Extra var ironic_enable_keystone_integration added.

ilya-popov · ilya-popov · commit 1add72931eb8 · 2021-08-10T16:29:52.000+03:00
Basically, there are three main installation scenario: Scenario 1: Ironic installation together with other openstack services including keystone. In this case variable enable_keystone is set to true and keystone service will be installed together with ironic installation. It is possible realise this scenario, no fix needed Scenario 2: Ironic installation with connection to already installed keystone. In this scenario we have to set enable_keystone to “No” to prevent from new keystone service installation during the ironic installation process. But in other hand, we need to have correct sections in ironic.conf to provide all information needed to connect to existing keystone. But all sections for keystone are added to ironic.conf only if enable_keystone var is set to “Yes”. It isn’t possible to realise this scenario. Proposed fix provide support for this scenario, where multiple regions share the same keystone service. Scenario 3: No keystone integration. Ironic don't connect to Keystone. It is possible realise this scenario, no fix needed Proposed solution also keep the default behaviour: if no enable_keystone_integration is manually defined by default it takes value of enable_keystone variable and all behaviour is the same. But if we don't want to install keystone and want to connect to existing one at the same time, it will be possible to set enable_keystone var to “No” (preventing keystone from installation) and at the same time set ironic_enable_keystone_integration to Yes to allow needed section appear in ironic.conf through templating. Change-Id: I0c7e9a28876a1d4278fb2ed8555c2b08472864b9 (cherry picked from commit da4fd2d)
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
@@ -286,6 +286,7 @@ ironic_enabled_notification_topics: "{{ ironic_notification_topics | selectattr(
 ####################
 # Keystone
 ####################
+ironic_enable_keystone_integration: "{{ enable_keystone | bool }}"
 ironic_ks_services:
   - name: "ironic"
     type: "baremetal"
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -6,7 +6,7 @@
 # suppressed by the deployer by setting a value for the option.
 
 [DEFAULT]
-{% if not enable_keystone | bool %}
+{% if not ironic_enable_keystone_integration | bool %}
 auth_strategy = noauth
 {% endif %}
 debug = {{ ironic_logging_debug }}
@@ -52,7 +52,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
@@ -143,7 +143,7 @@ cafile = {{ openstack_cacert }}
 {% endif %}
 
 [inspector]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
@@ -160,7 +160,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% endif %}
 
 [service_catalog]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst
@@ -94,6 +94,28 @@ The following changes will occur if iPXE booting is enabled:
   environment. You may also boot directly to iPXE by some other means e.g by
   burning it to the option rom of your ethernet card.
 
+Attach ironic to external keystone (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In :kolla-ansible-doc:`multi-regional <user/multi-regions.html>` deployment
+keystone could be installed in one region (let's say region 1) and ironic -
+in another region (let's say region 2). In this case we don't install keystone
+together with ironic in region 2, but have to configure ironic to connect to
+existing keystone in region 1. To deploy ironic in this way we have to set
+variable ``enable_keystone`` to ``"no"``.
+
+.. code-block:: yaml
+
+    enable_keystone: "no"
+
+It will prevent keystone from being installed in region 2.
+
+To add keystone-related sections in ironic.conf, it is also needed to set
+variable ``ironic_enable_keystone_integration`` to ``"yes"``
+
+.. code-block:: yaml
+
+    ironic_enable_keystone_integration: "yes"
+
 Deployment
 ~~~~~~~~~~
 Run the deploy as usual:
diff --git a/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    New variable ``ironic_enable_keystone_integration`` was added.
+    It helps to add keystone connection information into
+    ``ironic.conf`` if we want to connect to existing keystone
+    (not installing it at the same time).
