Add support to update keystone for bifrost

Adds the playbook steps required to add ironic to the keystone catalog, create a service account, create roles, and ultimately create a baremetal tenant with a user and baremetal_admin rights. Change-Id: I1a2e7229b24ebfe12b5b80f1a937baba2835ab1b
2016-09-30 12:21:29 +00:00 · 2016-09-30 12:21:29 +00:00 · 6ad5be7891
commit 6ad5be7891
parent a5c688a9ab
4 changed files with 299 additions and 0 deletions
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -144,3 +144,56 @@ bifrost_venv_env:
  VIRTUAL_ENV: "{{ bifrost_venv_dir }}"
  PATH: "{{ bifrost_venv_dir }}/bin:{{ ansible_env.PATH }}" # include regular path via lookup env
  pydoc: "python -m pydoc"
+
+# Authentication support
+# By default, bifrost was developed around being a toolkit
+# for noauth mode. Since we are introducing the concept of
+# authentication, we need to record the default for
+# conditional statements in the playbooks.
+noauth_mode: true
+
+# Keystone Support
+# Default parameter if keystone is enabled, or disabled.
+enable_keystone: false
+
+# NOTE: The keystone support in this role
+# expects the keystone.bootstrap variables to
+# either be loaded OR present from keystone
+# installation. The keystone settings below
+# should only be used if the role is utilized
+# independently of the keystone installation
+# role, such as leveraging a pre-existing
+# keystone installation.
+# WARNING: Using a pre-existing keystone has
+# not been tested.
+#
+#keystone:
+#  debug: true
+#  bootstrap:
+#    enabled: true
+#    username: admin
+#    password: ChangeThisPa55w0rd
+#    project_name: admin
+#    admin_url: "http://127.0.0.1:35357/v3/"
+#    public_url: "http://127.0.0.1:5000/v3/"
+#    internal_url: "http://127.0.0.1:5000/v3/"
+#    region_name: "RegionOne"
+#  message_queue:
+#    username: keystone
+#    password: ChangeThisPa55w0rd
+#    host: 127.0.0.1
+#  database:
+#    name: keystone
+#    username: keystone
+#    password: ChangeThisPa55w0rd
+#    host: 127.0.0.1
+
+ironic:
+  service_catalog:
+    username: "ironic"
+    password: "ChangeThisPa55w0rd"
+    auth_url: "http://127.0.0.1:5000/v3"
+    project_name: "service"
+  keystone:
+    default_username: "bifrost_user"
+    default_password: "ChangeThisPa55w0rd"
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -13,6 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
+- name: "Fail if authentication configuration conflicts."
+  fail:
+    msg: >
+      noauth_mode and enable_keystone are mutually exclusive options.
+      Please set one to "false".
+  when: >
+    noauth_mode | bool == true and enable_keystone is defined and
+    enable_keystone | bool == true
+
 - name: "Warn if deprecated variable nginx_port is set"
  debug:
    msg: >
@ -116,6 +125,11 @@
    owner: root
    group: root
  when: skip_install is not defined and enable_pxe_drivers | bool == true
+
+- name: "Populate keystone for Bifrost"
+  include: keystone_setup.yml
+  when: enable_keystone is defined and enable_keystone | bool == true
+
 - name: "Generate ironic Configuration"
  include: ironic_config.yml
 - name: "Copy policy.json to /etc/ironic"
--- a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml
@ -0,0 +1,224 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+# TODO(TheJulia): The user and project domains are hardcoded in this.
+# We should likely address that at some point, however I think a user
+# should be the driver of that work.
+
+- name: "Error if credentials are undefined."
+  fail:
+    msg: |
+        Credentials are missing or undefined, unable to proceed.
+        Please consult roled defaults/main.yml.
+  when: >
+      keystone is undefined or keystone.bootstrap is undefined or
+      keystone.bootstrap.username is undefined or
+      keystone.bootstrap.password is undefined or
+      keystone.bootstrap.project_name is undefined or
+      ironic.service_catalog.auth_url is undefined or
+      ironic.service_catalog.username is undefined or
+      ironic.service_catalog.password is undefined or
+      ironic.service_catalog.project_name is undefined or
+      ironic.keystone is undefined or
+      ironic.keystone.default_username is undefined or
+      ironic.keystone.default_password is undefined
+
+- name: "Ensure service project is present"
+  os_project:
+    name: "service"
+    state: present
+    description: "Service Project"
+    domain_id: default
+    enabled: yes
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}/"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create service user for ironic"
+  os_user:
+    name: "{{ ironic.service_catalog.username }}"
+    password: "{{ ironic.service_catalog.password }}"
+    state: present
+    domain: "default"
+    default_project: "{{ ironic.service_catalog.project_name }}"
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Associate ironic user to admin role"
+  os_user_role:
+    user: "{{ ironic.service_catalog.username }}"
+    role: admin
+    project: "{{ ironic.service_catalog.project_name }}"
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create keystone service record for ironic"
+  os_keystone_service:
+    state: present
+    name: ironic
+    service_type: baremetal
+    description: OpenStack Baremetal Service
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create ironic admin endpoint"
+  command: |
+    openstack
+    --os-identity-api-version 3
+    --os-username "{{ keystone.bootstrap.username }}"
+    --os-password "{{ keystone.bootstrap.password }}"
+    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    --os-project-name admin
+    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
+    baremetal admin "{{ ironic.keystone.admin_url | default('http://127.0.0.1:6385/') }}"
+
+- name: "Create ironic public endpoint"
+  command: |
+    openstack
+    --os-identity-api-version 3
+    --os-username "{{ keystone.bootstrap.username }}"
+    --os-password "{{ keystone.bootstrap.password }}"
+    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    --os-project-name admin
+    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
+    baremetal public "{{ ironic.keystone.public_url | default('http://127.0.0.1:6385/') }}"
+
+- name: "Create ironic internal endpoint"
+  command: |
+    openstack
+    --os-identity-api-version 3
+    --os-username "{{ keystone.bootstrap.username }}"
+    --os-password "{{ keystone.bootstrap.password }}"
+    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    --os-project-name admin
+    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
+    baremetal internal "{{ ironic.keystone.internal_url | default('http://127.0.0.1:6385/') }}"
+  no_log: true
+
+- name: "Create baremetal_admin role"
+  os_keystone_role:
+    name: "baremetal_admin"
+    state: present
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create baremetal_observer role"
+  os_keystone_role:
+    name: "baremetal_observer"
+    state: present
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create baremetal project"
+  os_project:
+    name: "baremetal"
+    state: present
+    description: "Baremetal Project"
+    domain_id: default
+    enabled: yes
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create bifrost user"
+  os_user:
+    name: "{{ ironic.keystone.default_username }}"
+    password: "{{ ironic.keystone.default_password }}"
+    default_project: "baremetal"
+    domain: "default"
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: admin
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Associate bifrost user with baremetal_admin"
+  os_user_role:
+    user: "{{ ironic.keystone.default_username }}"
+    role: "baremetal_admin"
+    project: baremetal
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: admin
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
--- a/releasenotes/notes/creation-of-ironic-user-5a970c5f73e8ef45.yaml
+++ b/releasenotes/notes/creation-of-ironic-user-5a970c5f73e8ef45.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - The functionality to create a service account
+    and default user account to bifrost has been added.
+    This is controlled by the ``enable_keystone`` parameter
+    as well a ``keystone`` and ``ironic`` data structure that
+    contains all required parameters.  Please consult the
+    bifrost-ironic-install/defaults/main.yml file for more details.