From 6aaf34366e42709efb7ed3cf059edea5e7480f84 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Fri, 20 Sep 2024 11:52:46 -0500
Subject: [PATCH] chore: migrate nodes to live in baremetal project

Move the project that our servers live in and get controlled in do a new domain called 'infra' with a project called 'baremetal'
---
 components/keystone/aio-values.yaml | 26 +++++++++----------
 components/nova/aio-values.yaml | 5 ++++
 .../openstack/svc-acct-argoworkflow.yaml | 3 +--
 .../secrets/openstack-svc-acct.yaml | 6 ++---
 4 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/components/keystone/aio-values.yaml b/components/keystone/aio-values.yaml
index 3a57e744f..94b131d29 100644
--- a/components/keystone/aio-values.yaml
+++ b/components/keystone/aio-values.yaml
@@ -10,17 +10,17 @@ bootstrap:
 --user="${OS_USERNAME}" \
 --domain="${OS_DEFAULT_DOMAIN}" \
 "admin"
- # create 'argoworkflow' user
- # credentials for ironic-nautobot-sync and other argo workflows
- openstack project create undercloud --or-show
- openstack user create --project undercloud --password demo argoworkflow --or-show
- openstack role add --user argoworkflow --project undercloud member
- openstack role add --user argoworkflow --project undercloud admin
- # allow ironic user to see servers in undercloud project
- openstack role add --project undercloud --user ironic --user-domain service member
+ # create 'infra' domain
+ openstack domain create --or-show infra
+ # create 'baremetal' project for our ironic nodes to live in
+ openstack project create --or-show --domain infra baremetal
+ # create 'argoworkflow' user for automation
+ openstack user create --or-show --domain infra --password demo argoworkflow
+ # give 'argoworkflow' 'admin' over the 'baremetal' project
+ openstack role add --user-domain infra --project-domain infra --user argoworkflow --project baremetal admin
+
+ # this is too early because ironic won't exist
 openstack role add --project service --user ironic --user-domain service service
- # add 'demo' user to have 'member' role, needed for horizon dashboard use
- openstack role add --user demo --project undercloud member
 # OIDC integration
 RULES_FILE=$(mktemp)
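Review bot: The `argoworkflow` account is still created with the literal password `demo` (`openstack user create --or-show --domain infra --password demo argoworkflow`), and the following line grants it `admin` on `baremetal`, so a credential that is readable in the repository now administers the project holding the Ironic nodes. The same literal appears as `password: demo` in components/openstack/svc-acct-argoworkflow.yaml in this patch. Since the user is being recreated in a new domain anyway, consider taking the password from an injected variable, e.g. `--password "${ARGOWORKFLOW_PASSWORD}"` (placeholder name), or add a comment stating that these values are for all-in-one test deployments only. Depending on the Keystone policy in use, `admin` on one project may be honoured beyond that project, so a narrower role is worth considering if the workflows do not need it. The bootstrap script starts and ends outside this hunk.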
@@ -82,14 +82,14 @@ bootstrap:
 openstack role add --group ${group} --domain default member
 done
 openstack role add --group ucadmin --domain default admin
- openstack role add --group ucadmin --project undercloud admin
+ openstack role add --group ucadmin --domain infra admin
 # TODO: only create this actually requested
 # create 'demo' user with sufficient permissions
 openstack user create --or-show --password demo --email 'demo@example.com' demo
 openstack user set --email 'demo@example.com' demo
- # add 'demo' user to 'ucadmin' group
- openstack group add user ucadmin demo
+ # add 'demo' user to 'ucuser' group
+ openstack group add user ucuser demo
 network:
 # configure OpenStack Helm to use Undercloud's ingress
diff --git a/components/nova/aio-values.yaml b/components/nova/aio-values.yaml
index 871bc6a6d..b41829b7c 100644
--- a/components/nova/aio-values.yaml
+++ b/components/nova/aio-values.yaml
@@ -39,6 +39,11 @@ conf:
 # config_drive to pass data. To avoid users having to remember this, just
 # force it on always.
 force_config_drive: true
+ nova_ironic:
+ ironic:
+ # this is where we populate our hardware
+ project_domain_name: infra
+ project_name: baremetal
 console:
diff --git a/components/openstack/svc-acct-argoworkflow.yaml b/components/openstack/svc-acct-argoworkflow.yaml
index a2e8975cd..545342f8d 100644
--- a/components/openstack/svc-acct-argoworkflow.yaml
+++ b/components/openstack/svc-acct-argoworkflow.yaml
@@ -7,8 +7,7 @@ spec:
 # this provider needs to go away for a generated account
 # but it currently must be in sync with the keystone bootstrap
 # script
- # this should be the 'service' domain in the future
- user_domain: default
+ user_domain: infra
 username: argoworkflow
 password: demo
 ---
diff --git a/workflows/argo-events/secrets/openstack-svc-acct.yaml b/workflows/argo-events/secrets/openstack-svc-acct.yaml
index 4e9503a10..0be63799c 100644
--- a/workflows/argo-events/secrets/openstack-svc-acct.yaml
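Review bot: `openstack role add --group ucadmin --domain infra admin` replaces a project-level grant with a domain-level one, and a domain role assignment does not apply to the projects inside that domain unless it is made inheritable. If `ucadmin` members are meant to keep administering the nodes that now live in `baremetal`, add `--inherited` to this line or a second grant such as `openstack role add --group ucadmin --project-domain infra --project baremetal admin`. The same hunk moves `demo` into `ucuser`; the loop that creates the groups is only partly visible here, so confirm `ucuser` is among them. The surrounding script continues outside the hunk.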
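Review bot: Nothing visible in this patch gives the account that nova uses for its ironic client a role on `infra`/`baremetal`, which the new `project_domain_name: infra` and `project_name: baremetal` presumably make the token scope. The keystone bootstrap in this same patch drops `openstack role add --project undercloud --user ironic --user-domain service member` and adds no equivalent for `baremetal`, so if that credential is the `ironic` service user, authentication against the new scope would likely be refused. Consider adding `openstack role add --user ironic --user-domain service --project-domain infra --project baremetal member` wherever the ironic user is created, and extend the comment here to say that both names must match the keystone bootstrap.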
+++ b/workflows/argo-events/secrets/openstack-svc-acct.yaml
@@ -19,10 +19,8 @@ spec:
 user_domain_name: {{ .user_domain }}
 username: {{ .username }}
 password: {{ .password }}
- # this should switch to where we will be creating the ironic nodes
- # in the future
- project_domain_name: default
- project_name: undercloud
+ project_domain_name: infra
+ project_name: baremetal
 dataFrom:
 - extract:
 key: svc-acct-argoworkflow
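Review bot: `project_domain_name: infra` and `project_name: baremetal` are written as literals, while the three lines above them are filled from the extracted secret (`{{ .user_domain }}`, `{{ .username }}`, `{{ .password }}`). The project scope is therefore duplicated here, in components/nova/aio-values.yaml and in the keystone bootstrap, and the old explanatory comment is removed with nothing left to mark the coupling. Either template these two values from the same secret (which would need matching keys added to it) or add a comment such as `# must match the domain/project created by the keystone bootstrap`.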