openstack
/
tripleo-heat-templates
Code Issues Proposed changes

Merge "Add parameters to specify auth_strategy"

This commit is contained in:
Zuul 2021-07-02 12:52:24 +00:00 committed by Gerrit Code Review
parent 9550a5680d f065bb96b5
commit 4c38d13403
8 changed files with 183 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
deployment/ironic/ironic-api-container-puppet.yaml
View File

@ -69,10 +69,22 @@ parameters:
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
conditions:
cors_allowed_origin_set:
not: {equals : [{get_param: IronicCorsAllowedOrigin}, '']}
auth_strategy_http_basic:
equals: [{get_param: IronicAuthStrategy}, 'http_basic']
resources:
ApacheServiceBase:
@ -160,6 +172,10 @@ outputs:
ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::api::service_name: 'httpd'
ironic::policy::policies: {get_param: IronicApiPolicies}
ironic::wsgi::apache::vhost_custom_fragment:
if:
- auth_strategy_http_basic
- 'WSGIPassAuthorization On'
ironic::wsgi::apache::bind_host:
str_replace:
template:
@ -268,6 +284,9 @@ outputs:
- /var/lib/config-data/puppet-generated/ironic_api:/var/lib/kolla/config_files/src:ro
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z
- if:
- auth_strategy_http_basic
- - /etc/ironic_passwd:/etc/ironic/htpasswd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
@ -284,6 +303,24 @@ outputs:
with_items:
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
- name: create password file when auth_stragy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/ironic_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
external_upgrade_tasks:

7
deployment/ironic/ironic-base-puppet.yaml
View File

@ -55,6 +55,12 @@ parameters:
type: string
constraints:
- allowed_values: [ '', 'oslo', 'json-rpc']
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
conditions:
default_rsc_set:
@ -94,6 +100,7 @@ outputs:
if:
- default_rsc_set
- {get_param: IronicDefaultResourceClass}
ironic::auth_strategy: {get_param: IronicAuthStrategy}
ironic::rpc_transport:
if:
- rpc_transport_set

40
deployment/ironic/ironic-conductor-container-puppet.yaml
View File

@ -253,6 +253,18 @@ parameters:
the host to ensure each step of the boot process can
successfully lease addresses.
type: string
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: keystone
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: keystone
constraints:
- allowed_values: ['keystone', 'noauth']
parameter_groups:
- label: deprecated
@ -278,6 +290,12 @@ conditions:
or:
- not: {equals: [{get_param: IronicConductorGroup}, '']}
- not: {equals: [{get_param: [RoleParameters, IronicConductorGroup]}, '']}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
neutron_noauth:
equals: [{get_param: NeutronAuthStrategy}, 'noauth']
resources:
RoleParametersValue:
@ -475,11 +493,23 @@ outputs:
# to avoid hard linking errors we store these on the same
# volume/device as the ironic master_path
# https://github.com/docker/docker/issues/7457
- ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot
- ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images
- ironic::pxe::tftp_root: /var/lib/ironic/tftpboot
- ironic::pxe::http_root: /var/lib/ironic/httpboot
- ironic::conductor::http_root: /var/lib/ironic/httpboot
ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot
ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images
ironic::pxe::tftp_root: /var/lib/ironic/tftpboot
ironic::pxe::http_root: /var/lib/ironic/httpboot
ironic::conductor::http_root: /var/lib/ironic/httpboot
- if:
- neutron_noauth
- ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]}
ironic::neutron::auth_type: 'none'
- if:
- auth_strategy_non_default
- ironic::service_catalog::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::service_catalog::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:

