Merge "Updated Nuage neutron plugin name"
# TripleO composable-service template for Keystone: declares the Heat
# parameters the service consumes, wraps the shared Apache base service
# (./apache.yaml) and exposes `role_data` (hieradata for the puppet profile,
# firewall rules, the puppet step_config and per-service DB settings) for
# the role templates that include this service (not visible here).
1 heat_template_version: 2016-04-08
2
3 description: >
4   OpenStack Keystone service configured with Puppet
5
6 parameters:
7   KeystoneEnableDBPurge:
8     default: true
9     description: |
10         Whether to create cron job for purging soft deleted rows in Keystone database.
11     type: boolean
  # Certificate/key pair used for token signing and verification (passed
  # through as keystone_ssl_certificate* hieradata below). Only the private
  # key is marked hidden so it does not appear in stack parameter output;
  # the certificate is public and need not be.
12   KeystoneSSLCertificate:
13     default: ''
14     description: Keystone certificate for verifying token validity.
15     type: string
16   KeystoneSSLCertificateKey:
17     default: ''
18     description: Keystone key for signing tokens.
19     type: string
20     hidden: true
21   KeystoneNotificationDriver:
22     description: Comma-separated list of Oslo notification drivers used by Keystone
23     default: ['messaging']
24     type: comma_delimited_list
25   KeystoneNotificationFormat:
26     description: The Keystone notification format
27     default: 'basic'
28     type: string
29     constraints:
30       - allowed_values: [ 'basic', 'cadf' ]
31   KeystoneRegion:
32     type: string
33     default: 'regionOne'
34     description: Keystone region for endpoint
35   ServiceNetMap:
36     default: {}
37     description: Mapping of service_name -> network name. Typically set
38                  via parameter_defaults in the resource registry.  This
39                  mapping overrides those in ServiceNetMapDefaults.
40     type: json
  # Generated default passwords (json); only forwarded to the Apache base
  # service below, not read directly in this template.
41   DefaultPasswords:
42     default: {}
43     type: json
44   EndpointMap:
45     default: {}
46     description: Mapping of service endpoint -> protocol. Typically set
47                  via parameter_defaults in the resource registry.
48     type: json
49   Debug:
50     type: string
51     default: ''
52   AdminEmail:
53     default: 'admin@example.com'
54     description: The email for the keystone admin account.
55     type: string
56     hidden: true
57   AdminPassword:
58     description: The password for the keystone admin account, used for monitoring, querying neutron etc.
59     type: string
60     hidden: true
  # NOTE(review): one secret serves two purposes below — Keystone's admin
  # bootstrap token (keystone::admin_token) and the password of the keystone
  # MySQL account (database_connection and keystone::db::mysql::password).
  # Compromise or rotation of either therefore affects both.
61   AdminToken:
62     description: The keystone auth secret and db password.
63     type: string
64     hidden: true
65   RabbitPassword:
66     description: The password for RabbitMQ
67     type: string
68     hidden: true
69   RabbitUserName:
70     default: guest
71     description: The username for RabbitMQ
72     type: string
  # Declared as a string although the default is a boolean; the value is
  # passed through to puppet as-is (keystone::rabbit_use_ssl).
73   RabbitClientUseSSL:
74     default: false
75     description: >
76         Rabbit client subscriber parameter to specify
77         an SSL connection to the RabbitMQ host.
