cookbook-openstack-identity/attributes/default.rb

#
# Cookbook:: openstack-identity
# Recipe:: default
#
# Copyright:: 2012-2021, AT&T Services, Inc.
# Copyright:: 2013-2021, Chef Software, Inc.
# Copyright:: 2013-2021, IBM Corp.
# Copyright:: 2017-2021, x-ion GmbH
# Copyright:: 2018-2021, Workday, Inc.
# Copyright:: 2019-2021, x-ion GmbH
# Copyright:: 2016-2021, Oregon State University
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default['openstack']['identity']['custom_template_banner'] = '
# This file is automatically generated by Chef
# Any changes will be overwritten
'

%w(internal public).each do |ep_type|
  # host for openstack internal/public identity endpoint
  default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
  # scheme for openstack internal/public identity endpoint
  default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
  # port for openstack internal/public identity endpoint
  default['openstack']['endpoints'][ep_type]['identity']['port'] = 5000
  # path for openstack internal/public identity endpoint
  default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
end

# address for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
# port for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['port'] = 5000

# identity service token backend for user and service tokens
default['openstack']['identity']['token']['backend'] = 'sql'

# Specify a location to retrieve keystone-paste.ini from
# which can either be a remote url using http:// or a
# local path to a file using file:// which would generally
# be a distribution file - if this option is left nil then
# the templated version distributed with this cookbook
# will be used (keystone-paste.ini.erb)
default['openstack']['identity']['pastefile_url'] = nil

# This specifies the pipeline of the keystone V3 API,
# all Identity V3 API requests will be processed by the order of the pipeline.
# this value will be used in the templated version of keystone-paste.ini
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'

# region to be used for endpoint registration
default['openstack']['identity']['region'] = node['openstack']['region']

# enable or disable the usage of syslog
default['openstack']['identity']['syslog']['use'] = false
# syslog log facility to log to in case syslog is used
default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2'
# syslog config facility in case syslog is used
default['openstack']['identity']['syslog']['config_facility'] = 'local2'

# endpoint type to be used for creating resources
default['openstack']['identity']['endpoint_type'] = 'internalURL'
# user to be created and used for identity service
default['openstack']['identity']['admin_user'] = 'admin'
# project to be created and used for identity service
default['openstack']['identity']['admin_project'] = 'admin'
# domain to be created and used for identity service project
default['openstack']['identity']['admin_project_domain'] = 'default'
# role to be created and used for identity service
default['openstack']['identity']['admin_role'] = 'admin'
# domain to be created and used for identity service user
default['openstack']['identity']['admin_domain_name'] = 'default'

# specify whether to enable SSL for Keystone API endpoint
default['openstack']['identity']['ssl']['enabled'] = false
# specify server whether to enforce client certificate requirement
default['openstack']['identity']['ssl']['cert_required'] = false
# SSL certificate, keyfile and CA certficate file locations
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
# Protocol for SSL (Apache)
default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
# Which ciphers to use with the SSL/TLS protocol (Apache)
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
default['openstack']['identity']['ssl']['ciphers'] = nil
# path of the cert file for SSL.
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
# path of the keyfile for SSL.
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
default['openstack']['identity']['ssl']['chainfile'] = nil
# path of the CA cert file for SSL.
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
# path of the CA cert files for SSL (Apache)
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
# (optional) path to certificate-revocation lists (Apache)
default['openstack']['identity']['ssl']['ca_revocation_path'] = nil

# Fernet keys to read from databags/vaults. This should be changed in the
# environment when rotating keys (with the defaults below, the items
# 'fernet_key0' and 'fernet_key1' will be read from the databag/vault
# 'keystone).
# For more information please read:
# https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html
default['openstack']['identity']['fernet']['keys'] = [0, 1]
default['openstack']['identity']['conf']['fernet_tokens']['key_repository'] =
  '/etc/keystone/fernet-tokens'

# Credential keys to read from databags/vaults. This should be changed in the
# environment when rotating keys (with the defaults below, the items
# 'credential_key0' and 'credential_key1' will be read from the databag/vault
# 'keystone).
# For more information please read:
# https://docs.openstack.org/keystone/queens/admin/identity-credential-encryption.html
default['openstack']['identity']['credential']['keys'] = [0, 1]
default['openstack']['identity']['conf']['credential']['key_repository'] =
  '/etc/keystone/credential-tokens'

# configuration directory for keystone domain specific options
default['openstack']['identity']['domain_config_dir'] = '/etc/keystone/domains'

# keystone service user name
default['openstack']['identity']['user'] = 'keystone'
# keystone service user group
default['openstack']['identity']['group'] = 'keystone'

# platform defaults
case node['platform_family']
when 'rhel'
  # platform specific package and service name options
  case node['platform_version'].to_i
  when 8
    default['openstack']['identity']['platform'] = {
      'memcache_python_packages' => ['python3-memcached'],
      # TODO(ramereth): python3-urllib3 is here to workaround an issue if
      # it's already been installed from the base repository which is
      # incompatible with what's shipped with RDO. This should be removed
      # once fixed upstream.
      'keystone_packages' =>
        %w(
          openstack-keystone
          openstack-selinux
          python3-urllib3
        ),
      'keystone_apache2_site' => 'keystone', # currently unused on RHEL
      'keystone_service' => 'openstack-keystone',
      'keystone_process_name' => 'keystone-all',
      'package_options' => '',
    }
  when 7
    default['openstack']['identity']['platform'] = {
      'memcache_python_packages' => ['python-memcached'],
      # TODO(ramereth): python2-urllib3 is here to workaround an issue if
      # it's already been installed from the base repository which is
      # incompatible with what's shipped with RDO. This should be removed
      # once fixed upstream.
      'keystone_packages' =>
        %w(
          openstack-keystone
          openstack-selinux
          python2-urllib3
        ),
      'keystone_apache2_site' => 'keystone', # currently unused on RHEL
      'keystone_service' => 'openstack-keystone',
      'keystone_process_name' => 'keystone-all',
      'package_options' => '',
    }
  end
when 'debian'
  # platform specific package and service name options
  default['openstack']['identity']['platform'] = {
    'memcache_python_packages' => ['python3-memcache'],
    'keystone_packages' =>
      %w(
        keystone
        python3-keystone
      ),
    'keystone_apache2_site' => platform?('ubuntu') ? 'keystone' : 'wsgi-keystone',
    'keystone_service' => 'keystone',
    'keystone_process_name' => 'keystone-all',
    'package_overrides' => '',
  }
end

# array of bare options for openrc (e.g. 'option=value')
default['openstack']['misc_openrc'] = nil

%w(openrc cloud_config).each do |file_type|
  default['openstack']['identity'][file_type]['path'] = '/root'
  default['openstack']['identity'][file_type]['path_mode'] = '0700'
  default['openstack']['identity'][file_type]['file_mode'] = '0600'
  default['openstack']['identity'][file_type]['user'] = 'root'
  default['openstack']['identity'][file_type]['group'] = 'root'
end

# openrc file name
default['openstack']['identity']['openrc']['file'] = 'openrc'
# cloud_config file name
default['openstack']['identity']['cloud_config']['file'] = 'clouds.yaml'
# cloud_config cloud name
default['openstack']['identity']['cloud_config']['cloud_name'] = 'default'