packstack/packstack/puppet/modules/packstack/manifests/keystone.pp

137 lines
7.4 KiB
Puppet

class packstack::keystone ()
{
create_resources(packstack::firewall, hiera('FIREWALL_KEYSTONE_RULES', {}))
$keystone_use_ssl = false
$keystone_cfg_ks_db_pw = hiera('CONFIG_KEYSTONE_DB_PW')
$keystone_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
$keystone_token_provider_str = downcase(hiera('CONFIG_KEYSTONE_TOKEN_FORMAT'))
$keystone_url = regsubst(regsubst(hiera('CONFIG_KEYSTONE_PUBLIC_URL'),'/v2.0',''),'/v3','')
$keystone_admin_url = hiera('CONFIG_KEYSTONE_ADMIN_URL')
$bind_host = hiera('CONFIG_IP_VERSION') ? {
'ipv6' => '::0',
default => '0.0.0.0',
# TO-DO(mmagr): Add IPv6 support when hostnames are used
}
class { '::keystone::client': }
if hiera('CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',false) {
class { '::keystone::cron::fernet_rotate':
require => Service['crond'],
}
service { 'crond':
ensure => 'running',
enable => true,
}
}
class { '::keystone::logging':
debug => hiera('CONFIG_DEBUG_MODE'),
}
class { '::keystone':
admin_token => hiera('CONFIG_KEYSTONE_ADMIN_TOKEN'),
admin_password => hiera('CONFIG_KEYSTONE_ADMIN_PW'),
database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone",
token_provider => "${keystone_token_provider_str}",
enable_fernet_setup => true,
service_name => 'httpd',
enable_ssl => $keystone_use_ssl,
public_bind_host => $bind_host,
admin_bind_host => $bind_host,
default_domain => 'Default',
}
class { '::keystone::wsgi::apache':
workers => hiera('CONFIG_SERVICE_WORKERS'),
ssl => $keystone_use_ssl
}
if hiera('CONFIG_HEAT_INSTALL') == 'y' {
$keystone_admin_roles = ['admin', '_member_', 'heat_stack_owner']
} else {
$keystone_admin_roles = ['admin']
}
# Ensure the default _member_ role is present
keystone_role { '_member_':
ensure => present,
} ->
class { '::keystone::roles::admin':
email => hiera('CONFIG_KEYSTONE_ADMIN_EMAIL'),
admin => hiera('CONFIG_KEYSTONE_ADMIN_USERNAME'),
password => hiera('CONFIG_KEYSTONE_ADMIN_PW'),
admin_tenant => 'admin',
admin_roles => $keystone_admin_roles,
}
class { '::keystone::endpoint':
default_domain => 'Default',
public_url => $keystone_url,
internal_url => $keystone_url,
admin_url => $keystone_admin_url,
region => hiera('CONFIG_KEYSTONE_REGION'),
version => 'v3',
}
# default assignment driver is SQL
$assignment_driver = 'keystone.assignment.backends.sql.Assignment'
if hiera('CONFIG_KEYSTONE_IDENTITY_BACKEND') == 'ldap' {
if hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN', undef) {
$user_enabled_emulation = true
} else {
$user_enabled_emulation = false
}
class { '::keystone::ldap':
url => hiera_undef('CONFIG_KEYSTONE_LDAP_URL', undef),
user => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_DN', undef),
password => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_PASSWORD', undef),
suffix => hiera_undef('CONFIG_KEYSTONE_LDAP_SUFFIX', undef),
query_scope => hiera_undef('CONFIG_KEYSTONE_LDAP_QUERY_SCOPE', undef),
page_size => hiera_undef('CONFIG_KEYSTONE_LDAP_PAGE_SIZE', undef),
user_tree_dn => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_SUBTREE', undef),
user_filter => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_FILTER', undef),
user_objectclass => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_OBJECTCLASS', undef),
user_id_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ID_ATTRIBUTE', undef),
user_name_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_NAME_ATTRIBUTE', undef),
user_mail_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_MAIL_ATTRIBUTE', undef),
user_enabled_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_ATTRIBUTE', undef),
user_enabled_mask => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK', undef),
user_enabled_default => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_DEFAULT', undef),
user_enabled_invert => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT', undef),
user_attribute_ignore => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ATTRIBUTE_IGNORE', undef),
user_default_project_id_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE', undef),
user_allow_create => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE', undef),
user_allow_update => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE', undef),
user_allow_delete => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE', undef),
user_pass_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE', undef),
user_enabled_emulation => $user_enabled_emulation,
user_enabled_emulation_dn => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN', undef),
user_additional_attribute_mapping => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ADDITIONAL_ATTRIBUTE_MAPPING', undef),
group_tree_dn => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_SUBTREE', undef),
group_filter => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_FILTER', undef),
group_objectclass => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_OBJECTCLASS', undef),
group_id_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ID_ATTRIBUTE', undef),
group_name_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_NAME_ATTRIBUTE', undef),
group_member_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_MEMBER_ATTRIBUTE', undef),
group_desc_attribute => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_DESC_ATTRIBUTE', undef),
group_attribute_ignore => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE', undef),
group_allow_create => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE', undef),
group_allow_update => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE', undef),
group_allow_delete => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE', undef),
group_additional_attribute_mapping => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING', undef),
use_tls => hiera_undef('CONFIG_KEYSTONE_LDAP_USE_TLS', undef),
tls_cacertdir => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR', undef),
tls_cacertfile => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE', undef),
tls_req_cert => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT', undef),
identity_driver => 'keystone.identity.backends.ldap.Identity',
assignment_driver => $assignment_driver,
}
}
}