From f065bb96b5db3c7f6c55d631573325a53942395a Mon Sep 17 00:00:00 2001 From: ramishra Date: Fri, 25 Jun 2021 11:52:03 +0530 Subject: [PATCH] Add parameters to specify auth_strategy Adds ``NeutronAuthStrategy`` and ``IronicAuthStrategy`` parameters and makes the necessary changes in the services to deploy using them. Change-Id: Ib62678debc3d27ecc1d2bd3d817cf12e69253a18 --- .../ironic/ironic-api-container-puppet.yaml | 37 ++++++++++++++ deployment/ironic/ironic-base-puppet.yaml | 7 +++ .../ironic-conductor-container-puppet.yaml | 40 +++++++++++++-- .../ironic-inspector-container-puppet.yaml | 50 +++++++++++++++++-- ...ironic-neutron-agent-container-puppet.yaml | 39 ++++++++++++--- .../neutron/neutron-api-container-puppet.yaml | 8 +++ deployment/neutron/neutron-base.yaml | 9 ++++ ...eters-neutron-ironic-3d7330a7dc82f43d.yaml | 7 +++ 8 files changed, 183 insertions(+), 14 deletions(-) create mode 100644 releasenotes/notes/add-auth-strategy-parameters-neutron-ironic-3d7330a7dc82f43d.yaml diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml index fb457054b3..5974bfb6d8 100644 --- a/deployment/ironic/ironic-api-container-puppet.yaml +++ b/deployment/ironic/ironic-api-container-puppet.yaml @@ -69,10 +69,22 @@ parameters: description: | Use the advanced (eventlet safe) memcached client pool. default: true + IronicAuthStrategy: + type: string + description: Auth strategy to use with ironic. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'http_basic', 'noauth'] + AdminPassword: #supplied by tripleo-undercloud-passwords.yaml + type: string + description: The password for the keystone admin account, used for monitoring, querying neutron etc. + hidden: True conditions: cors_allowed_origin_set: not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']} + auth_strategy_http_basic: + equals: [{get_param: IronicAuthStrategy}, 'http_basic'] resources: ApacheServiceBase: @@ -160,6 +172,10 @@ outputs: ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} ironic::api::service_name: 'httpd' ironic::policy::policies: {get_param: IronicApiPolicies} + ironic::wsgi::apache::vhost_custom_fragment: + if: + - auth_strategy_http_basic + - 'WSGIPassAuthorization On' ironic::wsgi::apache::bind_host: str_replace: template: @@ -268,6 +284,9 @@ outputs: - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro - /var/log/containers/ironic:/var/log/ironic:z - /var/log/containers/httpd/ironic-api:/var/log/httpd:z + - if: + - auth_strategy_http_basic + - - /etc/ironic_passwd:/etc/ironic/htpasswd:z - if: - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro @@ -284,6 +303,24 @@ outputs: with_items: - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' } + - name: create password file when auth_stragy is 'http_basic' + vars: + is_http_basic: + if: + - auth_strategy_http_basic + - true + - false + copy: + dest: /etc/ironic_passwd + content: + str_replace: + template: | + admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}} + ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}} + params: + $ADMIN_PASSWORD: {get_param: AdminPassword} + $IRONIC_PASSWORD: {get_param: IronicPassword} + when: is_http_basic | bool deploy_steps_tasks: get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks] external_upgrade_tasks: diff --git a/deployment/ironic/ironic-base-puppet.yaml b/deployment/ironic/ironic-base-puppet.yaml index 0e410f07f9..3acb8bdd2f 100644 --- a/deployment/ironic/ironic-base-puppet.yaml +++ b/deployment/ironic/ironic-base-puppet.yaml @@ -55,6 +55,12 @@ parameters: type: string constraints: - allowed_values: [ '', 'oslo', 'json-rpc'] + IronicAuthStrategy: + type: string + description: Auth strategy to use with ironic. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'http_basic', 'noauth'] conditions: default_rsc_set: @@ -94,6 +100,7 @@ outputs: if: - default_rsc_set - {get_param: IronicDefaultResourceClass} + ironic::auth_strategy: {get_param: IronicAuthStrategy} ironic::rpc_transport: if: - rpc_transport_set diff --git a/deployment/ironic/ironic-conductor-container-puppet.