25c8e457b3
Workarounding the upstream ansible apt module bug documented here: https://github.com/ansible/ansible-modules-core/pull/1517 For the next versions of ansible we'll be using, we should check if the apt bug is fixed. When it's fixed, we could abandon this change and use the standard apt module with correct cache handling. Change-Id: I2aaf00da175f31d0157bbc4ae30a4e176b055078
390 lines
13 KiB
YAML
390 lines
13 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
verbose: True
|
|
|
|
## APT Cache options
|
|
cache_timeout: 600
|
|
|
|
# Name of the virtual env to deploy into
|
|
keystone_venv_tag: untagged
|
|
keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
|
|
|
|
# Set this to enable or disable installing in a venv
|
|
keystone_venv_enabled: true
|
|
|
|
# The bin path defaults to the venv path however if installation in a
|
|
# venv is disabled the bin path will be dynamically set based on the
|
|
# system path used when the installing.
|
|
keystone_bin: "{{ keystone_venv_bin }}"
|
|
|
|
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
|
|
|
|
keystone_fatal_deprecations: False
|
|
|
|
## System info
|
|
keystone_system_user_name: keystone
|
|
keystone_system_group_name: keystone
|
|
keystone_system_additional_groups:
|
|
- ssl_cert
|
|
keystone_system_service_name: apache2
|
|
keystone_system_shell: /bin/bash
|
|
keystone_system_comment: keystone system user
|
|
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
|
|
|
|
keystone_rpc_backend: rabbit
|
|
|
|
## Drivers
|
|
keystone_auth_methods: "password,token"
|
|
keystone_identity_driver: sql
|
|
# For a sql backed token storage use: "sql"
|
|
keystone_token_driver: memcache
|
|
keystone_token_provider: fernet
|
|
keystone_token_expiration: 43200
|
|
keystone_token_cache_time: 3600
|
|
|
|
# Set the revocation driver used within keystone.
|
|
keystone_revocation_driver: sql
|
|
keystone_revocation_cache_time: 3600
|
|
keystone_revocation_expiration_buffer: 1800
|
|
|
|
## Fernet config vars
|
|
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
|
keystone_fernet_tokens_max_active_keys: 7
|
|
# Any of the following rotation times are valid:
|
|
# reboot, yearly, annually, monthly, weekly, daily, hourly
|
|
keystone_fernet_rotation: daily
|
|
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
|
|
|
|
keystone_assignment_driver: sql
|
|
|
|
keystone_resource_cache_time: 3600
|
|
keystone_resource_driver: sql
|
|
|
|
keystone_bind_address: 0.0.0.0
|
|
|
|
## Memcached servers used within keystone.
|
|
# String or Comma separated list of servers.
|
|
keystone_memcached_servers: 127.0.0.1
|
|
keystone_memcached_max_compare_and_set_retry: 16
|
|
|
|
## DB info
|
|
keystone_galera_user: keystone
|
|
keystone_galera_database: keystone
|
|
# Database tuning
|
|
keystone_database_idle_timeout: 200
|
|
keystone_database_min_pool_size: 5
|
|
keystone_database_max_pool_size: 120
|
|
keystone_database_pool_timeout: 30
|
|
|
|
## RabbitMQ info
|
|
keystone_rabbitmq_userid: keystone
|
|
keystone_rabbitmq_vhost: /keystone
|
|
|
|
## Role info
|
|
keystone_role_name: admin
|
|
keystone_default_role_name: _member_
|
|
|
|
## Admin info
|
|
keystone_admin_port: 35357
|
|
keystone_admin_user_name: admin
|
|
keystone_admin_tenant_name: admin
|
|
keystone_admin_description: Admin Tenant
|
|
|
|
## Secure Proxy SSL Information
|
|
#keystone_secure_proxy_ssl_header: X-Forwarded-For
|
|
|
|
## Service Type and Data
|
|
keystone_service_region: RegionOne
|
|
keystone_service_name: keystone
|
|
keystone_service_port: 5000
|
|
keystone_service_proto: http
|
|
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_type: identity
|
|
keystone_service_description: "Keystone Identity Service"
|
|
keystone_service_user_name: keystone
|
|
keystone_service_tenant_name: service
|
|
|
|
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
|
|
keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0"
|
|
keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0"
|
|
keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0"
|
|
|
|
keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
|
|
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
|
|
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"
|
|
|
|
keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
|
|
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
|
|
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
|
|
|
|
## Set this value to override the "public_endpoint" keystone.conf variable
|
|
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
|
|
|
## Apache setup
|
|
keystone_apache_log_level: info
|
|
keystone_apache_servertokens: "Prod"
|
|
keystone_apache_serversignature: "Off"
|
|
keystone_wsgi_threads: 1
|
|
keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
|
|
|
|
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
|
keystone_ssl: false
|
|
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
|
|
keystone_ssl_key: /etc/ssl/private/keystone.key
|
|
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
|
|
keystone_ssl_protocol: "{{ ssl_protocol }}"