78     type: string
79   RabbitClientPort:
80     default: 5672
81     description: Set rabbit subscriber port, change this if using SSL
82     type: number
  # The default is a hiera interpolation: the outer single quotes keep the
  # inner double-quoted "%{::os_workers}" literal for Heat, and hiera resolves
  # it on the node, so at the Heat level this is a string, not an integer.
83   KeystoneWorkers:
84     type: string
85     description: Set the number of workers for keystone::wsgi::apache
86     default: '"%{::os_workers}"'
  # NOTE(review): 'overcloud-kestone' looks like a typo for 'keystone', but it
  # is a runtime value the monitoring side may match on exactly — change it
  # only together with the consumer.
87   MonitoringSubscriptionKeystone:
88     default: 'overcloud-kestone'
89     type: string
  # NOTE(review): these are secret key material (written to
  # /etc/keystone/credential-keys/{0,1} below) yet, unlike the passwords
  # above, they are not marked `hidden: true`, so they can be read back from
  # stack parameter output — consider adding `hidden: true`. They have no
  # defaults, so the deployment must supply both.
90   KeystoneCredential0:
91     type: string
92     description: The first Keystone credential key. Must be a valid key.
93   KeystoneCredential1:
94     type: string
95     description: The second Keystone credential key. Must be a valid key.
96   KeystoneLoggingSource:
97     type: json
98     default:
99       tag: openstack.keystone
100       path: /var/log/keystone/keystone.log
  # Drives keystone::enable_ssl and keystone::wsgi::apache::ssl below;
  # internal API traffic is plaintext unless this is set to true.
101   EnableInternalTLS:
102     type: boolean
103     default: false
104
105 resources:
106
  # Shared Apache service definition; its config_settings are merged in first
  # below, so the Keystone-specific keys take precedence in map_merge.
107   ApacheServiceBase:
108     type: ./apache.yaml
109     properties:
110       ServiceNetMap: {get_param: ServiceNetMap}
111       DefaultPasswords: {get_param: DefaultPasswords}
112       EndpointMap: {get_param: EndpointMap}
113       EnableInternalTLS: {get_param: EnableInternalTLS}
114
115 outputs:
116   role_data:
117     description: Role data for the Keystone role.
118     value:
119       service_name: keystone
120       monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
121       logging_source: {get_param: KeystoneLoggingSource}
122       logging_groups:
123         - keystone
124       config_settings:
125         map_merge:
126           - get_attr: [ApacheServiceBase, role_data, config_settings]
          # Builds <protocol>://keystone:<AdminToken>@<host>/keystone. The
          # password is inserted without URL escaping, so an AdminToken
          # containing '@', '/', ':' or '%' would corrupt the URL —
          # presumably the deployment tooling generates it from a safe
          # alphabet; confirm.
127           - keystone::database_connection:
128               list_join:
129                 - ''
130                 - - {get_param: [EndpointMap, MysqlInternal, protocol]}
131                   - '://keystone:'
132                   - {get_param: AdminToken}
133                   - '@'
134                   - {get_param: [EndpointMap, MysqlInternal, host]}
135                   - '/keystone'
136             keystone::admin_token: {get_param: AdminToken}
137             keystone::admin_password: {get_param: AdminPassword}
138             keystone::roles::admin::password: {get_param: AdminPassword}
139             keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
140             keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            # Trusts X-Forwarded-* headers from the load balancer so that
            # returned URLs carry the external scheme/host; this is only
            # safe while the service is reachable solely through that
            # trusted proxy.
141             keystone::enable_proxy_headers_parsing: true
142             keystone::enable_credential_setup: true
            # Materialises the two credential keys supplied as parameters
            # as files on the node.
143             keystone::credential_keys:
144               '/etc/keystone/credential-keys/0':
145                 content: {get_param: KeystoneCredential0}
146               '/etc/keystone/credential-keys/1':
147                 content: {get_param: KeystoneCredential1}
148             keystone::debug: {get_param: Debug}
149             keystone::rabbit_userid: {get_param: RabbitUserName}
150             keystone::rabbit_password: {get_param: RabbitPassword}
151             keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
152             keystone::rabbit_port: {get_param: RabbitClientPort}
153             keystone::notification_driver: {get_param: KeystoneNotificationDriver}
154             keystone::notification_format: {get_param: KeystoneNotificationFormat}