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml index d8996676db..1c1ab9e798 100644 --- a/deployment/ironic/ironic-conductor-container-puppet.yaml +++ b/deployment/ironic/ironic-conductor-container-puppet.yaml @@ -253,6 +253,18 @@ parameters: the host to ensure each step of the boot process can successfully lease addresses. type: string + IronicAuthStrategy: + type: string + description: Auth strategy to use with ironic. + default: keystone + constraints: + - allowed_values: ['keystone', 'http_basic', 'noauth'] + NeutronAuthStrategy: + type: string + description: Auth strategy to use with neutron. + default: keystone + constraints: + - allowed_values: ['keystone', 'noauth'] conditions: default_deploy_interface_set: @@ -268,6 +280,12 @@ conditions: or: - not: {equals: [{get_param: IronicConductorGroup}, '']} - not: {equals: [{get_param: [RoleParameters, IronicConductorGroup]}, '']} + auth_strategy_non_default: + contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']] + auth_strategy_noauth: + equals: [{get_param: IronicAuthStrategy}, 'noauth'] + neutron_noauth: + equals: [{get_param: NeutronAuthStrategy}, 'noauth'] resources: RoleParametersValue: @@ -466,11 +484,23 @@ outputs: # to avoid hard linking errors we store these on the same # volume/device as the ironic master_path # https://github.com/docker/docker/issues/7457 - - ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot - - ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images - - ironic::pxe::tftp_root: /var/lib/ironic/tftpboot - - ironic::pxe::http_root: /var/lib/ironic/httpboot - - ironic::conductor::http_root: /var/lib/ironic/httpboot + ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot + ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images + ironic::pxe::tftp_root: /var/lib/ironic/tftpboot + ironic::pxe::http_root: /var/lib/ironic/httpboot + ironic::conductor::http_root: /var/lib/ironic/httpboot + - if: + - neutron_noauth + - ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]} + ironic::neutron::auth_type: 'none' + - if: + - auth_strategy_non_default + - ironic::service_catalog::auth_type: + if: + - auth_strategy_noauth + - 'none' + - {get_param: IronicAuthStrategy} + ironic::service_catalog::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} service_config_settings: {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml index 9f26cdc14f..e2b6f2f1a9 100644 --- a/deployment/ironic/ironic-inspector-container-puppet.yaml +++ b/deployment/ironic/ironic-inspector-container-puppet.yaml @@ -180,6 +180,16 @@ parameters: '10.10.10.0/24': 'physnet_a' '2001:db8::/64': 'physnet_b' type: json + IronicAuthStrategy: + type: string + description: Auth strategy to use with ironic. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'http_basic', 'noauth'] + AdminPassword: #supplied by tripleo-undercloud-passwords.yaml + type: string + description: The password for the keystone admin account, used for monitoring, querying neutron etc. + hidden: True parameter_groups: - label: deprecated @@ -201,6 +211,12 @@ conditions: not: {equals : [{get_param: IronicInspectorSubnets}, {}]} enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]} ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}} + auth_strategy_non_default: + contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']] + auth_strategy_http_basic: + equals: [{get_param: IronicAuthStrategy}, 'http_basic'] + auth_strategy_noauth: + equals: [{get_param: IronicAuthStrategy}, 'noauth'] resources: ContainersCommon: @@ -277,6 +293,7 @@ outputs: - get_param: IronicInspectorSubnets - [{ip_range: {get_param: IronicInspectorIpRange}}] ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface} + ironic::inspector::auth_strategy: {get_param: IronicAuthStrategy} ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir ironic::inspector::pxe_filter::dnsmasq::purge_dhcp_hostsdir: false ironic::inspector::pxe_filter::driver: dnsmasq @@ -328,7 +345,6 @@ outputs: collectd_host: localhost - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo - ironic::inspector::enable_ppc64le: if: - enable_architecture_ppc64le @@ -337,6 +353,14 @@ outputs: if: - {get_param: IronicInspectorIPXEEnabled} - 'http' + - if: + - auth_strategy_non_default + - ironic::inspector::ironic::auth_type: + if: + - auth_strategy_noauth + - 'none' + - {get_param: IronicAuthStrategy} + ironic::inspector::ironic::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} - if: - use_swift - ironic::inspector::store_data: 'swift' @@ -487,12 +511,14 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro - /var/lib/ironic:/var/lib/ironic:shared,z - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z + - if: + - auth_strategy_http_basic + - - /etc/ironic_inspector_passwd:/etc/ironic-inspector/htpasswd:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS ironic_inspector_dnsmasq: @@ -529,6 +555,24 @@ outputs: with_items: - { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/ironic-inspector/dhcp-hostsdir, 'setype': container_file_t } + - name: create password file when auth_stragy is 'http_basic' + vars: + is_http_basic: + if: + - auth_strategy_http_basic + - true + - false + copy: + dest: /etc/ironic_inspector_passwd + content: + str_replace: + template: | + admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}} + ironic-inspector:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}} + params: + $ADMIN_PASSWORD: {get_param: AdminPassword} + $IRONIC_PASSWORD: {get_param: IronicPassword} + when: is_http_basic | bool - name: create persistent ironic-inspector dnsmasq dhcp hostsdir file: path: /var/lib/ironic-inspector/dhcp-hostsdir diff --git a/deployment/ironic/ironic-neutron-agent-container-puppet.yaml b/deployment/ironic/ironic-neutron-agent-container-puppet.yaml index 425b99d231..c7530e989f 100644 --- a/deployment/ironic/ironic-neutron-agent-container-puppet.yaml +++ b/deployment/ironic/ironic-neutron-agent-container-puppet.yaml @@ -41,6 +41,24 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + IronicAuthStrategy: + type: string + description: Auth strategy to use with ironic. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'http_basic', 'noauth'] + NeutronAuthStrategy: + type: string + description: Auth strategy to use with neutron. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'noauth'] + +conditions: + auth_strategy_noauth: + equals: [{get_param: IronicAuthStrategy}, 'noauth'] + auth_strategy_non_default: + contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']] resources: ContainersCommon: @@ -69,12 +87,21 @@ outputs: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - neutron::agents::ml2::networking_baremetal::username: 'ironic' - - neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword} - - neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] } - - neutron::agents::ml2::networking_baremetal::project_name: 'service' - - neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default' - - neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default' - - neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion} + neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword} + neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] } + neutron::agents::ml2::networking_baremetal::project_name: 'service' + neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default' + neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default' + neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion} + neutron::agents::ml2::networking_baremetal::auth_strategy: {get_param: NeutronAuthStrategy} + - if: + - auth_strategy_non_default + - neutron::agents::ml2::networking_baremetal::auth_type: + if: + - auth_strategy_noauth + - 'none' + - {get_param: IronicAuthStrategy} + neutron::agents::ml2::networking_baremetal::ironic_url: { get_param: [ EndpointMap, IronicInternal, uri_no_suffix ] } - get_attr: [NeutronLogging, config_settings] puppet_config: config_volume: neutron diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index a901e81586..ad85a55cab 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml @@ -185,6 +185,13 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. + NeutronAuthStrategy: + type: string + description: Auth strategy to use with neutron. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'noauth'] + parameter_groups: - label: deprecated description: | @@ -291,6 +298,7 @@ outputs: neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + neutron::server::auth_strategy: {get_param: NeutronAuthStrategy} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::enable_proxy_headers_parsing: true neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping} diff --git a/deployment/neutron/neutron-base.yaml b/deployment/neutron/neutron-base.yaml index 51811d9ad6..6f2d4ebe9d 100644 --- a/deployment/neutron/neutron-base.yaml +++ b/deployment/neutron/neutron-base.yaml @@ -106,6 +106,14 @@ parameters: If True, then allow plugins that support it to create VLAN transparent networks. type: boolean + NeutronAuthStrategy: + type: string + description: Auth strategy to use with neutron. + default: 'keystone' + constraints: + - allowed_values: ['keystone', 'noauth'] + + conditions: dhcp_agents_set: @@ -122,6 +130,7 @@ outputs: map_merge: - neutron::notification_driver: {get_param: NotificationDriver} neutron::core_plugin: {get_param: NeutronCorePlugin} + neutron::auth_strategy: {get_param: NeutronAuthStrategy} neutron::service_plugins: {get_param: NeutronServicePlugins} neutron::logging::debug: if: diff --git a/releasenotes/notes/add-auth-strategy-parameters-neutron-ironic-3d7330a7dc82f43d.yaml b/releasenotes/notes/add-auth-strategy-parameters-neutron-ironic-3d7330a7dc82f43d.yaml new file mode 100644 index 0000000000..9dd200623b --- /dev/null +++ b/releasenotes/notes/add-auth-strategy-parameters-neutron-ironic-3d7330a7dc82f43d.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Adds two new parameters 'IronicAuthStrategy' and 'NeutronAuthStrategy' + that defaults to 'keystone'. This would allow deploying standalone + ironic and neutron services without keystone using different + 'auth_strategies' like 'http_basic' and 'noauth'.