openstack/puppet-keystone
Code Issues Proposed changes
Files
10f0bc209e5193e37b72441e3e7c98cdaa40cecd
puppet-keystone/manifests/init.pp
Emilien Macchi c11b0408ef Use an Anchor when service is managed 
Today, Keystone resources (domains, tenants, etc) are created only if
'keystone' service is started.
When running Keystone in WSGI, the autorequire is broken for those
resources.
Adding 'httpd' in autorequire is not enough because it could fail to
orchestration issues if running another httpd resource (Horizon) that
depends on having Keystone started.

This patch is about to create an Anchor (keystone_started) in
keystone::service that require Service['keystone'] resource to be
created.
In resource types, change the autorequire to depend on the new Anchor.

With that patch, we are sure Keystone resources won't be created before
service is actually managed (running or stopped) and other resources
(Horizon, using httpd server) can also depend on this Anchor if needed.

Change-Id: Ie72b65b6be224cadc8730e050bec38d2face5dfd
Closes-bug: #1474059
2015-07-13 18:14:46 -04:00

985 lines
33 KiB
Puppet
Raw Blame History

#
# Module for managing keystone config.
#
# == Parameters
#
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
# [*client_package_ensure*]
# (optional) Desired ensure state of the client package.
# accepts latest or specific versions.
# Defaults to present.
#
# [*public_port*]
# (optional) Port that keystone binds to.
# Defaults to '5000'
#
# [*compute_port*]
# (optional) DEPRECATED The port for compute servie.
# Defaults to '8774'
#
# [*admin_port*]
# (optional) Port that can be used for admin tasks.
# Defaults to '35357'
#
# [*admin_token*]
# Admin token that can be used to authenticate as a keystone
# admin. Required.
#
# [*verbose*]
# (optional) Rather keystone should log at verbose level.
# Defaults to false.
#
# [*debug*]
# (optional) Rather keystone should log at debug level.
# Defaults to False.
#
# [*use_syslog*]
# (optional) Use syslog for logging.
# Defaults to false.
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines.
