-heat_template_version: 2016-10-14
+heat_template_version: ocata
description: >
OpenStack Keystone service configured with Puppet
KeystoneTokenProvider:
description: The keystone token format
type: string
- default: 'uuid'
+ default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
ServiceNetMap:
KeystoneWorkers:
type: string
description: Set the number of workers for keystone::wsgi::apache
- default: '"%{::os_workers}"'
+ default: '%{::os_workers}'
MonitoringSubscriptionKeystone:
default: 'overcloud-keystone'
type: string
EnableInternalTLS:
type: boolean
default: false
+ KeystoneCronTokenFlushEnsure:
+ type: string
+ description: >
+ Cron to purge expired tokens - Ensure
+ default: 'present'
+ KeystoneCronTokenFlushMinute:
+ type: string
+ description: >
+ Cron to purge expired tokens - Minute
+ default: '1'
+ KeystoneCronTokenFlushHour:
+ type: string
+ description: >
+ Cron to purge expired tokens - Hour
+ default: '0'
+ KeystoneCronTokenFlushMonthday:
+ type: string
+ description: >
+ Cron to purge expired tokens - Month Day
+ default: '*'
+ KeystoneCronTokenFlushMonth:
+ type: string
+ description: >
+ Cron to purge expired tokens - Month
+ default: '*'
+ KeystoneCronTokenFlushWeekday:
+ type: string
+ description: >
+ Cron to purge expired tokens - Week Day
+ default: '*'
+ KeystoneCronTokenFlushMaxDelay:
+ type: string
+ description: >
+ Cron to purge expired tokens - Max Delay
+ default: '0'
+ KeystoneCronTokenFlushDestination:
+ type: string
+ description: >
+ Cron to purge expired tokens - Log destination
+ default: '/var/log/keystone/keystone-tokenflush.log'
+ KeystoneCronTokenFlushUser:
+ type: string
+ description: >
+ Cron to purge expired tokens - User
+ default: 'keystone'
resources:
- '@'
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/keystone'
+ - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
keystone::admin_token: {get_param: AdminToken}
keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
keystone::endpoint::region: {get_param: KeystoneRegion}
+ keystone::endpoint::version: ''
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
keystone::rabbit_heartbeat_timeout_threshold: 60
keystone::cron::token_flush::maxdelay: 3600
keystone::roles::admin::service_tenant: 'service'
keystone::roles::admin::admin_tenant: 'admin'
- keystone::cron::token_flush::destination: '/dev/null'
+ keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
keystone::config::keystone_config:
ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::wsgi::apache::servername:
str_replace:
template:
- '"%{::fqdn_$NETWORK}"'
+ "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::servername_admin:
str_replace:
template:
- '"%{::fqdn_$NETWORK}"'
+ "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
keystone::admin_bind_host:
str_replace:
template:
- '"%{::fqdn_$NETWORK}"'
+ "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::public_bind_host:
str_replace:
template:
- '"%{::fqdn_$NETWORK}"'
+ "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# NOTE: this applies to all 2 bind IP settings below...
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+ keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
+ keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
+ keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
+ keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
+ keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
+ keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
+ keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
+ keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
+ keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
+
step_config: |
include ::tripleo::profile::base::keystone
service_config_settings:
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ # Ansible tasks to handle upgrade
+ upgrade_tasks:
+ - name: Stop keystone service (running under httpd)
+ tags: step1
+ service: name=httpd state=stopped
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
Code Review / apex-tripleo-heat-templates.git / blobdiff