Template system scoped admin-openrc and clouds.yml files
Ironic enabled secure RBAC with system scoped enforcement [1].
Some API calls, for instance 'baremetal:driver:get', need a system-scoped
role by design [2], even with the elevated-access project-scoped
service role [3].
[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] 8ec5606622/ironic/common/policy.py (L1349-L1357)
[3] https://review.opendev.org/c/openstack/kolla-ansible/+/908007
Related-Bug: #2051837
Change-Id: Id6313d7dd343b82d4c9ccf7bf429d340ea0e93d1
This commit is contained in:
parent
600e912400
commit
6e835ae758
@ -32,6 +32,15 @@
|
|||||||
group: "{{ ansible_facts.user_gid }}"
|
group: "{{ ansible_facts.user_gid }}"
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
||||||
|
- name: Template out admin-openrc-system.sh
|
||||||
|
become: true
|
||||||
|
template:
|
||||||
|
src: "roles/common/templates/admin-openrc-system.sh.j2"
|
||||||
|
dest: "{{ node_config }}/admin-openrc-system.sh"
|
||||||
|
owner: "{{ ansible_facts.user_uid }}"
|
||||||
|
group: "{{ ansible_facts.user_gid }}"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
- name: Template out public-openrc.sh
|
- name: Template out public-openrc.sh
|
||||||
become: true
|
become: true
|
||||||
template:
|
template:
|
||||||
|
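--- /dev/null
+++ b/ansible/roles/common/templates/admin-openrc-system.sh.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+# Clear any old environment that may conflict.
+for key in $( set | awk '{FS="="} /^OS_/ {print $1}' ); do unset $key ; done
+export OS_USER_DOMAIN_NAME='Default'
+export OS_SYSTEM_SCOPE=all
+export OS_USERNAME='{{ keystone_admin_user }}'
+export OS_PASSWORD='{{ keystone_admin_password }}'
+export OS_AUTH_URL='{{ keystone_internal_url }}'
+export OS_INTERFACE='internal'
+export OS_ENDPOINT_TYPE='internalURL'
+{% if enable_manila | bool %}
+export OS_MANILA_ENDPOINT_TYPE='internalURL'
+{% endif %}
+{% if enable_mistral | bool %}
+export OS_MISTRAL_ENDPOINT_TYPE='internalURL'
+{% endif %}
+export OS_IDENTITY_API_VERSION='3'
+export OS_REGION_NAME='{{ openstack_region_name }}'
+export OS_AUTH_PLUGIN='password'
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT='{{ kolla_admin_openrc_cacert }}'
+{% endif %}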
@ -10,6 +10,17 @@ clouds:
|
|||||||
region_name: {{ openstack_region_name }}
|
region_name: {{ openstack_region_name }}
|
||||||
{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
|
{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
|
||||||
cacert: {{ kolla_admin_openrc_cacert }}
|
cacert: {{ kolla_admin_openrc_cacert }}
|
||||||
|
{% endif %}
|
||||||
|
kolla-admin-system:
|
||||||
|
auth:
|
||||||
|
auth_url: {{ keystone_public_url }}
|
||||||
|
user_domain_name: Default
|
||||||
|
system_scope: all
|
||||||
|
username: {{ keystone_admin_user }}
|
||||||
|
password: {{ keystone_admin_password }}
|
||||||
|
region_name: {{ openstack_region_name }}
|
||||||
|
{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
|
||||||
|
cacert: {{ kolla_admin_openrc_cacert }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
kolla-admin-internal:
|
kolla-admin-internal:
|
||||||
auth:
|
auth:
|
||||||
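Review bot: The new `kolla-admin-system` entry (and `kolla-admin-system-internal` in the next hunk) writes `password: {{ keystone_admin_password }}` as a bare YAML scalar, so a password starting with `*`, `&`, `!` or `#`, or containing `: `, is misparsed or breaks the file; the username and region values have the same exposure. Emitting the value as a JSON string, which is a valid double-quoted YAML scalar, avoids this: `password: {{ keystone_admin_password | to_json }}`. The existing project-scoped entries appear to use the same bare form, so this is a pre-existing pattern rather than a regression, but the new entries copy it. Both new clouds also duplicate the existing ones apart from `system_scope: all`; if the file grows further, a small Jinja macro for the shared auth keys would keep the variants in step.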
@ -23,4 +34,16 @@ clouds:
|
|||||||
region_name: {{ openstack_region_name }}
|
region_name: {{ openstack_region_name }}
|
||||||
{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
|
{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
|
||||||
cacert: {{ kolla_admin_openrc_cacert }}
|
cacert: {{ kolla_admin_openrc_cacert }}
|
||||||
|
{% endif %}
|
||||||
|
kolla-admin-system-internal:
|
||||||
|
auth:
|
||||||
|
auth_url: {{ keystone_internal_url }}
|
||||||
|
user_domain_name: Default
|
||||||
|
system_scope: all
|
||||||
|
username: {{ keystone_admin_user }}
|
||||||
|
password: {{ keystone_admin_password }}
|
||||||
|
interface: internal
|
||||||
|
region_name: {{ openstack_region_name }}
|
||||||
|
{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
|
||||||
|
cacert: {{ kolla_admin_openrc_cacert }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -23,6 +23,7 @@ function check_config {
|
|||||||
-not -path /etc/kolla \
|
-not -path /etc/kolla \
|
||||||
-not -path /etc/kolla/clouds.yaml \
|
-not -path /etc/kolla/clouds.yaml \
|
||||||
-not -regex .*-openrc.sh \
|
-not -regex .*-openrc.sh \
|
||||||
|
-not -regex .*-openrc-system.sh \
|
||||||
-not -name globals.yml \
|
-not -name globals.yml \
|
||||||
-not -name header \
|
-not -name header \
|
||||||
-not -name inventory \
|
-not -name inventory \
|
||||||
|
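Review bot: The added `-not -regex .*-openrc-system.sh \` leaves the pattern unquoted, so the shell globs it against the current directory before find sees it, and the `.` before `sh` is an unescaped any-character match; `-not -regex '.*-openrc-system\.sh' \` is the safer form. The neighbouring `.*-openrc.sh` line has the same shape, so this follows existing style rather than introducing a new mistake, and both lines could be quoted together. check_config starts and ends outside the hunk.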
@ -9,14 +9,16 @@ export PYTHONUNBUFFERED=1
|
|||||||
|
|
||||||
function test_ironic_logged {
|
function test_ironic_logged {
|
||||||
# Assumes init-runonce has been executed.
|
# Assumes init-runonce has been executed.
|
||||||
. /etc/kolla/admin-openrc.sh
|
KOLLA_CONFIG_PATH=${KOLLA_CONFIG_PATH:-/etc/kolla}
|
||||||
|
export OS_CLIENT_CONFIG_FILE=${KOLLA_CONFIG_PATH}/clouds.yaml
|
||||||
|
export OS_CLOUD=kolla-admin-internal
|
||||||
. ~/openstackclient-venv/bin/activate
|
. ~/openstackclient-venv/bin/activate
|
||||||
|
|
||||||
echo "Enabling DHCP on the external (\"public\") subnet"
|
echo "Enabling DHCP on the external (\"public\") subnet"
|
||||||
openstack subnet set --dhcp public1-subnet
|
openstack subnet set --dhcp public1-subnet
|
||||||
|
|
||||||
# Smoke test ironic API.
|
# Smoke test ironic API.
|
||||||
openstack baremetal driver list
|
openstack --os-cloud kolla-admin-system-internal baremetal driver list
|
||||||
openstack baremetal node list
|
openstack baremetal node list
|
||||||
openstack baremetal port list
|
openstack baremetal port list
|
||||||
# Ironic Inspector API
|
# Ironic Inspector API
|
||||||
|
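Review bot: The reason only `driver list` is switched to `--os-cloud kolla-admin-system-internal` while the other calls stay on the exported `OS_CLOUD=kolla-admin-internal` is not stated in the function; a short comment before that line would save the next reader a trip to the commit message, e.g. `# 'baremetal:driver:get' requires a system-scoped token, so use the system cloud for this call only.` The new expansions are also unquoted; `export OS_CLIENT_CONFIG_FILE="${KOLLA_CONFIG_PATH}/clouds.yaml"` keeps a config path containing spaces intact. test_ironic_logged continues past the end of the hunk.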