Add keystone installation playbook

In order to support use of keystone, bifrost needs to be able to
install keystone in a minimalistic fashion alongside of ironic.

This commit adds the role, and required changes for that
configuration to be bootstrapped.

Change-Id: Icb1c5dfded5574d901444bbca72e5d74a336093f

playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2

@@ -47,4 +47,5 @@ http {
 			alias {{ http_boot_folder }}/;
 		}
 	}
+        include /etc/nginx/conf.d/bifrost*.conf;
 }

playbooks/roles/bifrost-keystone-install/README.md

@@ -0,0 +1,119 @@
+bifrost-keystone-install
+========================
+
+This role installs keystone for a bifrost/stand-alone ironic deployment
+with all required substrate to allow for keystone configuration,
+including MySQL, RabbitMQ, dnsmasq, and nginx.
+
+Requirements
+------------
+
+This role requires:
+
+- Ansible 2.1
+
+Role Variables
+--------------
+
+Due to the required configuration steps, the configuration must be
+fairly explicit. The defaults should work for a user without any
+issues, however it is highly recommended that the parameters are
+reviewed and modified prior to deployment.
+
+The main settings are in a nested data structure under the name
+``keystone``.  In order to logically separate the settings in order
+to provide the greatest flexibility for change, under ``keystone``
+exists three subsections.  ``bootstrap``, ``message_queue``, and
+``database``.
+
+The ``keystone.bootstrap`` settings provide the information to access
+keystone as it provides the main administrative credentials.
+If keystone is being installed, then these credentials will be used
+to bootstrap keystone the keystone installation.
+Along with those settings we provide the ability to define the initial
+``region_name``, as well as ``admin_url``, ``public_url``, and
+``internal_url`` endpoints URLs for keystone.
+
+If the intent is to utilize a pre-existing keystone service that has
+already undergone bootstrapping, set the ``keystone.bootstrap.enabled``
+setting to false, in order to prevent bifrost from attempting to
+bootstrap a new keystone. The ``keystone.bootstrap`` settings are
+expected to be available by the ``bifrost-ironic-install`` role,
+which has the same datastructure available in it's defaults/main.yml
+file. These settings are used by the ``birost-ironic-install`` role
+in order to create users, roles, and endpoints for Ironic's operation.
+
+Under the ``message_queue`` and ``database`` structures, variables
+are used to define the connection URLs to the message queue,
+and database.
+
+Below is the full data structure.
+
+  keystone:
+    debug: true
+    bootstrap:
+      enabled: true
+      username: admin
+      password: ChangeThisPa55w0rd
+      project_name: admin
+      admin_url: "http://127.0.0.1:35357/v2.0/"
+      public_url: "http://127.0.0.1:5000/v2.0/"
+      internal_url: "http://127.0.0.1:5000/v2.0/"
+      region_name: "RegionOne"
+    message_queue:
+      username: keystone
+      password: ChangeThisPa55w0rd
+      host: 127.0.0.1
+    database:
+      name: keystone
+      username: keystone
+      password: ChangeThisPa55w0rd
+      host: 127.0.0.1
+
+Notes
+-----
+
+None
+
+Dependencies
+------------
+
+The ansible module, os_keystone_session, is required by this module.
+
+The env-setup.sh script should collect this file and place it in the
+proper location prior to executing this role.
+
+Example Playbook
+----------------
+
+# NOTE: The bifrost-keystone-install playbook
+# should be run before the ironic install playbook
+# to enable the same variables to be utilized.
+- hosts: localhost
+  connection: local
+  name: "Install ironic locally"
+  become: yes
+  gather_facts: yes
+  roles:
+    - role: bifrost-keystone-install
+    - role: bifrost-ironic-install
+
+License
+-------
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Author Information
+------------------
+
+Ironic Developers

playbooks/roles/bifrost-keystone-install/defaults/dummy-defaults.yml

@@ -0,0 +1,3 @@
+---
+# NOTE(cinerama) This file is intentionally left blank - do not
+# add variables here.

playbooks/roles/bifrost-keystone-install/defaults/main.yml

@@ -0,0 +1,57 @@
+---
+keystone_source_install: true
+# *_git_url can be overridden by local clones for offline installs
+keystone_git_url: https://git.openstack.org/openstack/keystone
+keystone_git_folder: /opt/stack/keystone
+
+# set to true to skip installing ironic dependencies
+skip_package_install: False
+# set to true to skip generation of configs, ironic db and rabbitmq configuration
+skip_bootstrap: False
+# set to true to skip starting ironic services and dependencies
+skip_start: False
+
+# Parameters for connecting to mysql for database manipulation.
+mysql_username: "root"
+mysql_password: ""
+
+# Support for CORS configuration
+# By default CORS support is disabled.
+enable_cors: false
+# Origin to accept for CORS requests
+cors_allowed_origin: "http://localhost:8000"
+# bifrost utilizes noauth mode by default and as such
+# the setting should be set to false. This setting should
+# not need to be modified by the user.
+enable_cors_credential_support: false
+
+# Settings related to installing bifrost in a virtual environment
+enable_venv: false
+bifrost_venv_dir: "{{ lookup('env', 'VENV') | default('/opt/stack/bifrost') }}"
+bifrost_venv_env:
+  VIRTUAL_ENV: "{{ bifrost_venv_dir }}"
+  PATH: "{{ bifrost_venv_dir }}/bin:{{ ansible_env.PATH }}" # include regular path via lookup env
+  pydoc: "python -m pydoc"
+
+
+keystone:
+  debug: true
+  bootstrap:
+    enabled: true
+    username: admin
+    password: ChangeThisPa55w0rd
+    project_name: admin
+    admin_url: "http://127.0.0.1:35357/v3/"
+    public_url: "http://127.0.0.1:5000/v3/"
+    internal_url: "http://127.0.0.1:5000/v3/"
+    region_name: "RegionOne"
+  message_queue:
+    username: keystone
+    password: ChangeThisPa55w0rd
+    host: 127.0.0.1
+  database:
+    name: keystone
+    username: keystone
+    password: ChangeThisPa55w0rd
+    host: 127.0.0.1
+

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml

@@ -0,0 +1,21 @@
+---
+init_template: upstart_template.j2
+init_dest_dir: /etc/init/
+init_ext: .conf
+nginx_user: www-data
+mysql_service_name: mysql
+required_packages:
+  - mysql-server
+  - rabbitmq-server
+  - python-dev
+  - python-mysqldb
+  - python-configparser
+  - libffi-dev
+  - libxslt1-dev
+  - libssl-dev
+  - libxml2-dev
+  - nginx
+  - uwsgi
+  - uwsgi-core
+  # - python-django-uwsgi - This may not be needed
+  - uwsgi-plugin-python

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_jessie.yml

@@ -0,0 +1,20 @@
+---
+init_template: systemd_template.j2
+init_dest_dir: /usr/lib/systemd/system/
+init_ext: .service
+nginx_user: www-data
+mysql_service_name: mysql
+required_packages:
+  - mysql-server
+  - rabbitmq-server
+  - python-dev
+  - python-mysqldb
+  - python-configparser
+  - libffi-dev
+  - libxslt1-dev
+  - libssl-dev
+  - libxml2-dev
+  - nginx
+  - uwsgi
+  - uwsgi-core
+  - uwsgi-plugin-python

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Fedora_22.yml

@@ -0,0 +1,5 @@
+---
+# NOTE(cinerama): On Fedora 22, ansible 1.9, ansible_pkg_mgr
+# defaults to yum, which may not be installed. This can be safely
+# removed when we start using an ansible release which prefers dnf.
+ansible_pkg_mgr: "dnf"

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml

@@ -0,0 +1,25 @@
+---
+init_template: systemd_template.j2
+init_dest_dir: /usr/lib/systemd/system/
+init_ext: .service
+syslinux_tftp_dir: /var/lib/tftpboot
+ipxe_dir: /usr/share/ipxe/
+ipxe_full_binary: ipxe.lkrn
+sgabios_dir: /usr/share/sgabios/
+nginx_user: nginx
+virt_group: libvirt
+mysql_service_name: mariadb
+tftp_service_name: tftp
+required_packages:
+  - mariadb-server
+  - rabbitmq-server
+  - python-devel
+  - MySQL-python
+  - python-iniparse
+  - libffi-devel
+  - libxslt-devel
+  - openssl-devel
+  - libxml2-devel
+  - nginx
+  - uwsgi
+  - uwsgi-plugin-python

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.04.yml

@@ -0,0 +1,4 @@
+---
+init_template: systemd_template.j2
+init_dest_dir: /lib/systemd/system/
+init_ext: .service

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.10.yml

@@ -0,0 +1,4 @@
+---
+init_template: systemd_template.j2
+init_dest_dir: /lib/systemd/system/
+init_ext: .service