# Defaults to 'LOG_USER'.
#
# [*catalog_type*]
# (optional) Type of catalog that keystone uses to store endpoints,services.
# Defaults to sql. (Also accepts template)
#
# [*catalog_driver*]
# (optional) Catalog driver used by Keystone to store endpoints and services.
# Setting this value will override and ignore catalog_type.
# Defaults to false.
#
# [*catalog_template_file*]
# (optional) Path to the catalog used if catalog_type equals 'template'.
# Defaults to '/etc/keystone/default_catalog.templates'
#
# [*token_provider*]
# (optional) Format keystone uses for tokens.
# Defaults to 'keystone.token.providers.uuid.Provider'
# Supports PKI, PKIZ, Fernet, and UUID.
#
# [*token_driver*]
# (optional) Driver to use for managing tokens.
# Defaults to 'keystone.token.persistence.backends.sql.Token'
#
# [*token_expiration*]
# (optional) Amount of time a token should remain valid (seconds).
# Defaults to 3600 (1 hour).
#
# [*revoke_driver*]
# (optional) Driver for token revocation.
# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
#
# [*cache_dir*]
# (optional) Directory created when token_provider is pki.
# Defaults to /var/cache/keystone.
#
# [*memcache_servers*]
# (optional) List of memcache servers in format of server:port.
# Used with token_driver 'keystone.token.backends.memcache.Token'.
# Defaults to false. Example: ['localhost:11211']
#
# [*cache_backend*]
# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
# This has no effects unless 'memcache_servers' is set.
# Defaults to 'keystone.common.cache.noop'
#
# [*cache_backend_argument*]
# (optional) List of arguments in format of argname:value supplied to the backend module.
# Specify this option once per argument to be passed to the dogpile.cache backend.
# This has no effects unless 'memcache_servers' is set.
# Default to undef.
#
# [*debug_cache_backend*]
# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
# This has no effects unless 'memcache_servers' is set.
# Default to false.
#
# [*token_caching*]
# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
# Default to true.
#
# [*manage_service*]
# (Optional) If Puppet should manage service startup / shutdown.
# Defaults to true.
#
# [*enabled*]
# (optional) If the keystone services should be enabled.
# Default to true.
#
# [*database_connection*]
# (optional) Url used to connect to database.
# Defaults to sqlite:////var/lib/keystone/keystone.db
#
# [*database_idle_timeout*]
# (optional) Timeout when db connections should be reaped.
# Defaults to 200.
#
# [*enable_pki_setup*]
# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
# providing your own signing cert, make this false.
# Default to true.
#
# [*signing_certfile*]
# (optional) Location of the cert file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert),
# the file will not be overwritten, even if enable_pki_setup is set to true.
# Default: /etc/keystone/ssl/certs/signing_cert.pem
#
# [*signing_keyfile*]
# (optional) Location of the key file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
# will not be overwritten, even if enable_pki_setup is set to true.
# Default: /etc/keystone/ssl/private/signing_key.pem
#
# [*signing_ca_certs*]
# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
# signing pki tokens and revocation lists.
# Default: /etc/keystone/ssl/certs/ca.pem
#
# [*signing_ca_key*]
# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
# pki tokens and revocation lists.
# Default: /etc/keystone/ssl/private/cakey.pem
#
# [*signing_cert_subject*]
# (optional) Certificate subject (auto generated certificate) for token signing.
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
#
# [*signing_key_size*]
# (optional) Key size (in bits) for token signing cert (auto generated certificate)
# Defaults to 2048
#
# [*rabbit_host*]
# (optional) Location of rabbitmq installation.
# Defaults to localhost.
#
# [*rabbit_port*]
# (optional) Port for rabbitmq instance.
# Defaults to 5672.
#
# [*rabbit_hosts*]
# (optional) Location of rabbitmq installation.
# Defaults to undef.
#
# [*rabbit_password*]
# (optional) Password used to connect to rabbitmq.
# Defaults to guest.
#
# [*rabbit_userid*]
# (optional) User used to connect to rabbitmq.
# Defaults to guest.
#
# [*rabbit_virtual_host*]
# (optional) The RabbitMQ virtual host.
# Defaults to /.
#
# [*rabbit_heartbeat_timeout_threshold*]
# (optional) Number of seconds after which the RabbitMQ broker is considered
# down if the heartbeat keepalive fails. Any value >0 enables heartbeats.
# Heartbeating helps to ensure the TCP connection to RabbitMQ isn't silently
# closed, resulting in missed or lost messages from the queue.
# (Requires kombu >= 3.0.7 and amqp >= 1.4.0)
# Defaults to 0
#
# [*rabbit_heartbeat_rate*]
# (optional) How often during the rabbit_heartbeat_timeout_threshold period to
# check the heartbeat on RabbitMQ connection. (i.e. rabbit_heartbeat_rate=2
# when rabbit_heartbeat_timeout_threshold=60, the heartbeat will be checked
# every 30 seconds.
# Defaults to 2
#
# [*rabbit_use_ssl*]
# (optional) Connect over SSL for RabbitMQ
# Defaults to false
#
# [*kombu_ssl_ca_certs*]
# (optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to undef
#
# [*kombu_ssl_certfile*]
# (optional) SSL cert file (valid only if SSL enabled).
# Defaults to undef
#
# [*kombu_ssl_keyfile*]
# (optional) SSL key file (valid only if SSL enabled).
# Defaults to undef
#
# [*kombu_ssl_version*]
# (optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to 'TLSv1'
#
# [*notification_driver*]
# RPC driver. Not enabled by default
#
# [*notification_topics*]
# (optional) AMQP topics to publish to when using the RPC notification driver.
# Default to false.
#
# [*notification_format*]
# Format for the notifications. Valid values are 'basic' and 'cadf'.
# Default to undef
#
# [*control_exchange*]
# (optional) AMQP exchange to connect to if using RabbitMQ or Qpid
# Default to false.
#
# [*public_bind_host*]
# (optional) The IP address of the public network interface to listen on
# Default to '0.0.0.0'.
#
# [*admin_bind_host*]
# (optional) The IP address of the public network interface to listen on
# Default to '0.0.0.0'.
#
# [*log_dir*]
# (optional) Directory where logs should be stored
# If set to boolean false, it will not log to any directory
# Defaults to '/var/log/keystone'
#
# [*log_file*]
# (optional) Where to log
# Defaults to false
#
# [*public_endpoint*]
# (optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value)
# If set to false, no public_endpoint will be defined in keystone.conf.
# Sample value: 'http://localhost:5000/'
# Defaults to false
#
# [*admin_endpoint*]
# (optional) The base admin endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value)
# If set to false, no admin_endpoint will be defined in keystone.conf.
# Sample value: 'http://localhost:35357/'
# Defaults to false
#
# [*enable_ssl*]
# (optional) Toggle for SSL support on the keystone eventlet servers.
# (boolean value)
# Defaults to false
#
# [*ssl_certfile*]
# (optional) Path of the certfile for SSL. (string value)
# Defaults to '/etc/keystone/ssl/certs/keystone.pem'
#
# [*ssl_keyfile*]
# (optional) Path of the keyfile for SSL. (string value)
# Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
#
# [*ssl_ca_certs*]
# (optional) Path of the ca cert file for SSL. (string value)
# Defaults to '/etc/keystone/ssl/certs/ca.pem'
#
# [*ssl_ca_key*]
# (optional) Path of the CA key file for SSL (string value)
# Defaults to '/etc/keystone/ssl/private/cakey.pem'
#
# [*ssl_cert_subject*]
# (optional) SSL Certificate Subject (auto generated certificate)
# (string value)
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
#
# [*mysql_module*]
# (optional) Deprecated. Does nothing.
#
# [*validate_service*]
# (optional) Whether to validate keystone connections after
# the service is started.
# Defaults to false
#
# [*validate_insecure*]
# (optional) Whether to validate keystone connections
# using the --insecure option with keystone client.
# Defaults to false
#
# [*validate_cacert*]
# (optional) Whether to validate keystone connections
# using the specified argument with the --os-cacert option
# with keystone client.
# Defaults to undef
#
# [*validate_auth_url*]
# (optional) The url to validate keystone against
# Defaults to undef
#
# [*service_provider*]
# (optional) Provider, that can be used for keystone service.
# Default value defined in keystone::params for given operation system.
# If you use Pacemaker or another Cluster Resource Manager, you can make
# custom service provider for changing start/stop/status behavior of service,
# and set it here.
#
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of keystone. For example, the default
