1 heat_template_version: pike
4 OpenStack Keystone service configured with Puppet
10 Whether to create a cron job for purging soft-deleted rows in the Keystone database.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
34 description: Keystone region for endpoint
35 KeystoneTokenProvider:
36 description: The keystone token format
40 - allowed_values: ['uuid', 'fernet']
43 description: Mapping of service_name -> network name. Typically set
44 via parameter_defaults in the resource registry. This
45 mapping overrides those in ServiceNetMapDefaults.
52 description: Role name on which the service is applied
56 description: Parameters specific to the role
60 description: Mapping of service endpoint -> protocol. Typically set
61 via parameter_defaults in the resource registry.
68 description: Set to True to enable debugging of the Keystone service.
71 default: 'admin@example.com'
72 description: The email for the keystone admin account.
76 description: The password for the Keystone admin account, used for monitoring, querying Neutron, etc.
80 description: The Keystone auth secret (admin token), also used as the Keystone database password.
84 description: The password for RabbitMQ
89 description: The username for RabbitMQ
94 Rabbit client subscriber parameter to specify
95 an SSL connection to the RabbitMQ host.
99 description: Set the RabbitMQ subscriber port; change this if using SSL.
103 description: Set the number of workers for keystone::wsgi::apache
104 default: '%{::os_workers}'
105 MonitoringSubscriptionKeystone:
106 default: 'overcloud-keystone'
110 description: The first Keystone credential key. Must be a valid key.
113 description: The second Keystone credential key. Must be a valid key.
116 description: The first Keystone fernet key. Must be a valid key.
119 description: The second Keystone fernet key. Must be a valid key.
120 KeystoneLoggingSource:
123 tag: openstack.keystone
124 path: /var/log/keystone/keystone.log
128 KeystoneCronTokenFlushEnsure:
131 Cron to purge expired tokens - Ensure
133 KeystoneCronTokenFlushMinute:
134 type: comma_delimited_list
136 Cron to purge expired tokens - Minute
138 KeystoneCronTokenFlushHour:
139 type: comma_delimited_list
141 Cron to purge expired tokens - Hour
143 KeystoneCronTokenFlushMonthday:
144 type: comma_delimited_list
146 Cron to purge expired tokens - Month Day
148 KeystoneCronTokenFlushMonth:
149 type: comma_delimited_list
151 Cron to purge expired tokens - Month
153 KeystoneCronTokenFlushWeekday:
154 type: comma_delimited_list
156 Cron to purge expired tokens - Week Day
158 KeystoneCronTokenFlushMaxDelay:
161 Cron to purge expired tokens - Max Delay
163 KeystoneCronTokenFlushDestination:
166 Cron to purge expired tokens - Log destination
167 default: '/var/log/keystone/keystone-tokenflush.log'
168 KeystoneCronTokenFlushUser:
171 Cron to purge expired tokens - User
175 A hash of policies to configure for Keystone.
176 e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
179 KeystoneLDAPDomainEnable:
180 description: Trigger to call the ldap_backend Puppet define for Keystone.
183 KeystoneLDAPBackendConfigs:
184 description: Hash containing the configurations for the LDAP backends
185 configured in keystone.
195 ServiceNetMap: {get_param: ServiceNetMap}
196 DefaultPasswords: {get_param: DefaultPasswords}
197 EndpointMap: {get_param: EndpointMap}
198 RoleName: {get_param: RoleName}
199 RoleParameters: {get_param: RoleParameters}
200 EnableInternalTLS: {get_param: EnableInternalTLS}
203 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
204 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
205 service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
209 description: Role data for the Keystone role.
