From ee38716d16b75b3f93e21b9b4bcdd483484a83e3 Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Thu, 6 Oct 2016 18:45:25 +0000 Subject: [PATCH] Adding keystone support to inspector config Additional support to configure keystone with credentials for inspector and template updates to allow the configuration of keystone settings related to inspector. Change-Id: Idef26c86bdc827b8edbc9e0412ec9067a25f52b6 --- .../bifrost-ironic-install/defaults/main.yml | 23 ++- .../tasks/inspector_bootstrap.yml | 5 + .../tasks/keystone_setup_inspector.yml | 160 ++++++++++++++++++ .../templates/ironic-inspector.conf.j2 | 35 +++- ...tor-keystone-support-3786a22b49e851e5.yaml | 12 ++ 5 files changed, 229 insertions(+), 6 deletions(-) create mode 100644 playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml create mode 100644 releasenotes/notes/inspector-keystone-support-3786a22b49e851e5.yaml diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 2af90f129..4b0bb61d2 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -116,9 +116,15 @@ inventory_dns: False # Settings to enable the use of inspector enable_inspector: true inspector_auth: "noauth" +# Deprecated: inspector_auth will be removed in Pike, and is +# overriden when enable_keystone is set to true. +#inspector_auth: "noauth" inspector_debug: true inspector_manage_firewall: false + +# Deprecated: ironic_auth_strategy will be removed in Pike. ironic_auth_strategy: "noauth" + inspector_data_dir: "/opt/stack/ironic-inspector/var" inspector_store_ramdisk_logs: true # Note: inspector_port_addition has three valid values: all, active, pxe 
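Review bot: The deprecation notice for `inspector_auth` is placed below the still-active `inspector_auth: "noauth"` line and repeats the key as a commented-out copy, so a reader skimming the defaults can miss that the live default is still `noauth`, and uncommenting the copy would produce a duplicate key (most YAML loaders silently keep the last one). Put the comment above the active key and drop the copy, the way `ironic_auth_strategy` is handled later in the same hunk; "overriden" should also read "overridden". Proposed: `# Deprecated: inspector_auth will be removed in Pike, and is` / `# overridden when enable_keystone is set to true.` / `inspector_auth: "noauth"`.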
@@ -204,8 +210,19 @@ ironic: default_username: "bifrost_user" default_password: "ChangeThisPa55w0rd" - -# TODO(TheJulia): Thinking outloud, I think we ought to head in -# the direction of identifying the address of the conductor host +ironic_inspector: + service_catalog: + username: "ironic_inspector" + password: "ChangeThisPa55w0rd" + auth_url: "http://127.0.0.1:5000/v3" + project_name: "service" + keystone: + default_username: "inspector_user" + default_password: "ChangeThisPa55w0rd" +# public_url: "http://127.0.0.1:5050/" +# private_url: "http://127.0.0.1:5050/" +# internal_url: "http://127.0.0.1:5050/" +# TODO(TheJulia): Thinking outloud, I we ought to head in the +# direction of identifying the address of the conductor host # in a more uniform fashion. What that is exactly, is TBD. my_ip_address: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml index 9a5ca3021..0e9503d33 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml @@ -36,6 +36,11 @@ group=ironic mode=0755 state=directory + +- name: "Populate keystone for ironic-inspector " + include: keystone_setup_inspector.yml + when: enable_keystone is defined and enable_keystone | bool == true + - name: "Inspector - Place Configuration" template: src=ironic-inspector.conf.j2 diff --git a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml new file mode 100644 index 000000000..9048bb47a --- /dev/null +++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml 
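Review bot: `ironic_inspector.service_catalog.password` and `ironic_inspector.keystone.default_password` ship with the literal placeholder `ChangeThisPa55w0rd`, and nothing in this series refuses to run when the placeholder is left in place, so the keystone user that the setup tasks later give the `admin` role on the `service` project is created with a well-known password whenever an operator forgets to override it. The defaults should at least say so, e.g. `# NOTE: placeholder credential - MUST be overridden before a keystone-enabled deploy`, and a guard in the setup tasks that fails when the value still equals the placeholder would make the failure loud instead of silent. The commented-out URL keys name `private_url`, but the setup tasks read `ironic_inspector.keystone.admin_url`, so the documented override does not match the consumed variable; the comment should read `# admin_url: "http://127.0.0.1:5050/"`.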
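Review bot: The new task name `"Populate keystone for ironic-inspector "` carries a trailing space inside the quotes, which is copied into play output and makes the task awkward to target with `--start-at-task`; `name: "Populate keystone for ironic-inspector"` is enough. The condition `enable_keystone | bool == true` compares a boolean to a literal and can simply be `when: enable_keystone is defined and enable_keystone | bool`. Both are style points only; the placement of the include before the `Inspector - Place Configuration` task looks right, since the included file and the template consume the same credential variables.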
@@ -0,0 +1,160 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- + +# TODO(TheJulia): The user and project domains are hardcoded in this. +# We should likely address that at some point, however I think a user +# should be the driver of that work. + +- name: "Error if credentials are undefined." + fail: + msg: | + Credentials are missing or undefined, unable to proceed. + Please consult roled defaults/main.yml. + when: > + keystone is undefined or keystone.bootstrap is undefined or + keystone.bootstrap.username is undefined or + keystone.bootstrap.password is undefined or + keystone.bootstrap.project_name is undefined or + ironic_inspector.service_catalog.auth_url is undefined or + ironic_inspector.service_catalog.username is undefined or + ironic_inspector.service_catalog.password is undefined or + ironic_inspector.keystone is undefined or + ironic_inspector.keystone.default_username is undefined or + ironic_inspector.keystone.default_password is undefined + +- name: "Create service user for ironic-inspector" + os_user: + name: "{{ ironic_inspector.service_catalog.username }}" + password: "{{ ironic_inspector.service_catalog.password }}" + state: present + domain: "default" + default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}" + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + 
project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Associate ironic_inspector user to admin role" + os_user_role: + user: "{{ ironic_inspector.service_catalog.username }}" + role: admin + project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}" + auth: + auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create keystone service record for ironic-inspector" + os_keystone_service: + state: present + name: ironic-inspector + service_type: baremetal-introspection + description: OpenStack Baremetal Introspection Service + auth: + auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Create ironic-inspector admin endpoint" + command: | + openstack + --os-identity-api-version 3 + --os-username "{{ keystone.bootstrap.username }}" + --os-password "{{ keystone.bootstrap.password }}" + --os-auth-url "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + --os-project-name admin + endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + baremetal admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}" + +# NOTE(TheJulia): This seems like something that should be +# to admin or internal interfaces. 
Perhaps we should attempt +# remove it after we have a working keystone integrated CI job. +- name: "Create ironic-inspector public endpoint" + command: | + openstack + --os-identity-api-version 3 + --os-username "{{ keystone.bootstrap.username }}" + --os-password "{{ keystone.bootstrap.password }}" + --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + --os-project-name admin + endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + baremetal public "{{ ironic_inspector.keystone.public_url | default('http://127.0.0.1:5050/') }}" + +- name: "Create ironic-inspector internal endpoint" + command: | + openstack + --os-identity-api-version 3 + --os-username "{{ keystone.bootstrap.username }}" + --os-password "{{ keystone.bootstrap.password }}" + --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + --os-project-name admin + endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + baremetal internal "{{ ironic_inspector.keystone.internal_url | default('http://127.0.0.1:5050/') }}" + no_log: true + +- name: "Create inspector_user user" + os_user: + name: "{{ ironic_inspector.keystone.default_username }}" + password: "{{ ironic_inspector.keystone.default_password }}" + default_project: "baremetal" + domain: "default" + auth: + auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: admin + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true + +- name: "Associate inspector_user with baremetal_admin" + os_user_role: + user: "{{ ironic_inspector.keystone.default_username }}" + role: "baremetal_admin" + project: baremetal + auth: + auth_url: "{{ ironic_inspector.service_catalog.auth_url | 
default('http://127.0.0.1:5000/') }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: admin + project_domain_id: "default" + user_domain_id: "default" + wait: yes + environment: + OS_IDENTITY_API_VERSION: "3" + no_log: true diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2 index 6a5e458a4..193e8c796 100644 --- a/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2 +++ b/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2 
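Review bot: The `Create ironic-inspector admin endpoint` and `Create ironic-inspector public endpoint` tasks pass `--os-password "{{ keystone.bootstrap.password }}"` on the `openstack` command line but, unlike the internal-endpoint task and every `os_*` task in this file, carry no `no_log: true`, so the keystone bootstrap password is written to play output and any callback or log sink as part of the recorded `cmd`. All three endpoint tasks also create endpoints for service `baremetal`, while the service record created just above is of type `baremetal-introspection`; as far as I can tell from the CLI's name-then-type lookup this attaches the inspector URLs to ironic's service (or fails when it is absent) rather than to the new record. Because these are plain `command` tasks, every re-run of the role creates another endpoint, so some idempotency guard (a prior `openstack endpoint list` check, not shown here) is needed, and the tasks alternate between `ironic.service_catalog.auth_url` and `ironic_inspector.service_catalog.auth_url` for the same purpose. Proposed shape for the admin task, with the password moved into the environment so it also stays out of the process argument list; the same three changes apply to the public and internal tasks:
```yaml
# … unchanged: credential check, service user, role assignment, service record …
- name: "Create ironic-inspector admin endpoint"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-auth-url "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name admin
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}"
  environment:
    # Read by the openstack CLI in place of --os-password; keeps the
    # bootstrap secret out of argv and out of the logged command string.
    OS_PASSWORD: "{{ keystone.bootstrap.password }}"
  no_log: true
# … unchanged: public and internal endpoint tasks (same three changes apply) …
```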
@@ -4,17 +4,46 @@ # http://git.openstack.org/cgit/openstack/ironic-inspector/tree/example.conf #} [DEFAULT] -auth_strategy = {{ inspector_auth }} +{% if enable_keystone is defined and enable_keystone | bool == true %} +auth_strategy = keystone +{% else %} +auth_strategy = {{ inspector_auth | default('noauth') }} +{% endif %} debug = {{ inspector_debug | bool }} [database] connection=mysql+pymysql://inspector:{{ ironic_db_password }}@localhost/inspector?charset=utf8 [firewall] -manage_firewall = {{ inspector_manage_firewall | bool }} +manage_firewall = {{ inspector_manage_firewall | bool | default('false') }} [ironic] -auth_strategy = {{ ironic_auth_strategy }} +{% if enable_keystone is defined and enable_keystone | bool == true %} +os_region = {{ keystone.bootstrap.region_name | default('RegionOne') }} +project_name = baremetal +username = {{ ironic_inspector.keystone.default_username }} +password = {{ ironic_inspector.keystone.default_password }} +auth_url = {{ ironic_inspector.service_catalog.auth_url }} +auth_type = password +auth_strategy = keystone +user_domain_id = default +project_domain_id = default + +{% else %} +auth_strategy = {{ ironic_auth_strategy | default('noauth') }} +{% endif %} + +{% if enable_keystone is defined and enable_keystone | bool == true %} +[keystone_authtoken] +auth_plugin = password +auth_url = {{ ironic_inspector.service_catalog.auth_url }} +username = {{ ironic_inspector.service_catalog.username }} +password = {{ ironic_inspector.service_catalog.password }} +user_domain_id = default +project_name = service +project_domain_id = default + +{% endif %} {# # Note(TheJulia) preserving ironic_url in the configuration # in case future changes allow breaking of the deployment across diff --git a/releasenotes/notes/inspector-keystone-support-3786a22b49e851e5.yaml b/releasenotes/notes/inspector-keystone-support-3786a22b49e851e5.yaml new file mode 100644 index 000000000..c246ef231 --- /dev/null 
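Review bot: In `manage_firewall = {{ inspector_manage_firewall | bool | default('false') }}` the `default` filter is applied after `bool`, so an undefined `inspector_manage_firewall` reaches `bool` first and, as far as I can tell, Ansible errors on the undefined value before `default` is ever consulted; the intended form is `manage_firewall = {{ inspector_manage_firewall | default(false) | bool }}`. The new `[keystone_authtoken]` block uses `auth_plugin = password` while the keystone branch of `[ironic]` in the same template uses `auth_type = password`; keystoneauth treats `auth_plugin` as the older spelling, so the two sections should agree on `auth_type`. The keystone branch of `[ironic]` also hard-codes `project_name = baremetal` and the `default` domains that the setup tasks assume, so a one-line comment such as `# project and domains must match keystone_setup_inspector.yml` would keep the template and the tasks from drifting apart. Note that the rendered file now carries two plaintext keystone passwords; the template task that writes it is outside this hunk, so I cannot confirm its mode and owner restrict the file to the ironic user.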
+++ b/releasenotes/notes/inspector-keystone-support-3786a22b49e851e5.yaml @@ -0,0 +1,12 @@ +--- +features: + - Functionality to configure the ironic-inspector to + utilize keystone, utilizing the base ``enable_keystone`` + boolean parameter. +deprecations: + - The ``ironic_auth_strategy`` setting is deprecated and will + be removed in Pike. The setting has no effect if the + ``enable_keystone`` setting is present and set to ``true``. + - The ``inspector_auth`` setting is deprecated and will + be removed in Pike. The setting has no effect if the + ``enable_keystone`` setting is present and set to ``true``.