1 files changed, 21 insertions, 2 deletions

diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml
index 7aab6f8d..945033a1 100644
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
   OpenStack Ironic API configured with Puppet
@@ -13,6 +13,14 @@ parameters:
   DefaultPasswords:
     default: {}
     type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
   EndpointMap:
     default: {}
     description: Mapping of service endpoint -> protocol. Typically set
@@ -29,6 +37,12 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  IronicApiPolicies:
+    description: |
+      A hash of policies to configure for Ironic API.
+      e.g. { ironic-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
 
 resources:
   IronicBase:
@@ -37,6 +51,8 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
 
 outputs:
   role_data:
@@ -49,8 +65,10 @@ outputs:
           - get_attr: [IronicBase, role_data, config_settings]
           - ironic::api::authtoken::password: {get_param: IronicPassword}
             ironic::api::authtoken::project_name: 'service'
+            ironic::api::authtoken::user_domain_name: 'Default'
+            ironic::api::authtoken::project_domain_name: 'Default'
             ironic::api::authtoken::username: 'ironic'
-            ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+            ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             # NOTE: bind IP is found in Heat replacing the network name with the
             # local node IP for the given network; replacement examples
@@ -62,6 +80,7 @@ outputs:
             ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
             # This is used to build links in responses
             ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+            ironic::policy::policies: {get_param: IronicApiPolicies}
             tripleo.ironic_api.firewall_rules:
               '133 ironic api':
                 dport: