cli: set OpenStack service account credentials (#1328)

2024-10-01 01:36:09 -04:00 · 2023-03-03 10:10:36 +01:00 · 2023-03-03 10:10:36 +01:00 · 8aa42e30ad
commit 8aa42e30ad
parent 29664fc481
10 changed files with 79 additions and 23 deletions
--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@ -272,13 +272,14 @@ func (c *Creator) createOpenStack(ctx context.Context, cl terraformClient, confi
 			CountWorkers:       workerCount,
 			StateDiskSizeGB:    config.StateDiskSizeGB,
 		},
-		Cloud:            config.Provider.OpenStack.Cloud,
-		AvailabilityZone: config.Provider.OpenStack.AvailabilityZone,
-		FloatingIPPoolID: config.Provider.OpenStack.FloatingIPPoolID,
-		FlavorID:         config.Provider.OpenStack.FlavorID,
-		ImageURL:         image,
-		DirectDownload:   *config.Provider.OpenStack.DirectDownload,
-		Debug:            config.IsDebugCluster(),
+		Cloud:                        config.Provider.OpenStack.Cloud,
+		AvailabilityZone:             config.Provider.OpenStack.AvailabilityZone,
+		FloatingIPPoolID:             config.Provider.OpenStack.FloatingIPPoolID,
+		FlavorID:                     config.Provider.OpenStack.FlavorID,
+		ImageURL:                     image,
+		DirectDownload:               *config.Provider.OpenStack.DirectDownload,
+		OpenStackServiceAccountToken: config.Provider.OpenStack.ServiceAccountToken,
+		Debug:                        config.IsDebugCluster(),
 	}

 	if err := cl.PrepareWorkspace(path.Join("terraform", strings.ToLower(cloudprovider.OpenStack.String())), &vars); err != nil {
--- a/cli/internal/terraform/terraform/openstack/main.tf
+++ b/cli/internal/terraform/terraform/openstack/main.tf
@ -16,6 +16,10 @@ provider "openstack" {
  cloud = var.cloud
 }

+data "openstack_identity_auth_scope_v3" "scope" {
+  name = "scope"
+}
+
 locals {
  uid                    = random_id.uid.hex
  name                   = "${var.name}-${local.uid}"
@ -30,6 +34,15 @@ locals {
  ports_debugd           = "4000"
  cidr_vpc_subnet_nodes  = "192.168.178.0/24"
  tags                   = ["constellation-uid-${local.uid}"]
+  identity_service = [
+    for entry in data.openstack_identity_auth_scope_v3.scope.service_catalog :
+    entry if entry.type == "identity"
+  ][0]
+  identity_endpoint = [
+    for endpoint in local.identity_service.endpoints :
+    endpoint if(endpoint.interface == "internal")
+  ][0]
+  identity_internal_url = local.identity_endpoint.url
 }

 resource "random_id" "uid" {
@ -134,12 +147,14 @@ module "instance_group_control_plane" {
  security_groups = [
    openstack_compute_secgroup_v2.vpc_secgroup.id,
  ]
-  tags              = local.tags
-  uid               = local.uid
-  disk_size         = var.state_disk_size
-  availability_zone = var.availability_zone
-  network_id        = openstack_networking_network_v2.vpc_network.id
-  init_secret_hash  = local.initSecretHash
+  tags                            = local.tags
+  uid                             = local.uid
+  disk_size                       = var.state_disk_size
+  availability_zone               = var.availability_zone
+  network_id                      = openstack_networking_network_v2.vpc_network.id
+  init_secret_hash                = local.initSecretHash
+  identity_internal_url           = local.identity_internal_url
+  openstack_service_account_token = var.openstack_service_account_token
 }

 module "instance_group_worker" {
@ -154,10 +169,12 @@ module "instance_group_worker" {
  security_groups = [
    openstack_compute_secgroup_v2.vpc_secgroup.id,
  ]
-  disk_size         = var.state_disk_size
-  availability_zone = var.availability_zone
-  network_id        = openstack_networking_network_v2.vpc_network.id
-  init_secret_hash  = local.initSecretHash
+  disk_size                       = var.state_disk_size
+  availability_zone               = var.availability_zone
+  network_id                      = openstack_networking_network_v2.vpc_network.id
+  init_secret_hash                = local.initSecretHash
+  identity_internal_url           = local.identity_internal_url
+  openstack_service_account_token = var.openstack_service_account_token
 }

