From fdc640ddcbc13de17609005f4ca34cc4067cd5f8 Mon Sep 17 00:00:00 2001
From: siavashsardari
Date: Tue, 10 Nov 2020 11:46:22 +0330
Subject: [PATCH] Adding support of system scoped openrc and clouds.yaml
Change-Id: Iff5a0892d812601c0fa3fd549b7f00a468cfdd97
Closes-Bug: 1903656
---
 defaults/main.yml | 6 ++-
 ...system_scope_support-ab364c1725e2506e.yaml | 15 ++++++
 tasks/main.yml | 13 ++++-
 templates/clouds.yaml.j2 | 28 ++++++++++-
 templates/openrc-system-scope.j2 | 48 +++++++++++++++++++
 5 files changed, 106 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
 create mode 100644 templates/openrc-system-scope.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 7bbd899..95ee6fd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+## Use System Scope Authentication
+openrc_system_scope: false
+
 ## Endpoint types
 openrc_cinder_endpoint_type: internalURL
 openrc_nova_endpoint_type: internalURL
@@ -32,8 +35,9 @@ openrc_os_domain_name: Default
 openrc_insecure: >- {{ (keystone_service_adminuri_insecure | default(false) | bool or keystone_service_internaluri_insecure | default(false) | bool) }}
-## Create openrc file
+## Create openrc file(s)
 openrc_file_dest: "{{ ansible_env.HOME }}/openrc"
+openrc_system_file_dest: "{{ openrc_file_dest | dirname }}/openrc.system_scope"
 openrc_file_owner: "{{ ansible_user_id }}"
 openrc_file_group: "{{ ansible_user_id }}"
 openrc_file_mode: "0600"
diff --git a/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml b/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
new file mode 100644
index 0000000..15162a7
--- /dev/null
+++ b/releasenotes/notes/system_scope_support-ab364c1725e2506e.yaml
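Review bot: The comment on the new `openrc_system_scope` variable in the first hunk, `## Use System Scope Authentication`, does not say that the flag changes clouds.yaml and the openrc files in opposite directions, which is the behaviour the release note in this commit describes and the thing an operator is most likely to get wrong with a cloud-wide credential. I would expand it to `## When true, the 'default' cloud in clouds.yaml becomes system scoped (a project scoped` / `## 'default_project_scope' entry is added), while openrc stays project scoped and a second` / `## system scoped file is written to openrc_system_file_dest.` The second hunk's `openrc_system_file_dest` would also benefit from a line noting that it is written with the same `openrc_file_owner`/`openrc_file_group`/`openrc_file_mode` as the project scoped file, since in tasks/main.yml those variables now govern both files.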
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ The role now supports creating system scoped credentials alongside
+ project scoped credentials. The default behavior of the role did not
+ changed, until ``openrc_system_scope`` variable was set to ``true``.
+ If the ``openrc_system_scope`` is ``true`` the default cloud in
+ clouds.yaml will set to system scoped credentials and another credentials
+ named ``default_project_scope`` will get created with project scoped
+ credentials. Due to usage of openrc file in other roles, the opposite
+ logic applies to openrc files, which means if ``openrc_system_scope``
+ is set to ``true`` the credentials in openrc will set to project scoped
+ credentials and another openrc filec named ``openrc.system_scope`` will
+ get created with system scoped credentials and will be placed in
+ destination of ``openrc_system_file_dest`` variable.
diff --git a/tasks/main.yml b/tasks/main.yml
index 71341cd..0fd677c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,13 +15,22 @@
 - name: Create openrc file
 template:
- src: openrc.j2
- dest: "{{ openrc_file_dest }}"
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
 owner: "{{ openrc_file_owner }}"
 group: "{{ openrc_file_group }}"
 mode: "{{ openrc_file_mode }}"
 tags:
 - openstack_openrc-config
+ with_items:
+ - project_scoped_openrc:
+ src: openrc.j2
+ dest: "{{ openrc_file_dest }}"
+ - system_scoped_openrc:
+ src: openrc-system-scope.j2
+ dest: "{{ openrc_system_file_dest }}"
+ condition: "{{ openrc_system_scope | default(false) | bool }}"
+ when: item.condition | default(True)
 - name: Create OpenStack client configuration directory
 file:
diff --git a/templates/clouds.yaml.j2 b/templates/clouds.yaml.j2
index b5bb526..5c418b6 100644
--- a/templates/clouds.yaml.j2
+++ b/templates/clouds.yaml.j2
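Review bot: The loop items in the new `with_items` list use `project_scoped_openrc:` and `system_scoped_openrc:` as bare keys with no value, so they only work as labels if `src`/`dest` are sibling keys of that null-valued entry; the collapsed hunk does not show the indentation, and if they were nested one level deeper `item.src` would be undefined. A plain `name` key is clearer and survives re-indentation: `- name: project_scoped_openrc` and `- name: system_scoped_openrc` in place of the bare keys, with `loop_control:` / `label: "{{ item.name }}"` so the task output names the file instead of printing the whole item. The task name `Create openrc file` now writes up to two files and could say so. The `when: item.condition | default(True)` guard is fine as written, since `condition` is only set on the system scoped item.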
@@ -3,12 +3,16 @@ clouds:
 default:
 auth:
 auth_url: {{ openrc_os_auth_url }}
+{% if openrc_system_scope | default(false) | bool %}
+ system_scope: all
+{% else %}
 project_name: {{ openrc_os_tenant_name }}
 tenant_name: {{ openrc_os_tenant_name }}
+ project_domain_name: {{ openrc_os_domain_name }}
+{% endif %}
 username: {{ openrc_os_username }}
 password: {{ openrc_os_password }}
 user_domain_name: {{ openrc_os_domain_name }}
- project_domain_name: {{ openrc_os_domain_name }}
 region_name: {{ openrc_region_name }}
 interface: {{ openrc_clouds_yml_interface }}
 {% if openrc_os_auth_url.endswith('v2.0') %}
@@ -20,3 +24,25 @@ clouds:
 verify: false
 insecure: true
 {% endif %}
+{% if openrc_system_scope | default(false) | bool %}
+ default_project_scope:
+ auth:
+ auth_url: {{ openrc_os_auth_url }}
+ project_name: {{ openrc_os_tenant_name }}
+ tenant_name: {{ openrc_os_tenant_name }}
+ project_domain_name: {{ openrc_os_domain_name }}
+ username: {{ openrc_os_username }}
+ password: {{ openrc_os_password }}
+ user_domain_name: {{ openrc_os_domain_name }}
+ region_name: {{ openrc_region_name }}
+ interface: {{ openrc_clouds_yml_interface }}
+{% if openrc_os_auth_url.endswith('v2.0') %}
+ identity_api_version: "2.0"
+{% else %}
+ identity_api_version: "3"
+{% endif %}
+{% if openrc_insecure | bool %}
+ verify: false
+ insecure: true
+{% endif %}
+{% endif %}
diff --git a/templates/openrc-system-scope.j2 b/templates/openrc-system-scope.j2
new file mode 100644
index 0000000..8313404
--- /dev/null
+++ b/templates/openrc-system-scope.j2
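Review bot: `password: {{ openrc_os_password }}` in the new `default_project_scope` entry (second hunk) emits the secret as an unquoted YAML scalar, so a password that starts with `*`, `&`, `#`, `{`, `[` or a quote, contains `: ` or ` #`, or looks like a number or boolean is mangled or makes clouds.yaml unparseable for every client that reads it; the existing `default` entry has the same shape, but this hunk copies it into new code. Rendering it as a JSON string, which is valid YAML, avoids that: `password: {{ openrc_os_password | to_json }}` (the same applies to `username`, `project_name` and `tenant_name`). In the first hunk, `system_scope: all` is still paired with `identity_api_version: "2.0"` when `openrc_os_auth_url` ends in `v2.0`, although system scope only exists in the v3 identity API, so the system-scope branch should either be restricted to v3 or carry a comment saying the v2 case is unsupported. The `default_project_scope` body duplicates `default` nearly line for line; a Jinja macro taking the scope as its argument would keep the two entries in step.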
@@ -0,0 +1,48 @@
+# {{ ansible_managed }}
+export LC_ALL={{ openrc_locale }}
+
+# COMMON CINDER ENVS
+export CINDER_ENDPOINT_TYPE={{ openrc_cinder_endpoint_type }}
+
+# COMMON NOVA ENVS
+export NOVA_ENDPOINT_TYPE={{ openrc_nova_endpoint_type }}
+
+# COMMON MANILA ENVS
+export OS_MANILA_ENDPOINT_TYPE={{ openrc_manila_endpoint_type }}
+
+# COMMON OPENSTACK ENVS
+export OS_ENDPOINT_TYPE={{ openrc_os_endpoint_type }}
+export OS_INTERFACE={{ openrc_os_endpoint_type }}
+export OS_USERNAME={{ openrc_os_username }}
+export OS_PASSWORD='{{ openrc_os_password }}'
+export OS_AUTH_TYPE={{ openrc_os_auth_type }}
+export OS_AUTH_URL={{ openrc_os_auth_url }}
+export OS_NO_CACHE=1
+export OS_USER_DOMAIN_NAME={{ openrc_os_domain_name }}
+export OS_REGION_NAME={{ openrc_region_name }}
+export OS_SYSTEM_SCOPE=all
+
+# For openstackclient
+{% if openrc_os_auth_url.endswith('v2.0') %}
+export OS_IDENTITY_API_VERSION=2.0
+export OS_AUTH_VERSION=2
+{% else %}
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_VERSION=3
+{% endif %}
+
+{% if openrc_insecure | bool %}
+export OS_INSECURE='true'
+export OS_VERIFY='false'
+# Convenience Aliases for Self-Signed Certs
+alias cinder='cinder --insecure'
+alias glance='glance --insecure'
+alias heat='heat --insecure'
+alias keystone='keystone --insecure'
+alias neutron='neutron --insecure'
+alias nova='nova --insecure'
+alias openstack='openstack --insecure'
+alias swift='swift --insecure'
+alias tacker='tacker --insecure'
+alias manila='manila --insecure'
+{% endif %}
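Review bot: `export OS_PASSWORD='{{ openrc_os_password }}'` wraps the secret in single quotes without escaping them, so a password containing `'` either aborts sourcing with a quoting error or leaves part of the value outside the quotes to be interpreted by the shell; Ansible's `quote` filter produces a correctly escaped shell word: `export OS_PASSWORD={{ openrc_os_password | quote }}`. The unquoted exports on the neighbouring lines (`OS_USERNAME`, `OS_AUTH_URL`, `OS_REGION_NAME`) are exposed to whitespace and shell metacharacters in the same way and would take the same filter. `OS_SYSTEM_SCOPE=all` is emitted even in the `v2.0` branch that sets `OS_IDENTITY_API_VERSION=2.0`, where system scope does not exist, so that branch deserves a comment or a guard. Since this file appears to differ from the project scoped openrc template only by `OS_SYSTEM_SCOPE=all` and the absent project variables, a shared include with a scope parameter would stop the two from drifting apart.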