Use kolla_toolbox to execute REST methods

Delegate executing uri REST methods to the current module containers
using kolla_toolbox. This will allow self signed certificate that are
already copied into the container to be automatically validated. This
circumvents requiring Kolla Ansible to explicitly disable certificate
validation in the ansible uri module.

Partially-Implements: blueprint custom-cacerts

Change-Id: I2625db7b8000af980e4745734c834c5d9292290b

ansible/roles/elasticsearch/tasks/upgrade.yml

@@ -2,23 +2,29 @@
 # The official procedure for upgrade elasticsearch:
 # https://www.elastic.co/guide/en/elasticsearch/reference/5.6/restart-upgrade.html
 - name: Disable shard allocation
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/_cluster/settings"
+  kolla_toolbox:
-    method: PUT
+    module_name: uri
-    status_code: 200
+    module_args:
-    return_content: yes
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/_cluster/settings"
-    body: {"transient": {"cluster.routing.allocation.enable": "none"}}
+      method: PUT
-    body_format: json
+      status_code: 200
+      return_content: yes
+      body: {"transient": {"cluster.routing.allocation.enable": "none"}}
+      body_format: json
   delegate_to: "{{ groups['elasticsearch'][0] }}"
   run_once: true
 
 - name: Perform a synced flush
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/_flush/synced"
+  kolla_toolbox:
-    method: POST
+    module_name: uri
-    status_code: 200
+    module_args:
-    return_content: yes
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/_flush/synced"
-    body_format: json
+      method: POST
+      status_code: 200
+      return_content: yes
+      body_format: json
   delegate_to: "{{ groups['elasticsearch'][0] }}"
   run_once: true
   retries: 10

ansible/roles/grafana/tasks/post_config.yml

@@ -1,8 +1,11 @@
 ---
 - name: Wait for grafana application ready
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ grafana_server_port }}/login"
+  kolla_toolbox:
-    status_code: 200
+    module_name: uri
+    module_args:
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ grafana_server_port }}/login"
+      status_code: 200
   register: result
   until: result.get('status') == 200
   retries: 30
@@ -10,15 +13,18 @@
   run_once: true
 
 - name: Enable grafana datasources
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ grafana_server_port }}/api/datasources"
+  kolla_toolbox:
-    method: POST
+    module_name: uri
-    user: "{{ grafana_admin_username }}"
+    module_args:
-    password: "{{ grafana_admin_password }}"
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ grafana_server_port }}/api/datasources"
-    body: "{{ item.value.data | to_json }}"
+      method: POST
-    body_format: json
+      user: "{{ grafana_admin_username }}"
-    force_basic_auth: yes
+      password: "{{ grafana_admin_password }}"
-    status_code: 200, 409
+      body: "{{ item.value.data | to_json }}"
+      body_format: json
+      force_basic_auth: yes
+      status_code: 200, 409
   register: response
   run_once: True
   changed_when: response.status == 200
@@ -28,13 +34,16 @@
   when: item.value.enabled | bool
 
 - name: Disable Getting Started panel
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ grafana_server_port }}/api/user/helpflags/1"
+  kolla_toolbox:
-    method: PUT
+    module_name: uri
-    user: "{{ grafana_admin_username }}"
+    module_args:
-    password: "{{ grafana_admin_password }}"
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ grafana_server_port }}/api/user/helpflags/1"
-    force_basic_auth: yes
+      method: PUT
-    status_code: 200
+      user: "{{ grafana_admin_username }}"
+      password: "{{ grafana_admin_password }}"
+      force_basic_auth: yes
+      status_code: 200
   register: grafana_response
   changed_when: grafana_response.status == 200
   run_once: true

ansible/roles/ironic/handlers/main.yml

@@ -35,8 +35,11 @@
 # TODO(mgoddard): remove this task when
 # https://storyboard.openstack.org/#!/story/2006393 has been fixed.
 - name: Wait for ironic-api to be accessible
-  uri:
+  become: true
-    url: "{{ ironic_internal_endpoint }}"
+  kolla_toolbox:
+    module_name: uri
+    module_args:
+      url: "{{ ironic_internal_endpoint }}"
   register: result
   until: result is success
   retries: 12

