2f124f8e9b
Adds support for setting the system scope to user role assignments. Also updates the domain assignment so it can be customised. Note that the scope assignments follow the precedence of project->domain->system [1]. As such, the previous default value of domain was being ignored as we always set a project, so the removal of the default domain in this patch has no effect on existing behaviour. 1. https://docs.ansible.com/ansible/latest/collections/openstack/cloud/role_assignment_module.html#parameter-system Change-Id: Ie7fe78ab67b1bf8a19def25fef321de5c2d80aa9
127 lines
5.5 KiB
YAML
127 lines
5.5 KiB
YAML
---
|
|
- block:
|
|
- name: "{{ project_name }} | Creating services"
|
|
kolla_toolbox:
|
|
container_engine: "{{ kolla_container_engine }}"
|
|
module_name: openstack.cloud.catalog_service
|
|
module_args:
|
|
name: "{{ item.name }}"
|
|
service_type: "{{ item.type }}"
|
|
description: "{{ item.description }}"
|
|
region_name: "{{ service_ks_register_region_name }}"
|
|
auth: "{{ service_ks_register_auth }}"
|
|
interface: "{{ service_ks_register_interface }}"
|
|
cacert: "{{ service_ks_cacert }}"
|
|
loop: "{{ service_ks_register_services }}"
|
|
loop_control:
|
|
label: "{{ item.name }} ({{ item.type }})"
|
|
register: service_ks_register_result
|
|
until: service_ks_register_result is success
|
|
retries: "{{ service_ks_register_retries }}"
|
|
delay: "{{ service_ks_register_delay }}"
|
|
when: item.enabled | default(True) | bool
|
|
|
|
- name: "{{ project_name }} | Creating endpoints"
|
|
kolla_toolbox:
|
|
container_engine: "{{ kolla_container_engine }}"
|
|
module_name: openstack.cloud.endpoint
|
|
module_args:
|
|
service: "{{ item.0.name }}"
|
|
url: "{{ item.1.url }}"
|
|
endpoint_interface: "{{ item.1.interface }}"
|
|
region: "{{ service_ks_register_endpoint_region }}"
|
|
region_name: "{{ service_ks_register_region_name }}"
|
|
auth: "{{ service_ks_register_auth }}"
|
|
interface: "{{ service_ks_register_interface }}"
|
|
cacert: "{{ service_ks_cacert }}"
|
|
with_subelements:
|
|
- "{{ service_ks_register_services }}"
|
|
- endpoints
|
|
loop_control:
|
|
label: "{{ item.0.name }} -> {{ item.1.url }} -> {{ item.1.interface }}"
|
|
register: service_ks_register_result
|
|
until: service_ks_register_result is success
|
|
retries: "{{ service_ks_register_retries }}"
|
|
delay: "{{ service_ks_register_delay }}"
|
|
when: item.0.enabled | default(True) | bool
|
|
|
|
- name: "{{ project_name }} | Creating projects"
|
|
kolla_toolbox:
|
|
container_engine: "{{ kolla_container_engine }}"
|
|
module_name: openstack.cloud.project
|
|
module_args:
|
|
name: "{{ item }}"
|
|
domain: "{{ service_ks_register_domain }}"
|
|
region_name: "{{ service_ks_register_region_name }}"
|
|
auth: "{{ service_ks_register_auth }}"
|
|
interface: "{{ service_ks_register_interface }}"
|
|
cacert: "{{ service_ks_cacert }}"
|
|
with_items: "{{ service_ks_register_users | map(attribute='project') | unique | list }}"
|
|
register: service_ks_register_result
|
|
until: service_ks_register_result is success
|
|
retries: "{{ service_ks_register_retries }}"
|
|
delay: "{{ service_ks_register_delay }}"
|
|
|
|
- name: "{{ project_name }} | Creating users"
|
|
kolla_toolbox:
|
|
container_engine: "{{ kolla_container_engine }}"
|
|
module_name: openstack.cloud.identity_user
|
|
module_args:
|
|
default_project: "{{ item.project }}"
|
|
name: "{{ item.user }}"
|
|
password: "{{ item.password }}"
|
|
update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
|
|
domain: "{{ service_ks_register_domain }}"
|
|
region_name: "{{ service_ks_register_region_name }}"
|
|
auth: "{{ service_ks_register_auth }}"
|
|
interface: "{{ service_ks_register_interface }}"
|
|
cacert: "{{ service_ks_cacert }}"
|
|
with_items: "{{ service_ks_register_users }}"
|
|
loop_control:
|
|
label: "{{ item.user }} -> {{ item.project }}"
|
|
register: service_ks_register_result
|
|
until: service_ks_register_result is success
|
|
retries: "{{ service_ks_register_retries }}"
|
|
delay: "{{ service_ks_register_delay }}"
|
|
|
|
- name: "{{ project_name }} | Creating roles"
|
|
kolla_toolbox:
|
|
container_engine: "{{ kolla_container_engine }}"
|
|
module_name: openstack.cloud.identity_role
|
|
module_args:
|
|
name: "{{ item }}"
|
|
region_name: "{{ service_ks_register_region_name }}"
|
|
auth: "{{ service_ks_register_auth }}"
|
|
interface: "{{ service_ks_register_interface }}"
|
|
cacert: "{{ service_ks_cacert }}"
|
|
with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list + service_ks_register_roles }}"
|
|
register: service_ks_register_result
|
|
until: service_ks_register_result is success
|
|
retries: "{{ service_ks_register_retries }}"
|
|
delay: "{{ service_ks_register_delay }}"
|
|
|
|
- name: "{{ project_name }} | Granting user roles"
|
|
kolla_toolbox:
|
|
container_engine: "{{ kolla_container_engine }}"
|
|
module_name: openstack.cloud.role_assignment
|
|
module_args:
|
|
user: "{{ item.user }}"
|
|
role: "{{ item.role }}"
|
|
project: "{{ item.project | default(omit) }}"
|
|
domain: "{{ item.domain | default(omit) }}"
|
|
system: "{{ item.system | default(omit) }}"
|
|
region_name: "{{ service_ks_register_region_name }}"
|
|
auth: "{{ service_ks_register_auth }}"
|
|
interface: "{{ service_ks_register_interface }}"
|
|
cacert: "{{ service_ks_cacert }}"
|
|
with_items: "{{ service_ks_register_users + service_ks_register_user_roles }}"
|
|
loop_control:
|
|
label: "{{ item.user }} -> {{ item.project | default(item.domain) | default(item.system) }} -> {{ item.role }}"
|
|
register: service_ks_register_result
|
|
until: service_ks_register_result is success
|
|
retries: "{{ service_ks_register_retries }}"
|
|
delay: "{{ service_ks_register_delay }}"
|
|
|
|
become: true
|
|
run_once: True
|