Adding keystone support to inspector config
Additional support to configure keystone with credentials for inspector and template updates to allow the configuration of keystone settings related to inspector. Change-Id: Idef26c86bdc827b8edbc9e0412ec9067a25f52b6
parent
61379b9d84
commit
ee38716d16
@ -116,9 +116,15 @@ inventory_dns: False
|
||||
# Settings to enable the use of inspector
|
||||
enable_inspector: true
|
||||
inspector_auth: "noauth"
|
||||
# Deprecated: inspector_auth will be removed in Pike, and is
|
||||
# overriden when enable_keystone is set to true.
|
||||
#inspector_auth: "noauth"
|
||||
inspector_debug: true
|
||||
inspector_manage_firewall: false
|
||||
|
||||
# Deprecated: ironic_auth_strategy will be removed in Pike.
|
||||
ironic_auth_strategy: "noauth"
|
||||
|
||||
inspector_data_dir: "/opt/stack/ironic-inspector/var"
|
||||
inspector_store_ramdisk_logs: true
|
||||
# Note: inspector_port_addition has three valid values: all, active, pxe
|
||||
@ -204,8 +210,19 @@ ironic:
|
||||
default_username: "bifrost_user"
|
||||
default_password: "ChangeThisPa55w0rd"
|
||||
|
||||
|
||||
# TODO(TheJulia): Thinking outloud, I think we ought to head in
|
||||
# the direction of identifying the address of the conductor host
|
||||
ironic_inspector:
|
||||
service_catalog:
|
||||
username: "ironic_inspector"
|
||||
password: "ChangeThisPa55w0rd"
|
||||
auth_url: "http://127.0.0.1:5000/v3"
|
||||
project_name: "service"
|
||||
keystone:
|
||||
default_username: "inspector_user"
|
||||
default_password: "ChangeThisPa55w0rd"
|
||||
# public_url: "http://127.0.0.1:5050/"
|
||||
# private_url: "http://127.0.0.1:5050/"
|
||||
# internal_url: "http://127.0.0.1:5050/"
|
||||
# TODO(TheJulia): Thinking outloud, I we ought to head in the
|
||||
# direction of identifying the address of the conductor host
|
||||
# in a more uniform fashion. What that is exactly, is TBD.
|
||||
my_ip_address: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}"
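Review bot: The new `ironic_inspector.service_catalog.password` and `ironic_inspector.keystone.default_password` defaults in the second hunk both ship as the same publicly known placeholder, `"ChangeThisPa55w0rd"`, so a deployment that enables keystone without overriding them gets predictable credentials on the accounts the new keystone tasks create. Because the values are always defined, the "Error if credentials are undefined" check in the setup tasks cannot catch an operator who forgot to change them. Consider leaving the two passwords unset here so that check fires, or at minimum put a comment above each, e.g. `# Placeholder only: override before setting enable_keystone to true`. In the first hunk, "overriden" in the deprecation comment should read "overridden".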
|
||||
|
@ -36,6 +36,11 @@
|
||||
group=ironic
|
||||
mode=0755
|
||||
state=directory
|
||||
|
||||
- name: "Populate keystone for ironic-inspector "
|
||||
include: keystone_setup_inspector.yml
|
||||
when: enable_keystone is defined and enable_keystone | bool == true
|
||||
|
||||
- name: "Inspector - Place Configuration"
|
||||
template:
|
||||
src=ironic-inspector.conf.j2
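Review bot: The condition on the new include, `enable_keystone is defined and enable_keystone | bool == true`, is more verbose than needed and depends on filter-versus-comparison precedence to read correctly; `when: enable_keystone | default(false) | bool` expresses the same test. The task name also carries a trailing space inside the quotes (`"Populate keystone for ironic-inspector "`). The hunk ends inside the following "Inspector - Place Configuration" task, so it is not visible here whether the rendered configuration, which now contains keystone passwords, is written with a restrictive mode; that is worth confirming.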
|
||||
|
@ -0,0 +1,160 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
---
|
||||
|
||||
# TODO(TheJulia): The user and project domains are hardcoded in this.
|
||||
# We should likely address that at some point, however I think a user
|
||||
# should be the driver of that work.
|
||||
|
||||
- name: "Error if credentials are undefined."
|
||||
fail:
|
||||
msg: |
|
||||
Credentials are missing or undefined, unable to proceed.
|
||||
Please consult roled defaults/main.yml.
|
||||
when: >
|
||||
keystone is undefined or keystone.bootstrap is undefined or
|
||||
keystone.bootstrap.username is undefined or
|
||||
keystone.bootstrap.password is undefined or
|
||||
keystone.bootstrap.project_name is undefined or
|
||||
ironic_inspector.service_catalog.auth_url is undefined or
|
||||
ironic_inspector.service_catalog.username is undefined or
|
||||
ironic_inspector.service_catalog.password is undefined or
|
||||
ironic_inspector.keystone is undefined or
|
||||
ironic_inspector.keystone.default_username is undefined or
|
||||
ironic_inspector.keystone.default_password is undefined
|
||||
|
||||
- name: "Create service user for ironic-inspector"
|
||||
os_user:
|
||||
name: "{{ ironic_inspector.service_catalog.username }}"
|
||||
password: "{{ ironic_inspector.service_catalog.password }}"
|
||||
state: present
|
||||
domain: "default"
|
||||
default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
|
||||
auth:
|
||||
auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
username: "{{ keystone.bootstrap.username }}"
|
||||
password: "{{ keystone.bootstrap.password }}"
|
||||
project_name: "admin"
|
||||
project_domain_id: "default"
|
||||
user_domain_id: "default"
|
||||
wait: yes
|
||||
environment:
|
||||
OS_IDENTITY_API_VERSION: "3"
|
||||
no_log: true
|
||||
|
||||
- name: "Associate ironic_inspector user to admin role"
|
||||
os_user_role:
|
||||
user: "{{ ironic_inspector.service_catalog.username }}"
|
||||
role: admin
|
||||
project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
|
||||
auth:
|
||||
auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
username: "{{ keystone.bootstrap.username }}"
|
||||
password: "{{ keystone.bootstrap.password }}"
|
||||
project_name: "admin"
|
||||
project_domain_id: "default"
|
||||
user_domain_id: "default"
|
||||
wait: yes
|
||||
environment:
|
||||
OS_IDENTITY_API_VERSION: "3"
|
||||
no_log: true
|
||||
|
||||
- name: "Create keystone service record for ironic-inspector"
|
||||
os_keystone_service:
|
||||
state: present
|
||||
name: ironic-inspector
|
||||
service_type: baremetal-introspection
|
||||
description: OpenStack Baremetal Introspection Service
|
||||
auth:
|
||||
auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
username: "{{ keystone.bootstrap.username }}"
|
||||
password: "{{ keystone.bootstrap.password }}"
|
||||
project_name: "admin"
|
||||
project_domain_id: "default"
|
||||
user_domain_id: "default"
|
||||
wait: yes
|
||||
environment:
|
||||
OS_IDENTITY_API_VERSION: "3"
|
||||
no_log: true
|
||||
|
||||
- name: "Create ironic-inspector admin endpoint"
|
||||
command: |
|
||||
openstack
|
||||
--os-identity-api-version 3
|
||||
--os-username "{{ keystone.bootstrap.username }}"
|
||||
--os-password "{{ keystone.bootstrap.password }}"
|
||||
--os-auth-url "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
--os-project-name admin
|
||||
endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
|
||||
baremetal admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}"
|
||||
|
||||
# NOTE(TheJulia): This seems like something that should be
|
||||
# to admin or internal interfaces. Perhaps we should attempt
|
||||
# remove it after we have a working keystone integrated CI job.
|
||||
- name: "Create ironic-inspector public endpoint"
|
||||
command: |
|
||||
openstack
|
||||
--os-identity-api-version 3
|
||||
--os-username "{{ keystone.bootstrap.username }}"
|
||||
--os-password "{{ keystone.bootstrap.password }}"
|
||||
--os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
--os-project-name admin
|
||||
endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
|
||||
baremetal public "{{ ironic_inspector.keystone.public_url | default('http://127.0.0.1:5050/') }}"
|
||||
|
||||
- name: "Create ironic-inspector internal endpoint"
|
||||
command: |
|
||||
openstack
|
||||
--os-identity-api-version 3
|
||||
--os-username "{{ keystone.bootstrap.username }}"
|
||||
--os-password "{{ keystone.bootstrap.password }}"
|
||||
--os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
--os-project-name admin
|
||||
endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
|
||||
baremetal internal "{{ ironic_inspector.keystone.internal_url | default('http://127.0.0.1:5050/') }}"
|
||||
no_log: true
|
||||
|
||||
- name: "Create inspector_user user"
|
||||
os_user:
|
||||
name: "{{ ironic_inspector.keystone.default_username }}"
|
||||
password: "{{ ironic_inspector.keystone.default_password }}"
|
||||
default_project: "baremetal"
|
||||
domain: "default"
|
||||
auth:
|
||||
auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
username: "{{ keystone.bootstrap.username }}"
|
||||
password: "{{ keystone.bootstrap.password }}"
|
||||
project_name: admin
|
||||
project_domain_id: "default"
|
||||
user_domain_id: "default"
|
||||
wait: yes
|
||||
environment:
|
||||
OS_IDENTITY_API_VERSION: "3"
|
||||
no_log: true
|
||||
|
||||
- name: "Associate inspector_user with baremetal_admin"
|
||||
os_user_role:
|
||||
user: "{{ ironic_inspector.keystone.default_username }}"
|
||||
role: "baremetal_admin"
|
||||
project: baremetal
|
||||
auth:
|
||||
auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
|
||||
username: "{{ keystone.bootstrap.username }}"
|
||||
password: "{{ keystone.bootstrap.password }}"
|
||||
project_name: admin
|
||||
project_domain_id: "default"
|
||||
user_domain_id: "default"
|
||||
wait: yes
|
||||
environment:
|
||||
OS_IDENTITY_API_VERSION: "3"
|
||||
no_log: true
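Review bot: The three "endpoint create" tasks pass the keystone bootstrap password as `--os-password` on the command line, and as rendered only the internal-endpoint task carries `no_log: true`, so the admin and public tasks can print the admin password in Ansible output and logs. Even with `no_log`, a password in argv is visible to other local users in the process list while the command runs. Supplying the credentials through `environment:` (the client reads `OS_USERNAME`, `OS_PASSWORD`, `OS_AUTH_URL`, `OS_PROJECT_NAME`) and setting `no_log: true` on all three tasks avoids both. Separately, the service record is created with `service_type: baremetal-introspection` but the endpoints are created against `baremetal`; that looks like it attaches the inspector URLs to the ironic service and should be confirmed. These commands are also not idempotent, so a re-run presumably registers duplicate endpoints.

```yaml
- name: "Create ironic-inspector admin endpoint"
  command: >
    openstack endpoint create
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}"
  environment:
    OS_IDENTITY_API_VERSION: "3"
    OS_USERNAME: "{{ keystone.bootstrap.username }}"
    OS_PASSWORD: "{{ keystone.bootstrap.password }}"
    OS_AUTH_URL: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    OS_PROJECT_NAME: "admin"
  no_log: true
# … unchanged in shape: apply the same environment/no_log change to the public and internal endpoint tasks …
```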
|
@ -4,17 +4,46 @@
|
||||
# http://git.openstack.org/cgit/openstack/ironic-inspector/tree/example.conf
|
||||
#}
|
||||
[DEFAULT]
|
||||
auth_strategy = {{ inspector_auth }}
|
||||
{% if enable_keystone is defined and enable_keystone | bool == true %}
|
||||
auth_strategy = keystone
|
||||
{% else %}
|
||||
auth_strategy = {{ inspector_auth | default('noauth') }}
|
||||
{% endif %}
|
||||
debug = {{ inspector_debug | bool }}
|
||||
|
||||
[database]
|
||||
connection=mysql+pymysql://inspector:{{ ironic_db_password }}@localhost/inspector?charset=utf8
|
||||
|
||||
[firewall]
|
||||
manage_firewall = {{ inspector_manage_firewall | bool }}
|
||||
manage_firewall = {{ inspector_manage_firewall | bool | default('false') }}
|
||||
|
||||
[ironic]
|
||||
auth_strategy = {{ ironic_auth_strategy }}
|
||||
{% if enable_keystone is defined and enable_keystone | bool == true %}
|
||||
os_region = {{ keystone.bootstrap.region_name | default('RegionOne') }}
|
||||
project_name = baremetal
|
||||
username = {{ ironic_inspector.keystone.default_username }}
|
||||
password = {{ ironic_inspector.keystone.default_password }}
|
||||
auth_url = {{ ironic_inspector.service_catalog.auth_url }}
|
||||
auth_type = password
|
||||
auth_strategy = keystone
|
||||
user_domain_id = default
|
||||
project_domain_id = default
|
||||
|
||||
{% else %}
|
||||
auth_strategy = {{ ironic_auth_strategy | default('noauth') }}
|
||||
{% endif %}
|
||||
|
||||
{% if enable_keystone is defined and enable_keystone | bool == true %}
|
||||
[keystone_authtoken]
|
||||
auth_plugin = password
|
||||
auth_url = {{ ironic_inspector.service_catalog.auth_url }}
|
||||
username = {{ ironic_inspector.service_catalog.username }}
|
||||
password = {{ ironic_inspector.service_catalog.password }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
project_domain_id = default
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
# Note(TheJulia) preserving ironic_url in the configuration
|
||||
# in case future changes allow breaking of the deployment across
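Review bot: In the `[firewall]` section the filters on the new `manage_firewall` line are in the wrong order: `default('false')` is applied after `bool`, so it cannot supply a fallback for an undefined `inspector_manage_firewall` as the line intends; write `manage_firewall = {{ inspector_manage_firewall | default(false) | bool }}`. The new `[ironic]` and `[keystone_authtoken]` blocks also render two keystone passwords into this file next to the existing database password, so the destination should be readable only by the service user; the task that places the file is outside this hunk. `[keystone_authtoken]` uses `auth_plugin` while `[ironic]` uses `auth_type`; using `auth_type` in both would be consistent. The Jinja comment at the end of the hunk continues outside it.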
|
||||
|
@ -0,0 +1,12 @@
|
||||
---
|
||||
features:
|
||||
- Functionality to configure the ironic-inspector to
|
||||
utilize keystone, utilizing the base ``enable_keystone``
|
||||
boolean parameter.
|
||||
deprecations:
|
||||
- The ``ironic_auth_strategy`` setting is deprecated and will
|
||||
be removed in Pike. The setting has no effect if the
|
||||
``enable_keystone`` setting is present and set to ``true``.
|
||||
- The ``inspector_auth`` setting is deprecated and will
|
||||
be removed in Pike. The setting has no effect if the
|
||||
``enable_keystone`` setting is present and set to ``true``.
|