feat(ansible): create playbook and roles for keystone bootstrapping

The current keystone bootstrap is a bash script which makes it hard to
ensure that everything has been setup. By making it Ansible we can
ensure that things are consistent. Unfortunately the openstack's role
module does not support cross-domain or inherited like the CLI does so
this hacks around it with ansible.builtin.command that then needs some
hoops to avoid lint errors.

Author: cardoe

ansible/playbooks/keystone_bootstrap.yaml

@@ -0,0 +1,20 @@
+---
+# Copyright (c) 2025 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Keystone Bootstrap
+  hosts: localhost
+
+  roles:
+    - role: keystone_bootstrap

ansible/requirements.txt

@@ -3,3 +3,5 @@ ansible-runner==2.4.0
 openstacksdk==4.3.0
 pynautobot==2.6.1
 jmespath==1.0.1
+# remove me after the inherited roles workaround can be dropped
+python-openstackclient

ansible/roles/keystone_bootstrap/defaults/main.yml

@@ -0,0 +1,21 @@
+---
+keystone_bootstrap_dex_url: "{{ 'https://dex.' + lookup('ansible.builtin.env', 'DNS_ZONE', default='localnet') }}"
+
+keystone_bootstrap_groups:
+  - name: ucadmin
+    desc: 'Users Federated with Admin'
+    roles:
+      - member
+      - admin
+  - name: ucuser
+    desc: 'Regular Federated Users'
+    roles:
+      - member
+  - name: ucneteng
+    desc: 'Federated Network Engineers'
+    roles:
+      - member
+  - name: ucdctech
+    desc: 'Federated DC Technicians'
+    roles:
+      - member

ansible/roles/keystone_bootstrap/tasks/baremetal.yml

@@ -0,0 +1,27 @@
+---
+# Copyright (c) 2025 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create 'infra' domain
+  openstack.cloud.identity_domain:
+    name: infra
+    description: 'System Infra'
+    state: present
+
+- name: Create 'baremetal' project in 'infra' domain
+  openstack.cloud.project:
+    name: baremetal
+    domain: infra
+    description: 'Ironic Resources'
+    state: present

ansible/roles/keystone_bootstrap/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Admin needs admin role for default domain
+  openstack.cloud.role_assignment:
+    user: "{{ lookup('ansible.builtin.env', 'OS_USERNAME', default=Undefined) }}"
+    domain: "{{ lookup('ansible.builtin.env', 'OS_DEFAULT_DOMAIN', default=Undefined) }}"
+    role: admin
+    state: present
+
+- name: Define baremetal
+  ansible.builtin.include_tasks: baremetal.yml
+
+- name: Define SSO
+  ansible.builtin.include_tasks: sso.yml
+
+- name: Define misc keystone
+  ansible.builtin.include_tasks: misc.yml

ansible/roles/keystone_bootstrap/tasks/misc.yml

@@ -0,0 +1,63 @@
+---
+# Copyright (c) 2025 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create 'argoworkflow' user
+  openstack.cloud.identity_user:
+    name: argoworkflow
+    password: demo
+    domain: infra
+    state: present
+
+- name: Set 'argoworkflow' role
+  openstack.cloud.role_assignment:
+    domain: infra
+    user: argoworkflow
+    project: baremetal
+    role: admin
+    state: present
+
+- name: Create 'monitoring' user
+  openstack.cloud.identity_user:
+    name: monitoring
+    password: monitoring_demo
+    domain: infra
+    state: present
+
+- name: Set 'monitoring' role
+  openstack.cloud.role_assignment:
+    domain: infra
+    user: monitoring
+    project: baremetal
+    role: admin
+    state: present
+
+- name: Create 'flavorsync' user
+  openstack.cloud.identity_user:
+    name: flavorsync
+    password: abcd1234
+    domain: service
+    state: present
+
+- name: Create 'flavorsync' role
+  openstack.cloud.identity_role:
+    name: flavorsync
+    state: present
+
+- name: Set 'flavorsync' role
+  openstack.cloud.role_assignment:
+    user: flavorsync
+    project: baremetal
+    role: flavorsync
+    state: present

