Once an internal CA is used that is not part of the default trust store,
we need to ensure that openstack clients will use system-trust instead
of the default one provided by the certifi library.
Change-Id: Ibe6b59b497fa665b722b648a57cb5568b1b29b5f

Since CentOS does not support the C.UTF-8 locale [1], we're placing the system
default inside the openrc file. If the locale can't be found from gathered facts,
it's defaulted to C.UTF-8.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1361965
Change-Id: I304bacf0e586b119ac41757b96fa237d2839aaf5

When there is a special char in the name of a server or something else,
the openstack client cannot print the char and throws this error:
    'ascii' codec can't encode character u'\xe8' in position 106729: ordinal not in range(128)
Changing the locale to C.UTF-8 fixes this small issue.
Change-Id: I2607f1617c37181c5de2cd49634e6e487f7a22d9

It seems that most tools are expecting a literal 'true' or 'false' value
for env variables, so use that instead of '1' and empty values.
Change-Id: I36c5460165dba6acd1b94e82c712312f9fd307a9

If openrc_insecure is set to True, we need to export OS_INSECURE and
OS_VERIFY in order for API calls to not verify SSL certificates. We
also need to add similar options to the clouds.yaml file as well.
Change-Id: I50e411c5ff974ff9a0b67aca6e9d7e48db596df7

For gnocchi cli this env var is mandatory in the openrc.
Default value: password
Closes-Bug: 1781552
Change-Id: I1e54d53dd131351dda70d3d166ae8e2029caa1cb

The logic which previously implemented a
check for v3 in the endpoint does not work
with versionless endpoints.
As versionless endpoints are likely to be
more common, and the v3 auth protocol is
now the default and the norm, the check is
now done for a v2 endpoint instead.
Related-Bug: #1688320
Change-Id: If4818e6220aba921890e647cfb21e078bb254821

Use single quotes around OS_PASSWORD to prevent shell variable
expansion. Add a test to validate contents of the openrc file.
Closes-Bug: 1663185
Change-Id: I4b1e7b5cb83061ea35108db545fdfa33cef037a5
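
The quoting behaviour behind bug 1663185, as an added example that is not taken from the role's template or tests: it renders an OS_PASSWORD export line with single quotes and compares what the shell loads against a double-quoted value. The function names and the sample password are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, not the role's template. All function names and the
# sample password are constructed for this example.

# Wrap a value in single quotes for a POSIX shell file; each embedded '
# becomes '\'' (close quote, escaped quote, reopen quote).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Render the export line the way a single-quoting template would.
render_line() {
    printf 'export OS_PASSWORD=%s\n' "$(sq_quote "$1")"
}

# Evaluate the single-quoted line in a subshell and return what a client
# would read from the environment.
load_single_quoted() {
    line=$(render_line "$1")
    ( unset OS_PASSWORD; eval "$line"; printf '%s' "$OS_PASSWORD" )
}

# Same, but with the value placed between double quotes: the shell still
# expands $VAR inside it. HOME is pinned so the result is deterministic.
load_double_quoted() {
    ( HOME=/constructed; eval "export OS_PASSWORD=\"$1\""; printf '%s' "$OS_PASSWORD" )
}

sample='p@ss$HOME'"'"'x y'      # constructed: contains $, ' and a space
render_line "$sample"
printf 'single-quoted -> %s\n' "$(load_single_quoted "$sample")"
printf 'double-quoted -> %s\n' "$(load_double_quoted "$sample")"
```

A password that itself contains a single quote only survives because of the `'\''` rewrite; wrapping the raw value in single quotes without it would end the quoted string early.
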
Unquoted OS_PASSWORD variable can break shell commands when special
characters are used.
Closes-Bug: #1663185
Change-Id: Ia61a4ea1861d0f8792355213443b202b15ab862c

Some service clients do not respect the old OS_ENDPOINT_TYPE
parameter, instead only supporting the newer fashion of
OS_INTERFACE which is viewed as less confusing. This adds support
for that option.
Failure to include this causes SSL certificate errors when the
service clients attempt to use the public endpoint with a self-
signed certificate on defaulted installs, particularly AIOs.
This error can be demonstrated by trying to use the Gnocchi or new
Aodh clients from a utility container, though only the Gnocchi
client is currently installed in the integrated build.
Change-Id: I60af4f0cf56964eaec8980264ec1ebadc550c0b8

Add OS_REGION_NAME to the openrc file. Replaces openrc_clouds_yml_region_name
with a common openrc_service_region variable.
Change-Id: I68cbd6b2aaa64ef655cfc617a96d428fb2c35d2b

Some clients still rely on OS_TENANT_NAME so we
should define and export it. The example client/tool
that appears to rely on it still is Rally, found during
development of:
https://github.com/trumant/openstack-ansible-os_rally
Change-Id: I5bc29ee6b459078f34bc6ac3a8e771a8192de4a1

Change Ifabb4a2aec070c00349e794364a71394feea99f1 in python-cinderclient
1.4.0 means the presence of OS_TENANT_NAME is no longer
required.
Change-Id: I8210f8a48f482f19ae3eb70c5ae0bf649a9b856a

OpenStack client supports defining one or more sets of credentials
inside a clouds.yml configuration file. A default configuration has
been created named `default` that contains the same admin credentials
from the `openrc` file currently being templated.
The default configuration can be specified using the following:
    openstack --os-cloud default <command>
Change-Id: Icc0c06a9b9a9e2e75b58fe90b4da9dd46b63e7f4

The OS_IDENTITY_API_VERSION needs to be set to 2.0 instead of 2 when
using the Keystone Identity API version 2. Other settings are currently
not affected.
Change-Id: I574bf1c1e908833b139a14b1f402df8db837344b
Closes-Bug: #1506231

This commit adds the LC_ALL export to the openrc file to ensure that
the openstack clients and system work with different preset locale
settings.
Change-Id: I9f62b9b3db50b70ebdddc724215ebd3b0a138e42
Closes-Bug: #1408935

Adding this environment variable expands Identity v3 coverage for legacy
OpenStack CLI clients. This corrects the authentication URLs used even
if v2 is still being used.
Change-Id: I68197ffd12d71a437c482f13520b83cb08d4c9de
Closes-Bug: #1495685

In order to enable and deploy federated Keystone, we need to use version
3 of the Keystone API and the v3 Keystone Client. This work begins that
transition by having a set of backwards compatible library commands.
Specifically, this commit updates the keystone library to use v3
Keystone Client and the usage of ensure_tenant in the os_keystone tasks
to use the v3 admin url.
In version 3 of Keystone's Endpoints (Catalog) API each endpoint only
has one URL and has separate interface types (public, internal, admin).
This change updates all uses of ensure_endpoint to structure the
endpoint data in a better way for the ensure_endpoint command in the
keystone module. As a result, some incidents where internalurl and
adminurl were swapped have been fixed.
Note:
In new deployments the endpoints will be created using the v3 API and
will therefore not be available via the v2 API. This will be a breaking
change to legacy CLI clients. The openstack CLI should be used instead.
DocImpact
Related-Bug: #1470635
Partially-implements: blueprint keystone-federation
Change-Id: I2cd4f505e850b4b113452abc25ee00d486b1637d

This patch introduces an insecure flag for the Keystone internal
and admin endpoints:
* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure
Both values default to false. If you have set up SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.
This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.
The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.
Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13

This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
  simplistic approach. This change duplicates code within the roles but
  ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
  OpenStack practices.
* Dynamically generated inventory is now more organized; this should assist
  anyone who may want or need to dive into the JSON blob that is created.
  In the inventory a properties field is used for items that customize containers
  within the inventory.
* The environment map has been modified to support additional host groups to
  enable the separation of infrastructure pieces. While the old infra_hosts group
  will still work, this change allows for groups to be divided up into separate
  chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
  variables extracted into the separate file
  etc/openstack_deploy/user_secrets.yml in order to allow separate
  security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
  should allow roles to be consumed outside of the `os-ansible-deployment`
  reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
  containing a deprecation warning instructing the user to move to the standard
  playbooks directory.
* While all of the Rackspace-specific components and variables have been removed
  and/or were refactored, the repository still relies on an upstream mirror of
  OpenStack-built python files and container images. This upstream mirror is hosted
  at Rackspace at "http://rpc-repo.rackspace.com", though this is
  not locked to and/or tied to Rackspace-specific installations. This repository
  contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e

This patch removes and/or renames anything that is Rackspace specific
from the playbooks, roles and variables.
It also removes items which appear to be orphaned/unused and flattens
the playbooks into a single directory in order to better match ansible
best practise (and remove some horrible fiddles we were doing).
The following have been removed due to RAX/RPC naming or RAX/RPC
specific usage:
- playbooks/monitoring
- playbooks/rax*
- playbooks/rpc*
- roles/maas*
- roles/rax*
- roles/rpc*
- scripts/f5-*
- scripts/maas*
- scripts/rpc*
- scripts/*lab*
- vars/repo_packages/rackspace*
- vars/repo_packages/rax*
- vars/repo_packages/rpc*
- vars/repo_packages/holland.yml
The following have been removed as they are unused:
- playbooks/setup/host-network-setup.yml
- roles/openssl_pem_request
- roles/host_interfaces
- scripts/elsa*
- ssh/
- vars/repo_packages/turbolift.yml
The following directories have been renamed:
- etc/rpc_deploy > etc/openstack_deploy
- rpc_deployment > playbooks
The playbooks have all been moved into a single directory:
- rpc_deployment/playbooks/infrastructure/* > playbooks/
- rpc_deployment/playbooks/openstack/* > playbooks/
- rpc_deployment/playbooks/setup/* > playbooks/
The following files have been renamed:
- lxc-rpc > lxc-openstack
- lxc-rpc.conf > lxc-openstack.conf
- rpc_environment > openstack_environment
- rpc_release > openstack_release (etc and pip)
- rpc_tempest_gate.sh > openstack_tempest_gate.sh
- rpc_user_config > openstack_user_config
The following variables have been renamed:
- rpc_release > openstack_release
- rpc_repo_url > openstack_repo_url
The following variables have been introduced:
- openstack_code_name: The code name of the upstream OpenStack release
  (eg: Juno)
Notable variable/template value changes:
- rabbit_cluster_name: rpc > openstack
- wsrep_cluster_name: rpc_galera_cluster > openstack_galera_cluster
DocImpact
Closes-Bug: #1403676
Implements: blueprint rackspace-namesake
Change-Id: Ib480fdad500b03c7cb90684aa444da9946ba8032