Merge pull request #328 from rackerlabs/argo-creds

chore: migrate nodes to live in baremetal project

components/keystone/aio-values.yaml

@@ -10,17 +10,17 @@ bootstrap:
           --user="${OS_USERNAME}" \
           --domain="${OS_DEFAULT_DOMAIN}" \
           "admin"
-    # create 'argoworkflow' user
-    # credentials for ironic-nautobot-sync and other argo workflows
-    openstack project create undercloud --or-show
-    openstack user create --project undercloud --password demo argoworkflow --or-show
-    openstack role add --user argoworkflow --project undercloud member
-    openstack role add --user argoworkflow --project undercloud admin
-    # allow ironic user to see servers in undercloud project
-    openstack role add --project undercloud --user ironic --user-domain service  member
+    # create 'infra' domain
+    openstack domain create --or-show infra
+    # create 'baremetal' project for our ironic nodes to live in
+    openstack project create --or-show --domain infra baremetal
+    # create 'argoworkflow' user for automation
+    openstack user create --or-show --domain infra --password demo argoworkflow
+    # give 'argoworkflow' 'admin' over the 'baremetal' project
+    openstack role add --user-domain infra --project-domain infra --user argoworkflow --project baremetal admin
+
+    # this is too early because ironic won't exist
     openstack role add --project service --user ironic --user-domain service service
-    # add 'demo' user to have 'member' role, needed for horizon dashboard use
-    openstack role add --user demo --project undercloud member
 
     # OIDC integration
     RULES_FILE=$(mktemp)
@@ -82,14 +82,14 @@ bootstrap:
       openstack role add --group ${group} --domain default member
     done
     openstack role add --group ucadmin --domain default admin
-    openstack role add --group ucadmin --project undercloud admin
+    openstack role add --group ucadmin --domain infra admin
 
     # TODO: only create this actually requested
     # create 'demo' user with sufficient permissions
     openstack user create --or-show --password demo --email '[email protected]' demo
     openstack user set --email '[email protected]' demo
-    # add 'demo' user to 'ucadmin' group
-    openstack group add user ucadmin demo
+    # add 'demo' user to 'ucuser' group
+    openstack group add user ucuser demo
 
 network:
   # configure OpenStack Helm to use Undercloud's ingress

components/nova/aio-values.yaml

@@ -39,6 +39,11 @@ conf:
     # config_drive to pass data. To avoid users having to remember this, just
     # force it on always.
     force_config_drive: true
+  nova_ironic:
+    ironic:
+      # this is where we populate our hardware
+      project_domain_name: infra
+      project_name: baremetal
 
 
 console:

components/openstack/svc-acct-argoworkflow.yaml

@@ -7,8 +7,7 @@ spec:
     # this provider needs to go away for a generated account
     # but it currently must be in sync with the keystone bootstrap
     # script
-    # this should be the 'service' domain in the future
-    user_domain: default
+    user_domain: infra
     username: argoworkflow
     password: demo
 ---

workflows/argo-events/secrets/openstack-svc-acct.yaml

@@ -19,10 +19,8 @@ spec:
               user_domain_name: {{ .user_domain }}
               username: {{ .username }}
               password: {{ .password }}
-              # this should switch to where we will be creating the ironic nodes
-              # in the future
-              project_domain_name: default
-              project_name: undercloud
+              project_domain_name: infra
+              project_name: baremetal
   dataFrom:
     - extract:
         key: svc-acct-argoworkflow