Add project ID verification to Zenith clients

Author: Matt Pryor

requirements.yml

@@ -35,7 +35,7 @@ collections:
   - name: openstack.cloud
   - name: https://github.com/stackhpc/ansible-collection-terraform
     type: git
-    version: e7243ff5ccb6186ea2fa6e108e5a2b5f408e59c0
+    version: ae1dc46a9d266bcdc6e79a6e290edbb080596f7f
   - name: https://github.com/stackhpc/ansible_collection_slurm_openstack_tools
     type: git
     version: v0.1.0

roles/cluster_infra/templates/outputs.tf.j2

@@ -10,19 +10,28 @@ output "cluster_nodes" {
       {
         name          = openstack_compute_instance_v2.login.name
         ip            = openstack_compute_instance_v2.login.network[0].fixed_ip_v4
-        groups        = ["{{ cluster_name }}_login"]
+        groups        = ["{{ cluster_name }}_login"],
+        facts  = {
+          openstack_project_id = data.openstack_identity_auth_scope_v3.scope.project_id
+        }
       },
       {
         name          = openstack_compute_instance_v2.control.name
         ip            = openstack_compute_instance_v2.control.network[0].fixed_ip_v4
-        groups        = ["{{ cluster_name }}_control"]
+        groups        = ["{{ cluster_name }}_control"],
+        facts  = {
+          openstack_project_id = data.openstack_identity_auth_scope_v3.scope.project_id
+        }
       }
     ],
     [
       for compute in openstack_compute_instance_v2.compute: {
         name          = compute.name
         ip            = compute.network[0].fixed_ip_v4
-        groups        = ["{{ cluster_name }}_compute"]
+        groups        = ["{{ cluster_name }}_compute"],
+        facts  = {
+          openstack_project_id = data.openstack_identity_auth_scope_v3.scope.project_id
+        }
       }
     ]
   )

roles/cluster_infra/templates/resources.tf.j2

@@ -1,3 +1,11 @@
+#####
+##### The identity scope we are operating in
+##### Used to output the OpenStack project ID as a fact for provisioned hosts
+#####
+data "openstack_identity_auth_scope_v3" "scope" {
+  name = "{{ cluster_name }}"
+}
+
 #####
 ##### Security groups for the cluster
 #####

roles/zenith_proxy/tasks/main.yml

@@ -49,6 +49,7 @@
     src: zenith-client.yaml.j2
     dest: /etc/zenith/{{ zenith_proxy_service_name }}/client.yaml
   become: true
+  register: zenith_proxy_client_config_file
 
 - name: Create podman volume to persist SSH key
   containers.podman.podman_volume:
@@ -89,6 +90,7 @@
       {{
         'restarted'
         if (
+            zenith_proxy_client_config_file is changed or
             zenith_proxy_client_systemd_unit is changed or
             zenith_proxy_client_init is changed
         )

slurm-infra.yml

@@ -80,7 +80,8 @@
         zenith_proxy_upstream_host: "{{ ansible_default_ipv4.address }}"
         zenith_proxy_upstream_port: "{{ grafana_port }}"
         zenith_proxy_client_token: "{{ zenith_token_monitoring }}"
-        zenith_proxy_client_auth_params: {}
+        zenith_proxy_client_auth_params:
+          tenancy-id: "{{ openstack_project_id }}"
         zenith_proxy_mitm_enabled: yes
         zenith_proxy_mitm_auth_inject: basic
         zenith_proxy_mitm_auth_basic_username: "{{ grafana_security.admin_user }}"
@@ -98,7 +99,8 @@
         zenith_proxy_upstream_host: "{{ ansible_default_ipv4.address }}"
         zenith_proxy_upstream_port: 443
         zenith_proxy_client_token: "{{ zenith_token_ood }}"
-        zenith_proxy_client_auth_params: {}
+        zenith_proxy_client_auth_params:
+          tenancy-id: "{{ openstack_project_id }}"
         zenith_proxy_mitm_enabled: yes
         zenith_proxy_mitm_auth_inject: basic
         zenith_proxy_mitm_auth_basic_username: azimuth