Create heat user in keystone profile

Rather than use the heat::keystone::domain class which also includes the
configuration options, we should just create the user for heat in
keystone independently of the configuration.

Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
Related-Bug: #1638350
Closes-Bug: #1638626

diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp
index abb9f76..2babf4c 100644 (file)
--- a/manifests/profile/base/heat.pp
+++ b/manifests/profile/base/heat.pp
@@ -53,7 +53,7 @@ class tripleo::profile::base::heat (
 ) {
   # Domain resources will be created at step5 on the node running keystone.pp
   # configure heat.conf at step3 and 4 but actually create the domain later.
-  if $step == 3 or $step == 4 {
+  if $step >= 3 {
     class { '::heat::keystone::domain':
       manage_domain => false,
       manage_user   => false,

diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 87fa3c1..e30f712 100644 (file)
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -74,6 +74,23 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*heat_admin_domain*]
+#   domain name for heat admin
+#   Defaults to hiera('heat::keystone::domain::domain_name', 'heat')
+#
+# [*heat_admin_user*]
+#   heat admin user name
+#   Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin')
+#
+# [*heat_admin_email*]
+#   heat admin email address
+#   Defaults to hiera('heat::keystone::domain::domain_admin_email',
+#     'heat_admin@localhost')
+#
+# [*heat_admin_password*]
+#   heat admin password
+#   Defaults to hiera('heat::keystone::domain::domain_password')
+#
 class tripleo::profile::base::keystone (
   $admin_endpoint_network        = hiera('keystone_admin_api_network', undef),
   $bootstrap_node                = hiera('bootstrap_nodeid', undef),
@@ -85,6 +102,10 @@ class tripleo::profile::base::keystone (
   $rabbit_hosts                  = hiera('rabbitmq_node_ips', undef),
   $rabbit_port                   = hiera('keystone::rabbit_port', 5672),
   $step                          = hiera('step'),
+  $heat_admin_domain             = hiera('heat::keystone::domain::domain_name', 'heat'),
+  $heat_admin_user               = hiera('heat::keystone::domain::domain_admin', 'heat_admin'),
+  $heat_admin_email              = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'),
+  $heat_admin_password           = hiera('heat::keystone::domain::domain_password'),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -153,22 +174,22 @@ class tripleo::profile::base::keystone (
 
   if $step >= 5 and $manage_domain {
     if hiera('heat_engine_enabled', false) {
-      # if Heat and Keystone are collocated, so we want to
-      # both configure heat.conf and create Keystone resources.
-      # note: domain_password is given via Hiera.
-      if defined(Class['::tripleo::profile::base::heat']) {
-        include ::heat::keystone::domain
-      } else {
-        # if Heat and Keystone are not collocated, we want Puppet
-        # to only create Keystone resources on the Keystone node
-        # but not try to configure Heat, to avoid leaking the password.
-        class { '::heat::keystone::domain':
-          domain_name     => $::os_service_default,
-          domain_admin    => $::os_service_default,
-          domain_password => $::os_service_default,
-        }
+      # create these seperate and don't use ::heat::keystone::domain since
+      # that class writes out the configs
+      keystone_domain { $heat_admin_domain:
+        ensure  => 'present',
+        enabled => true
+      }
+      keystone_user { "${heat_admin_user}::${heat_admin_domain}":
+        ensure   => 'present',
+        enabled  => true,
+        email    => $heat_admin_email,
+        password => $heat_admin_password
+      }
+      keystone_user_role { "${heat_admin_user}::${heat_admin_domain}@::${heat_admin_domain}":
+        roles   => ['admin'],
+        require => Class['::keystone::roles::admin']
       }
-      Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
     }
   }