[keystone] Update federation mapping rules on change

Related-Prod: PRODX-48960 Change-Id: I7f997ad8a33dc9f4dbf3c413100b3fc42cb4ffbd
Mirantis · Jan 10, 2025 · dc31609 · dc31609
1 parent 2af6b21
commit dc31609
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 34 deletions.
diff --git a/charts/openstack/keystone/templates/bin/_keystone-federations-create.py.tpl b/charts/openstack/keystone/templates/bin/_keystone-federations-create.py.tpl
@@ -25,33 +25,6 @@ logging.basicConfig(format=LOG_FORMAT, datefmt=LOG_DATEFMT)
 LOG = logging.getLogger("keystone-federations-create")
 LOG.setLevel(logging.INFO)
 FEDERATION_DATA_FILE_PATH="/etc/keystone/keystone-federations.json"
-OLD_DEFAULT_MAPPING = [
-    {
-        "local": [
-            {"user": {"name": "{0}", "email": "{1}", "domain": {"name": "Default"}}},
-            {"groups": "{2}", "domain": {"name": "Default"}},
-            {"domain": {"name": "Default"}},
-        ],
-        "remote": [
-            {"type": "OIDC-iam_username"},
-            {"type": "OIDC-email"},
-            {"type": "OIDC-iam_roles"},
-        ],
-    }
-]
-NEW_DEFAULT_MAPPING = [
-    {
-        "local": [
-            {"user": {"name": "{0}", "email": "{1}"}},
-            {"groups": "{2}", "domain": {"name": "Default"}},
-        ],
-        "remote": [
-            {"type": "OIDC-iam_username"},
-            {"type": "OIDC-email"},
-            {"type": "OIDC-iam_roles"},
-        ],
-    }
-]
 
 
 def ensure_identity_provider(cloud, name, domain, remote_ids):
@@ -87,12 +60,9 @@ def ensure_mapping(cloud, name, rules):
         cloud.identity.create_mapping(id=name, rules=rules)
     else:
         LOG.info("Mapping %s already exists" % name)
-        if mapping.rules == OLD_DEFAULT_MAPPING:
-            LOG.warning(
-                "Existing mapping %s is identical to old MOSK default. "
-                "Removing erroneous domain specs from the mapping." % name
-            )
-            cloud.identity.update_mapping(mapping, rules=NEW_DEFAULT_MAPPING)
+        if mapping.rules != rules:
+            LOG.info("Rules are changed, updating.")
+            cloud.identity.update_mapping(mapping, rules=rules)
 
 
 def ensure_protocol(cloud, name, idp, mapping):

diff --git a/charts/openstack/keystone/templates/job-federations-create.yaml b/charts/openstack/keystone/templates/job-federations-create.yaml
@@ -68,7 +68,6 @@ spec:
           env:
 {{- include "helm-toolkit.snippets.keystone_os_cloud_vars" ( dict "osCloudName" "admin" ) | indent 12 }}
           command:
-            - python
             - /tmp/keystone-federations-create.py
           volumeMounts:
             - name: pod-tmp