From 5a8b68a429b03ef13669e61792aba2f8d84da2dc Mon Sep 17 00:00:00 2001
From: Marc-Antoine <piequi@gmail.com>
Date: Mon, 31 Aug 2020 12:30:28 +0200
Subject: [PATCH] Add support for openstack application credentials (#6534)

* Add support for openstack application credentials

* Add some lines for readability

* Update external_openstack_tenant_id check

Do not check external_openstack_tenant_id when application credentials are defined

* Add check for external_openstack_domain_id

* Fix typo
---
 inventory/sample/group_vars/all/openstack.yml |  7 +++
 .../tasks/openstack-credential-check.yml      | 51 ++++++++++++++++---
 .../external-openstack-cloud-config.j2        | 11 ++++
 3 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/inventory/sample/group_vars/all/openstack.yml b/inventory/sample/group_vars/all/openstack.yml
index 71c392414..a7f86271c 100644
--- a/inventory/sample/group_vars/all/openstack.yml
+++ b/inventory/sample/group_vars/all/openstack.yml
@@ -35,6 +35,13 @@
 #   - ""
 # external_openstack_metadata_search_order: "configDrive,metadataService"
 
+## Application credentials to authenticate against Keystone API
+## Those settings will take precedence over username and password that might be set your environment
+## All of them are required
+# external_openstack_application_credential_name:
+# external_openstack_application_credential_id:
+# external_openstack_application_credential_secret:
+
 ## The tag of the external OpenStack Cloud Controller image
 # external_openstack_cloud_controller_image_tag: "latest"
 
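Review bot: The second new comment line is missing a word: `## Those settings will take precedence over username and password that might be set your environment` should read `... that might be set in your environment`. `## All of them are required` also documents a stricter contract than the check task in this commit enforces, since the `_id` and `_secret` checks only run when `external_openstack_application_credential_name` is set; either reword it to say the checks key on the credential name, or tighten the checks so the comment is true. The three variable names match those the template consumes.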
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml
index d46bcb626..9abc927e2 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml
@@ -4,24 +4,63 @@
     msg: "external_openstack_auth_url is missing"
   when: external_openstack_auth_url is not defined or not external_openstack_auth_url
 
-- name: External OpenStack Cloud Controller | check external_openstack_username value
+
+- name: External OpenStack Cloud Controller | check external_openstack_username or external_openstack_application_credential_name value
+  fail:
+    msg: "you must either set external_openstack_username or external_openstack_application_credential_name"
+  when:
+    - external_openstack_username is not defined or not external_openstack_username
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_id value
+  fail:
+    msg: "external_openstack_application_credential_id is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_secret value
   fail:
-    msg: "external_openstack_username is missing"
-  when: external_openstack_username is not defined or not external_openstack_username
+    msg: "external_openstack_application_credential_secret is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+
 
 - name: External OpenStack Cloud Controller | check external_openstack_password value
   fail:
     msg: "external_openstack_password is missing"
-  when: external_openstack_password is not defined or not external_openstack_password
+  when:
+    - external_openstack_username is defined
+    - external_openstack_username|length > 0
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+    - external_openstack_password is not defined or not external_openstack_password
+
 
 - name: External OpenStack Cloud Controller | check external_openstack_region value
   fail:
     msg: "external_openstack_region is missing"
   when: external_openstack_region is not defined or not external_openstack_region
 
+
 - name: External OpenStack Cloud Controller | check external_openstack_tenant_id value
   fail:
     msg: "one of external_openstack_tenant_id or external_openstack_tenant_name must be specified"
   when:
-    - (external_openstack_tenant_id is not defined or not external_openstack_tenant_id) and
-      (external_openstack_tenant_name is not defined or not external_openstack_tenant_name)
+    - external_openstack_tenant_id is not defined or not external_openstack_tenant_id
+    - external_openstack_tenant_name is not defined or not external_openstack_tenant_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_domain_id value
+  fail:
+    msg: "one of external_openstack_domain_id or external_openstack_domain_name must be specified"
+  when:
+    - external_openstack_domain_id is not defined or not external_openstack_domain_id
+    - external_openstack_domain_name is not defined or not external_openstack_domain_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
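Review bot: The checks treat `external_openstack_application_credential_name` as the switch for application-credential mode (first two conditions of the `_id` and `_secret` tasks, and the last condition of the password, tenant and domain tasks), whereas the template in this commit switches on `_id` or `_name`; an inventory with only `_id` + `_secret` (a valid Keystone form) is rejected by the first task, and one with `username`/`password` plus `_id` alone passes every check yet, as far as the template shows, renders no `username`/`password` and an id with no secret. Use one predicate for both, e.g. replace the two name conditions with `- (external_openstack_application_credential_name is defined and external_openstack_application_credential_name|length > 0) or (external_openstack_application_credential_id is defined and external_openstack_application_credential_id|length > 0)` and apply the same gate to the other tasks. Separately, `external_openstack_application_credential_name|length > 0` raises a templating error instead of a clean `fail` when the variable is defined but null, which is what uncommenting the sample keys without a value produces; `... | default('') | length > 0` avoids that. The task at the top of the hunk (`msg: "external_openstack_auth_url is missing"`) starts before the hunk.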
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
index 25a3ab089..2ccf9f9bd 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
@@ -1,7 +1,18 @@
 [Global]
 auth-url="{{ external_openstack_auth_url }}"
+{% if external_openstack_application_credential_id is not defined and external_openstack_application_credential_name is not defined %}
 username="{{ external_openstack_username }}"
 password="{{ external_openstack_password }}"
+{% endif %}
+{% if external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "" %}
+application-credential-id={{ external_openstack_application_credential_id }}
+{% endif %}
+{% if external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "" %}
+application-credential-name={{ external_openstack_application_credential_name }}
+{% endif %}
+{% if external_openstack_application_credential_secret is defined and external_openstack_application_credential_secret != "" %}
+application-credential-secret={{ external_openstack_application_credential_secret }}
+{% endif %}
 region="{{ external_openstack_region }}"
 {% if external_openstack_tenant_id is defined and external_openstack_tenant_id != "" %}
 tenant-id="{{ external_openstack_tenant_id }}"
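Review bot: The guard around `username`/`password` tests only `is not defined`, while the three emitter guards below it test `is defined and != ""`, so a variable that is defined but empty (`external_openstack_application_credential_name: ""`) suppresses `username`/`password` without emitting any `application-credential-*` key, leaving `[Global]` with no credentials. Use the same predicate on both sides, e.g. `{% if not (external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "") and not (external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "") %}`. The new `application-credential-id`/`-name`/`-secret` values are also written unquoted while every neighbouring value (`auth-url`, `username`, `password`, `region`, `tenant-id`) is double-quoted; quoting them keeps the file consistent and avoids a secret containing `;` or `#` being cut at what an INI-style parser may treat as a comment start, which is worth confirming against the cloud-provider's parser. The file continues past the hunk.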
-- 
GitLab