Fixes bifrost so it utilizes:

* The admin role, instead of the long deprecated baremetal_admin
  role.
* Utilizes system scope and admin scoped access where needed
  for during installation self-test commands to execute
  as expected.
* The user utilized for inspector's keystone access
  now utilizes the "admin" role instead of the
  baremetal_admin role.

Closes-Bug: 2051168
Change-Id: I090520547846a7a8d85bd032a52d6da039761186

The ansible collection team wants to deprecate ironic_url in favour of
auth.endpoint. This has been supported for a long time, adjust
the no-auth code to use it.
This leaves os_ironic_node_info, which should be replaced by the upstream
baremetal_node_info instead.
Change-Id: Icec366a4a5b66e77cc5ee9cf92248be68bd41807

The voting jobs also use the new mode (since it requires more OS
coverage), the DHCP jobs are left with no-auth.
Change-Id: I8c8ee112edbc1e61b54aff13c06c518c7daa9700

It's easy to forget to override them, and you'll end up with a well-known
password used in your keystone and database. Use the password module
to generate secure random passwords instead. Operators of production
environments are still expected to provide their own passwords.
The generated passwords are stored in /etc/bifrost and reused on the next
installation. A new task is provided for upgrading the bootstrap (admin)
user in keystone to the new password.
Change-Id: I6771015f2b062233eeff85704655c8e2ab64364d

Installs the openstack client unconditionally, not just when keystone is
enabled. This allows us to communicate with ironic inspector, and a new
bifrost-inspector entry has been added to clouds.yml in the noauth case
to support this.
Also adds a play to test-bifrost.yaml that exercises the openstack
client by performing a node list and querying inspector rules.
Change-Id: I19dfe3f63ba2c7fea7ce5881d7c8d0dff8f11264

When keystone is not in use, the clouds.yaml file generated by bifrost
uses an auth_type of "none". This does not appear to work, and results
in the following error (even with OS_CLOUD=bifrost):

    Missing parameter(s):
    Set a cloud-name with --os-cloud or OS_CLOUD

This change modifies the "url" parameter to be "endpoint", which works
correctly.
Change-Id: I9b84739dcb90b6482b332676244c68642042dfd4
Closes-Bug: #1754070

In Pike keystoneauth got a proper 'none' auth plugin, let's use it in
the generated clouds.yaml file.
Change-Id: I3e4e7f800f52406003620f7fb587290be77a6a3f

os-client-config can work for standalone mode with specifically written
clouds.yaml file providing auth_type as None.
This patch changes `bifrost-keystone-client-config` role to write
`clouds.yaml` file also when keystone is not installed, with a `bifrost`
cloud configured, so that users can write automation scripts
around ironic installed by bifrost in unified manner independently of
whether keystone is installed or not, by using

    openstack --os-cloud bifrost ...

command.
This effectively mimics current `env-vars` file in bifrost, but using
`clouds.yaml` configuration file.
Change-Id: I4c27ffed20b3d02723f7be99ccd61d8cee74bea1

This patch makes the bifrost-keystone-client-config role a bit more
generic to allow creating more than a single cloud configuration
setting.
The role is changed to accept a dict with possibly many clouds configurations,
and the template for clouds.yaml is changed accordingly.
This new functionality is used right away to add the keystone admin user
to the created clouds.yaml file to make the installed keystone usable
for admin-level operations (listing and editing users, projects, roles
and role assignments) - the name of the 'cloud' created is
'bifrost-admin'.
Change-Id: Icb274de989966645cd0f3874f8dff9d9f37d871b

In order to support authentication, bifrost needs to be
able to store the configuration safely on disk. The best
answer to this problem seems to be to utilize clouds.yaml
and os-client-config.
Change-Id: I0ee43f1ff8d63deda640dbe4c5ea2e57462b7174
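
Added example, not part of the bifrost commits above: a Python check for the two risks these messages raise, a well-known password left in place (the generated-passwords change) and credentials stored on disk where other local accounts can reach them (the clouds.yaml change). The file names, the deny-list entries and the sample credentials are constructed assumptions; the page does not give bifrost's old defaults.

```python
import os
import re
import stat
import tempfile

# Constructed placeholders: the page does not list the old default passwords.
KNOWN_DEFAULTS = {"EXAMPLE_DEFAULT_PASSWORD", "password", "admin"}
PASSWORD_LINE = re.compile(r"""^\s*password\s*:\s*["']?([^"'\s#]+)""", re.I)

def audit_credential_files(root, min_length=16):
    """Return sorted (path, finding) tuples for password-bearing files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            with open(path, encoding="utf-8", errors="replace") as fh:
                values = [(n, m.group(1)) for n, line in enumerate(fh, 1)
                          if (m := PASSWORD_LINE.match(line))]
            for lineno, value in values:
                if value in KNOWN_DEFAULTS:
                    findings.append((path, f"line {lineno}: well-known password"))
                elif len(value) < min_length:
                    findings.append((path, f"line {lineno}: password under {min_length} chars"))
            # Any group/other bit lets other local accounts reach the secret.
            if values and st.st_mode & 0o077:
                mode = stat.S_IMODE(st.st_mode)
                findings.append((path, f"mode {mode:04o} grants group/other access"))
    return sorted(findings)

def build_sample(root):
    """Write two constructed clouds.yaml-style files; return the weak one's path."""
    samples = {"weak-clouds.yaml": ("EXAMPLE_DEFAULT_PASSWORD", 0o644),
               "good-clouds.yaml": ("c9Jt2vQm7XkR4pLz8WbN", 0o600)}
    for name, (password, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("clouds:\n  bifrost-admin:\n    auth:\n"
                     f"      username: admin\n      password: {password}\n")
        os.chmod(path, mode)
    return os.path.join(root, "weak-clouds.yaml")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, finding in audit_credential_files(tmp):
            print(os.path.basename(path), "-", finding)
```

To audit a real installation, call `audit_credential_files("/etc/bifrost")` and add any passwords known to be in circulation at your site to `KNOWN_DEFAULTS`.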