# Heat service template for Keystone. Apache/mod_wsgi hosting comes from the
# ApacheServiceBase resource (./apache.yaml); everything Keystone-specific is
# exposed as hiera data under outputs.role_data.config_settings.
heat_template_version: pike

description: >
  OpenStack Keystone service configured with Puppet
5
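# Parameter groups, in order: token provider and key material, networking /
# endpoint maps shared with every service template, admin credentials,
# RabbitMQ, logging/TLS, the token-flush cron job, and optional LDAP backends.
# Every value that is secret (passwords, tokens, signing/encryption keys) is
# marked hidden so Heat masks it in stack and parameter listings.
parameters:
  KeystoneEnableDBPurge:
    default: true
    description: |
        Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationDriver:
    description: Comma-separated list of Oslo notification drivers used by Keystone
    default: ['messaging']
    type: comma_delimited_list
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: [ 'basic', 'cadf' ]
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['uuid', 'fernet']
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    description: Passed through to ApacheServiceBase; not read directly by this template.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  Debug:
    type: string
    default: ''
    description: Global debug setting; used only when KeystoneDebug is left empty.
  KeystoneDebug:
    default: ''
    description: Set to True to enable debugging Keystone service.
    type: string
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  AdminToken:
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '%{::os_workers}'
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  # The credential and fernet keys are written verbatim to
  # /etc/keystone/{credential,fernet}-keys/ (see config_settings); they are
  # secrets and must never be shown in stack output, hence hidden.
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneFernetKey0:
    type: string
    description: The first Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneFernetKey1:
    type: string
    description: The second Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
  EnableInternalTLS:
    type: boolean
    default: false
  # Token-flush cron job. The schedule fields are comma_delimited_list so a
  # single cron field can carry several values; the defaults run once an hour.
  KeystoneCronTokenFlushEnsure:
    type: string
    description: >
        Cron to purge expired tokens - Ensure
    default: 'present'
  KeystoneCronTokenFlushMinute:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Minute
    default: '1'
  KeystoneCronTokenFlushHour:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Hour
    default: '*'
  KeystoneCronTokenFlushMonthday:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Month Day
    default: '*'
  KeystoneCronTokenFlushMonth:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Month
    default: '*'
  KeystoneCronTokenFlushWeekday:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Week Day
    default: '*'
  KeystoneCronTokenFlushMaxDelay:
    type: string
    description: >
        Cron to purge expired tokens - Max Delay
    default: '0'
  KeystoneCronTokenFlushDestination:
    type: string
    description: >
        Cron to purge expired tokens - Log destination
    default: '/var/log/keystone/keystone-tokenflush.log'
  KeystoneCronTokenFlushUser:
    type: string
    description: >
        Cron to purge expired tokens - User
    default: 'keystone'
  KeystonePolicies:
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  KeystoneLDAPDomainEnable:
    description: Trigger to call ldap_backend puppet keystone define.
    type: boolean
    default: false
  KeystoneLDAPBackendConfigs:
    description: Hash containing the configurations for the LDAP backends
                 configured in keystone.
    type: json
    default: {}
    hidden: true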
189
resources:

  # Shared Apache/mod_wsgi configuration. Its config_settings,
  # metadata_settings and upgrade_tasks are merged into this service's
  # role_data output below.
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}
201
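# Conditions referenced from outputs.role_data. Booleans are written in their
# canonical lowercase form so the comparison does not depend on the YAML
# loader's handling of capitalised literals.
conditions:
  # True for the default provider; selects keystone::enable_fernet_setup.
  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  # Switches on the LDAP domain backend settings and Horizon multi-domain support.
  keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, true]}
  # An empty KeystoneDebug means "fall back to the global Debug parameter".
  service_debug_unset: {equals: [{get_param: KeystoneDebug}, '']}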
206
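outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      logging_source: {get_param: KeystoneLoggingSource}
      logging_groups:
        - keystone
      # Every key in this mapping must appear exactly once: the YAML loader
      # keeps the last definition of a duplicated key and silently drops the
      # earlier one, so a stray literal would override a parameter-driven value.
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          # AdminToken doubles as the keystone DB password (see the mysql
          # service_config_settings below).
          - keystone::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: keystone
                password: {get_param: AdminToken}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /keystone
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            # Key material from the KeystoneCredential*/KeystoneFernetKey*
            # parameters is written verbatim to these paths.
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::fernet_keys:
              '/etc/keystone/fernet-keys/0':
                content: {get_param: KeystoneFernetKey0}
              '/etc/keystone/fernet-keys/1':
                content: {get_param: KeystoneFernetKey1}
            # Do not overwrite fernet keys already present on disk.
            keystone::fernet_replace_keys: false
            # KeystoneDebug wins when set; otherwise fall back to the global Debug.
            keystone::debug:
              if:
              - service_debug_unset
              - {get_param: Debug}
              - {get_param: KeystoneDebug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}
            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            keystone::rabbit_port: {get_param: RabbitClientPort}
            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            keystone::roles::admin::email: {get_param: AdminEmail}
            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            keystone::endpoint::region: {get_param: KeystoneRegion}
            keystone::endpoint::version: ''
            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            keystone::roles::admin::service_tenant: 'service'
            keystone::roles::admin::admin_tenant: 'admin'
            keystone::config::keystone_config:
              ec2/driver:
                value: 'keystone.contrib.ec2.backends.sql.Ec2'
            keystone::service_name: 'httpd'
            keystone::enable_ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::servername_admin:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            # 5000/35357 are the public/admin API ports; 13000/13357 are
            # presumably the TLS front-end ports — confirm against the endpoint map.
            tripleo.keystone.firewall_rules:
              '111 keystone':
                dport:
                  - 5000
                  - 13000
                  - 35357
                  - 13357
            keystone::admin_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::public_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            # NOTE: this applies to all 2 bind IP settings below...
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            # All token-flush cron settings come from the KeystoneCronTokenFlush*
            # parameters and are defined only here.
            keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
            keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
            keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
            keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
            keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
            keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
            keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
            keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
            keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
          # LDAP domain backends are only wired in when explicitly enabled.
          -
            if:
            - keystone_ldap_domain_enabled
            -
              tripleo::profile::base::keystone::ldap_backend_enable: true
              keystone::using_domain_config: true
              tripleo::profile::base::keystone::ldap_backends_config:
                get_param: KeystoneLDAPBackendConfigs
            - {}

      step_config: |
        include ::tripleo::profile::base::keystone
      service_config_settings:
        mysql:
          keystone::db::mysql::password: {get_param: AdminToken}
          keystone::db::mysql::user: keystone
          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          keystone::db::mysql::dbname: keystone
          # '%' grants the keystone DB user access from any host, in addition
          # to the address in hiera mysql_bind_host.
          keystone::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        # Horizon needs multi-domain support only when the LDAP domain backend is on.
        horizon:
          if:
          - keystone_ldap_domain_enabled
          -
            horizon::keystone_multidomain_support: true
            horizon::keystone_default_domain: 'Default'
          - {}
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      # Apache's upgrade tasks run first, then keystone's (yaql list concatenation).
      upgrade_tasks:
        yaql:
          expression: $.data.apache_upgrade + $.data.keystone_upgrade
          data:
            apache_upgrade:
              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
            keystone_upgrade:
              - name: Stop keystone service (running under httpd)
                tags: step1
                service: name=httpd state=stopped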