 resource "openstack_networking_floatingip_v2" "public_ip" {
--- a/cli/internal/terraform/terraform/openstack/modules/instance_group/main.tf
+++ b/cli/internal/terraform/terraform/openstack/modules/instance_group/main.tf
@ -51,6 +51,8 @@ resource "openstack_compute_instance_v2" "instance_group_member" {
    constellation-role             = local.role_dashed
    constellation-uid              = var.uid
    constellation-init-secret-hash = var.init_secret_hash
+    openstack-auth-url             = var.identity_internal_url
  }
+  user_data               = var.openstack_service_account_token
  availability_zone_hints = var.availability_zone
 }
--- a/cli/internal/terraform/terraform/openstack/modules/instance_group/variables.tf
+++ b/cli/internal/terraform/terraform/openstack/modules/instance_group/variables.tf
@ -61,3 +61,14 @@ variable "init_secret_hash" {
  type        = string
  description = "Hash of the init secret."
 }
+
+variable "identity_internal_url" {
+  type        = string
+  description = "Internal URL of the Identity service."
+}
+
+
+variable "openstack_service_account_token" {
+  type        = string
+  description = "OpenStack service account token."
+}
--- a/cli/internal/terraform/terraform/openstack/variables.tf
+++ b/cli/internal/terraform/terraform/openstack/variables.tf
@ -51,6 +51,12 @@ variable "floating_ip_pool_id" {
  description = "The pool (network name) to use for floating IPs."
 }

+variable "openstack_service_account_token" {
+  type        = string
+  description = "OpenStack service account token."
+}
+
+
 variable "debug" {
  type        = bool
  default     = false
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@ -233,6 +233,8 @@ type OpenStackClusterVariables struct {
 	ImageURL string
 	// DirectDownload decides whether to download the image directly from the URL to OpenStack or to upload it from the local machine.
 	DirectDownload bool
+	// OpenStackServiceAccountToken is the OpenStack service account token to use.
+	OpenStackServiceAccountToken string
 	// Debug is true if debug mode is enabled.
 	Debug bool
 }
@ -249,6 +251,7 @@ func (v *OpenStackClusterVariables) String() string {
 	writeLinef(b, "floating_ip_pool_id = %q", v.FloatingIPPoolID)
 	writeLinef(b, "image_url = %q", v.ImageURL)
 	writeLinef(b, "direct_download = %t", v.DirectDownload)
+	writeLinef(b, "openstack_service_account_token = %q", v.OpenStackServiceAccountToken)
 	writeLinef(b, "debug = %t", v.Debug)

 	return b.String()
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -238,6 +238,9 @@ type OpenStackConfig struct {
 	//   Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html
 	FloatingIPPoolID string `yaml:"floatingIPPoolID" validate:"required"`
 	// description: |
+	//   Service account token to use authenticate VMs with the OpenStack API. Alternatively leave empty and pass value via CONSTELL_OPENSTACK_SERVICE_ACCOUNT_TOKEN environment variable.
+	ServiceAccountToken string `yaml:"serviceAccountToken" validate:"required"`
+	// description: |
 	//   If enabled, downloads OS image directly from source URL to OpenStack. Otherwise, downloads image to local machine and uploads to OpenStack.
 	DirectDownload *bool `yaml:"directDownload" validate:"required"`
 }
@ -365,6 +368,11 @@ func New(fileHandler file.Handler, name string, force bool) (*Config, error) {
 		c.Provider.Azure.ClientSecretValue = clientSecretValue
 	}

