X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Finit.pp;fp=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Finit.pp;h=0000000000000000000000000000000000000000;hb=6e1426dc77fb4e5d51f07c187c6f2219431dc31e;hp=b406e326c0910a48e0f5bdd703ecc4bc449da1bc;hpb=87423ba664cd5f2bb462ebadd08b1a90d0fe1c8d;p=mirror%2Fdsa-puppet.git diff --git a/3rdparty/modules/keystone/manifests/init.pp b/3rdparty/modules/keystone/manifests/init.pp deleted file mode 100644 index b406e326c..000000000 --- a/3rdparty/modules/keystone/manifests/init.pp +++ /dev/null @@ -1,962 +0,0 @@ -# -# Module for managing keystone config. -# -# == Parameters -# -# [*package_ensure*] -# (optional) Desired ensure state of packages. -# accepts latest or specific versions. -# Defaults to present. -# -# [*client_package_ensure*] -# (optional) Desired ensure state of the client package. -# accepts latest or specific versions. -# Defaults to present. -# -# [*public_port*] -# (optional) Port that keystone binds to. -# Defaults to '5000' -# -# [*compute_port*] -# (optional) DEPRECATED The port for compute servie. -# Defaults to '8774' -# -# [*admin_port*] -# (optional) Port that can be used for admin tasks. -# Defaults to '35357' -# -# [*admin_token*] -# Admin token that can be used to authenticate as a keystone -# admin. Required. -# -# [*verbose*] -# (optional) Rather keystone should log at verbose level. -# Defaults to false. -# -# [*debug*] -# (optional) Rather keystone should log at debug level. -# Defaults to False. -# -# [*use_syslog*] -# (optional) Use syslog for logging. -# Defaults to false. -# -# [*log_facility*] -# (optional) Syslog facility to receive log lines. -# Defaults to 'LOG_USER'. -# -# [*catalog_type*] -# (optional) Type of catalog that keystone uses to store endpoints,services. -# Defaults to sql. (Also accepts template) -# -# [*catalog_driver*] -# (optional) Catalog driver used by Keystone to store endpoints and services. -# Setting this value will override and ignore catalog_type. -# Defaults to false. -# -# [*catalog_template_file*] -# (optional) Path to the catalog used if catalog_type equals 'template'. -# Defaults to '/etc/keystone/default_catalog.templates' -# -# [*token_provider*] -# (optional) Format keystone uses for tokens. -# Defaults to 'keystone.token.providers.uuid.Provider' -# Supports PKI, PKIZ, Fernet, and UUID. -# -# [*token_driver*] -# (optional) Driver to use for managing tokens. -# Defaults to 'keystone.token.persistence.backends.sql.Token' -# -# [*token_expiration*] -# (optional) Amount of time a token should remain valid (seconds). -# Defaults to 3600 (1 hour). -# -# [*revoke_driver*] -# (optional) Driver for token revocation. -# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke' -# -# [*cache_dir*] -# (optional) Directory created when token_provider is pki. -# Defaults to /var/cache/keystone. -# -# [*memcache_servers*] -# (optional) List of memcache servers in format of server:port. -# Used with token_driver 'keystone.token.backends.memcache.Token'. -# Defaults to false. Example: ['localhost:11211'] -# -# [*cache_backend*] -# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling -# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production. -# This has no effects unless 'memcache_servers' is set. -# Defaults to 'keystone.common.cache.noop' -# -# [*cache_backend_argument*] -# (optional) List of arguments in format of argname:value supplied to the backend module. -# Specify this option once per argument to be passed to the dogpile.cache backend. -# This has no effects unless 'memcache_servers' is set. -# Default to undef. -# -# [*debug_cache_backend*] -# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls). -# This has no effects unless 'memcache_servers' is set. -# Default to false. -# -# [*token_caching*] -# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set. -# Default to true. -# -# [*manage_service*] -# (Optional) If Puppet should manage service startup / shutdown. -# Defaults to true. -# -# [*enabled*] -# (optional) If the keystone services should be enabled. -# Default to true. -# -# [*database_connection*] -# (optional) Url used to connect to database. -# Defaults to sqlite:////var/lib/keystone/keystone.db -# -# [*database_idle_timeout*] -# (optional) Timeout when db connections should be reaped. -# Defaults to 200. -# -# [*enable_pki_setup*] -# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and -# revocation lists if it doesn't already exist. This generates a cert and key stored in file -# locations based on the signing_certfile and signing_keyfile paramters below. If you are -# providing your own signing cert, make this false. -# Default to true. -# -# [*signing_certfile*] -# (optional) Location of the cert file for signing pki tokens and revocation lists. -# Note that if this file already exists (i.e. you are providing your own signing cert), -# the file will not be overwritten, even if enable_pki_setup is set to true. -# Default: /etc/keystone/ssl/certs/signing_cert.pem -# -# [*signing_keyfile*] -# (optional) Location of the key file for signing pki tokens and revocation lists. -# Note that if this file already exists (i.e. you are providing your own signing cert), the file -# will not be overwritten, even if enable_pki_setup is set to true. -# Default: /etc/keystone/ssl/private/signing_key.pem -# -# [*signing_ca_certs*] -# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for -# signing pki tokens and revocation lists. -# Default: /etc/keystone/ssl/certs/ca.pem -# -# [*signing_ca_key*] -# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing -# pki tokens and revocation lists. -# Default: /etc/keystone/ssl/private/cakey.pem -# -# [*signing_cert_subject*] -# (optional) Certificate subject (auto generated certificate) for token signing. -# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com' -# -# [*signing_key_size*] -# (optional) Key size (in bits) for token signing cert (auto generated certificate) -# Defaults to 2048 -# -# [*rabbit_host*] -# (optional) Location of rabbitmq installation. -# Defaults to localhost. -# -# [*rabbit_port*] -# (optional) Port for rabbitmq instance. -# Defaults to 5672. -# -# [*rabbit_hosts*] -# (optional) Location of rabbitmq installation. -# Defaults to undef. -# -# [*rabbit_password*] -# (optional) Password used to connect to rabbitmq. -# Defaults to guest. -# -# [*rabbit_userid*] -# (optional) User used to connect to rabbitmq. -# Defaults to guest. -# -# [*rabbit_virtual_host*] -# (optional) The RabbitMQ virtual host. -# Defaults to /. -# -# [*rabbit_use_ssl*] -# (optional) Connect over SSL for RabbitMQ -# Defaults to false -# -# [*kombu_ssl_ca_certs*] -# (optional) SSL certification authority file (valid only if SSL enabled). -# Defaults to undef -# -# [*kombu_ssl_certfile*] -# (optional) SSL cert file (valid only if SSL enabled). -# Defaults to undef -# -# [*kombu_ssl_keyfile*] -# (optional) SSL key file (valid only if SSL enabled). -# Defaults to undef -# -# [*kombu_ssl_version*] -# (optional) SSL version to use (valid only if SSL enabled). -# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be -# available on some distributions. -# Defaults to 'TLSv1' -# -# [*notification_driver*] -# RPC driver. Not enabled by default -# -# [*notification_topics*] -# (optional) AMQP topics to publish to when using the RPC notification driver. -# Default to false. -# -# [*notification_format*] -# Format for the notifications. Valid values are 'basic' and 'cadf'. -# Default to undef -# -# [*control_exchange*] -# (optional) AMQP exchange to connect to if using RabbitMQ or Qpid -# Default to false. -# -# [*public_bind_host*] -# (optional) The IP address of the public network interface to listen on -# Default to '0.0.0.0'. -# -# [*admin_bind_host*] -# (optional) The IP address of the public network interface to listen on -# Default to '0.0.0.0'. -# -# [*log_dir*] -# (optional) Directory where logs should be stored -# If set to boolean false, it will not log to any directory -# Defaults to '/var/log/keystone' -# -# [*log_file*] -# (optional) Where to log -# Defaults to false -# -# [*public_endpoint*] -# (optional) The base public endpoint URL for keystone that are -# advertised to clients (NOTE: this does NOT affect how -# keystone listens for connections) (string value) -# If set to false, no public_endpoint will be defined in keystone.conf. -# Sample value: 'http://localhost:5000/' -# Defaults to false -# -# [*admin_endpoint*] -# (optional) The base