openstack
/
fuel-library
Code Issues Proposed changes
fuel-library/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp

362 lines
14 KiB
Puppet
Raw Blame History

class openstack_tasks::keystone::keystone {
notice('MODULAR: keystone/keystone.pp')
$network_scheme = hiera_hash('network_scheme', {})
$network_metadata = hiera_hash('network_metadata', {})
prepare_network_config($network_scheme)
$keystone_hash = hiera_hash('keystone', {})
$debug = pick($keystone_hash['debug'], hiera('debug', false))
$use_syslog = hiera('use_syslog', true)
$use_stderr = hiera('use_stderr', false)
$access_hash = hiera_hash('access', {})
$management_vip = hiera('management_vip')
$database_vip = hiera('database_vip')
$public_vip = hiera('public_vip')
$service_endpoint = hiera('service_endpoint')
$glance_hash = hiera_hash('glance', {})
$nova_hash = hiera_hash('nova', {})
$cinder_hash = hiera_hash('cinder', {})
$ceilometer_hash = hiera_hash('ceilometer', {})
$syslog_log_facility = hiera('syslog_log_facility_keystone')
$rabbit_hash = hiera_hash('rabbit', {})
$neutron_user_password = hiera('neutron_user_password', false)
$workers_max = hiera('workers_max', $::os_workers)
$service_workers = pick($keystone_hash['workers'],
min(max($::processorcount, 2), $workers_max))
$default_log_levels = hiera_hash('default_log_levels')
$primary_keystone = has_primary_role(intersection(hiera('keystone_roles'), hiera('roles')))
$kombu_compression = hiera('kombu_compression', $::os_service_default)
$default_role = '_member_'
$user_admin_role = hiera('user_admin_role')
$user_admin_domain = hiera('user_admin_domain')
$db_type = pick($keystone_hash['db_type'], 'mysql+pymysql')
$db_host = pick($keystone_hash['db_host'], $database_vip)
$db_password = $keystone_hash['db_password']
$db_name = pick($keystone_hash['db_name'], 'keystone')
$db_user = pick($keystone_hash['db_user'], 'keystone')
# LP#1526938 - python-mysqldb supports this, python-pymysql does not
if $::os_package_type == 'debian' {
$extra_params = { 'charset' => 'utf8', 'read_timeout' => 60 }
} else {
$extra_params = { 'charset' => 'utf8' }
}
$db_connection = os_database_connection({
'dialect' => $db_type,
'host' => $db_host,
'database' => $db_name,
'username' => $db_user,
'password' => $db_password,
'extra' => $extra_params
})
$transport_url = hiera('transport_url','rabbit://guest:password@127.0.0.1:5672/')
$admin_token = $keystone_hash['admin_token']
$admin_tenant = $access_hash['tenant']
$admin_email = $access_hash['email']
$admin_user = $access_hash['user']
$admin_password = $access_hash['password']
$region = hiera('region', 'RegionOne')
$public_ssl_hash = hiera_hash('public_ssl')
$ssl_hash = hiera_hash('use_ssl', {})
$public_cert = get_ssl_property($ssl_hash, $public_ssl_hash, 'keystone', 'public', 'path', [''])
$public_protocol = get_ssl_property($ssl_hash, $public_ssl_hash, 'keystone', 'public', 'protocol', 'http')
$public_address = get_ssl_property($ssl_hash, $public_ssl_hash, 'keystone', 'public', 'hostname', [$public_vip])
$public_port = '5000'
$internal_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'protocol', 'http')
$internal_address = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'hostname', [$service_endpoint, $management_vip])
$internal_port = '5000'
$admin_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
$admin_address = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
$admin_port = '35357'
$local_address_for_bind = get_network_role_property('keystone/api', 'ipaddr')
$memcache_pool_maxsize = '100'
$memcache_servers = hiera('memcached_servers')
$cache_backend = 'oslo_cache.memcache_pool'
$token_caching = false
$token_driver = 'keystone.token.persistence.backends.memcache_pool.Token'
$token_provider = hiera('token_provider')
$public_url = "${public_protocol}://${public_address}:${public_port}"
$admin_url = "${admin_protocol}://${admin_address}:${admin_port}"
$internal_url = "${internal_protocol}://${internal_address}:${internal_port}"
