Add missing puppetdoc and lint all parameter documentation

Un-pin puppet-lint gem and add puppet-lint-param-docs, this commit also add missing puppetdoc and fixes lint issues. Change-Id: I1eefc743c68c75eb54a65b3cc539922ef3a3b04d
2015-03-15 16:23:09 +01:00 · 2015-03-15 16:23:09 +01:00 · a3bdaad473
parent b182ff0706
commit a3bdaad473
13 changed files with 836 additions and 297 deletions
--- a/2
+++ b/2
@ -2,7 +2,7 @@ source 'https://rubygems.org'

 group :development, :test do
  gem 'puppetlabs_spec_helper', :require => false
-  gem 'puppet-lint', '~> 0.3.2'
+  gem 'puppet-lint-param-docs'
  gem 'rspec-puppet', '~> 1.0.1'
  gem 'rake', '10.1.1'
 end
--- a/examples/ldap_full.pp
+++ b/examples/ldap_full.pp
@ -16,57 +16,57 @@ class { 'keystone::roles::admin':
 # "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
 # -b cn=users,cn=accounts,dc=example,dc=com
 class { 'keystone:ldap':
-  url                         => 'ldap://ldap.example.com:389',
-  user                        => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
-  password                    => 'SecretPass',
-  suffix                      => 'dc=example,dc=com',
-  query_scope                 => 'sub',
-  user_tree_dn                => 'cn=users,cn=accounts,dc=example,dc=com',
-  user_id_attribute           => 'uid',
-  user_name_attribute         => 'uid',
-  user_mail_attribute         => 'mail',
-  user_allow_create           => 'False',
-  user_allow_update           => 'False',
-  user_allow_delete           => 'False',
-  user_enabled_emulation      => 'True',
-  user_enabled_emulation_dn   => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
-  group_tree_dn               => 'ou=groups,ou=openstack,dc=example,dc=com',
-  group_objectclass           => 'organizationalRole',
-  group_id_attribute          => 'cn',
-  group_name_attribute        => 'cn',
-  group_member_attribute      => 'RoleOccupant',
-  group_desc_attribute        => 'description',
-  group_allow_create          => 'True',
-  group_allow_update          => 'True',
-  group_allow_delete          => 'True',
-  project_tree_dn             => 'ou=projects,ou=openstack,dc=example,dc=com',
-  project_objectclass         => 'organizationalUnit',
-  project_id_attribute        => 'ou',
-  project_member_attribute    => 'member',
-  project_name_attribute      => 'ou',
-  project_desc_attribute      => 'description',
-  project_allow_create        => 'True',
-  project_allow_update        => 'True',
-  project_allow_delete        => 'True',
-  project_enabled_emulation   => 'True',
-  project_enabled_emulation_dn=> 'cn=enabled,ou=openstack,dc=example,dc=com',
-  role_tree_dn                => 'ou=roles,ou=openstack,dc=example,dc=com',
-  role_objectclass            => 'organizationalRole',
-  role_id_attribute           => 'cn',
-  role_name_attribute         => 'cn',
-  role_member_attribute       => 'roleOccupant',
-  role_allow_create           => 'True',
-  role_allow_update           => 'True',
-  role_allow_delete           => 'True',
-  identity_driver             => 'keystone.identity.backends.ldap.Identity',
-  assignment_driver           => 'keystone.assignment.backends.ldap.Assignment',
-  use_tls                     => 'True',
-  tls_cacertfile              => '/etc/ssl/certs/ca-certificates.crt',
-  tls_req_cert                => 'demand',
-  use_pool                    => 'True',
-  use_auth_pool               => 'True',
-  pool_size                   => 5,
-  auth_pool_size              => 5,
-  pool_retry_max              => 3,
-  pool_connection_timeout     => 120,
+  url                          => 'ldap://ldap.example.com:389',
+  user                         => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
+  password                     => 'SecretPass',
+  suffix                       => 'dc=example,dc=com',
+  query_scope                  => 'sub',
+  user_tree_dn                 => 'cn=users,cn=accounts,dc=example,dc=com',
+  user_id_attribute            => 'uid',
+  user_name_attribute          => 'uid',
+  user_mail_attribute          => 'mail',
+  user_allow_create            => 'False',
+  user_allow_update            => 'False',
+  user_allow_delete            => 'False',
+  user_enabled_emulation       => 'True',
+  user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
+  group_tree_dn                => 'ou=groups,ou=openstack,dc=example,dc=com',
+  group_objectclass            => 'organizationalRole',
+  group_id_attribute           => 'cn',
+  group_name_attribute         => 'cn',
+  group_member_attribute       => 'RoleOccupant',
+  group_desc_attribute         => 'description',
+  group_allow_create           => 'True',
+  group_allow_update           => 'True',
+  group_allow_delete           => 'True',
+  project_tree_dn              => 'ou=projects,ou=openstack,dc=example,dc=com',
+  project_objectclass          => 'organizationalUnit',
+  project_id_attribute         => 'ou',
+  project_member_attribute     => 'member',
+  project_name_attribute       => 'ou',
+  project_desc_attribute       => 'description',
+  project_allow_create         => 'True',
+  project_allow_update         => 'True',
+  project_allow_delete         => 'True',
+  project_enabled_emulation    => 'True',
+  project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
+  role_tree_dn                 => 'ou=roles,ou=openstack,dc=example,dc=com',
+  role_objectclass             => 'organizationalRole',
+  role_id_attribute            => 'cn',
+  role_name_attribute          => 'cn',
+  role_member_attribute        => 'roleOccupant',
+  role_allow_create            => 'True',
+  role_allow_update            => 'True',
+  role_allow_delete            => 'True',
+  identity_driver              => 'keystone.identity.backends.ldap.Identity',
+  assignment_driver            => 'keystone.assignment.backends.ldap.Assignment',
+  use_tls                      => 'True',
+  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
+  tls_req_cert                 => 'demand',
+  use_pool                     => 'True',
+  use_auth_pool                => 'True',
+  pool_size                    => 5,
+  auth_pool_size               => 5,
+  pool_retry_max               => 3,
+  pool_connection_timeout      => 120,
 }
--- a/examples/ldap_identity.pp
+++ b/examples/ldap_identity.pp
@ -12,17 +12,17 @@ class { 'keystone::roles::admin':
