
[train-squash] Backport "all Keystone resources with Ansible"

Manage all Keystone resources with Ansible

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
(cherry picked from commit 7f40baabcd)

keystone: fix trailing space

Change-Id: Id3642bd4f539f496d00298ab7996720f14cd0a3c
(cherry picked from commit 4c167191dc)

deployment: document keystone_resources

Bring some documentation into the deployment README about the new
keystone_resources interface.

Change-Id: I17c2c451136eb4729e4751a250d5545019ea84ff
(cherry picked from commit 362e92fb82)

Add novajoin to EndpointMap

Previously, novajoin was relying on hiera data to populate endpoints in
keystone, but that recently changed for the rest of the OpenStack
services. This commit updates novajoin to use the same approach with
EndpointMap. Otherwise, deploying the undercloud fails with an error
message similar to the following:

  Cannot create an endpoint with an invalid URL: http://%{hiera('ctlplane')}:9090/v1/.

Change-Id: I0e177a5e21ed9fb5eacba7a766c153ba99af34ae
(cherry picked from commit 18e51ca533)

keystone/ldap: add missing cloud name

... or Ansible will use the default "openstack" cloud, which isn't good.
We need to create domains in the actual overcloud.

Change-Id: I129d7355364c87c40f51372b402620790a31ec81
(cherry picked from commit b3538251d6)
changes/44/708044/5
Emilien Macchi 2 years ago
parent
commit
32279c4a32
43 changed files with 908 additions and 224 deletions
  1. +5
    -0
      common/deploy-steps.j2
  2. +11
    -0
      common/services/role.role.j2.yaml
  3. +8
    -0
      deployment/README.rst
  4. +19
    -0
      deployment/aodh/aodh-api-container-puppet.yaml
  5. +0
    -7
      deployment/aodh/aodh-base.yaml
  6. +16
    -6
      deployment/barbican/barbican-api-container-puppet.yaml
  7. +11
    -0
      deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
  8. +0
    -6
      deployment/ceilometer/ceilometer-base-container-puppet.yaml
  9. +16
    -10
      deployment/ceph-ansible/ceph-rgw.yaml
  10. +55
    -11
      deployment/cinder/cinder-api-container-puppet.yaml
  11. +11
    -7
      deployment/experimental/designate/designate-api-container-puppet.yaml
  12. +11
    -7
      deployment/glance/glance-api-container-puppet.yaml
  13. +11
    -7
      deployment/gnocchi/gnocchi-api-container-puppet.yaml
  14. +11
    -9
      deployment/heat/heat-api-cfn-container-puppet.yaml
  15. +24
    -9
      deployment/heat/heat-api-container-puppet.yaml
  16. +0
    -5
      deployment/heat/heat-base-puppet.yaml
  17. +0
    -4
      deployment/heat/heat-engine-container-puppet.yaml
  18. +2
    -3
      deployment/horizon/horizon-container-puppet.yaml
  19. +14
    -9
      deployment/ironic/ironic-api-container-puppet.yaml
  20. +11
    -7
      deployment/ironic/ironic-inspector-container-puppet.yaml
  21. +37
    -1
      deployment/keystone/keystone-container-puppet.yaml
  22. +22
    -13
      deployment/manila/manila-api-container-puppet.yaml
  23. +19
    -0
      deployment/mistral/mistral-api-container-puppet.yaml
  24. +0
    -11
      deployment/mistral/mistral-base.yaml
  25. +11
    -7
      deployment/neutron/neutron-api-container-puppet.yaml
  26. +14
    -8
      deployment/nova/nova-api-container-puppet.yaml
  27. +0
    -7
      deployment/nova/nova-metadata-container-puppet.yaml
  28. +11
    -4
      deployment/nova/novajoin-container-puppet.yaml
  29. +11
    -7
      deployment/octavia/octavia-api-container-puppet.yaml
  30. +11
    -7
      deployment/placement/placement-api-container-puppet.yaml
  31. +11
    -7
      deployment/sahara/sahara-api-container-puppet.yaml
  32. +24
    -15
      deployment/swift/external-swift-proxy-baremetal-puppet.yaml
  33. +14
    -16
      deployment/swift/swift-proxy-container-puppet.yaml
  34. +26
    -2
      deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml
  35. +21
    -12
      deployment/zaqar/zaqar-container-puppet.yaml
  36. +3
    -0
      environments/ssl/no-tls-endpoints-public-ip.yaml
  37. +3
    -0
      environments/ssl/tls-endpoints-public-dns.yaml
  38. +3
    -0
      environments/ssl/tls-endpoints-public-ip.yaml
  39. +3
    -0
      environments/ssl/tls-everywhere-endpoints-dns.yaml
  40. +15
    -0
      network/endpoints/endpoint_data.yaml
  41. +396
    -0
      network/endpoints/endpoint_map.yaml
  42. +5
    -0
      overcloud.j2.yaml
  43. +12
    -0
      sample-env-generator/ssl.yaml

+ 5
- 0
common/deploy-steps.j2 View File

@ -218,6 +218,10 @@ parameters:
default: []
description: List of VIP (virtual IP) hosts entries to be appended to /etc/hosts
type: comma_delimited_list
KeystoneResourcesConfigs:
description: The keystone resources config.
type: json
default: {}
conditions:
{% for role in enabled_roles %}
@ -389,6 +393,7 @@ outputs:
undercloud_hosts_entries: {get_param: UndercloudHostsEntries}
extra_hosts_entries: {get_param: ExtraHostsEntries}
vip_hosts_entries: {get_param: VipHostsEntries}
keystone_resources: {get_param: KeystoneResourcesConfigs}
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
hiera_steps_tasks: {get_file: hiera-steps-tasks.yaml}
deploy_steps_tasks_step_0: {get_file: deploy-steps-tasks-step-0.yaml}
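Review bot: The new `KeystoneResourcesConfigs` parameter in the first hunk is declared without `hidden: true`, although the per-service maps fed into it on this page carry values such as `password: {get_param: AodhPassword}`, whose source parameters are themselves marked `hidden: true`. Adding `hidden: true` under `KeystoneResourcesConfigs` would keep the aggregated JSON masked wherever Heat shows stack parameters. The second hunk also publishes the same map as `keystone_resources` in the outputs block, so whatever file or log receives those variables should presumably be treated as secret-bearing; where they end up is not visible in this hunk.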


+ 11
- 0
common/services/role.role.j2.yaml View File

@ -133,6 +133,16 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('global_config_settings')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
KeystoneResourcesConfigs:
type: OS::Heat::Value
properties:
type: json
value:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('keystone_resources')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
ServiceConfigSettings:
type: OS::Heat::Value
properties:
@ -371,6 +381,7 @@ outputs:
upgrade_batch_tasks: {get_attr: [UpgradeBatchTasks, value]}
service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]}
ansible_group_vars: {get_attr: [AnsibleGroupVars, value]}
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
# Keys to support docker/services
puppet_config: {get_attr: [PuppetConfig, value]}
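Review bot: The `map_merge` over each service's `keystone_resources` in the new `KeystoneResourcesConfigs` value combines maps by top-level key only (Heat's `map_merge` is not recursive, to my knowledge), so two services in one role that use the same key would have one entry replace the other, not combine with it. On this page `deployment/ceph-ansible/ceph-rgw.yaml` registers its entry under `swift`, and the file list also touches `deployment/swift/swift-proxy-container-puppet.yaml`, whose key is not in view here. A comment above the resource would make the contract explicit, for example `# keys must be unique per catalog entry; a duplicate key silently replaces the earlier service's users/endpoints`.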


+ 8
- 0
deployment/README.rst View File

@ -328,3 +328,11 @@ implementation of this hook needs to conform to the following:
* This needs to define an output called `metadata` which will be given to the
Nova Server resource as the instance's metadata.
Keystone resources management
-----------------------------
Keystone resources, such as users, roles, domains, endpoints, services, role
assignments, are now managed by `tripleo-keystone-resources`_ Ansible role.
.. _tripleo-keystone-resources: https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo-keystone-resources.html

+ 19
- 0
deployment/aodh/aodh-api-container-puppet.yaml View File

@ -58,6 +58,14 @@ parameters:
e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
AodhPassword:
description: The password for the aodh services.
type: string
hidden: true
conditions:
@ -97,6 +105,17 @@ outputs:
description: Role data for the aodh API role.
value:
service_name: aodh_api
keystone_resources:
aodh:
endpoints:
public: {get_param: [EndpointMap, AodhPublic, uri]}
internal: {get_param: [EndpointMap, AodhInternal, uri]}
admin: {get_param: [EndpointMap, AodhAdmin, uri]}
users:
aodh:
password: {get_param: AodhPassword}
region: {get_param: KeystoneRegion}
service: 'alarming'
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
config_settings:
map_merge:


+ 0
- 7
deployment/aodh/aodh-base.yaml View File

@ -95,13 +95,6 @@ outputs:
aodh::auth::auth_region: {get_param: KeystoneRegion}
aodh::auth::auth_tenant_name: 'service'
service_config_settings:
keystone:
aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]}
aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]}
aodh::keystone::auth::admin_url: {get_param: [EndpointMap, AodhAdmin, uri]}
aodh::keystone::auth::password: {get_param: AodhPassword}
aodh::keystone::auth::region: {get_param: KeystoneRegion}
aodh::keystone::auth::tenant: 'service'
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}


+ 16
- 6
deployment/barbican/barbican-api-container-puppet.yaml View File

@ -181,6 +181,22 @@ outputs:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -244,12 +260,6 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
barbican::keystone::auth::password: {get_param: BarbicanPassword}
barbican::keystone::auth::region: {get_param: KeystoneRegion}
barbican::keystone::auth::tenant: 'service'
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
nova_compute:
nova::compute::keymgr_backend: >


+ 11
- 0
deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml View File

@ -52,6 +52,10 @@ parameters:
default: false
description: Whether to enable gnocchi usage.
type: boolean
CeilometerPassword:
description: The password for the ceilometer service account.
type: string
hidden: true
conditions:
ceilometer_enable_gnocchi: {equals: [{get_param: CeilometerEnableGnocchi}, True]}
@ -77,6 +81,13 @@ outputs:
value:
service_name: ceilometer_agent_central
monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCentral}
keystone_resources:
ceilometer:
users:
ceilometer:
password: {get_param: CeilometerPassword}
roles:
- admin
config_settings:
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
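Review bot: The `ceilometer` Keystone user is now declared only in this template's `keystone_resources`, while the settings it replaces were removed from `ceilometer-base-container-puppet.yaml`, which the other ceilometer services presumably share. A deployment that enables a ceilometer agent without the central agent would then get no service user, so this is worth confirming against the supported role layouts. The removed block also carried the explanation for the missing endpoints; I would keep it here as `# no endpoints: the ceilometer API was removed` above `users:`. Since the `admin` role is now granted explicitly, a short comment on why the agent needs it would help later least-privilege reviews.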


+ 0
- 6
deployment/ceilometer/ceilometer-base-container-puppet.yaml View File

@ -179,11 +179,5 @@ outputs:
- {}
service_config_settings:
keystone:
ceilometer_auth_enabled: true
# NOTE(aschultz): no endpoints since ceilometer api removal
ceilometer::keystone::auth::configure_endpoint: false
ceilometer::keystone::auth::password: {get_param: CeilometerPassword}
ceilometer::keystone::auth::region: {get_param: KeystoneRegion}
ceilometer::keystone::auth::tenant: 'service'
# Enable default notification queue
tripleo::profile::base::keystone::ceilometer_notification_topics: ["notifications"]

+ 16
- 10
deployment/ceph-ansible/ceph-rgw.yaml View File

@ -76,6 +76,22 @@ outputs:
description: Role data for the Ceph RadosGW service.
value:
service_name: ceph_rgw
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, CephRgwPublic, uri]}
internal: {get_param: [EndpointMap, CephRgwInternal, uri]}
admin: {get_param: [EndpointMap, CephRgwAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
roles:
- admin
- member
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- member
upgrade_tasks: []
puppet_config:
config_image: ''
@ -110,13 +126,3 @@ outputs:
- - '9100'
- []
- {}
service_config_settings:
keystone:
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
ceph::rgw::keystone::auth::tenant: service
ceph::rgw::keystone::auth::user: swift
ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}

+ 55
- 11
deployment/cinder/cinder-api-container-puppet.yaml View File

@ -84,6 +84,9 @@ parameters:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
RootStackName:
description: The name of the stack/plan.
type: string
conditions:
@ -124,11 +127,46 @@ outputs:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
keystone_resources:
cinder:
users:
cinder:
password: {get_param: CinderPassword}
roles:
- admin
- service
cinderv2:
endpoints:
public: {get_param: [EndpointMap, CinderV2Public, uri]}
internal: {get_param: [EndpointMap, CinderV2Internal, uri]}
admin: {get_param: [EndpointMap, CinderV2Admin, uri]}
users:
cinderv2:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev2'
cinderv3:
endpoints:
public: {get_param: [EndpointMap, CinderV3Public, uri]}
internal: {get_param: [EndpointMap, CinderV3Internal, uri]}
admin: {get_param: [EndpointMap, CinderV3Admin, uri]}
users:
cinderv3:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev3'
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone_resources_managed: false
- cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
@ -191,17 +229,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_cinder_api:
- {get_param: CinderApiLoggingSource}
keystone:
cinder::keystone::auth::tenant: 'service'
cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]}
cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]}
cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]}
cinder::keystone::auth::password: {get_param: CinderPassword}
cinder::keystone::auth::region: {get_param: KeystoneRegion}
cinder::keystone::auth::roles: ['admin', 'service']
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
@ -419,3 +446,20 @@ outputs:
when:
- step|int == 8
- is_bootstrap_node|bool
external_deploy_tasks:
- name: Manage Cinder Volume Type
become: true
vars:
default_volume_type: {get_param: CinderDefaultVolumeType}
environment:
OS_CLOUD: {get_param: RootStackName}
when:
- step|int == 5
- not ansible_check_mode|bool
shell: |
if ! openstack volume type show "{{ default_volume_type }}"; then
openstack volume type create --public "{{ default_volume_type }}"
fi
args:
executable: /bin/bash
changed_when: false
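Review bot: In the new `Manage Cinder Volume Type` task the Heat parameter `CinderDefaultVolumeType` is templated straight into a bash script inside double quotes, so a value containing `"`, `$(...)` or backticks is interpreted by the shell, and the task runs with `become: true`. Using Ansible's `quote` filter without the surrounding quotes avoids that: `if ! openstack volume type show {{ default_volume_type | quote }}; then` and `openstack volume type create --public {{ default_volume_type | quote }}`. Separately, `changed_when: false` reports "ok" even when the type was just created, and any failure of `show` (for example an authentication error) falls through to `create`. Both could be tightened by registering the `show` result and deriving `changed_when` from it.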

+ 11
- 7
deployment/experimental/designate/designate-api-container-puppet.yaml View File

@ -79,6 +79,17 @@ outputs:
description: Role data for the Designate API role.
value:
service_name: designate_api
keystone_resources:
designate:
endpoints:
public: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, DesignateInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, DesignateAdmin, uri_no_suffix]}
users:
designate:
password: {get_param: DesignatePassword}
region: {get_param: KeystoneRegion}
service: 'dns'
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
config_settings:
map_merge:
@ -105,13 +116,6 @@ outputs:
- {}
- designate::api::workers: {get_param: DesignateWorkers}
service_config_settings:
keystone:
designate::keystone::auth::tenant: 'service'
designate::keystone::auth::public_url: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
designate::keystone::auth::internal_url: { get_param: [ EndpointMap, DesignateInternal, uri_no_suffix ] }
designate::keystone::auth::admin_url: { get_param: [ EndpointMap, DesignateAdmin, uri_no_suffix ] }
designate::keystone::auth::password: {get_param: DesignatePassword}
designate::keystone::auth::region: {get_param: KeystoneRegion}
neutron_api:
neutron::designate::password: {get_param: NeutronPassword}
neutron::designate::url: {get_param: [EndpointMap, DesignateInternal, uri]}


+ 11
- 7
deployment/glance/glance-api-container-puppet.yaml View File

@ -294,6 +294,17 @@ outputs:
description: Role data for the Glance API role.
value:
service_name: glance_api
keystone_resources:
glance:
endpoints:
public: {get_param: [EndpointMap, GlancePublic, uri]}
internal: {get_param: [EndpointMap, GlanceInternal, uri]}
admin: {get_param: [EndpointMap, GlanceAdmin, uri]}
users:
glance:
password: {get_param: GlancePassword}
region: {get_param: KeystoneRegion}
service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
@ -428,13 +439,6 @@ outputs:
- {}
- glance::api::sync_db: false
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
glance::keystone::auth::region: {get_param: KeystoneRegion}
glance::keystone::auth::tenant: 'service'
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance


+ 11
- 7
deployment/gnocchi/gnocchi-api-container-puppet.yaml View File

@ -143,6 +143,17 @@ outputs:
description: Role data for the gnocchi API role.
value:
service_name: gnocchi_api
keystone_resources:
gnocchi:
endpoints:
public: {get_param: [EndpointMap, GnocchiPublic, uri]}
internal: {get_param: [EndpointMap, GnocchiInternal, uri]}
admin: {get_param: [EndpointMap, GnocchiAdmin, uri]}
users:
gnocchi:
password: {get_param: GnocchiPassword}
region: {get_param: KeystoneRegion}
service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
@ -203,13 +214,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_gnocchi_api:
- {get_param: GnocchiApiLoggingSource}
keystone:
gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] }
gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
gnocchi::keystone::auth::password: {get_param: GnocchiPassword}
gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] }
gnocchi::keystone::auth::region: {get_param: KeystoneRegion}
gnocchi::keystone::auth::tenant: 'service'
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi


+ 11
- 9
deployment/heat/heat-api-cfn-container-puppet.yaml View File

@ -100,6 +100,17 @@ outputs:
description: Role data for the Heat API CFN role.
value:
service_name: heat_api_cfn
keystone_resources:
heat-cfn:
endpoints:
public: {get_param: [EndpointMap, HeatCfnPublic, uri]}
internal: {get_param: [EndpointMap, HeatCfnInternal, uri]}
admin: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
users:
heat-cfn:
password: {get_param: HeatPassword}
region: {get_param: KeystoneRegion}
service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
@ -145,15 +156,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api_cfn:
- {get_param: HeatApiCfnLoggingSource}
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- heat::keystone::auth_cfn::tenant: 'service'
heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api_cfn


+ 24
- 9
deployment/heat/heat-api-container-puppet.yaml View File

@ -74,6 +74,10 @@ parameters:
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
HeatStackDomainAdminPassword:
description: Password for heat_stack_domain_admin user.
type: string
hidden: true
conditions:
@ -114,6 +118,26 @@ outputs:
description: Role data for the Heat API role.
value:
service_name: heat_api
keystone_resources:
heat:
endpoints:
public: {get_param: [EndpointMap, HeatPublic, uri]}
internal: {get_param: [EndpointMap, HeatInternal, uri]}
admin: {get_param: [EndpointMap, HeatAdmin, uri]}
users:
heat:
password: {get_param: HeatPassword}
heat_stack_domain_admin:
password: {get_param: HeatStackDomainAdminPassword}
roles:
- admin
domain: heat_stack
region: {get_param: KeystoneRegion}
service: 'orchestration'
roles:
- heat_stack_user
domains:
- heat_stack
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
@ -162,15 +186,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api:
- {get_param: HeatApiLoggingSource}
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- heat::keystone::auth::tenant: 'service'
heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api


+ 0
- 5
deployment/heat/heat-base-puppet.yaml View File

@ -186,8 +186,3 @@ outputs:
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
service_config_settings:
keystone:
tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin'
tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost'

+ 0
- 4
deployment/heat/heat-engine-container-puppet.yaml View File

@ -201,10 +201,6 @@ outputs:
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat


+ 2
- 3
deployment/horizon/horizon-container-puppet.yaml View File

@ -203,9 +203,8 @@ outputs:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
service_config_settings:
keystone:
keystone_enable_member: true
ansible_group_vars:
keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
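Review bot: Moving `keystone_enable_member: true` from `service_config_settings.keystone` to `ansible_group_vars` only has an effect if something reads that group variable, and nothing on this page does. The keystone template sets `tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}`, which takes the Heat parameter and not the variable Horizon now exports. If that reading is right, enabling Horizon would no longer force creation of the member role as the old hiera key did. Either the role variable should be derived from `keystone_enable_member`, or a comment here should state which consumer picks the group var up.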


+ 14
- 9
deployment/ironic/ironic-api-container-puppet.yaml View File

@ -106,6 +106,20 @@ outputs:
description: Role data for the Ironic API role.
value:
service_name: ironic_api
keystone_resources:
ironic:
endpoints:
public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
users:
ironic:
password: {get_param: IronicPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'baremetal'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
@ -166,15 +180,6 @@ outputs:
- 13385
- apache::default_vhost: false
service_config_settings:
keystone:
ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::keystone::auth::auth_name: 'ironic'
ironic::keystone::auth::password: {get_param: IronicPassword }
ironic::keystone::auth::tenant: 'service'
ironic::keystone::auth::region: {get_param: KeystoneRegion}
ironic::keystone::auth::roles: ['admin', 'service']
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic


+ 11
- 7
deployment/ironic/ironic-inspector-container-puppet.yaml View File

@ -181,6 +181,17 @@ outputs:
description: Role data for the Ironic Inspector role.
value:
service_name: ironic_inspector
keystone_resources:
ironic-inspector:
endpoints:
public: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
internal: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
admin: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
users:
ironic-inspector:
password: {get_param: IronicPassword}
region: {get_param: KeystoneRegion}
service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
@ -304,13 +315,6 @@ outputs:
- ironic::inspector::tftp_root: /var/lib/ironic/tftpboot
- ironic::inspector::http_root: /var/lib/ironic/httpboot
service_config_settings:
keystone:
ironic::keystone::auth_inspector::tenant: 'service'
ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector


+ 37
- 1
deployment/keystone/keystone-container-puppet.yaml View File

@ -343,6 +343,7 @@ outputs:
- {}
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone_enable_member: {get_param: KeystoneEnableMember}
- keystone_resources_managed: false
- keystone::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
@ -688,11 +689,46 @@ outputs:
username: admin
identity_api_version: '3'
region_name: {get_param: KeystoneRegion}
- name: Manage Keystone resources
become: true
when:
- step|int == 4
- not ansible_check_mode|bool
block:
- name: Manage Keystone resources for OpenStack services
include_role:
name: tripleo-keystone-resources
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_service_project: 'service'
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
tripleo_keystone_resources_region: {get_param: KeystoneRegion}
tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
- name: is Keystone LDAP enabled
set_fact:
keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
- name: Set fact for tripleo_keystone_ldap_domains
set_fact:
tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
when: keystone_ldap_domain_enabled|bool
- name: Manage Keystone domains from LDAP config
when: keystone_ldap_domain_enabled|bool
include_role:
name: tripleo-keystone-resources
tasks_from: domains
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
container_puppet_tasks:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
puppet_tags: 'keystone_config'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
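Review bot: The new `Manage Keystone resources` block passes secrets as plain task variables with no `no_log`. `tripleo_keystone_resources_admin_password` comes from `AdminPassword`, and `keystone_resources` carries every service password declared elsewhere in this commit. Whether the `tripleo-keystone-resources` role masks its own tasks is not visible here. The `set_fact` for `tripleo_keystone_ldap_domains` also stores the whole `KeystoneLDAPBackendConfigs` map as a host fact, although the only use shown is `| list`, which needs just the keys. If that map can hold LDAP bind credentials (its schema is not on this page), I would add `no_log: true` to that task, or pass the parameter directly in the `include_role` vars so it is never stored as a fact.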


+ 22
- 13
deployment/manila/manila-api-container-puppet.yaml View File

@ -94,6 +94,27 @@ outputs:
description: Role data for the Manila API role.
value:
service_name: manila_api
keystone_resources:
manila:
endpoints:
public: {get_param: [EndpointMap, ManilaV1Public, uri]}
internal: {get_param: [EndpointMap, ManilaV1Internal, uri]}
admin: {get_param: [EndpointMap, ManilaV1Admin, uri]}
users:
manila:
password: {get_param: ManilaPassword}
region: {get_param: KeystoneRegion}
service: 'share'
manilav2:
endpoints:
public: {get_param: [EndpointMap, ManilaPublic, uri]}
internal: {get_param: [EndpointMap, ManilaInternal, uri]}
admin: {get_param: [EndpointMap, ManilaAdmin, uri]}
users:
manilav2:
password: {get_param: ManilaPassword}
region: {get_param: KeystoneRegion}
service: 'sharev2'
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
config_settings:
map_merge:
@ -142,19 +163,7 @@ outputs:
- manila_workers_zero
- {}
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
service_config_settings:
map_merge:
- get_attr: [ManilaBase, role_data, service_config_settings]
- keystone:
manila::keystone::auth::tenant: 'service'
manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]}
manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]}
manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]}
manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]}
manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]}
manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
manila::keystone::auth::password: {get_param: ManilaPassword}
manila::keystone::auth::region: {get_param: KeystoneRegion}
service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: manila


+ 19
- 0
deployment/mistral/mistral-api-container-puppet.yaml View File

@ -66,6 +66,14 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
MistralPassword:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
conditions:
mistral_workers_zero: {equals : [{get_param: MistralWorkers}, 0]}
@ -94,6 +102,17 @@ outputs:
description: Role data for the Mistral API role.
value:
service_name: mistral_api
keystone_resources:
mistral:
endpoints:
public: {get_param: [EndpointMap, MistralPublic, uri]}
internal: {get_param: [EndpointMap, MistralInternal, uri]}
admin: {get_param: [EndpointMap, MistralAdmin, uri]}
users:
mistral:
password: {get_param: MistralPassword}
region: {get_param: KeystoneRegion}
service: 'workflowv2'
config_settings:
map_merge:
- get_attr: [MistralBase, role_data, config_settings]


+ 0
- 11
deployment/mistral/mistral-base.yaml View File

@ -45,10 +45,6 @@ parameters:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NotificationDriver:
type: string
default: 'messagingv2'
@ -93,13 +89,6 @@ outputs:
- - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
- '/ec2tokens'
service_config_settings:
keystone:
mistral::keystone::auth::tenant: 'service'
mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]}
mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]}
mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]}
mistral::keystone::auth::password: {get_param: MistralPassword}
mistral::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
mistral::db::mysql::user: mistral
mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}


+ 11
- 7
deployment/neutron/neutron-api-container-puppet.yaml

@ -224,6 +224,17 @@ outputs:
description: Role data for the Neutron API role.
value:
service_name: neutron_api
keystone_resources:
neutron:
endpoints:
public: {get_param: [EndpointMap, NeutronPublic, uri]}
internal: {get_param: [EndpointMap, NeutronInternal, uri]}
admin: {get_param: [EndpointMap, NeutronAdmin, uri]}
users:
neutron:
password: {get_param: NeutronPassword}
region: {get_param: KeystoneRegion}
service: 'network'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
@ -371,13 +382,6 @@ outputs:
rsyslog:
tripleo_logging_sources_neutron_api:
- {get_param: NeutronApiLoggingSource}
keystone:
neutron::keystone::auth::tenant: 'service'
neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]}
neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] }
neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
neutron::keystone::auth::password: {get_param: NeutronPassword}
neutron::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron


+ 14
- 8
deployment/nova/nova-api-container-puppet.yaml

@ -152,6 +152,20 @@ outputs:
description: Role data for the Nova API role.
value:
service_name: nova_api
keystone_resources:
nova:
endpoints:
public: {get_param: [EndpointMap, NovaPublic, uri]}
internal: {get_param: [EndpointMap, NovaInternal, uri]}
admin: {get_param: [EndpointMap, NovaAdmin, uri]}
users:
nova:
roles:
- admin
- service
password: {get_param: NovaPassword}
region: {get_param: KeystoneRegion}
service: 'compute'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
config_settings:
map_merge:
@ -231,14 +245,6 @@ outputs:
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
nova::keystone::auth::roles: ['admin', 'service']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova
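Review bot: The `roles:` list under `users:` / `nova:` carries the `admin` role over for the nova service user without saying why, and in the sections visible on this page nova is the only user whose role list sits next to its password. This block now declares what Keystone grants, so the privilege should be documented where it is declared. I would add a comment above the list, for example `# admin is needed for <reason to confirm>; keep in sync with the services that rely on it`. The enclosing `role_data` value continues outside the hunk.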


+ 0
- 7
deployment/nova/nova-metadata-container-puppet.yaml

@ -172,13 +172,6 @@ outputs:
rsyslog:
tripleo_logging_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}


+ 11
- 4
deployment/nova/novajoin-container-puppet.yaml

@ -89,6 +89,17 @@ outputs:
description: Role data for the novajoin API role.
value:
service_name: novajoin
keystone_resources:
novajoin:
endpoints:
public: {get_param: [EndpointMap, NovajoinPublic, uri]}
internal: {get_param: [EndpointMap, NovajoinInternal, uri]}
admin: {get_param: [EndpointMap, NovajoinAdmin, uri]}
users:
novajoin:
password: {get_param: NovajoinPassword}
region: {get_param: KeystoneRegion}
service: 'compute-vendordata-plugin'
config_settings:
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
@ -118,10 +129,6 @@ outputs:
dport:
- 9090
service_config_settings:
keystone:
nova::metadata::novajoin::auth::tenant: 'service'
nova::metadata::novajoin::auth::password: {get_param: NovajoinPassword}
nova::metadata::novajoin::auth::region: {get_param: KeystoneRegion}
nova_metadata: &nova_vendordata
novajoin_address:
str_replace:


+ 11
- 7
deployment/octavia/octavia-api-container-puppet.yaml

@ -131,6 +131,17 @@ outputs:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
keystone_resources:
octavia:
endpoints:
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
users:
octavia:
password: {get_param: OctaviaPassword}
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
@ -191,13 +202,6 @@ outputs:
rsyslog:
tripleo_logging_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
keystone:
octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}
octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]}
octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] }
octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] }
octavia::keystone::auth::password: {get_param: OctaviaPassword}
octavia::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
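Review bot: The old `octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}` setting has no counterpart in the new `keystone_resources` block. A deployment that overrides OctaviaProjectName may therefore get the octavia user created in a different project from the one the service authenticates against. Whether `keystone_resources` can express a per-user project is not visible on this page. If it can, pass OctaviaProjectName through; if it cannot, add a comment next to `users:` stating that the project is fixed. The same question applies to external-swift-proxy-baremetal-puppet.yaml, where `swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant}` appears among the old settings and the new block has no equivalent.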


+ 11
- 7
deployment/placement/placement-api-container-puppet.yaml

@ -110,6 +110,17 @@ outputs:
description: Role data for the Placement API role.
value:
service_name: placement
keystone_resources:
placement:
endpoints:
public: {get_param: [EndpointMap, PlacementPublic, uri]}
internal: {get_param: [EndpointMap, PlacementInternal, uri]}
admin: {get_param: [EndpointMap, PlacementAdmin, uri]}
users:
placement:
password: {get_param: PlacementPassword}
region: {get_param: KeystoneRegion}
service: 'placement'
config_settings:
map_merge:
- get_attr: [PlacementLogging, config_settings]
@ -163,13 +174,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_placement:
- {get_param: PlacementLoggingSource}
keystone:
placement::keystone::auth::tenant: 'service'
placement::keystone::auth::public_url: {get_param: [EndpointMap, PlacementPublic, uri]}
placement::keystone::auth::internal_url: {get_param: [EndpointMap, PlacementInternal, uri]}
placement::keystone::auth::admin_url: {get_param: [EndpointMap, PlacementAdmin, uri]}
placement::keystone::auth::password: {get_param: PlacementPassword}
placement::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement


+ 11
- 7
deployment/sahara/sahara-api-container-puppet.yaml

@ -92,6 +92,17 @@ outputs:
description: Role data for the Sahara API role.
value:
service_name: sahara_api
keystone_resources:
sahara:
endpoints:
public: {get_param: [EndpointMap, SaharaPublic, uri]}
internal: {get_param: [EndpointMap, SaharaInternal, uri]}
admin: {get_param: [EndpointMap, SaharaAdmin, uri]}
users:
sahara:
password: {get_param: SaharaPassword}
region: {get_param: KeystoneRegion}
service: 'data-processing'
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
config_settings:
map_merge:
@ -120,13 +131,6 @@ outputs:
rsyslog:
tripleo_logging_sources_sahara_api:
- {get_param: SaharaApiLoggingSource}
keystone:
sahara::keystone::auth::tenant: 'service'
sahara::keystone::auth::public_url: {get_param: [EndpointMap, SaharaPublic, uri]}
sahara::keystone::auth::internal_url: {get_param: [EndpointMap, SaharaInternal, uri]}
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
sahara::db::mysql::password: {get_param: SaharaPassword}
sahara::db::mysql::user: sahara


+ 24
- 15
deployment/swift/external-swift-proxy-baremetal-puppet.yaml

@ -63,20 +63,29 @@ outputs:
step_config:
service_config_settings:
keystone:
swift::keystone::auth::public_url: {get_param: ExternalPublicUrl}
swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl}
swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl}
swift::keystone::auth::public_url_s3: ''
swift::keystone::auth::internal_url_s3: ''
swift::keystone::auth::admin_url_s3: ''
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant}
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
keystone_resources:
swift:
endpoints:
public:
if:
- deprecated_external_public_url
- {get_param: ExternalPublicUrl}
- {get_param: ExternalSwiftPublicUrl}
internal:
if:
- deprecated_external_internal_url
- {get_param: ExternalInternalUrl}
- {get_param: ExternalSwiftInternalUrl}
admin:
if:
- deprecated_external_admin_url
- {get_param: ExternalAdminUrl}
- {get_param: ExternalSwiftAdminUrl}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- swiftoperator
- ResellerAdmin

+ 14
- 16
deployment/swift/swift-proxy-container-puppet.yaml

@ -126,6 +126,20 @@ outputs:
description: Role data for the swift proxy.
value:
service_name: swift_proxy
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, SwiftPublic, uri]}
internal: {get_param: [EndpointMap, SwiftInternal, uri]}
admin: {get_param: [EndpointMap, SwiftAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- swiftoperator
- ResellerAdmin
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
config_settings:
map_merge:
@ -253,22 +267,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
service_config_settings:
keystone:
swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: 'service'
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
- swiftoperator
- ResellerAdmin
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift


+ 26
- 2
deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml

@ -80,6 +80,10 @@ parameters:
type: json
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
outputs:
role_data:
@ -100,7 +104,27 @@ outputs:
service_config_settings:
rabbitmq:
vrts_rabbitmq_passwd: {get_param: VrtsRabbitPassword}
keystone:
vrts_keystone_passwd: {get_param: VrtsKeystonePassword}
mysql:
vrts_mysql_passwd: {get_param: VrtsMysqlPassword}
keystone_resources:
hyperscale:
# Replicating what was done with Puppet manifest:
# https://github.com/vtas-hyperscale-ci/puppet-veritas_hyperscale/blob/7c7868adb027c5bcfdcb6fc9d86610470759ae28/manifests/hs_keystone.pp#L17
# Moving forward, we should have the Veritas part of EndpointMap so the service
# can live outside of the Keystone node.
endpoints:
public: &veritas_endpoint
make_url:
scheme: {get_param: [EndpointMap, KeystoneAdmin, protocol]}
host: {get_param: [EndpointMap, KeystoneAdmin, host]}
port: 8753
path: /v1/%(tenant_id)s
internal: *veritas_endpoint
admin: *veritas_endpoint
users:
hyperscale:
password: {get_param: VrtsKeystonePassword}
region: {get_param: KeystoneRegion}
service: 'infrastructure'
roles:
- infra_admin
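Review bot: `internal` and `admin` alias the `&veritas_endpoint` anchor defined on `public`, so all three catalog entries are built from the KeystoneAdmin protocol and host with the fixed port 8753. The public entry therefore advertises the admin-side address and inherits whatever scheme KeystoneAdmin carries, which may not be what clients on the public network should be handed. The existing comment says this replicates the Puppet manifest. I would extend it with a line such as `# public intentionally reuses the Keystone admin address until Veritas has its own EndpointMap entries`, so the exposure is a documented choice.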

+ 21
- 12
deployment/zaqar/zaqar-container-puppet.yaml

@ -116,6 +116,27 @@ outputs:
description: Role data for the Zaqar API role.
value:
service_name: zaqar_api
keystone_resources:
zaqar:
endpoints:
public: {get_param: [EndpointMap, ZaqarPublic, uri]}
internal: {get_param: [EndpointMap, ZaqarInternal, uri]}
admin: {get_param: [EndpointMap, ZaqarAdmin, uri]}
users:
zaqar:
password: {get_param: ZaqarPassword}
region: {get_param: KeystoneRegion}
service: 'messaging'
zaqar-websocket:
endpoints:
public: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]}
internal: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]}
admin: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]}
users:
zaqar-websocket:
password: {get_param: ZaqarPassword}
region: {get_param: KeystoneRegion}
service: 'messaging-websocket'
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -204,18 +225,6 @@ outputs:
service_config_settings:
map_merge:
- keystone:
zaqar::keystone::auth::password: {get_param: ZaqarPassword}
zaqar::keystone::auth::public_url: {get_param: [EndpointMap, ZaqarPublic, uri]}
zaqar::keystone::auth::admin_url: {get_param: [EndpointMap, ZaqarAdmin, uri]}
zaqar::keystone::auth::internal_url: {get_param: [EndpointMap, ZaqarInternal, uri]}
zaqar::keystone::auth::region: {get_param: KeystoneRegion}
zaqar::keystone::auth::tenant: 'service'
zaqar::keystone::auth_websocket::password: {get_param: ZaqarPassword}
zaqar::keystone::auth_websocket::public_url: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]}
zaqar::keystone::auth_websocket::admin_url: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]}
zaqar::keystone::auth_websocket::internal_url: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]}
zaqar::keystone::auth_websocket::region: {get_param: KeystoneRegion}
zaqar::keystone::auth_websocket::tenant: 'service'
zaqar::keystone::trust::password: {get_param: ZaqarPassword}
zaqar::keystone::trust::user_domain_name: 'Default'
tripleo::zaqar_api::firewall_rules:


+ 3
- 0
environments/ssl/no-tls-endpoints-public-ip.yaml

@ -78,6 +78,9 @@ parameter_defaults:
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS}
NovajoinAdmin: {protocol: http, port: '9090', host: IP_ADDRESS}
NovajoinInternal: {protocol: http, port: '9090', host: IP_ADDRESS}
NovajoinPublic: {protocol: http, port: '9090', host: IP_ADDRESS}
NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS}
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}


+ 3
- 0
environments/ssl/tls-endpoints-public-dns.yaml

@ -74,6 +74,9 @@ parameter_defaults:
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
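Review bot: `NovajoinPublic` is advertised as https on port 13090, but the only novajoin port visible in this change is 9090, in the firewall `dport` context of novajoin-container-puppet.yaml and `port: 9090` in endpoint_data.yaml. Unless a TLS-terminating frontend for 13090 is configured elsewhere, the public catalog entry would point at a port with no listener. Please confirm the proxy side, or note the dependency next to the entry. The same entry is added in tls-endpoints-public-ip.yaml and tls-everywhere-endpoints-dns.yaml.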


+ 3
- 0
environments/ssl/tls-endpoints-public-ip.yaml

@ -74,6 +74,9 @@ parameter_defaults:
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}


+ 3
- 0
environments/ssl/tls-everywhere-endpoints-dns.yaml

@ -74,6 +74,9 @@ parameter_defaults:
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}


+ 15
- 0
network/endpoints/endpoint_data.yaml

@ -398,3 +398,18 @@ NovaMetadata:
Internal:
net_param: NovaMetadata
port: 8775
Novajoin:
Internal:
net_param: Novajoin
uri_suffixes:
'': /v1
Public:
net_param: Public
uri_suffixes:
'': /v1
Admin:
net_param: Novajoin
uri_suffixes:
'': /v1
port: 9090

+ 396
- 0
network/endpoints/endpoint_map.yaml

@ -287,6 +287,18 @@ parameters:
protocol: http
port: '6080'
host: IP_ADDRESS
NovajoinAdmin:
protocol: http
port: '9090'
host: IP_ADDRESS
NovajoinInternal:
protocol: http
port: '9090'
host: IP_ADDRESS
NovajoinPublic:
protocol: http
port: '9090'
host: IP_ADDRESS
OctaviaAdmin:
protocol: http
port: '9876'
@ -10918,6 +10930,390 @@ outputs:
- EndpointMap
- OctaviaPublic
- port
NovajoinAdmin:
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
host_nobrackets:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- get_param:
- ServiceNetMap
- NovajoinNetwork
port:
get_param:
- EndpointMap
- NovajoinAdmin
- port
protocol:
get_param:
- EndpointMap
- NovajoinAdmin
- protocol
uri:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinAdmin
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinAdmin
- port
path: /v1