ansible/roles/keystone_bootstrap/tasks/sso.yml

@@ -0,0 +1,91 @@
+---
+# Copyright (c) 2025 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create 'sso' domain
+  openstack.cloud.identity_domain:
+    name: sso
+    description: 'SSO to dex'
+    state: present
+  register: _domain_sso
+
+- name: Create 'sso' identity provider
+  openstack.cloud.federation_idp:
+    name: sso
+    domain_id: "{{ _domain_sso.domain.id }}"
+    description: 'Identity Provider to dex'
+    remote_ids:
+      - "{{ keystone_bootstrap_dex_url }}"
+
+- name: Create sso mapping
+  openstack.cloud.federation_mapping:
+    name: sso_mapping
+    rules:
+      - local:
+          - user:
+              id: '{0}'
+              name: '{1}'
+              email: '{2}'
+            groups: '{3}'
+            domain:
+              id: "{{ _domain_sso.domain.id }}"
+        remote:
+          - type: HTTP_OIDC_SUB
+          - type: REMOTE_USER
+          - type: HTTP_OIDC_EMAIL
+          - type: HTTP_OIDC_GROUPS
+
+- name: Create openid protocol
+  openstack.cloud.keystone_federation_protocol:
+    name: openid
+    idp: sso
+    mapping: sso_mapping
+
+- name: Create federated group mappings
+  loop: keystone_bootstrap_groups
+  block:
+    - name: Create group
+      openstack.cloud.identity_group:
+        name: "{{ item.name }}"
+        domain_id: "{{ _domain_sso.domain.id }}"
+        description: "{{ item.desc }}"
+        state: present
+      register: _group
+
+    # role assignment module is lacking inherited and cross domain assignments
+    - name: Assign member access
+      ansible.builtin.command: openstack role add --group "{{ _group.group.id }}" --domain default --inherited member
+      when: dont_set_roles is not defined
+      changed_when: false
+
+- name: Grant admin for groups
+  loop:
+    - ucadmin
+  block:
+    - name: Find group
+      openstack.cloud.identity_group_info:
+        name: "{{ item }}"
+        domain: "{{ _domain_sso.domain.id }}"
+
+    # role assignment module is lacking inherited and cross domain assignments
+    - name: Assign member access
+      ansible.builtin.command: openstack role add --group "{{ _group.group.id }}" --domain default --inherited admin
+      when: dont_set_roles is not defined
+      changed_when: false
+
+    # role assignment module is lacking inherited and cross domain assignments
+    - name: Assign member access
+      ansible.builtin.command: openstack role add --group "{{ _group.group.id }}" --domain infra --inherited admin
+      when: dont_set_roles is not defined
+      changed_when: false

components/images-openstack.yaml

@@ -14,7 +14,7 @@ images:
 
     # keystone
     keystone_api: "ghcr.io/rackerlabs/understack/keystone:2024.2-ubuntu_jammy"
-    keystone_bootstrap: "docker.io/openstackhelm/heat:2024.2-ubuntu_jammy"
+    keystone_bootstrap: "ghcr.io/rackerlabs/understack/ansible:pr-806"
     keystone_credential_rotate: "ghcr.io/rackerlabs/understack/keystone:2024.2-ubuntu_jammy"
     keystone_credential_setup: "ghcr.io/rackerlabs/understack/keystone:2024.2-ubuntu_jammy"
     keystone_db_sync: "ghcr.io/rackerlabs/understack/keystone:2024.2-ubuntu_jammy"

