openstack/kolla-ansible
Code Issues Proposed changes
Files
2e933dceb591c3505f35c2c1de924f3978fb81a7
kolla-ansible/ansible/roles/ironic/templates/ironic.conf.j2
Niklas Hagman 2e933dceb5 Transition Keystone admin user to system scope 
A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible

Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
2021-09-28 09:45:06 -07:00

207 lines
6.2 KiB
Django/Jinja
Raw Blame History

# NOTE(mgoddard): Ironic is changing the default value of [deploy]
# default_boot_option from 'netboot' to 'local'. If the option is not set,
# ironic will log a warning during the transition period. Even so,
# kolla-ansible should not set a value for this option as the warning is
# intended to inform operators of the impending change. The warning may be
# suppressed by the deployer by setting a value for the option.
[DEFAULT]
{% if not ironic_enable_keystone_integration | bool %}
auth_strategy = noauth
{% endif %}
debug = {{ ironic_logging_debug }}
log_dir = /var/log/kolla/ironic
transport_url = {{ rpc_transport_url }}
{% if pin_release_version is defined %}
pin_release_version = {{ pin_release_version }}
{% endif %}
my_ip = {{ api_interface_address }}
[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
{% if ironic_enabled_notification_topics %}
driver = messagingv2
topics = {{ ironic_enabled_notification_topics | map(attribute='name') | join(',') }}
{% else %}
driver = noop
{% endif %}
{% if om_enable_rabbitmq_tls | bool %}
[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
{% if ironic_policy_file is defined %}
[oslo_policy]
policy_file = {{ ironic_policy_file }}
{% endif %}
{% if service_name == 'ironic-conductor' %}
[conductor]
automated_clean=false
{% endif %}
[database]
connection = mysql+pymysql://{{ ironic_database_user }}:{{ ironic_database_password }}@{{ ironic_database_address }}/{{ ironic_database_name }}
connection_recycle_time = {{ database_connection_recycle_time }}
max_pool_size = {{ database_max_pool_size }}
max_retries = -1
{% if ironic_enable_keystone_integration | bool %}
[keystone_authtoken]
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
{% endif %}
{% if enable_cinder | bool %}
[cinder]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% endif %}
{% if enable_glance | bool %}
[glance]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% endif %}
{% if enable_neutron | bool %}
[neutron]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cleaning_network = {{ ironic_cleaning_network }}
cafile = {{ openstack_cacert }}
{% endif %}
{% if enable_nova | bool %}
[nova]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% endif %}
{% if enable_swift | bool %}
[swift]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% endif %}
[inspector]
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% else %}
auth_type = none
endpoint_override = {{ ironic_inspector_internal_endpoint }}
{% endif %}
[service_catalog]
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% else %}
auth_type = none
endpoint_override = {{ ironic_internal_endpoint }}
{% endif %}
[agent]
deploy_logs_local_path = /var/log/kolla/ironic
deploy_logs_storage_backend = local
deploy_logs_collect = always
[pxe]
pxe_append_params = nofb nomodeset vga=normal console=tty0 console=ttyS0,{{ ironic_console_serial_speed }}
{% if enable_ironic_ipxe | bool %}
{# NOTE(mgoddard): iPXE uses the TFTP image cache (tftp_master_path, default
/tftpboot/master_images), in which images get hard linked to the http_root
directory (/httpboot). These must be on the same device, but /httpboot and
/tftpboot live in separate Docker volumes. Override the default paths for
iPXE to place them both in /httpboot. This prevents mixing PXE and iPXE. #}
tftp_root = /httpboot
tftp_master_path = /httpboot/master_images
tftp_server = {{ api_interface_address }}
{% endif %}
[deploy]
http_url = {{ ironic_ipxe_url }}
[oslo_middleware]
enable_proxy_headers_parsing = True
{% if not enable_neutron | bool %}
[dhcp]
dhcp_provider = none
{% endif %}
View Git Blame Copy Permalink