Merge pull request #242 from rackerlabs/keystone-event

.github/workflows/yamllint.yaml

@@ -46,6 +46,7 @@ jobs:
             argo-workflows/**/workflowtemplates/*.y*ml
             argo-workflows/**/sensors/*.y*ml
             argo-workflows/**/workflows/*.y*ml
+            apps/understack-workflows/workflows/workflowtemplates/*.y*ml
 
   shellcheck:
     runs-on: ubuntu-latest

apps/understack-workflows/READMD.md

@@ -0,0 +1 @@
+../../docs/component-understack-workflows.md

apps/understack-workflows/eventsource-openstack/argo-rabbitmq.yaml

@@ -23,3 +23,19 @@ spec:
   rabbitmqClusterReference:
     name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
     namespace: openstack
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: argo-to-keystone-permission
+spec:
+  vhost: "keystone"
+  userReference:
+    name: "argo"  # name of a user.rabbitmq.com in the same namespace; must specify either spec.userReference or spec.user
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: rabbitmq  # rabbitmqCluster must exist in the same namespace as this resource
+    namespace: openstack

apps/understack-workflows/eventsource-openstack/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - argo-rabbitmq.yaml
   - eventbus-default.yaml
   - openstack-event-source.yaml
+  - sensor-keystone-event-project.yaml

apps/understack-workflows/eventsource-openstack/openstack-event-source.yaml

@@ -7,7 +7,6 @@ spec:
     openstack:
       # amqp server url
       url: amqp://rabbitmq-server-0.rabbitmq-nodes.openstack.svc.cluster.local:5672/ironic
-      routingKey: 'ironic_versioned_notifications.info'
       # jsonBody specifies that all event body payload coming from this
       # source will be JSON
       jsonBody: true
@@ -16,6 +15,44 @@ spec:
       exchangeType: topic
       exchangeDeclare:
         durable: false
+      # routing key for messages within the exchange
+      routingKey: 'ironic_versioned_notifications.info'
+      # optional consume settings
+      # if not provided, default values will be used
+      consume:
+        consumerTag: "argo-events"
+        autoAck: true
+        exclusive: false
+        noLocal: false
+      # username and password for authentication
+      # use secret selectors
+      auth:
+        username:
+          name: argo-user-credentials
+          key: username
+        password:
+          name: argo-user-credentials
+          key: password
+---
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+  name: openstack-keystone
+spec:
+  amqp:
+    notifications:
+      # amqp server url
+      url: amqp://rabbitmq-server-0.rabbitmq-nodes.openstack.svc.cluster.local:5672/keystone
+      # jsonBody specifies that all event body payload coming from this
+      # source will be JSON
+      jsonBody: true
+      # name of the exchange.
+      exchangeName: keystone
+      exchangeType: topic
+      exchangeDeclare:
+        durable: false
+      # routing key for messages within the exchange
+      routingKey: 'notifications.info'
       # optional consume settings
       # if not provided, default values will be used
       consume:

apps/understack-workflows/eventsource-openstack/sensor-keystone-event-project.yaml

@@ -0,0 +1,67 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sensor-submit-workflow
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+  finalizers:
+  - sensor-controller
+  labels:
+    argocd.argoproj.io/instance: argo-events
+  name: keystone-event-project
+  namespace: argo-events
+  annotations:
+    workflows.argoproj.io/description: |
+      Defined in `apps/understack-workflows/sensors/sensor-keystone-event-project.yaml`
+spec:
+  dependencies:
+  - eventName: notifications
+    eventSourceName: openstack-keystone
+    name: keystone-msg
+    transform:
+      jq: ".body[\"oslo.message\"] | fromjson"
+    filters:
+      dataLogicalOperator: "and"
+      data:
+        - path: "event_type"
+          type: "string"
+          value:
+            - "identity.project.created"
+            - "identity.project.updated"
+            - "identity.project.deleted"
+  template:
+    serviceAccountName: sensor-submit-workflow
+  triggers:
+    - template:
+        name: keystone-event-project
+        argoWorkflow:
+          operation: submit
+          parameters:
+            - dest: spec.arguments.parameters.0.value
+              src:
+                dataKey: event_type
+                dependencyName: keystone-msg
+            - dest: spec.arguments.parameters.1.value
+              src:
+                dataKey: payload.target.id
+                dependencyName: keystone-msg
+          source:
+            resource:
+              apiVersion: argoproj.io/v1alpha1
+              kind: Workflow
+              metadata:
+                generateName: keystone-event-project-
+                namespace: argo-events
+              spec:
+                arguments:
+                  parameters:
+                    - name: event_type
+                      value: "replaced by parameters section"
+                    - name: project_uuid
+                      value: "replaced by parameters section"
+                serviceAccountName: workflow
+                workflowTemplateRef:
+                  name: keystone-event-project

