# Heat (HOT) template for the Keystone service as configured through Puppet.
# NOTE(review): gutter numbers are fused into each line and some lines are
# missing from this listing, so not every parameter name or attribute is
# visible next to its description.
1 heat_template_version: 2016-04-08
4 OpenStack Keystone service configured with Puppet
10 Whether to create cron job for purging soft deleted rows in Keystone database.
# Certificate and private key that the descriptions tie to verifying and
# signing tokens respectively.
# NOTE(review): the signing key is secret material. The `hidden` attribute is
# not visible in this listing -- confirm it is set so the value is hidden when
# stack information is requested.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
# Oslo notification drivers for Keystone; a comma_delimited_list that defaults
# to the single driver 'messaging'.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
# Notification payload format; the constraint below admits only 'basic' or
# 'cadf'.
# NOTE(review): presumably these notifications feed the audit trail for
# identity events -- confirm the chosen format is what the audit consumers
# expect.
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
# Region name published with the Keystone endpoint.
34 description: Keystone region for endpoint
# Service-name -> network-name mapping. Later lines look it up via
# get_param: [ServiceNetMap, ...] to choose the bind networks.
37 description: Mapping of service_name -> network name. Typically set
38 via parameter_defaults in the resource registry. This
39 mapping overrides those in ServiceNetMapDefaults.
# Endpoint -> protocol mapping. Later lines read protocol, host and URI values
# from it via get_param: [EndpointMap, ...], so the transport used for each
# endpoint is decided by this map rather than by this template.
46 description: Mapping of service endpoint -> protocol. Typically set
47 via parameter_defaults in the resource registry.
# E-mail for the Keystone admin account; the default is a placeholder address.
53 default: 'admin@example.com'
54 description: The email for the keystone admin account.
# Admin account password. The description states it is also used by other
# consumers (monitoring, querying neutron), so rotating it affects them too.
# NOTE(review): the `hidden` attribute is not visible here -- confirm it is set
# on every password/secret parameter in this group.
58 description: The password for the keystone admin account, used for monitoring, querying neutron etc.
# NOTE(review): per this description a single value serves as both the
# Keystone auth secret and the database password (presumably the AdminToken
# parameter, which later feeds keystone::admin_token and
# keystone::db::mysql::password). Disclosure of either credential exposes the
# other; separate parameters would limit that.
62 description: The keystone auth secret and db password.
# RabbitMQ credentials for Keystone's messaging connection.
66 description: The password for RabbitMQ
71 description: The username for RabbitMQ
# Whether the RabbitMQ client connection uses SSL, and which port it targets.
# NOTE(review): defaults are not visible here; the RabbitMQ password crosses
# this connection, so check that SSL is enabled where the network is not
# trusted.
76 Rabbit client subscriber parameter to specify
77 an SSL connection to the RabbitMQ host.
81 description: Set rabbit subscriber port, change this if using SSL
# Worker count for keystone::wsgi::apache. The default is an interpolation
# token (presumably resolved on the node from the processorcount fact, not by
# Heat -- confirm).
85 description: Set the number of workers for keystone::wsgi::apache
86 default: '"%{::processorcount}"'
# NOTE(review): 'overcloud-kestone' looks like a misspelling of "keystone". It
# is a runtime default and is left untouched here; anything that matches on the
# subscription name has to use the same spelling.
87 MonitoringSubscriptionKeystone:
88 default: 'overcloud-kestone'
# Two credential keys; the role data below writes them to
# /etc/keystone/credential-keys/0 and /1. Treat both as secrets.
# NOTE(review): the `hidden` attribute is not visible here -- confirm it is set.
92 description: The first Keystone credential key. Must be a valid key.
95 description: The second Keystone credential key. Must be a valid key.
# Log source definition: tag and file path of the Keystone log to collect.
96 KeystoneLoggingSource:
99 tag: openstack.keystone
100 path: /var/log/keystone/keystone.log
# Pass this template's maps and default passwords straight through to a nested
# resource (its declaration is not visible here; presumably ApacheServiceBase,
# which the role data reads via get_attr).
107 ServiceNetMap: {get_param: ServiceNetMap}
108 DefaultPasswords: {get_param: DefaultPasswords}
109 EndpointMap: {get_param: EndpointMap}
# Output consumed by the role: service name plus the monitoring subscription
# and logging source taken from the parameters above.
113 description: Role data for the Keystone role.
115 service_name: keystone
116 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
117 logging_source: {get_param: KeystoneLoggingSource}
# Start from the config_settings exported by ApacheServiceBase, then add the
# Keystone-specific settings that follow.
122 - get_attr: [ApacheServiceBase, role_data, config_settings]
# Database connection string assembled from EndpointMap protocol, AdminToken
# and host (the joining lines are omitted from this listing).
# NOTE(review): AdminToken appears inside the connection string, presumably as
# the password, so the rendered value is itself a secret wherever this setting
# is stored or logged.
123 - keystone::database_connection:
