Add support for openstack application credentials (#6534)

* Add support for openstack application credentials * Add some lines for readability * Update external_openstack_tenant_id check Do not check external_openstack_tenant_id when application credentials are defined * Add check for external_openstack_domain_id * Fix typo

Add support for openstack application credentials (#6534)
5a8b68a4 · Marc-Antoine · GitHub · 34d88ea6 · 5a8b68a4 · 5a8b68a4
Unverified Commit 5a8b68a4 authored 4 years ago by Marc-Antoine Committed by GitHub 4 years ago
--- a/inventory/sample/group_vars/all/openstack.yml
+++ b/inventory/sample/group_vars/all/openstack.yml
@@ -35,6 +35,13 @@
 #   - ""
 # external_openstack_metadata_search_order: "configDrive,metadataService"

+## Application credentials to authenticate against Keystone API
+## Those settings will take precedence over username and password that might be set your environment
+## All of them are required
+# external_openstack_application_credential_name:
+# external_openstack_application_credential_id:
+# external_openstack_application_credential_secret:
+
 ## The tag of the external OpenStack Cloud Controller image
 # external_openstack_cloud_controller_image_tag: "latest"


--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml
@@ -4,24 +4,63 @@
    msg: "external_openstack_auth_url is missing"
  when: external_openstack_auth_url is not defined or not external_openstack_auth_url

- name: External OpenStack Cloud Controller | check external_openstack_username value
+
+- name: External OpenStack Cloud Controller | check external_openstack_username or external_openstack_application_credential_name value
+  fail:
+    msg: "you must either set external_openstack_username or external_openstack_application_credential_name"
+  when:
+    - external_openstack_username is not defined or not external_openstack_username
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_id value
+  fail:
+    msg: "external_openstack_application_credential_id is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_secret value
  fail:
-    msg: "external_openstack_username is missing"
-  when: external_openstack_username is not defined or not external_openstack_username
+    msg: "external_openstack_application_credential_secret is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+

 - name: External OpenStack Cloud Controller | check external_openstack_password value
  fail:
    msg: "external_openstack_password is missing"
-  when: external_openstack_password is not defined or not external_openstack_password
+  when:
+    - external_openstack_username is defined
+    - external_openstack_username|length > 0
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+    - external_openstack_password is not defined or not external_openstack_password
+

 - name: External OpenStack Cloud Controller | check external_openstack_region value
  fail:
    msg: "external_openstack_region is missing"
  when: external_openstack_region is not defined or not external_openstack_region

+
 - name: External OpenStack Cloud Controller | check external_openstack_tenant_id value
  fail:
    msg: "one of external_openstack_tenant_id or external_openstack_tenant_name must be specified"
  when:
-    - (external_openstack_tenant_id is not defined or not external_openstack_tenant_id) and
-      (external_openstack_tenant_name is not defined or not external_openstack_tenant_name)
+    - external_openstack_tenant_id is not defined or not external_openstack_tenant_id
+    - external_openstack_tenant_name is not defined or not external_openstack_tenant_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_domain_id value
+  fail:
+    msg: "one of external_openstack_domain_id or external_openstack_domain_name must be specified"
+  when:
+    - external_openstack_domain_id is not defined or not external_openstack_domain_id
+    - external_openstack_domain_name is not defined or not external_openstack_domain_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
 [Global]
 auth-url="{{ external_openstack_auth_url }}"
+{% if external_openstack_application_credential_id is not defined and external_openstack_application_credential_name is not defined %}
 username="{{ external_openstack_username }}"
 password="{{ external_openstack_password }}"
+{% endif %}
+{% if external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "" %}
+application-credential-id={{ external_openstack_application_credential_id }}
+{% endif %}
+{% if external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "" %}
+application-credential-name={{ external_openstack_application_credential_name }}
+{% endif %}
+{% if external_openstack_application_credential_secret is defined and external_openstack_application_credential_secret != "" %}
+application-credential-secret={{ external_openstack_application_credential_secret }}
+{% endif %}
 region="{{ external_openstack_region }}"
 {% if external_openstack_tenant_id is defined and external_openstack_tenant_id != "" %}
 tenant-id="{{ external_openstack_tenant_id }}"