0ea44a1eb1
This commit adds the service description as a class parameter in order to allow users to update from a previous version if the service description is changed (incorrectly spelled or wrong description) Change-Id: Ifa39ae38c1004924f14089cfc45394839d442081 Closes-Bug: #1468407
262 lines
8.5 KiB
Puppet
262 lines
8.5 KiB
Puppet
# == Class: heat::keystone::auth
|
|
#
|
|
# Configures heat user, service and endpoint in Keystone.
|
|
#
|
|
# === Parameters
|
|
# [*password*]
|
|
# (Required) Password for heat user.
|
|
#
|
|
# [*email*]
|
|
# (Optional) Email for heat user.
|
|
# Defaults to 'heat@localhost'.
|
|
#
|
|
# [*auth_name*]
|
|
# (Optional) Username for heat service.
|
|
# Defaults to 'heat'.
|
|
#
|
|
# [*configure_endpoint*]
|
|
# (Optional) Should heat endpoint be configured?
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*configure_service*]
|
|
# (Optional) Should heat service be configured?
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*configure_user*]
|
|
# (Optional) Whether to create the service user.
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*configure_user_role*]
|
|
# (Optional) Whether to configure the admin role for the service user.
|
|
# Defaults to 'true'.
|
|
#
|
|
# [*service_name*]
|
|
# (Optional) Name of the service.
|
|
# Defaults to the value of auth_name.
|
|
#
|
|
# [*service_type*]
|
|
# (Optional) Type of service.
|
|
# Defaults to 'orchestration'.
|
|
#
|
|
# [*service_description*]
|
|
# (Optional) Description for keystone service.
|
|
# Defaults to 'Openstack Orchestration Service'.
|
|
#
|
|
# [*region*]
|
|
# (Optional) Region for endpoint.
|
|
# Defaults to 'RegionOne'.
|
|
#
|
|
# [*tenant*]
|
|
# (Optional) Tenant for heat user.
|
|
# Defaults to 'services'.
|
|
#
|
|
# [*trusts_delegated_roles*]
|
|
# (optional) Array of trustor roles to be delegated to heat.
|
|
# Defaults to ['heat_stack_owner']
|
|
#
|
|
# [*configure_delegated_roles*]
|
|
# (optional) Whether to configure the delegated roles.
|
|
# Defaults to false until the deprecated parameters in heat::engine
|
|
# are removed after Kilo.
|
|
#
|
|
# [*public_url*]
|
|
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s')
|
|
# This url should *not* contain any trailing '/'.
|
|
#
|
|
# [*admin_url*]
|
|
# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s')
|
|
# This url should *not* contain any trailing '/'.
|
|
#
|
|
# [*internal_url*]
|
|
# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:8004/v1/%(tenant_id)s')
|
|
# This url should *not* contain any trailing '/'.
|
|
#
|
|
# [*version*]
|
|
# (optional) DEPRECATED: Use public_url, internal_url and admin_url instead.
|
|
# API version endpoint. (Defaults to 'v1')
|
|
# Setting this parameter overrides public_url, internal_url and admin_url parameters.
|
|
#
|
|
# [*port*]
|
|
# (optional) DEPRECATED: Use public_url, internal_url and admin_url instead.
|
|
# Default port for endpoints. (Defaults to 9001)
|
|
# Setting this parameter overrides public_url, internal_url and admin_url parameters.
|
|
#
|
|
# [*public_protocol*]
|
|
# (optional) DEPRECATED: Use public_url instead.
|
|
# Protocol for public endpoint. (Defaults to 'http')
|
|
# Setting this parameter overrides public_url parameter.
|
|
#
|
|
# [*public_address*]
|
|
# (optional) DEPRECATED: Use public_url instead.
|
|
# Public address for endpoint. (Defaults to '127.0.0.1')
|
|
# Setting this parameter overrides public_url parameter.
|
|
#
|
|
# [*internal_protocol*]
|
|
# (optional) DEPRECATED: Use internal_url instead.
|
|
# Protocol for internal endpoint. (Defaults to 'http')
|
|
# Setting this parameter overrides internal_url parameter.
|
|
#
|
|
# [*internal_address*]
|
|
# (optional) DEPRECATED: Use internal_url instead.
|
|
# Internal address for endpoint. (Defaults to '127.0.0.1')
|
|
# Setting this parameter overrides internal_url parameter.
|
|
#
|
|
# [*admin_protocol*]
|
|
# (optional) DEPRECATED: Use admin_url instead.
|
|
# Protocol for admin endpoint. (Defaults to 'http')
|
|
# Setting this parameter overrides admin_url parameter.
|
|
#
|
|
# [*admin_address*]
|
|
# (optional) DEPRECATED: Use admin_url instead.
|
|
# Admin address for endpoint. (Defaults to '127.0.0.1')
|
|
# Setting this parameter overrides admin_url parameter.
|
|
#
|
|
# === Deprecation notes
|
|
#
|
|
# If any value is provided for public_protocol, public_address or port parameters,
|
|
# public_url will be completely ignored. The same applies for internal and admin parameters.
|
|
#
|
|
# === Examples
|
|
#
|
|
# class { 'heat::keystone::auth':
|
|
# public_url => 'https://10.0.0.10:8004/v1/%(tenant_id)s',
|
|
# internal_url => 'https://10.0.0.11:8004/v1/%(tenant_id)s',
|
|
# admin_url => 'https://10.0.0.11:8004/v1/%(tenant_id)s',
|
|
# }
|
|
#
|
|
class heat::keystone::auth (
|
|
$password = false,
|
|
$email = 'heat@localhost',
|
|
$auth_name = 'heat',
|
|
$service_name = undef,
|
|
$service_type = 'orchestration',
|
|
$service_description = 'Openstack Orchestration Service',
|
|
$region = 'RegionOne',
|
|
$tenant = 'services',
|
|
$configure_endpoint = true,
|
|
$configure_service = true,
|
|
$configure_user = true,
|
|
$configure_user_role = true,
|
|
$trusts_delegated_roles = ['heat_stack_owner'],
|
|
$configure_delegated_roles = false,
|
|
$public_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
|
|
$admin_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
|
|
$internal_url = 'http://127.0.0.1:8004/v1/%(tenant_id)s',
|
|
# DEPRECATED PARAMETERS
|
|
$version = undef,
|
|
$port = undef,
|
|
$public_protocol = undef,
|
|
$public_address = undef,
|
|
$internal_protocol = undef,
|
|
$internal_address = undef,
|
|
$admin_protocol = undef,
|
|
$admin_address = undef,
|
|
) {
|
|
|
|
validate_string($password)
|
|
|
|
if $version {
|
|
warning('The version parameter is deprecated, use public_url, internal_url and admin_url instead.')
|
|
}
|
|
|
|
if $port {
|
|
warning('The port parameter is deprecated, use public_url, internal_url and admin_url instead.')
|
|
}
|
|
|
|
if $public_protocol {
|
|
warning('The public_protocol parameter is deprecated, use public_url instead.')
|
|
}
|
|
|
|
if $internal_protocol {
|
|
warning('The internal_protocol parameter is deprecated, use internal_url instead.')
|
|
}
|
|
|
|
if $admin_protocol {
|
|
warning('The admin_protocol parameter is deprecated, use admin_url instead.')
|
|
}
|
|
|
|
if $public_address {
|
|
warning('The public_address parameter is deprecated, use public_url instead.')
|
|
}
|
|
|
|
if $internal_address {
|
|
warning('The internal_address parameter is deprecated, use internal_url instead.')
|
|
}
|
|
|
|
if $admin_address {
|
|
warning('The admin_address parameter is deprecated, use admin_url instead.')
|
|
}
|
|
|
|
if ($public_protocol or $public_address or $port or $version) {
|
|
$public_url_real = sprintf('%s://%s:%s/%s/%%(tenant_id)s',
|
|
pick($public_protocol, 'http'),
|
|
pick($public_address, '127.0.0.1'),
|
|
pick($port, '8004'),
|
|
pick($version, 'v1'))
|
|
} else {
|
|
$public_url_real = $public_url
|
|
}
|
|
|
|
if ($admin_protocol or $admin_address or $port or $version) {
|
|
$admin_url_real = sprintf('%s://%s:%s/%s/%%(tenant_id)s',
|
|
pick($admin_protocol, 'http'),
|
|
pick($admin_address, '127.0.0.1'),
|
|
pick($port, '8004'),
|
|
pick($version, 'v1'))
|
|
} else {
|
|
$admin_url_real = $admin_url
|
|
}
|
|
|
|
if ($internal_protocol or $internal_address or $port or $version) {
|
|
$internal_url_real = sprintf('%s://%s:%s/%s/%%(tenant_id)s',
|
|
pick($internal_protocol, 'http'),
|
|
pick($internal_address, '127.0.0.1'),
|
|
pick($port, '8004'),
|
|
pick($version, 'v1'))
|
|
} else {
|
|
$internal_url_real = $internal_url
|
|
}
|
|
|
|
$real_service_name = pick($service_name, $auth_name)
|
|
|
|
keystone::resource::service_identity { $auth_name:
|
|
configure_user => $configure_user,
|
|
configure_user_role => $configure_user_role,
|
|
configure_endpoint => $configure_endpoint,
|
|
configure_service => $configure_service,
|
|
service_type => $service_type,
|
|
service_description => $service_description,
|
|
service_name => $real_service_name,
|
|
region => $region,
|
|
password => $password,
|
|
email => $email,
|
|
tenant => $tenant,
|
|
public_url => $public_url_real,
|
|
admin_url => $admin_url_real,
|
|
internal_url => $internal_url_real,
|
|
}
|
|
|
|
if $configure_user_role {
|
|
Keystone_user_role["${auth_name}@${tenant}"] ~>
|
|
Service <| name == 'heat-api' |>
|
|
}
|
|
|
|
keystone_role { 'heat_stack_user':
|
|
ensure => present,
|
|
}
|
|
|
|
if $configure_delegated_roles {
|
|
# Sanity check - remove after we remove the deprecated item
|
|
if $heat::engine::configure_delegated_roles {
|
|
fail('both heat::engine and heat::keystone::auth are both trying to configure delegated roles')
|
|
}
|
|
# if this is a keystone only node, we configure the role here
|
|
# but let engine.pp set the config file. A keystone only node
|
|
# will not have a heat.conf file. We will use the value in
|
|
# engine.pp as the one source of truth for the delegated role list.
|
|
keystone_role { $trusts_delegated_roles:
|
|
ensure => present,
|
|
}
|
|
}
|
|
}
|