Mark Goddard 32a82ea039 Support authentication in Bifrost

* Switch from python-ironic-inspector-client to openstacksdk in
  ironic-inspector-rules. This allows us to use clouds.yaml to provide
  credentials.
* Enable authentication in Bifrost. Passwords are auto-generated by
  Bifrost, and stored files in /root/.config/bifrost/. This change
  depends on a Kolla Ansible patch that ensures that these credentials
  are persisted between recreations of the bifrost container.
* Copy clouds.yaml and (if present) a CA certificate from the Bifrost
  container to the seed host, under the Kayobe Ansible user (stack).
  This allows us to use the credentials to register introspection rules.
* This patch is needed by a Kolla Ansible patch that enables TLS in
  Bifrost, since we need the CA certificate on the host to register
  introspection rules when TLS is enabled.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838

Story: 2010206
Task: 45930

Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0

2022-08-25 11:56:03 +02:00

2.5 KiB

Raw Permalink Blame History

Ironic Inspector Rules

This role provides a module, os_ironic_inspector_rule, which may be used to configure an introspection rule in OpenStack ironic inspector. The role installs required python dependencies in a virtualenv, and uses the os_ironic_inspector_rule module to configure a set of rules.

Requirements

The OpenStack ironic inspector API should be accessible from the target host.

Role Variables

ironic_inspector_venv is a path to a directory in which to create a virtualenv.

ironic_inspector_auth_type is an authentication type compatible with the auth_type argument of os_* Ansible modules.

ironic_inspector_auth is a dict containing authentication information compatible with the auth argument of os_* Ansible modules.

ironic_inspector_cacert is an optional path to a CA certificate.

ironic_inspector_cloud is the name of a cloud in clouds.yaml.

ironic_inspector_rules is a list of introspection rules which should exist. See the Inspector rules API for details of parameters available for rules.

Dependencies

This role depends on the Kayobe openstacksdk role.

Example Playbook

The following playbook configures an introspection rule to set the IPMI username and password fields in a node's driver info if they are currently empty.

---
- name: Ensure ironic inspector introspection rules are configured
  hosts: ironic-inspector
  roles:
    - role: ironic-inspector-rules
      ironic_inspector_venv: "~/ironic-inspector-rules-venv"
      ironic_inspector_auth_type: "password"
      ironic_inspector_auth:
        project_name: <keystone project>
        username: <keystone user>
        password: <keystone password>
        auth_url: <keystone auth URL>
      ironic_inspector_rules:
        - description: "Set IPMI driver_info if no credentials"
          conditions:
            - field: "node://driver_info.ipmi_username"
              op: "is-empty"
            - field: "node://driver_info.ipmi_password"
              op: "is-empty"
          actions:
            - action: "set-attribute"
              path: "driver_info/ipmi_username"
              value: "<IPMI username>"
            - action: "set-attribute"
              path: "driver_info/ipmi_password"
              value: "<IPMI password>"

Author Information

Mark Goddard (mark@stackhpc.com)

2.5 KiB Raw Permalink Blame History