1 heat_template_version: pike
4 OpenStack Keystone service configured with Puppet
10 Whether to create a cron job that purges soft-deleted rows from the Keystone database.
12 KeystoneSSLCertificate:
14 description: Keystone certificate used to verify PKI-signed tokens. Neither of the token providers accepted by KeystoneTokenProvider ('uuid', 'fernet') uses it.
16 KeystoneSSLCertificateKey:
18 description: Private key for signing PKI-style tokens; secret material. Neither of the token providers accepted by KeystoneTokenProvider ('uuid', 'fernet') uses it.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
34 description: Keystone region for endpoint
35 KeystoneTokenProvider:
36 description: The keystone token provider ('uuid' or 'fernet'). Selecting 'fernet' also enables fernet key setup (keystone::enable_fernet_setup), so KeystoneFernetKeys must then hold valid keys.
40 - allowed_values: ['uuid', 'fernet']
43 description: Mapping of service_name -> network name. Typically set
44 via parameter_defaults in the resource registry. This
45 mapping overrides those in ServiceNetMapDefaults.
52 description: Role name on which the service is applied
56 description: Parameters specific to the role
60 description: Mapping of service endpoint -> protocol. Typically set
61 via parameter_defaults in the resource registry.
68 description: Set to True to enable debug logging for the Keystone service. When left empty, the value of the global Debug parameter is used instead.
71 default: 'admin@example.com'
72 description: The email for the keystone admin account.
76 description: The password for the keystone admin account, used for monitoring, querying neutron etc.
80 description: The Keystone admin_token (bootstrap auth secret). This template also uses it as the Keystone MySQL database password (keystone::database_connection and keystone::db::mysql::password), so it is a highly privileged secret and rotating it changes both.
84 description: The password for RabbitMQ
89 description: The username for RabbitMQ
94 Rabbit client subscriber parameter to specify whether to use
95 an SSL/TLS connection to the RabbitMQ host. When enabled, set RabbitClientPort to the SSL port.
99 description: Set rabbit subscriber port, change this if using SSL
103 description: Set the number of workers for keystone::wsgi::apache
104 default: '%{::os_workers}'
105 MonitoringSubscriptionKeystone:
106 default: 'overcloud-keystone'
110 description: The first Keystone credential key. Must be a valid key. Secret material; it is written to /etc/keystone/credential-keys/0.
113 description: The second Keystone credential key. Must be a valid key. Secret material; it is written to /etc/keystone/credential-keys/1.
117 description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
121 description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
124 description: Mapping containing keystone's fernet keys and their paths.
125 KeystoneFernetMaxActiveKeys:
127 description: The maximum active keys in the keystone fernet key repository.
129 ManageKeystoneFernetKeys:
132 description: Whether TripleO should manage the keystone fernet keys (maps to keystone::fernet_replace_keys).
133 If set to true, the fernet keys get their values from the
134 saved keys repository in mistral (the KeystoneFernetKeys
135 parameter) on every stack update. If set to false, only the stack creation
136 initializes the keys; subsequent updates won't touch them.
137 KeystoneLoggingSource:
140 tag: openstack.keystone
141 path: /var/log/keystone/keystone.log
145 KeystoneCronTokenFlushEnsure:
148 Cron to purge expired tokens - Ensure
150 KeystoneCronTokenFlushMinute:
151 type: comma_delimited_list
153 Cron to purge expired tokens - Minute
155 KeystoneCronTokenFlushHour:
156 type: comma_delimited_list
158 Cron to purge expired tokens - Hour
160 KeystoneCronTokenFlushMonthday:
161 type: comma_delimited_list
163 Cron to purge expired tokens - Month Day
165 KeystoneCronTokenFlushMonth:
166 type: comma_delimited_list
168 Cron to purge expired tokens - Month
170 KeystoneCronTokenFlushWeekday:
171 type: comma_delimited_list
173 Cron to purge expired tokens - Week Day
175 KeystoneCronTokenFlushMaxDelay:
178 Cron to purge expired tokens - Max Delay
180 KeystoneCronTokenFlushDestination:
183 Cron to purge expired tokens - Log destination
184 default: '/var/log/keystone/keystone-tokenflush.log'
185 KeystoneCronTokenFlushUser:
188 Cron to purge expired tokens - User
192 A hash of policies to configure for Keystone.
193 e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
196 KeystoneLDAPDomainEnable:
197 description: Set to true to call the ldap_backend puppet-keystone define. This enables the LDAP domain backends listed in KeystoneLDAPBackendConfigs, turns on keystone::using_domain_config, and enables Horizon multi-domain support.
200 KeystoneLDAPBackendConfigs:
201 description: Hash containing the configurations for the LDAP backends
202 configured in keystone. Only applied when KeystoneLDAPDomainEnable is true; treat it as sensitive, since it may carry LDAP bind credentials.
208 default: 'messagingv2'
209 description: Driver or drivers to handle sending notifications.
