trigger-readthedocs: Move secret bits into a dict

What I missed when I layed this out was that you setup a secret like

 - secret:
   name: rtd_credentials
   data:
     username: openstackci
     password: foo

what you have in the job variables is a dictionary called
"rtd_credentials".

It makes it much simpler to use the role with the secret if it accepts
this variable, rather than having to extract the username/password etc
out of the secret dictionary into separate variables.

Additionally, turn on no_log for the uri calls, to avoid potentially
logging any credentials.

Change-Id: I514fb1285196aae0b49a98f0efc21326730e4179

roles/trigger-readthedocs/README.rst

@@ -16,20 +16,23 @@ Trigger readthedocs build for a project
    This may come from a secret, however it can not be triggered
    without authentication.
 
-.. zuul:rolevar:: rtd_integration_token
+.. zuul:rolevar:: rtd_credentials
 
-   The webhook integration token.  You'll find this value on the
+   Complex argument which contains the RTD authentication credentials.
-   project's "Integrations" dashboard page in RTD.  This is expected
-   to come from a secret.  This can be used instead of
-   username/password combo.
-
-.. zuul:rolevar:: rtd_username
-
-   The readthedocs username.  If set, this will be used to
-   authenticate in preference to any token set via
-   ``rtd_integration_token``.
-
-.. zuul:rolevar:: rtd_password
-
-   Password for ``rtd_username``.  Must be set if password is set.
    This is expected to come from a secret.
+
+  .. zuul:rolevar:: integration_token
+
+     The webhook integration token.  You'll find this value on the
+     project's "Integrations" dashboard page in RTD.  This can be used
+     instead of username/password combo.
+
+  .. zuul:rolevar:: username
+
+     The readthedocs username.  If set, this will be used to
+     authenticate in preference to any token set via
+     ``rtd_integration_token``.
+
+  .. zuul:rolevar:: password
+
+     Password for ``username``.  Must be set if username is set.

roles/trigger-readthedocs/tasks/main.yaml

@@ -5,28 +5,30 @@
 
 - name: Check for an authentication type
   fail:
-    msg: Must set either rtd_username or rtd_integration_token
+    msg: Must set either rtd_credentials.username or rtd_credentials.integration_token
-  when: (rtd_username is not defined) and (rtd_integration_token is not defined)
+  when: (rtd_credentials.username is not defined) and (rtd_credentials.integration_token is not defined)
 
-- when: rtd_username is defined
+- when: rtd_credentials.username is defined
   block:
     - name: Require password
       fail:
-        msg: rtd_password is required when using rtd_username
+        msg: password is required when using rtd_credentials.username
-      when: rtd_password is not defined
+      when: rtd_credentials.rtd_password is not defined
 
     - name: Trigger readthedocs build webhook via authentication
       uri:
         method: POST
         url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/'
-        user: '{{ rtd_username }}'
+        user: '{{ rtd_credentials.username }}'
-        password: '{{ rtd_password }}'
+        password: '{{ rtd_credentials.password }}'
         # NOTE(ianw): testing it seems the API doesn't respond with
         # 401 so this is required
         force_basic_auth: yes
+      # avoid logging any credentials
+      no_log: true
 
-- when: rtd_integration_token is defined and
+- when: rtd_credentials.integration_token is defined and
-        rtd_username is not defined
+        rtd_credentials.username is not defined
   block:
     - name: Trigger readthedocs build webhook via token
       uri:
@@ -34,5 +36,7 @@
         url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/'
         body_format: form-urlencoded
         body:
-          token: '{{ rtd_integration_token }}'
+          token: '{{ rtd_credentials.integration_token }}'
           follow_redirects: all
+      # avoid logging any credentials
+      no_log: true