From 44d3ebe54661df0fcea30969f495f9780ee7c671 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Tue, 1 Nov 2016 13:43:17 -0600
Subject: Create heat user in keystone profile
Rather than use the heat::keystone::domain class which also includes the configuration options, we should just create the user for heat in keystone independently of the configuration.
Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
Related-Bug: #1638350
Closes-Bug: #1638626
---
 manifests/profile/base/heat.pp | 2 +-
 manifests/profile/base/keystone.pp | 51 +++++++++++++++++++++++++++-----------
 2 files changed, 37 insertions(+), 16 deletions(-)
(limited to 'manifests/profile/base')
diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp
index abb9f76..2babf4c 100644
--- a/manifests/profile/base/heat.pp
+++ b/manifests/profile/base/heat.pp
@@ -53,7 +53,7 @@ class tripleo::profile::base::heat (
 ) {
 # Domain resources will be created at step5 on the node running keystone.pp
 # configure heat.conf at step3 and 4 but actually create the domain later.
- if $step == 3 or $step == 4 {
+ if $step >= 3 {
 class { '::heat::keystone::domain':
 manage_domain => false,
 manage_user => false,
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 87fa3c1..e30f712 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
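Review bot: The two comment lines above the changed condition in manifests/profile/base/heat.pp still say heat.conf is configured "at step3 and 4", but the new `if $step >= 3 {` also declares `::heat::keystone::domain` at step 5 and later. I would reword the second comment line to `# configure heat.conf from step 3 onwards; the domain itself is created by the keystone profile.` so a reader does not assume the configuration stops being managed once the Keystone resources exist. The class declaration runs past the end of the hunk, so its remaining parameters are not visible here.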
@@ -74,6 +74,23 @@
 # for more details.
 # Defaults to hiera('step')
 #
+# [*heat_admin_domain*]
+# domain name for heat admin
+# Defaults to hiera('heat::keystone::domain::domain_name', 'heat')
+#
+# [*heat_admin_user*]
+# heat admin user name
+# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin')
+#
+# [*heat_admin_email*]
+# heat admin email address
+# Defaults to hiera('heat::keystone::domain::domain_admin_email',
+# 'heat_admin@localhost')
+#
+# [*heat_admin_password*]
+# heat admin password
+# Defaults to hiera('heat::keystone::domain::domain_password')
+#
 class tripleo::profile::base::keystone (
 $admin_endpoint_network = hiera('keystone_admin_api_network', undef),
 $bootstrap_node = hiera('bootstrap_nodeid', undef),
@@ -85,6 +102,10 @@ class tripleo::profile::base::keystone (
 $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
 $rabbit_port = hiera('keystone::rabbit_port', 5672),
 $step = hiera('step'),
+ $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'),
+ $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'),
+ $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'),
+ $heat_admin_password = hiera('heat::keystone::domain::domain_password'),
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $sync_db = true
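Review bot: `$heat_admin_password` in the class parameter list is looked up with `hiera('heat::keystone::domain::domain_password')` and no fallback, while the other three new parameters all carry one. The password is only consumed where Heat is enabled, so a Keystone node whose hieradata lacks that key may fail catalog compilation on a value it never uses; whether the key is always present in this project's hieradata is not visible from the diff. Consider `$heat_admin_password = hiera('heat::keystone::domain::domain_password', undef),` together with an explicit `fail()` in the Heat-enabled branch when it is unset, so the user can never be created with an empty password. The `[*heat_admin_password*]` entry in the preceding doc hunk should also say that the value is a secret with no default.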
@@ -153,22 +174,22 @@ class tripleo::profile::base::keystone (
 if $step >= 5 and $manage_domain {
 if hiera('heat_engine_enabled', false) {
- # if Heat and Keystone are collocated, so we want to
- # both configure heat.conf and create Keystone resources.
- # note: domain_password is given via Hiera.
- if defined(Class['::tripleo::profile::base::heat']) {
- include ::heat::keystone::domain
- } else {
- # if Heat and Keystone are not collocated, we want Puppet
- # to only create Keystone resources on the Keystone node
- # but not try to configure Heat, to avoid leaking the password.
- class { '::heat::keystone::domain':
- domain_name => $::os_service_default,
- domain_admin => $::os_service_default,
- domain_password => $::os_service_default,
- }
+ # create these seperate and don't use ::heat::keystone::domain since
+ # that class writes out the configs
+ keystone_domain { $heat_admin_domain:
+ ensure => 'present',
+ enabled => true
+ }
+ keystone_user { "${heat_admin_user}::${heat_admin_domain}":
+ ensure => 'present',
+ enabled => true,
+ email => $heat_admin_email,
+ password => $heat_admin_password
+ }
+ keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
+ roles => ['admin'],
+ require => Class['::keystone::roles::admin']
 }
- Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
 }
 }
-- cgit 1.2.3-korg
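Review bot: Only `keystone_user_role` carries `require => Class['::keystone::roles::admin']`, whereas the removed `Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']` ordered the domain and user creation after that class as well. If `keystone_domain` and `keystone_user` still depend on it (not visible from this hunk; the types may autorequire what they need), add `Class['::keystone::roles::admin'] -> Keystone_domain[$heat_admin_domain]` next to the resources so the heat admin account is never attempted before the admin role exists. The new comment also has a typo; `# create these separately and don't use ::heat::keystone::domain since` reads better. The enclosing class body begins outside the hunk.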