diff --git a/ansible/baremetal-compute-inspect.yml b/ansible/baremetal-compute-inspect.yml index 74734bad1..2f70d1d32 100644 --- a/ansible/baremetal-compute-inspect.yml +++ b/ansible/baremetal-compute-inspect.yml @@ -37,6 +37,7 @@ auth_type: "{{ openstack_auth_type }}" auth: "{{ openstack_auth }}" cacert: "{{ openstack_cacert | default(omit, true) }}" + interface: "{{ openstack_interface | default(omit, true) }}" name: "{{ inventory_hostname }}" timeout: "{{ baremetal_compute_timeout }}" wait: "{{ baremetal_compute_wait }}" diff --git a/ansible/baremetal-compute-manage.yml b/ansible/baremetal-compute-manage.yml index a17636923..5668a2c58 100644 --- a/ansible/baremetal-compute-manage.yml +++ b/ansible/baremetal-compute-manage.yml @@ -35,6 +35,7 @@ os_ironic_state_auth_type: "{{ openstack_auth_type }}" os_ironic_state_auth: "{{ openstack_auth }}" os_ironic_state_cacert: "{{ openstack_cacert }}" + os_ironic_state_interface: "{{ openstack_interface }}" os_ironic_state_name: "{{ inventory_hostname }}" os_ironic_state_provision_state: "manage" os_ironic_state_wait: "{{ baremetal_compute_wait }}" diff --git a/ansible/baremetal-compute-provide.yml b/ansible/baremetal-compute-provide.yml index d8937203f..37a720d44 100644 --- a/ansible/baremetal-compute-provide.yml +++ b/ansible/baremetal-compute-provide.yml @@ -35,6 +35,7 @@ os_ironic_state_auth_type: "{{ openstack_auth_type }}" os_ironic_state_auth: "{{ openstack_auth }}" os_ironic_state_cacert: "{{ openstack_cacert }}" + os_ironic_state_interface: "{{ openstack_interface }}" os_ironic_state_name: "{{ inventory_hostname }}" os_ironic_state_provision_state: "provide" os_ironic_state_wait: "{{ baremetal_compute_wait }}" diff --git a/ansible/group_vars/all/openstack b/ansible/group_vars/all/openstack index e1d61ecef..86bf653e7 100644 --- a/ansible/group_vars/all/openstack +++ b/ansible/group_vars/all/openstack @@ -30,6 +30,9 @@ openstack_auth: # Overcloud CA certificate path. openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}" +# Overcloud interface (public, internal, admin). +openstack_interface: internal + # Overcloud authentication environment variables. These should be compatible # with the openstack client. # By default we pull these from the environment of the shell executing Ansible. diff --git a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml index e86fb38aa..06f6b3a29 100644 --- a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml +++ b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml @@ -130,3 +130,4 @@ ironic_inspector_auth_type: "{{ openstack_auth_type }}" ironic_inspector_auth: "{{ openstack_auth }}" ironic_inspector_cacert: "{{ openstack_cacert }}" + ironic_inspector_interface: "{{ openstack_interface }}" diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml index 20ee45bdd..39b004df1 100644 --- a/ansible/overcloud-introspection-rules.yml +++ b/ansible/overcloud-introspection-rules.yml @@ -64,6 +64,7 @@ ironic_inspector_auth_type: "{{ openstack_auth_type }}" ironic_inspector_auth: "{{ openstack_auth }}" ironic_inspector_cacert: "{{ openstack_cacert }}" + ironic_inspector_interface: "{{ openstack_interface }}" ironic_inspector_rules: "{{ inspector_rules }}" # These variables may be referenced in the introspection rules. inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}" diff --git a/ansible/overcloud-ipa-images.yml b/ansible/overcloud-ipa-images.yml index 2f29a639b..a6015775c 100644 --- a/ansible/overcloud-ipa-images.yml +++ b/ansible/overcloud-ipa-images.yml @@ -107,4 +107,5 @@ ipa_images_openstack_auth: "{{ openstack_auth }}" ipa_images_openstack_auth_env: "{{ openstack_auth_env }}" ipa_images_openstack_cacert: "{{ openstack_cacert }}" + ipa_images_openstack_interface: "{{ openstack_interface }}" ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}" diff --git a/ansible/provision-net.yml b/ansible/provision-net.yml index e910f314a..ba8a5a2a4 100644 --- a/ansible/provision-net.yml +++ b/ansible/provision-net.yml @@ -68,6 +68,7 @@ os_networks_auth_type: "{{ openstack_auth_type }}" os_networks_auth: "{{ openstack_auth }}" os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}" + os_networks_interface: "{{ openstack_interface | default(omit, true) }}" # Network configuration. os_networks: "{{ network_registrations }}" tasks: @@ -96,6 +97,7 @@ auth: "{{ openstack_auth }}" auth_type: "{{ openstack_auth_type }}" cacert: "{{ openstack_cacert | default(omit, true) }}" + interface: "{{ openstack_interface | default(omit, true) }}" name: "{{ provision_net.name }}" register: provisioning_network_facts @@ -112,6 +114,7 @@ auth: "{{ openstack_auth }}" auth_type: "{{ openstack_auth_type }}" cacert: "{{ openstack_cacert | default(omit, true) }}" + interface: "{{ openstack_interface | default(omit, true) }}" name: "{{ cleaning_net.name }}" register: cleaning_network_facts diff --git a/ansible/roles/ipa-images/defaults/main.yml b/ansible/roles/ipa-images/defaults/main.yml index 390a0903d..9f39ca385 100644 --- a/ansible/roles/ipa-images/defaults/main.yml +++ b/ansible/roles/ipa-images/defaults/main.yml @@ -20,6 +20,9 @@ ipa_images_openstack_auth_env: {} # CA certificate path. ipa_images_openstack_caert: +# Interface (public, internal, admin). +ipa_images_openstack_interface: + # Path to directory in which to store downloaded images. ipa_images_cache_path: diff --git a/ansible/roles/ipa-images/tasks/main.yml b/ansible/roles/ipa-images/tasks/main.yml index 09de04046..370e85b48 100644 --- a/ansible/roles/ipa-images/tasks/main.yml +++ b/ansible/roles/ipa-images/tasks/main.yml @@ -71,6 +71,7 @@ auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" + interface: "{{ ipa_images_openstack_interface | default(omit, true) }}" image: "{{ ipa_images_kernel_name }}" - name: Set a fact containing the Ironic Python Agent (IPA) kernel image @@ -82,6 +83,7 @@ auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" + interface: "{{ ipa_images_openstack_interface | default(omit, true) }}" image: "{{ ipa_images_ramdisk_name }}" - name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image @@ -114,6 +116,7 @@ auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" + interface: "{{ ipa_images_openstack_interface | default(omit, true) }}" name: "{{ item.name }}" container_format: "{{ item.format }}" disk_format: "{{ item.format }}" diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml index c4f4dbd52..ead8a96a9 100644 --- a/ansible/roles/ipa-images/tasks/set-driver-info.yml +++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml @@ -5,6 +5,7 @@ auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" + interface: "{{ ipa_images_openstack_interface | default(omit, true) }}" image: "{{ item.name }}" with_items: - name: "{{ ipa_images_kernel_name }}" diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml index 39f5a56bc..64545b517 100644 --- a/ansible/roles/ironic-inspector-rules/defaults/main.yml +++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml @@ -14,6 +14,9 @@ ironic_inspector_auth: {} # CA certificate path. ironic_inspector_cacert: +# Interface (public, internal, admin). +ironic_inspector_interface: + # URL of Ironic Inspector API endpoint. ironic_inspector_url: diff --git a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py index 717148032..7d75c9d78 100644 --- a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py +++ b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py @@ -85,6 +85,7 @@ def _build_client(module): api_version = (1, 14) client = ironic_inspector_client.v1.ClientV1( inspector_url=module.params['inspector_url'], + interface=module.params['interface'], session=session, region_name=module.params['region_name'], api_version=api_version) return client diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml index 1ca8d2dd8..cd9aeb4d1 100644 --- a/ansible/roles/ironic-inspector-rules/tasks/main.yml +++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml @@ -20,6 +20,7 @@ auth_type: "{{ ironic_inspector_auth_type }}" auth: "{{ ironic_inspector_auth }}" cacert: "{{ ironic_inspector_cacert | default(omit, true) }}" + interface: "{{ ironic_inspector_interface | default(omit, true) }}" conditions: "{{ item.conditions }}" actions: "{{ item.actions }}" description: "{{ item.description | default(omit) }}" diff --git a/releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml b/releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml new file mode 100644 index 000000000..7651356c3 --- /dev/null +++ b/releasenotes/notes/fix-post-config-public-eb72f3a692a2be6b.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes an issue where ``kayobe overcloud post configure`` would use the + public OpenStack API interface, which might not be accessible from the + control hosts. See `story 2006814 + `__ for details. diff --git a/requirements.yml b/requirements.yml index fc75de49f..809d5dcab 100644 --- a/requirements.yml +++ b/requirements.yml @@ -32,9 +32,9 @@ - src: stackhpc.os-images version: v1.4.0 - src: stackhpc.os-ironic-state - version: v1.1.0 + version: v1.2.0 - src: stackhpc.os-networks - version: v1.1.0 + version: v1.2.0 - src: stackhpc.os-openstackclient version: v1.3.0 - src: stackhpc.os-shade