From 942bbed848a6cd86bab53c9acfc72e95a3408332 Mon Sep 17 00:00:00 2001
From: Martin Zobel-Helas
Date: Wed, 1 Jul 2015 21:35:16 +0000
Subject: [PATCH] move passwords to a different file and enable apache certs

Signed-off-by: Martin Zobel-Helas
---
 .gitignore | 1 +
 modules/roles/manifests/keystone.pp | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/.gitignore b/.gitignore
index c29343df..22c685f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ modules/hiera-puppet
 modules/puppetmaster/manifests/db.pp
 modules/exim/files/email-virtualdomains/
 modules/roles/manifests/pubsub/params.pp
+modules/roles/manifests/openstack/params.pp
 *.swp
 *~
 /secret
diff --git a/modules/roles/manifests/keystone.pp b/modules/roles/manifests/keystone.pp
index 92642b34..befe945f 100644
--- a/modules/roles/manifests/keystone.pp
+++ b/modules/roles/manifests/keystone.pp
@@ -1,32 +1,33 @@ class roles::keystone { - $keystone_postgres_password = hkdf('/etc/puppet/secret', "openstack-keystone") + include roles::openstack::params - class { 'keystone': + $keystone_dbpass = $roles::openstack::params::keystone_dbpass + $admin_token = roles::openstack::params::admin_token + $admin_pass = roles::openstack::params::admin_pass + + class { '::keystone': verbose => true, debug => true, sql_connection => 'postgresql://keystone:$keystone_postgres_password@bmdb1.debian.org/keystone', catalog_type => 'sql', - admin_token => 'admin_token', + admin_token => $admin_token, enabled => false, } class { 'keystone::roles::admin': email => 'test@puppetlabs.com', - password => 'ChangeMe', + password => $admin_pass, } class { 'keystone::endpoint': public_url => "https://${::fqdn}:5000/", admin_url => "https://${::fqdn}:35357/", } - keystone_config { 'ssl/enable': value => true } - include apache class { 'keystone::wsgi::apache': - ssl => true - } + ssl => true, + ssl_cert => '/etc/ssl/debian/certs/openstack.bm.debian.org.crt-chained', + ssl_key => '/etc/ssl/private/openstack.bm.debian.org.key', - ssl::service { 'openstack.bm.debian.org': - notify => Service['apache2'], } } -- 2.39.2
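Review bot: The new assignments `$admin_token = roles::openstack::params::admin_token` and `$admin_pass = roles::openstack::params::admin_pass` lack the leading `$` on the right-hand side, unlike the `$keystone_dbpass` line just above them. Depending on the Puppet version this is either a parse error or a bare-word string, and in the latter case the Keystone admin token and admin password become fixed, guessable literals instead of the values from the params class. They should read `$admin_token = $roles::openstack::params::admin_token` and `$admin_pass = $roles::openstack::params::admin_pass`. Separately, `$keystone_dbpass` is assigned but never used: the unchanged `sql_connection` line is single-quoted and still names the removed `$keystone_postgres_password`, so that text is passed through literally. It likely wants `sql_connection => "postgresql://keystone:${keystone_dbpass}@bmdb1.debian.org/keystone",`.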