From da4fd2d6a2e3fdca981babf37ab0f3307ee1eb2a Mon Sep 17 00:00:00 2001 
From: Ilya Popov Date: Sat, 29 May 2021 22:17:20 +0300 Subject: [PATCH] Extra var ironic_enable_keystone_integration added. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Basically, there are three main installation scenarios: Scenario 1: Ironic installation together with other openstack services including keystone. In this case variable enable_keystone is set to true and keystone service will be installed together with ironic installation. It is possible to realise this scenario, no fix needed. Scenario 2: Ironic installation with connection to already installed keystone. In this scenario we have to set enable_keystone to “No” to prevent a new keystone service from being installed during the ironic installation process. On the other hand, we need to have correct sections in ironic.conf to provide all information needed to connect to existing keystone. But all sections for keystone are added to ironic.conf only if enable_keystone var is set to “Yes”. It isn’t possible to realise this scenario. The proposed fix provides support for this scenario, where multiple regions share the same keystone service. Scenario 3: No keystone integration. Ironic doesn't connect to Keystone. It is possible to realise this scenario, no fix needed. The proposed solution also keeps the default behaviour: if enable_keystone_integration is not manually defined, it takes the value of the enable_keystone variable by default and all behaviour is the same. But if we don't want to install keystone and want to connect to an existing one at the same time, it will be possible to set enable_keystone var to “No” (preventing keystone from being installed) and at the same time set ironic_enable_keystone_integration to Yes to allow the needed sections to appear in ironic.conf through templating.
Change-Id: I0c7e9a28876a1d4278fb2ed8555c2b08472864b9
---
 ansible/roles/ironic/defaults/main.yml | 1 +
 ansible/roles/ironic/templates/ironic.conf.j2 | 8 +++---
 .../reference/bare-metal/ironic-guide.rst | 22 +++++++++++++++++++
 ...emplate-for-keystone-1ee5f80fda7a21a0.yaml | 7 ++++++
 4 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index 900f7f5b76..275378d71e 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -288,6 +288,7 @@ ironic_enabled_notification_topics: "{{ ironic_notification_topics | selectattr(
 ####################
 # Keystone
 ####################
+ironic_enable_keystone_integration: "{{ enable_keystone | bool }}"
 ironic_ks_services:
 - name: "ironic"
 type: "baremetal"
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
index f385fdc812..9b7de4d5c2 100644
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -6,7 +6,7 @@
 # suppressed by the deployer by setting a value for the option.
 [DEFAULT]
-{% if not enable_keystone | bool %}
+{% if not ironic_enable_keystone_integration | bool %}
 auth_strategy = noauth
 {% endif %}
 debug = {{ ironic_logging_debug }}
@@ -52,7 +52,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
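Review bot: The new default `ironic_enable_keystone_integration` in the `@@ -288,6` hunk has no comment, although the template hunks in this patch show that it now decides whether ironic.conf is rendered with keystone auth sections or with `auth_strategy = noauth`. A comment above it would make that consequence visible to anyone overriding it, for example `# Render keystone auth sections in ironic.conf. Defaults to enable_keystone; when false the template emits auth_strategy = noauth.` The `ironic_ks_services` list that follows continues outside the hunk, so whether service registration also needs to honour the new flag cannot be judged from here.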
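Review bot: In the `[DEFAULT]` hunk at `@@ -6,7` the only alternative to keystone is still `auth_strategy = noauth`, so in the external-keystone scenario this commit targets, a deployer who sets `enable_keystone: "no"` but omits `ironic_enable_keystone_integration: "yes"` gets an Ironic API that performs no authentication, and nothing in the rendered file flags it. That fallback predates this patch, but the two-variable setup gives it a new way to happen by omission. Consider a precheck that fails or warns when the flag resolves to false without an explicit opt-in, or at minimum mark the branch in the template with `{# rendered only when keystone integration is off: the API then performs no authentication #}`. The same condition gates the `[keystone_authtoken]` hunk at `@@ -52,7`, whose section body continues outside the hunk.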
@@ -143,7 +143,7 @@ cafile = {{ openstack_cacert }}
 {% endif %}
 [inspector]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
@@ -160,7 +160,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% endif %}
 [service_catalog]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst
index 8add19ed96..b9c893211c 100644
--- a/doc/source/reference/bare-metal/ironic-guide.rst
+++ b/doc/source/reference/bare-metal/ironic-guide.rst
@@ -106,6 +106,28 @@ enabled_boot_interfaces`` option in ``/etc/kolla/config/ironic.conf``:
 [DEFAULT]
 enabled_boot_interfaces = ipxe
+Attach ironic to external keystone (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In :kolla-ansible-doc:`multi-regional ` deployment
+keystone could be installed in one region (let's say region 1) and ironic -
+in another region (let's say region 2). In this case we don't install keystone
+together with ironic in region 2, but have to configure ironic to connect to
+existing keystone in region 1. To deploy ironic in this way we have to set
+variable ``enable_keystone`` to ``"no"``.
+
+.. code-block:: yaml
+
+ enable_keystone: "no"
+
+It will prevent keystone from being installed in region 2.
+
+To add keystone-related sections in ironic.conf, it is also needed to set
+variable ``ironic_enable_keystone_integration`` to ``"yes"``
+
+.. code-block:: yaml
+
+ ironic_enable_keystone_integration: "yes"
+
 Deployment
 ~~~~~~~~~~
 Run the deploy as usual:
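Review bot: The `[inspector]` hunk at `@@ -143,7` and the `[service_catalog]` hunk at `@@ -160,7` switch Ironic's client-side auth to `ironic_enable_keystone_integration`, but the patch only touches the ironic role, so any peer configuration that still tests `enable_keystone` would keep its old behaviour. Whether the ironic-inspector side has such a check is not visible here. If it does, then with `enable_keystone: "no"` and the new flag set to `"yes"`, Ironic would present keystone credentials to a service that may itself be rendered without authentication, leaving part of the bare-metal control plane unauthenticated. It is worth confirming which other templates gate Ironic-related auth on `enable_keystone`, then either moving them to the new variable or stating the limitation in ironic-guide.rst. Both section bodies continue outside the hunks.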
diff --git a/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
new file mode 100644
index 0000000000..002f3990e2
--- /dev/null
+++ b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ New variable ``ironic_enable_keystone_integration`` was added.
+ It helps to add keystone connection information into
+ ``ironic.conf`` if we want to connect to existing keystone
+ (not installing it at the same time).