Adding support of system scoped openrc and clouds.yaml

Change-Id: Iff5a0892d812601c0fa3fd549b7f00a468cfdd97
Closes-Bug: 1903656

defaults/main.yml

@@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+## Use System Scope Authentication
+openrc_system_scope: false
+
 ## Endpoint types
 openrc_cinder_endpoint_type: internalURL
 openrc_nova_endpoint_type: internalURL
@@ -32,8 +35,9 @@ openrc_os_domain_name: Default
 openrc_insecure: >-
   {{ (keystone_service_adminuri_insecure | default(false) | bool or
       keystone_service_internaluri_insecure | default(false) | bool) }}
-## Create openrc file
+## Create openrc file(s)
 openrc_file_dest: "{{ ansible_env.HOME }}/openrc"
+openrc_system_file_dest: "{{ openrc_file_dest | dirname }}/openrc.system_scope"
 openrc_file_owner: "{{ ansible_user_id }}"
 openrc_file_group: "{{ ansible_user_id }}"
 openrc_file_mode: "0600"

releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    The role now supports creating system scoped credentials alongside
+    project scoped credentials. The default behavior of the role did not
+    changed, until ``openrc_system_scope`` variable was set to ``true``.
+    If the ``openrc_system_scope`` is ``true`` the default cloud in
+    clouds.yaml will set to system scoped credentials and another credentials
+    named ``default_project_scope`` will get created with project scoped
+    credentials. Due to usage of openrc file in other roles, the opposite
+    logic applies to openrc files, which means if ``openrc_system_scope``
+    is set to ``true`` the credentials in openrc will set to project scoped
+    credentials and another openrc filec named ``openrc.system_scope`` will
+    get created with system scoped credentials and will be placed in
+    destination of ``openrc_system_file_dest`` variable.

tasks/main.yml

@@ -15,13 +15,22 @@
 
 - name: Create openrc file
   template:
-    src: openrc.j2
-    dest: "{{ openrc_file_dest }}"
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     owner: "{{ openrc_file_owner }}"
     group: "{{ openrc_file_group }}"
     mode: "{{ openrc_file_mode }}"
   tags:
     - openstack_openrc-config
+  with_items:
+    - project_scoped_openrc:
+      src: openrc.j2
+      dest: "{{ openrc_file_dest }}"
+    - system_scoped_openrc:
+      src: openrc-system-scope.j2
+      dest: "{{ openrc_system_file_dest }}"
+      condition: "{{ openrc_system_scope | default(false) | bool }}"
+  when: item.condition | default(True)
 
 - name: Create OpenStack client configuration directory
   file:

templates/clouds.yaml.j2

@@ -3,12 +3,16 @@ clouds:
   default:
     auth:
       auth_url: {{ openrc_os_auth_url }}
+{% if openrc_system_scope | default(false) | bool %}
+      system_scope: all
+{% else %}
       project_name: {{ openrc_os_tenant_name }}
       tenant_name: {{ openrc_os_tenant_name }}
+      project_domain_name: {{ openrc_os_domain_name }}
+{% endif %}
       username: {{ openrc_os_username }}
       password: {{ openrc_os_password }}
       user_domain_name: {{ openrc_os_domain_name }}
-      project_domain_name: {{ openrc_os_domain_name }}
     region_name: {{ openrc_region_name }}
     interface: {{ openrc_clouds_yml_interface }}
 {% if openrc_os_auth_url.endswith('v2.0') %}
@@ -20,3 +24,25 @@ clouds:
     verify: false
     insecure: true
 {% endif %}
+{% if openrc_system_scope | default(false) | bool %}
+  default_project_scope:
+    auth:
+      auth_url: {{ openrc_os_auth_url }}
+      project_name: {{ openrc_os_tenant_name }}
+      tenant_name: {{ openrc_os_tenant_name }}
+      project_domain_name: {{ openrc_os_domain_name }}
+      username: {{ openrc_os_username }}
+      password: {{ openrc_os_password }}
+      user_domain_name: {{ openrc_os_domain_name }}
+    region_name: {{ openrc_region_name }}
+    interface: {{ openrc_clouds_yml_interface }}
+{% if openrc_os_auth_url.endswith('v2.0') %}
+    identity_api_version: "2.0"
+{% else %}
+    identity_api_version: "3"
+{% endif %}
+{% if openrc_insecure | bool %}
+    verify: false
+    insecure: true
+{% endif %}
+{% endif %}

templates/openrc-system-scope.j2

@@ -0,0 +1,48 @@
+# {{ ansible_managed }}
+export LC_ALL={{ openrc_locale }}
+
+# COMMON CINDER ENVS
+export CINDER_ENDPOINT_TYPE={{ openrc_cinder_endpoint_type }}
+
+# COMMON NOVA ENVS
+export NOVA_ENDPOINT_TYPE={{ openrc_nova_endpoint_type }}
+
+# COMMON MANILA ENVS
+export OS_MANILA_ENDPOINT_TYPE={{ openrc_manila_endpoint_type }}
+
+# COMMON OPENSTACK ENVS
+export OS_ENDPOINT_TYPE={{ openrc_os_endpoint_type }}
+export OS_INTERFACE={{ openrc_os_endpoint_type }}
+export OS_USERNAME={{ openrc_os_username }}
+export OS_PASSWORD='{{ openrc_os_password }}'
+export OS_AUTH_TYPE={{ openrc_os_auth_type }}
+export OS_AUTH_URL={{ openrc_os_auth_url }}
+export OS_NO_CACHE=1
+export OS_USER_DOMAIN_NAME={{ openrc_os_domain_name }}
+export OS_REGION_NAME={{ openrc_region_name }}
+export OS_SYSTEM_SCOPE=all
+
+# For openstackclient
+{% if openrc_os_auth_url.endswith('v2.0') %}
+export OS_IDENTITY_API_VERSION=2.0
+export OS_AUTH_VERSION=2
+{% else %}
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_VERSION=3
+{% endif %}
+
+{% if openrc_insecure | bool %}
+export OS_INSECURE='true'
+export OS_VERIFY='false'
+# Convenience Aliases for Self-Signed Certs
+alias cinder='cinder --insecure'
+alias glance='glance --insecure'
+alias heat='heat --insecure'
+alias keystone='keystone --insecure'
+alias neutron='neutron --insecure'
+alias nova='nova --insecure'
+alias openstack='openstack --insecure'
+alias swift='swift --insecure'
+alias tacker='tacker --insecure'
+alias manila='manila --insecure'
+{% endif %}