23e723255c
This patch adds the appropriate include to make sure that appropriate keystone user, services, etc. are created when octavia is selected. Closes-bug: #1680588 Change-Id: I0b6d657a0300538292223923d8808c23f936c193
324 lines
11 KiB
Puppet
324 lines
11 KiB
Puppet
# Copyright 2016 Red Hat, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# == Class: tripleo::profile::base::keystone
|
|
#
|
|
# Keystone profile for tripleo
|
|
#
|
|
# === Parameters
|
|
#
|
|
# [*admin_endpoint_network*]
|
|
# (Optional) The network name where the admin endpoint is listening on.
|
|
# This is set by t-h-t.
|
|
# Defaults to hiera('keystone_admin_api_network', undef)
|
|
#
|
|
# [*bootstrap_node*]
|
|
# (Optional) The hostname of the node responsible for bootstrapping tasks
|
|
# Defaults to hiera('bootstrap_nodeid')
|
|
#
|
|
# [*certificates_specs*]
|
|
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
# it will create.
|
|
# Example with hiera:
|
|
# apache_certificates_specs:
|
|
# httpd-internal_api:
|
|
# hostname: <overcloud controller fqdn>
|
|
# service_certificate: <service certificate path>
|
|
# service_key: <service key path>
|
|
# principal: "haproxy/<overcloud controller fqdn>"
|
|
# Defaults to hiera('apache_certificate_specs', {}).
|
|
#
|
|
# [*enable_internal_tls*]
|
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
|
# Defaults to hiera('enable_internal_tls', false)
|
|
#
|
|
# [*heat_admin_domain*]
|
|
# domain name for heat admin
|
|
# Defaults to undef
|
|
#
|
|
# [*heat_admin_email*]
|
|
# heat admin email address
|
|
# Defaults to undef
|
|
#
|
|
# [*heat_admin_password*]
|
|
# heat admin password
|
|
# Defaults to undef
|
|
#
|
|
# [*heat_admin_user*]
|
|
# heat admin user name
|
|
# Defaults to undef
|
|
#
|
|
# [*manage_db_purge*]
|
|
# (Optional) Whether keystone token flushing should be enabled
|
|
# Defaults to hiera('keystone_enable_db_purge', true)
|
|
#
|
|
# [*public_endpoint_network*]
|
|
# (Optional) The network name where the admin endpoint is listening on.
|
|
# This is set by t-h-t.
|
|
# Defaults to hiera('keystone_public_api_network', undef)
|
|
#
|
|
# [*oslomsg_rpc_proto*]
|
|
# Protocol driver for the oslo messaging rpc service
|
|
# Defaults to hiera('messaging_rpc_service_name', rabbit)
|
|
#
|
|
# [*oslomsg_rpc_hosts*]
|
|
# list of the oslo messaging rpc host fqdns
|
|
# Defaults to hiera('rabbitmq_node_names')
|
|
#
|
|
# [*oslomsg_rpc_port*]
|
|
# IP port for oslo messaging rpc service
|
|
# Defaults to hiera('keystone::rabbit_port', 5672)
|
|
#
|
|
# [*oslomsg_rpc_username*]
|
|
# Username for oslo messaging rpc service
|
|
# Defaults to hiera('keystone::rabbit_userid', 'guest')
|
|
#
|
|
# [*oslomsg_rpc_password*]
|
|
# Password for oslo messaging rpc service
|
|
# Defaults to hiera('keystone::rabbit_password')
|
|
#
|
|
# [*oslomsg_notify_proto*]
|
|
# Protocol driver for the oslo messaging notify service
|
|
# Defaults to hiera('messaging_notify_service_name', rabbit)
|
|
#
|
|
# [*oslomsg_notify_hosts*]
|
|
# list of the oslo messaging notify host fqdns
|
|
# Defaults to hiera('rabbitmq_node_names')
|
|
#
|
|
# [*oslomsg_notify_port*]
|
|
# IP port for oslo messaging notify service
|
|
# Defaults to hiera('keystone::rabbit_port', 5672)
|
|
#
|
|
# [*oslomsg_notify_username*]
|
|
# Username for oslo messaging notify service
|
|
# Defaults to hiera('keystone::rabbit_userid', 'guest')
|
|
#
|
|
# [*oslomsg_notify_password*]
|
|
# Password for oslo messaging notify service
|
