From 601e4a4a55d7c3514209f4bcffc3d1a801a3dc99 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Tue, 5 Mar 2024 17:57:20 +0000 Subject: [PATCH] Transition to Rackspace API keys Rackspace is requiring multi-factor authentication for all users beginning 2024-03-26. Enabling MFA on our accounts will immediately render password-based authentication inoperable for the API. In preparation for this switch, add new cloud entries for the provider which authenticate by API key so that we can test and move more smoothly between the two while we work out any unanticipated kinks. Change-Id: I787df458aa048ad80e246128085b252bb5888285 --- launch/pyproject.toml | 2 ++ .../roles/install-ansible/tasks/main.yaml | 1 + .../clouds/bridge_all_clouds.yaml.j2 | 36 +++++++++++++++++++ .../templates/clouds/nodepool_clouds.yaml.j2 | 29 +++++++++++++++ .../group_vars/control-plane-clouds.yaml.j2 | 6 ++++ .../templates/group_vars/nodepool.yaml.j2 | 1 + 6 files changed, 75 insertions(+) diff --git a/launch/pyproject.toml b/launch/pyproject.toml index 1bad79265a..80c3fc12c0 100644 --- a/launch/pyproject.toml +++ b/launch/pyproject.toml @@ -19,6 +19,8 @@ dependencies = [ "openstacksdk>=0.103", # Pin to a version of cinderclient known to work with RAX storage... "python-cinderclient<8", + # Needed for Rackspace api_key authentication + "rackspaceauth", ] [project.urls] diff --git a/playbooks/roles/install-ansible/tasks/main.yaml b/playbooks/roles/install-ansible/tasks/main.yaml index 4cfe3570b7..47d4257889 100644 --- a/playbooks/roles/install-ansible/tasks/main.yaml +++ b/playbooks/roles/install-ansible/tasks/main.yaml @@ -9,6 +9,7 @@ _install_ansible_requirements: - 'ansible<9' - 'openstacksdk' + - 'rackspaceauth' - name: Add ARA to defaults if enabled when: install_ansible_ara_enable diff --git a/playbooks/templates/clouds/bridge_all_clouds.yaml.j2 b/playbooks/templates/clouds/bridge_all_clouds.yaml.j2 index 499ac6f3fe..24b6e253c2 100644 
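Review bot: The added `"rackspaceauth",` entry in `dependencies` carries no version specifier, while the two entries above it are bounded (`openstacksdk>=0.103`, `python-cinderclient<8`). This plugin sits in the authentication path and will handle the Rackspace API key, so any new release would be pulled in unreviewed on the next install. Consider constraining it to the release that was actually tested, e.g. `"rackspaceauth==<tested-version>",` (placeholder value), or covering it with a hash-checked constraints file if the project uses one. The same unconstrained addition appears as `- 'rackspaceauth'` in `_install_ansible_requirements` in playbooks/roles/install-ansible/tasks/main.yaml, where the neighbouring `'openstacksdk'` is likewise unpinned.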
--- a/playbooks/templates/clouds/bridge_all_clouds.yaml.j2
+++ b/playbooks/templates/clouds/bridge_all_clouds.yaml.j2
@@ -34,6 +34,42 @@ clouds:
 username: '{{ clouds.openstackci_ovh_username }}'
 password: '{{ clouds.openstackci_ovh_password }}'
 project_name: '{{ clouds.openstackci_ovh_project_name }}'
+ opendevci-rax:
+ regions:
+ - name: DFW
+ values:
+ block_storage_endpoint_override: 'https://dfw.blockstorage.api.rackspacecloud.com/v2/'
+ - name: ORD
+ values:
+ block_storage_endpoint_override: 'https://ord.blockstorage.api.rackspacecloud.com/v2/'
+ - name: IAD
+ values:
+ block_storage_endpoint_override: 'https://iad.blockstorage.api.rackspacecloud.com/v2/'
+ profile: rackspace
+ auth:
+ username: '{{ clouds.opendevci_rax_username }}'
+ api_key: '{{ clouds.opendevci_rax_key }}'
+ project_id: '{{ clouds.opendevci_rax_project_id }}'
+ auth_type: 'rackspace_apikey'
+ volume_api_version: 2
+ opendevzuul-rax:
+ regions:
+ - name: DFW
+ values:
+ block_storage_endpoint_override: 'https://dfw.blockstorage.api.rackspacecloud.com/v2/'
+ - name: ORD
+ values:
+ block_storage_endpoint_override: 'https://ord.blockstorage.api.rackspacecloud.com/v2/'
+ - name: IAD
+ values:
+ block_storage_endpoint_override: 'https://iad.blockstorage.api.rackspacecloud.com/v2/'
+ profile: rackspace
+ auth:
+ username: '{{ clouds.opendevzuul_rax_username }}'
+ api_key: '{{ clouds.opendevzuul_rax_key }}'
+ project_id: '{{ clouds.opendevzuul_rax_project_id }}'
+ auth_type: 'rackspace_apikey'
+ volume_api_version: 2
 openstackci-rax:
 regions:
 - name: DFW
diff --git a/playbooks/templates/clouds/nodepool_clouds.yaml.j2 b/playbooks/templates/clouds/nodepool_clouds.yaml.j2
index 030c32ddbb..6b851280fb 100644
--- a/playbooks/templates/clouds/nodepool_clouds.yaml.j2
+++ b/playbooks/templates/clouds/nodepool_clouds.yaml.j2
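Review bot: The new `opendevci-rax` and `opendevzuul-rax` entries carry no comment saying how they relate to the password-based entries that follow (`openstackci-rax` is visible as context), so nothing in the file tells a later reader which entries are meant to be removed after the MFA switch described in the commit message. A one-line comment above each, such as `# API-key auth (rackspace_apikey); password-based *-rax entries go away once MFA is enforced`, would record that. Because the `api_key` values are intended to keep working once MFA is enabled, they act as long-lived credentials outside the MFA control; it is worth confirming that the task rendering this template writes the file with owner-only permissions and that key rotation is planned, neither of which is visible in this hunk. The three-entry `regions:` list is also repeated verbatim in both new entries, and the `openstackci-rax` entry continues past the end of the hunk.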
@@ -17,6 +17,35 @@ cache:
 port: 5
 floating-ip: 5
 clouds:
+ rackspace:
+ profile: rackspace
+ regions:
+ - name: DFW
+ values:
+ block_storage_endpoint_override: 'https://dfw.blockstorage.api.rackspacecloud.com/v2/'
+ metrics:
+ statsd:
+ prefix: 'nodepool.task.rackspace-dfw'
+ - name: ORD
+ values:
+ block_storage_endpoint_override: 'https://ord.blockstorage.api.rackspacecloud.com/v2/'
+ metrics:
+ statsd:
+ prefix: 'nodepool.task.rackspace-ord'
+ - name: IAD
+ values:
+ block_storage_endpoint_override: 'https://iad.blockstorage.api.rackspacecloud.com/v2/'
+ metrics:
+ statsd:
+ prefix: 'nodepool.task.rackspace-iad'
+ api_timeout: 60
+ auth:
+ username: '{{ nodepool_rackspace_username }}'
+ api_key: '{{ nodepool_rackspace_key }}'
+ project_id: '{{ nodepool_rackspace_project }}'
+ auth_type: 'rackspace_apikey'
+ force_ipv4: true
+ volume_api_version: 2
 rax:
 profile: rackspace
 regions:
diff --git a/playbooks/zuul/templates/group_vars/control-plane-clouds.yaml.j2 b/playbooks/zuul/templates/group_vars/control-plane-clouds.yaml.j2
index 41e7bbfd18..9367a8c2a4 100644
--- a/playbooks/zuul/templates/group_vars/control-plane-clouds.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/control-plane-clouds.yaml.j2
@@ -3,6 +3,12 @@ clouds:
 openstackci_ovh_username: user
 openstackci_ovh_password: password
 openstackci_ovh_project_name: project
+ opendevci_rax_username: user
+ opendevci_rax_key: apikey
+ opendevci_rax_project_id: project
+ opendevzuul_rax_username: user
+ opendevzuul_rax_key: apikey
+ opendevzuul_rax_project_id: project
 openstackci_rax_username: user
 openstackci_rax_password: password
 openstackci_rax_project_id: project
diff --git a/playbooks/zuul/templates/group_vars/nodepool.yaml.j2 b/playbooks/zuul/templates/group_vars/nodepool.yaml.j2
index e3c1a72c90..e7ce310757 100644
--- a/playbooks/zuul/templates/group_vars/nodepool.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/nodepool.yaml.j2
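Review bot: The new `rackspace` cloud in nodepool_clouds.yaml.j2 sets `auth_type: 'rackspace_apikey'`, which depends on the `rackspaceauth` plugin, but this commit adds that package only to launch/pyproject.toml and the install-ansible requirements. Whether the environment that consumes the rendered nodepool clouds file has the plugin installed is not visible here, and without it authentication for this entry would presumably fail, so that is worth confirming before any provider is pointed at `rackspace`. A comment above `auth_type`, such as `# requires the rackspaceauth plugin in the nodepool environment`, would document the dependency. The `rax` entry shown as trailing context continues outside the hunk.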
@@ -30,6 +30,7 @@ zuul_worker_ssh_private_key_contents: |
 -----END OPENSSH PRIVATE KEY-----
 # Necessary for fake clouds.yaml to be written
 nodepool_rackspace_username: user
+nodepool_rackspace_key: apikey
 nodepool_rackspace_password: password
 nodepool_rackspace_project: project
 nodepool_ovh_username: user