From 802fb8b591bf07f22bb699ae4172c85012b03960 Mon Sep 17 00:00:00 2001
From: Fredrik Liv <fredrik.liv@elastisys.com>
Date: Thu, 15 Jul 2021 09:56:48 +0200
Subject: [PATCH] Add application credentials support for cinder (#7799)

* csi-driver: Added possibility to use application credentials for cinder

* external-cloud-controller: Added env vars for openstack application credentials
---
 .../csi_driver/cinder/defaults/main.yml       |  3 ++
 .../cinder/tasks/cinder-credential-check.yml  | 43 +++++++++++++++----
 .../templates/cinder-csi-cloud-config.j2      | 11 +++++
 .../openstack/defaults/main.yml               |  3 ++
 4 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml b/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml
index 5444f33c5..e52187da2 100644
--- a/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml
+++ b/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml
@@ -5,6 +5,9 @@
 cinder_auth_url: "{{ lookup('env','OS_AUTH_URL') }}"
 cinder_username: "{{ lookup('env','OS_USERNAME') }}"
 cinder_password: "{{ lookup('env','OS_PASSWORD') }}"
+cinder_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID')  }}"
+cinder_application_credential_name: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_NAME')  }}"
+cinder_application_credential_secret: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_SECRET')  }}"
 cinder_region: "{{ lookup('env','OS_REGION_NAME') }}"
 cinder_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
 cinder_tenant_name: "{{ lookup('env','OS_TENANT_NAME')| default(lookup('env','OS_PROJECT_NAME'),true) }}"
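Review bot: The three new defaults put two spaces before the closing `}}` while the neighbouring lines of this file (`cinder_auth_url`, `cinder_username`, `cinder_password`) use one, so the block reads as pasted from a different file; `cinder_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID') }}"` (and likewise for the name and secret) keeps the file uniform. It would also help readers to record, in a comment above the three lines, that an unset `OS_APPLICATION_CREDENTIAL_*` variable leaves the value as an empty string rather than undefined, since every consumer of these defaults has to test for emptiness rather than definedness.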
diff --git a/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-credential-check.yml b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-credential-check.yml
index 251449490..cb65f42b0 100644
--- a/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-credential-check.yml
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-credential-check.yml
@@ -4,15 +4,38 @@
     msg: "cinder_auth_url is missing"
   when: cinder_auth_url is not defined or not cinder_auth_url
 
-- name: Cinder CSI Driver | check cinder_username value
+- name: Cinder CSI Driver | check cinder_username value cinder_application_credential_name value
   fail:
-    msg: "cinder_username is missing"
-  when: cinder_username is not defined or not cinder_username
+    msg: "you must either set cinder_username or cinder_application_credential_name"
+  when:
+    - cinder_username is not defined or not cinder_username
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
+
+- name: Cinder CSI Driver | check cinder_application_credential_id value
+  fail:
+    msg: "cinder_application_credential_id is missing"
+  when:
+    - cinder_application_credential_name is defined
+    - cinder_application_credential_name|length > 0
+    - cinder_application_credential_id is not defined or not cinder_application_credential_id
+
+- name: Cinder CSI Driver | check cinder_application_credential_secret value
+  fail:
+    msg: "cinder_application_credential_secret is missing"
+  when:
+    - cinder_application_credential_name is defined
+    - cinder_application_credential_name|length > 0
+    - cinder_application_credential_secret is not defined or not cinder_application_credential_secret
 
 - name: Cinder CSI Driver | check cinder_password value
   fail:
     msg: "cinder_password is missing"
-  when: cinder_password is not defined or not cinder_password
+  when:
+    - cinder_username is defined
+    - cinder_username|length > 0
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
+    - cinder_application_credential_secret is not defined or not cinder_application_credential_secret
+    - cinder_password is not defined or not cinder_password
 
 - name: Cinder CSI Driver | check cinder_region value
   fail:
@@ -24,11 +47,13 @@
     msg: "one of cinder_tenant_id or cinder_tenant_name must be specified"
   when:
     - cinder_tenant_id is not defined or not cinder_tenant_id
-    - cinder_tenant_name is not defined
+    - cinder_tenant_name is not defined or not cinder_tenant_name
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
 
-- name: Cinder CSI Driver | check cinder_tenant_name value
+- name: Cinder CSI Driver | check cinder_domain_id value
   fail:
-    msg: "one of cinder_tenant_id or cinder_tenant_name must be specified"
+    msg: "one of cinder_domain_id or cinder_domain_name must be specified"
   when:
-    - cinder_tenant_name is not defined or not cinder_tenant_name
-    - cinder_tenant_id is not defined
+    - cinder_domain_id is not defined or not cinder_domain_id
+    - cinder_domain_name is not defined or not cinder_domain_name
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-cloud-config.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-cloud-config.j2
index 025a5144a..e992fe173 100644
--- a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-cloud-config.j2
+++ b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-cloud-config.j2
@@ -1,7 +1,18 @@
 [Global]
 auth-url="{{ cinder_auth_url }}"
+{% if cinder_application_credential_id is not defined and cinder_application_credential_name is not defined %}
 username="{{ cinder_username }}"
 password="{{ cinder_password }}"
+{% endif %}
+{% if cinder_application_credential_id is defined and cinder_application_credential_id != "" %}
+application-credential-id={{ cinder_application_credential_id }}
+{% endif %}
+{% if cinder_application_credential_name is defined and cinder_application_credential_name != "" %}
+application-credential-name={{ cinder_application_credential_name }}
+{% endif %}
+{% if cinder_application_credential_secret is defined and cinder_application_credential_secret != "" %}
+application-credential-secret={{ cinder_application_credential_secret }}
+{% endif %}
 region="{{ cinder_region }}"
 {% if cinder_tenant_id is defined and cinder_tenant_id != "" %}
 tenant-id="{{ cinder_tenant_id }}"
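Review bot: The guard around `username=`/`password=` tests `is not defined`, but the role defaults added in this commit always define `cinder_application_credential_id` and `cinder_application_credential_name` (an `env` lookup of an unset variable yields an empty string), so the condition is never true and password-based deployments would get a cloud-config with no username or password at all. The credential-check task in this commit already tests emptiness (`not cinder_username`), and the other guards in this template use `!= ""`; the first guard should do the same: `{% if (cinder_application_credential_id is not defined or cinder_application_credential_id == "") and (cinder_application_credential_name is not defined or cinder_application_credential_name == "") %}`. As a point of style, the three new values are written unquoted while `auth-url`, `username` and `password` are quoted; `application-credential-secret="{{ cinder_application_credential_secret }}"` (and the id and name) keeps the file consistent and, if the ini reader treats comment characters specially, avoids a user-chosen secret being cut short.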
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
index 2533385e6..70f20adb9 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
@@ -5,6 +5,9 @@
 external_openstack_auth_url: "{{ lookup('env','OS_AUTH_URL')  }}"
 external_openstack_username: "{{ lookup('env','OS_USERNAME')  }}"
 external_openstack_password: "{{ lookup('env','OS_PASSWORD')  }}"
+external_openstack_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID')  }}"
+external_openstack_application_credential_name: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_NAME')  }}"
+external_openstack_application_credential_secret: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_SECRET')  }}"
 external_openstack_region: "{{ lookup('env','OS_REGION_NAME')  }}"
 external_openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
 external_openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME')| default(lookup('env','OS_PROJECT_NAME'),true) }}"
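Review bot: These three `external_openstack_application_credential_*` defaults have no consumer in this commit: the diffstat lists no change to the external cloud controller's cloud-config template or credential check, so unless a consumer already exists outside the diff the values are read from the environment and never rendered, and a user who sets only `OS_APPLICATION_CREDENTIAL_*` for the CCM gets a config without credentials. Either wire them into the CCM cloud-config and its checks in the same change, mirroring the cinder template, or state in the commit description that this is preparatory, e.g. `external-cloud-controller: defaults only; template support follows`.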
-- 
GitLab