support openstack application credentials

syseleven · Sep 27, 2021 · ccf81f0 · ccf81f0
1 parent 5bcceae
commit ccf81f0
Show file tree

Hide file tree

Showing 11 changed files with 259 additions and 58 deletions.
diff --git a/Makefile b/Makefile
@@ -2,8 +2,8 @@ DOMAIN=syseleven.de
 NAMESPACE=syseleven
 PKG_NAME=metakube
 BINARY=terraform-provider-${PKG_NAME}
-VERSION=0.4.4
-PLATFORM?=$(shell uname -s | tr A-Z a-z)_$(shell uname -m)
+VERSION=0.6.0
+PLATFORM=darwin_amd64
 SWEEP_DIR?=./metakube
 SWEEP?=all
 
@@ -36,17 +36,18 @@ testacc:
 # METAKUBE_ANOTHER_USER_EMAIL - email of an existing user to test cluster access sharing
 # METAKUBE_K8S_VERSION - the kubernetes version
 # METAKUBE_K8S_OLDER_VERSION - lower kubernetes version then METAKUBE_K8S_VERSION
-# OS_PROJECT - Openstack project name
-# OS_AUTH_URL - Openstack auth url
-# OS_USERNAME - Openstack username
-# OS_PASSWORD - Openstack password
+# METAKUBE_OPENSTACK_AUTH_URL
+# METAKUBE_OPENSTACK_APPLICATION_CREDENTIALS_ID
+# METAKUBE_OPENSTACK_APPLICATION_CREDENTIALS_SECRET
 # METAKUBE_OPENSTACK_IMAGE - an image available for openstack clusters
 # METAKUBE_OPENSTACK_IMAGE2 - another image available for openstack clusters
 # METAKUBE_OPENSTACK_FLAVOR - openstack flavor to use
 # METAKUBE_OPENSTACK_USERNAME - openstack credentials username
 # METAKUBE_OPENSTACK_PASSWORD - openstack credentials password
 # METAKUBE_OPENSTACK_TENANT - openstack tenant to use
 # METAKUBE_OPENSTACK_NODE_DC - openstack node datacenter name
+# METAKUBE_OPENSTACK_APPLICATION_CREDENTIALS_ID - openstack application credentials id
+# METAKUBE_OPENSTACK_APPLICATION_CREDENTIALS_SECRET - openstack application credentials secret
 # METAKUBE_AZURE_NODE_DC - azure node datacenter name
 # METAKUBE_AZURE_NODE_SIZE
 # METAKUBE_AZURE_CLIENT_ID

diff --git a/docs/resources/cluster.md b/docs/resources/cluster.md
@@ -77,14 +77,18 @@ One of the following must be selected.
 ### `openstack`
 
 #### Arguments
-* `tenant` - (Required) The project to use for billing. You can set it using environment variable `OS_PROJECT`.
-* `username` - (Required) The account's username. You can set it using environment variable `OS_USERNAME`.
-* `password` - (Required) The account's password. You can set it using environment variable `OS_PASSWORD`.
 * `floating_ip_pool` - (Required) The floating ip pool used by all worker nodes to receive a public ip.
 * `security_group` - (Optional) When specified, all worker nodes will be attached to this security group. If not specified, a security group will be created.
 * `network` - (Optional) When specified, all worker nodes will be attached to this network. If not specified, a network, subnet & router will be created.
 * `subnet_id` - (Optional) When specified, all worker nodes will be attached to this subnet of specified network. If not specified, a network, subnet & router will be created.
 * `subnet_cidr` - Change this to configure a different internal IP range for Nodes. Default: `192.168.1.0/24`.
+When using password based auth
+* `tenant` - (Optional) The project to use for billing. You can set it using environment variable `OS_PROJECT`. Must be omit if application credentials are used.
+* `username` - (Optional) The account's username. You can set it using environment variable `OS_USERNAME`. Must be omit if application credentials are used.
+* `password` - (Optional) The account's password. You can set it using environment variable `OS_PASSWORD`. Must be omit if application credentials are used.
+When using application credentials
+* `application_credentials_id` - (Opitonal) Application credentials ID to use. Must be omit if username/password/tenant are used.
+* `application_credentials_secret` - (Opitonal) Application credentials Secret to use. Must be omit if username/password/tenant are used.
 
