From 70400b4e712dcebb82b7cbdf4d1d727584eb2263 Mon Sep 17 00:00:00 2001
From: Michael Davies <michael@the-davies.net>
Date: Tue, 19 Jan 2016 08:24:25 +0000
Subject: [PATCH] Adding keystone registration and spliting roles

---
 defaults/main.yml              | 25 +++++++++
 tasks/ironic_service_add.yml   | 99 ++++++++++++++++++++++++++++++++++
 tasks/ironic_service_setup.yml | 30 +++++++++++
 tasks/ironic_upstart_init.yml  |  7 +--
 tasks/main.yml                 | 16 +++++-
 5 files changed, 171 insertions(+), 6 deletions(-)
 create mode 100644 tasks/ironic_service_add.yml
 create mode 100644 tasks/ironic_service_setup.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index bfaa4389..de4eecb6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,6 +45,31 @@ ironic_service_names:
     - "{{ ironic_api_program_name }}"
     - "{{ ironic_conductor_program_name }}"
 
+ironic_service_name: ironic
+ironic_service_type: baremetal
+ironic_service_proto: http
+ironic_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(ironic_service_proto) }}"
+ironic_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(ironic_service_proto) }}"
+ironic_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(ironic_service_proto) }}"
+ironic_service_port: 8774
+ironic_service_description: "Ironic Baremetal Service"
+ironic_service_publicuri: "{{ ironic_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ ironic_service_port }}"
+ironic_service_publicurl: "{{ ironic_service_publicuri }}/v2.1/%(tenant_id)s"
+ironic_service_adminuri: "{{ ironic_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_service_port }}"
+ironic_service_adminurl: "{{ ironic_service_adminuri }}/v2.1/%(tenant_id)s"
+ironic_service_internaluri: "{{ ironic_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_service_port }}"
+ironic_service_internalurl: "{{ ironic_service_internaluri }}/v2.1/%(tenant_id)s"
+ironic_program_name: ironic-api
+ironic_service_region: RegionOne
+ironic_service_project_name: "service"
+ironic_service_project_domain_id: default
+ironic_service_user_domain_id: default
+ironic_service_user_name: "ironic"
+ironic_service_role_name: "admin"
+
+ironic_service_in_ldap: False
+
+
 # Is this Ironic installation working standalone?
 ironic_standalone: False
 
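Review bot: `ironic_service_port: 8774` together with the `/v2.1/%(tenant_id)s` suffix on `ironic_service_publicurl`, `ironic_service_adminurl` and `ironic_service_internalurl` is the Nova API port and Nova's endpoint path template, not Ironic's; the Ironic API listens on 6385 and registers a versioned root with no tenant substitution, so the keystone endpoints built from these defaults would point at the wrong service. Presumably these lines were copied from the nova role; `ironic_service_port: 6385` and `ironic_service_publicurl: "{{ ironic_service_publicuri }}/v1"` (likewise for the admin and internal URLs) match the Ironic API. `ironic_service_proto: http` also makes plaintext the default for all three endpoints unless the deployment sets `openstack_service_publicuri_proto` and friends, which deserves a comment on that line such as `# overridden per-interface by openstack_service_*uri_proto; set those to https in production`. Finally, `ironic_service_in_ldap: False` should use the canonical `false` like the other booleans Ansible consumes.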
diff --git a/tasks/ironic_service_add.yml b/tasks/ironic_service_add.yml
new file mode 100644
index 00000000..855302f2
--- /dev/null
+++ b/tasks/ironic_service_add.yml
@@ -0,0 +1,99 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Create a service
+- name: Ensure ironic service
+  keystone:
+    command: "ensure_service"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    service_name: "{{ service_name }}"
+    service_type: "{{ service_type }}"
+    description: "{{ service_description }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 2
+  tags:
+    - ironic-api-setup
+    - ironic-service-add
+    - ironic-setup
+
+# Create an admin user
+- name: Ensure ironic user
+  keystone:
+    command: "ensure_user"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    user_name: "{{ service_user_name }}"
+    tenant_name: "{{ service_tenant_name }}"
+    password: "{{ service_password }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  when: not ironic_service_in_ldap | bool
+  until: add_service|success
+  retries: 5
+  delay: 10
+  tags:
+    - ironic-api-setup
+    - ironic-service-add
+    - ironic-setup
+
+# Add a role to the user
+- name: Ensure ironic user to admin role
+  keystone:
+    command: "ensure_user_role"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    user_name: "{{ service_user_name }}"
+    tenant_name: "{{ service_tenant_name }}"
+    role_name: "{{ role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  when: not ironic_service_in_ldap | bool
+  until: add_service|success
+  retries: 5
+  delay: 10
+  tags:
+    - ironic-api-setup
+    - ironic-service-add
+    - ironic-setup
+
+# Create an endpoint
+- name: Ensure ironic endpoint
+  keystone:
+    command: "ensure_endpoint"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    region_name: "{{ service_region }}"
+    service_name: "{{ service_name }}"
+    service_type: "{{ service_type }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+    endpoint_list:
+      - url: "{{ service_publicurl }}"
+        interface: "public"
+      - url: "{{ service_internalurl }}"
+        interface: "internal"
+      - url: "{{ service_adminurl }}"
+        interface: "admin"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+  tags:
+    - ironic-api-setup
+    - ironic-service-add
+    - ironic-setup
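Review bot: The "Ensure ironic user" task passes `password: "{{ service_password }}"` as a module argument but sets no `no_log`, so the service password is included in the failure result (the `until`/`retries` wrapper still reports the final failed attempt with its module args) and in `-v` output, unless the keystone module marks that argument `no_log` in its argument spec, which is not visible here. Adding `no_log: true` to that task keeps it out of the logs; `token: "{{ keystone_auth_admin_token }}"` is passed to all four tasks, so the same line on each also keeps the admin token out. Because `no_log` hides the module's error message as well, a short comment such as `# no_log: module args carry the keystone admin token and the service password` records the trade-off for the next maintainer.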
diff --git a/tasks/ironic_service_setup.yml b/tasks/ironic_service_setup.yml
new file mode 100644
index 00000000..fe7930f4
--- /dev/null
+++ b/tasks/ironic_service_setup.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: ironic_service_add.yml
+  vars:
+    service_user_name: "{{ ironic_service_user_name }}"
+    service_tenant_name: "{{ ironic_service_project_name }}"
+    service_name: "{{ ironic_service_name }}"
+    service_type: "{{ ironic_service_type }}"
+    service_region: "{{ ironic_service_region }}"
+    service_description: "{{ ironic_service_description }}"
+    service_password: "{{ ironic_service_password }}"
+    service_publicurl: "{{ ironic_service_publicurl }}"
+    service_internalurl: "{{ ironic_service_internalurl }}"
+    service_adminurl: "{{ ironic_service_adminurl }}"
+    role_name: "{{ ironic_service_role_name }}"
+  tags:
+    - ironic-api
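Review bot: `service_password: "{{ ironic_service_password }}"` consumes a variable that the defaults/main.yml hunk in this commit does not define, so the include fails with an undefined-variable error unless the deployment supplies it, presumably from a secrets file as the sibling OpenStack roles do. Not defaulting a password is the right call, but it should be stated rather than implicit: a comment above the `vars:` block such as `# ironic_service_password is intentionally not defaulted; provide it from the deployment's secrets` (or an equivalent note in defaults/main.yml) documents that. The defaults also add `ironic_service_project_domain_id` and `ironic_service_user_domain_id`, but as far as this commit shows neither is passed through here nor used in ironic_service_add.yml, so they are currently dead variables.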
diff --git a/tasks/ironic_upstart_init.yml b/tasks/ironic_upstart_init.yml
index db7f4647..5eb56ff7 100644
--- a/tasks/ironic_upstart_init.yml
+++ b/tasks/ironic_upstart_init.yml
@@ -20,8 +20,7 @@
     system_user: "{{ ironic_system_user_name }}"
     system_group: "{{ ironic_system_group_name }}"
     service_home: "{{ ironic_system_home_folder }}"
-# TODO(mrda): define groups
-#  when: inventory_hostname in groups['tbd']
+  when: inventory_hostname in groups['ironic_api']
 
 - include: ironic_upstart_common_init.yml
   vars:
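Review bot: `when: inventory_hostname in groups['ironic_api']` raises an undefined-attribute error when the inventory has no `ironic_api` group at all, rather than simply skipping the include; the same applies to `groups['ironic_conductor']` in the second hunk of this file and to the `groups[...][0]` conditions in tasks/main.yml, where indexing an empty group fails too. If these groups are always produced by the dynamic inventory this is harmless, but the defensive form is cheap: `when: inventory_hostname in (groups['ironic_api'] | default([]))`. The include task this condition belongs to starts above the hunk.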
@@ -30,6 +29,4 @@
     system_user: "{{ ironic_system_user_name }}"
     system_group: "{{ ironic_system_group_name }}"
     service_home: "{{ ironic_system_home_folder }}"
-# TODO(mrda): define groups
-#  when: inventory_hostname in groups['tbd']
-
+  when: inventory_hostname in groups['ironic_conductor']
diff --git a/tasks/main.yml b/tasks/main.yml
index e14ca294..1ad263a3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,12 +14,26 @@
 # limitations under the License.
 
   - include: ironic_pre_install.yml
-#  - include: ironic_get_source.yml
   - include: ironic_install.yml
+
   - include: ironic_conductor_install.yml
+    when: >
+      inventory_hostname == groups['ironic_conductor'][0]
+
   - include: python_ironicclient_install.yml
+
   - include: ironic_post_install.yml
+
   - include: ironic_conductor_post_install.yml
+    when: >
+      inventory_hostname == groups['ironic_conductor'][0]
+
   - include: ironic_db_setup.yml
+    when: >
+      inventory_hostname == groups['ironic_conductor'][0]
+
   - include: ironic_upstart_init.yml
 
+  - include: ironic_service_setup.yml
+    when: >
+      inventory_hostname == groups['ironic_api'][0]
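Review bot: `ironic_conductor_install.yml` is now gated on `inventory_hostname == groups['ironic_conductor'][0]`, while the conductor upstart unit in tasks/ironic_upstart_init.yml is applied to every host in `groups['ironic_conductor']`; if that include installs the conductor itself (its name suggests so, but its body is outside this diff), the second and later conductor hosts end up with a service definition and nothing installed. Running on the first host only is the right pattern for one-shot work such as `ironic_db_setup.yml` and `ironic_service_setup.yml`, so if the install gate is deliberate a comment stating why, e.g. `# conductor install runs on a single host on purpose: <reason>`, would stop the next reader from "fixing" it; otherwise the condition should be `inventory_hostname in groups['ironic_conductor']`.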