[train-squash] Backport tripleo-keystone-resources role

The role has proven to be stable and made the deployment a bit faster since it's only taking a minute to create all Keystone resources with Ansible vs more than 8 minutes with Puppet. This effort is worth a backport to stable/train.

Introduce tripleo-keystone-resources role

This role will manage Keystone resources, like /etc/openstack/clouds.yaml, Keystone endpoints/users/roles/etc and everything that was managed by Puppet before regarding Keystone.

Management of Keystone resources for each OpenStack service:
- services
- projects
- endpoints
- roles
- users and their assignment to roles
- admin resources

It's using batch + async so it runs faster than with Puppet where it calls openstack client for each resource. Here it's using the python openstacksdk with concurrency.

Change-Id: Ib9615c55d0fb4ea71208d74c5ee22594db52f46a
(cherry picked from commit 566bcf66ce)

Update override for keystone resources

The existing override was double quoting the override options which would lead the config generator to double quote keys in the rendered data. This change modifies the override data to make it use a jinja data structure which will ensure we're not having to deal with quoting issues.

Change-Id: If3000457cb0c4fcd07082057ee801d30ff4a10e9
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 30c7de49b0)

tripleo-keystone-resources: fix a typo for domains creation

The variable was wrong for the loop item, this patch fixes it.

Change-Id: I095a60421ec1ecb60fdbf14cf7788a82492ed651
(cherry picked from commit 71d0997328)

tripleo-keystone-resources: handle multiple roles per user

os_user_role module can only assign one role to a user. If a user needs multiple roles, we need a filter to build a dict where each key is a user with a list of the assigned roles.

Change-Id: I3aff5f25b90affceacdf95d0f2725ed740761b70
(cherry picked from commit 478daa5471)

Data structure changes for tripleo-keystone-resources role

While reviewing the first implementation it appears that we can extend the data structure to make it so we wouldn't need extra Ansible tasks to handle other Keystone resources needed by some services like barbican, ceilometer or heat.

This change does the following:
- remove "container" related variable name from "haskey" filter, as we will recycle it from the tripleo-keystone-resources role.
- keystone endpoints will be found under "endpoints" and not "urls".
- keystone endpoints data will be built from the keystone_resources dictionary only if endpoints are specified in the dict items. The loop-endpoints will loop over a list of keystone resources which contain "endpoints" key. However, it needs access to some other keys during the endpoint creation so we re-used that filter.
- Same for Keystone Services, with "service" attribute.
- Re-use "get_key_from_dict" filter to get all Keystone users to create. This can be done because the function will return only the key and its value when present, create a list and then we pass it to the users playbook. We do the same for the user roles assignment, but we also apply the "get_role_assignments" filter, to build the proper data structure so role assignment is done correctly.
- Allow to create extra roles and domains.
- Allow to override the default domain when creating a user.
- Modify "get_role_assignments" filter so if a domain is specified, the user is assigned to the role in a domain and not in a project. If no domain is specified, we assign it into a project, and the default is set by tripleo_keystone_resources_service_project where the default is "service" by legacy. The data structure of the returned value changed, to work with this complex situation (in Keystone v3, domain & project are mutually exclusive when doing role assignment).
- Add tripleo_keystone_resources_batch variable and set to 10 by default, so we'll manage 10 resources at the same time in async to speed things up.
- Create get_domain_id() filter to go over all domains and get a domain id from a domain name. Unfortunately, the module that lists all domains changed in Ansible 2.9.1 so we have 2 kinds of playbooks to support old and new style to gather all domains infos.

The new structure looks like the following:

    keystone_resources:
      nova:
        service: compute
        region: RegionOne
        endpoints:
          public: https://public-nova:8774
          admin: https://admin-nova:8774
          internal: https://internal-nova:8774
        users:
          nova:
            password: secretenova
            roles:
              - admin
              - service
            domain: nova_extra_domain
        roles:
          - nova_extra_role
        domains:
          - nova_extra_domain

Change-Id: Ia68f8852662fb4abbd194954a246afb740bf3f71
(cherry picked from commit 44204ec6b2)
parent ad0818ec56
commit edbaa07ea4
|
@ -0,0 +1,6 @@
|
|||
=================================
|
||||
Role - tripleo-keystone-resources
|
||||
=================================
|
||||
|
||||
.. ansibleautoplugin::
|
||||
:role: tripleo_ansible/roles/tripleo-keystone-resources
|
|
@ -37,7 +37,10 @@ class FilterModule(object):
|
|||
'needs_delete': self.needs_delete,
|
||||
'haskey': self.haskey,
|
||||
'list_of_keys': self.list_of_keys,
|
||||
'container_exec_cmd': self.container_exec_cmd
|
||||
'container_exec_cmd': self.container_exec_cmd,
|
||||
'get_key_from_dict': self.get_key_from_dict,
|
||||
'get_role_assignments': self.get_role_assignments,
|
||||
'get_domain_id': self.get_domain_id
|
||||
}
|
||||
|
||||
def subsort(self, dict_to_sort, attribute, null_value=0):
|
||||
|
@ -157,11 +160,10 @@ class FilterModule(object):
|
|||
|
||||
return to_delete
|
||||
|
||||
def haskey(self, batched_container_data, attribute, value=None,
|
||||
reverse=False, any=False):
|
||||
"""Return container data with a specific config key.
|
||||
def haskey(self, data, attribute, value=None, reverse=False, any=False):
|
||||
"""Return dict data with a specific key.
|
||||
|
||||
This filter will take a list of dictionaries (batched_container_data)
|
||||
This filter will take a list of dictionaries (data)
|
||||
and will return the dictionnaries which have a certain key given
|
||||
in parameter with 'attribute'.
|
||||
If reverse is set to True, the returned list won't contain dictionaries
|
||||
|
@ -170,11 +172,11 @@ class FilterModule(object):
|
|||
the list of values for "value" parameter which has to be a list.
|
||||
"""
|
||||
return_list = []
|
||||
for container in batched_container_data:
|
||||
for k, v in json.loads(json.dumps(container)).items():
|
||||
for i in data:
|
||||
for k, v in json.loads(json.dumps(i)).items():
|
||||
if attribute in v and not reverse:
|
||||
if value is None:
|
||||
return_list.append({k: v})
|
||||
return_list.append(i)
|
||||
else:
|
||||
if isinstance(value, list) and any:
|
||||
if v[attribute] in value:
|
||||
|
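Review bot: in `haskey`, the new `return_list.append(i)` sits inside `for k, v in json.loads(json.dumps(i)).items()`, so a list item with more than one top-level key whose value carries `attribute` is appended once per matching key and the caller gets duplicates. The old `return_list.append({k: v})` returned one distinct entry per key, so this is a behaviour change for any multi-key item. Either break out of the inner loop after the first match or test the item once before appending. Please also confirm that the branches below this hunk, which are not shown as changed, return the same shape as this one; a filter that returns whole items on one path and `{k: v}` on another is hard to consume safely.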
@ -201,6 +203,39 @@ class FilterModule(object):
|
|||
list_of_keys.append(k)
|
||||
return list_of_keys
|
||||
|
||||
def get_key_from_dict(self, data, key, strict=False, default=None):
|
||||
"""Return a list of unique values from a specific key from a dict.
|
||||
|
||||
This filter takes in input a list of dictionaries and for each of them
|
||||
it will add the value of a specific key into returned_list and
|
||||
returns it sorted. If the key has to be part of the dict, set strict to
|
||||
True. A default can be set if the key doesn't exist but strict has to
|
||||
be set to False.
|
||||
"""
|
||||
returned_list = []
|
||||
for i in data.items():
|
||||
value = i[1].get(key)
|
||||
if value is None and not strict and default is not None:
|
||||
value = default
|
||||
if value is None:
|
||||
if strict:
|
||||
raise TypeError('Missing %s key in '
|
||||
'%s' % (key, i[0]))
|
||||
else:
|
||||
continue
|
||||
if isinstance(value, list):
|
||||
for v in value:
|
||||
if v not in returned_list:
|
||||
returned_list.append(v)
|
||||
elif isinstance(value, dict):
|
||||
for k, v in value.items():
|
||||
if v not in returned_list:
|
||||
returned_list.append({k: v})
|
||||
else:
|
||||
if value not in returned_list:
|
||||
returned_list.append(value)
|
||||
return returned_list
|
||||
|
||||
def list_or_dict_arg(self, data, cmd, key, arg):
|
||||
"""Utility to build a command and its argument with list or dict data.
|
||||
|
||||
|
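Review bot: in the `elif isinstance(value, dict)` branch of `get_key_from_dict`, the membership test and the append disagree: `if v not in returned_list` checks the bare value but `returned_list.append({k: v})` stores a one-key dict, so the test is almost always true and duplicates are never filtered. Compare like with like, for example build `entry = {k: v}` and test `entry not in returned_list`. The docstring also needs a pass: it says the input is "a list of dictionaries" while the code calls `data.items()`, and it says the result is returned sorted while nothing sorts it. Since this filter is what feeds the user creation and role assignment tasks according to the commit message, the contract should be exact. A `KeyError` would describe the strict-mode failure better than `TypeError`.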
@ -235,3 +270,59 @@ class FilterModule(object):
|
|||
self.list_or_dict_arg(data, cmd, 'environment', '--env')
|
||||
cmd.extend(data['command'])
|
||||
return cmd
|
||||
|
||||
def get_role_assignments(self, data, default_role='admin',
|
||||
default_project='service'):
|
||||
"""Return a dict of all roles and their users.
|
||||
|
||||
This filter takes in input the keystone resources data and
|
||||
returns a dict where each key is a role and its users assigned.
|
||||
If 'domain' or 'project' are specified, they are added to the user
|
||||
entry; so the user will be assign to the domain or the project.
|
||||
If no domain and no project are specified, default_project will be
|
||||
used.
|
||||
Note that domain and project are mutually exclusive in Keystone v3.
|
||||
"""
|
||||
returned_dict = {}
|
||||
for d in data:
|
||||
for k, v in d.items():
|
||||
roles = v.get('roles', default_role)
|
||||
domain = v.get('domain')
|
||||
project = v.get('project')
|
||||
|
||||
if domain is not None and project is not None:
|
||||
raise TypeError('domain and project need to be mutually '
|
||||
'exclusive for user: %s' % k)
|
||||
|
||||
if isinstance(roles, list):
|
||||
for r in roles:
|
||||
if r not in returned_dict:
|
||||
returned_dict[r] = []
|
||||
if domain is not None:
|
||||
returned_dict[r].append({k: {'domain': domain}})
|
||||
elif project is not None:
|
||||
returned_dict[r].append({k: {'project': project}})
|
||||
else:
|
||||
returned_dict[r].append({k: {'project':
|
||||
default_project}})
|
||||
else:
|
||||
if roles not in returned_dict:
|
||||
returned_dict[roles] = []
|
||||
if domain is not None:
|
||||
returned_dict[roles].append({k: {'domain': domain}})
|
||||
elif project is not None:
|
||||
returned_dict[roles].append({k: {'project': project}})
|
||||
else:
|
||||
returned_dict[roles].append({k: {'project':
|
||||
default_project}})
|
||||
return returned_dict
|
||||
|
||||
def get_domain_id(self, domain_name, all_domains):
|
||||
"""Return the ID of a domain by its name.
|
||||
|
||||
This filter taks in input a domain name and a dictionary with all
|
||||
domain informations.
|
||||
"""
|
||||
for d in all_domains:
|
||||
if d.get('name') == domain_name:
|
||||
return d.get('id')
|
||||
|
|
|
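Review bot: `roles = v.get('roles', default_role)` with `default_role='admin'` in `get_role_assignments` means a user entry that simply omits `roles` is granted `admin` on the default project without anything in the data saying so. If that is the intended legacy behaviour, state it in the docstring and consider having the caller pass the default explicitly; otherwise fail on a missing `roles` key so a typo in the key name cannot turn into an admin grant. Second point, in `get_domain_id`: when no entry matches `domain_name` the function falls off the end and returns `None`, which the role assignment task would then receive as a domain id. Raising an error naming the missing domain would surface the problem at the filter instead of at the Keystone API. The two role branches are also identical apart from the loop; normalising `roles` to a list first would remove the duplication.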
@ -0,0 +1,29 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# All variables intended for modification should be placed in this file.
|
||||
|
||||
# All variables within this role should have a prefix of "tripleo_keystone_resources"
|
||||
tripleo_keystone_resources_cloud_name: openstack
|
||||
tripleo_keystone_resources_cloud_config: {}
|
||||
tripleo_keystone_resources_clouds_file_path: /etc/openstack/clouds.yaml
|
||||
tripleo_keystone_resources_clouds_file_owner: root
|
||||
tripleo_keystone_resources_clouds_file_group: root
|
||||
tripleo_keystone_resources_clouds_file_mode: '0644'
|
||||
tripleo_keystone_resources_catalog_config: {}
|
||||
tripleo_keystone_resources_member_role_enabled: false
|
||||
tripleo_keystone_resources_batch: 10
|
|
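Review bot: `tripleo_keystone_resources_clouds_file_mode: '0644'` makes `/etc/openstack/clouds.yaml` world-readable by default, and the converge playbook in this same change writes `auth.password` for the admin user into that file through `tripleo_keystone_resources_cloud_config`. Any local account on the host can then read the Keystone admin password. Suggest defaulting to `'0600'` (or `'0640'` with a dedicated group if non-root tooling has to read it) and leaving it to deployers to loosen the mode deliberately.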
@ -0,0 +1,44 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
galaxy_info:
|
||||
author: OpenStack
|
||||
description: TripleO OpenStack Role -- tripleo-keystone-resources
|
||||
company: Red Hat
|
||||
license: Apache-2.0
|
||||
min_ansible_version: 2.7
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
platforms:
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 28
|
||||
- name: CentOS
|
||||
versions:
|
||||
- 7
|
||||
|
||||
galaxy_tags:
|
||||
- tripleo
|
||||
|
||||
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
dependencies: []
|
|
@ -0,0 +1,37 @@
|
|||
# Molecule managed
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
{% if item.registry is defined %}
|
||||
FROM {{ item.registry.url }}/{{ item.image }}
|
||||
{% else %}
|
||||
FROM {{ item.image }}
|
||||
{% endif %}
|
||||
|
||||
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
|
||||
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
|
||||
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
|
||||
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
|
||||
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
|
||||
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
|
||||
|
||||
{% for pkg in item.easy_install | default([]) %}
|
||||
# install pip for centos where there is no python-pip rpm in default repos
|
||||
RUN easy_install {{ pkg }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
CMD ["sh", "-c", "while true; do sleep 10000; done"]
|
|
@ -0,0 +1,15 @@
|
|||
FROM centos:7
|
||||
LABEL maintainer="dev@cloudesire.com"
|
||||
|
||||
ENV OS_RELEASE=train
|
||||
|
||||
RUN yum clean all \
|
||||
&& yum -y update \
|
||||
&& yum -y install centos-release-openstack-${OS_RELEASE} \
|
||||
&& yum -y install openstack-keystone openstack-utils python-openstackclient \
|
||||
&& yum clean all
|
||||
|
||||
COPY start_keystone.sh /
|
||||
EXPOSE 5000 35357
|
||||
|
||||
CMD ["/start_keystone.sh"]
|
|
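Review bot: `LABEL maintainer="dev@cloudesire.com"` in this Dockerfile looks carried over from the image it was adapted from; either credit the origin in a comment or replace the label so the address is not presented as this project's maintainer. For reproducible test runs, `FROM centos:7` combined with `yum -y update` gives a different image on every build; dropping the update step keeps the Keystone fixture closer to what the base tag ships. `EXPOSE 5000 35357` also does not match the `docker run -d -p 5000:5000` in prepare.yml, which publishes only port 5000.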
@ -0,0 +1,40 @@
|
|||
---
|
||||
driver:
|
||||
name: docker
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: centos7
|
||||
hostname: centos7
|
||||
image: centos:7
|
||||
dockerfile: Dockerfile
|
||||
network_mode: host
|
||||
easy_install:
|
||||
- pip
|
||||
environment: &env
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Create openstack directory
|
||||
file:
|
||||
path: /etc/openstack
|
||||
state: directory
|
||||
- name: Configure /etc/openstack/clouds.yaml
|
||||
include_role:
|
||||
name: tripleo-keystone-resources
|
||||
tasks_from: clouds
|
||||
vars:
|
||||
tripleo_keystone_resources_cloud_name: openstack
|
||||
tripleo_keystone_resources_cloud_config:
|
||||
auth:
|
||||
auth_url: http://localhost:5000/
|
||||
project_name: "admin"
|
||||
username: "admin"
|
||||
password: "ADMIN_PASS"
|
||||
project_domain_id: default
|
||||
user_domain_id: default
|
||||
identity_api_version: 3
|
||||
region_name: RegionOne
|
||||
- name: Create keystone admin resources
|
||||
include_role:
|
||||
name: tripleo-keystone-resources
|
||||
tasks_from: admin
|
||||
vars:
|
||||
tripleo_keystone_resources_cloud_name: openstack
|
||||
tripleo_keystone_resources_region: RegionOne
|
||||
tripleo_keystone_resources_admin_password: "ADMIN_PASS"
|
||||
tripleo_keystone_resources_admin_endpoint: "http://localhost:35357"
|
||||
tripleo_keystone_resources_internal_endpoint: "http://localhost:5000"
|
||||
tripleo_keystone_resources_public_endpoint: "http://localhost:5000"
|
|
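Review bot: this converge playbook only includes `tasks_from: clouds` and `tasks_from: admin`, so the parts of the change with the most logic (the async domain and endpoint task files and the new `get_key_from_dict`, `get_role_assignments` and `get_domain_id` filters) are never exercised by the molecule scenario. Please add a step that feeds a small `keystone_resources` dictionary like the one in the commit message through the role, including a user with several roles and a user with a `domain`, so the role assignment path is covered. The plain `http://` endpoints and the literal `"ADMIN_PASS"` are fine for a throwaway fixture but worth a comment saying so, since this file is the only usage example of the role in the change.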
@ -0,0 +1,43 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- hosts: localhost
|
||||
connection: local
|
||||
tasks:
|
||||
|
||||
- name: Build keystone container
|
||||
shell: docker build -t keystone-img -f Dockerfile.keystone .
|
||||
|
||||
- name: Run keystone container
|
||||
shell: docker run -d -p 5000:5000 --name keystone-docker keystone-img
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
tasks:
|
||||
|
||||
- include_role:
|
||||
name: test_deps
|
||||
vars:
|
||||
test_deps_setup_tripleo: true
|
||||
|
||||
- name: Instal pre packages
|
||||
package:
|
||||
name:
|
||||
- python-setuptools
|
||||
- python-openstacksdk
|
||||
- python-openstackclient
|
||||
- python-keystoneclient
|
||||
- ansible
|
|
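Review bot: the two `shell:` tasks on localhost are not idempotent: `docker run -d -p 5000:5000 --name keystone-docker keystone-img` fails on a second `molecule prepare` because the container name is already taken, and nothing visible in the scenario removes the container on destroy. Use the `docker_image` and `docker_container` modules, or at least guard the run with a removal of any existing `keystone-docker` container, and add the matching cleanup. Neither command needs a shell, so `command:` is the safer module if the raw CLI is kept. Small typo in the task name: "Instal pre packages".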
@ -0,0 +1,93 @@
|
|||
#!/bin/bash
|
||||
set -x
|
||||
|
||||
### Openstack Keystone
|
||||
|
||||
: ${OS_RELEASE:=queens}
|
||||
: ${IPADDR:=127.0.0.1}
|
||||
# Identity service configuration
|
||||
: ${OS_IDENTITY_URL_IPADDR:=$IPADDR}
|
||||
: ${OS_IDENTITY_API_VERSION:=3}
|
||||
: ${OS_IDENTITY_SERVICE_REGION:=RegionOne}
|
||||
: ${OS_IDENTITY_SERVICE_NAME:=keystone}
|
||||
: ${OS_IDENTITY_ADMIN_DOMAIN:=default}
|
||||
: ${OS_IDENTITY_ADMIN_PROJECT:=admin}
|
||||
: ${OS_IDENTITY_ADMIN_USERNAME:=admin}
|
||||
: ${OS_IDENTITY_ADMIN_PASSWD:=ADMIN_PASS}
|
||||
: ${OS_IDENTITY_ADMIN_ROLE:=admin}
|
||||
: ${OS_IDENTITY_URL_ADMIN:=http://${IPADDR}:35357}
|
||||
: ${OS_IDENTITY_URL_INTERNAL:=http://${IPADDR}:5000}
|
||||
: ${OS_IDENTITY_URL_PUBLIC:=http://${IPADDR}:5000}
|
||||
# Object store configuration
|
||||
: ${OS_OBJECTSTORE_URL_IPADDR:=$IPADDR}
|
||||
: ${OS_OBJECTSTORE_SERVICE_REGION:=RegionOne}
|
||||
: ${OS_OBJECTSTORE_SERVICE_NAME:=openio-swift}
|
||||
: ${OS_OBJECTSTORE_SERVICE_DESC:=OpenIO Swift Object Storage Service}
|
||||
: ${OS_OBJECTSTORE_DOMAIN:=default}
|
||||
: ${OS_OBJECTSTORE_PROJECT:=service}
|
||||
: ${OS_OBJECTSTORE_USERNAME:=swift}
|
||||
: ${OS_OBJECTSTORE_PASSWD:=SWIFT_PASS}
|
||||
: ${OS_OBJECTSTORE_ROLE:=admin}
|
||||
: ${OS_OBJECTSTORE_URL_ADMIN:=http://${IPADDR}:6007/v1}
|
||||
: ${OS_OBJECTSTORE_URL_INTERNAL:=http://${IPADDR}:6007/v1/AUTH_%(tenant_id)s}
|
||||
: ${OS_OBJECTSTORE_URL_PUBLIC:=http://${IPADDR}:6007/v1/AUTH_%(tenant_id)s}
|
||||
# Demo user setup
|
||||
: ${OS_USER_DEMO_DOMAIN:=default}
|
||||
: ${OS_USER_DEMO_PROJECT:=demo}
|
||||
: ${OS_USER_DEMO_USERNAME:=demo}
|
||||
: ${OS_USER_DEMO_PASSWD:=DEMO_PASS}
|
||||
: ${OS_USER_DEMO_ROLE:=admin}
|
||||
|
||||
echo '> Configuring Keystone ...'
|
||||
# Set log to stderr for Docker
|
||||
openstack-config --set /etc/keystone/keystone.conf DEFAULT use_stderr True
|
||||
# Use a local sqlite database for demo purposes
|
||||
openstack-config --set /etc/keystone/keystone.conf database connection 'sqlite:////var/lib/keystone/keystone.db'
|
||||
keystone-manage credential_setup \
|
||||
--keystone-user keystone \
|
||||
--keystone-group keystone
|
||||
keystone-manage fernet_setup \
|
||||
--keystone-user keystone \
|
||||
--keystone-group keystone
|
||||
keystone-manage db_sync
|
||||
keystone-manage bootstrap \
|
||||
--bootstrap-project-name "$OS_IDENTITY_ADMIN_PROJECT" \
|
||||
--bootstrap-username "$OS_IDENTITY_ADMIN_USERNAME" \
|
||||
--bootstrap-username "$OS_IDENTITY_ADMIN_USERNAME" \
|
||||
--bootstrap-password "$OS_IDENTITY_ADMIN_PASSWD" \
|
||||
--bootstrap-role-name "$OS_IDENTITY_ADMIN_ROLE" \
|
||||
--bootstrap-service-name "$OS_IDENTITY_SERVICE_NAME" \
|
||||
--bootstrap-region-id "$OS_IDENTITY_SERVICE_REGION" \
|
||||
--bootstrap-admin-url "$OS_IDENTITY_URL_ADMIN" \
|
||||
--bootstrap-public-url "$OS_IDENTITY_URL_PUBLIC" \
|
||||
--bootstrap-internal-url "$OS_IDENTITY_URL_INTERNAL"
|
||||
|
||||
# Using uwsgi for demo purposes
|
||||
echo '> Starting Keystone admin service ...'
|
||||
/usr/bin/keystone-wsgi-admin --port 35357 &
|
||||
|
||||
|
||||
# Admin credentials
|
||||
cat <<EOF >/keystone_adminrc
|
||||
export OS_IDENTITY_API_VERSION="$OS_IDENTITY_API_VERSION"
|
||||
#export OS_AUTH_URL="$OS_IDENTITY_URL_PUBLIC"
|
||||
export OS_AUTH_URL="$OS_IDENTITY_URL_ADMIN"
|
||||
export OS_USER_DOMAIN_ID="$OS_IDENTITY_ADMIN_DOMAIN"
|
||||
export OS_PROJECT_DOMAIN_ID="$OS_IDENTITY_ADMIN_DOMAIN"
|
||||
export OS_PROJECT_NAME="$OS_IDENTITY_ADMIN_PROJECT"
|
||||
export OS_USERNAME="$OS_IDENTITY_ADMIN_USERNAME"
|
||||
export OS_PASSWORD="$OS_IDENTITY_ADMIN_PASSWD"
|
||||
EOF
|
||||
source /keystone_adminrc
|
||||
|
||||
# Keystone policy
|
||||
cat <<EOF >/etc/keystone/policy.json
|
||||
{
|
||||
"admin_or_owner": "role:admin or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "role:admin"
|
||||
}
|
||||
EOF
|
||||
|
||||
echo '> Starting Keystone public service ...'
|
||||
/usr/bin/keystone-wsgi-public --port 5000
|
|
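Review bot: `--bootstrap-username "$OS_IDENTITY_ADMIN_USERNAME"` is passed twice to `keystone-manage bootstrap`; drop the duplicate line. With `set -x` at the top, that same command is traced with `--bootstrap-password` expanded, so the admin password ends up in the container log; turn tracing off around the bootstrap call or remove `set -x`. `/keystone_adminrc` is also written with the password under the default umask, so a `chmod 600` after the heredoc would be appropriate even for a fixture. Two smaller inconsistencies: the comment says "Using uwsgi" but the script starts `keystone-wsgi-admin` directly, and `OS_RELEASE` defaults to `queens` here while Dockerfile.keystone sets `train`.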
@ -0,0 +1,93 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Create default domain
|
||||
os_keystone_domain:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: default
|
||||
|
||||
- name: Create admin and service projects
|
||||
include_tasks: projects.yml
|
||||
vars:
|
||||
batched_tripleo_keystone_resources_projects:
|
||||
- admin
|
||||
- service
|
||||
|
||||
- name: Create admin role
|
||||
os_keystone_role:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: admin
|
||||
|
||||
- name: Create _member_ role
|
||||
os_keystone_role:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: _member_
|
||||
when:
|
||||
- keystone_enable_member | default(tripleo_keystone_resources_member_role_enabled)
|
||||
|
||||
- name: Create admin user
|
||||
os_user:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: admin
|
||||
password: "{{ tripleo_keystone_resources_admin_password }}"
|
||||
email: "admin@localhost"
|
||||
domain: default
|
||||
|
||||
- name: Assign admin role to admin project for admin user
|
||||
os_user_role:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
user: admin
|
||||
project: admin
|
||||
role: admin
|
||||
|
||||
- name: Assign _member_ role to admin project for admin user
|
||||
os_user_role:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
user: admin
|
||||
project: admin
|
||||
role: '_member_'
|
||||
when:
|
||||
- keystone_enable_member | default(tripleo_keystone_resources_member_role_enabled)
|
||||
|
||||
- name: Create identity service
|
||||
os_keystone_service:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: keystone
|
||||
service_type: identity
|
||||
|
||||
- name: Create identity public endpoint
|
||||
os_keystone_endpoint:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
service: keystone
|
||||
url: "{{ tripleo_keystone_resources_public_endpoint }}"
|
||||
endpoint_interface: public
|
||||
region: "{{ tripleo_keystone_resources_region }}"
|
||||
|
||||
- name: Create identity internal endpoint
|
||||
os_keystone_endpoint:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
service: keystone
|
||||
url: "{{ tripleo_keystone_resources_internal_endpoint }}"
|
||||
endpoint_interface: internal
|
||||
region: "{{ tripleo_keystone_resources_region }}"
|
||||
|
||||
- name: Create identity admin endpoint
|
||||
os_keystone_endpoint:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
service: keystone
|
||||
url: "{{ tripleo_keystone_resources_admin_endpoint }}"
|
||||
endpoint_interface: admin
|
||||
region: "{{ tripleo_keystone_resources_region }}"
|
|
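Review bot: both `when:` conditions use `keystone_enable_member | default(tripleo_keystone_resources_member_role_enabled)` without `| bool`. If the value arrives as a string such as `"false"`, the expression is a non-empty string and evaluates as true, so the `_member_` role would be created and assigned to admin against the operator's intent. Append `| bool` to the expression in both tasks. `keystone_enable_member` is also unprefixed and not listed in defaults/main.yml, which contradicts the comment there that all role variables carry the `tripleo_keystone_resources` prefix; document it as a legacy alias or drop it.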
@ -0,0 +1,53 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
- name: "Check if {{ tripleo_keystone_resources_clouds_file_path }} exists"
|
||||
become: true
|
||||
stat:
|
||||
path: "{{ tripleo_keystone_resources_clouds_file_path }}"
|
||||
register: attr_clouds
|
||||
|
||||
# This task is required or config_template will fail if the src file didn't exist
|
||||
- name: "Create empty {{ tripleo_keystone_resources_clouds_file_path }} if it does not exist"
|
||||
become: true
|
||||
copy:
|
||||
content: |-
|
||||
---
|
||||
clouds: {}
|
||||
dest: "{{ tripleo_keystone_resources_clouds_file_path }}"
|
||||
when:
|
||||
- not attr_clouds.stat.exists
|
||||
|
||||
- name: "Configure {{ tripleo_keystone_resources_clouds_file_path }}"
|
||||
include_role:
|
||||
name: tripleo-config
|
||||
vars:
|
||||
tripleo_config_dest: "{{ tripleo_keystone_resources_clouds_file_path }}"
|
||||
tripleo_config_group: "{{ tripleo_keystone_resources_clouds_file_group }}"
|
||||
tripleo_config_mode: "{{ tripleo_keystone_resources_clouds_file_mode }}"
|
||||
tripleo_config_overrides: |-
|
||||
{% set cloud_config = {'clouds': {}} %}
|
||||
{% set _ = cloud_config['clouds'].__setitem__(
|
||||
tripleo_keystone_resources_cloud_name,
|
||||
tripleo_keystone_resources_cloud_config
|
||||
)
|
||||
%}
|
||||
{{ cloud_config }}
|
||||
tripleo_config_owner: "{{ tripleo_keystone_resources_clouds_file_owner }}"
|
||||
tripleo_config_remote_src: true
|
||||
tripleo_config_src: "{{ tripleo_keystone_resources_clouds_file_path }}"
|
||||
tripleo_config_type: yaml
|
|
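Review bot: the "Create empty ... if it does not exist" task uses `copy` with no `owner`, `group` or `mode`, so the file that will later hold cloud credentials is first created with whatever the default umask gives and only gets its final permissions when tripleo-config runs. Set the three attributes from the existing `tripleo_keystone_resources_clouds_file_*` variables on this task as well. The `stat` plus `when: not attr_clouds.stat.exists` pair can be replaced by a single `copy` with `force: false`, which only writes when the destination is absent and removes the check-then-create gap. The `__setitem__` call in the override template works but is harder to read than building the mapping directly, for example `{{ {'clouds': {tripleo_keystone_resources_cloud_name: tripleo_keystone_resources_cloud_config}} }}`.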
@ -0,0 +1,37 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Async creation of Keystone domains
|
||||
os_keystone_domain:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: "{{ tripleo_keystone_resources_domain }}"
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_domain_results
|
||||
loop: "{{ batched_tripleo_keystone_resources_data }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_domain
|
||||
|
||||
- name: Check Keystone domain status
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_domain_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_domain_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_domain_async_result_item"
|
||||
register: tripleo_keystone_resources_domain_async_poll_results
|
||||
until: tripleo_keystone_resources_domain_async_poll_results.finished
|
||||
retries: 30
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: "Async creation of Keystone {{ keystone_endpoint_type }} endpoint"
|
||||
os_keystone_endpoint:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
service: "{{ tripleo_keystone_resources_data.key }}"
|
||||
url: "{{ tripleo_keystone_resources_data['value']['endpoints'][keystone_endpoint_type] }}"
|
||||
endpoint_interface: "{{ keystone_endpoint_type }}"
|
||||
region: "{{ tripleo_keystone_resources_data.value.region }}"
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_endpoint_results
|
||||
loop: "{{ batched_tripleo_keystone_resources_data }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_data
|
||||
|
||||
- name: "Check Keystone {{ keystone_endpoint_type }} endpoint status"
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_endpoint_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_endpoint_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_endpoint_async_result_item"
|
||||
register: tripleo_keystone_resources_endpoint_async_poll_results
|
||||
until: tripleo_keystone_resources_endpoint_async_poll_results.finished
|
||||
retries: 30
|
|
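Review bot: The `url:` line indexes `['endpoints'][keystone_endpoint_type]` directly, but the batch is selected only on the presence of an `endpoints` key (`haskey(attribute='endpoints')` in loop-endpoints.yml), so a service that defines only some of public/admin/internal will hit an undefined value on the missing interface and fail the whole batch. `region:` likewise reads `.value.region` with no default. Suggest filtering the loop input down to items that actually define the current `keystone_endpoint_type` (a `when:` on the async task would leave skipped results without `ansible_job_id` for the status task), and either defaulting the region or documenting it as required.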
@ -0,0 +1,20 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Collect OpenStack Keystone domains infos
|
||||
os_keystone_domain_info:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
register: openstack_domains
|
|
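Review bot: `register: openstack_domains` stores the whole module result under that name, whereas the pre-2.9.2 path extracts the list with `tripleo_domains_facts['ansible_facts']['openstack_domains']` before assigning it to the same variable. The two branches then look like they hand different shapes to `get_domain_id(all_domains=openstack_domains)`, and the unit test for that filter passes a plain list of domain dicts. Worth confirming what the filter receives on Ansible >= 2.9.2; if it is the raw result, register under another name and add a `set_fact` that pulls out the domain list, mirroring the old path.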
@ -0,0 +1,24 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
- name: Collect OpenStack Keystone domains facts
|
||||
os_keystone_domain_facts:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
register: tripleo_domains_facts
|
||||
|
||||
- name: Create openstack_domains fact
|
||||
set_fact:
|
||||
openstack_domains: "{{ tripleo_domains_facts['ansible_facts']['openstack_domains'] }}"
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: "Create Keystone {{ keystone_endpoint_type }} endpoints"
|
||||
include_tasks: endpoints.yml
|
||||
loop: "{{ tripleo_keystone_resources_catalog_config | dict2items | haskey(attribute='endpoints') | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_data
|
|
@ -0,0 +1,101 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# "tripleo-keystone-resources" will search for and load any operating system variable file
|
||||
|
||||
# found within the "vars/" path. If no OS files are found the task will skip.
|
||||
- name: Gather variables for each operating system
|
||||
include_vars: "{{ item }}"
|
||||
with_first_found:
|
||||
- skip: true
|
||||
files:
|
||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
|
||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
||||
- "{{ ansible_distribution | lower }}.yml"
|
||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
||||
- "{{ ansible_os_family | lower }}.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Create Keystone Admin resources
|
||||
include_tasks: admin.yml
|
||||
|
||||
- name: Create Keystone Projects
|
||||
include_tasks: projects.yml
|
||||
loop: "{{ tripleo_keystone_resources_catalog_config | get_key_from_dict(key='project', default='service') | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_projects
|
||||
|
||||
- name: Create Keystone Domains
|
||||
include_tasks: domains.yml
|
||||
loop: "{{ tripleo_keystone_resources_catalog_config | get_key_from_dict(key='domains') | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_data
|
||||
|
||||
# We need to gather domains so later we can convert a domain name into a domain ID.
|
||||
# This is needed because os_user_role doesn't do the conversion yet in the version
|
||||
# of Ansible that we use. This block will disappear once we use the new modules
|
||||
# from OpenStack collections.
|
||||
# In recents version of Ansible, this module was renamed to os_keystone_domain_info.
|
||||
# Which is why we don't use the same module to gather domains infos.
|
||||
- name: Gather all OpenStack domains for Ansible < 2.9.2
|
||||
include_tasks: gather_domains_old.yml
|
||||
# See https://github.com/ansible/ansible/commit/c91929b2b302b37af22d785641a7fe704003662a
|
||||
when:
|
||||
- ansible_version.full is version_compare('2.9.2', '<')
|
||||
|
||||
- name: Gather all OpenStack domains for Ansible >= 2.9.2
|
||||
include_tasks: gather_domains_new.yml
|
||||
# See https://github.com/ansible/ansible/commit/c91929b2b302b37af22d785641a7fe704003662a
|
||||
when:
|
||||
- ansible_version.full is version_compare('2.9.2', '>=')
|
||||
|
||||
- name: Create Keystone Services
|
||||
include_tasks: services.yml
|
||||
loop: "{{ tripleo_keystone_resources_catalog_config | dict2items | haskey(attribute='service') | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_data
|
||||
|
||||
- name: Create Keystone Endpoints
|
||||
include_tasks: loop-endpoints.yml
|
||||
loop:
|
||||
- public
|
||||
- admin
|
||||
- internal
|
||||
loop_control:
|
||||
loop_var: keystone_endpoint_type
|
||||
|
||||
- name: Create Keystone Roles
|
||||
include_tasks: roles.yml
|
||||
loop: "{{ tripleo_keystone_resources_catalog_config | get_key_from_dict(key='roles', default='service') | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_roles
|
||||
|
||||
- name: "Create Keystone Users"
|
||||
include_tasks: users.yml
|
||||
loop: "{{ tripleo_keystone_resources_catalog_config | get_key_from_dict(key='users') | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_data
|
||||
|
||||
- name: "Assign Keystone Users to Roles"
|
||||
include_tasks: user_roles.yml
|
||||
loop: >-
|
||||
{{ tripleo_keystone_resources_catalog_config | get_key_from_dict(key='users') |
|
||||
get_role_assignments(default_project=tripleo_keystone_resources_service_project) | dict2items }}
|
||||
loop_control:
|
||||
loop_var: batched_tripleo_keystone_resources_roles_data
|
|
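Review bot: Both domain-gathering includes gate on `ansible_version.full is version_compare(...)`; `version_compare` is the older name of the `version` test, so `is version('2.9.2', '<')` is the spelling to prefer. The two `when:` blocks are exact complements and repeat the same commit link comment, so a single include whose file name is chosen from the version check would remove the duplication. The comment block above them would also read better with "In recent versions of Ansible".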
@ -0,0 +1,38 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Async creation of Keystone project
|
||||
os_project:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: "{{ tripleo_keystone_resources_project }}"
|
||||
domain_id: default
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_project_results
|
||||
loop: "{{ batched_tripleo_keystone_resources_projects }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_project
|
||||
|
||||
- name: Check Keystone project status
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_project_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_project_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_project_async_result_item"
|
||||
register: tripleo_keystone_resources_project_async_poll_results
|
||||
until: tripleo_keystone_resources_project_async_poll_results.finished
|
||||
retries: 30
|
|
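Review bot: `domain_id: default` is hard-coded on the `os_project` task, while users.yml takes the domain from the data with `.value.domain | default('default')`. A service that overrides its user domain still gets its project created in the default domain, which may or may not be intended. Suggest either reading the project domain from the same data structure with `default` as the fallback, or adding a comment stating that projects are always created in the default domain.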
@ -0,0 +1,37 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Async creation of Keystone role
|
||||
os_keystone_role:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: "{{ tripleo_keystone_resources_role }}"
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_role_results
|
||||
loop: "{{ batched_tripleo_keystone_resources_roles }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_role
|
||||
|
||||
- name: Check Keystone role status
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_role_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_role_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_role_async_result_item"
|
||||
register: tripleo_keystone_resources_role_async_poll_results
|
||||
until: tripleo_keystone_resources_role_async_poll_results.finished
|
||||
retries: 30
|
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Async creation of Keystone service
|
||||
os_keystone_service:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: "{{ tripleo_keystone_resources_data.key }}"
|
||||
service_type: "{{ tripleo_keystone_resources_data.value.service }}"
|
||||
description: "OpenStack {{ tripleo_keystone_resources_data.value.service | title() }} Service"
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_service_results
|
||||
loop: "{{ batched_tripleo_keystone_resources_data }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_data
|
||||
|
||||
- name: Check Keystone service status
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_service_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_service_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_service_async_result_item"
|
||||
register: tripleo_keystone_resources_service_async_poll_results
|
||||
until: tripleo_keystone_resources_service_async_poll_results.finished
|
||||
retries: 30
|
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: "Async assignment of Keystone user to roles"
|
||||
os_user_role:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
user: "{{ lookup('dict', tripleo_keystone_resources_data_user).key }}"
|
||||
project: "{{ lookup('dict', tripleo_keystone_resources_data_user).value.project | default(omit) }}"
|
||||
# TODO(emilien) remove the custom filter once the module moved to OpenStack collections and we can make changes
|
||||
domain: >-
|
||||
{{ lookup('dict', tripleo_keystone_resources_data_user).value.domain | default(omit) |
|
||||
get_domain_id(all_domains=openstack_domains) | default(omit) }}
|
||||
role: "{{ batched_tripleo_keystone_resources_roles_data.key }}"
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_user_role_results
|
||||
loop: "{{ tripleo_keystone_resources_data_users }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_data_user
|
||||
|
||||
- name: "Check Keystone user assignment to roles status"
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_user_role_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_user_role_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_user_role_async_result_item"
|
||||
register: tripleo_keystone_resources_user_role_async_poll_results
|
||||
until: tripleo_keystone_resources_user_role_async_poll_results.finished
|
||||
retries: 30
|
|
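Review bot: In the `domain:` expression, the first `default(omit)` feeds the omit placeholder into `get_domain_id` as if it were a domain name, and the trailing `default(omit)` only takes effect if the filter returns an undefined value; Jinja's `default` does not replace `None` or an empty string unless its second argument is true. The unit test for `get_domain_id` covers only the matching case, so the behaviour for a missing or unknown domain is not pinned down. Suggest calling the filter only when `.value.domain` is defined, failing loudly when a named domain is not found, and adding a test for the no-match case, since a silently dropped `domain` changes the scope of the role assignment.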
@ -0,0 +1,22 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: "Async assignment of Keystone user per role"
|
||||
include_tasks: user_per_role.yml
|
||||
# This loop is required as a user can have multiple roles but the os_user_role doesn't handle it.
|
||||
loop: "{{ batched_tripleo_keystone_resources_roles_data.value | batch(tripleo_keystone_resources_batch) | list }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_data_users
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: "Async creation of Keystone user"
|
||||
os_user:
|
||||
cloud: "{{ tripleo_keystone_resources_cloud_name }}"
|
||||
name: "{{ lookup('dict', tripleo_keystone_resources_data).key }}"
|
||||
password: "{{ lookup('dict', tripleo_keystone_resources_data).value.password }}"
|
||||
email: "{{ lookup('dict', tripleo_keystone_resources_data).key }}@localhost"
|
||||
domain: "{{ lookup('dict', tripleo_keystone_resources_data).value.domain | default('default') }}"
|
||||
state: present
|
||||
async: 60
|
||||
poll: 0
|
||||
register: tripleo_keystone_resources_user_results
|
||||
loop: "{{ batched_tripleo_keystone_resources_data }}"
|
||||
loop_control:
|
||||
loop_var: tripleo_keystone_resources_data
|
||||
|
||||
- name: "Check Keystone user status"
|
||||
async_status:
|
||||
jid: "{{ tripleo_keystone_resources_user_async_result_item.ansible_job_id }}"
|
||||
loop: "{{ tripleo_keystone_resources_user_results.results }}"
|
||||
loop_control:
|
||||
loop_var: "tripleo_keystone_resources_user_async_result_item"
|
||||
register: tripleo_keystone_resources_user_async_poll_results
|
||||
until: tripleo_keystone_resources_user_async_poll_results.finished
|
||||
retries: 30
|
|
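Review bot: The `os_user` task loops over items that carry `.value.password` and has no `no_log: true`, so the default loop output prints each item, password included, to the console and to any log the deployment keeps. The status task loops over the registered results, which carry the original loop item as well. Suggest `no_log: true` on both tasks, or at least a `loop_control: label:` that shows only the user name.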
@ -196,7 +196,7 @@ class TestHelperFilters(tests_base.TestCase):
|
|||
},
|
||||
}
|
||||
]
|
||||
result = self.filters.haskey(batched_container_data=data,
|
||||
result = self.filters.haskey(data=data,
|
||||
attribute='restart', value='always')
|
||||
self.assertEqual(result, expected_list)
|
||||
|
||||
|
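Review bot: The `haskey` keyword changes from `batched_container_data=` to `data=` in these tests, which means the filter's keyword argument was renamed in a stable-branch backport. Any caller outside this change that passes `batched_container_data` by keyword will break after it merges. Suggest either keeping the old keyword as an accepted alias on stable/train or noting in the commit message that all in-tree callers were updated in the same change.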
@ -224,7 +224,7 @@ class TestHelperFilters(tests_base.TestCase):
|
|||
},
|
||||
}
|
||||
]
|
||||
result = self.filters.haskey(batched_container_data=data,
|
||||
result = self.filters.haskey(data=data,
|
||||
attribute='restart',
|
||||
value='always',
|
||||
reverse=True)
|
||||
|
@ -255,7 +255,7 @@ class TestHelperFilters(tests_base.TestCase):
|
|||
},
|
||||
}
|
||||
]
|
||||
result = self.filters.haskey(batched_container_data=data,
|
||||
result = self.filters.haskey(data=data,
|
||||
attribute='restart',
|
||||
any=True)
|
||||
self.assertEqual(result, expected_list)
|
||||
|
@ -284,7 +284,7 @@ class TestHelperFilters(tests_base.TestCase):
|
|||
},
|
||||
}
|
||||
]
|
||||
result = self.filters.haskey(batched_container_data=data,
|
||||
result = self.filters.haskey(data=data,
|
||||
attribute='restart',
|
||||
reverse=True,
|
||||
any=True)
|
||||
|
@ -397,6 +397,68 @@ class TestHelperFilters(tests_base.TestCase):
|
|||
config_id='tripleo_step1')
|
||||
self.assertEqual(result, expected_list)
|
||||
|
||||
def test_get_key_from_dict(self):
|
||||
data = {
|
||||
'nova_api': {
|
||||
'project': 'service1'
|
||||
},
|
||||
'glance_api': {
|
||||
'project': 'service1'
|
||||
},
|
||||
'heat_api': {
|
||||
'user': 'heat'
|
||||
},
|
||||
'cinder_api': {
|
||||
'project': 'service2'
|
||||
}
|
||||
}
|
||||
expected_list = ['service1', 'service3', 'service2']
|
||||
result = self.filters.get_key_from_dict(data, key='project',
|
||||
default='service3')
|
||||
self.assertEqual(result, expected_list)
|
||||
|
||||
def test_get_key_from_dict_with_list_input(self):
|
||||
data = {
|
||||
'nova_api': {
|
||||
'roles': ['service', 'admin']
|
||||
},
|
||||
'glance_api': {
|
||||
'roles': 'service1'
|
||||
},
|
||||
'heat_api': {
|
||||
'user': 'heat'
|
||||
},
|
||||
'cinder_api': {
|
||||
'project': 'service2',
|
||||
'roles': ['service', 'service4']
|
||||
}
|
||||
}
|
||||
expected_list = ['service', 'admin', 'service1', 'service4']
|
||||
result = self.filters.get_key_from_dict(data, key='roles',
|
||||
default='service')
|
||||
self.assertEqual(result, expected_list)
|
||||
|
||||
def test_get_key_from_dict_with_dict_input(self):
|
||||
data = {
|
||||
'nova_api': {
|
||||
'users': {'nova': {'password': 'secret',
|
||||
'roles': ['foo', 'bar']}},
|
||||
},
|
||||
'glance_api': {
|
||||
'roles': 'service1'
|
||||
},
|
||||
'heat_api': {
|
||||
'user': 'heat'
|
||||
},
|
||||
'cinder_api': {
|
||||
'project': 'service2'
|
||||
}
|
||||
}
|
||||
expected_list = [{'nova': {'password': 'secret', 'roles':
|
||||
['foo', 'bar']}}]
|
||||
result = self.filters.get_key_from_dict(data, key='users')
|
||||
self.assertEqual(result, expected_list)
|
||||
|
||||
def test_container_exec_cmd(self):
|
||||
data = {
|
||||
"action": "exec",
|
||||
|
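Review bot: `test_get_key_from_dict` and `test_get_key_from_dict_with_list_input` assert on list order (`['service1', 'service3', 'service2']`, `['service', 'admin', 'service1', 'service4']`) while the input is a plain dict, so the expected order holds only on interpreters where dict iteration follows insertion order. Suggest comparing sorted lists or building the input as an ordered mapping. A short docstring on each test stating that duplicates are dropped and that `default` is substituted for services lacking the key would also make the expected values easier to read.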
@ -421,3 +483,48 @@ class TestHelperFilters(tests_base.TestCase):
|
|||
'keystone', 'keystone-manage', 'bootstrap']
|
||||
result = self.filters.container_exec_cmd(data=data)
|
||||
self.assertEqual(result, expected_cmd)
|
||||
|
||||
def test_get_role_assignments(self):
|
||||
data = [{
|
||||
'nova': {
|
||||
'roles': ['service', 'admin'],
|
||||
},
|
||||
'glance': {
|
||||
'roles': 'service1',
|
||||
'user': 'glance'
|
||||
},
|
||||
'cinder': {
|
||||
'project': 'service2'
|
||||
},
|
||||
'heat': {
|
||||
'domain': 'heat_domain'
|
||||
}
|
||||
}]
|
||||
expected_hash = {
|
||||
'admin': [{'nova': {'project': 'service'}},
|
||||
{'cinder': {'project': 'service2'}},
|
||||
{'heat': {'domain': 'heat_domain'}}
|
||||
],
|
||||
'service': [{'nova': {'project': 'service'}}],
|
||||
'service1': [{'glance': {'project': 'service'}}]
|
||||
}
|
||||
result = self.filters.get_role_assignments(data)
|
||||
self.assertEqual(result, expected_hash)
|
||||
|
||||
def test_get_domain_id(self):
|
||||
openstack_domains = [
|
||||
{
|
||||
"description": "The default domain",
|
||||
"enabled": "true",
|
||||
"id": "default",
|
||||
"name": "Default"
|
||||
},
|
||||
{
|
||||
"description": "The heat stack domain",
|
||||
"enabled": "true",
|
||||
"id": "fd85b560d4554fd8bf363728e4a3863e",
|
||||
"name": "heat_stack"
|
||||
}
|
||||
]
|
||||
result = self.filters.get_domain_id('heat_stack', openstack_domains)
|
||||
self.assertEqual(result, 'fd85b560d4554fd8bf363728e4a3863e')
|
||||
|
|
|
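Review bot: In `test_get_role_assignments`, `cinder` and `heat` declare no `roles` yet both appear under `'admin'` in `expected_hash`, so the filter grants `admin` to any user whose roles are not listed. That default is a least-privilege concern for a role that creates every service account in the cloud. Suggest documenting it next to the filter and the role defaults, and consider requiring `roles` explicitly or making the default role a parameter alongside `default_project`.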
@ -40,6 +40,7 @@
|
|||
- tripleo-ansible-centos-7-molecule-tripleo-hosts-entries
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-container-manage
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-modules
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-keystone-resources
|
||||
gate:
|
||||
jobs:
|
||||
- tripleo-ansible-centos-7-molecule-aide
|
||||
|
@ -80,6 +81,7 @@
|
|||
- tripleo-ansible-centos-7-molecule-tripleo-hosts-entries
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-container-manage
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-modules
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-keystone-resources
|
||||
name: tripleo-ansible-molecule-jobs
|
||||
- job:
|
||||
files:
|
||||
|
@ -357,3 +359,11 @@
|
|||
- ^molecule-requirements.txt
|
||||
name: tripleo-ansible-centos-7-molecule-tripleo-modules
|
||||
parent: tripleo-ansible-centos-7-base
|
||||
|
||||
- job:
|
||||
files:
|
||||
- ^tripleo_ansible/roles/tripleo-keystone-resources/.*
|
||||
name: tripleo-ansible-centos-7-molecule-tripleo-keystone-resources
|
||||
parent: tripleo-ansible-centos-7-base
|
||||
vars:
|
||||
tripleo_role_name: tripleo-keystone-resources
|
||||
|
|
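Review bot: The `files:` matcher for the new job lists only `^tripleo_ansible/roles/tripleo-keystone-resources/.*`, so a change to the filter plugin the role depends on (`haskey`, `get_key_from_dict`, `get_role_assignments`, `get_domain_id`) will not trigger this molecule job. Suggest adding the filter plugin path and the shared requirement files to the matcher, as the preceding job does with `^molecule-requirements.txt`.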