openstack

package
v0.1.44 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 18, 2024 License: Apache-2.0 Imports: 52 Imported by: 0

README

Unikorn OpenStack Provider

Provides a driver for OpenStack based regions.

Initial Setup

It is envisaged that an OpenStack cluster may be used for things other than the exclusive use of Unikorn, and as such it tries to respect this as much as possible. We also operate under the principle of least privilege, so don't want to have a full admin credential alyng around.

In particular we want to allow different instances of Unikorn to cohabit to support, for example, staging environments.

We need a number of policies installing to function correctly. Follow the instructions in the Unikorn OpenStack Policy repository to install them.

OpenStack Platform Configuration

Start by selecting a unique name that will be used for the deployment's name, project, and domain:

export USER=unikorn-staging
export DOMAIN=unikorn-staging
export PROJECT=unikorn-default
export PASSWORD=$(apg -n 1 -m 24)
Create the domain.

The use of project domains for projects deployed to provision Kubernetes cluster achieves a few aims. First namespace isolation. Second is a security consideration. It is dangerous, anecdotally, to have a privileged process that has the power of deletion. By limiting the scope of list operations to that of the project domain we limit our impact on other tenants on the system. A domain may also aid in simplifying operations like auditing and capacity planning.

DOMAIN_ID=$(openstack domain create ${DOMAIN} -f json | jq -r .id)
Create the project.

As the OpenStack provider for the region controller also functions as a client in order to retrieve information such as available images, flavors, and so on it also needs to be associated with a project so that the default policy for various API requests is correctly satisfied:

PROJECT_ID=$(openstack project create $PROJECT --domain $DOMAIN -f json | jq -r .id)
Create the user.
USER_ID=$(openstack user create --domain ${DOMAIN_ID} --password ${PASSWORD} ${USER} -f json | jq -r .id)
Grant any roles to the user.

When a Kubernetes cluster is provisioned, it will be done using application credentials, so ensure any required application credentials as configured for the region are explicitly associated with the user here.

[!NOTE] It may be necessary to add the _member_ role on older OpenStack deployments where Neutron requires it to function.

for role in member load-balancer_member manager; do
	openstack role add --user ${USER_ID} --domain ${DOMAIN_ID} ${role}
done

Grant the member role on the project we created in a previous step:

openstack role add --user ${USER_ID} --project ${PROJECT_ID} member
Unikorn Configuration

When we create a Region of type openstack, it will require a secret that contains credentials. This can be configured as follows.

kubectl create secret generic -n unikorn-region gb-north-1-credentials \
    --from-literal=domain-id=${DOMAIN_ID} \
    --from-literal=project-id=${PROJECT_ID} \
    --from-literal=user-id=${USER_ID} \
    --from-literal=password=${PASSWORD}

Finally we can create the region itself, although this should be statically configured via Helm. For additional configuration options for individual OpenStack services, consult kubectl explain regions.region.unikorn-cloud.org for documentation.

apiVersion: region.unikorn-cloud.org/v1alpha1
kind: Region
metadata:
  # Use "uuidgen -r" to select a random ID, this MUST start with a character a-f.
  namespace: unikorn-region
  name: c7e8492f-c320-4278-8201-48cd38fed38b
  labels:
    unikorn-cloud.org/name: gb-north-1
spec:
  provider: openstack
  openstack:
    endpoint: https://openstack.gb-north-1.unikorn-cloud.org:5000
    serviceAccountSecret:
      namespace: unikorn
      name: gb-north-1-credentials

Cleanup actions.

unset DOMAIN
unset DOMAIN_ID
unset USER
unset USER_ID
unset PASSWORD
unset PROJECT
unset PROJECT_ID

Documentation

Index

Constants

View Source 
const (
	// Projects are randomly named to avoid clashes, so we need to add some tags
	// in order to be able to reason about who they really belong to.  It is also
	// useful to have these in place so we can spot orphaned resources and garbage
	// collect them.
	OrganizationTag = "organization"
	ProjectTag      = "project"
)

Variables

View Source 
var (
	// ErrPEMDecode is raised when the PEM decode failed for some reason.
	ErrPEMDecode = errors.New("PEM decode error")

	// ErrPEMType is raised when the encounter the wrong PEM type, e.g. PKCS#1.
	ErrPEMType = errors.New("PEM type unsupported")

	// ErrKeyType is raised when we encounter an unsupported key type.
	ErrKeyType = errors.New("key type unsupported")
)
View Source 
var (
	// ErrConfiguration is raised when a feature requires additional configuration
	// and none is provided for the region.
	ErrConfiguration = errors.New("required configuration missing")

	// ErrUnsufficentResource is retuend when we've run out of space.
	ErrUnsufficentResource = errors.New("unsufficient resource for request")
)
View Source 
var (
	ErrKeyUndefined = errors.New("a required key was not defined")
)
View Source 
var (
	// ErrResourceNotFound is returned when a named resource cannot
	// be looked up (we have to do it ourselves) and it cannot be found.
	ErrResourceNotFound = errors.New("requested resource not found")
)

Functions

This section is empty.

Types

type ApplicationCredentialProvider 

type ApplicationCredentialProvider struct {
	// contains filtered or unexported fields
}

ApplicationCredentialProvider allows use of an application credential.

func NewApplicationCredentialProvider 

func NewApplicationCredentialProvider(endpoint, id, secret string) *ApplicationCredentialProvider

NewApplicationCredentialProvider creates a client that comsumes application credentials for authentication.

func (*ApplicationCredentialProvider) Client 

func (p *ApplicationCredentialProvider) Client(ctx context.Context) (*gophercloud.ProviderClient, error)

Client implements the Provider interface.

type BlockStorageClient 

type BlockStorageClient struct {
	// contains filtered or unexported fields
}

BlockStorageClient wraps the generic client because gophercloud is unsafe.

func NewBlockStorageClient 

func NewBlockStorageClient(ctx context.Context, provider CredentialProvider) (*BlockStorageClient, error)

NewBlockStorageClient provides a simple one-liner to start computing.

func (*BlockStorageClient) AvailabilityZones 

func (c *BlockStorageClient) AvailabilityZones(ctx context.Context) ([]availabilityzones.AvailabilityZone, error)

AvailabilityZones retrieves block storage availability zones.

func (*BlockStorageClient) UpdateQuotas added in v0.1.42 

func (c *BlockStorageClient) UpdateQuotas(ctx context.Context, projectID string) error

type ComputeClient 

type ComputeClient struct {
	// contains filtered or unexported fields
}

ComputeClient wraps the generic client because gophercloud is unsafe.

func NewComputeClient 

func NewComputeClient(ctx context.Context, provider CredentialProvider, options *unikornv1.RegionOpenstackComputeSpec) (*ComputeClient, error)

NewComputeClient provides a simple one-liner to start computing.

func (*ComputeClient) AvailabilityZones 

func (c *ComputeClient) AvailabilityZones(ctx context.Context) ([]availabilityzones.AvailabilityZone, error)

AvailabilityZones returns a list of availability zones.

func (*ComputeClient) CreateKeypair added in v0.1.37 

func (c *ComputeClient) CreateKeypair(ctx context.Context, name, publicKey string) error

CreateKeypair creates a new keypair. NOTE: while OpenStack can generate one for us, we have far more control doing it ourselves thus allowing us to impose stricter security, and it's more provider agnostic that way.

func (*ComputeClient) CreateServerGroup 

func (c *ComputeClient) CreateServerGroup(ctx context.Context, name string) (*servergroups.ServerGroup, error)

CreateServerGroup creates the named server group with the given policy and returns the result.

func (*ComputeClient) DeleteKeypair added in v0.1.37 

func (c *ComputeClient) DeleteKeypair(ctx context.Context, name string) error

func (*ComputeClient) DeleteServerGroup added in v0.1.30 

func (c *ComputeClient) DeleteServerGroup(ctx context.Context, id string) error

DeleteServerGroup removes a server group, this exists because nova does do any cleanup on project deletion and just orphans the resource.

func (*ComputeClient) Flavors 

func (c *ComputeClient) Flavors(ctx context.Context) ([]flavors.Flavor, error)

Flavors returns a list of flavors.

func (*ComputeClient) KeyPairs 

func (c *ComputeClient) KeyPairs(ctx context.Context) ([]keypairs.KeyPair, error)

KeyPairs returns a list of key pairs.

