-# [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
-# accepts latest or specific versions.
-# [bind_host] Host that keystone binds to.
-# [bind_port] Port that keystone binds to.
-# [public_port]
-# [compute_port]
-# [admin_port]
-# [admin_port] Port that can be used for admin tasks.
-# [admin_token] Admin token that can be used to authenticate as a keystone
-# admin. Required.
-# [verbose] Rather keystone should log at verbose level. Optional.
-# Defaults to False.
-# [debug] Rather keystone should log at debug level. Optional.
-# Defaults to False.
-# [use_syslog] Use syslog for logging. Optional.
-# Defaults to False.
-# [log_facility] Syslog facility to receive log lines. Optional.
-# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
-# Defaults to sql. (Also accepts template)
-# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
-# Setting this value will override and ignore catalog_type.
-# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
-# Defaults to '/etc/keystone/default_catalog.templates'
-# [token_provider] Format keystone uses for tokens. Optional.
-# Defaults to 'keystone.token.providers.uuid.Provider'
-# Supports PKI and UUID.
-# [token_driver] Driver to use for managing tokens.
-# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token'
-# [token_expiration] Amount of time a token should remain valid (seconds).
-# Optional. Defaults to 3600 (1 hour).
-# [token_format] Deprecated: Use token_provider instead.
-# [cache_dir] Directory created when token_provider is pki. Optional.
-# Defaults to /var/cache/keystone.
-#
-# [memcache_servers]
-# List of memcache servers in format of server:port.
-# Used with token_driver 'keystone.token.backends.memcache.Token'.
-# Optional. Defaults to false. Example: ['localhost:11211']
-#
-# [cache_backend]
-# Dogpile.cache backend module. It is recommended that Memcache with pooling
-# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Defaults to 'keystone.common.cache.noop'
-#
-# [cache_backend_argument]
-# List of arguments in format of argname:value supplied to the backend module.
-# Specify this option once per argument to be passed to the dogpile.cache backend.
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Default to undef.
-#
-# [debug_cache_backend]
-# Extra debugging from the cache backend (cache keys, get/set/delete calls).
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Default to false.
-#
-# [token_caching]
-# Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
-# Optional. Default to true.
-#
-# [enabled] If the keystone services should be enabled. Optional. Default to true.
-#
-# [*database_connection*]
-# (optional) Url used to connect to database.
-# Defaults to sqlite:////var/lib/keystone/keystone.db
-#
-# [*sql_connection*]
-# (optional) Deprecated. Use database_connection instead.
-#
-# [*database_idle_timeout*]
-# (optional) Timeout when db connections should be reaped.
-# Defaults to 200.
-#
-# [*idle_timeout*]
-# (optional) Deprecated. Use database_idle_timeout instead.
-#
-# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
-# revocation lists if it doesn't already exist. This generates a cert and key stored in file
-# locations based on the signing_certfile and signing_keyfile paramters below. If you are
-# providing your own signing cert, make this false.
-# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
-# Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
-# the file will not be overwritten, even if enable_pki_setup is set to true.
-# Default: /etc/keystone/ssl/certs/signing_cert.pem
-# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
-# Note that if this file already exists (i.e. you are providing your own signing cert), the file
-# will not be overwritten, even if enable_pki_setup is set to true.
-# Default: /etc/keystone/ssl/private/signing_key.pem
-# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
-# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
-# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
-# pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
-#
-# [*signing_cert_subject*]
+# [*package_ensure*]
+# (optional) Desired ensure state of packages.
+# accepts latest or specific versions.
+# Defaults to present.
+#
+# [*client_package_ensure*]
+# (optional) Desired ensure state of the client package.
+# accepts latest or specific versions.
+# Defaults to present.
+#
+# [*public_port*]
+# (optional) Port that keystone binds to.
+# Defaults to '5000'
+#
+# [*compute_port*]
+# (optional) DEPRECATED The port for compute servie.
+# Defaults to '8774'
+#
+# [*admin_port*]
+# (optional) Port that can be used for admin tasks.
+# Defaults to '35357'
+#
+# [*admin_token*]
+# Admin token that can be used to authenticate as a keystone
+# admin. Required.
+#
+# [*verbose*]
+# (optional) Rather keystone should log at verbose level.
