From 9ca75667940a203cd0536cb64c9966f4f951c95b Mon Sep 17 00:00:00 2001 From: Steven Hardy Date: Thu, 13 Oct 2016 18:56:35 +0100 Subject: Move heat domain/user creation into keystone profile This needs to happen on the node running keystone, or things break when you try to deploy e.g the heat_engine service on a non Controller role. We check the enabled flag for heat engine so this only happens if the heat_engine service is running on some (any) role. Partial-Bug: #1631130 Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3 --- manifests/profile/base/heat.pp | 16 +--------------- manifests/profile/base/keystone.pp | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 15 deletions(-) diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index 027ab7e..2035a4f 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -46,7 +46,7 @@ class tripleo::profile::base::heat ( $step = hiera('step'), $rabbit_hosts = hiera('rabbitmq_node_ips', undef), ) { - # Domain resources will be created at step5 on the bootstrap_node so we + # Domain resources will be created at step5 on the node running keystone.pp # configure heat.conf at step3 and 4 but actually create the domain later. if $step == 3 or $step == 4 { class { '::heat::keystone::domain': @@ -69,20 +69,6 @@ class tripleo::profile::base::heat ( if $manage_db_purge { include ::heat::cron::purge_deleted } - if $bootstrap_node == $::hostname { - # Class ::heat::keystone::domain has to run on bootstrap node - # because it creates DB entities via API calls. - include ::heat::keystone::domain - - Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain'] - } else { - # On non-bootstrap node we don't need to create Keystone resources again - class { '::heat::keystone::domain': - manage_domain => false, - manage_user => false, - manage_role => false, - } - } } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index d515f8f..846296e 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -45,10 +45,12 @@ class tripleo::profile::base::keystone ( $sync_db = true $manage_roles = true $manage_endpoint = true + $manage_domain = true } else { $sync_db = false $manage_roles = false $manage_endpoint = false + $manage_domain = false } if $step >= 4 or ( $step >= 3 and $sync_db ) { @@ -76,6 +78,27 @@ class tripleo::profile::base::keystone ( include ::keystone::cron::token_flush } + if $step >= 5 and $manage_domain { + if hiera('heat_engine_enabled', false) { + # if Heat and Keystone are collocated, so we want to + # both configure heat.conf and create Keystone resources. + # note: domain_password is given via Hiera. + if defined(Class['::tripleo::profile::base::heat']) { + include ::heat::keystone::domain + } else { + # if Heat and Keystone are not collocated, we want Puppet + # to only create Keystone resources on the Keystone node + # but not try to configure Heat, to avoid leaking the password. + class { '::heat::keystone::domain': + domain_name => $::os_service_default, + domain_admin => $::os_service_default, + domain_password => $::os_service_default, + } + } + Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain'] + } + } + if $step >= 5 and $manage_endpoint{ if hiera('aodh_api_enabled', false) { include ::aodh::keystone::auth -- cgit 1.2.3-korg