Allow to create cloud.yaml with many clouds

This patch makes the bifrost-keystone-client-config role a bit more
generic to allow creating more that a single cloud configuration
setting.

The role is changed to accept a dict with possibly many clouds configurations,
and the template for clouds.yaml is changed accordingly.

This new functionality is used right away to add the keystone admin user
to the created clouds.yaml file to make the installed keystone usable
for admin-level operations (listing and editig users, projects, roles
and role assignments) - the name of the 'cloud' created is
'bifrost-admin'.

Change-Id: Icb274de989966645cd0f3874f8dff9d9f37d871b

playbooks/install.yaml

@@ -7,7 +7,22 @@
     - { role: bifrost-prep-for-install, when: skip_install is not defined }
     - bifrost-keystone-install
     - bifrost-ironic-install
-    - { role: bifrost-keystone-client-config, config_username: "{{ ironic.keystone.default_username }}", config_password: "{{ ironic.keystone.default_password }}", config_project_name: "baremetal", config_region_name: "{{ keystone.bootstrap.region_name }}", config_auth_url: "{{ keystone.bootstrap.public_url }}", user: "{{ ansible_env.SUDO_USER }}", when: enable_keystone is defined and enable_keystone | bool == true }
+    - role: bifrost-keystone-client-config
+      user: "{{ ansible_env.SUDO_USER }}"
+      clouds:
+        bifrost:
+          config_username: "{{ ironic.keystone.default_username }}"
+          config_password: "{{ ironic.keystone.default_password }}"
+          config_project_name: "baremetal"
+          config_region_name: "{{ keystone.bootstrap.region_name }}"
+          config_auth_url: "{{ keystone.bootstrap.public_url }}"
+        bifrost-admin:
+          config_username: "{{ keystone.bootstrap.username }}"
+          config_password: "{{ ironic.bootstrap.password }}"
+          config_project_name: "{{ keystone.bootstrap.project_name }}"
+          config_region_name: "{{ keystone.bootstrap.region_name }}"
+          config_auth_url: "{{ keystone.bootstrap.public_url }}"
+      when: enable_keystone is defined and enable_keystone | bool == true }
     - { role: bifrost-create-dib-image, dib_imagename: "{{ http_boot_folder }}/ipa", build_ramdisk: false, dib_os_element: "{{ ipa_dib_os_element|default('debian') }}", dib_elements: "ironic-agent {{ ipa_extra_dib_elements | default('') }}", when: create_ipa_image | bool == true }
     - { role: bifrost-create-dib-image, dib_imagename: "{{ deploy_image }}", dib_imagetype: "qcow2", dib_elements: "vm serial-console {{ dib_init_element|default('simple-init') }} {{ extra_dib_elements|default('') }}", when: create_image_via_dib | bool == true and transform_boot_image | bool == false }
   environment:

playbooks/roles/bifrost-keystone-client-config/README.md

@@ -12,24 +12,29 @@ None
 Role Variables
 --------------
 
-This role expects to be invoked with seven variables:
+This role expects to be invoked with two variables:
 
-- config_username
-- config_password
-- config_project_name
-- config_region_name
-- config_auth_url
 - user: Username of the user who will own the
          configuration file.
+- clouds: a dictionary with keys being names of the clouds to create in
+          clouds.yaml, and values are dictionaries of authentication
+          parameters for each cloud:
+    - config_username
+    - config_password
+    - config_project_name
+    - config_region_name
+    - config_auth_url
+    - config_project_domain_id (optional, defaults to 'default')
+    - config_user_domain_id (optional, defaults to 'default')
 
-Additionally, two optional variables exist, which when not defined
+Alternatively, for backward compatibility, the role can accept the above
-default to "default":
+`config_*` variables directly, but this is deprecated.
+In this case, a single cloud named 'bifrost' will be written.
 
-- config_project_domain_id
+The resulting clouds.yaml file will be created at
-- config_user_domain_id
-
-The resulting clouds.yaml file, will be created at
 ~{{user}}/.config/openstack/clouds.yaml.
+If several sets of cloud settings are written, they will be sorted by
+cloud name, in case-insensitive order.
 
 Notes
 -----
@@ -51,12 +56,20 @@ Example Playbook
   gather_facts: no
   roles:
     - role: bifrost-keystone-client-config
-      config_username: username
-      config_password: password
-      config_project_name: baremetal
-      config_region_name: RegionOne
-      config_auth_url: http://localhost:5000/v2.0/
       user: joe
+      clouds:
+        local-cloud-user:
+          config_username: username
+          config_password: password
+          config_project_name: baremetal
+          config_region_name: RegionOne
+          config_auth_url: http://localhost:5000
+        local-cloud-admin:
+          config_username: admin
+          config_password: verysecretpassword
+          config_project_name: admin
+          config_region_name: RegionOne
+          config_auth_url: http://localhost:5000
 