$auth_suffix = pick($keystone_hash['auth_suffix'], '/')
$auth_url = "${internal_url}${auth_suffix}"
$enabled = true
$ssl = false
$vhost_limit_request_field_size = 'LimitRequestFieldSize 81900'
$max_pool_size = hiera('max_pool_size')
$max_overflow = hiera('max_overflow')
$max_retries = '-1'
$database_idle_timeout = '3600'
$murano_settings_hash = hiera_hash('murano_settings', {})
if has_key($murano_settings_hash, 'murano_repo_url') {
$murano_repo_url = $murano_settings_hash['murano_repo_url']
} else {
$murano_repo_url = 'http://storage.apps.openstack.org'
}
$murano_hash = hiera_hash('murano', {})
$murano_plugins = pick($murano_hash['plugins'], {})
if has_key($murano_plugins, 'glance_artifacts_plugin') {
$murano_glare_plugin = $murano_plugins['glance_artifacts_plugin']['enabled']
} else {
$murano_glare_plugin = false
}
$external_lb = hiera('external_lb', false)
$operator_user_hash = hiera_hash('operator_user', {})
$service_user_hash = hiera_hash('service_user', {})
$operator_user_name = pick($operator_user_hash['name'], 'fueladmin')
$operator_user_homedir = pick($operator_user_hash['homedir'], '/home/fueladmin')
$service_user_name = pick($service_user_hash['name'], 'fuel')
$service_user_homedir = pick($service_user_hash['homedir'], '/var/lib/fuel')
$rabbit_heartbeat_timeout_threshold = pick($keystone_hash['rabbit_heartbeat_timeout_threshold'], $rabbit_hash['heartbeat_timeout_threshold'], 60)
$rabbit_heartbeat_rate = pick($keystone_hash['rabbit_heartbeat_rate'], $rabbit_hash['rabbit_heartbeat_rate'], 2)
####### WSGI ###########
# Listen directives with host required for ip_based vhosts
class { '::osnailyfacter::apache':
listen_ports => hiera_array('apache_ports', ['0.0.0.0:80', '0.0.0.0:8888', '0.0.0.0:5000', '0.0.0.0:35357']),
}
class { '::keystone::wsgi::apache':
priority => '05',
threads => 1,
workers => min($::processorcount, 6),
ssl => $ssl,
vhost_custom_fragment => $vhost_limit_request_field_size,
access_log_format => '%{X-Forwarded-For}i %l %u %{%d/%b/%Y:%T}t.%{msec_frac}t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"',
# ports and host should be set for ip_based vhost
public_port => $public_port,
admin_port => $admin_port,
bind_host => $local_address_for_bind,
wsgi_script_ensure => 'link',
}
include ::tweaks::apache_wrappers
###############################################################################
if $primary_keystone {
keystone_role { "$default_role":
ensure => present,
}
class { '::keystone::roles::admin':
admin => $admin_user,
password => $admin_password,
email => $admin_email,
admin_tenant => $admin_tenant,
}
#assign 'admin' role for 'admin' user in 'Default' domain
keystone_user_role { "${admin_user}@::${user_admin_domain}":
ensure => present,
roles => any2array($user_admin_role),
}
Exec <| title == 'keystone-manage db_sync' |> ->
Keystone_role["$default_role"] ->
Class['::keystone::roles::admin'] ->
Keystone_user_role["${admin_user}@::${user_admin_domain}"] ->
Osnailyfacter::Credentials_file <||>
Class['::osnailyfacter::wait_for_keystone_backends'] -> Keystone_role["$default_role"]
Class['::osnailyfacter::wait_for_keystone_backends'] -> Class['::keystone::roles::admin']
# tweak 'keystone-exec' exec
# TODO(mmalchuk) remove this after LP#1628580 merged
Exec<| tag == 'keystone-exec' |> {
tries => '10',
try_sleep => '5',
}
}
group { 'operator_group' :
name => $operator_user_name,
ensure => present,
}
user { 'operator_user':
name => $operator_user_name,
gid => $operator_user_name,
ensure => present,
managehome => true,
home => $operator_user_homedir,
}
group { 'service_group' :
name => $service_user_name,
ensure => present,
}
user { 'service_user':
name => $service_user_name,
gid => $service_user_name,
ensure => present,
managehome => true,
home => $service_user_homedir,
}
$users = {
"${operator_user_name}" => 'operator_user',
"${service_user_name}" => 'service_user',
}
$cred_users = {
'/root/openrc' => 'root',
"${operator_user_homedir}/openrc" => $operator_user_name,