 # This was tested against a FreeIPA box, you will likely need to change the
 # attributes to match your configuration.
 class { 'keystone:ldap':
-  identity_driver       => 'keystone.identity.backends.ldap.Identity',
-  url                   => 'ldap://ldap.example.com:389',
-  user                  => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
-  password              => 'SecretPass',
-  suffix                => 'dc=example,dc=com',
-  query_scope           => 'sub',
-  user_tree_dn          => 'cn=users,cn=accounts,dc=example,dc=com',
-  user_id_attribute     => 'uid',
-  user_name_attribute   => 'uid',
-  user_mail_attribute   => 'mail',
-  user_allow_create     => 'False',
-  user_allow_update     => 'False',
-  user_allow_delete     => 'False'
+  identity_driver     => 'keystone.identity.backends.ldap.Identity',
+  url                 => 'ldap://ldap.example.com:389',
+  user                => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
+  password            => 'SecretPass',
+  suffix              => 'dc=example,dc=com',
+  query_scope         => 'sub',
+  user_tree_dn        => 'cn=users,cn=accounts,dc=example,dc=com',
+  user_id_attribute   => 'uid',
+  user_name_attribute => 'uid',
+  user_mail_attribute => 'mail',
+  user_allow_create   => 'False',
+  user_allow_update   => 'False',
+  user_allow_delete   => 'False'
 }
--- a/manifests/client.pp
+++ b/manifests/client.pp
@ -5,7 +5,8 @@
 # === Parameters
 #
 # [*ensure*]
-#   (optional) Ensure state of the package. Defaults to 'present'.
+#   (optional) Ensure state of the package.
+#   Defaults to 'present'.
 #
 class keystone::client (
  $ensure = 'present'
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@ -5,19 +5,39 @@
 #
 # == parameters
 #
-# [password] Password that will be used for the keystone db user.
-#   Optional. Defaults to: 'keystone_default_password'
+# [*password*]
+#   (Mandatory) Password to connect to the database.
+#   Defaults to 'false'.
 #
-# [dbname] Name of keystone database. Optional. Defaults to keystone.
+# [*dbname*]
+#   (Optional) Name of the database.
+#   Defaults to 'keystone'.
 #
-# [user] Name of keystone user. Optional. Defaults to keystone.
+# [*user*]
+#   (Optional) User to connect to the database.
+#   Defaults to 'keystone'.
 #
-# [host] Host where user should be allowed all priveleges for database.
-# Optional. Defaults to 127.0.0.1.
+# [*host*]
+#   (Optional) The default source host user is allowed to connect from.
+#   Defaults to '127.0.0.1'
 #
-# [allowed_hosts] Hosts allowed to use the database
+# [*allowed_hosts*]
+#   (Optional) Other hosts the user is allowed to connect from.
+#   Defaults to 'undef'.
 #
-# [*mysql_module*] Deprecated. Does nothing.
+# [*charset*]
+#   (Optional) The database charset.
+#   Defaults to 'utf8'
+#
+# [*collate*]
+#   (Optional) The database collate.
+#   Only used with mysql modules >= 2.2.
+#   Defaults to 'utf8_unicode_ci'
+#
+# === Deprecated Parameters
+#
+# [*mysql_module*]
+#   (Optional) Does nothing.
 #
 # == Dependencies
 #   Class['mysql::server']
--- a/manifests/dev/install.pp
+++ b/manifests/dev/install.pp
@ -1,6 +1,12 @@
 #
 # Installs keystone from source. This is not yet fully implemented
 #
+# == Parameters
+#
+# [*source_dir*]
+#   (optional) The source dire for dev installation
+#   Defaults to '/usr/local/keystone'
+#
 # == Dependencies
 # == Examples
 # == Authors
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -3,157 +3,232 @@
 #
 # == Parameters
 #
-#   [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
-#     accepts latest or specific versions.
-#   [client_package_ensure] Desired ensure state of the client package. Optional. Defaults to present.
-#     accepts latest or specific versions.
-#   [public_port]
+# [*package_ensure*]
+#   (optional) Desired ensure state of packages.
+#   accepts latest or specific versions.
+#   Defaults to present.
 #
-#   [compute_port]
-#     (optional) DEPRECATED. The port for the compute service.
-#     Defaults to 8774.
+# [*client_package_ensure*]
+#   (optional) Desired ensure state of the client package.
+#   accepts latest or specific versions.
+#   Defaults to present.
 #
-#   [admin_port]
-#   [admin_port] Port that can be used for admin tasks.
-#   [admin_token] Admin token that can be used to authenticate as a keystone
-#     admin. Required.
-#   [verbose] Rather keystone should log at verbose level. Optional.
-#     Defaults to False.
-#   [debug] Rather keystone should log at debug level. Optional.
-#     Defaults to False.
-#   [use_syslog] Use syslog for logging. Optional.
-#     Defaults to False.
-#   [log_facility] Syslog facility to receive log lines. Optional.
-#   [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
-#     Defaults to sql. (Also accepts template)
-#   [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
-#     Setting this value will override and ignore catalog_type.
-#   [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
-#     Defaults to '/etc/keystone/default_catalog.templates'
-#   [token_provider] Format keystone uses for tokens. Optional.
-#     Defaults to 'keystone.token.providers.uuid.Provider'
-#     Supports PKI and UUID.
-#   [token_driver] Driver to use for managing tokens.
-#     Optional.  Defaults to 'keystone.token.persistence.backends.sql.Token'
-#   [token_expiration] Amount of time a token should remain valid (seconds).
-#     Optional.  Defaults to 3600 (1 hour).
-#   [revoke_driver] Driver for token revocation.
-#     Optional.  Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
-#   [cache_dir] Directory created when token_provider is pki. Optional.
-#     Defaults to /var/cache/keystone.
+# [*public_port*]
+#   (optional) Port that keystone binds to.
