1 heat_template_version: ocata
4 OpenStack Keystone service configured with Puppet
10 Whether to create cron job for purging soft deleted rows in Keystone database.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
34 description: Keystone region for endpoint
35 KeystoneTokenProvider:
36 description: The keystone token format
40 - allowed_values: ['uuid', 'fernet']
43 description: Mapping of service_name -> network name. Typically set
44 via parameter_defaults in the resource registry. This
45 mapping overrides those in ServiceNetMapDefaults.
52 description: Mapping of service endpoint -> protocol. Typically set
53 via parameter_defaults in the resource registry.
59 default: 'admin@example.com'
60 description: The email for the keystone admin account.
64 description: The password for the keystone admin account, used for monitoring, querying neutron etc.
68 description: The keystone auth secret and db password.
72 description: The password for RabbitMQ
77 description: The username for RabbitMQ
82 Rabbit client subscriber parameter to specify
83 an SSL connection to the RabbitMQ host.
87 description: Set rabbit subscriber port, change this if using SSL
91 description: Set the number of workers for keystone::wsgi::apache
92 default: '%{::os_workers}'
93 MonitoringSubscriptionKeystone:
94 default: 'overcloud-keystone'
98 description: The first Keystone credential key. Must be a valid key.
101 description: The second Keystone credential key. Must be a valid key.
104 description: The first Keystone fernet key. Must be a valid key.
107 description: The second Keystone fernet key. Must be a valid key.
108 KeystoneLoggingSource:
111 tag: openstack.keystone
112 path: /var/log/keystone/keystone.log
116 KeystoneCronTokenFlushEnsure:
119 Cron to purge expired tokens - Ensure
121 KeystoneCronTokenFlushMinute:
124 Cron to purge expired tokens - Minute
126 KeystoneCronTokenFlushHour:
129 Cron to purge expired tokens - Hour
131 KeystoneCronTokenFlushMonthday:
134 Cron to purge expired tokens - Month Day
136 KeystoneCronTokenFlushMonth:
139 Cron to purge expired tokens - Month
141 KeystoneCronTokenFlushWeekday:
144 Cron to purge expired tokens - Week Day
146 KeystoneCronTokenFlushMaxDelay:
149 Cron to purge expired tokens - Max Delay
151 KeystoneCronTokenFlushDestination:
154 Cron to purge expired tokens - Log destination
155 default: '/var/log/keystone/keystone-tokenflush.log'
156 KeystoneCronTokenFlushUser:
159 Cron to purge expired tokens - User
167 ServiceNetMap: {get_param: ServiceNetMap}
168 DefaultPasswords: {get_param: DefaultPasswords}
169 EndpointMap: {get_param: EndpointMap}
170 EnableInternalTLS: {get_param: EnableInternalTLS}
173 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
177 description: Role data for the Keystone role.
179 service_name: keystone
180 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
181 logging_source: {get_param: KeystoneLoggingSource}
186 - get_attr: [ApacheServiceBase, role_data, config_settings]
187 - keystone::database_connection:
190 - - {get_param: [EndpointMap, MysqlInternal, protocol]}
192 - {get_param: AdminToken}
194 - {get_param: [EndpointMap, MysqlInternal, host]}
196 - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
197 keystone::admin_token: {get_param: AdminToken}
198 keystone::admin_password: {get_param: AdminPassword}
199 keystone::roles::admin::password: {get_param: AdminPassword}
200 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
201 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
202 keystone::token_provider: {get_param: KeystoneTokenProvider}
203 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
204 keystone::enable_proxy_headers_parsing: true
205 keystone::enable_credential_setup: true
206 keystone::credential_keys:
207 '/etc/keystone/credential-keys/0':
208 content: {get_param: KeystoneCredential0}
209 '/etc/keystone/credential-keys/1':
210 content: {get_param: KeystoneCredential1}
211 keystone::fernet_keys:
212 '/etc/keystone/fernet-keys/0':
213 content: {get_param: KeystoneFernetKey0}
214 '/etc/keystone/fernet-keys/1':
