Merge "Keystone domain for Heat"

overcloud.yaml

@@ -482,7 +482,7 @@ parameters:
     type: string
     hidden: true
   HeatStackDomainAdminPassword:
-    description: Password for heat_domain_admin user.
+    description: Password for heat_stack_domain_admin user.
     type: string
     hidden: true
   InstanceNameTemplate:

puppet/controller.yaml

@@ -238,7 +238,7 @@ parameters:
     type: string
     hidden: true
   HeatStackDomainAdminPassword:
-    description: Password for heat_domain_admin user.
+    description: Password for heat_stack_domain_admin user.
     type: string
     hidden: true
   HeatAuthEncryptionKey:
@@ -1410,9 +1410,11 @@ resources:
                 heat::debug: {get_input: debug}
                 heat::db::mysql::password: {get_input: heat_password}
                 heat_enable_db_purge: {get_input: heat_enable_db_purge}
+                heat::keystone::domain::domain_password: {get_input: heat_stack_domain_admin_password}
 
                 # Keystone
                 keystone::admin_token: {get_input: admin_token}
+                keystone::roles::admin::password: {get_input: admin_password}
                 keystone_ca_certificate: {get_input: keystone_ca_certificate}
                 keystone_signing_key: {get_input: keystone_signing_key}
                 keystone_signing_certificate: {get_input: keystone_signing_certificate}

puppet/hieradata/controller.yaml

@@ -1,4 +1,5 @@
 # Hiera data here applies to all controller nodes
+
 nova::api::enabled: true
 nova::conductor::enabled: true
 nova::consoleauth::enabled: true
@@ -29,6 +30,9 @@ redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
 redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
 redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
 
+# keystone
+keystone::roles::admin::email: 'root@localhost'
+
 # service tenant
 glance::api::keystone_tenant: 'service'
 glance::registry::keystone_tenant: 'service'
@@ -110,6 +114,9 @@ heat::cron::purge_deleted::age: 30
 heat::cron::purge_deleted::age_type: 'days'
 heat::cron::purge_deleted::maxdelay: 3600
 heat::cron::purge_deleted::destination: '/dev/null'
+heat::keystone::domain::domain_name: 'heat_stack'
+heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
+heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
 
 # pacemaker
 pacemaker::corosync::cluster_name: 'tripleo_cluster'

puppet/manifests/overcloud_controller.pp

@@ -663,6 +663,23 @@ if hiera('step') >= 4 {
   if $heat_enable_db_purge {
     include ::heat::cron::purge_deleted
   }
+
+  if downcase(hiera('bootstrap_nodeid')) == $::hostname {
+    include ::keystone::roles::admin
+    # Class ::heat::keystone::domain has to run on bootstrap node
+    # because it creates DB entities via API calls.
+    include ::heat::keystone::domain
+
+    Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
+  } else {
+    # On non-bootstrap node we don't need to create Keystone resources again
+    class { '::heat::keystone::domain':
+      manage_domain => false,
+      manage_user   => false,
+      manage_role   => false,
+    }
+  }
+
 } #END STEP 4
 
 $package_manifest_name = join(['/var/lib/tripleo/installed-packages/overcloud_controller', hiera('step')])

puppet/manifests/overcloud_controller_pacemaker.pp

@@ -1851,6 +1851,16 @@ if hiera('step') >= 5 {
     class {'::keystone::endpoint' :
       require => Pacemaker::Resource::Service[$::apache::params::service_name],
     }
+    include ::heat::keystone::domain
+    Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
+
+  } else {
+    # On non-master controller we don't need to create Keystone resources again
+    class { '::heat::keystone::domain':
+      manage_domain => false,
+      manage_user   => false,
+      manage_role   => false,
+    }
   }
 
 } #END STEP 5