# is just 'keystone', which means keystone will be run as a
# standalone eventlet service, and will able to be managed
# separately by the operating system's service manager. For
# example, you will be able to use
# service openstack-keystone restart
# to restart the service.
# If the value is 'httpd', this means keystone will be a web
# service, and you must use another class to configure that
# web service. For example, after calling class {'keystone'...}
# use class { 'keystone::wsgi::apache'...} to make keystone be
# a web app using apache mod_wsgi.
# Defaults to '$::keystone::params::service_name'
# NOTE: validate_service only applies if the default value is used.
#
# [*paste_config*]
# (optional) Name of the paste configuration file that defines the
# available pipelines. (string value)
# Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and
# undef on other platforms.
#
# [*max_token_size*]
# (optional) maximum allowable Keystone token size
# Defaults to undef
#
# [*admin_workers*]
# (optional) The number of worker processes to serve the admin WSGI application.
# Defaults to max($::processorcount, 2)
#
# [*public_workers*]
# (optional) The number of worker processes to serve the public WSGI application.
# Defaults to max($::processorcount, 2)
#
# [*sync_db*]
# (Optional) Run db sync on the node.
# Defaults to true
#
# [*enable_fernet_setup*]
# (Optional) Setup keystone for fernet tokens. This is typically only
# run on a single node, then the keys are replicated to the other nodes
# in a cluster. You would typically also pair this with a fernet token
# provider setting.
# Defaults to false
#
# [*fernet_key_repository*]
# (Optional) Location for the fernet key repository. This value must
# be set if enable_fernet_setup is set to true.
# Defaults to '/etc/keystone/fernet-keys'
#
# [*fernet_max_active_keys*]
# (Optional) Number of maximum active Fernet keys. Integer > 0.
# Defaults to undef
#
# [*default_domain*]
# (optional) When Keystone v3 support is enabled, v2 clients will need
# to have a domain assigned for certain operations. For example,
# doing a user create operation must have a domain associated with it.
# This is the domain which will be used if a domain is needed and not
# explicitly set in the request.
# Defaults to undef (will use built-in Keystone default)
#
# == Dependencies
# None
#
# == Examples
#
# class { 'keystone':
# log_verbose => 'True',
# admin_token => 'my_special_token',
# }
#
# OR
#
# class { 'keystone':
# ...
# service_name => 'httpd',
# ...
# }
# class { 'keystone::wsgi::apache':
# ...
# }
#
# == Authors
#
# Dan Bode dan@puppetlabs.com
#
# == Copyright
#
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class keystone(
$admin_token,
$package_ensure = 'present',
$client_package_ensure = 'present',
$public_bind_host = '0.0.0.0',
$admin_bind_host = '0.0.0.0',
$public_port = '5000',
$admin_port = '35357',
$verbose = false,
$debug = false,
$log_dir = '/var/log/keystone',
$log_file = false,
$use_syslog = false,
$log_facility = 'LOG_USER',
$catalog_type = 'sql',
$catalog_driver = false,
$catalog_template_file = '/etc/keystone/default_catalog.templates',
$token_provider = 'keystone.token.providers.uuid.Provider',
$token_driver = 'keystone.token.persistence.backends.sql.Token',
$token_expiration = 3600,
$revoke_driver = 'keystone.contrib.revoke.backends.sql.Revoke',
$public_endpoint = false,
$admin_endpoint = false,
$enable_ssl = false,
$ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
$ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
$ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
$ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
$ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
$cache_dir = '/var/cache/keystone',
$memcache_servers = false,
$manage_service = true,
$cache_backend = 'keystone.common.cache.noop',
$cache_backend_argument = undef,
$debug_cache_backend = false,
$token_caching = true,
$enabled = true,
$database_connection = 'sqlite:////var/lib/keystone/keystone.db',
$database_idle_timeout = '200',
$enable_pki_setup = true,
$signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
$signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
$signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
$signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
$signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
$signing_key_size = 2048,
$rabbit_host = 'localhost',
$rabbit_hosts = false,
$rabbit_password = 'guest',
$rabbit_port = '5672',
$rabbit_userid = 'guest',
$rabbit_virtual_host = '/',
$rabbit_heartbeat_timeout_threshold = 0,
$rabbit_heartbeat_rate = 2,
$rabbit_use_ssl = false,
$kombu_ssl_ca_certs = undef,
$kombu_ssl_certfile = undef,
$kombu_ssl_keyfile = undef,
$kombu_ssl_version = 'TLSv1',
$notification_driver = false,
$notification_topics = false,
$notification_format = undef,
$control_exchange = false,
$validate_service = false,
$validate_insecure = false,
$validate_auth_url = false,
$validate_cacert = undef,
$paste_config = $::keystone::params::paste_config,
$service_provider = $::keystone::params::service_provider,
$service_name = $::keystone::params::service_name,
$max_token_size = undef,
$admin_workers = max($::processorcount, 2),
$public_workers = max($::processorcount, 2),
$sync_db = true,
$enable_fernet_setup = false,
