summaryrefslogtreecommitdiffstats
path: root/puppet/services/keystone.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/services/keystone.yaml')
-rw-r--r--puppet/services/keystone.yaml182
1 files changed, 131 insertions, 51 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 25d92d4a..e3531636 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -4,24 +4,11 @@ description: >
OpenStack Keystone service configured with Puppet
parameters:
- KeystoneCACertificate:
- default: ''
- description: Keystone self-signed certificate authority certificate.
- type: string
KeystoneEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Keystone database.
type: boolean
- KeystoneSigningCertificate:
- default: ''
- description: Keystone certificate for verifying token validity.
- type: string
- KeystoneSigningKey:
- default: ''
- description: Keystone key for signing tokens.
- type: string
- hidden: true
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
@@ -45,10 +32,15 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
- KeystoneWorkers:
- default: 0
- description: Number of workers for Keystone service.
- type: number
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
@@ -88,45 +80,133 @@ parameters:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
+ KeystoneWorkers:
+ type: string
+ description: Set the number of workers for keystone::wsgi::apache
+ default: '"%{::processorcount}"'
+ MonitoringSubscriptionKeystone:
+ default: 'overcloud-kestone'
+ type: string
+ KeystoneCredential0:
+ type: string
+ description: The first Keystone credential key. Must be a valid key.
+ KeystoneCredential1:
+ type: string
+ description: The second Keystone credential key. Must be a valid key.
+ KeystoneLoggingSource:
+ type: json
+ default:
+ tag: openstack.keystone
+ path: /var/log/keystone/keystone.log
+
+resources:
+
+ ApacheServiceBase:
+ type: ./apache.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
outputs:
role_data:
description: Role data for the Keystone role.
value:
+ service_name: keystone
+ monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
+ logging_source: {get_param: KeystoneLoggingSource}
+ logging_groups:
+ - keystone
config_settings:
- keystone::database_connection:
- list_join:
- - ''
- - - {get_param: [EndpointMap, MysqlInternal, protocol]}
- - '://keystone:'
- - {get_param: AdminToken}
- - '@'
- - {get_param: [EndpointMap, MysqlInternal, host]}
- - '/keystone'
- keystone::admin_token: {get_param: AdminToken}
- keystone::roles::admin::password: {get_param: AdminPassword}
- keystone_ca_certificate: {get_param: KeystoneCACertificate}
- keystone_signing_key: {get_param: KeystoneSigningKey}
- keystone_signing_certificate: {get_param: KeystoneSigningCertificate}
- keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
- keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
- keystone::debug: {get_param: Debug}
- keystone::db::mysql::password: {get_param: AdminToken}
- keystone::rabbit_userid: {get_param: RabbitUserName}
- keystone::rabbit_password: {get_param: RabbitPassword}
- keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
- keystone::rabbit_port: {get_param: RabbitClientPort}
- keystone::notification_driver: {get_param: KeystoneNotificationDriver}
- keystone::notification_format: {get_param: KeystoneNotificationFormat}
- keystone::roles::admin::email: {get_param: AdminEmail}
- keystone::roles::admin::password: {get_param: AdminPassword}
- keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
- keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
- keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
- keystone::endpoint::region: {get_param: KeystoneRegion}
- keystone::admin_workers: {get_param: KeystoneWorkers}
- keystone::public_workers: {get_param: KeystoneWorkers}
- keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
- keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+ map_merge:
+ - get_attr: [ApacheServiceBase, role_data, config_settings]
+ - keystone::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://keystone:'
+ - {get_param: AdminToken}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/keystone'
+ keystone::admin_token: {get_param: AdminToken}
+ keystone::roles::admin::password: {get_param: AdminPassword}
+ keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
+ keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+ keystone::enable_proxy_headers_parsing: true
+ keystone::enable_credential_setup: true
+ keystone::credential_keys:
+ '/etc/keystone/credential-keys/0':
+ content: {get_param: KeystoneCredential0}
+ '/etc/keystone/credential-keys/1':
+ content: {get_param: KeystoneCredential1}
+ keystone::debug: {get_param: Debug}
+ keystone::rabbit_userid: {get_param: RabbitUserName}
+ keystone::rabbit_password: {get_param: RabbitPassword}
+ keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ keystone::rabbit_port: {get_param: RabbitClientPort}
+ keystone::notification_driver: {get_param: KeystoneNotificationDriver}
+ keystone::notification_format: {get_param: KeystoneNotificationFormat}
+ keystone::roles::admin::email: {get_param: AdminEmail}
+ keystone::roles::admin::password: {get_param: AdminPassword}
+ keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+ keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ keystone::endpoint::region: {get_param: KeystoneRegion}
+ keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
+ keystone::rabbit_heartbeat_timeout_threshold: 60
+ keystone::cron::token_flush::maxdelay: 3600
+ keystone::roles::admin::service_tenant: 'service'
+ keystone::roles::admin::admin_tenant: 'admin'
+ keystone::cron::token_flush::destination: '/dev/null'
+ keystone::config::keystone_config:
+ ec2/driver:
+ value: 'keystone.contrib.ec2.backends.sql.Ec2'
+ keystone::service_name: 'httpd'
+ keystone::wsgi::apache::ssl: false
+ keystone::wsgi::apache::servername:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+ keystone::wsgi::apache::servername_admin:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+ keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
+ # override via extraconfig:
+ keystone::wsgi::apache::threads: 1
+ keystone::db::database_db_max_retries: -1
+ keystone::db::database_max_retries: -1
+ tripleo.keystone.firewall_rules:
+ '111 keystone':
+ dport:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ # NOTE: this applies to all 4 bind IP settings below...
+ keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+ keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+ keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+ keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
step_config: |
include ::tripleo::profile::base::keystone
+ service_config_settings:
+ mysql:
+ keystone::db::mysql::password: {get_param: AdminToken}
+ keystone::db::mysql::user: keystone
+ keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ keystone::db::mysql::dbname: keystone
+ keystone::db::mysql::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"