Role - tripleo-keystone-resources

Role Documentation

Welcome to the “tripleo-keystone-resources” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “tripleo-keystone-resources” role.

# All variables intended for modification should be placed in this file.
tripleo_keystone_resources_hide_sensitive_logs: '{{ hide_sensitive_logs | default(true)
  }}'
tripleo_keystone_resources_debug: '{{ ((ansible_verbosity | int) >= 2) | bool }}'

# All variables within this role should have a prefix of "tripleo_keystone_resources"
tripleo_keystone_resources_cloud_name: openstack
tripleo_keystone_resources_cloud_config: {}
tripleo_keystone_resources_clouds_file_path: /etc/openstack/clouds.yaml
tripleo_keystone_resources_clouds_file_owner: root
tripleo_keystone_resources_clouds_file_group: root
tripleo_keystone_resources_clouds_file_mode: '0644'
tripleo_keystone_resources_catalog_config: {}
tripleo_keystone_resources_member_role_enabled: false
tripleo_keystone_resources_batch: 10

Molecule Scenarios

Molecule is being used to test the “tripleo-keystone-resources” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default

Driver: delegated
Molecule Options
managed: false
login_cmd_template: >-
  ssh
  -o UserKnownHostsFile=/dev/null
  -o StrictHostKeyChecking=no
  -o Compression=no
  -o TCPKeepAlive=yes
  -o VerifyHostKeyDNS=no
  -o ForwardX11=no
  -o ForwardAgent=no
  {instance}
ansible_connection_options:
  ansible_connection: ssh
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example default playbook
- name: Converge
  hosts: all
  become: true
  tasks:
  - name: Create openstack directory
    become: true
    file:
      path: /etc/openstack
      state: directory
  - name: Configure /etc/openstack/clouds.yaml
    include_role:
      name: tripleo-keystone-resources
      tasks_from: clouds
    vars:
      tripleo_keystone_resources_cloud_name: openstack
      tripleo_keystone_resources_cloud_config:
        auth:
          auth_url: http://localhost:5000/
          project_name: admin
          username: admin
          password: ADMIN_PASS
          project_domain_id: default
          user_domain_id: default
        identity_api_version: 3
        region_name: RegionOne
  - name: Create keystone admin resources
    include_role:
      name: tripleo-keystone-resources
      tasks_from: admin
    vars:
      tripleo_keystone_resources_cloud_name: openstack
      tripleo_keystone_resources_region: RegionOne
      tripleo_keystone_resources_admin_password: ADMIN_PASS
      tripleo_keystone_resources_admin_endpoint: http://localhost:35357
      tripleo_keystone_resources_internal_endpoint: http://localhost:5000
      tripleo_keystone_resources_public_endpoint: http://localhost:5000

Usage

This Ansible role allows to do the following tasks:

  • Manage /etc/openstack/clouds.yaml in order to configure openstacksdk. If /etc/openstack/clouds.yaml already exists with some config, the role will only add new config without removing what was there before; however it will modify an existing config if it changed. Example: “undercloud” cloud is already configured in clouds.yaml and a new “overcloud” config is given to the role. clouds.yaml will now contain both configs. However if a new config is given later for “undercloud” and/or “overcloud”, with e.g. new credentials, the configs will be updated accordingly. The task has two parameters: tripleo_keystone_resources_cloud_name which is the name of the cloud and tripleo_keystone_resources_cloud_config which is the cloud config, defined by openstacksdk. Here is an example of a task which would configure the “overcloud” cloud in clouds.yaml:

