Add oslo.service templates update keystoneauth
This patch adds more templates to oslo.service
* ssl
* wsgi
Add keystonemiddleware/_auth_token template
Update keystoneauth/_type_password
Change-Id: I6a41a7bc5826f41e0a8a8de57e1a5f91f4a96401
diff --git a/oslo_templates/files/queens/keystoneauth/_type_password.conf b/oslo_templates/files/queens/keystoneauth/_type_password.conf
index d6f05b7..1e369ff 100644
--- a/oslo_templates/files/queens/keystoneauth/_type_password.conf
+++ b/oslo_templates/files/queens/keystoneauth/_type_password.conf
@@ -1,17 +1,22 @@
-#
-# From keystonemiddleware.auth_token
-#
+# Name of nova region to use. Useful if keystone manages more than one region.
+# (string value)
+#region_name = <None>
+{%- if _data.region is defined %}
+region_name = {{ _data.region }}
+{%- endif %}
-# Complete "public" Identity API endpoint. This endpoint should not be an
-# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
-# clients are redirected to this endpoint to authenticate. Although this
-# endpoint should ideally be unversioned, client support in the wild varies. If
-# you're using a versioned v2 endpoint here, then this should *not* be the same
-# endpoint the service user utilizes for validating tokens, because normal end
-# users may not be able to reach that endpoint. (string value)
-# Deprecated group/name - [keystone_authtoken]/auth_uri
-www_authenticate_uri = {{ _data.get('protocol', 'http') }}://{{ _data.host }}:{{ _data.port }}
+# Type of the nova endpoint to use. This endpoint will be looked up in the
+# keystone catalog and should be one of public, internal or admin. (string
+# value)
+# Possible values:
+# public - <No description provided>
+# admin - <No description provided>
+# internal - <No description provided>
+#endpoint_type = public
+{%- if _data.endpoint_type is defined %}
+endpoint_type = {{ _data.endpoint_type }}
+{%- endif %}
# API version of the admin Identity API endpoint. (string value)
#auth_version = <None>
@@ -19,11 +24,20 @@
auth_version = {{ _data.version }}
{%- endif %}
-# Required if identity server requires client certificate (string value)
-#certfile = <None>
+
+# Authentication URL (string value)
+#auth_url = <None>
+auth_url = {{ _data.get('protocol', 'http') }}://{{ _data.host }}:{{ _data.get('port', '5000') }}/identity
+
+# Authentication type to load (string value)
+# Deprecated group/name - [nova]/auth_plugin
+#auth_type = <None>
+{%- if _data.get('auth_type', 'password') %}
+auth_type = {{ _data.get('auth_type', 'password') }}
+{%- endif %}
# Required if identity server requires client certificate (string value)
-#keyfile = <None>
+#certfile = <None>
# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
# Defaults to system CAs. (string value)
@@ -32,80 +46,6 @@
cafile={{ _data.get('cacert_file', cfg.cacert_file) }}
{%- endif %}
-# Verify HTTPS connections. (boolean value)
-#insecure = false
-
-# Timeout value for http requests (integer value)
-#timeout = <None>
-
-# Authentication type to load (string value)
-# Deprecated group/name - [keystone_authtoken]/auth_plugin
-#auth_type = <None>
-{%- if _data.get('auth_type', 'password') %}
-auth_type = {{ _data.get('auth_type', 'password') }}
-{%- endif %}
-
-# Config Section from which to load plugin specific options (string value)
-#auth_section = <None>
-
-
-# DEPRICATED: Complete "public" Identity API endpoint. This endpoint should not
-# be an "admin" endpoint, as it should be accessible by all end users.
-# Unauthenticated clients are redirected to this endpoint to authenticate.
-# Although this endpoint should ideally be unversioned, client support in the
-# wild varies. If you're using a versioned v2 endpoint here, then this should
-# *not* be the same endpoint the service user utilizes for validating tokens,
-# because normal end users may not be able to reach that endpoint. This option
-# is deprecated in favor of www_authenticate_uri and will be removed in the S
-# release. (string value)
-# This option is deprecated for removal since Queens.