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_16.04.yml

@@ -0,0 +1,4 @@
+---
+init_template: systemd_template.j2
+init_dest_dir: /lib/systemd/system/
+init_ext: .service

playbooks/roles/bifrost-keystone-install/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Ironic Developers
+  description: Install keystone for Bifrost
+  company: OpenStack
+  license: Apache
+  min_ansible_version: 2.1
+  platforms:
+  - name: Ubuntu
+    versions:
+    - xenial
+  categories:
+  - cloud
+  - cloud:openstack
+dependencies: []

playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml

@@ -0,0 +1,274 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# NOTE(TheJulia): There is significant commonality between this playbook
+# and the bifrost bootstrap process.
+- name: "If VENV is set in the environment, enable installation into venv"
+  set_fact:
+    enable_venv: true
+  when: lookup('env', 'VENV') | length > 0
+
+- name: "Get uwsgi install location"
+  shell: echo $(dirname $(which uwsgi))
+  register: uwsgi_install_prefix
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+
+- name: "Get keystone-wsgi-admin location"
+  shell: echo $(dirname $(which keystone-wsgi-admin))
+  register: keystone_install_prefix
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+
+# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
+# during bootstrapping. all other services are started in the Start phase.
+- name: "Start database service"
+  service: name={{ mysql_service_name }} state=started
+
+- name: "Start rabbitmq-server"
+  service: name=rabbitmq-server state=started
+
+# NOTE(cinerama): on some systems, rabbit may not be ready when we want to
+# make changes to users if we don't wait first
+- name: "Wait for rabbitmq"
+  wait_for: port=5672 delay=5
+
+- name: "Ensure guest user is removed from rabbitmq"
+  rabbitmq_user:
+    user: "guest"
+    state: absent
+    force: yes
+
+- name: "Create keystone user in RabbitMQ"
+  rabbitmq_user:
+    user: "{{ keystone.message_queue.username }}"
+    password: "{{ keystone.message_queue.password }}"
+    force: yes
+    state: present
+    configure_priv: ".*"
+    write_priv: ".*"
+    read_priv: ".*"
+  no_log: true
+
+- name: "Set mysql_username if environment variable mysql_user is set"
+  set_fact:
+    mysql_username: "{{ lookup('env', 'mysql_user') }}"
+  when: lookup('env', 'mysql_user') | length > 0
+  no_log: true
+
+- name: "Set mysql_password if environment variable mysql_pass is set"
+  set_fact:
+    mysql_password: "{{ lookup('env', 'mysql_pass') }}"
+  when: lookup('env', 'mysql_pass') | length > 0
+  no_log: true
+
+- name: "MySQL - Creating DB"
+  mysql_db:
+    name: "{{ keystone.database.name }}"
+    state: present
+    encoding: utf8
+    login_user: "{{ mysql_username | default(None) }}"
+    login_password: "{{ mysql_password | default(None) }}"
+  register: test_created_keystone_db
+
+- name: "MySQL - Creating user for keystone"
+  mysql_user:
+    name: "{{ keystone.database.username }}"
+    password: "{{ keystone.database.password }}"
+    priv: "{{ keystone.database.name }}.*:ALL"
+    state: present
+    login_user: "{{ mysql_username | default(None) }}"
+    login_password: "{{ mysql_password | default(None) }}"
+
+- name: "Create an keystone service group"
+  group:
+    name: "keystone"
+
+- name: "Create an keystone service user"
+  user:
+    name: "keystone"
+    group: "keystone"
+
+- name: "Ensure /etc/keystone exists"
+  file:
+    name: "/etc/keystone"
+    state: directory
+    owner: "keystone"
+    group: "keystone"
+    mode: 0755
+
+- name: "Write keystone configuration from template"
+  template:
+    src: keystone.conf.j2
+    dest: "/etc/keystone/keystone.conf"
+    owner: "keystone"
+    group: "keystone"
+    mode: 0755
+
+- name: "Copy policy.json to /etc/keystone"
+  copy:
+    src: "{{ keystone_git_folder }}/etc/policy.json"
+    dest: "/etc/keystone/"
+    owner: "keystone"
+    group: "keystone"
+    mode: 0644
+
+- name: "Copy keystone-paste.ini to /etc/keystone"
+  copy:
+    src: "{{ keystone_git_folder }}/etc/keystone-paste.ini"
+    dest: "/etc/keystone/"
