--- /dev/null
+#
+# Module for managing keystone config.
+#
+# == Parameters
+#
+# [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
+# accepts latest or specific versions.
+# [bind_host] Host that keystone binds to.
+# [bind_port] Port that keystone binds to.
+# [public_port]
+# [compute_port]
+# [admin_port]
+# [admin_port] Port that can be used for admin tasks.
+# [admin_token] Admin token that can be used to authenticate as a keystone
+# admin. Required.
+# [verbose] Rather keystone should log at verbose level. Optional.
+# Defaults to False.
+# [debug] Rather keystone should log at debug level. Optional.
+# Defaults to False.
+# [use_syslog] Use syslog for logging. Optional.
+# Defaults to False.
+# [log_facility] Syslog facility to receive log lines. Optional.
+# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
+# Defaults to sql. (Also accepts template)
+# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
+# Setting this value will override and ignore catalog_type.
+# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
+# Defaults to '/etc/keystone/default_catalog.templates'
+# [token_provider] Format keystone uses for tokens. Optional.
+# Defaults to 'keystone.token.providers.uuid.Provider'
+# Supports PKI and UUID.
+# [token_driver] Driver to use for managing tokens.
+# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token'
+# [token_expiration] Amount of time a token should remain valid (seconds).
+# Optional. Defaults to 3600 (1 hour).
+# [token_format] Deprecated: Use token_provider instead.
+# [cache_dir] Directory created when token_provider is pki. Optional.
+# Defaults to /var/cache/keystone.
+#
+# [memcache_servers]
+# List of memcache servers in format of server:port.
+# Used with token_driver 'keystone.token.backends.memcache.Token'.
+# Optional. Defaults to false. Example: ['localhost:11211']
+#
+# [cache_backend]
+# Dogpile.cache backend module. It is recommended that Memcache with pooling
+# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
+# This has no effects unless 'memcache_servers' is set.
+# Optional. Defaults to 'keystone.common.cache.noop'
+#
+# [cache_backend_argument]
+# List of arguments in format of argname:value supplied to the backend module.
+# Specify this option once per argument to be passed to the dogpile.cache backend.
+# This has no effects unless 'memcache_servers' is set.
+# Optional. Default to undef.
+#
+# [debug_cache_backend]
+# Extra debugging from the cache backend (cache keys, get/set/delete calls).
+# This has no effects unless 'memcache_servers' is set.
+# Optional. Default to false.
+#
+# [token_caching]
+# Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
+# Optional. Default to true.
+#
+# [enabled] If the keystone services should be enabled. Optional. Default to true.
+#
+# [*database_connection*]
+# (optional) Url used to connect to database.
+# Defaults to sqlite:////var/lib/keystone/keystone.db
+#
+# [*sql_connection*]
+# (optional) Deprecated. Use database_connection instead.
+#
+# [*database_idle_timeout*]
+# (optional) Timeout when db connections should be reaped.
+# Defaults to 200.
+#
+# [*idle_timeout*]
+# (optional) Deprecated. Use database_idle_timeout instead.
+#
+# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
+# revocation lists if it doesn't already exist. This generates a cert and key stored in file
+# locations based on the signing_certfile and signing_keyfile paramters below. If you are
+# providing your own signing cert, make this false.
+# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
+# Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
+# the file will not be overwritten, even if enable_pki_setup is set to true.
+# Default: /etc/keystone/ssl/certs/signing_cert.pem
+# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
+# Note that if this file already exists (i.e. you are providing your own signing cert), the file
+# will not be overwritten, even if enable_pki_setup is set to true.
+# Default: /etc/keystone/ssl/private/signing_key.pem
+# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
+# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
+# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
+# pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
+#
+# [*signing_cert_subject*]
+# (optional) Certificate subject (auto generated certificate) for token signing.
+# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
+#
+# [*signing_key_size*]
+# (optional) Key size (in bits) for token signing cert (auto generated certificate)
+# Defaults to 2048
+#
+# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
+# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
+# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
+# [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
+# [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
+# [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
+#
+# [*rabbit_use_ssl*]
+# (optional) Connect over SSL for RabbitMQ
+# Defaults to false
+#
+# [*kombu_ssl_ca_certs*]
+# (optional) SSL certification authority file (valid only if SSL enabled).
+# Defaults to undef
+#
+# [*kombu_ssl_certfile*]
+# (optional) SSL cert file (valid only if SSL enabled).
+# Defaults to undef
+#
+# [*kombu_ssl_keyfile*]
+# (optional) SSL key file (valid only if SSL enabled).
+# Defaults to undef
+#
+# [*kombu_ssl_version*]
+# (optional) SSL version to use (valid only if SSL enabled).
+# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+# available on some distributions.
+# Defaults to 'TLSv1'
+#
+# [notification_driver] RPC driver. Not enabled by default
+# [notification_topics] AMQP topics to publish to when using the RPC notification driver.
+# [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
+#
+# [*public_bind_host*]
+# (optional) The IP address of the public network interface to listen on
+# Deprecates bind_host
+# Default to '0.0.0.0'.
+#
+# [*admin_bind_host*]
+# (optional) The IP address of the public network interface to listen on
+# Deprecates bind_host
+# Default to '0.0.0.0'.
+#
+# [*log_dir*]
+# (optional) Directory where logs should be stored
+# If set to boolean false, it will not log to any directory
+# Defaults to '/var/log/keystone'
+#
+# [*log_file*]
+# (optional) Where to log
+# Defaults to false
+#
+# [*public_endpoint*]
+# (optional) The base public endpoint URL for keystone that are
+# advertised to clients (NOTE: this does NOT affect how
+# keystone listens for connections) (string value)
+# If set to false, no public_endpoint will be defined in keystone.conf.
+# Sample value: 'http://localhost:5000/'
+# Defaults to false
+#
+# [*admin_endpoint*]
+# (optional) The base admin endpoint URL for keystone that are
+# advertised to clients (NOTE: this does NOT affect how keystone listens
+# for connections) (string value)
+# If set to false, no admin_endpoint will be defined in keystone.conf.
+# Sample value: 'http://localhost:35357/'
+# Defaults to false
+#
+# [*enable_ssl*]
+# (optional) Toggle for SSL support on the keystone eventlet servers.
+# (boolean value)
+# Defaults to false
+#
+# [*ssl_certfile*]
+# (optional) Path of the certfile for SSL. (string value)
+# Defaults to '/etc/keystone/ssl/certs/keystone.pem'
+#
+# [*ssl_keyfile*]
+# (optional) Path of the keyfile for SSL. (string value)
+# Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
+#
+# [*ssl_ca_certs*]
+# (optional) Path of the ca cert file for SSL. (string value)
+# Defaults to '/etc/keystone/ssl/certs/ca.pem'
+#
+# [*ssl_ca_key*]
+# (optional) Path of the CA key file for SSL (string value)
+# Defaults to '/etc/keystone/ssl/private/cakey.pem'
+#
+# [*ssl_cert_subject*]
+# (optional) SSL Certificate Subject (auto generated certificate)
+# (string value)
+# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
+#
+# [*mysql_module*]
+# (optional) Deprecated. Does nothing.
+#
+# [*validate_service*]
+# (optional) Whether to validate keystone connections after
+# the service is started.
+# Defaults to false
+#
+# [*validate_insecure*]
+# (optional) Whether to validate keystone connections
+# using the --insecure option with keystone client.
+# Defaults to false
+#
+# [*validate_cacert*]
+# (optional) Whether to validate keystone connections
+# using the specified argument with the --os-cacert option
+# with keystone client.
+# Defaults to undef
+#
+# [*validate_auth_url*]
+# (optional) The url to validate keystone against
+# Defaults to undef
+#
+# [*service_provider*]
+# (optional) Provider, that can be used for keystone service.
