heat_template_version: pike

description: >
  OpenStack Keystone service configured with Puppet

parameters:
  KeystoneEnableDBPurge:
    default: true
    description: |
        Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationDriver:
    description: Comma-separated list of Oslo notification drivers used by Keystone
    default: ['messaging']
    type: comma_delimited_list
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: [ 'basic', 'cadf' ]
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['uuid', 'fernet']
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  Debug:
    type: string
    default: ''
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  AdminToken:
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '%{::os_workers}'
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
  KeystoneFernetKey0:
    type: string
    description: The first Keystone fernet key. Must be a valid key.
  KeystoneFernetKey1:
    type: string
    description: The second Keystone fernet key. Must be a valid key.
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
  EnableInternalTLS:
    type: boolean
    default: false
  KeystoneCronTokenFlushEnsure:
    type: string
    description: >
        Cron to purge expired tokens - Ensure
    default: 'present'
  KeystoneCronTokenFlushMinute:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Minute
    default: '1'
  KeystoneCronTokenFlushHour:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Hour
    default: '*'
  KeystoneCronTokenFlushMonthday:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Month Day
    default: '*'
  KeystoneCronTokenFlushMonth:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Month
    default: '*'
  KeystoneCronTokenFlushWeekday:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Week Day
    default: '*'
  KeystoneCronTokenFlushMaxDelay:
    type: string
    description: >
        Cron to purge expired tokens - Max Delay
    default: '0'
  KeystoneCronTokenFlushDestination:
    type: string
    description: >
        Cron to purge expired tokens - Log destination
    default: '/var/log/keystone/keystone-tokenflush.log'
  KeystoneCronTokenFlushUser:
    type: string
    description: >
        Cron to purge expired tokens - User
    default: 'keystone'
  KeystonePolicies:
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  KeystoneLDAPDomainEnable:
    description: Trigger to call ldap_backend puppet keystone define.
    type: boolean
    default: False
  KeystoneLDAPBackendConfigs:
    description: Hash containing the configurations for the LDAP backends
                 configured in keystone.
    type: json
    default: {}
    hidden: true

resources:

  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}

conditions:
  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}

outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      logging_source: {get_param: KeystoneLoggingSource}
      logging_groups:
        - keystone
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - keystone::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: keystone
                password: {get_param: AdminToken}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /keystone
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::fernet_keys:
              '/etc/keystone/fernet-keys/0':
                content: {get_param: KeystoneFernetKey0}
              '/etc/keystone/fernet-keys/1':
                content: {get_param: KeystoneFernetKey1}
            keystone::fernet_replace_keys: false
            keystone::debug: {get_param: Debug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}
            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            keystone::rabbit_port: {get_param: RabbitClientPort}
            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            keystone::roles::admin::email: {get_param: AdminEmail}
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            keystone::endpoint::region: {get_param: KeystoneRegion}
            keystone::endpoint::version: ''
            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            keystone::cron::token_flush::maxdelay: 3600
            keystone::roles::admin::service_tenant: 'service'
            keystone::roles::admin::admin_tenant: 'admin'
            keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
            keystone::config::keystone_config:
              ec2/driver:
                value: 'keystone.contrib.ec2.backends.sql.Ec2'
            keystone::service_name: 'httpd'
            keystone::enable_ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::servername_admin:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            tripleo.keystone.firewall_rules:
              '111 keystone':
                dport:
                  - 5000
                  - 13000
                  - 35357
                  - 13357
            keystone::admin_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::public_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            # NOTE: this applies to all 2 bind IP settings below...
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
            keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
            keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
            keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
            keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
            keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
            keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
            keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
            keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
          -
            if:
            - keystone_ldap_domain_enabled
            -
              tripleo::profile::base::keystone::ldap_backend_enable: True
              keystone::using_domain_config: True
              tripleo::profile::base::keystone::ldap_backends_config:
                get_param: KeystoneLDAPBackendConfigs
            - {}

      step_config: |
        include ::tripleo::profile::base::keystone
      service_config_settings:
        mysql:
          keystone::db::mysql::password: {get_param: AdminToken}
          keystone::db::mysql::user: keystone
          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          keystone::db::mysql::dbname: keystone
          keystone::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        horizon:
          if:
          - keystone_ldap_domain_enabled
          -
            horizon::keystone_multidomain_support: true
            horizon::keystone_default_domain: 'Default'
          - {}
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        yaql:
          expression: $.data.apache_upgrade + $.data.keystone_upgrade
          data:
            apache_upgrade:
              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
            keystone_upgrade:
              - name: Stop keystone service (running under httpd)
                tags: step1
                service: name=httpd state=stopped