 ### `aws`
 

diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/hashicorp/go-version v1.3.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.7.0
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/syseleven/go-metakube v0.0.0-20210823085732-29f20464891c
+	github.com/syseleven/go-metakube v0.0.0-20210831094651-5f2dbb3405e1
 	go.uber.org/zap v1.19.0
 	golang.org/x/mod v0.5.0
 )
diff --git a/go.sum b/go.sum
@@ -453,6 +453,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syseleven/go-metakube v0.0.0-20210823085732-29f20464891c h1:dkSYiUixhtqOwphuealOTLRbjYElIz4gvwm3DK5cJto=
 github.com/syseleven/go-metakube v0.0.0-20210823085732-29f20464891c/go.mod h1:4AYa17U1yL9SFYSC5VF7rH6Jr4tMYrFSboduGQhrCx8=
+github.com/syseleven/go-metakube v0.0.0-20210831094651-5f2dbb3405e1 h1:OsWRq3+hdx6h+PPjkqsakCGU6i/Q3jmXlMtVyQ7B9Kg=
+github.com/syseleven/go-metakube v0.0.0-20210831094651-5f2dbb3405e1/go.mod h1:4AYa17U1yL9SFYSC5VF7rH6Jr4tMYrFSboduGQhrCx8=
 github.com/syseleven/terraform-plugin-sdk/v2 v2.7.0-sys11-2 h1:5l3YHhsTPDkdvqwfrYugahwJwaaEOFFdzksdNfZy+Hc=
 github.com/syseleven/terraform-plugin-sdk/v2 v2.7.0-sys11-2/go.mod h1:grseeRo9g3yNkYW09iFlV8LG78jTa1ssBgouogQg/RU=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=

diff --git a/main.tf b/main.tf
@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    metakube = {
+      source = "syseleven.de/syseleven/metakube"
+    }
+    openstack = {
+      source = "terraform-provider-openstack/openstack"
+    }
+  }
+}
+
+provider "metakube" {
+  host = "https://stage.metakube.de"
+}
+resource "metakube_project" "project" {
+  name = "tf-project"
+}
+
+data "metakube_k8s_version" "cluster" {
+  major = "1"
+  minor = "21"
+}
+
+resource "metakube_cluster" "cluster" {
+  name       = "cls"
+  dc_name    = "syseleven-cbk1"
+  project_id = metakube_project.project.id
+
+  spec {
+    enable_ssh_agent = true
+    version          = data.metakube_k8s_version.cluster.version
+    cloud {
+      openstack {
+        application_credentials_id = "2f96ca8fae55401598d2ae47dbbf74bb"
+        application_credentials_secret = "A5P-qtUzBba8QL28XrBeM8NAuWxSDwlerNVzcBM0sSZqLSMqiu1j9KlZar_HYsmHudacilBQKGRgftASjFf80w"
+      }
+    }
+  }
+}
diff --git a/metakube/provider_test.go b/metakube/provider_test.go
@@ -19,14 +19,17 @@ const (
 	testEnvK8sVersion      = "METAKUBE_K8S_VERSION"
 	testEnvK8sOlderVersion = "METAKUBE_K8S_OLDER_VERSION"
 
-	testEnvOpenstackNodeDC       = "METAKUBE_OPENSTACK_NODE_DC"
-	testEnvOpenstackUsername     = "METAKUBE_OPENSTACK_USERNAME"
-	testEnvOpenstackPassword     = "METAKUBE_OPENSTACK_PASSWORD"
-	testEnvOpenstackTenant       = "METAKUBE_OPENSTACK_TENANT"
-	testEnvOpenstackImage        = "METAKUBE_OPENSTACK_IMAGE"
-	testEnvOpenstackImage2       = "METAKUBE_OPENSTACK_IMAGE2"
-	testEnvOpenstackImageFlatcar = "METAKUBE_OPENSTACK_IMAGE_FLATCAR"
-	testEnvOpenstackFlavor       = "METAKUBE_OPENSTACK_FLAVOR"
+	testEnvOpenstackNodeDC                       = "METAKUBE_OPENSTACK_NODE_DC"
+	testEnvOpenstackApplicationCredentialsID     = "METAKUBE_OPENSTACK_APPLICATION_CREDENTIALS_ID"
+	testEnvOpenstackApplicationCredentialsSecret = "METAKUBE_OPENSTACK_APPLICATION_CREDENTIALS_SECRET"
+	testEnvOpenstackUsername                     = "METAKUBE_OPENSTACK_USERNAME"
+	testEnvOpenstackAuthUrl                      = "METAKUBE_OPENSTACK_AUTH_URL"
+	testEnvOpenstackPassword                     = "METAKUBE_OPENSTACK_PASSWORD"
+	testEnvOpenstackTenant                       = "METAKUBE_OPENSTACK_TENANT"
+	testEnvOpenstackImage                        = "METAKUBE_OPENSTACK_IMAGE"
+	testEnvOpenstackImage2                       = "METAKUBE_OPENSTACK_IMAGE2"
+	testEnvOpenstackImageFlatcar                 = "METAKUBE_OPENSTACK_IMAGE_FLATCAR"
+	testEnvOpenstackFlavor                       = "METAKUBE_OPENSTACK_FLAVOR"
 