+# Defaults to false.
+#
+# [*debug*]
+# (optional) Rather keystone should log at debug level.
+# Defaults to False.
+#
+# [*use_syslog*]
+# (optional) Use syslog for logging.
+# Defaults to false.
+#
+# [*log_facility*]
+# (optional) Syslog facility to receive log lines.
+# Defaults to 'LOG_USER'.
+#
+# [*catalog_type*]
+# (optional) Type of catalog that keystone uses to store endpoints,services.
+# Defaults to sql. (Also accepts template)
+#
+# [*catalog_driver*]
+# (optional) Catalog driver used by Keystone to store endpoints and services.
+# Setting this value will override and ignore catalog_type.
+# Defaults to false.
+#
+# [*catalog_template_file*]
+# (optional) Path to the catalog used if catalog_type equals 'template'.
+# Defaults to '/etc/keystone/default_catalog.templates'
+#
+# [*token_provider*]
+# (optional) Format keystone uses for tokens.
+# Defaults to 'keystone.token.providers.uuid.Provider'
+# Supports PKI, PKIZ, Fernet, and UUID.
+#
+# [*token_driver*]
+# (optional) Driver to use for managing tokens.
+# Defaults to 'keystone.token.persistence.backends.sql.Token'
+#
+# [*token_expiration*]
+# (optional) Amount of time a token should remain valid (seconds).
+# Defaults to 3600 (1 hour).
+#
+# [*revoke_driver*]
+# (optional) Driver for token revocation.
+# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
+#
+# [*cache_dir*]
+# (optional) Directory created when token_provider is pki.
+# Defaults to /var/cache/keystone.
+#
+# [*memcache_servers*]
+# (optional) List of memcache servers in format of server:port.
+# Used with token_driver 'keystone.token.backends.memcache.Token'.
+# Defaults to false. Example: ['localhost:11211']
+#
+# [*cache_backend*]
+# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
+# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
+# This has no effects unless 'memcache_servers' is set.
+# Defaults to 'keystone.common.cache.noop'
+#
+# [*cache_backend_argument*]
+# (optional) List of arguments in format of argname:value supplied to the backend module.
+# Specify this option once per argument to be passed to the dogpile.cache backend.
+# This has no effects unless 'memcache_servers' is set.
+# Default to undef.
+#
+# [*debug_cache_backend*]
+# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
+# This has no effects unless 'memcache_servers' is set.
+# Default to false.
+#
+# [*token_caching*]
+# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
+# Default to true.
+#
+# [*manage_service*]
+# (Optional) If Puppet should manage service startup / shutdown.
+# Defaults to true.
+#
+# [*enabled*]
+# (optional) If the keystone services should be enabled.
+# Default to true.
+#
+# [*database_connection*]
+# (optional) Url used to connect to database.
+# Defaults to sqlite:////var/lib/keystone/keystone.db
+#
+# [*database_idle_timeout*]
+# (optional) Timeout when db connections should be reaped.
+# Defaults to 200.
+#
+# [*enable_pki_setup*]
+# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
+# revocation lists if it doesn't already exist. This generates a cert and key stored in file
+# locations based on the signing_certfile and signing_keyfile paramters below. If you are
+# providing your own signing cert, make this false.
+# Default to true.
+#
+# [*signing_certfile*]
+# (optional) Location of the cert file for signing pki tokens and revocation lists.
+# Note that if this file already exists (i.e. you are providing your own signing cert),
+# the file will not be overwritten, even if enable_pki_setup is set to true.
+# Default: /etc/keystone/ssl/certs/signing_cert.pem
+#
+# [*signing_keyfile*]
+# (optional) Location of the key file for signing pki tokens and revocation lists.
+# Note that if this file already exists (i.e. you are providing your own signing cert), the file
+# will not be overwritten, even if enable_pki_setup is set to true.
+# Default: /etc/keystone/ssl/private/signing_key.pem
+#
+# [*signing_ca_certs*]
+# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
+# signing pki tokens and revocation lists.
+# Default: /etc/keystone/ssl/certs/ca.pem
+#
+# [*signing_ca_key*]
+# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
+# pki tokens and revocation lists.
+# Default: /etc/keystone/ssl/private/cakey.pem
+#
+# [*signing_cert_subject*]