Fix deployment with public TLS enabled

When deploying with tls enabled in public endpoints, ansible modules fails due SSL certificates are self-signed. This change adds a new variable to allow customization on which endpoints ansible should connect. Defaults to admin because admin auth parameters defaults to admin endpoint. Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc Closes-Bug: #1720995

Fix deployment with public TLS enabled
56374206 · Eduardo Gonzalez · 709c6b7b · 56374206 · 56374206 · 56374206
Commit 56374206 authored 7 years ago by Eduardo Gonzalez
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -319,6 +319,10 @@ openstack_auth:
    project_name: "admin"
    domain_name: "default"

+# Endpoint type used to connect with OpenStack services with ansible modules.
+# Valid options are [ public, internal, admin ]
+openstack_interface: "admin"
+
 # These roles are required for Kolla to be operation, however a savvy deployer
 # could disable some of these required roles and run their own services.
 enable_glance: "yes"

--- a/ansible/roles/aodh/tasks/register.yml
+++ b/ansible/roles/aodh/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_aodh_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_aodh_auth: "{{ openstack_aodh_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_aodh_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_aodh_auth: "{{ openstack_aodh_auth }}"
  run_once: True
--- a/ansible/roles/barbican/tasks/register.yml
+++ b/ansible/roles/barbican/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_barbican_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_barbican_auth: "{{ openstack_barbican_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_barbican_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_barbican_auth: "{{ openstack_barbican_auth }}"
  run_once: True
@@ -39,6 +41,7 @@
    module_args:
      name: "{{ item }}"
      auth: "{{ '{{ openstack_barbican_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_barbican_auth: "{{ openstack_barbican_auth }}"
  run_once: True

--- a/ansible/roles/ceilometer/tasks/register.yml
+++ b/ansible/roles/ceilometer/tasks/register.yml
@@ -9,6 +9,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ceilometer_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
     openstack_ceilometer_auth: "{{ openstack_ceilometer_auth }}"
  run_once: True
@@ -22,6 +23,7 @@
      role: "ResellerAdmin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ceilometer_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
     openstack_ceilometer_auth: "{{ openstack_ceilometer_auth }}"
  when: enable_swift | bool