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = undef,
$default_domain = undef,
# DEPRECATED PARAMETERS
$mysql_module = undef,
$compute_port = undef,
) inherits keystone::params {
if ! $catalog_driver {
validate_re($catalog_type, 'template|sql')
}
if $mysql_module {
warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
}
if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
}
if ($public_endpoint and 'v2.0' in $public_endpoint) {
warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
}
if $rabbit_use_ssl {
if !$kombu_ssl_ca_certs {
fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
}
if !$kombu_ssl_certfile {
fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
}
if !$kombu_ssl_keyfile {
fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
}
}
File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
include ::keystone::params
package { 'keystone':
ensure => $package_ensure,
name => $::keystone::params::package_name,
tag => 'openstack',
}
if $client_package_ensure == 'present' {
include '::openstacklib::openstackclient'
} else {
class { '::openstacklib::openstackclient':
package_ensure => $client_package_ensure,
}
}
group { 'keystone':
ensure => present,
system => true,
require => Package['keystone'],
}
user { 'keystone':
ensure => 'present',
gid => 'keystone',
system => true,
require => Package['keystone'],
}
file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
ensure => directory,
mode => '0750',
owner => 'keystone',
group => 'keystone',
require => Package['keystone'],
notify => Service[$service_name],
}
file { '/etc/keystone/keystone.conf':
ensure => present,
mode => '0600',
owner => 'keystone',
group => 'keystone',
require => Package['keystone'],
notify => Service[$service_name],
}
keystone_config {
'DEFAULT/admin_token': value => $admin_token, secret => true;
'DEFAULT/public_bind_host': value => $public_bind_host;
'DEFAULT/admin_bind_host': value => $admin_bind_host;
'DEFAULT/public_port': value => $public_port;
'DEFAULT/admin_port': value => $admin_port;
'DEFAULT/verbose': value => $verbose;
'DEFAULT/debug': value => $debug;
}
if $compute_port {
warning('The compute_port parameter is deprecated and will be removed in L')
keystone_config {
'DEFAULT/compute_port': value => $compute_port;
}
} else {
keystone_config {
'DEFAULT/compute_port': ensure => absent;
}
}
# Endpoint configuration
if $public_endpoint {
keystone_config {
'DEFAULT/public_endpoint': value => $public_endpoint;
}
} else {
keystone_config {
'DEFAULT/public_endpoint': ensure => absent;
}
}
if $admin_endpoint {
keystone_config {
'DEFAULT/admin_endpoint': value => $admin_endpoint;
}
} else {
keystone_config {
'DEFAULT/admin_endpoint': ensure => absent;
}
}
# requirements for memcache token driver
if ($token_driver =~ /memcache/ ) {
package { 'python-memcache':
ensure => present,
name => $::keystone::params::python_memcache_package_name,
}
}
# token driver config
keystone_config {
'token/driver': value => $token_driver;
'token/expiration': value => $token_expiration;
}
if $revoke_driver {
keystone_config {
'revoke/driver': value => $revoke_driver;
}
} else {
keystone_config {
'revoke/driver': ensure => absent;
}
}
# ssl config
if ($enable_ssl) {
keystone_config {
'ssl/enable': value => true;
'ssl/certfile': value => $ssl_certfile;
'ssl/keyfile': value => $ssl_keyfile;
'ssl/ca_certs': value => $ssl_ca_certs;
'ssl/ca_key': value => $ssl_ca_key;
'ssl/cert_subject': value => $ssl_cert_subject;
}
} else {
keystone_config {
'ssl/enable': value => false;
}
}
if($database_connection =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
require 'mysql::bindings'
require 'mysql::bindings::python'
} elsif($database_connection =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
} elsif($database_connection =~ /sqlite:\/\//) {
} else {
fail("Invalid db connection ${database_connection}")
}
# memcache connection config
if $memcache_servers {
validate_array($memcache_servers)
Service<| title == 'memcached' |> -> Service['keystone']
keystone_config {
'cache/enabled': value => true;
'cache/backend': value => $cache_backend;
'cache/debug_cache_backend': value => $debug_cache_backend;
'token/caching': value => $token_caching;
'memcache/servers': value => join($memcache_servers, ',');
}
if $cache_backend_argument {
validate_array($cache_backend_argument)
keystone_config {
'cache/backend_argument': value => join($cache_backend_argument, ',');
}
} else {
keystone_config {
'cache/backend_argument': ensure => absent;
}
}
} else {
keystone_config {
'cache/enabled': ensure => absent;
'cache/backend': ensure => absent;
'cache/backend_argument': ensure => absent;
'cache/debug_cache_backend': ensure => absent;
'token/caching': ensure => absent;
'memcache/servers': ensure => absent;
}
}
# db connection config
keystone_config {
'database/connection': value => $database_connection, secret => true;
'database/idle_timeout': value => $database_idle_timeout;
}
# configure based on the catalog backend
if $catalog_driver {
$catalog_driver_real = $catalog_driver
}
elsif ($catalog_type == 'template') {
$catalog_driver_real = 'keystone.catalog.backends.templated.Catalog'
}
elsif ($catalog_type == 'sql') {
$catalog_driver_real = 'keystone.catalog.backends.sql.Catalog'
}
keystone_config {
'catalog/driver': value => $catalog_driver_real;
'catalog/template_file': value => $catalog_template_file;
