Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support the auth type: v3applicationcredential #324

Open
4 tasks
cmoulliard opened this issue Jun 14, 2023 · 9 comments
Open
4 tasks

Support the auth type: v3applicationcredential #324

cmoulliard opened this issue Jun 14, 2023 · 9 comments
Assignees
@jacobdotcosta
Labels
enhancement New feature or request module::ansible module::openstack

Comments

@cmoulliard
Copy link
Member

cmoulliard commented Jun 14, 2023
edited
Loading

Request

Our openstack playbooks to create/delete a VM use, to access the platform, the auth mode password. While this approach is not bad, it forces us to pass the auth parameters to every task where we access the platform and also to use the snowdrop PSI Team password.

Such a user and password should be mainly used by the Operator in charge of the management of our RHOS PSI instance instead of being used too to create/delete VMs using Ansible playbook.

This is why it should be better to use as auth_type : v3applicationcredential as such a mode supports to use an application id/secret associated to a role, can be rotated, etc. See documentation for more information:

Note: The v3token mode could also be an interesting alternative but it is not well documented, suffer from many issues such as: Service Catalog is empty, ansifact_facts not supported, etc if you dont use exactly version x.y.z of Ansible + openstackdsk

If e decide to use it as mod, then several tasks will be required as:

  • Review and document how to generate the Id/Secret, rotate it and what lifecycle should be
  • Select and define the role to be used by the application credential
  • Refactor the playbooks to use it as auth_mod
  • Log on one time instead of having to do it for every task. See: discussion around module_default and group
@cmoulliard
Copy link
Member Author

I tried this without success

cat <<EOF > openstack/list_images1.yaml
---
- hosts: localhost
  module_defaults:
    group/openstack.cloud.openstack:
      auth_type: "v3applicationcredential"
      auth:
        auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000/v3"
        application_credential_id: "9c9....0deab6e8"
        application_credential_secret: "Kfi444Nl-...BcnWB05i5X6orgdTjwhRQ1JYQ"
      
  tasks:
    - name: List images
      openstack.cloud.image_info:
        auth: "{{ override_defaults }}"
        filters:
          os_distro: "fedora"
      register: image_info_result

    - name: "Print Openstack output"
      debug:
        var: image_info_result
EOF
ansible-playbook openstack/list_images1.yaml

-->

fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'override_defaults' is undefined. 'override_defaults' is undefined

@jacobdotcosta

@jacobdotcosta
Copy link
Member

jacobdotcosta commented Jun 14, 2023
edited
Loading

This is how I implemented the v3applicationcredential authentication, and it worked.

    - name: List Fedora images
      openstack.cloud.image_info:
        auth_type: "v3applicationcredential"
        auth:
          auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000"
          application_credential_id: "loremipsumdolorsitametconsecteturadipiscingelit"
          application_credential_secret: "loremipsumdolorsitametconsecteturadipiscingelitseddoeiusmodtemporincididuntutlaboreetdoloremagnaaliqua"
        properties:
          os_distro: "fedora"
      register: image_info_result

@cmoulliard

@cmoulliard
Copy link
Member Author

cmoulliard commented Jun 14, 2023
edited
Loading

This is how I implemented the v3applicationcredential authentication, and it worked.

That works for me too. This is not the question. The idea is to be able to declare one time the AUTH parameters and to inherit them within the different tasks.

@jacobdotcosta

@jacobdotcosta
Copy link
Member

If you want to define a variable with the authentication information so it is reused you can also do this.

    - name: "Set facts"
      ansible.builtin.set_fact:
        rhos_authentication_type: v3applicationcredential
        rhos_authentication:
          auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000"
          application_credential_id: "loremipsumdolorsitametconsecteturadipiscingelit"
          application_credential_secret: "loremipsumdolorsitametconsecteturadipiscingelitseddoeiusmodtemporincididuntutlaboreetdoloremagnaaliqua"

    - name: List Fedora images
      openstack.cloud.image_info:
        auth_type: "{{ rhos_authentication_type }}"
        auth: "{{ rhos_authentication }}"
        properties:
          os_distro: "fedora"
      register: image_info_result

@cmoulliard

@cmoulliard
Copy link
Member Author

If you want to define a variable with the authentication information so it is reused you can also do this.

What about this where we dont have to pass or override some auth parameters ?

- hosts: localhost
  module_defaults:
    group/openstack.cloud.openstack:
      auth_type: "v3applicationcredential"
      auth:
        auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000/v3"
        application_credential_id: "9c920....e8"
        application_credential_secret: "Kfi4....hRQ1JYQ"
      
  tasks:
    - name: List images
      openstack.cloud.image_info:
        filters:
          os_distro: "fedora"
      register: image_info_result

@jacobdotcosta

@jacobdotcosta
Copy link
Member

That can only be achieved either by using environment variables or using a named cloud.

From the Ansible docs:

Dictionary containing auth information as needed by the cloud’s auth plugin strategy. 
For the default password plugin, this would contain auth_url, username, password, 
project_name and any information about domains (for example, user_domain_name or 
project_domain_name) if the cloud supports them. For other plugins, this param will 
need to contain whatever parameters that auth plugin requires. This parameter is not 
needed if a named cloud is provided or OpenStack OS_* environment variables are present.

IIUC, named cloud requires having a local clouds.yaml file with the authentication information. Something like:

clouds:
 cloud_name:
    auth:
      project_name: "XXXXXXXXXXXXXXXXXX"
      username: "XXXXXXXXXXXXXXXXXX"
      password: "XXXXXXXXXXXXXXXXXX"
      user_domain_name: "XXXXXXXXXXXXXXXXXX"
      project_domain_name: "XXXXXXXXXXXXXXXXXX"
      auth_url: "XXXXXXXXXXXXXXXXXX"
    region_name: "XXXXXXXXXXXXXXXXXX"
    interface: "XXXXXXXXXXXXXXXXXX"
    identity_api_version: 3

@cmoulliard
Copy link
Member Author

That can only be achieved either by using environment variables or using a named cloud.

I dont follow you here. Where are you looking to use clouds.yaml fil ?

@jacobdotcosta
Copy link
Member

I was checking for options where we don't need to pass or override the auth parameters on the playbook and roles, and those are the only 2 options I see.

@cmoulliard
Copy link
Member Author

I was checking for options where we don't need to pass or override the auth parameters on the playbook and roles, and those are the only 2 options I see.

I vote to use as no override is needed, can be declared one time = init step, etc

module_defaults:
    group/openstack.cloud.openstack:
...

@jacobdotcosta jacobdotcosta self-assigned this Aug 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jacobdotcosta jacobdotcosta

Labels
enhancement New feature or request module::ansible module::openstack
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cmoulliard @jacobdotcosta