#
# This class implements some reasonable admin defaults for keystone.
#
# It creates the following keystone objects:
#   * service tenant (tenant used by all service users)
#   * "admin" tenant (defaults to "openstack")
#   * admin user (that defaults to the "admin" tenant)
#   * admin role
#   * adds admin role to admin user on the "admin" tenant
#
# [*Parameters*]
#
# [email] The email address for the admin. Required.
# [password] The admin password. Required.
# [admin_roles] The list of the roles with admin privileges. Optional. Defaults to ['admin'].
# [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack.
# [admin] Admin user. Optional. Defaults to admin.
# [ignore_default_tenant] Ignore setting the default tenant value when the user is created. Optional. Defaults to false.
# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant'
# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services'
# [configure_user] Optional. Should the admin user be created? Defaults to 'true'.
# [configure_user_role] Optional. Should the admin role be configured for the admin user? Defaulst to 'true'.
#
# == Dependencies
# == Examples
# == Authors
#
#   Dan Bode dan@puppetlabs.com
#
# == Copyright
#
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class keystone::roles::admin(
  $email,
  $password,
  $admin                  = 'admin',
  $admin_tenant           = 'openstack',
  $admin_roles            = ['admin'],
  $service_tenant         = 'services',
  $ignore_default_tenant  = false,
  $admin_tenant_desc      = 'admin tenant',
  $service_tenant_desc    = 'Tenant for the openstack services',
  $configure_user         = true,
  $configure_user_role    = true,
  $validate_cacert        = undef,
) {

  keystone_tenant { $service_tenant:
    ensure      => present,
    enabled     => true,
    description => $service_tenant_desc,
    os_cacert   => $validate_cacert,
  }
  keystone_tenant { $admin_tenant:
    ensure      => present,
    enabled     => true,
    description => $admin_tenant_desc,
    os_cacert   => $validate_cacert,
  }
  keystone_role { 'admin':
    ensure => present,
  }

  if $configure_user {
    keystone_user { $admin:
      ensure                => present,
      enabled               => true,
      tenant                => $admin_tenant,
      email                 => $email,
      password              => $password,
      ignore_default_tenant => $ignore_default_tenant,
    }
  }

  if $configure_user_role {
    keystone_user_role { "${admin}@${admin_tenant}":
      ensure => present,
      roles  => $admin_roles,
    }
  }

}