Execute flavor setup against octavia_service_setup_host

In order to reduce the packages required to pip install on to the hosts,
we use service delegation to octavia_service_setup_host so that instead
of installing software on the target host, and putting credentials on
every target host, we isolate the software and credentials to a single
host.

In this patch we make the flavor tasks execute using clouds.yaml so that
we do not need to expose the credentials in the task (it will leak the
credentials in vebose mode or on failure). We also set the tasks to execute
on octavia_service_setup_host so that we do not need as much software
installed on the target host.

There are any other tasks in the role which need updating before we can
eliminate the octavia_requires_pip_packages, but for the sake of keeping
the patch smaller and easier to review they will be done in follow up
patches.

Change-Id: Ic2998b9a8a2bed80c9fe0fa9e033f243d3b0d5ae

tasks/main.yml

@@ -72,6 +72,7 @@
     - octavia-install
 
 - include: octavia_flavor_create.yml
+  run_once: true
   when:
     - octavia_nova_flavor_uuid is not defined
   tags:

tasks/octavia_flavor_create.yml

@@ -13,38 +13,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create Octavia Flavor
-  os_nova_flavor:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    state: present
-    name: "{{ octavia_amp_flavor_name}}"
-    ram: "{{ octavia_amp_ram }}"
-    vcpus: "{{ octavia_amp_vcpu }}"
-    disk: "{{ octavia_amp_disk }}"
-    is_public: False
-  run_once: True
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Setup the octavia flavor
+  delegate_to: "{{ octavia_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Create Octavia Flavor
+      os_nova_flavor:
+        cloud: default
+        state: present
+        name: "{{ octavia_amp_flavor_name}}"
+        ram: "{{ octavia_amp_ram }}"
+        vcpus: "{{ octavia_amp_vcpu }}"
+        disk: "{{ octavia_amp_disk }}"
+        is_public: False
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
 
-- name: Gather Octavia Flavor Id
-  os_flavor_facts:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    name: "{{ octavia_amp_flavor_name}}"
+    - name: Gather Octavia Flavor Id
+      os_flavor_facts:
+        cloud: default
+        name: "{{ octavia_amp_flavor_name}}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
 
-- name: Set Octavia Flavor UUID fact 1
-  set_fact:
-     octavia_nova_flavor_uuid: "{{ openstack_flavors[0].id }}"
-  when:
-    - openstack_flavors | length > 0
+    - name: Set Octavia Flavor UUID fact 1
+      set_fact:
+         octavia_nova_flavor_uuid: "{{ openstack_flavors[0].id }}"
+      when:
+        - openstack_flavors | length > 0