From aa727de74d4a88ba4f86137e36c113477592a79b Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Mon, 14 Dec 2020 13:40:35 +0100 Subject: [PATCH] Switch to using authentication by default Change-Id: I7e3a76de9d37da224298f3821ab8ffc8448966fd --- playbooks/roles/bifrost-cloud-config/README.md | 4 ++-- playbooks/roles/bifrost-cloud-config/defaults/main.yml | 2 +- playbooks/roles/bifrost-ironic-install/README.md | 4 ++-- playbooks/roles/bifrost-ironic-install/defaults/main.yml | 2 +- .../roles/bifrost-keystone-client-config/defaults/main.yml | 2 +- .../templates/clouds.yaml.j2 | 2 +- .../bifrost-unprovision-node-dynamic/defaults/main.yml | 2 +- playbooks/roles/ironic-inspect-node/defaults/main.yml | 2 +- releasenotes/notes/no-no-auth-303152d1c29c691d.yaml | 7 +++++++ scripts/test-bifrost.sh | 2 +- 10 files changed, 18 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/no-no-auth-303152d1c29c691d.yaml diff --git a/playbooks/roles/bifrost-cloud-config/README.md b/playbooks/roles/bifrost-cloud-config/README.md index aec37e6f5..8d0f1b600 100644 --- a/playbooks/roles/bifrost-cloud-config/README.md +++ b/playbooks/roles/bifrost-cloud-config/README.md @@ -18,7 +18,7 @@ This role supports one variable: `noauth_mode` Whether bifrost has been installed in no-authentication mode. -Defaults to `true`. +Defaults to `false`. This role sets several facts: @@ -69,7 +69,7 @@ Example Playbook gather_facts: no roles: - role: bifrost-cloud-config - noauth_mode: true + noauth_mode: false ``` License diff --git a/playbooks/roles/bifrost-cloud-config/defaults/main.yml b/playbooks/roles/bifrost-cloud-config/defaults/main.yml index 660b4abcf..6c7fa6eb5 100644 --- a/playbooks/roles/bifrost-cloud-config/defaults/main.yml +++ b/playbooks/roles/bifrost-cloud-config/defaults/main.yml @@ -1,5 +1,5 @@ --- -noauth_mode: true +noauth_mode: false network_interface: "virbr0" ans_network_interface: "{{ network_interface | replace('-', '_') }}" 
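Review bot: `noauth_mode: false` in `bifrost-cloud-config/defaults/main.yml` has no comment, although per the role README it must describe how bifrost was actually installed. I would add `# Must match the installation: false = API access is authenticated (keystone or HTTP basic), true = no-authentication mode` above it. An operator who relied on the old default against an existing no-auth installation now has to set the variable explicitly, and the comment is the first place they will look. The same bare default appears in the `bifrost-unprovision-node-dynamic` and `ironic-inspect-node` defaults hunks later in this patch.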
diff --git a/playbooks/roles/bifrost-ironic-install/README.md b/playbooks/roles/bifrost-ironic-install/README.md index 7052c8ffe..9b3477fd7 100644 --- a/playbooks/roles/bifrost-ironic-install/README.md +++ b/playbooks/roles/bifrost-ironic-install/README.md @@ -25,12 +25,12 @@ bifrost-ironic-install role. testing: false Enables no-authentication mode where no authentication is used for accessing -API services. Setting it to ``false`` will make ironic and ironic-inspector +API services. The default setting of ``true`` makes ironic and ironic-inspector either use keystone (if ``enable_keystone`` is true) or HTTP basic auth (use ``admin_username``/``admin_password`` and ``default_username``/``default_password`` to configure). -noauth_mode: true +noauth_mode: false Node cleaning, which was a feature added to ironic during the Kilo cycle, removes the previous contents of a node once it has been moved from an diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 0cfc42e61..248650782 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -264,7 +264,7 @@ ansible_python_interpreter: "{{ bifrost_venv_dir + '/bin/python3' }}" # for noauth mode. Since we are introducing the concept of # authentication, we need to record the default for # conditional statements in the playbooks. -noauth_mode: true +noauth_mode: false # A work around for installing older releases, remove when no longer supporting # Ussuri. diff --git a/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml b/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml index 0ea395c17..6022b64ea 100644 --- a/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml +++ b/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml 
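Review bot: The README hunk for this role now says "The default setting of ``true`` makes ironic and ironic-inspector either use keystone ... or HTTP basic auth", which contradicts the `noauth_mode: false` set in `bifrost-ironic-install/defaults/main.yml`. It is ``false`` that turns authentication on, so that sentence should say ``false``; as written, a reader could conclude that ``true`` is the authenticated setting. The comment kept above the default ("for noauth mode. Since we are introducing the concept of authentication ...") starts outside the hunk and may still describe the old default, so it is worth re-reading with this change.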
@@ -25,7 +25,7 @@ bifrost_venv_env: ansible_python_interpreter: "{{ bifrost_venv_dir + '/bin/python3' }}" enable_keystone: false -noauth_mode: true +noauth_mode: false # Directory (on the controller) to keep the passwords password_dir: "{{ lookup('env', 'HOME') }}/.config/bifrost" diff --git a/playbooks/roles/bifrost-keystone-client-config/templates/clouds.yaml.j2 b/playbooks/roles/bifrost-keystone-client-config/templates/clouds.yaml.j2 index d4ac31d05..9ba05517b 100644 --- a/playbooks/roles/bifrost-keystone-client-config/templates/clouds.yaml.j2 +++ b/playbooks/roles/bifrost-keystone-client-config/templates/clouds.yaml.j2 @@ -17,7 +17,7 @@ clouds: cacert: "{{ tls_certificate_path }}" {% endif %} {% endfor %} -{% elif noauth_mode | default(true) | bool %} +{% elif noauth_mode | default(false) | bool %} bifrost: auth_type: "none" baremetal_endpoint_override: {{ ironic_api_url }} diff --git a/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml b/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml index dab4cb995..b8041c878 100644 --- a/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml +++ b/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml @@ -1,5 +1,5 @@ --- -noauth_mode: true +noauth_mode: false wait_for_node_undeploy: false # Ensure that Ansible is using python interpreter and dependencies inside the bifrost virtual environment diff --git a/playbooks/roles/ironic-inspect-node/defaults/main.yml b/playbooks/roles/ironic-inspect-node/defaults/main.yml index 31c164be7..7f005d7e5 100644 --- a/playbooks/roles/ironic-inspect-node/defaults/main.yml +++ b/playbooks/roles/ironic-inspect-node/defaults/main.yml @@ -1,6 +1,6 @@ --- # defaults file for ironic-inspect-node -noauth_mode: true +noauth_mode: false inspection_wait_timeout: 1800 inventory_dhcp: false inventory_dhcp_static_ip: true 
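Review bot: The inline fallback in `{% elif noauth_mode | default(false) | bool %}` in `clouds.yaml.j2` is a second copy of a default that `bifrost-keystone-client-config/defaults/main.yml` already sets in the hunk just above, and this commit had to flip both by hand. If the template is only rendered from this role, the condition could be `{% elif noauth_mode | bool %}`, so the security-relevant default lives in one place and cannot drift. If it is also rendered somewhere that does not load these defaults (not visible here), keep the filter. The `if` and `else` branches around this `elif` lie outside the hunk.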
diff --git a/releasenotes/notes/no-no-auth-303152d1c29c691d.yaml b/releasenotes/notes/no-no-auth-303152d1c29c691d.yaml new file mode 100644 index 000000000..60c1a79c6 --- /dev/null +++ b/releasenotes/notes/no-no-auth-303152d1c29c691d.yaml @@ -0,0 +1,7 @@ +--- +upgrade: + - | + Bifrost now uses HTTP basic authentication by default. The generated + credentials will be stored in ``~/.config/openstack/clouds.yaml``. + Use ``noauth_mode=true`` with ``enable_keystone=false`` to disable + authentication. diff --git a/scripts/test-bifrost.sh b/scripts/test-bifrost.sh index c3fe0776c..ee9d7f057 100755 --- a/scripts/test-bifrost.sh +++ b/scripts/test-bifrost.sh @@ -43,7 +43,7 @@ DOWNLOAD_IPA=true CREATE_IPA_IMAGE=false WRITE_INTERFACES_FILE=true PROVISION_WAIT_TIMEOUT=${PROVISION_WAIT_TIMEOUT:-900} -NOAUTH_MODE=${NOAUTH_MODE:-true} +NOAUTH_MODE=${NOAUTH_MODE:-false} CLOUD_CONFIG="" WAIT_FOR_DEPLOY=true
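Review bot: With `NOAUTH_MODE=${NOAUTH_MODE:-false}` in `scripts/test-bifrost.sh`, the script no longer exercises no-authentication mode unless the caller exports `NOAUTH_MODE=true`. The release note in this commit still documents `noauth_mode=true` as supported. If no CI job sets that variable (job definitions are not part of this diff), the unauthenticated path loses its test coverage and can regress unnoticed. A comment on this line such as `# export NOAUTH_MODE=true to test the unauthenticated setup` would make the override discoverable. The rest of the script lies outside the hunk.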