Add a cloud profile for system-admins

Keystone's bootstrap process will create administrative role assignments
for the admin user on an admin project. It will also do this for system
role assignments.

Let's create a cloud profile specifically for system-scoped access. This
will be useful as we adopt more secure RBAC personas and convert tripleo
plumbing to interact with administrative APIs using system-scoped tokens
(as more projects adopt system-admin).

Change-Id: I3471dd1da3ea8987ae6dcb25a7e5fbc0b573e89b

deployment/keystone/keystone-container-puppet.yaml

@@ -779,6 +779,31 @@ outputs:
                   identity_api_version: '3'
                   volume_api_version: '3'
                   region_name: {get_param: KeystoneRegion}
+            - name: Configure system admin account in /etc/openstack/clouds.yaml
+              include_role:
+                name: tripleo_keystone_resources
+                tasks_from: clouds
+              vars:
+                tripleo_keystone_resources_cloud_name:
+                  list_join:
+                  - '-'
+                  - - {get_param: RootStackName}
+                    - 'system-admin'
+                tripleo_keystone_resources_cloud_config:
+                  auth:
+                    auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+                    password: {get_param: AdminPassword}
+                    system_scope: all
+                    user_domain_name: Default
+                    username: admin
+                  cacert:
+                    if:
+                      - public_tls_enabled
+                      - {get_param: PublicTLSCAFile}
+                      - ''
+                  identity_api_version: '3'
+                  volume_api_version: '3'
+                  region_name: {get_param: KeystoneRegion}
         - name: Manage Keystone resources
           become: true
           when: