Add config for k8s-keystone-auth webhook

* Make keystone auth webhook configurable with a template label
* on by default
* Add unittests for k8s-keystone-auth config

magnum_capi_helm/conf.py

@@ -58,7 +58,7 @@
     ),
     cfg.StrOpt(
         "default_helm_chart_version",
-        default="0.1.4",
+        default="0.1.6",
         help=(
             "Version of the helm chart specified "
             "by the config: capi_driver.helm_chart_repo "

magnum_capi_helm/driver.py

@@ -561,6 +561,9 @@ def _get_kube_dash_enabled(self, cluster):
     def _get_autoheal_enabled(self, cluster):
         return self._get_label_bool(cluster, "auto_healing_enabled", True)
 
+    def _get_k8s_keystone_auth_enabled(self, cluster):
+        return self._get_label_bool(cluster, "keystone_auth_enabled", True)
+
     def _get_fixed_network_id(self, context, cluster):
         network = cluster.fixed_network
         if not network:
@@ -685,6 +688,26 @@ def _update_helm_release(self, context, cluster, nodegroups=None):
             }
             values = helm.mergeconcat(values, network_details)
 
+        # CatalystCloud: K8s keystone auth webhook
+        if self._get_k8s_keystone_auth_enabled(cluster):
+            k8s_keystone_auth_config = {
+                "authWebhook": "k8s-keystone-auth",
+                "openstack": {
+                    "k8sKeystoneAuth": {  # addon subchart configuration
+                        "enabled": True,
+                        "values": {
+                            "openstackAuthUrl": context.auth_url,
+                            "projectId": context.project_id,
+                        },
+                    }
+                },
+            }
+            values = helm.mergeconcat(values, k8s_keystone_auth_config)
+            LOG.debug(
+                "Enable K8s keystone auth webhook for"
+                f" project: {context.project_id} auth url: {context.auth_url}"
+            )
+
         self._helm_client.install_or_upgrade(
             self._get_chart_release_name(cluster),
             CONF.capi_helm.helm_chart_name,

magnum_capi_helm/tests/test_driver.py

@@ -25,7 +25,6 @@
 from magnum_capi_helm import helm
 from magnum_capi_helm import kubernetes
 
-
 CONF = conf.CONF
 
 
@@ -1187,6 +1186,9 @@ def _get_cluster_helm_standard_values(self):
             "machineSSHKeyName": None,
         }
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(neutron, "get_network", autospec=True)
     @mock.patch.object(
         driver.Driver, "_ensure_certificate_secrets", autospec=True
@@ -1203,6 +1205,7 @@ def test_create_cluster(
         mock_appcred,
         mock_certs,
         mock_get_net,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = (
             "imageid1",
@@ -1243,6 +1246,9 @@ def test_create_cluster(
         )
         self.assertEqual([], mock_get_net.call_args_list)
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(
         driver.Driver, "_ensure_certificate_secrets", autospec=True
     )
@@ -1257,6 +1263,7 @@ def test_create_cluster_no_dns(
         mock_load,
         mock_appcred,
         mock_certs,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = ("imageid1", "1.27.4", "ubuntu")
         mock_client = mock.MagicMock(spec=kubernetes.Client)
@@ -1292,6 +1299,9 @@ def test_create_cluster_no_dns(
             self.driver, self.context, self.cluster_obj
         )
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(
         driver.Driver, "_ensure_certificate_secrets", autospec=True
     )
@@ -1306,6 +1316,7 @@ def test_create_cluster_boot_volume(
         mock_load,
         mock_appcred,
         mock_certs,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = ("imageid1", "1.27.4", "ubuntu")
         mock_client = mock.MagicMock(spec=kubernetes.Client)
@@ -1350,6 +1361,9 @@ def test_create_cluster_boot_volume(
             self.driver, self.context, self.cluster_obj
         )
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(
         driver.Driver, "_ensure_certificate_secrets", autospec=True
     )
@@ -1364,6 +1378,7 @@ def test_create_cluster_boot_volume_extra_network(
         mock_load,
         mock_appcred,
         mock_certs,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = (
             "imageid1",
@@ -1424,6 +1439,9 @@ def test_create_cluster_boot_volume_extra_network(
             self.driver, self.context, self.cluster_obj
         )
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(driver.Driver, "_ensure_certificate_secrets")
     @mock.patch.object(driver.Driver, "_create_appcred_secret")
     @mock.patch.object(kubernetes.Client, "load")
@@ -1436,6 +1454,7 @@ def test_create_cluster_with_keypair(
         mock_load,
         mock_appcred,
         mock_certs,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = (
             "imageid1",
@@ -1469,6 +1488,9 @@ def test_create_cluster_with_keypair(
         mock_appcred.assert_called_once_with(self.context, self.cluster_obj)
         mock_certs.assert_called_once_with(self.context, self.cluster_obj)
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(driver.Driver, "_ensure_certificate_secrets")
     @mock.patch.object(driver.Driver, "_create_appcred_secret")
     @mock.patch.object(kubernetes.Client, "load")
@@ -1481,6 +1503,7 @@ def test_create_cluster_flatcar(
         mock_load,
         mock_appcred,
         mock_certs,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = (
             "imageid1",
@@ -1510,6 +1533,9 @@ def test_create_cluster_flatcar(
         mock_appcred.assert_called_once_with(self.context, self.cluster_obj)
         mock_certs.assert_called_once_with(self.context, self.cluster_obj)
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
     @mock.patch.object(
         driver.Driver, "_ensure_certificate_secrets", autospec=True
     )
@@ -1524,6 +1550,7 @@ def test_create_cluster_no_autoheal(
         mock_load,
         mock_appcred,
         mock_certs,
+        mock_get_keystone_auth_enabled,
     ):
         mock_image.return_value = ("imageid1", "1.27.4", "ubuntu")
         mock_client = mock.MagicMock(spec=kubernetes.Client)
@@ -1733,6 +1760,81 @@ def test_delete_nodegroup(self, mock_update):
             mock_update.call_args.args[2][0].as_dict(),
         )
 
