File 0002-fix-bad-scope-for-cert-generation.patch of Package openstack-magnum
From ffdb1144535d80d64757e845d5f200140368099d Mon Sep 17 00:00:00 2001
From: Joshua Hesketh <josh@nitrotech.org>
Date: Fri, 16 Feb 2018 16:19:05 +1100
Subject: Do not scope to OS-TRUST when no TRUST_ID is given
When cluster_user_trust is False, no TRUST_ID is set, causing an invalid
request to be sent to keystone. If no TRUST_ID is given, it is sufficient
to authenticate with just the user/password, provided magnum is configured
with a project_domain_name and user_domain_name.
Change-Id: Ieb1e42d0f8c16eaed276e57e05833c624573ac7c
---
.../templates/fragments/make-cert-client.sh | 27 ++++++++++++++++++++--
.../templates/fragments/make-cert.sh | 27 ++++++++++++++++++++--
2 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert-client.sh b/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert-client.sh
index 24f35d6..40e67ff 100644
--- a/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert-client.sh
+++ b/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert-client.sh
@@ -34,8 +34,30 @@ CLIENT_CSR=$cert_dir/client.csr
CLIENT_KEY=$cert_dir/client.key
KUBE_MASTER_URI="https://$KUBE_MASTER_IP:$KUBE_API_PORT"
-#Get a token by user credentials and trust
-auth_json=$(cat << EOF
+
+if [ -z $TRUST_ID ]; then
+ # Get a token without scoped TRUST (eg when cluster_user_trust is off)
+ auth_json=$(cat << EOF
+{
+ "auth": {
+ "identity": {
+ "methods": [
+ "password"
+ ],
+ "password": {
+ "user": {
+ "id": "$TRUSTEE_USER_ID",
+ "password": "$TRUSTEE_PASSWORD"
+ }
+ }
+ }
+ }
+}
+EOF
+)
+else
+ # Get a token by user credentials and trust
+ auth_json=$(cat << EOF
{
"auth": {
"identity": {
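Review bot: The new guard `if [ -z $TRUST_ID ]; then` expands `$TRUST_ID` unquoted, so it gives the right answer for an empty value only because `[ -z ]` with a single argument happens to be true. A value containing whitespace or a glob character would make the test error out or pick the wrong branch, and this branch decides whether the trustee password is sent with or without an OS-TRUST scope. I would write it as `if [ -z "$TRUST_ID" ]; then`; the same line appears in the make-cert.sh hunk. The `else` branch's heredoc continues outside this hunk.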
@@ -58,6 +80,7 @@ auth_json=$(cat << EOF
}
EOF
)
+fi
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
diff --git a/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert.sh b/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert.sh
index a63bd31..d32566d 100644
--- a/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert.sh
+++ b/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert.sh
@@ -55,8 +55,29 @@ SERVER_CERT=$cert_dir/server.crt
SERVER_CSR=$cert_dir/server.csr
SERVER_KEY=$cert_dir/server.key
-#Get a token by user credentials and trust
-auth_json=$(cat << EOF
+if [ -z $TRUST_ID ]; then
+ # Get a token without scoped TRUST (eg when cluster_user_trust is off)
+ auth_json=$(cat << EOF
+{
+ "auth": {
+ "identity": {
+ "methods": [
+ "password"
+ ],
+ "password": {
+ "user": {
+ "id": "$TRUSTEE_USER_ID",
+ "password": "$TRUSTEE_PASSWORD"
+ }
+ }
+ }
+ }
+}
+EOF
+)
+else
+ # Get a token by user credentials and trust
+ auth_json=$(cat << EOF
{
"auth": {
"identity": {
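Review bot: The added heredoc places `"password": "$TRUSTEE_PASSWORD"` into the JSON body verbatim, so a password containing `"` or `\` produces a malformed or altered request; the make-cert-client.sh hunk does the same, and the trust branch presumably does too, though its body is not fully visible here. Either JSON-escape the value before the heredoc or document the constraint with a comment such as `# TRUSTEE_PASSWORD is inserted unescaped; it must not contain '"' or '\'`. Because this request carries no `scope`, the resulting token is presumably whatever Keystone grants the trustee user by default, so a comment like `# no scope requested: token scope depends on the trustee user's default project` would help the next maintainer. `auth_json` now holds the cleartext password on both branches, so it is worth confirming that the fragment is not run under `set -x` or echoed into boot logs.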
@@ -79,6 +100,8 @@ auth_json=$(cat << EOF
}
EOF
)
+fi
+
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}