Merge "Dynamic roles: consolidate auth parameters in one place"

2020-08-07 13:17:22 +00:00 · 2020-08-07 13:17:22 +00:00 · 82dd2ea5cc
parent d11455ac33 d6f0551eee
commit 82dd2ea5cc
14 changed files with 170 additions and 152 deletions
--- a/playbooks/roles/bifrost-cloud-config/README.md
+++ b/playbooks/roles/bifrost-cloud-config/README.md
@ -0,0 +1,89 @@
+bifrost-cloud-config
+====================
+
+This role generate authentication parameters suitable for bare metal ansible
+modules. It is designed to be included from other roles and is of little use
+otherwise.
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+This role supports one variable:
+
+`noauth_mode`
+
+Whether bifrost has been installed in no-authentication mode.
+Defaults to `true`.
+
+This role sets several facts:
+
+`openstack`
+
+OpenStack configuration as returned by the `openstack.cloud.config`
+module. May be missing in no-auth mode.
+
+`openstack_cloud`
+
+The cloud to use for authentication. May be missing in no-auth mode.
+
+`auth`
+
+An object with authentication information. If the fact is already defined,
+it is only overridden in no-auth mode.
+
+`auth_type`
+
+Authentication plugin to use. If `auth` is already defined, it is only
+overridden in no-auth mode.
+
+`ironic_url`
+
+Ironic endpoint to use. If the fact is already defined, it is not overridden.
+
+Notes
+-----
+
+None
+
+Dependencies
+------------
+
+None at this time.
+
+Example Playbook
+----------------
+
+```
+- hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  roles:
+    - role: bifrost-cloud-config
+      noauth_mode: true
+```
+
+License
+-------
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Author Information
+------------------
+
+Ironic Developers
--- a/playbooks/roles/bifrost-cloud-config/defaults/main.yml
+++ b/playbooks/roles/bifrost-cloud-config/defaults/main.yml
@ -0,0 +1,2 @@
+---
+noauth_mode: true
--- a/playbooks/roles/bifrost-cloud-config/tasks/main.yml
+++ b/playbooks/roles/bifrost-cloud-config/tasks/main.yml
@ -0,0 +1,62 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+- name: "If in noauth mode, unset authentication parameters."
+  set_fact:
+    auth_type: None
+    auth: {}
+  when: noauth_mode | bool
+
+- name: "Execute openstack.cloud.config to collect facts"
+  openstack.cloud.config:
+  no_log: yes
+  # NOTE(dtantsur): Allow missing clouds.yaml only in no-auth mode
+  ignore_errors: "{{ noauth_mode | bool }}"
+
+- name: "Set openstack_cloud if possible"
+  set_fact:
+    # TODO(dtantsur): support looking up by cloud_name
+    openstack_cloud: "{{ openstack.clouds[0] }}"
+  when:
+    - openstack is defined
+    - openstack.clouds | length > 0
+  no_log: yes
+
+# NOTE(TheJulia): The first record returned by openstack.cloud.config
+# is utilized as the default. A user can still define the parameters
+# if so desired.
+- name: "Set openstack.cloud.config auth parameters if not already set."
+  set_fact:
+    auth: "{{ openstack_cloud.auth }}"
+    auth_type: "{{ openstack_cloud.auth_type }}"
+  when:
+    - auth is undefined
+    - openstack_cloud is defined
+  no_log: yes
+
+# FIXME(dtantsur): this should work by simply passing the cloud to ansible
+# modules, but it does not because of some issues there.
+- name: "Provide ironic_url if there is an endpoint override"
+  set_fact:
+    ironic_url: "{{ openstack_cloud.baremetal_endpoint_override }}"
+  when:
+    - ironic_url | default("") == ""
+    - openstack_cloud is defined
+    - openstack_cloud.baremetal_endpoint_override is defined
+
+- name: "Provide ironic_url for no-auth mode if there is no override"
+  set_fact:
+    ironic_url: "http://localhost:6385/"
+  when:
+    - ironic_url | default("") == ""
+    - noauth_mode | bool
--- a/playbooks/roles/bifrost-configdrives-dynamic/defaults/main.yml
+++ b/playbooks/roles/bifrost-configdrives-dynamic/defaults/main.yml
@ -19,9 +19,6 @@ ipv4_gateway: 192.168.1.1
 ipv4_nameserver: 8.8.8.8
 network_mtu: 1500

