From 9414ab5cadea0cfd958cc7dfc0041eb758f452e6 Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman <lars@redhat.com>
Date: Fri, 3 Oct 2014 14:32:36 -0400
Subject: [PATCH] use "crux" for creating users/endpoints

this patch introduces the "crux" [1] tool for creating keystone
users, services, and endpoints in an idempotent fashion.  E.g., to
create a user that doesn't exist:

    $ crux user-create -n lars -t lars -p secret
    creating new tenant
    created tenant lars (d74cec5023c4428da533066bb11943db)
    creating new user lars
    created user lars (adf2c2d92e894a3d90a403c5885f192e)

And performing the same operation a second time:

    $ crux user-create -n lars -t lars -p secret
    using existing tenant lars (d74cec5023c4428da533066bb11943db)
    using existing user lars (adf2c2d92e894a3d90a403c5885f192e)

The behavior is similar for creating keystone endpoints.

[1]: https://github.com/larsks/crux

Change-Id: I694e0c1bdcdde595e1af2ee8ef5d0f239a9ad4cd
---
 docker/keystone/Dockerfile |  5 ++-
 docker/keystone/start.sh   | 73 +++++++++++++++++---------------------
 2 files changed, 37 insertions(+), 41 deletions(-)

diff --git a/docker/keystone/Dockerfile b/docker/keystone/Dockerfile
index c120b91885..3192d30bae 100644
--- a/docker/keystone/Dockerfile
+++ b/docker/keystone/Dockerfile
@@ -2,10 +2,13 @@ FROM kollaglue/fedora-rdo-base
 MAINTAINER Lars Kellogg-Stedman <lars@redhat.com>
 
 #Install required packages
+RUN yum -y install dnf dnf-plugins-core; yum clean all
+RUN dnf copr enable -y larsks/crux
 RUN yum install -y openstack-keystone \
 	openstack-utils \
 	mariadb \
-	&& yum clean all
+	crux \
+	; yum clean all
 
 ADD ./start.sh /start.sh
 
diff --git a/docker/keystone/start.sh b/docker/keystone/start.sh
index 657770c894..6e0ff7cd74 100755
--- a/docker/keystone/start.sh
+++ b/docker/keystone/start.sh
@@ -2,82 +2,75 @@
 
 # Exit the container if MariaDB is not yet up - then depend on kube to restart
 if [ -z "$MARIADBMASTER_PORT_3306_TCP_PORT" ]; then
-        exit 1
+    exit 1
 fi
 
 : ${KEYSTONE_ADMIN_PASSWORD:=kolla}
 : ${ADMIN_TENANT_NAME:=admin}
 
 if ! [ "$KEYSTONE_ADMIN_TOKEN" ]; then
-	KEYSTONE_ADMIN_TOKEN=$(openssl rand -hex 15)
+    KEYSTONE_ADMIN_TOKEN=$(openssl rand -hex 15)
 fi
 
 if ! [ "$KEYSTONE_DB_PASSWORD" ]; then
-	KEYSTONE_DB_PASSWORD=$(openssl rand -hex 15)
+    KEYSTONE_DB_PASSWORD=$(openssl rand -hex 15)
 fi
 
 mysql -h ${MARIADBMASTER_PORT_3306_TCP_ADDR} -u root -p${DB_ROOT_PASSWORD} mysql <<EOF
 CREATE DATABASE IF NOT EXISTS keystone;
 GRANT ALL PRIVILEGES ON keystone.* TO
-	'keystone'@'%' IDENTIFIED BY '${KEYSTONE_DB_PASSWORD}'
+    'keystone'@'%' IDENTIFIED BY '${KEYSTONE_DB_PASSWORD}'
 EOF
 
