#
# == Parameters
#
-# [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
-# accepts latest or specific versions.
-# [bind_host] Host that keystone binds to.
-# [bind_port] Port that keystone binds to.
-# [public_port]
-# [compute_port]
-# [admin_port]
-# [admin_port] Port that can be used for admin tasks.
-# [admin_token] Admin token that can be used to authenticate as a keystone
-# admin. Required.
-# [verbose] Rather keystone should log at verbose level. Optional.
-# Defaults to False.
-# [debug] Rather keystone should log at debug level. Optional.
-# Defaults to False.
-# [use_syslog] Use syslog for logging. Optional.
-# Defaults to False.
-# [log_facility] Syslog facility to receive log lines. Optional.
-# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
-# Defaults to sql. (Also accepts template)
-# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
-# Setting this value will override and ignore catalog_type.
-# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
-# Defaults to '/etc/keystone/default_catalog.templates'
-# [token_provider] Format keystone uses for tokens. Optional.
-# Defaults to 'keystone.token.providers.uuid.Provider'
-# Supports PKI and UUID.
-# [token_driver] Driver to use for managing tokens.
-# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token'
-# [token_expiration] Amount of time a token should remain valid (seconds).
-# Optional. Defaults to 3600 (1 hour).
-# [token_format] Deprecated: Use token_provider instead.
-# [cache_dir] Directory created when token_provider is pki. Optional.
-# Defaults to /var/cache/keystone.
-#
-# [memcache_servers]
-# List of memcache servers in format of server:port.
-# Used with token_driver 'keystone.token.backends.memcache.Token'.
-# Optional. Defaults to false. Example: ['localhost:11211']
-#
-# [cache_backend]
-# Dogpile.cache backend module. It is recommended that Memcache with pooling
-# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Defaults to 'keystone.common.cache.noop'
-#
-# [cache_backend_argument]
-# List of arguments in format of argname:value supplied to the backend module.
-# Specify this option once per argument to be passed to the dogpile.cache backend.
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Default to undef.
-#
-# [debug_cache_backend]
-# Extra debugging from the cache backend (cache keys, get/set/delete calls).
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Default to false.
-#
-# [token_caching]
-# Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
-# Optional. Default to true.
-#
-# [enabled] If the keystone services should be enabled. Optional. Default to true.
-#
-# [*database_connection*]
-# (optional) Url used to connect to database.
-# Defaults to sqlite:////var/lib/keystone/keystone.db
-#
-# [*sql_connection*]
-# (optional) Deprecated. Use database_connection instead.
-#
-# [*database_idle_timeout*]
-# (optional) Timeout when db connections should be reaped.
-# Defaults to 200.
-#
-# [*idle_timeout*]
-# (optional) Deprecated. Use database_idle_timeout instead.
-#
-# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
-# revocation lists if it doesn't already exist. This generates a cert and key stored in file
-# locations based on the signing_certfile and signing_keyfile paramters below. If you are
-# providing your own signing cert, make this false.
-# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
-# Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
-# the file will not be overwritten, even if enable_pki_setup is set to true.
-# Default: /etc/keystone/ssl/certs/signing_cert.pem
-# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
-# Note that if this file already exists (i.e. you are providing your own signing cert), the file
-# will not be overwritten, even if enable_pki_setup is set to true.
-# Default: /etc/keystone/ssl/private/signing_key.pem
-# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
-# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
-# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
-# pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
-#
-# [*signing_cert_subject*]
+# [*package_ensure*]
+# (optional) Desired ensure state of packages.
+# accepts latest or specific versions.
+# Defaults to present.
+#
+# [*client_package_ensure*]
+# (optional) Desired ensure state of the client package.
+# accepts latest or specific versions.
+# Defaults to present.
+#
+# [*public_port*]
+# (optional) Port that keystone binds to.
+# Defaults to '5000'
+#
+# [*compute_port*]
+# (optional) DEPRECATED The port for compute servie.
+# Defaults to '8774'
+#
+# [*admin_port*]
+# (optional) Port that can be used for admin tasks.
+# Defaults to '35357'
+#
+# [*admin_token*]
+# Admin token that can be used to authenticate as a keystone
+# admin. Required.
+#
+# [*verbose*]
+# (optional) Rather keystone should log at verbose level.
+# Defaults to false.
+#
+# [*debug*]
+# (optional) Rather keystone should log at debug level.
+# Defaults to False.
+#
+# [*use_syslog*]
+# (optional) Use syslog for logging.
+# Defaults to false.
+#
+# [*log_facility*]
+# (optional) Syslog facility to receive log lines.
+# Defaults to 'LOG_USER'.
+#
+# [*catalog_type*]
+# (optional) Type of catalog that keystone uses to store endpoints,services.
+# Defaults to sql. (Also accepts template)
+#
+# [*catalog_driver*]
+# (optional) Catalog driver used by Keystone to store endpoints and services.
+# Setting this value will override and ignore catalog_type.
+# Defaults to false.
+#
+# [*catalog_template_file*]
+# (optional) Path to the catalog used if catalog_type equals 'template'.
+# Defaults to '/etc/keystone/default_catalog.templates'
+#
+# [*token_provider*]
+# (optional) Format keystone uses for tokens.
+# Defaults to 'keystone.token.providers.uuid.Provider'
+# Supports PKI, PKIZ, Fernet, and UUID.
+#
+# [*token_driver*]
+# (optional) Driver to use for managing tokens.
+# Defaults to 'keystone.token.persistence.backends.sql.Token'
+#
+# [*token_expiration*]
+# (optional) Amount of time a token should remain valid (seconds).
+# Defaults to 3600 (1 hour).
+#
+# [*revoke_driver*]
+# (optional) Driver for token revocation.
+# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
+#
+# [*cache_dir*]
+# (optional) Directory created when token_provider is pki.
+# Defaults to /var/cache/keystone.
+#
+# [*memcache_servers*]
+# (optional) List of memcache servers in format of server:port.
+# Used with token_driver 'keystone.token.backends.memcache.Token'.
+# Defaults to false. Example: ['localhost:11211']
+#
+# [*cache_backend*]
+# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
+# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
+# This has no effects unless 'memcache_servers' is set.
+# Defaults to 'keystone.common.cache.noop'
+#
+# [*cache_backend_argument*]
+# (optional) List of arguments in format of argname:value supplied to the backend module.
+# Specify this option once per argument to be passed to the dogpile.cache backend.
+# This has no effects unless 'memcache_servers' is set.
+# Default to undef.
+#
+# [*debug_cache_backend*]
+# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
+# This has no effects unless 'memcache_servers' is set.
+# Default to false.
+#
+# [*token_caching*]
+# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
+# Default to true.
+#
+# [*manage_service*]
+# (Optional) If Puppet should manage service startup / shutdown.
+# Defaults to true.
+#
+# [*enabled*]
+# (optional) If the keystone services should be enabled.
+# Default to true.
+#
+# [*database_connection*]
+# (optional) Url used to connect to database.
+# Defaults to sqlite:////var/lib/keystone/keystone.db
+#
+# [*database_idle_timeout*]
+# (optional) Timeout when db connections should be reaped.
+# Defaults to 200.
+#
+# [*enable_pki_setup*]
+# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
+# revocation lists if it doesn't already exist. This generates a cert and key stored in file
+# locations based on the signing_certfile and signing_keyfile paramters below. If you are
+# providing your own signing cert, make this false.
+# Default to true.
+#
+# [*signing_certfile*]
+# (optional) Location of the cert file for signing pki tokens and revocation lists.
+# Note that if this file already exists (i.e. you are providing your own signing cert),
+# the file will not be overwritten, even if enable_pki_setup is set to true.
+# Default: /etc/keystone/ssl/certs/signing_cert.pem
+#
+# [*signing_keyfile*]
+# (optional) Location of the key file for signing pki tokens and revocation lists.
+# Note that if this file already exists (i.e. you are providing your own signing cert), the file
+# will not be overwritten, even if enable_pki_setup is set to true.
+# Default: /etc/keystone/ssl/private/signing_key.pem
+#
+# [*signing_ca_certs*]
+# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
+# signing pki tokens and revocation lists.
+# Default: /etc/keystone/ssl/certs/ca.pem
+#
+# [*signing_ca_key*]
+# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
+# pki tokens and revocation lists.
+# Default: /etc/keystone/ssl/private/cakey.pem
+#
+# [*signing_cert_subject*]
# (optional) Certificate subject (auto generated certificate) for token signing.
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
#
-# [*signing_key_size*]
+# [*signing_key_size*]
# (optional) Key size (in bits) for token signing cert (auto generated certificate)
# Defaults to 2048
#
-# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
-# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
-# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
-# [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
-# [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
-# [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
+# [*rabbit_host*]
+# (optional) Location of rabbitmq installation.
+# Defaults to localhost.
#
-# [*rabbit_use_ssl*]
-# (optional) Connect over SSL for RabbitMQ
-# Defaults to false
+# [*rabbit_port*]
+# (optional) Port for rabbitmq instance.
+# Defaults to 5672.
#
-# [*kombu_ssl_ca_certs*]
-# (optional) SSL certification authority file (valid only if SSL enabled).
-# Defaults to undef
+# [*rabbit_hosts*]
+# (optional) Location of rabbitmq installation.
+# Defaults to undef.
#
-# [*kombu_ssl_certfile*]
-# (optional) SSL cert file (valid only if SSL enabled).
-# Defaults to undef
+# [*rabbit_password*]
+# (optional) Password used to connect to rabbitmq.
+# Defaults to guest.
#
-# [*kombu_ssl_keyfile*]
-# (optional) SSL key file (valid only if SSL enabled).
-# Defaults to undef
+# [*rabbit_userid*]
+# (optional) User used to connect to rabbitmq.
+# Defaults to guest.
#
-# [*kombu_ssl_version*]
-# (optional) SSL version to use (valid only if SSL enabled).
-# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
-# available on some distributions.
-# Defaults to 'TLSv1'
+# [*rabbit_virtual_host*]
+# (optional) The RabbitMQ virtual host.
+# Defaults to /.
#
-# [notification_driver] RPC driver. Not enabled by default
-# [notification_topics] AMQP topics to publish to when using the RPC notification driver.
-# [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
+# [*rabbit_use_ssl*]
+# (optional) Connect over SSL for RabbitMQ
+# Defaults to false
+#
+# [*kombu_ssl_ca_certs*]
+# (optional) SSL certification authority file (valid only if SSL enabled).
+# Defaults to undef
+#
+# [*kombu_ssl_certfile*]
+# (optional) SSL cert file (valid only if SSL enabled).
+# Defaults to undef
+#
+# [*kombu_ssl_keyfile*]
+# (optional) SSL key file (valid only if SSL enabled).
+# Defaults to undef
#
-# [*public_bind_host*]
+# [*kombu_ssl_version*]
+# (optional) SSL version to use (valid only if SSL enabled).
+# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+# available on some distributions.
+# Defaults to 'TLSv1'
+#
+# [*notification_driver*]
+# RPC driver. Not enabled by default
+#
+# [*notification_topics*]
+# (optional) AMQP topics to publish to when using the RPC notification driver.
+# Default to false.
+#
+# [*notification_format*]
+# Format for the notifications. Valid values are 'basic' and 'cadf'.
+# Default to undef
+#
+# [*control_exchange*]
+# (optional) AMQP exchange to connect to if using RabbitMQ or Qpid
+# Default to false.
+#
+# [*public_bind_host*]
# (optional) The IP address of the public network interface to listen on
-# Deprecates bind_host
# Default to '0.0.0.0'.
#
-# [*admin_bind_host*]
+# [*admin_bind_host*]
# (optional) The IP address of the public network interface to listen on
-# Deprecates bind_host
# Default to '0.0.0.0'.
#
-# [*log_dir*]
+# [*log_dir*]
# (optional) Directory where logs should be stored
# If set to boolean false, it will not log to any directory
# Defaults to '/var/log/keystone'
#
-# [*log_file*]
+# [*log_file*]
# (optional) Where to log
# Defaults to false
#
-# [*public_endpoint*]
+# [*public_endpoint*]
# (optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value)
# Sample value: 'http://localhost:5000/'
# Defaults to false
#
-# [*admin_endpoint*]
+# [*admin_endpoint*]
# (optional) The base admin endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value)
# Sample value: 'http://localhost:35357/'
# Defaults to false
#
-# [*enable_ssl*]
+# [*enable_ssl*]
# (optional) Toggle for SSL support on the keystone eventlet servers.
# (boolean value)
# Defaults to false
#
-# [*ssl_certfile*]
+# [*ssl_certfile*]
# (optional) Path of the certfile for SSL. (string value)
# Defaults to '/etc/keystone/ssl/certs/keystone.pem'
#
-# [*ssl_keyfile*]
+# [*ssl_keyfile*]
# (optional) Path of the keyfile for SSL. (string value)
# Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
#
-# [*ssl_ca_certs*]
+# [*ssl_ca_certs*]
# (optional) Path of the ca cert file for SSL. (string value)
# Defaults to '/etc/keystone/ssl/certs/ca.pem'
#
-# [*ssl_ca_key*]
+# [*ssl_ca_key*]
# (optional) Path of the CA key file for SSL (string value)
# Defaults to '/etc/keystone/ssl/private/cakey.pem'
#
-# [*ssl_cert_subject*]
+# [*ssl_cert_subject*]
# (optional) SSL Certificate Subject (auto generated certificate)
# (string value)
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
#
-# [*mysql_module*]
+# [*mysql_module*]
# (optional) Deprecated. Does nothing.
#
-# [*validate_service*]
+# [*validate_service*]
# (optional) Whether to validate keystone connections after
# the service is started.
# Defaults to false
#
-# [*validate_insecure*]
+# [*validate_insecure*]
# (optional) Whether to validate keystone connections
# using the --insecure option with keystone client.
# Defaults to false
#
-# [*validate_cacert*]
+# [*validate_cacert*]
# (optional) Whether to validate keystone connections
# using the specified argument with the --os-cacert option
# with keystone client.
# Defaults to undef
#
-# [*validate_auth_url*]
+# [*validate_auth_url*]
# (optional) The url to validate keystone against
# Defaults to undef
#
-# [*service_provider*]
+# [*service_provider*]
# (optional) Provider, that can be used for keystone service.
# Default value defined in keystone::params for given operation system.
# If you use Pacemaker or another Cluster Resource Manager, you can make
# custom service provider for changing start/stop/status behavior of service,
# and set it here.
#
-# [*service_name*]
+# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of keystone. For example, the default
# is just 'keystone', which means keystone will be run as a
# web service. For example, after calling class {'keystone'...}
# use class { 'keystone::wsgi::apache'...} to make keystone be
# a web app using apache mod_wsgi.
-# Defaults to 'keystone'
-# NOTE: validate_service only applies if the value is 'keystone'
+# Defaults to '$::keystone::params::service_name'
+# NOTE: validate_service only applies if the default value is used.
+#
+# [*paste_config*]
+# (optional) Name of the paste configuration file that defines the
+# available pipelines. (string value)
+# Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and
+# undef on other platforms.
+#
+# [*max_token_size*]
+# (optional) maximum allowable Keystone token size
+# Defaults to undef
+#
+# [*admin_workers*]
+# (optional) The number of worker processes to serve the admin WSGI application.
+# Defaults to max($::processorcount, 2)
+#
+# [*public_workers*]
+# (optional) The number of worker processes to serve the public WSGI application.
+# Defaults to max($::processorcount, 2)
+#
+# [*sync_db*]
+# (Optional) Run db sync on the node.
+# Defaults to true
+#
+# [*enable_fernet_setup*]
+# (Optional) Setup keystone for fernet tokens. This is typically only
+# run on a single node, then the keys are replicated to the other nodes
+# in a cluster. You would typically also pair this with a fernet token
+# provider setting.
+# Defaults to false
+#
+# [*fernet_key_repository*]
+# (Optional) Location for the fernet key repository. This value must
+# be set if enable_fernet_setup is set to true.
+# Defaults to '/etc/keystone/fernet-keys'
+#
+# [*fernet_max_active_keys*]
+# (Optional) Number of maximum active Fernet keys. Integer > 0.
+# Defaults to undef
+#
+# [*default_domain*]
+# (optional) When Keystone v3 support is enabled, v2 clients will need
+# to have a domain assigned for certain operations. For example,
+# doing a user create operation must have a domain associated with it.
+# This is the domain which will be used if a domain is needed and not
+# explicitly set in the request.
+# Defaults to undef (will use built-in Keystone default)
#
# == Dependencies
# None
class keystone(
$admin_token,
$package_ensure = 'present',
- $bind_host = false,
+ $client_package_ensure = 'present',
$public_bind_host = '0.0.0.0',
$admin_bind_host = '0.0.0.0',
$public_port = '5000',
$admin_port = '35357',
- $compute_port = '8774',
$verbose = false,
$debug = false,
$log_dir = '/var/log/keystone',
$catalog_type = 'sql',
$catalog_driver = false,
$catalog_template_file = '/etc/keystone/default_catalog.templates',
- $token_format = false,
$token_provider = 'keystone.token.providers.uuid.Provider',
$token_driver = 'keystone.token.persistence.backends.sql.Token',
$token_expiration = 3600,
+ $revoke_driver = 'keystone.contrib.revoke.backends.sql.Revoke',
$public_endpoint = false,
$admin_endpoint = false,
$enable_ssl = false,
$ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
$cache_dir = '/var/cache/keystone',
$memcache_servers = false,
+ $manage_service = true,
$cache_backend = 'keystone.common.cache.noop',
$cache_backend_argument = undef,
$debug_cache_backend = false,
$kombu_ssl_version = 'TLSv1',
$notification_driver = false,
$notification_topics = false,
+ $notification_format = undef,
$control_exchange = false,
$validate_service = false,
$validate_insecure = false,
$validate_auth_url = false,
$validate_cacert = undef,
+ $paste_config = $::keystone::params::paste_config,
$service_provider = $::keystone::params::service_provider,
- $service_name = 'keystone',
+ $service_name = $::keystone::params::service_name,
+ $max_token_size = undef,
+ $admin_workers = max($::processorcount, 2),
+ $public_workers = max($::processorcount, 2),
+ $sync_db = true,
+ $enable_fernet_setup = false,
+ $fernet_key_repository = '/etc/keystone/fernet-keys',
+ $fernet_max_active_keys = undef,
+ $default_domain = undef,
# DEPRECATED PARAMETERS
$mysql_module = undef,
- $sql_connection = undef,
- $idle_timeout = undef,
+ $compute_port = undef,
) inherits keystone::params {
if ! $catalog_driver {
warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
}
- if $sql_connection {
- warning('The sql_connection parameter is deprecated, use database_connection instead.')
- $database_connection_real = $sql_connection
- } else {
- $database_connection_real = $database_connection
- }
-
- if $idle_timeout {
- warning('The idle_timeout parameter is deprecated, use database_idle_timeout instead.')
- $database_idle_timeout_real = $idle_timeout
- } else {
- $database_idle_timeout_real = $database_idle_timeout
- }
-
if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
}
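Review bot: The reworked `kombu_ssl_version` entry still lists SSLv3 and SSLv23 as valid values with no caveat, and since this hunk only rewrites the parameter docs it is the place to warn operators that the non-default choices weaken the broker connection. I would add after `Defaults to 'TLSv1'`: `# NOTE: SSLv3 is broken (POODLE) and SSLv23 can negotiate down to it; keep the` / `# TLSv1 default (or a newer TLS version) unless the broker cannot speak TLS.` In the same spirit, the `admin_token` entry says only "Required", while the code writes it to keystone.conf with `secret => true`; a line such as `# This is a bootstrap credential that grants full admin access; rotate or disable it once real admin users exist.` would tell readers why it is treated as secret. The `rabbit_password`/`rabbit_userid` entries document the `guest` defaults without noting they are the broker's well-known defaults, which is worth one sentence as well.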
File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
+ Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
+
include ::keystone::params
package { 'keystone':
name => $::keystone::params::package_name,
tag => 'openstack',
}
- # TODO: Move this to openstacklib::openstackclient in Kilo
- package { 'python-openstackclient':
- ensure => present,
- tag => 'openstack',
+ if $client_package_ensure == 'present' {
+ include '::openstacklib::openstackclient'
+ } else {
+ class { '::openstacklib::openstackclient':
+ package_ensure => $client_package_ensure,
+ }
}
group { 'keystone':
notify => Service[$service_name],
}
- if $bind_host {
- warning('The bind_host parameter is deprecated, use public_bind_host and admin_bind_host instead.')
- $public_bind_host_real = $bind_host
- $admin_bind_host_real = $bind_host
- } else {
- $public_bind_host_real = $public_bind_host
- $admin_bind_host_real = $admin_bind_host
- }
-
- # default config
keystone_config {
'DEFAULT/admin_token': value => $admin_token, secret => true;
- 'DEFAULT/public_bind_host': value => $public_bind_host_real;
- 'DEFAULT/admin_bind_host': value => $admin_bind_host_real;
+ 'DEFAULT/public_bind_host': value => $public_bind_host;
+ 'DEFAULT/admin_bind_host': value => $admin_bind_host;
'DEFAULT/public_port': value => $public_port;
'DEFAULT/admin_port': value => $admin_port;
- 'DEFAULT/compute_port': value => $compute_port;
'DEFAULT/verbose': value => $verbose;
'DEFAULT/debug': value => $debug;
}
+ if $compute_port {
+ warning('The compute_port parameter is deprecated and will be removed in L')
+ keystone_config {
+ 'DEFAULT/compute_port': value => $compute_port;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/compute_port': ensure => absent;
+ }
+ }
+
# Endpoint configuration
if $public_endpoint {
keystone_config {
'token/expiration': value => $token_expiration;
}
+ if $revoke_driver {
+ keystone_config {
+ 'revoke/driver': value => $revoke_driver;
+ }
+ } else {
+ keystone_config {
+ 'revoke/driver': ensure => absent;
+ }
+ }
+
# ssl config
if ($enable_ssl) {
keystone_config {
}
}
- if($database_connection_real =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
+ if($database_connection =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
require 'mysql::bindings'
require 'mysql::bindings::python'
- } elsif($database_connection_real =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
+ } elsif($database_connection =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
- } elsif($database_connection_real =~ /sqlite:\/\//) {
+ } elsif($database_connection =~ /sqlite:\/\//) {
} else {
- fail("Invalid db connection ${database_connection_real}")
+ fail("Invalid db connection ${database_connection}")
}
# memcache connection config
# db connection config
keystone_config {
- 'database/connection': value => $database_connection_real, secret => true;
- 'database/idle_timeout': value => $database_idle_timeout_real;
+ 'database/connection': value => $database_connection, secret => true;
+ 'database/idle_timeout': value => $database_idle_timeout;
}
# configure based on the catalog backend
'catalog/template_file': value => $catalog_template_file;
}
- if $token_format {
- warning('token_format parameter is deprecated. Use token_provider instead.')
- }
-
- # remove the old format in case of an upgrade
- keystone_config { 'signing/token_format': ensure => absent }
-
# Set the signing key/cert configuration values.
keystone_config {
'signing/certfile': value => $signing_certfile;
}
}
- if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
- keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
- } elsif $token_format == 'UUID' {
- keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
+ keystone_config { 'token/provider': value => $token_provider }
+
+ if $max_token_size {
+ keystone_config { 'DEFAULT/max_token_size': value => $max_token_size }
} else {
- keystone_config { 'token/provider': value => $token_provider }
+ keystone_config { 'DEFAULT/max_token_size': ensure => absent }
}
if $notification_driver {
} else {
keystone_config { 'DEFAULT/notification_topics': ensure => absent }
}
+ if $notification_format {
+ keystone_config { 'DEFAULT/notification_format': value => $notification_format }
+ } else {
+ keystone_config { 'DEFAULT/notification_format': ensure => absent }
+ }
if $control_exchange {
keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
} else {
}
}
- if $enabled {
- $service_ensure = 'running'
+ keystone_config {
+ 'DEFAULT/admin_workers': value => $admin_workers;
+ 'DEFAULT/public_workers': value => $public_workers;
+ }
+
+ if $manage_service {
+ if $enabled {
+ $service_ensure = 'running'
+ } else {
+ $service_ensure = 'stopped'
+ }
} else {
- $service_ensure = 'stopped'
+ warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.')
}
- if $service_name == 'keystone' {
+ if $service_name == $::keystone::params::service_name {
if $validate_service {
if $validate_auth_url {
$v_auth_url = $validate_auth_url
$v_auth_url = $admin_endpoint
}
- class { 'keystone::service':
+ class { '::keystone::service':
ensure => $service_ensure,
- service_name => $::keystone::params::service_name,
+ service_name => $service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
cacert => $validate_cacert,
}
} else {
- class { 'keystone::service':
+ class { '::keystone::service':
ensure => $service_ensure,
- service_name => $::keystone::params::service_name,
+ service_name => $service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
validate => false,
}
}
+ } elsif $service_name == 'httpd' {
+ class { '::keystone::service':
+ ensure => 'stopped',
+ service_name => $::keystone::params::service_name,
+ enable => false,
+ provider => $service_provider,
+ validate => false,
+ }
+ } else {
+ fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server')
}
- if $enabled {
+ if $sync_db {
include ::keystone::db::sync
Class['::keystone::db::sync'] ~> Service[$service_name]
}
}
}
+ if $paste_config {
+ keystone_config {
+ 'paste_deploy/config_file': value => $paste_config;
+ }
+ } else {
+ keystone_config {
+ 'paste_deploy/config_file': ensure => absent;
+ }
+ }
+
+ # Fernet tokens support
+ if $enable_fernet_setup {
+ validate_string($fernet_key_repository)
+
+ exec { 'keystone-manage fernet_setup':
+ path => '/usr/bin',
+ user => 'keystone',
+ refreshonly => true,
+ creates => "${fernet_key_repository}/0",
+ notify => Service[$service_name],
+ subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']],
+ }
+ }
+
+ if $fernet_key_repository {
+ keystone_config {
+ 'fernet_tokens/key_repository': value => $fernet_key_repository;
+ }
+ } else {
+ keystone_config {
+ 'fernet_tokens/key_repository': ensure => absent;
+ }
+ }
+
+ if $fernet_max_active_keys {
+ keystone_config {
+ 'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
+ }
+ } else {
+ keystone_config {
+ 'fernet_tokens/max_active_keys': ensure => absent;
+ }
+ }
+
+ if $default_domain {
+ keystone_domain { $default_domain:
+ ensure => present,
+ enabled => true,
+ is_default => true,
+ require => File['/etc/keystone/keystone.conf'],
+ notify => Exec['restart_keystone'],
+ }
+ # Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed.
+ # 1/ Keystone needs to be started before creating the default domain
+ # 2/ Once the default domain is created, we can query Keystone to get the default domain ID
+ # 3/ The Keystone_domain provider has in charge of doing the query and configure keystone.conf
+ # 4/ After such a change, we need to restart Keystone service.
+ # restart_keystone exec is doing 4/, it restart Keystone if we have a new default domain setted
+ # and if we manage the service to be enabled.
+ if $manage_service and $enabled {
+ exec { 'restart_keystone':
+ path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin/'],
+ command => "service ${service_name} restart",
+ refreshonly => true,
+ }
+ }
+ }
}
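Review bot: The `keystone_domain` resource in the new `default_domain` block always sets `notify => Exec['restart_keystone']`, but that exec is only declared when `$manage_service and $enabled` are both true, so setting `default_domain` with `manage_service => false` (the Pacemaker case the `service_provider` docs describe) or `enabled => false` will fail catalog compilation on a dangling resource reference. Decide the notify target in the same condition that declares the exec and pass it through, as sketched below; the enclosing class opens well before this hunk. Separately, the fernet_setup exec runs `keystone-manage fernet_setup` as `keystone` but nothing here asserts the ownership or mode of `$fernet_key_repository`, and those keys are the token-signing secret: I would replace `validate_string($fernet_key_repository)` with `validate_absolute_path($fernet_key_repository)` (which also rejects the empty value `validate_string` accepts) and, unless the package already ships the directory, manage it with `owner => 'keystone'`, `group => 'keystone'`, `mode => '0700'` before the exec.
```puppet
  if $default_domain {
    # Declare the restart exec first so the domain resource only references
    # it when it actually exists in the catalog.
    if $manage_service and $enabled {
      $domain_notify = Exec['restart_keystone']
      exec { 'restart_keystone':
        path        => ['/usr/sbin', '/usr/bin', '/sbin', '/bin/'],
        command     => "service ${service_name} restart",
        refreshonly => true,
      }
    } else {
      $domain_notify = undef
    }
    keystone_domain { $default_domain:
      # … unchanged: ensure / enabled / is_default / require …
      notify => $domain_notify,
    }
  }
```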