+# Default value defined in keystone::params for given operation system.
+# If you use Pacemaker or another Cluster Resource Manager, you can make
+# custom service provider for changing start/stop/status behavior of service,
+# and set it here.
+#
+# [*service_name*]
+# (optional) Name of the service that will be providing the
+# server functionality of keystone. For example, the default
+# is just 'keystone', which means keystone will be run as a
+# standalone eventlet service, and will able to be managed
+# separately by the operating system's service manager. For
+# example, you will be able to use
+# service openstack-keystone restart
+# to restart the service.
+# If the value is 'httpd', this means keystone will be a web
+# service, and you must use another class to configure that
+# web service. For example, after calling class {'keystone'...}
+# use class { 'keystone::wsgi::apache'...} to make keystone be
+# a web app using apache mod_wsgi.
+# Defaults to 'keystone'
+# NOTE: validate_service only applies if the value is 'keystone'
+#
+# == Dependencies
+# None
+#
+# == Examples
+#
+# class { 'keystone':
+# log_verbose => 'True',
+# admin_token => 'my_special_token',
+# }
+#
+# OR
+#
+# class { 'keystone':
+# ...
+# service_name => 'httpd',
+# ...
+# }
+# class { 'keystone::wsgi::apache':
+# ...
+# }
+#
+# == Authors
+#
+# Dan Bode dan@puppetlabs.com
+#
+# == Copyright
+#
+# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
+#
+class keystone(
+ $admin_token,
+ $package_ensure = 'present',
+ $bind_host = false,
+ $public_bind_host = '0.0.0.0',
+ $admin_bind_host = '0.0.0.0',
+ $public_port = '5000',
+ $admin_port = '35357',
+ $compute_port = '8774',
+ $verbose = false,
+ $debug = false,
+ $log_dir = '/var/log/keystone',
+ $log_file = false,
+ $use_syslog = false,
+ $log_facility = 'LOG_USER',
+ $catalog_type = 'sql',
+ $catalog_driver = false,
+ $catalog_template_file = '/etc/keystone/default_catalog.templates',
+ $token_format = false,
+ $token_provider = 'keystone.token.providers.uuid.Provider',
+ $token_driver = 'keystone.token.persistence.backends.sql.Token',
+ $token_expiration = 3600,
+ $public_endpoint = false,
+ $admin_endpoint = false,
+ $enable_ssl = false,
+ $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
+ $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
+ $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
+ $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
+ $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
+ $cache_dir = '/var/cache/keystone',
+ $memcache_servers = false,
+ $cache_backend = 'keystone.common.cache.noop',
+ $cache_backend_argument = undef,
+ $debug_cache_backend = false,
+ $token_caching = true,
+ $enabled = true,
+ $database_connection = 'sqlite:////var/lib/keystone/keystone.db',
+ $database_idle_timeout = '200',
+ $enable_pki_setup = true,
+ $signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
+ $signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
+ $signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
+ $signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
+ $signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
+ $signing_key_size = 2048,
+ $rabbit_host = 'localhost',
+ $rabbit_hosts = false,
+ $rabbit_password = 'guest',
+ $rabbit_port = '5672',
+ $rabbit_userid = 'guest',
+ $rabbit_virtual_host = '/',
+ $rabbit_use_ssl = false,
+ $kombu_ssl_ca_certs = undef,
+ $kombu_ssl_certfile = undef,
+ $kombu_ssl_keyfile = undef,
+ $kombu_ssl_version = 'TLSv1',
+ $notification_driver = false,
+ $notification_topics = false,
+ $control_exchange = false,
+ $validate_service = false,
+ $validate_insecure = false,
+ $validate_auth_url = false,
+ $validate_cacert = undef,
+ $service_provider = $::keystone::params::service_provider,
+ $service_name = 'keystone',
+ # DEPRECATED PARAMETERS
+ $mysql_module = undef,
+ $sql_connection = undef,
+ $idle_timeout = undef,
+) inherits keystone::params {
+
+ if ! $catalog_driver {
+ validate_re($catalog_type, 'template|sql')
+ }
+
+ if $mysql_module {
+ warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
+ }
+
+ if $sql_connection {
+ warning('The sql_connection parameter is deprecated, use database_connection instead.')
+ $database_connection_real = $sql_connection
+ } else {
+ $database_connection_real = $database_connection
+ }
+
+ if $idle_timeout {
+ warning('The idle_timeout parameter is deprecated, use database_idle_timeout instead.')
+ $database_idle_timeout_real = $idle_timeout
+ } else {
+ $database_idle_timeout_real = $database_idle_timeout
+ }
+
+ if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
+ warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
+ }
+
+ if ($public_endpoint and 'v2.0' in $public_endpoint) {
+ warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
+ }
+
+ if $rabbit_use_ssl {
+ if !$kombu_ssl_ca_certs {
+ fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
+ }
+ if !$kombu_ssl_certfile {
+ fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
+ }
+ if !$kombu_ssl_keyfile {
+ fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
+ }
+ }
+
+ File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
+ Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
+ Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
+ include ::keystone::params
+
+ package { 'keystone':
+ ensure => $package_ensure,
+ name => $::keystone::params::package_name,
+ tag => 'openstack',
+ }
+ # TODO: Move this to openstacklib::openstackclient in Kilo
+ package { 'python-openstackclient':
+ ensure => present,
+ tag => 'openstack',
+ }
+
+ group { 'keystone':
+ ensure => present,
+ system => true,
+ require => Package['keystone'],
+ }
+
+ user { 'keystone':
+ ensure => 'present',
+ gid => 'keystone',
+ system => true,
+ require => Package['keystone'],
+ }
+
+ file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
+ ensure => directory,
+ mode => '0750',
+ owner => 'keystone',
+ group => 'keystone',
+ require => Package['keystone'],
+ notify => Service[$service_name],
+ }
+
+ file { '/etc/keystone/keystone.conf':
+ ensure => present,
+ mode => '0600',
+ owner => 'keystone',
+ group => 'keystone',
+ require => Package['keystone'],
+ notify => Service[$service_name],
+ }
+
+ if $bind_host {
+ warning('The bind_host parameter is deprecated, use public_bind_host and admin_bind_host instead.')
+ $public_bind_host_real = $bind_host
+ $admin_bind_host_real = $bind_host
+ } else {
+ $public_bind_host_real = $public_bind_host
+ $admin_bind_host_real = $admin_bind_host
+ }
+
+ # default config
+ keystone_config {
+ 'DEFAULT/admin_token': value => $admin_token, secret => true;
+ 'DEFAULT/public_bind_host': value => $public_bind_host_real;
+ 'DEFAULT/admin_bind_host': value => $admin_bind_host_real;
+ 'DEFAULT/public_port': value => $public_port;
+ 'DEFAULT/admin_port': value => $admin_port;
+ 'DEFAULT/compute_port': value => $compute_port;
+ 'DEFAULT/verbose': value => $verbose;
+ 'DEFAULT/debug': value => $debug;
+ }
+
+ # Endpoint configuration
+ if $public_endpoint {
+ keystone_config {
+ 'DEFAULT/public_endpoint': value => $public_endpoint;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/public_endpoint': ensure => absent;
+ }
+ }
+ if $admin_endpoint {
+ keystone_config {
+ 'DEFAULT/admin_endpoint': value => $admin_endpoint;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/admin_endpoint': ensure => absent;
+ }
+ }
+ # requirements for memcache token driver
+ if ($token_driver =~ /memcache/ ) {
+ package { 'python-memcache':
+ ensure => present,
+ name => $::keystone::params::python_memcache_package_name,
+ }
