Adding keystone support to inspector config

Additional support to configure keystone with credentials for
inspector and template updates to allow the configuration of
keystone settings related to inspector.

Change-Id: Idef26c86bdc827b8edbc9e0412ec9067a25f52b6

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -116,9 +116,15 @@ inventory_dns: False
 # Settings to enable the use of inspector
 enable_inspector: true
 inspector_auth: "noauth"
+# Deprecated: inspector_auth will be removed in Pike, and is
+# overriden when enable_keystone is set to true.
+#inspector_auth: "noauth"
 inspector_debug: true
 inspector_manage_firewall: false
+
+# Deprecated: ironic_auth_strategy will be removed in Pike.
 ironic_auth_strategy: "noauth"
+
 inspector_data_dir: "/opt/stack/ironic-inspector/var"
 inspector_store_ramdisk_logs: true
 # Note: inspector_port_addition has three valid values: all, active, pxe
@@ -204,8 +210,19 @@ ironic:
     default_username: "bifrost_user"
     default_password: "ChangeThisPa55w0rd"
 
-
+ironic_inspector:
-# TODO(TheJulia): Thinking outloud, I think we ought to head in
+  service_catalog:
-# the direction of identifying the address of the conductor host
+    username: "ironic_inspector"
+    password: "ChangeThisPa55w0rd"
+    auth_url: "http://127.0.0.1:5000/v3"
+    project_name: "service"
+  keystone:
+    default_username: "inspector_user"
+    default_password: "ChangeThisPa55w0rd"
+#    public_url: "http://127.0.0.1:5050/"
+#    private_url: "http://127.0.0.1:5050/"
+#    internal_url: "http://127.0.0.1:5050/"
+# TODO(TheJulia): Thinking outloud, I we ought to head in the
+# direction of identifying the address of the conductor host
 # in a more uniform fashion. What that is exactly, is TBD.
 my_ip_address: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}"

playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml

@@ -36,6 +36,11 @@
     group=ironic
     mode=0755
     state=directory
+
+- name: "Populate keystone for ironic-inspector "
+  include: keystone_setup_inspector.yml
+  when: enable_keystone is defined and enable_keystone | bool == true
+
 - name: "Inspector - Place Configuration"
   template:
     src=ironic-inspector.conf.j2

playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml

@@ -0,0 +1,160 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+# TODO(TheJulia): The user and project domains are hardcoded in this.
+# We should likely address that at some point, however I think a user
+# should be the driver of that work.
+
+- name: "Error if credentials are undefined."
+  fail:
+    msg: |
+        Credentials are missing or undefined, unable to proceed.
+        Please consult roled defaults/main.yml.
+  when: >
+      keystone is undefined or keystone.bootstrap is undefined or
+      keystone.bootstrap.username is undefined or
+      keystone.bootstrap.password is undefined or
+      keystone.bootstrap.project_name is undefined or
+      ironic_inspector.service_catalog.auth_url is undefined or
+      ironic_inspector.service_catalog.username is undefined or
+      ironic_inspector.service_catalog.password is undefined or
+      ironic_inspector.keystone is undefined or
+      ironic_inspector.keystone.default_username is undefined or
+      ironic_inspector.keystone.default_password is undefined
+
+- name: "Create service user for ironic-inspector"
+  os_user:
+    name: "{{ ironic_inspector.service_catalog.username }}"
+    password: "{{ ironic_inspector.service_catalog.password }}"
+    state: present
+    domain: "default"
+    default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Associate ironic_inspector user to admin role"
+  os_user_role:
+    user: "{{ ironic_inspector.service_catalog.username }}"
+    role: admin
+    project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
+    auth:
+      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create keystone service record for ironic-inspector"
+  os_keystone_service:
+    state: present
+    name: ironic-inspector
+    service_type: baremetal-introspection
+    description: OpenStack Baremetal Introspection Service
+    auth:
+      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: "admin"
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Create ironic-inspector admin endpoint"
+  command: |
+    openstack
+    --os-identity-api-version 3
+    --os-username "{{ keystone.bootstrap.username }}"
+    --os-password "{{ keystone.bootstrap.password }}"
+    --os-auth-url "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    --os-project-name admin
+    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
+    baremetal admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}"
+
+# NOTE(TheJulia): This seems like something that should be
+# to admin or internal interfaces. Perhaps we should attempt
+# remove it after we have a working keystone integrated CI job.
+- name: "Create ironic-inspector public endpoint"
+  command: |
+    openstack
+    --os-identity-api-version 3
+    --os-username "{{ keystone.bootstrap.username }}"
+    --os-password "{{ keystone.bootstrap.password }}"
+    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    --os-project-name admin
+    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
+    baremetal public "{{ ironic_inspector.keystone.public_url | default('http://127.0.0.1:5050/') }}"
+
+- name: "Create ironic-inspector internal endpoint"
+  command: |
+    openstack
+    --os-identity-api-version 3
+    --os-username "{{ keystone.bootstrap.username }}"
+    --os-password "{{ keystone.bootstrap.password }}"
+    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    --os-project-name admin
+    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
+    baremetal internal "{{ ironic_inspector.keystone.internal_url | default('http://127.0.0.1:5050/') }}"
+  no_log: true
+
+- name: "Create inspector_user user"
+  os_user:
+    name: "{{ ironic_inspector.keystone.default_username }}"
+    password: "{{ ironic_inspector.keystone.default_password }}"
+    default_project: "baremetal"
+    domain: "default"
+    auth:
+      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: admin
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true
+
+- name: "Associate inspector_user with baremetal_admin"
+  os_user_role:
+    user: "{{ ironic_inspector.keystone.default_username }}"
+    role: "baremetal_admin"
+    project: baremetal
+    auth:
+      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+      username: "{{ keystone.bootstrap.username }}"
+      password: "{{ keystone.bootstrap.password }}"
+      project_name: admin
+      project_domain_id: "default"
+      user_domain_id: "default"
+    wait: yes
+  environment:
+    OS_IDENTITY_API_VERSION: "3"
+  no_log: true

playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2

@@ -4,17 +4,46 @@
 # http://git.openstack.org/cgit/openstack/ironic-inspector/tree/example.conf
 #}
 [DEFAULT]
-auth_strategy = {{ inspector_auth }}
+{% if enable_keystone is defined and enable_keystone | bool == true %}
+auth_strategy = keystone
+{% else %}
+auth_strategy = {{ inspector_auth | default('noauth') }}
+{% endif %}
 debug = {{ inspector_debug | bool }}
 
 [database]
 connection=mysql+pymysql://inspector:{{ ironic_db_password }}@localhost/inspector?charset=utf8
 
 [firewall]
-manage_firewall = {{ inspector_manage_firewall | bool }}
+manage_firewall = {{ inspector_manage_firewall | bool | default('false') }}
 
 [ironic]
-auth_strategy = {{ ironic_auth_strategy }}
+{% if enable_keystone is defined and enable_keystone | bool == true %}
+os_region = {{ keystone.bootstrap.region_name | default('RegionOne') }}
+project_name = baremetal
+username = {{ ironic_inspector.keystone.default_username }}
+password = {{ ironic_inspector.keystone.default_password }}
+auth_url = {{ ironic_inspector.service_catalog.auth_url }}
+auth_type = password
+auth_strategy = keystone
+user_domain_id = default
+project_domain_id = default
+
+{% else %}
+auth_strategy = {{ ironic_auth_strategy | default('noauth') }}
+{% endif %}
+
+{% if enable_keystone is defined and enable_keystone | bool == true %}
+[keystone_authtoken]
+auth_plugin = password
+auth_url = {{ ironic_inspector.service_catalog.auth_url }}
+username = {{ ironic_inspector.service_catalog.username }}
+password = {{ ironic_inspector.service_catalog.password }}
+user_domain_id = default
+project_name = service
+project_domain_id = default
+
+{% endif %}
 {#
 # Note(TheJulia) preserving ironic_url in the configuration
 # in case future changes allow breaking of the deployment across

releasenotes/notes/inspector-keystone-support-3786a22b49e851e5.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - Functionality to configure the ironic-inspector to
+    utilize keystone, utilizing the base ``enable_keystone``
+    boolean parameter.
+deprecations:
+  - The ``ironic_auth_strategy`` setting is deprecated and will
+    be removed in Pike. The setting has no effect if the
+    ``enable_keystone`` setting is present and set to ``true``.
+  - The ``inspector_auth`` setting is deprecated and will
+    be removed in Pike. The setting has no effect if the
+    ``enable_keystone`` setting is present and set to ``true``.