Merge "Add parameters to specify auth_strategy"

deployment/ironic/ironic-api-container-puppet.yaml

@@ -69,10 +69,22 @@ parameters:
     description: |
       Use the advanced (eventlet safe) memcached client pool.
     default: true
+  IronicAuthStrategy:
+    type: string
+    description: Auth strategy to use with ironic.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'http_basic', 'noauth']
+  AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
+    type: string
+    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+    hidden: True
 
 conditions:
   cors_allowed_origin_set:
     not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
+  auth_strategy_http_basic:
+    equals: [{get_param: IronicAuthStrategy}, 'http_basic']
 
 resources:
   ApacheServiceBase:
@@ -160,6 +172,10 @@ outputs:
             ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
             ironic::api::service_name: 'httpd'
             ironic::policy::policies: {get_param: IronicApiPolicies}
+            ironic::wsgi::apache::vhost_custom_fragment:
+              if:
+                - auth_strategy_http_basic
+                - 'WSGIPassAuthorization On'
             ironic::wsgi::apache::bind_host:
               str_replace:
                 template:
@@ -268,6 +284,9 @@ outputs:
                   - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
                   - /var/log/containers/ironic:/var/log/ironic:z
                   - /var/log/containers/httpd/ironic-api:/var/log/httpd:z
+                - if:
+                  - auth_strategy_http_basic
+                  - - /etc/ironic_passwd:/etc/ironic/htpasswd:z
                 - if:
                     - {get_param: EnableInternalTLS}
                     - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
@@ -284,6 +303,24 @@ outputs:
           with_items:
             - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
             - { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
+        - name: create password file when auth_stragy is 'http_basic'
+          vars:
+            is_http_basic:
+              if:
+                - auth_strategy_http_basic
+                - true
+                - false
+          copy:
+            dest: /etc/ironic_passwd
+            content:
+              str_replace:
+                template: |
+                  admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
+                  ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
+                params:
+                  $ADMIN_PASSWORD: {get_param: AdminPassword}
+                  $IRONIC_PASSWORD: {get_param: IronicPassword}
+          when: is_http_basic | bool
       deploy_steps_tasks:
         get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
       external_upgrade_tasks:

deployment/ironic/ironic-base-puppet.yaml

@@ -55,6 +55,12 @@ parameters:
     type: string
     constraints:
       - allowed_values: [ '', 'oslo', 'json-rpc']
+  IronicAuthStrategy:
+    type: string
+    description: Auth strategy to use with ironic.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'http_basic', 'noauth']
 
 conditions:
   default_rsc_set:
@@ -94,6 +100,7 @@ outputs:
           if:
           - default_rsc_set
           - {get_param: IronicDefaultResourceClass}
+        ironic::auth_strategy: {get_param: IronicAuthStrategy}
         ironic::rpc_transport:
           if:
           - rpc_transport_set

deployment/ironic/ironic-conductor-container-puppet.yaml

@@ -253,6 +253,18 @@ parameters:
                  the host to ensure each step of the boot process can
                  successfully lease addresses.
     type: string
+  IronicAuthStrategy:
+    type: string
+    description: Auth strategy to use with ironic.
+    default: keystone
+    constraints:
+      - allowed_values: ['keystone', 'http_basic', 'noauth']
+  NeutronAuthStrategy:
+    type: string
+    description: Auth strategy to use with neutron.
+    default: keystone
+    constraints:
+      - allowed_values: ['keystone', 'noauth']
 
 parameter_groups:
 - label: deprecated
@@ -278,6 +290,12 @@ conditions:
     or:
       - not: {equals: [{get_param: IronicConductorGroup}, '']}
       - not: {equals: [{get_param: [RoleParameters, IronicConductorGroup]}, '']}
+  auth_strategy_non_default:
+    contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
+  auth_strategy_noauth:
+    equals: [{get_param: IronicAuthStrategy}, 'noauth']
+  neutron_noauth:
+    equals: [{get_param: NeutronAuthStrategy}, 'noauth']
 
