116 lines
3.3 KiB
Puppet
116 lines
3.3 KiB
Puppet
## Keystone
|
|
# non admin user
|
|
$username = 'demo'
|
|
$password = hiera('CONFIG_KEYSTONE_DEMO_PW')
|
|
$tenant_name = 'demo'
|
|
# admin user
|
|
$admin_username = 'admin'
|
|
$admin_password = hiera('CONFIG_KEYSTONE_ADMIN_PW')
|
|
$admin_tenant_name = 'admin'
|
|
|
|
## Neutron
|
|
$public_network_name = 'public'
|
|
$public_subnet_name = 'public_subnet'
|
|
$floating_range = hiera('CONFIG_PROVISION_DEMO_FLOATRANGE')
|
|
$private_network_name = 'private'
|
|
$private_subnet_name = 'private_subnet'
|
|
$fixed_range = '10.0.0.0/24'
|
|
$router_name = 'router1'
|
|
$setup_ovs_bridge = hiera('CONFIG_PROVISION_ALL_IN_ONE_OVS_BRIDGE')
|
|
$public_bridge_name = hiera('CONFIG_NEUTRON_L3_EXT_BRIDGE')
|
|
$provision_neutron_avail = hiera('PROVISION_NEUTRON_AVAILABLE')
|
|
|
|
## Users
|
|
|
|
keystone_tenant { $tenant_name:
|
|
ensure => present,
|
|
enabled => true,
|
|
description => 'default tenant',
|
|
}
|
|
keystone_user { $username:
|
|
ensure => present,
|
|
enabled => true,
|
|
tenant => $tenant_name,
|
|
password => $password,
|
|
}
|
|
|
|
if hiera('CONFIG_HEAT_INSTALL') == 'y' {
|
|
keystone_user_role { "${username}@${tenant_name}":
|
|
ensure => present,
|
|
roles => ['_member_', 'heat_stack_owner'],
|
|
}
|
|
}
|
|
|
|
## Neutron
|
|
|
|
if $provision_neutron_avail {
|
|
$neutron_deps = [Neutron_network[$public_network_name]]
|
|
|
|
neutron_network { $public_network_name:
|
|
ensure => present,
|
|
router_external => true,
|
|
tenant_name => $admin_tenant_name,
|
|
}
|
|
neutron_subnet { $public_subnet_name:
|
|
ensure => 'present',
|
|
cidr => $floating_range,
|
|
enable_dhcp => false,
|
|
network_name => $public_network_name,
|
|
tenant_name => $admin_tenant_name,
|
|
}
|
|
neutron_network { $private_network_name:
|
|
ensure => present,
|
|
tenant_name => $tenant_name,
|
|
}
|
|
neutron_subnet { $private_subnet_name:
|
|
ensure => present,
|
|
cidr => $fixed_range,
|
|
network_name => $private_network_name,
|
|
tenant_name => $tenant_name,
|
|
}
|
|
# Tenant-owned router - assumes network namespace isolation
|
|
neutron_router { $router_name:
|
|
ensure => present,
|
|
tenant_name => $tenant_name,
|
|
gateway_network_name => $public_network_name,
|
|
# A neutron_router resource must explicitly declare a dependency on
|
|
# the first subnet of the gateway network.
|
|
require => Neutron_subnet[$public_subnet_name],
|
|
}
|
|
neutron_router_interface { "${router_name}:${private_subnet_name}":
|
|
ensure => present,
|
|
}
|
|
|
|
if $setup_ovs_bridge {
|
|
neutron_l3_ovs_bridge { $public_bridge_name:
|
|
ensure => present,
|
|
subnet_name => $public_subnet_name,
|
|
}
|
|
}
|
|
}
|
|
|
|
if $setup_ovs_bridge {
|
|
firewall { '000 nat':
|
|
chain => 'POSTROUTING',
|
|
jump => 'MASQUERADE',
|
|
source => hiera('CONFIG_PROVISION_DEMO_FLOATRANGE'),
|
|
outiface => $::gateway_device,
|
|
table => 'nat',
|
|
proto => 'all',
|
|
}
|
|
|
|
firewall { '000 forward out':
|
|
chain => 'FORWARD',
|
|
action => 'accept',
|
|
outiface => $public_bridge_name,
|
|
proto => 'all',
|
|
}
|
|
|
|
firewall { '000 forward in':
|
|
chain => 'FORWARD',
|
|
action => 'accept',
|
|
iniface => $public_bridge_name,
|
|
proto => 'all',
|
|
}
|
|
}
|