Role support for authentication

Bifrost was built around utilizing noauth authenticaiton mode.
However the roles can easilly be re-utilized by users consuming
only part of bifrost, or that are wishing to utilize the roles as
examples to create their own playbooks.

To allow re-consumption of roles interacting with ironic, addition
of logic to allow for os-client-config to be utilized for module
authentication

Change-Id: I072791613cdf99723c567d24dbd3aee935e2e068
Implements: blueprint bifrost-role-auth-support

playbooks/releasenotes/notes/bifrost-role-auth-support-ea6b5571cd339aa2.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - Allows to choose to leverage authenticaiton with roles that
+    interact with ironic services via ansible modules. This is
+    limited to sessions that obtain authentication information
+    via os-client-config. The role defaults ultimately remain
+    unchanged and default to noauth mode.  More information on
+    os-client-config can be found at:
+    http://docs.openstack.org/developer/os-client-config/
+issues:
+  - Users wishing to utilize authentication without leveraging
+    os-client-config, will need to manually update the playbooks
+    in order to set the appropriate module settings.

playbooks/roles/bifrost-deploy-nodes-dynamic/README.md

@@ -60,6 +60,14 @@ inventory_dhcp: A boolean value, defaulted to false, which causes the role
                 to update a template file and reload dhsmasq upon each update
                 in order to perform static dhcp assignments utilizing the
                 ipv4_address parameter.
+
+noauth_mode: Controls if the module is called in noauth mode.
+             By default, this is the standard mode of operation,
+             however if set to false, the role utilizes os_client_config
+             which expects a clouds.yml file.  More information about
+             this file format can be found at:
+             http://docs.openstack.org/developer/os-client-config/
+
 Dependencies
 ------------
 

playbooks/roles/bifrost-deploy-nodes-dynamic/defaults/main.yml

@@ -8,5 +8,5 @@ http_boot_folder: "/httpboot"
 deploy_image_filename: "deployment_image.qcow2"
 deploy_image: "{{http_boot_folder}}/{{deploy_image_filename}}"
 inventory_dhcp: false
-
 deploy_url_protocol: "http"
+noauth_mode: true

playbooks/roles/bifrost-deploy-nodes-dynamic/tasks/main.yml

@@ -17,6 +17,11 @@
 # the pass-through could mean that the user could deploy
 # things that are not directly accessible or reasonable
 # to be inspected.
+- name: "If in noauth mode, set Auth parameters to None"
+  set_fact:
+    auth_type: None
+    auth: None
+  when: noauth_mode | bool == true
 - name: "Setup DHCP for nodes."
   template: src=dhcp-host.j2 dest=/etc/dnsmasq.d/bifrost.dhcp-hosts.d/{{ inventory_hostname }}  owner=root group=root mode=0644
   delegate_to: localhost
@@ -28,10 +33,10 @@
   command: killall -HUP dnsmasq
   become: yes
   when: inventory_dhcp | bool
-- name: "Deploy to hardware - Using custom instance_info."
+- name: "Deploy to hardware - Using custom instance_info"
   os_ironic_node:
-    auth_type: None
+    auth_type: "{{ auth_type | default(omit) }}"
-    auth: None
+    auth: "{{ auth | default(omit) }}"
     ironic_url: "{{ ironic_url }}"
     uuid: "{{ uuid }}"
     state: present
@@ -48,8 +53,8 @@
   when: instance_info is not defined and test_deploy_image.stat.exists | bool == false
 - name: "Deploy to hardware - bifrost default"
   os_ironic_node:
-    auth_type: None
+    auth_type: "{{ auth_type | default(omit) }}"
-    auth: None
+    auth: "{{ auth | default(omit) }}"
     ironic_url: "{{ ironic_url }}"
     uuid: "{{ uuid }}"
     state: present

playbooks/roles/bifrost-unprovision-node-dynamic/README.md

@@ -19,6 +19,13 @@ uuid: The UUID value for the node, at the host level.
 ironic_url: The setting defining the URL to the Ironic API.  Presently
             defaulted to: "http://localhost:6385/"
 
+noauth_mode: Controls if the module is called in noauth mode.
+             By default, this is the standard mode of operation,
+             however if set to false, the role utilizes os_client_config
+             which expects a clouds.yml file.  More information about
+             this file format can be found at:
+             http://docs.openstack.org/developer/os-client-config/
+
 Dependencies
 ------------
 

playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 ironic_url: "http://localhost:6385/"
+noauth_mode: true

playbooks/roles/bifrost-unprovision-node-dynamic/tasks/main.yml

@@ -12,10 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: "Unprovision node"
+- name: "If in noauth mode, set Auth parameters to None"
-  os_ironic_node:
+  set_fact:
     auth_type: None
     auth: None
+  when: noauth_mode | bool == true
+- name: "Unprovision node"
+  os_ironic_node:
+    auth_type: "{{ auth_type | default(omit) }}"
+    auth: "{{ auth | default(omit) }}"
     ironic_url: "{{ ironic_url }}"
     uuid: "{{ uuid | default() }}"
     name: "{{ name | default() }}"

playbooks/roles/ironic-delete-dynamic/README.md

@@ -24,6 +24,13 @@ nics: A list of dictionary key-value pairs in the format of a key value
 
