puppet-heat/manifests/keystone/auth.pp

183 lines
5.6 KiB
Puppet

# == Class: heat::keystone::auth
#
# Configures heat user, service and endpoint in Keystone.
#
# === Parameters
# [*password*]
# (Required) Password for heat user.
#
# [*email*]
# (Optional) Email for heat user.
# Defaults to 'heat@localhost'.
#
# [*auth_name*]
# (Optional) Username for heat service.
# Defaults to 'heat'.
#
# [*configure_endpoint*]
# (Optional) Should heat endpoint be configured?
# Defaults to true.
#
# [*configure_service*]
# (Optional) Should heat service be configured?
# Defaults to true.
#
# [*configure_user*]
# (Optional) Whether to create the service user.
# Defaults to true.
#
# [*configure_user_role*]
# (Optional) Whether to configure the admin role for the service user.
# Defaults to true.
#
# [*service_name*]
# (Optional) Name of the service.
# Defaults to 'heat'.
#
# [*service_type*]
# (Optional) Type of service.
# Defaults to 'orchestration'.
#
# [*service_description*]
# (Optional) Description for keystone service.
# Defaults to 'OpenStack Orchestration Service'.
#
# [*region*]
# (Optional) Region for endpoint.
# Defaults to 'RegionOne'.
#
# [*tenant*]
# (Optional) Tenant for heat user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to heat user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to heat user.
# Defaults to []
#
# [*trusts_delegated_roles*]
# (Optional) Array of trustor roles to be delegated to heat.
# Defaults to ['heat_stack_owner']
#
# [*configure_delegated_roles*]
# (Optional) Whether to configure the delegated roles.
# Defaults to false until the deprecated parameters in heat::engine
# are removed after Kilo.
#
# [*public_url*]
# (Optional) The endpoint's public url.
# This url should *not* contain any trailing '/'.
# Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s'
#
# [*admin_url*]
# (Optional) The endpoint's admin url.
# This url should *not* contain any trailing '/'.
# Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s'
#
# [*internal_url*]
# (Optional) The endpoint's internal url.
# This url should *not* contain any trailing '/'.
# Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s'
#
# [*heat_stack_user_role*]
# (Optional) Keystone role for heat template-defined users.
# In this context this will create the role for the heat_stack_user.
# It will not set the value in the config file, if you want to do
# that you must set heat::engine::heat_stack_user_role. Generally
# these should be set to the same value.
# Defaults to 'heat_stack_user'
# [*manage_heat_stack_user_role*]
# (Optional) If true, this will manage the Keystone role for
# $heat_stack_user_role.
# Defaults to true
#
#
# === Examples
#
# class { 'heat::keystone::auth':
# public_url => 'https://10.0.0.10:8004/v1/%(tenant_id)s',
# internal_url => 'https://10.0.0.11:8004/v1/%(tenant_id)s',
# admin_url => 'https://10.0.0.11:8004/v1/%(tenant_id)s',
# }
#
class heat::keystone::auth (
$password,
$email = 'heat@localhost',
$auth_name = 'heat',
$service_name = 'heat',
$service_type = 'orchestration',
$service_description = 'OpenStack Orchestration Service',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_service = true,
$configure_user = true,
$configure_user_role = true,
$trusts_delegated_roles = ['heat_stack_owner'],
$configure_delegated_roles = false,
$public_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
$admin_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
$internal_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
$heat_stack_user_role = 'heat_stack_user',
$manage_heat_stack_user_role = true,
) {
include heat::deps
validate_legacy(String, 'validate_string', $password)
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['heat::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['heat::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['heat::service::end']
}
keystone::resource::service_identity { 'heat':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
configure_endpoint => $configure_endpoint,
configure_service => $configure_service,
service_type => $service_type,
service_description => $service_description,
service_name => $service_name,
region => $region,
auth_name => $auth_name,
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
if $manage_heat_stack_user_role {
keystone_role { $heat_stack_user_role:
ensure => present,
}
}
if $configure_delegated_roles {
# if this is a keystone only node, we configure the role here
# but let engine.pp set the config file. A keystone only node
# will not have a heat.conf file.
keystone_role { $trusts_delegated_roles:
ensure => present,
}
}
}