2cf5ce5252
Using keystone is a bit of an advance topic, but documentation is required to allow users to hopefully grasp the essentials of what is required. Change-Id: I25fd57f9acf07420384f021d17a43cf73412a965
111 lines
4.1 KiB
ReStructuredText
111 lines
4.1 KiB
ReStructuredText
*********************
|
|
Bifrost with Keystone
|
|
*********************
|
|
|
|
.. NOTE:: Use of keystone with bifrost is a very new feature and should
|
|
be considered an advanced topic. Please feel free to reach out to the
|
|
bifrost contributors and the ironic community as a whole in the project's
|
|
`IRC`_ channel.
|
|
|
|
.. _`IRC`: https://wiki.openstack.org/wiki/Ironic#IRC
|
|
|
|
##########################
|
|
Installation with Keystone
|
|
##########################
|
|
|
|
Bifrost can now install and make use of keystone. In order to enable
|
|
this as part of the installation, the ``enable_keystone`` variable
|
|
must be set to ``true``.
|
|
Either in ``playbooks/inventory/group_vars/localhost`` or on the
|
|
command line during installation. Example::
|
|
|
|
ansible-playbook -vvvv -i inventory/localhost install.yaml -e enable_keystone=true
|
|
|
|
However, prior to installation, overriding credentials should be set
|
|
in order to customize the deployment to meet your needs. See::
|
|
|
|
playbooks/roles/bifrost-ironic-install/defaults/main.yml
|
|
playbooks/roles/bifrost-keystone-install/defaults/main.yml
|
|
|
|
Using an existing Keystone
|
|
--------------------------
|
|
|
|
If you choose to install bifrost using an existing keystone, this
|
|
should be possible, however it has not been tested. In this case you
|
|
will need to set the appropriate defaults, via
|
|
``playbooks/roles/bifrost-ironic-install/defaults/main.yml``
|
|
which would be a good source for the role level defaults.
|
|
Ideally, when setting new defaults, they should be set in the
|
|
``playbooks/inventory/group_vars/localhost`` file.
|
|
|
|
Creation of clouds.yaml
|
|
-----------------------
|
|
|
|
By default, during bifrost installation, when keystone is enabled,
|
|
a file will be written to the user's home directory that is executing
|
|
the installation. That file can be located at
|
|
``~/.config/openstack/clouds.yaml``. The cloud that is written
|
|
to that file is named ``bifrost``.
|
|
|
|
Use of bifrost with Keystone
|
|
============================
|
|
|
|
Ultimately, as bifrost was designed for relatively short-lived
|
|
installations for rapid hardware deployment, the default operating
|
|
mode is referred to as ``noauth`` mode. With that, in order to
|
|
leverage keystone authentication for the roles, one of the
|
|
following steps need to take place.
|
|
|
|
#. Update the role defaults for each role you plan to make use.
|
|
This may not make much sense for most users, unless they are
|
|
carrying such changes as downstream debt.
|
|
#. Invoke ansible-playbook with variables being set to override
|
|
the default behavior. Example::
|
|
|
|
-e noauth_mode=false -e cloud_name=bifrost
|
|
|
|
#. Set the global defaults for localhost
|
|
(``master/playbooks/inventory/group_vars/localhost``).
|
|
|
|
|
|
OpenStack Client
|
|
----------------
|
|
|
|
A user wishing to invoke OSC commands against the bifrost
|
|
installation, should set the ``OS_CLOUD`` environment variable.
|
|
An example of setting the environment variable and then executing
|
|
the OSC command to list all baremetal nodes::
|
|
|
|
export OS_CLOUD=bifrost
|
|
openstack baremetal node list
|
|
|
|
Keystone roles
|
|
--------------
|
|
|
|
Ironic, which is the underlying OpenStack component bifrost
|
|
helps a user leverage, supports two different roles in keystone
|
|
that helps govern the rights a user has in keystone.
|
|
|
|
These roles are ``baremetal_admin`` and ``baremetal_observer``
|
|
and a user can learn more about the roles from the ironic `install
|
|
guide`_.
|
|
|
|
.. _`install guide`: http://docs.openstack.org/project-install-guide/baremetal/draft/configure-integration.html#configure-the-identity-service-for-the-bare-metal-service
|
|
|
|
##############################
|
|
Use of playbooks with Keystone
|
|
##############################
|
|
|
|
The OpenStack Ansible modules utilize os-client-config to obtain
|
|
authentication details to connect to determine details.
|
|
|
|
If ``noauth_mode`` is explicitly disabled, the bifrost roles that
|
|
speak with Ironic for actions such as enrollment of nodes and
|
|
deployment, automatically attempt to collect authentication
|
|
data from os-client-config. Largely these details are governed
|
|
as environment variables.
|
|
|
|
That being said, os-client-config supports the concept of clouds
|
|
and an a user can explicitly select the cloud they wish to deploy
|
|
to via the ``cloud_name`` parameter.
|