Create heat user in keystone profile
Rather than use the heat::keystone::domain class which also includes the configuration options, we should just create the user for heat in keystone independently of the configuration. Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe Related-Bug: #1638350 Closes-Bug: #1638626
parent
91f764b597
commit
44d3ebe546
manifests/profile/base
@ -53,7 +53,7 @@ class tripleo::profile::base::heat (
|
||||
) {
|
||||
# Domain resources will be created at step5 on the node running keystone.pp
|
||||
# configure heat.conf at step3 and 4 but actually create the domain later.
|
||||
if $step == 3 or $step == 4 {
|
||||
if $step >= 3 {
|
||||
class { '::heat::keystone::domain':
|
||||
manage_domain => false,
|
||||
manage_user => false,
|
||||
|
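Review bot: The comment above the condition still says heat.conf is configured "at step3 and 4", but the condition shown as `if $step >= 3` also matches step 5 and later, so the comment no longer describes the code. This assumes `>= 3` is the new side, since the page lost its +/- markers. I would reword it to `# configure heat.conf from step 3 onwards; the heat domain and user are created at step 5 by the keystone profile`. The class body continues outside the hunk, so whether anything else in it depended on the block being skipped at step 5 cannot be checked from here.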
@ -74,6 +74,23 @@
|
||||
# for more details.
|
||||
# Defaults to hiera('step')
|
||||
#
|
||||
# [*heat_admin_domain*]
|
||||
# domain name for heat admin
|
||||
# Defaults to hiera('heat::keystone::domain::domain_name', 'heat')
|
||||
#
|
||||
# [*heat_admin_user*]
|
||||
# heat admin user name
|
||||
# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin')
|
||||
#
|
||||
# [*heat_admin_email*]
|
||||
# heat admin email address
|
||||
# Defaults to hiera('heat::keystone::domain::domain_admin_email',
|
||||
# 'heat_admin@localhost')
|
||||
#
|
||||
# [*heat_admin_password*]
|
||||
# heat admin password
|
||||
# Defaults to hiera('heat::keystone::domain::domain_password')
|
||||
#
|
||||
class tripleo::profile::base::keystone (
|
||||
$admin_endpoint_network = hiera('keystone_admin_api_network', undef),
|
||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||
@ -85,6 +102,10 @@ class tripleo::profile::base::keystone (
|
||||
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
|
||||
$rabbit_port = hiera('keystone::rabbit_port', 5672),
|
||||
$step = hiera('step'),
|
||||
$heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'),
|
||||
$heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'),
|
||||
$heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'),
|
||||
$heat_admin_password = hiera('heat::keystone::domain::domain_password'),
|
||||
) {
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
$sync_db = true
|
||||
@ -153,22 +174,22 @@ class tripleo::profile::base::keystone (
|
||||
|
||||
if $step >= 5 and $manage_domain {
|
||||
if hiera('heat_engine_enabled', false) {
|
||||
# if Heat and Keystone are collocated, so we want to
|
||||
# both configure heat.conf and create Keystone resources.
|
||||
# note: domain_password is given via Hiera.
|
||||
if defined(Class['::tripleo::profile::base::heat']) {
|
||||
include ::heat::keystone::domain
|
||||
} else {
|
||||
# if Heat and Keystone are not collocated, we want Puppet
|
||||
# to only create Keystone resources on the Keystone node
|
||||
# but not try to configure Heat, to avoid leaking the password.
|
||||
class { '::heat::keystone::domain':
|
||||
domain_name => $::os_service_default,
|
||||
domain_admin => $::os_service_default,
|
||||
domain_password => $::os_service_default,
|
||||
}
|
||||
# create these seperate and don't use ::heat::keystone::domain since
|
||||
# that class writes out the configs
|
||||
keystone_domain { $heat_admin_domain:
|
||||
ensure => 'present',
|
||||
enabled => true
|
||||
}
|
||||
keystone_user { "${heat_admin_user}::${heat_admin_domain}":
|
||||
ensure => 'present',
|
||||
enabled => true,
|
||||
email => $heat_admin_email,
|
||||
password => $heat_admin_password
|
||||
}
|
||||
keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
|
||||
roles => ['admin'],
|
||||
require => Class['::keystone::roles::admin']
|
||||
}
|
||||
Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
|
||||
}
|
||||
}
|
||||
|
||||
|
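Review bot: `$heat_admin_password = hiera('heat::keystone::domain::domain_password')` has no default, unlike the three heat parameters beside it. The lookup runs whenever the class is evaluated, so it will presumably fail catalog compilation on a keystone node whose hieradata lacks that key, even when `heat_engine_enabled` is false and the password is never used. I would default it with `hiera('heat::keystone::domain::domain_password', undef)` and add `if ! $heat_admin_password { fail('heat_admin_password must be set when heat_engine_enabled is true') }` inside the `heat_engine_enabled` branch, so that the `keystone_user` is never declared without a password. The parameter doc block should then state that the value is a secret supplied through hiera and is only required when heat is enabled. The word `seperate` in the new comment should read `separate`.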