Define keystone token provider

In order to eventually enable fernet tokens for keystone, we need to be
specify the token provider. This change codifies the current default
used by TripleO of uuid tokens and fernet token setup disabled.

Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a
Closes-Bug: #1641763

puppet/services/keystone.yaml

@@ -1,4 +1,4 @@
-heat_template_version: 2016-04-08
+heat_template_version: 2016-10-14
 
 description: >
   OpenStack Keystone service configured with Puppet
@@ -32,6 +32,12 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  KeystoneTokenProvider:
+    description: The keystone token format
+    type: string
+    default: 'uuid'
+    constraints:
+      - allowed_values: ['uuid', 'fernet']
   ServiceNetMap:
     default: {}
     description: Mapping of service_name -> network name. Typically set
@@ -112,6 +118,9 @@ resources:
       EndpointMap: {get_param: EndpointMap}
       EnableInternalTLS: {get_param: EnableInternalTLS}
 
+conditions:
+  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+
 outputs:
   role_data:
     description: Role data for the Keystone role.
@@ -138,6 +147,8 @@ outputs:
             keystone::roles::admin::password: {get_param: AdminPassword}
             keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
             keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
+            keystone::token_provider: {get_param: KeystoneTokenProvider}
+            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
             keystone::enable_proxy_headers_parsing: true
             keystone::enable_credential_setup: true
             keystone::credential_keys: