puppet-keystone/examples/ldap_backend.pp
Tobias Urdin bc1ff1d7cb Add keystone::bootstrap class
This class combines the keystone-manage bootstrap command
from init, the keystone::endpoint functionality that manages
the keystone endpoints and the keystone::roles::admin class
that manages users and projects.

This is one of the steps to make sure we only have a single
point of entry for bootstrapping (keystone-manage bootstrap)
and then only managing resources after that.

This is especially required since we are getting rid of the
admin token and cannot manage resources before keystone-manage
bootstrap has created the user, project, service and endpoints
for us.

These resources should always be in the default domain and
deployments should manage domain specific configuration themselves
using the provider resources.

This class uses the default values from the keystone-manage
bootstrap command.

In the past puppet-keystone has always created a openstack project
that is assumed as a admin project even though the bootstrap command
creates the admin project. Since this uses the default values from
the bootstrap command we should move away from having an openstack
project, if we need that in testing it should be created there and
not in the default deployment.

Depends-On: https://review.opendev.org/#/c/698528/
Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-12-11 16:37:51 +00:00

116 lines
5.1 KiB
Puppet

class { 'keystone':
debug => true,
database_connection => 'mysql://keystone:keystone@127.0.0.1/keystone',
enabled => true,
# helper for using domains
using_domain_config => true
}
# Ensure this matches what is in LDAP or keystone will try to recreate
# the admin user
class { 'keystone::bootstrap':
password => 'ChangeMe',
}
keystone_domain { 'domain_2': ensure => present }
keystone::ldap_backend { 'Default':
url => 'ldap://ldap.example.com:389',
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
password => 'SecretPass',
suffix => 'dc=example,dc=com',
query_scope => 'sub',
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
user_id_attribute => 'uid',
user_name_attribute => 'uid',
user_mail_attribute => 'mail',
user_enabled_emulation => 'True',
user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
group_objectclass => 'organizationalRole',
group_id_attribute => 'cn',
group_name_attribute => 'cn',
group_member_attribute => 'RoleOccupant',
group_desc_attribute => 'description',
project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
project_objectclass => 'organizationalUnit',
project_id_attribute => 'ou',
project_member_attribute => 'member',
project_name_attribute => 'ou',
project_desc_attribute => 'description',
project_allow_create => 'True',
project_allow_update => 'True',
project_allow_delete => 'True',
project_enabled_emulation => 'True',
project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
role_objectclass => 'organizationalRole',
role_id_attribute => 'cn',
role_name_attribute => 'cn',
role_member_attribute => 'roleOccupant',
role_allow_create => 'True',
role_allow_update => 'True',
role_allow_delete => 'True',
identity_driver => 'ldap',
chase_referrals => 'False',
use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand',
use_pool => 'True',
use_auth_pool => 'True',
pool_size => 5,
auth_pool_size => 5,
pool_retry_max => 3,
pool_connection_timeout => 120,
}
keystone::ldap_backend { 'domain_2':
url => 'ldap://ldap.example_2.com:389',
user => 'uid=bind,cn=users,cn=accounts,dc=example_2,dc=com',
password => 'SecretPass',
suffix => 'dc=example_2,dc=com',
query_scope => 'sub',
user_tree_dn => 'cn=users,cn=accounts,dc=example_2,dc=com',
user_id_attribute => 'uid',
user_name_attribute => 'uid',
user_mail_attribute => 'mail',
user_enabled_emulation => 'True',
user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example_2,dc=com',
group_tree_dn => 'ou=groups,ou=openstack,dc=example_2,dc=com',
group_objectclass => 'organizationalRole',
group_id_attribute => 'cn',
group_name_attribute => 'cn',
group_member_attribute => 'RoleOccupant',
group_desc_attribute => 'description',
project_tree_dn => 'ou=projects,ou=openstack,dc=example_2,dc=com',
project_objectclass => 'organizationalUnit',
project_id_attribute => 'ou',
project_member_attribute => 'member',
project_name_attribute => 'ou',
project_desc_attribute => 'description',
project_allow_create => 'True',
project_allow_update => 'True',
project_allow_delete => 'True',
project_enabled_emulation => 'True',
project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example_2,dc=com',
role_tree_dn => 'ou=roles,ou=openstack,dc=example_2,dc=com',
role_objectclass => 'organizationalRole',
role_id_attribute => 'cn',
role_name_attribute => 'cn',
role_member_attribute => 'roleOccupant',
role_allow_create => 'True',
role_allow_update => 'True',
role_allow_delete => 'True',
identity_driver => 'ldap',
chase_referrals => 'False',
use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand',
use_pool => 'True',
use_auth_pool => 'True',
pool_size => 5,
auth_pool_size => 5,
pool_retry_max => 3,
pool_connection_timeout => 120,
}