openstack
/
tripleo-heat-templates
Code Issues Proposed changes
tripleo-heat-templates/puppet/services/keystone.yaml

349 lines
14 KiB
YAML
Raw Blame History

heat_template_version: ocata
description: >
OpenStack Keystone service configured with Puppet
parameters:
KeystoneEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Keystone database.
type: boolean
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
type: string
KeystoneSSLCertificateKey:
default: ''
description: Keystone key for signing tokens.
type: string
hidden: true
KeystoneNotificationDriver:
description: Comma-separated list of Oslo notification drivers used by Keystone
default: ['messaging']
type: comma_delimited_list
KeystoneNotificationFormat:
description: The Keystone notification format
default: 'basic'
type: string
constraints:
- allowed_values: [ 'basic', 'cadf' ]
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
Debug:
type: string
default: ''
AdminEmail:
default: 'admin@example.com'
description: The email for the keystone admin account.
type: string
hidden: true
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
AdminToken:
description: The keystone auth secret and db password.
type: string
hidden: true
RabbitPassword:
description: The password for RabbitMQ
type: string
hidden: true
RabbitUserName:
default: guest
description: The username for RabbitMQ
type: string
RabbitClientUseSSL:
default: false
description: >
Rabbit client subscriber parameter to specify
an SSL connection to the RabbitMQ host.
type: string
RabbitClientPort:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
KeystoneWorkers:
type: string
description: Set the number of workers for keystone::wsgi::apache
default: '%{::os_workers}'
MonitoringSubscriptionKeystone:
default: 'overcloud-keystone'
type: string
KeystoneCredential0:
type: string
description: The first Keystone credential key. Must be a valid key.
KeystoneCredential1:
type: string
description: The second Keystone credential key. Must be a valid key.
KeystoneFernetKey0:
type: string
description: The first Keystone fernet key. Must be a valid key.
KeystoneFernetKey1:
type: string
description: The second Keystone fernet key. Must be a valid key.
KeystoneLoggingSource:
type: json
default:
tag: openstack.keystone
path: /var/log/keystone/keystone.log
EnableInternalTLS:
type: boolean
default: false
KeystoneCronTokenFlushEnsure:
type: string
description: >
Cron to purge expired tokens - Ensure
default: 'present'
KeystoneCronTokenFlushMinute:
type: comma_delimited_list
description: >
Cron to purge expired tokens - Minute
default: '1'
KeystoneCronTokenFlushHour:
type: comma_delimited_list
description: >
Cron to purge expired tokens - Hour
default: '0'
KeystoneCronTokenFlushMonthday:
type: comma_delimited_list
description: >
Cron to purge expired tokens - Month Day
default: '*'
KeystoneCronTokenFlushMonth:
type: comma_delimited_list
description: >
Cron to purge expired tokens - Month
default: '*'
KeystoneCronTokenFlushWeekday:
type: comma_delimited_list
description: >
Cron to purge expired tokens - Week Day
default: '*'
KeystoneCronTokenFlushMaxDelay:
type: string
description: >
Cron to purge expired tokens - Max Delay
default: '0'
KeystoneCronTokenFlushDestination:
type: string
description: >
Cron to purge expired tokens - Log destination
default: '/var/log/keystone/keystone-tokenflush.log'
KeystoneCronTokenFlushUser:
type: string
description: >
Cron to purge expired tokens - User
default: 'keystone'
KeystonePolicies:
description: |
A hash of policies to configure for Keystone.
e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
KeystoneLDAPDomainEnable:
description: Trigger to call ldap_backend puppet keystone define.
type: boolean
default: False
KeystoneLDAPBackendConfigs:
description: Hash containing the configurations for the LDAP backends
configured in keystone.
type: json
default: {}
hidden: true
resources:
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
EnableInternalTLS: {get_param: EnableInternalTLS}
conditions:
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
outputs:
role_data:
description: Role data for the Keystone role.
value:
service_name: keystone
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
logging_source: {get_param: KeystoneLoggingSource}
logging_groups:
- keystone
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone::database_connection:
list_join:
- ''
- - {get_param: [EndpointMap, MysqlInternal, protocol]}
- '://keystone:'
- {get_param: AdminToken}
- '@'
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/keystone'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
keystone::admin_token: {get_param: AdminToken}
keystone::admin_password: {get_param: AdminPassword}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
keystone::enable_proxy_headers_parsing: true
keystone::enable_credential_setup: true
keystone::credential_keys:
'/etc/keystone/credential-keys/0':
content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
keystone::fernet_keys:
'/etc/keystone/fernet-keys/0':
content: {get_param: KeystoneFernetKey0}
'/etc/keystone/fernet-keys/1':
content: {get_param: KeystoneFernetKey1}
keystone::debug: {get_param: Debug}
keystone::rabbit_userid: {get_param: RabbitUserName}
keystone::rabbit_password: {get_param: RabbitPassword}
keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
keystone::rabbit_port: {get_param: RabbitClientPort}
keystone::notification_driver: {get_param: KeystoneNotificationDriver}
keystone::notification_format: {get_param: KeystoneNotificationFormat}
keystone::roles::admin::email: {get_param: AdminEmail}
keystone::roles::admin::password: {get_param: AdminPassword}
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
keystone::endpoint::region: {get_param: KeystoneRegion}
keystone::endpoint::version: ''
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
keystone::rabbit_heartbeat_timeout_threshold: 60
keystone::cron::token_flush::maxdelay: 3600
keystone::roles::admin::service_tenant: 'service'
keystone::roles::admin::admin_tenant: 'admin'
keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
keystone::config::keystone_config:
ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::service_name: 'httpd'
keystone::enable_ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::servername_admin:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
# override via extraconfig:
keystone::wsgi::apache::threads: 1
keystone::db::database_db_max_retries: -1
keystone::db::database_max_retries: -1
tripleo.keystone.firewall_rules:
'111 keystone':
dport:
- 5000
- 13000
- 35357
- 13357
keystone::admin_bind_host:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::public_bind_host:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
# NOTE: this applies to all 2 bind IP settings below...
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
-
if:
- keystone_ldap_domain_enabled
-
tripleo::profile::base::keystone::ldap_backend_enable: True
keystone::using_domain_config: True
tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs
- {}
step_config: |
include ::tripleo::profile::base::keystone
service_config_settings:
mysql:
keystone::db::mysql::password: {get_param: AdminToken}
keystone::db::mysql::user: keystone
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
keystone::db::mysql::dbname: keystone
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
horizon:
if:
- keystone_ldap_domain_enabled
-
horizon::keystone_multidomain_support: true
horizon::keystone_default_domain: 'Default'
- {}
# Ansible tasks to handle upgrade
upgrade_tasks:
- name: Stop keystone service (running under httpd)
tags: step1
service: name=httpd state=stopped
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
View Git Blame Copy Permalink