211 service_name: keystone
212 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
213 logging_source: {get_param: KeystoneLoggingSource}
218 - get_attr: [ApacheServiceBase, role_data, config_settings]
219 - keystone::database_connection:
221 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
223 password: {get_param: AdminToken}
224 host: {get_param: [EndpointMap, MysqlInternal, host]}
227 read_default_file: /etc/my.cnf.d/tripleo.cnf
228 read_default_group: tripleo
229 keystone::admin_token: {get_param: AdminToken}
230 keystone::admin_password: {get_param: AdminPassword}
231 keystone::roles::admin::password: {get_param: AdminPassword}
232 keystone::policy::policies: {get_param: KeystonePolicies}
233 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
234 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
235 keystone::token_provider: {get_param: KeystoneTokenProvider}
236 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
237 keystone::enable_proxy_headers_parsing: true
238 keystone::enable_credential_setup: true
239 keystone::credential_keys:
240 '/etc/keystone/credential-keys/0':
241 content: {get_param: KeystoneCredential0}
242 '/etc/keystone/credential-keys/1':
243 content: {get_param: KeystoneCredential1}
244 keystone::fernet_keys:
245 '/etc/keystone/fernet-keys/0':
246 content: {get_param: KeystoneFernetKey0}
247 '/etc/keystone/fernet-keys/1':
248 content: {get_param: KeystoneFernetKey1}
249 keystone::fernet_replace_keys: false
252 - service_debug_unset
253 - {get_param: Debug }
254 - {get_param: KeystoneDebug }
255 keystone::rabbit_userid: {get_param: RabbitUserName}
256 keystone::rabbit_password: {get_param: RabbitPassword}
257 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
258 keystone::rabbit_port: {get_param: RabbitClientPort}
259 keystone::notification_driver: {get_param: KeystoneNotificationDriver}
260 keystone::notification_format: {get_param: KeystoneNotificationFormat}
261 keystone::roles::admin::email: {get_param: AdminEmail}
262 keystone::roles::admin::password: {get_param: AdminPassword}
263 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
264 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
265 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
266 keystone::endpoint::region: {get_param: KeystoneRegion}
267 keystone::endpoint::version: ''
268 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
269 keystone::rabbit_heartbeat_timeout_threshold: 60
270 keystone::cron::token_flush::maxdelay: 3600
271 keystone::roles::admin::service_tenant: 'service'
272 keystone::roles::admin::admin_tenant: 'admin'
273 keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
274 keystone::config::keystone_config:
276 value: 'keystone.contrib.ec2.backends.sql.Ec2'
277 keystone::service_name: 'httpd'
278 keystone::enable_ssl: {get_param: EnableInternalTLS}
279 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
280 keystone::wsgi::apache::servername:
283 "%{hiera('fqdn_$NETWORK')}"
285 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
286 keystone::wsgi::apache::servername_admin:
289 "%{hiera('fqdn_$NETWORK')}"
291 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
292 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
293 # override via extraconfig:
294 keystone::wsgi::apache::threads: 1
295 keystone::db::database_db_max_retries: -1
296 keystone::db::database_max_retries: -1
297 tripleo.keystone.firewall_rules:
304 keystone::admin_bind_host:
307 "%{hiera('fqdn_$NETWORK')}"
309 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
310 keystone::public_bind_host:
313 "%{hiera('fqdn_$NETWORK')}"
315 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
316 # NOTE: the bind IP is resolved by Heat, which replaces the network name with
317 # the local node IP for the given network; replacement examples
318 # (e.g. for internal_api):
320 # internal_api_uri -> [IP]
321 # internal_api_subnet -> IP/CIDR
322 # NOTE: this applies to both bind IP settings below...
323 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
324 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
325 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
326 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
327 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
328 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
329 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
330 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
331 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
332 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
333 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
336 - keystone_ldap_domain_enabled
338 tripleo::profile::base::keystone::ldap_backend_enable: True
339 keystone::using_domain_config: True
340 tripleo::profile::base::keystone::ldap_backends_config:
341 get_param: KeystoneLDAPBackendConfigs
345 include ::tripleo::profile::base::keystone
346 service_config_settings:
348 keystone::db::mysql::password: {get_param: AdminToken}
349 keystone::db::mysql::user: keystone
350 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
351 keystone::db::mysql::dbname: keystone
352 keystone::db::mysql::allowed_hosts:
354 - "%{hiera('mysql_bind_host')}"
357 - keystone_ldap_domain_enabled
359 horizon::keystone_multidomain_support: true
360 horizon::keystone_default_domain: 'Default'
363 get_attr: [ApacheServiceBase, role_data, metadata_settings]
366 expression: $.data.apache_upgrade + $.data.keystone_upgrade
369 get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
371 - name: Stop keystone service (running under httpd)
373 service: name=httpd state=stopped