 crudini --set /etc/keystone/keystone.conf \
-	database \
-	connection \
-	"mysql://keystone:${KEYSTONE_DB_PASSWORD}@${MARIADBMASTER_PORT_3306_TCP_ADDR}:${MARIADBMASTER_PORT_3306_TCP_PORT}/keystone"
+    database \
+    connection \
+    "mysql://keystone:${KEYSTONE_DB_PASSWORD}@${MARIADBMASTER_PORT_3306_TCP_ADDR}:${MARIADBMASTER_PORT_3306_TCP_PORT}/keystone"
 crudini --set /etc/keystone/keystone.conf \
-	DEFAULT \
-	admin_token \
-	"${KEYSTONE_ADMIN_TOKEN}"
+    DEFAULT \
+    admin_token \
+    "${KEYSTONE_ADMIN_TOKEN}"
 crudini --del /etc/keystone/keystone.conf \
-	DEFAULT \
-	log_file
+    DEFAULT \
+    log_file
 crudini --del /etc/keystone/keystone.conf \
-	DEFAULT \
-	log_dir
+    DEFAULT \
+    log_dir
 crudini --set /etc/keystone/keystone.conf DEFAULT use_stderr True
 
 cat /etc/keystone/keystone.conf
 
 /usr/bin/keystone-manage db_sync
-
 /usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
 
+MY_IP=$(ip route get $(ip route | awk '$1 == "default" {print $3}') |
+    awk '$4 == "src" {print $5}')
+if [ -z "$KEYSTONEMASTER_35357_PORT_35357_TCP_ADDR" ]; then
+    KEYSTONEMASTER_35357_PORT_35357_TCP_ADDR=$MY_IP
+fi
+if [ -z "$KEYSTONEMASTER_5000_PORT_5000_TCP_ADDR" ]; then
+    KEYSTONEMASTER_5000_PORT_5000_TCP_ADDR=$MY_IP
+fi
+
 /usr/bin/keystone-all &
 PID=$!
 
-# TODO(sdake) better would be to retry each keystone operation
-/usr/bin/sleep 5
-
 export SERVICE_TOKEN="${KEYSTONE_ADMIN_TOKEN}"
 export SERVICE_ENDPOINT="http://127.0.0.1:35357/v2.0"
+SERVICE_ENDPOINT_ADMIN="http://${KEYSTONEMASTER_35357_PORT_35357_TCP_ADDR}:35357/v2.0"
+SERVICE_ENDPOINT_USER="http://${KEYSTONEMASTER_5000_PORT_5000_TCP_ADDR}:5000/v2.0"
 
-# Create the admin user
-/usr/bin/keystone user-create --name admin --pass ${KEYSTONE_ADMIN_PASSWORD}
-/usr/bin/keystone role-create --name admin
-/usr/bin/keystone tenant-create --name ${ADMIN_TENANT_NAME}
-/usr/bin/keystone user-role-add --user admin --role admin --tenant ${ADMIN_TENANT_NAME}
+# wait for keystone to become active
+while ! curl -o /dev/null -s --fail ${SERVICE_ENDPOINT}; do
+    sleep 1;
+done
 
-# Create the keystone service and endpoint
-/usr/bin/keystone service-create --name=keystone --type=identity --description="Identity Service"
-export SERVICE_ENDPOINT_USER="http://${KEYSTONEMASTER_PORT_5000_TCP_ADDR}:5000/v2.0"
-export SERVICE_ENDPOINT_ADMIN="http://${KEYSTONEMASTER_PORT_35357_TCP_ADDR}:35357/v2.0"
-/usr/bin/keystone endpoint-create \
- --region RegionOne \
- --service-id=`keystone service-list | grep keystone | tr -s ' ' | cut -d \  -f 2` \
- --publicurl=${SERVICE_ENDPOINT_USER} \
- --internalurl=${SERVICE_ENDPOINT_USER} \
- --adminurl=http:${SERVICE_ENDPOINT_ADMIN}
-
-
-# TODO(sdake) better would be to validate the database for the endpoint
-/usr/bin/sleep 5
+crux user-create -n admin -p "${KEYSTONE_ADMIN_PASSWORD}" -t admin -r admin
+crux endpoint-create -n keystone -t identity \
+    -I "${SERVICE_ENDPOINT_USER}" \
+    -A "${SERVICE_ENDPOINT_ADMIN}"
 
 kill -TERM $PID
 
-# TODO(sdake) better here would be to check ps for the existance of $PID
-/usr/bin/sleep 2
-
 echo "Running keystone service."
 exec /usr/bin/keystone-all