# == Class: magnum::keystone::domain
#
# Configures magnum domain in Keystone.
#
# === Parameters
#
# [*cluster_user_trust*]
# enable creation of a user trust for clusters.
# Defaults to $facts['os_service_default'].
#
# [*domain_name*]
# magnum domain name.
# Defaults to 'magnum'.
#
# [*domain_id*]
# id of the domain to create trustee for clusters.
# Defaults to $facts['os_service_default'].
#
# [*domain_admin*]
# Keystone domain admin user which will be created.
# Defaults to 'magnum_admin'.
#
# [*domain_admin_id*]
# Id of the admin with roles sufficient to manage users in the trustee_domain.
# Defaults to $facts['os_service_default'].
#
# [*domain_admin_domain_name*]
# Name of the domain admin user's domain.
# Defaults to $facts['os_service_default'].
#
# [*domain_admin_domain_id*]
# Id of the domain admin user's domain.
# Defaults to $facts['os_service_default'].
#
# [*domain_admin_email*]
# Keystone domain admin user email address.
# Defaults to 'magnum_admin@localhost'.
#
# [*domain_password*]
# Keystone domain admin user password.
# Required when manage_user is true; the class fails if it is left unset.
# Defaults to undef.
#
# [*roles*]
# The roles which are delegated to the trustee by the trustor.
# Defaults to $facts['os_service_default'].
#
# [*keystone_interface*]
# Auth interface used by instances/trustee.
# Defaults to 'public'.
#
# [*keystone_region_name*]
# Region in Identity service catalog to use for
# communication with the OpenStack service.
# Defaults to $facts['os_service_default'].
#
# [*manage_domain*]
# Whether to manage creation of the domain.
# If using the default domain, this needs to be false because puppet-keystone
# can already manage it.
# Defaults to true.
#
# [*manage_user*]
# Whether to manage creation of the user.
# Defaults to true.
#
# [*manage_role*]
# Whether to manage creation of the user role.
# Defaults to true.
#
class magnum::keystone::domain (
  $cluster_user_trust       = $facts['os_service_default'],
  $domain_name              = 'magnum',
  $domain_id                = $facts['os_service_default'],
  $domain_admin             = 'magnum_admin',
  $domain_admin_id          = $facts['os_service_default'],
  $domain_admin_email       = 'magnum_admin@localhost',
  $domain_password          = undef,
  $domain_admin_domain_name = $facts['os_service_default'],
  $domain_admin_domain_id   = $facts['os_service_default'],
  $roles                    = $facts['os_service_default'],
  $keystone_interface       = 'public',
  $keystone_region_name     = $facts['os_service_default'],
  Boolean $manage_domain    = true,
  Boolean $manage_user      = true,
  Boolean $manage_role      = true,
) {
  # Declares the Keystone domain, its admin user and that user's role
  # assignment (each only when the matching manage_* switch is true), then
  # writes the [trust] options through magnum_config.

  include magnum::deps
  include magnum::params

  # ensure_resource() is used for the Keystone resources so that a resource
  # with the same title and parameters declared elsewhere does not produce a
  # duplicate declaration.
  if $manage_domain {
    ensure_resource('keystone_domain', $domain_name, {
      'ensure'  => 'present',
      'enabled' => true,
    })
  }

  # There is no built-in fallback password: compilation stops if the admin
  # user is managed and no password was supplied.
  # NOTE(review): only undef is rejected. An empty string passes this check,
  # while pick() below treats an empty string as unset, so the Keystone user
  # and the value written to the config could then disagree. Confirm whether
  # empty passwords should be refused here as well.
  if $manage_user and $domain_password == undef {
    fail('domain_password is required when managing the domain user')
  }

  if $manage_user {
    # Title is "<user>::<domain>", so the admin user is created inside the
    # magnum domain rather than in the default domain.
    ensure_resource('keystone_user', "${domain_admin}::${domain_name}", {
      'ensure'   => 'present',
      'enabled'  => true,
      'email'    => $domain_admin_email,
      'password' => $domain_password,
    })
  }

  if $manage_role {
    # Gives the domain admin the 'admin' role. The title appears to follow
    # puppet-keystone's "<user>::<user domain>@::<target domain>" form, which
    # would scope the role to the magnum domain only. Verify against the
    # keystone_user_role type.
    ensure_resource('keystone_user_role', "${domain_admin}::${domain_name}@::${domain_name}", {
      'roles' => ['admin'],
    })
  }

  # With no password supplied (only reachable when manage_user is false) the
  # option falls back to the service-default marker instead of a literal.
  $domain_password_real = pick($domain_password, $facts['os_service_default'])

  magnum_config {
    'trust/cluster_user_trust':
      value => $cluster_user_trust;
    'trust/trustee_domain_name':
      value => $domain_name;
    'trust/trustee_domain_id':
      value => $domain_id;
    'trust/trustee_domain_admin_name':
      value => $domain_admin;
    'trust/trustee_domain_admin_id':
      value => $domain_admin_id;
    'trust/trustee_domain_admin_domain_name':
      value => $domain_admin_domain_name;
    'trust/trustee_domain_admin_domain_id':
      value => $domain_admin_domain_id;
    # The password is the only option flagged as secret; presumably this keeps
    # the value out of Puppet's logs and reports. Confirm against the
    # magnum_config type.
    'trust/trustee_domain_admin_password':
      value  => $domain_password_real,
      secret => true;
    'trust/roles':
      value => $roles;
    'trust/trustee_keystone_interface':
      value => $keystone_interface;
    'trust/trustee_keystone_region_name':
      value => $keystone_region_name;
  }
}