+    owner: "keystone"
+    group: "keystone"
+    mode: 0644
+
+- name: "Apply/Update keystone DB Schema"
+  command: keystone-manage db_sync
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+
+- name: "Setup Keystone Credentials"
+  command: >
+    keystone-manage credential_setup
+    --keystone-user=keystone --keystone-group=keystone
+
+- name: "Bootstrap Keystone Database"
+  command: >
+    keystone-manage bootstrap
+    --bootstrap-username="{{ keystone.bootstrap.username }}"
+    --bootstrap-password="{{ keystone.bootstrap.password }}"
+    --bootstrap-project-name="{{ keystone.bootstrap.project_name }}"
+    --bootstrap-service-name="keystone"
+    --bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}"
+    --bootstrap-public-url="{{ keystone.bootstrap.public_url }}"
+    --bootstrap-internal-url="{{ keystone.bootstrap.internal_url }}"
+    --bootstrap-region-id="{{ keystone.bootstrap.region_name }}"
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+  when: >
+    test_created_keystone_db.changed | bool == true and
+    keystone.bootstrap.enabled | bool == true
+
+- name: "Reserve keystone admin port"
+  sysctl:
+    name: "net.ipv4.ip_local_reserved_ports"
+    value: 35357
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: "Ensure /var/www/keystone exists"
+  file:
+    name: "/var/www/keystone"
+    state: directory
+    owner: "keystone"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Add keystone to web server group"
+  user:
+    name: "keystone"
+    append: yes
+    groups: "{{nginx_user}}" # TODO(TheJulia): Split webserver user/group.
+
+- name: "Make folder for keystone logs"
+  file:
+    name: "/var/log/nginx/keystone"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Copy keystone-wsgi-public  to /var/www/keystone/public"
+  copy:
+    src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-public"
+    dest: /var/www/keystone/public
+    owner: "keystone"
+    group: "{{nginx_user}}"
+    mode: 0754
+
+- name: "Copy keystone-wsgi-admin to /var/www/keystone/admin"
+  copy:
+    src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-admin"
+    dest: /var/www/keystone/admin
+    owner: "keystone"
+    group: "{{nginx_user}}"
+    mode: 0754
+
+- name: "Ensure /etc/uwsgi exists"
+  file:
+    name: "/etc/uwsgi"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Ensure /run/uwsgi exists"
+  file:
+    name: "/run/uwsgi"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0775
+
+- name: "Place keystone public uwsgi config"
+  template:
+    src: keystone-public.ini.j2
+    dest: /etc/uwsgi/apps-available/keystone-public.ini
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Place keystone admin uwsgi config"
+  template:
+    src: keystone-admin.ini.j2
+    dest: /etc/uwsgi/apps-available/keystone-admin.ini
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Enable keystone-public in uwsgi"
+  file:
+    src: "/etc/uwsgi/apps-available/keystone-public.ini"
+    dest: "/etc/uwsgi/apps-enabled/keystone-public.ini"
+    state: link
+
+- name: "Enable keystone-admin in uwsgi"
+  file:
+    src: "/etc/uwsgi/apps-available/keystone-admin.ini"
+    dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini"
+    state: link
+
+- name: "Place nginx core configuration"
+  # TODO(TheJulia): Refactor this out so we don't have anything related to
+  # bifrost it's self in the main config file.
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Place nginx configuration for keystone"
+  # TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's
+  # handling of co-existence needs to be cleaned up first.
+  template:
+    src: nginx_conf.d_bifrost-keystone.conf.j2
+    dest: /etc/nginx/conf.d/bifrost-keystone.conf
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Place uwsgi services"
+  template:
+    src: "{{ init_template }}"
+    dest: "{{ init_dest_dir }}{{ item.service_name }}{{ init_ext }}"
+    owner: "root"
+    group: "root"
+  with_items:
+    - { service_path: "{{ uwsgi_install_prefix.stdout }}", service_name: 'uwsgi', username: "{{nginx_user}}", args: '--master --emperor /etc/uwsgi/apps-enabled'}

