openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
openstack-ansible-os_keystone/defaults/main.yml
Jesse Pretorius 57d0caf087 Default MQ RPC/Notify credentials/vhosts to match 
When the RPC and Notify service are the same, the credentials
must match - otherwise the tasks to create the user/password
will overwrite with each other.

If the two clusters are different, then the matching credentials
and vhost will not be a problem. However, if the deployer really
wishes to make sure they're different, then the vars can be
overridden.

Also, to ensure that the SSL value is consistently set in the
conf file, we apply the bool filter. We also use the 'notify'
SSL setting as the messaging system for Notifications is more
likely to remain rabbitmq in our default deployment with qrouterd
becoming the default for RPC messaging.

Change-Id: I0293fef6effefb1e3e7b74e11a10421eb1621b39
2018-07-30 12:49:17 +01:00

507 lines
19 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
keystone_package_state: "latest"
keystone_pip_package_state: "latest"
# Set installation method.
keystone_install_method: "source"
# Role standard API override this option in the OS variable files
keystone_shibboleth_repo: {}
# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
keystone_git_repo: https://git.openstack.org/openstack/keystone
keystone_git_install_branch: master
keystone_developer_mode: false
keystone_developer_constraints:
- "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"
# Name of the virtual env to deploy into
keystone_venv_tag: untagged
keystone_bin: "{{ _keystone_bin }}"
# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
keystone_venv_download: "{{ not keystone_developer_mode | bool }}"
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
keystone_fatal_deprecations: False
## System info
keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
- ssl_cert
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
## Drivers
keystone_auth_methods: "password,token"
keystone_identity_driver: sql
keystone_token_provider: fernet
keystone_token_expiration: 43200
keystone_token_cache_time: 3600
# Set the revocation driver used within keystone.
keystone_revocation_driver: sql
keystone_revocation_cache_time: 3600
keystone_revocation_expiration_buffer: 1800
## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 7
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
## Credentials config vars
keystone_credential_key_repository: /etc/keystone/credential-keys
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_credential_rotation: weekly
keystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh
keystone_assignment_driver: sql
keystone_resource_cache_time: 3600
keystone_resource_driver: sql
keystone_bind_address: 0.0.0.0
## Database info
keystone_db_setup_host: "{{ ('galera_all' in groups) | ternary(groups['galera_all'][0], 'localhost') }}"
keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}"
keystone_galera_user: keystone
keystone_galera_database: keystone
keystone_database_connection_string: >-
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}
## Database SSL
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
# Database tuning
keystone_database_enabled: true
keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30
## Oslo Messaging
keystone_messaging_enabled: true
# RPC
keystone_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
keystone_oslomsg_rpc_setup_host: "{{ (keystone_oslomsg_rpc_host_group in groups) | ternary(groups[keystone_oslomsg_rpc_host_group][0], 'localhost') }}"
keystone_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
keystone_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
keystone_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
keystone_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
keystone_oslomsg_rpc_userid: keystone
keystone_oslomsg_rpc_vhost: /keystone
# Notify
keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
keystone_oslomsg_notify_setup_host: "{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}"
keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
keystone_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
keystone_oslomsg_notify_userid: "{{ keystone_oslomsg_rpc_userid }}"
keystone_oslomsg_notify_password: "{{ keystone_oslomsg_rpc_password }}"
keystone_oslomsg_notify_vhost: "{{ keystone_oslomsg_rpc_vhost }}"
## Role info
keystone_role_name: admin
keystone_default_role_name: _member_
## Admin info
keystone_admin_port: 35357
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant
## Service Type and Data
keystone_service_setup: true
keystone_service_region: RegionOne
keystone_service_name: keystone
keystone_service_port: 5000
keystone_service_type: identity
keystone_service_description: "Keystone Identity Service"
keystone_service_user_name: keystone
keystone_service_tenant_name: service
keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_insecure: false
keystone_service_adminuri_insecure: false
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
# This is the web server that will handle all requests and will act as a
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
# they are implemented in this web server's configuration. Using a web server
# for endpoints is far better for scale and allows the use of additional
# modules to improve performance or security, leaving uWSGI to only have
# to be used for running the service.
#
# Note:
# The default is nginx, but apache will be used if Keystone is configured
# as a Federated Service provider.
# TODO (odyssey4me): Convert the SP implementation to use nginx instead
# so that we do not have to be concerned with multiple web servers.
#
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
## Apache setup
keystone_apache_log_level: info
keystone_apache_custom_log_format: combined
keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off"
## Apache MPM tunables
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0
## Nginx setup
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
keystone_nginx_ports:
keystone-wsgi-public: "{{ keystone_service_port }}"
keystone-wsgi-admin: "{{ keystone_admin_port }}"
keystone_nginx_extra_conf:
- keepalive_timeout 70;
## uWSGI setup
keystone_wsgi_threads: 1
