Update heat bootstrap scripts

This patch set adds in two roles for heat: heat_stack_owner
and heat_stack_user as outlined in the Newton [0] and Ocata [1],
as well as assigning roles.

[0] https://docs.openstack.org/project-install-guide/orchestration/newton/install-ubuntu.html
[1] https://docs.openstack.org/project-install-guide/orchestration/ocata/install-ubuntu.html

Change-Id: I8510ae114448cc1985c11e9b337b9697a379a920
Signed-off-by: Tin Lam <tin@irrational.io>
Co-Authored-By: Pete Birley <pete@port.direct>

heat/values.yaml

@@ -283,10 +283,17 @@ network:
       port: 30003
 
 bootstrap:
-  enabled: false
+  enabled: true
-  ks_user: heat
+  ks_user: admin
   script: |
-    openstack token issue
+    #NOTE(portdirect): required for all users who operate heat stacks
+    openstack role create --or-show heat_stack_owner
+
+    #NOTE(portdirect): The Orchestration service automatically assigns the
+    # 'heat_stack_user' role to users that it creates during stack deployment.
+    # By default, this role restricts API operations. To avoid conflicts, do
+    # not add this role to users with the heat_stack_owner role.
+    openstack role create --or-show heat_stack_user
 
 dependencies:
   static:
@@ -421,7 +428,9 @@ endpoints:
         user_domain_name: default
         project_domain_name: default
       heat:
-        role: admin
+        role:
+          - admin
+          - heat_stack_owner
         region_name: RegionOne
         username: heat
         password: password

helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl

@@ -68,8 +68,13 @@ spec:
 {{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
-            - name: SERVICE_OS_ROLE
+            - name: SERVICE_OS_ROLES
-              value: {{ index $envAll.Values.endpoints.identity.auth $serviceUser "role" | quote }}
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
       volumes:
         - name: ks-user-sh
           configMap:

helm-toolkit/templates/scripts/_ks-user.sh.tpl

@@ -76,6 +76,10 @@ openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
 openstack user show "${USER_ID}"
 
 function ks_assign_user_role () {
+  # Get user role
+  USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+      "${SERVICE_OS_ROLE}");
+
   # Manage user role assignment
   openstack role add \
       --user="${USER_ID}" \
@@ -92,9 +96,10 @@ function ks_assign_user_role () {
 }
 
 # Manage user service role
-export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+IFS=','
-    "${SERVICE_OS_ROLE}");
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
-ks_assign_user_role
+  ks_assign_user_role
+done
 
 # Manage user member role
 : ${MEMBER_OS_ROLE:="_member_"}

keystone/values.yaml

@@ -56,6 +56,15 @@ bootstrap:
           --project="${OS_PROJECT_NAME}" \
           "_member_"
 
+    #NOTE(portdirect): required for all users who operate heat stacks
+    openstack role create --or-show heat_stack_owner
+    openstack role add \
+          --user="${OS_USERNAME}" \
+          --user-domain="${OS_USER_DOMAIN_NAME}" \
+          --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
+          --project="${OS_PROJECT_NAME}" \
+          "heat_stack_owner"
+
 network:
   api:
     ingress: