Keystone: Member role fixes

This PS makes the initial Keystone Admin and Service account users
members of the projects that they are in.

Change-Id: I2de081a216b7e7b99d301ab605c84d882cdb5840

heat/templates/configmap-etc.yaml

@@ -51,6 +51,10 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path | set .Values.conf.heat.clients_keystone.heat.common.config "auth_uri" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.heat.trustee.heat.common.context.auth_url -}}
+{{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path | set .Values.conf.heat.trustee.heat.common.context "auth_url" | quote | trunc 0 -}}
+{{- end -}}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:

heat/values.yaml

@@ -105,7 +105,7 @@ conf:
             stack_domain_admin: heat-domain
             stack_domain_admin_password: password
             num_engine_workers: 4
-            trusts_delegated_roles: Member
+            trusts_delegated_roles: _member_
     keystone_authtoken:
       keystonemiddleware:
         auth_token:
@@ -121,11 +121,15 @@ conf:
       heat:
         common:
           context:
+            auth_section: trustee
+            auth_type: password
             password: password
             user_domain_name: default
             username: heat-trust
             project_domain_name: default
             project_name: service
+            region_name: RegionOne
+            auth_version: v3
     heat_api:
       heat:
         common:

helm-toolkit/templates/scripts/_ks-user.sh.tpl

@@ -54,21 +54,30 @@ USER_ID=$(openstack user create --or-show --enable -f value -c id \
 # Display user
 openstack user show "${USER_ID}"
 
-# Manage user role
-USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+function ks_assign_user_role () {
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+      --project-domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+
+  # Display user role assignment
+  openstack role assignment list \
+      --role="${USER_ROLE_ID}" \
+      --user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+      --user="${USER_ID}"
+}
+
+# Manage user service role
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
     "${SERVICE_OS_ROLE}");
+ks_assign_user_role
 
-# Manage user role assignment
-openstack role add \
-    --user="${USER_ID}" \
-    --user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
-    --project-domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
-    --project="${USER_PROJECT_ID}" \
-    "${USER_ROLE_ID}"
-
-# Display user role assignment
-openstack role assignment list \
-    --role="${SERVICE_OS_ROLE}" \
-    --user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
-    --user="${USER_ID}"
+# Manage user member role
+: ${MEMBER_OS_ROLE:="_member_"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
 {{- end }}

keystone/values.yaml

@@ -58,8 +58,14 @@ keystone:
   admin_project_domain: default
 
 bootstrap:
-  enabled: false
-  script: null
+  enabled: true
+  script: |
+    openstack role add \
+          --user="${OS_USERNAME}" \
+          --user-domain="${OS_USER_DOMAIN_NAME}" \
+          --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
+          --project="${OS_PROJECT_NAME}" \
+          "_member_"
 
 network:
   api: