Allow tripleo-admin creation both for Nova-managed and split-stack

When we deploy with split-stack, we can no longer count on the
heat-admin user existing, as all the methods that we currently use to
create it depend on provisioning overcloud with Nova.

Previously the ssh access on the overcloud for administrative
tasks (manual vs. automated) was as follows for the two deployment
scenarios (Nova+Ironic vs. Split Stack):

+-----------+---------------+------------------+
|           | Nova + Ironic | Split Stack      |
+-----------+---------------+------------------+
| manual    | heat-admin    | (differs by env) |
+-----------+---------------+------------------+
| automated | heat-admin    | N/A              |
+-----------+---------------+------------------+

With this patch we'd start moving towards:

+-----------+---------------+------------------+
|           | Nova + Ironic | Split Stack      |
+-----------+---------------+------------------+
| manual    | heat-admin    | (differs by env) |
+-----------+---------------+------------------+
| automated | tripleo-admin | tripleo-admin    |
+-----------+---------------+------------------+

I haven't reused the heat-admin name, as that is discontinued even in
Heat, and using this name would be confusing, because our usage of the
admin user has nothing to do with Heat really. We just originally
reused heat-admin for validations because it already existed. (Should
anyone wish to keep using heat-admin also for Mistral automated tasks,
they can set overcloud_admin parameter of the workflow.)

By default the new workflow initializes the tripleo-admin user the
Nova way, and no parameters are required. However, when the workflow
gets ssh_user, ssh_private_key, and ssh_servers parameters, it does
the initialization using the provided ssh connection instead of trying
to look up servers in Nova. This makes it possible to use the workflow
for Split Stack environments too.

Closes-Bug: #1708180
Change-Id: Ibe8e54f7b38d8c6c8d944d2b13f0eed004c34c4c

workbooks/access.yaml

@@ -0,0 +1,130 @@
+---
+version: '2.0'
+name: tripleo.access.v1
+description: TripleO administration access workflows
+
+workflows:
+
+  enable_ssh_admin:
+    description: >-
+      This workflow creates an admin user on the overcloud nodes,
+      which can then be used for connecting for automated
+      administrative or deployment tasks, e.g. via Ansible. The
+      workflow can be used both for Nova-managed and split-stack
+      deployments, assuming the correct input values are passed
+      in. The workflow defaults to Nova-managed approach, for which no
+      additional parameters need to be supplied. In case of
+      split-stack, temporary ssh connection details (user, key, list
+      of servers) need to be provided -- these are only used
+      temporarily to create the actual ssh admin user for use by
+      Mistral.
+    input:
+      - ssh_private_key: null
+      - ssh_user: null
+      - ssh_servers: []
+      - overcloud_admin: tripleo-admin
+      - queue_name: tripleo
+    tasks:
+      get_pubkey:
+        action: tripleo.validations.get_pubkey
+        on-success: generate_playbook
+        publish:
+          pubkey: <% task(get_pubkey).result %>
+
+      generate_playbook:
+        on-success:
+          - create_admin_via_nova: <% $.ssh_private_key = null %>
+          - create_admin_via_ssh: <% $.ssh_private_key != null %>
+        publish:
+          create_admin_tasks:
+            - name: create user <% $.overcloud_admin %>
+              user:
+                name: '<% $.overcloud_admin %>'
+            - name: grant admin rights to user <% $.overcloud_admin %>
+              copy:
+                dest: /etc/sudoers.d/<% $.overcloud_admin %>
+                content: |
+                  <% $.overcloud_admin %> ALL=(ALL) NOPASSWD:ALL
+                mode: 0440
+            - name: ensure .ssh dir exists for user <% $.overcloud_admin %>
+              file:
+                path: /home/<% $.overcloud_admin %>/.ssh
+                state: directory
+                owner: <% $.overcloud_admin %>
+                group: <% $.overcloud_admin %>
+                mode: 0700
+            - name: ensure authorized_keys file exists for user <% $.overcloud_admin %>
+              file:
+                path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys
+                state: touch
+                owner: <% $.overcloud_admin %>
+                group: <% $.overcloud_admin %>
+                mode: 0700
+            - name: authorize TripleO Mistral key for user <% $.overcloud_admin %>
+              lineinfile:
+                path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys
+                line: <% $.pubkey %>
+                regexp: "Generated by TripleO"
+
+      # Nova variant
+      create_admin_via_nova:
+        workflow: tripleo.access.v1.create_admin_via_nova
+        input:
+          queue_name: <% $.queue_name %>
+          tasks: <% $.create_admin_tasks %>
+
+      # SSH variant
+      create_admin_via_ssh:
+        workflow: tripleo.access.v1.create_admin_via_ssh
+        input:
+          ssh_private_key: <% $.ssh_private_key %>
+          ssh_user: <% $.ssh_user %>
+          ssh_servers: <% $.ssh_servers %>
+          tasks: <% $.create_admin_tasks %>
+
+  create_admin_via_nova:
+    input:
+      - tasks
+      - queue_name: tripleo
+    tasks:
+      get_servers:
+        action: nova.servers_list
+        on-success: create_admin
+        publish:
+          servers: <% task(get_servers).result._info %>
+
+      create_admin:
+        workflow: tripleo.deployment.v1.deploy_on_server
+        with-items: server in <% $.servers %>
+        input:
+          server_name: <% $.server.name %>
+          server_uuid: <% $.server.id %>
+          queue_name: <% $.queue_name %>
+          config_name: create_admin
+          group: ansible
+          config: |
+            - hosts: localhost
+              connection: local
+              tasks: <% json_pp($.tasks) %>
+
+  create_admin_via_ssh:
+    input:
+      - tasks
+      - ssh_private_key
+      - ssh_user
+      - ssh_servers
+    tasks:
+      write_tmp_playbook:
+        action: tripleo.ansible-playbook
+        input:
+          inventory:
+            overcloud:
+              hosts: <% $.ssh_servers.toDict($, {}) %>
+          remote_user: <% $.ssh_user %>
+          ssh_private_key: <% $.ssh_private_key %>
+          ssh_common_args: '-o StrictHostKeyChecking=no'
+          become: true
+          become_user: root
+          playbook:
+            - hosts: overcloud
+              tasks: <% $.tasks %>

workbooks/ceph-ansible.yaml

@@ -11,8 +11,8 @@ workflows:
       - ceph_ansible_extra_vars: {}
       - ceph_ansible_playbook: /usr/share/ceph-ansible/site-docker.yml.sample
     tasks:
-      deploy_ssh_key:
-        workflow: tripleo.validations.v1.copy_ssh_key
+      enable_ssh_admin:
+        workflow: tripleo.access.v1.enable_ssh_admin
         on-success: get_private_key
       get_private_key:
         action: tripleo.validations.get_privkey
@@ -64,7 +64,7 @@ workflows:
             clients:
               hosts: <% $.client_ips.toDict($, {}) %>
           playbook: <% $.ceph_ansible_playbook %>
-          remote_user: heat-admin
+          remote_user: tripleo-admin
           become: true
           become_user: root
           verbosity: <% $.ansible_playbook_verbosity %>

workbooks/validations.yaml

@@ -220,6 +220,9 @@ workflows:
 
   copy_ssh_key:
     input:
+      # FIXME: we should stop using heat-admin as e.g. split-stack
+      # environments (where Nova didn't create overcloud nodes) don't
+      # have it present
       - overcloud_admin: heat-admin
       - queue_name: tripleo
     tasks: