kayobe/ansible/seed-credentials.yml
Mark Goddard 32a82ea039 Support authentication in Bifrost
* Switch from python-ironic-inspector-client to openstacksdk in
  ironic-inspector-rules. This allows us to use clouds.yaml to provide
  credentials.
* Enable authentication in Bifrost. Passwords are auto-generated by
  Bifrost, and stored in files in /root/.config/bifrost/. This change
  depends on a Kolla Ansible patch that ensures that these credentials
  are persisted between recreations of the bifrost container.
* Copy clouds.yaml and (if present) a CA certificate from the Bifrost
  container to the seed host, under the Kayobe Ansible user (stack).
  This allows us to use the credentials to register introspection rules.
* This patch is needed by a Kolla Ansible patch that enables TLS in
  Bifrost, since we need the CA certificate on the host to register
  introspection rules when TLS is enabled.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838

Story: 2010206
Task: 45930

Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0
2022-08-25 11:56:03 +02:00


---
# Copy the Bifrost clouds.yaml file and CA certificate (if one is in use) to
# the host. This allows us to access the Ironic and Inspector APIs outside of
# the Bifrost container.
- name: Ensure credentials are available on the host
  hosts: seed
  tags:
    - seed-credentials
  vars:
    openstack_config_dir: "{{ ansible_facts.env.HOME }}/.config/openstack"
  tasks:
    - name: Ensure OpenStack config directory exists
      file:
        path: "{{ openstack_config_dir }}"
        state: directory
        mode: 0700

    - name: Get clouds.yaml from Bifrost container
      command:
        cmd: docker exec bifrost_deploy cat /root/.config/openstack/clouds.yaml
      changed_when: false
      register: clouds_yaml
      no_log: true

    - name: Write clouds.yaml
      copy:
        content: |
          {%- set clouds = clouds_yaml.stdout | from_yaml -%}
          {%- for cloud in clouds.clouds.keys() | list -%}
          {%- if 'cacert' in clouds.clouds[cloud] -%}
          {%- set _ = clouds.clouds[cloud].update({'cacert': openstack_config_dir ~ '/bifrost.crt'}) -%}
          {%- endif -%}
          {%- endfor -%}
          {{ clouds | to_nice_yaml }}
        dest: "{{ openstack_config_dir }}/clouds.yaml"
        mode: 0600

    - name: Copy CA certificate from Bifrost container
      vars:
        clouds: "{{ clouds_yaml.stdout | from_yaml }}"
        cacerts: "{{ clouds.clouds.values() | selectattr('cacert', 'defined') | map(attribute='cacert') | list }}"
      command:
        cmd: docker cp bifrost_deploy:{{ cacerts[0] }} {{ openstack_config_dir }}/bifrost.crt
      changed_when: false
      when: cacerts | length > 0
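The "Write clouds.yaml" and "Copy CA certificate" tasks above do their work in Jinja: every cloud that carries a `cacert` is repointed at `<config dir>/bifrost.crt` on the host, clouds without TLS are left alone, and the container-side path of the first cert is what gets copied. The following is an added Python example, not code from the Kayobe change or from Bifrost, that performs the same rewrite in a testable form and writes the result with the same 0600 mode. The `CLOUDS` dict is a constructed stand-in for what `clouds_yaml.stdout | from_yaml` would yield (the endpoints, usernames and passwords are placeholders), and all function names are ours. It also reports how many distinct container cert paths the clouds reference, which matters because the playbook copies only `cacerts[0]` to a single `bifrost.crt`.

```python
"""Host-side clouds.yaml rewrite, mirroring seed-credentials.yml in Python.

Added example; the sample data below is constructed and the helper names
are ours, not Kayobe's.
"""
import json
import os
import stat
import tempfile

try:
    import yaml  # PyYAML, if installed; otherwise fall back to JSON below
except ImportError:
    yaml = None

HOST_CERT_NAME = "bifrost.crt"

# Constructed sample of a parsed Bifrost clouds.yaml. Secrets are placeholders.
CLOUDS = {
    "clouds": {
        "bifrost": {
            "auth_type": "http_basic",
            "auth": {
                "endpoint": "https://127.0.0.1:6385",
                "username": "bifrost_user",
                "password": "PLACEHOLDER-PASSWORD",
            },
            "cacert": "/etc/bifrost/bifrost.crt",
        },
        "bifrost-inspector": {
            "auth_type": "http_basic",
            "auth": {
                "endpoint": "https://127.0.0.1:5050",
                "username": "inspector_user",
                "password": "PLACEHOLDER-PASSWORD",
            },
            "cacert": "/etc/bifrost/bifrost.crt",
        },
        # A cloud without TLS has no cacert key and must pass through untouched.
        "bifrost-plain": {
            "auth_type": "none",
            "auth": {"endpoint": "http://127.0.0.1:6385"},
        },
    }
}


def rewrite_cacerts(clouds, config_dir):
    """Return (rewritten clouds, container-side cert paths in order seen).

    Equivalent of the Jinja loop in the "Write clouds.yaml" task: each cloud
    with a ``cacert`` is pointed at the host copy under ``config_dir``.
    The input dict is not modified.
    """
    host_cert = os.path.join(config_dir, HOST_CERT_NAME)
    rewritten = json.loads(json.dumps(clouds))  # cheap deep copy of plain data
    sources = []
    for cloud in rewritten["clouds"].values():
        if "cacert" in cloud:
            sources.append(cloud["cacert"])
            cloud["cacert"] = host_cert
    return rewritten, sources


def distinct_cacerts(sources):
    """Distinct container cert paths, order preserved. More than one entry
    means a single host bifrost.crt cannot serve every cloud."""
    return list(dict.fromkeys(sources))


def dump_clouds(clouds):
    """Serialise for writing. JSON is valid YAML, so the fallback is still
    readable by any YAML loader on the host."""
    if yaml is not None:
        return yaml.safe_dump(clouds, default_flow_style=False)
    return json.dumps(clouds, indent=2) + "\n"


def write_private(path, content):
    """Create the file with mode 0600 from the first instant (no window where a
    default-umask file holds the passwords); returns the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_seed_clouds_yaml(clouds, config_dir):
    """Whole flow: 0700 config dir, rewritten clouds.yaml at 0600, and the
    distinct container cert paths the caller still has to copy out."""
    os.makedirs(config_dir, mode=0o700, exist_ok=True)
    rewritten, sources = rewrite_cacerts(clouds, config_dir)
    path = os.path.join(config_dir, "clouds.yaml")
    mode = write_private(path, dump_clouds(rewritten))
    return path, mode, distinct_cacerts(sources)


def run_in_tempdir(clouds=CLOUDS):
    """Exercise the flow against a throwaway directory; returns (mode, certs)."""
    with tempfile.TemporaryDirectory() as tmp:
        _, mode, certs = write_seed_clouds_yaml(clouds, os.path.join(tmp, ".config", "openstack"))
    return mode, certs


if __name__ == "__main__":
    print(run_in_tempdir())
```

`distinct_cacerts` is the check a practitioner would add before relying on `cacerts[0]`: if it returns more than one path, the clouds disagree about which CA to trust and one copied `bifrost.crt` will leave some of them failing TLS verification.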