apps/understack-workflows/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 
 resources:
   - eventsource-openstack
+  - workflowtemplates

apps/understack-workflows/workflows/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# this is where our workflows currently run
+namespace: argo-events
+
+resources:
+  - openstack-svc-acct.yaml
+  - sensor-submit-rbac.yaml
+  - workflowtemplates/keystone-event-project.yaml

apps/understack-workflows/workflows/openstack-svc-acct.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: openstack-svc-acct
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openstack
+  target:
+    name: openstack-svc-acct
+    template:
+      engineVersion: v2
+      data:
+        clouds.yaml: |
+          clouds:
+            understack:
+              auth_url: http://keystone-api.openstack.svc.cluster.local:5000/v3
+              user_domain_name: {{ .user_domain }}
+              username: {{ .username }}
+              password: {{ .password }}
+              # this should switch to where we will be creating the ironic nodes
+              # in the future
+              project_domain_name: default
+              project_name: undercloud
+  dataFrom:
+    - extract:
+        key: svc-acct-argoworkflow

apps/understack-workflows/workflows/sensor-submit-rbac.yaml

@@ -0,0 +1,40 @@
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sensor-submit-workflow-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - get
+      - watch
+      - list
+    resources:
+      - workflowtemplates
+      - clusterworkflowtemplates
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+    resources:
+      - workflows
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: openstack-sensor-submit-workflow
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sensor-submit-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: sensor-submit-workflow
+    namespace: openstack

apps/understack-workflows/workflows/workflowtemplates/wf-keystone-event-project.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: keystone-event-project
+  annotations:
+    workflows.argoproj.io/description: |
+      Defined in `apps/understack-workflows/workflowtemplates/wf-keystone-event-project.yaml`
+kind: WorkflowTemplate
+spec:
+  entrypoint: sync-keystone
+  templates:
+    - name: sync-keystone
+      container:
+        image: ghcr.io/rackerlabs/understack/ironic-nautobot-client:latest
+        command:
+          - sync-keystone
+        args:
+          - "--only-domain"
+          - "default"
+          - "{{workflow.parameters.event_type}}"
+          - "{{workflow.parameters.project_uuid}}"
+        volumeMounts:
+          - mountPath: /etc/nb-token/
+            name: nb-token
+            readOnly: true
+          - mountPath: /etc/openstack
+            name: openstack-svc-acct
+            readOnly: true
+      inputs:
+        parameters:
+          - name: project_uuid
+      volumes:
+        - name: nb-token
+          secret:
+            secretName: nautobot-token
+        - name: openstack-svc-acct
+          secret:
+            secretName: openstack-svc-acct

components/openstack/kustomization.yaml

@@ -6,6 +6,11 @@ resources:
   - mariadb-configmap.yaml
   - mariadb-instance.yaml
   - openstack-cluster.yaml
+  # a secret store that let's us copy creds to other namespaces
+  # for service accounts
+  - secretstore-openstack.yaml
+  # defines the service account 'argoworkflow' used by our workflows
+  - svc-acct-argoworkflow.yaml
 
 helmCharts:
   - name: memcached

components/openstack/secretstore-openstack.yaml

@@ -0,0 +1,65 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eso-openstack
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: eso-openstack
+  name: eso-openstack.service-account-token
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: eso-openstack-role
+rules:
+- apiGroups: [""]
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  resourceNames:
+  - svc-acct-argoworkflow
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - selfsubjectrulesreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: eso-openstack-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: eso-openstack-role
+subjects:
+- kind: ServiceAccount
+  name: eso-openstack
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: openstack
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: openstack
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          key: ca.crt
+          namespace: openstack
+      auth:
+        serviceAccount:
+          name: eso-openstack
+          namespace: openstack

components/openstack/svc-acct-argoworkflow.yaml

@@ -0,0 +1,28 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Fake
+metadata:
+  name: svc-acct-argoworkflow
+spec:
+  data:
+    # this provider needs to go away for a generated account
+    # but it currently must be in sync with the keystone bootstrap
+    # script
+    # this should be the 'service' domain in the future
+    user_domain: default
+    username: argoworkflow
+    password: demo
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: svc-acct-argoworkflow
+spec:
+  refreshInterval: 1h
+  target:
+    name: svc-acct-argoworkflow
+  dataFrom:
+  - sourceRef:
+      generatorRef:
+        apiVersion: generators.external-secrets.io/v1alpha1
+        kind: Fake
+        name: svc-acct-argoworkflow