1 heat_template_version: pike
4 OpenStack Keystone service configured with Puppet
10 Whether to create cron job for purging soft deleted rows in Keystone database.
12 KeystoneSSLCertificate:
14 description: Keystone certificate for verifying token validity.
16 KeystoneSSLCertificateKey:
18 description: Keystone key for signing tokens.
21 KeystoneNotificationDriver:
22 description: Comma-separated list of Oslo notification drivers used by Keystone
23 default: ['messaging']
24 type: comma_delimited_list
25 KeystoneNotificationFormat:
26 description: The Keystone notification format
30 - allowed_values: [ 'basic', 'cadf' ]
31 KeystoneNotificationTopics:
32 description: Keystone notification topics to enable
34 type: comma_delimited_list
38 description: Keystone region for endpoint
39 KeystoneTokenProvider:
40 description: The keystone token format
44 - allowed_values: ['uuid', 'fernet']
47 description: Dictionary packing service data
51 description: Mapping of service_name -> network name. Typically set
52 via parameter_defaults in the resource registry. This
53 mapping overrides those in ServiceNetMapDefaults.
60 description: Role name on which the service is applied
64 description: Parameters specific to the role
68 description: Mapping of service endpoint -> protocol. Typically set
69 via parameter_defaults in the resource registry.
74 description: Set to True to enable debugging on all services.
77 description: Set to True to enable debugging Keystone service.
80 default: 'admin@example.com'
81 description: The email for the keystone admin account.
85 description: The password for the keystone admin account, used for monitoring, querying neutron etc.
89 description: The keystone admin token (auth secret); also used as the keystone database password.
93 description: The password for RabbitMQ
98 description: The username for RabbitMQ
103 Rabbit client subscriber parameter specifying whether to use
104 an SSL connection to the RabbitMQ host.
108 description: Set the rabbit subscriber port; change this if using SSL.
112 description: Set the number of workers for keystone::wsgi::apache
113 default: '%{::os_workers}'
114 MonitoringSubscriptionKeystone:
115 default: 'overcloud-keystone'
119 description: The first Keystone credential key. Must be a valid key.
122 description: The second Keystone credential key. Must be a valid key.
126 description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
130 description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
133 description: Mapping containing keystone's fernet keys and their paths.
134 KeystoneFernetMaxActiveKeys:
136 description: The maximum number of active keys in the keystone fernet key repository.
138 ManageKeystoneFernetKeys:
141 description: Whether TripleO should manage the keystone fernet keys.
142 If set to true, the fernet keys take their values from the
143 saved keys repository in mistral (the KeystoneFernetKeys
144 variable). If set to false, only the stack creation
145 initializes the keys; subsequent updates won't touch them.
146 KeystoneLoggingSource:
149 tag: openstack.keystone
150 path: /var/log/keystone/keystone.log
154 KeystoneCronTokenFlushEnsure:
157 Cron to purge expired tokens - Ensure
159 KeystoneCronTokenFlushMinute:
160 type: comma_delimited_list
162 Cron to purge expired tokens - Minute
164 KeystoneCronTokenFlushHour:
165 type: comma_delimited_list
167 Cron to purge expired tokens - Hour
169 KeystoneCronTokenFlushMonthday:
170 type: comma_delimited_list
172 Cron to purge expired tokens - Month Day
174 KeystoneCronTokenFlushMonth:
175 type: comma_delimited_list
177 Cron to purge expired tokens - Month
179 KeystoneCronTokenFlushWeekday:
180 type: comma_delimited_list
182 Cron to purge expired tokens - Week Day
184 KeystoneCronTokenFlushMaxDelay:
187 Cron to purge expired tokens - Max Delay
189 KeystoneCronTokenFlushDestination:
192 Cron to purge expired tokens - Log destination
193 default: '/var/log/keystone/keystone-tokenflush.log'
194 KeystoneCronTokenFlushUser:
197 Cron to purge expired tokens - User
201 A hash of policies to configure for Keystone.
202 e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
205 KeystoneLDAPDomainEnable:
206 description: Whether to call the ldap_backend Puppet define for Keystone.
209 KeystoneLDAPBackendConfigs:
210 description: Hash containing the configurations for the LDAP backends
211 configured in keystone.
217 default: 'messagingv2'
218 description: Driver or drivers to handle sending notifications.
220 - allowed_values: [ 'messagingv2', 'noop' ]
225 The following parameters are deprecated and will be removed. They should not
226 be relied on for new deployments. If you have concerns regarding deprecated
227 parameters, please contact the TripleO development team on IRC or the
228 OpenStack mailing list.
232 - KeystoneNotificationDriver
239 ServiceData: {get_param: ServiceData}
240 ServiceNetMap: {get_param: ServiceNetMap}
241 DefaultPasswords: {get_param: DefaultPasswords}
242 EndpointMap: {get_param: EndpointMap}
243 RoleName: {get_param: RoleName}
244 RoleParameters: {get_param: RoleParameters}
245 EnableInternalTLS: {get_param: EnableInternalTLS}
248 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
249 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
250 service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
254 description: Role data for the Keystone role.