--- a/ansible/roles/ceph/tasks/start_rgw_keystone.yml
+++ b/ansible/roles/ceph/tasks/start_rgw_keystone.yml
@@ -16,6 +16,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_swift_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_swift_auth: "{{ openstack_swift_auth }}"
  run_once: True
@@ -34,6 +35,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ceph_rgw_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_ceph_rgw_auth: "{{ openstack_swift_auth }}"
  run_once: True
--- a/ansible/roles/cinder/tasks/check.yml
+++ b/ansible/roles/cinder/tasks/check.yml
@@ -7,6 +7,7 @@
      state: present
      size: 1
      display_name: kolla_test_volume
+      endpoint_type: "{{ openstack_interface }}"
  run_once: True
  delegate_to: "{{ groups['cinder-api'][0] }}"
  when: kolla_enable_sanity_cinder | bool
@@ -18,6 +19,7 @@
      auth: "{{ openstack_cinder_auth }}"
      state: absent
      display_name: kolla_test_volume
+      endpoint_type: "{{ openstack_interface }}"
  run_once: True
  delegate_to: "{{ groups['cinder-api'][0] }}"
  when: kolla_enable_sanity_cinder | bool
--- a/ansible/roles/cinder/tasks/register.yml
+++ b/ansible/roles/cinder/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_cinder_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_cinder_auth: "{{ openstack_cinder_auth }}"
  run_once: True
@@ -35,6 +36,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_cinder_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_cinder_auth: "{{ openstack_cinder_auth }}"
  run_once: True
--- a/ansible/roles/cloudkitty/tasks/register.yml
+++ b/ansible/roles/cloudkitty/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_cloudkitty_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_cloudkitty_auth: "{{ openstack_cloudkitty_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_cloudkitty_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_cloudkitty_auth: "{{ openstack_cloudkitty_auth }}"
  run_once: True
@@ -39,6 +41,7 @@
    module_args:
      name: "{{ cloudkitty_openstack_keystone_default_role }}"
      auth: "{{ '{{ openstack_cloudkitty_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_cloudkitty_auth: "{{ openstack_cloudkitty_auth }}"
  run_once: True
--- a/ansible/roles/congress/tasks/register.yml
+++ b/ansible/roles/congress/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_congress_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_congress_auth: "{{ openstack_congress_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_congress_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_congress_auth: "{{ openstack_congress_auth }}"
  run_once: True
--- a/ansible/roles/designate/tasks/register.yml
+++ b/ansible/roles/designate/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_designate_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_designate_auth: "{{ openstack_designate_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_designate_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_designate_auth: "{{ openstack_designate_auth }}"
  run_once: True
--- a/ansible/roles/freezer/tasks/register.yml
+++ b/ansible/roles/freezer/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_freezer_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_freezer_auth: "{{ openstack_freezer_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: admin
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_freezer_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_freezer_auth: "{{ openstack_freezer_auth }}"
  run_once: True
--- a/ansible/roles/glance/tasks/check.yml
+++ b/ansible/roles/glance/tasks/check.yml
@@ -6,6 +6,7 @@
      auth: "{{ openstack_glance_auth }}"
      name: "glance_sanity_check"
      filename: "/etc/hostname"
+      endpoint_type: "{{ openstack_interface }}"
  delegate_to: "{{ groups['glance-api'][0] }}"
  run_once: True
  when: kolla_enable_sanity_glance | bool
@@ -17,6 +18,7 @@
      auth: "{{ openstack_glance_auth }}"
      name: "glance_sanity_check"
      state: absent
+      endpoint_type: "{{ openstack_interface }}"
  delegate_to: "{{ groups['glance-api'][0] }}"
  run_once: True
  when: kolla_enable_sanity_glance | bool
--- a/ansible/roles/glance/tasks/register.yml
+++ b/ansible/roles/glance/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_glance_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_glance_auth: "{{ openstack_glance_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_glance_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_glance_auth: "{{ openstack_glance_auth }}"
  run_once: True
--- a/ansible/roles/gnocchi/tasks/register.yml
+++ b/ansible/roles/gnocchi/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_gnocchi_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_gnocchi_auth: "{{ openstack_gnocchi_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_gnocchi_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_gnocchi_auth: "{{ openstack_gnocchi_auth }}"
  run_once: True
--- a/ansible/roles/heat/tasks/register.yml
+++ b/ansible/roles/heat/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_heat_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_heat_auth: "{{ openstack_heat_auth }}"
  run_once: True
@@ -32,6 +33,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_heat_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_heat_auth: "{{ openstack_heat_auth }}"
  run_once: True
@@ -42,6 +44,7 @@
    module_args:
      name: "{{ heat_stack_user_role }}"
      auth: "{{ '{{ openstack_heat_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_heat_auth: "{{ openstack_heat_auth }}"
  run_once: True
@@ -52,6 +55,7 @@
    module_args:
      name: "{{ heat_stack_owner_role }}"
      auth: "{{ '{{ openstack_heat_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_heat_auth: "{{ openstack_heat_auth }}"
  run_once: True
@@ -65,6 +69,7 @@
      role: "{{ heat_stack_owner_role }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_heat_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_heat_auth: "{{ openstack_heat_auth }}"
  run_once: True
--- a/ansible/roles/ironic/tasks/register.yml
+++ b/ansible/roles/ironic/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ironic_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_ironic_auth: "{{ openstack_ironic_auth }}"
  run_once: True
@@ -30,6 +31,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ironic_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_ironic_auth: "{{ openstack_ironic_auth }}"
  run_once: True
@@ -47,6 +49,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ironic_inspector_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_ironic_inspector_auth: "{{ openstack_ironic_inspector_auth }}"
  run_once: True
@@ -66,6 +69,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_ironic_inspector_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_ironic_inspector_auth: "{{ openstack_ironic_inspector_auth }}"
  run_once: True

--- a/ansible/roles/karbor/tasks/register.yml
+++ b/ansible/roles/karbor/tasks/register.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_karbor_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_karbor_auth: "{{ openstack_karbor_auth }}"
  run_once: True
@@ -29,6 +30,7 @@
      role: "admin"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_karbor_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_karbor_auth: "{{ openstack_karbor_auth }}"
  run_once: True
--- a/ansible/roles/keystone/tasks/check.yml
+++ b/ansible/roles/keystone/tasks/check.yml
@@ -4,6 +4,7 @@
    module_name: os_auth
    module_args:
      auth: "{{ openstack_keystone_auth }}"
+      endpoint_type: "{{ openstack_interface }}"
  run_once: True
  delegate_to: "{{ groups['keystone'][0] }}"
  when: kolla_enable_sanity_keystone | bool
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -13,6 +13,7 @@
    module_args:
      name: "{{ keystone_default_user_role }}"
      auth: "{{ '{{ openstack_keystone_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_keystone_auth: "{{ openstack_keystone_auth }}"
  register: default_role

--- a/ansible/roles/keystone/tasks/update_endpoints.yml
+++ b/ansible/roles/keystone/tasks/update_endpoints.yml
@@ -11,6 +11,7 @@
      interface: "{{ item.interface }}"
      region_name: "{{ openstack_region_name }}"
      auth: "{{ '{{ openstack_keystone_auth }}' }}"
+      endpoint_type: "{{ openstack_interface }}"
    module_extra_vars:
      openstack_keystone_auth: "{{ openstack_keystone_auth }}"
  run_once: True