From b60e8f79a26564b567f7620727428da50d7815b5 Mon Sep 17 00:00:00 2001
From: Yanis Guenane
Date: Fri, 2 Oct 2015 12:18:08 +0200
Subject: Create keystone roles and admin user from t-h-t manifests
Currently keystone initialization happens via os-cloud-config [1]. This commit moves some of that directly into the manifests. This is the first in a series of two changes to migrate it entirely into t-h-t. This change focus on implementing what keystone.initialize() was doing on the tripleoclient [2], creates the admin tenant, user and roles. It also creates the keystone endpoint itself.
1. https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L128-L158
2. https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/overcloud_deploy.py#L462-L527
Change-Id: I98555b707ff9b91c6e218de5dca68106ea05c8ea
Depends-On: Ia4b3244f114dcff746ab89d355ad4933f8fdbddf
---
puppet/controller.yaml | 33 ++++++++++++++++++++--
puppet/hieradata/controller.yaml | 2 ++
puppet/manifests/overcloud_controller.pp | 2 ++
puppet/manifests/overcloud_controller_pacemaker.pp | 21 +++++++++++++++++++-
4 files changed, 55 insertions(+), 3 deletions(-)
(limited to 'puppet')
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 98c7ba00..4504428d 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -4,6 +4,11 @@ description: >
OpenStack controller node configured by Puppet.
parameters:
+ AdminEmail:
+ default: 'admin@example.com'
+ description: The email for the keystone admin account.
+ type: string
+ hidden: true
AdminPassword:
default: unset
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
@@ -277,6 +282,10 @@ parameters:
type: string
constraints:
- allowed_values: [ 'basic', 'cadf' ]
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
MysqlClusterUniquePart:
description: A unique identifier of the MySQL cluster the controller is in.
type: string
@@ -461,7 +470,7 @@ parameters:
Specifies the interface where the public-facing virtual ip will be assigned. This should be int_public when a VLAN is being used.
type: string
- PublicVirtualIP: # DEPRECATED: use per service settings instead
+ PublicVirtualIP:
type: string
default: '' # Has to be here because of the ignored empty value bug
RabbitCookie:
@@ -721,6 +730,7 @@ resources:
heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
horizon_allowed_hosts: {get_param: HorizonAllowedHosts}
horizon_secret: {get_param: HorizonSecret}
+ admin_email: {get_param: AdminEmail}
admin_password: {get_param: AdminPassword}
admin_token: {get_param: AdminToken}
neutron_public_interface_ip: {get_param: NeutronPublicInterfaceIP}
@@ -797,13 +807,25 @@ resources:
- ''
- - 'http://'
- {get_param: KeystoneAdminApiVirtualIP}
- - ':35357/'
+ - ':35357'
keystone_auth_uri:
list_join:
- ''
- - 'http://'
- {get_param: KeystonePublicApiVirtualIP}
- ':5000/v2.0/'
+ keystone_public_url:
+ list_join:
+ - ''
+ - - 'http://'
+ - {get_param: PublicVirtualIP}
+ - ':5000'
+ keystone_internal_url:
+ list_join:
+ - ''
+ - - 'http://'
+ - {get_param: KeystonePublicApiVirtualIP}
+ - ':5000'
keystone_ec2_uri:
list_join:
- ''
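Review bot: Dropping the trailing slash from `keystone_identity_uri` (`- ':35357/'` → `+ - ':35357'`) changes a software-config input that existing hiera mappings already consume, not only the new `keystone::endpoint::admin_url` added further down in this file, so every existing consumer of that input should be checked for a trailing-slash assumption before this lands. Two further points on the new URLs: `keystone_public_url` is built from `PublicVirtualIP`, whose default is `''` (hunk @@ -461 above), so a deployment in which the parent template does not supply it would register `http://:5000` as the public endpoint instead of failing early, and all three endpoint URLs hard-code `http://`, so the catalog will advertise a plaintext public endpoint even where TLS is terminated in front of the VIP. Making the scheme a parameter, or at least extending the `PublicVirtualIP` description to say it is now required for the keystone endpoint, would make both constraints explicit. The `list_join` for `keystone_identity_uri` begins before this hunk.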
@@ -978,6 +1000,7 @@ resources:
heat_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]}
keystone_public_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
keystone_admin_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
+ keystone_region: {get_param: KeystoneRegion}
mongo_db_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MongoDbNetwork]}]}
neutron_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
neutron_local_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NeutronTenantNetwork]}]}
@@ -1155,6 +1178,12 @@ resources:
keystone::rabbit_port: {get_input: rabbit_client_port}
keystone::notification_driver: {get_input: keystone_notification_driver}
keystone::notification_format: {get_input: keystone_notification_format}
+ keystone::roles::admin::email: {get_input: admin_email}
+ keystone::roles::admin::password: {get_input: admin_password}
+ keystone::endpoint::public_url: {get_input: keystone_public_url}
+ keystone::endpoint::internal_url: {get_input: keystone_internal_url}
+ keystone::endpoint::admin_url: {get_input: keystone_identity_uri}
+ keystone::endpoint::region: {get_input: keystone_region}
# MongoDB
mongodb::server::bind_ip: {get_input: mongo_db_network}
mongodb::server::nojournal: {get_input: mongodb_no_journal}
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index bc135260..81ee7cfb 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -42,6 +42,8 @@ heat::keystone_tenant: 'service'
# keystone
keystone::cron::token_flush::maxdelay: 3600
+keystone::roles::admin::service_tenant: 'service'
+keystone::roles::admin::admin_tenant: 'admin'
#swift
swift::proxy::pipeline:
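Review bot: `keystone::roles::admin::password: {get_input: admin_password}` turns `AdminPassword` into the credential of the admin account the manifest now creates, and that parameter's default in this same file is the unquoted string `unset` (parameters hunk at @@ -4), so a deployment that omits the parameter would presumably create the keystone admin user with the password `unset` rather than failing. The client most likely passes a generated value today, but the template should not depend on that once it is the thing creating the account; dropping the default so Heat rejects a missing value, or adding a constraint that refuses the placeholder, is a one-line fix in the parameters section. The `admin_url` mapping reusing `keystone_identity_uri` (admin API VIP on 35357) looks consistent with the other two URLs. The `config` block containing these hiera keys starts before this hunk.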
diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index 777af228..813309e4 100644
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -159,6 +159,8 @@ if hiera('step') >= 2 {
if hiera('step') >= 3 {
include ::keystone
+ include ::keystone::roles::admin
+ include ::keystone::endpoint
#TODO: need a cleanup-keystone-tokens.sh solution here
keystone_config {
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 38ee9c39..71811563 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -919,7 +919,11 @@ if hiera('step') >= 4 {
# Keystone
pacemaker::resource::service { $::keystone::params::service_name :
- clone_params => "interleave=true",
+ clone_params => "interleave=true",
+ verify_on_create => true,
+ require => [File['/etc/keystone/ssl/certs/ca.pem'],
+ File['/etc/keystone/ssl/private/signing_key.pem'],
+ File['/etc/keystone/ssl/certs/signing_cert.pem']],
}
pacemaker::constraint::base { 'haproxy-then-keystone-constraint':
@@ -1544,5 +1548,20 @@ if hiera('step') >= 4 {
} #END STEP 4
+if hiera('step') >= 5 {
+
+ if $pacemaker_master {
+
+ class {'::keystone::roles::admin' :
+ require => Pacemaker::Resource::Service[$::keystone::params::service_name],
+ } ->
+ class {'::keystone::endpoint' :
+ require => Pacemaker::Resource::Service[$::keystone::params::service_name],
+ }
+
+ }
+
+} #END STEP 5
+
$package_manifest_name = join(['/var/lib/tripleo/installed-packages/overcloud_controller_pacemaker', hiera('step')])
package_manifest{$package_manifest_name: ensure => present}
-- cgit 1.2.3-korg
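Review bot: `include ::keystone::roles::admin` and `include ::keystone::endpoint` are added at step 3 right after `include ::keystone` with no ordering against the keystone service, whereas the pacemaker manifest in this same commit defers both classes to step 5 and `require`s the service resource. Unless puppet-keystone's own resource types already order themselves after the service (worth confirming against the module version the Depends-On pins), the first run on a non-HA controller can try to create the admin tenant, user and endpoint before keystone is listening and only succeed on a later run. Mirroring the HA path with an explicit ordering, e.g. `class { '::keystone::roles::admin': require => Class['::keystone'] }`, removes the ambiguity; the `if hiera('step') >= 3` block continues past this hunk.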
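Review bot: The new `require` on `pacemaker::resource::service` references `File['/etc/keystone/ssl/certs/ca.pem']`, `File['/etc/keystone/ssl/private/signing_key.pem']` and `File['/etc/keystone/ssl/certs/signing_cert.pem']`, none of which is declared anywhere in this diff, so the catalog compiles only if puppet-keystone declares those three file resources on this node (they appear to be the PKI token-signing material the module manages, but that is inferred, not visible here). If a deployment turns that setup off or the module changes the paths, every controller fails catalog compilation with a missing-dependency error, which is hard to trace back to this line. A one-line comment above the `require`, such as `# signing material is declared by ::keystone; the clone must not start before it exists`, would name the dependency for the next maintainer. The `if hiera('step') >= 4` block enclosing this resource starts before the hunk.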