1 heat_template_version: pike
4 OpenStack Keystone service configured with Puppet
10 Whether to create a cron job for purging soft-deleted rows in the Keystone database.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
34 description: Keystone region for endpoint
35 KeystoneTokenProvider:
36 description: The keystone token format
40 - allowed_values: ['uuid', 'fernet']
43 description: Mapping of service_name -> network name. Typically set
44 via parameter_defaults in the resource registry. This
45 mapping overrides those in ServiceNetMapDefaults.
52 description: Role name on which the service is applied
56 description: Parameters specific to the role
60 description: Mapping of service endpoint -> protocol. Typically set
61 via parameter_defaults in the resource registry.
68 description: Set to True to enable debugging of the Keystone service.
71 default: 'admin@example.com'
72 description: The email for the keystone admin account.
76 description: The password for the keystone admin account, used for monitoring, querying neutron, etc.
80 description: The keystone auth secret, also used as the db password.
84 description: The password for RabbitMQ
89 description: The username for RabbitMQ
94 Rabbit client subscriber parameter to specify
95 an SSL connection to the RabbitMQ host.
99 description: Set the rabbit subscriber port; change this if using SSL.
103 description: Set the number of workers for keystone::wsgi::apache
104 default: '%{::os_workers}'
105 MonitoringSubscriptionKeystone:
106 default: 'overcloud-keystone'
110 description: The first Keystone credential key. Must be a valid key.
113 description: The second Keystone credential key. Must be a valid key.
117 description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
121 description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
124 description: Mapping containing keystone's fernet keys and their paths.
125 ManageKeystoneFernetKeys:
128 description: Whether TripleO should manage the keystone fernet keys or not.
129 If set to true, the fernet keys will get the values from the
130 saved keys repository in mistral (the KeystoneFernetKeys
131 variable). If set to false, only the stack creation
132 initializes the keys, but subsequent updates won't touch them.
133 KeystoneLoggingSource:
136 tag: openstack.keystone
137 path: /var/log/keystone/keystone.log
141 KeystoneCronTokenFlushEnsure:
144 Cron to purge expired tokens - Ensure
146 KeystoneCronTokenFlushMinute:
147 type: comma_delimited_list
149 Cron to purge expired tokens - Minute
151 KeystoneCronTokenFlushHour:
152 type: comma_delimited_list
154 Cron to purge expired tokens - Hour
156 KeystoneCronTokenFlushMonthday:
157 type: comma_delimited_list
159 Cron to purge expired tokens - Month Day
161 KeystoneCronTokenFlushMonth:
162 type: comma_delimited_list
164 Cron to purge expired tokens - Month
166 KeystoneCronTokenFlushWeekday:
167 type: comma_delimited_list
169 Cron to purge expired tokens - Week Day
171 KeystoneCronTokenFlushMaxDelay:
174 Cron to purge expired tokens - Max Delay
176 KeystoneCronTokenFlushDestination:
179 Cron to purge expired tokens - Log destination
180 default: '/var/log/keystone/keystone-tokenflush.log'
181 KeystoneCronTokenFlushUser:
184 Cron to purge expired tokens - User
188 A hash of policies to configure for Keystone.
189 e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
192 KeystoneLDAPDomainEnable:
193 description: Trigger to call ldap_backend puppet keystone define.
196 KeystoneLDAPBackendConfigs:
197 description: Hash containing the configurations for the LDAP backends
198 configured in keystone.
206 The following parameters are deprecated and will be removed. They should not
207 be relied on for new deployments. If you have concerns regarding deprecated
208 parameters, please contact the TripleO development team on IRC or the
209 OpenStack mailing list.
219 ServiceNetMap: {get_param: ServiceNetMap}
220 DefaultPasswords: {get_param: DefaultPasswords}
221 EndpointMap: {get_param: EndpointMap}
222 RoleName: {get_param: RoleName}
223 RoleParameters: {get_param: RoleParameters}
224 EnableInternalTLS: {get_param: EnableInternalTLS}
227 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
228 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
229 service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
233 description: Role data for the Keystone role.
