stackforge/puppet-openstack-cloud
Code Issues Proposed changes
puppet-openstack-cloud/manifests/identity.pp
Emilien Macchi d657eb30bf identity: flush tokens every days at midnight 
Install a crontab to flush expired keystone tokens every days at
midnight.
The reason is that we are using MySQL backend for token storage and when
having a big deployment, Database could grow faster than we expect.

While we find another backend for Keystone which scale, let's create a
crontab which will avoid a lot of issues in production :-)
2014-05-21 21:56:16 +02:00

577 lines
19 KiB
Puppet
Raw Blame History

#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::identity
#
# Install Identity Server (Keystone)
#
# === Parameters:
#
# [*identity_roles_addons*]
# (optional) Extra keystone roles to create
# Defaults to ['SwiftOperator', 'ResellerAdmin']
#
# [*keystone_db_host*]
# (optional) Hostname or IP address to connect to keystone database
# Defaults to '127.0.0.1'
#
# [*keystone_db_user*]
# (optional) Username to connect to keystone database
# Defaults to 'keystone'
#
# [*keystone_db_password*]
# (optional) Password to connect to keystone database
# Defaults to 'keystonepassword'
#
# [*ks_admin_email*]
# (optional) Email address of admin user in Keystone
# Defaults to 'no-reply@keystone.openstack'
#
# [*ks_admin_password*]
# (optional) Password of admin user in Keystone
# Defaults to 'adminpassword'
#
# [*ks_admin_tenant*]
# (optional) Admin tenant name in Keystone
# Defaults to 'admin'
#
# [*ks_admin_token*]
# (required) Admin token used by Keystone.
#
# [*ks_glance_internal_host*]
# (optional) Internal Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_glance_admin_host*]
# (optional) Admin Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_glance_public_host*]
# (optional) Public Hostname or IP to connect to Glance API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_internal_host*]
# (optional) Internal Hostname or IP to connect to Ceilometer API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_admin_host*]
# (optional) Admin Hostname or IP to connect to Ceilometer API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_public_host*]
# (optional) Public Hostname or IP to connect to Ceilometer API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_internal_host*]
# (optional) Internal Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_admin_host*]
# (optional) Admin Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_keystone_public_host*]
# (optional) Public Hostname or IP to connect to Keystone API
# Defaults to '127.0.0.1'
#
# [*ks_nova_internal_host*]
# (optional) Internal Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*ks_nova_admin_host*]
# (optional) Admin Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*ks_nova_public_host*]
# (optional) Public Hostname or IP to connect to Nova API
# Defaults to '127.0.0.1'
#
# [*ks_cinder_internal_host*]
# (optional) Internal Hostname or IP to connect to Cinder API
# Defaults to '127.0.0.1'
#
# [*ks_cinder_admin_host*]
# (optional) Admin Hostname or IP to connect to Cinder API
# Defaults to '127.0.0.1'
#
# [*ks_cinder_public_host*]
# (optional) Public Hostname or IP to connect to Cinder API
# Defaults to '127.0.0.1'
#
# [*ks_neutron_internal_host*]
# (optional) Internal Hostname or IP to connect to Neutron API
# Defaults to '127.0.0.1'
#
# [*ks_neutron_admin_host*]
# (optional) Admin Hostname or IP to connect to Neutron API
# Defaults to '127.0.0.1'
#
# [*ks_neutron_public_host*]
# (optional) Public Hostname or IP to connect to Neutron API
# Defaults to '127.0.0.1'
#
# [*ks_heat_internal_host*]
# (optional) Internal Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_heat_admin_host*]
# (optional) Admin Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_heat_public_host*]
# (optional) Public Hostname or IP to connect to Heat API
# Defaults to '127.0.0.1'
#
# [*ks_swift_internal_host*]
# (optional) Internal Hostname or IP to connect to Swift API
# Defaults to '127.0.0.1'
#
# [*ks_swift_admin_host*]
# (optional) Admin Hostname or IP to connect to Swift API
# Defaults to '127.0.0.1'
#
# [*ks_swift_public_host*]
# (optional) Public Hostname or IP to connect to Swift API
# Defaults to '127.0.0.1'
#
# [*ks_ceilometer_password*]
# (optional) Password used by Ceilometer to connect to Keystone API
# Defaults to 'ceilometerpassword'
#
# [*ks_swift_password*]
# (optional) Password used by Swift to connect to Keystone API
# Defaults to 'swiftpassword'
#
# [*ks_nova_password*]
# (optional) Password used by Nova to connect to Keystone API
# Defaults to 'novapassword'
#
# [*ks_neutron_password*]
# (optional) Password used by Neutron to connect to Keystone API
# Defaults to 'neutronpassword'
#
# [*ks_heat_password*]
# (optional) Password used by Heat to connect to Keystone API
# Defaults to 'heatpassword'
#
# [*ks_glance_password*]
# (optional) Password used by Glance to connect to Keystone API
# Defaults to 'glancepassword'
#
# [*ks_cinder_password*]
# (optional) Password used by Cinder to connect to Keystone API
# Defaults to 'cinderpassword'
#
# [*ks_swift_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_heat_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_nova_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_neutron_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_glance_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_cinder_public_proto*]
# (optional) Protocol used to connect to API. Could be 'http' or 'https'.
# Defaults to 'http'
#
# [*ks_ceilometer_public_port*]
# (optional) TCP port to connect to Ceilometer API from public network
# Defaults to '8777'
#
# [*ks_ceilometer_admin_port*]
# (optional) TCP port to connect to Ceilometer API from admin network
# Defaults to '8777'
#
# [*ks_ceilometer_internal_port*]
# (optional) TCP port to connect to Ceilometer API from internal network
# Defaults to '8777'
#
# [*ks_keystone_internal_port*]
# (optional) TCP port to connect to Keystone API from internal network
# Defaults to '5000'
#
# [*ks_keystone_public_port*]
# (optional) TCP port to connect to Keystone API from public network
# Defaults to '5000'
#
# [*ks_keystone_admin_port*]
# (optional) TCP port to connect to Keystone API from admin network
# Defaults to '35357'
#
# [*ks_swift_public_port*]
# (optional) TCP port to connect to Swift API from public network
# Defaults to '8080'
#
# [*ks_nova_internal_port*]
# (optional) TCP port to connect to Nova API from internal network
# Defaults to '8774'
#
# [*ks_nova_public_port*]
# (optional) TCP port to connect to Nova API from public network
# Defaults to '8774'
#
# [*ks_ec2_public_port*]
# (optional) TCP port to connect to EC2 API from public network
# Defaults to '8773'
#
# [*ks_nova_admin_port*]
# (optional) TCP port to connect to Nova API from admin network
# Defaults to '8774'
#
# [*ks_cinder_internal_port*]
# (optional) TCP port to connect to Cinder API from internal network
# Defaults to '8776'
#
# [*ks_cinder_public_port*]
# (optional) TCP port to connect to Cinder API from public network
# Defaults to '8776'
#
# [*ks_cinder_admin_port*]
# (optional) TCP port to connect to Cinder API from admin network
# Defaults to '8776'
#
# [*ks_neutron_internal_port*]
# (optional) TCP port to connect to Neutron API from internal network
# Defaults to '9696'
#
# [*ks_neutron_public_port*]
# (optional) TCP port to connect to Neutron API from public network
# Defaults to '9696'
#
# [*ks_neutron_admin_port*]
# (optional) TCP port to connect to Neutron API from admin network
# Defaults to '9696'
#
# [*ks_heat_public_port*]
# (optional) TCP port to connect to Heat API from public network
# Defaults to '8000'
#
# [*ks_glance_api_internal_port*]
# (optional) TCP port to connect to Glance API from internal network
# Defaults to '9292'
#
# [*ks_glance_api_public_port*]
# (optional) TCP port to connect to Glance API from public network
# Defaults to '9292'
#
# [*ks_glance_api_admin_port*]
# (optional) TCP port to connect to Glance API from admin network
# Defaults to '9292'
#
# [*api_eth*]
# (optional) Which interface we bind the Keystone server.
# Defaults to '127.0.0.1'
#
# [*region*]
# (optional) OpenStack Region Name
# Defaults to 'RegionOne'
#
# [*verbose*]
# (optional) Set log output to verbose output
# Defaults to true
#
# [*debug*]
# (optional) Set log output to debug output
# Defaults to true
#
# [*use_syslog*]
# (optional) Use syslog for logging
# Defaults to true
#
# [*log_facility*]
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*token_driver*]
# (optional) Driver to store tokens
# Defaults to 'keystone.token.backends.sql.Token'
#
# [*token_expiration*]
# (optional) Amount of time a token should remain valid (in seconds)
# Defaults to '3600' (1 hour)
#
class cloud::identity (
$swift_enabled = true,
$identity_roles_addons = ['SwiftOperator', 'ResellerAdmin'],
$keystone_db_host = '127.0.0.1',
$keystone_db_user = 'keystone',
$keystone_db_password = 'keystonepassword',
$memcache_servers = ['127.0.0.1:11211'],
$ks_admin_email = 'no-reply@keystone.openstack',
$ks_admin_password = 'adminpassword',
$ks_admin_tenant = 'admin',
$ks_admin_token = undef,
$ks_ceilometer_admin_host = '127.0.0.1',
$ks_ceilometer_internal_host = '127.0.0.1',
$ks_ceilometer_password = 'ceilometerpassword',
$ks_ceilometer_public_host = '127.0.0.1',
$ks_ceilometer_public_port = 8777,
$ks_ceilometer_public_proto = 'http',
$ks_cinder_admin_host = '127.0.0.1',
$ks_cinder_internal_host = '127.0.0.1',
$ks_cinder_password = 'cinderpassword',
$ks_cinder_public_host = '127.0.0.1',
$ks_cinder_public_proto = 'http',
$ks_cinder_public_port = 8776,
$ks_glance_admin_host = '127.0.0.1',
$ks_glance_internal_host = '127.0.0.1',
$ks_glance_password = 'glancepassword',
$ks_glance_public_host = '127.0.0.1',
$ks_glance_public_proto = 'http',
$ks_glance_api_public_port = 9292,
$ks_heat_admin_host = '127.0.0.1',
$ks_heat_internal_host = '127.0.0.1',
$ks_heat_password = 'heatpassword',
$ks_heat_public_host = '127.0.0.1',
$ks_heat_public_proto = 'http',
$ks_heat_public_port = 8004,
$ks_heat_cfn_public_port = 8000,
$ks_keystone_admin_host = '127.0.0.1',
$ks_keystone_admin_port = 35357,
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = 5000,
$ks_keystone_public_host = '127.0.0.1',
$ks_keystone_public_port = 5000,
$ks_keystone_public_proto = 'http',
$ks_neutron_admin_host = '127.0.0.1',
$ks_neutron_internal_host = '127.0.0.1',
$ks_neutron_password = 'neutronpassword',
$ks_neutron_public_host = '127.0.0.1',
$ks_neutron_public_proto = 'http',
$ks_neutron_public_port = 9696,
$ks_nova_admin_host = '127.0.0.1',
$ks_nova_internal_host = '127.0.0.1',
$ks_nova_password = 'novapassword',
$ks_nova_public_host = '127.0.0.1',
$ks_nova_public_proto = 'http',
$ks_nova_public_port = 8774,
$ks_ec2_public_port = 8773,
$ks_swift_dispersion_password = 'dispersion',
$ks_swift_internal_host = '127.0.0.1',
$ks_swift_admin_host = '127.0.0.1',
$ks_swift_password = 'swiftpassword',
$ks_swift_public_host = '127.0.0.1',
$ks_swift_public_port = 8080,
$ks_swift_public_proto = 'http',
$api_eth = '127.0.0.1',
$region = 'RegionOne',
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$use_syslog = true,
$ks_token_expiration = 3600,
$token_driver = 'keystone.token.backends.sql.Token'
){
$encoded_user = uriescape($keystone_db_user)
$encoded_password = uriescape($keystone_db_password)
if $use_syslog {
$log_dir = false
$log_file = false
} else {
$log_dir = '/var/log/keystone'
$log_file = 'keystone.log'
}
# Configure Keystone
class { 'keystone':
enabled => true,
admin_token => $ks_admin_token,
compute_port => $ks_nova_public_port,
debug => $debug,
idle_timeout => 60,
log_facility => $log_facility,
sql_connection => "mysql://${encoded_user}:${encoded_password}@${keystone_db_host}/keystone?charset=utf8",
token_provider => 'keystone.token.providers.uuid.Provider',
use_syslog => $use_syslog,
verbose => $verbose,
bind_host => $api_eth,
log_dir => $log_dir,
log_file => $log_file,
public_port => $ks_keystone_public_port,
admin_port => $ks_keystone_admin_port,
token_driver => $token_driver,
token_expiration => $ks_token_expiration
}
keystone_config {
'ec2/driver': value => 'keystone.contrib.ec2.backends.sql.Ec2';
}
# Keystone Endpoints + Users
class { 'keystone::roles::admin':
email => $ks_admin_email,
password => $ks_admin_password,
admin_tenant => $ks_admin_tenant,
}
keystone_role { $identity_roles_addons: ensure => present }
class {'keystone::endpoint':
admin_address => $ks_keystone_admin_host,
admin_port => $ks_keystone_admin_port,
internal_address => $ks_keystone_internal_host,
internal_port => $ks_keystone_internal_port,
public_address => $ks_keystone_public_host,
public_port => $ks_keystone_public_port,
public_protocol => $ks_keystone_public_proto,
region => $region,
}
# TODO(EmilienM) Disable WSGI - bug #98
#include 'apache'
# class {'keystone::wsgi::apache':
# servername => $::fqdn,
# admin_port => $ks_keystone_admin_port,
# public_port => $ks_keystone_public_port,
# # TODO(EmilienM) not sure workers is useful when using WSGI backend
# workers => $::processorcount,
# ssl => false
# }
if $swift_enabled {
class {'swift::keystone::auth':
password => $ks_swift_password,
public_address => $ks_swift_public_host,
public_port => $ks_swift_public_port,
public_protocol => $ks_swift_public_proto,
admin_address => $ks_swift_admin_host,
internal_address => $ks_swift_internal_host,
region => $region
}
class {'swift::keystone::dispersion':
auth_pass => $ks_swift_dispersion_password
}
}
class {'ceilometer::keystone::auth':
admin_address => $ks_ceilometer_admin_host,
internal_address => $ks_ceilometer_internal_host,
public_address => $ks_ceilometer_public_host,
port => $ks_ceilometer_public_port,
region => $region,
password => $ks_ceilometer_password
}
class { 'nova::keystone::auth':
cinder => true,
admin_address => $ks_nova_admin_host,
internal_address => $ks_nova_internal_host,
public_address => $ks_nova_public_host,
compute_port => $ks_nova_public_port,
ec2_port => $ks_ec2_public_port,
region => $region,
password => $ks_nova_password
}
class { 'neutron::keystone::auth':
admin_address => $ks_neutron_admin_host,
internal_address => $ks_neutron_internal_host,
public_address => $ks_neutron_public_host,
port => $ks_neutron_public_port,
region => $region,
password => $ks_neutron_password
}
class { 'cinder::keystone::auth':
admin_address => $ks_cinder_admin_host,
internal_address => $ks_cinder_internal_host,
public_address => $ks_cinder_public_host,
port => $ks_cinder_public_port,
region => $region,
password => $ks_cinder_password
}
class { 'glance::keystone::auth':
admin_address => $ks_glance_admin_host,
internal_address => $ks_glance_internal_host,
public_address => $ks_glance_public_host,
port => $ks_glance_api_public_port,
region => $region,
password => $ks_glance_password
}
class { 'heat::keystone::auth':
admin_address => $ks_heat_admin_host,
internal_address => $ks_heat_internal_host,
public_address => $ks_heat_public_host,
port => $ks_heat_public_port,
region => $region,
password => $ks_heat_password
}
class { 'heat::keystone::auth_cfn':
admin_address => $ks_heat_admin_host,
internal_address => $ks_heat_internal_host,
public_address => $ks_heat_public_host,
port => $ks_heat_cfn_public_port,
region => $region,
password => $ks_heat_password
}
# Purge expored tokens every days at midnight
class { 'keystone::cron::token_flush': }
# Note(EmilienM):
# We check if DB tables are created, if not we populate Keystone DB.
# It's a hack to fit with our setup where we run MySQL/Galera
# TODO(Gonéri)
# We have to do this only on the primary node of the galera cluster to avoid race condition
# https://github.com/enovance/puppet-openstack-cloud/issues/156
exec {'keystone_db_sync':
command => 'keystone-manage db_sync',
path => '/usr/bin',
user => 'keystone',
unless => "/usr/bin/mysql keystone -h ${keystone_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables"
}
@@haproxy::balancermember{"${::fqdn}-keystone_api":
listening_service => 'keystone_api_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_keystone_public_port,
options => 'check inter 2000 rise 2 fall 5'
}
@@haproxy::balancermember{"${::fqdn}-keystone_api_admin":
listening_service => 'keystone_api_admin_cluster',
server_names => $::hostname,
ipaddresses => $api_eth,
ports => $ks_keystone_admin_port,
options => 'check inter 2000 rise 2 fall 5'
}
}
View Git Blame Copy Permalink