+#   Defaults to '5000'
 #
-#   [memcache_servers]
-#     List of memcache servers in format of server:port.
-#     Used with token_driver 'keystone.token.backends.memcache.Token'.
-#     Optional. Defaults to false. Example: ['localhost:11211']
+# [*compute_port*]
+#   (optional) DEPRECATED The port for compute servie.
+#   Defaults to '8774'
 #
-#   [cache_backend]
-#     Dogpile.cache backend module. It is recommended that Memcache with pooling
-#     (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
-#     This has no effects unless 'memcache_servers' is set.
-#     Optional. Defaults to 'keystone.common.cache.noop'
+# [*admin_port*]
+#   (optional) Port that can be used for admin tasks.
+#   Defaults to '35357'
 #
-#   [cache_backend_argument]
-#     List of arguments in format of argname:value supplied to the backend module.
-#     Specify this option once per argument to be passed to the dogpile.cache backend.
-#     This has no effects unless 'memcache_servers' is set.
-#     Optional. Default to undef.
+# [*admin_token*]
+#   Admin token that can be used to authenticate as a keystone
+#   admin. Required.
 #
-#   [debug_cache_backend]
-#     Extra debugging from the cache backend (cache keys, get/set/delete calls).
-#     This has no effects unless 'memcache_servers' is set.
-#     Optional. Default to false.
+# [*verbose*]
+#   (optional) Rather keystone should log at verbose level.
+#   Defaults to false.
 #
-#   [token_caching]
-#     Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
-#     Optional. Default to true.
+# [*debug*]
+#   (optional) Rather keystone should log at debug level.
+#   Defaults to False.
 #
-#   [enabled] If the keystone services should be enabled. Optional. Default to true.
+# [*use_syslog*]
+#   (optional) Use syslog for logging.
+#   Defaults to false.
 #
-#   [*database_connection*]
-#     (optional) Url used to connect to database.
-#     Defaults to sqlite:////var/lib/keystone/keystone.db
+# [*log_facility*]
+#   (optional) Syslog facility to receive log lines.
+#   Defaults to 'LOG_USER'.
 #
-#   [*database_idle_timeout*]
-#     (optional) Timeout when db connections should be reaped.
-#     Defaults to 200.
+# [*catalog_type*]
+#   (optional) Type of catalog that keystone uses to store endpoints,services.
+#   Defaults to sql. (Also accepts template)
 #
-#   [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
-#     revocation lists if it doesn't already exist. This generates a cert and key stored in file
-#     locations based on the signing_certfile and signing_keyfile paramters below. If you are
-#     providing your own signing cert, make this false.
-#   [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
-#     Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
-#     the file will not be overwritten, even if enable_pki_setup is set to true.
-#     Default: /etc/keystone/ssl/certs/signing_cert.pem
-#   [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
-#     Note that if this file already exists (i.e. you are providing your own signing cert), the file
-#     will not be overwritten, even if enable_pki_setup is set to true.
-#     Default: /etc/keystone/ssl/private/signing_key.pem
-#   [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
-#     signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
-#   [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
-#     pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
+# [*catalog_driver*]
+#   (optional) Catalog driver used by Keystone to store endpoints and services.
+#   Setting this value will override and ignore catalog_type.
+#   Defaults to false.
 #
-#   [*signing_cert_subject*]
+# [*catalog_template_file*]
+#   (optional) Path to the catalog used if catalog_type equals 'template'.
+#   Defaults to '/etc/keystone/default_catalog.templates'
+#
+# [*token_provider*]
+#   (optional) Format keystone uses for tokens.
+#   Defaults to 'keystone.token.providers.uuid.Provider'
+#   Supports PKI and UUID.
+#
+# [*token_driver*]
+#   (optional) Driver to use for managing tokens.
+#   Defaults to 'keystone.token.persistence.backends.sql.Token'
+#
+# [*token_expiration*]
+#   (optional) Amount of time a token should remain valid (seconds).
+#   Defaults to 3600 (1 hour).
+#
+# [*revoke_driver*]
+#   (optional) Driver for token revocation.
+#   Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
+#
+# [*cache_dir*]
+#   (optional) Directory created when token_provider is pki.
+#   Defaults to /var/cache/keystone.
+#
+# [*memcache_servers*]
+#   (optional) List of memcache servers in format of server:port.
+#   Used with token_driver 'keystone.token.backends.memcache.Token'.
+#   Defaults to false. Example: ['localhost:11211']
+#
+# [*cache_backend*]
+#   (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
+#   (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
+#   This has no effects unless 'memcache_servers' is set.
+#   Defaults to 'keystone.common.cache.noop'
+#
+# [*cache_backend_argument*]
+#   (optional) List of arguments in format of argname:value supplied to the backend module.
+#   Specify this option once per argument to be passed to the dogpile.cache backend.
+#   This has no effects unless 'memcache_servers' is set.
+#   Default to undef.
+#
+# [*debug_cache_backend*]
+#   (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
+#   This has no effects unless 'memcache_servers' is set.
+#   Default to false.
+#
+# [*token_caching*]
+#   (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
+#   Default to true.
+#
+# [*enabled*]
+#  (optional) If the keystone services should be enabled.
+#   Default to true.
+#
+# [*database_connection*]
+#   (optional) Url used to connect to database.
+#   Defaults to sqlite:////var/lib/keystone/keystone.db
+#
+# [*database_idle_timeout*]
+#   (optional) Timeout when db connections should be reaped.
+#   Defaults to 200.
+#
+# [*enable_pki_setup*]
+#   (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
+#   revocation lists if it doesn't already exist. This generates a cert and key stored in file
+#   locations based on the signing_certfile and signing_keyfile paramters below. If you are
+#   providing your own signing cert, make this false.
+#   Default to true.
+#
+# [*signing_certfile*]
+#   (optional) Location of the cert file for signing pki tokens and revocation lists.
+#   Note that if this file already exists (i.e. you are providing your own signing cert),
+#   the file will not be overwritten, even if enable_pki_setup is set to true.
+#   Default: /etc/keystone/ssl/certs/signing_cert.pem
+#
+# [*signing_keyfile*]
+#   (optional) Location of the key file for signing pki tokens and revocation lists.
+#   Note that if this file already exists (i.e. you are providing your own signing cert), the file
+#   will not be overwritten, even if enable_pki_setup is set to true.
+#   Default: /etc/keystone/ssl/private/signing_key.pem
+#
+# [*signing_ca_certs*]
+#   (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
+#   signing pki tokens and revocation lists.
+#   Default: /etc/keystone/ssl/certs/ca.pem
+#
+# [*signing_ca_key*]
+#   (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
+#   pki tokens and revocation lists.
+#   Default: /etc/keystone/ssl/private/cakey.pem
+#
+# [*signing_cert_subject*]
 #   (optional) Certificate subject (auto generated certificate) for token signing.
 #   Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
 #
-#   [*signing_key_size*]
+# [*signing_key_size*]
 #   (optional) Key size (in bits) for token signing cert (auto generated certificate)
 #   Defaults to 2048
 #
-#   [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
-#   [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
-#   [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
-#   [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
-#   [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
-#   [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
+# [*rabbit_host*]
+#   (optional) Location of rabbitmq installation.
+#    Defaults to localhost.
 #
-#   [*rabbit_use_ssl*]
-#     (optional) Connect over SSL for RabbitMQ
-#     Defaults to false
+# [*rabbit_port*]
+#   (optional) Port for rabbitmq instance.
+#   Defaults to 5672.
 #
-#   [*kombu_ssl_ca_certs*]
-#     (optional) SSL certification authority file (valid only if SSL enabled).
-#     Defaults to undef
+# [*rabbit_hosts*]
+#   (optional) Location of rabbitmq installation.
+#   Defaults to undef.
 #
-#   [*kombu_ssl_certfile*]
-#     (optional) SSL cert file (valid only if SSL enabled).
-#     Defaults to undef
+# [*rabbit_password*]
+#   (optional) Password used to connect to rabbitmq.
+#   Defaults to guest.
 #
-#   [*kombu_ssl_keyfile*]
-#     (optional) SSL key file (valid only if SSL enabled).
-#     Defaults to undef
+# [*rabbit_userid*]
+#   (optional) User used to connect to rabbitmq.
+#   Defaults to guest.
 #
-#   [*kombu_ssl_version*]
-#     (optional) SSL version to use (valid only if SSL enabled).
-#     Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
-#     available on some distributions.
-#     Defaults to 'TLSv1'
+# [*rabbit_virtual_host*]
+#   (optional) The RabbitMQ virtual host.
+#   Defaults to /.
 #
-#   [notification_driver] RPC driver. Not enabled by default
-#   [notification_topics] AMQP topics to publish to when using the RPC notification driver.
-#   [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
+# [*rabbit_use_ssl*]
+#   (optional) Connect over SSL for RabbitMQ
+#   Defaults to false
 #
-#   [*public_bind_host*]
+# [*kombu_ssl_ca_certs*]
+#   (optional) SSL certification authority file (valid only if SSL enabled).
+#   Defaults to undef
+#
+# [*kombu_ssl_certfile*]
+#   (optional) SSL cert file (valid only if SSL enabled).
+#   Defaults to undef
+#
+# [*kombu_ssl_keyfile*]
+#   (optional) SSL key file (valid only if SSL enabled).
+#   Defaults to undef
+#
+# [*kombu_ssl_version*]
+#   (optional) SSL version to use (valid only if SSL enabled).
+#   Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+#   available on some distributions.
+#   Defaults to 'TLSv1'
+#
+# [*notification_driver*]
+#   RPC driver. Not enabled by default
+#
+# [*notification_topics*]
+#   (optional) AMQP topics to publish to when using the RPC notification driver.
+#   Default to false.
+#
+# [*control_exchange*]
+#   (optional) AMQP exchange to connect to if using RabbitMQ or Qpid
+#   Default to false.
+#
+# [*public_bind_host*]
 #   (optional) The IP address of the public network interface to listen on
 #   Default to '0.0.0.0'.
 #
-#   [*admin_bind_host*]
+# [*admin_bind_host*]
 #   (optional) The IP address of the public network interface to listen on
 #   Default to '0.0.0.0'.
 #
-#   [*log_dir*]
+# [*log_dir*]
 #   (optional) Directory where logs should be stored
 #   If set to boolean false, it will not log to any directory
 #   Defaults to '/var/log/keystone'
 #
-#   [*log_file*]
+# [*log_file*]
 #   (optional) Where to log
 #   Defaults to false
 #
-#   [*public_endpoint*]
+# [*public_endpoint*]
 #   (optional) The base public endpoint URL for keystone that are
 #   advertised to clients (NOTE: this does NOT affect how
 #   keystone listens for connections) (string value)
@ -161,7 +236,7 @@
 #   Sample value: 'http://localhost:5000/'
 #   Defaults to false
 #
-#   [*admin_endpoint*]
+# [*admin_endpoint*]
 #   (optional) The base admin endpoint URL for keystone that are
 #   advertised to clients (NOTE: this does NOT affect how keystone listens
 #   for connections) (string value)
@ -169,63 +244,63 @@
 #   Sample value: 'http://localhost:35357/'
 #   Defaults to false
 #
-#   [*enable_ssl*]
+# [*enable_ssl*]
 #   (optional) Toggle for SSL support on the keystone eventlet servers.
 #   (boolean value)
 #   Defaults to false
 #
-#   [*ssl_certfile*]
+# [*ssl_certfile*]
 #   (optional) Path of the certfile for SSL. (string value)
 #   Defaults to '/etc/keystone/ssl/certs/keystone.pem'
 #
-#   [*ssl_keyfile*]
+# [*ssl_keyfile*]
 #   (optional) Path of the keyfile for SSL. (string value)
 #   Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
 #
-#   [*ssl_ca_certs*]
+# [*ssl_ca_certs*]
 #   (optional) Path of the ca cert file for SSL. (string value)
 #   Defaults to '/etc/keystone/ssl/certs/ca.pem'
 #
-#   [*ssl_ca_key*]
+# [*ssl_ca_key*]
 #   (optional) Path of the CA key file for SSL (string value)
 #   Defaults to '/etc/keystone/ssl/private/cakey.pem'
 #
-#   [*ssl_cert_subject*]
+# [*ssl_cert_subject*]
 #   (optional) SSL Certificate Subject (auto generated certificate)
 #   (string value)
 #   Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
 #
-#   [*mysql_module*]
+# [*mysql_module*]
 #   (optional) Deprecated. Does nothing.
 #
-#   [*validate_service*]
+# [*validate_service*]
 #   (optional) Whether to validate keystone connections after
 #   the service is started.
 #   Defaults to false
 #
-#   [*validate_insecure*]
+# [*validate_insecure*]
 #   (optional) Whether to validate keystone connections
 #   using the --insecure option with keystone client.
 #   Defaults to false
 #
-#   [*validate_cacert*]
+# [*validate_cacert*]
 #   (optional) Whether to validate keystone connections
 #   using the specified argument with the --os-cacert option
 #   with keystone client.
 #   Defaults to undef
 #
-#   [*validate_auth_url*]
+# [*validate_auth_url*]
 #   (optional) The url to validate keystone against
 #   Defaults to undef
 #
-#   [*service_provider*]
+# [*service_provider*]
 #   (optional) Provider, that can be used for keystone service.
 #   Default value defined in keystone::params for given operation system.
 #   If you use Pacemaker or another Cluster Resource Manager, you can make
 #   custom service provider for changing start/stop/status behavior of service,
 #   and set it here.
 #
-#   [*service_name*]
+# [*service_name*]
 #   (optional) Name of the service that will be providing the
 #   server functionality of keystone.  For example, the default
 #   is just 'keystone', which means keystone will be run as a
@ -242,23 +317,23 @@
 #   Defaults to 'keystone'
 #   NOTE: validate_service only applies if the value is 'keystone'
 #
-#   [*paste_config*]
+# [*paste_config*]
 #   (optional) Name of the paste configuration file that defines the
 #   available pipelines. (string value)
 #   Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and
 #   undef on other platforms.
 #
-#   [*max_token_size*]
-#     (optional) maximum allowable Keystone token size
-#     Defaults to undef
+# [*max_token_size*]
+#   (optional) maximum allowable Keystone token size
+#   Defaults to undef
 #
-#   [*admin_workers*]
-#     (optional) The number of worker processes to serve the admin WSGI application.
-#     Defaults to max($::processorcount, 2)
+# [*admin_workers*]
+#   (optional) The number of worker processes to serve the admin WSGI application.
+#   Defaults to max($::processorcount, 2)
 #
-#   [*public_workers*]
-#     (optional) The number of worker processes to serve the public WSGI application.
-#     Defaults to max($::processorcount, 2)
+# [*public_workers*]
+#   (optional) The number of worker processes to serve the public WSGI application.
+#   Defaults to max($::processorcount, 2)
 #
 # == Dependencies
 #  None
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@ -1,6 +1,376 @@
+# == class: keystone::ldap
 #
 # Implements ldap configuration for keystone.
 #
+# === parameters:
+#
+# [*url*]
+#   URL for connecting to the LDAP server. (string value)
+#   Defaults to 'undef'
+#
+# [*user*]
+#   User BindDN to query the LDAP server. (string value)
+#   Defaults to 'undef'
+#
+# [*password*]
+#   Password for the BindDN to query the LDAP server. (string value)
+#   Defaults to 'undef'
+#
+# [*suffix*]
+#   LDAP server suffix (string value)
+#   Defaults to 'undef'
+#
+# [*query_scope*]
+#   The LDAP scope for queries, this can be either "one"
+#   (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
+#   Defaults to 'undef'
+#
+# [*page_size*]
+#   Maximum results per page; a value of zero ("0") disables paging. (integer value)
+#   Defaults to 'undef'
+#
+# [*user_tree_dn*]
+#   Search base for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_filter*]
+#   LDAP search filter for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_objectclass*]
+#   LDAP objectclass for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_id_attribute*]
+#   LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
+#   Defaults to 'undef'
+#
+# [*user_name_attribute*]
+#   LDAP attribute mapped to user name. (string value)
+#   Defaults to 'undef'
+#
+# [*user_mail_attribute*]
+#   LDAP attribute mapped to user email. (string value)
+#
+# [*user_enabled_attribute*]
+#   LDAP attribute mapped to user enabled flag. (string value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_mask*]
+#   Bitmask integer to indicate the bit that the enabled value is stored in if
+#   the LDAP server represents "enabled" as a bit on an integer rather than a
+#   boolean. A value of "0" indicates the mask is not used. If this is not set
+#   to "0" the typical value is "2". This is typically used when
+#   "user_enabled_attribute = userAccountControl". (integer value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_default*]
+#   Default value to enable users. This should match an appropriate int value
+#   if the LDAP server uses non-boolean (bitmask) values to indicate if a user
+#   is enabled or disabled. If this is not set to "True" the typical value is
+#   "512". This is typically used when "user_enabled_attribute =
+#   userAccountControl". (string value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_invert*]
+#   Invert the meaning of the boolean enabled values. Some LDAP servers use a
+#   boolean lock attribute where "true" means an account is disabled. Setting
+#   "user_enabled_invert = true" will allow these lock attributes to be used.
+#   This setting will have no effect if "user_enabled_mask" or
+#   "user_enabled_emulation" settings are in use. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_attribute_ignore*]
+#   List of attributes stripped off the user on update. (list value)
+#   Defaults to 'undef'
+#
+# [*user_default_project_id_attribute*]
+#   LDAP attribute mapped to default_project_id for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_allow_create*]
+#   Allow user creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_allow_update*]
+#   Allow user updates in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_allow_delete*]
+#   Allow user deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_pass_attribute*]
+#   LDAP attribute mapped to password. (string value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_emulation*]
+#   If true, Keystone uses an alternative method to determine if
+#   a user is enabled or not by checking if they are a member of
+#   the "user_enabled_emulation_dn" group. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_emulation_dn*]
+#   DN of the group entry to hold enabled users when using enabled emulation.