215 content: {get_param: KeystoneFernetKey1}
216 keystone::debug: {get_param: Debug}
217 keystone::rabbit_userid: {get_param: RabbitUserName}
218 keystone::rabbit_password: {get_param: RabbitPassword}
219 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
220 keystone::rabbit_port: {get_param: RabbitClientPort}
221 keystone::notification_driver: {get_param: KeystoneNotificationDriver}
222 keystone::notification_format: {get_param: KeystoneNotificationFormat}
223 keystone::roles::admin::email: {get_param: AdminEmail}
# NOTE(review): this key is already set a few lines earlier with the same
# {get_param: AdminPassword} value; if both live in one mapping it is a
# duplicate key (most YAML loaders silently keep the last) — drop one copy.
224 keystone::roles::admin::password: {get_param: AdminPassword}
225 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
226 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
227 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
228 keystone::endpoint::region: {get_param: KeystoneRegion}
229 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
230 keystone::rabbit_heartbeat_timeout_threshold: 60
# NOTE(review): the same key appears again further down as
# keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}.
# If both sit in one mapping, most YAML loaders keep the later value and this
# literal is dead — confirm the nesting and remove one of the two.
231 keystone::cron::token_flush::maxdelay: 3600
232 keystone::roles::admin::service_tenant: 'service'
233 keystone::roles::admin::admin_tenant: 'admin'
# NOTE(review): duplicated further down as
# keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}.
# The parameterised entry is the one most loaders keep, so '/dev/null' here is
# likely never applied — confirm and remove one, otherwise the effective log
# destination depends on parser duplicate-key behaviour.
234 keystone::cron::token_flush::destination: '/dev/null'
235 keystone::config::keystone_config:
237 value: 'keystone.contrib.ec2.backends.sql.Ec2'
238 keystone::service_name: 'httpd'
239 keystone::enable_ssl: {get_param: EnableInternalTLS}
240 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
241 keystone::wsgi::apache::servername:
244 "%{hiera('fqdn_$NETWORK')}"
246 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
247 keystone::wsgi::apache::servername_admin:
250 "%{hiera('fqdn_$NETWORK')}"
252 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
253 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
254 # override via extraconfig:
255 keystone::wsgi::apache::threads: 1
256 keystone::db::database_db_max_retries: -1
257 keystone::db::database_max_retries: -1
258 tripleo.keystone.firewall_rules:
265 keystone::admin_bind_host:
268 "%{hiera('fqdn_$NETWORK')}"
270 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
271 keystone::public_bind_host:
274 "%{hiera('fqdn_$NETWORK')}"
276 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
277 # NOTE: the bind IP is resolved by Heat, which replaces the network name with
278 # the local node IP for the given network; replacement examples
279 # (e.g. for internal_api):
281 # internal_api_uri -> [IP]
282 # internal_api_subnet -> IP/CIDR
283 # NOTE: this applies to both bind IP settings below.
284 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
285 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
286 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
287 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
288 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
289 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
290 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
291 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
292 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
293 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
294 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
297 include ::tripleo::profile::base::keystone
298 service_config_settings:
# NOTE(review): the MySQL password is the same secret as keystone::admin_token
# and the credential embedded in keystone::database_connection above. One
# leaked value therefore grants both database access and the admin bootstrap
# token; a dedicated DB password parameter would keep the two separable.
300 keystone::db::mysql::password: {get_param: AdminToken}
301 keystone::db::mysql::user: keystone
302 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
303 keystone::db::mysql::dbname: keystone
304 keystone::db::mysql::allowed_hosts:
306 - "%{hiera('mysql_bind_host')}"
307 # Ansible tasks to handle upgrade
309 - name: Stop keystone service (running under httpd)
311 service: name=httpd state=stopped
313 get_attr: [ApacheServiceBase, role_data, metadata_settings]