Adding support of system scoped openrc and clouds.yaml

Change-Id: Iff5a0892d812601c0fa3fd549b7f00a468cfdd97 Closes-Bug: 1903656
2020-11-10 11:46:22 +03:30 · 2020-11-10 11:46:22 +03:30 · c5812b3198
parent 87e9d56d06
commit c5812b3198
5 changed files with 69 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+## Use System Scope Authentication
+openrc_system_scope: false
+
 ## Endpoint types
 openrc_cinder_endpoint_type: internalURL
 openrc_nova_endpoint_type: internalURL
--- a/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
+++ b/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - |
+    The role now supports creating system scoped credentials alongside
+    project scoped credentials. The default behavior of the role did not
+    changed, until ``openrc_system_scope`` variable was set to ``true``.
+    If the ``openrc_system_scope`` is ``true`` the default cloud in
+    clouds.yaml will set to system scoped credentials and another credentials
+    named ``default_project_scope`` will get created with project scoped
+    credentials. Due to usage of openrc file in other roles, the opposite
+    logic applies to openrc files, which means if ``openrc_system_scope``
+    is set to ``true`` the credentials in openrc will set to project scoped
+    credentials and another openrc filec named ``openrc.system_scope`` will
+    get created with system scoped credentials.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -23,6 +23,26 @@
  tags:
    - openstack_openrc-config

+- name: Set fact for system scoped openrc file
+  set_fact:
+    _not_openrc_system_scope: not openrc_system_scope
+  when:
+    - openrc_system_scope
+
+- name: Create project scoped openrc file
+  template:
+    src: openrc.j2
+    dest: "{{ openrc_file_dest }}.system_scope"
+    owner: "{{ openrc_file_owner }}"
+    group: "{{ openrc_file_group }}"
+    mode: "{{ openrc_file_mode }}"
+  vars:
+    openrc_system_scope: false
+  when:
+    - openrc_system_scope
+  tags:
+    - openstack_openrc-config
+
 - name: Create OpenStack client configuration directory
  file:
    dest: "{{ openrc_openstack_client_config_dir_dest }}"
--- a/templates/clouds.yaml.j2
+++ b/templates/clouds.yaml.j2
@ -3,12 +3,16 @@ clouds:
  default:
    auth:
      auth_url: {{ openrc_os_auth_url }}
+{% if openrc_system_scope | default(false) | bool %}
+      system_scope: all
+{% else %}
      project_name: {{ openrc_os_tenant_name }}
      tenant_name: {{ openrc_os_tenant_name }}
+      project_domain_name: {{ openrc_os_domain_name }}
+{% endif %}
      username: {{ openrc_os_username }}
      password: {{ openrc_os_password }}
      user_domain_name: {{ openrc_os_domain_name }}
-      project_domain_name: {{ openrc_os_domain_name }}
    region_name: {{ openrc_region_name }}
    interface: {{ openrc_clouds_yml_interface }}
 {% if openrc_os_auth_url.endswith('v2.0') %}
@ -20,3 +24,25 @@ clouds:
    verify: false
    insecure: true
 {% endif %}
+{% if openrc_system_scope | default(false) | bool %}
+  default_project_scope:
+    auth:
+      auth_url: {{ openrc_os_auth_url }}
+      project_name: {{ openrc_os_tenant_name }}
+      tenant_name: {{ openrc_os_tenant_name }}
+      project_domain_name: {{ openrc_os_domain_name }}
+      username: {{ openrc_os_username }}
+      password: {{ openrc_os_password }}
+      user_domain_name: {{ openrc_os_domain_name }}
+    region_name: {{ openrc_region_name }}
+    interface: {{ openrc_clouds_yml_interface }}
+{% if openrc_os_auth_url.endswith('v2.0') %}
+    identity_api_version: "2.0"
+{% else %}
+    identity_api_version: "3"
+{% endif %}
+{% if openrc_insecure | bool %}
+    verify: false
+    insecure: true
+{% endif %}
+{% endif %}
--- a/templates/openrc.j2
+++ b/templates/openrc.j2
@ -15,13 +15,17 @@ export OS_ENDPOINT_TYPE={{ openrc_os_endpoint_type }}
 export OS_INTERFACE={{ openrc_os_endpoint_type }}
 export OS_USERNAME={{ openrc_os_username }}
 export OS_PASSWORD='{{ openrc_os_password }}'
+{% if not _not_openrc_system_scope | default(false) | bool %}
 export OS_PROJECT_NAME={{ openrc_os_tenant_name }}
 export OS_TENANT_NAME={{ openrc_os_tenant_name }}
+export OS_PROJECT_DOMAIN_NAME={{ openrc_os_domain_name }}
+{% else %}
+export OS_SYSTEM_SCOPE=all
+{% endif %}
 export OS_AUTH_TYPE={{ openrc_os_auth_type }}
 export OS_AUTH_URL={{ openrc_os_auth_url }}
 export OS_NO_CACHE=1
 export OS_USER_DOMAIN_NAME={{ openrc_os_domain_name }}
-export OS_PROJECT_DOMAIN_NAME={{ openrc_os_domain_name }}
 export OS_REGION_NAME={{ openrc_region_name }}

 # For openstackclient