func (*ComputeClient) UpdateQuotas added in v0.1.39 

func (c *ComputeClient) UpdateQuotas(ctx context.Context, projectID string) error

type CreateTokenOptions 

type CreateTokenOptions interface {
	// Options returns a valid set of authentication options.
	Options() *tokens.AuthOptions
}

CreateTokenOptions abstracts away how schizophrenic Openstack is with its million options and million ways to fuck it up.

type CreateTokenOptionsScopedToken 

type CreateTokenOptionsScopedToken struct {
	// contains filtered or unexported fields
}

CreateTokenOptionsScopedToken is typically used to upgrade from an unscoped password passed login to a project scoped one once you have determined a valid project.

func NewCreateTokenOptionsScopedToken 

func NewCreateTokenOptionsScopedToken(token, projectID string) *CreateTokenOptionsScopedToken

NewCreateTokenOptionsScopedToken returns a new instance of project scoped token options.

func (*CreateTokenOptionsScopedToken) Options 

func (o *CreateTokenOptionsScopedToken) Options() *tokens.AuthOptions

Options implements the CreateTokenOptions interface.

type CreateTokenOptionsUnscopedPassword 

type CreateTokenOptionsUnscopedPassword struct {
	// contains filtered or unexported fields
}

CreateTokenOptionsUnscopedPassword is typically used when logging on to a UI when you don't know anything other than username/password.

func NewCreateTokenOptionsUnscopedPassword 

func NewCreateTokenOptionsUnscopedPassword(domain, username, password string) *CreateTokenOptionsUnscopedPassword

NewCreateTokenOptionsUnscopedPassword returns a new instance of unscoped username/password options.

func (*CreateTokenOptionsUnscopedPassword) Options 

func (o *CreateTokenOptionsUnscopedPassword) Options() *tokens.AuthOptions

Options implements the CreateTokenOptions interface.

type CredentialProvider 

type CredentialProvider interface {
	// Client returns a new provider client.
	Client(ctx context.Context) (*gophercloud.ProviderClient, error)
}

CredentialProvider abstracts authentication methods.

type DomainScopedPasswordProvider 

type DomainScopedPasswordProvider struct {
	// contains filtered or unexported fields
}

DomainScopedPasswordProvider allows use of an application credential.

func NewDomainScopedPasswordProvider 

func NewDomainScopedPasswordProvider(endpoint, userID, password, domainID string) *DomainScopedPasswordProvider

NewDomainScopedPasswordProvider creates a client that consumes passwords for authentication.

func (*DomainScopedPasswordProvider) Client 

func (p *DomainScopedPasswordProvider) Client(ctx context.Context) (*gophercloud.ProviderClient, error)

Client implements the Provider interface.

type IdentityClient 

type IdentityClient struct {
	// contains filtered or unexported fields
}

IdentityClient wraps up gophercloud identity management.

func NewIdentityClient 

func NewIdentityClient(ctx context.Context, provider CredentialProvider) (*IdentityClient, error)

NewIdentityClient returns a new identity client.

func (*IdentityClient) CreateApplicationCredential 

func (c *IdentityClient) CreateApplicationCredential(ctx context.Context, userID, name, description string, roles []string) (*applicationcredentials.ApplicationCredential, error)

CreateApplicationCredential creates an application credential for the user.

func (*IdentityClient) CreateProject 

func (c *IdentityClient) CreateProject(ctx context.Context, domainID, name string, tags []string) (*projects.Project, error)

CreateProject creates the named project.

func (*IdentityClient) CreateRoleAssignment 

func (c *IdentityClient) CreateRoleAssignment(ctx context.Context, userID, projectID, roleID string) error

CreateRoleAssignment creates a role between a user and a project.

func (*IdentityClient) CreateToken 

func (c *IdentityClient) CreateToken(ctx context.Context, options CreateTokenOptions) (*tokens.Token, *tokens.User, error)

CreateToken issues a new token.

func (*IdentityClient) CreateUser 

func (c *IdentityClient) CreateUser(ctx context.Context, domainID, name, password string) (*users.User, error)

CreateUser creates a new user.

func (*IdentityClient) DeleteApplicationCredential 

func (c *IdentityClient) DeleteApplicationCredential(ctx context.Context, userID, id string) error

