Diffstat (limited to 'manifests/profile/base/keystone.pp')
-rw-r--r--manifests/profile/base/keystone.pp54
1 files changed, 39 insertions, 15 deletions
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 8a70110..e30f712 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -74,6 +74,23 @@
# for more details.
# Defaults to hiera('step')
#
+# [*heat_admin_domain*]
+# domain name for heat admin
+# Defaults to hiera('heat::keystone::domain::domain_name', 'heat')
+#
+# [*heat_admin_user*]
+# heat admin user name
+# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin')
+#
+# [*heat_admin_email*]
+# heat admin email address
+# Defaults to hiera('heat::keystone::domain::domain_admin_email',
+# 'heat_admin@localhost')
+#
+# [*heat_admin_password*]
+# heat admin password
+# Defaults to hiera('heat::keystone::domain::domain_password')
+#
class tripleo::profile::base::keystone (
$admin_endpoint_network = hiera('keystone_admin_api_network', undef),
$bootstrap_node = hiera('bootstrap_nodeid', undef),
@@ -85,6 +102,10 @@ class tripleo::profile::base::keystone (
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
$rabbit_port = hiera('keystone::rabbit_port', 5672),
$step = hiera('step'),
+ $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'),
+ $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'),
+ $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'),
+ $heat_admin_password = hiera('heat::keystone::domain::domain_password'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
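Review bot: `$heat_admin_password` is looked up with `hiera('heat::keystone::domain::domain_password')` and no default, so the lookup runs whenever this class is declared, not only when the `heat_engine_enabled` branch is taken. If hiera() fails on a missing key, as it normally does when no default is given, nodes that use this profile without Heat data would fail catalog compilation. Consider `$heat_admin_password = hiera('heat::keystone::domain::domain_password', undef),` with an explicit `fail()` inside the Heat branch when the value is unset, so an empty password never reaches `keystone_user`. The parameter doc added in the first hunk should then state that the value is required only when Heat is enabled. The class body continues outside this hunk.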
@@ -153,22 +174,22 @@ class tripleo::profile::base::keystone (
if $step >= 5 and $manage_domain {
if hiera('heat_engine_enabled', false) {
- # if Heat and Keystone are collocated, so we want to
- # both configure heat.conf and create Keystone resources.
- # note: domain_password is given via Hiera.
- if defined(Class['::tripleo::profile::base::heat']) {
- include ::heat::keystone::domain
- } else {
- # if Heat and Keystone are not collocated, we want Puppet
- # to only create Keystone resources on the Keystone node
- # but not try to configure Heat, to avoid leaking the password.
- class { '::heat::keystone::domain':
- domain_name => $::os_service_default,
- domain_admin => $::os_service_default,
- domain_password => $::os_service_default,
- }
+ # create these seperate and don't use ::heat::keystone::domain since
+ # that class writes out the configs
+ keystone_domain { $heat_admin_domain:
+ ensure => 'present',
+ enabled => true
+ }
+ keystone_user { "${heat_admin_user}::${heat_admin_domain}":
+ ensure => 'present',
+ enabled => true,
+ email => $heat_admin_email,
+ password => $heat_admin_password
+ }
+ keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
+ roles => ['admin'],
+ require => Class['::keystone::roles::admin']
}
- Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
}
}
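Review bot: The new comment above `keystone_domain` drops the security rationale that the removed comments carried ("to avoid leaking the password") and misspells "separate". A later maintainer who reads only "that class writes out the configs" could reasonably switch back to `include ::heat::keystone::domain`. I would word it as `# Create the Heat domain, user and role directly rather than via ::heat::keystone::domain:` / `# that class also writes heat.conf, which would put the domain admin password on` / `# Keystone nodes that do not run Heat.` The enclosing `if $step >= 5 and $manage_domain` block starts inside the hunk, but the class body extends beyond it.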
@@ -176,6 +197,9 @@ class tripleo::profile::base::keystone (
if hiera('aodh_api_enabled', false) {
include ::aodh::keystone::auth
}
+ if hiera('barbican_api_enabled', false) {
+ include ::barbican::keystone::auth
+ }
if hiera('ceilometer_api_enabled', false) {
include ::ceilometer::keystone::auth
}