Diffstat (limited to 'manifests/profile/base/keystone.pp')
-rw-r--r-- | manifests/profile/base/keystone.pp | 65 |
1 files changed, 46 insertions, 19 deletions
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 8a70110..26e7b1f 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -51,6 +51,22 @@
 # creates the certificates.
 # Defaults to hiera('generate_service_certificate', false).
 #
+# [*heat_admin_domain*]
+# domain name for heat admin
+# Defaults to undef
+#
+# [*heat_admin_email*]
+# heat admin email address
+# Defaults to undef
+#
+# [*heat_admin_password*]
+# heat admin password
+# Defaults to undef
+#
+# [*heat_admin_user*]
+# heat admin user name
+# Defaults to undef
+#
 # [*manage_db_purge*]
 # (Optional) Whether keystone token flushing should be enabled
 # Defaults to hiera('keystone_enable_db_purge', true)
@@ -62,8 +78,8 @@
 #
 #
 # [*rabbit_hosts*]
-# list of the rabbbit host IPs
-# Defaults to hiera('rabbitmq_node_ips')
+# list of the rabbbit host fqdns
+# Defaults to hiera('rabbitmq_node_names')
 #
 # [*rabbit_port*]
 # IP port for rabbitmq service
@@ -80,9 +96,13 @@ class tripleo::profile::base::keystone (
 $certificates_specs = hiera('apache_certificates_specs', {}),
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $generate_service_certificates = hiera('generate_service_certificates', false),
+ $heat_admin_domain = undef,
+ $heat_admin_email = undef,
+ $heat_admin_password = undef,
+ $heat_admin_user = undef,
 $manage_db_purge = hiera('keystone_enable_db_purge', true),
 $public_endpoint_network = hiera('keystone_public_api_network', undef),
- $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
+ $rabbit_hosts = hiera('rabbitmq_node_names', undef),
 $rabbit_port = hiera('keystone::rabbit_port', 5672),
 $step = hiera('step'),
 ) {
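Review bot: The new `$heat_admin_password` parameter in the class signature (third hunk) holds a secret but is declared and documented exactly like the other three heat_admin_* parameters, and its doc entry added in the first hunk says only `heat admin password` / `Defaults to undef`, so nothing signals to an operator or a later maintainer that this value needs secret handling. The removed branch further down carried the only explanation of the password-leak concern ("to avoid leaking the password") and it is dropped without a replacement. Suggest expanding the parameter comment to `#   heat admin password. Secret: at step 5 it is passed as the password of the keystone_user created when heat_engine_enabled is true, so it should be supplied from hieradata, not as a literal in a manifest`. All four heat_admin_* parameters default to `undef` yet are consumed without a check in the step-5 branch; that gap is raised on the later hunk.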
@@ -122,10 +142,11 @@ class tripleo::profile::base::keystone (
 }
 if $step >= 4 or ( $step >= 3 and $sync_db ) {
+ $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}")
 class { '::keystone':
 sync_db => $sync_db,
 enable_bootstrap => $sync_db,
- rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}")
+ rabbit_hosts => $rabbit_endpoints,
 }
 include ::keystone::config
@@ -153,22 +174,22 @@ class tripleo::profile::base::keystone (
 if $step >= 5 and $manage_domain {
 if hiera('heat_engine_enabled', false) {
- # if Heat and Keystone are collocated, so we want to
- # both configure heat.conf and create Keystone resources.
- # note: domain_password is given via Hiera.
- if defined(Class['::tripleo::profile::base::heat']) {
- include ::heat::keystone::domain
- } else {
- # if Heat and Keystone are not collocated, we want Puppet
- # to only create Keystone resources on the Keystone node
- # but not try to configure Heat, to avoid leaking the password.
- class { '::heat::keystone::domain':
- domain_name => $::os_service_default,
- domain_admin => $::os_service_default,
- domain_password => $::os_service_default,
- }
+ # create these seperate and don't use ::heat::keystone::domain since
+ # that class writes out the configs
+ keystone_domain { $heat_admin_domain:
+ ensure => 'present',
+ enabled => true
+ }
+ keystone_user { "${heat_admin_user}::${heat_admin_domain}":
+ ensure => 'present',
+ enabled => true,
+ email => $heat_admin_email,
+ password => $heat_admin_password
+ }
+ keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
+ roles => ['admin'],
+ require => Class['::keystone::roles::admin']
 }
- Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
 }
 }
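Review bot: The three resources created under `if hiera('heat_engine_enabled', false)` in the second hunk use `$heat_admin_domain`, `$heat_admin_user` and `$heat_admin_password`, all of which default to `undef` in the class signature, and nothing checks them before use; with the defaults the `keystone_domain` title is empty and the user title collapses to `::`, so a deployment that enables heat_engine without the new hieradata would most likely fail at catalog compilation with an unhelpful title error rather than a clear message. Add a guard at the top of that branch: `if !$heat_admin_domain or !$heat_admin_user or !$heat_admin_password {` / `fail('heat_admin_domain, heat_admin_user and heat_admin_password are required when heat_engine_enabled is true')` / `}`. The user is granted `['admin']` on the heat domain, and the only explicit ordering left is the `require` on `keystone_user_role`; whether `keystone_user` is applied after `keystone_domain` presumably rests on provider autorequires, which is worth confirming. Minor: `seperate` in the new comment should read `separate`. The `if $step >= 5 and $manage_domain` block closes inside the hunk but the enclosing class continues past it.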
@@ -176,6 +197,9 @@ class tripleo::profile::base::keystone (
 if hiera('aodh_api_enabled', false) {
 include ::aodh::keystone::auth
 }
+ if hiera('barbican_api_enabled', false) {
+ include ::barbican::keystone::auth
+ }
 if hiera('ceilometer_api_enabled', false) {
 include ::ceilometer::keystone::auth
 }
@@ -212,6 +236,9 @@ class tripleo::profile::base::keystone (
 if hiera('nova_api_enabled', false) {
 include ::nova::keystone::auth
 }
+ if hiera('panko_api_enabled', false) {
+ include ::panko::keystone::auth
+ }
 if hiera('sahara_api_enabled', false) {
 include ::sahara::keystone::auth
 }