Generate system scoped public-openrc

It can be useful to run Ironic commands on the public API if access to
the internal API is not possible.

Related-Bug: #2051837
Change-Id: Ice0eb62f2bb26ca6e3ac8d02c6ea787b60408a86

ansible/post-deploy.yml

@@ -50,6 +50,15 @@
         group: "{{ ansible_facts.user_gid }}"
         mode: 0600
 
+    - name: Template out public-openrc-system.sh
+      become: true
+      template:
+        src: "roles/common/templates/public-openrc-system.sh.j2"
+        dest: "{{ node_config }}/public-openrc-system.sh"
+        owner: "{{ ansible_facts.user_uid }}"
+        group: "{{ ansible_facts.user_gid }}"
+        mode: 0600
+
     - import_role:
         name: octavia
         tasks_from: openrc.yml

ansible/roles/common/templates/public-openrc-system.sh.j2

@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+# Clear any old environment that may conflict.
+for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
+export OS_USER_DOMAIN_NAME=Default
+export OS_SYSTEM_SCOPE=all
+export OS_USERNAME={{ keystone_admin_user }}
+export OS_PASSWORD={{ keystone_admin_password }}
+export OS_AUTH_URL={{ keystone_public_url }}
+export OS_IDENTITY_API_VERSION=3
+export OS_REGION_NAME={{ openstack_region_name }}
+export OS_AUTH_PLUGIN=password
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT={{ kolla_admin_openrc_cacert }}
+{% endif %}

releasenotes/notes/public-openrc-system-e52c9f5440b6f594.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Generates a system-scoped ``public-openrc-system.sh`` file. This allows
+    running Ironic commands against the public API, which is useful when access
+    to the internal API is unavailable.
+    `LP#2051837 <https://launchpad.net/bugs/2051837>`__