"${service_user_homedir}/openrc" => $service_user_name,
}
$cred_params = {
'admin_user' => $admin_user,
'admin_password' => $admin_password,
'admin_tenant' => $admin_tenant,
'region_name' => $region,
'auth_url' => $auth_url,
'murano_repo_url' => $murano_repo_url,
'murano_glare_plugin' => $murano_glare_plugin
}
create_resources('osnailyfacter::credentials_file', get_cred_files_hash($cred_users, $cred_params, $users))
# Get paste.ini source
include ::keystone::params
$keystone_paste_ini = $::keystone::params::paste_config ? {
undef => '/etc/keystone/keystone-paste.ini',
default => $::keystone::params::paste_config,
}
# Make sure admin token auth middleware is in place
exec { 'add_admin_token_auth_middleware':
path => ['/bin', '/usr/bin'],
command => "sed -i 's/\\( token_auth \\)/\\1admin_token_auth /' ${keystone_paste_ini}",
unless => "fgrep -q ' admin_token_auth' ${keystone_paste_ini}",
require => Package['keystone'],
}
Exec['add_admin_token_auth_middleware'] ->
Exec <| title == 'keystone-manage db_sync' |> ->
Osnailyfacter::Credentials_file <||>
$haproxy_stats_url = "http://${service_endpoint}:10000/;csv"
class { '::osnailyfacter::wait_for_keystone_backends':}
Service['keystone'] -> Class['::osnailyfacter::wait_for_keystone_backends']
Service<| title == 'httpd' |> -> Class['::osnailyfacter::wait_for_keystone_backends']
Class['::osnailyfacter::wait_for_keystone_backends'] -> Class['::keystone::endpoint']
####### Disable upstart startup on install #######
if ($::operatingsystem == 'Ubuntu') {
tweaks::ubuntu_service_override { 'keystone':
package_name => 'keystone',
}
}
#### Fernet Token ####
if $token_provider == 'keystone.token.providers.fernet.Provider' {
file { '/etc/keystone/fernet-keys':
source => '/var/lib/astute/keystone',
mode => '0600',
owner => 'keystone',
group => 'keystone',
recurse => true,
require => Anchor['keystone::install::end'],
notify => Anchor['keystone::config::end'],
}
}
if $enabled {
class { '::keystone':
enable_bootstrap => true,
debug => $debug,
catalog_type => 'sql',
admin_token => $admin_token,
admin_password => $admin_password,
enabled => false,
database_connection => $db_connection,
default_transport_url => $transport_url,
database_max_retries => $max_retries,
database_max_pool_size => $max_pool_size,
database_max_overflow => $max_overflow,
public_bind_host => $local_address_for_bind,
admin_bind_host => $local_address_for_bind,
admin_workers => $service_workers,
public_workers => $service_workers,
use_syslog => $use_syslog,
use_stderr => $use_stderr,
database_idle_timeout => $database_idle_timeout,
sync_db => $primary_keystone,
memcache_servers => $memcache_servers,
token_driver => $token_driver,
token_provider => $token_provider,
# Fernet keys are generated on master
enable_fernet_setup => false,
notification_driver => $ceilometer_hash['notification_driver'],
token_caching => $token_caching,
cache_backend => $cache_backend,
admin_endpoint => $admin_url,
memcache_dead_retry => '60',
memcache_socket_timeout => '1',
memcache_pool_maxsize => '1000',
memcache_pool_unused_timeout => '60',
cache_memcache_servers => $memcache_servers,
policy_driver => 'keystone.policy.backends.sql.Policy',
rabbit_heartbeat_timeout_threshold => $rabbit_heartbeat_timeout_threshold,
rabbit_heartbeat_rate => $rabbit_heartbeat_rate,
kombu_compression => $kombu_compression,
# Set revoke_by_id to false according to LP #1625077
revoke_by_id => false,
}
Package<| title == 'keystone'|> ~> Service<| title == 'keystone'|>
if !defined(Service['keystone']) {
notify{ "Module ${module_name} cannot notify service keystone on package update": }
}
if $use_syslog {
keystone_config {
'DEFAULT/use_syslog_rfc_format': value => true;
}
}
class { '::keystone::endpoint':
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
region => $region,
# TODO: Remove version when #1668574 will be fixed in OSTF
version => 'unset',
}
Exec <| title == 'keystone-manage db_sync' |> -> Class['::keystone::endpoint']
}
}
View Git Blame Copy Permalink