Define keystone token provider
# Heat service template for Keystone: the parameters declared below are
# mapped into hiera config_settings that the tripleo::profile::base::keystone
# profile (see step_config) applies on the node.
heat_template_version: 2016-10-14

description: |
  OpenStack Keystone service configured with Puppet

parameters:
  # Every parameter here is referenced from config_settings in the outputs
  # section. Secrets carry `hidden: true` so Heat does not echo them back in
  # stack parameter output.
  KeystoneEnableDBPurge:
    type: boolean
    default: true
    description: |
      Whether to create cron job for purging soft deleted rows in Keystone database.
  KeystoneSSLCertificate:
    type: string
    default: ''
    description: Keystone certificate for verifying token validity.
  KeystoneSSLCertificateKey:
    type: string
    default: ''
    description: Keystone key for signing tokens.
    hidden: true
  KeystoneNotificationDriver:
    type: comma_delimited_list
    default:
      - messaging
    description: Comma-separated list of Oslo notification drivers used by Keystone
  KeystoneNotificationFormat:
    type: string
    default: basic
    description: The Keystone notification format
    constraints:
      - allowed_values:
          - basic
          - cadf
  KeystoneRegion:
    type: string
    default: regionOne
    description: Keystone region for endpoint
  # Selects keystone::token_provider; the keystone_fernet_tokens condition
  # switches fernet key setup on only when this is 'fernet'.
  KeystoneTokenProvider:
    type: string
    default: uuid
    description: The keystone token format
    constraints:
      - allowed_values:
          - uuid
          - fernet
  ServiceNetMap:
    type: json
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
  DefaultPasswords:
    type: json
    default: {}
  EndpointMap:
    type: json
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
  Debug:
    type: string
    default: ''
  AdminEmail:
    type: string
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    hidden: true
  AdminPassword:
    type: string
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    hidden: true
  # One value serves two purposes (keystone::admin_token and the MySQL
  # password for the keystone DB user); see config_settings below.
  AdminToken:
    type: string
    description: The keystone auth secret and db password.
    hidden: true
  RabbitPassword:
    type: string
    description: The password for RabbitMQ
    hidden: true
  RabbitUserName:
    type: string
    default: guest
    description: The username for RabbitMQ
  # NOTE(review): declared as a string although the default is a boolean
  # literal; kept as-is since Heat stringifies it for the hiera key.
  RabbitClientUseSSL:
    type: string
    default: false
    description: >
      Rabbit client subscriber parameter to specify
      an SSL connection to the RabbitMQ host.
  RabbitClientPort:
    type: number
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
  # The default is a hiera interpolation resolved on the node, hence the
  # embedded double quotes.
  KeystoneWorkers:
    type: string
    default: '"%{::os_workers}"'
    description: Set the number of workers for keystone::wsgi::apache
  MonitoringSubscriptionKeystone:
    type: string
    default: overcloud-keystone
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
  EnableInternalTLS:
    type: boolean
    default: false

resources:

  # Shared Apache/WSGI role data; it is the first entry of the map_merge in
  # config_settings, so the keystone-specific keys listed after it can
  # override any of its settings.
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      EnableInternalTLS:
        get_param: EnableInternalTLS

conditions:
  # True when the operator selected the fernet token format; used to gate
  # keystone::enable_fernet_setup in config_settings.
  keystone_fernet_tokens:
    equals:
      - get_param: KeystoneTokenProvider
      - fernet

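outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      logging_source: {get_param: KeystoneLoggingSource}
      logging_groups:
        - keystone
      # Hiera data for the keystone profile: the Apache base settings come
      # first, the keystone-specific keys follow. Each key is declared once
      # (a repeated mapping key is invalid YAML and silently last-wins in
      # most parsers).
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          # NOTE: AdminToken is both the DB password embedded in this URL
          # (and in keystone::db::mysql::password below) and the Keystone
          # admin_token; rotating one means rotating both.
          - keystone::database_connection:
              list_join:
                - ''
                - - {get_param: [EndpointMap, MysqlInternal, protocol]}
                  - '://keystone:'
                  - {get_param: AdminToken}
                  - '@'
                  - {get_param: [EndpointMap, MysqlInternal, host]}
                  - '/keystone'
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            # Token format from KeystoneTokenProvider (uuid|fernet); fernet
            # key setup is enabled only when the keystone_fernet_tokens
            # condition holds.
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            # NOTE(review): proxy-header parsing trusts X-Forwarded-* values
            # from whatever sits in front of these listeners; presumably only
            # the deployment's load balancer can reach them — confirm.
            keystone::enable_proxy_headers_parsing: true
            # Credential keys are supplied as parameters and written by Puppet
            # to the two paths below; both must be valid keys.
            keystone::enable_credential_setup: true
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::debug: {get_param: Debug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}
            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            keystone::rabbit_port: {get_param: RabbitClientPort}
            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            keystone::roles::admin::email: {get_param: AdminEmail}
            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            keystone::endpoint::region: {get_param: KeystoneRegion}
            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            # Token flush cron: maximum delay (seconds) and output target.
            # NOTE(review): presumably only does work for the persisted (uuid)
            # token provider and is idle under fernet — confirm against
            # puppet-keystone.
            keystone::cron::token_flush::maxdelay: 3600
            keystone::roles::admin::service_tenant: 'service'
            keystone::roles::admin::admin_tenant: 'admin'
            keystone::cron::token_flush::destination: '/dev/null'
            keystone::config::keystone_config:
              ec2/driver:
                value: 'keystone.contrib.ec2.backends.sql.Ec2'
            keystone::service_name: 'httpd'
            # Internal TLS toggles both the keystone and the Apache vhost side.
            keystone::enable_ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            # Server names are hiera facts (fqdn_<network>) resolved on the
            # node; the network name is looked up in ServiceNetMap at stack
            # creation time.
            keystone::wsgi::apache::servername:
              str_replace:
                template:
                  '"%{::fqdn_$NETWORK}"'
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::servername_admin:
              str_replace:
                template:
                  '"%{::fqdn_$NETWORK}"'
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            # Ports opened for Keystone; 5000/35357 are the conventional
            # public/admin API ports, 13000/13357 presumably their
            # TLS-terminated counterparts.
            tripleo.keystone.firewall_rules:
              '111 keystone':
                dport:
                  - 5000
                  - 13000
                  - 35357
                  - 13357
            keystone::admin_bind_host:
              str_replace:
                template:
                  '"%{::fqdn_$NETWORK}"'
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::public_bind_host:
              str_replace:
                template:
                  '"%{::fqdn_$NETWORK}"'
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet -> IP/CIDR
            # NOTE: this applies to all 2 bind IP settings below...
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
      step_config: |
        include ::tripleo::profile::base::keystone
      # Settings applied on the roles hosting the named service rather than
      # on the keystone role itself.
      service_config_settings:
        mysql:
          # Same secret as keystone::admin_token above.
          keystone::db::mysql::password: {get_param: AdminToken}
          keystone::db::mysql::user: keystone
          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          keystone::db::mysql::dbname: keystone
          # '%' lets the keystone DB user connect from any host, on top of the
          # mysql bind host resolved from hiera. NOTE(review): confirm the
          # wildcard grant is still needed; a network-scoped grant limits
          # exposure of the AdminToken-protected account.
          keystone::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"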