Update ironic.conf for swift and keystone compat

This change makes is intended to simplify the the ironic.conf file
so that we only carry what is needed. In the file we're setting the
swift configuration section when not in stand alone mode and the
keystone_auth section has been updated for the options that ironic
requires.

URI testing for ironic's rest API has been updated to run the tests
using a header for the authentication token. This is required now that
the keystone_auth section is filled in.

Co-Authored-By: Michael Davies <michael@the-davies.net>
Change-Id: Ic6bd466e6fa03c2382424666588c306bad473e99
Partially-implements: blueprint role-ironic
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -17,7 +17,6 @@
 
 # Verbosity Options
 debug: False
-verbose: True
 
 # These variables are used in 'developer mode' in order to allow the role
 # to build an environment directly from a git source without the presence
@@ -73,19 +72,35 @@ ironic_service_project_name: "service"
 ironic_service_project_domain_id: default
 ironic_service_user_domain_id: default
 ironic_service_role_name: "admin"
-
 ironic_service_in_ldap: False
 
+# Ironic image store information
+ironic_swift_image_container: glance_images
+ironic_swift_api_version: v1
+# The ironic swift auth account and swift endpoints will be generated using the
+#  known swift data as provided by swift stat. If you wish to set either of these
+#  items to something else define these variables.
+# ironic_swift_auth_account: AUTH_1234567890
+# ironic_swift_endpoint: https://localhost:8080
 
 # Is this Ironic installation working standalone?
 # If you're wanting Ironic to work without being integrated to other OpenStack
 # services, set this to True, and update the dhcp configuration appropriately
 ironic_standalone: False
 
+# Enables or disables automated cleaning. Automated cleaning
+# is a configurable set of steps, such as erasing disk drives,
+# that are performed on the node to ensure it is in a baseline
+# state and ready to be deployed to.
+ironic_automated_clean: false
+
 # Database
 ironic_galera_user: ironic
 ironic_galera_database: ironic
 
+## Keystone authentication middleware
+ironic_keystone_auth_plugin: password
+
 # Integrated Openstack configuration
 ironic_openstack_driver_list: agent_ipmitool
 ironic_openstack_auth_strategy: keystone
@@ -102,6 +117,11 @@ ironic_standalone_dhcp_provider: none
 ironic_standalone_sync_power_state_interval: -1
 ironic_standalone_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_galera_password }}@{{ ironic_galera_address }}/ironic"
 
+# Ironic db tuning
+ironic_db_max_overflow: 10
+ironic_db_max_pool_size: 120
+ironic_db_pool_timeout: 30
+
 # Common configuration
 ironic_node_name: ironic
 
@@ -114,6 +134,8 @@ ironic_bin: "{{ ironic_venv_bin }}"
 
 ironic_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/ironic.tgz
 
+ironic_tftp_server_address: "{{ ansible_ssh_host }}"
+
 ironic_requires_pip_packages:
   - virtualenv
   - virtualenv-tools
@@ -124,6 +146,7 @@ ironic_pip_packages:
   - PyMySQL
   - ironic
   - python-ironicclient
+  - python-swiftclient
 
 ironic_api_apt_packages:
   - apache2
@@ -164,7 +187,6 @@ ironic_wsgi_processes: "{{ (_ironic_wsgi_processes | int > 1) | ternary(_ironic_
 ironic_glance_auth_strategy: "{{ ironic_openstack_auth_strategy }}"
 
 # Neutron
-# neutron_service_adminurl:
 ironic_neutron_auth_strategy: "{{ ironic_openstack_auth_strategy }}"
 
 ### Config Overrides

tasks/ironic_post_install.yml

@@ -21,7 +21,9 @@
     ironic_dhcp_provider: "{{ ironic_standalone_dhcp_provider }}"
     ironic_sync_power_state_interval: "{{ ironic_standalone_sync_power_state_interval }}"
     ironic_db_connection_string: "{{ ironic_standalone_db_connection_string }}"
-  when: ironic_standalone
+  when: ironic_standalone | bool
+  tags:
+    - always
 
