Add the possibility to tell openstack to use --os_cacert for keystone_tenant
[dsa-puppet.git] / modules / roles / manifests / keystone.pp
index 92642b3491f1394f5cb3352d0bc63cc809875e36..f05bab7a075abb97cb238ce2ce98635df0a45fab 100644 (file)
@@ -1,32 +1,48 @@
 class roles::keystone {
 
-       $keystone_postgres_password = hkdf('/etc/puppet/secret', "openstack-keystone")
+       Exec { logoutput => 'on_failure' }
 
-       class { 'keystone':
-               verbose        => true,
-               debug          => true,
-               sql_connection => 'postgresql://keystone:$keystone_postgres_password@bmdb1.debian.org/keystone',
-               catalog_type   => 'sql',
-               admin_token    => 'admin_token',
-               enabled        => false,
+       include roles::openstack::params
+
+       $keystone_dbpass = $roles::openstack::params::keystone_dbpass
+       $admin_token     = $roles::openstack::params::admin_token
+       $admin_pass      = $roles::openstack::params::admin_pass
+       $rabbit_pass     = $roles::openstack::params::rabbit_pass
+
+       class { '::keystone':
+               verbose             => true,
+               debug               => true,
+               sql_connection      => "postgresql://keystone:${keystone_dbpass}@bmdb1.debian.org:5435/keystone",
+               catalog_type        => 'sql',
+               admin_token         => $admin_token,
+               enabled             => false,
+               rabbit_host         => undef,
+               rabbit_hosts        => ['rapoport.debian.org','rainier.debian.org'],
+               rabbit_password     => $rabbit_pass,
+               rabbit_userid       => 'openstack',
+               rabbit_virtual_host => '/keystone',
+               memcache_servers    => ['localhost:11211'],
+               cache_backend       => 'keystone.cache.memcache_pool',
+               admin_endpoint      => 'https://openstack.bm.debian.org:35357/',
+               validate_cacert     => '/etc/ssl/debian/certs/ca.crt',
+               validate_service    => true,
        }
-       class { 'keystone::roles::admin':
+       class { '::keystone::roles::admin':
                email    => 'test@puppetlabs.com',
-               password => 'ChangeMe',
+               password => $admin_pass,
+               validate_cacert     => '/etc/ssl/debian/certs/ca.crt',
        }
-       class { 'keystone::endpoint':
-               public_url => "https://${::fqdn}:5000/",
-               admin_url  => "https://${::fqdn}:35357/",
+       class { '::keystone::endpoint':
+               public_url => 'https://openstack.bm.debian.org:5000/',
+               admin_url  => 'https://openstack.bm.debian.org:35357/',
        }
 
-       keystone_config { 'ssl/enable': value => true }
-
        include apache
-       class { 'keystone::wsgi::apache':
-               ssl => true
-       }
+       class { '::keystone::wsgi::apache':
+               ssl      => true,
+               ssl_cert => '/etc/ssl/debian/certs/openstack.bm.debian.org.crt-chained',
+               ssl_key  => '/etc/ssl/private/openstack.bm.debian.org.key',
 
-       ssl::service { 'openstack.bm.debian.org':
-               notify => Service['apache2'],
        }
 }
+
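Review bot: The new `sql_connection` and `rabbit_*` parameters now carry real secrets to remote hosts (`bmdb1.debian.org:5435`, `rapoport.debian.org`, `rainier.debian.org`), but nothing in the hunk requests TLS on either link, whereas the HTTP side pins `/etc/ssl/debian/certs/ca.crt`. Unless the servers enforce it outside this manifest, consider `rabbit_use_ssl => true` (if the keystone module version in use supports it) and appending `?sslmode=verify-full` to the PostgreSQL URL, so the passwords are not sent in clear or to an unverified peer. `${keystone_dbpass}` is also interpolated into the URL unescaped, so a password containing `@`, `/` or `:` would mis-parse the connection string; either constrain the generated alphabet in `roles::openstack::params` or URL-encode the value. Separately, `debug => true` remains set now that `admin_token` and `admin_pass` are real values rather than placeholders, so it is worth confirming the Keystone debug log does not record them.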