From 9ca75667940a203cd0536cb64c9966f4f951c95b Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Thu, 13 Oct 2016 18:56:35 +0100
Subject: Move heat domain/user creation into keystone profile
This needs to happen on the node running keystone, or things break when you try to deploy e.g the heat_engine service on a non Controller role. We check the enabled flag for heat engine so this only happens if the heat_engine service is running on some (any) role.
Partial-Bug: #1631130
Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
---
 manifests/profile/base/keystone.pp | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'manifests/profile/base/keystone.pp')
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index d515f8f..846296e 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -45,10 +45,12 @@ class tripleo::profile::base::keystone (
 $sync_db = true
 $manage_roles = true
 $manage_endpoint = true
+ $manage_domain = true
 } else {
 $sync_db = false
 $manage_roles = false
 $manage_endpoint = false
+ $manage_domain = false
 }
 if $step >= 4 or ( $step >= 3 and $sync_db ) {
@@ -76,6 +78,27 @@ class tripleo::profile::base::keystone (
 include ::keystone::cron::token_flush
 }
+ if $step >= 5 and $manage_domain {
+ if hiera('heat_engine_enabled', false) {
+ # if Heat and Keystone are collocated, so we want to
+ # both configure heat.conf and create Keystone resources.
+ # note: domain_password is given via Hiera.
+ if defined(Class['::tripleo::profile::base::heat']) {
+ include ::heat::keystone::domain
+ } else {
+ # if Heat and Keystone are not collocated, we want Puppet
+ # to only create Keystone resources on the Keystone node
+ # but not try to configure Heat, to avoid leaking the password.
+ class { '::heat::keystone::domain':
+ domain_name => $::os_service_default,
+ domain_admin => $::os_service_default,
+ domain_password => $::os_service_default,
+ }
+ }
+ Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
+ }
+ }
+
 if $step >= 5 and $manage_endpoint{
 if hiera('aodh_api_enabled', false) {
 include ::aodh::keystone::auth
-- cgit 1.2.3-korg
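Review bot: The choice between the two branches rests on `defined(Class['::tripleo::profile::base::heat'])`, and Puppet's `defined()` depends on evaluation order, so on a collocated node where this profile is evaluated before the heat profile the `else` branch would run and declare `::heat::keystone::domain` with `$::os_service_default` for `domain_name`, `domain_admin` and `domain_password`. This hunk does not show how `::heat::keystone::domain` uses those three parameters; if it also creates the Keystone domain and user from them, placeholder values rather than the Hiera-supplied credentials would end up in Keystone, which should be confirmed against that class. At minimum the ordering assumption deserves a comment above the test, e.g. `# NOTE: defined() is evaluation-order dependent; the heat profile must be evaluated before this block on collocated nodes`, and an explicit, order-independent flag would be more robust. The enclosing class starts and ends outside the hunk.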