ansible/roles/kibana/tasks/post_config.yml

@@ -6,12 +6,15 @@
   run_once: true
 
 - name: Register the kibana index in elasticsearch
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana"
+  kolla_toolbox:
-    method: PUT
+    module_name: uri
-    body: "{{ kibana_default_index_options | to_json }}"
+    module_args:
-    body_format: json
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana"
-    status_code: 200, 201, 400
+      method: PUT
+      body: "{{ kibana_default_index_options | to_json }}"
+      body_format: json
+      status_code: 200, 201, 400
   register: result
   failed_when:
     # If the index already exists, Elasticsearch will respond with a 400 error.
@@ -21,9 +24,12 @@
   run_once: true
 
 - name: Wait for kibana to register in elasticsearch
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana"
+  kolla_toolbox:
-    status_code: 200
+    module_name: uri
+    module_args:
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana"
+      status_code: 200
   register: result
   until: result.status == 200
   retries: 20
@@ -31,21 +37,27 @@
   run_once: true
 
 - name: Change kibana config to set index as defaultIndex
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana/config/*"
+  kolla_toolbox:
-    method: PUT
+    module_name: uri
-    body:
+    module_args:
-      defaultIndex: "{{ kibana_default_index_pattern }}"
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana/config/*"
-    body_format: json
+      method: PUT
-    status_code: 200, 201
+      body:
+        defaultIndex: "{{ kibana_default_index_pattern }}"
+      body_format: json
+      status_code: 200, 201
   run_once: true
 
 - name: Get kibana default indexes
-  uri:
+  become: true
-    headers:
+  kolla_toolbox:
-      Content-Type: application/json
+    module_name: uri
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana"
+    module_args:
-    method: GET
+      headers:
+        Content-Type: application/json
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana"
+      method: GET
   register: kibana_default_indexes
   run_once: true
   when: kibana_default_index is defined
@@ -59,12 +71,15 @@
   connection: local
 
 - name: Add index pattern to kibana
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana/index-pattern/{{ kibana_default_index_pattern }}"  # noqa 204
+  kolla_toolbox:
-    method: PUT
+    module_name: uri
-    body: "{{ kibana_default_index | to_json }}"
+    module_args:
-    body_format: json
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ elasticsearch_port }}/.kibana/index-pattern/{{ kibana_default_index_pattern }}"
-    status_code: 201
+      method: PUT
+      body: "{{ kibana_default_index | to_json }}"
+      body_format: json
+      status_code: 201
   run_once: true
   when:
     - kibana_default_index is defined

ansible/roles/monasca/tasks/post_config.yml

@@ -1,8 +1,11 @@
 ---
 - name: Wait for Monasca Grafana to load
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/login"
+  kolla_toolbox:
-    status_code: 200
+    module_name: uri
+    module_args:
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/login"
+      status_code: 200
   register: result
   until: result.get('status') == 200
   retries: 10
@@ -14,52 +17,64 @@
     monasca_grafana_control_plane_org: "{{ monasca_control_plane_project }}@{{ default_project_domain_id }}"
 
 - name: List Monasca Grafana organisations
-  uri:
+  become: true
-    method: GET
+  kolla_toolbox:
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs"
+    module_name: uri
-    user: '{{ monasca_grafana_admin_username }}'
+    module_args:
-    password: '{{ monasca_grafana_admin_password }}'
+      method: GET
-    return_content: true
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs"
-    force_basic_auth: true
+      user: '{{ monasca_grafana_admin_username }}'
+      password: '{{ monasca_grafana_admin_password }}'
+      return_content: true
+      force_basic_auth: true
   run_once: True
   register: monasca_grafana_orgs
 
 - name: Create default control plane organisation if it doesn't exist
-  uri:
+  become: true
-    method: POST
+  kolla_toolbox:
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs"
+    module_name: uri
-    user: '{{ monasca_grafana_admin_username }}'
+    module_args:
-    password: '{{ monasca_grafana_admin_password }}'
+      method: POST
-    body_format: json
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs"
-    body:
+      user: '{{ monasca_grafana_admin_username }}'
-      name: '{{ monasca_grafana_control_plane_org }}'
+      password: '{{ monasca_grafana_admin_password }}'
-    force_basic_auth: true
+      body_format: json
+      body:
+        name: '{{ monasca_grafana_control_plane_org }}'
+      force_basic_auth: true
   run_once: True
   when: monasca_grafana_control_plane_org not in monasca_grafana_orgs.json|map(attribute='name')|unique
 
