
Support the auth type: v3applicationcredential

Open cmoulliard opened this issue 2 years ago • 9 comments

Request

Our openstack playbooks to create/delete a VM use, to access the platform, the auth mode password. While this approach is not bad, it forces us to pass the auth parameters to every task where we access the platform and also to use the snowdrop PSI Team password.

Such a user and password should be mainly used by the Operator in charge of the management of our RHOS PSI instance instead of being used too to create/delete VMs using Ansible playbook.

This is why it should be better to use as auth_type: v3applicationcredential, as such a mode supports using an application id/secret associated to a role, can be rotated, etc. See documentation for more information:

Note: The v3token mode could also be an interesting alternative, but it is not well documented and suffers from many issues such as: Service Catalog is empty, ansifact_facts not supported, etc. if you don't use exactly version x.y.z of Ansible + openstacksdk

If we decide to use it as mode, then several tasks will be required, such as:

  • [ ] Review and document how to generate the Id/Secret, rotate it and what lifecycle should be
  • [ ] Select and define the role to be used by the application credential
  • [ ] Refactor the playbooks to use it as auth_mod
  • [ ] Log on one time instead of having to do it for every task. See: discussion around module_default and group

cmoulliard avatar Jun 14 '23 05:06 cmoulliard

I tried this without success

cat <<EOF > openstack/list_images1.yaml
---
- hosts: localhost
  module_defaults:
    group/openstack.cloud.openstack:
      auth_type: "v3applicationcredential"
      auth:
        auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000/v3"
        application_credential_id: "9c9....0deab6e8"
        application_credential_secret: "Kfi444Nl-...BcnWB05i5X6orgdTjwhRQ1JYQ"
      
  tasks:
    - name: List images
      openstack.cloud.image_info:
        auth: "{{ override_defaults }}"
        filters:
          os_distro: "fedora"
      register: image_info_result

    - name: "Print Openstack output"
      debug:
        var: image_info_result
EOF
ansible-playbook openstack/list_images1.yaml

-->

fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'override_defaults' is undefined. 'override_defaults' is undefined

@jacobdotcosta

cmoulliard avatar Jun 14 '23 08:06 cmoulliard

This is how I implemented the v3applicationcredential authentication, and it worked.

    - name: List Fedora images
      openstack.cloud.image_info:
        auth_type: "v3applicationcredential"
        auth:
          auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000"
          application_credential_id: "loremipsumdolorsitametconsecteturadipiscingelit"
          application_credential_secret: "loremipsumdolorsitametconsecteturadipiscingelitseddoeiusmodtemporincididuntutlaboreetdoloremagnaaliqua"
        properties:
          os_distro: "fedora"
      register: image_info_result

@cmoulliard

jacobdotcosta avatar Jun 14 '23 08:06 jacobdotcosta

This is how I implemented the v3applicationcredential authentication, and it worked.

That works for me too. This is not the question. The idea is to be able to declare one time the AUTH parameters and to inherit them within the different tasks.

@jacobdotcosta

cmoulliard avatar Jun 14 '23 08:06 cmoulliard

If you want to define a variable with the authentication information so it is reused you can also do this.

    - name: "Set facts"
      ansible.builtin.set_fact:
        rhos_authentication_type: v3applicationcredential
        rhos_authentication:
          auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000"
          application_credential_id: "loremipsumdolorsitametconsecteturadipiscingelit"
          application_credential_secret: "loremipsumdolorsitametconsecteturadipiscingelitseddoeiusmodtemporincididuntutlaboreetdoloremagnaaliqua"

    - name: List Fedora images
      openstack.cloud.image_info:
        auth_type: "{{ rhos_authentication_type }}"
        auth: "{{ rhos_authentication }}"
        properties:
          os_distro: "fedora"
      register: image_info_result

@cmoulliard

jacobdotcosta avatar Jun 14 '23 08:06 jacobdotcosta

If you want to define a variable with the authentication information so it is reused you can also do this.

What about this, where we don't have to pass or override some auth parameters?

- hosts: localhost
  module_defaults:
    group/openstack.cloud.openstack:
      auth_type: "v3applicationcredential"
      auth:
        auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000/v3"
        application_credential_id: "9c920....e8"
        application_credential_secret: "Kfi4....hRQ1JYQ"
      
  tasks:
    - name: List images
      openstack.cloud.image_info:
        filters:
          os_distro: "fedora"
      register: image_info_result

@jacobdotcosta

cmoulliard avatar Jun 14 '23 13:06 cmoulliard

That can only be achieved either by using environment variables or using a named cloud.

From the Ansible docs:

Dictionary containing auth information as needed by the cloud’s auth plugin strategy. 
For the default password plugin, this would contain auth_url, username, password, 
project_name and any information about domains (for example, user_domain_name or 
project_domain_name) if the cloud supports them. For other plugins, this param will 
need to contain whatever parameters that auth plugin requires. This parameter is not 
needed if a named cloud is provided or OpenStack OS_* environment variables are present.

IIUC, named cloud requires having a local clouds.yaml file with the authentication information. Something like:

clouds:
  cloud_name:
    auth:
      project_name: "XXXXXXXXXXXXXXXXXX"
      username: "XXXXXXXXXXXXXXXXXX"
      password: "XXXXXXXXXXXXXXXXXX"
      user_domain_name: "XXXXXXXXXXXXXXXXXX"
      project_domain_name: "XXXXXXXXXXXXXXXXXX"
      auth_url: "XXXXXXXXXXXXXXXXXX"
    region_name: "XXXXXXXXXXXXXXXXXX"
    interface: "XXXXXXXXXXXXXXXXXX"
    identity_api_version: 3

jacobdotcosta avatar Jun 14 '23 13:06 jacobdotcosta
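
As an added example (not code from the thread), the named-cloud approach from the comment above carried over to v3applicationcredential: a clouds.yaml entry that holds the application credential instead of the PSI user password, plus a playbook whose tasks carry no auth parameters at all because the cloud is selected with the OS_CLOUD environment variable. The cloud name `rhos-d-appcred`, the region and the credential values are placeholders.

```yaml
# Added example, not from the thread.
# File 1: ~/.config/openstack/clouds.yaml (or ./clouds.yaml next to the playbook)
clouds:
  rhos-d-appcred:                       # placeholder cloud name
    auth_type: v3applicationcredential  # sibling of "auth:", not inside it
    auth:
      auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000/v3"
      application_credential_id: "<APP_CRED_ID>"          # placeholder
      # Placeholder; openstacksdk also merges a secure.yaml with the same
      # clouds/<name>/auth layout, so the secret can be kept out of clouds.yaml.
      application_credential_secret: "<APP_CRED_SECRET>"
    region_name: "regionOne"            # placeholder
    interface: public
    identity_api_version: 3

---
# File 2: openstack/list_images.yaml, run as:
#   OS_CLOUD=rhos-d-appcred ansible-playbook openstack/list_images.yaml
# No task passes auth_type/auth; openstacksdk resolves OS_CLOUD to the entry above.
- hosts: localhost
  gather_facts: false
  tasks:
    - name: List Fedora images
      openstack.cloud.image_info:
        filters:
          os_distro: "fedora"
      register: image_info_result

    - name: Print Openstack output
      ansible.builtin.debug:
        var: image_info_result
```

Rotating the credential then means replacing the id/secret in that one file; the playbooks and roles are untouched.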

That can only be achieved either by using environment variables or using a named cloud.

I don't follow you here. Where are you looking to use the clouds.yaml file?

cmoulliard avatar Jun 14 '23 13:06 cmoulliard

I was checking for options where we don't need to pass or override the auth parameters on the playbook and roles, and those are the only 2 options I see.

jacobdotcosta avatar Jun 14 '23 13:06 jacobdotcosta

I was checking for options where we don't need to pass or override the auth parameters on the playbook and roles, and those are the only 2 options I see.

I vote to use this, as no override is needed, it can be declared one time = init step, etc.

module_defaults:
    group/openstack.cloud.openstack:
...

cmoulliard avatar Jun 14 '23 14:06 cmoulliard