235 service_name: keystone
236 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
237 logging_source: {get_param: KeystoneLoggingSource}
242 - get_attr: [ApacheServiceBase, role_data, config_settings]
243 - keystone::database_connection:
245 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
247 password: {get_param: AdminToken}
248 host: {get_param: [EndpointMap, MysqlInternal, host]}
251 read_default_file: /etc/my.cnf.d/tripleo.cnf
252 read_default_group: tripleo
253 keystone::admin_token: {get_param: AdminToken}
254 keystone::admin_password: {get_param: AdminPassword}
255 keystone::roles::admin::password: {get_param: AdminPassword}
256 keystone::policy::policies: {get_param: KeystonePolicies}
257 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
258 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
259 keystone::token_provider: {get_param: KeystoneTokenProvider}
260 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
261 keystone::enable_proxy_headers_parsing: true
262 keystone::enable_credential_setup: true
263 keystone::credential_keys:
264 '/etc/keystone/credential-keys/0':
265 content: {get_param: KeystoneCredential0}
266 '/etc/keystone/credential-keys/1':
267 content: {get_param: KeystoneCredential1}
268 keystone::fernet_keys: {get_param: KeystoneFernetKeys}
269 keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
272 - service_debug_unset
273 - {get_param: Debug }
274 - {get_param: KeystoneDebug }
275 keystone::rabbit_userid: {get_param: RabbitUserName}
276 keystone::rabbit_password: {get_param: RabbitPassword}
277 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
278 keystone::rabbit_port: {get_param: RabbitClientPort}
279 keystone::notification_driver: {get_param: KeystoneNotificationDriver}
280 keystone::notification_format: {get_param: KeystoneNotificationFormat}
281 keystone::roles::admin::email: {get_param: AdminEmail}
282 keystone::roles::admin::password: {get_param: AdminPassword}
283 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
284 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
285 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
286 keystone::endpoint::region: {get_param: KeystoneRegion}
287 keystone::endpoint::version: ''
288 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
289 keystone::rabbit_heartbeat_timeout_threshold: 60
290 keystone::cron::token_flush::maxdelay: 3600
291 keystone::roles::admin::service_tenant: 'service'
292 keystone::roles::admin::admin_tenant: 'admin'
293 keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
294 keystone::config::keystone_config:
296 value: 'keystone.contrib.ec2.backends.sql.Ec2'
297 keystone::service_name: 'httpd'
298 keystone::enable_ssl: {get_param: EnableInternalTLS}
299 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
300 keystone::wsgi::apache::servername:
303 "%{hiera('fqdn_$NETWORK')}"
305 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
306 keystone::wsgi::apache::servername_admin:
309 "%{hiera('fqdn_$NETWORK')}"
311 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
312 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
313 # override via extraconfig:
314 keystone::wsgi::apache::threads: 1
315 keystone::db::database_db_max_retries: -1
316 keystone::db::database_max_retries: -1
317 tripleo.keystone.firewall_rules:
324 keystone::admin_bind_host:
327 "%{hiera('fqdn_$NETWORK')}"
329 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
330 keystone::public_bind_host:
333 "%{hiera('fqdn_$NETWORK')}"
335 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
336 # NOTE: bind IP is found in Heat replacing the network name with the
337 # local node IP for the given network; replacement examples
338 # (e.g. for internal_api):
340 # internal_api_uri -> [IP]
341 # internal_api_subnet -> IP/CIDR
342 # NOTE: this applies to both bind IP settings below.
343 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
344 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
345 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
346 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
347 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
348 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
349 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
350 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
351 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
352 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
353 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
356 - keystone_ldap_domain_enabled
358 tripleo::profile::base::keystone::ldap_backend_enable: True
359 keystone::using_domain_config: True
360 tripleo::profile::base::keystone::ldap_backends_config:
361 get_param: KeystoneLDAPBackendConfigs
365 include ::tripleo::profile::base::keystone
366 service_config_settings:
368 keystone::db::mysql::password: {get_param: AdminToken}
369 keystone::db::mysql::user: keystone
370 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
371 keystone::db::mysql::dbname: keystone
372 keystone::db::mysql::allowed_hosts:
374 - "%{hiera('mysql_bind_host')}"
377 - keystone_ldap_domain_enabled
379 horizon::keystone_multidomain_support: true
380 horizon::keystone_default_domain: 'Default'
383 get_attr: [ApacheServiceBase, role_data, metadata_settings]
386 expression: $.data.apache_upgrade + $.data.keystone_upgrade
389 get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
391 - name: Stop keystone service (running under httpd)
393 service: name=httpd state=stopped