diff --git a/heat/templates/bin/_trusts.sh.tpl b/heat/templates/bin/_trusts.sh.tpl
new file mode 100644
index 0000000000..0e1e2e5ea1
--- /dev/null
+++ b/heat/templates/bin/_trusts.sh.tpl
@@ -0,0 +1,49 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -ex
+
+# Get IDs for filtering
+OS_PROJECT_ID=$(openstack project show -f value -c id ${OS_PROJECT_NAME})
+OS_USER_ID=$(openstack user show -f value -c id ${OS_USERNAME})
+SERVICE_OS_TRUSTEE_ID=$(openstack user show -f value -c id ${SERVICE_OS_TRUSTEE})
+
+# Check if trust doesn't already exist
+openstack trust list -f value -c "Project ID" \
+ -c "Trustee User ID" -c "Trustor User ID" | \
+ grep "^${OS_PROJECT_ID} ${SERVICE_OS_TRUSTEE_ID} ${OS_USER_ID}$" && \
+ exit 0
+
+# If there are no roles specified...
+if [ -z "${SERVICE_OS_ROLES}" ]; then
+ # ...Heat will try to delegate all of the roles that user has in the
+ # project. Let's fetch them all and use that.
+ readarray -t roles < <(openstack role assignment list -f value \
+ -c "Role" --user="${OS_USERNAME}" --project="${OS_PROJECT_ID}")
+else
+ # Split roles into an array
+ IFS=',' read -r -a roles <<< "${SERVICE_OS_ROLES}"
+fi
+
+# Create trust between trustor and trustee
+SERVICE_OS_TRUST_ID=$(openstack trust create -f value -c id \
+ --project="${OS_PROJECT_NAME}" \
+ ${roles[@]/#/--role=} \
+ "${OS_USERNAME}" \
+ "${SERVICE_OS_TRUSTEE}")
+
+# Display trust
+openstack trust show "${SERVICE_OS_TRUST_ID}"
diff --git a/heat/templates/configmap-bin.yaml b/heat/templates/configmap-bin.yaml
index f1373fd6ca..a913b23ed2 100644
--- a/heat/templates/configmap-bin.yaml
+++ b/heat/templates/configmap-bin.yaml
@@ -38,6 +38,8 @@ data:
{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
ks-domain-user.sh: |+
{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+ trusts.sh: |+
+{{ tuple "bin/_trusts.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
heat-api.sh: |
{{ tuple "bin/_heat-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
heat-cfn.sh: |
diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml
new file mode 100644
index 0000000000..14f7b2ab22
--- /dev/null
+++ b/heat/templates/job-trusts.yaml
@@ -0,0 +1,54 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.trusts }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-trusts
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-trusts
+ image: {{ $envAll.Values.images.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.trusts | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - bash
+ - /tmp/trusts.sh
+ volumeMounts:
+ - name: heat-bin
+ mountPath: /tmp/trusts.sh
+ subPath: trusts.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ value: {{ .Values.conf.heat.default.heat.common.config.trusts_delegated_roles }}
+ - name: SERVICE_OS_TRUSTEE
+ value: {{ .Values.endpoints.identity.auth.trustee.username }}
+ volumes:
+ - name: heat-bin
+ configMap:
+ name: heat-bin
diff --git a/heat/values.yaml b/heat/values.yaml
index 0fc275ec88..2f8304cc1c 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Default values for keystone.
+# Default values for heat.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
@@ -52,7 +52,7 @@ conf:
common:
config:
num_engine_workers: 4
- trusts_delegated_roles: _member_
+ trusts_delegated_roles: ""
keystone_authtoken:
keystonemiddleware:
auth_token:
@@ -62,7 +62,6 @@ conf:
heat:
common:
context:
- auth_section: trustee
auth_type: password
auth_version: v3
heat_api:
@@ -148,6 +147,12 @@ dependencies:
services:
- service: identity
endpoint: internal
+ trusts:
+ jobs:
+ - heat-ks-user
+ services:
+ - service: identity
+ endpoint: internal
api:
jobs:
- heat-db-sync
@@ -233,7 +238,7 @@ endpoints:
stack_user:
role: admin
region_name: RegionOne
- username: heat-trust
+ username: heat-domain
password: password
domain_name: heat
hosts:
@@ -456,6 +461,13 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
+ trusts:
+ requests:
+ memory: "124Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
manifests:
configmap_bin: true
diff --git a/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
index 6531e92686..e80c0f6963 100644
--- a/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
+++ b/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -56,9 +56,7 @@ openstack user show "${SERVICE_OS_USERID}"
# Manage role
SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
- --domain="${SERVICE_OS_DOMAIN_ID}" \
"${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
- --domain="${SERVICE_OS_DOMAIN_ID}" \
"${SERVICE_OS_ROLE}" )
# Manage user role assignment