From 84d17b055eda257395aa5fd38487382d1ac2105a Mon Sep 17 00:00:00 2001
From: Kayobe deployment user
Date: Tue, 5 Nov 2019 22:25:56 +0000
Subject: [PATCH] Use internal API endpoints in overcloud API interaction
Connections default to 'public' interface when attempting to run openstack commands. This breaks setups where the network hosts are separate from the controllers. This change adds an ``openstack_interface`` variable to select the correct endpoint to use, which defaults to ``internal``.
Co-Authored-By: Michael Senizaiz
Change-Id: Ifa766d2cc3ed7077f03c571398072ad5117701c6
Story: 2006814
Task: 37374
---
ansible/baremetal-compute-inspect.yml | 1 +
ansible/baremetal-compute-manage.yml | 1 +
ansible/baremetal-compute-provide.yml | 1 +
ansible/group_vars/all/openstack | 3 +++
.../overcloud-introspection-rules-dell-lldp-workaround.yml | 1 +
ansible/overcloud-introspection-rules.yml | 1 +
ansible/overcloud-ipa-images.yml | 1 +
ansible/provision-net.yml | 3 +++
ansible/roles/ipa-images/defaults/main.yml | 3 +++
ansible/roles/ipa-images/tasks/main.yml | 3 +++
ansible/roles/ipa-images/tasks/set-driver-info.yml | 1 +
ansible/roles/ironic-inspector-rules/defaults/main.yml | 3 +++
.../library/os_ironic_inspector_rule.py | 1 +
ansible/roles/ironic-inspector-rules/tasks/main.yml | 1 +
.../notes/fix-post-config-public-eb72f3a692a2be6b.yaml | 7 +++++++
requirements.yml | 4 ++--
16 files changed, 33 insertions(+), 2 deletions(-)
create mode 100644 releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml
diff --git a/ansible/baremetal-compute-inspect.yml b/ansible/baremetal-compute-inspect.yml
index 74734bad1..2f70d1d32 100644
--- a/ansible/baremetal-compute-inspect.yml
+++ b/ansible/baremetal-compute-inspect.yml
@@ -37,6 +37,7 @@
 auth_type: "{{ openstack_auth_type }}"
 auth: "{{ openstack_auth }}"
 cacert: "{{ openstack_cacert | default(omit, true) }}"
+ interface: "{{ openstack_interface | default(omit, true) }}"
 name: "{{ inventory_hostname }}"
 timeout: "{{ baremetal_compute_timeout }}"
 wait: "{{ baremetal_compute_wait }}"
diff --git a/ansible/baremetal-compute-manage.yml b/ansible/baremetal-compute-manage.yml
index a17636923..5668a2c58 100644
--- a/ansible/baremetal-compute-manage.yml
+++ b/ansible/baremetal-compute-manage.yml
@@ -35,6 +35,7 @@
 os_ironic_state_auth_type: "{{ openstack_auth_type }}"
 os_ironic_state_auth: "{{ openstack_auth }}"
 os_ironic_state_cacert: "{{ openstack_cacert }}"
+ os_ironic_state_interface: "{{ openstack_interface }}"
 os_ironic_state_name: "{{ inventory_hostname }}"
 os_ironic_state_provision_state: "manage"
 os_ironic_state_wait: "{{ baremetal_compute_wait }}"
diff --git a/ansible/baremetal-compute-provide.yml b/ansible/baremetal-compute-provide.yml
index d8937203f..37a720d44 100644
--- a/ansible/baremetal-compute-provide.yml
+++ b/ansible/baremetal-compute-provide.yml
@@ -35,6 +35,7 @@
 os_ironic_state_auth_type: "{{ openstack_auth_type }}"
 os_ironic_state_auth: "{{ openstack_auth }}"
 os_ironic_state_cacert: "{{ openstack_cacert }}"
+ os_ironic_state_interface: "{{ openstack_interface }}"
 os_ironic_state_name: "{{ inventory_hostname }}"
 os_ironic_state_provision_state: "provide"
 os_ironic_state_wait: "{{ baremetal_compute_wait }}"
diff --git a/ansible/group_vars/all/openstack b/ansible/group_vars/all/openstack
index e1d61ecef..86bf653e7 100644
--- a/ansible/group_vars/all/openstack
+++ b/ansible/group_vars/all/openstack
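Review bot: In ansible/baremetal-compute-manage.yml the new `os_ironic_state_interface: "{{ openstack_interface }}"` is passed to the role without the `| default(omit, true)` guard that the `interface:` line in baremetal-compute-inspect.yml uses, and ansible/baremetal-compute-provide.yml adds the same unguarded line. It mirrors the `os_ironic_state_cacert` line beside it, so this may be deliberate, but whether the stackhpc.os-ironic-state role tolerates an empty value is not visible in this patch. If an operator clears `openstack_interface` to get the module default back, the empty string reaches the role as-is; `os_ironic_state_interface: "{{ openstack_interface | default(omit, true) }}"` would make these two playbooks agree with the first one and with provision-net.yml. The vars block starts and ends outside the hunk.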
@@ -30,6 +30,9 @@ openstack_auth:
 # Overcloud CA certificate path.
 openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
+# Overcloud interface (public, internal, admin).
+openstack_interface: internal
+
 # Overcloud authentication environment variables. These should be compatible
 # with the openstack client.
 # By default we pull these from the environment of the shell executing Ansible.
diff --git a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
index e86fb38aa..06f6b3a29 100644
--- a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
+++ b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
@@ -130,3 +130,4 @@
 ironic_inspector_auth_type: "{{ openstack_auth_type }}"
 ironic_inspector_auth: "{{ openstack_auth }}"
 ironic_inspector_cacert: "{{ openstack_cacert }}"
+ ironic_inspector_interface: "{{ openstack_interface }}"
diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml
index 20ee45bdd..39b004df1 100644
--- a/ansible/overcloud-introspection-rules.yml
+++ b/ansible/overcloud-introspection-rules.yml
@@ -64,6 +64,7 @@
 ironic_inspector_auth_type: "{{ openstack_auth_type }}"
 ironic_inspector_auth: "{{ openstack_auth }}"
 ironic_inspector_cacert: "{{ openstack_cacert }}"
+ ironic_inspector_interface: "{{ openstack_interface }}"
 ironic_inspector_rules: "{{ inspector_rules }}"
 # These variables may be referenced in the introspection rules.
 inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}"
diff --git a/ansible/overcloud-ipa-images.yml b/ansible/overcloud-ipa-images.yml
index 2f29a639b..a6015775c 100644
--- a/ansible/overcloud-ipa-images.yml
+++ b/ansible/overcloud-ipa-images.yml
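Review bot: The comment above `openstack_interface: internal` in ansible/group_vars/all/openstack lists the allowed values but not what the new default changes: every overcloud API call made by these playbooks, together with the credentials in `openstack_auth`, now goes to the internal endpoint instead of the public one. Whether that endpoint is served over TLS, and whether `openstack_cacert` validates its certificate, depends on the deployment and cannot be seen from this hunk, so it deserves a line for operators. I would extend the comment to `# Overcloud endpoint interface (public, internal, admin). The host running Ansible must reach this endpoint, and openstack_cacert must validate its certificate if it uses TLS.` Sites that relied on the public endpoint may also want this described as an upgrade impact rather than only as a fix.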
@@ -107,4 +107,5 @@
 ipa_images_openstack_auth: "{{ openstack_auth }}"
 ipa_images_openstack_auth_env: "{{ openstack_auth_env }}"
 ipa_images_openstack_cacert: "{{ openstack_cacert }}"
+ ipa_images_openstack_interface: "{{ openstack_interface }}"
 ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}"
diff --git a/ansible/provision-net.yml b/ansible/provision-net.yml
index e910f314a..ba8a5a2a4 100644
--- a/ansible/provision-net.yml
+++ b/ansible/provision-net.yml
@@ -68,6 +68,7 @@
 os_networks_auth_type: "{{ openstack_auth_type }}"
 os_networks_auth: "{{ openstack_auth }}"
 os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}"
+ os_networks_interface: "{{ openstack_interface | default(omit, true) }}"
 # Network configuration.
 os_networks: "{{ network_registrations }}"
 tasks:
@@ -96,6 +97,7 @@
 auth: "{{ openstack_auth }}"
 auth_type: "{{ openstack_auth_type }}"
 cacert: "{{ openstack_cacert | default(omit, true) }}"
+ interface: "{{ openstack_interface | default(omit, true) }}"
 name: "{{ provision_net.name }}"
 register: provisioning_network_facts
@@ -112,6 +114,7 @@
 auth: "{{ openstack_auth }}"
 auth_type: "{{ openstack_auth_type }}"
 cacert: "{{ openstack_cacert | default(omit, true) }}"
+ interface: "{{ openstack_interface | default(omit, true) }}"
 name: "{{ cleaning_net.name }}"
 register: cleaning_network_facts
diff --git a/ansible/roles/ipa-images/defaults/main.yml b/ansible/roles/ipa-images/defaults/main.yml
index 390a0903d..9f39ca385 100644
--- a/ansible/roles/ipa-images/defaults/main.yml
+++ b/ansible/roles/ipa-images/defaults/main.yml
@@ -20,6 +20,9 @@ ipa_images_openstack_auth_env: {}
 # CA certificate path.
 ipa_images_openstack_caert:
+# Interface (public, internal, admin).
+ipa_images_openstack_interface:
+
 # Path to directory in which to store downloaded images.
 ipa_images_cache_path:
diff --git a/ansible/roles/ipa-images/tasks/main.yml b/ansible/roles/ipa-images/tasks/main.yml
index 09de04046..370e85b48 100644
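Review bot: `ipa_images_openstack_interface:` in ansible/roles/ipa-images/defaults/main.yml is a bare key, so it loads as null, and the comment above it does not say what an unset value means. The role's tasks in this patch pass it through `default(omit, true)`, so an empty default drops the argument and the module's own default applies, which the commit message says is `public`. A comment such as `# Interface (public, internal, admin). Leave empty to use the module default.` would make explicit that the role on its own does not select the internal endpoint. The same applies to `ironic_inspector_interface:` in ansible/roles/ironic-inspector-rules/defaults/main.yml.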
--- a/ansible/roles/ipa-images/tasks/main.yml
+++ b/ansible/roles/ipa-images/tasks/main.yml
@@ -71,6 +71,7 @@
 auth_type: "{{ ipa_images_openstack_auth_type }}"
 auth: "{{ ipa_images_openstack_auth }}"
 cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
+ interface: "{{ ipa_images_openstack_interface | default(omit, true) }}"
 image: "{{ ipa_images_kernel_name }}"
 - name: Set a fact containing the Ironic Python Agent (IPA) kernel image
@@ -82,6 +83,7 @@
 auth_type: "{{ ipa_images_openstack_auth_type }}"
 auth: "{{ ipa_images_openstack_auth }}"
 cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
+ interface: "{{ ipa_images_openstack_interface | default(omit, true) }}"
 image: "{{ ipa_images_ramdisk_name }}"
 - name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image
@@ -114,6 +116,7 @@
 auth_type: "{{ ipa_images_openstack_auth_type }}"
 auth: "{{ ipa_images_openstack_auth }}"
 cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
+ interface: "{{ ipa_images_openstack_interface | default(omit, true) }}"
 name: "{{ item.name }}"
 container_format: "{{ item.format }}"
 disk_format: "{{ item.format }}"
diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml
index c4f4dbd52..ead8a96a9 100644
--- a/ansible/roles/ipa-images/tasks/set-driver-info.yml
+++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml
@@ -5,6 +5,7 @@
 auth_type: "{{ ipa_images_openstack_auth_type }}"
 auth: "{{ ipa_images_openstack_auth }}"
 cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
+ interface: "{{ ipa_images_openstack_interface | default(omit, true) }}"
 image: "{{ item.name }}"
 with_items:
 - name: "{{ ipa_images_kernel_name }}"
diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml
index 39f5a56bc..64545b517 100644
--- a/ansible/roles/ironic-inspector-rules/defaults/main.yml
+++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml @@ -14,6 +14,9 @@ ironic_inspector_auth: {} # CA certificate path. ironic_inspector_cacert: +# Interface (public, internal, admin). +ironic_inspector_interface: + # URL of Ironic Inspector API endpoint. ironic_inspector_url: diff --git a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py index 717148032..7d75c9d78 100644 --- a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py +++ b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py @@ -85,6 +85,7 @@ def _build_client(module): api_version = (1, 14) client = ironic_inspector_client.v1.ClientV1( inspector_url=module.params['inspector_url'], + interface=module.params['interface'], session=session, region_name=module.params['region_name'], api_version=api_version) return client diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml index 1ca8d2dd8..cd9aeb4d1 100644 --- a/ansible/roles/ironic-inspector-rules/tasks/main.yml +++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml @@ -20,6 +20,7 @@ auth_type: "{{ ironic_inspector_auth_type }}" auth: "{{ ironic_inspector_auth }}" cacert: "{{ ironic_inspector_cacert | default(omit, true) }}" + interface: "{{ ironic_inspector_interface | default(omit, true) }}" conditions: "{{ item.conditions }}" actions: "{{ item.actions }}" description: "{{ item.description | default(omit) }}" diff --git a/releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml b/releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml new file mode 100644 index 000000000..7651356c3 --- /dev/null +++ b/releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml 
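Review bot: `interface=module.params['interface']` in `_build_client` indexes a parameter that this patch does not add to the module's argument spec; the diffstat shows a single inserted line for os_ironic_inspector_rule.py. It presumably comes from a shared OpenStack argument spec defined outside this hunk, but if it does not, the lookup raises `KeyError` on every run, so that is worth confirming. The same call also passes `inspector_url`, and how the client chooses an endpoint when both are given is not visible here. A comment above the call, e.g. `# interface selects the service-catalogue endpoint (public/internal/admin); see the argument spec for its default`, would document the new argument. `_build_client` starts outside the hunk.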
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixes an issue where ``kayobe overcloud post configure`` would use the
+ public OpenStack API interface, which might not be accessible from the
+ control hosts. See `story 2006814
+ `__ for details.
diff --git a/requirements.yml b/requirements.yml
index fc75de49f..809d5dcab 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -32,9 +32,9 @@
 - src: stackhpc.os-images
 version: v1.4.0
 - src: stackhpc.os-ironic-state
- version: v1.1.0
+ version: v1.2.0
 - src: stackhpc.os-networks
- version: v1.1.0
+ version: v1.2.0
 - src: stackhpc.os-openstackclient
 version: v1.3.0
 - src: stackhpc.os-shade