256 service_name: keystone
257 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
258 logging_source: {get_param: KeystoneLoggingSource}
263 - get_attr: [ApacheServiceBase, role_data, config_settings]
264 - keystone::database_connection:
266 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
268 password: {get_param: AdminToken}
269 host: {get_param: [EndpointMap, MysqlInternal, host]}
272 read_default_file: /etc/my.cnf.d/tripleo.cnf
273 read_default_group: tripleo
274 keystone::admin_token: {get_param: AdminToken}
275 keystone::admin_password: {get_param: AdminPassword}
276 keystone::roles::admin::password: {get_param: AdminPassword}
277 keystone::policy::policies: {get_param: KeystonePolicies}
278 keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
279 keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
280 keystone::token_provider: {get_param: KeystoneTokenProvider}
281 keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
282 keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
283 keystone::enable_proxy_headers_parsing: true
284 keystone::enable_credential_setup: true
285 keystone::credential_keys:
286 '/etc/keystone/credential-keys/0':
287 content: {get_param: KeystoneCredential0}
288 '/etc/keystone/credential-keys/1':
289 content: {get_param: KeystoneCredential1}
290 keystone::fernet_keys: {get_param: KeystoneFernetKeys}
291 keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
294 - service_debug_unset
295 - {get_param: Debug }
296 - {get_param: KeystoneDebug }
297 keystone::rabbit_userid: {get_param: RabbitUserName}
298 keystone::rabbit_password: {get_param: RabbitPassword}
299 keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
300 keystone::rabbit_port: {get_param: RabbitClientPort}
301 keystone::notification_driver: {get_param: NotificationDriver}
302 keystone::notification_format: {get_param: KeystoneNotificationFormat}
303 tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
304 keystone::roles::admin::email: {get_param: AdminEmail}
305 keystone::roles::admin::password: {get_param: AdminPassword}
306 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
307 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
308 keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
309 keystone::endpoint::region: {get_param: KeystoneRegion}
310 keystone::endpoint::version: ''
311 keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
312 keystone::rabbit_heartbeat_timeout_threshold: 60
313 keystone::cron::token_flush::maxdelay: 3600
314 keystone::roles::admin::service_tenant: 'service'
315 keystone::roles::admin::admin_tenant: 'admin'
316 keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
317 keystone::config::keystone_config:
319 value: 'keystone.contrib.ec2.backends.sql.Ec2'
320 keystone::service_name: 'httpd'
321 keystone::enable_ssl: {get_param: EnableInternalTLS}
322 keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
323 keystone::wsgi::apache::servername:
326 "%{hiera('fqdn_$NETWORK')}"
328 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
329 keystone::wsgi::apache::servername_admin:
332 "%{hiera('fqdn_$NETWORK')}"
334 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
335 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
336 # override via extraconfig:
337 keystone::wsgi::apache::threads: 1
338 keystone::db::database_db_max_retries: -1
339 keystone::db::database_max_retries: -1
340 tripleo.keystone.firewall_rules:
347 keystone::admin_bind_host:
350 "%{hiera('fqdn_$NETWORK')}"
352 $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
353 keystone::public_bind_host:
356 "%{hiera('fqdn_$NETWORK')}"
358 $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
359 # NOTE: the bind IP is resolved by Heat, which replaces the network name
360 # with the local node's IP on that network; replacement examples
361 # (e.g. for internal_api):
363 # internal_api_uri -> [IP]
364 # internal_api_subnet -> IP/CIDR
365 # NOTE: this applies to both bind IP settings below.
366 keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
367 keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
368 keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
369 keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
370 keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
371 keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
372 keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
373 keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
374 keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
375 keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
376 keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
379 - keystone_ldap_domain_enabled
381 tripleo::profile::base::keystone::ldap_backend_enable: True
382 keystone::using_domain_config: True
383 tripleo::profile::base::keystone::ldap_backends_config:
384 get_param: KeystoneLDAPBackendConfigs
388 include ::tripleo::profile::base::keystone
389 service_config_settings:
391 keystone::db::mysql::password: {get_param: AdminToken}
392 keystone::db::mysql::user: keystone
393 keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
394 keystone::db::mysql::dbname: keystone
395 keystone::db::mysql::allowed_hosts:
397 - "%{hiera('mysql_bind_host')}"
400 - keystone_ldap_domain_enabled
402 horizon::keystone_multidomain_support: true
403 horizon::keystone_default_domain: 'Default'
406 get_attr: [ApacheServiceBase, role_data, metadata_settings]
409 - get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
411 - name: Stop keystone service (running under httpd)
413 service: name=httpd state=stopped