|
|
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
|
|
|
# if using a self-signed certificate, set this to true to regenerate it
|
|
keystone_ssl_self_signed_regen: false
|
|
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
|
|
|
# Set these in user_variables to deploy custom certificates
|
|
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
|
|
#keystone_user_ssl_key: <path to cert on ansible deployment host>
|
|
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
|
|
|
## Caching
|
|
# If set this will enable dog pile cache for keystone.
|
|
# keystone_cache_backend_argument: url:127.0.0.1:11211
|
|
|
|
## LDAP Section
|
|
# Define Keystone LDAP domain configuration here.
|
|
# This may be used to add configuration for a LDAP identity back-end.
|
|
# See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
|
|
#
|
|
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
|
|
# the ldap section in the domain-specific configuraiton file.
|
|
#
|
|
# (EXAMPLE LAYOUT)
|
|
# keystone_ldap:
|
|
# Users:
|
|
# url: "ldap://127.0.0.1"
|
|
# user: "root"
|
|
# password: "secrete"
|
|
# ...
|
|
|
|
keystone_ldap: {}
|
|
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
|
|
|
|
|
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
|
|
# Otherwise keys will be generated on the first run and not regenerated each run.
|
|
keystone_recreate_keys: False
|
|
|
|
## Policy vars
|
|
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
|
# with the access controls in the default policy.json. E.g.
|
|
#keystone_policy_overrides:
|
|
# identity:create_region: "rule:admin_required"
|
|
# identity:update_region: "rule:admin_required"
|
|
|
|
## Federation
|
|
|
|
# Enable the following section on the Keystone IdP
|
|
#keystone_idp:
|
|
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
|
|
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
|
|
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
|
|
# regen_cert: false
|
|
# idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
|
|
# idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
|
|
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
|
|
# service_providers:
|
|
# - id: "sp_1"
|
|
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
|
|
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
|
|
# # the following settings are optional
|
|
# organization_name: example_company
|
|
# organization_display_name: Example Corp.
|
|
# organization_url: example.com
|
|
# contact_company: example_company
|
|
# contact_name: John
|
|
# contact_surname: Smith
|
|
# contact_email: jsmith@example.com
|
|
# contact_telephone: 555-55-5555
|
|
# contact_type: technical
|
|
|
|
# Enable the following section in order to install and configure
|
|
# Keystone as a Resource Service Provider (SP) and to configure
|
|
# trusts with specific Identity Providers (IdP).
|
|
#keystone_sp:
|
|
# cert_duration_years: 5
|
|
# trusted_dashboard_list:
|
|
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
|
# - "https://{{ horizon_server_name }}/auth/websso/"
|
|
# trusted_idp_list:
|
|
# note that only one of these is supported at any one time for now
|
|
# - name: "keystone-idp"
|
|
# entity_ids:
|
|
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
|
|
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
|
|
# metadata_file: 'metadata-keystone-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: keystone-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: openstack_user
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# user:
|
|
# name: '{0}'
|
|
# attributes:
|
|
# - name: openstack_user
|
|
# id: openstack_user
|
|
# - name: openstack_roles
|
|
# id: openstack_roles
|
|
# - name: openstack_project
|
|
# id: openstack_project
|
|
# - name: openstack_user_domain
|
|
# id: openstack_user_domain
|
|
# - name: openstack_project_domain
|
|
# id: openstack_project_domain
|
|
#
|
|
# - name: 'testshib-idp'
|
|
# entity_ids:
|
|
# - 'https://idp.testshib.org/idp/shibboleth'
|
|
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
|
|
# metadata_file: 'metadata-testshib-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: testshib-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: eppn
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# - user:
|
|
# name: '{0}'
|
|
#
|
|
# - name: 'adfs-idp'
|
|
# entity_ids:
|
|
# - 'http://adfs.contoso.com/adfs/services/trust'
|
|
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
|
|
# metadata_file: 'metadata-adfs-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: adfs-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: upn
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# - user:
|
|
# name: '{0}'
|
|
# attributes:
|
|
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
|
# id: upn
|
|
|
|
keystone_service_in_ldap: false
|
|
|
|
# Keystone Federation SP Packages
|
|
keystone_sp_apt_packages:
|
|
- libapache2-mod-shib2
|
|
|
|
# Keystone notification settings
|
|
keystone_ceilometer_enabled: false
|
|
|
|
# Common apt packages
|
|
keystone_apt_packages:
|
|
- apache2
|
|
- apache2-utils
|
|
- debhelper
|
|
- dh-apparmor
|
|
- docutils-common
|
|
- git
|
|
- libapache2-mod-wsgi
|
|
- libjs-sphinxdoc
|
|
- libjs-underscore
|
|
- libldap2-dev
|
|
- libsasl2-dev
|
|
- libxslt1.1
|
|
- rsync
|
|
|
|
keystone_idp_apt_packages:
|
|
- ssl-cert
|
|
- xmlsec1
|
|
|
|
# Keystone packages that must be installed before anything else
|
|
keystone_requires_pip_packages:
|
|
- virtualenv
|
|
- virtualenv-tools
|
|
- python-keystoneclient # Keystoneclient needed to OSA keystone lib
|
|
- httplib2
|
|
|
|
# Common pip packages
|
|
keystone_pip_packages:
|
|
- argparse
|
|
- keystone
|
|
- keystonemiddleware
|
|
- ldappool
|
|
- lxml
|
|
- PyMySQL
|
|
- oslo.log
|
|
- oslo.middleware
|
|
- pbr
|
|
- pycrypto
|
|
- pysaml2
|
|
- python-keystoneclient
|
|
- python-ldap
|
|
- python-memcached
|
|
- python-openstackclient
|
|
- repoze.lru
|
|
|
|
## Tunable overrides
|
|
keystone_keystone_conf_overrides: {}
|
|
keystone_keystone_default_conf_overrides: {}
|
|
keystone_keystone_paste_ini_overrides: {}
|
|
keystone_policy_overrides: {}
|