1 heat_template_version: pike
4 OpenStack Keystone service configured with Puppet
10 Whether to create a cron job for purging soft-deleted rows in the Keystone database.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
34 description: Keystone region for endpoint
35 KeystoneTokenProvider:
36 description: The keystone token format
40 - allowed_values: ['uuid', 'fernet']
43 description: Dictionary packing service data
47 description: Mapping of service_name -> network name. Typically set
48 via parameter_defaults in the resource registry. This
49 mapping overrides those in ServiceNetMapDefaults.
56 description: Role name on which the service is applied
60 description: Parameters specific to the role
64 description: Mapping of service endpoint -> protocol. Typically set
65 via parameter_defaults in the resource registry.
70 description: Set to True to enable debugging on all services.
73 description: Set to True to enable debugging Keystone service.
76 default: 'admin@example.com'
77 description: The email for the keystone admin account.
81 description: The password for the keystone admin account, used for monitoring, querying neutron etc.
85 description: The keystone auth secret and db password.
89 description: The password for RabbitMQ
94 description: The username for RabbitMQ
99 Rabbit client subscriber parameter to specify
100 an SSL connection to the RabbitMQ host.
104 description: Set the rabbit subscriber port; change this if using SSL
108 description: Set the number of workers for keystone::wsgi::apache
109 default: '%{::os_workers}'
110 MonitoringSubscriptionKeystone:
111 default: 'overcloud-keystone'
115 description: The first Keystone credential key. Must be a valid key.
118 description: The second Keystone credential key. Must be a valid key.
122 description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
126 description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
129 description: Mapping containing keystone's fernet keys and their paths.
130 KeystoneFernetMaxActiveKeys:
132 description: The maximum active keys in the keystone fernet key repository.
134 ManageKeystoneFernetKeys:
137 description: Whether TripleO should manage the keystone fernet keys or not.
138 If set to true, the fernet keys will get the values from the
139 saved keys repository in mistral (the KeystoneFernetKeys
140 variable). If set to false, only the stack creation
141 initializes the keys, but subsequent updates won't touch them.
142 KeystoneLoggingSource:
145 tag: openstack.keystone
146 path: /var/log/keystone/keystone.log
150 KeystoneCronTokenFlushEnsure:
153 Cron to purge expired tokens - Ensure
155 KeystoneCronTokenFlushMinute:
156 type: comma_delimited_list
158 Cron to purge expired tokens - Minute
160 KeystoneCronTokenFlushHour:
161 type: comma_delimited_list
163 Cron to purge expired tokens - Hour
165 KeystoneCronTokenFlushMonthday:
166 type: comma_delimited_list
168 Cron to purge expired tokens - Month Day
170 KeystoneCronTokenFlushMonth:
171 type: comma_delimited_list
173 Cron to purge expired tokens - Month
175 KeystoneCronTokenFlushWeekday:
176 type: comma_delimited_list
178 Cron to purge expired tokens - Week Day
180 KeystoneCronTokenFlushMaxDelay:
183 Cron to purge expired tokens - Max Delay
185 KeystoneCronTokenFlushDestination:
188 Cron to purge expired tokens - Log destination
189 default: '/var/log/keystone/keystone-tokenflush.log'
190 KeystoneCronTokenFlushUser:
193 Cron to purge expired tokens - User
197 A hash of policies to configure for Keystone.
198 e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
201 KeystoneLDAPDomainEnable:
202 description: Trigger to call the ldap_backend Puppet define for Keystone.
205 KeystoneLDAPBackendConfigs:
206 description: Hash containing the configurations for the LDAP backends
207 configured in keystone.
213 default: 'messagingv2'
214 description: Driver or drivers to handle sending notifications.
