Merge "Add parameters to specify auth_strategy"

This commit is contained in:
Zuul 2021-07-02 12:52:24 +00:00 committed by Gerrit Code Review
commit 4c38d13403
8 changed files with 183 additions and 14 deletions


@ -69,10 +69,22 @@ parameters:
description: | description: |
Use the advanced (eventlet safe) memcached client pool. Use the advanced (eventlet safe) memcached client pool.
default: true default: true
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
conditions: conditions:
cors_allowed_origin_set: cors_allowed_origin_set:
not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']} not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
auth_strategy_http_basic:
equals: [{get_param: IronicAuthStrategy}, 'http_basic']
resources: resources:
ApacheServiceBase: ApacheServiceBase:
@ -160,6 +172,10 @@ outputs:
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]} ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::api::service_name: 'httpd' ironic::api::service_name: 'httpd'
ironic::policy::policies: {get_param: IronicApiPolicies} ironic::policy::policies: {get_param: IronicApiPolicies}
ironic::wsgi::apache::vhost_custom_fragment:
if:
- auth_strategy_http_basic
- 'WSGIPassAuthorization On'
ironic::wsgi::apache::bind_host: ironic::wsgi::apache::bind_host:
str_replace: str_replace:
template: template:
@ -268,6 +284,9 @@ outputs:
- /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
- /var/log/containers/ironic:/var/log/ironic:z - /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z - /var/log/containers/httpd/ironic-api:/var/log/httpd:z
- if:
- auth_strategy_http_basic
- - /etc/ironic_passwd:/etc/ironic/htpasswd:z
- if: - if:
- {get_param: EnableInternalTLS} - {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
@ -284,6 +303,24 @@ outputs:
with_items: with_items:
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
- name: create password file when auth_stragy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/ironic_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
deploy_steps_tasks: deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks] get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
external_upgrade_tasks: external_upgrade_tasks:
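Review bot: The `copy` task that creates `/etc/ironic_passwd` sets no `mode`, so the bcrypt htpasswd file is written with the host's default umask (typically world-readable) before it is bind-mounted into the container as `/etc/ironic/htpasswd`; add `mode: '0600'` (with `owner`/`group` matching whatever uid the in-container ironic user maps to, which is not visible in this hunk). The template also wraps the substituted secret in a Jinja string literal, `'$ADMIN_PASSWORD' | password_hash('bcrypt')`, so a password containing a single quote breaks the expression; passing the values through task `vars` and marking the task `no_log: true` avoids that and keeps the plaintext out of Ansible output. The task name misspells `auth_stragy` (`auth_strategy`). `password_hash('bcrypt')` presumably needs passlib on the host that runs these deploy tasks — worth confirming it is a declared dependency.
```yaml
- name: create password file when auth_strategy is 'http_basic'
  vars:
    is_http_basic:
      if:
        - auth_strategy_http_basic
        - true
        - false
    admin_password: {get_param: AdminPassword}
    ironic_password: {get_param: IronicPassword}
  no_log: true
  copy:
    dest: /etc/ironic_passwd
    mode: '0600'
    content: |
      admin:{{ admin_password | password_hash('bcrypt') }}
      ironic:{{ ironic_password | password_hash('bcrypt') }}
  when: is_http_basic | bool
```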


@ -55,6 +55,12 @@ parameters:
type: string type: string
constraints: constraints:
- allowed_values: [ '', 'oslo', 'json-rpc'] - allowed_values: [ '', 'oslo', 'json-rpc']
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
conditions: conditions:
default_rsc_set: default_rsc_set:
@ -94,6 +100,7 @@ outputs:
if: if:
- default_rsc_set - default_rsc_set
- {get_param: IronicDefaultResourceClass} - {get_param: IronicDefaultResourceClass}
ironic::auth_strategy: {get_param: IronicAuthStrategy}
ironic::rpc_transport: ironic::rpc_transport:
if: if:
- rpc_transport_set - rpc_transport_set
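Review bot: The `IronicAuthStrategy` description reads only `Auth strategy to use with ironic.`, but one of its allowed values, `noauth`, switches off API authentication altogether, and the identical one-liner is copy-pasted into the other templates in this commit without any hint of that. Expand it, e.g. `description: Auth strategy for the ironic API. 'noauth' disables authentication entirely and is only acceptable on an isolated standalone network; 'http_basic' authenticates against an htpasswd file generated from AdminPassword and IronicPassword.` Because the parameter is declared separately per template, the warning has to be carried in each copy.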


@ -253,6 +253,18 @@ parameters:
the host to ensure each step of the boot process can the host to ensure each step of the boot process can
successfully lease addresses. successfully lease addresses.
type: string type: string
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: keystone
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: keystone
constraints:
- allowed_values: ['keystone', 'noauth']
parameter_groups: parameter_groups:
- label: deprecated - label: deprecated
@ -278,6 +290,12 @@ conditions:
or: or:
- not: {equals: [{get_param: IronicConductorGroup}, '']} - not: {equals: [{get_param: IronicConductorGroup}, '']}
- not: {equals: [{get_param: [RoleParameters, IronicConductorGroup]}, '']} - not: {equals: [{get_param: [RoleParameters, IronicConductorGroup]}, '']}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
neutron_noauth:
equals: [{get_param: NeutronAuthStrategy}, 'noauth']
resources: resources:
RoleParametersValue: RoleParametersValue:
@ -475,11 +493,23 @@ outputs:
# to avoid hard linking errors we store these on the same # to avoid hard linking errors we store these on the same
# volume/device as the ironic master_path # volume/device as the ironic master_path
# https://github.com/docker/docker/issues/7457 # https://github.com/docker/docker/issues/7457
- ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot
- ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images
- ironic::pxe::tftp_root: /var/lib/ironic/tftpboot ironic::pxe::tftp_root: /var/lib/ironic/tftpboot
- ironic::pxe::http_root: /var/lib/ironic/httpboot ironic::pxe::http_root: /var/lib/ironic/httpboot
- ironic::conductor::http_root: /var/lib/ironic/httpboot ironic::conductor::http_root: /var/lib/ironic/httpboot
- if:
- neutron_noauth
- ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]}
ironic::neutron::auth_type: 'none'
- if:
- auth_strategy_non_default
- ironic::service_catalog::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::service_catalog::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
service_config_settings: {} service_config_settings: {}
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
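Review bot: Under `auth_strategy_non_default` the hunk sets `ironic::service_catalog::auth_type` to `http_basic` plus an `endpoint_override`, but no username/password for that section appears in the hunk; if the conductor's `[service_catalog]` credentials are not already set elsewhere in this template (not visible here), the http_basic case will send no credentials against the `admin`/`ironic` htpasswd entries created in the API template, so please confirm they are wired up. The `neutron_noauth` branch pairs `auth_type: 'none'` with an explicit `endpoint_override`, which is correct since there is no catalog to discover the URL from, but the reason is not obvious next to the keystone settings that remain; a one-line comment such as `# noauth neutron: keystoneauth 'none' plugin, so the endpoint must be given explicitly` would help the next reader. The enclosing `config_settings` map starts outside the hunk.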


@ -180,6 +180,16 @@ parameters:
'10.10.10.0/24': 'physnet_a' '10.10.10.0/24': 'physnet_a'
'2001:db8::/64': 'physnet_b' '2001:db8::/64': 'physnet_b'
type: json type: json
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
parameter_groups: parameter_groups:
- label: deprecated - label: deprecated
@ -201,6 +211,12 @@ conditions:
not: {equals : [{get_param: IronicInspectorSubnets}, {}]} not: {equals : [{get_param: IronicInspectorSubnets}, {}]}
enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]} enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]}
ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}} ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_http_basic:
equals: [{get_param: IronicAuthStrategy}, 'http_basic']
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
resources: resources:
ContainersCommon: ContainersCommon:
@ -277,6 +293,7 @@ outputs:
- get_param: IronicInspectorSubnets - get_param: IronicInspectorSubnets
- [{ip_range: {get_param: IronicInspectorIpRange}}] - [{ip_range: {get_param: IronicInspectorIpRange}}]
ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface} ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
ironic::inspector::auth_strategy: {get_param: IronicAuthStrategy}
ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
ironic::inspector::pxe_filter::dnsmasq::purge_dhcp_hostsdir: false ironic::inspector::pxe_filter::dnsmasq::purge_dhcp_hostsdir: false
ironic::inspector::pxe_filter::driver: dnsmasq ironic::inspector::pxe_filter::driver: dnsmasq
@ -328,7 +345,6 @@ outputs:
collectd_host: localhost collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo read_default_group: tripleo
ironic::inspector::enable_ppc64le: ironic::inspector::enable_ppc64le:
if: if:
- enable_architecture_ppc64le - enable_architecture_ppc64le
@ -337,6 +353,14 @@ outputs:
if: if:
- {get_param: IronicInspectorIPXEEnabled} - {get_param: IronicInspectorIPXEEnabled}
- 'http' - 'http'
- if:
- auth_strategy_non_default
- ironic::inspector::ironic::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::inspector::ironic::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
- if: - if:
- use_swift - use_swift
- ironic::inspector::store_data: 'swift' - ironic::inspector::store_data: 'swift'
@ -487,12 +511,14 @@ outputs:
volumes: volumes:
list_concat: list_concat:
- {get_attr: [ContainersCommon, volumes]} - {get_attr: [ContainersCommon, volumes]}
- - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro
- /var/lib/ironic:/var/lib/ironic:shared,z - /var/lib/ironic:/var/lib/ironic:shared,z
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z
- if:
- auth_strategy_http_basic
- - /etc/ironic_inspector_passwd:/etc/ironic-inspector/htpasswd:z
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
ironic_inspector_dnsmasq: ironic_inspector_dnsmasq:
@ -529,6 +555,24 @@ outputs:
with_items: with_items:
- { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic-inspector/dhcp-hostsdir, 'setype': container_file_t } - { 'path': /var/lib/ironic-inspector/dhcp-hostsdir, 'setype': container_file_t }
- name: create password file when auth_stragy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/ironic_inspector_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
ironic-inspector:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
- name: create persistent ironic-inspector dnsmasq dhcp hostsdir - name: create persistent ironic-inspector dnsmasq dhcp hostsdir
file: file:
path: /var/lib/ironic-inspector/dhcp-hostsdir path: /var/lib/ironic-inspector/dhcp-hostsdir
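Review bot: As in the API template, the `copy` task that writes `/etc/ironic_inspector_passwd` carries no `mode`, so the htpasswd file is created under the default umask and then bind-mounted into the container; add `mode: '0600'` (owner/group matching the in-container inspector user, which is not visible here) and fix the task name typo `auth_stragy`. The htpasswd grants a user named `ironic-inspector` the value of `IronicPassword`, but the username/password the inspector itself presents to ironic under http_basic (`ironic::inspector::ironic::username`/`password`) is not in the hunk — if it defaults to `ironic-inspector`, that name does not exist in the API's `/etc/ironic_passwd`, which only contains `admin` and `ironic`, so confirm the two files agree. The same single-quote fragility of `'$ADMIN_PASSWORD' | password_hash('bcrypt')` applies here.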


@ -41,6 +41,24 @@ parameters:
type: string type: string
default: 'regionOne' default: 'regionOne'
description: Keystone region for endpoint description: Keystone region for endpoint
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth']
conditions:
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
resources: resources:
ContainersCommon: ContainersCommon:
@ -69,12 +87,21 @@ outputs:
map_merge: map_merge:
- get_attr: [NeutronBase, role_data, config_settings] - get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::ml2::networking_baremetal::username: 'ironic' - neutron::agents::ml2::networking_baremetal::username: 'ironic'
- neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword} neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword}
- neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] } neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
- neutron::agents::ml2::networking_baremetal::project_name: 'service' neutron::agents::ml2::networking_baremetal::project_name: 'service'
- neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default' neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default'
- neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default' neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default'
- neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion} neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion}
neutron::agents::ml2::networking_baremetal::auth_strategy: {get_param: NeutronAuthStrategy}
- if:
- auth_strategy_non_default
- neutron::agents::ml2::networking_baremetal::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
neutron::agents::ml2::networking_baremetal::ironic_url: { get_param: [ EndpointMap, IronicInternal, uri_no_suffix ] }
- get_attr: [NeutronLogging, config_settings] - get_attr: [NeutronLogging, config_settings]
puppet_config: puppet_config:
config_volume: neutron config_volume: neutron


@ -185,6 +185,13 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be appropriate for the deployment type. Alternate mechanisms will be
available to override. available to override.
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth']
parameter_groups: parameter_groups:
- label: deprecated - label: deprecated
description: | description: |
@ -291,6 +298,7 @@ outputs:
neutron::policy::policies: {get_param: NeutronApiPolicies} neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::auth_strategy: {get_param: NeutronAuthStrategy}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
neutron::server::enable_proxy_headers_parsing: true neutron::server::enable_proxy_headers_parsing: true
neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping} neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}
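Review bot: `neutron::server::auth_strategy` now follows `NeutronAuthStrategy`, whose `noauth` value removes authentication from the Neutron API, yet the parameter description says only `Auth strategy to use with neutron.`, and the keystone `authtoken` settings two lines above are still emitted regardless, which makes a noauth deployment easy to miss when reading the rendered config. Suggest `description: Auth strategy for the neutron server. 'noauth' disables API authentication and must only be used for standalone deployments on an isolated network.` The enclosing `config_settings` map continues outside the hunk.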


@ -106,6 +106,14 @@ parameters:
If True, then allow plugins that support it to create VLAN If True, then allow plugins that support it to create VLAN
transparent networks. transparent networks.
type: boolean type: boolean
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth']
conditions: conditions:
dhcp_agents_set: dhcp_agents_set:
@ -122,6 +130,7 @@ outputs:
map_merge: map_merge:
- neutron::notification_driver: {get_param: NotificationDriver} - neutron::notification_driver: {get_param: NotificationDriver}
neutron::core_plugin: {get_param: NeutronCorePlugin} neutron::core_plugin: {get_param: NeutronCorePlugin}
neutron::auth_strategy: {get_param: NeutronAuthStrategy}
neutron::service_plugins: {get_param: NeutronServicePlugins} neutron::service_plugins: {get_param: NeutronServicePlugins}
neutron::logging::debug: neutron::logging::debug:
if: if:


@ -0,0 +1,7 @@
---
features:
- |
Adds two new parameters 'IronicAuthStrategy' and 'NeutronAuthStrategy'
that defaults to 'keystone'. This would allow deploying standalone
ironic and neutron services without keystone using different
'auth_strategies' like 'http_basic' and 'noauth'.