 	testEnvAzureNodeDC         = "METAKUBE_AZURE_NODE_DC"
 	testEnvAzureNodeSize       = "METAKUBE_AZURE_NODE_SIZE"

diff --git a/metakube/resource_metakube_cluster.go b/metakube/resource_metakube_cluster.go
@@ -434,9 +434,11 @@ type clusterPreserveValues struct {
 }
 
 type clusterOpenstackPreservedValues struct {
-	openstackUsername interface{}
-	openstackPassword interface{}
-	openstackTenant   interface{}
+	openstackUsername                     interface{}
+	openstackPassword                     interface{}
+	openstackTenant                       interface{}
+	openstackApplicationCredentialsID     interface{}
+	openstackApplicationCredentialsSecret interface{}
 }
 
 func readClusterPreserveValues(d *schema.ResourceData) clusterPreserveValues {
@@ -446,9 +448,11 @@ func readClusterPreserveValues(d *schema.ResourceData) clusterPreserveValues {
 	var openstack *clusterOpenstackPreservedValues
 	if _, ok := d.GetOk(key("openstack.0")); ok {
 		openstack = &clusterOpenstackPreservedValues{
-			openstackUsername: d.Get(key("openstack.0.username")),
-			openstackPassword: d.Get(key("openstack.0.password")),
-			openstackTenant:   d.Get(key("openstack.0.tenant")),
+			openstackUsername:                     d.Get(key("openstack.0.username")),
+			openstackPassword:                     d.Get(key("openstack.0.password")),
+			openstackTenant:                       d.Get(key("openstack.0.tenant")),
+			openstackApplicationCredentialsID:     d.Get(key("openstack.0.application_credentials_id")),
+			openstackApplicationCredentialsSecret: d.Get(key("openstack.0.application_credentials_secret")),
 		}
 	}
 

diff --git a/metakube/resource_metakube_cluster_schema.go b/metakube/resource_metakube_cluster_schema.go
@@ -278,27 +278,44 @@ func metakubeResourceCluserAWSCloudSpecFields() map[string]*schema.Schema {
 func metakubeResourceClusterOpenstackCloudSpecFields() map[string]*schema.Schema {
 	return map[string]*schema.Schema{
 		"tenant": {
-			Type:         schema.TypeString,
-			Required:     true,
-			DefaultFunc:  schema.EnvDefaultFunc("OS_PROJECT", ""),
-			ValidateFunc: validation.NoZeroValues,
-			Description:  "The opestack project to use for billing",
+			Type:          schema.TypeString,
+			Optional:      true,
+			RequiredWith:  []string{"spec.0.cloud.0.openstack.0.username", "spec.0.cloud.0.openstack.0.password"},
+			ConflictsWith: []string{"spec.0.cloud.0.openstack.0.application_credentials_id", "spec.0.cloud.0.openstack.0.application_credentials_secret"},
+			DefaultFunc:   schema.EnvDefaultFunc("OS_PROJECT", nil),
+			Description:   "The opestack project to use for billing",
 		},
 		"username": {
-			Type:         schema.TypeString,
-			DefaultFunc:  schema.EnvDefaultFunc("OS_USERNAME", ""),
-			Required:     true,
-			Sensitive:    true,
-			ValidateFunc: validation.NoZeroValues,
-			Description:  "The openstack account's username",
+			Type:          schema.TypeString,
+			DefaultFunc:   schema.EnvDefaultFunc("OS_USERNAME", nil),
+			Optional:      true,
+			RequiredWith:  []string{"spec.0.cloud.0.openstack.0.tenant", "spec.0.cloud.0.openstack.0.password"},
+			ConflictsWith: []string{"spec.0.cloud.0.openstack.0.application_credentials_id", "spec.0.cloud.0.openstack.0.application_credentials_secret"},
+			Sensitive:     true,
+			Description:   "The openstack account's username",
 		},
 		"password": {
+			Type:          schema.TypeString,
+			DefaultFunc:   schema.EnvDefaultFunc("OS_PASSWORD", nil),
+			RequiredWith:  []string{"spec.0.cloud.0.openstack.0.tenant", "spec.0.cloud.0.openstack.0.username"},
+			ConflictsWith: []string{"spec.0.cloud.0.openstack.0.application_credentials_id", "spec.0.cloud.0.openstack.0.application_credentials_secret"},
+			Optional:      true,
+			Sensitive:     true,
+			Description:   "The openstack account's password",
+		},
+		"application_credentials_id": {
+			Type:          schema.TypeString,
+			RequiredWith:  []string{"spec.0.cloud.0.openstack.0.application_credentials_secret"},
+			ConflictsWith: []string{"spec.0.cloud.0.openstack.0.username", "spec.0.cloud.0.openstack.0.password", "spec.0.cloud.0.openstack.0.tenant"},
+			Optional:      true,
+			Description:   "Openstack application credentials ID",
+		},
+		"application_credentials_secret": {
 			Type:         schema.TypeString,
-			DefaultFunc:  schema.EnvDefaultFunc("OS_PASSWORD", ""),
-			Required:     true,
+			RequiredWith: []string{"spec.0.cloud.0.openstack.0.application_credentials_id"},
+			Optional:     true,
 			Sensitive:    true,
-			ValidateFunc: validation.NoZeroValues,
-			Description:  "The openstack account's password",
+			Description:  "Openstack application credentials secret",
 		},
 		"floating_ip_pool": {
 			Type:        schema.TypeString,