-# Its value may be silently ignored in the future.
-# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
-# will be removed in the S release.
-auth_url = {{ _data.get('protocol', 'http') }}://{{ _data.host }}:{{ _data.port }}/identity
-
-# Scope for system operations (string value)
-#system_scope = <None>
-
-# Domain ID to scope to (string value)
-#domain_id = <None>
-{%- if _data.get('domain_id') %}
-domain_id = {{ _data.domain_id }}
-{%- endif %}
-
-# Domain name to scope to (string value)
-#domain_name = <None>
-{%- if _data.get('domain_name') %}
-domain_name = {{ _data.domain_name }}
-{%- endif %}
-
-# Project ID to scope to (string value)
-#project_id = <None>
-{%- if _data.get('project_id') %}
-project_id = {{ _data.project_id }}
-{%- endif %}
-
-# Project name to scope to (string value)
-#project_name = <None>
-{%- if _data.get('project_name') %}
-project_name = {{ _data.project_name }}
-{%- endif %}
-
-# Domain ID containing project (string value)
-#project_domain_id = <None>
-{%- if _data.get('project_domain_id','default') %}
-project_domain_id = {{ _data.get('project_domain_id','default') }}
-{%- endif %}
-
-# Domain name containing project (string value)
-#project_domain_name = <None>
-{%- if _data.get('project_domain_name') %}
-project_domain_name = {{ _data.project_domain_name }}
-{%- endif %}
-
-# Trust ID (string value)
-#trust_id = <None>
-
# Optional domain ID to use with v3 and v2 parameters. It will be used for both
# the user and project domain in v3 and ignored in v2 authentication. (string
# value)
@@ -123,30 +63,23 @@
default_domain_name = {{ _data.default_domain_name }}
{%- endif %}
-# User ID (string value)
-#user_id = <None>
-{%- if _data.get('user_id') %}
-user_id = {{ _data.user_id }}
+# Domain ID to scope to (string value)
+#domain_id = <None>
+{%- if _data.get('domain_id') %}
+domain_id = {{ _data.domain_id }}
{%- endif %}
-# Username (string value)
-# Deprecated group/name - [neutron]/user_name
-#username = <None>
-{%- if _data.get('user') %}
-username = {{ _data.user }}
+# Domain name to scope to (string value)
+#domain_name = <None>
+{%- if _data.get('domain_name') %}
+domain_name = {{ _data.domain_name }}
{%- endif %}
-# User's domain id (string value)
-#user_domain_id = <None>
-{%- if _data.get('user_domain_id','default') %}
-user_domain_id = {{ _data.get('user_domain_id','default') }}
-{%- endif %}
+# Verify HTTPS connections. (boolean value)
+#insecure = false
-# User's domain name (string value)
-#user_domain_name = <None>
-{%- if _data.get('user_domain_name') %}
-user_domain_name = {{ _data.user_domain_name }}
-{%- endif %}
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
# User's password (string value)
#password = <None>
@@ -154,6 +87,33 @@
password = {{ _data.password }}
{%- endif %}
+# Domain ID containing project (string value)
+#project_domain_id = <None>
+{%- if _data.get('project_domain_id','default') %}
+project_domain_id = {{ _data.get('project_domain_id','default') }}
+{%- endif %}
+
+# Domain name containing project (string value)
+#project_domain_name = <None>
+{%- if _data.get('project_domain_name') %}
+project_domain_name = {{ _data.project_domain_name }}
+{%- endif %}
+
+# Project ID to scope to (string value)
+#project_id = <None>
+{%- if _data.get('project_id') %}
+project_id = {{ _data.project_id }}
+{%- endif %}
+
+# Project name to scope to (string value)
+#project_name = <None>
+{%- if _data.get('project_name') or _data.get('tenant') %}
+project_name = {{ _data.get('project_name', _data.tenant) }}
+{%- endif %}
+
+# Scope for system operations (string value)
+#system_scope = <None>
+
# Tenant ID (string value)
#tenant_id = <None>
{%- if _data.get('tenant_id') %}
@@ -166,14 +126,33 @@
tenant_name = {{ _data.tenant_name }}
{%- endif %}
-# The default service_type for endpoint URL discovery. (string value)
-#service_type = network
+# Timeout value for http requests (integer value)
+#timeout = <None>
-# The default service_name for endpoint URL discovery. (string value)
-#service_name = <None>
+# Trust ID (string value)
+#trust_id = <None>
-# List of interfaces, in order of preference, for endpoint URL. (list value)
-#valid_interfaces = internal,public
+# User's domain id (string value)
+#user_domain_id = <None>
+{%- if _data.get('user_domain_id','default') %}
+user_domain_id = {{ _data.get('user_domain_id','default') }}