DeleteApplicationCredential deletes an application credential for the user.

func (*IdentityClient) DeleteProject 

func (c *IdentityClient) DeleteProject(ctx context.Context, projectID string) error

func (*IdentityClient) DeleteUser 

func (c *IdentityClient) DeleteUser(ctx context.Context, userID string) error

DeleteUser removes an existing user.

func (*IdentityClient) ListApplicationCredentials 

func (c *IdentityClient) ListApplicationCredentials(ctx context.Context, userID string) ([]applicationcredentials.ApplicationCredential, error)

ListApplicationCredentials lists application credentials for the scoped user.

func (*IdentityClient) ListAvailableProjects 

func (c *IdentityClient) ListAvailableProjects(ctx context.Context) ([]projects.Project, error)

ListAvailableProjects lists projects that an authenticated (but unscoped) user can scope to.

func (*IdentityClient) ListRoles 

func (c *IdentityClient) ListRoles(ctx context.Context) ([]roles.Role, error)

ListRoles grabs a set of roles that are on the provider.

type ImageClient 

type ImageClient struct {
	// contains filtered or unexported fields
}

ImageClient wraps the generic client because gophercloud is unsafe.

func NewImageClient 

func NewImageClient(ctx context.Context, provider CredentialProvider, options *unikornv1.RegionOpenstackImageSpec) (*ImageClient, error)

NewImageClient provides a simple one-liner to start computing.

func (*ImageClient) Images 

func (c *ImageClient) Images(ctx context.Context) ([]images.Image, error)

Images returns a list of images.

type NetworkClient 

type NetworkClient struct {
	// contains filtered or unexported fields
}

NetworkClient wraps the generic client because gophercloud is unsafe.

func NewNetworkClient 

func NewNetworkClient(ctx context.Context, provider CredentialProvider, options *unikornv1.RegionOpenstackNetworkSpec) (*NetworkClient, error)

NewNetworkClient provides a simple one-liner to start networking.

func NewTestNetworkClient added in v0.1.18 

func NewTestNetworkClient(options *unikornv1.RegionOpenstackNetworkSpec) *NetworkClient

func (*NetworkClient) AddRouterInterface added in v0.1.34 

func (c *NetworkClient) AddRouterInterface(ctx context.Context, routerID, subnetID string) error

func (*NetworkClient) CreateRouter added in v0.1.34 

func (c *NetworkClient) CreateRouter(ctx context.Context, name string) (*routers.Router, error)

func (*NetworkClient) CreateSubnet added in v0.1.34 

func (c *NetworkClient) CreateSubnet(ctx context.Context, name, networkID, prefix string, dnsNameservers []string) (*subnets.Subnet, error)

func (*NetworkClient) CreateVLANProviderNetwork added in v0.1.17 

func (c *NetworkClient) CreateVLANProviderNetwork(ctx context.Context, name string, vlanID int) (*networks.Network, error)

CreateVLANProviderNetwork creates a VLAN provider network for a project. This requires https://github.com/unikorn-cloud/python-unikorn-openstack-policy to be installed, see the README for further details on how this has to work.

func (*NetworkClient) DeleteRouter added in v0.1.34 

func (c *NetworkClient) DeleteRouter(ctx context.Context, id string) error

func (*NetworkClient) DeleteSubnet added in v0.1.34 

func (c *NetworkClient) DeleteSubnet(ctx context.Context, id string) error

func (*NetworkClient) DeleteVLANProviderNetwork added in v0.1.34 

func (c *NetworkClient) DeleteVLANProviderNetwork(ctx context.Context, id string) error

func (*NetworkClient) ExternalNetworks 

func (c *NetworkClient) ExternalNetworks(ctx context.Context) ([]networks.Network, error)

ExternalNetworks returns a list of external networks.

func (*NetworkClient) RemoveRouterInterface added in v0.1.34 

func (c *NetworkClient) RemoveRouterInterface(ctx context.Context, routerID, subnetID string) error

type PasswordProvider 

type PasswordProvider struct {
	// contains filtered or unexported fields
}

PasswordProvider allows use of an application credential.

func NewPasswordProvider 

func NewPasswordProvider(endpoint, userID, password, projectID string) *PasswordProvider

