# TripleO Heat template for the Keystone service (Puppet-configured).
# Only a subset of the original lines is shown here; the leading number on each
# line is the original line number, and gaps are not reconstructed.
1 heat_template_version: pike
4 OpenStack Keystone service configured with Puppet
10 Whether to create cron job for purging soft deleted rows in Keystone database.
# Token-validity certificate and its private key. The key is secret material;
# whether the parameter is marked hidden is not visible in this excerpt.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
# Deprecated: superseded by NotificationDriver (see the deprecated parameter_groups entry below).
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
34 description: Keystone region for endpoint
# NOTE(review): the token-flush cron defined further down is only meaningful for the
# persistent 'uuid' provider; fernet tokens are not stored — confirm before disabling it.
35 KeystoneTokenProvider:
36 description: The keystone token format
40 - allowed_values: ['uuid', 'fernet']
43 description: Dictionary packing service data
47 description: Mapping of service_name -> network name. Typically set
48 via parameter_defaults in the resource registry. This
49 mapping overrides those in ServiceNetMapDefaults.
56 description: Role name on which the service is applied
60 description: Parameters specific to the role
64 description: Mapping of service endpoint -> protocol. Typically set
65 via parameter_defaults in the resource registry.
# Service-level debug flag; an empty value ('') presumably falls back to the global
# Debug parameter via the service_debug_unset condition (see conditions / outputs).
72 description: Set to True to enable debugging Keystone service.
75 default: 'admin@example.com'
76 description: The email for the keystone admin account.
80 description: The password for the keystone admin account, used for monitoring, querying neutron etc.
# NOTE(review): this single secret is used both as keystone::admin_token and as the
# MySQL password (keystone::database_connection and keystone::db::mysql::password in
# outputs); rotating one necessarily rotates the other.
84 description: The keystone auth secret and db password.
88 description: The password for RabbitMQ
93 description: The username for RabbitMQ
98 Rabbit client subscriber parameter to specify
99 an SSL connection to the RabbitMQ host.
103 description: Set rabbit subscriber port, change this if using SSL
107 description: Set the number of workers for keystone::wsgi::apache
108 default: '%{::os_workers}'
109 MonitoringSubscriptionKeystone:
110 default: 'overcloud-keystone'
# Credential keys and fernet keys are key material. KeystoneFernetKey0/1 are
# deprecated in favour of the KeystoneFernetKeys mapping (keys and their paths).
114 description: The first Keystone credential key. Must be a valid key.
117 description: The second Keystone credential key. Must be a valid key.
121 description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
125 description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
128 description: Mapping containing keystone's fernet keys and their paths.
129 KeystoneFernetMaxActiveKeys:
131 description: The maximum active keys in the keystone fernet key repository.
133 ManageKeystoneFernetKeys:
136 description: Whether TripleO should manage the keystone fernet keys or not.
137 If set to true, the fernet keys will get the values from the
138 saved keys repository in mistral (the KeystoneFernetKeys
139 variable). If set to false, only the stack creation
140 initializes the keys, but subsequent updates won't touch them.
141 KeystoneLoggingSource:
144 tag: openstack.keystone
145 path: /var/log/keystone/keystone.log
# Schedule for the expired-token purge cron; each field is passed through to
# keystone::cron::token_flush::* in outputs.
149 KeystoneCronTokenFlushEnsure:
152 Cron to purge expired tokens - Ensure
154 KeystoneCronTokenFlushMinute:
155 type: comma_delimited_list
157 Cron to purge expired tokens - Minute
159 KeystoneCronTokenFlushHour:
160 type: comma_delimited_list
162 Cron to purge expired tokens - Hour
164 KeystoneCronTokenFlushMonthday:
165 type: comma_delimited_list
167 Cron to purge expired tokens - Month Day
169 KeystoneCronTokenFlushMonth:
170 type: comma_delimited_list
172 Cron to purge expired tokens - Month
174 KeystoneCronTokenFlushWeekday:
175 type: comma_delimited_list
177 Cron to purge expired tokens - Week Day
179 KeystoneCronTokenFlushMaxDelay:
182 Cron to purge expired tokens - Max Delay
184 KeystoneCronTokenFlushDestination:
187 Cron to purge expired tokens - Log destination
188 default: '/var/log/keystone/keystone-tokenflush.log'
189 KeystoneCronTokenFlushUser:
192 Cron to purge expired tokens - User
# Policy overrides handed to keystone::policy::policies; the example grants the
# admin context to 'role:admin'.
196 A hash of policies to configure for Keystone.
197 e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
200 KeystoneLDAPDomainEnable:
201 description: Trigger to call ldap_backend puppet keystone define.
