b5b48d9863
With the heat::deps implementation, we should ensure that the users are created in before the heat::service::end anchor rather than the service itself. This can lead to issues when we move the service to httpd and it is colocated with keystone. Additionally the authtoken class needs to include the ::heat::deps class. Change-Id: I0c2b5e0e3671d37fb0450cd25dd6287bebda4dcb
159 lines
4.9 KiB
Puppet
159 lines
4.9 KiB
Puppet
# == Class: heat::keystone::auth
|
|
#
|
|
# Configures heat user, service and endpoint in Keystone.
|
|
#
|
|
# === Parameters
|
|
# [*password*]
|
|
# (Required) Password for heat user.
|
|
#
|
|
# [*email*]
|
|
# (Optional) Email for heat user.
|
|
# Defaults to 'heat@localhost'.
|
|
#
|
|
# [*auth_name*]
|
|
# (Optional) Username for heat service.
|
|
# Defaults to 'heat'.
|
|
#
|
|
# [*configure_endpoint*]
|
|
# (Optional) Should heat endpoint be configured?
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*configure_service*]
|
|
# (Optional) Should heat service be configured?
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*configure_user*]
|
|
# (Optional) Whether to create the service user.
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*configure_user_role*]
|
|
# (Optional) Whether to configure the admin role for the service user.
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*service_name*]
|
|
# (Optional) Name of the service.
|
|
# Defaults to 'heat'.
|
|
#
|
|
# [*service_type*]
|
|
# (Optional) Type of service.
|
|
# Defaults to 'orchestration'.
|
|
#
|
|
# [*service_description*]
|
|
# (Optional) Description for keystone service.
|
|
# Defaults to 'Openstack Orchestration Service'.
|
|
#
|
|
# [*region*]
|
|
# (Optional) Region for endpoint.
|
|
# Defaults to 'RegionOne'.
|
|
#
|
|
# [*tenant*]
|
|
# (Optional) Tenant for heat user.
|
|
# Defaults to 'services'.
|
|
#
|
|
# [*trusts_delegated_roles*]
|
|
# (optional) Array of trustor roles to be delegated to heat.
|
|
# Defaults to ['heat_stack_owner']
|
|
#
|
|
# [*configure_delegated_roles*]
|
|
# (optional) Whether to configure the delegated roles.
|
|
# Defaults to false until the deprecated parameters in heat::engine
|
|
# are removed after Kilo.
|
|
#
|
|
# [*public_url*]
|
|
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s')
|
|
# This url should *not* contain any trailing '/'.
|
|
#
|
|
# [*admin_url*]
|
|
# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s')
|
|
# This url should *not* contain any trailing '/'.
|
|
#
|
|
# [*internal_url*]
|
|
# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s')
|
|
# This url should *not* contain any trailing '/'.
|
|
#
|
|
# [*heat_stack_user_role*]
|
|
# (optional) Keystone role for heat template-defined users.
|
|
# In this context this will create the role for the heat_stack_user.
|
|
# It will not set the value in the config file, if you want to do
|
|
# that you must set heat::engine::heat_stack_user_role. Generally
|
|
# these should be set to the same value.
|
|
# Defaults to 'heat_stack_user'
|
|
|
|
# [*manage_heat_stack_user_role*]
|
|
# (optional) If true, this will manage the Keystone role for
|
|
# $heat_stack_user_role.
|
|
# Defaults to true
|
|
#
|
|
#
|
|
# === Examples
|
|
#
|
|
# class { 'heat::keystone::auth':
|
|
# public_url => 'https://10.0.0.10:8004/v1/%(tenant_id)s',
|
|
# internal_url => 'https://10.0.0.11:8004/v1/%(tenant_id)s',
|
|
# admin_url => 'https://10.0.0.11:8004/v1/%(tenant_id)s',
|
|
# }
|
|
#
|
|
class heat::keystone::auth (
|
|
$password = false,
|
|
$email = 'heat@localhost',
|
|
$auth_name = 'heat',
|
|
$service_name = 'heat',
|
|
$service_type = 'orchestration',
|
|
$service_description = 'Openstack Orchestration Service',
|
|
$region = 'RegionOne',
|
|
$tenant = 'services',
|
|
$configure_endpoint = true,
|
|
$configure_service = true,
|
|
$configure_user = true,
|
|
$configure_user_role = true,
|
|
$trusts_delegated_roles = ['heat_stack_owner'],
|
|
$configure_delegated_roles = false,
|
|
$public_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
|
|
$admin_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
|
|
$internal_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
|
|
$heat_stack_user_role = 'heat_stack_user',
|
|
$manage_heat_stack_user_role = true,
|
|
) {
|
|
|
|
include ::heat::deps
|
|
|
|
validate_string($password)
|
|
|
|
keystone::resource::service_identity { 'heat':
|
|
configure_user => $configure_user,
|
|
configure_user_role => $configure_user_role,
|
|
configure_endpoint => $configure_endpoint,
|
|
configure_service => $configure_service,
|
|
service_type => $service_type,
|
|
service_description => $service_description,
|
|
service_name => $service_name,
|
|
region => $region,
|
|
auth_name => $auth_name,
|
|
password => $password,
|
|
email => $email,
|
|
tenant => $tenant,
|
|
public_url => $public_url,
|
|
admin_url => $admin_url,
|
|
internal_url => $internal_url,
|
|
}
|
|
|
|
if $configure_user_role {
|
|
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['heat::service::end']
|
|
}
|
|
|
|
if $manage_heat_stack_user_role {
|
|
keystone_role { $heat_stack_user_role:
|
|
ensure => present,
|
|
}
|
|
}
|
|
|
|
if $configure_delegated_roles {
|
|
# if this is a keystone only node, we configure the role here
|
|
# but let engine.pp set the config file. A keystone only node
|
|
# will not have a heat.conf file.
|
|
keystone_role { $trusts_delegated_roles:
|
|
ensure => present,
|
|
}
|
|
}
|
|
}
|