* Switch from python-ironic-inspector-client to openstacksdk in ironic-inspector-rules. This allows us to use clouds.yaml to provide credentials. * Enable authentication in Bifrost. Passwords are auto-generated by Bifrost and stored in files under /root/.config/bifrost/. This change depends on a Kolla Ansible patch that ensures that these credentials are persisted between recreations of the bifrost container. * Copy clouds.yaml and (if present) a CA certificate from the Bifrost container to the seed host, under the Kayobe Ansible user (stack). This allows us to use the credentials to register introspection rules. * This patch is needed by a Kolla Ansible patch that enables TLS in Bifrost, since we need the CA certificate on the host to register introspection rules when TLS is enabled. Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837 Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838 Story: 2010206 Task: 45930 Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0 (cherry picked from commit 32a82ea)
1 parent
5324851
commit 0ff1f8c
Showing
11 changed files
with
88 additions
and
63 deletions.
@@ -1,26 +1,16 @@ | ||
--- | ||
- name: Ensure required Python packages are installed | ||
pip: | ||
name: "{{ item.name }}" | ||
version: "{{ item.version | default(omit) }}" | ||
state: latest | ||
virtualenv: "{{ ironic_inspector_venv }}" | ||
extra_args: "{% if ironic_inspector_upper_constraints_file %}-c {{ ironic_inspector_upper_constraints_file }}{% endif %}" | ||
with_items: | ||
- name: python-ironic-inspector-client | ||
|
||
- name: Ensure introspection rules exist | ||
vars: | ||
ansible_python_interpreter: "{{ ironic_inspector_venv }}/bin/python" | ||
os_ironic_inspector_rule: | ||
auth_type: "{{ ironic_inspector_auth_type }}" | ||
auth: "{{ ironic_inspector_auth }}" | ||
cacert: "{{ ironic_inspector_cacert | default(omit, true) }}" | ||
cloud: "{{ ironic_inspector_cloud | default(omit, true) }}" | ||
interface: "{{ ironic_inspector_interface | default(omit, true) }}" | ||
conditions: "{{ item.conditions }}" | ||
actions: "{{ item.actions }}" | ||
description: "{{ item.description | default(omit) }}" | ||
uuid: "{{ item.uuid | default(item.description | to_uuid) | default(omit) }}" | ||
state: present | ||
inspector_url: "{{ ironic_inspector_url }}" | ||
with_items: "{{ ironic_inspector_rules }}" |
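Review bot: The `Ensure introspection rules exist` task passes `auth: "{{ ironic_inspector_auth }}"` to `os_ironic_inspector_rule` without a `no_log`, so if that dict carries a password (the commit message says Bifrost now generates passwords) it is printed in the module invocation at `-vvv` and in the per-item failure output, unless the module's own argument spec marks `auth` as no_log — which cannot be confirmed from this page. Adding `no_log: true` to the task closes that gap at the cost of hiding the rule description on failure; alternatively verify the custom module's argspec and note it in a comment such as `# auth may contain a password; the module argspec marks it no_log`. The rendered page does not preserve which of these lines are new versus unchanged, so if the `auth`/`auth_type` lines pre-date this change the gap is pre-existing rather than introduced here.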
@@ -0,0 +1,45 @@ | ||
--- | ||
# Copy the Bifrost clouds.yaml file and CA certificate (if one is in use) to | ||
# the host. This allows us to access the Ironic and Inspector APIs outside of | ||
# the Bifrost container. | ||
- name: Ensure credentials are available on the host | ||
hosts: seed | ||
tags: | ||
- seed-credentials | ||
vars: | ||
openstack_config_dir: "{{ ansible_facts.env.HOME }}/.config/openstack" | ||
tasks: | ||
- name: Ensure OpenStack config directory exists | ||
file: | ||
path: "{{ openstack_config_dir }}" | ||
state: directory | ||
mode: 0700 | ||
|
||
- name: Get clouds.yaml from Bifrost container | ||
command: | ||
cmd: docker exec bifrost_deploy cat /root/.config/openstack/clouds.yaml | ||
changed_when: false | ||
register: clouds_yaml | ||
no_log: true | ||
|
||
- name: Write clouds.yaml | ||
copy: | ||
content: | | ||
{%- set clouds = clouds_yaml.stdout | from_yaml -%} | ||
{%- for cloud in clouds.clouds.keys() | list -%} | ||
{%- if 'cacert' in clouds.clouds[cloud] -%} | ||
{%- set _ = clouds.clouds[cloud].update({'cacert': openstack_config_dir ~ '/bifrost.crt'}) -%} | ||
{%- endif -%} | ||
{%- endfor -%} | ||
{{ clouds | to_nice_yaml }} | ||
dest: "{{ openstack_config_dir }}/clouds.yaml" | ||
mode: 0600 | ||
|
||
- name: Copy CA certificate from Bifrost container | ||
vars: | ||
clouds: "{{ clouds_yaml.stdout | from_yaml }}" | ||
cacerts: "{{ clouds.clouds.values() | selectattr('cacert', 'defined') | map(attribute='cacert') | list }}" | ||
command: | ||
cmd: docker cp bifrost_deploy:{{ cacerts[0] }} {{ openstack_config_dir }}/bifrost.crt | ||
changed_when: false | ||
when: cacerts | length > 0 |
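Review bot: The `Write clouds.yaml` task renders the complete clouds.yaml, including the Bifrost-generated passwords, as the `copy` module's `content` argument but has no `no_log`, so a run with `--diff` or `-vvv` prints the very credentials that the preceding `Get clouds.yaml from Bifrost container` task hides with `no_log: true`; add `no_log: true` to this task as well (the 0600/0700 modes on disk are good, but they do not cover the controller's log output). The rewrite loop points every cloud's `cacert` at the single `bifrost.crt` while the copy task fetches only `cacerts[0]`, which is correct only if all clouds in the file share one CA — presumably the case for Bifrost's single endpoint, but worth stating in a comment such as `# All Bifrost clouds are assumed to share one CA; only the first cacert path is copied`. As a style point, the octal modes are unquoted (`mode: 0700`, `mode: 0600`); YAML 1.1 happens to parse these leading-zero literals as octal so the result is right, but quoting them (`mode: "0600"`) avoids the `mode: 644`-style trap and the ansible-lint risky-octal warning.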
@@ -0,0 +1,9 @@ | ||
--- | ||
features: | ||
- | | ||
Adds support for copying the Bifrost ``clouds.yaml`` file and optionally a | ||
TLS CA certificate from the Bifrost container to the seed host. This makes | ||
it possible to enable authentication and TLS for Bifrost services. | ||
upgrade: | ||
- | | ||
Enables authentication by default in Bifrost. |