 - name: Lookup Monasca Grafana control plane organisation ID
-  uri:
+  become: true
-    method: GET
+  kolla_toolbox:
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs/name/{{ monasca_grafana_control_plane_org }}"
+    module_name: uri
-    user: '{{ monasca_grafana_admin_username }}'
+    module_args:
-    password: '{{ monasca_grafana_admin_password }}'
+      method: GET
-    return_content: true
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs/name/{{ monasca_grafana_control_plane_org }}"
-    force_basic_auth: true
+      user: '{{ monasca_grafana_admin_username }}'
+      password: '{{ monasca_grafana_admin_password }}'
+      return_content: true
+      force_basic_auth: true
   run_once: True
   register: monasca_grafana_conf_org
 
 - name: Add {{ monasca_grafana_admin_username }} user to control plane organisation
-  uri:
+  become: true
-    method: POST
+  kolla_toolbox:
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs/{{ monasca_grafana_conf_org.json.id }}/users"
+    module_name: uri
-    user: '{{ monasca_grafana_admin_username }}'
+    module_args:
-    password: '{{ monasca_grafana_admin_password }}'
+      method: POST
-    body:
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/orgs/{{ monasca_grafana_conf_org.json.id }}/users"
-      loginOrEmail: '{{ monasca_grafana_admin_username }}'
+      user: '{{ monasca_grafana_admin_username }}'
-      role: Admin
+      password: '{{ monasca_grafana_admin_password }}'
-    force_basic_auth: true
+      body:
-    body_format: json
+        loginOrEmail: '{{ monasca_grafana_admin_username }}'
-    status_code: 200, 409
+        role: Admin
+      force_basic_auth: true
+      body_format: json
+      status_code: 200, 409
   register: monasca_grafana_add_user_response
   run_once: True
   changed_when: monasca_grafana_add_user_response.status == 200
@@ -67,24 +82,30 @@
                monasca_grafana_add_user_response.status == 409 and ("User is already" not in  monasca_grafana_add_user_response.json.message|default(""))
 
 - name: Switch Monasca Grafana to the control plane organisation
-  uri:
+  become: true
-    method: POST
+  kolla_toolbox:
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/user/using/{{ monasca_grafana_conf_org.json.id }}"
+    module_name: uri
-    user: '{{ monasca_grafana_admin_username }}'
+    module_args:
-    password: '{{ monasca_grafana_admin_password }}'
+      method: POST
-    force_basic_auth: true
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/user/using/{{ monasca_grafana_conf_org.json.id }}"
+      user: '{{ monasca_grafana_admin_username }}'
+      password: '{{ monasca_grafana_admin_password }}'
+      force_basic_auth: true
   run_once: True
 
 - name: Enable Monasca Grafana datasource for control plane organisation
-  uri:
+  become: true
-    url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/datasources"
+  kolla_toolbox:
-    method: POST
+    module_name: uri
-    user: "{{ monasca_grafana_admin_username }}"
+    module_args:
-    password: "{{ monasca_grafana_admin_password }}"
+      url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | put_address_in_context('url') }}:{{ monasca_grafana_server_port }}/api/datasources"
-    body: "{{ item.value.data | to_json }}"
+      method: POST
-    body_format: json
+      user: "{{ monasca_grafana_admin_username }}"
-    force_basic_auth: true
+      password: "{{ monasca_grafana_admin_password }}"
-    status_code: 200, 409
+      body: "{{ item.value.data | to_json }}"
+      body_format: json
+      force_basic_auth: true
+      status_code: 200, 409
   register: monasca_grafana_datasource_response
   run_once: True
   changed_when: monasca_grafana_datasource_response.status == 200

releasenotes/notes/execute-rest-methods-inside-containers-ce2a1410dbdc71f3.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Delegate executing ansible uri REST methods to service containers using
+    kolla_toolbox. This will enable any certificates that are already copied
+    and extracted into the service container to be automatically validated.
+    This is particularly useful in the case that the certificate is either
+    self-signed or signed by a local (private) CA.