Merge pull request #3 from nimbolus/add-token-metdata-option

Add token metdata option

Author: lu1as

docs/install.md

@@ -1,6 +1,6 @@
 # Installation
 
-1. Create config file based on [nova-instance-identity.sample.conf](../dist/nova-instance-identity.sample.conf):
+1. Create config file based on [nova-instance-identity.sample.conf](../sample/nova-instance-identity.sample.conf):
 
 ```sh
 mkdir /etc/nova-instance-identity
@@ -16,7 +16,7 @@ podman run -d --name nova_instance_identity --net host \
     ghcr.io/nimbolus/openstack-nova-instance-identity-provider
 ```
 
-3. If using [kolla-ansible](https://docs.openstack.org/kolla-ansible/latest/), optionally create a haproxy config based on [haproxy.sample.cfg](../dist/haproxy.sample.cfg) at `/etc/kolla/config/haproxy/services.d/nova-instance-identity.cfg` on your deployment host and rollout haproxy role.
+3. If using [kolla-ansible](https://docs.openstack.org/kolla-ansible/latest/), optionally create a haproxy config based on [haproxy.sample.cfg](../sample/haproxy.sample.cfg) at `/etc/kolla/config/haproxy/services.d/nova-instance-identity.cfg` on your deployment host and rollout haproxy role.
 
 4. Register the vendordata endpoint in `nova.conf`, e.g. with kolla-ansible add the following config to `/etc/kolla/config/nova.conf` on your deployment host and rollout nova role.
 

main.py

@@ -17,6 +17,8 @@
                help="Port the service listens to"),
     cfg.BoolOpt('project_name_lookup', default=False,
                 help="Lookup project name and add corresponding token claim"),
+    cfg.DictOpt('token_metadata', default={},
+                help="Attributes that will be returned alongside with the token"),
 ]
 
 CONF.register_opts(common_opts)
@@ -106,7 +108,7 @@ def vendordata():
     return jsonify({
         'token': token,
         'expires_at': expires_at,
-    })
+    } | CONF.token_metadata)
 
 
 def handle_sigterm(signum, frame):

sample/haproxy.sample.cfg

@@ -0,0 +1,14 @@
+frontend nova_instance_identity_front
+    mode http
+    http-request del-header X-Forwarded-Proto
+    timeout client 6h
+    option httplog
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+    bind {{ kolla_internal_vip_address }}:8001 ssl crt /etc/haproxy/certificates/haproxy-internal.pem alpn h2,http/1.1
+    default_backend nova_instance_identity_back
+
+backend nova_instance_identity_back
+    mode http
+    timeout server 6h
+    server {{ ansible_hostname }} 127.0.0.1:8001 check inter 2000 rise 2 fall 5

sample/nova-instance-identity.sample.conf

@@ -0,0 +1,28 @@
+[DEFAULT]
+listen_host = 0.0.0.0
+listen_port = 8001
+project_name_lookup = False
+token_metadata = auth_url:https://keystone.example.com/v3,region_name:eu-central-1
+
+[keystone_authtoken]
+auth_type = password
+www_authenticate_uri = https://keystone.example.com
+auth_url = https://keystone.example.com
+project_domain_id = default
+user_domain_id = default
+project_name = service
+username = nova
+password = secret
+region_name = RegionOne
+interface = public
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = secret
+memcached_servers = memcached.example.com:11211
+
+[oidc_provider]
+issuer_url = https://nova-instance-identity.example.com
+audience = openstack
+signing_algorithm = ES256
+jwks_state = jwks.json
+key_rotation_period = 24
+token_lifetime = 1