aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/horizon.yaml5
-rw-r--r--puppet/services/keystone.yaml27
-rw-r--r--puppet/services/securetty.yaml36
3 files changed, 68 insertions, 0 deletions
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 7ae518b5..8fb13c16 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -40,6 +40,10 @@ parameters:
type: string
hidden: true
default: ''
+ HorizonSecureCookies:
+ description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
+ type: boolean
+ default: true
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
@@ -88,6 +92,7 @@ outputs:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
+ horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {get_param: MemcachedIPv6}
-
if:
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 0976b97c..632d9b0b 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -164,6 +164,16 @@ parameters:
e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
+ KeystoneLDAPDomainEnable:
+ description: Trigger to call ldap_backend puppet keystone define.
+ type: boolean
+ default: False
+ KeystoneLDAPBackendConfigs:
+ description: Hash containing the configurations for the LDAP backends
+ configured in keystone.
+ type: json
+ default: {}
+ hidden: true
resources:
@@ -177,6 +187,7 @@ resources:
conditions:
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+ keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
outputs:
role_data:
@@ -300,6 +311,15 @@ outputs:
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
+ -
+ if:
+ - keystone_ldap_domain_enabled
+ -
+ tripleo::profile::base::keystone::ldap_backend_enable: True
+ keystone::using_domain_config: True
+ tripleo::profile::base::keystone::ldap_backends_config:
+ get_param: KeystoneLDAPBackendConfigs
+ - {}
step_config: |
include ::tripleo::profile::base::keystone
@@ -312,6 +332,13 @@ outputs:
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ horizon:
+ if:
+ - keystone_ldap_domain_enabled
+ -
+ horizon::keystone_multidomain_support: true
+ horizon::keystone_default_domain: 'Default'
+ - {}
# Ansible tasks to handle upgrade
upgrade_tasks:
- name: Stop keystone service (running under httpd)
diff --git a/puppet/services/securetty.yaml b/puppet/services/securetty.yaml
new file mode 100644
index 00000000..6d32fe82
--- /dev/null
+++ b/puppet/services/securetty.yaml
@@ -0,0 +1,36 @@
+heat_template_version: ocata
+
+description: >
+ Configure securetty values
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ TtyValues:
+ default: {}
+ description: Configures console values in securetty
+ type: json
+ constraints:
+ - length: { min: 1}
+
+outputs:
+ role_data:
+ description: Console data for the securetty
+ value:
+ service_name: securetty
+ config_settings:
+ tripleo::profile::base::securetty::tty_list: {get_param: TtyValues}
+ step_config: |
+ include ::tripleo::profile::base::securetty