   [{'mac':'01:02:03:04:05:06'},{'mac':'01:02:03:04:05:07'}]
 
+noauth_mode: Controls if the module is called in noauth mode.
+             By default, this is the standard mode of operation,
+             however if set to false, the role utilizes os_client_config
+             which expects a clouds.yml file.  More information about
+             this file format can be found at:
+             http://docs.openstack.org/developer/os-client-config/
+
 Dependencies
 ------------
 

playbooks/roles/ironic-delete-dynamic/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 ironic_url: "http://localhost:6385/"
+noauth_mode: true

playbooks/roles/ironic-delete-dynamic/tasks/main.yml

@@ -12,10 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: "Delete hardware"
+- name: "If in noauth mode, set Auth parameters to None"
-  os_ironic:
+  set_fact:
     auth_type: None
     auth: None
+  when: noauth_mode | bool == true
+- name: "Delete hardware"
+  os_ironic:
+    auth_type: "{{ auth_type | default(omit) }}"
+    auth: "{{ auth | default(omit) }}"
     ironic_url: "{{ ironic_url }}"
     driver: ""
     uuid: "{{ uuid | default() }}"

playbooks/roles/ironic-enroll-dynamic/README.md

@@ -33,6 +33,13 @@ ipa_file_protocol: The protocol to utilize to access IPA files. The default is
                    Do note, that a user wishing to utilize HTTPS may wish to
                    review the iPXE documentation: http://ipxe.org/crypto
 
+noauth_mode: Controls if the module is called in noauth mode.
+             By default, this is the standard mode of operation,
+             however if set to false, the role utilizes os_client_config
+             which expects a clouds.yml file.  More information about
+             this file format can be found at:
+             http://docs.openstack.org/developer/os-client-config/
+
 This role expects a data structure similar to the one below, however it should
 be understood that the individual entries under power can vary based on power
 driver required.

playbooks/roles/ironic-enroll-dynamic/defaults/main.yml

@@ -15,3 +15,5 @@ ipa_file_protocol: "http"
 
 ipa_kernel_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
 ipa_ramdisk_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
+
+noauth_mode: true

playbooks/roles/ironic-enroll-dynamic/tasks/main.yml

@@ -12,10 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: "Dynamic enrollment"
+- name: "If in noauth mode, set Auth parameters to None"
-  os_ironic:
+  set_fact:
     auth_type: None
     auth: None
+  when: noauth_mode | bool == true
+- name: "Dynamic enrollment"
+  os_ironic:
+    auth_type: "{{ auth_type | default(omit) }}"
+    auth: "{{ auth | default(omit) }}"
     ironic_url: "{{ ironic_url }}"
     driver: "{{ driver }}"
     uuid: "{{ uuid | default() }}"

playbooks/roles/ironic-inspect-node/README.md

@@ -18,6 +18,13 @@ uuid: The UUID of the node to invoke ironic node introspection upon.
 name: A node name to invoke inspection upon.  This variable is not
       required if the node uuid value is supplied.
 
+noauth_mode: Controls if the module is called in noauth mode.
+             By default, this is the standard mode of operation,
+             however if set to false, the role utilizes os_client_config
+             which expects a clouds.yml file.  More information about
+             this file format can be found at:
+             http://docs.openstack.org/developer/os-client-config/
+
 Dependencies
 ------------
 

playbooks/roles/ironic-inspect-node/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 # defaults file for ironic-inspect-node
+noauth_mode: true

playbooks/roles/ironic-inspect-node/tasks/main.yml

@@ -12,10 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: "Execute node introspection"
+- name: "If in noauth mode, set Auth parameters to None"
-  os_ironic_inspect:
+  set_fact:
     auth_type: None
     auth: None
+  when: noauth_mode | bool == true
+- name: "Execute node introspection - NoAuth Mode"
+  os_ironic_inspect:
+    auth_type: "{{ auth_type | default(omit) }}"
+    auth: "{{ auth | default(omit) }}"
     ironic_url: "{{ ironic_url }}"
     uuid: "{{ uuid }}"
   delegate_to: localhost