32a82ea039
* Switch from python-ironic-inspector-client to openstacksdk in ironic-inspector-rules. This allows us to use clouds.yaml to provide credentials.
* Enable authentication in Bifrost. Passwords are auto-generated by Bifrost, and stored files in /root/.config/bifrost/. This change depends on a Kolla Ansible patch that ensures that these credentials are persisted between recreations of the bifrost container.
* Copy clouds.yaml and (if present) a CA certificate from the Bifrost container to the seed host, under the Kayobe Ansible user (stack). This allows us to use the credentials to register introspection rules.
* This patch is needed by a Kolla Ansible patch that enables TLS in Bifrost, since we need the CA certificate on the host to register introspection rules when TLS is enabled.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838
Story: 2010206
Task: 45930
Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0

78 lines
2.5 KiB
Markdown
Ironic Inspector Rules
======================

This role provides a module, `os_ironic_inspector_rule`, which may be
used to configure an introspection rule in OpenStack ironic inspector.
The role installs required python dependencies in a virtualenv, and uses
the `os_ironic_inspector_rule` module to configure a set of rules.

Requirements
------------

The OpenStack ironic inspector API should be accessible from the
target host.

Role Variables
--------------

`ironic_inspector_venv` is a path to a directory in which to create a
virtualenv.

`ironic_inspector_auth_type` is an authentication type compatible with
the `auth_type` argument of `os_*` Ansible modules.

`ironic_inspector_auth` is a dict containing authentication information
compatible with the `auth` argument of `os_*` Ansible modules.

`ironic_inspector_cacert` is an optional path to a CA certificate.

`ironic_inspector_cloud` is the name of a cloud in ``clouds.yaml``.

`ironic_inspector_rules` is a list of introspection rules which should
exist. See the Inspector rules API for details of parameters available
for rules.

Dependencies
------------

This role depends on the Kayobe `openstacksdk` role.

Example Playbook
----------------

The following playbook configures an introspection rule to set the IPMI
username and password fields in a node's driver info if they are currently
empty.

    ---
    - name: Ensure ironic inspector introspection rules are configured
      hosts: ironic-inspector
      roles:
        - role: ironic-inspector-rules
          ironic_inspector_venv: "~/ironic-inspector-rules-venv"
          ironic_inspector_auth_type: "password"
          ironic_inspector_auth:
            project_name: <keystone project>
            username: <keystone user>
            password: <keystone password>
            auth_url: <keystone auth URL>
          ironic_inspector_rules:
            - description: "Set IPMI driver_info if no credentials"
              conditions:
                - field: "node://driver_info.ipmi_username"
                  op: "is-empty"
                - field: "node://driver_info.ipmi_password"
                  op: "is-empty"
              actions:
                - action: "set-attribute"
                  path: "driver_info/ipmi_username"
                  value: "<IPMI username>"
                - action: "set-attribute"
                  path: "driver_info/ipmi_password"
                  value: "<IPMI password>"
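
The same rule registered through `ironic_inspector_cloud` and `ironic_inspector_cacert` rather than inline Keystone credentials, as an added example that is not part of the role's own documentation. It assumes the role accepts a cloud name in place of the `ironic_inspector_auth_type` and `ironic_inspector_auth` variables; the vars file path and the `ipmi_username` and `ipmi_password` variables are hypothetical.

```yaml
---
# Added example, not from the role's README.
# Assumption: the role accepts ironic_inspector_cloud in place of
# ironic_inspector_auth_type / ironic_inspector_auth.
- name: Ensure ironic inspector introspection rules are configured
  hosts: ironic-inspector
  # Hypothetical Ansible Vault-encrypted file that defines ipmi_username
  # and ipmi_password, so that no secret is written in the playbook.
  vars_files:
    - vault/ipmi-credentials.yml
  roles:
    - role: ironic-inspector-rules
      ironic_inspector_venv: "~/ironic-inspector-rules-venv"
      # Keystone credentials are read from this entry in clouds.yaml.
      ironic_inspector_cloud: "<cloud name in clouds.yaml>"
      # Optional: CA certificate for the API endpoint when TLS is enabled.
      ironic_inspector_cacert: "<path to CA certificate>"
      ironic_inspector_rules:
        - description: "Set IPMI driver_info if no credentials"
          conditions:
            - field: "node://driver_info.ipmi_username"
              op: "is-empty"
            - field: "node://driver_info.ipmi_password"
              op: "is-empty"
          actions:
            - action: "set-attribute"
              path: "driver_info/ipmi_username"
              value: "{{ ipmi_username }}"
            - action: "set-attribute"
              path: "driver_info/ipmi_password"
              value: "{{ ipmi_password }}"
```

Vaulting the IPMI values keeps them out of the playbook and version control only; they are still sent to ironic inspector as part of the rule definition.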

Author Information
------------------

- Mark Goddard (<mark@stackhpc.com>)