diff --git a/metakube/resource_metakube_cluster_structure.go b/metakube/resource_metakube_cluster_structure.go
@@ -196,6 +196,12 @@ func flattenOpenstackSpec(values *clusterOpenstackPreservedValues, in *models.Op
 		if values.openstackPassword != nil {
 			att["password"] = values.openstackPassword
 		}
+		if values.openstackApplicationCredentialsID != nil {
+			att["application_credentials_id"] = values.openstackApplicationCredentialsID
+		}
+		if values.openstackApplicationCredentialsSecret != nil {
+			att["application_credentials_secret"] = values.openstackApplicationCredentialsSecret
+		}
 	}
 
 	return []interface{}{att}
@@ -565,6 +571,18 @@ func expandOpenstackCloudSpec(p []interface{}) *models.OpenstackCloudSpec {
 		}
 	}
 
+	if v, ok := in["application_credentials_id"]; ok {
+		if vv, ok := v.(string); ok && vv != "" {
+			obj.ApplicationCredentialID = vv
+		}
+	}
+
+	if v, ok := in["application_credentials_secret"]; ok {
+		if vv, ok := v.(string); ok && vv != "" {
+			obj.ApplicationCredentialSecret = vv
+		}
+	}
+
 	if v, ok := in["username"]; ok {
 		if vv, ok := v.(string); ok && vv != "" {
 			obj.Username = vv

diff --git a/metakube/resource_metakube_cluster_structure_test.go b/metakube/resource_metakube_cluster_structure_test.go
@@ -188,6 +188,33 @@ func TestFlattenOpenstackCloudSpec(t *testing.T) {
 		PreserveValues clusterOpenstackPreservedValues
 		ExpectedOutput []interface{}
 	}{
+		{
+			&models.OpenstackCloudSpec{
+				ApplicationCredentialID:     "",
+				ApplicationCredentialSecret: "",
+				FloatingIPPool:              "FloatingIPPool",
+				Network:                     "Network",
+				RouterID:                    "RouterID",
+				SecurityGroups:              "SecurityGroups",
+				SubnetID:                    "SubnetID",
+				TenantID:                    "TenantID",
+			},
+			clusterOpenstackPreservedValues{
+				openstackApplicationCredentialsID:     "id",
+				openstackApplicationCredentialsSecret: "secret",
+			},
+			[]interface{}{
+				map[string]interface{}{
+					"application_credentials_id":     "id",
+					"application_credentials_secret": "secret",
+					"floating_ip_pool":               "FloatingIPPool",
+					"network":                        "Network",
+					"security_group":                 "SecurityGroups",
+					"subnet_id":                      "SubnetID",
+				},
+			},
+		},
+
 		{
 			&models.OpenstackCloudSpec{
 				FloatingIPPool: "FloatingIPPool",
@@ -557,18 +584,16 @@ func TestExpandOpenstackCloudSpec(t *testing.T) {
 		{
 			[]interface{}{
 				map[string]interface{}{
-					"tenant":           "Tenant",
-					"floating_ip_pool": "FloatingIPPool",
-					"username":         "Username",
-					"password":         "Password",
+					"floating_ip_pool":               "FloatingIPPool",
+					"application_credentials_id":     "id",
+					"application_credentials_secret": "secret",
 				},
 			},
 			&models.OpenstackCloudSpec{
-				Domain:         "Default",
-				FloatingIPPool: "FloatingIPPool",
-				Password:       "Password",
-				Tenant:         "Tenant",
-				Username:       "Username",
+				Domain:                      "Default",
+				FloatingIPPool:              "FloatingIPPool",
+				ApplicationCredentialID:     "id",
+				ApplicationCredentialSecret: "secret",
 			},
 		},
 		{