playbooks/roles/bifrost-keystone-install/tasks/install.yml

@@ -0,0 +1,47 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Install packages"
+  action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+  with_items: required_packages
+
+- name: "If VENV is set in the environment, enable installation into venv"
+  set_fact:
+    enable_venv: true
+  when: lookup('env', 'VENV') | length > 0
+
+# NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
+# and it should already be created by the Ansible setup, we will leave this
+# here for the time being.
+- name: "Ensure /opt/stack is present"
+  file: name=/opt/stack state=directory owner=root group=root
+  when: skip_install is not defined
+
+# NOTE(TheJulia): Part of Bifrost's install does this as well, but
+# duplicating here as we are installing a separate service with this.
+# We may wish to refactor this at a later point in time.
+- name: "Install configparser in venv if using"
+  include: pip_install.yml package=configparser virtualenv=bifrost_venv_dir
+  when: skip_install is not defined and (enable_venv | bool == true)
+
+- name: "Install pymysql in venv if using"
+  include: pip_install.yml package=pymysql virtualenv=bifrost_venv_dir
+  when: skip_install is not defined and (enable_venv | bool == true)
+
+- name: "Install keystone using pip"
+  include: pip_install.yml
+    package=keystone
+    state=latest
+    sourcedir={{ keystone_git_folder }}
+    source_install={{ keystone_source_install | bool }}
+  when: skip_install is not defined

playbooks/roles/bifrost-keystone-install/tasks/main.yml

@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# NOTE(cinerama) dummy-defaults.yml is an empty defaults file. We use it
+# here to ensure that with_first_found won't fail should we not have
+# defaults for a particular distribution, version, etc.
+- name: Include OS family-specific defaults
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "../defaults/required_defaults_{{ ansible_os_family }}_family.yml"
+    - "../defaults/dummy-defaults.yml"
+
+- name: Include OS distribution-specific defaults
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "../defaults/required_defaults_{{ ansible_distribution }}.yml"
+    - "../defaults/dummy-defaults.yml"
+
+- name: Include OS version-specific defaults
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "../defaults/required_defaults_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+    - "../defaults/required_defaults_{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml"
+    - "../defaults/dummy-defaults.yml"
+
+- name: "Install Keystone"
+  include: install.yml
+  when: enable_keystone is defined and enable_keystone |bool == True and skip_package_install | bool != True
+
+- name: "Bootstrap Keystone"
+  include: bootstrap.yml
+  when: enable_keystone is defined and enable_keystone |bool == True and skip_bootstrap | bool != True
+
+- name: "Start Keystone services"
+  include: start.yml
+  when: enable_keystone is defined and enable_keystone |bool == True and skip_start | bool != True

playbooks/roles/bifrost-keystone-install/tasks/pip_install.yml

@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Install {{ package }} package from pip"
+  pip:
+    name: "{{ package }}"
+    state: "{{ state | default(omit) }}"
+    version: "{{ version | default(omit) }}"
+    virtualenv: "{{ bifrost_venv_dir if enable_venv else omit }}"
+  when: source_install is not defined or source_install == false
+# NOTE (cinerama): We should be able to use the pip module here and
+# possibly merge these two tasks when
+# https://github.com/ansible/ansible-modules-core/pull/2600 lands.
+- name: "Install from {{ sourcedir }} using pip"
+  command: pip install --upgrade --force-reinstall {{ sourcedir }}
+  when: source_install is defined and (source_install | bool == true)
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"

playbooks/roles/bifrost-keystone-install/tasks/start.yml

@@ -0,0 +1,32 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Reload systemd configuration"
+  command: systemctl daemon-reload
+  when: init_template == 'systemd_template.j2'
+
+- name: "Ensure required services are started"
+  service: name={{ item }} state=started
+  with_items:
+    - nginx
+    - uwsgi
+
+# In the event that this server was already running,
+# we need to HUP the service to help ensure that it
+# has the latest configuration. We do this because we
+# cannot trust what service returns as each init system
+# behaves differently.
+- name: "Send services a reload signal"
+  service: name={{ item }} state=reloaded
+  with_items:
+    - nginx

playbooks/roles/bifrost-keystone-install/templates/keystone-admin.ini.j2

@@ -0,0 +1,18 @@
+{{ ansible_managed }}
+[uwsgi]
+master = true
+processes = 2
+threads = 2
+plugin = python
+no-orphans = true
+chmod-socket = 660
+
+socket = /run/uwsgi/keystone-admin.socket
+pidfile = /run/uwsgi/keystone-admin.pid
+
+name = keystone
+uid = keystone
+gid = {{ nginx_user }}
+
+chdir = /var/www/keystone/
+wsgi-file = /var/www/keystone/admin

playbooks/roles/bifrost-keystone-install/templates/keystone-public.ini.j2

@@ -0,0 +1,18 @@
+{{ ansible_managed }}
+[uwsgi]
+master = true
+processes = 2
+threads = 2
+plugin = python
+no-orphans = true
+chmod-socket = 660
+
+socket = /run/uwsgi/keystone-public.socket
+pidfile = /run/uwsgi/keystone-public.pid
+
+name = keystone
+uid = keystone
+gid = {{ nginx_user }}
+
+chdir = /var/www/keystone/
+wsgi-file = /var/www/keystone/public

playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2

@@ -0,0 +1,23 @@
+{{ ansible_managed }}
+[DEFAULT]
+
+debug = {{ keystone.debug | bool }}
+transport_url = amqp://{{ keystone.message_queue.username }}:{{ keystone.message_queue.password }}@{{ keystone.message_queue.host }}:{{ keystone.message_queue.port | default('5672') }}/
+
+[auth]
+
+methods = password,token
+
+{% if enable_cors | bool == true %}
+[cors]
+allowed_origin = {{ cors_allowed_origin | default('allowed_origin=http://localhost:8000') }}
+allow_credentials = {{ enable_cors_credential_support | default('true') }}
+{% endif %}
+
+[database]
+
+connection = mysql+pymysql://{{ keystone.database.username }}:{{ keystone.database.password }}@{{ keystone.database.host }}/{{ keystone.database.name }}?charset=utf8
+use_db_reconnect = true
+
+[security_compliance]
+lockout_failure_attempts = 3

playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2

@@ -0,0 +1,52 @@
+{{ ansible_managed }}
+user {{ nginx_user }};
+worker_processes 2;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	server {
+		listen {{ file_url_port }};
+		server_name {{ ansible_hostname }};
+		root {{ http_boot_folder }};
+		location {{ http_boot_folder }}/ {
+			alias {{ http_boot_folder }}/;
+		}
+	}
+        include /etc/nginx/conf.d/bifrost*.conf;
+}

playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2

@@ -0,0 +1,21 @@
+{{ ansible_managed }}
+server {
+    listen 5000;
+    access_log /var/log/nginx/keystone/access.log;
+    error_log /var/log/nginx/keystone/error.log;
+    location / {
+        uwsgi_pass unix:///run/uwsgi/keystone-public.socket;
+        include uwsgi_params;
+        uwsgi_param SCRIPT_NAME '';
+    }
+}
+server {
+    listen 35357;
+    access_log /var/log/nginx/keystone/access.log;
+    error_log /var/log/nginx/keystone/error.log;
+    location / {
+        uwsgi_pass unix:///run/uwsgi/keystone-admin.socket;
+        include uwsgi_params;
+        uwsgi_param SCRIPT_NAME '';
+   }
+}

playbooks/roles/bifrost-keystone-install/templates/systemd_template.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description={{ item.service_name }} service
+
+[Service]
+ExecStart={{ item.service_path }}/{{ item.service_name }} {{ item.args }}
+User={{ item.username }}
+
+[Install]
+WantedBy=multi-user.target
+Alias={{ item.service_name }}{{ init_ext }}

playbooks/roles/bifrost-keystone-install/templates/upstart_template.j2

@@ -0,0 +1,10 @@
+start on runlevel [2345]
+stop on runlevel [016]
+pre-start script
+  mkdir -p /var/run/{{ item.username }}
+  chown -R {{ item.username }}:{{ item.username }} /var/run/{{ item.username }}
+end script
+respawn
+respawn limit 2 10
+
+exec start-stop-daemon --start -c {{ item.username }} --exec {{ item.service_path }}/{{ item.service_name }} -- {{ item.args }}

releasenotes/notes/keystone-installation-3b812d9f673c7bbe.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - An ansible role enabling the installation of keystone has
+    been added in preparation for the addition of keystone
+    support to bifrost.

scripts/env-setup.sh

@@ -198,6 +198,10 @@ check_get_module `pwd`/lib/ansible/modules/core/cloud/openstack/os_ironic_node.p
 check_get_module `pwd`/lib/ansible/modules/extras/cloud/openstack/os_ironic_inspect.py \
     https://raw.githubusercontent.com/juliakreger/ansible-modules-extras/feature/os-ironic-inspect/cloud/openstack/os_ironic_inspect.py
 
+# os_keystone_service is targeted for Ansible 2.2
+check_get_module `pwd`/lib/ansible/modules/extras/cloud/openstack/os_keystone_service.py \
+    https://raw.githubusercontent.com/ansible/ansible-modules-extras/devel/cloud/openstack/os_keystone_service.py
+
 if [ -n "${VENV-}" ]; then
     sudo -H -E ${PIP} install --upgrade ${ANSIBLE_INSTALL_ROOT}/ansible
     echo