216 - allowed_values: [ 'messagingv2', 'noop' ]
221 The following parameters are deprecated and will be removed. They should not
222 be relied on for new deployments. If you have concerns regarding deprecated
223 parameters, please contact the TripleO development team on IRC or the
224 OpenStack mailing list.
228 - KeystoneNotificationDriver
# Properties forwarded to the ApacheServiceBase resource, whose role_data
# (Apache config, metadata and upgrade tasks) is merged into this service below.
235 ServiceData: {get_param: ServiceData}
236 ServiceNetMap: {get_param: ServiceNetMap}
237 DefaultPasswords: {get_param: DefaultPasswords}
238 EndpointMap: {get_param: EndpointMap}
239 RoleName: {get_param: RoleName}
240 RoleParameters: {get_param: RoleParameters}
241 EnableInternalTLS: {get_param: EnableInternalTLS}
# Conditions used by the config_settings below: fernet setup only when the
# token provider is "fernet"; LDAP domain backends only when
# KeystoneLDAPDomainEnable is True; and KeystoneDebug left empty means
# "fall back to the global Debug flag".
244 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
245 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
246 service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
# role_data output: the service definition consumed by the overcloud role templates.
250 description: Role data for the Keystone role.
252 service_name: keystone
253 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
254 logging_source: {get_param: KeystoneLoggingSource}
# config_settings: the Apache base hiera keys merged with the Keystone keys below.
259 - get_attr: [ApacheServiceBase, role_data, config_settings]
# NOTE(review): the database password is the AdminToken value. The same
# secret is also installed as keystone::admin_token below and as
# keystone::db::mysql::password under service_config_settings, so one value
# plays three roles and a rotation has to update all three places together.
260 - keystone::database_connection:
262 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
264 password: {get_param: AdminToken}
265 host: {get_param: [EndpointMap, MysqlInternal, host]}
268 read_default_file: /etc/my.cnf.d/tripleo.cnf
269 read_default_group: tripleo
# NOTE(review): admin_token is Keystone's bootstrap shared secret; keeping it
# configured after bootstrap is generally discouraged — confirm how the
# deployment handles it once the admin account and roles exist.
270 keystone::admin_token: {get_param: AdminToken}
271 keystone::admin_password: {get_param: AdminPassword}
272 keystone::roles::admin::password: {get_param: AdminPassword}
273 keystone::policy::policies: {get_param: KeystonePolicies}
# Certificate/key used for token validity and signing (see the
# KeystoneSSLCertificate and KeystoneSSLCertificateKey parameters).
274 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
275 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
# Fernet key repository setup is enabled only for the "fernet" token provider.
276 keystone::token_provider: {get_param: KeystoneTokenProvider}
277 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
278 keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
279 keystone::enable_proxy_headers_parsing: true
# Credential and fernet key material arrives as Heat parameters and is written
# to the key repositories at the paths below. fernet_replace_keys follows
# ManageKeystoneFernetKeys (see its parameter description for the
# create-vs-update behaviour). KeystoneFernetKey0/1 are deprecated in favour
# of the KeystoneFernetKeys mapping used here.
280 keystone::enable_credential_setup: true
281 keystone::credential_keys:
282 '/etc/keystone/credential-keys/0':
283 content: {get_param: KeystoneCredential0}
284 '/etc/keystone/credential-keys/1':
285 content: {get_param: KeystoneCredential1}
286 keystone::fernet_keys: {get_param: KeystoneFernetKeys}
287 keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
# Debug setting: appears to be an `if` on service_debug_unset — the global
# Debug flag when KeystoneDebug is empty, otherwise KeystoneDebug itself.
290 - service_debug_unset
291 - {get_param: Debug }
292 - {get_param: KeystoneDebug }
# RabbitMQ transport credentials; RabbitClientUseSSL and RabbitClientPort
# must be set consistently (see their parameter descriptions).
293 keystone::rabbit_userid: {get_param: RabbitUserName}
294 keystone::rabbit_password: {get_param: RabbitPassword}
295 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
296 keystone::rabbit_port: {get_param: RabbitClientPort}
# Notifications use the shared NotificationDriver parameter; the Keystone-specific
# KeystoneNotificationDriver parameter is listed as deprecated.
297 keystone::notification_driver: {get_param: NotificationDriver}
298 keystone::notification_format: {get_param: KeystoneNotificationFormat}
299 keystone::roles::admin::email: {get_param: AdminEmail}
300 keystone::roles::admin::password: {get_param: AdminPassword}
# Catalog endpoints for Keystone itself, resolved from EndpointMap.
301 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
302 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
303 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
304 keystone::endpoint::region: {get_param: KeystoneRegion}
305 keystone::endpoint::version: ''
306 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
307 keystone::rabbit_heartbeat_timeout_threshold: 60
# NOTE(review): duplicate keys in this mapping — keystone::roles::admin::password,
# keystone::cron::token_flush::maxdelay and keystone::cron::token_flush::destination
# are each set twice (literal values here, parameter-driven values further down).
# Most YAML loaders keep the last occurrence, so the literals are presumably dead;
# verify which value wins and remove the redundant ones rather than rely on it.
308 keystone::cron::token_flush::maxdelay: 3600
309 keystone::roles::admin::service_tenant: 'service'
310 keystone::roles::admin::admin_tenant: 'admin'
311 keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
# Extra keystone.conf entries managed via keystone::config.
312 keystone::config::keystone_config:
314 value: 'keystone.contrib.ec2.backends.sql.Ec2'
# Keystone is served by httpd; TLS on the API vhosts follows EnableInternalTLS.
315 keystone::service_name: 'httpd'
316 keystone::enable_ssl: {get_param: EnableInternalTLS}
317 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# Apache ServerName values are resolved at deploy time from the hiera
# fqdn_<network> fact of the public and admin API networks.
318 keystone::wsgi::apache::servername:
321 "%{hiera('fqdn_$NETWORK')}"
323 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
324 keystone::wsgi::apache::servername_admin:
327 "%{hiera('fqdn_$NETWORK')}"
329 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
330 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
331 # override via extraconfig:
332 keystone::wsgi::apache::threads: 1
# -1 presumably means "retry indefinitely" per the oslo.db convention.
333 keystone::db::database_db_max_retries: -1
334 keystone::db::database_max_retries: -1
# Firewall rules for the Keystone API ports.
335 tripleo.keystone.firewall_rules:
# Bind hosts for the admin and public APIs, by FQDN (resolved via hiera) and
# by network name (resolved to the node IP by Heat, see the NOTE below).
342 keystone::admin_bind_host:
345 "%{hiera('fqdn_$NETWORK')}"
347 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
348 keystone::public_bind_host:
351 "%{hiera('fqdn_$NETWORK')}"
353 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
354 # NOTE: bind IP is found in Heat replacing the network name with the
355 # local node IP for the given network; replacement examples
356 # (e.g. for internal_api):
358 # internal_api_uri -> [IP]
359 # internal_api_subnet -> IP/CIDR
360 # NOTE: this applies to both bind IP settings below.
361 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
362 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
# Expired-token flush cron job, fully driven by the KeystoneCronTokenFlush* parameters.
363 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
364 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
365 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
366 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
367 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
368 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
369 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
370 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
371 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
# LDAP-backed identity domains, only under the keystone_ldap_domain_enabled condition.
374 - keystone_ldap_domain_enabled
376 tripleo::profile::base::keystone::ldap_backend_enable: True
377 keystone::using_domain_config: True
378 tripleo::profile::base::keystone::ldap_backends_config:
379 get_param: KeystoneLDAPBackendConfigs
# step_config: Puppet entry point applied on the Keystone role.
383 include ::tripleo::profile::base::keystone
# Settings applied on other roles: the Keystone MySQL account (same AdminToken
# secret as the connection string above) and Horizon multi-domain support when
# LDAP domains are enabled.
384 service_config_settings:
386 keystone::db::mysql::password: {get_param: AdminToken}
387 keystone::db::mysql::user: keystone
388 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
389 keystone::db::mysql::dbname: keystone
# NOTE(review): allowed_hosts grants access from the node's mysql_bind_host;
# review any other entries in this list for wildcard hosts.
390 keystone::db::mysql::allowed_hosts:
392 - "%{hiera('mysql_bind_host')}"
395 - keystone_ldap_domain_enabled
397 horizon::keystone_multidomain_support: true
398 horizon::keystone_default_domain: 'Default'
# metadata_settings and upgrade_tasks are inherited from ApacheServiceBase and
# extended with the Keystone-specific steps below.
401 get_attr: [ApacheServiceBase, role_data, metadata_settings]
404 expression: $.data.apache_upgrade + $.data.keystone_upgrade
407 get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
409 - name: Stop keystone service (running under httpd)
411 service: name=httpd state=stopped