Downloadable Kubernetes configuration file based on application credentials

Make a kubeconfig file available through download along with openrc and clouds.yaml files, as Kubernetes can use OpenStack application credentials for authentication.

More information here:
https://superuser.openstack.org/articles/strengthening-open-infrastructure-integrating-openstack-and-kubernetes/

openstack_dashboard/dashboards/identity/application_credentials/forms.py

@@ -30,6 +30,9 @@ LOG = logging.getLogger(__name__)
 class CreateApplicationCredentialForm(forms.SelfHandlingForm):
     # Hide the domain_id and domain_name by default
     name = forms.CharField(max_length=255, label=_("Name"))
+    namespace = forms.CharField(max_length=255,
+                                label=_("Namespace (Kubernetes)"),
+                                required=False)
     description = forms.CharField(
         widget=forms.widgets.Textarea(attrs={'rows': 4}),
         label=_("Description"),
@@ -98,6 +101,7 @@ class CreateApplicationCredentialForm(forms.SelfHandlingForm):
             )
             self.request.session['application_credential'] = \
                 new_app_cred.to_dict()
+            self.request.session['application_credential']['namespace'] = data['namespace']
             request.method = 'GET'
             return self.next_view.as_view()(request)
         except exceptions.Conflict:

openstack_dashboard/dashboards/identity/application_credentials/templates/application_credentials/_success.html

@@ -31,5 +31,9 @@
         <span class="fa fa-download"></span>
         {{ download_clouds_yaml_label }}
     </a>
+    <a href="{{ download_kubeconfig_url }}" class="btn btn-default">
+        <span class="fa fa-download"></span>
+        {{ download_kubeconfig_label }}
+    </a>
     <a onClick="location.href='{{cancel_url}}'" href="{{ cancel_url }}" class="btn btn-default">{{ cancel_label }}</a>
 {% endblock %}

openstack_dashboard/dashboards/identity/application_credentials/templates/application_credentials/kubeconfig.template

+apiVersion: v1
+kind: Config
+clusters:
+- name: kubernetes
+  cluster:
+    server: {{ kubernetes_url }}
+    certificate-authority-data: {{ kubernetes_certificate_authority_data }}
+contexts:
+- name: kubernetes
+  context:
+    cluster: kubernetes
+    user: {{ user }}
+    namespace: {{ kubernetes_namespace }}
+current-context: kubernetes
+users:
+  - name: {{ user }}
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1beta1
+        command: bin/kubectl-keystone-auth
+        args:
+        - "--keystone-url={{ auth_url }}
+        - "--domain-name=none"
+        - "--user-name={{ user }}"
+        - "--application-credential-id={{ application_credential_id }}"
+        - "--application-credential-secret={{ application_credential_secret }}"

openstack_dashboard/dashboards/identity/application_credentials/urls.py

@@ -28,6 +28,8 @@ urlpatterns = [
         views.CreateSuccessfulView.as_view(), name='success'),
     url(r'^download_openrc/$',
         views.download_rc_file, name='download_openrc'),
+    url(r'^download_kubeconfig/$',
+        views.download_kubeconfig_file, name='download_kubeconfig'),
     url(r'^download_clouds_yaml/$',
         views.download_clouds_yaml_file, name='download_clouds_yaml'),
 ]

openstack_dashboard/dashboards/identity/application_credentials/views.py

@@ -97,14 +97,18 @@ class CreateSuccessfulView(forms.ModalFormView):
         'horizon:identity:application_credentials:index')
     cancel_label = _("Close")
     download_openrc_label = _("Download openrc file")
+    download_kubeconfig_label = _("Download kubeconfig file")
     download_clouds_yaml_label = _("Download clouds.yaml")
 
     def get_context_data(self, **kwargs):
         context = super(CreateSuccessfulView, self).get_context_data(**kwargs)
         context['download_openrc_label'] = self.download_openrc_label
+        context['download_kubeconfig_label'] = self.download_kubeconfig_label
         context['download_clouds_yaml_label'] = self.download_clouds_yaml_label
         context['download_openrc_url'] = reverse(
             'horizon:identity:application_credentials:download_openrc')
+        context['download_kubeconfig_url'] = reverse(
+           'horizon:identity:application_credentials:download_kubeconfig')
         context['download_clouds_yaml_url'] = reverse(
             'horizon:identity:application_credentials:download_clouds_yaml')
         return context
@@ -129,9 +133,13 @@ def _get_context(request):
     context = dict(auth_url=auth_url,
                    interface=interface,
                    region=region,
+                   user=request.user,
                    application_credential_id=app_cred['id'],
                    application_credential_name=app_cred['name'],
-                   application_credential_secret=app_cred['secret'])
+                   application_credential_secret=app_cred['secret'],
+                   kubernetes_namespace=app_cred['namespace'],
+                   kubernetes_url=settings.KUBECONFIG_KUBERNETES_URL,
+                   kubernetes_certificate_authority_data=settings.KUBECONFIG_CERTIFICATE_AUTHORITY_DATA)
     return context
 
 
@@ -152,6 +160,14 @@ def download_rc_file(request):
     return response
 
 
+def download_kubeconfig_file(request):
+    context = _get_context(request)
+    template = 'identity/application_credentials/kubeconfig.template'
+    filename = 'app-cred-%s-kubeconfig' % context['application_credential_name']
+    response = _render_attachment(filename, template, context, request)
+    return response
+
+
 def download_clouds_yaml_file(request):
     context = _get_context(request)
     context['cloud_name'] = getattr(

openstack_dashboard/local/local_settings.py.example

@@ -916,3 +916,7 @@ ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
 # Once the password expires keystone will deny the access and users must
 # contact an admin to change their password.
 #PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0
+
+
+KUBECONFIG_KUBERNETES_URL = "https://127.0.0.1:44333"
+KUBECONFIG_CERTIFICATE_AUTHORITY_DATA = ""