-# Default URL to Ironic
-ironic_url: "http://localhost:6385/"
-
 # Default ISO generation utility
 iso_gen_utility: "mkisofs"

--- a/playbooks/roles/bifrost-configdrives-dynamic/tasks/update_facts_from_ironic.yaml
+++ b/playbooks/roles/bifrost-configdrives-dynamic/tasks/update_facts_from_ironic.yaml
@ -12,26 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
- name: "If in noauth mode, set auth parameters accordingly."
-  set_fact:
-    auth_type: None
-    auth: {}
-  when: noauth_mode is defined and noauth_mode | bool == true
-
- name: "Execute openstack.cloud.config to collect facts"
-  openstack.cloud.config:
-  no_log: yes
-  when: noauth_mode is defined and noauth_mode | bool == false
-
-# NOTE(TheJulia): The first record returned by openstack.cloud.config
-# is utilized as the default. A user can still define the parameters
-# if so desired.
- name: "Set openstack.cloud.config auth parameters if not already set."
-  set_fact:
-    auth: "{{ openstack.clouds[0].auth }}"
-    auth_type: "{{ openstack.clouds[0].auth_type }}"
-  when: auth is undefined
-  no_log: yes
+- import_role:
+    name: bifrost-cloud-config

 # Note(TheJulia): This step allows us to collect things that
 # ironic knows, that we do not know potentially, such as an UUID
@ -39,8 +21,8 @@
 - name: "Collecting node facts"
  os_ironic_node_info:
    cloud: "{{ cloud_name | default(omit) }}"
-    auth_type: "{{ auth_type }}"
-    auth: "{{ auth }}"
+    auth_type: "{{ auth_type | default(omit) }}"
+    auth: "{{ auth | default(omit) }}"
    ironic_url: "{{ ironic_url | default(omit) }}"
    uuid: "{{ uuid | default() }}"
    name: "{{ name | default() }}"
--- a/playbooks/roles/bifrost-deploy-nodes-dynamic/defaults/main.yml
+++ b/playbooks/roles/bifrost-deploy-nodes-dynamic/defaults/main.yml
@ -1,6 +1,5 @@
 ---
 # defaults file for bifrost-deploy-nodes-dynamic
-ironic_url: "http://localhost:6385/"
 file_url_port: "8080"
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
@ -12,7 +11,6 @@ inventory_dhcp: false
 inventory_dhcp_static_ip: true
 inventory_dns: false
 deploy_url_protocol: "http"
-noauth_mode: true

 # Under normal circumstances, the os_ironic_node module does not wait for
 # the node to reach active state before continuing with the deployment
--- a/playbooks/roles/bifrost-deploy-nodes-dynamic/tasks/main.yml
+++ b/playbooks/roles/bifrost-deploy-nodes-dynamic/tasks/main.yml
@ -21,26 +21,8 @@
  setup:
    gather_timeout: "{{ fact_gather_timeout }}"

- name: "If in noauth mode, unset authentication parameters."
-  set_fact:
-    auth_type: None
-    auth: {}
-  when: noauth_mode is defined and noauth_mode | bool == true
-
- name: "Execute openstack.cloud.config to collect facts"
-  openstack.cloud.config:
-  no_log: yes
-  when: noauth_mode is defined and noauth_mode | bool == false
-
-# NOTE(TheJulia): The first record returned by openstack.cloud.config
-# is utilized as the default. A user can still define the parameters
-# if so desired.
- name: "Set openstack.cloud.config auth parameters if not already set."
-  set_fact:
-    auth: "{{ openstack.clouds[0].auth }}"
-    auth_type: "{{ openstack.clouds[0].auth_type }}"
-  when: auth is undefined
-  no_log: yes
+- import_role:
+    name: bifrost-cloud-config

