puppet-keystone/examples/apache_with_paths.pp

# Example using apache to serve keystone
#
# To be sure everything is working, run:
#   $ export OS_USERNAME=admin
#   $ export OS_PASSWORD=ChangeMe
#   $ export OS_TENANT_NAME=openstack
#   $ export OS_AUTH_URL=http://keystone.local/keystone/main/v3
#   $ keystone catalog
#   Service: identity
#   +-------------+----------------------------------------------+
#   |   Property  |                    Value                     |
#   +-------------+----------------------------------------------+
#   |   adminURL  | http://keystone.local:80/keystone/admin/v3   |
#   |      id     |       4f0f55f6789d4c73a53c51f991559b72       |
#   | internalURL | http://keystone.local:80/keystone/main/v3    |
#   |  publicURL  | http://keystone.local:80/keystone/main/v3    |
#   |    region   |                  RegionOne                   |
#   +-------------+----------------------------------------------+
#

Exec { logoutput => 'on_failure' }

class { 'mysql::server': }
class { 'keystone::db::mysql':
  password => 'keystone',
}
class { 'keystone':
  debug               => true,
  database_connection => 'mysql://keystone_admin:keystone@127.0.0.1/keystone',
  catalog_type        => 'sql',
  enabled             => true,
}
class { 'keystone::bootstrap':
  password   => 'ChangeMe',
  public_url => "https://${::fqdn}:443/main",
  admin_url  => "https://${::fqdn}:443/admin",
}

keystone_config { 'ssl/enable': ensure  => absent }

include apache
class { 'keystone::wsgi::apache':
  ssl         => true,
  public_port => 443,
  admin_port  => 443,
  public_path => '/main/',
  admin_path  => '/admin/'
}
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`# Example using apache to serve keystone`
			`#`
			`# To be sure everything is working, run:`
			`# $ export OS_USERNAME=admin`
			`# $ export OS_PASSWORD=ChangeMe`
			`# $ export OS_TENANT_NAME=openstack`
Change keystone v2.0 to v3 And fix some formatting for docs. Depends-On: https://review.openstack.org/#/c/639215/ Change-Id: I349d2803a11bd0ca4318f9b6057c338835bee9d6 2019-02-24 13:19:06 +01:00			`# $ export OS_AUTH_URL=http://keystone.local/keystone/main/v3`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`# $ keystone catalog`
			`# Service: identity`
			`# +-------------+----------------------------------------------+`
			`# \| Property \| Value \|`
			`# +-------------+----------------------------------------------+`
Change keystone v2.0 to v3 And fix some formatting for docs. Depends-On: https://review.openstack.org/#/c/639215/ Change-Id: I349d2803a11bd0ca4318f9b6057c338835bee9d6 2019-02-24 13:19:06 +01:00			`# \| adminURL \| http://keystone.local:80/keystone/admin/v3 \|`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`# \| id \| 4f0f55f6789d4c73a53c51f991559b72 \|`
Change keystone v2.0 to v3 And fix some formatting for docs. Depends-On: https://review.openstack.org/#/c/639215/ Change-Id: I349d2803a11bd0ca4318f9b6057c338835bee9d6 2019-02-24 13:19:06 +01:00			`# \| internalURL \| http://keystone.local:80/keystone/main/v3 \|`
			`# \| publicURL \| http://keystone.local:80/keystone/main/v3 \|`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`# \| region \| RegionOne \|`
			`# +-------------+----------------------------------------------+`
			`#`

			`Exec { logoutput => 'on_failure' }`

Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf 2019-12-08 23:09:22 +01:00			`class { 'mysql::server': }`
			`class { 'keystone::db::mysql':`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`password => 'keystone',`
			`}`
Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf 2019-12-08 23:09:22 +01:00			`class { 'keystone':`
Remove deprecated parameters * keystone::endpoint::public_port (deprecated since 4.0.0) * keystone::endpoint::public_protocol (deprecated since 4.0.0) * keystone::endpoint::public_address (deprecated since 4.0.0) * keystone::endpoint::internal_address (deprecated since 4.0.0) * keystone::endpoint::internal_port (deprecated since 4.0.0) * keystone::endpoint::admin_address (deprecated since 4.0.0) * keystone::endpoint::admin_port (deprecated since 4.0.0) * keystone::sql_connection (deprecated since 4.1.0) * keystone::idle_timeout (deprecated since 4.1.0) * keystone::bind_host (deprecated since 4.0.0) * keystone::token_format (deprecated since 3.0.0) Change-Id: I8b8ed42d4d81aa8091f2fae38f05cb74428051a9 2014-11-25 14:14:38 -05:00			`debug => true,`
			`database_connection => 'mysql://keystone_admin:keystone@127.0.0.1/keystone',`
			`catalog_type => 'sql',`
			`enabled => true,`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`}`
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db 2019-11-02 12:32:24 +01:00			`class { 'keystone::bootstrap':`
			`password => 'ChangeMe',`
			`public_url => "https://${::fqdn}:443/main",`
			`admin_url => "https://${::fqdn}:443/admin",`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`}`

			`keystone_config { 'ssl/enable': ensure => absent }`

Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf 2019-12-08 23:09:22 +01:00			`include apache`
			`class { 'keystone::wsgi::apache':`
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c 2013-05-02 18:03:12 +02:00			`ssl => true,`
			`public_port => 443,`
			`admin_port => 443,`
			`public_path => '/main/',`
			`admin_path => '/admin/'`
			`}`