From 3a12ee67e46bf12f014aeb69043830bb42392564 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 17 Nov 2016 15:09:08 -0500
Subject: [PATCH] Add code to support novajoin in the undercloud

Novajoin is a new nova metadata micro-service that registers instances created by nova with a FreeIPA server, so that we can take advantage of server/service identities, kerberos credentials, access and sudo controls etc. The included modules will cause the undercloud to be registered with a FreeIPA server, for novajoin to be installed, and for nova on the undercloud to be configured to use novajoin.
Implements: blueprint novajoin
Depends-On: I5ffa45bdc400e123079c79e15776ebacdcb24de9
Change-Id: Ia2fdb544460cd39fbfda5970c9bfba22feec6403
---
 .../puppet-stack-config/puppet-stack-config.pp | 5 +++++
 .../puppet-stack-config.yaml.template | 14 ++++++++++++++
 instack_undercloud/undercloud.py | 9 +++++++++
 undercloud.conf.sample | 9 +++++++++
 4 files changed, 37 insertions(+)
diff --git a/elements/puppet-stack-config/puppet-stack-config.pp b/elements/puppet-stack-config/puppet-stack-config.pp
index 93dfe5e89..71df7d28f 100644
--- a/elements/puppet-stack-config/puppet-stack-config.pp
+++ b/elements/puppet-stack-config/puppet-stack-config.pp
@@ -624,3 +624,8 @@ Service[$needless_services] {
 enable => false,
 ensure => stopped,
 }
+
+# novajoin install
+if str2bool(hiera('enable_novajoin', false)) {
+ include ::nova::metadata::novajoin::api
+}
diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index fd33fc392..4e9408dd9 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
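Review bot: The added comment `# novajoin install` in puppet-stack-config.pp understates what the guarded include does: per the commit description, enabling it also registers the undercloud with a FreeIPA server, which uses the one-time password supplied through hiera. A comment such as `# novajoin: installs the metadata service and enrolls this host in FreeIPA (reads ipaclient::password and ipaclient::hostname)` would make that side effect visible to whoever turns on `enable_novajoin`. That the enrollment is driven from `::nova::metadata::novajoin::api` is inferred from the commit message; the class body is not part of this patch.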
@@ -676,12 +676,26 @@ enable_telemetry: {{ENABLE_TELEMETRY}}
 enable_legacy_ceilometer_api: {{ENABLE_LEGACY_CEILOMETER_API}}
 enable_ui: {{ENABLE_UI}}
 enable_cinder: {{ENABLE_CINDER}}
+enable_novajoin: {{ENABLE_NOVAJOIN}}
 # Path to install configuration files
 tripleo_install_user: {{TRIPLEO_INSTALL_USER}}
 tripleo_undercloud_conf_file: {{TRIPLEO_UNDERCLOUD_CONF_FILE}}
 tripleo_undercloud_password_file: {{TRIPLEO_UNDERCLOUD_PASSWORD_FILE}}
+# Novajoin
+nova::metadata::novajoin::api::keystone_auth_url: "%{hiera('keystone_auth_uri')}"
+nova::metadata::novajoin::api::nova_password: {{UNDERCLOUD_NOVA_PASSWORD}}
+nova::metadata::novajoin::api::transport_url: "rabbit://{{UNDERCLOUD_RABBIT_USERNAME}}:{{UNDERCLOUD_RABBIT_PASSWORD}}@{{LOCAL_IP}}//"
+ipaclient::password: {{IPA_OTP}}
+ipaclient::hostname: {{UNDERCLOUD_HOSTNAME}}
+{{#ENABLE_NOVAJOIN}}
+nova::api::vendordata_jsonfile_path: '/etc/nova/cloud-config.json'
+nova::api::vendordata_providers: ['StaticJSON', 'DynamicJSON']
+nova::api::vendordata_dynamic_targets: ['join@http://127.0.0.1:9999/v1/']
+nova::notification_topics: 'notifications'
+nova::notify_on_state_change: 'vm_state'
+{{/ENABLE_NOVAJOIN}}
 # Firewall
 tripleo::firewall::manage_firewall: true
diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py
index 0da5ca0b5..debe6bc76 100644
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@@ -299,6 +299,15 @@ _opts = [
 help=('Whether to enable legacy ceilometer api '
 'in the Undercloud.')
 ),
+ cfg.BoolOpt('enable_novajoin',
+ default=False,
+ help=('Whether to install novajoin metadata service in '
+ 'the Undercloud.')
+ ),
+ cfg.StrOpt('ipa_otp',
+ help=('One Time Password to register Undercloud node with '
+ 'an IPA server.')
+ ),
 cfg.BoolOpt('ipxe_enabled',
 default=True,
 help=('Whether to use iPXE for deploy and inspection.'),
diff --git a/undercloud.conf.sample b/undercloud.conf.sample
index b9f4ab6e2..ff2828341 100644
--- a/undercloud.conf.sample
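Review bot: In puppet-stack-config.yaml.template, `ipaclient::password: {{IPA_OTP}}` and the other four keys under `# Novajoin` sit above the `{{#ENABLE_NOVAJOIN}}` section, so whatever is set in `ipa_otp` is written into the hieradata even when novajoin is disabled and the one-time password will never be consumed. Moving those lines inside the section keeps an unused enrollment secret off disk. The value is also unquoted, so an OTP that is all digits, begins with a YAML indicator character, or contains `#` or `: ` would be parsed as something other than the intended string; `ipaclient::password: '{{IPA_OTP}}'` avoids that for values without a single quote. The same applies to `nova_password: {{UNDERCLOUD_NOVA_PASSWORD}}`, unless generated passwords are guaranteed to be plain alphanumerics, which this hunk does not show.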
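Review bot: `ipa_otp` in instack_undercloud/undercloud.py is an enrollment credential but is declared as a plain string option; marking it secret keeps oslo.config from printing the value when option values are logged: `cfg.StrOpt('ipa_otp', secret=True,`. Nothing in this hunk rejects `enable_novajoin = true` with an empty `ipa_otp`, although undercloud.conf.sample describes the OTP as required in that case; if no such validation exists elsewhere in the file, a check at configuration-validation time would fail earlier and more clearly than the puppet run. The sample's sentence "Required when enable_novajoin = true." is also missing from this help string, so regenerating the sample from the options would drop it. The `_opts` list starts and ends outside the hunk.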
+++ b/undercloud.conf.sample
@@ -165,6 +165,15 @@
 # Undercloud. (boolean value)
 #enable_legacy_ceilometer_api = false
+# Whether to install novajoin metadata service in the Undercloud.
+# (boolean value)
+#enable_novajoin = false
+
+# One Time Password to register Undercloud node with IPA server.
+# Required when enable_novajoin = true.
+# (string value)
+#ipa_otp =
+
 # Whether to use iPXE for deploy and inspection. (boolean value)
 # Deprecated group/name - [DEFAULT]/ipxe_deploy
 #ipxe_enabled = true