 - name: "Setup DHCP for nodes."
  template:
@ -71,9 +53,10 @@

 - name: "Deploy to hardware - Using custom instance_info."
  openstack.cloud.baremetal_node_action:
+    cloud: "{{ cloud_name | default(omit) }}"
    auth_type: "{{ auth_type | default(omit) }}"
    auth: "{{ auth | default(omit) }}"
-    ironic_url: "{{ ironic_url }}"
+    ironic_url: "{{ ironic_url | default(omit) }}"
    uuid: "{{ uuid }}"
    state: present
    config_drive: "{{ deploy_url_protocol }}://{{ internal_ip }}:{{ file_url_port }}/configdrive-{{ uuid }}.iso.gz"
--- a/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml
+++ b/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml
@ -1,5 +1,4 @@
 ---
-ironic_url: "http://localhost:6385/"
 noauth_mode: true
 wait_for_node_undeploy: false

--- a/playbooks/roles/bifrost-unprovision-node-dynamic/tasks/main.yml
+++ b/playbooks/roles/bifrost-unprovision-node-dynamic/tasks/main.yml
@ -12,26 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
- name: "If in noauth mode, unset authentication parameters."
-  set_fact:
-    auth_type: None
-    auth: {}
-  when: noauth_mode is defined and noauth_mode | bool == true
-
- name: "Execute openstack.cloud.config to collect facts"
-  openstack.cloud.config:
-  no_log: yes
-
-# NOTE(TheJulia): The first record returned by openstack.cloud.config
-# is utilized as the default. A user can still define the parameters
-# if so desired.
- name: "Set openstack.cloud.config auth parameters if not already set."
-  set_fact:
-    auth: "{{ openstack.clouds[0].auth }}"
-    auth_type: "{{ openstack.clouds[0].auth_type }}"
-  when: auth is undefined
-  no_log: yes
-  when: noauth_mode is defined and noauth_mode | bool == false
+- import_role:
+    name: bifrost-cloud-config

 - name: "Unprovision node"
  openstack.cloud.baremetal_node_action:
--- a/playbooks/roles/ironic-delete-dynamic/defaults/main.yml
+++ b/playbooks/roles/ironic-delete-dynamic/defaults/main.yml
@ -1,7 +1,4 @@
 ---
-ironic_url: "http://localhost:6385/"
-noauth_mode: true
-
 # Ensure that Ansible is using python interpreter and dependencies inside the bifrost virtual environment
 enable_venv: true
 bifrost_venv_dir: "{{ lookup('env', 'VENV') or '/opt/stack/bifrost' }}"
--- a/playbooks/roles/ironic-delete-dynamic/tasks/main.yml
+++ b/playbooks/roles/ironic-delete-dynamic/tasks/main.yml
@ -12,26 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
- name: "If in noauth mode, unset authentication parameters."
-  set_fact:
-    auth_type: None
-    auth: {}
-  when: noauth_mode is defined and noauth_mode | bool == true
-
- name: "Execute openstack.cloud.config to collect facts"
-  openstack.cloud.config:
-  no_log: yes
-  when: noauth_mode is defined and noauth_mode | bool == false
-
-# NOTE(TheJulia): The first record returned by openstack.cloud.config
-# is utilized as the default. A user can still define the parameters
-# if so desired.
- name: "Set openstack.cloud.config auth parameters if not already set."
-  set_fact:
-    auth: "{{ openstack.clouds[0].auth }}"
-    auth_type: "{{ openstack.clouds[0].auth_type }}"
-  when: auth is undefined
-  no_log: yes
+- import_role:
+    name: bifrost-cloud-config

 - name: "Delete hardware"
  openstack.cloud.baremetal_node:
--- a/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
+++ b/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
@ -1,5 +1,4 @@
 ---
-ironic_url: "http://localhost:6385/"
 file_url_port: "8080"
 # Default network interface that bifrost will be attached to.
 network_interface: "virbr0"
@ -14,8 +13,6 @@ ipa_file_protocol: "http"
 ipa_kernel_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + network_interface | replace('-', '_')]['ipv4']['address'] }}:{{file_url_port}}/ipa.kernel"
 ipa_ramdisk_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + network_interface | replace('-', '_')]['ipv4']['address'] }}:{{file_url_port}}/ipa.initramfs"