+ }
+
+ # token driver config
+ keystone_config {
+ 'token/driver': value => $token_driver;
+ 'token/expiration': value => $token_expiration;
+ }
+
+ # ssl config
+ if ($enable_ssl) {
+ keystone_config {
+ 'ssl/enable': value => true;
+ 'ssl/certfile': value => $ssl_certfile;
+ 'ssl/keyfile': value => $ssl_keyfile;
+ 'ssl/ca_certs': value => $ssl_ca_certs;
+ 'ssl/ca_key': value => $ssl_ca_key;
+ 'ssl/cert_subject': value => $ssl_cert_subject;
+ }
+ } else {
+ keystone_config {
+ 'ssl/enable': value => false;
+ }
+ }
+
+ if($database_connection_real =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
+ require 'mysql::bindings'
+ require 'mysql::bindings::python'
+ } elsif($database_connection_real =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
+
+ } elsif($database_connection_real =~ /sqlite:\/\//) {
+
+ } else {
+ fail("Invalid db connection ${database_connection_real}")
+ }
+
+ # memcache connection config
+ if $memcache_servers {
+ validate_array($memcache_servers)
+ Service<| title == 'memcached' |> -> Service['keystone']
+ keystone_config {
+ 'cache/enabled': value => true;
+ 'cache/backend': value => $cache_backend;
+ 'cache/debug_cache_backend': value => $debug_cache_backend;
+ 'token/caching': value => $token_caching;
+ 'memcache/servers': value => join($memcache_servers, ',');
+ }
+ if $cache_backend_argument {
+ validate_array($cache_backend_argument)
+ keystone_config {
+ 'cache/backend_argument': value => join($cache_backend_argument, ',');
+ }
+ } else {
+ keystone_config {
+ 'cache/backend_argument': ensure => absent;
+ }
+ }
+ } else {
+ keystone_config {
+ 'cache/enabled': ensure => absent;
+ 'cache/backend': ensure => absent;
+ 'cache/backend_argument': ensure => absent;
+ 'cache/debug_cache_backend': ensure => absent;
+ 'token/caching': ensure => absent;
+ 'memcache/servers': ensure => absent;
+ }
+ }
+
+ # db connection config
+ keystone_config {
+ 'database/connection': value => $database_connection_real, secret => true;
+ 'database/idle_timeout': value => $database_idle_timeout_real;
+ }
+
+ # configure based on the catalog backend
+ if $catalog_driver {
+ $catalog_driver_real = $catalog_driver
+ }
+ elsif ($catalog_type == 'template') {
+ $catalog_driver_real = 'keystone.catalog.backends.templated.Catalog'
+ }
+ elsif ($catalog_type == 'sql') {
+ $catalog_driver_real = 'keystone.catalog.backends.sql.Catalog'
+ }
+
+ keystone_config {
+ 'catalog/driver': value => $catalog_driver_real;
+ 'catalog/template_file': value => $catalog_template_file;
+ }
+
+ if $token_format {
+ warning('token_format parameter is deprecated. Use token_provider instead.')
+ }
+
+ # remove the old format in case of an upgrade
+ keystone_config { 'signing/token_format': ensure => absent }
+
+ # Set the signing key/cert configuration values.
+ keystone_config {
+ 'signing/certfile': value => $signing_certfile;
+ 'signing/keyfile': value => $signing_keyfile;
+ 'signing/ca_certs': value => $signing_ca_certs;
+ 'signing/ca_key': value => $signing_ca_key;
+ 'signing/cert_subject': value => $signing_cert_subject;
+ 'signing/key_size': value => $signing_key_size;
+ }
+
+ # Create cache directory used for signing.
+ file { $cache_dir:
+ ensure => directory,
+ }
+
+ # Only do pki_setup if we were asked to do so. This is needed
+ # regardless of the token provider since token revocation lists
+ # are always signed.
