From: vegall
Date: Tue, 2 Jul 2024 15:30:30 +0000 (+0000)
Subject: Fix keystone to manage the OSM users/projects
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=4ea03cf223854ed964f4f8e2713379b10a6d3962;p=osm%2Fdevops.git

Fix keystone to manage the OSM users/projects

Keystone was not used by default by OSM NBI. Instead, internal authentication is used. When NBI is configured to use Keystone as auth backend, we found that it didn't bootstrap properly because there were no data in the MySQL DB used by Keystone. The initilization of DB was supposed to be done by the Keystone containers in keystone-deployment. However, those container were not able to initialize the DB because they were running as regular users instead of root users. Keystone is thought as an infra solution, not as an application solution. The community behind Keystone development agreed on that behaviour. Based on that, Keystone containers were adapted to run as root. In addition, we decided to disable Keystone and MySQL as part of the default values for OSM helm chart.

Change-Id: I0e7078b809abe858a69323d6e3e493e862d6e6ab
Signed-off-by: vegall
Signed-off-by: garciadeblas
---
diff --git a/.gitignore b/.gitignore
index e3ed0f85..3c3fce29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ local
 installers/charm/**/release/
 __pycache__
 .tox
+*Chart.lock
+installers/helm/osm/charts/
\ No newline at end of file
diff --git a/docker/Keystone/Dockerfile b/docker/Keystone/Dockerfile
index b00b3848..29089f55 100644
--- a/docker/Keystone/Dockerfile
+++ b/docker/Keystone/Dockerfile
@@ -26,8 +26,6 @@ EXPOSE 5000
 WORKDIR /app
-COPY scripts/start.sh /app/start.sh
-
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
 DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
 DEBIAN_FRONTEND=noninteractive apt-get autoremove -y && \
@@ -54,8 +52,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
 net-tools=1.60* \
 mysql-client=8.0.* \
 dnsutils=1:9.18.* && \
- rm -rf /var/lib/apt/lists/* && \
- chmod +x start.sh
+ rm -rf /var/lib/apt/lists/*
 RUN pip3 install python-ldap==3.2.0 ldappool==3.0.0 python-openstackclient==6.2.0
@@ -82,7 +79,11 @@ RUN groupadd -g 1000 appuser && \
 mkdir -p /etc/sudoers.d && \
 echo "%appuser ALL= NOPASSWD: /sbin/service apache2 *" > /etc/sudoers.d/appuser
-USER appuser
+COPY scripts/start.sh /app/start.sh
+
+RUN chmod +x start.sh
+
+USER root
 # database
 ENV DB_HOST keystone-db
diff --git a/docker/Keystone/scripts/start.sh b/docker/Keystone/scripts/start.sh
index dde1b5ae..7b4e008a 100755
--- a/docker/Keystone/scripts/start.sh
+++ b/docker/Keystone/scripts/start.sh
@@ -18,6 +18,8 @@
 # contact: esousa@whitestack.com or glavado@whitestack.com
 ##
+set -e
+
 DB_EXISTS=""
 USER_DB_EXISTS=""
 DB_NOT_EMPTY=""
@@ -121,6 +123,8 @@ sed -i '/^\[database\]$/,/^\[/ s/^connection = .*/connection = mysql+pymysql:\/\
 # Setting Keystone tokens
 sed -i '/^\[token\]$/,/^\[/ s/^.*provider = .*/provider = fernet/' /etc/keystone/keystone.conf
+# Setting Keystone for the stderr
+sed -i '/\[DEFAULT\]/a use_stderr = true' /etc/keystone/keystone.conf
 # Use LDAP authentication for Identity
 if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then
@@ -222,6 +226,7 @@ wait_keystone_host
 # Bootstrap Keystone service
 if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
+ echo "Bootstraping keystone"
 keystone-manage bootstrap \
 --bootstrap-username "$ADMIN_USERNAME" \
 --bootstrap-password "$ADMIN_PASSWORD" \
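Review bot: `USER root` hands the whole runtime, apache2 included, to uid 0, while the hunk keeps the `%appuser ALL= NOPASSWD: /sbin/service apache2 *` sudoers rule that only existed because the process was unprivileged. The commit message says the non-root user could not initialise the database, but nothing in the hunk shows which operation needed root; if it is write access to files that start.sh edits with `sed -i` (/etc/keystone/keystone.conf) and to the log directory under /var/log/keystone, a build-time `chown -R appuser:appuser /etc/keystone /var/log/keystone` would let the image keep `USER appuser` and the least-privilege posture the sudoers entry was designed for. If root really is required, remove the now-dead sudoers line and record the reason next to the directive, e.g. `# runs as root: <reason> (see scripts/start.sh)`.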
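Review bot: `set -e` changes the failure semantics of the whole script, most of which lies outside this hunk, so every probe that legitimately returns non-zero needs a second look. The three variables initialised here (`DB_EXISTS`, `USER_DB_EXISTS`, `DB_NOT_EMPTY`) appear to be filled later; if that is done with a plain assignment such as `VAR=$(cmd | grep ...)`, the assignment takes the exit status of the substitution and a no-match now terminates the container instead of leaving the variable empty. Wrap such probes as `VAR=$(cmd | grep ... || true)` or evaluate them inside an `if`, and document the intent beside the option, e.g. `# abort on any unhandled failure; probes that may legitimately fail must use || true`.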
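Review bot: The new `sed -i '/\[DEFAULT\]/a use_stderr = true'` matches any line containing `[DEFAULT]`, including commented-out or sample lines in the shipped keystone.conf, whereas the neighbouring edits anchor their section headers with `^\[token\]$` and `^\[database\]$`. Use the same anchored form, `sed -i '/^\[DEFAULT\]$/a use_stderr = true' /etc/keystone/keystone.conf`, so the option is appended exactly once under the real section. The comment above it does not say what the line is for; `# Log to stderr so Keystone output reaches the container log` would.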
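Review bot: The new log line misspells the word: `echo "Bootstrapping keystone"`. With `set -e` now enabled earlier in the script, a failing `keystone-manage bootstrap` aborts the container, so this echo is the last message before such an exit and it is worth stating which condition triggered the bootstrap, e.g. `echo "Bootstrapping keystone (DB_EXISTS='$DB_EXISTS' DB_NOT_EMPTY='$DB_NOT_EMPTY')"`. The bootstrap command continues past the end of the hunk.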
@@ -250,12 +255,33 @@ EOF
 source setup_env
+# Function to retry a command up to 5 times
+retry() {
+ local n=1
+ local max=5
+ local delay=5
+ while true; do
+ "$@" && break || {
+ if [[ $n -lt $max ]]; then
+ ((n++))
+ echo "Command failed. Attempt $n/$max:"
+ sleep $delay;
+ else
+ echo "The command has failed after $n attempts."
+ return 1
+ fi
+ }
+ done
+}
+
 # Create NBI User
-if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
- openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME"
- openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT"
- openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin
+if ! openstack user show nbi --domain default; then
+ echo "NBI user does not exist. Creating nbi user"
+ retry openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME" || exit 1
+ retry openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT" || exit 1
+ retry openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin || exit 1
 fi
+echo "Done creating the NBI user"
 if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then
 if !(openstack domain list | grep -q $LDAP_AUTHENTICATION_DOMAIN_NAME); then
@@ -270,7 +296,7 @@ fi
 while ps -ef | grep -v grep | grep -q apache2
 do
- sleep 60
+ tail -f /var/log/keystone/keystone-manage.log
 done
 # Only reaches this point if apache2 stops running
diff --git a/installers/helm/osm/templates/keystone/keystone-configmap.yaml b/installers/helm/osm/templates/keystone/keystone-configmap.yaml
index 02a859a6..5c1cff1a 100644
--- a/installers/helm/osm/templates/keystone/keystone-configmap.yaml
+++ b/installers/helm/osm/templates/keystone/keystone-configmap.yaml
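Review bot: The existence check hardcodes the user name, `openstack user show nbi --domain default`, while the creation below uses `$SERVICE_USERNAME`; if the two differ, the block either tries to recreate a user that already exists or never creates the configured one. Change it to `if ! openstack user show "$SERVICE_USERNAME" --domain default >/dev/null 2>&1; then` so the probe and the create agree and the probe's table is not printed on every start. `echo "Done creating the NBI user"` runs even when the branch was skipped, so it belongs inside the `if`. In `retry`, the trailing `;` on `sleep $delay;` is harmless but inconsistent with the surrounding lines.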
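Review bot: `tail -f` never returns, so the `while ps -ef | grep -v grep | grep -q apache2` condition is evaluated only once and the comment after the loop, `# Only reaches this point if apache2 stops running`, is no longer true: if apache2 dies the container keeps running on the blocked `tail` and the pod is never restarted. Keep the loop as the liveness check and stream the log in the background instead: `tail -f /var/log/keystone/keystone-manage.log &` placed before the loop, with `sleep 60` kept as the loop body. If the log file may not exist yet when the script reaches this point, `tail -F` waits for it to appear.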
@@ -1,4 +1,4 @@
-{{- if .Values.keystone.enabled -}}
+{{- if .Values.keystone.enabled }}
 #######################################################################################
 # Copyright ETSI Contributors and Others. #
@@ -22,5 +22,9 @@ metadata:
 labels:
 {{- include "osm.labels" . | nindent 4 }}
 data:
+{{- if .Values.mysql.enabled }}
 DB_HOST: "{{ .Values.global.db.mysql.mysqlService }}"
+{{- else }}
+ DB_HOST: ""
+{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/installers/helm/osm/templates/keystone/keystone-deployment.yaml b/installers/helm/osm/templates/keystone/keystone-deployment.yaml
index ba7e05d3..10798661 100644
--- a/installers/helm/osm/templates/keystone/keystone-deployment.yaml
+++ b/installers/helm/osm/templates/keystone/keystone-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.keystone.enabled -}}
+{{- if and .Values.keystone.enabled .Values.mysql.enabled -}}
 #######################################################################################
 # Copyright ETSI Contributors and Others. #
@@ -48,9 +48,8 @@ spec:
 - name: keystone
 securityContext:
 # readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- {{- toYaml .Values.global.securityContext | nindent 12 }}
+ allowPrivilegeEscalation: true
+ # runAsNonRoot: false
 image: {{ include "osm.keystone.image" . }}
 imagePullPolicy: {{ .Values.global.image.pullPolicy }}
 ports:
diff --git a/installers/helm/osm/templates/keystone/keystone-service.yaml b/installers/helm/osm/templates/keystone/keystone-service.yaml
index 7e4aa525..be3cf1da 100644
--- a/installers/helm/osm/templates/keystone/keystone-service.yaml
+++ b/installers/helm/osm/templates/keystone/keystone-service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.keystone.enabled -}}
+{{- if and .Values.keystone.enabled }}
 #######################################################################################
 # Copyright ETSI Contributors and Others. #
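Review bot: The ConfigMap is still rendered when `keystone.enabled` is true and `mysql.enabled` is false, but in the same commit the Deployment is gated on `and .Values.keystone.enabled .Values.mysql.enabled`, so that combination yields a ConfigMap with `DB_HOST: ""` and a Service with no pods behind it; the keystone-service hunk has the same gap, and its condition `{{- if and .Values.keystone.enabled }}` has a single operand, which reads like an incomplete edit. Unless an external database is meant to be configured through the empty `DB_HOST`, gate all three templates on the same condition, `{{- if and .Values.keystone.enabled .Values.mysql.enabled }}`. If an external database is the intent, take the host from a dedicated value rather than rendering an empty string that start.sh then has to handle.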
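Review bot: `allowPrivilegeEscalation: true` is not needed to run the container as root, which the image now does through `USER root`; the field only controls whether a process may gain more privileges than its parent (setuid binaries, sudo), and with uid 0 `/sbin/service apache2` runs without sudo. Dropping `{{- toYaml .Values.global.securityContext | nindent 12 }}` also discards whatever capability drops or seccomp settings the chart-wide values carry, so the pod loses more than the one exception the commit needs; it already fails the `restricted` Pod Security profile on the missing `runAsNonRoot`, and there is no reason to widen that further. Keep `allowPrivilegeEscalation: false`, keep the global securityContext include, and remove only `runAsNonRoot: true`, with a comment such as `# runAsNonRoot omitted: the keystone image runs as root (docker/Keystone/Dockerfile)` so the exception is traceable; if the global securityContext sets `runAsNonRoot` or `runAsUser` itself, override just those keys here rather than dropping the whole block.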
diff --git a/installers/helm/osm/templates/nbi/nbi-configmap.yaml b/installers/helm/osm/templates/nbi/nbi-configmap.yaml
index e4c6ac99..b76a4fb2 100644
--- a/installers/helm/osm/templates/nbi/nbi-configmap.yaml
+++ b/installers/helm/osm/templates/nbi/nbi-configmap.yaml
@@ -35,4 +35,8 @@ data:
 OSMNBI_OTP_RETRY_COUNT: {{ .Values.nbi.smtp.otpRetryCount }}
 OSMNBI_OTP_EXPIRY_TIME: {{ .Values.nbi.smtp.otpExpiryTime }}
 {{- end }}
+ {{- if .Values.keystone.enabled }}
+ OSMNBI_AUTHENTICATION_BACKEND: "keystone"
+ OSMNBI_AUTHENTICATION_AUTH_URL: "http://keystone:{{ .Values.keystone.service.port }}/v3"
+ {{- end }}
 {{- end }}
diff --git a/installers/helm/osm/values.yaml b/installers/helm/osm/values.yaml
index 56d3e9f1..3366145b 100644
--- a/installers/helm/osm/values.yaml
+++ b/installers/helm/osm/values.yaml
@@ -219,7 +219,7 @@ kafka:
 transaction.state.log.min.isr: 1
 keystone:
- enabled: true
+ enabled: false
 service:
 port: 5000
 image: {}
@@ -263,7 +263,7 @@ mon:
 config: {}
 mysql:
- enabled: true
+ enabled: false
 image:
 tag: "8.1-debian-11"
 fullnameOverride: "mysql"
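Review bot: This block is gated on `.Values.keystone.enabled` alone, but the keystone Deployment in the same commit also requires `.Values.mysql.enabled`; with keystone enabled and mysql disabled NBI is switched to the keystone backend while no Keystone pod exists, so every login fails. Gate it the same way, `{{- if and .Values.keystone.enabled .Values.mysql.enabled }}`. The URL hardcodes the Service hostname `keystone` and plain `http`; if the chart names the Service through a helper or an override, reuse that here, and the fact that NBI-to-Keystone traffic (credentials and tokens) is cleartext inside the cluster deserves a comment on this line so operators know to cover it with network policy or a mesh.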
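Review bot: `keystone.enabled` and `mysql.enabled` are now independently settable defaults, but the keystone Deployment template only renders when both are true, so a user who flips only `keystone.enabled: true` gets the Service and ConfigMap without a running Keystone. A comment on the key makes the dependency visible: `enabled: false  # requires mysql.enabled: true (Keystone stores its data in the chart's MySQL)`. The mysql hunk below would benefit from the matching `# needed by keystone` note.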