tripleo-ansible/tripleo_ansible/roles/tripleo-keystone-resources/tasks
Emilien Macchi edbaa07ea4 [train-squash] Backport tripleo-keystone-resources role
The role has proven to be stable and made the deployment a bit faster
since it's only taking a minute to create all Keystone resources with
Ansible vs more than 8 minutes with Puppet. This effort is worth a
backport to stable/train.

Introduce tripleo-keystone-resources role

This role will manage Keystone resources, like
/etc/openstack/clouds.yaml, Keystone endpoints/users/roles/etc and
everything that was managed by Puppet before regarding Keystone.

Management of Keystone resources for each OpenStack service:
- services
- projects
- endpoints
- roles
- users and their assignment to roles
- admin resources

It's using batch + async so it runs faster than with Puppet where it
calls openstack client for each resource. Here it's using the python
openstacksdk with concurrency.

Change-Id: Ib9615c55d0fb4ea71208d74c5ee22594db52f46a
(cherry picked from commit 566bcf66ce)

Update override for keystone resources

The existing override was double quoting the override options which would
lead the config generator to double quote keys in the rendered data. This
change modifies the override data to make it use a jinja data structure
which will ensure we're not having to deal with quoting issues.

Change-Id: If3000457cb0c4fcd07082057ee801d30ff4a10e9
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 30c7de49b0)

tripleo-keystone-resources: fix a typo for domains creation

The variable was wrong for the loop item, this patch fixes it.

Change-Id: I095a60421ec1ecb60fdbf14cf7788a82492ed651
(cherry picked from commit 71d0997328)

tripleo-keystone-resources: handle multiple roles per user

os_user_role module can only assign one role to a user.
If a user needs multiple roles, we need a filter to build a dict where
each key is a user with a list of the assigned roles.

Change-Id: I3aff5f25b90affceacdf95d0f2725ed740761b70
(cherry picked from commit 478daa5471)

Data structure changes for tripleo-keystone-resources role

While reviewing the first implementation it appears that we can extend
the data structure to make it so we wouldn't need extra Ansible tasks to
handle other Keystone resources needed by some services like barbican,
ceilometer or heat.

This change does the following:

- remove "container" related variable name from "haskey" filter, as we
  will recycle it from the tripleo-keystone-resources role.
- keystone endpoints will be found under "endpoints" and not "urls".
- keystone endpoints data will be built from the keystone_resources
  dictionary only if endpoints are specified in the dict items.
  The loop-endpoints will loop over a list of keystone resources which
  contain "endpoints" key. However, it needs access to some other keys
  during the endpoint creation so we re-used that filter.
- Same for Keystone Services, with "service" attribute.
- Re-use "get_key_from_dict" filter to get all Keystone users to create.
  This can be done because the function will return only the key and its
  value when present, create a list and then we pass it to the users
  playbook.
  We do the same for the user roles assignment, but we also apply the
  "get_role_assignments" filter, to build the proper data structure so
  role assignment is done correctly.
- Allow to create extra roles and domains.
- Allow to override the default domain when creating a user.
- Modify "get_role_assignments" filter so if a domain is specified, the
  user is assigned to the role in a domain and not in a project.
  If no domain is specified, we assign it into a project, and the
  default is set by tripleo_keystone_resources_service_project where the
  default is "service" by legacy.
  The data structure of the returned value changed, to work with this
  complex situation (in Keystone v3, domain & project are mutually
  exclusive when doing role assignment).
- Add tripleo_keystone_resources_batch variable and set to 10 by
  default, so we'll manage 10 resources at the same time in async to
  speed things up.
- Create get_domain_id() filter to go over all domains and get a domain
  id from a domain name. Unfortunately, the module that lists all domains
  changed in Ansible 2.9.1 so we have 2 kinds of playbooks to support old
  and new style to gather all domain info.

The new structure looks like the following:

      keystone_resources:
        nova:
          service: compute
          region: RegionOne
          endpoints:
            public: https://public-nova:8774
            admin: https://admin-nova:8774
            internal: https://internal-nova:8774
          users:
            nova:
              password: secretenova
              roles:
                - admin
                - service
              domain: nova_extra_domain
          roles:
            - nova_extra_role
          domains:
            - nova_extra_domain

Change-Id: Ia68f8852662fb4abbd194954a246afb740bf3f71
(cherry picked from commit 44204ec6b2)
2020-02-10 09:14:45 -05:00
..
admin.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
clouds.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
domains.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
endpoints.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
gather_domains_new.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
gather_domains_old.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
loop-endpoints.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
main.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
projects.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
roles.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
services.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
user_per_role.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
user_roles.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
users.yml [train-squash] Backport tripleo-keystone-resources role 2020-02-10 09:14:45 -05:00
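
The role-assignment flattening the commit message describes (one assignment per user and role, scoped to a domain when the user sets one and otherwise to the default "service" project, then processed in batches of 10), as an added Python example that is not the project's get_role_assignments filter. The function names, the output shape and the sample input are assumptions made for illustration.

```python
# Added illustration, not the tripleo-ansible filter plugin; output shape is an assumption.
DEFAULT_PROJECT = "service"  # commit message: default of tripleo_keystone_resources_service_project
BATCH = 10                   # commit message: default of tripleo_keystone_resources_batch

# Constructed sample input in the structure the commit message shows.
RESOURCES = {
    "nova": {"users": {"nova": {"password": "constructed",
                                "roles": ["admin", "service"],
                                "domain": "nova_extra_domain"}}},
    "glance": {"users": {"glance": {"password": "constructed",
                                    "roles": ["admin"]}}},
    "cinder": {"service": "volumev3"},  # no "users" key, so no assignments
}


def role_assignments(resources, default_project=DEFAULT_PROJECT):
    """Flatten users into one entry per (user, role), scoped to a domain OR a project."""
    out = []
    for _, svc in sorted(resources.items()):
        for user, spec in sorted(svc.get("users", {}).items()):
            domain = spec.get("domain")
            for role in spec.get("roles", []):
                # Only identity and scope are copied; the password never leaves the input.
                entry = {"user": user, "role": role}
                # Keystone v3: a role assignment targets a domain or a project, never both.
                if domain:
                    entry["domain"] = domain
                else:
                    entry["project"] = default_project
                if entry not in out:  # a role listed twice yields one assignment
                    out.append(entry)
    return out


def batches(items, size=BATCH):
    """Split the assignments into groups of `size` for concurrent processing."""
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    for group in batches(role_assignments(RESOURCES)):
        for assignment in group:
            print(assignment)
```

Each resulting entry carries exactly one scope key, which makes an audit of who holds admin on which domain or project a simple scan of the list.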