bc1ff1d7cb
This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
66 lines
3.1 KiB
Puppet
66 lines
3.1 KiB
Puppet
# A full example from a real deployment that allows Keystone to modify
|
|
# everything except users, uses enabled_emulation, and ldaps
|
|
|
|
# Ensure this matches what is in LDAP or keystone will try to recreate
|
|
# the admin user
|
|
class { 'keystone::bootstrap':
|
|
password => 'ChangeMe',
|
|
}
|
|
|
|
# You can test this connection with ldapsearch first to ensure it works.
|
|
# LDAP configurations are *highly* dependent on your setup and this file
|
|
# will need to be tweaked. This sample talks to ldap.example.com, here is
|
|
# an example of ldapsearch that will search users on this box:
|
|
# ldapsearch -v -x -H 'ldap://example.com:389' -D \
|
|
# "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
|
|
# -b cn=users,cn=accounts,dc=example,dc=com
|
|
class { 'keystone:ldap':
|
|
url => 'ldap://ldap.example.com:389',
|
|
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
|
|
password => 'SecretPass',
|
|
suffix => 'dc=example,dc=com',
|
|
query_scope => 'sub',
|
|
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
|
|
user_id_attribute => 'uid',
|
|
user_name_attribute => 'uid',
|
|
user_mail_attribute => 'mail',
|
|
user_enabled_emulation => 'True',
|
|
user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
|
|
group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
|
|
group_objectclass => 'organizationalRole',
|
|
group_id_attribute => 'cn',
|
|
group_name_attribute => 'cn',
|
|
group_member_attribute => 'RoleOccupant',
|
|
group_desc_attribute => 'description',
|
|
project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
|
|
project_objectclass => 'organizationalUnit',
|
|
project_id_attribute => 'ou',
|
|
project_member_attribute => 'member',
|
|
project_name_attribute => 'ou',
|
|
project_desc_attribute => 'description',
|
|
project_allow_create => 'True',
|
|
project_allow_update => 'True',
|
|
project_allow_delete => 'True',
|
|
project_enabled_emulation => 'True',
|
|
project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
|
|
role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
|
|
role_objectclass => 'organizationalRole',
|
|
role_id_attribute => 'cn',
|
|
role_name_attribute => 'cn',
|
|
role_member_attribute => 'roleOccupant',
|
|
role_allow_create => 'True',
|
|
role_allow_update => 'True',
|
|
role_allow_delete => 'True',
|
|
identity_driver => 'ldap',
|
|
chase_referrals => 'False',
|
|
use_tls => 'True',
|
|
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
|
|
tls_req_cert => 'demand',
|
|
use_pool => 'True',
|
|
use_auth_pool => 'True',
|
|
pool_size => 5,
|
|
auth_pool_size => 5,
|
|
pool_retry_max => 3,
|
|
pool_connection_timeout => 120,
|
|
}
|