 License
 -------

playbooks/roles/bifrost-keystone-client-config/tasks/main.yml

@@ -11,6 +11,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
+- name: redefine cloud settings vars for backward compat
+  set_fact:
+    clouds:
+      bifrost:
+        config_username: "{{ config_username }}"
+        config_password: "{{ config_password }}"
+        config_project_name: "{{ config_project_name }}"
+        config_region_name: "{{ config_region_name }}"
+        config_auth_url: "{{ config_auth_url}}"
+        config_project_domain_id: "{{ config_project_domain_id|default('default') }}"
+        config_user_domain_id: "{{ config_user_domain_id|default('default') }}"
+  when:
+    - "{{ clouds is undefined }}"
+    - "{{ config_username is defined }}"
+    - "{{ config_password is defined }}"
+    - "{{ config_project_name is defined }}"
+    - "{{ config_region_name is defined }}"
+    - "{{ config_auth_url is defined }}"
+
 - name: "Ensure the ~/.config/openstack/ exists"
   file:
     name: "~{{ user | default('root') }}/.config/openstack"

playbooks/roles/bifrost-keystone-client-config/templates/clouds.yaml.j2

@@ -1,12 +1,14 @@
 # WARNING: This file is managed by bifrost.
 clouds:
-  bifrost:
+{% for cloud in clouds | default({}) | dictsort %}
-    region_name: {{ config_region_name }}
+  {{ cloud.0 }}:
+    region_name: {{ cloud.1.config_region_name }}
     auth:
-      username: {{ config_username }}
+      username: {{ cloud.1.config_username }}
-      password: {{ config_password }}
+      password: {{ cloud.1.config_password }}
-      project_name: {{ config_project_name }}
+      project_name: {{ cloud.1.config_project_name }}
-      auth_url: {{ config_auth_url }}
+      auth_url: {{ cloud.1.config_auth_url }}
-      project_domain_id: "{{ config_project_domain_id | default('default') }}"
+      project_domain_id: "{{ cloud.1.config_project_domain_id | default('default') }}"
-      user_domain_id: "{{ config_user_domain_id | default('default') }}"
+      user_domain_id: "{{ cloud.1.config_user_domain_id | default('default') }}"
     identity_api_version: "3"
+{% endfor %}

playbooks/test-bifrost.yaml

@@ -78,7 +78,16 @@
     # the ramdisk which causes ramdisk-image-create to believe it failed.
     - { role: bifrost-create-dib-image, dib_imagename: "{{ http_boot_folder }}/ipa", build_ramdisk: false, dib_os_element: "{{ ipa_dib_os_element|default('debian') }}", dib_os_release: "jessie", dib_elements: "ironic-agent {{ ipa_extra_dib_elements | default('') }}", when: create_ipa_image | bool == true }
     - { role: bifrost-create-dib-image, dib_imagetype: "qcow2", dib_imagename: "{{deploy_image}}", dib_os_element: "debian", dib_os_release: "jessie", dib_elements: "vm serial-console simple-init {{ extra_dib_elements|default('') }}", when: create_image_via_dib | bool == true and transform_boot_image | bool == false }
-    - { role: bifrost-keystone-client-config, config_username: "{{ ironic.keystone.default_username }}", config_password: "{{ ironic.keystone.default_password }}", config_project_name: "baremetal", config_region_name: "{{ keystone.bootstrap.region_name }}", config_auth_url: "{{ keystone.bootstrap.public_url }}", user: "{{ ansible_env.SUDO_USER }}", when: enable_keystone is defined and enable_keystone | bool == true }
+    - role: bifrost-keystone-client-config
+      user: "{{ ansible_env.SUDO_USER }}"
+      clouds:
+        bifrost:
+          config_username: "{{ ironic.keystone.default_username }}"
+          config_password: "{{ ironic.keystone.default_password }}"
+          config_project_name: "baremetal"
+          config_region_name: "{{ keystone.bootstrap.region_name }}"
+          config_auth_url: "{{ keystone.bootstrap.public_url }}"
+      when: "{{ enable_keystone is defined and enable_keystone | bool == true }}"
   environment:
     http_proxy: "{{ lookup('env','http_proxy') }}"
     https_proxy: "{{ lookup('env','https_proxy') }}"

releasenotes/notes/more-clouds-7c0fccf5701918d7.yaml

@@ -0,0 +1,21 @@
+---
+features:
+  - |
+    'bifrost-keystone-client-config' role can now write 'clouds.yaml' file
+    with several clouds settings. It starts to accept a single compound
+    variable 'clouds' that should contain a dict of
+    '<cloud-name>:<dict-of-cloud-settings>'.
+    Previous way of passing 'config_*' vars to the role is supported for
+    backward compatibility but is deprecated.
+
+    In addition to previous 'bifrost' cloud, the default 'install.yaml'
+    playbook now also writes 'bifrost-admin' cloud settings that contain
+    Keystone admin credentials so that when installed, the Keystone service
+    is fully usable right away (users/projects etc can be managed).
+
+deprecations:
+  - |
+    Passing 'config_*' variables defining credentials for 'bifrost'
+    cloud to 'bifrost-keystone-client-config' role is deprecated.
+    Instead a single compound variable named 'clouds' defining sets of
+    settings to be written to 'clouds.yaml' should be passed to that role.