Unauthenticated Endpoint Support #16

Open
rvalle opened this issue Aug 8, 2020 · 6 comments
Labels
enhancement New feature or request

Comments

@rvalle
Collaborator

rvalle commented Aug 8, 2020

Hi

I am trying to get a fully automated ACS deployment.

I use playbooks to install ACS and then I continue with these modules to configure ACS.

There is a missing link right in the middle.

I need an automated way to configure the credentials (API Token) for Ansible modules to work.

Is it possible to use username/password authentication in these Ansible Modules? CMK can handle either username/password or TOKEN auth.

That would allow creating the API token and then switching to TOKEN authentication afterwards.

@resmo
Member

resmo commented Aug 8, 2020

Hi @rvalle

The API library used (https://github.com/exoscale/cs) in the modules does not allow auth with username and password (AFAICS). However, the way we do it in the CloudStack test container (to test the modules against the simulator API) is to use the internal API, which allows unauthenticated API calls on localhost:8096.

To get an idea see https://github.com/ansible/cloudstack-test-container/blob/master/run.sh

@rvalle
Collaborator Author

rvalle commented Aug 9, 2020

@resmo my current workaround is to install cloudmonkey and do it with that, but since it is not packaged it is a bit messy.

I did not realize that cs has a CLI, that helps.

Perhaps we could allow usage of the modules on the unauthenticated endpoint for edge use cases like this one? What do you think?

if not all([api_config['endpoint'], api_config['key'], api_config['secret']]):

@resmo
Member

resmo commented Aug 9, 2020

Yes, perhaps.

I found it good enough for this special case to use dummy values for secret and key, since they are not validated by the internal API.

@resmo resmo added the enhancement New feature or request label Aug 9, 2020
@rvalle
Collaborator Author

rvalle commented Aug 10, 2020

OK, I see. I did not think of that. So, this use case was supported, after all.
Would be useful to document it.

Document or we could allow a setting such as:

api_url_auth: false 

which simply disables the check for TOKEN, and defaults to true.
It's more or less the same but would produce self-documented playbooks, and it is actually a feature:

something like:

- name: Configure initial Admin password, get keys.
  cs_user:
    api_url: localhost:8080
    api_url_auth: false
    ...
  register: acs_admin_user
  delegate_to: manager

If you want this I can submit a PR...
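
A sketch of how the proposed `api_url_auth` switch could gate the key/secret check quoted earlier in the thread, added here as an example and not code from the modules or from either commenter. The function name `resolve_api_config`, the dummy value `unused`, and the loopback-only restriction on unauthenticated mode are assumptions of this example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

REQUIRED_AUTH_KEYS = ("endpoint", "key", "secret")


def is_loopback(endpoint):
    """True when the endpoint's host is localhost or a loopback IP."""
    # urlsplit only fills in hostname when a scheme or '//' is present.
    url = endpoint if "//" in endpoint else "//" + endpoint
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as remote


def resolve_api_config(api_config, api_url_auth=True):
    """Return a validated copy of api_config (hypothetical helper).

    api_url_auth=True keeps the existing rule: endpoint, key and secret
    must all be set. api_url_auth=False (the option proposed in this
    thread) skips the key/secret check and fills in dummy values, which
    the internal API does not validate.
    """
    cfg = dict(api_config)
    if api_url_auth:
        if not all(cfg.get(k) for k in REQUIRED_AUTH_KEYS):
            raise ValueError("endpoint, key and secret are required")
        return cfg
    if not cfg.get("endpoint"):
        raise ValueError("endpoint is required")
    # Assumption of this example: unauthenticated mode is accepted only
    # for a loopback endpoint, so a mistyped api_url cannot send
    # unsigned calls to another host.
    if not is_loopback(cfg["endpoint"]):
        raise ValueError("api_url_auth=false is limited to loopback endpoints")
    cfg["key"] = cfg.get("key") or "unused"
    cfg["secret"] = cfg.get("secret") or "unused"
    return cfg
```
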

@rvalle rvalle changed the title Username/Password authentication Unauthenticated Endpoint Support Aug 22, 2020
@rvalle
Collaborator Author

rvalle commented Jan 28, 2021

...
However, the way we do it in the CloudStack test container (to test the modules against the simulator API) is to use the internal API, which allows unauthenticated API calls on localhost:8096.

@resmo any idea how to get that port working on the manager?

I can find a reference in the documentation for manager HA, but in my install the port is not up.

@rvalle
Collaborator Author

rvalle commented Jan 28, 2021

I can see here: apache/cloudstack#3504 that the port ships disabled with global configuration:

integration.api.port=0

but I wonder if I can override its value without using the API.
