Add application credentials support for cinder (#7799)

* csi-driver: Added possibility to use application credentials for cinder

* external-cloud-controller: Added env vars for openstack application credentials

roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml

@@ -5,6 +5,9 @@
 cinder_auth_url: "{{ lookup('env','OS_AUTH_URL') }}"
 cinder_username: "{{ lookup('env','OS_USERNAME') }}"
 cinder_password: "{{ lookup('env','OS_PASSWORD') }}"
+cinder_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID')  }}"
+cinder_application_credential_name: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_NAME')  }}"
+cinder_application_credential_secret: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_SECRET')  }}"
 cinder_region: "{{ lookup('env','OS_REGION_NAME') }}"
 cinder_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
 cinder_tenant_name: "{{ lookup('env','OS_TENANT_NAME')| default(lookup('env','OS_PROJECT_NAME'),true) }}"

roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-credential-check.yml

@@ -4,15 +4,38 @@
     msg: "cinder_auth_url is missing"
   when: cinder_auth_url is not defined or not cinder_auth_url
 
-- name: Cinder CSI Driver | check cinder_username value
+- name: Cinder CSI Driver | check cinder_username value cinder_application_credential_name value
   fail:
-    msg: "cinder_username is missing"
-  when: cinder_username is not defined or not cinder_username
+    msg: "you must either set cinder_username or cinder_application_credential_name"
+  when:
+    - cinder_username is not defined or not cinder_username
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
+
+- name: Cinder CSI Driver | check cinder_application_credential_id value
+  fail:
+    msg: "cinder_application_credential_id is missing"
+  when:
+    - cinder_application_credential_name is defined
+    - cinder_application_credential_name|length > 0
+    - cinder_application_credential_id is not defined or not cinder_application_credential_id
+
+- name: Cinder CSI Driver | check cinder_application_credential_secret value
+  fail:
+    msg: "cinder_application_credential_secret is missing"
+  when:
+    - cinder_application_credential_name is defined
+    - cinder_application_credential_name|length > 0
+    - cinder_application_credential_secret is not defined or not cinder_application_credential_secret
 
 - name: Cinder CSI Driver | check cinder_password value
   fail:
     msg: "cinder_password is missing"
-  when: cinder_password is not defined or not cinder_password
+  when:
+    - cinder_username is defined
+    - cinder_username|length > 0
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
+    - cinder_application_credential_secret is not defined or not cinder_application_credential_secret
+    - cinder_password is not defined or not cinder_password
 
 - name: Cinder CSI Driver | check cinder_region value
   fail:
@@ -24,11 +47,13 @@
     msg: "one of cinder_tenant_id or cinder_tenant_name must be specified"
   when:
     - cinder_tenant_id is not defined or not cinder_tenant_id
-    - cinder_tenant_name is not defined
-
-- name: Cinder CSI Driver | check cinder_tenant_name value
-  fail:
-    msg: "one of cinder_tenant_id or cinder_tenant_name must be specified"
-  when:
     - cinder_tenant_name is not defined or not cinder_tenant_name
-    - cinder_tenant_id is not defined
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name
+
+- name: Cinder CSI Driver | check cinder_domain_id value
+  fail:
+    msg: "one of cinder_domain_id or cinder_domain_name must be specified"
+  when:
+    - cinder_domain_id is not defined or not cinder_domain_id
+    - cinder_domain_name is not defined or not cinder_domain_name
+    - cinder_application_credential_name is not defined or not cinder_application_credential_name

roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-cloud-config.j2

@@ -1,7 +1,18 @@
 [Global]
 auth-url="{{ cinder_auth_url }}"
+{% if cinder_application_credential_id is not defined and cinder_application_credential_name is not defined %}
 username="{{ cinder_username }}"
 password="{{ cinder_password }}"
+{% endif %}
+{% if cinder_application_credential_id is defined and cinder_application_credential_id != "" %}
+application-credential-id={{ cinder_application_credential_id }}
+{% endif %}
+{% if cinder_application_credential_name is defined and cinder_application_credential_name != "" %}
+application-credential-name={{ cinder_application_credential_name }}
+{% endif %}
+{% if cinder_application_credential_secret is defined and cinder_application_credential_secret != "" %}
+application-credential-secret={{ cinder_application_credential_secret }}
+{% endif %}
 region="{{ cinder_region }}"
 {% if cinder_tenant_id is defined and cinder_tenant_id != "" %}
 tenant-id="{{ cinder_tenant_id }}"

roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml

@@ -5,6 +5,9 @@
 external_openstack_auth_url: "{{ lookup('env','OS_AUTH_URL')  }}"
 external_openstack_username: "{{ lookup('env','OS_USERNAME')  }}"
 external_openstack_password: "{{ lookup('env','OS_PASSWORD')  }}"
+external_openstack_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID')  }}"
+external_openstack_application_credential_name: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_NAME')  }}"
+external_openstack_application_credential_secret: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_SECRET')  }}"
 external_openstack_region: "{{ lookup('env','OS_REGION_NAME')  }}"
 external_openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
 external_openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME')| default(lookup('env','OS_PROJECT_NAME'),true) }}"