# TripleO service template for OpenStack Keystone; its role_data output
# carries the Puppet config_settings for the service.
heat_template_version: ocata

description: >
  OpenStack Keystone service
  configured with Puppet

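parameters:
  KeystoneEnableDBPurge:
    default: true
    description: |
      Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  # Token-signing certificate and key; both default to empty. Only the key
  # is hidden (masked in stack parameter listings).
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationDriver:
    description: Comma-separated list of Oslo notification drivers used by Keystone
    default: ['messaging']
    type: comma_delimited_list
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: ['basic', 'cadf']
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['uuid', 'fernet']
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  Debug:
    type: string
    default: ''
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  AdminToken:
    # Also wired in as the Keystone MySQL password (see database_connection
    # and service_config_settings in outputs), so one secret serves two roles.
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  RabbitClientUseSSL:
    default: false
    description: >
      Rabbit client subscriber parameter to specify
      an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '%{::os_workers}'
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  # Credential and fernet keys are secret key material; config_settings writes
  # them to /etc/keystone/credential-keys and /etc/keystone/fernet-keys. They
  # are marked hidden like the other secrets in this template so they are not
  # echoed in stack parameter listings.
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneFernetKey0:
    type: string
    description: The first Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneFernetKey1:
    type: string
    description: The second Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
  EnableInternalTLS:
    type: boolean
    default: false
  # Cron job that purges expired tokens; one parameter per crontab field plus
  # the log destination and the user the job runs as.
  KeystoneCronTokenFlushEnsure:
    type: string
    description: >
      Cron to purge expired tokens - Ensure
    default: 'present'
  KeystoneCronTokenFlushMinute:
    type: comma_delimited_list
    description: >
      Cron to purge expired tokens - Minute
    default: '1'
  KeystoneCronTokenFlushHour:
    type: comma_delimited_list
    description: >
      Cron to purge expired tokens - Hour
    default: '*'
  KeystoneCronTokenFlushMonthday:
    type: comma_delimited_list
    description: >
      Cron to purge expired tokens - Month Day
    default: '*'
  KeystoneCronTokenFlushMonth:
    type: comma_delimited_list
    description: >
      Cron to purge expired tokens - Month
    default: '*'
  KeystoneCronTokenFlushWeekday:
    type: comma_delimited_list
    description: >
      Cron to purge expired tokens - Week Day
    default: '*'
  KeystoneCronTokenFlushMaxDelay:
    type: string
    description: >
      Cron to purge expired tokens - Max Delay
    default: '0'
  KeystoneCronTokenFlushDestination:
    type: string
    description: >
      Cron to purge expired tokens - Log destination
    default: '/var/log/keystone/keystone-tokenflush.log'
  KeystoneCronTokenFlushUser:
    type: string
    description: >
      Cron to purge expired tokens - User
    default: 'keystone'
  KeystonePolicies:
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  KeystoneLDAPDomainEnable:
    description: Trigger to call ldap_backend puppet keystone define.
    type: boolean
    # canonical lowercase boolean (same value as the former `False`)
    default: false
  KeystoneLDAPBackendConfigs:
    description: >-
      Hash containing the configurations for the LDAP backends
      configured in keystone.
    type: json
    default: {}
    hidden: true
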
resources:

  # Shared Apache/WSGI service template whose role_data (config_settings and
  # metadata_settings) is merged into this service's outputs below.
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      EnableInternalTLS:
        get_param: EnableInternalTLS

conditions:
  # true when the fernet token provider is selected
  keystone_fernet_tokens:
    equals:
      - {get_param: KeystoneTokenProvider}
      - 'fernet'
  # true when the LDAP domain backend is switched on
  keystone_ldap_domain_enabled:
    equals:
      - {get_param: KeystoneLDAPDomainEnable}
      - true

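outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      logging_source: {get_param: KeystoneLoggingSource}
      logging_groups:
        - keystone
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          # SQLAlchemy URL with the DB password (AdminToken) embedded; the same
          # secret is granted to the keystone DB user in service_config_settings.
          - keystone::database_connection:
              list_join:
                - ''
                - - {get_param: [EndpointMap, MysqlInternal, protocol]}
                  - '://keystone:'
                  - {get_param: AdminToken}
                  - '@'
                  - {get_param: [EndpointMap, MysqlInternal, host]}
                  - '/keystone'
                  - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
            # Bootstrap admin token; shares its value with the DB password above.
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            # Keystone honours X-Forwarded-* headers from the fronting proxy.
            # NOTE(review): assumes the API ports are reachable only through
            # that proxy — confirm against the firewall and endpoint layout.
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            # Key material written to disk from the KeystoneCredential* and
            # KeystoneFernetKey* parameters.
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::fernet_keys:
              '/etc/keystone/fernet-keys/0':
                content: {get_param: KeystoneFernetKey0}
              '/etc/keystone/fernet-keys/1':
                content: {get_param: KeystoneFernetKey1}
            keystone::debug: {get_param: Debug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}
            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            keystone::rabbit_port: {get_param: RabbitClientPort}
            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            keystone::roles::admin::email: {get_param: AdminEmail}
            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            keystone::endpoint::region: {get_param: KeystoneRegion}
            keystone::endpoint::version: ''
            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            keystone::roles::admin::service_tenant: 'service'
            keystone::roles::admin::admin_tenant: 'admin'
            keystone::config::keystone_config:
              ec2/driver:
                value: 'keystone.contrib.ec2.backends.sql.Ec2'
            keystone::service_name: 'httpd'
            keystone::enable_ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::servername_admin:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            # Ports opened for the Keystone API; presumably public (5000/13000)
            # and admin (35357/13357) — verify against EndpointMap.
            tripleo.keystone.firewall_rules:
              '111 keystone':
                dport:
                  - 5000
                  - 13000
                  - 35357
                  - 13357
            keystone::admin_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::public_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            # NOTE: this applies to all 2 bind IP settings below...
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            # Token-flush cron settings are driven solely by the
            # KeystoneCronTokenFlush* parameters. Do not add hard-coded
            # duplicates of these keys elsewhere in this mapping: most YAML
            # parsers silently keep the last occurrence, so the earlier
            # maxdelay/destination literals had no effect and were removed.
            keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
            keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
            keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
            keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
            keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
            keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
            keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
            keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
            keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
          # LDAP domain backend settings, only merged in when enabled.
          - if:
              - keystone_ldap_domain_enabled
              - tripleo::profile::base::keystone::ldap_backend_enable: true
                keystone::using_domain_config: true
                tripleo::profile::base::keystone::ldap_backends_config:
                  get_param: KeystoneLDAPBackendConfigs
              - {}

      step_config: |
        include ::tripleo::profile::base::keystone
      service_config_settings:
        mysql:
          # DB account for the keystone schema; the password is AdminToken.
          keystone::db::mysql::password: {get_param: AdminToken}
          keystone::db::mysql::user: keystone
          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          keystone::db::mysql::dbname: keystone
          # '%' is MySQL's any-host wildcard, so the grant is not limited to
          # the mysql_bind_host entry. NOTE(review): tighten if the DB is
          # reachable beyond the internal API network — confirm.
          keystone::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        horizon:
          if:
            - keystone_ldap_domain_enabled
            - horizon::keystone_multidomain_support: true
              horizon::keystone_default_domain: 'Default'
            - {}
      # Ansible tasks to handle upgrade
      upgrade_tasks:
        - name: Stop keystone service (running under httpd)
          tags: step1
          service:
            name: httpd
            state: stopped
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]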