diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 5899439c8..59aa5bc6a 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -150,3 +150,56 @@ bifrost_venv_env: VIRTUAL_ENV: "{{ bifrost_venv_dir }}" PATH: "{{ bifrost_venv_dir }}/bin:{{ ansible_env.PATH }}" # include regular path via lookup env pydoc: "python -m pydoc" + +# Authentication support +# By default, bifrost was developed around being a toolkit +# for noauth mode. Since we are introducing the concept of +# authentication, we need to record the default for +# conditional statements in the playbooks. +noauth_mode: true + +# Keystone Support +# Default parameter if keystone is enabled, or disabled. +enable_keystone: false + +# NOTE: The keystone support in this role +# expects the keystone.bootstrap variables to +# either be loaded OR present from keystone +# installation. The keystone settings below +# should only be used if the role is utilized +# independently of the keystone installation +# role, such as leveraging a pre-existing +# keystone installation. +# WARNING: Using a pre-existing keystone has +# not been tested. +# +#keystone: +# debug: true +# bootstrap: +# enabled: true +# username: admin +# password: ChangeThisPa55w0rd +# project_name: admin +# admin_url: "http://127.0.0.1:35357/v3/" +# public_url: "http://127.0.0.1:5000/v3/" +# internal_url: "http://127.0.0.1:5000/v3/" +# region_name: "RegionOne" +# message_queue: +# username: keystone +# password: ChangeThisPa55w0rd +# host: 127.0.0.1 +# database: +# name: keystone +# username: keystone +# password: ChangeThisPa55w0rd +# host: 127.0.0.1 + +ironic: + service_catalog: + username: "ironic" + password: "ChangeThisPa55w0rd" + auth_url: "http://127.0.0.1:5000/v3" + project_name: "service" + keystone: + default_username: "bifrost_user" + default_password: "ChangeThisPa55w0rd" 
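Review bot: The new uncommented `ironic:` block ships live credentials — `service_catalog.password` and `keystone.default_password` are both `"ChangeThisPa55w0rd"` — and nothing on this page stops a deployer who flips `enable_keystone: true` from creating the ironic service user (granted the `admin` role in keystone_setup.yml) and the bifrost user with those well-known values. Unlike the `keystone:` example above it, which is commented out, these defaults are applied as-is. I would at least add a warning directly above the block, e.g. `# WARNING: placeholder passwords. Override both before enabling keystone; keystone_setup.yml will create real accounts with them.`, and ideally have the role refuse to proceed when either value still equals the placeholder. The `noauth_mode: true` default is fine for the existing toolkit use case but deserves a sentence saying that ironic's API is unauthenticated in that mode.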
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml index e860b7397..e02f01ca9 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml @@ -13,6 +13,15 @@ # See the License for the specific language governing permissions and # limitations under the License. --- +- name: "Fail if authentication configuration conflicts." + fail: + msg: > + noauth_mode and enable_keystone are mutually exclusive options. + Please set one to "false". + when: > + noauth_mode | bool == true and enable_keystone is defined and + enable_keystone | bool == true + - name: "Warn if deprecated variable nginx_port is set" debug: msg: > @@ -126,6 +135,11 @@ owner: root group: root when: skip_install is not defined and enable_pxe_drivers | bool == true + +- name: "Populate keystone for Bifrost" + include: keystone_setup.yml + when: enable_keystone is defined and enable_keystone | bool == true + - name: "Generate ironic Configuration" include: ironic_config.yml - name: "Copy policy.json to /etc/ironic" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml new file mode 100644 index 000000000..a4a9edacc --- /dev/null +++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml 
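Review bot: The new guard only catches the case where both `noauth_mode` and `enable_keystone` are true; when both are false the play continues with neither an unauthenticated nor a keystone-backed configuration, and from this page I cannot tell what ironic_config.yml does with that combination, so either fail on it too or document it as intentional. The condition can also be written without the redundant comparisons, `when: noauth_mode | bool and enable_keystone | default(false) | bool`, which additionally drops the `is defined` test. The second hunk is fine as written; note that `include` (rather than `include_tasks`) is the older form and the `when` applies to every task in keystone_setup.yml.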
@@ -0,0 +1,224 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- + +# TODO(TheJulia): The user and project domains are hardcoded in this. +# We should likely address that at some point, however I think a user +# should be the driver of that work. + +- name: "Error if credentials are undefined." + fail: + msg: | + Credentials are missing or undefined, unable to proceed. + Please consult roled defaults/main.yml. + when: > + keystone is undefined or keystone.bootstrap is undefined or + keystone.bootstrap.username is undefined or + keystone.bootstrap.password is undefined or + keystone.bootstrap.project_name is undefined or + ironic.service_catalog.auth_url is undefined or + ironic.service_catalog.username is undefined or + ironic.service_catalog.password is undefined or + ironic.service_catalog.project_name is undefined or + ironic.keystone is undefined or + ironic.keystone.default_username is undefined or + ironic.keystone.default_password is undefined + +- name: "Ensure service project is present" + os_project: + name: "service" + state: present + description: "Service Project" + domain_id: default + enabled: yes + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}/" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create 
service user for ironic" + os_user: + name: "{{ ironic.service_catalog.username }}" + password: "{{ ironic.service_catalog.password }}" + state: present + domain: "default" + default_project: "{{ ironic.service_catalog.project_name }}" + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Associate ironic user to admin role" + os_user_role: + user: "{{ ironic.service_catalog.username }}" + role: admin + project: "{{ ironic.service_catalog.project_name }}" + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create keystone service record for ironic" + os_keystone_service: + state: present + name: ironic + service_type: baremetal + description: OpenStack Baremetal Service + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create ironic admin endpoint" + command: | + openstack + --os-identity-api-version 3 + --os-username "{{ keystone.bootstrap.username }}" + --os-password "{{ keystone.bootstrap.password }}" + --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + --os-project-name admin + endpoint create --region "{{ 
keystone.bootstrap.region_name | default('RegionOne') }}" + baremetal admin "{{ ironic.keystone.admin_url | default('http://127.0.0.1:6385/') }}" + +- name: "Create ironic public endpoint" + command: | + openstack + --os-identity-api-version 3 + --os-username "{{ keystone.bootstrap.username }}" + --os-password "{{ keystone.bootstrap.password }}" + --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + --os-project-name admin + endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + baremetal public "{{ ironic.keystone.public_url | default('http://127.0.0.1:6385/') }}" + +- name: "Create ironic internal endpoint" + command: | + openstack + --os-identity-api-version 3 + --os-username "{{ keystone.bootstrap.username }}" + --os-password "{{ keystone.bootstrap.password }}" + --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + --os-project-name admin + endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + baremetal internal "{{ ironic.keystone.internal_url | default('http://127.0.0.1:6385/') }}" + no_log: true + +- name: "Create baremetal_admin role" + os_keystone_role: + name: "baremetal_admin" + state: present + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create baremetal_observer role" + os_keystone_role: + name: "baremetal_observer" + state: present + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + 
environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create baremetal project" + os_project: + name: "baremetal" + state: present + description: "Baremetal Project" + domain_id: default + enabled: yes + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create bifrost user" + os_user: + name: "{{ ironic.keystone.default_username }}" + password: "{{ ironic.keystone.default_password }}" + default_project: "baremetal" + domain: "default" + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: admin + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Associate bifrost user with baremetal_admin" + os_user_role: + user: "{{ ironic.keystone.default_username }}" + role: "baremetal_admin" + project: baremetal + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: admin + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true \ No newline at end of file diff --git a/releasenotes/notes/creation-of-ironic-user-5a970c5f73e8ef45.yaml b/releasenotes/notes/creation-of-ironic-user-5a970c5f73e8ef45.yaml new file mode 100644 index 000000000..360f3083e --- /dev/null +++ b/releasenotes/notes/creation-of-ironic-user-5a970c5f73e8ef45.yaml 
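Review bot: The "Create ironic admin endpoint" and "Create ironic public endpoint" `command:` tasks pass `--os-password "{{ keystone.bootstrap.password }}"` but, unlike every other task in this file including the internal-endpoint one, have no `no_log: true`, so the keystone bootstrap admin password is printed in Ansible output and any log on a verbose or failed run. Putting the password on the command line also exposes it to any local user via the process list for the duration of the call; the openstack client reads `OS_PASSWORD` from the environment, so move it there and set `no_log` on all three tasks, as below for the first one (apply the same change to the public and internal tasks). Separately, these `endpoint create` calls have no existence check, so every re-run of the role adds duplicate endpoints to the catalog. The mismatch between the first task's `default('http://127.0.0.1:5000/') }}/"` (trailing slash appended) and the rest of the file looks accidental.
```yaml
- name: "Create ironic admin endpoint"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name admin
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal admin "{{ ironic.keystone.admin_url | default('http://127.0.0.1:6385/') }}"
  environment:
    OS_PASSWORD: "{{ keystone.bootstrap.password }}"
  no_log: true
# … unchanged: public and internal endpoint tasks, which need the same treatment …
```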
@@ -0,0 +1,8 @@ +--- +features: + - The functionality to create a service account + and default user account to bifrost has been added. + This is controlled by the ``enable_keystone`` parameter + as well a ``keystone`` and ``ironic`` data structure that + contains all required parameters. Please consult the + bifrost-ironic-install/defaults/main.yml file for more details.