155             keystone::roles::admin::email: {get_param: AdminEmail}
            # NOTE(review): duplicate of keystone::roles::admin::password set
            # earlier in this mapping (same value); YAML parsers keep the
            # last occurrence — drop one of the two.
156             keystone::roles::admin::password: {get_param: AdminPassword}
157             keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
158             keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
159             keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
160             keystone::endpoint::region: {get_param: KeystoneRegion}
161             keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
162             keystone::rabbit_heartbeat_timeout_threshold: 60
            # Token flush cron: maxdelay is a random jitter (seconds) before
            # each run; sending its output to /dev/null means a failing
            # flush is silent, so watch the token table size elsewhere.
163             keystone::cron::token_flush::maxdelay: 3600
164             keystone::roles::admin::service_tenant: 'service'
165             keystone::roles::admin::admin_tenant: 'admin'
166             keystone::cron::token_flush::destination: '/dev/null'
167             keystone::config::keystone_config:
168               ec2/driver:
169                 value: 'keystone.contrib.ec2.backends.sql.Ec2'
            # Keystone runs as a WSGI application under Apache (httpd).
170             keystone::service_name: 'httpd'
171             keystone::enable_ssl: {get_param: EnableInternalTLS}
172             keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            # Heat substitutes $NETWORK with the network name from
            # ServiceNetMap; the resulting '"%{::fqdn_<network>}"' is a hiera
            # interpolation, presumably resolved on the node to its FQDN on
            # that network (same pattern for the *_bind_host keys below).
173             keystone::wsgi::apache::servername:
174               str_replace:
175                 template:
176                   '"%{::fqdn_$NETWORK}"'
177                 params:
178                   $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
179             keystone::wsgi::apache::servername_admin:
180               str_replace:
181                 template:
182                   '"%{::fqdn_$NETWORK}"'
183                 params:
184                   $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
185             keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
186             # override via extraconfig:
187             keystone::wsgi::apache::threads: 1
            # -1 means retry indefinitely on database connection failure
            # (oslo.db semantics): the service keeps retrying rather than
            # failing fast while the database is unreachable.
188             keystone::db::database_db_max_retries: -1
189             keystone::db::database_max_retries: -1
            # Opens the Keystone API ports: 5000 (public) and 35357 (admin),
            # plus 13000/13357 — presumably the TLS-terminated front-end
            # counterparts; confirm against the endpoint/haproxy config.
190             tripleo.keystone.firewall_rules:
191               '111 keystone':
192                 dport:
193                   - 5000
194                   - 13000
195                   - 35357
196                   - 13357
197             keystone::admin_bind_host:
198               str_replace:
199                 template:
200                   '"%{::fqdn_$NETWORK}"'
201                 params:
202                   $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
203             keystone::public_bind_host:
204               str_replace:
205                 template:
206                   '"%{::fqdn_$NETWORK}"'
207                 params:
208                   $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
209             # NOTE: bind IP is found in Heat replacing the network name with the
210             # local node IP for the given network; replacement examples
211             # (eg. for internal_api):
212             # internal_api -> IP
213             # internal_api_uri -> [IP]
214             # internal_api_subnet -> IP/CIDR
215             # NOTE: this applies to both bind IP settings below.
216             keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
217             keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
      # Puppet manifest fragment applied on the role; it consumes the
      # hieradata assembled above.
218       step_config: |
219         include ::tripleo::profile::base::keystone
      # Settings applied on the node hosting the named service (mysql here)
      # rather than on the Keystone role itself.
220       service_config_settings:
221         mysql:
222           keystone::db::mysql::password: {get_param: AdminToken}
223           keystone::db::mysql::user: keystone
224           keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
225           keystone::db::mysql::dbname: keystone
          # NOTE(review): '%' grants the keystone DB account access from any
          # host, so the password (AdminToken, above) is the only control on
          # that account — verify the MySQL port is restricted to the
          # internal network by firewall rules defined elsewhere.
226           keystone::db::mysql::allowed_hosts:
227             - '%'
228             - "%{hiera('mysql_bind_host')}"