Move heat domain/user creation into keystone profile

This needs to happen on the node running keystone, or things break
when you try to deploy e.g the heat_engine service on a non Controller
role.  We check the enabled flag for heat engine so this only happens
if the heat_engine service is running on some (any) role.

Partial-Bug: #1631130
Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3

diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp
index 027ab7e..2035a4f 100644 (file)
--- a/manifests/profile/base/heat.pp
+++ b/manifests/profile/base/heat.pp
@@ -46,7 +46,7 @@ class tripleo::profile::base::heat (
   $step                = hiera('step'),
   $rabbit_hosts        = hiera('rabbitmq_node_ips', undef),
 ) {
-  # Domain resources will be created at step5 on the bootstrap_node so we
+  # Domain resources will be created at step5 on the node running keystone.pp
   # configure heat.conf at step3 and 4 but actually create the domain later.
   if $step == 3 or $step == 4 {
     class { '::heat::keystone::domain':
@@ -69,20 +69,6 @@ class tripleo::profile::base::heat (
     if $manage_db_purge {
       include ::heat::cron::purge_deleted
     }
-    if $bootstrap_node == $::hostname {
-      # Class ::heat::keystone::domain has to run on bootstrap node
-      # because it creates DB entities via API calls.
-      include ::heat::keystone::domain
-
-      Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
-    } else {
-      # On non-bootstrap node we don't need to create Keystone resources again
-      class { '::heat::keystone::domain':
-        manage_domain => false,
-        manage_user   => false,
-        manage_role   => false,
-      }
-    }
   }
 }
 

diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index d515f8f..846296e 100644 (file)
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -45,10 +45,12 @@ class tripleo::profile::base::keystone (
     $sync_db = true
     $manage_roles = true
     $manage_endpoint = true
+    $manage_domain = true
   } else {
     $sync_db = false
     $manage_roles = false
     $manage_endpoint = false
+    $manage_domain = false
   }
 
   if $step >= 4 or ( $step >= 3 and $sync_db ) {
@@ -76,6 +78,27 @@ class tripleo::profile::base::keystone (
     include ::keystone::cron::token_flush
   }
 
+  if $step >= 5 and $manage_domain {
+    if hiera('heat_engine_enabled', false) {
+      # if Heat and Keystone are collocated, so we want to
+      # both configure heat.conf and create Keystone resources.
+      # note: domain_password is given via Hiera.
+      if defined(Class['::tripleo::profile::base::heat']) {
+        include ::heat::keystone::domain
+      } else {
+        # if Heat and Keystone are not collocated, we want Puppet
+        # to only create Keystone resources on the Keystone node
+        # but not try to configure Heat, to avoid leaking the password.
+        class { '::heat::keystone::domain':
+          domain_name     => $::os_service_default,
+          domain_admin    => $::os_service_default,
+          domain_password => $::os_service_default,
+        }
+      }
+      Class['::keystone::roles::admin'] -> Class['::heat::keystone::domain']
+    }
+  }
+
   if $step >= 5 and $manage_endpoint{
     if hiera('aodh_api_enabled', false) {
       include ::aodh::keystone::auth