14 Commits

Author SHA1 Message Date
Dmitry Tantsur 9bf1fde62a fix keystone auth scope
Fixes bifrost so it utilizes:
* The admin role, instead of the long deprecated baremetal_admin
  role.
* Utilizes system scope and admin scoped access where needed
  for installation self-test commands to execute
  as expected.
* The user utilized for inspector's keystone access
  now utilizes the "admin" role instead of the
  baremetal_admin role.

Closes-Bug: 2051168
Change-Id: I090520547846a7a8d85bd032a52d6da039761186
2024-01-24 13:02:24 -08:00
Dmitry Tantsur ba9ddfea6a Stop passing ironic_url to ansible modules
The ansible collection team wants to deprecate ironic_url in favour of
auth.endpoint. This has been supported for a long time, adjust
the no-auth code to use it.

This leaves os_ironic_node_info, which should be replaced by the upstream
baremetal_node_info instead.

Change-Id: Icec366a4a5b66e77cc5ee9cf92248be68bd41807
2022-07-05 18:20:28 +02:00
Dmitry Tantsur aa727de74d Switch to using authentication by default
Change-Id: I7e3a76de9d37da224298f3821ab8ffc8448966fd
2020-12-14 13:40:35 +01:00
Dmitry Tantsur ddafc94e30 TLS support for API services
Change-Id: I084da313eda17435c095ade7cb1b92981f5341dc
2020-09-02 18:23:40 +02:00
Dmitry Tantsur bcda97b630 Support HTTP basic auth and switch bifrost-cli to it
The voting jobs also use the new mode (since it requires more OS
coverage), the DHCP jobs are left with no-auth.

Change-Id: I8c8ee112edbc1e61b54aff13c06c518c7daa9700
2020-08-07 15:21:27 +02:00
Dmitry Tantsur 2a6fc72559 Use random passwords by default
It's easy to forget to override them, and you'll end up with a well known
password used in your keystone and database. Use the password module
to generate secure random passwords instead. Operators of production
environments are still expected to provide their own passwords.

The generated passwords are stored in /etc/bifrost and reused on the next
installation. A new task is provided for upgrading the bootstrap (admin)
user in keystone to the new password.

Change-Id: I6771015f2b062233eeff85704655c8e2ab64364d
2020-07-25 21:59:02 +02:00
Dmitry Tantsur 08b5bd725a Deprecate a separate bifrost-inspector cloud
It is possible to provide both endpoints via one cloud record.

Change-Id: I6a3735a431e570b6d9bf5e6f3fba86fc980ef967
2020-05-25 14:03:41 +02:00
Dmitry Tantsur 0b7fd20e9e Stop installing openstackclient if keystone is not enabled
We have a standalone command now, let's use it.

Change-Id: I446d7b490d4a14ede01384fd72926f85660ea6e7
2020-05-25 12:38:33 +02:00
Mark Goddard 2486f456d4 Install openstack client, inspector in clouds.yml
Installs the openstack client unconditionally, not just when keystone is
enabled. This allows us to communicate with ironic inspector, and a new
bifrost-inspector entry has been added to clouds.yml in the noauth case
to support this.

Also adds a play to test-bifrost.yaml that exercises the openstack
client by performing a node list and querying inspector rules.

Change-Id: I19dfe3f63ba2c7fea7ce5881d7c8d0dff8f11264
2018-08-15 19:23:51 +01:00
Mark Goddard e1a167a3bb Use endpoint rather than url in clouds.yaml with no keystone
When keystone is not in use, the clouds.yaml file generated by bifrost
uses an auth_type of "none". This does not appear to work, and results
in the following error (even with OS_CLOUD=bifrost):

Missing parameter(s):
Set a cloud-name with --os-cloud or OS_CLOUD

This change modifies the "url" parameter to be "endpoint", which works
correctly.

Change-Id: I9b84739dcb90b6482b332676244c68642042dfd4
Closes-Bug: #1754070
2018-03-21 17:30:24 +00:00
Pavlo Shchelokovskyy 21ca45937a Use 'none' auth plugin w/o keystone
In Pike keystoneauth got a proper 'none' auth plugin, let's use it in
the generated clouds.yaml file.

Change-Id: I3e4e7f800f52406003620f7fb587290be77a6a3f
2017-08-30 12:12:42 +03:00
Pavlo Shchelokovskyy de0a964e1a Always write clouds.yaml
os-client-config can work for standalone mode with a specifically written
clouds.yaml file providing auth_type as None.

This patch changes `bifrost-keystone-client-config` role to write
`clouds.yaml` file also when keystone is not installed, with a `bifrost`
cloud configured, so that users can write automation scripts
around ironic installed by bifrost in a unified manner independently of
whether keystone is installed or not, by using

  openstack --os-cloud bifrost ...

command.

This effectively mimics the current `env-vars` file in bifrost, but using
`clouds.yaml` configuration file.

Change-Id: I4c27ffed20b3d02723f7be99ccd61d8cee74bea1
2017-03-16 10:49:43 +02:00
Pavlo Shchelokovskyy e09bec2c83 Allow to create cloud.yaml with many clouds
This patch makes the bifrost-keystone-client-config role a bit more
generic to allow creating more than a single cloud configuration
setting.

The role is changed to accept a dict with possibly many cloud configurations,
and the template for clouds.yaml is changed accordingly.

This new functionality is used right away to add the keystone admin user
to the created clouds.yaml file to make the installed keystone usable
for admin-level operations (listing and editing users, projects, roles
and role assignments) - the name of the 'cloud' created is
'bifrost-admin'.

Change-Id: Icb274de989966645cd0f3874f8dff9d9f37d871b
2017-02-01 21:55:54 +02:00
Julia Kreger 9068d38352 Add ability to write clouds.yaml
In order to support authentication, bifrost needs to be
able to store the configuration safely on disk. The best
answer to this problem seems to be to utilize clouds.yaml
and os-client-config.

Change-Id: I0ee43f1ff8d63deda640dbe4c5ea2e57462b7174
2016-11-22 14:24:08 +00:00