Execute network setup against octavia_service_setup_host

In order to reduce the packages required to pip install on to the hosts,
we use service delegation to octavia_service_setup_host so that instead
of installing software on the target host, and putting credentials on
every target host, we isolate the software and credentials to a single
host.

In this patch we make the network tasks execute using clouds.yaml so that
we do not need to expose the credentials in the task (it will leak the
credentials in vebose mode or on failure). We also set the tasks to execute
on octavia_service_setup_host so that we do not need as much software
installed on the target host.

There are any other tasks in the role which need updating before we can
eliminate the octavia_requires_pip_packages, but for the sake of keeping
the patch smaller and easier to review they will be done in follow up
patches.

Change-Id: I07f0907a3841f81c0f76a25ce89de9f1145c35f9

tasks/main.yml

@@ -60,6 +60,7 @@
     - octavia-install
 
 - include: octavia_mgmt_network.yml
+  run_once: true
   when:
     - octavia_neutron_management_network_uuid is not defined
     - octavia_neutron_management_network_name is defined

tasks/octavia_mgmt_network.yml

@@ -13,70 +13,58 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create mgmt network
-  os_network:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    region_name: "{{ octavia_service_region }}"
-    validate_certs: "{{ keystone_service_adminuri_insecure }}"
-    auth_type: "{{ octavia_keystone_auth_plugin }}"
-    state: present
-    name: "{{ octavia_neutron_management_network_name }}"
-    provider_network_type: "{{ octavia_provider_network_type }}"
-    provider_physical_network: "{{ octavia_provider_network_name }}"
-    provider_segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}"
-  run_once: True
-  when:
-    - octavia_service_net_setup
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Setup the network
+  delegate_to: "{{ octavia_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Create mgmt network
+      os_network:
+        cloud: default
+        state: present
+        region_name: "{{ octavia_service_region }}"
+        name: "{{ octavia_neutron_management_network_name }}"
+        provider_network_type: "{{ octavia_provider_network_type }}"
+        provider_physical_network: "{{ octavia_provider_network_name }}"
+        provider_segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      when:
+        - octavia_service_net_setup | bool
 
-- name: Ensure mgmt subnet exists
-  os_subnet:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    region_name: "{{ octavia_service_region }}"
-    validate_certs: "{{ keystone_service_adminuri_insecure }}"
-    auth_type: "{{ octavia_keystone_auth_plugin }}"
-    state: present
-    network_name: "{{ octavia_neutron_management_network_name }}"
-    name: "{{ octavia_neutron_management_network_name }}-subnet"
-    cidr: "{{ octavia_management_net_subnet_cidr }}"
-    enable_dhcp: "{{ octavia_management_net_dhcp }}"
-    allocation_pool_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}"
-    allocation_pool_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}"
-  run_once: True
-  when:
-    - octavia_service_net_setup
+    - name: Ensure mgmt subnet exists
+      os_subnet:
+        cloud: default
+        state: present
+        region_name: "{{ octavia_service_region }}"
+        network_name: "{{ octavia_neutron_management_network_name }}"
+        name: "{{ octavia_neutron_management_network_name }}-subnet"
+        cidr: "{{ octavia_management_net_subnet_cidr }}"
+        enable_dhcp: "{{ octavia_management_net_dhcp }}"
+        allocation_pool_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}"
+        allocation_pool_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      when:
+        - octavia_service_net_setup | bool
 
-- name: Get neutron network
-  os_networks_facts:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    region_name: "{{ octavia_service_region }}"
-    validate_certs: "{{ keystone_service_adminuri_insecure }}"
-    auth_type: "{{ octavia_keystone_auth_plugin }}"
-    name: "{{ octavia_neutron_management_network_name }}"
+    - name: Get neutron network
+      os_networks_facts:
+        cloud: default
+        region_name: "{{ octavia_service_region }}"
+        name: "{{ octavia_neutron_management_network_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
 
-- name: Set provisioning UUID fact
-  set_fact:
-     octavia_neutron_management_network_uuid: "{{ openstack_networks[0].id }}"
-  when:
-    - octavia_neutron_management_network_uuid is not defined
-    - octavia_neutron_management_network_name is defined
+    - name: Set provisioning UUID fact
+      set_fact:
+         octavia_neutron_management_network_uuid: "{{ openstack_networks[0].id }}"
+      when:
+        - octavia_neutron_management_network_uuid is not defined
+        - octavia_neutron_management_network_name is defined