fb0e8f62fc
With the upgrade to puppet 5, we can no longer use dots in the hieradata key lookups. This change updates the THT for firewall_rules, haproxy_endpoints and haproxy_userlists to use the colon notation. Change-Id: I6f67153e04aed191acb715fe8cfa976ee2e75878 Related-Bug: #1803024
598 lines
24 KiB
YAML
598 lines
24 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Keystone service configured with Puppet
|
|
|
|
parameters:
|
|
KeystoneEnableDBPurge:
|
|
default: true
|
|
description: |
|
|
Whether to create cron job for purging soft deleted rows in Keystone database.
|
|
type: boolean
|
|
KeystoneSSLCertificate:
|
|
default: ''
|
|
description: Keystone certificate for verifying token validity.
|
|
type: string
|
|
KeystoneSSLCertificateKey:
|
|
default: ''
|
|
description: Keystone key for signing tokens.
|
|
type: string
|
|
hidden: true
|
|
KeystoneNotificationDriver:
|
|
description: Comma-separated list of Oslo notification drivers used by Keystone
|
|
default: ['messaging']
|
|
type: comma_delimited_list
|
|
KeystoneNotificationFormat:
|
|
description: The Keystone notification format
|
|
default: 'basic'
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ 'basic', 'cadf' ]
|
|
KeystoneNotificationTopics:
|
|
description: Keystone notification topics to enable
|
|
default: []
|
|
type: comma_delimited_list
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
KeystoneTokenProvider:
|
|
description: The keystone token format
|
|
type: string
|
|
default: 'fernet'
|
|
constraints:
|
|
- allowed_values: ['uuid', 'fernet']
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
KeystoneDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging Keystone service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
AdminEmail:
|
|
default: 'admin@example.com'
|
|
description: The email for the keystone admin account.
|
|
type: string
|
|
hidden: true
|
|
AdminPassword:
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
type: string
|
|
hidden: true
|
|
AdminToken:
|
|
description: The keystone auth secret and db password.
|
|
type: string
|
|
hidden: true
|
|
RpcPort:
|
|
default: 5672
|
|
description: The network port for messaging backend
|
|
type: number
|
|
RpcUserName:
|
|
default: guest
|
|
description: The username for messaging backend
|
|
type: string
|
|
RpcPassword:
|
|
description: The password for messaging backend
|
|
type: string
|
|
hidden: true
|
|
RpcUseSSL:
|
|
default: false
|
|
description: >
|
|
Messaging client subscriber parameter to specify
|
|
an SSL connection to the messaging host.
|
|
type: string
|
|
TokenExpiration:
|
|
default: 3600
|
|
description: Set a token expiration time in seconds.
|
|
type: number
|
|
KeystoneWorkers:
|
|
type: string
|
|
description: Set the number of workers for keystone::wsgi::apache
|
|
default: '%{::os_workers}'
|
|
MonitoringSubscriptionKeystone:
|
|
default: 'overcloud-keystone'
|
|
type: string
|
|
KeystoneCredential0:
|
|
type: string
|
|
description: The first Keystone credential key. Must be a valid key.
|
|
KeystoneCredential1:
|
|
type: string
|
|
description: The second Keystone credential key. Must be a valid key.
|
|
KeystoneFernetKey0:
|
|
type: string
|
|
default: ''
|
|
description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
|
|
KeystoneFernetKey1:
|
|
type: string
|
|
default: ''
|
|
description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
|
|
KeystoneFernetKeys:
|
|
type: json
|
|
description: Mapping containing keystone's fernet keys and their paths.
|
|
KeystoneFernetMaxActiveKeys:
|
|
type: number
|
|
description: The maximum active keys in the keystone fernet key repository.
|
|
default: 5
|
|
ManageKeystoneFernetKeys:
|
|
type: boolean
|
|
default: true
|
|
description: Whether TripleO should manage the keystone fernet keys or not.
|
|
If set to true, the fernet keys will get the values from the
|
|
saved keys repository in mistral (the KeystoneFernetKeys
|
|
variable). If set to false, only the stack creation
|
|
initializes the keys, but subsequent updates won't touch them.
