bifrost/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml
Julia Kreger ee38716d16 Adding keystone support to inspector config
Additional support to configure keystone with credentials for
inspector and template updates to allow the configuration of
keystone settings related to inspector.

Change-Id: Idef26c86bdc827b8edbc9e0412ec9067a25f52b6
2016-12-02 19:20:51 +00:00


# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# TODO(TheJulia): The user and project domains are hardcoded in this.
# We should likely address that at some point, however I think a user
# should be the driver of that work.
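# Abort before any Keystone call when a credential the later tasks
# dereference is missing. Parent mappings are tested before their children
# so the check does not depend on how attribute access on an undefined
# ironic_inspector or service_catalog is evaluated.
- name: "Error if credentials are undefined."
  fail:
    msg: |
      Credentials are missing or undefined, unable to proceed.
      Please consult the role's defaults/main.yml.
  when: >
    keystone is undefined or keystone.bootstrap is undefined or
    keystone.bootstrap.username is undefined or
    keystone.bootstrap.password is undefined or
    keystone.bootstrap.project_name is undefined or
    ironic_inspector is undefined or
    ironic_inspector.service_catalog is undefined or
    ironic_inspector.service_catalog.auth_url is undefined or
    ironic_inspector.service_catalog.username is undefined or
    ironic_inspector.service_catalog.password is undefined or
    ironic_inspector.keystone is undefined or
    ironic_inspector.keystone.default_username is undefined or
    ironic_inspector.keystone.default_password is undefined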
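# Create the Keystone account that ironic-inspector authenticates with,
# using the bootstrap admin credentials.
# auth_url reads ironic_inspector.service_catalog.auth_url, the variable the
# credential check at the top of this file requires, so this task talks to
# the same Keystone as the other inspector tasks.
# The fallback URL is plain-HTTP loopback; a remote Keystone should be given
# as an https:// URL because the bootstrap password is sent to it.
- name: "Create service user for ironic-inspector"
  os_user:
    name: "{{ ironic_inspector.service_catalog.username }}"
    password: "{{ ironic_inspector.service_catalog.password }}"
    state: present
    domain: "default"
    default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
    auth:
      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: true
  environment:
    OS_IDENTITY_API_VERSION: "3"
  # Both the new account's password and the bootstrap password are module
  # arguments, so keep the task out of Ansible's output and logs.
  no_log: true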
# Grant the inspector service account the admin role on its project
# ('service' unless service_catalog.project_name overrides it).
# NOTE(review): this is the full admin role, so the service account's
# password deserves the same protection as the bootstrap credentials.
- name: "Associate ironic_inspector user to admin role"
  # Bootstrap credentials appear in the module arguments below.
  no_log: true
  environment:
    OS_IDENTITY_API_VERSION: "3"
  os_user_role:
    role: "admin"
    user: "{{ ironic_inspector.service_catalog.username }}"
    project: >-
      {{ ironic_inspector.service_catalog.project_name | default('service') }}
    wait: true
    auth:
      auth_url: >-
        {{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
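# Register ironic-inspector in the Keystone catalog under the
# baremetal-introspection service type.
# auth_url reads ironic_inspector.service_catalog.auth_url, the variable the
# credential check at the top of this file requires.
- name: "Create keystone service record for ironic-inspector"
  os_keystone_service:
    state: present
    name: ironic-inspector
    service_type: baremetal-introspection
    description: OpenStack Baremetal Introspection Service
    auth:
      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: true
  environment:
    OS_IDENTITY_API_VERSION: "3"
  # The bootstrap password is a module argument; keep it out of the logs.
  no_log: true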
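# Register the admin endpoint for ironic-inspector.
# - The service argument is baremetal-introspection, the service_type this
#   file registers for ironic-inspector; "baremetal" would attach the
#   inspector URL to a different service.
# - The bootstrap credentials travel in the environment rather than argv, so
#   the password is not visible in the process list, and no_log keeps the
#   task out of Ansible's output.
# NOTE(review): `endpoint create` is not idempotent; re-running the play
# registers another endpoint with the same URL.
- name: "Create ironic-inspector admin endpoint"
  command: >-
    openstack endpoint create
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection admin
    "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}"
  environment:
    OS_IDENTITY_API_VERSION: "3"
    OS_USERNAME: "{{ keystone.bootstrap.username }}"
    OS_PASSWORD: "{{ keystone.bootstrap.password }}"
    OS_AUTH_URL: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    OS_PROJECT_NAME: "admin"
  no_log: true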
# NOTE(TheJulia): This seems like something that should be limited
# to admin or internal interfaces. Perhaps we should attempt to
# remove it after we have a working keystone integrated CI job.
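- name: "Create ironic-inspector public endpoint"
  # The service argument is baremetal-introspection, the service_type this
  # file registers for ironic-inspector; "baremetal" would attach the
  # inspector URL to a different service.
  # The bootstrap credentials travel in the environment rather than argv, so
  # the password is not visible in the process list, and no_log keeps the
  # task out of Ansible's output.
  # OS_AUTH_URL reads ironic_inspector.service_catalog.auth_url, the variable
  # the credential check at the top of this file requires.
  # NOTE(review): `endpoint create` is not idempotent; re-running the play
  # registers another endpoint with the same URL.
  command: >-
    openstack endpoint create
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection public
    "{{ ironic_inspector.keystone.public_url | default('http://127.0.0.1:5050/') }}"
  environment:
    OS_IDENTITY_API_VERSION: "3"
    OS_USERNAME: "{{ keystone.bootstrap.username }}"
    OS_PASSWORD: "{{ keystone.bootstrap.password }}"
    OS_AUTH_URL: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    OS_PROJECT_NAME: "admin"
  no_log: true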
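# Register the internal endpoint for ironic-inspector.
# - The service argument is baremetal-introspection, the service_type this
#   file registers for ironic-inspector; "baremetal" would attach the
#   inspector URL to a different service.
# - The bootstrap credentials travel in the environment rather than argv, so
#   the password is not visible in the process list.
# - OS_AUTH_URL reads ironic_inspector.service_catalog.auth_url, the variable
#   the credential check at the top of this file requires.
# NOTE(review): `endpoint create` is not idempotent; re-running the play
# registers another endpoint with the same URL.
- name: "Create ironic-inspector internal endpoint"
  command: >-
    openstack endpoint create
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection internal
    "{{ ironic_inspector.keystone.internal_url | default('http://127.0.0.1:5050/') }}"
  environment:
    OS_IDENTITY_API_VERSION: "3"
    OS_USERNAME: "{{ keystone.bootstrap.username }}"
    OS_PASSWORD: "{{ keystone.bootstrap.password }}"
    OS_AUTH_URL: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    OS_PROJECT_NAME: "admin"
  no_log: true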
# Create the default inspector user account in the "default" domain with
# "baremetal" as its default project, authenticating as the bootstrap admin.
- name: "Create inspector_user user"
  # Two passwords (the new user's and the bootstrap admin's) are module
  # arguments here, hence no_log.
  no_log: true
  environment:
    OS_IDENTITY_API_VERSION: "3"
  os_user:
    domain: "default"
    default_project: "baremetal"
    name: "{{ ironic_inspector.keystone.default_username }}"
    password: "{{ ironic_inspector.keystone.default_password }}"
    wait: true
    auth:
      auth_url: >-
        {{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
# Give the default inspector user the baremetal_admin role on the
# "baremetal" project, authenticating as the bootstrap admin.
- name: "Associate inspector_user with baremetal_admin"
  # The bootstrap password is a module argument; keep it out of the logs.
  no_log: true
  environment:
    OS_IDENTITY_API_VERSION: "3"
  os_user_role:
    role: "baremetal_admin"
    project: "baremetal"
    user: "{{ ironic_inspector.keystone.default_username }}"
    wait: true
    auth:
      auth_url: >-
        {{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"