Configure Keystone credentials

Configure Keystone credentials by installing 2 keys with dynamic content
generated by python-tripleoclient.

Note: this is a first iteration of managing Keystone credentials. It has
a few limitations:
- keys are not exported to external storage.
- keys are not rotated automatically.

Change-Id: I45cf8821eadf528dfcdc8d74e6e0484597b0d2c0

1 files changed, 12 insertions, 0 deletions

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 79033047..b321ecbe 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -87,6 +87,12 @@ parameters:
   MonitoringSubscriptionKeystone:
     default: 'overcloud-kestone'
     type: string
+  KeystoneCredential0:
+    type: string
+    description: The first Keystone credential key. Must be a valid key.
+  KeystoneCredential1:
+    type: string
+    description: The second Keystone credential key. Must be a valid key.
 
 resources:
 
@@ -121,6 +127,12 @@ outputs:
             keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
             keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
             keystone::enable_proxy_headers_parsing: true
+            keystone::enable_credential_setup: true
+            keystone::credential_keys:
+              '/etc/keystone/credential-keys/0':
+                content: {get_param: KeystoneCredential0}
+              '/etc/keystone/credential-keys/1':
+                content: {get_param: KeystoneCredential1}
             keystone::debug: {get_param: Debug}
             keystone::db::mysql::password: {get_param: AdminToken}
             keystone::rabbit_userid: {get_param: RabbitUserName}