diff options
| author |   Steven Hardy <shardy@redhat.com> | 2016-10-13 18:56:35 +0100 |
|---|---|---|
| committer |   Emilien Macchi <emilien@redhat.com> | 2016-10-14 09:16:56 -0400 |
| commit | 9ca75667940a203cd0536cb64c9966f4f951c95b (patch) | |
| tree | c18a07340e5cfdab4280f5e39efe2c2da075723e /manifests/profile/base/keystone.pp | |
| parent | 700ad3ee5381135c21a4fddcb1d952d1607fefd0 (diff) | |
Move heat domain/user creation into keystone profile
This needs to happen on the node running keystone, or things break
when you try to deploy e.g the heat_engine service on a non Controller
role. We check the enabled flag for heat engine so this only happens
if the heat_engine service is running on some (any) role.
Partial-Bug: #1631130
Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
Diffstat (limited to 'manifests/profile/base/keystone.pp')
| -rw-r--r-- | manifests/profile/base/keystone.pp | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index d515f8f..846296e 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -45,10 +45,12 @@ class tripleo::profile::base::keystone ( $sync_db = true $manage_roles = true $manage_endpoint = true + $manage_domain = true } else { $sync_db = false $manage_roles = false $manage_endpoint = false + $manage_domain = false } if $step >= 4 or ( $step >= 3 and $sync_db ) { @@ -76,6 +78,27 @@ class tripleo::profile::base::keystone ( include ::keystone::cron::token_flush } + if $step >= 5 and $manage_domain { + if hiera('heat_engine_enabled', false) { + # if Heat and Keystone are collocated, so we want to + # both configure heat.conf and create Keystone resources. + # note: domain_password is given via Hiera. + if defined(Class['::tripleo::profile::base::heat']) { + include ::heat::keystone::domain + } else { + # if Heat and Keystone are not collocated, we want Puppet + # to only create Keystone resources on the Keystone node + # but not try to configure Heat, to avoid leaking the password. + class { '::heat::keystone::domain': + domain_name => $::os_service_default, + domain_admin => $::os_service_default, + domain_password => $::os_service_default, + } + } + Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain'] + } + } + if $step >= 5 and $manage_endpoint{ if hiera('aodh_api_enabled', false) { include ::aodh::keystone::auth |