+{%- endif %}
-# The default region_name for endpoint URL discovery. (string value)
-#region_name = <None>
+# User's domain name (string value)
+#user_domain_name = <None>
+{%- if _data.get('user_domain_name') %}
+user_domain_name = {{ _data.user_domain_name }}
+{%- endif %}
+
+# User ID (string value)
+#user_id = <None>
+{%- if _data.get('user_id') %}
+user_id = {{ _data.user_id }}
+{%- endif %}
+
+# Username (string value)
+# Deprecated group/name - [neutron]/user_name
+#username = <None>
+{%- if _data.get('user') %}
+username = {{ _data.user }}
+{%- endif %}
diff --git a/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf b/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf
new file mode 100644
index 0000000..6b77838
--- /dev/null
+++ b/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf
@@ -0,0 +1,208 @@
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. (string
+# value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+#www_authenticate_uri = <None>
+www_authenticate_uri = {{ _data.get('protocol', 'http') }}://{{ _data.host }}:5000
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release. (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri
+# and will be removed in the S release.
+#auth_uri = <None>
+auth_uri = {{ _data.get('protocol', 'http') }}://{{ _data.host }}:5000
+
+# API version of the admin Identity API endpoint. (string value)
+#auth_version = <None>
+{%- if _data.get('version') %}
+auth_version = {{ _data.version }}
+{%- endif %}
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout = <None>
+
+# How many times are we trying to reconnect when communicating with Identity
+# API Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache = <None>
+
+# Required if identity server requires client certificate (string value)
+#certfile = <None>
+
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile = <None>
+{%- if _data.get('protocol', 'http') == 'https' %}
+cafile={{ _data.cacert_file }}
+{%- endif %}
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name = <None>
+{%- if _data.region is defined %}
+region_name = {{ _data.region }}
+{%- endif %}
+
+# DEPRECATED: Directory used to cache files related to PKI tokens. This option
+# has been deprecated in the Ocata release and will be removed in the P
+# release. (string value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#signing_dir = <None>
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers = <None>
+{%- if _data.cache is defined %}
+memcached_servers={%- for member in _data.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+{%- endif %}
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set
+# to -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# DEPRECATED: Determines the frequency at which the list of revoked tokens is
+# retrieved from the Identity service (in seconds). A high number of revocation
+# events combined with a low cache duration may significantly reduce
+# performance. Only valid for PKI tokens. This option has been deprecated in
+# the Ocata release and will be removed in the P release. (integer value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#revocation_cache_time = 10
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+# Possible values:
+# None - <No description provided>
+# MAC - <No description provided>
+# ENCRYPT - <No description provided>
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key = <None>
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached
+# server. (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x. (boolean value)
+#memcache_use_advanced_pool = false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it
+# if not. "strict" like "permissive" but if the bind type is unknown the token
+# will be rejected. "required" any form of token binding is needed to be
+# allowed. Finally the name of a binding method that must be present in tokens.
+# (string value)
+#enforce_token_bind = permissive
+
+# DEPRECATED: If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server. (boolean
+# value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#check_revocations_for_cached = false
+
+# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance. (list value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#hash_algorithms = md5
+
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present.
