Add role specific information to the service template
# Heat service template for the Keystone identity API, run under httpd and
# configured through puppet-keystone hiera keys. Its role_data output is
# consumed by the TripleO role templates (config_settings,
# service_config_settings, metadata_settings, upgrade_tasks).
heat_template_version: pike

description: >
  OpenStack Keystone service configured with Puppet

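parameters:
  KeystoneEnableDBPurge:
    default: true
    description: |
      Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  # Public certificate only; the matching private key is the hidden
  # parameter directly below.
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationDriver:
    description: Comma-separated list of Oslo notification drivers used by Keystone
    default: ['messaging']
    type: comma_delimited_list
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: ['basic', 'cadf']
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['uuid', 'fernet']
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  Debug:
    type: string
    default: ''
    description: Passed through unchanged to keystone::debug.
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  # NOTE(review): this one value is used both as keystone::admin_token and as
  # the keystone database password (see config_settings and
  # service_config_settings below), so a leak of either role exposes the
  # other. Splitting them into two secrets would be a template-wide change.
  AdminToken:
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  # 'guest' is RabbitMQ's stock account; production deployments are expected
  # to override it via parameter_defaults.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  # Declared as 'string' rather than 'boolean' upstream; left unchanged so
  # the value handed to keystone::rabbit_use_ssl is not altered.
  RabbitClientUseSSL:
    default: false
    description: >-
      Rabbit client subscriber parameter to specify
      an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  # Hiera interpolation string, resolved on the node (quoted so YAML keeps
  # the '%{...}' literal).
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '%{::os_workers}'
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  # Credential and fernet key material is written verbatim to
  # /etc/keystone/credential-keys and /etc/keystone/fernet-keys via the
  # keystone::credential_keys / keystone::fernet_keys hiera data below.
  # These four parameters are secrets in the same sense as AdminToken and
  # KeystoneSSLCertificateKey and are therefore marked hidden so Heat does
  # not echo them in parameter or stack output.
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneFernetKey0:
    type: string
    description: The first Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneFernetKey1:
    type: string
    description: The second Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
  EnableInternalTLS:
    type: boolean
    default: false
  # Cron schedule for the expired-token flush. Each field is handed to the
  # matching keystone::cron::token_flush::* hiera key unchanged.
  KeystoneCronTokenFlushEnsure:
    type: string
    description: >-
      Cron to purge expired tokens - Ensure
    default: 'present'
  KeystoneCronTokenFlushMinute:
    type: comma_delimited_list
    description: >-
      Cron to purge expired tokens - Minute
    default: '1'
  KeystoneCronTokenFlushHour:
    type: comma_delimited_list
    description: >-
      Cron to purge expired tokens - Hour
    default: '*'
  KeystoneCronTokenFlushMonthday:
    type: comma_delimited_list
    description: >-
      Cron to purge expired tokens - Month Day
    default: '*'
  KeystoneCronTokenFlushMonth:
    type: comma_delimited_list
    description: >-
      Cron to purge expired tokens - Month
    default: '*'
  KeystoneCronTokenFlushWeekday:
    type: comma_delimited_list
    description: >-
      Cron to purge expired tokens - Week Day
    default: '*'
  KeystoneCronTokenFlushMaxDelay:
    type: string
    description: >-
      Cron to purge expired tokens - Max Delay
    default: '0'
  KeystoneCronTokenFlushDestination:
    type: string
    description: >-
      Cron to purge expired tokens - Log destination
    default: '/var/log/keystone/keystone-tokenflush.log'
  KeystoneCronTokenFlushUser:
    type: string
    description: >-
      Cron to purge expired tokens - User
    default: 'keystone'
  KeystonePolicies:
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  KeystoneLDAPDomainEnable:
    description: Trigger to call ldap_backend puppet keystone define.
    type: boolean
    default: false
  # Hidden presumably because the per-backend hashes carry LDAP bind
  # credentials; kept hidden regardless of what a deployment puts in here.
  KeystoneLDAPBackendConfigs:
    description: >-
      Hash containing the configurations for the LDAP backends
      configured in keystone.
    type: json
    default: {}
    hidden: true
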
resources:

  # Shared Apache/mod_wsgi settings come from apache.yaml; its
  # config_settings, metadata_settings and upgrade_tasks are merged into
  # this service's role_data in the outputs section.
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      EndpointMap:
        get_param: EndpointMap
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      RoleName:
        get_param: RoleName
      RoleParameters:
        get_param: RoleParameters
      EnableInternalTLS:
        get_param: EnableInternalTLS

conditions:
  # True when KeystoneTokenProvider is 'fernet'; drives enable_fernet_setup.
  keystone_fernet_tokens:
    equals:
      - get_param: KeystoneTokenProvider
      - fernet
  # True when KeystoneLDAPDomainEnable is set; gates the LDAP backend hiera
  # data and the horizon multi-domain settings.
  keystone_ldap_domain_enabled:
    equals:
      - get_param: KeystoneLDAPDomainEnable
      - true

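outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      logging_source: {get_param: KeystoneLoggingSource}
      logging_groups:
        - keystone
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - keystone::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: keystone
                # Same secret as keystone::admin_token below (AdminToken).
                password: {get_param: AdminToken}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /keystone
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            # NOTE(review): admin_token is a static shared-secret credential
            # rendered into keystone.conf on every node carrying this role;
            # the hiera data and config on those nodes must be treated as
            # secret.
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            # NOTE(review): this makes keystone trust X-Forwarded-* style
            # headers from the front-end proxy; confirm the bind hosts below
            # are only reachable through the load balancer.
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::fernet_keys:
              '/etc/keystone/fernet-keys/0':
                content: {get_param: KeystoneFernetKey0}
              '/etc/keystone/fernet-keys/1':
                content: {get_param: KeystoneFernetKey1}
            # Puppet seeds the two keys above but does not overwrite keys
            # already on disk; key rotation is presumably handled outside
            # this template - confirm before relying on it.
            keystone::fernet_replace_keys: false
            keystone::debug: {get_param: Debug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}
            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            keystone::rabbit_port: {get_param: RabbitClientPort}
            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            keystone::roles::admin::email: {get_param: AdminEmail}
            # Previously also listed higher up in this same mapping with the
            # identical value; the duplicate key was dropped.
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            keystone::endpoint::region: {get_param: KeystoneRegion}
            keystone::endpoint::version: ''
            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            keystone::roles::admin::service_tenant: 'service'
            keystone::roles::admin::admin_tenant: 'admin'
            keystone::config::keystone_config:
              ec2/driver:
                value: 'keystone.contrib.ec2.backends.sql.Ec2'
            keystone::service_name: 'httpd'
            keystone::enable_ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::servername_admin:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            # 5000/35357 are the public and admin API ports; 13000/13357 are
            # presumably the TLS-terminated counterparts - confirm against the
            # HAProxy/TLS-proxy configuration before narrowing this rule.
            tripleo.keystone.firewall_rules:
              '111 keystone':
                dport:
                  - 5000
                  - 13000
                  - 35357
                  - 13357
            keystone::admin_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::public_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            # NOTE: this applies to all 2 bind IP settings below...
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
            keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
            keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
            keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
            keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
            keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
            # maxdelay and destination were each defined twice in this
            # mapping (a hard-coded 3600 / log path earlier, the parameter
            # here). Duplicate keys are last-wins in PyYAML-based loaders
            # such as Heat's, so the parameters below were already the
            # effective values; the dead hard-coded copies were removed so
            # the template no longer depends on that parser behaviour.
            keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
            keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
            keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
          # LDAP domain backends are only wired in when the condition holds;
          # otherwise an empty map is merged.
          - if:
              - keystone_ldap_domain_enabled
              - tripleo::profile::base::keystone::ldap_backend_enable: true
                keystone::using_domain_config: true
                tripleo::profile::base::keystone::ldap_backends_config:
                  get_param: KeystoneLDAPBackendConfigs
              - {}

      step_config: |
        include ::tripleo::profile::base::keystone
      service_config_settings:
        mysql:
          # Same secret as keystone::admin_token (AdminToken).
          keystone::db::mysql::password: {get_param: AdminToken}
          keystone::db::mysql::user: keystone
          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          keystone::db::mysql::dbname: keystone
          # NOTE(review): '%' grants the keystone DB account access from any
          # host, which also makes the mysql_bind_host entry redundant;
          # restrict this if the database network is not isolated.
          keystone::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        horizon:
          if:
            - keystone_ldap_domain_enabled
            - horizon::keystone_multidomain_support: true
              horizon::keystone_default_domain: 'Default'
            - {}
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        yaql:
          expression: $.data.apache_upgrade + $.data.keystone_upgrade
          data:
            apache_upgrade:
              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
            keystone_upgrade:
              - name: Stop keystone service (running under httpd)
                tags: step1
                service: name=httpd state=stopped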