admin endpoint URL for keystone that are -# advertised to clients (NOTE: this does NOT affect how keystone listens -# for connections) (string value) -# If set to false, no admin_endpoint will be defined in keystone.conf. -# Sample value: 'http://localhost:35357/' -# Defaults to false -# -# [*enable_ssl*] -# (optional) Toggle for SSL support on the keystone eventlet servers. -# (boolean value) -# Defaults to false -# -# [*ssl_certfile*] -# (optional) Path of the certfile for SSL. (string value) -# Defaults to '/etc/keystone/ssl/certs/keystone.pem' -# -# [*ssl_keyfile*] -# (optional) Path of the keyfile for SSL. (string value) -# Defaults to '/etc/keystone/ssl/private/keystonekey.pem' -# -# [*ssl_ca_certs*] -# (optional) Path of the ca cert file for SSL. (string value) -# Defaults to '/etc/keystone/ssl/certs/ca.pem' -# -# [*ssl_ca_key*] -# (optional) Path of the CA key file for SSL (string value) -# Defaults to '/etc/keystone/ssl/private/cakey.pem' -# -# [*ssl_cert_subject*] -# (optional) SSL Certificate Subject (auto generated certificate) -# (string value) -# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost' -# -# [*mysql_module*] -# (optional) Deprecated. Does nothing. -# -# [*validate_service*] -# (optional) Whether to validate keystone connections after -# the service is started. -# Defaults to false -# -# [*validate_insecure*] -# (optional) Whether to validate keystone connections -# using the --insecure option with keystone client. -# Defaults to false -# -# [*validate_cacert*] -# (optional) Whether to validate keystone connections -# using the specified argument with the --os-cacert option -# with keystone client. -# Defaults to undef -# -# [*validate_auth_url*] -# (optional) The url to validate keystone against -# Defaults to undef -# -# [*service_provider*] -# (optional) Provider, that can be used for keystone service. -# Default value defined in keystone::params for given operation system. -# If you use Pacemaker or another Cluster Resource Manager, you can make -# custom service provider for changing start/stop/status behavior of service, -# and set it here. -# -# [*service_name*] -# (optional) Name of the service that will be providing the -# server functionality of keystone. For example, the default -# is just 'keystone', which means keystone will be run as a -# standalone eventlet service, and will able to be managed -# separately by the operating system's service manager. For -# example, you will be able to use -# service openstack-keystone restart -# to restart the service. -# If the value is 'httpd', this means keystone will be a web -# service, and you must use another class to configure that -# web service. For example, after calling class {'keystone'...} -# use class { 'keystone::wsgi::apache'...} to make keystone be -# a web app using apache mod_wsgi. -# Defaults to '$::keystone::params::service_name' -# NOTE: validate_service only applies if the default value is used. -# -# [*paste_config*] -# (optional) Name of the paste configuration file that defines the -# available pipelines. (string value) -# Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and -# undef on other platforms. -# -# [*max_token_size*] -# (optional) maximum allowable Keystone token size -# Defaults to undef -# -# [*admin_workers*] -# (optional) The number of worker processes to serve the admin WSGI application. -# Defaults to max($::processorcount, 2) -# -# [*public_workers*] -# (optional) The number of worker processes to serve the public WSGI application. -# Defaults to max($::processorcount, 2) -# -# [*sync_db*] -# (Optional) Run db sync on the node. -# Defaults to true -# -# [*enable_fernet_setup*] -# (Optional) Setup keystone for fernet tokens. This is typically only -# run on a single node, then the keys are replicated to the other nodes -# in a cluster. You would typically also pair this with a fernet token -# provider setting. -# Defaults to false -# -# [*fernet_key_repository*] -# (Optional) Location for the fernet key repository. This value must -# be set if enable_fernet_setup is set to true. -# Defaults to '/etc/keystone/fernet-keys' -# -# [*fernet_max_active_keys*] -# (Optional) Number of maximum active Fernet keys. Integer > 0. -# Defaults to