NewPasswordProvider creates a client that comsumes passwords for authentication.

func (*PasswordProvider) Client 

func (p *PasswordProvider) Client(ctx context.Context) (*gophercloud.ProviderClient, error)

Client implements the Provider interface.

type Provider 

type Provider struct {
	// contains filtered or unexported fields
}

func New 

func New(ctx context.Context, cli client.Client, region *unikornv1.Region) (*Provider, error)

func (*Provider) CreateIdentity added in v0.1.2 

func (p *Provider) CreateIdentity(ctx context.Context, identity *unikornv1.Identity) error

CreateIdentity creates a new identity for cloud infrastructure.

func (*Provider) CreatePhysicalNetwork added in v0.1.18 

func (p *Provider) CreatePhysicalNetwork(ctx context.Context, identity *unikornv1.Identity, physicalNetwork *unikornv1.PhysicalNetwork) error

CreatePhysicalNetwork creates a physical network for an identity.

func (*Provider) DeleteIdentity added in v0.1.4 

func (p *Provider) DeleteIdentity(ctx context.Context, identity *unikornv1.Identity) error

DeleteIdentity cleans up an identity for cloud infrastructure.

func (*Provider) DeletePhysicalNetwork added in v0.1.34 

func (p *Provider) DeletePhysicalNetwork(ctx context.Context, identity *unikornv1.Identity, physicalNetwork *unikornv1.PhysicalNetwork) error

DeletePhysicalNetwork deletes a physical network.

func (*Provider) Flavors 

func (p *Provider) Flavors(ctx context.Context) (providers.FlavorList, error)

Flavors list all available flavors.

func (*Provider) GetOpenstackIdentity added in v0.1.33 

func (p *Provider) GetOpenstackIdentity(ctx context.Context, identity *unikornv1.Identity) (*unikornv1.OpenstackIdentity, error)

func (*Provider) GetOpenstackPhysicalNetwork added in v0.1.34 

func (p *Provider) GetOpenstackPhysicalNetwork(ctx context.Context, physicalNetwork *unikornv1.PhysicalNetwork) (*unikornv1.OpenstackPhysicalNetwork, error)

func (*Provider) GetOrCreateOpenstackIdentity added in v0.1.33 

func (p *Provider) GetOrCreateOpenstackIdentity(ctx context.Context, identity *unikornv1.Identity) (*unikornv1.OpenstackIdentity, bool, error)

func (*Provider) GetOrCreateOpenstackPhysicalNetwork added in v0.1.34 

func (p *Provider) GetOrCreateOpenstackPhysicalNetwork(ctx context.Context, identity *unikornv1.Identity, physicalNetwork *unikornv1.PhysicalNetwork) (*unikornv1.OpenstackPhysicalNetwork, bool, error)

func (*Provider) Images 

func (p *Provider) Images(ctx context.Context) (providers.ImageList, error)

Images lists all available images.

func (*Provider) ListExternalNetworks added in v0.1.3 

func (p *Provider) ListExternalNetworks(ctx context.Context) (providers.ExternalNetworks, error)

ListExternalNetworks returns a list of external networks if the platform supports such a concept.

func (*Provider) Region added in v0.1.33 

func (p *Provider) Region(ctx context.Context) (*unikornv1.Region, error)

Region returns the provider's region.

type TokenProvider 

type TokenProvider struct {
	// contains filtered or unexported fields
}

TokenProvider creates a client from an endpoint and token.

func NewTokenProvider 

func NewTokenProvider(endpoint, token string) *TokenProvider

NewTokenProvider returns a new initialized provider.

func (*TokenProvider) Client 

func (p *TokenProvider) Client(ctx context.Context) (*gophercloud.ProviderClient, error)

Client implements the Provider interface.

type UnauthenticatedProvider 

type UnauthenticatedProvider struct {
	// contains filtered or unexported fields
}

UnauthenticatedProvider is used for token issue.

func NewUnauthenticatedProvider 

func NewUnauthenticatedProvider(endpoint string) *UnauthenticatedProvider

NewTokenProvider returns a new initialized provider.

func (*UnauthenticatedProvider) Client 

func (p *UnauthenticatedProvider) Client(ctx context.Context) (*gophercloud.ProviderClient, error)

Client implements the Provider interface.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.