- name: Configure /etc/openstack/clouds.yaml
  include_role:
    name: tripleo-keystone-resources
    tasks_from: clouds
  vars:
    tripleo_keystone_resources_cloud_name: overcloud
    tripleo_keystone_resources_cloud_config:
      auth:
        auth_url: https://keystone-public:5000
        password: verysecrete
        project_domain_name: Default
        project_name: admin
        user_domain_name: Default
        username: admin
      identity_api_version: '3'
      region_name: RegionOne
  • Manage Keystone resources like: projects, domains, services, endpoints, roles, users and roles assignements. The resources are split by playbook, so they can be individually used. The main playbook will call them all, by starting with the admin playbook which manages things like: default domain, admin and service projects, admin role and _member_ role if tripleo_keystone_resources_member_role_enabled is set to true (needed by Horizon), admin user and its assignements to the roles, identity service and the three endpoints (public, internal and admin). The rest of the main playbook will create the resources according to what is defined in tripleo_keystone_resources_catalog_config. The tripleo_keystone_resources_catalog_config interface is documented later in this manual. The Keystone resources are created by using the OpenStack Ansible modules, and therefore the openstacksdk. To make it faster, we use async and batch the data by 10. It can be changed with tripleo_keystone_resources_batch. Here is an example of a task which would configure the Keystone resources (with an small example of catalog config with only Neutron resources):

- name: Manage Keystone resources for OpenStack services
  include_role:
    name: tripleo-keystone-resources
  vars:
    tripleo_keystone_resources_catalog_config:
      neutron:
        endpoints:
          public: https://neutron-admin:9696
          internal: https://neutron-admin:9696
          admin: https://neutron-admin:9696
        users:
          neutron:
            password: secrete_neutron
        region: RegionOne
        service: 'network'
    tripleo_keystone_resources_service_project: 'service'
    tripleo_keystone_resources_cloud_name: overcloud
    tripleo_keystone_resources_region: RegionOne
    tripleo_keystone_resources_admin_endpoint: https://keystone-admin:35357
    tripleo_keystone_resources_public_endpoint: https://keystone-public:5000
    tripleo_keystone_resources_internal_endpoint: https://keystone-internal:500
    tripleo_keystone_resources_admin_password: verysecrete

Roles variables

Name

Default Value

Description

tripleo_keystone_resources_cloud_name

openstack

OpenStack cloud name

tripleo_keystone_resources_cloud_config

{}

OpenStack Cloud config

tripleo_keystone_resources_clouds_file_path

/etc/openstack/clouds.yaml

File path for clouds.yaml

tripleo_keystone_resources_clouds_file_owner

root

File owner for clouds.yaml

tripleo_keystone_resources_clouds_file_group

root

File group for clouds.yaml

tripleo_keystone_resources_clouds_file_mode

‘0600’

File mode for clouds.yaml

tripleo_keystone_resources_catalog_config

{}

Cloud catalog config

tripleo_keystone_resources_member_role_enabled

false

Manage _member_ role

tripleo_keystone_resources_batch

10

How many Keystone resources do we manage at the same time

Keystone resources catalog config

The tripleo_keystone_resources_catalog_config parameter defines the Keystone resources that we want to create.

The data type has to be a dictionary where:

  • The (required) key is the service name and must be unique in the deployment.

  • The (optional) endpoints contains three keys: public, internal and admin; which define each endpoint type.

  • The (optional) users contains the users required by the service. Most of the services will have one defined user with its password but a second user or more can be provided with specific roles and domain. If a user has multiple roles, the user role assignment will be done for each role into either a project (default to service) or a domain if defined.

  • The (required if endpoints are needed) region defines the OpenStack region in which the endpoints are created.

  • The (required if endpoints are needed) service defines the service type name for the service that is deployed. Note that it’s important to read the service documentation to know what service type should be used, or the service won’t be discoverable by OpenStack clients.

  • The (optional) roles is a list that contains the extra roles that will be created.

  • The (optional) domains is a list that contains the extra domains that will be created.

Here is an advanced example for Heat API resources:

keystone_resources:
  heat:
    endpoints:
      public: https://neutron-public:8004
      internal: https://neutron-internal:8004
      admin: https://neutron-admin:8004
    users:
      heat:
        password: secrete_heat
      heat_stack_domain_admin:
        password: secret_heat_domain
        roles:
          - admin
        domain: heat_stack
    region: RegionOne
    service: 'orchestration'
    roles:
      - heat_stack_user
    domains:
      - heat_stack