Enable _member_ role for undercloud install.

During upgrade, as we don't use instack_undercloud anymore, we missing
the _member_ role to the admin user.

This creates the necessary hooks in tht to have the member role
created during upgrade (and install for that matter).

This passes on the keystone_enable_member to puppet-tripleo, but it
needs a patch there as well for this mechanism to fully work.

Change-Id: I2319ed876eba7f21c0e80444bf78ca080fef252a
Depends-On: https://review.openstack.org/611919
Partial-Bug: #1799177
(cherry picked from commit 1c64c2c07b)

environments/undercloud.yaml

@@ -39,6 +39,7 @@ parameter_defaults:
   KernelIpForward: 1
   KernelIpNonLocalBind: 1
   KeystoneCorsAllowedOrigin: '*'
+  KeystoneEnableMember: true
   # Increase the Token expiration time until we fix the actual session bug:
   # https://bugs.launchpad.net/tripleo/+bug/1761050
   TokenExpiration: 14400

puppet/services/keystone.yaml

@@ -286,6 +286,10 @@ parameters:
     default: ''
     description: Indicate whether this resource may be shared with the domain received in the request
                  "origin" header.
+  KeystoneEnableMember:
+    description: Create the _member_ role, useful for undercloud deployment.
+    type: boolean
+    default: False
 
 parameter_groups:
 - label: deprecated
@@ -343,6 +347,7 @@ outputs:
             - cors_allowed_origin_unset
             - {}
             - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
+          - keystone_enable_member: {get_param: KeystoneEnableMember}
           - keystone::database_connection:
               make_url:
                 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}