}
# Set the signing key/cert configuration values.
keystone_config {
'signing/certfile': value => $signing_certfile;
'signing/keyfile': value => $signing_keyfile;
'signing/ca_certs': value => $signing_ca_certs;
'signing/ca_key': value => $signing_ca_key;
'signing/cert_subject': value => $signing_cert_subject;
'signing/key_size': value => $signing_key_size;
}
# Create cache directory used for signing.
file { $cache_dir:
ensure => directory,
}
# Only do pki_setup if we were asked to do so. This is needed
# regardless of the token provider since token revocation lists
# are always signed.
if $enable_pki_setup {
exec { 'keystone-manage pki_setup':
path => '/usr/bin',
user => 'keystone',
refreshonly => true,
creates => $signing_keyfile,
notify => Service[$service_name],
subscribe => Package['keystone'],
require => User['keystone'],
}
}
keystone_config { 'token/provider': value => $token_provider }
if $max_token_size {
keystone_config { 'DEFAULT/max_token_size': value => $max_token_size }
} else {
keystone_config { 'DEFAULT/max_token_size': ensure => absent }
}
if $notification_driver {
keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
} else {
keystone_config { 'DEFAULT/notification_driver': ensure => absent }
}
if $notification_topics {
keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
} else {
keystone_config { 'DEFAULT/notification_topics': ensure => absent }
}
if $notification_format {
keystone_config { 'DEFAULT/notification_format': value => $notification_format }
} else {
keystone_config { 'DEFAULT/notification_format': ensure => absent }
}
if $control_exchange {
keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
} else {
keystone_config { 'DEFAULT/control_exchange': ensure => absent }
}
keystone_config {
'oslo_messaging_rabbit/rabbit_password': value => $rabbit_password, secret => true;
'oslo_messaging_rabbit/rabbit_userid': value => $rabbit_userid;
'oslo_messaging_rabbit/rabbit_virtual_host': value => $rabbit_virtual_host;
'oslo_messaging_rabbit/heartbeat_timeout_threshold': value => $rabbit_heartbeat_timeout_threshold;
'oslo_messaging_rabbit/heartbeat_rate': value => $rabbit_heartbeat_rate;
}
if $rabbit_hosts {
keystone_config { 'oslo_messaging_rabbit/rabbit_hosts': value => join($rabbit_hosts, ',') }
keystone_config { 'oslo_messaging_rabbit/rabbit_ha_queues': value => true }
} else {
keystone_config { 'oslo_messaging_rabbit/rabbit_host': value => $rabbit_host }
keystone_config { 'oslo_messaging_rabbit/rabbit_port': value => $rabbit_port }
keystone_config { 'oslo_messaging_rabbit/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" }
keystone_config { 'oslo_messaging_rabbit/rabbit_ha_queues': value => false }
}
keystone_config { 'oslo_messaging_rabbit/rabbit_use_ssl': value => $rabbit_use_ssl }
if $rabbit_use_ssl {
keystone_config {
'oslo_messaging_rabbit/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
'oslo_messaging_rabbit/kombu_ssl_certfile': value => $kombu_ssl_certfile;
'oslo_messaging_rabbit/kombu_ssl_keyfile': value => $kombu_ssl_keyfile;
'oslo_messaging_rabbit/kombu_ssl_version': value => $kombu_ssl_version;
}
} else {
keystone_config {
'oslo_messaging_rabbit/kombu_ssl_ca_certs': ensure => absent;
'oslo_messaging_rabbit/kombu_ssl_certfile': ensure => absent;
'oslo_messaging_rabbit/kombu_ssl_keyfile': ensure => absent;
'oslo_messaging_rabbit/kombu_ssl_version': ensure => absent;
}
}
keystone_config {
'DEFAULT/admin_workers': value => $admin_workers;
'DEFAULT/public_workers': value => $public_workers;
}
if $manage_service {
if $enabled {
$service_ensure = 'running'
} else {
$service_ensure = 'stopped'
}
} else {
warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.')