+#   (string value)
+#   Defaults to 'undef'
+#
+# [*user_additional_attribute_mapping*]
+#   List of additional LDAP attributes used for mapping
+#   additional attribute mappings for users. Attribute mapping
+#   format is <ldap_attr>:<user_attr>, where ldap_attr is the
+#   attribute in the LDAP entry and user_attr is the Identity
+#   API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*project_tree_dn*]
+#   Search base for projects (string value)
+#   Defaults to 'undef'
+#
+# [*project_filter*]
+#   LDAP search filter for projects. (string value)
+#   Defaults to 'undef'
+#
+# [*project_objectclass*]
+#   LDAP objectclass for projects. (string value)
+#   Defaults to 'undef'
+#
+# [*project_id_attribute*]
+#   LDAP attribute mapped to project id. (string value)
+#   Defaults to 'undef'
+#
+# [*project_member_attribute*]
+#   LDAP attribute mapped to project membership for user. (string value)
+#   Defaults to 'undef'
+#
+# [*project_name_attribute*]
+#   LDAP attribute mapped to project name. (string value)
+#   Defaults to 'undef'
+#
+# [*project_desc_attribute*]
+#   LDAP attribute mapped to project description. (string value)
+#   Defaults to 'undef'
+#
+# [*project_enabled_attribute*]
+#   LDAP attribute mapped to project enabled. (string value)
+#   Defaults to 'undef'
+#
+# [*project_domain_id_attribute*]
+#   LDAP attribute mapped to project domain_id. (string value)
+#   Defaults to 'undef'
+#
+# [*project_attribute_ignore*]
+#   List of attributes stripped off the project on update. (list value)
+#   Defaults to 'undef'
+#
+# [*project_allow_create*]
+#   Allow project creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_allow_update*]
+#   Allow project update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_allow_delete*]
+#   Allow project deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_enabled_emulation*]
+#   If true, Keystone uses an alternative method to determine if
+#   a project is enabled or not by checking if they are a member
+#   of the "project_enabled_emulation_dn" group. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_enabled_emulation_dn*]
+#   DN of the group entry to hold enabled projects when using
+#   enabled emulation. (string value)
+#   Defaults to 'undef'
+#
+# [*project_additional_attribute_mapping*]
+#   Additional attribute mappings for projects. Attribute
+#   mapping format is <ldap_attr>:<user_attr>, where ldap_attr
+#   is the attribute in the LDAP entry and user_attr is the
+#   Identity API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*role_tree_dn*]
+#   Search base for roles. (string value)
+#   Defaults to 'undef'
+#
+# [*role_filter*]
+#   LDAP search filter for roles. (string value)
+#   Defaults to 'undef'
+#
+# [*role_objectclass*]
+#   LDAP objectclass for roles. (string value)
+#   Defaults to 'undef'
+#
+# [*role_id_attribute*]
+#   LDAP attribute mapped to role id. (string value)
+#   Defaults to 'undef'
+#
+# [*role_name_attribute*]
+#   LDAP attribute mapped to role name. (string value)
+#   Defaults to 'undef'
+#
+# [*role_member_attribute*]
+#   LDAP attribute mapped to role membership. (string value)
+#   Defaults to 'undef'
+#
+# [*role_attribute_ignore*]
+#   List of attributes stripped off the role on update. (list value)
+#   Defaults to 'undef'
+#
+# [*role_allow_create*]
+#   Allow role creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*role_allow_update*]
+#   Allow role update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*role_allow_delete*]
+#   Allow role deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*role_additional_attribute_mapping*]
+#   Additional attribute mappings for roles. Attribute mapping
+#   format is <ldap_attr>:<user_attr>, where ldap_attr is the
+#   attribute in the LDAP entry and user_attr is the Identity
+#   API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*group_tree_dn*]
+#   Search base for groups. (string value)
+#   Defaults to 'undef'
+#
+# [*group_filter*]
+#   LDAP search filter for groups. (string value)
+#   Defaults to 'undef'
+#
+# [*group_objectclass*]
+#   LDAP objectclass for groups. (string value)
+#   Defaults to 'undef'
+#
+# [*group_id_attribute*]
+#   LDAP attribute mapped to group id. (string value)
+#   Defaults to 'undef'
+#
+# [*group_name_attribute*]
+#   LDAP attribute mapped to group name. (string value)
+#   Defaults to 'undef'
+#
+# [*group_member_attribute*]
+#   LDAP attribute mapped to show group membership. (string value)
+#   Defaults to 'undef'
+#
+# [*group_desc_attribute*]
+#   LDAP attribute mapped to group description. (string value)
+#   Defaults to 'undef'
+#
+# [*group_attribute_ignore*]
+#   List of attributes stripped off the group on update. (list value)
+#   Defaults to 'undef'
+#
+# [*group_allow_create*]
+#   Allow group creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_update*]
+#   Allow group update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_delete*]
+#   Allow group deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_additional_attribute_mapping*]
+#   Additional attribute mappings for groups. Attribute mapping
+#   format is <ldap_attr>:<user_attr>, where ldap_attr is the
+#   attribute in the LDAP entry and user_attr is the Identity
+#   API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*use_tls*]
+#   Enable TLS for communicating with LDAP servers. (boolean value)
+#   Defaults to 'undef'
+#
+# [*tls_cacertfile*]
+#   CA certificate file path for communicating with LDAP servers. (string value)
+#   Defaults to 'undef'
+#
+# [*tls_cacertdir*]
+#   CA certificate directory path for communicating with LDAP servers. (string value)
+#   Defaults to 'undef'
+#
+# [*tls_req_cert*]
+#   Valid options for tls_req_cert are demand, never, and allow. (string value)
+#   Defaults to 'undef'
+#
+# [*identity_driver*]
+#   Identity backend driver. (string value)
+#   Defaults to 'undef'
+#
+# [*assignment_driver*]
+#   Assignment backend driver. (string value)
+#   Defaults to 'undef'
+#
+# [*use_pool*]
+#   Enable LDAP connection pooling. (boolean value)
+#   Defaults to false
+#
+# [*pool_size*]
+#   Connection pool size. (integer value)
+#   Defaults to '10'
+#
+# [*pool_retry_max*]
+#   Maximum count of reconnect trials. (integer value)
+#   Defaults to '3'
+#
+# [*pool_retry_delay*]
+#   Time span in seconds to wait between two reconnect trials. (floating point value)
+#   Defaults to '0.1'
+#
+# [*pool_connection_timeout*]
+#   Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
+#   Defaults to '-1'
+#
+# [*pool_connection_lifetime*]
+#   Connection lifetime in seconds. (integer value)
+#   Defaults to '600'
+#
+# [*use_auth_pool*]
+#   Enable LDAP connection pooling for end user authentication.
+#   If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
+#   Defaults to false
+#
+# [*auth_pool_size*]
+#   End user auth connection pool size. (integer value)
+#   Defaults to '100'
+#
+# [*auth_pool_connection_lifetime*]
+#   End user auth connection lifetime in seconds. (integer value)
+#   Defaults to '60'
+#
+# === DEPRECATED group/name
+#
+# [*tenant_tree_dn*]
+# [*tenant_filter*]
+# [*tenant_objectclass*]
+# [*tenant_id_attribute*]
+# [*tenant_member_attribute*]
+# [*tenant_name_attribute*]
+# [*tenant_desc_attribute*]
+# [*tenant_enabled_attribute*]
+# [*tenant_domain_id_attribute*]
+# [*tenant_attribute_ignore*]
+# [*tenant_allow_create*]
+# [*tenant_allow_update*]
+# [*tenant_enabled_emulation*]
+# [*tenant_enabled_emulation_dn*]
+# [*tenant_additional_attribute_mapping*]
+# [*tenant_allow_delete*]
+#
 # == Dependencies
 # == Examples
 # == Authors
--- a/manifests/python.pp
+++ b/manifests/python.pp
@ -1,6 +1,16 @@
+# == Class keystone::python
 #
 # installs client python libraries for keystone
 #
+# === Parameters:
+#
+# [*client_package_name*]
+#   (optional) The name of python keystone client package
+#   Defaults to $keystone::params::client_package_name
+#
+# [*ensure*]
+#   (optional) The state for the keystone client package
+#   Defaults to 'present'
 #
 class keystone::python (
  $client_package_name = $keystone::params::client_package_name,
--- a/manifests/resource/service_identity.pp
+++ b/manifests/resource/service_identity.pp
@ -22,76 +22,76 @@
 # == Parameters:
 #
 # [*password*]
-# Password to create for the service user;
-# string; required
+#   Password to create for the service user;
+#   string; required
 #
 # [*auth_name*]
-# The name of the service user;
-# string; optional; default to the $title of the resource, i.e. 'nova'
+#   The name of the service user;
+#   string; optional; default to the $title of the resource, i.e. 'nova'
 #
 # [*service_name*]
-# Name of the service;
-# string; required
+#   Name of the service;
+#   string; required
 #
 # [*service_type*]
-# Type of the service;
-# string; required
+#   Type of the service;
+#   string; required
 #
 # [*service_description*]
-# Description of the service;
-# string; optional: default to '$name service'
+#   Description of the service;
+#   string; optional: default to '$name service'
 #
 # [*public_url*]
-# Public endpoint URL;
-# string; required
+#   Public endpoint URL;
+#   string; required
 #
 # [*internal_url*]
-# Internal endpoint URL;
-# string; required
+#   Internal endpoint URL;
+#   string; required
 #
 # [*admin_url*]
-# Admin endpoint URL;
-# string; required
+#   Admin endpoint URL;
+#   string; required
 #
 # [*region*]
-# Endpoint region;
-# string; optional: default to 'RegionOne'
+#   Endpoint region;
+#   string; optional: default to 'RegionOne'
 #
 # [*tenant*]
-# Service tenant;
-# string; optional: default to 'services'
+#   Service tenant;
+#   string; optional: default to 'services'
 #
 # [*ignore_default_tenant*]
-# Ignore setting the default tenant value when the user is created.
-# string; optional: default to false
+#   Ignore setting the default tenant value when the user is created.
+#   string; optional: default to false
 #
 # [*roles*]
-# List of roles;
-# string; optional: default to ['admin']
+#   List of roles;
+#   string; optional: default to ['admin']
 #
 # [*domain*]
-# User domain (keystone v3), not implemented yet.
-# string; optional: default to undef
+#   User domain (keystone v3), not implemented yet.
+#   string; optional: default to undef
 #
 # [*email*]
-# Service email;
-# string; optional: default to '$auth_name@localhost'
+#   Service email;
+#   string; optional: default to '$auth_name@localhost'
 #
 # [*configure_endpoint*]
-# Whether to create the endpoint.
-# string; optional: default to True
+#   Whether to create the endpoint.
+#   string; optional: default to True
 #
 # [*configure_user*]
-# Whether to create the user.
-# string; optional: default to True
+#   Whether to create the user.
+#   string; optional: default to True
 #
 # [*configure_user_role*]
-# Whether to create the user role.
-# string; optional: default to True
+#   Whether to create the user role.
+#   string; optional: default to True
 #
 # [*configure_service*]
-# Whether to create the service.
-# string; optional: default to True
+#   Whether to create the service.
+#   string; optional: default to True
 #
 define keystone::resource::service_identity(
  $admin_url             = false,
--- a/manifests/roles/admin.pp
+++ b/manifests/roles/admin.pp
@ -1,3 +1,4 @@
+# == Class: keystone::roles::admin
 #
 # This class implements some reasonable admin defaults for keystone.
 #
@ -8,18 +9,49 @@
 #   * admin role
 #   * adds admin role to admin user on the "admin" tenant
 #
-# [*Parameters*]
+# === Parameters:
 #
-# [email] The email address for the admin. Required.
-# [password] The admin password. Required.
-# [admin_roles] The list of the roles with admin privileges. Optional. Defaults to ['admin'].
-# [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack.
-# [admin] Admin user. Optional. Defaults to admin.
-# [ignore_default_tenant] Ignore setting the default tenant value when the user is created. Optional. Defaults to false.
-# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant'
-# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services'
-# [configure_user] Optional. Should the admin user be created? Defaults to 'true'.
-# [configure_user_role] Optional. Should the admin role be configured for the admin user? Defaulst to 'true'.
+# [*email*]
+#   The email address for the admin. Required.
+#
+# [*password*]
+#   The admin password. Required.
+#
+# [*admin_roles*]
+#   The list of the roles with admin privileges. Optional.
+#   Defaults to ['admin'].
+#
+# [*admin_tenant*]
+#   The name of the tenant to be used for admin privileges. Optional.
+#   Defaults to openstack.
+#
+# [*service_tenant*]
+#   The name of service keystone tenant. Optional.
+#   Defaults to 'services'.
+#
+# [*admin*]
+#   Admin user. Optional.
+#   Defaults to admin.
+#
+# [*ignore_default_tenant*]
+#   Ignore setting the default tenant value when the user is created. Optional.
+#   Defaults to false.
+#
+# [*admin_tenant_desc*]
+#   Optional. Description for admin tenant,
+#   Defaults to 'admin tenant'
+#
+# [*service_tenant_desc*]
+#   Optional. Description for admin tenant,
+#   Defaults to 'Tenant for the openstack services'
+#
+# [*configure_user*]
+#   Optional. Should the admin user be created?
+#   Defaults to 'true'.
+#
+# [*configure_user_role*]
+#   Optional. Should the admin role be configured for the admin user?
+#   Defaulst to 'true'.
 #
 # == Dependencies
 # == Examples
--- a/manifests/service.pp
+++ b/manifests/service.pp
@ -9,60 +9,59 @@
 # === Parameters
 #
 # [*ensure*]
-# (optional) The desired state of the keystone service
-# Defaults to 'running'
+#   (optional) The desired state of the keystone service
+#   Defaults to 'running'
 #
 # [*service_name*]
-# (optional) The name of the keystone service
-# Defaults to $::keystone::params::service_name
+#   (optional) The name of the keystone service
+#   Defaults to $::keystone::params::service_name
 #
 # [*enable*]
-# (optional) Whether to enable the keystone service
-# Defaults to true
+#   (optional) Whether to enable the keystone service
+#   Defaults to true
 #
 # [*hasstatus*]
-# (optional) Whether the keystone service has status
-# Defaults to true
+#   (optional) Whether the keystone service has status
+#   Defaults to true
 #
 # [*hasrestart*]
-# (optional) Whether the keystone service has restart
-# Defaults to true
+#   (optional) Whether the keystone service has restart
+#   Defaults to true
 #
 # [*provider*]
-# (optional) Provider for keystone service
-# Defaults to $::keystone::params::service_provider
+#   (optional) Provider for keystone service
+#   Defaults to $::keystone::params::service_provider
 #
 # [*validate*]
-# (optional) Whether to validate the service is working
-# after any service refreshes
-# Defaults to false
+#   (optional) Whether to validate the service is working after any service refreshes
+#   Defaults to false
 #
 # [*admin_token*]
-# (optional) The admin token to use for validation
-# Defaults to undef
+#   (optional) The admin token to use for validation
+#   Defaults to undef
 #
 # [*admin_endpoint*]
-# (optional) The admin endpont to use for validation
-# Defaults to 'http://localhost:35357/v2.0'
+#   (optional) The admin endpont to use for validation
+#   Defaults to 'http://localhost:35357/v2.0'
 #
 # [*retries*]
-# (optional) Number of times to retry validation
-# Defaults to 10
+#   (optional) Number of times to retry validation
+#   Defaults to 10
 #
 # [*delay*]
-# (optional) Number of seconds between validation attempts
-# Defaults to 2
+#   (optional) Number of seconds between validation attempts
+#   Defaults to 2
 #
 # [*insecure*]
-# (optional) Whether to validate keystone connections
-# using the --insecure option with keystone client.
-# Defaults to false
+#   (optional) Whether to validate keystone connections
+#   using the --insecure option with keystone client.
+#   Defaults to false
 #
 # [*cacert*]
-# (optional) Whether to validate keystone connections
-# using the specified argument with the --os-cacert option
-# with keystone client.
-# Defaults to undef
+#   (optional) Whether to validate keystone connections
+#   using the specified argument with the --os-cacert option
+#   with keystone client.
+#   Defaults to undef
 #
 class keystone::service(
  $ensure         = 'running',
@ -106,13 +105,13 @@ class keystone::service(
    $cmd = "openstack --os-auth-url ${admin_endpoint} --os-token ${admin_token} ${insecure_s} ${cacert_s} user list"
    $catch = 'name'
    exec { 'validate_keystone_connection':
-      path          => '/usr/bin:/bin:/usr/sbin:/sbin',
-      provider      => shell,
-      command       => $cmd,
-      subscribe     => Service['keystone'],
-      refreshonly   => true,
-      tries         => $retries,
-      try_sleep     => $delay
+      path        => '/usr/bin:/bin:/usr/sbin:/sbin',
+      provider    => shell,
+      command     => $cmd,
+      subscribe   => Service['keystone'],
+      refreshonly => true,
+      tries       => $retries,
+      try_sleep   => $delay
    }

    Exec['validate_keystone_connection'] -> Keystone_user<||>
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@ -46,15 +46,41 @@
 #     Optional. Defaults to 1
 #
 #   [*ssl_cert*]
+#     (optional) Path to SSL certificate
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_key*]
+#     (optional) Path to SSL key
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_chain*]
+#     (optional) SSL chain
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_ca*]
+#     (optional) Path to SSL certificate authority
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_crl_path*]
+#     (optional) Path to SSL certificate revocation list
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_crl*]
+#     (optional) SSL certificate revocation list name
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_certs_dir*]
 #     apache::vhost ssl parameters.
 #     Optional. Default to apache::vhost 'ssl_*' defaults.
 #
+# [*priority*]
+#   (optional) The priority for the vhost.
+#   Defaults to '10'
+#
+# [*threads*]
+#   (optional) The number of threads for the vhost.
+#   Defaults to $::processorcount
+#
 # == Dependencies
 #
 #   requires Class['apache'] & Class['keystone']