|
# Defaults to hiera('keystone::rabbit_password')
|
|
#
|
|
# [*oslomsg_use_ssl*]
|
|
# Enable ssl oslo messaging services
|
|
# Defaults to hiera('keystone::rabbit_use_ssl', '0')
|
|
#
|
|
# [*step*]
|
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
|
# for more details.
|
|
# Defaults to hiera('step')
|
|
#
|
|
class tripleo::profile::base::keystone (
|
|
$admin_endpoint_network = hiera('keystone_admin_api_network', undef),
|
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
|
$heat_admin_domain = undef,
|
|
$heat_admin_email = undef,
|
|
$heat_admin_password = undef,
|
|
$heat_admin_user = undef,
|
|
$manage_db_purge = hiera('keystone_enable_db_purge', true),
|
|
$public_endpoint_network = hiera('keystone_public_api_network', undef),
|
|
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
|
|
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
|
|
$oslomsg_rpc_password = hiera('keystone::rabbit_password'),
|
|
$oslomsg_rpc_port = hiera('keystone::rabbit_port', '5672'),
|
|
$oslomsg_rpc_username = hiera('keystone::rabbit_userid', 'guest'),
|
|
$oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'),
|
|
$oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)),
|
|
$oslomsg_notify_password = hiera('keystone::rabbit_password'),
|
|
$oslomsg_notify_port = hiera('keystone::rabbit_port', '5672'),
|
|
$oslomsg_notify_username = hiera('keystone::rabbit_userid', 'guest'),
|
|
$oslomsg_use_ssl = hiera('keystone::rabbit_use_ssl', '0'),
|
|
$step = hiera('step'),
|
|
) {
|
|
if $::hostname == downcase($bootstrap_node) {
|
|
$sync_db = true
|
|
$manage_roles = true
|
|
$manage_endpoint = true
|
|
$manage_domain = true
|
|
} else {
|
|
$sync_db = false
|
|
$manage_roles = false
|
|
$manage_endpoint = false
|
|
$manage_domain = false
|
|
}
|
|
|
|
if $enable_internal_tls {
|
|
if !$public_endpoint_network {
|
|
fail('keystone_public_api_network is not set in the hieradata.')
|
|
}
|
|
$tls_certfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_certificate']
|
|
$tls_keyfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_key']
|
|
|
|
if !$admin_endpoint_network {
|
|
fail('keystone_admin_api_network is not set in the hieradata.')
|
|
}
|
|
$tls_certfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_certificate']
|
|
$tls_keyfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_key']
|
|
} else {
|
|
$tls_certfile = undef
|
|
$tls_keyfile = undef
|
|
$tls_certfile_admin = undef
|
|
$tls_keyfile_admin = undef
|
|
}
|
|
|
|
if $step >= 4 or ( $step >= 3 and $sync_db ) {
|
|
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
|
|
class { '::keystone':
|
|
sync_db => $sync_db,
|
|
enable_bootstrap => $sync_db,
|
|
default_transport_url => os_transport_url({
|
|
'transport' => $oslomsg_rpc_proto,
|
|
'hosts' => $oslomsg_rpc_hosts,
|
|
'port' => $oslomsg_rpc_port,
|
|
'username' => $oslomsg_rpc_username,
|
|
'password' => $oslomsg_rpc_password,
|
|
'ssl' => $oslomsg_use_ssl_real,
|
|
}),
|
|
notification_transport_url => os_transport_url({
|
|
'transport' => $oslomsg_notify_proto,
|
|
'hosts' => $oslomsg_notify_hosts,
|
|
'port' => $oslomsg_notify_port,
|
|
'username' => $oslomsg_notify_username,
|
|
'password' => $oslomsg_notify_password,
|
|
'ssl' => $oslomsg_use_ssl_real,
|
|
}),
|
|
}
|
|
|
|
if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{
|
|
include ::keystone::messaging::amqp
|
|
}
|
|
|
|
include ::keystone::config
|
|
class { '::keystone::wsgi::apache':
