bifrost/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml
Dmitry Tantsur ddafc94e30 TLS support for API services
Change-Id: I084da313eda17435c095ade7cb1b92981f5341dc
2020-09-02 18:23:40 +02:00

153 lines
5.8 KiB
YAML

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# TODO(TheJulia): The user and project domains are hardcoded in this.
# We should likely address that at some point, however I think a user
# should be the driver of that work.
- name: "Error if credentials are undefined."
fail:
msg: |
Credentials are missing or undefined, unable to proceed.
Please consult roled defaults/main.yml.
when: >
keystone is undefined or keystone.bootstrap is undefined or
keystone.bootstrap.username is undefined or
keystone.bootstrap.password is undefined or
keystone.bootstrap.project_name is undefined or
ironic_inspector.service_catalog.auth_url is undefined or
ironic_inspector.service_catalog.username is undefined or
ironic_inspector.service_catalog.password is undefined or
ironic_inspector.keystone is undefined or
ironic_inspector.keystone.default_username is undefined or
ironic_inspector.keystone.default_password is undefined
- name: "Configure keystone auth"
set_fact:
keystone_auth:
auth_url: "{{ ironic.service_catalog.auth_url | default(keystone_api_url) }}"
username: "{{ keystone.bootstrap.username }}"
password: "{{ keystone.bootstrap.password }}"
project_name: "admin"
project_domain_id: "default"
user_domain_id: "default"
no_log: true
- name: "Create service user for ironic-inspector"
openstack.cloud.identity_user:
name: "{{ ironic_inspector.service_catalog.username }}"
password: "{{ ironic_inspector.service_catalog.password }}"
state: present
domain: "default"
default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
auth: "{{ keystone_auth }}"
wait: yes
ca_cert: "{{ tls_certificate_path | default(omit) }}"
environment: "{{ bifrost_venv_env }}"
no_log: true
- name: "Associate ironic_inspector user to admin role"
openstack.cloud.role_assignment:
user: "{{ ironic_inspector.service_catalog.username }}"
role: admin
project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
auth: "{{ keystone_auth }}"
wait: yes
ca_cert: "{{ tls_certificate_path | default(omit) }}"
environment: "{{ bifrost_venv_env }}"
no_log: true
- name: "Create keystone service record for ironic-inspector"
openstack.cloud.catalog_service:
state: present
name: ironic-inspector
service_type: baremetal-introspection
description: OpenStack Baremetal Introspection Service
auth: "{{ keystone_auth }}"
wait: yes
ca_cert: "{{ tls_certificate_path | default(omit) }}"
environment: "{{ bifrost_venv_env }}"
register: introspection_catalog_service
no_log: true
- name: "Create ironic-inspector admin endpoint"
openstack.cloud.endpoint:
state: present
service: "{{ introspection_catalog_service.id }}"
endpoint_interface: admin
url: "{{ ironic_inspector.keystone.admin_url | default(ironic_inspector_api_url) }}"
region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
auth: "{{ keystone_auth }}"
ca_cert: "{{ tls_certificate_path | default(omit) }}"
no_log: true
environment: "{{ bifrost_venv_env }}"
- name: "Setting external ironic-inspector public URL"
set_fact:
ironic_inspector_public_url: "{{ api_protocol }}://{{ public_ip }}:5050/"
when: public_ip is defined
- name: "Create ironic-inspector public endpoint"
openstack.cloud.endpoint:
state: present
service: "{{ introspection_catalog_service.id }}"
endpoint_interface: public
url: "{{ ironic_inspector.keystone.public_url | default(ironic_inspector_public_url) | default(ironic_inspector_api_url) }}"
region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
auth: "{{ keystone_auth }}"
ca_cert: "{{ tls_certificate_path | default(omit) }}"
no_log: true
environment: "{{ bifrost_venv_env }}"
- name: "Setting internal ironic-inspector URL"
set_fact:
ironic_inspector_private_url: "{{ api_protocol }}://{{ private_ip }}:5050/"
when: private_ip is defined and private_ip | length > 0
- name: "Create ironic-inspector internal endpoint"
openstack.cloud.endpoint:
state: present
service: "{{ introspection_catalog_service.id }}"
endpoint_interface: internal
url: "{{ ironic_inspector.keystone.internal_url | default(ironic_inspector_private_url) | default(ironic_inspector_api_url) }}"
region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
auth: "{{ keystone_auth }}"
ca_cert: "{{ tls_certificate_path | default(omit) }}"
no_log: true
environment: "{{ bifrost_venv_env }}"
- name: "Create inspector_user user"
openstack.cloud.identity_user:
name: "{{ ironic_inspector.keystone.default_username }}"
password: "{{ ironic_inspector.keystone.default_password }}"
default_project: "baremetal"
domain: "default"
auth: "{{ keystone_auth }}"
update_password: always
wait: yes
ca_cert: "{{ tls_certificate_path | default(omit) }}"
environment: "{{ bifrost_venv_env }}"
no_log: true
- name: "Associate inspector_user with baremetal_admin"
openstack.cloud.role_assignment:
user: "{{ ironic_inspector.keystone.default_username }}"
role: "baremetal_admin"
project: baremetal
auth: "{{ keystone_auth }}"
wait: yes
ca_cert: "{{ tls_certificate_path | default(omit) }}"
environment: "{{ bifrost_venv_env }}"
no_log: true