X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=puppet%2Fservices%2Fkeystone.yaml;h=9535682a034f0afba3eddf51bfdb15f55eb4e065;hb=fb5eb77331006fe34991189b1f84c3ebb6c00132;hp=f3a9cbc494e3bf403ff4445908127bb136bf5d39;hpb=737f40d755b29229d698b37239c4179a08a17a17;p=apex-tripleo-heat-templates.git diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f3a9cbc4..9535682a 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -113,10 +113,27 @@ parameters: description: The second Keystone credential key. Must be a valid key. KeystoneFernetKey0: type: string - description: The first Keystone fernet key. Must be a valid key. + default: '' + description: (DEPRECATED) The first Keystone fernet key. Must be a valid key. KeystoneFernetKey1: type: string - description: The second Keystone fernet key. Must be a valid key. + default: '' + description: (DEPRECATED) The second Keystone fernet key. Must be a valid key. + KeystoneFernetKeys: + type: json + description: Mapping containing keystone's fernet keys and their paths. + KeystoneFernetMaxActiveKeys: + type: number + description: The maximum active keys in the keystone fernet key repository. + default: 5 + ManageKeystoneFernetKeys: + type: boolean + default: true + description: Whether TripleO should manage the keystone fernet keys or not. + If set to true, the fernet keys will get the values from the + saved keys repository in mistral (the KeystoneFernetKeys + variable). If set to false, only the stack creation + initializes the keys, but subsequent updates won't touch them. KeystoneLoggingSource: type: json default: @@ -186,6 +203,24 @@ parameters: type: json default: {} hidden: true + NotificationDriver: + type: string + default: 'messagingv2' + description: Driver or drivers to handle sending notifications. + constraints: + - allowed_values: [ 'messagingv2', 'noop' ] + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - KeystoneFernetKey0 + - KeystoneFernetKey1 + - KeystoneNotificationDriver resources: @@ -234,6 +269,7 @@ outputs: keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} + keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: @@ -241,12 +277,8 @@ outputs: content: {get_param: KeystoneCredential0} '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} - keystone::fernet_keys: - '/etc/keystone/fernet-keys/0': - content: {get_param: KeystoneFernetKey0} - '/etc/keystone/fernet-keys/1': - content: {get_param: KeystoneFernetKey1} - keystone::fernet_replace_keys: false + keystone::fernet_keys: {get_param: KeystoneFernetKeys} + keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys} keystone::debug: if: - service_debug_unset @@ -256,7 +288,7 @@ outputs: keystone::rabbit_password: {get_param: RabbitPassword} keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} keystone::rabbit_port: {get_param: RabbitClientPort} - keystone::notification_driver: {get_param: KeystoneNotificationDriver} + keystone::notification_driver: {get_param: NotificationDriver} keystone::notification_format: {get_param: KeystoneNotificationFormat} keystone::roles::admin::email: {get_param: AdminEmail} keystone::roles::admin::password: {get_param: AdminPassword}