diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 53c00e2c08..57bf36f297 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -1,7 +1,8 @@ [DEFAULT] debug = {{ ironic_logging_debug }} -admin_token = {{ keystone_admin_token }} +admin_user = {{ openstack_auth.username }} +admin_password = {{ keystone_admin_password }} {% if service_name == 'ironic-api' %} [api] diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml index 78977e1c0b..e9d1507686 100644 --- a/ansible/roles/keystone/defaults/main.yml +++ b/ansible/roles/keystone/defaults/main.yml @@ -24,7 +24,10 @@ keystone_public_address: "{{ kolla_external_fqdn }}" keystone_admin_address: "{{ kolla_internal_fqdn }}" keystone_internal_address: "{{ kolla_internal_fqdn }}" +keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}" +keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}" +keystone_public_url: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keystone_public_port }}" + keystone_logging_debug: "{{ openstack_logging_debug }}" openstack_keystone_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}" -openstack_keystone_token_auth: "{'endpoint':'{{ openstack_auth_v2.auth_url }}','token':'{{ keystone_admin_token }}'}" diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml index 53a9f55a87..27bee9596b 100644 --- a/ansible/roles/keystone/tasks/register.yml +++ b/ansible/roles/keystone/tasks/register.yml @@ -1,39 +1,7 @@ --- -- name: Creating the admin project, user and role - command: docker exec -t kolla_toolbox /usr/bin/ansible localhost - -m kolla_keystone_user - -a "project=admin - user=admin - password={{ keystone_admin_password }} - role=admin - region_name={{ openstack_region_name }} - auth_type=admin_token - auth={{ '{{ openstack_keystone_token_auth }}' }}" - -e "{'openstack_keystone_token_auth':{{ openstack_keystone_token_auth }}}" - register: keystone_admin_user - changed_when: "{{ keystone_admin_user.stdout.find('localhost | SUCCESS => ') != -1 and (keystone_admin_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" - until: keystone_admin_user.stdout.split()[2] == 'SUCCESS' - retries: 10 - delay: 5 - run_once: True - -- name: Creating the Keystone service and endpoint - command: docker exec -t kolla_toolbox /usr/bin/ansible localhost - -m kolla_keystone_service - -a "service_name=keystone - service_type=identity - description='Openstack Identity' - endpoint_region={{ openstack_region_name }} - admin_url='{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}' - internal_url='{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}' - public_url='{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keystone_public_port }}' - region_name={{ openstack_region_name }} - auth_type=admin_token - auth={{ '{{ openstack_keystone_token_auth }}' }}" - -e "{'openstack_keystone_token_auth':{{ openstack_keystone_token_auth }}}" - register: keystone_endpoint - changed_when: "{{ keystone_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (keystone_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" - until: keystone_endpoint.stdout.split()[2] == 'SUCCESS' - retries: 10 - delay: 5 +- name: Creating admin project, user, role, service, and endpoint + command: docker exec -t keystone kolla_keystone_bootstrap {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }} admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ openstack_region_name }} + register: keystone_bootstrap + changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}" + failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}" run_once: True diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2 index 7d2ef7eb8c..c911d028cf 100644 --- a/ansible/roles/keystone/templates/keystone.conf.j2 +++ b/ansible/roles/keystone/templates/keystone.conf.j2 @@ -4,7 +4,5 @@ debug = {{ keystone_logging_debug }} # NOTE(elemoine) log_dir alone does not work for Keystone log_file = /var/log/kolla/keystone/keystone.log -admin_token = {{ keystone_admin_token }} - [database] connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }} diff --git a/docker/keystone/Dockerfile.j2 b/docker/keystone/Dockerfile.j2 index b893ce478f..4c23875a1e 100644 --- a/docker/keystone/Dockerfile.j2 +++ b/docker/keystone/Dockerfile.j2 @@ -60,16 +60,12 @@ RUN ln -s