+ if $enable_pki_setup {
+ exec { 'keystone-manage pki_setup':
+ path => '/usr/bin',
+ user => 'keystone',
+ refreshonly => true,
+ creates => $signing_keyfile,
+ notify => Service[$service_name],
+ subscribe => Package['keystone'],
+ require => User['keystone'],
+ }
+ }
+
+ if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
+ keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
+ } elsif $token_format == 'UUID' {
+ keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
+ } else {
+ keystone_config { 'token/provider': value => $token_provider }
+ }
+
+ if $notification_driver {
+ keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
+ } else {
+ keystone_config { 'DEFAULT/notification_driver': ensure => absent }
+ }
+ if $notification_topics {
+ keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
+ } else {
+ keystone_config { 'DEFAULT/notification_topics': ensure => absent }
+ }
+ if $control_exchange {
+ keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
+ } else {
+ keystone_config { 'DEFAULT/control_exchange': ensure => absent }
+ }
+
+ keystone_config {
+ 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
+ 'DEFAULT/rabbit_userid': value => $rabbit_userid;
+ 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
+ }
+
+ if $rabbit_hosts {
+ keystone_config { 'DEFAULT/rabbit_hosts': value => join($rabbit_hosts, ',') }
+ keystone_config { 'DEFAULT/rabbit_ha_queues': value => true }
+ } else {
+ keystone_config { 'DEFAULT/rabbit_host': value => $rabbit_host }
+ keystone_config { 'DEFAULT/rabbit_port': value => $rabbit_port }
+ keystone_config { 'DEFAULT/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" }
+ keystone_config { 'DEFAULT/rabbit_ha_queues': value => false }
+ }
+
+ keystone_config { 'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl }
+ if $rabbit_use_ssl {
+ keystone_config {
+ 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
+ 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile;
+ 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile;
+ 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
+ 'DEFAULT/kombu_ssl_certfile': ensure => absent;
+ 'DEFAULT/kombu_ssl_keyfile': ensure => absent;
+ 'DEFAULT/kombu_ssl_version': ensure => absent;
+ }
+ }
+
+ if $enabled {
+ $service_ensure = 'running'
+ } else {
+ $service_ensure = 'stopped'
+ }
+
+ if $service_name == 'keystone' {
+ if $validate_service {
+ if $validate_auth_url {
+ $v_auth_url = $validate_auth_url
+ } else {
+ $v_auth_url = $admin_endpoint
+ }
+
+ class { 'keystone::service':
+ ensure => $service_ensure,
+ service_name => $::keystone::params::service_name,
+ enable => $enabled,
+ hasstatus => true,
+ hasrestart => true,
+ provider => $service_provider,
+ validate => true,
+ admin_endpoint => $v_auth_url,
+ admin_token => $admin_token,
+ insecure => $validate_insecure,
+ cacert => $validate_cacert,
+ }
+ } else {
+ class { 'keystone::service':
+ ensure => $service_ensure,
+ service_name => $::keystone::params::service_name,
+ enable => $enabled,
+ hasstatus => true,
+ hasrestart => true,
+ provider => $service_provider,
+ validate => false,
+ }
+ }
+ }
+
+ if $enabled {
+ include ::keystone::db::sync
+ Class['::keystone::db::sync'] ~> Service[$service_name]
+ }
+
+ # Syslog configuration
+ if $use_syslog {
+ keystone_config {
+ 'DEFAULT/use_syslog': value => true;
+ 'DEFAULT/syslog_log_facility': value => $log_facility;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/use_syslog': value => false;
+ }
+ }
+
+ if $log_file {
+ keystone_config {
+ 'DEFAULT/log_file': value => $log_file;
+ 'DEFAULT/log_dir': value => $log_dir;
+ }
+ } else {
+ if $log_dir {
+ keystone_config {
+ 'DEFAULT/log_dir': value => $log_dir;
+ 'DEFAULT/log_file': ensure => absent;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/log_dir': ensure => absent;
+ 'DEFAULT/log_file': ensure => absent;
+ }
+ }
+ }
+
+}
projects / dsa-puppet.git / blobdiff