Merge "Extra var ironic_enable_keystone_integration added." into stable/wallaby

Zuul · openstack-gerrit · commit 3eebbd55e007 · 2021-08-11T15:55:51.000Z
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
@@ -286,6 +286,7 @@ ironic_enabled_notification_topics: "{{ ironic_notification_topics | selectattr(
 ####################
 # Keystone
 ####################
+ironic_enable_keystone_integration: "{{ enable_keystone | bool }}"
 ironic_ks_services:
   - name: "ironic"
     type: "baremetal"
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -6,7 +6,7 @@
 # suppressed by the deployer by setting a value for the option.
 
 [DEFAULT]
-{% if not enable_keystone | bool %}
+{% if not ironic_enable_keystone_integration | bool %}
 auth_strategy = noauth
 {% endif %}
 debug = {{ ironic_logging_debug }}
@@ -52,7 +52,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
@@ -143,7 +143,7 @@ cafile = {{ openstack_cacert }}
 {% endif %}
 
 [inspector]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
@@ -160,7 +160,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% endif %}
 
 [service_catalog]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst
@@ -94,6 +94,28 @@ The following changes will occur if iPXE booting is enabled:
   environment. You may also boot directly to iPXE by some other means e.g by
   burning it to the option rom of your ethernet card.
 
+Attach ironic to external keystone (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In :kolla-ansible-doc:`multi-regional <user/multi-regions.html>` deployment
+keystone could be installed in one region (let's say region 1) and ironic -
+in another region (let's say region 2). In this case we don't install keystone
+together with ironic in region 2, but have to configure ironic to connect to
+existing keystone in region 1. To deploy ironic in this way we have to set
+variable ``enable_keystone`` to ``"no"``.
+
+.. code-block:: yaml
+
+    enable_keystone: "no"
+
+It will prevent keystone from being installed in region 2.
+
+To add keystone-related sections in ironic.conf, it is also needed to set
+variable ``ironic_enable_keystone_integration`` to ``"yes"``
+
+.. code-block:: yaml
+
+    ironic_enable_keystone_integration: "yes"
+
 Deployment
 ~~~~~~~~~~
 Run the deploy as usual:
diff --git a/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    New variable ``ironic_enable_keystone_integration`` was added.
+    It helps to add keystone connection information into
+    ``ironic.conf`` if we want to connect to existing keystone
+    (not installing it at the same time).
