From c5812b319894e499555d00749a047663a24da46d Mon Sep 17 00:00:00 2001
From: siavashsardari
Date: Tue, 10 Nov 2020 11:46:22 +0330
Subject: [PATCH] Adding support of system scoped openrc and clouds.yaml

Change-Id: Iff5a0892d812601c0fa3fd549b7f00a468cfdd97
Closes-Bug: 1903656
---
 defaults/main.yml | 3 ++
 ...system_scope_support-ab364c1725e2506e.yaml | 14 ++++++++++
 tasks/main.yml | 20 +++++++++++++
 templates/clouds.yaml.j2 | 28 ++++++++++++++++++-
 templates/openrc.j2 | 6 +++-
 5 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 7bbd899..21c4fad 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+## Use System Scope Authentication
+openrc_system_scope: false
+
 ## Endpoint types
 openrc_cinder_endpoint_type: internalURL
 openrc_nova_endpoint_type: internalURL
diff --git a/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml b/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
new file mode 100644
index 0000000..acf0a39
--- /dev/null
+++ b/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
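Review bot: The new `openrc_system_scope` default carries only the comment `## Use System Scope Authentication`, which does not tell a reader which generated file changes; per the release note in this commit the flag flips the `default` cloud in clouds.yaml to system scope while the plain openrc keeps project scope and an extra `openrc.system_scope` file is written next to `openrc_file_dest`. Expanding the comment to, for example, `## When true, the default clouds.yaml entry is system scoped (project scoped credentials move to default_project_scope);` followed by `## openrc stays project scoped and an additional openrc.system_scope file carries the system scoped credentials.` would make that asymmetry visible where the variable is set. System scope is Keystone's deployment-wide authorization, so the comment is also the natural place to say that enabling the flag widens what the generated credential files can do.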
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ The role now supports creating system scoped credentials alongside
+ project scoped credentials. The default behavior of the role did not
+ changed, until ``openrc_system_scope`` variable was set to ``true``.
+ If the ``openrc_system_scope`` is ``true`` the default cloud in
+ clouds.yaml will set to system scoped credentials and another credentials
+ named ``default_project_scope`` will get created with project scoped
+ credentials. Due to usage of openrc file in other roles, the opposite
+ logic applies to openrc files, which means if ``openrc_system_scope``
+ is set to ``true`` the credentials in openrc will set to project scoped
+ credentials and another openrc filec named ``openrc.system_scope`` will
+ get created with system scoped credentials.
diff --git a/tasks/main.yml b/tasks/main.yml
index 71341cd..b9c3068 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,6 +23,26 @@
 tags:
 - openstack_openrc-config
 
+- name: Set fact for system scoped openrc file
+ set_fact:
+ _not_openrc_system_scope: not openrc_system_scope
+ when:
+ - openrc_system_scope
+
+- name: Create project scoped openrc file
+ template:
+ src: openrc.j2
+ dest: "{{ openrc_file_dest }}.system_scope"
+ owner: "{{ openrc_file_owner }}"
+ group: "{{ openrc_file_group }}"
+ mode: "{{ openrc_file_mode }}"
+ vars:
+ openrc_system_scope: false
+ when:
+ - openrc_system_scope
+ tags:
+ - openstack_openrc-config
+
 - name: Create OpenStack client configuration directory
 file:
 dest: "{{ openrc_openstack_client_config_dir_dest }}"
diff --git a/templates/clouds.yaml.j2 b/templates/clouds.yaml.j2
index b5bb526..5c418b6 100644
--- a/templates/clouds.yaml.j2
+++ b/templates/clouds.yaml.j2
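Review bot: The set_fact value `_not_openrc_system_scope: not openrc_system_scope` is a plain YAML string, not a Jinja expression, so the fact holds the literal text `not openrc_system_scope` rather than a negated boolean; on Ansible releases where `bool` maps an unrecognised string to false (newer releases warn or fail on it), openrc.j2's `{% if not _not_openrc_system_scope | default(false) | bool %}` then takes the project-scoped branch for the `.system_scope` file as well. Templating it as `"{{ not openrc_system_scope }}"` would not fix this either, because the task runs only when `openrc_system_scope` is true, so the fact is frozen at `false`, and the `vars: openrc_system_scope: false` on the second task never reaches a template that, in the lines shown in this patch, reads only the fact — this looks like an expectation that the fact re-evaluates per task, which set_fact values do not. Since set_fact values also outrank task `vars`, the simpler shape is to drop the set_fact task and let the `.system_scope` task pass the switch itself, `vars:` / `_not_openrc_system_scope: true`, which selects the `OS_SYSTEM_SCOPE=all` branch. The task name `Create project scoped openrc file` contradicts its `dest: "{{ openrc_file_dest }}.system_scope"` and the release note; `Create system scoped openrc file` fits. Whether the pre-existing openrc task just above this hunk renders before any fact is set is outside the hunk and worth confirming.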
@@ -3,12 +3,16 @@ clouds:
 default:
 auth:
 auth_url: {{ openrc_os_auth_url }}
+{% if openrc_system_scope | default(false) | bool %}
+ system_scope: all
+{% else %}
 project_name: {{ openrc_os_tenant_name }}
 tenant_name: {{ openrc_os_tenant_name }}
+ project_domain_name: {{ openrc_os_domain_name }}
+{% endif %}
 username: {{ openrc_os_username }}
 password: {{ openrc_os_password }}
 user_domain_name: {{ openrc_os_domain_name }}
- project_domain_name: {{ openrc_os_domain_name }}
 region_name: {{ openrc_region_name }}
 interface: {{ openrc_clouds_yml_interface }}
 {% if openrc_os_auth_url.endswith('v2.0') %}
@@ -20,3 +24,25 @@ clouds:
 verify: false
 insecure: true
 {% endif %}
+{% if openrc_system_scope | default(false) | bool %}
+ default_project_scope:
+ auth:
+ auth_url: {{ openrc_os_auth_url }}
+ project_name: {{ openrc_os_tenant_name }}
+ tenant_name: {{ openrc_os_tenant_name }}
+ project_domain_name: {{ openrc_os_domain_name }}
+ username: {{ openrc_os_username }}
+ password: {{ openrc_os_password }}
+ user_domain_name: {{ openrc_os_domain_name }}
+ region_name: {{ openrc_region_name }}
+ interface: {{ openrc_clouds_yml_interface }}
+{% if openrc_os_auth_url.endswith('v2.0') %}
+ identity_api_version: "2.0"
+{% else %}
+ identity_api_version: "3"
+{% endif %}
+{% if openrc_insecure | bool %}
+ verify: false
+ insecure: true
+{% endif %}
+{% endif %}
diff --git a/templates/openrc.j2 b/templates/openrc.j2
index 05d2409..55a108d 100644
--- a/templates/openrc.j2
+++ b/templates/openrc.j2
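Review bot: With `openrc_system_scope` true the `default` entry silently changes meaning for every existing consumer of this clouds.yaml, since project-bound API calls reject a system-scoped token, and nothing in the rendered file says so; a Jinja comment above the first `{% if %}` would help, e.g. `{# When openrc_system_scope is true the default cloud is system scoped; project scoped credentials live in default_project_scope #}`. The release note in this commit describes the swap, but a reader of the template or of the generated file only sees the if/else. As a point of style, the second hunk repeats the whole `default` entry except for the three scope keys, so the identity_api_version and `openrc_insecure` handling now live in two places; a macro taking the cloud name and a system-scoped flag would keep them in one. Both hunks are complete within this patch.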
@@ -15,13 +15,17 @@ export OS_ENDPOINT_TYPE={{ openrc_os_endpoint_type }}
 export OS_INTERFACE={{ openrc_os_endpoint_type }}
 export OS_USERNAME={{ openrc_os_username }}
 export OS_PASSWORD='{{ openrc_os_password }}'
+{% if not _not_openrc_system_scope | default(false) | bool %}
 export OS_PROJECT_NAME={{ openrc_os_tenant_name }}
 export OS_TENANT_NAME={{ openrc_os_tenant_name }}
+export OS_PROJECT_DOMAIN_NAME={{ openrc_os_domain_name }}
+{% else %}
+export OS_SYSTEM_SCOPE=all
+{% endif %}
 export OS_AUTH_TYPE={{ openrc_os_auth_type }}
 export OS_AUTH_URL={{ openrc_os_auth_url }}
 export OS_NO_CACHE=1
 export OS_USER_DOMAIN_NAME={{ openrc_os_domain_name }}
-export OS_PROJECT_DOMAIN_NAME={{ openrc_os_domain_name }}
 export OS_REGION_NAME={{ openrc_region_name }}
 
 # For openstackclient
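Review bot: `{% if not _not_openrc_system_scope | default(false) | bool %}` is a double negative on a variable whose name is itself a negation, and since the filters bind before `not` it reads as `not (fact | default(false) | bool)` — project scope whenever the fact is unset or falsy, which is right for the plain openrc but hard to verify by eye and easy to invert on the next edit. A positively named switch supplied by the task would read directly, e.g. `{% if openrc_render_system_scope | default(false) | bool %}` (a suggested name) with the two branches swapped, and a comment such as `{# Project scope is the default; the .system_scope file is rendered with the switch set #}` above it. Whatever the name, the variable's value should be set by the task that renders the `.system_scope` file rather than by a fact computed once, since the same template is rendered twice with different intent.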