Extend ironic formula
Add the possibility to configure the glance section.
Allow installing the ironic API in different modes; for each mode a
different policy.json file is applied:
* deploy - only heartbeat and lookup endpoints are allowed
* public - all except heartbeat and lookup is allowed
* mixed - all is allowed (single node case)
Update message_queue and database addresses
Change-Id: I5d711649d88ad2b185947a1bb423fe5ad81f4c9b
diff --git a/ironic/api.sls b/ironic/api.sls
index 96af429..75a2f25 100644
--- a/ironic/api.sls
+++ b/ironic/api.sls
@@ -21,4 +21,13 @@
- full_restart: true
- watch:
- file: /etc/ironic/ironic.conf
+ - file: /etc/ironic/policy.json
+
+/etc/ironic/policy.json:
+ file.managed:
+ - source: salt://ironic/files/{{ api.version }}/policy.json
+ - template: jinja
+ - require:
+ - pkg: ironic_api_packages
+
{%- endif %}
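Review bot: The new `/etc/ironic/policy.json` state leaves `user`, `group` and `mode` unset, so the file's ownership and permissions are whatever the minion's `file.managed` defaults produce, even though this file decides which API calls are accepted. Pin them explicitly next to the existing `- template: jinja`, e.g. `- user: root`, `- group: ironic`, `- mode: 640` (assuming the ironic packages create an `ironic` group; adjust to the target distro). The service state that owns the `- watch:` block at the top of the hunk starts outside it, so I cannot tell whether `/etc/ironic/ironic.conf` is managed with explicit permissions either; both files should agree.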
diff --git a/ironic/files/newton/ironic.conf b/ironic/files/newton/ironic.conf
index 2a40f9e..bd0281e 100644
--- a/ironic/files/newton/ironic.conf
+++ b/ironic/files/newton/ironic.conf
@@ -117,7 +117,11 @@
# IP address of this host. If unset, will determine the IP
# programmatically. If unable to do so, will use "127.0.0.1".
# (string value)
+{%- if conductor.get('my_ip') %}
+my_ip = {{ conductor.my_ip }}
+{%- else %}
#my_ip = 127.0.0.1
+{%- endif %}
# Specifies the minimum level for which to send notifications.
# If not set, no notifications will be sent. The default is
@@ -1175,7 +1179,11 @@
#allowed_direct_url_schemes =
# Authentication URL (string value)
+{%- if conductor.get('glance', {}).get('auth_strategy') == 'keystone' %}
+auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}/identity
+{%- else %}
#auth_url = <None>
+{%- endif %}
# Authentication strategy to use when connecting to glance.
# (string value)
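Review bot: `auth_url` is built from `conductor.identity.protocol`, `.host` and `.port`, but the branch is guarded only by `conductor.glance.auth_strategy == 'keystone'`; a conductor pillar that defines a `glance` section without an `identity` section fails to render (undefined `conductor.identity`) instead of falling back to the commented default, so the guard should also require `conductor.get('identity')`, or the `glance` section should carry its own `auth_url`. The `/identity` path suffix is hard-coded; since the URL already carries an explicit port, a port-based keystone endpoint is more commonly served at `/v3`, so confirm this matches the deployed identity endpoint or make the path configurable. The same hunk appears in `ironic/files/ocata/ironic.conf` (the `@@ -1473,7 +1477,11 @@` hunk) and needs the same fix.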
@@ -1411,14 +1419,23 @@
#user_domain_id = <None>
# User's domain name (string value)
+{%- if conductor.get('glance', {}).get('user_domain_name') %}
+user_domain_name = {{ conductor.glance.user_domain_name }}
+{%- else %}
#user_domain_name = <None>
+{%- endif %}
+
# User id (string value)
#user_id = <None>
# Username (string value)
# Deprecated group/name - [glance]/user-name
+{%- if conductor.get('glance', {}).get('username') %}
+username = {{ conductor.glance.username }}
+{%- else %}
#username = <None>
+{%- endif %}
[ilo]
diff --git a/ironic/files/newton/policy.json b/ironic/files/newton/policy.json
new file mode 100644
index 0000000..25f2838
--- /dev/null
+++ b/ironic/files/newton/policy.json
@@ -0,0 +1,17 @@
+{%- from "ironic/map.jinja" import api with context %}
+{
+{%- if api.api_type == 'deploy' %}
+{#- This is policy.json for deploy type of API, only heartbeat and lookup allowed #}
+"admin_api": "!",
+"public_api": "is_public_api:True",
+"is_observer": "!",
+"is_admin": "!"
+
+{%- elif api.api_type == 'public' %}
+{#- This is policy.json for public API, block access to paswordless endpoints #}
+
+"public_api": "is_public_api:False"
+
+{%- endif %}
+
+}
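Review bot: The template fails open: any `api.api_type` value other than `deploy` or `public`, including a misspelled pillar value, renders the empty `{}` policy, which is the unrestricted `mixed` behaviour (and `mixed` is also the default this commit adds to `ironic/map.jinja`). Make the permissive case explicit with `{%- elif api.api_type == 'mixed' %}` and let the fall-through branch emit a fully denying rule set, so an unknown mode denies rather than permits (sketch below). In the `public` branch, `"public_api": "is_public_api:False"` inverts the rule instead of disabling it; if any other rule of the targeted release still references `rule:public_api`, non-public requests would now satisfy it, so `"public_api": "!"` states the intent unambiguously — please verify against that release's policy defaults. The Jinja comment in that branch reads `paswordless`; `passwordless`. `ironic/files/ocata/policy.json` is an identical copy and needs the same changes.
```json
{%- elif api.api_type == 'public' %}
{#- … unchanged: public branch … #}
{%- elif api.api_type == 'mixed' %}
{#- Single-node case: no policy overrides #}
{%- else %}
{#- Unknown api_type: deny everything rather than fall back to the unrestricted policy #}
"admin_api": "!",
"public_api": "!",
"is_observer": "!",
"is_admin": "!"
{%- endif %}
```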
diff --git a/ironic/files/ocata/ironic.conf b/ironic/files/ocata/ironic.conf
index 1e2500f..a7d0fe4 100644
--- a/ironic/files/ocata/ironic.conf
+++ b/ironic/files/ocata/ironic.conf
@@ -409,7 +409,11 @@
# IP address of this host. If unset, will determine the IP
# programmatically. If unable to do so, will use "127.0.0.1".
# (string value)
+{%- if conductor.get('my_ip') %}
+my_ip = {{ conductor.my_ip }}
+{%- else %}
#my_ip = 127.0.0.1
+{%- endif %}
# Specifies the minimum level for which to send notifications.
# If not set, no notifications will be sent. The default is
@@ -1473,7 +1477,11 @@
#allowed_direct_url_schemes =
# Authentication URL (string value)
+{%- if conductor.get('glance', {}).get('auth_strategy') == 'keystone' %}
+auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}/identity
+{%- else %}
#auth_url = <None>
+{%- endif %}
# Authentication strategy to use when connecting to glance.
# (string value)
@@ -1709,14 +1717,22 @@
#user_domain_id = <None>
# User's domain name (string value)
+{%- if conductor.get('glance', {}).get('user_domain_name') %}
+user_domain_name = {{ conductor.glance.user_domain_name }}
+{%- else %}
#user_domain_name = <None>
+{%- endif %}
# User id (string value)
#user_id = <None>
# Username (string value)
# Deprecated group/name - [glance]/user-name
+{%- if conductor.get('glance', {}).get('username') %}
+username = {{ conductor.glance.username }}
+{%- else %}
#username = <None>
+{%- endif %}
[ilo]
@@ -2659,7 +2675,11 @@
# 'http://$my_ip:9696' when auth_strategy is 'noauth', and to
# discovery from Keystone catalog when auth_strategy is
# 'keystone'. (string value)
+{%- if conductor.get('neutron', {}).get('url') %}
+url = {{ conductor.neutron.url }}
+{%- else %}
#url = <None>
+{%- endif %}
# Timeout value for connecting to neutron in seconds. (integer
# value)
diff --git a/ironic/files/ocata/policy.json b/ironic/files/ocata/policy.json
new file mode 100644
index 0000000..25f2838
--- /dev/null
+++ b/ironic/files/ocata/policy.json
@@ -0,0 +1,17 @@
+{%- from "ironic/map.jinja" import api with context %}
+{
+{%- if api.api_type == 'deploy' %}
+{#- This is policy.json for deploy type of API, only heartbeat and lookup allowed #}
+"admin_api": "!",
+"public_api": "is_public_api:True",
+"is_observer": "!",
+"is_admin": "!"
+
+{%- elif api.api_type == 'public' %}
+{#- This is policy.json for public API, block access to paswordless endpoints #}
+
+"public_api": "is_public_api:False"
+
+{%- endif %}
+
+}
diff --git a/ironic/map.jinja b/ironic/map.jinja
index 5e17c9b..71344d0 100644
--- a/ironic/map.jinja
+++ b/ironic/map.jinja
@@ -2,6 +2,7 @@
'Common': {
'pkgs': ['ironic-api'],
'service': 'ironic-api',
+ 'api_type': 'mixed',
}
}, base='Common', merge=pillar.ironic.get('api', {})) %}
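Review bot: The new `api_type` default of `mixed` selects the unrestricted policy, and the accepted values are not documented anywhere near the default. Add a comment above the `'Common'` mapping, e.g. `{# api_type: deploy (heartbeat/lookup only), public (everything except heartbeat/lookup), mixed (unrestricted, single-node default) #}`, so operators setting `ironic:api:api_type` in pillar can see what each value means and what the fallback is. The statement that opens this mapping starts before the hunk.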
diff --git a/metadata/service/api/cluster.yml b/metadata/service/api/cluster.yml
index c6a5002..5e07a47 100644
--- a/metadata/service/api/cluster.yml
+++ b/metadata/service/api/cluster.yml
@@ -3,6 +3,7 @@
parameters:
ironic:
api:
+ api_type: ${_param:ironic_api_type}
enabled: true
version: ${_param:ironic_version}
bind:
@@ -15,10 +16,10 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
- host: ${_param:cluster_vip_address}
+ host: ${_param:openstack_message_queue_address}
database:
engine: mysql
- host: ${_param:cluster_vip_address}
+ host: ${_param:openstack_database_address}
port: 3306
name: ironic
user: ironic
diff --git a/metadata/service/api/single.yml b/metadata/service/api/single.yml
index 936f250..3765d85 100644
--- a/metadata/service/api/single.yml
+++ b/metadata/service/api/single.yml
@@ -3,6 +3,7 @@
parameters:
ironic:
api:
+ api_type: 'mixed'
enabled: true
version: ${_param:ironic_version}
bind:
diff --git a/metadata/service/conductor/cluster.yml b/metadata/service/conductor/cluster.yml
index 49360f7..5726304 100644
--- a/metadata/service/conductor/cluster.yml
+++ b/metadata/service/conductor/cluster.yml
@@ -5,16 +5,17 @@
conductor:
enabled: true
version: ${_param:ironic_version}
+ my_ip: ${_param:cluster_baremetal_local_address}
message_queue:
engine: rabbitmq
port: 5672
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
- host: ${_param:cluster_vip_address}
+ host: ${_param:openstack_message_queue_address}
database:
engine: mysql
- host: ${_param:cluster_vip_address}
+ host: ${_param:openstack_database_address}
port: 3306
name: ironic
user: ironic
@@ -32,18 +33,35 @@
project_domain_id: default
protocol: 'http'
neutron:
+ auth_strategy: keystone
+ auth_type: password
cleaning_network: baremetal
provisioning_network: baremetal
project_domain_id: ${ironic:conductor:identity:project_domain_id}
user_domain_id: ${ironic:conductor:identity:user_domain_id}
+ project_name: ${ironic:conductor:identity:tenant}
password: ${ironic:conductor:identity:password}
username: ${ironic:conductor:identity:user}
+ url: http://${_param:neutron_service_host}:9696
+ glance:
+ auth_strategy: 'keystone'
+ auth_type: password
+ host: ${_param:cluster_vip_address}
+ port: 9292
+ region: ${_param:openstack_region}
+ username: glance
+ tenant: service
+ project_name: service
+ project_domain_name: Default
+ user_domain_name: Default
+ password: ${_param:keystone_glance_password}
enabled_drivers:
- agent_ipmitool
+ - pxe_ipmitool
- fake
automated_clean: false
- http_url: 'http://${_param:cluster_vip_address}'
- api_url: 'http://${_param:cluster_vip_address}:6385'
+ http_url: 'http://${_param:cluster_baremetal_local_address}'
+ api_url: 'http://${_param:cluster_vip_baremtal_address}:6385'
pxe_config_template: '$pybasedir/drivers/modules/ipxe_config.template'
pxe_bootfile_name: '/undionly.kpxe'
ipxe_enabled: true
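Review bot: `api_url` on the last changed line references `${_param:cluster_vip_baremtal_address}`, which looks like a misspelling of `cluster_vip_baremetal_address` (compare `cluster_baremetal_local_address` two lines above); unless a parameter with exactly that name is defined, reclass interpolation fails for every conductor node. The new `glance` section authenticates as the `glance` service user with `${_param:keystone_glance_password}`, whereas the `neutron` section right above reuses ironic's own identity (`${ironic:conductor:identity:user}` / `password`); giving the conductor the glance service credentials widens the impact of a conductor compromise and is inconsistent, so consider `username: ${ironic:conductor:identity:user}` and `password: ${ironic:conductor:identity:password}` here as well, with the project/domain values to match. Minor: `neutron.url` hard-codes `http://` while the other endpoints derive their scheme from parameters, and `auth_strategy` is quoted in one section and bare in the other; pick one form.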