204 KeystoneLDAPBackendConfigs:
205 description: Hash containing the configurations for the LDAP backends
206 configured in keystone.
# Current notification driver parameter (replaces KeystoneNotificationDriver above).
212 default: 'messagingv2'
213 description: Driver or drivers to handle sending notifications.
215 - allowed_values: [ 'messagingv2', 'noop' ]
220 The following parameters are deprecated and will be removed. They should not
221 be relied on for new deployments. If you have concerns regarding deprecated
222 parameters, please contact the TripleO development team on IRC or the
223 OpenStack mailing list.
227 - KeystoneNotificationDriver
# Properties passed to the ApacheServiceBase resource (its type line is not shown
# here). EnableInternalTLS is also what drives keystone::enable_ssl and
# keystone::wsgi::apache::ssl in outputs.
234 ServiceData: {get_param: ServiceData}
235 ServiceNetMap: {get_param: ServiceNetMap}
236 DefaultPasswords: {get_param: DefaultPasswords}
237 EndpointMap: {get_param: EndpointMap}
238 RoleName: {get_param: RoleName}
239 RoleParameters: {get_param: RoleParameters}
240 EnableInternalTLS: {get_param: EnableInternalTLS}
# keystone_fernet_tokens: true when KeystoneTokenProvider is "fernet" (gates fernet setup).
243 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
# keystone_ldap_domain_enabled: gates the LDAP domain backend and horizon multi-domain settings.
244 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
# service_debug_unset: true when KeystoneDebug is left as '' (the global Debug value is then used).
245 service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
# role_data output: everything the keystone role contributes (config settings,
# step config, service config settings, upgrade tasks).
249 description: Role data for the Keystone role.
251 service_name: keystone
252 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
253 logging_source: {get_param: KeystoneLoggingSource}
# config_settings merges the Apache base settings with the keystone-specific map below.
258 - get_attr: [ApacheServiceBase, role_data, config_settings]
# Database URL assembled from EndpointMap; the password is AdminToken, i.e. the same
# secret that is set as keystone::admin_token below.
259 - keystone::database_connection:
261 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
263 password: {get_param: AdminToken}
264 host: {get_param: [EndpointMap, MysqlInternal, host]}
267 read_default_file: /etc/my.cnf.d/tripleo.cnf
268 read_default_group: tripleo
# NOTE(review): admin_token is Keystone's bootstrap credential; confirm whether it must
# remain configured after bootstrap, given it is shared with the DB password above.
269 keystone::admin_token: {get_param: AdminToken}
270 keystone::admin_password: {get_param: AdminPassword}
271 keystone::roles::admin::password: {get_param: AdminPassword}
272 keystone::policy::policies: {get_param: KeystonePolicies}
273 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
274 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
275 keystone::token_provider: {get_param: KeystoneTokenProvider}
# Fernet setup only when the token provider is 'fernet' (keystone_fernet_tokens condition).
276 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
277 keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
# NOTE(review): proxy-header parsing trusts forwarded headers (X-Forwarded-*); verify that
# every path to the public endpoint goes through a proxy that overwrites them.
278 keystone::enable_proxy_headers_parsing: true
279 keystone::enable_credential_setup: true
# Credential key material written to the two fixed paths below.
280 keystone::credential_keys:
281 '/etc/keystone/credential-keys/0':
282 content: {get_param: KeystoneCredential0}
283 '/etc/keystone/credential-keys/1':