## Cap the maximun number of processes when a user value is unspecified.
keystone_wsgi_processes_max: 16
keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
keystone_uwsgi_ports:
keystone-wsgi-public:
http: 37358
socket: 35358
keystone-wsgi-admin:
http: 37359
socket: 5001
keystone_uwsgi_ini_overrides: {}
# set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Set these variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: false
# External SSL forwarding proto
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
## Caching
# This is a list of strings, each string contains a cache server's
# information (IP:port for example)
# The cache_servers default backend is memcached, so this variable
# should point to a list of memcached servers.
# If empty, caching is disabled.
keystone_cache_servers: []
## LDAP Section
# Define Keystone LDAP domain configuration here.
# This may be used to add configuration for a LDAP identity back-end.
# See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
#
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
# the ldap section in the domain-specific configuraiton file.
#
# (EXAMPLE LAYOUT)
# keystone_ldap:
# Users:
# url: "ldap://127.0.0.1"
# user: "root"
# password: "secrete"
# ...
keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
# Otherwise keys will be generated on the first run and not regenerated each run.
keystone_recreate_keys: False
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
# identity:create_region: "rule:admin_required"
# identity:update_region: "rule:admin_required"
## Federation
# Enable the following section on the Keystone IdP
keystone_idp: {}
#keystone_idp:
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
# regen_cert: false
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
# service_providers:
# - id: "sp_1"
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
# # the following settings are optional
# organization_name: example_company
# organization_display_name: Example Corp.
# organization_url: example.com
# contact_company: example_company
# contact_name: John
# contact_surname: Smith
# contact_email: jsmith@example.com
# contact_telephone: 555-55-5555
# contact_type: technical
# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
keystone_sp: {}
#keystone_sp:
# cert_duration_years: 5
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
# trusted_idp_list:
# note that only one of these is supported at any one time for now
# - name: "keystone-idp"
# entity_ids:
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
# metadata_file: 'metadata-keystone-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: keystone-idp-mapping
# rules:
# - remote:
# - type: openstack_user
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# attributes:
# - name: openstack_user
# id: openstack_user
# - name: openstack_roles
# id: openstack_roles
# - name: openstack_project
# id: openstack_project
# - name: openstack_user_domain
# id: openstack_user_domain
# - name: openstack_project_domain
# id: openstack_project_domain
#
# - name: 'testshib-idp'
# entity_ids:
# - 'https://idp.testshib.org/idp/shibboleth'
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
# metadata_file: 'metadata-testshib-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: testshib-idp-mapping
# rules:
# - remote:
# - type: eppn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
#
# - name: 'adfs-idp'
# entity_ids:
# - 'http://adfs.contoso.com/adfs/services/trust'
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
# metadata_file: 'metadata-adfs-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: adfs-idp-mapping
# rules:
# - remote:
# - type: upn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
keystone_service_in_ldap: false
# Keystone notification settings
keystone_ceilometer_enabled: false
# Common pip packages
keystone_pip_packages:
- keystone
- ldappool
- osprofiler
- PyMySQL
- python-memcached
- python-openstackclient
- systemd-python
- uWSGI
# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
keystone_role_project_group: keystone_all
#: Tunable file-based overrides
# The contents of these files, if they exist, are read from the
# specified path on the deployment host, interpreted by the
# template engine and copied to the target host. If they do
# not exist then the default files will be sourced from the
# service git repository.
keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini"
keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
# If the above-mentioned files do not exist, then the defaults
# inside the venvs will be used, but cached at this location
# on the deployment host. Using the cache makes the re-use
# of the files faster when deploying, but is also required in
# order to still be able to apply the config_template override.
keystone_config_cache_path: "{{ lookup('env', 'HOME') | default('/opt', true) }}/cache/keystone"
keystone_config_cache_path_owner: "{{ lookup('env', 'USER') | default('root', true) }}"
#: Tunable var-based overrides
# The contents of these are templated over the default files.
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_keystone_paste_ini_overrides: {}
keystone_policy_overrides: {}
keystone_required_secrets:
- keystone_auth_admin_password
- keystone_container_mysql_password
- keystone_oslomsg_rpc_password
- keystone_oslomsg_notify_password
- keystone_rabbitmq_password
- keystone_service_password
keystone_uwsgi_init_overrides: {}
## Service Name-Group Mapping
keystone_services:
keystone-wsgi-public:
service_name: "keystone-wsgi-public"
init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-public.ini"
keystone-wsgi-admin:
service_name: "keystone-wsgi-admin"
init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-admin.ini"
## Extra HTTP headers for Keystone
# Add any additional headers here that Keystone should return.
#
# Example:
#
# keystone_extra_headers:
# - parameter: "Access-Control-Expose-Headers"
# value: "X-Subject-Token"
# - parameter: "Access-Control-Allow-Headers"
# value: "Content-Type, X-Auth-Token"
# - parameter: "Access-Control-Allow-Origin"
# value: "*"
keystone_extra_headers: []
# List of trusted IPs which can pass X-Forwarded-For
keystone_set_real_ip_from: []
View Git Blame Copy Permalink