components/keystone/values.yaml

@@ -2,102 +2,15 @@
 ---
 release_group: null
 
+images:
+  tags:
+    bootstrap: "ghcr.io/rackerlabs/understack/ansible:pr-806"
+
 bootstrap:
   enabled: true
   ks_user: admin
   script: |
-    # admin needs the admin role for the default domain
-    openstack role add \
-          --user="${OS_USERNAME}" \
-          --domain="${OS_DEFAULT_DOMAIN}" \
-          "admin"
-    # create 'infra' domain
-    openstack domain create --or-show infra
-    # create 'baremetal' project for our ironic nodes to live in
-    openstack project create --or-show --domain infra baremetal
-    # create 'argoworkflow' user for automation
-    openstack user create --or-show --domain infra --password demo argoworkflow
-    # give 'argoworkflow' 'admin' over the 'baremetal' project
-    openstack role add --user-domain infra --project-domain infra --user argoworkflow --project baremetal admin
-
-    # create 'flavorsync' user to allow synchronization of the flavors to nova
-    openstack user create --or-show --domain service --password abcd1234 flavorsync
-    openstack role create --or-show flavorsync
-    openstack role add --user flavorsync --user-domain service --domain default --inherited  flavorsync
-
-    # create 'monitoring' user for monitoring usage
-    openstack user create --or-show --domain infra --password monitoring_demo monitoring
-    # give 'monitoring' the 'admin' over the 'baremetal' project
-    openstack role add --user-domain infra --project-domain infra --user monitoring --project baremetal admin
-
-    # this is too early because ironic won't exist
-    openstack role add --project service --user ironic --user-domain service service
-
-    # OIDC integration
-    RULES_FILE=$(mktemp)
-    cat <<EOF > ${RULES_FILE}
-    [
-        {
-            "local": [
-                {
-                    "user": {
-                        "id": "{0}",
-                        "name": "{1}",
-                        "email": "{2}"
-                    },
-                    "groups": "{3}",
-                     "domain": {
-                        "name": "sso"
-                    }
-                }
-            ],
-            "remote": [
-                {
-                    "type": "HTTP_OIDC_SUB"
-                },
-                {
-                    "type": "REMOTE_USER"
-                },
-                {
-                    "type": "HTTP_OIDC_EMAIL"
-                },
-                {
-                    "type": "HTTP_OIDC_GROUPS"
-                }
-            ]
-        }
-    ]
-    EOF
-    # look up or create our domain for SSO integration, called 'sso'
-    sso_domain_id=$(openstack domain create --or-show --description "Domain for 'sso' identity provider" -f value -c id sso)
-
-    # define our identity provider 'sso' for the domain 'sso'
-    openstack identity provider show sso 2>/dev/null || openstack identity provider create --domain "${sso_domain_id}" --description "Identity Provider to our dex" --remote-id https://dex.dev.undercloud.rackspace.net sso
-
-    # create or update the mapping that we'll use for the 'sso' identity
-    if openstack mapping show sso_mapping 2>/dev/null; then
-      openstack mapping set --rules ${RULES_FILE} sso_mapping;
-    else
-      openstack mapping create --rules ${RULES_FILE} sso_mapping;
-    fi
-
-    # clean up
-    rm -f "${RULES_FILE}"
-
-    # create the federation protocol 'openid' to use the identity provider 'sso' with the 'sso_mapping'
-    openstack federation protocol show openid --identity-provider sso || openstack federation protocol create openid --mapping sso_mapping --identity-provider sso
-
-    for group in ucadmin ucuser ucneteng ucdctech; do
-      # create groups which map to our groups claim from dex which can be mapped to permissions
-      openstack group create --domain "${sso_domain_id}" ${group} --or-show
-      # give each of the groups the member role on the domain and have them inherit it to each project
-      # in the domain
-      openstack role add --group-domain "${sso_domain_id}" --group ${group} --inherited --domain default member
-    done
-    # ucadmin can manage the standard project domain
-    openstack role add --group-domain "${sso_domain_id}" --group ucadmin --inherited --domain default manager
-    # ucadmin can manage the infra domain
-    openstack role add --group-domain "${sso_domain_id}" --group ucadmin --inherited --domain infra manager
+    ansible-runner run /runner --playboot keystone_bootstrap.yaml
 
 network:
   # configure OpenStack Helm to use Undercloud's ingress
@@ -238,6 +151,18 @@ pod:
           - name: oidc-secret
             secret:
               secretName: sso-passphrase
+    keystone_bootstrap:
+      keystone_bootstrap:
+        volumeMounts:
+          - name: ansible-inventory
+            mountPath: /runner/inventory/
+        volumes:
+          - name: ansible-inventory
+            configMap:
+              name: ansible-inventory
+              items:
+                - key: hosts.yaml
+                  path: hosts.yaml
   replicas:
     api: 2
   lifecycle: