authorSteven Hardy <shardy@redhat.com>2016-10-13 18:56:35 +0100
committerEmilien Macchi <emilien@redhat.com>2016-10-14 09:16:56 -0400
commit9ca75667940a203cd0536cb64c9966f4f951c95b (patch)
treec18a07340e5cfdab4280f5e39efe2c2da075723e
parent700ad3ee5381135c21a4fddcb1d952d1607fefd0 (diff)
Move heat domain/user creation into keystone profile
This needs to happen on the node running keystone, or things break when you try to deploy e.g. the heat_engine service on a non-Controller role. We check the enabled flag for heat engine so this only happens if the heat_engine service is running on some (any) role. Partial-Bug: #1631130 Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
-rw-r--r--manifests/profile/base/heat.pp16
-rw-r--r--manifests/profile/base/keystone.pp23
2 files changed, 24 insertions, 15 deletions
diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp
index 027ab7e..2035a4f 100644
--- a/manifests/profile/base/heat.pp
+++ b/manifests/profile/base/heat.pp
@@ -46,7 +46,7 @@ class tripleo::profile::base::heat (
$step = hiera('step'),
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
) {
- # Domain resources will be created at step5 on the bootstrap_node so we
+ # Domain resources will be created at step5 on the node running keystone.pp
# configure heat.conf at step3 and 4 but actually create the domain later.
if $step == 3 or $step == 4 {
class { '::heat::keystone::domain':
@@ -69,20 +69,6 @@ class tripleo::profile::base::heat (
if $manage_db_purge {
include ::heat::cron::purge_deleted
}
- if $bootstrap_node == $::hostname {
- # Class ::heat::keystone::domain has to run on bootstrap node
- # because it creates DB entities via API calls.
- include ::heat::keystone::domain
-
- Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
- } else {
- # On non-bootstrap node we don't need to create Keystone resources again
- class { '::heat::keystone::domain':
- manage_domain => false,
- manage_user => false,
- manage_role => false,
- }
- }
}
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index d515f8f..846296e 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -45,10 +45,12 @@ class tripleo::profile::base::keystone (
$sync_db = true
$manage_roles = true
$manage_endpoint = true
+ $manage_domain = true
} else {
$sync_db = false
$manage_roles = false
$manage_endpoint = false
+ $manage_domain = false
}
if $step >= 4 or ( $step >= 3 and $sync_db ) {
@@ -76,6 +78,27 @@ class tripleo::profile::base::keystone (
include ::keystone::cron::token_flush
}
+ if $step >= 5 and $manage_domain {
+ if hiera('heat_engine_enabled', false) {
+ # if Heat and Keystone are collocated, so we want to
+ # both configure heat.conf and create Keystone resources.
+ # note: domain_password is given via Hiera.
+ if defined(Class['::tripleo::profile::base::heat']) {
+ include ::heat::keystone::domain
+ } else {
+ # if Heat and Keystone are not collocated, we want Puppet
+ # to only create Keystone resources on the Keystone node
+ # but not try to configure Heat, to avoid leaking the password.
+ class { '::heat::keystone::domain':
+ domain_name => $::os_service_default,
+ domain_admin => $::os_service_default,
+ domain_password => $::os_service_default,
+ }
+ }
+ Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
+ }
+ }
+
if $step >= 5 and $manage_endpoint{
if hiera('aodh_api_enabled', false) {
include ::aodh::keystone::auth
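Review bot: In the non-collocated `else` branch, `domain_name`, `domain_admin` and `domain_password` are all set to `$::os_service_default`, while the comment above says this branch still creates the Keystone resources. If `::heat::keystone::domain` uses those same three parameters for the domain and user it creates (the class is not visible on this page), the Keystone node would create the stack domain admin with the service-default placeholder as its name and password. That would be a predictable credential, and it would not match what heat_engine is configured with on the other role. I would either pass the real Hiera values and confirm the class can skip writing heat.conf, or declare the domain, user and role directly in this branch; at minimum add `# NOTE: confirm ::heat::keystone::domain does not reuse domain_password for the Keystone user` above the class declaration. Separately, `defined(Class['::tripleo::profile::base::heat'])` depends on evaluation order, so a collocated node that evaluates the keystone profile first would also take the `else` branch.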