|
|
ssl_cert => $tls_certfile,
|
|
ssl_key => $tls_keyfile,
|
|
ssl_cert_admin => $tls_certfile_admin,
|
|
ssl_key_admin => $tls_keyfile_admin,
|
|
}
|
|
include ::keystone::cors
|
|
}
|
|
|
|
if $step >= 4 and $manage_db_purge {
|
|
include ::keystone::cron::token_flush
|
|
}
|
|
|
|
if $step == 3 and $manage_domain {
|
|
if hiera('heat_engine_enabled', false) {
|
|
# create these seperate and don't use ::heat::keystone::domain since
|
|
# that class writes out the configs
|
|
keystone_domain { $heat_admin_domain:
|
|
ensure => 'present',
|
|
enabled => true
|
|
}
|
|
keystone_user { "${heat_admin_user}::${heat_admin_domain}":
|
|
ensure => 'present',
|
|
enabled => true,
|
|
email => $heat_admin_email,
|
|
password => $heat_admin_password
|
|
}
|
|
keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
|
|
roles => ['admin'],
|
|
require => Class['::keystone::roles::admin']
|
|
}
|
|
}
|
|
}
|
|
|
|
if $step == 3 and $manage_roles {
|
|
include ::keystone::roles::admin
|
|
}
|
|
|
|
if $step == 3 and $manage_endpoint {
|
|
include ::keystone::endpoint
|
|
if hiera('aodh_api_enabled', false) {
|
|
include ::aodh::keystone::auth
|
|
}
|
|
if hiera('barbican_api_enabled', false) {
|
|
include ::barbican::keystone::auth
|
|
}
|
|
# ceilometer user is needed even when ceilometer api
|
|
# not running, so it can authenticate with keystone
|
|
# and dispatch data.
|
|
if hiera('ceilometer_auth_enabled', false) {
|
|
include ::ceilometer::keystone::auth
|
|
}
|
|
if hiera('ceph_rgw_enabled', false) {
|
|
include ::ceph::rgw::keystone::auth
|
|
}
|
|
if hiera('cinder_api_enabled', false) {
|
|
include ::cinder::keystone::auth
|
|
}
|
|
if hiera('congress_enabled', false) {
|
|
include ::congress::keystone::auth
|
|
}
|
|
if hiera('glance_api_enabled', false) {
|
|
include ::glance::keystone::auth
|
|
}
|
|
if hiera('gnocchi_api_enabled', false) {
|
|
include ::gnocchi::keystone::auth
|
|
}
|
|
if hiera('heat_api_enabled', false) {
|
|
include ::heat::keystone::auth
|
|
}
|
|
if hiera('heat_api_cfn_enabled', false) {
|
|
include ::heat::keystone::auth_cfn
|
|
}
|
|
if hiera('ironic_api_enabled', false) {
|
|
include ::ironic::keystone::auth
|
|
}
|
|
if hiera('ironic_inspector_enabled', false) {
|
|
include ::ironic::keystone::auth_inspector
|
|
}
|
|
if hiera('manila_api_enabled', false) {
|
|
include ::manila::keystone::auth
|
|
}
|
|
if hiera('mistral_api_enabled', false) {
|
|
include ::mistral::keystone::auth
|
|
}
|
|
if hiera('neutron_api_enabled', false) {
|
|
include ::neutron::keystone::auth
|
|
}
|
|
if hiera('nova_api_enabled', false) {
|
|
include ::nova::keystone::auth
|
|
}
|
|
if hiera('nova_placement_enabled', false) {
|
|
include ::nova::keystone::auth_placement
|
|
}
|
|
if hiera('octavia_api_enabled', false) {
|
|
include ::octavia::keystone::auth
|
|
}
|
|
if hiera('panko_api_enabled', false) {
|
|
include ::panko::keystone::auth
|
|
}
|
|
if hiera('sahara_api_enabled', false) {
|
|
include ::sahara::keystone::auth
|
|
}
|
|
if hiera('swift_proxy_enabled', false) {
|
|
include ::swift::keystone::auth
|
|
}
|
|
if hiera('tacker_enabled', false) {
|
|
include ::tacker::keystone::auth
|
|
}
|
|
if hiera('trove_api_enabled', false) {
|
|
include ::trove::keystone::auth
|
|
}
|
|
if hiera('zaqar_enabled', false) {
|
|
include ::zaqar::keystone::auth
|
|
include ::zaqar::keystone::auth_websocket
|
|
}
|
|
if hiera('ec2_api_enabled', false) {
|
|
include ::ec2api::keystone::auth
|
|
}
|
|
}
|
|
}
|