1 files changed, 131 insertions, 51 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 25d92d4a..e3531636 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -4,24 +4,11 @@ description: >
   OpenStack Keystone service configured with Puppet
 
 parameters:
-  KeystoneCACertificate:
-    default: ''
-    description: Keystone self-signed certificate authority certificate.
-    type: string
   KeystoneEnableDBPurge:
     default: true
     description: |
         Whether to create cron job for purging soft deleted rows in Keystone database.
     type: boolean
-  KeystoneSigningCertificate:
-    default: ''
-    description: Keystone certificate for verifying token validity.
-    type: string
-  KeystoneSigningKey:
-    default: ''
-    description: Keystone key for signing tokens.
-    type: string
-    hidden: true
   KeystoneSSLCertificate:
     default: ''
     description: Keystone certificate for verifying token validity.
@@ -45,10 +32,15 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
-  KeystoneWorkers:
-    default: 0
-    description: Number of workers for Keystone service.
-    type: number
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
   EndpointMap:
     default: {}
     description: Mapping of service endpoint -> protocol. Typically set
@@ -88,45 +80,133 @@ parameters:
     default: 5672
     description: Set rabbit subscriber port, change this if using SSL
     type: number
+  KeystoneWorkers:
+    type: string
+    description: Set the number of workers for keystone::wsgi::apache
+    default: '"%{::processorcount}"'
+  MonitoringSubscriptionKeystone:
+    default: 'overcloud-kestone'
+    type: string
+  KeystoneCredential0:
+    type: string
+    description: The first Keystone credential key. Must be a valid key.
+  KeystoneCredential1:
+    type: string
+    description: The second Keystone credential key. Must be a valid key.
+  KeystoneLoggingSource:
+    type: json
+    default:
+      tag: openstack.keystone
+      path: /var/log/keystone/keystone.log
+
+resources:
+
+  ApacheServiceBase:
+    type: ./apache.yaml
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
 
 outputs:
   role_data:
     description: Role data for the Keystone role.
     value:
+      service_name: keystone
+      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
+      logging_source: {get_param: KeystoneLoggingSource}
+      logging_groups:
+        - keystone
       config_settings:
-        keystone::database_connection:
-          list_join:
-            - ''
-            - - {get_param: [EndpointMap, MysqlInternal, protocol]}
-              - '://keystone:'
-              - {get_param: AdminToken}
-              - '@'
-              - {get_param: [EndpointMap, MysqlInternal, host]}
-              - '/keystone'
-        keystone::admin_token: {get_param: AdminToken}
-        keystone::roles::admin::password: {get_param: AdminPassword}
-        keystone_ca_certificate: {get_param: KeystoneCACertificate}
-        keystone_signing_key: {get_param: KeystoneSigningKey}
-        keystone_signing_certificate: {get_param: KeystoneSigningCertificate}
-        keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
-        keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
-        keystone::debug: {get_param: Debug}
-        keystone::db::mysql::password: {get_param: AdminToken}
-        keystone::rabbit_userid: {get_param: RabbitUserName}
-        keystone::rabbit_password: {get_param: RabbitPassword}
-        keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
-        keystone::rabbit_port: {get_param: RabbitClientPort}
-        keystone::notification_driver: {get_param: KeystoneNotificationDriver}
-        keystone::notification_format: {get_param: KeystoneNotificationFormat}
-        keystone::roles::admin::email: {get_param: AdminEmail}
-        keystone::roles::admin::password: {get_param: AdminPassword}
-        keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
-        keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-        keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
-        keystone::endpoint::region: {get_param: KeystoneRegion}
-        keystone::admin_workers: {get_param: KeystoneWorkers}
-        keystone::public_workers: {get_param: KeystoneWorkers}
-        keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
-        keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+        map_merge:
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
+          - keystone::database_connection:
+              list_join:
+                - ''
+                - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+                  - '://keystone:'
+                  - {get_param: AdminToken}
+                  - '@'
+                  - {get_param: [EndpointMap, MysqlInternal, host]}
+                  - '/keystone'
+            keystone::admin_token: {get_param: AdminToken}
+            keystone::roles::admin::password: {get_param: AdminPassword}
+            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
+            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+            keystone::enable_proxy_headers_parsing: true
+            keystone::enable_credential_setup: true
+            keystone::credential_keys:
+              '/etc/keystone/credential-keys/0':
+                content: {get_param: KeystoneCredential0}
+              '/etc/keystone/credential-keys/1':
+                content: {get_param: KeystoneCredential1}
+            keystone::debug: {get_param: Debug}
+            keystone::rabbit_userid: {get_param: RabbitUserName}
+            keystone::rabbit_password: {get_param: RabbitPassword}
+            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+            keystone::rabbit_port: {get_param: RabbitClientPort}
+            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
+            keystone::notification_format: {get_param: KeystoneNotificationFormat}
+            keystone::roles::admin::email: {get_param: AdminEmail}
+            keystone::roles::admin::password: {get_param: AdminPassword}
+            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            keystone::endpoint::region: {get_param: KeystoneRegion}
+            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
+            keystone::rabbit_heartbeat_timeout_threshold: 60
+            keystone::cron::token_flush::maxdelay: 3600
+            keystone::roles::admin::service_tenant: 'service'
+            keystone::roles::admin::admin_tenant: 'admin'
+            keystone::cron::token_flush::destination: '/dev/null'
+            keystone::config::keystone_config:
+              ec2/driver:
+                value: 'keystone.contrib.ec2.backends.sql.Ec2'
+            keystone::service_name: 'httpd'
+            keystone::wsgi::apache::ssl: false
+            keystone::wsgi::apache::servername:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            keystone::wsgi::apache::servername_admin:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
+            # override via extraconfig:
+            keystone::wsgi::apache::threads: 1
+            keystone::db::database_db_max_retries: -1
+            keystone::db::database_max_retries: -1
+            tripleo.keystone.firewall_rules:
+              '111 keystone':
+                dport:
+                  - 5000
+                  - 13000
+                  - 35357
+                  - 13357
+            # NOTE: bind IP is found in Heat replacing the network name with the
+            # local node IP for the given network; replacement examples
+            # (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            # NOTE: this applies to all 4 bind IP settings below...
+            keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
       step_config: |
         include ::tripleo::profile::base::keystone
+      service_config_settings:
+        mysql:
+          keystone::db::mysql::password: {get_param: AdminToken}
+          keystone::db::mysql::user: keystone
+          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+          keystone::db::mysql::dbname: keystone
+          keystone::db::mysql::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"