keystone-source/* keystone \ {% endif %} -# NOTE(SamYaple): This is to reintroduce a deprecated option as a quick-fix -# until the correct new procedure is implemented. -# TODO(SamYaple): Replace this with `keystone-manage bootstrap` -RUN sed -i 's|token_auth json_body|token_auth admin_token_auth json_body|g' /etc/keystone/keystone-paste.ini - RUN usermod -a -G kolla keystone \ && chown -R keystone: /var/www/cgi-bin/keystone \ && chmod 755 /var/www/cgi-bin/keystone/* +COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap COPY extend_start.sh /usr/local/bin/kolla_extend_start -RUN chmod 755 /usr/local/bin/kolla_extend_start +RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_keystone_bootstrap {{ include_footer }} diff --git a/docker/keystone/keystone_bootstrap.sh b/docker/keystone/keystone_bootstrap.sh new file mode 100644 index 0000000000..9702f02886 --- /dev/null +++ b/docker/keystone/keystone_bootstrap.sh @@ -0,0 +1,82 @@ +#!/bin/bash + +# NOTE(SamYaple): Kolla needs to wraps `keystone-manage bootstrap` to ensure +# any change is reported correctly for idempotency. This script will exit with +# valid json that can be parsed with information about if the task has failed +# and if anything changed. + +USERNAME=$1 +PASSWORD=$2 +PROJECT=$3 +ROLE=$4 +ADMIN_URL=$5 +INTERNAL_URL=$6 +PUBLIC_URL=$7 +REGION=$8 + +function get_token { + unset OS_TOKEN OS_URL + OS_TOKEN=$(openstack --os-identity-api-version 3 --os-username "${USERNAME}" --os-password "${PASSWORD}" --os-project-name "${PROJECT}" --os-auth-url "${ADMIN_URL}" token issue 2>&1 | awk '/ id / {print $4}') + OS_URL="${ADMIN_URL}/v3" +} + +function fail_json { + echo '{"failed": true, "msg": "'$1'"}' + exit 1 +} + +function exit_json { + echo '{"failed": false, "changed": '"${changed}"'}' +} + +function create_service { + if [[ ! $(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" service list 2>&1 | awk '/identity/') ]]; then + openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" service create identity --name keystone 2>&1 > /dev/null + changed="true" + fi +} + +function create_endpoints { + endpoints=$(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint list) + if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "admin" {print $14;exit}') != "${ADMIN_URL}" ]]; then + openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone admin "${ADMIN_URL}" 2>&1 > /dev/null + changed="true" + fi + if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "internal" {print $14;exit}') != "${INTERNAL_URL}" ]]; then + openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone internal "${INTERNAL_URL}" 2>&1 > /dev/null + changed="true" + fi + if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "public" {print $14;exit}') != "${PUBLIC_URL}" ]]; then + openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone public "${PUBLIC_URL}" 2>&1 > /dev/null + changed="true" + fi +} + +changed="false" +get_token +if [[ ! $(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" user list 2>&1 | awk '/'"${USERNAME}"'/') ]]; then + keystone_bootstrap=$(keystone-manage bootstrap --bootstrap-username "${USERNAME}" --bootstrap-password "${PASSWORD}" --bootstrap-project-name "${PROJECT}" --bootstrap-role-name "${ROLE}" 2>&1) + if [[ $? != 0 ]]; then + fail_json "${keystone_bootstrap}" + fi + + changed=$(echo "${keystone_bootstrap}" | awk ' + /Domain default already exists, skipping creation./ || + /Project '"${PROJECT}"' already exists, skipping creation./ || + /User '"${USERNAME}"' already exists, skipping creation./ || + /Role '"${ROLE}"' exists, skipping creation./ || + /User '"${USERNAME}"' already has '"${ROLE}"' on '"${PROJECT}"'./ {count++} + END { + if (count == 5) changed="false"; else changed="true" + print changed + }' + ) +fi + +get_token +if [[ ! "${OS_TOKEN}" ]]; then + fail_json "Unable to issue token" +fi +create_service +create_endpoints +exit_json diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index c92a3e58c0..7dc9626dee 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -25,7 +25,6 @@ docker_registry_password: #################### # OpenStack options #################### -keystone_admin_token: "password" keystone_admin_password: "password" keystone_database_password: "password"