a096ddab34
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role-specific parameters to services and other templates. Two new parameters - RoleName and RoleParameters - are added to the service template. RoleName provides the name of the role on which the current instance of the service is being applied. RoleParameters provides the list of parameters which are configured specifically for the role in the environment file, like below: parameter_defaults: # Default value applied to all roles NovaReservedHostMemory: 2048 ComputeDpdkParameters: # Applied only to ComputeDpdk role NovaReservedHostMemory: 4096 In the above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for the ComputeDpdk role. A parameter which supports role-specific configuration should be looked up first in the RoleParameters list; if it is not found there, the default (for all roles) should be used. Implements: blueprint tripleo-derive-parameters Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
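heat_template_version: pike

description: >
  OpenStack Keystone service configured with Puppet

parameters:
  KeystoneEnableDBPurge:
    default: true
    description: |
        Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationDriver:
    description: Comma-separated list of Oslo notification drivers used by Keystone
    default: ['messaging']
    type: comma_delimited_list
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: [ 'basic', 'cadf' ]
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['uuid', 'fernet']
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  # RoleName / RoleParameters are passed down to every nested service
  # template (see ApacheServiceBase below) so that per-role overrides can
  # take precedence over the global parameter value.
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  Debug:
    type: string
    default: ''
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  AdminToken:
    # NOTE: this single value is used both as keystone's admin_token and as
    # the keystone MySQL password (see keystone::database_connection and the
    # mysql service_config_settings below).
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '%{::os_workers}'
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  # The credential and fernet keys become the file contents of
  # /etc/keystone/credential-keys/* and /etc/keystone/fernet-keys/* (see
  # keystone::credential_keys / keystone::fernet_keys in config_settings), so
  # they are marked hidden like the other secrets in this template.
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneFernetKey0:
    type: string
    description: The first Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneFernetKey1:
    type: string
    description: The second Keystone fernet key. Must be a valid key.
    hidden: true
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      path: /var/log/keystone/keystone.log
  EnableInternalTLS:
    type: boolean
    default: false
  KeystoneCronTokenFlushEnsure:
    type: string
    description: >
        Cron to purge expired tokens - Ensure
    default: 'present'
  KeystoneCronTokenFlushMinute:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Minute
    default: '1'
  KeystoneCronTokenFlushHour:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Hour
    default: '*'
  KeystoneCronTokenFlushMonthday:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Month Day
    default: '*'
  KeystoneCronTokenFlushMonth:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Month
    default: '*'
  KeystoneCronTokenFlushWeekday:
    type: comma_delimited_list
    description: >
        Cron to purge expired tokens - Week Day
    default: '*'
  KeystoneCronTokenFlushMaxDelay:
    type: string
    description: >
        Cron to purge expired tokens - Max Delay
    default: '0'
  KeystoneCronTokenFlushDestination:
    type: string
    description: >
        Cron to purge expired tokens - Log destination
    default: '/var/log/keystone/keystone-tokenflush.log'
  KeystoneCronTokenFlushUser:
    type: string
    description: >
        Cron to purge expired tokens - User
    default: 'keystone'
  KeystonePolicies:
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  KeystoneLDAPDomainEnable:
    description: Trigger to call ldap_backend puppet keystone define.
    type: boolean
    default: false
  KeystoneLDAPBackendConfigs:
    description: Hash containing the configurations for the LDAP backends
                 configured in keystone.
    type: json
    default: {}
    hidden: true

resources:

  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}

conditions:
  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, true]}

outputs:
  role_data:
    description: Role data for the Keystone role.
    value:
      service_name: keystone
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      logging_source: {get_param: KeystoneLoggingSource}
      logging_groups:
        - keystone
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - keystone::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: keystone
                password: {get_param: AdminToken}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /keystone
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            keystone::admin_token: {get_param: AdminToken}
            keystone::admin_password: {get_param: AdminPassword}
            keystone::roles::admin::password: {get_param: AdminPassword}
            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::fernet_keys:
              '/etc/keystone/fernet-keys/0':
                content: {get_param: KeystoneFernetKey0}
              '/etc/keystone/fernet-keys/1':
                content: {get_param: KeystoneFernetKey1}
            keystone::fernet_replace_keys: false
            keystone::debug: {get_param: Debug}
            keystone::rabbit_userid: {get_param: RabbitUserName}
            keystone::rabbit_password: {get_param: RabbitPassword}
            keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            keystone::rabbit_port: {get_param: RabbitClientPort}
            keystone::notification_driver: {get_param: KeystoneNotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            keystone::roles::admin::email: {get_param: AdminEmail}
            keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            keystone::endpoint::region: {get_param: KeystoneRegion}
            keystone::endpoint::version: ''
            keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            keystone::roles::admin::service_tenant: 'service'
            keystone::roles::admin::admin_tenant: 'admin'
            keystone::config::keystone_config:
              ec2/driver:
                value: 'keystone.contrib.ec2.backends.sql.Ec2'
            keystone::service_name: 'httpd'
            keystone::enable_ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::servername_admin:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            # 5000/35357 are the keystone public/admin API ports; 13000/13357 are
            # presumably the TLS-fronted counterparts -- confirm against EndpointMap.
            tripleo.keystone.firewall_rules:
              '111 keystone':
                dport:
                  - 5000
                  - 13000
                  - 35357
                  - 13357
            keystone::admin_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            keystone::public_bind_host:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            # NOTE: this applies to all 2 bind IP settings below...
            keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
            # NOTE: every token_flush setting is parameter-driven. The literal
            # maxdelay (3600) and destination values that used to appear earlier
            # in this same mapping were duplicate keys; YAML resolves duplicates
            # to the last occurrence, so the parameters below were already the
            # effective values and the dead literals have been removed.
            keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
            keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
            keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
            keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
            keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
            keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
            keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
            keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
            keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
          -
            if:
              - keystone_ldap_domain_enabled
              -
                tripleo::profile::base::keystone::ldap_backend_enable: true
                keystone::using_domain_config: true
                tripleo::profile::base::keystone::ldap_backends_config:
                  get_param: KeystoneLDAPBackendConfigs
              - {}

      step_config: |
        include ::tripleo::profile::base::keystone
      service_config_settings:
        mysql:
          keystone::db::mysql::password: {get_param: AdminToken}
          keystone::db::mysql::user: keystone
          keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          keystone::db::mysql::dbname: keystone
          # '%' grants the keystone DB user access from any host, so reachability
          # of the MySQL port is controlled at the network/firewall level rather
          # than by this grant; the second entry is the MySQL bind host from hiera.
          keystone::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        horizon:
          if:
            - keystone_ldap_domain_enabled
            -
              horizon::keystone_multidomain_support: true
              horizon::keystone_default_domain: 'Default'
            - {}
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        yaql:
          expression: $.data.apache_upgrade + $.data.keystone_upgrade
          data:
            apache_upgrade:
              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
            keystone_upgrade:
              - name: Stop keystone service (running under httpd)
                tags: step1
                service: name=httpd state=stopped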