 resources:
   RoleParametersValue:
@@ -475,11 +493,23 @@ outputs:
           # to avoid hard linking errors we store these on the same
           # volume/device as the ironic master_path
           # https://github.com/docker/docker/issues/7457
-          - ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot
+            ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot
-          - ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images
+            ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images
-          - ironic::pxe::tftp_root: /var/lib/ironic/tftpboot
+            ironic::pxe::tftp_root: /var/lib/ironic/tftpboot
-          - ironic::pxe::http_root: /var/lib/ironic/httpboot
+            ironic::pxe::http_root: /var/lib/ironic/httpboot
-          - ironic::conductor::http_root: /var/lib/ironic/httpboot
+            ironic::conductor::http_root: /var/lib/ironic/httpboot
+          - if:
+              - neutron_noauth
+              - ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]}
+                ironic::neutron::auth_type: 'none'
+          - if:
+              - auth_strategy_non_default
+              - ironic::service_catalog::auth_type:
+                  if:
+                    - auth_strategy_noauth
+                    - 'none'
+                    - {get_param: IronicAuthStrategy}
+                ironic::service_catalog::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
       service_config_settings: {}
       # BEGIN DOCKER SETTINGS
       puppet_config:

deployment/ironic/ironic-inspector-container-puppet.yaml

@@ -180,6 +180,16 @@ parameters:
                '10.10.10.0/24': 'physnet_a'
                '2001:db8::/64': 'physnet_b'
     type: json
+  IronicAuthStrategy:
+    type: string
+    description: Auth strategy to use with ironic.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'http_basic', 'noauth']
+  AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
+    type: string
+    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+    hidden: True
 
 parameter_groups:
 - label: deprecated
@@ -201,6 +211,12 @@ conditions:
     not: {equals : [{get_param: IronicInspectorSubnets}, {}]}
   enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]}
   ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}}
+  auth_strategy_non_default:
+    contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
+  auth_strategy_http_basic:
+    equals: [{get_param: IronicAuthStrategy}, 'http_basic']
+  auth_strategy_noauth:
+    equals: [{get_param: IronicAuthStrategy}, 'noauth']
 
 resources:
   ContainersCommon:
@@ -277,6 +293,7 @@ outputs:
               - get_param: IronicInspectorSubnets
               - [{ip_range: {get_param: IronicInspectorIpRange}}]
             ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
+            ironic::inspector::auth_strategy: {get_param: IronicAuthStrategy}
             ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
             ironic::inspector::pxe_filter::dnsmasq::purge_dhcp_hostsdir: false
             ironic::inspector::pxe_filter::driver: dnsmasq
@@ -328,7 +345,6 @@ outputs:
                       collectd_host: localhost
                     - read_default_file: /etc/my.cnf.d/tripleo.cnf
                       read_default_group: tripleo
-
             ironic::inspector::enable_ppc64le:
               if:
                 - enable_architecture_ppc64le
@@ -337,6 +353,14 @@ outputs:
               if:
                 - {get_param: IronicInspectorIPXEEnabled}
                 - 'http'
+          - if:
+              - auth_strategy_non_default
+              - ironic::inspector::ironic::auth_type:
+                  if:
+                    - auth_strategy_noauth
+                    - 'none'
+                    - {get_param: IronicAuthStrategy}
+                ironic::inspector::ironic::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
           - if:
               - use_swift
               - ironic::inspector::store_data: 'swift'
@@ -487,12 +511,14 @@ outputs:
             volumes:
               list_concat:
                 - {get_attr: [ContainersCommon, volumes]}
-                -
+                - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
                   - /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro
                   - /var/lib/ironic:/var/lib/ironic:shared,z
                   - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
                   - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z
+                - if:
+                  - auth_strategy_http_basic
+                  - - /etc/ironic_inspector_passwd:/etc/ironic-inspector/htpasswd:z
             environment:
               KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
           ironic_inspector_dnsmasq:
@@ -529,6 +555,24 @@ outputs:
           with_items:
             - { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' }
             - { 'path': /var/lib/ironic-inspector/dhcp-hostsdir, 'setype': container_file_t }
+        - name: create password file when auth_stragy is 'http_basic'
+          vars:
+            is_http_basic:
+              if:
+                - auth_strategy_http_basic
+                - true
+                - false
+          copy:
+            dest: /etc/ironic_inspector_passwd
+            content:
+              str_replace:
+                template: |
+                  admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
+                  ironic-inspector:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
+                params:
+                  $ADMIN_PASSWORD: {get_param: AdminPassword}
+                  $IRONIC_PASSWORD: {get_param: IronicPassword}
+          when: is_http_basic | bool
         - name: create persistent ironic-inspector dnsmasq dhcp hostsdir
           file:
             path: /var/lib/ironic-inspector/dhcp-hostsdir

deployment/ironic/ironic-neutron-agent-container-puppet.yaml

@@ -41,6 +41,24 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  IronicAuthStrategy:
+    type: string
+    description: Auth strategy to use with ironic.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'http_basic', 'noauth']
+  NeutronAuthStrategy:
+    type: string
+    description: Auth strategy to use with neutron.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'noauth']
+
+conditions:
+  auth_strategy_noauth:
+    equals: [{get_param: IronicAuthStrategy}, 'noauth']
+  auth_strategy_non_default:
+    contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
 
 resources:
   ContainersCommon:
@@ -69,12 +87,21 @@ outputs:
         map_merge:
           - get_attr: [NeutronBase, role_data, config_settings]
           - neutron::agents::ml2::networking_baremetal::username: 'ironic'
-          - neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword}
+            neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword}
-          - neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
+            neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
-          - neutron::agents::ml2::networking_baremetal::project_name: 'service'
+            neutron::agents::ml2::networking_baremetal::project_name: 'service'
-          - neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default'
+            neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default'
-          - neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default'
+            neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default'
-          - neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion}
+            neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion}
+            neutron::agents::ml2::networking_baremetal::auth_strategy: {get_param: NeutronAuthStrategy}
+          - if:
+              - auth_strategy_non_default
+              - neutron::agents::ml2::networking_baremetal::auth_type:
+                  if:
+                    - auth_strategy_noauth
+                    - 'none'
+                    - {get_param: IronicAuthStrategy}
+                neutron::agents::ml2::networking_baremetal::ironic_url: { get_param: [ EndpointMap, IronicInternal, uri_no_suffix ] }
           - get_attr: [NeutronLogging, config_settings]
       puppet_config:
         config_volume: neutron

deployment/neutron/neutron-api-container-puppet.yaml

@@ -185,6 +185,13 @@ parameters:
       removed in Ocata.  Future releases will enable L3 HA by default if it is
       appropriate for the deployment type. Alternate mechanisms will be
       available to override.
+  NeutronAuthStrategy:
+    type: string
+    description: Auth strategy to use with neutron.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'noauth']
+
 parameter_groups:
 - label: deprecated
   description: |
@@ -291,6 +298,7 @@ outputs:
             neutron::policy::policies: {get_param: NeutronApiPolicies}
             neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            neutron::server::auth_strategy: {get_param: NeutronAuthStrategy}
             neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
             neutron::server::enable_proxy_headers_parsing: true
             neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}

deployment/neutron/neutron-base.yaml

@@ -106,6 +106,14 @@ parameters:
         If True, then allow plugins that support it to create VLAN
         transparent networks.
     type: boolean
+  NeutronAuthStrategy:
+    type: string
+    description: Auth strategy to use with neutron.
+    default: 'keystone'
+    constraints:
+      - allowed_values: ['keystone', 'noauth']
+
+
 
 conditions:
   dhcp_agents_set:
@@ -122,6 +130,7 @@ outputs:
         map_merge:
           - neutron::notification_driver: {get_param: NotificationDriver}
             neutron::core_plugin: {get_param: NeutronCorePlugin}
+            neutron::auth_strategy: {get_param: NeutronAuthStrategy}
             neutron::service_plugins: {get_param: NeutronServicePlugins}
             neutron::logging::debug:
               if:

releasenotes/notes/add-auth-strategy-parameters-neutron-ironic-3d7330a7dc82f43d.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds two new parameters 'IronicAuthStrategy' and 'NeutronAuthStrategy'
+    that defaults to 'keystone'. This would allow deploying standalone
+    ironic and neutron services without keystone using different
+    'auth_strategies' like 'http_basic' and 'noauth'.