From 114c21043c39fd1edf867fa2a2b8a5c88281f3fe Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Wed, 26 Aug 2020 15:27:33 +0200 Subject: [PATCH] Move services to internal_ip by default and refactor endpoint creation We're currently defaulting to localhost which makes clouds.yaml/openrc not portable and complicates TLS configuration. Moving to internal_ip makes it possible to just copy clouds.yaml around. Refactored endpoint creation in keystone to use the openstack modules and to avoid copy-pasting authentication information. As a side effect, it becomes possible to update existing endpoints. The use_public_urls variable loses most of its sense now and is replaced by explicitly checking for public_ip. Change-Id: I48b5ab9aa656abbddd619df4bed6be9bf3766da5 --- bifrost/cli.py | 1 - .../bifrost-cloud-config/defaults/main.yml | 7 + .../roles/bifrost-cloud-config/tasks/main.yml | 2 +- .../bifrost-ironic-install/defaults/main.yml | 16 +- .../tasks/keystone_setup.yml | 190 +++++------------- .../tasks/keystone_setup_inspector.yml | 155 ++++---------- .../defaults/main.yml | 11 +- .../defaults/main.yml | 9 +- .../tasks/bootstrap.yml | 12 +- .../notes/api-url-a6f79de3cc8b0e3d.yaml | 15 ++ scripts/test-bifrost.sh | 1 - 11 files changed, 141 insertions(+), 278 deletions(-) create mode 100644 releasenotes/notes/api-url-a6f79de3cc8b0e3d.yaml diff --git a/bifrost/cli.py b/bifrost/cli.py index 7cec91330..8ba685285 100644 --- a/bifrost/cli.py +++ b/bifrost/cli.py @@ -154,7 +154,6 @@ def cmd_install(args): install_dib='true', network_interface=args.network_interface, enable_keystone=args.enable_keystone, - use_public_urls=args.enable_keystone, noauth_mode='false', enabled_hardware_types=args.hardware_types, cleaning_disk_erase=args.cleaning_disk_erase, diff --git a/playbooks/roles/bifrost-cloud-config/defaults/main.yml b/playbooks/roles/bifrost-cloud-config/defaults/main.yml index 02d3c60af..499968d50 100644 --- a/playbooks/roles/bifrost-cloud-config/defaults/main.yml 
+++ b/playbooks/roles/bifrost-cloud-config/defaults/main.yml @@ -1,2 +1,9 @@ --- noauth_mode: true + +network_interface: "virbr0" +ans_network_interface: "{{ network_interface | replace('-', '_') }}" +internal_ip: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}" + +api_protocol: http +ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385" diff --git a/playbooks/roles/bifrost-cloud-config/tasks/main.yml b/playbooks/roles/bifrost-cloud-config/tasks/main.yml index 2ec611730..53c4c5cf7 100644 --- a/playbooks/roles/bifrost-cloud-config/tasks/main.yml +++ b/playbooks/roles/bifrost-cloud-config/tasks/main.yml @@ -65,7 +65,7 @@ - name: "Provide ironic_url for no-auth mode if there is no override" set_fact: - ironic_url: "http://localhost:6385/" + ironic_url: "{{ ironic_api_url }}" when: - ironic_url | default("") == "" - noauth_mode | bool diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 426008bab..82c9422df 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -260,8 +260,10 @@ noauth_mode: true enable_keystone: false # Service URLs used for communication with them. -ironic_api_url: "http://localhost:6385" -ironic_inspector_api_url: "http://localhost:5050" +api_protocol: http +ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385" +ironic_inspector_api_url: "{{ api_protocol }}://{{ internal_ip }}:5050" +keystone_api_url: "{{ api_protocol }}://{{ internal_ip }}:5000/v3" # Directory (on the controller) to keep the passwords password_dir: "{{ lookup('env', 'HOME') }}/.config/bifrost" @@ -284,7 +286,7 @@ ironic: service_catalog: username: "ironic" password: "{{ service_password }}" - auth_url: "http://127.0.0.1:5000/v3" + auth_url: "{{ keystone_api_url }}" project_name: "service" keystone: default_username: "{{ default_username }}" 
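Review bot: In `bifrost-ironic-install/defaults/main.yml` (hunk `@@ -260,8 +260,10 @@`) `api_protocol` defaults to `http` while `keystone_api_url` and the two service `auth_url` values move from `127.0.0.1` to `internal_ip`, so a `clouds.yaml` copied to another host, which the commit message gives as the goal, will send Keystone passwords and tokens in clear text. I would state that next to the default, for example `# http sends credentials and tokens unencrypted to internal_ip; set api_protocol to https once TLS is configured`. The same default is added in the `bifrost-cloud-config`, `bifrost-keystone-client-config` and `bifrost-keystone-install` defaults, and the no-auth `ironic_url` in `bifrost-cloud-config/tasks/main.yml` now follows it too. Whether the services actually listen on `internal_ip` is not visible in this patch.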
@@ -299,7 +301,7 @@ ironic_inspector: service_catalog: username: "ironic_inspector" password: "{{ service_password }}" - auth_url: "http://127.0.0.1:5000/v3" + auth_url: "{{ keystone_api_url }}" project_name: "service" keystone: default_username: "{{ default_username }}" @@ -318,9 +320,9 @@ keystone: username: "{{ admin_username }}" password: "{{ admin_password }}" project_name: admin - admin_url: "http://127.0.0.1:35357/v3/" - public_url: "http://127.0.0.1:5000/v3/" - internal_url: "http://127.0.0.1:5000/v3/" + admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/" + public_url: "{{ keystone_api_url }}" + internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/" region_name: "RegionOne" message_queue: username: keystone diff --git a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml index 024ab3ff0..aad086c22 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml 
@@ -34,20 +34,25 @@ ironic.keystone.default_username is undefined or ironic.keystone.default_password is undefined -- name: "Ensure service project is present" - os_project: - name: "{{ ironic.service_catalog.project_name }}" - state: present - description: "Service Project" - domain_id: "default" - enabled: yes - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}/" +- name: "Configure keystone auth" + set_fact: + keystone_auth: + auth_url: "{{ ironic.service_catalog.auth_url | default(keystone_api_url) }}" username: "{{ keystone.bootstrap.username }}" password: "{{ keystone.bootstrap.password }}" project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" project_domain_id: "default" user_domain_id: "default" + no_log: true + +- name: "Ensure service project is present" + openstack.cloud.project: + name: "{{ ironic.service_catalog.project_name }}" + state: present + description: "Service Project" + domain_id: "default" + enabled: yes + auth: "{{ keystone_auth }}" environment: "{{ bifrost_venv_env }}" no_log: true @@ -58,13 +63,7 @@ state: present domain: "default" default_project: "{{ ironic.service_catalog.project_name }}" - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" update_password: always wait: yes environment: "{{ bifrost_venv_env }}" 
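Review bot: The new `Configure keystone auth` task in `keystone_setup.yml` (hunk `@@ -34,20 +34,25 @@`) stores the bootstrap admin password in a host fact: `no_log: true` hides the task result, but `keystone_auth` stays in the host's variables for the rest of the run, where any later task that prints host variables would expose it. Defining the dictionary under `vars:` on a block or on the including task would keep it out of the fact store; if the fact is kept, a comment such as `# holds the bootstrap admin password: keep no_log on every task that uses it` above the task would record the constraint. The consumers visible in this patch do set `no_log`, but the rest of the file lies outside the hunks, so I cannot confirm that for every task.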
@@ -75,13 +74,7 @@ user: "{{ ironic.service_catalog.username }}" role: "admin" project: "{{ ironic.service_catalog.project_name }}" - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" no_log: true 
@@ -92,125 +85,60 @@ name: "ironic" service_type: "baremetal" description: OpenStack Baremetal Service - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" + register: baremetal_catalog_service no_log: true -- name: "Check ironic admin endpoint exists" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}" - endpoint list -f json --noindent --service baremetal --interface admin - --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - no_log: true - register: test_ironic_admin_endpoint - ignore_errors: true - environment: "{{ bifrost_venv_env }}" - -- name: "Check ironic public endpoint exists" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}" - endpoint list -f json --noindent --service baremetal --interface public - --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - no_log: true - register: test_ironic_public_endpoint - ignore_errors: true - environment: "{{ bifrost_venv_env }}" - -- name: "Check ironic internal endpoint exists" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - 
--os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}" - endpoint list -f json --noindent --service baremetal --interface internal - --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - no_log: true - register: test_ironic_internal_endpoint - ignore_errors: true - environment: "{{ bifrost_venv_env }}" - - name: "Create ironic admin endpoint" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}" - endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - baremetal admin "{{ ironic.keystone.admin_url | default('http://127.0.0.1:6385/') }}" + openstack.cloud.endpoint: + state: present + service: "{{ baremetal_catalog_service.id }}" + endpoint_interface: admin + url: "{{ ironic.keystone.admin_url | default(ironic_api_url) }}" + region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + auth: "{{ keystone_auth }}" no_log: true environment: "{{ bifrost_venv_env }}" - when: test_ironic_admin_endpoint.rc != 0 or test_ironic_admin_endpoint.stdout == '[]' - name: "Setting external Ironic public URL" set_fact: - ironic_public_url: "{{ ironic.keystone.public_url | default('http://127.0.0.1:6385/') | replace('127.0.0.1', public_ip | default(internal_ip)) }}" - when: use_public_urls | default(false) | bool + ironic_public_url: "{{ api_protocol }}://{{ public_ip }}:6385/" + when: public_ip is defined - name: "Create ironic public endpoint" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ 
keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}" - endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - baremetal public "{{ ironic_public_url | default(ironic.keystone.public_url) | default('http://127.0.0.1:6385/') }}" + openstack.cloud.endpoint: + state: present + service: "{{ baremetal_catalog_service.id }}" + endpoint_interface: public + url: "{{ ironic.keystone.public_url | default(ironic_public_url) | default(ironic_api_url) }}" + region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + auth: "{{ keystone_auth }}" no_log: true environment: "{{ bifrost_venv_env }}" - when: test_ironic_public_endpoint.rc != 0 or test_ironic_public_endpoint.stdout == '[]' - name: "Setting internal Ironic URL" set_fact: - ironic_private_url: "{{ ironic.keystone.internal_url | default('http://127.0.0.1:6385/') | replace('127.0.0.1', private_ip) }}" + ironic_private_url: "{{ api_protocol }}://{{ private_ip }}:6385/" when: private_ip is defined and private_ip | length > 0 - name: "Create ironic internal endpoint" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}" - endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - baremetal internal "{{ ironic_private_url | default(ironic.keystone.internal_url) | default('http://127.0.0.1:6385/') }}" + openstack.cloud.endpoint: + state: present + service: "{{ baremetal_catalog_service.id }}" + endpoint_interface: internal + url: "{{ ironic.keystone.internal_url | default(ironic_private_url) | default(ironic_api_url) }}" + region: "{{ 
keystone.bootstrap.region_name | default('RegionOne') }}" + auth: "{{ keystone_auth }}" no_log: true environment: "{{ bifrost_venv_env }}" - when: test_ironic_internal_endpoint.rc != 0 or test_ironic_internal_endpoint.stdout == '[]' - name: "Create baremetal_admin role" openstack.cloud.identity_role: name: "baremetal_admin" state: present - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" environment: "{{ bifrost_venv_env }}" no_log: true @@ -218,13 +146,7 @@ openstack.cloud.identity_role: name: "baremetal_observer" state: present - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" environment: "{{ bifrost_venv_env }}" no_log: true @@ -235,13 +157,7 @@ description: "Baremetal Project" domain_id: "default" enabled: yes - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" environment: "{{ bifrost_venv_env }}" no_log: true 
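Review bot: `Setting external Ironic public URL` in `keystone_setup.yml` (hunk `@@ -92,125 +85,60 @@`) runs on `when: public_ip is defined` alone, so an empty `public_ip` produces a URL with no host (`http://:6385/`), whereas the internal counterpart a few lines below also tests `private_ip | length > 0`. I would use the same guard, `when: public_ip is defined and public_ip | length > 0`. The same condition appears in `keystone_setup_inspector.yml` (`Setting external ironic-inspector public URL`) and in `bifrost-keystone-install/tasks/bootstrap.yml` (`Setting external Keystone public URL`). An IPv6 `public_ip` or `private_ip` would also need brackets in these URL templates.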
@@ -251,13 +167,7 @@ password: "{{ ironic.keystone.default_password }}" default_project: "baremetal" domain: "default" - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" no_log: true @@ -267,13 +177,7 @@ user: "{{ ironic.keystone.default_username }}" role: "baremetal_admin" project: "baremetal" - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "{{ keystone.bootstrap.project_name | default('admin') }}" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" no_log: true diff --git a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml index 5ec4e9687..9efdff4e2 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml 
@@ -33,6 +33,17 @@ ironic_inspector.keystone.default_username is undefined or ironic_inspector.keystone.default_password is undefined +- name: "Configure keystone auth" + set_fact: + keystone_auth: + auth_url: "{{ ironic.service_catalog.auth_url | default(keystone_api_url) }}" + username: "{{ keystone.bootstrap.username }}" + password: "{{ keystone.bootstrap.password }}" + project_name: "admin" + project_domain_id: "default" + user_domain_id: "default" + no_log: true + - name: "Create service user for ironic-inspector" openstack.cloud.identity_user: name: "{{ ironic_inspector.service_catalog.username }}" @@ -40,13 +51,7 @@ state: present domain: "default" default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}" - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "admin" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" no_log: true @@ -56,13 +61,7 @@ user: "{{ ironic_inspector.service_catalog.username }}" role: admin project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}" - auth: - auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "admin" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" no_log: true 
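Review bot: The `keystone_auth` fact added in `keystone_setup_inspector.yml` (hunk `@@ -33,6 +33,17 @@`) takes its `auth_url` from `ironic.service_catalog.auth_url`, although several of the tasks it now serves (the inspector role grant, `Create ironic-inspector admin endpoint`, `Create inspector_user user`) previously used `ironic_inspector.service_catalog.auth_url`; an override set only on the inspector side is silently dropped. If that is not intended, `auth_url: "{{ ironic_inspector.service_catalog.auth_url | default(keystone_api_url) }}"` restores it. The fact also reuses the name set in `keystone_setup.yml` but hard-codes `project_name: "admin"` instead of `keystone.bootstrap.project_name | default('admin')`, so whichever file runs last decides the value for the host; the include order is not visible here.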
@@ -73,114 +72,54 @@ name: ironic-inspector service_type: baremetal-introspection description: OpenStack Baremetal Introspection Service - auth: - auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: "admin" - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" + register: introspection_catalog_service no_log: true -- name: "Check ironic-inspector admin endpoint exists" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name admin - endpoint list -f json --noindent --service baremetal-introspection --interface admin - --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - no_log: true - register: test_ironic_inspector_admin_endpoint - environment: "{{ bifrost_venv_env }}" - -- name: "Check ironic-inspector public endpoint exists" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name admin - endpoint list -f json --noindent --service baremetal-introspection --interface public - --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - no_log: true - register: test_ironic_inspector_public_endpoint - environment: "{{ bifrost_venv_env }}" - -- name: "Check ironic-inspector internal endpoint exists" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ 
ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name admin - endpoint list -f json --noindent --service baremetal-introspection --interface internal - --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - no_log: true - register: test_ironic_inspector_internal_endpoint - environment: "{{ bifrost_venv_env }}" - - name: "Create ironic-inspector admin endpoint" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name admin - endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - baremetal-introspection admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}" + openstack.cloud.endpoint: + state: present + service: "{{ introspection_catalog_service.id }}" + endpoint_interface: admin + url: "{{ ironic_inspector.keystone.admin_url | default(ironic_inspector_api_url) }}" + region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + auth: "{{ keystone_auth }}" no_log: true environment: "{{ bifrost_venv_env }}" - when: test_ironic_inspector_admin_endpoint.rc != 0 or test_ironic_inspector_admin_endpoint.stdout == '[]' - name: "Setting external ironic-inspector public URL" set_fact: - ironic_inspector_public_url: >- - {{ ironic_inspector.keystone.public_url | default('http://127.0.0.1:5050/') | replace('127.0.0.1', public_ip | default(internal_ip)) }} - when: use_public_urls | default(false) | bool + ironic_inspector_public_url: "{{ api_protocol }}://{{ public_ip }}:5050/" + when: public_ip is defined -# NOTE(TheJulia): This seems like something that should be -# to admin or internal interfaces. Perhaps we should attempt -# remove it after we have a working keystone integrated CI job. 
- name: "Create ironic-inspector public endpoint" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name admin - endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - baremetal-introspection public "{{ ironic_inspector_public_url | default(ironic_inspector.keystone.public_url) | default('http://127.0.0.1:5050/') }}" + openstack.cloud.endpoint: + state: present + service: "{{ introspection_catalog_service.id }}" + endpoint_interface: public + url: "{{ ironic_inspector.keystone.public_url | default(ironic_inspector_public_url) | default(ironic_inspector_api_url) }}" + region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + auth: "{{ keystone_auth }}" no_log: true environment: "{{ bifrost_venv_env }}" - when: test_ironic_inspector_public_endpoint.rc != 0 or test_ironic_inspector_public_endpoint.stdout == '[]' - name: "Setting internal ironic-inspector URL" set_fact: - ironic_inspector_private_url: "{{ ironic_inspector.keystone.internal_url | default('http://127.0.0.1:5050/') | replace('127.0.0.1', private_ip) }}" + ironic_inspector_private_url: "{{ api_protocol }}://{{ private_ip }}:5050/" when: private_ip is defined and private_ip | length > 0 - name: "Create ironic-inspector internal endpoint" - command: | - openstack - --os-identity-api-version 3 - --os-username "{{ keystone.bootstrap.username }}" - --os-password "{{ keystone.bootstrap.password }}" - --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - --os-project-name admin - endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}" - baremetal-introspection internal "{{ ironic_inspector_private_url | default(ironic_inspector.keystone.internal_url) | default('http://127.0.0.1:5050/') 
}}" + openstack.cloud.endpoint: + state: present + service: "{{ introspection_catalog_service.id }}" + endpoint_interface: internal + url: "{{ ironic_inspector.keystone.internal_url | default(ironic_inspector_private_url) | default(ironic_inspector_api_url) }}" + region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}" + auth: "{{ keystone_auth }}" no_log: true environment: "{{ bifrost_venv_env }}" - when: test_ironic_inspector_internal_endpoint.rc != 0 or test_ironic_inspector_internal_endpoint.stdout == '[]' - name: "Create inspector_user user" openstack.cloud.identity_user: @@ -188,13 +127,7 @@ password: "{{ ironic_inspector.keystone.default_password }}" default_project: "baremetal" domain: "default" - auth: - auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: admin - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" update_password: always wait: yes environment: "{{ bifrost_venv_env }}" @@ -205,13 +138,7 @@ user: "{{ ironic_inspector.keystone.default_username }}" role: "baremetal_admin" project: baremetal - auth: - auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}" - username: "{{ keystone.bootstrap.username }}" - password: "{{ keystone.bootstrap.password }}" - project_name: admin - project_domain_id: "default" - user_domain_id: "default" + auth: "{{ keystone_auth }}" wait: yes environment: "{{ bifrost_venv_env }}" no_log: true diff --git a/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml b/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml index 4b13de8a3..a364cfefd 100644 --- a/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml +++ b/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml 
@@ -1,6 +1,13 @@ --- -ironic_api_url: "http://localhost:6385" -ironic_inspector_api_url: "http://localhost:5050" + +network_interface: "virbr0" +ans_network_interface: "{{ network_interface | replace('-', '_') }}" +internal_ip: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}" + +# Service URLs used for communication with them. +api_protocol: http +ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385" +ironic_inspector_api_url: "{{ api_protocol }}://{{ internal_ip }}:5050" # Ensure that Ansible is using python interpreter and dependencies inside the bifrost virtual environment bifrost_venv_dir: "{{ lookup('env', 'VENV') or '/opt/stack/bifrost' }}" diff --git a/playbooks/roles/bifrost-keystone-install/defaults/main.yml b/playbooks/roles/bifrost-keystone-install/defaults/main.yml index 296d24f8d..e1925360d 100644 --- a/playbooks/roles/bifrost-keystone-install/defaults/main.yml +++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml @@ -35,6 +35,9 @@ network_interface: "virbr0" ans_network_interface: "{{ network_interface | replace('-', '_') }}" internal_ip: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}" +api_protocol: http +keystone_api_url: "{{ api_protocol }}://{{ internal_ip }}:5000/v3" + # Defaults required by this role that are normally inherited via # other roles. file_url_port: 8080 @@ -66,9 +69,9 @@ keystone: username: "{{ admin_username }}" password: "{{ admin_password }}" project_name: admin - admin_url: "http://127.0.0.1:35357/v3/" - public_url: "http://127.0.0.1:5000/v3/" - internal_url: "http://127.0.0.1:5000/v3/" + admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/" + public_url: "{{ keystone_api_url }}" + internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/" region_name: "RegionOne" message_queue: username: keystone 
diff --git a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml index 01a5edb93..bf670c500 100644 --- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml +++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml @@ -120,12 +120,12 @@ - name: "Setting external Keystone public URL" set_fact: - keystone_public_url: "{{ keystone.bootstrap.public_url | replace('127.0.0.1', public_ip | default(internal_ip)) }}" - when: use_public_urls | default(false) | bool + keystone_public_url: "{{ api_protocol }}://{{ public_ip }}:5000/v3" + when: public_ip is defined - name: "Setting internal Keystone URL" set_fact: - keystone_private_url: "{{ keystone.bootstrap.internal_url | replace('127.0.0.1', private_ip) }}" + keystone_private_url: "{{ api_protocol }}://{{ private_ip }}:5000/v3" when: private_ip is defined and private_ip | length > 0 - name: "Bootstrap Keystone Database" @@ -135,9 +135,9 @@ --bootstrap-password="{{ keystone.bootstrap.password }}" --bootstrap-project-name="{{ keystone.bootstrap.project_name }}" --bootstrap-service-name="keystone" - --bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}" - --bootstrap-public-url="{{ keystone_public_url | default(keystone.bootstrap.public_url) }}" - --bootstrap-internal-url="{{ keystone_private_url | default(keystone.bootstrap.internal_url) }}" + --bootstrap-admin-url="{{ keystone.bootstrap.admin_url | default(keystone_api_url) }}" + --bootstrap-public-url="{{ keystone.bootstrap.public_url | default(keystone_public_url) | default(keystone_api_url) }}" + --bootstrap-internal-url="{{ keystone.bootstrap.internal_url | default(keystone_private_url) | default(keystone_api_url) }}" --bootstrap-region-id="{{ keystone.bootstrap.region_name }}" environment: "{{ bifrost_venv_env }}" when: 
> diff --git a/releasenotes/notes/api-url-a6f79de3cc8b0e3d.yaml b/releasenotes/notes/api-url-a6f79de3cc8b0e3d.yaml new file mode 100644 index 000000000..300e668c2 --- /dev/null +++ b/releasenotes/notes/api-url-a6f79de3cc8b0e3d.yaml @@ -0,0 +1,15 @@ +--- +features: + - | + The first IPv4 address of the ``network_interface`` is now used for ironic + and ironic-inspector API URLs in ``clouds.yaml`` in ``openrc`` instead + of ``localhost``. Use ``ironic_api_url`` and ``ironic_inspector_api_url`` + to override. +fixes: + - | + Changes to keystone endpoint configuration are now automatically reflected + on existing endpoints. +upgrade: + - | + The ``use_public_urls`` parameter is no longer supported, just provide + ``public_ip`` instead. diff --git a/scripts/test-bifrost.sh b/scripts/test-bifrost.sh index 3f9fec6d1..b8bd2e9cc 100755 --- a/scripts/test-bifrost.sh +++ b/scripts/test-bifrost.sh @@ -176,7 +176,6 @@ ${ANSIBLE} -vvvv \ -e wait_timeout=${PROVISION_WAIT_TIMEOUT} \ -e noauth_mode=${NOAUTH_MODE} \ -e enable_keystone=${ENABLE_KEYSTONE} \ - -e use_public_urls=${ENABLE_KEYSTONE} \ -e wait_for_node_deploy=${WAIT_FOR_DEPLOY} \ -e not_enrolled_data_file=${BAREMETAL_DATA_FILE}.rest \ -e skip_install=${CLI_TEST} \
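Review bot: In `bifrost-keystone-install/tasks/bootstrap.yml` (hunk `@@ -135,9 +135,9 @@`) the new fallback order never reaches `keystone_public_url` or `keystone_private_url` with the stock defaults, because the role's `defaults/main.yml` in this same patch appears to define `keystone.bootstrap.public_url` and `internal_url`, and `default()` only falls through on an undefined value. As written, supplying `public_ip`, which the release note recommends, would leave the public endpoint at `keystone_api_url`. Either put the computed value first, `--bootstrap-public-url="{{ keystone_public_url | default(keystone.bootstrap.public_url) | default(keystone_api_url) }}"` (and likewise for the internal URL), or drop the two keys from the defaults so an explicit override still wins. The `when:` clause of this task continues past the hunk.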