|
|
KeystoneLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone
|
|
path: /var/log/keystone/keystone.log
|
|
KeystoneErrorLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone.error
|
|
path: /var/log/httpd/keystone/error_log
|
|
KeystoneAdminAccessLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone.admin.access
|
|
path: /var/log/httpd/keystone/keystone_wsgi_admin_access.log
|
|
KeystoneAdminErrorLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone.admin.error
|
|
path: /var/log/httpd/keystone/keystone_wsgi_admin_error.log
|
|
KeystoneMainAcccessLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone.main.access
|
|
path: /var/log/httpd/keystone/keystone_wsgi_main_access.log
|
|
KeystoneMainErrorLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone.wsgi.main.error
|
|
path: /var/log/httpd/keystone/keystone_wsgi_main_error.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
KeystoneCronTokenFlushEnsure:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Ensure
|
|
default: 'present'
|
|
KeystoneCronTokenFlushMinute:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired tokens - Minute
|
|
default: '1'
|
|
KeystoneCronTokenFlushHour:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired tokens - Hour
|
|
default: '*'
|
|
KeystoneCronTokenFlushMonthday:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired tokens - Month Day
|
|
default: '*'
|
|
KeystoneCronTokenFlushMonth:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired tokens - Month
|
|
default: '*'
|
|
KeystoneCronTokenFlushWeekday:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired tokens - Week Day
|
|
default: '*'
|
|
KeystoneCronTokenFlushMaxDelay:
|
|
type: number
|
|
description: >
|
|
Cron to purge expired tokens - Max Delay
|
|
default: 0
|
|
KeystoneCronTokenFlushDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Log destination
|
|
default: '/var/log/keystone/keystone-tokenflush.log'
|
|
KeystoneCronTokenFlushUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - User
|
|
default: 'keystone'
|
|
KeystonePolicies:
|
|
description: |
|
|
A hash of policies to configure for Keystone.
|
|
e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
KeystoneLDAPDomainEnable:
|
|
description: Trigger to call ldap_backend puppet keystone define.
|
|
type: boolean
|
|
default: False
|
|
KeystoneLDAPBackendConfigs:
|
|
description: Hash containing the configurations for the LDAP backends
|
|
configured in keystone.
|
|
type: json
|
|
default: {}
|
|
hidden: true
|
|
NotificationDriver:
|
|
type: string
|
|
default: 'messagingv2'
|
|
description: Driver or drivers to handle sending notifications.
|
|
KeystoneChangePasswordUponFirstUse:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
Enabling this option requires users to change their password when the
|
|
user is created, or upon administrative reset.
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
KeystoneDisableUserAccountDaysInactive:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The maximum number of days a user can go without authenticating before
|
|
being considered "inactive" and automatically disabled (locked).
|
|
KeystoneLockoutDuration:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The number of seconds a user account will be locked when the maximum
|
|
number of failed authentication attempts (as specified by
|
|
KeystoneLockoutFailureAttempts) is exceeded.
|
|
KeystoneLockoutFailureAttempts:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The maximum number of times that a user can fail to authenticate before
|
|
the user account is locked for the number of seconds specified by
|
|
KeystoneLockoutDuration.
|
|
KeystoneMinimumPasswordAge:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The number of days that a password must be used before the user can
|
|
change it. This prevents users from changing their passwords immediately
|
|
in order to wipe out their password history and reuse an old password.
|
|
KeystonePasswordExpiresDays:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The number of days for which a password will be considered valid before
|
|
requiring it to be changed.
|
|
KeystonePasswordRegex:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The regular expression used to validate password strength requirements.
|
|
KeystonePasswordRegexDescription:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
Describe your password regular expression here in language for humans.
|
|
KeystoneUniqueLastPasswordCount:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
This controls the number of previous user password iterations to keep in
|
|
history, in order to enforce that newly created passwords are unique.
|
|
KeystoneCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
KeystoneEnableMember:
|
|
description: Create the _member_ role, useful for undercloud deployment.
|
|
type: boolean
|
|
default: False
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- KeystoneFernetKey0
|
|
- KeystoneFernetKey1
|
|
- KeystoneNotificationDriver
|
|
|
|
resources:
|
|
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
conditions:
|
|
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
|
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
|
|
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
|
|
|
|
# Security compliance
|
|
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
|
|
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
|
|
lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
|
|
lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
|
|
minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
|
|
password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
|
|
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
|
|
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
|
|
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
|
|
cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Keystone role.
|
|
value:
|
|
service_name: keystone
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
-
|
|
if:
|
|
- cors_allowed_origin_unset
|
|
- {}
|
|
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
|
|
- keystone_enable_member: {get_param: KeystoneEnableMember}
|
|
- keystone::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: keystone
|
|
password: {get_param: AdminToken}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /keystone
|
|
query:
|
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
keystone::token_expiration: {get_param: TokenExpiration}
|
|