undef -# -# [*default_domain*] -# (optional) When Keystone v3 support is enabled, v2 clients will need -# to have a domain assigned for certain operations. For example, -# doing a user create operation must have a domain associated with it. -# This is the domain which will be used if a domain is needed and not -# explicitly set in the request. -# Defaults to undef (will use built-in Keystone default) -# -# == Dependencies -# None -# -# == Examples -# -# class { 'keystone': -# log_verbose => 'True', -# admin_token => 'my_special_token', -# } -# -# OR -# -# class { 'keystone': -# ... -# service_name => 'httpd', -# ... -# } -# class { 'keystone::wsgi::apache': -# ... -# } -# -# == Authors -# -# Dan Bode dan@puppetlabs.com -# -# == Copyright -# -# Copyright 2012 Puppetlabs Inc, unless otherwise noted. -# -class keystone( - $admin_token, - $package_ensure = 'present', - $client_package_ensure = 'present', - $public_bind_host = '0.0.0.0', - $admin_bind_host = '0.0.0.0', - $public_port = '5000', - $admin_port = '35357', - $verbose = false, - $debug = false, - $log_dir = '/var/log/keystone', - $log_file = false, - $use_syslog = false, - $log_facility = 'LOG_USER', - $catalog_type = 'sql', - $catalog_driver = false, - $catalog_template_file = '/etc/keystone/default_catalog.templates', - $token_provider = 'keystone.token.providers.uuid.Provider', - $token_driver = 'keystone.token.persistence.backends.sql.Token', - $token_expiration = 3600, - $revoke_driver = 'keystone.contrib.revoke.backends.sql.Revoke', - $public_endpoint = false, - $admin_endpoint = false, - $enable_ssl = false, - $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem', - $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem', - $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem', - $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem', - $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost', - $cache_dir = '/var/cache/keystone', - $memcache_servers = false, - $manage_service = true, - $cache_backend = 'keystone.common.cache.noop', - $cache_backend_argument = undef, - $debug_cache_backend = false, - $token_caching = true, - $enabled = true, - $database_connection = 'sqlite:////var/lib/keystone/keystone.db', - $database_idle_timeout = '200', - $enable_pki_setup = true, - $signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem', - $signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem', - $signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem', - $signing_ca_key = '/etc/keystone/ssl/private/cakey.pem', - $signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com', - $signing_key_size = 2048, - $rabbit_host = 'localhost', - $rabbit_hosts = false, - $rabbit_password = 'guest', - $rabbit_port = '5672', - $rabbit_userid = 'guest', - $rabbit_virtual_host = '/', - $rabbit_use_ssl = false, - $kombu_ssl_ca_certs = undef, - $kombu_ssl_certfile = undef, - $kombu_ssl_keyfile = undef, - $kombu_ssl_version = 'TLSv1', - $notification_driver = false, - $notification_topics = false, - $notification_format = undef, - $control_exchange = false, - $validate_service = false, - $validate_insecure = false, - $validate_auth_url = false, - $validate_cacert = undef, - $paste_config = $::keystone::params::paste_config, - $service_provider = $::keystone::params::service_provider, - $service_name = $::keystone::params::service_name, - $max_token_size = undef, - $admin_workers = max($::processorcount, 2), - $public_workers = max($::processorcount, 2), - $sync_db = true, - $enable_fernet_setup = false, - $fernet_key_repository = '/etc/keystone/fernet-keys', - $fernet_max_active_keys = undef, - $default_domain = undef, - # DEPRECATED PARAMETERS - $mysql_module = undef, - $compute_port = undef, -) inherits keystone::params { - - if ! $catalog_driver { - validate_re($catalog_type, 'template|sql') - } - - if $mysql_module { - warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.') - } - - if ($admin_endpoint and 'v2.0' in $admin_endpoint) { - warning('Version string /v2.0/ should not be included in keystone::admin_endpoint') - } - - if ($public_endpoint and 'v2.0' in $public_endpoint) { - warning('Version string /v2.0/ should not be included in keystone::public_endpoint') - } - - if $rabbit_use_ssl { - if !