Add a trigger to call ldap_backend define

ldap_backend is a define, so we need a resource to talk to it. If
ldap_backend_enable is set by tripleo-heat-templates, we call the
ldap_backend as a resource.

Given an environment such as the following:

parameter_defaults:
  KeystoneLdapDomainEnable: true
  KeystoneLDAPBackendConfigs:
    tripleoldap:
      url: ldap://192.0.2.250
      user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
      password: Secrete
      suffix: dc=redhat,dc=example,dc=com
      user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
      user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
      user_objectclass: person
      user_id_attribute: cn
      user_allow_create: false
      user_allow_update: false
      user_allow_delete: false
  ControllerExtraConfig:
    nova::keystone::authtoken::auth_version: v3
    cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.

More backends can be added as more entries to that hash.

Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Cyril Lopez 2017-03-30 15:54:32 +02:00 committed by Juan Antonio Osorio Robles
parent 6f19cb59f3
commit b8388e378a
2 changed files with 21 additions and 0 deletions

@ -59,6 +59,15 @@
# heat admin user name
# Defaults to undef
#
# [*ldap_backends_config*]
# Configuration for keystone::ldap_backend. This takes a hash that will
# create each backend specified.
# Defaults to undef
#
# [*ldap_backend_enable*]
# Enables creating per-domain LDAP backends for keystone.
# Default to false
#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
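Review bot: "Default to false" under [*ldap_backend_enable*] should read "Defaults to false" to match the wording of every other parameter in this header; the [*ldap_backends_config*] entry would also benefit from stating that the hash carries the LDAP bind credentials (user and password, as in the commit message's example), so operators know it is expected to arrive via hiera from tripleo-heat-templates rather than being written into manifests directly.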
@ -126,6 +135,8 @@ class tripleo::profile::base::keystone (
$heat_admin_email = undef,
$heat_admin_password = undef,
$heat_admin_user = undef,
$ldap_backends_config = undef,
$ldap_backend_enable = false,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
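Review bot: the two new parameters default to literal `undef` and `false` while the neighbouring parameters read their defaults from hiera (e.g. `hiera('keystone_enable_db_purge', true)`); since the commit message says tripleo-heat-templates sets `ldap_backend_enable`, either use a hiera-backed default in the same style (a key name such as `keystone_ldap_backend_enable` is only illustrative here) or document that the values are passed as class parameters, so the two mechanisms are not mixed without explanation.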
@ -207,6 +218,11 @@ class tripleo::profile::base::keystone (
ssl_key_admin => $tls_keyfile_admin,
}
include ::keystone::cors
if $ldap_backend_enable {
validate_hash($ldap_backends_config)
create_resources('::keystone::ldap_backend', $ldap_backends_config)
}
}
if $step >= 4 and $manage_db_purge {
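Review bot: when `$ldap_backend_enable` is true but `$ldap_backends_config` is left at its `undef` default, `validate_hash($ldap_backends_config)` aborts the catalog with a generic "is not a Hash" error that does not name the missing parameter; guard the block with an explicit check, e.g. `if $ldap_backend_enable { if !is_hash($ldap_backends_config) { fail('ldap_backends_config must be set when ldap_backend_enable is true') } ... }`, so a misconfigured deployment fails with a clear message. The hunk also gives no hint which `$step` branch the new block sits in (indentation is lost in this rendering); a comment stating the intended step would help reviewers confirm that the keystone domain is created after the service is configured.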

@ -0,0 +1,5 @@
---
features:
- Add keystone::ldap_backend call as resource when is trigged to setup a LDAP
backend as keystone domain. This allows per-domain LDAP backends for
keystone.
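Review bot: the release note has grammar errors that will be published as-is: "when is trigged to setup a LDAP backend" should read "when it is triggered to set up an LDAP backend", and the note could name the two new parameters (`ldap_backend_enable`, `ldap_backends_config`) so operators reading the release notes know what to set.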