diff options
-rw-r--r-- | puppet/controller.yaml | 33 | ||||
-rw-r--r-- | puppet/hieradata/controller.yaml | 2 | ||||
-rw-r--r-- | puppet/manifests/overcloud_controller.pp | 2 | ||||
-rw-r--r-- | puppet/manifests/overcloud_controller_pacemaker.pp | 21 |
4 files changed, 55 insertions, 3 deletions
diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 98c7ba00..4504428d 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -4,6 +4,11 @@ description: > OpenStack controller node configured by Puppet. parameters: + AdminEmail: + default: 'admin@example.com' + description: The email for the keystone admin account. + type: string + hidden: true AdminPassword: default: unset description: The password for the keystone admin account, used for monitoring, querying neutron etc. @@ -277,6 +282,10 @@ parameters: type: string constraints: - allowed_values: [ 'basic', 'cadf' ] + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint MysqlClusterUniquePart: description: A unique identifier of the MySQL cluster the controller is in. type: string @@ -461,7 +470,7 @@ parameters: Specifies the interface where the public-facing virtual ip will be assigned. This should be int_public when a VLAN is being used. type: string - PublicVirtualIP: # DEPRECATED: use per service settings instead + PublicVirtualIP: type: string default: '' # Has to be here because of the ignored empty value bug RabbitCookie: @@ -721,6 +730,7 @@ resources: heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey} horizon_allowed_hosts: {get_param: HorizonAllowedHosts} horizon_secret: {get_param: HorizonSecret} + admin_email: {get_param: AdminEmail} admin_password: {get_param: AdminPassword} admin_token: {get_param: AdminToken} neutron_public_interface_ip: {get_param: NeutronPublicInterfaceIP} @@ -797,13 +807,25 @@ resources: - '' - - 'http://' - {get_param: KeystoneAdminApiVirtualIP} - - ':35357/' + - ':35357' keystone_auth_uri: list_join: - '' - - 'http://' - {get_param: KeystonePublicApiVirtualIP} - ':5000/v2.0/' + keystone_public_url: + list_join: + - '' + - - 'http://' + - {get_param: PublicVirtualIP} + - ':5000' + keystone_internal_url: + list_join: + - '' + - - 'http://' + - {get_param: KeystonePublicApiVirtualIP} + - ':5000' keystone_ec2_uri: list_join: - '' @@ -978,6 +1000,7 @@ resources: heat_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]} keystone_public_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]} keystone_admin_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]} + keystone_region: {get_param: KeystoneRegion} mongo_db_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MongoDbNetwork]}]} neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]} neutron_local_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronTenantNetwork]}]} @@ -1155,6 +1178,12 @@ resources: keystone::rabbit_port: {get_input: rabbit_client_port} keystone::notification_driver: {get_input: keystone_notification_driver} keystone::notification_format: {get_input: keystone_notification_format} + keystone::roles::admin::email: {get_input: admin_email} + keystone::roles::admin::password: {get_input: admin_password} + keystone::endpoint::public_url: {get_input: keystone_public_url} + keystone::endpoint::internal_url: {get_input: keystone_internal_url} + keystone::endpoint::admin_url: {get_input: keystone_identity_uri} + keystone::endpoint::region: {get_input: keystone_region} # MongoDB mongodb::server::bind_ip: {get_input: mongo_db_network} mongodb::server::nojournal: {get_input: mongodb_no_journal} diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml index bc135260..81ee7cfb 100644 --- a/puppet/hieradata/controller.yaml +++ b/puppet/hieradata/controller.yaml @@ -42,6 +42,8 @@ heat::keystone_tenant: 'service' # keystone keystone::cron::token_flush::maxdelay: 3600 +keystone::roles::admin::service_tenant: 'service' +keystone::roles::admin::admin_tenant: 'admin' #swift swift::proxy::pipeline: diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp index 777af228..813309e4 100644 --- a/puppet/manifests/overcloud_controller.pp +++ b/puppet/manifests/overcloud_controller.pp @@ -159,6 +159,8 @@ if hiera('step') >= 2 { if hiera('step') >= 3 { include ::keystone + include ::keystone::roles::admin + include ::keystone::endpoint #TODO: need a cleanup-keystone-tokens.sh solution here keystone_config { diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp index 38ee9c39..71811563 100644 --- a/puppet/manifests/overcloud_controller_pacemaker.pp +++ b/puppet/manifests/overcloud_controller_pacemaker.pp @@ -919,7 +919,11 @@ if hiera('step') >= 4 { # Keystone pacemaker::resource::service { $::keystone::params::service_name : - clone_params => "interleave=true", + clone_params => "interleave=true", + verify_on_create => true, + require => [File['/etc/keystone/ssl/certs/ca.pem'], + File['/etc/keystone/ssl/private/signing_key.pem'], + File['/etc/keystone/ssl/certs/signing_cert.pem']], } pacemaker::constraint::base { 'haproxy-then-keystone-constraint': @@ -1544,5 +1548,20 @@ if hiera('step') >= 4 { } #END STEP 4 +if hiera('step') >= 5 { + + if $pacemaker_master { + + class {'::keystone::roles::admin' : + require => Pacemaker::Resource::Service[$::keystone::params::service_name], + } -> + class {'::keystone::endpoint' : + require => Pacemaker::Resource::Service[$::keystone::params::service_name], + } + + } + +} #END STEP 5 + $package_manifest_name = join(['/var/lib/tripleo/installed-packages/overcloud_controller_pacemaker', hiera('step')]) package_manifest{$package_manifest_name: ensure => present} |