Define keystone token provider

In order to eventually enable fernet tokens for keystone, we need to be
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.

Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #1641763

1 files changed, 12 insertions, 1 deletions

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 4ae90e97..d819e043 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
 
 description: >
   OpenStack Keystone service configured with Puppet
@@ -32,6 +32,12 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  KeystoneTokenProvider:
+    description: The keystone token format
+    type: string
+    default: 'uuid'
+    constraints:
+      - allowed_values: ['uuid', 'fernet']
   ServiceNetMap:
     default: {}
     description: Mapping of service_name -> network name. Typically set
@@ -112,6 +118,9 @@ resources:
       EndpointMap: {get_param: EndpointMap}
       EnableInternalTLS: {get_param: EnableInternalTLS}
 
+conditions:
+  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+
 outputs:
   role_data:
     description: Role data for the Keystone role.
@@ -138,6 +147,8 @@ outputs:
             keystone::roles::admin::password: {get_param: AdminPassword}
             keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
             keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+            keystone::token_provider: {get_param: KeystoneTokenProvider}
+            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
             keystone::enable_proxy_headers_parsing: true
             keystone::enable_credential_setup: true
             keystone::credential_keys: