openstack/puppet-openstack-integration
Code Issues Proposed changes
puppet-openstack-integration/manifests/keystone.pp
Alfredo Moralejo fc3f3e14f5 Reduce fernet_rotate frequency 
Currently it's every 10 minutes. When using expiration time of 40
minutes (scenario001) or longer, this is too frequent and in some cases,
jobs are failing with InvalidToken in scenario001. To avoid this we can
run fernet_rotate less often or increase max_active_keys [1]. In this
case i'm making it to rotate every 30 minutes instead of 10.

[1] https://docs.openstack.org/keystone/latest/admin/fernet-token-faq.html#i-rotated-keys-and-now-tokens-are-invalidating-early-what-did-i-do

Change-Id: Ia19612b668313752b62545ce5cae49396671b939
2019-11-15 15:48:04 +01:00

137 lines
4.8 KiB
Puppet
Raw Blame History

# Configure the Keystone service
#
# [*default_domain*]
# (optional) Define the default domain id.
# Set to 'undef' for 'Default' domain.
# Default to undef.
#
# [*using_domain_config*]
# (optional) Eases the use of the keystone_domain_config resource type.
# It ensures that a directory for holding the domain configuration is present
# and the associated configuration in keystone.conf is set up right.
# Defaults to false
#
# [*token_expiration*]
# (optional) Define the token expiration to use.
# Default to '600'.
#
class openstack_integration::keystone (
$default_domain = undef,
$using_domain_config = false,
$token_expiration = '600',
) {
include ::openstack_integration::config
include ::openstack_integration::params
openstack_integration::mq_user { 'keystone':
password => 'an_even_bigger_secret',
before => Anchor['keystone::service::begin'],
}
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'keystone':
notify => Service['httpd'],
require => Package['keystone'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
# Keystone credential setup is not packaged in UCA yet.
# It should be done when Newton is released.
if $::osfamily == 'RedHat' {
$enable_credential_setup = true
} else {
$enable_credential_setup = false
}
class { '::keystone::client': }
class { '::keystone::cron::token_flush': }
class { '::keystone::cron::fernet_rotate':
hour => '*',
minute => '*/30',
}
class { '::keystone::db::mysql':
password => 'keystone',
}
class { '::keystone::logging':
debug => true,
}
class { '::keystone':
database_connection => 'mysql+pymysql://keystone:keystone@127.0.0.1/keystone',
admin_token => 'a_big_token',
admin_password => 'a_big_secret',
enabled => true,
service_name => 'httpd',
default_domain => $default_domain,
using_domain_config => $using_domain_config,
enable_ssl => $::openstack_integration::config::ssl,
public_bind_host => $::openstack_integration::config::host,
admin_bind_host => $::openstack_integration::config::host,
manage_policyrcd => true,
enable_credential_setup => $enable_credential_setup,
fernet_key_repository => '/etc/keystone/fernet-keys/',
fernet_max_active_keys => '5',
token_expiration => $token_expiration,
default_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_default_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_default_port,
'username' => 'keystone',
'password' => 'an_even_bigger_secret',
}),
notification_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_notify_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_notify_port,
'username' => 'keystone',
'password' => 'an_even_bigger_secret',
}),
rabbit_use_ssl => $::openstack_integration::config::ssl,
}
class { '::keystone::messaging::amqp':
amqp_sasl_mechanisms => 'PLAIN',
}
include ::apache
class { '::keystone::wsgi::apache':
bind_host => $::openstack_integration::config::ip_for_url,
ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/keystone/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
}
class { '::keystone::roles::admin':
email => 'test@example.tld',
password => 'a_big_secret',
}
class { '::keystone::endpoint':
default_domain => $default_domain,
public_url => $::openstack_integration::config::keystone_auth_uri,
admin_url => $::openstack_integration::config::keystone_admin_uri,
version => '',
}
class { '::openstack_extras::auth_file':
password => 'a_big_secret',
project_domain => 'default',
user_domain => 'default',
auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/",
}
# We need tempest users to have the creator role to be able to store
# secrets in barbican. We do this by adding the creator role to the
# tempest_roles list in tempest.conf.
# We also need the member role for some swift container tests.
# Ordinarily tempest code in dynamic_creds.py would create
# this role and assign users to it. This code is not executed, however,
# when tempest_roles is defined. Therefore we need to make sure this
# role is created here, and added to tempest_roles.
keystone_role { 'creator':
ensure => present,
}
keystone_role { 'member':
ensure => present,
}
}
View Git Blame Copy Permalink