3874255b9f
* Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments. * Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again later in a next iteration. * Deploy Ironic API under WSGI instead of eventlet. * Switch Glance API, Ironic API and Keystone to SSL. * Configure Tempest with SSL endpoints when needed. * Reduce the Ironic tests because of [1]. [1] https://bugs.launchpad.net/ironic/+bug/1554237 Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not implemented in this patch. Note #2: we don't enable SSL for Neutron because of https://bugs.launchpad.net/neutron/+bug/1514424 Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014
71 lines
2.3 KiB
Puppet
71 lines
2.3 KiB
Puppet
# Configure the Keystone service
|
|
#
|
|
# [*default_domain*]
|
|
# (optional) Define the default domain id.
|
|
# Set to 'undef' for 'Default' domain.
|
|
# Default to undef.
|
|
#
|
|
# [*using_domain_config*]
|
|
# (optional) Eases the use of the keystone_domain_config resource type.
|
|
# It ensures that a directory for holding the domain configuration is present
|
|
# and the associated configuration in keystone.conf is set up right.
|
|
# Defaults to false
|
|
#
|
|
class openstack_integration::keystone (
|
|
$default_domain = undef,
|
|
$using_domain_config = false,
|
|
) {
|
|
|
|
include ::openstack_integration::config
|
|
include ::openstack_integration::params
|
|
|
|
if $::openstack_integration::config::ssl {
|
|
openstack_integration::ssl_key { 'keystone':
|
|
notify => Service['httpd'],
|
|
require => Package['keystone'],
|
|
}
|
|
Exec['update-ca-certificates'] ~> Service['httpd']
|
|
}
|
|
|
|
class { '::keystone::client': }
|
|
class { '::keystone::cron::token_flush': }
|
|
class { '::keystone::db::mysql':
|
|
password => 'keystone',
|
|
}
|
|
class { '::keystone':
|
|
verbose => true,
|
|
debug => true,
|
|
database_connection => 'mysql+pymysql://keystone:keystone@127.0.0.1/keystone',
|
|
admin_token => 'admin_token',
|
|
enabled => true,
|
|
service_name => 'httpd',
|
|
default_domain => $default_domain,
|
|
using_domain_config => $using_domain_config,
|
|
enable_ssl => $::openstack_integration::config::ssl,
|
|
}
|
|
include ::apache
|
|
class { '::keystone::wsgi::apache':
|
|
ssl => $::openstack_integration::config::ssl,
|
|
ssl_key => "/etc/keystone/ssl/private/${::fqdn}.pem",
|
|
ssl_cert => $::openstack_integration::params::cert_path,
|
|
workers => 2,
|
|
}
|
|
class { '::keystone::roles::admin':
|
|
email => 'test@example.tld',
|
|
password => 'a_big_secret',
|
|
}
|
|
class { '::keystone::endpoint':
|
|
default_domain => $default_domain,
|
|
public_url => $::openstack_integration::config::keystone_auth_uri,
|
|
admin_url => $::openstack_integration::config::keystone_admin_uri,
|
|
}
|
|
class { '::keystone::disable_admin_token_auth': }
|
|
|
|
class { '::openstack_extras::auth_file':
|
|
password => 'a_big_secret',
|
|
project_domain => 'default',
|
|
user_domain => 'default',
|
|
auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/",
|
|
}
|
|
}
|