From 8ce3d646a6d76f9449509456ad0f1e0964b9fe8d Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Tue, 6 Sep 2016 18:24:28 -0400
Subject: Configure Keystone credentials

Configure Keystone credentials by installing 2 keys with dynamic content
generated by python-tripleoclient.

Note: this is a first iteration of managing Keystone credentials. It has
a few limitations:
- keys are not exported to external storage.
- keys are not rotated automatically.

Change-Id: I45cf8821eadf528dfcdc8d74e6e0484597b0d2c0
---
 puppet/services/keystone.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'puppet')

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 79033047..b321ecbe 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -87,6 +87,12 @@ parameters:
   MonitoringSubscriptionKeystone:
     default: 'overcloud-kestone'
     type: string
+  KeystoneCredential0:
+    type: string
+    description: The first Keystone credential key. Must be a valid key.
+  KeystoneCredential1:
+    type: string
+    description: The second Keystone credential key. Must be a valid key.
 
 resources:
 
@@ -121,6 +127,12 @@ outputs:
             keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
             keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
             keystone::enable_proxy_headers_parsing: true
+            keystone::enable_credential_setup: true
+            keystone::credential_keys:
+              '/etc/keystone/credential-keys/0':
+                content: {get_param: KeystoneCredential0}
+              '/etc/keystone/credential-keys/1':
+                content: {get_param: KeystoneCredential1}
             keystone::debug: {get_param: Debug}
             keystone::db::mysql::password: {get_param: AdminToken}
             keystone::rabbit_userid: {get_param: RabbitUserName}
-- 
cgit 1.2.3-korg