50
deployment/ironic/ironic-inspector-container-puppet.yaml
View File

@ -180,6 +180,16 @@ parameters:
'10.10.10.0/24': 'physnet_a'
'2001:db8::/64': 'physnet_b'
type: json
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
parameter_groups:
- label: deprecated
@ -201,6 +211,12 @@ conditions:
not: {equals : [{get_param: IronicInspectorSubnets}, {}]}
enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]}
ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_http_basic:
equals: [{get_param: IronicAuthStrategy}, 'http_basic']
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
resources:
ContainersCommon:
@ -277,6 +293,7 @@ outputs:
- get_param: IronicInspectorSubnets
- [{ip_range: {get_param: IronicInspectorIpRange}}]
ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
ironic::inspector::auth_strategy: {get_param: IronicAuthStrategy}
ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
ironic::inspector::pxe_filter::dnsmasq::purge_dhcp_hostsdir: false
ironic::inspector::pxe_filter::driver: dnsmasq
@ -328,7 +345,6 @@ outputs:
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
ironic::inspector::enable_ppc64le:
if:
- enable_architecture_ppc64le
@ -337,6 +353,14 @@ outputs:
if:
- {get_param: IronicInspectorIPXEEnabled}
- 'http'
- if:
- auth_strategy_non_default
- ironic::inspector::ironic::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::inspector::ironic::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
- if:
- use_swift
- ironic::inspector::store_data: 'swift'
@ -487,12 +511,14 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro
- /var/lib/ironic:/var/lib/ironic:shared,z
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z
- if:
- auth_strategy_http_basic
- - /etc/ironic_inspector_passwd:/etc/ironic-inspector/htpasswd:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
ironic_inspector_dnsmasq:
@ -529,6 +555,24 @@ outputs:
with_items:
- { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic-inspector/dhcp-hostsdir, 'setype': container_file_t }
- name: create password file when auth_stragy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/ironic_inspector_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
ironic-inspector:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
- name: create persistent ironic-inspector dnsmasq dhcp hostsdir
file:
path: /var/lib/ironic-inspector/dhcp-hostsdir

39
deployment/ironic/ironic-neutron-agent-container-puppet.yaml
View File

@ -41,6 +41,24 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth']
conditions:
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
resources:
ContainersCommon:
@ -69,12 +87,21 @@ outputs:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::ml2::networking_baremetal::username: 'ironic'
- neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword}
- neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
- neutron::agents::ml2::networking_baremetal::project_name: 'service'
- neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default'
- neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default'
- neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion}
neutron::agents::ml2::networking_baremetal::password: {get_param: IronicPassword}
neutron::agents::ml2::networking_baremetal::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
neutron::agents::ml2::networking_baremetal::project_name: 'service'
neutron::agents::ml2::networking_baremetal::user_domain_name: 'Default'
neutron::agents::ml2::networking_baremetal::project_domain_name: 'Default'
neutron::agents::ml2::networking_baremetal::region_name: {get_param: KeystoneRegion}
neutron::agents::ml2::networking_baremetal::auth_strategy: {get_param: NeutronAuthStrategy}
- if:
- auth_strategy_non_default
- neutron::agents::ml2::networking_baremetal::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
neutron::agents::ml2::networking_baremetal::ironic_url: { get_param: [ EndpointMap, IronicInternal, uri_no_suffix ] }
- get_attr: [NeutronLogging, config_settings]
puppet_config:
config_volume: neutron

8
deployment/neutron/neutron-api-container-puppet.yaml
View File

@ -185,6 +185,13 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth']
parameter_groups:
- label: deprecated
description: |
@ -291,6 +298,7 @@ outputs:
neutron::policy::policies: {get_param: NeutronApiPolicies}
neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
neutron::server::auth_strategy: {get_param: NeutronAuthStrategy}
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
neutron::server::enable_proxy_headers_parsing: true
neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}

9
deployment/neutron/neutron-base.yaml
View File

@ -106,6 +106,14 @@ parameters:
If True, then allow plugins that support it to create VLAN
transparent networks.
type: boolean
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'noauth']
conditions:
dhcp_agents_set:
@ -122,6 +130,7 @@ outputs:
map_merge:
- neutron::notification_driver: {get_param: NotificationDriver}
neutron::core_plugin: {get_param: NeutronCorePlugin}
neutron::auth_strategy: {get_param: NeutronAuthStrategy}
neutron::service_plugins: {get_param: NeutronServicePlugins}
neutron::logging::debug:
if:

7
releasenotes/notes/add-auth-strategy-parameters-neutron-ironic-3d7330a7dc82f43d.yaml Normal file
View File

@ -0,0 +1,7 @@
---
features:
- |
Adds two new parameters 'IronicAuthStrategy' and 'NeutronAuthStrategy'
that defaults to 'keystone'. This would allow deploying standalone
ironic and neutron services without keystone using different
'auth_strategies' like 'http_basic' and 'noauth'.