Add code to support novajoin in the undercloud

Novajoin is a new nova metadata micro-service that registers instances created by nova with a FreeIPA server, so that we can take advantage of server/service identities, kerberos credentials, access and sudo controls etc. The included modules will cause the undercloud to be registered with a FreeIPA server, for novajoin to be installed, and for nova on the undercloud to be configured to use novajoin. Change-Id: I2e1c18a0174f70dc6e9c1d402caac574e6c81678 Implements: blueprint novajoin
2016-11-17 15:09:08 -05:00 · 2016-11-17 15:09:08 -05:00 · 267d9b1fcb
parent 747f41385e
commit 267d9b1fcb
5 changed files with 48 additions and 3 deletions
--- a/elements/puppet-stack-config/install.d/02-puppet-stack-config
+++ b/elements/puppet-stack-config/install.d/02-puppet-stack-config
@ -45,6 +45,11 @@ for _, group in undercloud.list_opts():
        upper_name = opt.name.upper()
        context[upper_name] = os.environ[upper_name]

+# Mustache conditional logic requires ENABLE_NOVAJOIN to be undefined
+# when novajoin is not enabled.
+if context['ENABLE_NOVAJOIN'].lower() == 'false':
+    del context['ENABLE_NOVAJOIN']
+
 endpoint_context = {}
 for k, v in os.environ.items():
    if k.startswith('UNDERCLOUD_ENDPOINT_'):
--- a/elements/puppet-stack-config/puppet-stack-config.pp
+++ b/elements/puppet-stack-config/puppet-stack-config.pp
@ -624,3 +624,8 @@ Service[$needless_services] {
  enable => false,
  ensure => stopped,
 }
+
+# novajoin install
+if str2bool(hiera('enable_novajoin', false)) {
+  include ::nova::metadata::novajoin::api
+}
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -683,6 +683,20 @@ tripleo_install_user: {{TRIPLEO_INSTALL_USER}}
 tripleo_undercloud_conf_file: {{TRIPLEO_UNDERCLOUD_CONF_FILE}}
 tripleo_undercloud_password_file: {{TRIPLEO_UNDERCLOUD_PASSWORD_FILE}}

+# Novajoin
+{{#ENABLE_NOVAJOIN}}
+nova::metadata::novajoin::api::keystone_auth_url: "%{hiera('keystone_auth_uri')}"
+nova::metadata::novajoin::api::nova_password: {{UNDERCLOUD_NOVA_PASSWORD}}
+nova::metadata::novajoin::api::transport_url: "rabbit://{{UNDERCLOUD_RABBIT_USERNAME}}:{{UNDERCLOUD_RABBIT_PASSWORD}}@{{LOCAL_IP}}//"
+ipaclient::password: {{IPA_OTP}}
+ipaclient::hostname: {{UNDERCLOUD_HOSTNAME}}
+enable_novajoin: true
+nova::api::vendordata_jsonfile_path: '/etc/nova/cloud-config-novajoin.json'
+nova::api::vendordata_providers: ['StaticJSON', 'DynamicJSON']
+nova::api::vendordata_dynamic_targets: ['join@http://127.0.0.1:9999/v1/']
+nova::notification_topics: 'notifications'
+nova::notify_on_state_change: 'vm_state'
+{{/ENABLE_NOVAJOIN}}

 # Firewall
 tripleo::firewall::manage_firewall: true
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@ -313,6 +313,17 @@ _opts = [
                      'removed in future release. Please consider moving to '
                      'gnocchi/Aodh/Panko API instead.')
                ),
+    cfg.BoolOpt('enable_novajoin',
+                default=False,
+                help=('Whether to install novajoin metadata service in '
+                      'the Undercloud.')
+                ),
+    cfg.StrOpt('ipa_otp',
+               default='',
+               help=('One Time Password to register Undercloud node with '
+                     'an IPA server.  '
+                     'Required when enable_novajoin = True.')
+               ),
    cfg.BoolOpt('ipxe_enabled',
                default=True,
                help=('Whether to use iPXE for deploy and inspection.'),
--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@ -146,7 +146,7 @@
 # Whether to install Zaqar services in the Undercloud. (boolean value)
 #enable_zaqar = true

-# Whether to install Telemetry services (ceilometer, aodh, gnocchi) in the
+# Whether to install Telemetry services (ceilometer, aodh) in the
 # Undercloud. (boolean value)
 #enable_telemetry = true

@ -161,10 +161,20 @@
 # from remote volumes. (boolean value)
 #enable_cinder = false

-# Whether to enable legacy ceilometer api service in the
-# Undercloud. (boolean value)
+# Whether to enable legacy ceilometer api in the Undercloud. Note:
+# Ceilometer API has been deprecated and will be removed in future
+# release. Please consider moving to gnocchi/Aodh/Panko API instead.
+# (boolean value)
 #enable_legacy_ceilometer_api = true

+# Whether to install novajoin metadata service in the Undercloud.
+# (boolean value)
+#enable_novajoin = false
+
+# One Time Password to register Undercloud node with an IPA server.
+# Required when enable_novajoin = True. (string value)
+#ipa_otp =
+
 # Whether to use iPXE for deploy and inspection. (boolean value)
 # Deprecated group/name - [DEFAULT]/ipxe_deploy
 #ipxe_enabled = true