}
if $service_name == $::keystone::params::service_name {
if $validate_service {
if $validate_auth_url {
$v_auth_url = $validate_auth_url
} else {
$v_auth_url = $admin_endpoint
}
class { '::keystone::service':
ensure => $service_ensure,
service_name => $service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
provider => $service_provider,
validate => true,
admin_endpoint => $v_auth_url,
admin_token => $admin_token,
insecure => $validate_insecure,
cacert => $validate_cacert,
}
} else {
class { '::keystone::service':
ensure => $service_ensure,
service_name => $service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
provider => $service_provider,
validate => false,
}
}
} elsif $service_name == 'httpd' {
class { '::keystone::service':
ensure => 'stopped',
service_name => $::keystone::params::service_name,
enable => false,
provider => $service_provider,
validate => false,
}
} else {
fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server')
}
if $sync_db {
include ::keystone::db::sync
Class['::keystone::db::sync'] ~> Service[$service_name]
}
# Syslog configuration
if $use_syslog {
keystone_config {
'DEFAULT/use_syslog': value => true;
'DEFAULT/syslog_log_facility': value => $log_facility;
}
} else {
keystone_config {
'DEFAULT/use_syslog': value => false;
}
}
if $log_file {
keystone_config {
'DEFAULT/log_file': value => $log_file;
'DEFAULT/log_dir': value => $log_dir;
}
} else {
if $log_dir {
keystone_config {
'DEFAULT/log_dir': value => $log_dir;
'DEFAULT/log_file': ensure => absent;
}
} else {
keystone_config {
'DEFAULT/log_dir': ensure => absent;
'DEFAULT/log_file': ensure => absent;
}
}
}
if $paste_config {
keystone_config {
'paste_deploy/config_file': value => $paste_config;
}
} else {
keystone_config {
'paste_deploy/config_file': ensure => absent;
}
}
# Fernet tokens support
if $enable_fernet_setup {
validate_string($fernet_key_repository)
exec { 'keystone-manage fernet_setup':
path => '/usr/bin',
user => 'keystone',
refreshonly => true,
creates => "${fernet_key_repository}/0",
notify => Service[$service_name],
subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']],
}
}
if $fernet_key_repository {
keystone_config {
'fernet_tokens/key_repository': value => $fernet_key_repository;
}
} else {
keystone_config {
'fernet_tokens/key_repository': ensure => absent;
}
}
if $fernet_max_active_keys {
keystone_config {
'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
}
} else {
keystone_config {
'fernet_tokens/max_active_keys': ensure => absent;
}
}
if $default_domain {
keystone_domain { $default_domain:
ensure => present,
enabled => true,
is_default => true,
require => File['/etc/keystone/keystone.conf'],
notify => Exec['restart_keystone'],
}
# Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed.
# 1/ Keystone needs to be started before creating the default domain
# 2/ Once the default domain is created, we can query Keystone to get the default domain ID
# 3/ The Keystone_domain provider has in charge of doing the query and configure keystone.conf
# 4/ After such a change, we need to restart Keystone service.
# restart_keystone exec is doing 4/, it restart Keystone if we have a new default domain setted
# and if we manage the service to be enabled.
if $manage_service and $enabled {
exec { 'restart_keystone':
path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin/'],
command => "service ${service_name} restart",
refreshonly => true,
}
}
}
anchor { 'keystone_started':
require => Service[$service_name]
}
}
View Git Blame Copy Permalink