keystone::admin_token: {get_param: AdminToken}
|
|
keystone::admin_password: {get_param: AdminPassword}
|
|
keystone::roles::admin::password: {get_param: AdminPassword}
|
|
keystone::policy::policies: {get_param: KeystonePolicies}
|
|
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
|
|
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
|
|
keystone::token_provider: {get_param: KeystoneTokenProvider}
|
|
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
|
|
keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
|
|
keystone::enable_proxy_headers_parsing: true
|
|
keystone::enable_credential_setup: true
|
|
keystone::credential_keys:
|
|
'/etc/keystone/credential-keys/0':
|
|
content: {get_param: KeystoneCredential0}
|
|
'/etc/keystone/credential-keys/1':
|
|
content: {get_param: KeystoneCredential1}
|
|
keystone::fernet_keys: {get_param: KeystoneFernetKeys}
|
|
keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
|
|
keystone::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: KeystoneDebug }
|
|
# TODO(ansmith): remove once p-t-o switches to oslo params
|
|
keystone::rabbit_userid: {get_param: RpcUserName}
|
|
keystone::rabbit_password: {get_param: RpcPassword}
|
|
keystone::rabbit_use_ssl: {get_param: RpcUseSSL}
|
|
keystone::rabbit_port: {get_param: RpcPort}
|
|
keystone::notification_driver: {get_param: NotificationDriver}
|
|
keystone::notification_format: {get_param: KeystoneNotificationFormat}
|
|
tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
|
|
keystone::roles::admin::email: {get_param: AdminEmail}
|
|
keystone::roles::admin::password: {get_param: AdminPassword}
|
|
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
keystone::endpoint::region: {get_param: KeystoneRegion}
|
|
keystone::endpoint::version: ''
|
|
keystone::admin_port: {get_param: [EndpointMap, KeystoneAdmin, port]}
|
|
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
|
|
keystone::rabbit_heartbeat_timeout_threshold: 60
|
|
keystone::cron::token_flush::maxdelay: 3600
|
|
keystone::roles::admin::service_tenant: 'service'
|
|
keystone::roles::admin::admin_tenant: 'admin'
|
|
keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
|
|
keystone::config::keystone_config:
|
|
ec2/driver:
|
|
value: 'keystone.contrib.ec2.backends.sql.Ec2'
|
|
keystone::service_name: 'httpd'
|
|
keystone::enable_ssl: {get_param: EnableInternalTLS}
|
|
keystone::wsgi::apache::admin_port: {get_param: [EndpointMap, KeystoneAdmin, port]}
|
|
keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
keystone::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
keystone::wsgi::apache::servername_admin:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
|
|
# override via extraconfig:
|
|
keystone::wsgi::apache::threads: 1
|
|
keystone::db::database_db_max_retries: -1
|
|
keystone::db::database_max_retries: -1
|
|
tripleo::keystone::firewall_rules:
|
|
'111 keystone':
|
|
dport:
|
|
- 5000
|
|
- 13000
|
|
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
|
keystone::admin_bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
keystone::public_bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
# NOTE: this applies to all 2 bind IP settings below...
|
|
keystone::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
keystone::wsgi::apache::admin_bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
|
|
keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
|
|
keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
|
|
keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
|
|
keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
|
|
keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
|
|
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
|
|
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
|
|
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
|
|
-
|
|
if:
|
|
- keystone_ldap_domain_enabled
|
|
-
|
|
tripleo::profile::base::keystone::ldap_backend_enable: True
|
|
keystone::using_domain_config: True
|
|
tripleo::profile::base::keystone::ldap_backends_config:
|
|
get_param: KeystoneLDAPBackendConfigs
|
|
- {}
|
|
-
|
|
if:
|
|
- change_password_upon_first_use_set
|
|
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
|
|
- {}
|
|
-
|
|
if:
|
|
- disable_user_account_days_inactive_set
|
|
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
|
|
- {}
|
|
-
|
|
if:
|
|
- lockout_duration_set
|
|
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
|
|
- {}
|
|
-
|
|
if:
|
|
- lockout_failure_attempts_set
|
|
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
|
|
- {}
|
|
-
|
|
if:
|
|
- minimum_password_age_set
|
|
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
|
|
- {}
|
|
-
|
|
if:
|
|
- password_expires_days_set
|
|
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
|
|
- {}
|
|
-
|
|
if:
|
|
- password_regex_set
|
|
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
|
|
- {}
|
|
-
|
|
if:
|
|
- password_regex_description_set
|
|
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
|
|
- {}
|
|
-
|
|
if:
|
|
- unique_last_password_count_set
|
|
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
|
|
- {}
|
|
|
|
step_config: |
|
|
include ::tripleo::profile::base::keystone
|
|
service_config_settings:
|
|
fluentd:
|
|
tripleo_fluentd_groups_keystone:
|
|
- keystone
|
|
tripleo_fluentd_sources_keystone:
|
|
- {get_param: KeystoneLoggingSource}
|
|
- {get_param: KeystoneErrorLoggingSource}
|
|
- {get_param: KeystoneAdminAccessLoggingSource}
|
|
- {get_param: KeystoneAdminErrorLoggingSource}
|
|
- {get_param: KeystoneMainAcccessLoggingSource}
|
|
- {get_param: KeystoneMainErrorLoggingSource}
|
|
mysql:
|
|
keystone::db::mysql::password: {get_param: AdminToken}
|
|
keystone::db::mysql::user: keystone
|
|
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
keystone::db::mysql::dbname: keystone
|
|
keystone::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
pacemaker:
|
|
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
keystone::endpoint::region: {get_param: KeystoneRegion}
|
|
keystone::admin_password: {get_param: AdminPassword}
|
|
horizon:
|
|
if:
|
|
- keystone_ldap_domain_enabled
|
|
-
|
|
horizon::keystone_multidomain_support: true
|
|
horizon::keystone_default_domain: 'Default'
|
|
- {}
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
upgrade_tasks:
|
|
list_concat:
|
|
- get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
|
|
-
|
|
- name: Stop keystone service (running under httpd)
|
|
when: step|int == 1
|
|
service: name=httpd state=stopped
|