diff options
Diffstat (limited to 'puppet/services/keystone.yaml')
-rw-r--r-- | puppet/services/keystone.yaml | 182 |
1 files changed, 131 insertions, 51 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 25d92d4a..e3531636 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -4,24 +4,11 @@ description: > OpenStack Keystone service configured with Puppet parameters: - KeystoneCACertificate: - default: '' - description: Keystone self-signed certificate authority certificate. - type: string KeystoneEnableDBPurge: default: true description: | Whether to create cron job for purging soft deleted rows in Keystone database. type: boolean - KeystoneSigningCertificate: - default: '' - description: Keystone certificate for verifying token validity. - type: string - KeystoneSigningKey: - default: '' - description: Keystone key for signing tokens. - type: string - hidden: true KeystoneSSLCertificate: default: '' description: Keystone certificate for verifying token validity. @@ -45,10 +32,15 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint - KeystoneWorkers: - default: 0 - description: Number of workers for Keystone service. - type: number + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -88,45 +80,133 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + KeystoneWorkers: + type: string + description: Set the number of workers for keystone::wsgi::apache + default: '"%{::processorcount}"' + MonitoringSubscriptionKeystone: + default: 'overcloud-kestone' + type: string + KeystoneCredential0: + type: string + description: The first Keystone credential key. Must be a valid key. + KeystoneCredential1: + type: string + description: The second Keystone credential key. Must be a valid key. + KeystoneLoggingSource: + type: json + default: + tag: openstack.keystone + path: /var/log/keystone/keystone.log + +resources: + + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} outputs: role_data: description: Role data for the Keystone role. value: + service_name: keystone + monitoring_subscription: {get_param: MonitoringSubscriptionKeystone} + logging_source: {get_param: KeystoneLoggingSource} + logging_groups: + - keystone config_settings: - keystone::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://keystone:' - - {get_param: AdminToken} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/keystone' - keystone::admin_token: {get_param: AdminToken} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone_ca_certificate: {get_param: KeystoneCACertificate} - keystone_signing_key: {get_param: KeystoneSigningKey} - keystone_signing_certificate: {get_param: KeystoneSigningCertificate} - keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} - keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} - keystone::debug: {get_param: Debug} - keystone::db::mysql::password: {get_param: AdminToken} - keystone::rabbit_userid: {get_param: RabbitUserName} - keystone::rabbit_password: {get_param: RabbitPassword} - keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - keystone::rabbit_port: {get_param: RabbitClientPort} - keystone::notification_driver: {get_param: KeystoneNotificationDriver} - keystone::notification_format: {get_param: KeystoneNotificationFormat} - keystone::roles::admin::email: {get_param: AdminEmail} - keystone::roles::admin::password: {get_param: AdminPassword} - keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - keystone::endpoint::region: {get_param: KeystoneRegion} - keystone::admin_workers: {get_param: KeystoneWorkers} - keystone::public_workers: {get_param: KeystoneWorkers} - keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} - keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + map_merge: + - get_attr: [ApacheServiceBase, role_data, config_settings] + - keystone::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://keystone:' + - {get_param: AdminToken} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/keystone' + keystone::admin_token: {get_param: AdminToken} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} + keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} + keystone::enable_proxy_headers_parsing: true + keystone::enable_credential_setup: true + keystone::credential_keys: + '/etc/keystone/credential-keys/0': + content: {get_param: KeystoneCredential0} + '/etc/keystone/credential-keys/1': + content: {get_param: KeystoneCredential1} + keystone::debug: {get_param: Debug} + keystone::rabbit_userid: {get_param: RabbitUserName} + keystone::rabbit_password: {get_param: RabbitPassword} + keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + keystone::rabbit_port: {get_param: RabbitClientPort} + keystone::notification_driver: {get_param: KeystoneNotificationDriver} + keystone::notification_format: {get_param: KeystoneNotificationFormat} + keystone::roles::admin::email: {get_param: AdminEmail} + keystone::roles::admin::password: {get_param: AdminPassword} + keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + keystone::endpoint::region: {get_param: KeystoneRegion} + keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge} + keystone::rabbit_heartbeat_timeout_threshold: 60 + keystone::cron::token_flush::maxdelay: 3600 + keystone::roles::admin::service_tenant: 'service' + keystone::roles::admin::admin_tenant: 'admin' + keystone::cron::token_flush::destination: '/dev/null' + keystone::config::keystone_config: + ec2/driver: + value: 'keystone.contrib.ec2.backends.sql.Ec2' + keystone::service_name: 'httpd' + keystone::wsgi::apache::ssl: false + keystone::wsgi::apache::servername: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::servername_admin: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} + # override via extraconfig: + keystone::wsgi::apache::threads: 1 + keystone::db::database_db_max_retries: -1 + keystone::db::database_max_retries: -1 + tripleo.keystone.firewall_rules: + '111 keystone': + dport: + - 5000 + - 13000 + - 35357 + - 13357 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + # NOTE: this applies to all 4 bind IP settings below... + keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} + keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} step_config: | include ::tripleo::profile::base::keystone + service_config_settings: + mysql: + keystone::db::mysql::password: {get_param: AdminToken} + keystone::db::mysql::user: keystone + keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + keystone::db::mysql::dbname: keystone + keystone::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" |