284 content: {get_param: KeystoneCredential1}
# Fernet keys come from the KeystoneFernetKeys mapping; ManageKeystoneFernetKeys
# decides whether updates replace them.
285 keystone::fernet_keys: {get_param: KeystoneFernetKeys}
286 keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
# Debug selection (the owning key is on a line not shown — presumably keystone::debug):
# global Debug when KeystoneDebug is '', otherwise KeystoneDebug.
289 - service_debug_unset
290 - {get_param: Debug }
291 - {get_param: KeystoneDebug }
# RabbitMQ credentials and transport settings.
292 keystone::rabbit_userid: {get_param: RabbitUserName}
293 keystone::rabbit_password: {get_param: RabbitPassword}
294 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
295 keystone::rabbit_port: {get_param: RabbitClientPort}
296 keystone::notification_driver: {get_param: NotificationDriver}
297 keystone::notification_format: {get_param: KeystoneNotificationFormat}
298 keystone::roles::admin::email: {get_param: AdminEmail}
299 keystone::roles::admin::password: {get_param: AdminPassword}
300 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
301 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
302 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
303 keystone::endpoint::region: {get_param: KeystoneRegion}
304 keystone::endpoint::version: ''
305 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
306 keystone::rabbit_heartbeat_timeout_threshold: 60
# NOTE: keystone::cron::token_flush::maxdelay and ::destination are hard-coded here and set
# again from parameters further down in the same mapping — duplicate keys; the later value
# presumably wins, so this hard-coded pair looks redundant.
307 keystone::cron::token_flush::maxdelay: 3600
308 keystone::roles::admin::service_tenant: 'service'
309 keystone::roles::admin::admin_tenant: 'admin'
310 keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
# Extra keystone.conf entry; the option name (line 312) is not shown in this excerpt.
311 keystone::config::keystone_config:
313 value: 'keystone.contrib.ec2.backends.sql.Ec2'
# Keystone is served by httpd; internal-API TLS follows EnableInternalTLS.
314 keystone::service_name: 'httpd'
315 keystone::enable_ssl: {get_param: EnableInternalTLS}
316 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# servername / servername_admin resolve the node FQDN on the public / admin API
# networks through hiera (str_replace template; the function line is not shown).
317 keystone::wsgi::apache::servername:
320 "%{hiera('fqdn_$NETWORK')}"
322 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
323 keystone::wsgi::apache::servername_admin:
326 "%{hiera('fqdn_$NETWORK')}"
328 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
329 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
330 # override via extraconfig:
331 keystone::wsgi::apache::threads: 1
# -1 presumably means unlimited DB retries — confirm against puppet-keystone.
332 keystone::db::database_db_max_retries: -1
333 keystone::db::database_max_retries: -1
# Firewall rule bodies (lines 335-340) are not visible in this excerpt.
334 tripleo.keystone.firewall_rules:
341 keystone::admin_bind_host:
344 "%{hiera('fqdn_$NETWORK')}"
346 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
347 keystone::public_bind_host:
350 "%{hiera('fqdn_$NETWORK')}"
352 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
353 # NOTE: bind IP is found in Heat by replacing the network name with the
354 # local node IP for the given network; replacement examples
355 # (eg. for internal_api):
357 # internal_api_uri -> [IP]
358 # internal_api_subnet -> IP/CIDR
359 # NOTE: this applies to both bind IP settings below.
360 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
361 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
# Token-flush cron fields, taken from the KeystoneCronTokenFlush* parameters.
362 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
363 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
364 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
365 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
366 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
367 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
368 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
369 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
370 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
# LDAP domain backend settings, applied only when keystone_ldap_domain_enabled.
373 - keystone_ldap_domain_enabled
375 tripleo::profile::base::keystone::ldap_backend_enable: True
376 keystone::using_domain_config: True
377 tripleo::profile::base::keystone::ldap_backends_config:
378 get_param: KeystoneLDAPBackendConfigs
# step_config: the puppet profile applied on the node.
382 include ::tripleo::profile::base::keystone
# MySQL account for keystone: the password is AdminToken again, and allowed_hosts
# includes the MySQL bind host from hiera.
383 service_config_settings:
385 keystone::db::mysql::password: {get_param: AdminToken}
386 keystone::db::mysql::user: keystone
387 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
388 keystone::db::mysql::dbname: keystone
389 keystone::db::mysql::allowed_hosts:
391 - "%{hiera('mysql_bind_host')}"
# Horizon multi-domain support follows the LDAP domain backend condition.
394 - keystone_ldap_domain_enabled
396 horizon::keystone_multidomain_support: true
397 horizon::keystone_default_domain: 'Default'
# metadata_settings and upgrade_tasks are inherited from ApacheServiceBase; the yaql
# expression concatenates the Apache upgrade tasks with keystone's own, which stop httpd
# (the process hosting keystone).
400 get_attr: [ApacheServiceBase, role_data, metadata_settings]
403 expression: $.data.apache_upgrade + $.data.keystone_upgrade
406 get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
408 - name: Stop keystone service (running under httpd)
410 service: name=httpd state=stopped