openstack/tripleo-heat-templates
Code Issues Proposed changes

Keystone domain for Heat

Browse Source 
This patch adds support for configuring Keystone domain for Heat
via heat-keystone-setup-domain script. It should be reverted
as soon as Keystone v3 is fully functional.

This patch won't be fully functional without either python-keystoneclient
fix [1] or workaround [2].

[1] https://bugs.launchpad.net/python-keystoneclient/+bug/1452298
[2] https://review.openstack.org/180563

Change-Id: Ie9cdd518b299c141f0fdbb3441a7761c27321a88
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Depends-On: Ic541f11978908f9344e5590f3961f0d31c04bb0c
This commit is contained in:
Martin Mágr 2015-03-02 11:04:20 +01:00
parent cab673943b
commit 48146252c9
5 changed files with 38 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
overcloud.yaml
View File

@ -482,7 +482,7 @@ parameters:
type: string type: string
hidden: true hidden: true
HeatStackDomainAdminPassword: HeatStackDomainAdminPassword:
description: Password for heat_domain_admin user. description: Password for heat_stack_domain_admin user.
type: string type: string
hidden: true hidden: true
InstanceNameTemplate: InstanceNameTemplate:

4
puppet/controller.yaml
View File

@ -238,7 +238,7 @@ parameters:
type: string type: string
hidden: true hidden: true
HeatStackDomainAdminPassword: HeatStackDomainAdminPassword:
description: Password for heat_domain_admin user. description: Password for heat_stack_domain_admin user.
type: string type: string
hidden: true hidden: true
HeatAuthEncryptionKey: HeatAuthEncryptionKey:
@ -1410,9 +1410,11 @@ resources:
heat::debug: {get_input: debug} heat::debug: {get_input: debug}
heat::db::mysql::password: {get_input: heat_password} heat::db::mysql::password: {get_input: heat_password}
heat_enable_db_purge: {get_input: heat_enable_db_purge} heat_enable_db_purge: {get_input: heat_enable_db_purge}
heat::keystone::domain::domain_password: {get_input: heat_stack_domain_admin_password}
# Keystone # Keystone
keystone::admin_token: {get_input: admin_token} keystone::admin_token: {get_input: admin_token}
keystone::roles::admin::password: {get_input: admin_password}
keystone_ca_certificate: {get_input: keystone_ca_certificate} keystone_ca_certificate: {get_input: keystone_ca_certificate}
keystone_signing_key: {get_input: keystone_signing_key} keystone_signing_key: {get_input: keystone_signing_key}
keystone_signing_certificate: {get_input: keystone_signing_certificate} keystone_signing_certificate: {get_input: keystone_signing_certificate}

7
puppet/hieradata/controller.yaml
View File

@ -1,4 +1,5 @@
# Hiera data here applies to all controller nodes # Hiera data here applies to all controller nodes
nova::api::enabled: true nova::api::enabled: true
nova::conductor::enabled: true nova::conductor::enabled: true
nova::consoleauth::enabled: true nova::consoleauth::enabled: true
@ -29,6 +30,9 @@ redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
# keystone
keystone::roles::admin::email: 'root@localhost'
# service tenant # service tenant
glance::api::keystone_tenant: 'service' glance::api::keystone_tenant: 'service'
glance::registry::keystone_tenant: 'service' glance::registry::keystone_tenant: 'service'
@ -110,6 +114,9 @@ heat::cron::purge_deleted::age: 30
heat::cron::purge_deleted::age_type: 'days' heat::cron::purge_deleted::age_type: 'days'
heat::cron::purge_deleted::maxdelay: 3600 heat::cron::purge_deleted::maxdelay: 3600
heat::cron::purge_deleted::destination: '/dev/null' heat::cron::purge_deleted::destination: '/dev/null'
heat::keystone::domain::domain_name: 'heat_stack'
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
# pacemaker # pacemaker
pacemaker::corosync::cluster_name: 'tripleo_cluster' pacemaker::corosync::cluster_name: 'tripleo_cluster'

17
puppet/manifests/overcloud_controller.pp
View File

@ -638,6 +638,23 @@ if hiera('step') >= 4 {
if $heat_enable_db_purge { if $heat_enable_db_purge {
include ::heat::cron::purge_deleted include ::heat::cron::purge_deleted
} }
if downcase(hiera('bootstrap_nodeid')) == $::hostname {
include ::keystone::roles::admin
# Class ::heat::keystone::domain has to run on bootstrap node
# because it creates DB entities via API calls.
include ::heat::keystone::domain
Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
} else {
# On non-bootstrap node we don't need to create Keystone resources again
class { '::heat::keystone::domain':
manage_domain => false,
manage_user => false,
manage_role => false,
}
}
} #END STEP 4 } #END STEP 4
$package_manifest_name = join(['/var/lib/tripleo/installed-packages/overcloud_controller', hiera('step')]) $package_manifest_name = join(['/var/lib/tripleo/installed-packages/overcloud_controller', hiera('step')])

10
puppet/manifests/overcloud_controller_pacemaker.pp
View File

@ -1825,6 +1825,16 @@ if hiera('step') >= 5 {
class {'::keystone::endpoint' : class {'::keystone::endpoint' :
require => Pacemaker::Resource::Service[$::apache::params::service_name], require => Pacemaker::Resource::Service[$::apache::params::service_name],
} }
include ::heat::keystone::domain
Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
} else {
# On non-master controller we don't need to create Keystone resources again
class { '::heat::keystone::domain':
manage_domain => false,
manage_user => false,
manage_role => false,
}
} }
} #END STEP 5 } #END STEP 5