 - name: Setup ironic for integrated Openstack usage
   set_fact:
@@ -31,7 +33,9 @@
     ironic_dhcp_provider: "{{ ironic_openstack_dhcp_provider }}"
     ironic_sync_power_state_interval: "{{ ironic_openstack_sync_power_state_interval }}"
     ironic_db_connection_string: "{{ ironic_openstack_db_connection_string }}"
-  when: not ironic_standalone
+  when: not ironic_standalone | bool
+  tags:
+    - always
 
 - name: Get ironic command path
   command: which ironic
@@ -49,6 +53,72 @@
   tags:
     - ironic-command-bin
 
+- name: Post swift tempURL secret key
+  shell: |
+    . ~/openrc
+    {{ ironic_bin }}/swift \
+        --os-username "service:{{ glance_service_user_name }}" \
+        --os-password {{ glance_service_password }} \
+        --os-auth-url {{ keystone_service_internalurl }} \
+        --os-identity-api-version {{ keystone_service_internalurl.split('/v')[-1] }} \
+        post -m temp-url-key:{{ ironic_swift_temp_url_secret_key }}
+  when:
+    - inventory_hostname == groups['ironic_all'][0]
+    - not ironic_standalone | bool
+  tags:
+    - ironic-swift-auth
+    - always
+
+- name: Get swift account
+  shell: |
+    . ~/openrc
+    {{ ironic_bin }}/swift \
+        --os-username "service:{{ glance_service_user_name }}" \
+        --os-password {{ glance_service_password }} \
+        --os-auth-url {{ keystone_service_internalurl }} \
+        --os-identity-api-version {{ keystone_service_internalurl.split('/v')[-1] }} \
+        stat -v | awk '/StorageURL\:/ {print $2}'
+  register: swift_storage_url
+  when:
+    - (ironic_swift_auth_account is undefined) or (ironic_swift_endpoint is undefined)
+    - not ironic_standalone | bool
+  tags:
+    - ironic-swift-auth
+    - always
+
+- name: Validate swift output
+  fail:
+    msg: |
+      No StorageURL output found using the `swift stat` command and either
+      the ``ironic_swift_auth_account`` or ``ironic_swift_auth_account``
+      variables are undefined. Ensure swift is functional and/or define
+      those variables.
+  when:
+    - (ironic_swift_auth_account is undefined) and (ironic_swift_endpoint is undefined)
+    - not ironic_standalone | bool
+    - not swift_storage_url.stdout
+  tags:
+    - ironic-swift-auth
+    - always
+
+- name: Set the swift auth facts
+  set_fact:
+    ironic_swift_auth_account: "{{ swift_storage_url.stdout.split('/v1/')[-1] }}"
+  when:
+    - ironic_swift_auth_account is undefined
+    - not ironic_standalone | bool
+  tags:
+    - always
+
+- name: Set the swift endpoint facts
+  set_fact:
+    ironic_swift_endpoint: "{{ swift_storage_url.stdout.split('/v1/')[0] }}"
+  when:
+    - ironic_swift_endpoint is undefined
+    - not ironic_standalone | bool
+  tags:
+    - always
+
 - name: Generate ironic config
   config_template:
     src: "{{ item.src }}"

tasks/ironic_pre_install.yml

@@ -66,6 +66,7 @@
     - { path: "{{ ironic_system_home_folder }}/.ssh", mode: "0700" }
     - { path: "{{ ironic_system_home_folder }}/images" }
     - { path: "{{ ironic_system_home_folder }}/master_images" }
+    - { path: "{{ ironic_system_home_folder }}/cache/api", mode: "0700" }
     - { path: "/var/lock/ironic" }
     - { path: "/var/run/ironic" }
     - { path: "/var/www/cgi-bin", owner: root, group: root }