$kombu_ssl_ca_certs { - fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true') - } - if !$kombu_ssl_certfile { - fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true') - } - if !$kombu_ssl_keyfile { - fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true') - } - } - - File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name] - Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|> - Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|> - Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|> - - include ::keystone::params - - package { 'keystone': - ensure => $package_ensure, - name => $::keystone::params::package_name, - tag => 'openstack', - } - if $client_package_ensure == 'present' { - include '::openstacklib::openstackclient' - } else { - class { '::openstacklib::openstackclient': - package_ensure => $client_package_ensure, - } - } - - group { 'keystone': - ensure => present, - system => true, - require => Package['keystone'], - } - - user { 'keystone': - ensure => 'present', - gid => 'keystone', - system => true, - require => Package['keystone'], - } - - file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']: - ensure => directory, - mode => '0750', - owner => 'keystone', - group => 'keystone', - require => Package['keystone'], - notify => Service[$service_name], - } - - file { '/etc/keystone/keystone.conf': - ensure => present, - mode => '0600', - owner => 'keystone', - group => 'keystone', - require => Package['keystone'], - notify => Service[$service_name], - } - - keystone_config { - 'DEFAULT/admin_token': value => $admin_token, secret => true; - 'DEFAULT/public_bind_host': value => $public_bind_host; - 'DEFAULT/admin_bind_host': value => $admin_bind_host; - 'DEFAULT/public_port': value => $public_port; - 'DEFAULT/admin_port': value => $admin_port; - 'DEFAULT/verbose': value => $verbose; - 'DEFAULT/debug': value => $debug; - } - - if $compute_port { - warning('The compute_port parameter is deprecated and will be removed in L') - keystone_config { - 'DEFAULT/compute_port': value => $compute_port; - } - } else { - keystone_config { - 'DEFAULT/compute_port': ensure => absent; - } - } - - # Endpoint configuration - if $public_endpoint { - keystone_config { - 'DEFAULT/public_endpoint': value => $public_endpoint; - } - } else { - keystone_config { - 'DEFAULT/public_endpoint': ensure => absent; - } - } - if $admin_endpoint { - keystone_config { - 'DEFAULT/admin_endpoint': value => $admin_endpoint; - } - } else { - keystone_config { - 'DEFAULT/admin_endpoint': ensure => absent; - } - } - # requirements for memcache token driver - if ($token_driver =~ /memcache/ ) { - package { 'python-memcache': - ensure => present, - name => $::keystone::params::python_memcache_package_name, - } - } - - # token driver config - keystone_config { - 'token/driver': value => $token_driver; - 'token/expiration': value => $token_expiration; - } - - if $revoke_driver { - keystone_config { - 'revoke/driver': value => $revoke_driver; - } - } else { - keystone_config { - 'revoke/driver': ensure => absent; - } - } - - # ssl config - if ($enable_ssl) { - keystone_config { - 'ssl/enable': value => true; - 'ssl/certfile': value => $ssl_certfile; - 'ssl/keyfile': value => $ssl_keyfile; - 'ssl/ca_certs': value => $ssl_ca_certs; - 'ssl/ca_key': value => $ssl_ca_key; - 'ssl/cert_subject': value => $ssl_cert_subject; - } - } else { - keystone_config { - 'ssl/enable': value => false; - } - } - - if($database_connection =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) { - require 'mysql::bindings' - require 'mysql::bindings::python' - } elsif($database_connection =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) { - - } elsif($database_connection =~ /sqlite:\/\//) { - - } else { - fail("Invalid db connection ${database_connection}") - } - - # memcache connection config - if $memcache_servers { - validate_array($memcache_servers) - Service<| title == 'memcached' |> -> Service['keystone'] - keystone_config { - 'cache/enabled': value => true; - 'cache/backend': value => $cache_backend; - 'cache/debug_cache_backend': value => $debug_cache_backend; - 'token/caching': value => $token_caching; - 'memcache/servers': value => join($memcache_servers, ','); - } - if $cache_backend_argument { - validate_array($cache_backend_argument) - keystone_config { - 'cache/backend_argument': value => join($cache_backend_argument, ','); - } - } else { - keystone_config { - 'cache/backend_argument': ensure => absent; - } - } - } else { - keystone_config { - 'cache/enabled': ensure => absent; - 'cache/backend': ensure => absent; - 'cache/backend_argument': ensure => absent; - 'cache/debug_cache_backend': ensure => absent; - 'token/caching': ensure => absent; - 'memcache/servers': ensure => absent; - } - } - - # db connection config - keystone_config { - 'database/connection': value => $database_connection, secret => true; - 'database/idle_timeout': value => $database_idle_timeout; - } - - # configure based on the catalog backend - if $catalog_driver { - $catalog_driver_real = $catalog_driver - } - elsif ($catalog_type == 'template') { - $catalog_driver_real = 'keystone.catalog.backends.templated.Catalog' - } - elsif ($catalog_type == 'sql') { - $catalog_driver_real = 'keystone.catalog.backends.sql.Catalog' - } - - keystone_config { - 'catalog/driver': value => $catalog_driver_real; - 'catalog/template_file': value => $catalog_template_file; - } - - # Set the signing key/cert configuration values. - keystone_config { - 'signing/certfile': value => $signing_certfile; - 'signing/keyfile': value => $signing_keyfile; - 'signing/ca_certs': value => $signing_ca_certs; - 'signing/ca_key': value => $signing_ca_key; - 'signing/cert_subject': value => $signing_cert_subject; - 'signing/key_size': value => $signing_key_size; - } - - # Create cache directory used for signing. - file { $cache_dir: - ensure => directory, - } - - # Only do pki_setup if we were asked to do so. This is needed - # regardless of the token provider since token revocation lists - # are always signed. - if $enable_pki_setup { - exec { 'keystone-manage pki_setup': - path => '/usr/bin', - user => 'keystone', - refreshonly => true, - creates => $signing_keyfile, - notify => Service[$service_name], - subscribe => Package['keystone'], - require => User['keystone'], - } - } - - keystone_config { 'token/provider': value => $token_provider } - - if $max_token_size { - keystone_config { 'DEFAULT/max_token_size': value => $max_token_size } - } else { - keystone_config { 'DEFAULT/max_token_size': ensure => absent } - } - - if $notification_driver { - keystone_config { 'DEFAULT/notification_driver': value => $notification_driver } - } else { - keystone_config { 'DEFAULT/notification_driver': ensure => absent } - } - if $notification_topics { - keystone_config { 'DEFAULT/notification_topics': value => $notification_topics } - } else { - keystone_config { 'DEFAULT/notification_topics': ensure => absent } - } - if $notification_format { - keystone_config { 'DEFAULT/notification_format': value => $notification_format } - } else { - keystone_config { 'DEFAULT/notification_format': ensure => absent } - } - if $control_exchange { - keystone_config { 'DEFAULT/control_exchange': value => $control_exchange } - } else { - keystone_config { 'DEFAULT/control_exchange': ensure => absent } - } - - keystone_config { - 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true; - 'DEFAULT/rabbit_userid': value => $rabbit_userid; - 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host; - } - - if $rabbit_hosts { - keystone_config { 'DEFAULT/rabbit_hosts': value => join($rabbit_hosts, ',') } - keystone_config { 'DEFAULT/rabbit_ha_queues': value => true } - } else { - keystone_config { 'DEFAULT/rabbit_host': value => $rabbit_host } - keystone_config { 'DEFAULT/rabbit_port': value => $rabbit_port } - keystone_config { 'DEFAULT/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" } - keystone_config { 'DEFAULT/rabbit_ha_queues': value => false } - } - - keystone_config { 'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl } - if $rabbit_use_ssl { - keystone_config { - 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs; - 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile; - 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile; - 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version; - } - } else { - keystone_config { - 'DEFAULT/kombu_ssl_ca_certs': ensure => absent; - 'DEFAULT/kombu_ssl_certfile': ensure => absent; - 'DEFAULT/kombu_ssl_keyfile': ensure => absent; - 'DEFAULT/kombu_ssl_version': ensure => absent; - } - } - - keystone_config { - 'DEFAULT/admin_workers': value => $admin_workers; - 'DEFAULT/public_workers': value => $public_workers; - } - - if $manage_service { - if $enabled { - $service_ensure = 'running' - } else { - $service_ensure = 'stopped' - } - } else { - warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.') - } - - if $service_name == $::keystone::params::service_name { - if $validate_service { - if $validate_auth_url { - $v_auth_url = $validate_auth_url - } else { - $v_auth_url = $admin_endpoint - } - - class { '::keystone::service': - ensure => $service_ensure, - service_name => $service_name, - enable => $enabled, - hasstatus => true, - hasrestart => true, - provider => $service_provider, - validate => true, - admin_endpoint => $v_auth_url, - admin_token => $admin_token, - insecure => $validate_insecure, - cacert => $validate_cacert, - } - } else { - class { '::keystone::service': - ensure => $service_ensure, - service_name => $service_name, - enable => $enabled, - hasstatus => true, - hasrestart => true, - provider => $service_provider, - validate => false, - } - } - } elsif $service_name == 'httpd' { - class { '::keystone::service': - ensure => 'stopped', - service_name => $::keystone::params::service_name, - enable => false, - provider => $service_provider, - validate => false, - } - } else { - fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server') - } - - if $sync_db { - include ::keystone::db::sync - Class['::keystone::db::sync'] ~> Service[$service_name] - } - - # Syslog configuration - if $use_syslog { - keystone_config { - 'DEFAULT/use_syslog': value => true; - 'DEFAULT/syslog_log_facility': value => $log_facility; - } - } else { - keystone_config { - 'DEFAULT/use_syslog': value => false; - } - } - - if $log_file { - keystone_config { - 'DEFAULT/log_file': value => $log_file; - 'DEFAULT/log_dir': value => $log_dir; - } - } else { - if $log_dir { - keystone_config { - 'DEFAULT/log_dir': value => $log_dir; - 'DEFAULT/log_file': ensure => absent; - } - } else { - keystone_config { - 'DEFAULT/log_dir': ensure => absent; - 'DEFAULT/log_file': ensure => absent; - } - } - } - - if $paste_config { - keystone_config { - 'paste_deploy/config_file': value => $paste_config; - } - } else { - keystone_config { - 'paste_deploy/config_file': ensure => absent; - } - } - - # Fernet tokens support - if $enable_fernet_setup { - validate_string($fernet_key_repository) - - exec { 'keystone-manage fernet_setup': - path => '/usr/bin', - user => 'keystone', - refreshonly => true, - creates => "${fernet_key_repository}/0", - notify => Service[$service_name], - subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']], - } - } - - if $fernet_key_repository { - keystone_config { - 'fernet_tokens/key_repository': value => $fernet_key_repository; - } - } else { - keystone_config { - 'fernet_tokens/key_repository': ensure => absent; - } - } - - if $fernet_max_active_keys { - keystone_config { - 'fernet_tokens/max_active_keys': value => $fernet_max_active_keys; - } - } else { - keystone_config { - 'fernet_tokens/max_active_keys': ensure => absent; - } - } - - if $default_domain { - keystone_domain { $default_domain: - ensure => present, - enabled => true, - is_default => true, - require => File['/etc/keystone/keystone.conf'], - notify => Exec['restart_keystone'], - } - # Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed. - # 1/ Keystone needs to be started before creating the default domain - # 2/ Once the default domain is created, we can query Keystone to get the default domain ID - # 3/ The Keystone_domain provider has in charge of doing the query and configure keystone.conf - # 4/ After such a change, we need to restart Keystone service. - # restart_keystone exec is doing 4/, it restart Keystone if we have a new default domain setted - # and if we manage the service to be enabled. - if $manage_service and $enabled { - exec { 'restart_keystone': - path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin/'], - command => "service ${service_name} restart", - refreshonly => true, - } - } - } -}