aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/services/keystone.yaml
blob: d45ed86ed3d8416e6ad9332c12c97e6849de4822 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
heat_template_version: 2016-04-08

description: >
  OpenStack Keystone service configured with Puppet

parameters:
  KeystoneEnableDBPurge:
    default: true
    description: |
        Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationDriver:
    description: Comma-separated list of Oslo notification drivers used by Keystone
    default: ['messaging']
    type: comma_delimited_list
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: [ 'basic', 'cadf' ]
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  Debug:
    type: string
    default: ''
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  AdminToken:
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '"%{::processorcount}"'
outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      config_settings:
        keystone::database_connection:
          list_join:
            - ''
            - - {get_param: [EndpointMap, MysqlInternal, protocol]}
              - '://keystone:'
              - {get_param: AdminToken}
              - '@'
              - {get_param: [EndpointMap, MysqlInternal, host]}
              - '/keystone'
        keystone::admin_token: {get_param: AdminToken}
        keystone::roles::admin::password: {get_param: AdminPassword}
        keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
        keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
        keystone::enable_proxy_headers_parsing: true
        keystone::debug: {get_param: Debug}
        keystone::db::mysql::password: {get_param: AdminToken}
        keystone::rabbit_userid: {get_param: RabbitUserName}
        keystone::rabbit_password: {get_param: RabbitPassword}
        keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
        keystone::rabbit_port: {get_param: RabbitClientPort}
        keystone::notification_driver: {get_param: KeystoneNotificationDriver}
        keystone::notification_format: {get_param: KeystoneNotificationFormat}
        keystone::roles::admin::email: {get_param: AdminEmail}
        keystone::roles::admin::password: {get_param: AdminPassword}
        keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
        keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
        keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
        keystone::endpoint::region: {get_param: KeystoneRegion}
        keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
        keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
        keystone::db::mysql::user: keystone
        keystone::db::mysql::host: {get_param: [EndpointMap, MysqlNoBracketsInternal, host]}
        keystone::db::mysql::dbname: keystone
        keystone::db::mysql::allowed_hosts:
          - '%'
          - "%{hiera('mysql_bind_host')}"
        keystone::rabbit_heartbeat_timeout_threshold: 60
        keystone::cron::token_flush::maxdelay: 3600
        keystone::roles::admin::service_tenant: 'service'
        keystone::roles::admin::admin_tenant: 'admin'
        keystone::cron::token_flush::destination: '/dev/null'
        keystone::config::keystone_config:
          ec2/driver:
            value: 'keystone.contrib.ec2.backends.sql.Ec2'
        keystone::service_name: 'httpd'
        keystone::wsgi::apache::ssl: false

        keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
        # override via extraconfig:
        keystone::wsgi::apache::threads: 1
        keystone::db::database_db_max_retries: -1
        keystone::db::database_max_retries: -1
        tripleo.keystone.firewall_rules:
          '111 keystone':
            dport:
              - 5000
              - 13000
              - 35357
              - 13357
      step_config: |
        include ::tripleo::profile::base::keystone