126 - - {get_param: [EndpointMap, MysqlInternal, protocol]}
128 - {get_param: AdminToken}
130 - {get_param: [EndpointMap, MysqlInternal, host]}
# NOTE(review): keystone::admin_token is presumably Keystone's bootstrap shared
# secret. The same AdminToken value is reused for the database password below,
# so one leak exposes both; confirm token-based admin access is disabled once
# bootstrap has completed.
132 keystone::admin_token: {get_param: AdminToken}
133 keystone::admin_password: {get_param: AdminPassword}
134 keystone::roles::admin::password: {get_param: AdminPassword}
135 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
136 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
# NOTE(review): presumably makes Keystone honour forwarded-request headers set
# by a proxy. That is only sound if clients cannot reach the service without
# passing through the trusted proxy -- verify against the network layout.
137 keystone::enable_proxy_headers_parsing: true
# Credential key setup: key file paths mapped to the two credential parameters.
138 keystone::enable_credential_setup: true
139 keystone::credential_keys:
140 '/etc/keystone/credential-keys/0':
141 content: {get_param: KeystoneCredential0}
142 '/etc/keystone/credential-keys/1':
143 content: {get_param: KeystoneCredential1}
# NOTE(review): debug logging follows the Debug parameter; debug output may
# carry more request detail than is wanted in production logs -- confirm the
# default.
144 keystone::debug: {get_param: Debug}
# Database password taken from AdminToken, the same value used for
# keystone::admin_token above.
145 keystone::db::mysql::password: {get_param: AdminToken}
# RabbitMQ connection settings, all taken from the Rabbit* parameters.
146 keystone::rabbit_userid: {get_param: RabbitUserName}
147 keystone::rabbit_password: {get_param: RabbitPassword}
148 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
149 keystone::rabbit_port: {get_param: RabbitClientPort}
# Notification driver list and payload format.
150 keystone::notification_driver: {get_param: KeystoneNotificationDriver}
151 keystone::notification_format: {get_param: KeystoneNotificationFormat}
152 keystone::roles::admin::email: {get_param: AdminEmail}
# NOTE(review): keystone::roles::admin::password already appears at gutter line
# 134 with the same value. If both sit in one mapping this is a duplicate key;
# most parsers silently keep the last one, so the two could drift apart
# unnoticed. One of them should be dropped.
153 keystone::roles::admin::password: {get_param: AdminPassword}
# Endpoint URLs come from EndpointMap, so their scheme (http or https) is
# whatever that map supplies.
154 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
155 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
156 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
157 keystone::endpoint::region: {get_param: KeystoneRegion}
158 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
# MySQL account and database for Keystone, plus the hosts allowed to connect.
# NOTE(review): gutter line 163 is missing from this listing, so the full
# allowed_hosts list cannot be checked here -- confirm it is no broader than
# needed.
159 keystone::db::mysql::user: keystone
160 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
161 keystone::db::mysql::dbname: keystone
162 keystone::db::mysql::allowed_hosts:
164 - "%{hiera('mysql_bind_host')}"
# Fixed tuning values (not parameterised in this template).
165 keystone::rabbit_heartbeat_timeout_threshold: 60
166 keystone::cron::token_flush::maxdelay: 3600
167 keystone::roles::admin::service_tenant: 'service'
168 keystone::roles::admin::admin_tenant: 'admin'
# NOTE(review): presumably the destination for the token-flush cron job's
# output; with '/dev/null' a failing flush would leave no trace -- confirm and
# consider a log file if failures need to be noticed.
169 keystone::cron::token_flush::destination: '/dev/null'
# Extra keystone.conf entries; the key this value belongs to is on an omitted
# line.
170 keystone::config::keystone_config:
172 value: 'keystone.contrib.ec2.backends.sql.Ec2'
# Keystone is served through Apache ('httpd') with SSL switched off on the
# Apache side.
# NOTE(review): with ssl set to false, any TLS has to be terminated in front of
# Apache; confirm the hop between that terminator and Apache stays on a trusted
# network.
173 keystone::service_name: 'httpd'
174 keystone::wsgi::apache::ssl: false
# Server names are built from a per-network fqdn token, with $NETWORK replaced
# by the public/admin API network name from ServiceNetMap.
175 keystone::wsgi::apache::servername:
178 '"%{::fqdn_$NETWORK}"'
180 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
181 keystone::wsgi::apache::servername_admin:
184 '"%{::fqdn_$NETWORK}"'
186 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
187 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
188 # override via extraconfig:
189 keystone::wsgi::apache::threads: 1
# NOTE(review): -1 presumably means "retry without limit" for database
# connection attempts -- confirm; if so, a bad connection setting shows up as a
# service that never becomes ready rather than as a failure.
190 keystone::db::database_db_max_retries: -1
191 keystone::db::database_max_retries: -1
# Firewall rules for Keystone.
# NOTE(review): the rule bodies (gutter lines 193-198) are missing from this
# listing, so the opened ports cannot be checked here -- confirm they match the
# bind hosts below and expose nothing more.
192 tripleo.keystone.firewall_rules:
199 # NOTE: bind IP is found in Heat replacing the network name with the
200 # local node IP for the given network; replacement examples
201 # (eg. for internal_api):
203 # internal_api_uri -> [IP]
204 # internal_api_subnet -> IP/CIDR
205 # NOTE: this applies to all 4 bind IP settings below...
# Admin listeners bind to the KeystoneAdminApiNetwork address and public
# listeners to the KeystonePublicApiNetwork address, so which network the admin
# API is reachable on is decided by ServiceNetMap.
206 keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
207 keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
208 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
209 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
# Puppet manifest fragment that pulls in the Keystone base profile.
211 include ::tripleo::profile::base::keystone