+    @mock.patch.object(
+        driver.Driver, "_get_k8s_keystone_auth_enabled", return_value=False
+    )
+    @mock.patch.object(neutron, "get_network", autospec=True)
+    @mock.patch.object(
+        driver.Driver, "_ensure_certificate_secrets", autospec=True
+    )
+    @mock.patch.object(driver.Driver, "_create_appcred_secret", autospec=True)
+    @mock.patch.object(kubernetes.Client, "load", autospec=True)
+    @mock.patch.object(driver.Driver, "_get_image_details", autospec=True)
+    @mock.patch.object(helm.Client, "install_or_upgrade", autospec=True)
+    def test_k8s_keystone_auth_not_enabled(
+        self,
+        mock_install,
+        mock_image,
+        mock_load,
+        mock_appcred,
+        mock_certs,
+        mock_get_net,
+        mock_get_keystone_auth_enabled,
+    ):
+        mock_image.return_value = (
+            "imageid1",
+            "1.27.4",
+            "ubuntu",
+        )
+        mock_client = mock.MagicMock(spec=kubernetes.Client)
+        mock_load.return_value = mock_client
+        mock_get_net.side_effect = (
+            lambda c, net, source, target, external: f"{net}-{external}"
+        )
+        self.driver._update_helm_release(self.context, self.cluster_obj)
+        mock_install.assert_called()
+        values = mock_install.call_args.args[3]
+        # self.assertIn("kubernetesVersion", values)
+        # print("values: %s" % values["kubernetesVersion"])
+        self.assertNotIn("authWebhook", values)
+
+    @mock.patch.object(neutron, "get_network", autospec=True)
+    @mock.patch.object(
+        driver.Driver, "_ensure_certificate_secrets", autospec=True
+    )
+    @mock.patch.object(driver.Driver, "_create_appcred_secret", autospec=True)
+    @mock.patch.object(kubernetes.Client, "load", autospec=True)
+    @mock.patch.object(driver.Driver, "_get_image_details", autospec=True)
+    @mock.patch.object(helm.Client, "install_or_upgrade", autospec=True)
+    def test_k8s_keystone_auth_enabled(
+        self,
+        mock_install,
+        mock_image,
+        mock_load,
+        mock_appcred,
+        mock_certs,
+        mock_get_net,
+    ):
+        # CONF.capi_helm.k8s_keystone_auth_enabled = True
+        mock_image.return_value = (
+            "imageid1",
+            "1.27.4",
+            "ubuntu",
+        )
+        mock_client = mock.MagicMock(spec=kubernetes.Client)
+        mock_load.return_value = mock_client
+        mock_get_net.side_effect = (
+            lambda c, net, source, target, external: f"{net}-{external}"
+        )
+        self.driver._update_helm_release(self.context, self.cluster_obj)
+        mock_install.assert_called()
+        values = mock_install.call_args.args[3]
+        # self.assertIn("kubernetesVersion", values)
+        # print("values: %s" % values["kubernetesVersion"])
+        self.assertIn("authWebhook", values)
+        k8s_keystone_auth_conf = values["openstack"]["k8sKeystoneAuth"]
+        self.assertEqual(k8s_keystone_auth_conf["enabled"], True)
+
     def test_create_federation(self):
         self.assertRaises(
             NotImplementedError,