3 files changed, 42 insertions, 8 deletions
diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml
index 6448387c..92536994 100644
--- a/puppet/services/ceph-rgw.yaml
+++ b/puppet/services/ceph-rgw.yaml
@@ -57,7 +57,11 @@ outputs:
             tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
             tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]}
             tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]}
-            ceph::params::user_radosgw: ceph
+            tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3
+            ceph::profile::params::rgw_keystone_admin_domain: default
+            ceph::profile::params::rgw_keystone_admin_project: service
+            ceph::profile::params::rgw_keystone_admin_user: swift
+            ceph::profile::params::rgw_keystone_admin_password: {get_param: SwiftPassword}
             tripleo.ceph_rgw.firewall_rules:
               '122 ceph rgw':
                 dport: {get_param: [EndpointMap, CephRgwInternal, port]}
@@ -68,7 +72,8 @@ outputs:
           ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
           ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
           ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
-          ceph::rgw::keystone::auth::user: 'swift'
-          ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
           ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
-          ceph::rgw::keystone::auth::tenant: 'service'
+          ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ]
+          ceph::rgw::keystone::auth::tenant: service
+          ceph::rgw::keystone::auth::user: swift
+          ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index b32c8185..eee04ce0 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -91,9 +91,6 @@ outputs:
             cinder::config:
               DEFAULT/swift_catalog_info:
                 value: 'object-store:swift:internalURL'
-            # TODO(emilien) remove the next line when https://review.openstack.org/422915
-            # is merged.
-            cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
             tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
             tripleo.cinder_api.firewall_rules:
               '119 cinder':
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 3ddb1927..09ea5d22 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -45,8 +45,23 @@ parameters:
     default:
       tag: openstack.glance.api
       path: /var/log/glance/api.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
 
 resources:
+
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
   GlanceBase:
     type: ./glance-base.yaml
     properties:
@@ -66,6 +81,7 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [GlanceBase, role_data, config_settings]
+          - get_attr: [TLSProxyBase, role_data, config_settings]
           - glance::api::database_connection:
               list_join:
                 - ''
@@ -100,7 +116,23 @@ outputs:
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+            tripleo::profile::base::glance::api::tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, GlanceApiNetwork]
+            tripleo::profile::base::glance::api::tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+            tripleo::profile::base::glance::api::tls_proxy_port:
+              get_param: [EndpointMap, GlanceInternal, port]
+            # Bind to localhost if internal TLS is enabled, since we put a TLs
+            # proxy in front.
+            glance::api::bind_host:
+              if:
+              - use_tls_proxy
+              - 'localhost'
+              - {get_param: [ServiceNetMap, GlanceApiNetwork]}
       step_config: |
         include ::tripleo::profile::base::glance::api
       service_config_settings: