From da178621261fcf50593b0b56ddd19aa87e295a39 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Thu, 3 May 2018 18:59:52 -0500 Subject: [PATCH] Magnum: restore basic API functionality to chart This PS restores basic API functionality to the Magnum chart. Change-Id: If75c63308ad416758930b35eea71e9eed98441f2 --- magnum/templates/configmap-bin.yaml | 2 + magnum/templates/configmap-etc.yaml | 10 +++ magnum/templates/deployment-api.yaml | 6 +- magnum/templates/job-ks-user-domain.yaml | 84 ++++++++++++++++++++++++ magnum/templates/job-rabbit-init.yaml | 1 + magnum/templates/secret-keystone.yaml | 12 ++++ magnum/values.yaml | 12 ++++ 7 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 magnum/templates/job-ks-user-domain.yaml diff --git a/magnum/templates/configmap-bin.yaml b/magnum/templates/configmap-bin.yaml index 7129a3b3d5..82ff645405 100644 --- a/magnum/templates/configmap-bin.yaml +++ b/magnum/templates/configmap-bin.yaml @@ -38,6 +38,8 @@ data: {{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }} ks-user.sh: | {{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }} + ks-domain-user.sh: | +{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }} magnum-api.sh: | {{ tuple "bin/_magnum-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} magnum-conductor.sh: | diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml index 5447942507..baab9a0595 100644 --- a/magnum/templates/configmap-etc.yaml +++ b/magnum/templates/configmap-etc.yaml 
@@ -63,6 +63,16 @@ limitations under the License. {{- tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.magnum.api "port" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.magnum.trust.trustee_domain_name -}} +{{- set .Values.conf.magnum.trust "trustee_domain_name" .Values.endpoints.identity.auth.magnum_stack_user.domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.trust.trustee_domain_admin_name -}} +{{- set .Values.conf.magnum.trust "trustee_domain_admin_name" .Values.endpoints.identity.auth.magnum_stack_user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.trust.trustee_domain_admin_password -}} +{{- set .Values.conf.magnum.trust "trustee_domain_admin_password" .Values.endpoints.identity.auth.magnum_stack_user.password | quote | trunc 0 -}} +{{- end -}} + --- apiVersion: v1 kind: ConfigMap diff --git a/magnum/templates/deployment-api.yaml b/magnum/templates/deployment-api.yaml index a0379e1dd0..e6f77cb832 100644 --- a/magnum/templates/deployment-api.yaml +++ b/magnum/templates/deployment-api.yaml @@ -67,8 +67,12 @@ spec: - name: m-api containerPort: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} readinessProbe: - tcpSocket: + httpGet: + scheme: HTTP + path: / port: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + initialDelaySeconds: 15 + periodSeconds: 10 volumeMounts: - name: magnum-bin mountPath: /tmp/magnum-api.sh diff --git a/magnum/templates/job-ks-user-domain.yaml b/magnum/templates/job-ks-user-domain.yaml new file mode 100644 index 0000000000..3d9259693b --- /dev/null +++ b/magnum/templates/job-ks-user-domain.yaml 
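Review bot: The trustee domain admin password probably ends up in plain ConfigMap data: the third added block copies `.Values.endpoints.identity.auth.magnum_stack_user.password` into `.Values.conf.magnum.trust`, and the hunk's trailing context opens a `kind: ConfigMap` (how `conf.magnum` is rendered into it is outside the hunk). Anyone allowed to read ConfigMaps in the namespace would then see a credential that the same commit also stores in a dedicated Secret in secret-keystone.yaml. Consider delivering the rendered magnum configuration, or at least this password, through a Secret. A template comment above the three blocks would also help, e.g. `{{/* trust.* values left empty fall back to endpoints.identity.auth.magnum_stack_user */}}`.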
@@ -0,0 +1,84 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.job_ks_user_domain }} +{{- $envAll := . }} +{{- $dependencies := .Values.dependencies.static.ks_user }} + +{{- $serviceAccountName := "magnum-ks-user-domain" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: magnum-domain-ks-user +spec: + template: + metadata: + labels: +{{ tuple $envAll "magnum" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: magnum-ks-domain-user + image: {{ .Values.images.tags.ks_user }} + imagePullPolicy: {{ .Values.images.pull_policy }} + command: + - /tmp/ks-domain-user.sh + volumeMounts: + - name: ks-user-sh + mountPath: /tmp/ks-domain-user.sh + subPath: ks-domain-user.sh + readOnly: true + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: SERVICE_OS_SERVICE_NAME + 
value: "magnum" + - name: SERVICE_OS_REGION_NAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.identity.magnum_stack_user }} + key: OS_REGION_NAME + - name: SERVICE_OS_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.identity.magnum_stack_user }} + key: OS_DOMAIN_NAME + - name: SERVICE_OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.identity.magnum_stack_user }} + key: OS_USERNAME + - name: SERVICE_OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.identity.magnum_stack_user }} + key: OS_PASSWORD + - name: SERVICE_OS_ROLE + value: {{ .Values.endpoints.identity.auth.magnum_stack_user.role | quote }} + volumes: + - name: ks-user-sh + configMap: + name: magnum-bin + defaultMode: 0555 +{{- end }} diff --git a/magnum/templates/job-rabbit-init.yaml b/magnum/templates/job-rabbit-init.yaml index 758778519b..23bc8340e3 100644 --- a/magnum/templates/job-rabbit-init.yaml +++ b/magnum/templates/job-rabbit-init.yaml @@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} + {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "magnum" -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} diff --git a/magnum/templates/secret-keystone.yaml b/magnum/templates/secret-keystone.yaml index f5c4df5750..c508483376 100644 --- a/magnum/templates/secret-keystone.yaml +++ b/magnum/templates/secret-keystone.yaml 
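Review bot: The new Job is spelled four different ways (ServiceAccount `magnum-ks-user-domain`, Job `magnum-domain-ks-user`, container `magnum-ks-domain-user`, manifest flag `job_ks_user_domain`) and its pod labels reuse the `"ks-user"` component, so its pods may not be distinguishable by label from another job that uses that component. The `dependencies` lists in values.yaml refer to the Job by name, so one spelling throughout would make a mismatch easier to catch. For the labels, `{{ tuple $envAll "magnum" "ks-user-domain" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}` would separate the two. The container receives the Keystone admin openrc plus `SERVICE_OS_ROLE`, which defaults to `admin` in values.yaml, so a short header comment stating which account and role this Job provisions would make it easier to audit.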
@@ -27,4 +27,16 @@ type: Opaque data: {{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} {{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $envAll.Values.secrets.identity.magnum_stack_user }} +type: Opaque +data: + OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} + OS_REGION_NAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.region_name | b64enc | indent 4 }} + OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.domain_name | b64enc | indent 4 }} + OS_USERNAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.username | b64enc | indent 4 }} + OS_PASSWORD: {{ .Values.endpoints.identity.auth.magnum_stack_user.password | b64enc | indent 4 }} {{- end }} diff --git a/magnum/values.yaml b/magnum/values.yaml index a1f1bc16c0..2ada2ed7cb 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -111,6 +111,8 @@ conf: transport_url: null database: max_retries: -1 + trust: + trustee_domain_name: null keystone_authtoken: auth_type: password auth_version: v3 @@ -147,6 +149,7 @@ dependencies: jobs: - magnum-db-sync - magnum-ks-user + - magnum-domain-ks-user - magnum-ks-endpoints - magnum-rabbit-init services: @@ -160,6 +163,7 @@ dependencies: jobs: - magnum-db-sync - magnum-ks-user + - magnum-domain-ks-user - magnum-ks-endpoints - magnum-rabbit-init services: @@ -206,6 +210,7 @@ secrets: identity: admin: magnum-keystone-admin magnum: magnum-keystone-user + magnum_stack_user: magnum-keystone-stack-user oslo_db: admin: magnum-db-admin magnum: magnum-db-user @@ -236,6 +241,12 @@ endpoints: project_name: service user_domain_name: default project_domain_name: default + magnum_stack_user: + role: admin + region_name: RegionOne + username: magnum-domain + password: password + domain_name: magnum hosts: default: keystone-api public: keystone 
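Review bot: The five `data` entries of the added Secret are written as `{{ ... | b64enc | indent 4 }}` on the same line as the key, where `indent 4` only prepends spaces to an inline scalar and the encoded value is left unquoted. `b64enc` takes a string, so an operator override with a purely numeric password would fail the render instead of being encoded. `OS_PASSWORD: {{ .Values.endpoints.identity.auth.magnum_stack_user.password | toString | b64enc | quote }}` covers both, and the same form applies to the other four keys. The block also mixes `$envAll.Values` (in `metadata.name`) with bare `.Values`; using `$envAll` throughout would match the lines above it.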
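Review bot: The `magnum_stack_user` block added in the `@@ -236,6 +241,12 @@` hunk ships a fixed `password: password` together with `role: admin`, so a deployment that does not override it gets a privileged Keystone account with a publicly known credential. A comment on the block would make that explicit, e.g. `# Override password for any non-test deployment: default credential for the trustee domain admin`. Separately, the `@@ -111,6 +111,8 @@` hunk declares only `trust.trustee_domain_name: null`, although configmap-etc.yaml in this commit also reads `trustee_domain_admin_name` and `trustee_domain_admin_password`. Listing all three as `null` would document the keys an operator can override.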
@@ -446,6 +457,7 @@ manifests: job_db_drop: false job_ks_endpoints: true job_ks_service: true + job_ks_user_domain: true job_ks_user: true job_rabbit_init: true pdb_api: true