Merge "Move heat domain setup into service setup tasks"

2018-10-09 18:40:32 +00:00 · 2018-10-09 18:40:32 +00:00 · e54f13fd4c
parent 67d4a3d7c7 d8f75b802f
commit e54f13fd4c
3 changed files with 62 additions and 108 deletions
--- a/tasks/heat_domain_setup.yml
+++ b/tasks/heat_domain_setup.yml
@ -1,83 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This is the role assigned to users created within Heat stacks themselves
- name: Ensure heat_stack_user role
-  keystone:
-    command: ensure_role
-    role_name: "heat_stack_user"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  no_log: True
-
- name: Ensure heat domain
-  keystone:
-    command: ensure_domain
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  no_log: True
-
- name: Ensure heat project
-  keystone:
-    command: ensure_project
-    project_name: "{{ heat_project_name }}"
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  no_log: True
-
- name: Ensure heat user
-  keystone:
-    command: "ensure_user"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ heat_stack_domain_admin }}"
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    password: "{{ heat_stack_domain_admin_password }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-
- name: Ensure heat role
-  keystone:
-    command: "ensure_user_role"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ heat_stack_domain_admin }}"
-    role_name: "{{ keystone_role_name | default('admin') }}"
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
--- a/tasks/heat_service_setup.yml
+++ b/tasks/heat_service_setup.yml
@ -47,14 +47,55 @@
      loop_control:
        label: "{{ item.name }}"

-    - name: Add service user
+    - name: Add owner/user roles
+      os_keystone_role:
+        cloud: default
+        state: present
+        name: "{{ item }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not heat_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - "{{ heat_stack_owner_name }}"
+        - "heat_stack_user"
+
+    - name: Add stack user domain
+      os_keystone_domain:
+        cloud: default
+        state: present
+        name: "{{ heat_stack_user_domain_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_stack_user_domain
+      until: add_stack_user_domain is success
+      retries: 5
+      delay: 10
+
+    - name: Add heat project
+      os_project:
+        cloud: default
+        state: present
+        name: "{{ heat_project_name }}"
+        domain_id: "{{ heat_project_domain_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_project
+      until: add_project is success
+      retries: 5
+      delay: 10
+
+    - name: Add service/heat user
      os_user:
        cloud: default
        state: present
-        name: "{{ heat_service_user_name }}"
-        password: "{{ heat_service_password }}"
-        domain: default
-        default_project: "{{ heat_service_project_name }}"
+        name: "{{ item.name }}"
+        password: "{{ item.password }}"
+        domain: "{{ item.domain }}"
+        default_project: "{{ item.default_project }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      register: add_service
@ -63,19 +104,15 @@
      retries: 5
      delay: 10
      no_log: True
-
-    - name: Ensure stack_owner role
-      os_keystone_role:
-        cloud: default
-        state: present
-        name: "{{ heat_stack_owner_name }}"
-        endpoint_type: admin
-        verify: "{{ not keystone_service_adminuri_insecure }}"
-      register: add_service
-      when: not heat_service_in_ldap | bool
-      until: add_service is success
-      retries: 5
-      delay: 10
+      with_items:
+        - name: "{{ heat_service_user_name }}"
+          password: "{{ heat_service_password }}"
+          domain: default
+          default_project: "{{ heat_service_project_name }}"
+        - name: "{{ heat_stack_domain_admin }}"
+          password: "{{ heat_stack_domain_admin_password }}"
+          domain: "{{ heat_stack_user_domain_name }}"
+          default_project: "{{ heat_project_name }}"

    - name: Add service user to roles
      os_user_role:
@ -83,7 +120,7 @@
        state: present
        user: "{{ item.user }}"
        role: "{{ item.role }}"
-        project: "{{ heat_service_project_name }}"
+        project: "{{ item.project }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      register: add_service
@ -94,14 +131,20 @@
      with_items:
        - user: "{{ heat_service_user_name }}"
          role: "{{ heat_service_role_name }}"
+          project: "{{ heat_service_project_name }}"
        # We add the keystone role used by heat to delegate to the heat service user
        # for performing deferred operations via trusts.
        - user: "{{ heat_service_user_name }}"
          role: "{{ heat_stack_owner_name }}"
+          project: "{{ heat_service_project_name }}"
        # Any user creating stacks needs to have the 'heat_stack_owner' role assigned.
        # We add to admin user here for testing purposes.
        - user: "{{ keystone_admin_user_name }}"
          role: "{{ heat_stack_owner_name }}"
+          project: "{{ heat_service_project_name }}"
+        - user: "{{ heat_stack_domain_admin }}"
+          role: "{{ keystone_role_name | default('admin') }}"
+          project: "{{ heat_project_name }}"

    - name: Add endpoints to keystone endpoint catalog
      os_keystone_endpoint:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -87,12 +87,6 @@
    - heat-config
    - systemd-service

- include_tasks: heat_domain_setup.yml
-  when:
-    - "inventory_hostname == ansible_play_hosts[0]"
-  tags:
-    - heat-config
-
 - import_tasks: mq_setup.yml
  when:
    - "heat_services['heat-api']['group'] in group_names"