Switch to using authentication by default

Change-Id: I7e3a76de9d37da224298f3821ab8ffc8448966fd

playbooks/roles/bifrost-cloud-config/README.md

@@ -18,7 +18,7 @@ This role supports one variable:
 `noauth_mode`
 
 Whether bifrost has been installed in no-authentication mode.
-Defaults to `true`.
+Defaults to `false`.
 
 This role sets several facts:
 
@@ -69,7 +69,7 @@ Example Playbook
   gather_facts: no
   roles:
     - role: bifrost-cloud-config
-      noauth_mode: true
+      noauth_mode: false
 ```
 
 License

playbooks/roles/bifrost-cloud-config/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-noauth_mode: true
+noauth_mode: false
 
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"

playbooks/roles/bifrost-ironic-install/README.md

@@ -25,12 +25,12 @@ bifrost-ironic-install role.
 testing: false
 
 Enables no-authentication mode where no authentication is used for accessing
-API services. Setting it to ``false`` will make ironic and ironic-inspector
+API services. The default setting of ``true`` makes ironic and ironic-inspector
 either use keystone (if ``enable_keystone`` is true) or HTTP basic auth
 (use ``admin_username``/``admin_password`` and
 ``default_username``/``default_password`` to configure).
 
-noauth_mode: true
+noauth_mode: false
 
 Node cleaning, which was a feature added to ironic during the Kilo cycle,
 removes the previous contents of a node once it has been moved from an

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -264,7 +264,7 @@ ansible_python_interpreter: "{{ bifrost_venv_dir + '/bin/python3' }}"
 # for noauth mode. Since we are introducing the concept of
 # authentication, we need to record the default for
 # conditional statements in the playbooks.
-noauth_mode: true
+noauth_mode: false
 
 # A work around for installing older releases, remove when no longer supporting
 # Ussuri.

playbooks/roles/bifrost-keystone-client-config/defaults/main.yml

@@ -25,7 +25,7 @@ bifrost_venv_env:
 ansible_python_interpreter: "{{ bifrost_venv_dir + '/bin/python3' }}"
 
 enable_keystone: false
-noauth_mode:  true
+noauth_mode: false
 
 # Directory (on the controller) to keep the passwords
 password_dir: "{{ lookup('env', 'HOME') }}/.config/bifrost"

playbooks/roles/bifrost-keystone-client-config/templates/clouds.yaml.j2

@@ -17,7 +17,7 @@ clouds:
     cacert: "{{ tls_certificate_path }}"
 {% endif %}
 {% endfor %}
-{% elif noauth_mode | default(true) | bool %}
+{% elif noauth_mode | default(false) | bool %}
   bifrost:
     auth_type: "none"
     baremetal_endpoint_override: {{ ironic_api_url }}

playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-noauth_mode: true
+noauth_mode: false
 wait_for_node_undeploy: false
 
 # Ensure that Ansible is using python interpreter and dependencies inside the bifrost virtual environment

playbooks/roles/ironic-inspect-node/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # defaults file for ironic-inspect-node
-noauth_mode: true
+noauth_mode: false
 inspection_wait_timeout: 1800
 inventory_dhcp: false
 inventory_dhcp_static_ip: true

releasenotes/notes/no-no-auth-303152d1c29c691d.yaml

@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Bifrost now uses HTTP basic authentication by default. The generated
+    credentials will be stored in ``~/.config/openstack/clouds.yaml``.
+    Use ``noauth_mode=true`` with ``enable_keystone=false`` to disable
+    authentication.

scripts/test-bifrost.sh

@@ -43,7 +43,7 @@ DOWNLOAD_IPA=true
 CREATE_IPA_IMAGE=false
 WRITE_INTERFACES_FILE=true
 PROVISION_WAIT_TIMEOUT=${PROVISION_WAIT_TIMEOUT:-900}
-NOAUTH_MODE=${NOAUTH_MODE:-true}
+NOAUTH_MODE=${NOAUTH_MODE:-false}
 CLOUD_CONFIG=""
 WAIT_FOR_DEPLOY=true