+	serviceAccountToken := os.Getenv(constants.EnvVarOpenStackServiceAccountToken)
+	if serviceAccountToken != "" && c.Provider.OpenStack != nil {
+		c.Provider.OpenStack.ServiceAccountToken = serviceAccountToken
+	}
+
 	// Backwards compatibility: configs without the field `microserviceVersion` are valid in version 2.6.
 	// In case the field is not set in an old config we prefil it with the default value.
 	if c.MicroserviceVersion == "" {
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@ -330,7 +330,7 @@ func init() {
 			FieldName: "openstack",
 		},
 	}
-	OpenStackConfigDoc.Fields = make([]encoder.Doc, 5)
+	OpenStackConfigDoc.Fields = make([]encoder.Doc, 6)
 	OpenStackConfigDoc.Fields[0].Name = "cloud"
 	OpenStackConfigDoc.Fields[0].Type = "string"
 	OpenStackConfigDoc.Fields[0].Note = ""
@ -351,11 +351,16 @@ func init() {
 	OpenStackConfigDoc.Fields[3].Note = ""
 	OpenStackConfigDoc.Fields[3].Description = "Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html"
 	OpenStackConfigDoc.Fields[3].Comments[encoder.LineComment] = "Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html"
-	OpenStackConfigDoc.Fields[4].Name = "directDownload"
-	OpenStackConfigDoc.Fields[4].Type = "bool"
+	OpenStackConfigDoc.Fields[4].Name = "serviceAccountToken"
+	OpenStackConfigDoc.Fields[4].Type = "string"
 	OpenStackConfigDoc.Fields[4].Note = ""
-	OpenStackConfigDoc.Fields[4].Description = "If enabled, downloads OS image directly from source URL to OpenStack. Otherwise, downloads image to local machine and uploads to OpenStack."
-	OpenStackConfigDoc.Fields[4].Comments[encoder.LineComment] = "If enabled, downloads OS image directly from source URL to OpenStack. Otherwise, downloads image to local machine and uploads to OpenStack."
+	OpenStackConfigDoc.Fields[4].Description = "Service account token to use authenticate VMs with the OpenStack API. Alternatively leave empty and pass value via CONSTELL_OPENSTACK_SERVICE_ACCOUNT_TOKEN environment variable."
+	OpenStackConfigDoc.Fields[4].Comments[encoder.LineComment] = "Service account token to use authenticate VMs with the OpenStack API. Alternatively leave empty and pass value via CONSTELL_OPENSTACK_SERVICE_ACCOUNT_TOKEN environment variable."
+	OpenStackConfigDoc.Fields[5].Name = "directDownload"
+	OpenStackConfigDoc.Fields[5].Type = "bool"
+	OpenStackConfigDoc.Fields[5].Note = ""
+	OpenStackConfigDoc.Fields[5].Description = "If enabled, downloads OS image directly from source URL to OpenStack. Otherwise, downloads image to local machine and uploads to OpenStack."
+	OpenStackConfigDoc.Fields[5].Comments[encoder.LineComment] = "If enabled, downloads OS image directly from source URL to OpenStack. Otherwise, downloads image to local machine and uploads to OpenStack."

 	QEMUConfigDoc.Type = "QEMUConfig"
 	QEMUConfigDoc.Comments[encoder.LineComment] = "QEMUConfig holds config information for QEMU based Constellation deployments."
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -184,7 +184,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
 }

 func TestValidate(t *testing.T) {
-	const defaultErrCount = 24 // expect this number of error messages by default because user-specific values are not set and multiple providers are defined by default
+	const defaultErrCount = 25 // expect this number of error messages by default because user-specific values are not set and multiple providers are defined by default
 	const azErrCount = 9
 	const gcpErrCount = 6

--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -145,6 +145,9 @@ const (
 	// EnvVarAzureClientSecretValue is environment variable to overwrite
 	// provider.azure.clientSecretValue .
 	EnvVarAzureClientSecretValue = EnvVarPrefix + "AZURE_CLIENT_SECRET_VALUE"
+	// EnvVarOpenStackServiceAccountToken is environment variable to overwrite
+	// provider.openstack.serviceAccountToken .
+	EnvVarOpenStackServiceAccountToken = EnvVarPrefix + "OPENSTACK_SERVICE_ACCOUNT_TOKEN"
 	// EnvVarNoSpinner is environment variable used to disable the loading indicator (spinner)
 	// displayed in Constellation CLI. Any non-empty value, e.g., CONSTELL_NO_SPINNER=1,
 	// can be used to disable the spinner.