-noauth_mode: true
-
 # Timeout for gathering facts.
 fact_gather_timeout: "{{ lookup('config', 'DEFAULT_GATHER_TIMEOUT', on_missing='skip') | default(omit, true) }}"

--- a/playbooks/roles/ironic-enroll-dynamic/tasks/main.yml
+++ b/playbooks/roles/ironic-enroll-dynamic/tasks/main.yml
@ -16,26 +16,8 @@
  setup:
    gather_timeout: "{{ fact_gather_timeout }}"

- name: "If in noauth mode, unset authentication parameters."
-  set_fact:
-    auth_type: None
-    auth: {}
-  when: noauth_mode is defined and noauth_mode | bool == true
-
- name: "Execute openstack.cloud.config to collect facts"
-  openstack.cloud.config:
-  no_log: yes
-  when: noauth_mode is defined and noauth_mode | bool == false
-
-# NOTE(TheJulia): The first record returned by openstack.cloud.config
-# is utilized as the default. A user can still define the parameters
-# if so desired.
- name: "Set openstack.cloud.config auth parameters if not already set."
-  set_fact:
-    auth: "{{ openstack.clouds[0].auth }}"
-    auth_type: "{{ openstack.clouds[0].auth_type }}"
-  when: auth is undefined
-  no_log: yes
+- import_role:
+    name: bifrost-cloud-config

 - name: "Dynamic enrollment"
  openstack.cloud.baremetal_node:
--- a/playbooks/roles/ironic-inspect-node/tasks/main.yml
+++ b/playbooks/roles/ironic-inspect-node/tasks/main.yml
@ -16,26 +16,8 @@
  setup:
    gather_timeout: "{{ fact_gather_timeout }}"

- name: "If in noauth mode, unset authentication parameters."
-  set_fact:
-    auth_type: None
-    auth: {}
-  when: noauth_mode is defined and noauth_mode | bool == true
-
- name: "Execute openstack.cloud.config to collect facts"
-  openstack.cloud.config:
-  no_log: yes
-  when: noauth_mode is defined and noauth_mode | bool == false
-
-# NOTE(TheJulia): The first record returned by openstack.cloud.config
-# is utilized as the default. A user can still define the parameters
-# if so desired.
- name: "Set openstack.cloud.config auth parameters if not already set."
-  set_fact:
-    auth: "{{ openstack.clouds[0].auth }}"
-    auth_type: "{{ openstack.clouds[0].auth_type }}"
-  when: auth is undefined
-  no_log: yes
+- import_role:
+    name: bifrost-cloud-config

 - name: "Setup DHCP for nodes."
  template:
@ -62,7 +44,7 @@
  become: yes
  when: (inventory_dhcp | bool == true) or (inventory_dns | bool == true)

- name: "Execute node introspection - noauth_mode"
+- name: "Execute node introspection"
  openstack.cloud.baremetal_inspect:
    cloud: "{{ cloud_name | default(omit) }}"
    auth_type: "{{ auth_type | default(omit) }}"
@ -71,19 +53,3 @@
    uuid: "{{ uuid | default('') }}"
    name: "{{ name | default('') }}"
    timeout: "{{ inspection_wait_timeout }}"
-  when: noauth_mode is not defined or noauth_mode | bool == True
-
-# NOTE(TheJulia): Some behavior appears to have changed in ansible at
-# some point where arguments are passed that are part of the spec for,
-# which raises a bug in the inspection module where auth_type must be
-# defined, as it is otherwise always sent as a null value.
- name: "Execute node introspection"
-  openstack.cloud.baremetal_inspect:
-    cloud: "{{ cloud_name | default(omit) }}"
-    auth_type: "{{ auth_type | default('password') }}"
-    auth: "{{ auth | default(omit) }}"
-    ironic_url: "{{ ironic_url | default(omit) }}"
-    uuid: "{{ uuid | default('') }}"
-    name: "{{ name | default('') }}"
-    timeout: "{{ inspection_wait_timeout }}"
-  when: noauth_mode is defined and noauth_mode | bool == False