diff --git a/overcloud-deploy.sh b/overcloud-deploy.sh index 514d688..5c53736 100755 --- a/overcloud-deploy.sh +++ b/overcloud-deploy.sh @@ -74,10 +74,12 @@ if [ -d patches/puppet-modules ]; then echo "uploading puppet modules..." upload-swift-artifacts \ -f puppet-modules.tar.gz \ - --environment $PWD/templates/local_deploy.yaml + --environment $PWD/templates/puppet_modules.yaml sed -i s/DeployArtifactURLs/PuppetModuleUrls/ \ - $PWD/templates/local_deploy.yaml + $PWD/templates/puppet_modules.yaml + + deploy_args+=(-e $PWD/templates/puppet_modules.yaml) fi if [ -f local_deploy_config.sh ]; then diff --git a/scripts/restart-haproxy b/scripts/restart-haproxy new file mode 100755 index 0000000..ec1436c --- /dev/null +++ b/scripts/restart-haproxy @@ -0,0 +1,7 @@ +#!/usr/bin/ansible-playbook + +- hosts: controller + tasks: + - shell: >- + docker container ls -q --filter name=haproxy | + xargs -ICID docker restart CID diff --git a/scripts/restart-keystone b/scripts/restart-keystone new file mode 100755 index 0000000..5bb1ecd --- /dev/null +++ b/scripts/restart-keystone @@ -0,0 +1,6 @@ +#!/usr/bin/ansible-playbook + +- hosts: controller + tasks: + - shell: >- + docker restart keystone diff --git a/templates/deploy.yaml b/templates/deploy.yaml index 2af0c01..0b8eaa0 100644 --- a/templates/deploy.yaml +++ b/templates/deploy.yaml @@ -1,4 +1,16 @@ --- +resource_registry: + + # These lines activate our network interface configuration files. + # Notice that because we are using pre-provisioned servers, our + # roles are named ComputeDeployedServer and + # ControllerDeployedServer, rather than Compute and Controller. + OS::TripleO::ComputeDeployedServer::Net::SoftwareConfig: + network/config/compute.yaml + OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: + network/config/controller.yaml + OS::TripleO::NodeExtraConfigPost: extraconfig.yaml + parameter_defaults: # The CloudName is used in public API endpoints. 
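Review bot: The added `deploy_args+=(-e $PWD/templates/puppet_modules.yaml)` leaves `$PWD` unquoted, as do the renamed `--environment $PWD/...` and `sed -i ... $PWD/...` lines above it, so a checkout path containing whitespace or glob characters splits into several array elements and arguments. Quote the expansion on all three: `deploy_args+=(-e "$PWD/templates/puppet_modules.yaml")`. The `sed -i` rewrites the file after `upload-swift-artifacts` has presumably written it, so the environment file handed to `-e` is the renamed-key version; a one-line comment such as `# rename the artifact-URL key so the tarball is applied as puppet modules rather than a generic deploy artifact` would save the next reader from working that out from the sed pattern.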
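Review bot: `docker container ls -q --filter name=haproxy` matches any container whose name merely contains `haproxy`, so the `xargs ... docker restart` in the new restart-haproxy playbook restarts every such container rather than a single known one. If that is intended, say so with a comment above the task; otherwise anchor the filter, e.g. `--filter 'name=^/haproxy$'` (the name filter accepts a regex in current Docker releases, which is worth confirming against the version deployed). If haproxy on these controllers is managed by a cluster manager rather than plain Docker, restarting it behind the manager's back may be reverted or reported as a failure; that caveat belongs in the same comment.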
@@ -216,5 +228,9 @@ parameter_defaults: KeystoneIdentityProviders: moc: remote_id: https://sso.massopen.cloud/auth/realms/moc - rules: {get_file: ./rules.json} + rules: + - local: + - user: {name: '{0}'} + remote: + - {type: OIDC-preferred_username} protocol: openid diff --git a/templates/extraconfig.yaml b/templates/extraconfig.yaml index e97f902..f5bd9a1 100644 --- a/templates/extraconfig.yaml +++ b/templates/extraconfig.yaml @@ -6,9 +6,12 @@ parameters: type: json FloatingNetworkVlanID: type: string + KeystoneIdentityProviders: + type: json + default: {} resources: - ExtraConfig: + FinishNetworkConfig: type: OS::Heat::SoftwareConfig properties: group: script 
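Review bot: The inlined mapping in the `rules:` block keys the federated identity on `OIDC-preferred_username`, but OpenID Connect explicitly says a relying party must not rely on `preferred_username` being unique, and an IdP may let it change or be reassigned, in which case a different person inherits the Keystone user and any roles granted to it. The stable identifier is the `sub` claim, so a safer rule uses it for the identity and keeps the username only for display, e.g. `- user: {id: '{0}', name: '{1}'}` with `remote: [{type: OIDC-sub}, {type: OIDC-preferred_username}]`. How Keystone derives the user's ID when only `name` is given should be checked against the mapping documentation for the deployed release; either way a short comment recording why `preferred_username` was chosen would help the next maintainer.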
@@ -40,17 +43,149 @@ resources: params: "@VLANID@": {get_param: FloatingNetworkVlanID} - ExtraDeployments: + FinishNetworkDeployments: type: OS::Heat::SoftwareDeploymentGroup properties: servers: {get_param: servers} - config: {get_resource: ExtraConfig} + config: {get_resource: FinishNetworkConfig} actions: ['CREATE'] -outputs: - deploy_status_code: - value: {get_attr: [ExtraDeployments, deploy_status_codes]} - deploy_stdouts: - value: {get_attr: [ExtraDeployments, deploy_stdouts]} - deploy_stderrs: - value: {get_attr: [ExtraDeployments, deploy_stderrs]} + KeystoneFederationConfig: + type: OS::Heat::SoftwareConfig + properties: + group: ansible + inputs: + - name: keystone_identity_providers + config: | + - hosts: localhost + connection: local + tasks: + # We want this script to run once on one of the + # controllers. We first check to see if we're running on + # the bootstrap node, but this is only unique per role + # (so, e.g., there will be a bootstrap node for the + # compute services as well). + - name: get bootstrap nodeid + command: hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid + register: bootstrap_node + + # In order to identify whether or not we're running on a + # controller, we look at the list of active service names. + - name: get service names + command: hiera -c /etc/puppet/hiera.yaml service_names + register: service_names + + - set_fact: + is_bootstrap_node: >- + {{ bootstrap_node.stdout|lower == ansible_hostname|lower }} + has_keystone: >- + {{ 'keystone' in service_names.stdout|from_json }} + + # We only run the remainder of this playbook if this is a + # bootstrap node *and* it is running keystone. 
+ - when: is_bootstrap_node and has_keystone + block: + - name: create temporary directory + command: "mktemp -td federationXXXXXX" + register: tempdir + + - name: get keystone admin password + command: hiera -c /etc/puppet/hiera.yaml keystone::admin_password + register: keystone_admin_password + + - name: get keystone internal endpoint + command: hiera -c /etc/puppet/hiera.yaml keystone::endpoint::internal_url + register: keystone_endpoint_internal + + - name: get keystone region + command: hiera -c /etc/puppet/hiera.yaml keystone::endpoint::region + register: keystone_region + + - name: write mapping rules to tempdir + copy: + dest: "{{ tempdir.stdout }}/rules-{{ item.key }}.json" + content: "{{ item.value.rules|to_nice_json }}" + with_dict: "{{ keystone_identity_providers }}" + + - file: + path: /etc/openstack + state: directory + owner: root + group: root + mode: 0700 + + - copy: + dest: /etc/openstack/clouds.yaml + owner: root + group: root + mode: "0600" + content: |- + clouds: + overcloud: + auth: + username: admin + project_name: admin + password: "{{ keystone_admin_password.stdout }}" + auth_url: "{{ keystone_endpoint_internal.stdout }}" + region: "{{ keystone_region.stdout }}" + identity_api_version: 3 + + - name: check if identity providers exist + command: >- + openstack --os-cloud overcloud identity provider show {{ item.key }} + ignore_errors: true + with_dict: "{{ keystone_identity_providers }}" + register: providers + + - name: create identity providers + command: >- + openstack --os-cloud overcloud identity provider create + --remote-id {{ item.item.value.remote_id }} {{ item.item.key }} + when: item is failed + with_items: "{{ providers.results }}" + + - name: check if mapping exists + command: >- + openstack --os-cloud overcloud mapping show {{ item.key }}-mapping + ignore_errors: true + with_dict: "{{ keystone_identity_providers }}" + register: mappings + + - name: create mapping + command: >- + openstack --os-cloud overcloud mapping create + 
--rules "{{ tempdir.stdout }}/rules-{{ item.item.key }}.json" + {{ item.item.key }}-mapping + when: item is failed + with_items: "{{ mappings.results }}" + + - name: check if federation protocol exists + command: >- + openstack --os-cloud overcloud federation protocol show + --identity-provider {{ item.key }} {{ item.value.protocol }} + ignore_errors: true + with_dict: "{{ keystone_identity_providers }}" + register: protocols + + - name: create federation protocol + command: >- + openstack --os-cloud overcloud federation protocol + create {{ item.item.value.protocol }} + --mapping {{ item.item.key }}-mapping + --identity-provider {{ item.item.key }} + when: item is failed + with_items: "{{ protocols.results }}" + always: + - file: + path: "{{ tempdir.stdout }}" + state: absent + ignore_errors: true + + KeystoneFederationDeployments: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: servers} + config: {get_resource: KeystoneFederationConfig} + actions: ['CREATE'] + input_values: + keystone_identity_providers: {get_param: KeystoneIdentityProviders} diff --git a/templates/services.yaml b/templates/services.yaml index f492579..958d31e 100644 --- a/templates/services.yaml +++ b/templates/services.yaml 
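Review bot: The `get keystone admin password` task registers the admin password as command output and the following `copy` writes it into `/etc/openstack/clouds.yaml`, and neither task sets `no_log`, so the secret can surface in Ansible output and, through the ansible hook, in Heat's deployment stdout/stderr; add `no_log: true` to both tasks. The `always:` block removes the temporary rules directory but leaves `clouds.yaml` with the admin credential on the controller permanently; if that file is meant as a standing admin credential store, say so in a comment, otherwise remove it in `always` alongside the tempdir. The `file` task creating `/etc/openstack` uses `mode: 0700` unquoted while the `copy` task uses `mode: "0600"`; both work, but quoting the first keeps the hunk consistent and avoids the octal-vs-decimal confusion Ansible warns about. The hunk opens inside the `FinishNetworkConfig` resource, whose start is outside the hunk.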
@@ -1,19 +1,9 @@ --- resource_registry: - # These lines activate our network interface configuration files. - # Notice that because we are using pre-provisioned servers, our - # roles are named ComputeDeployedServer and - # ControllerDeployedServer, rather than Compute and Controller. - OS::TripleO::ComputeDeployedServer::Net::SoftwareConfig: - network/config/compute.yaml - OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: - network/config/controller.yaml - OS::TripleO::NodeExtraConfigPost: extraconfig.yaml OS::Tripleo::Services::PatchPuppetModules: ./services/patch-puppet-modules.yaml - OS::Tripleo::Services::ConfigureKeystoneFederation: - ./services/configure-keystone-federation.yaml + OS::Tripleo::Services::ConfigureKeystoneFederation: OS::Heat::None parameter_defaults: ControllerDeployedServerServices: @@ -72,7 +62,6 @@ parameter_defaults: - OS::TripleO::Services::Keepalived - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - - OS::Tripleo::Services::ConfigureKeystoneFederation - OS::TripleO::Services::ManilaApi - OS::TripleO::Services::ManilaBackendCephFs - OS::TripleO::Services::ManilaBackendIsilon diff --git a/templates/services/configure-keystone-federation.yaml b/templates/services/configure-keystone-federation.yaml deleted file mode 100644 index 452fe23..0000000 --- a/templates/services/configure-keystone-federation.yaml +++ /dev/null 
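Review bot: The new `OS::Tripleo::Services::ConfigureKeystoneFederation: OS::Heat::None` registry entry is dead once the second hunk drops the same service from `ControllerDeployedServerServices`, so nothing references the mapping any more. Either delete the line or, if it is kept so that older environment files naming that service still resolve, add a comment saying so, e.g. `# kept as OS::Heat::None so environments that still list this service resolve; federation is now configured from extraconfig.yaml` (the last part is an inference from the rest of the commit and worth confirming).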
@@ -1,157 +0,0 @@ ---- -heat_template_version: pike - -description: > - Configure federation resources in Keystone - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - AdminPassword: - description: The password for the keystone admin account, used for monitoring, querying neutron etc. 
- type: string - hidden: true - - KeystoneIdentityProviders: - type: json - default: {} - -outputs: - role_data: - description: Role data for the ConfigureKeystoneFederation service - value: - service_name: configure-keystone-federation - host_prep_tasks: - - name: get list of identity providers - set_fact: - keystone_identity_providers: {get_param: KeystoneIdentityProviders} - - - name: get bootstrap nodeid - command: hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid - register: bootstrap_node_cmd - - - set_fact: - is_bootstrap_node: bootstrap_node_cmd.stdout|lower == ansible_hostname|lower - - - when: is_bootstrap_node - block: - - name: create temporary directory - command: "mktemp -td federationXXXXXX" - register: tempdir - - - name: get keystone admin password - command: hiera -c /etc/puppet/hiera.yaml keystone::admin_password - register: keystone_admin_password - - - name: get keystone internal endpoint - command: hiera -c /etc/puppet/hiera.yaml keystone::endpoint::internal_url - register: keystone_endpoint_internal - - - name: get keystone region - command: hiera -c /etc/puppet/hiera.yaml keystone::endpoint::region - register: keystone_region - - - name: write mapping rules to tempdir - copy: - dest: "{{ tempdir.stdout }}/rules-{{ item.key }}.json" - content: "{{ item.value.rules|to_nice_json }}" - with_dict: "{{ keystone_identity_providers }}" - - - file: - path: /etc/openstack - state: directory - - - copy: - dest: /etc/openstack/clouds.yaml - owner: root - group: root - mode: "0600" - content: |- - clouds: - overcloud: - auth: - username: admin - project_name: admin - password: "{{ keystone_admin_password.stdout }}" - auth_url: "{{ keystone_endpoint_internal.stdout }}" - region: "{{ keystone_region.stdout }}" - identity_api_version: 3 - - - name: check if identity providers exist - command: >- - openstack --os-cloud overcloud identity provider show {{ item.key }} - ignore_errors: true - with_dict: "{{ keystone_identity_providers }}" - register: providers - 
- - name: create identity providers - command: >- - openstack --os-cloud overcloud identity provider create - --remote-id {{ item.item.value.remote_id }} {{ item.item.key }} - when: item|failed - with_items: "{{ providers.results }}" - - - name: check if mapping exists - command: >- - openstack --os-cloud overcloud mapping show {{ item.key }}-mapping - ignore_errors: true - with_dict: "{{ keystone_identity_providers }}" - register: mappings - - - name: create mapping - command: >- - openstack --os-cloud overcloud mapping create - --rules "{{ tempdir }}/rules-{{ item.item.key }}.json" - {{ item.item.key }}-mapping - when: item|failed - with_items: "{{ mappings.results }}" - - - name: check if federation protocol exists - command: >- - openstack --os-cloud overcloud federation protocol show - --identity-provider {{ item.key }} {{ item.value.protocol }} - ignore_errors: true - with_dict: "{{ keystone_identity_providers }}" - register: protocols - - - name: create federation protocol - command: >- - openstack federation protocol create {{ item.item.value.protocol }} - --mapping {{ item.item.key }}-mapping - --identity-provider {{ item.item.key }} - when: item|failed - with_items: "{{ protocols.results }}" - always: - - file: - path: "{{ tempdir.stdout }}" - state: absent - ignore_errors: true