Extra var ironic_enable_keystone_integration added.

Basically, there are three main installation scenario: Scenario 1: Ironic installation together with other openstack services including keystone. In this case variable enable_keystone is set to true and keystone service will be installed together with ironic installation. It is possible realise this scenario, no fix needed Scenario 2: Ironic installation with connection to already installed keystone. In this scenario we have to set enable_keystone to “No” to prevent from new keystone service installation during the ironic installation process. But in other hand, we need to have correct sections in ironic.conf to provide all information needed to connect to existing keystone. But all sections for keystone are added to ironic.conf only if enable_keystone var is set to “Yes”. It isn’t possible to realise this scenario. Proposed fix provide support for this scenario, where multiple regions share the same keystone service. Scenario 3: No keystone integration. Ironic don't connect to Keystone. It is possible realise this scenario, no fix needed Proposed solution also keep the default behaviour: if no enable_keystone_integration is manually defined by default it takes value of enable_keystone variable and all behaviour is the same. But if we don't want to install keystone and want to connect to existing one at the same time, it will be possible to set enable_keystone var to “No” (preventing keystone from installation) and at the same time set ironic_enable_keystone_integration to Yes to allow needed section appear in ironic.conf through templating. Change-Id: I0c7e9a28876a1d4278fb2ed8555c2b08472864b9
2021-05-29 22:17:20 +03:00 · 2021-05-29 22:17:20 +03:00 · da4fd2d6a2
commit da4fd2d6a2
parent 81a0bb8331
4 changed files with 34 additions and 4 deletions
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@ -288,6 +288,7 @@ ironic_enabled_notification_topics: "{{ ironic_notification_topics | selectattr(
 ####################
 # Keystone
 ####################
+ironic_enable_keystone_integration: "{{ enable_keystone | bool }}"
 ironic_ks_services:
  - name: "ironic"
    type: "baremetal"
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@ -6,7 +6,7 @@
 # suppressed by the deployer by setting a value for the option.

 [DEFAULT]
-{% if not enable_keystone | bool %}
+{% if not ironic_enable_keystone_integration | bool %}
 auth_strategy = noauth
 {% endif %}
 debug = {{ ironic_logging_debug }}
@ -52,7 +52,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1

-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
@ -143,7 +143,7 @@ cafile = {{ openstack_cacert }}
 {% endif %}

 [inspector]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
@ -160,7 +160,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% endif %}

 [service_catalog]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
--- a/doc/source/reference/bare-metal/ironic-guide.rst
+++ b/doc/source/reference/bare-metal/ironic-guide.rst
@ -106,6 +106,28 @@ enabled_boot_interfaces`` option in ``/etc/kolla/config/ironic.conf``:
   [DEFAULT]
   enabled_boot_interfaces = ipxe

+Attach ironic to external keystone (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In :kolla-ansible-doc:`multi-regional <user/multi-regions.html>` deployment
+keystone could be installed in one region (let's say region 1) and ironic -
+in another region (let's say region 2). In this case we don't install keystone
+together with ironic in region 2, but have to configure ironic to connect to
+existing keystone in region 1. To deploy ironic in this way we have to set
+variable ``enable_keystone`` to ``"no"``.
+
+.. code-block:: yaml
+
+    enable_keystone: "no"
+
+It will prevent keystone from being installed in region 2.
+
+To add keystone-related sections in ironic.conf, it is also needed to set
+variable ``ironic_enable_keystone_integration`` to ``"yes"``
+
+.. code-block:: yaml
+
+    ironic_enable_keystone_integration: "yes"
+
 Deployment
 ~~~~~~~~~~
 Run the deploy as usual:
--- a/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
+++ b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    New variable ``ironic_enable_keystone_integration`` was added.
+    It helps to add keystone connection information into
+    ``ironic.conf`` if we want to connect to existing keystone
+    (not installing it at the same time).