211 - allowed_values: [ 'messagingv2', 'noop' ]
216 The following parameters are deprecated and will be removed. They should not
217 be relied on for new deployments. If you have concerns regarding deprecated
218 parameters, please contact the TripleO development team on IRC or the
219 OpenStack mailing list.
223 - KeystoneNotificationDriver
230 ServiceNetMap: {get_param: ServiceNetMap}
231 DefaultPasswords: {get_param: DefaultPasswords}
232 EndpointMap: {get_param: EndpointMap}
233 RoleName: {get_param: RoleName}
234 RoleParameters: {get_param: RoleParameters}
235 EnableInternalTLS: {get_param: EnableInternalTLS}
238 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
239 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
240 service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
244 description: Role data for the Keystone role.
246 service_name: keystone
247 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
248 logging_source: {get_param: KeystoneLoggingSource}
253 - get_attr: [ApacheServiceBase, role_data, config_settings]
254 - keystone::database_connection:
256 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
258 password: {get_param: AdminToken}
259 host: {get_param: [EndpointMap, MysqlInternal, host]}
262 read_default_file: /etc/my.cnf.d/tripleo.cnf
263 read_default_group: tripleo
264 keystone::admin_token: {get_param: AdminToken}
265 keystone::admin_password: {get_param: AdminPassword}
266 keystone::roles::admin::password: {get_param: AdminPassword}
267 keystone::policy::policies: {get_param: KeystonePolicies}
268 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
269 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
270 keystone::token_provider: {get_param: KeystoneTokenProvider}
271 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
272 keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
273 keystone::enable_proxy_headers_parsing: true
274 keystone::enable_credential_setup: true
275 keystone::credential_keys:
276 '/etc/keystone/credential-keys/0':
277 content: {get_param: KeystoneCredential0}
278 '/etc/keystone/credential-keys/1':
279 content: {get_param: KeystoneCredential1}
280 keystone::fernet_keys: {get_param: KeystoneFernetKeys}
281 keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
284 - service_debug_unset
285 - {get_param: Debug }
286 - {get_param: KeystoneDebug }
287 keystone::rabbit_userid: {get_param: RabbitUserName}
288 keystone::rabbit_password: {get_param: RabbitPassword}
289 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
290 keystone::rabbit_port: {get_param: RabbitClientPort}
291 keystone::notification_driver: {get_param: NotificationDriver}
292 keystone::notification_format: {get_param: KeystoneNotificationFormat}
293 keystone::roles::admin::email: {get_param: AdminEmail}
294 keystone::roles::admin::password: {get_param: AdminPassword}
295 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
296 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
297 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
298 keystone::endpoint::region: {get_param: KeystoneRegion}
299 keystone::endpoint::version: ''
300 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
301 keystone::rabbit_heartbeat_timeout_threshold: 60
302 keystone::cron::token_flush::maxdelay: 3600
303 keystone::roles::admin::service_tenant: 'service'
304 keystone::roles::admin::admin_tenant: 'admin'
305 keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
306 keystone::config::keystone_config:
308 value: 'keystone.contrib.ec2.backends.sql.Ec2'
309 keystone::service_name: 'httpd'
310 keystone::enable_ssl: {get_param: EnableInternalTLS}
311 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
312 keystone::wsgi::apache::servername:
315 "%{hiera('fqdn_$NETWORK')}"
317 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
318 keystone::wsgi::apache::servername_admin:
321 "%{hiera('fqdn_$NETWORK')}"
323 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
324 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
325 # override via extraconfig:
326 keystone::wsgi::apache::threads: 1
327 keystone::db::database_db_max_retries: -1
328 keystone::db::database_max_retries: -1
329 tripleo.keystone.firewall_rules:
336 keystone::admin_bind_host:
339 "%{hiera('fqdn_$NETWORK')}"
341 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
342 keystone::public_bind_host:
345 "%{hiera('fqdn_$NETWORK')}"
347 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
348 # NOTE: bind IP is found in Heat replacing the network name with the
349 # local node IP for the given network; replacement examples
350 # (eg. for internal_api):
352 # internal_api_uri -> [IP]
353 # internal_api_subnet -> IP/CIDR
354 # NOTE: this applies to both bind IP settings below...
355 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
356 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
357 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
358 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
359 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
360 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
361 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
362 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
363 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
364 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
365 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
368 - keystone_ldap_domain_enabled
370 tripleo::profile::base::keystone::ldap_backend_enable: True
371 keystone::using_domain_config: True
372 tripleo::profile::base::keystone::ldap_backends_config:
373 get_param: KeystoneLDAPBackendConfigs
377 include ::tripleo::profile::base::keystone
378 service_config_settings:
380 keystone::db::mysql::password: {get_param: AdminToken}
381 keystone::db::mysql::user: keystone
382 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
383 keystone::db::mysql::dbname: keystone
384 keystone::db::mysql::allowed_hosts:
386 - "%{hiera('mysql_bind_host')}"
389 - keystone_ldap_domain_enabled
391 horizon::keystone_multidomain_support: true
392 horizon::keystone_default_domain: 'Default'
395 get_attr: [ApacheServiceBase, role_data, metadata_settings]
398 expression: $.data.apache_upgrade + $.data.keystone_upgrade
401 get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
403 - name: Stop keystone service (running under httpd)
405 service: name=httpd state=stopped