aboutsummaryrefslogtreecommitdiffstats
path: root/puppet-barometer/manifests/keystone
diff options
context:
space:
mode:
Diffstat (limited to 'puppet-barometer/manifests/keystone')
-rw-r--r--puppet-barometer/manifests/keystone/auth.pp99
-rw-r--r--puppet-barometer/manifests/keystone/authtoken.pp263
2 files changed, 362 insertions, 0 deletions
diff --git a/puppet-barometer/manifests/keystone/auth.pp b/puppet-barometer/manifests/keystone/auth.pp
new file mode 100644
index 00000000..655b2c60
--- /dev/null
+++ b/puppet-barometer/manifests/keystone/auth.pp
@@ -0,0 +1,99 @@
+# == Class: barometer::keystone::auth
+#
+# Configures barometer user, service and endpoint in Keystone.
+#
+# === Parameters
+#
+# [*password*]
+# (required) Password for barometer user.
+#
+# [*ensure*]
+# (optional) Ensure state of keystone service identity. Defaults to 'present'.
+#
+# [*auth_name*]
+# Username for barometer service. Defaults to 'barometer'.
+#
+# [*email*]
+# Email for barometer user. Defaults to 'barometer@localhost'.
+#
+# [*tenant*]
+# Tenant for barometer user. Defaults to 'services'.
+#
+# [*configure_endpoint*]
+# Should barometer endpoint be configured? Defaults to 'true'.
+#
+# [*configure_user*]
+# (Optional) Should the service user be configured?
+# Defaults to 'true'.
+#
+# [*configure_user_role*]
+# (Optional) Should the admin role be configured for the service user?
+# Defaults to 'true'.
+#
+# [*service_type*]
+# Type of service. Defaults to 'key-manager'.
+#
+# [*region*]
+# Region for endpoint. Defaults to 'RegionOne'.
+#
+# [*service_name*]
+# (optional) Name of the service.
+# Defaults to the value of 'barometer'.
+#
+# [*service_description*]
+# (optional) Description of the service.
+# Default to 'barometer NFV Service'
+#
+# [*public_url*]
+# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:9890')
+# This url should *not* contain any trailing '/'.
+#
+# [*admin_url*]
+# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:9890')
+# This url should *not* contain any trailing '/'.
+#
+# [*internal_url*]
+# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:9890')
+#
+class barometer::keystone::auth (
+ $password,
+ $ensure = 'present',
+ $auth_name = 'barometer',
+ $email = 'barometer@localhost',
+ $tenant = 'services',
+ $configure_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
+ $service_name = 'barometer',
+ $service_description = 'barometer NFV Service',
+ $service_type = 'nfv-orchestration',
+ $region = 'RegionOne',
+ $public_url = 'http://127.0.0.1:9890',
+ $admin_url = 'http://127.0.0.1:9890',
+ $internal_url = 'http://127.0.0.1:9890',
+) {
+
+ if $configure_user_role {
+ Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barometer-server' |>
+ }
+ Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Service <| name == 'barometer-server' |>
+
+ keystone::resource::service_identity { 'barometer':
+ ensure => $ensure,
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
+ configure_endpoint => $configure_endpoint,
+ service_name => $service_name,
+ service_type => $service_type,
+ service_description => $service_description,
+ region => $region,
+ auth_name => $auth_name,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ public_url => $public_url,
+ internal_url => $internal_url,
+ admin_url => $admin_url,
+ }
+
+}
diff --git a/puppet-barometer/manifests/keystone/authtoken.pp b/puppet-barometer/manifests/keystone/authtoken.pp
new file mode 100644
index 00000000..b9d3d007
--- /dev/null
+++ b/puppet-barometer/manifests/keystone/authtoken.pp
@@ -0,0 +1,263 @@
+# class: barometer::keystone::auth
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'barometer'
+#
+# [*password*]
+# (Required) Password to create for the service user
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://localhost:35357'.
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to $::os_service_default
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $:os_service_default
+#
+# [*auth_section*]
+# (Optional) Config Section from which to load plugin specific options
+# Defaults to $::os_service_default.
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'.
+#
+# [*auth_uri*]
+# (Optional) Complete public Identity API endpoint.
+# Defaults to 'http://localhost:5000'.
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $::os_service_default.
+#
+# [*cache*]
+# (Optional) Env key for the swift cache.
+# Defaults to $::os_service_default.
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*check_revocations_for_cached*]
+# (Optional) If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server.
+# boolean value.
+# Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+# (Optional) Do not handle authorization requests within the middleware, but
+# delegate the authorization decision to downstream WSGI components. Boolean
+# value
+# Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+# (Optional) Used to control the use and type of token binding. Can be set
+# to: "disabled" to not check token binding. "permissive" (default) to
+# validate binding information if the bind type is of a form known to the
+# server and ignore it if not. "strict" like "permissive" but if the bind
+# type is unknown the token will be rejected. "required" any form of token
+# binding is needed to be allowed. Finally the name of a binding method that
+# must be present in tokens. String value.
+# Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will
+# be stored in the cache. This will typically be set to multiple values only
+# while migrating from a less secure algorithm to a more secure one. Once all
+# the old tokens are expired this option should be set to a single value for
+# better performance. List value.
+# Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+# (Optional) Request timeout value for communicating with Identity API
+# server.
+# Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+# (Optional) How many times are we trying to reconnect when communicating
+# with Identity API Server. Integer value
+# Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will
+# not set the X-Service-Catalog header. Boolean value.
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+# (Optional) Number of seconds memcached server is considered dead before it
+# is tried again. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+# (Optional) Maximum total number of open connections to every memcached
+# server. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+# (Optional) Number of seconds a connection to memcached is held unused in
+# the pool before it is closed. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+# (Optional) Number of seconds a connection to memcached is held unused in
+# the pool before it is closed. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+# (Optional, mandatory if memcache_security_strategy is defined) This string
+# is used for key derivation.
+# Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+# (Optional) If defined, indicate whether token data should be authenticated
+# or authenticated and encrypted. If MAC, token data is authenticated (with
+# HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization.
+# Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x Boolean value
+# Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+# (Optional) Optionally specify a list of memcached server(s) to use for
+# caching. If left undefined, tokens will instead be cached in-process.
+# Defaults to $::os_service_default.
+#
+# [*manage_memcache_package*]
+# (Optional) Whether to install the python-memcache package.
+# Defaults to false.
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $::os_service_default.
+#
+# [*revocation_cache_time*]
+# (Optional) Determines the frequency at which the list of revoked tokens is
+# retrieved from the Identity service (in seconds). A high number of
+# revocation events combined with a low cache duration may significantly
+# reduce performance. Only valid for PKI tokens. Integer value
+# Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+# (Optional) In order to prevent excessive effort spent validating tokens,
+# the middleware caches previously-seen tokens for a configurable duration
+# (in seconds). Set to -1 to disable caching completely. Integer value
+# Defaults to $::os_service_default.
+#
+class barometer::keystone::authtoken(
+ $password,
+ $username = 'barometer',
+ $auth_url = 'http://localhost:35357',
+ $project_name = 'services',
+ $user_domain_name = $::os_service_default,
+ $project_domain_name = $::os_service_default,
+ $insecure = $::os_service_default,
+ $auth_section = $::os_service_default,
+ $auth_type = 'password',
+ $auth_uri = 'http://localhost:5000',
+ $auth_version = $::os_service_default,
+ $cache = $::os_service_default,
+ $cafile = $::os_service_default,
+ $certfile = $::os_service_default,
+ $check_revocations_for_cached = $::os_service_default,
+ $delay_auth_decision = $::os_service_default,
+ $enforce_token_bind = $::os_service_default,
+ $hash_algorithms = $::os_service_default,
+ $http_connect_timeout = $::os_service_default,
+ $http_request_max_retries = $::os_service_default,
+ $include_service_catalog = $::os_service_default,
+ $keyfile = $::os_service_default,
+ $memcache_pool_conn_get_timeout = $::os_service_default,
+ $memcache_pool_dead_retry = $::os_service_default,
+ $memcache_pool_maxsize = $::os_service_default,
+ $memcache_pool_socket_timeout = $::os_service_default,
+ $memcache_pool_unused_timeout = $::os_service_default,
+ $memcache_secret_key = $::os_service_default,
+ $memcache_security_strategy = $::os_service_default,
+ $memcache_use_advanced_pool = $::os_service_default,
+ $memcached_servers = $::os_service_default,
+ $manage_memcache_package = false,
+ $region_name = $::os_service_default,
+ $revocation_cache_time = $::os_service_default,
+ $token_cache_time = $::os_service_default,
+) {
+
+ keystone::resource::authtoken { 'barometer_config':
+ username => $username,
+ password => $password,
+ project_name => $project_name,
+ auth_url => $auth_url,
+ auth_uri => $auth_uri,
+ auth_version => $auth_version,
+ auth_type => $auth_type,
+ auth_section => $auth_section,
+ user_domain_name => $user_domain_name,
+ project_domain_name => $project_domain_name,
+ insecure => $insecure,
+ cache => $cache,
+ cafile => $cafile,
+ certfile => $certfile,
+ check_revocations_for_cached => $check_revocations_for_cached,
+ delay_auth_decision => $delay_auth_decision,
+ enforce_token_bind => $enforce_token_bind,
+ hash_algorithms => $hash_algorithms,
+ http_connect_timeout => $http_connect_timeout,
+ http_request_max_retries => $http_request_max_retries,
+ include_service_catalog => $include_service_catalog,
+ keyfile => $keyfile,
+ memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+ memcache_pool_dead_retry => $memcache_pool_dead_retry,
+ memcache_pool_maxsize => $memcache_pool_maxsize,
+ memcache_pool_socket_timeout => $memcache_pool_socket_timeout,
+ memcache_secret_key => $memcache_secret_key,
+ memcache_security_strategy => $memcache_security_strategy,
+ memcache_use_advanced_pool => $memcache_use_advanced_pool,
+ memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
+ memcached_servers => $memcached_servers,
+ manage_memcache_package => $manage_memcache_package,
+ region_name => $region_name,
+ revocation_cache_time => $revocation_cache_time,
+ token_cache_time => $token_cache_time,
+ }
+}
+