tests/test-rest-api.yml

@@ -7,14 +7,26 @@
     # needed by the functional test playbook below
     - name: Install httplib2 so we can use the uri module
       pip:
-        name: httplib2
+        name: "{{ item }}"
+      with_items:
+        - httplib2
+        - python-openstackclient
+    - name: Get auth token
+      shell: >
+        . /root/openrc && openstack token issue --format yaml | awk '/^id\:/ {print $2}'
+      register: get_keystone_token
+    - name: set token
+      set_fact:
+        keystone_token: "{{ get_keystone_token.stdout }}"
     - name: Check the ironic-api
       uri:
         url: "{{ ironic_service_publicuri }}"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
     - name: list chassis
       uri:
         url: "{{ ironic_service_publicuri }}/v1/chassis"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
         return_content: yes
       register: chassis_list
@@ -22,6 +34,7 @@
       assert: that="chassis_list.json.chassis == []"
     - name: list drivers
       uri:
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         url: "{{ ironic_service_publicuri }}/v1/drivers"
         status_code: 200
         return_content: yes
@@ -31,6 +44,7 @@
     - name: list nodes
       uri:
         url: "{{ ironic_service_publicuri }}/v1/nodes"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
         return_content: yes
       register: node_list
@@ -42,6 +56,7 @@
         method: POST
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         body_format: json
         body: "{\"name\": \"restnode\", \"driver\": \"agent_ipmitool\", \"driver_info\": {\"ipmi_address\": \"1.2.3.4\"}}"
         status_code: 201
@@ -58,15 +73,17 @@
         method: POST
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         body_format: json
         body: " {\"node_uuid\": \"{{ node_response.json.uuid }}\", \"address\": \"00:00:00:00:00:01\"}"
         status_code: 201
         return_content: yes
     - name: list ports
       uri:
+        url: "{{ ironic_service_publicuri }}/v1/ports"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
-        url: "{{ ironic_service_publicuri }}/v1/ports"
         body: " {\"node\": \"{{ node_response.json.uuid }}\"}"
         body_format: json
         return_content: yes
@@ -82,15 +99,17 @@
         method: POST
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         body_format: json
         body: " {\"node_uuid\": \"{{ node_response.json.uuid }}\", \"address\": \"00:00:00:00:00:02\"}"
         status_code: 201
         return_content: yes
     - name: list ports again
       uri:
+        url: "{{ ironic_service_publicuri }}/v1/ports"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
-        url: "{{ ironic_service_publicuri }}/v1/ports"
         body: " {\"node\": \"{{ node_response.json.uuid }}\"}"
         body_format: json
         return_content: yes
@@ -104,6 +123,7 @@
         url: "{{ ironic_service_publicuri }}/v1/nodes/restnode/validate"
         method: GET
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
         return_content: yes
       register: validate_node
@@ -123,6 +143,7 @@
           - "validate_node.json.raid.result == true"
     - name: update a node
       uri:
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         url: "{{ ironic_service_publicuri }}/v1/nodes/restnode"
         body: " [{\"path\": \"/name\", \"value\": \"renamednode\", \"op\": \"replace\"}]"
         method: PATCH
@@ -139,6 +160,7 @@
         method: DELETE
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 204
         return_content: yes
   vars_files:

tests/test-vars.yml

@@ -19,6 +19,7 @@ galera_root_user: root
 galera_root_password: "secrete"
 rabbitmq_servers: 10.100.100.101:5672
 rabbitmq_use_ssl: False
+rabbitmq_port: 5672
 memcached_servers: 127.0.0.1
 memcached_encryption_key: "secrete"
 keystone_venv_tag: "testing"
@@ -29,7 +30,7 @@ keystone_service_password: "secrete"
 keystone_galera_address: 10.100.100.101
 keystone_galera_database: keystone
 keystone_galera_user: keystone
-keystone_container_mysql_password: "SuperSecrete"
+keystone_container_mysql_password: "secrete"
 keystone_auth_admin_token: "SuperSecreteTestToken"
 keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
@@ -62,8 +63,20 @@ ironic_service_password: "secrete"
 ironic_galera_address: 10.100.100.101
 ironic_galera_database: ironic
 ironic_galera_user: ironic
-ironic_galera_password: "SuperSecrete"
+ironic_galera_password: "secrete"
 ironic_rabbitmq_password: "secrete"
 ironic_rabbitmq_userid: ironic
 ironic_rabbitmq_vhost: /ironic
 ironic_standalone: True
+ironic_swift_endpoint: "http://localhost:8080"
+ironic_swift_auth_account: "AUTH_1234567890"
+ironic_swift_temp_url_secret_key: secrete
+ironic_rabbitmq_userid: ironic
+ironic_rabbitmq_password: secrete
+ironic_rabbitmq_vhost: /ironic
+glance_api_servers: http://localhost:9292
+neutron_service_adminurl: http://localhost:9696
+neutron_service_region: RegionOne
+neutron_service_password: secrete
+neutron_service_project_name: ironic
+neutron_service_user_name: ironic