+# For backwards compatibility reasons this currently only affects the
+# allow_expired check. (list value)
+#service_token_roles = service
+
+# For backwards compatibility reasons we must let valid service tokens pass
+# that don't pass the service_token_roles check as valid. Setting this true
+# will become the default in a future release and should be enabled if
+# possible. (boolean value)
+#service_token_roles_required = false
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type = <None>
+{%- if _data.get('auth_type', 'password') %}
+auth_type = {{ _data.get('auth_type', 'password') }}
+{%- endif %}
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section = <None>
+
diff --git a/oslo_templates/files/queens/oslo/messaging/_default.conf b/oslo_templates/files/queens/oslo/messaging/_default.conf
index 0883fc2..988a40c 100644
--- a/oslo_templates/files/queens/oslo/messaging/_default.conf
+++ b/oslo_templates/files/queens/oslo/messaging/_default.conf
@@ -171,6 +171,9 @@
# (integer value)
# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
#executor_thread_pool_size = 64
+{%- if _data.executor_thread_pool_size is defined %}
+executor_thread_pool_size = {{ _data.executor_thread_pool_size }}
+{%- endif %}
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout = 60
diff --git a/oslo_templates/files/queens/oslo/service/_ssl.conf b/oslo_templates/files/queens/oslo/service/_ssl.conf
new file mode 100644
index 0000000..cd6d77a
--- /dev/null
+++ b/oslo_templates/files/queens/oslo/service/_ssl.conf
@@ -0,0 +1,24 @@
+#
+# From oslo.service.sslutils
+#
+
+# CA certificate file to use to verify connecting clients. (string value)
+# Deprecated group/name - [DEFAULT]/ssl_ca_file
+#ca_file = <None>
+
+# Certificate file to use when starting the server securely. (string value)
+# Deprecated group/name - [DEFAULT]/ssl_cert_file
+#cert_file = <None>
+
+# Private key file to use when starting the server securely. (string value)
+# Deprecated group/name - [DEFAULT]/ssl_key_file
+#key_file = <None>
+
+# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
+# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
+# distributions. (string value)
+#version = <None>
+
+# Sets the list of available ciphers. value should be a string in the OpenSSL
+# cipher list format. (string value)
+#ciphers = <None>
diff --git a/oslo_templates/files/queens/oslo/service/_wsgi_default.conf b/oslo_templates/files/queens/oslo/service/_wsgi_default.conf
new file mode 100644
index 0000000..d5ac2a8
--- /dev/null
+++ b/oslo_templates/files/queens/oslo/service/_wsgi_default.conf
@@ -0,0 +1,32 @@
+#
+# From oslo.service.wsgi
+#
+
+# File name for the paste.deploy config for api service (string value)
+#api_paste_config = api-paste.ini
+
+# A python format string that is used as the template to generate log lines.
+# The following values can beformatted into it: client_ip, date_time,
+# request_line, status_code, body_length, wall_seconds. (string value)
+#wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not
+# supported on OS X. (integer value)
+#tcp_keepidle = 600
+
+# Size of the pool of greenthreads used by wsgi (integer value)
+#wsgi_default_pool_size = 100
+
+# Maximum line size of message headers to be accepted. max_header_line may need
+# to be increased when using large tokens (typically those generated when
+# keystone is configured to use PKI tokens with big service catalogs). (integer
+# value)
+#max_header_line = 16384
+
+# If False, closes the client socket connection explicitly. (boolean value)
+#wsgi_keep_alive = true
+
+# Timeout for client connections' socket operations. If an incoming connection
+# is idle for this number of seconds it will be closed. A value of '0' means
+# wait forever. (integer value)
+#client_socket_timeout = 900
diff --git a/tests/pillar/queens/oslo/service/_ssl.sls b/tests/pillar/queens/oslo/service/_ssl.sls
new file mode 100644
index 0000000..7e04fcd
--- /dev/null
+++ b/tests/pillar/queens/oslo/service/_ssl.sls
@@ -0,0 +1 @@
+# TODO: Add data when template uses any variables
diff --git a/tests/pillar/queens/oslo/service/_wsgi_default.conf b/tests/pillar/queens/oslo/service/_wsgi_default.conf
new file mode 100644
index 0000000..7e04fcd
--- /dev/null
+++ b/tests/pillar/queens/oslo/service/_wsgi_default.conf
@@ -0,0 +1 @@
+# TODO: Add data when template uses any variables