[train-squash] Backport "all Keystone resources with Ansible"

Manage all Keystone resources with Ansible

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
(cherry picked from commit 7f40baabcd)

keystone: fix trailing space

Change-Id: Id3642bd4f539f496d00298ab7996720f14cd0a3c
(cherry picked from commit 4c167191dc)

deployment: document keystone_resources

Bring some documentation into the deployment README about the new
keystone_resources interface.

Change-Id: I17c2c451136eb4729e4751a250d5545019ea84ff
(cherry picked from commit 362e92fb82)

Add novajoin to EndpointMap

Previously, novajoin was relying on hiera data to populate endpoints in
keystone, but that recently changed for the rest of the OpenStack
services. This commit updates novajoin to use the same approach with
EndpointMap. Otherwise, deploying the undercloud fails with an error
message similar to the following:

  Cannot create an endpoint with an invalid URL: http://%{hiera('ctlplane')}:9090/v1/.

Change-Id: I0e177a5e21ed9fb5eacba7a766c153ba99af34ae
(cherry picked from commit 18e51ca533)

keystone/ldap: add missing cloud name

... or Ansible will use the default "openstack" cloud, which isn't good.
We need to create domains in the actual overcloud.

Change-Id: I129d7355364c87c40f51372b402620790a31ec81
(cherry picked from commit b3538251d6)
Emilien Macchi 2019-12-02 17:08:11 -05:00
parent a1824a3faf
commit 32279c4a32
43 changed files with 908 additions and 224 deletions

@ -218,6 +218,10 @@ parameters:
default: []
description: List of VIP (virtual IP) hosts entries to be appended to /etc/hosts
type: comma_delimited_list
KeystoneResourcesConfigs:
description: The keystone resources config.
type: json
default: {}
conditions:
{% for role in enabled_roles %}
@ -389,6 +393,7 @@ outputs:
undercloud_hosts_entries: {get_param: UndercloudHostsEntries}
extra_hosts_entries: {get_param: ExtraHostsEntries}
vip_hosts_entries: {get_param: VipHostsEntries}
keystone_resources: {get_param: KeystoneResourcesConfigs}
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
hiera_steps_tasks: {get_file: hiera-steps-tasks.yaml}
deploy_steps_tasks_step_0: {get_file: deploy-steps-tasks-step-0.yaml}
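Review bot: `KeystoneResourcesConfigs` is declared without `hidden: true`, although the value passed in appears to carry every service password (the per-service `keystone_resources` entries elsewhere in this commit set `password: {get_param: AodhPassword}` and similar). Each individual password parameter on this page is declared `hidden: true`, so leaving the aggregate unhidden would expose the same secrets wherever Heat displays stack parameters. Add `hidden: true` under the parameter, next to `type: json`. The value is also exported as the `keystone_resources` output, so it is worth checking where that output is written and who can read it.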

@ -133,6 +133,16 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('global_config_settings')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
KeystoneResourcesConfigs:
type: OS::Heat::Value
properties:
type: json
value:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('keystone_resources')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
ServiceConfigSettings:
type: OS::Heat::Value
properties:
@ -371,6 +381,7 @@ outputs:
upgrade_batch_tasks: {get_attr: [UpgradeBatchTasks, value]}
service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]}
ansible_group_vars: {get_attr: [AnsibleGroupVars, value]}
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
# Keys to support docker/services
puppet_config: {get_attr: [PuppetConfig, value]}
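Review bot: `map_merge` over the per-service `keystone_resources` maps is shallow, so two enabled services that use the same top-level key silently overwrite one another and only the last survives. Elsewhere in this commit the Ceph RGW template keys its entry `swift`, which would presumably collide with the Swift proxy's own entry if both are enabled; the losing side's endpoints, roles and password would be dropped without any error. A comment above `KeystoneResourcesConfigs` such as `# top-level keys must be unique across services; map_merge keeps only the last one` would document the constraint, and a validation that fails on duplicate keys would be safer.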

@ -328,3 +328,11 @@ implementation of this hook needs to conform to the following:
* This needs to define an output called `metadata` which will be given to the
Nova Server resource as the instance's metadata.
Keystone resources management
-----------------------------
Keystone resources, such as users, roles, domains, endpoints, services, role
assignments, are now managed by `tripleo-keystone-resources`_ Ansible role.
.. _tripleo-keystone-resources: https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo-keystone-resources.html

@ -58,6 +58,14 @@ parameters:
e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
AodhPassword:
description: The password for the aodh services.
type: string
hidden: true
conditions:
@ -97,6 +105,17 @@ outputs:
description: Role data for the aodh API role.
value:
service_name: aodh_api
keystone_resources:
aodh:
endpoints:
public: {get_param: [EndpointMap, AodhPublic, uri]}
internal: {get_param: [EndpointMap, AodhInternal, uri]}
admin: {get_param: [EndpointMap, AodhAdmin, uri]}
users:
aodh:
password: {get_param: AodhPassword}
region: {get_param: KeystoneRegion}
service: 'alarming'
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
config_settings:
map_merge:

@ -95,13 +95,6 @@ outputs:
aodh::auth::auth_region: {get_param: KeystoneRegion}
aodh::auth::auth_tenant_name: 'service'
service_config_settings:
keystone:
aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]}
aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]}
aodh::keystone::auth::admin_url: {get_param: [EndpointMap, AodhAdmin, uri]}
aodh::keystone::auth::password: {get_param: AodhPassword}
aodh::keystone::auth::region: {get_param: KeystoneRegion}
aodh::keystone::auth::tenant: 'service'
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}

@ -181,6 +181,22 @@ outputs:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -244,12 +260,6 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
barbican::keystone::auth::password: {get_param: BarbicanPassword}
barbican::keystone::auth::region: {get_param: KeystoneRegion}
barbican::keystone::auth::tenant: 'service'
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
nova_compute:
nova::compute::keymgr_backend: >

@ -52,6 +52,10 @@ parameters:
default: false
description: Whether to enable gnocchi usage.
type: boolean
CeilometerPassword:
description: The password for the ceilometer service account.
type: string
hidden: true
conditions:
ceilometer_enable_gnocchi: {equals: [{get_param: CeilometerEnableGnocchi}, True]}
@ -77,6 +81,13 @@ outputs:
value:
service_name: ceilometer_agent_central
monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCentral}
keystone_resources:
ceilometer:
users:
ceilometer:
password: {get_param: CeilometerPassword}
roles:
- admin
config_settings:
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]

@ -179,11 +179,5 @@ outputs:
- {}
service_config_settings:
keystone:
ceilometer_auth_enabled: true
# NOTE(aschultz): no endpoints since ceilometer api removal
ceilometer::keystone::auth::configure_endpoint: false
ceilometer::keystone::auth::password: {get_param: CeilometerPassword}
ceilometer::keystone::auth::region: {get_param: KeystoneRegion}
ceilometer::keystone::auth::tenant: 'service'
# Enable default notification queue
tripleo::profile::base::keystone::ceilometer_notification_topics: ["notifications"]

@ -76,6 +76,22 @@ outputs:
description: Role data for the Ceph RadosGW service.
value:
service_name: ceph_rgw
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, CephRgwPublic, uri]}
internal: {get_param: [EndpointMap, CephRgwInternal, uri]}
admin: {get_param: [EndpointMap, CephRgwAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
roles:
- admin
- member
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- member
upgrade_tasks: []
puppet_config:
config_image: ''
@ -110,13 +126,3 @@ outputs:
- - '9100'
- []
- {}
service_config_settings:
keystone:
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
ceph::rgw::keystone::auth::tenant: service
ceph::rgw::keystone::auth::user: swift
ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}

@ -84,6 +84,9 @@ parameters:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
RootStackName:
description: The name of the stack/plan.
type: string
conditions:
@ -124,11 +127,46 @@ outputs:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
keystone_resources:
cinder:
users:
cinder:
password: {get_param: CinderPassword}
roles:
- admin
- service
cinderv2:
endpoints:
public: {get_param: [EndpointMap, CinderV2Public, uri]}
internal: {get_param: [EndpointMap, CinderV2Internal, uri]}
admin: {get_param: [EndpointMap, CinderV2Admin, uri]}
users:
cinderv2:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev2'
cinderv3:
endpoints:
public: {get_param: [EndpointMap, CinderV3Public, uri]}
internal: {get_param: [EndpointMap, CinderV3Internal, uri]}
admin: {get_param: [EndpointMap, CinderV3Admin, uri]}
users:
cinderv3:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev3'
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone_resources_managed: false
- cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
@ -191,17 +229,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_cinder_api:
- {get_param: CinderApiLoggingSource}
keystone:
cinder::keystone::auth::tenant: 'service'
cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]}
cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]}
cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]}
cinder::keystone::auth::password: {get_param: CinderPassword}
cinder::keystone::auth::region: {get_param: KeystoneRegion}
cinder::keystone::auth::roles: ['admin', 'service']
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
@ -419,3 +446,20 @@ outputs:
when:
- step|int == 8
- is_bootstrap_node|bool
external_deploy_tasks:
- name: Manage Cinder Volume Type
become: true
vars:
default_volume_type: {get_param: CinderDefaultVolumeType}
environment:
OS_CLOUD: {get_param: RootStackName}
when:
- step|int == 5
- not ansible_check_mode|bool
shell: |
if ! openstack volume type show "{{ default_volume_type }}"; then
openstack volume type create --public "{{ default_volume_type }}"
fi
args:
executable: /bin/bash
changed_when: false
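Review bot: The `shell` task in `Manage Cinder Volume Type` renders `{{ default_volume_type }}` straight into a bash script inside hand-written double quotes, so a `CinderDefaultVolumeType` value containing a double quote, backtick or `$(...)` is interpreted by the shell, and the task runs with `become: true`. Use the quote filter instead: `openstack volume type show {{ default_volume_type | quote }}` and likewise `openstack volume type create --public {{ default_volume_type | quote }}`. Separately, any failure of `volume type show` (an authentication or endpoint error, not only a missing type) falls through to `create`, and `changed_when: false` hides the fact that a type was created.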

@ -79,6 +79,17 @@ outputs:
description: Role data for the Designate API role.
value:
service_name: designate_api
keystone_resources:
designate:
endpoints:
public: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, DesignateInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, DesignateAdmin, uri_no_suffix]}
users:
designate:
password: {get_param: DesignatePassword}
region: {get_param: KeystoneRegion}
service: 'dns'
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
config_settings:
map_merge:
@ -105,13 +116,6 @@ outputs:
- {}
- designate::api::workers: {get_param: DesignateWorkers}
service_config_settings:
keystone:
designate::keystone::auth::tenant: 'service'
designate::keystone::auth::public_url: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
designate::keystone::auth::internal_url: { get_param: [ EndpointMap, DesignateInternal, uri_no_suffix ] }
designate::keystone::auth::admin_url: { get_param: [ EndpointMap, DesignateAdmin, uri_no_suffix ] }
designate::keystone::auth::password: {get_param: DesignatePassword}
designate::keystone::auth::region: {get_param: KeystoneRegion}
neutron_api:
neutron::designate::password: {get_param: NeutronPassword}
neutron::designate::url: {get_param: [EndpointMap, DesignateInternal, uri]}

@ -294,6 +294,17 @@ outputs:
description: Role data for the Glance API role.
value:
service_name: glance_api
keystone_resources:
glance:
endpoints:
public: {get_param: [EndpointMap, GlancePublic, uri]}
internal: {get_param: [EndpointMap, GlanceInternal, uri]}
admin: {get_param: [EndpointMap, GlanceAdmin, uri]}
users:
glance:
password: {get_param: GlancePassword}
region: {get_param: KeystoneRegion}
service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
@ -428,13 +439,6 @@ outputs:
- {}
- glance::api::sync_db: false
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
glance::keystone::auth::region: {get_param: KeystoneRegion}
glance::keystone::auth::tenant: 'service'
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance

@ -143,6 +143,17 @@ outputs:
description: Role data for the gnocchi API role.
value:
service_name: gnocchi_api
keystone_resources:
gnocchi:
endpoints:
public: {get_param: [EndpointMap, GnocchiPublic, uri]}
internal: {get_param: [EndpointMap, GnocchiInternal, uri]}
admin: {get_param: [EndpointMap, GnocchiAdmin, uri]}
users:
gnocchi:
password: {get_param: GnocchiPassword}
region: {get_param: KeystoneRegion}
service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
@ -203,13 +214,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_gnocchi_api:
- {get_param: GnocchiApiLoggingSource}
keystone:
gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] }
gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
gnocchi::keystone::auth::password: {get_param: GnocchiPassword}
gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] }
gnocchi::keystone::auth::region: {get_param: KeystoneRegion}
gnocchi::keystone::auth::tenant: 'service'
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi

@ -100,6 +100,17 @@ outputs:
description: Role data for the Heat API CFN role.
value:
service_name: heat_api_cfn
keystone_resources:
heat-cfn:
endpoints:
public: {get_param: [EndpointMap, HeatCfnPublic, uri]}
internal: {get_param: [EndpointMap, HeatCfnInternal, uri]}
admin: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
users:
heat-cfn:
password: {get_param: HeatPassword}
region: {get_param: KeystoneRegion}
service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
@ -145,15 +156,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api_cfn:
- {get_param: HeatApiCfnLoggingSource}
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- heat::keystone::auth_cfn::tenant: 'service'
heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api_cfn

@ -74,6 +74,10 @@ parameters:
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
HeatStackDomainAdminPassword:
description: Password for heat_stack_domain_admin user.
type: string
hidden: true
conditions:
@ -114,6 +118,26 @@ outputs:
description: Role data for the Heat API role.
value:
service_name: heat_api
keystone_resources:
heat:
endpoints:
public: {get_param: [EndpointMap, HeatPublic, uri]}
internal: {get_param: [EndpointMap, HeatInternal, uri]}
admin: {get_param: [EndpointMap, HeatAdmin, uri]}
users:
heat:
password: {get_param: HeatPassword}
heat_stack_domain_admin:
password: {get_param: HeatStackDomainAdminPassword}
roles:
- admin
domain: heat_stack
region: {get_param: KeystoneRegion}
service: 'orchestration'
roles:
- heat_stack_user
domains:
- heat_stack
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
@ -162,15 +186,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api:
- {get_param: HeatApiLoggingSource}
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- heat::keystone::auth::tenant: 'service'
heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api

@ -186,8 +186,3 @@ outputs:
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
service_config_settings:
keystone:
tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin'
tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost'

@ -201,10 +201,6 @@ outputs:
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat

@ -203,9 +203,8 @@ outputs:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
service_config_settings:
keystone:
keystone_enable_member: true
ansible_group_vars:
keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon

@ -106,6 +106,20 @@ outputs:
description: Role data for the Ironic API role.
value:
service_name: ironic_api
keystone_resources:
ironic:
endpoints:
public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
users:
ironic:
password: {get_param: IronicPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'baremetal'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
@ -166,15 +180,6 @@ outputs:
- 13385
- apache::default_vhost: false
service_config_settings:
keystone:
ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::keystone::auth::auth_name: 'ironic'
ironic::keystone::auth::password: {get_param: IronicPassword }
ironic::keystone::auth::tenant: 'service'
ironic::keystone::auth::region: {get_param: KeystoneRegion}
ironic::keystone::auth::roles: ['admin', 'service']
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic

@ -181,6 +181,17 @@ outputs:
description: Role data for the Ironic Inspector role.
value:
service_name: ironic_inspector
keystone_resources:
ironic-inspector:
endpoints:
public: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
internal: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
admin: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
users:
ironic-inspector:
password: {get_param: IronicPassword}
region: {get_param: KeystoneRegion}
service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
@ -304,13 +315,6 @@ outputs:
- ironic::inspector::tftp_root: /var/lib/ironic/tftpboot
- ironic::inspector::http_root: /var/lib/ironic/httpboot
service_config_settings:
keystone:
ironic::keystone::auth_inspector::tenant: 'service'
ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector

@ -343,6 +343,7 @@ outputs:
- {}
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone_enable_member: {get_param: KeystoneEnableMember}
- keystone_resources_managed: false
- keystone::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
@ -688,11 +689,46 @@ outputs:
username: admin
identity_api_version: '3'
region_name: {get_param: KeystoneRegion}
- name: Manage Keystone resources
become: true
when:
- step|int == 4
- not ansible_check_mode|bool
block:
- name: Manage Keystone resources for OpenStack services
include_role:
name: tripleo-keystone-resources
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_service_project: 'service'
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
tripleo_keystone_resources_region: {get_param: KeystoneRegion}
tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
- name: is Keystone LDAP enabled
set_fact:
keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
- name: Set fact for tripleo_keystone_ldap_domains
set_fact:
tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
when: keystone_ldap_domain_enabled|bool
- name: Manage Keystone domains from LDAP config
when: keystone_ldap_domain_enabled|bool
include_role:
name: tripleo-keystone-resources
tasks_from: domains
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
container_puppet_tasks:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
puppet_tags: 'keystone_config'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
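Review bot: The `Set fact for tripleo_keystone_ldap_domains` task copies `KeystoneLDAPBackendConfigs` into a fact without `no_log: true`. LDAP backend configs usually include a bind password (the schema is not visible on this page, so confirm), and `set_fact` echoes the value in task results at higher verbosity. Suggested: add `no_log: true` to that task. The two `include_role` tasks also hand `AdminPassword` and the whole `keystone_resources` catalog, with every service password, to the role, so it is worth confirming that tripleo-keystone-resources sets `no_log` on the tasks that consume them. The task list this block belongs to starts outside the hunk.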

@ -94,6 +94,27 @@ outputs:
description: Role data for the Manila API role.
value:
service_name: manila_api
keystone_resources:
manila:
endpoints:
public: {get_param: [EndpointMap, ManilaV1Public, uri]}
internal: {get_param: [EndpointMap, ManilaV1Internal, uri]}
admin: {get_param: [EndpointMap, ManilaV1Admin, uri]}
users:
manila:
password: {get_param: ManilaPassword}
region: {get_param: KeystoneRegion}
service: 'share'
manilav2:
endpoints:
public: {get_param: [EndpointMap, ManilaPublic, uri]}
internal: {get_param: [EndpointMap, ManilaInternal, uri]}
admin: {get_param: [EndpointMap, ManilaAdmin, uri]}
users:
manilav2:
password: {get_param: ManilaPassword}
region: {get_param: KeystoneRegion}
service: 'sharev2'
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
config_settings:
map_merge:
@ -142,19 +163,7 @@ outputs:
- manila_workers_zero
- {}
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
service_config_settings:
map_merge:
- get_attr: [ManilaBase, role_data, service_config_settings]
- keystone:
manila::keystone::auth::tenant: 'service'
manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]}
manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]}
manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]}
manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]}
manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]}
manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
manila::keystone::auth::password: {get_param: ManilaPassword}
manila::keystone::auth::region: {get_param: KeystoneRegion}
service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: manila

@ -66,6 +66,14 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
MistralPassword:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
conditions:
mistral_workers_zero: {equals : [{get_param: MistralWorkers}, 0]}
@ -94,6 +102,17 @@ outputs:
description: Role data for the Mistral API role.
value:
service_name: mistral_api
keystone_resources:
mistral:
endpoints:
public: {get_param: [EndpointMap, MistralPublic, uri]}
internal: {get_param: [EndpointMap, MistralInternal, uri]}
admin: {get_param: [EndpointMap, MistralAdmin, uri]}
users:
mistral:
password: {get_param: MistralPassword}
region: {get_param: KeystoneRegion}
service: 'workflowv2'
config_settings:
map_merge:
- get_attr: [MistralBase, role_data, config_settings]

@ -45,10 +45,6 @@ parameters:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NotificationDriver:
type: string
default: 'messagingv2'
@ -93,13 +89,6 @@ outputs:
- - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
- '/ec2tokens'
service_config_settings:
keystone:
mistral::keystone::auth::tenant: 'service'
mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]}
mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]}
mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]}
mistral::keystone::auth::password: {get_param: MistralPassword}
mistral::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
mistral::db::mysql::user: mistral
mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}

@ -224,6 +224,17 @@ outputs:
description: Role data for the Neutron API role.
value:
service_name: neutron_api
keystone_resources:
neutron:
endpoints:
public: {get_param: [EndpointMap, NeutronPublic, uri]}
internal: {get_param: [EndpointMap, NeutronInternal, uri]}
admin: {get_param: [EndpointMap, NeutronAdmin, uri]}
users:
neutron:
password: {get_param: NeutronPassword}
region: {get_param: KeystoneRegion}
service: 'network'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
@ -371,13 +382,6 @@ outputs:
rsyslog:
tripleo_logging_sources_neutron_api:
- {get_param: NeutronApiLoggingSource}
keystone:
neutron::keystone::auth::tenant: 'service'
neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]}
neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] }
neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
neutron::keystone::auth::password: {get_param: NeutronPassword}
neutron::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron

@ -152,6 +152,20 @@ outputs:
description: Role data for the Nova API role.
value:
service_name: nova_api
keystone_resources:
nova:
endpoints:
public: {get_param: [EndpointMap, NovaPublic, uri]}
internal: {get_param: [EndpointMap, NovaInternal, uri]}
admin: {get_param: [EndpointMap, NovaAdmin, uri]}
users:
nova:
roles:
- admin
- service
password: {get_param: NovaPassword}
region: {get_param: KeystoneRegion}
service: 'compute'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
config_settings:
map_merge:
@ -231,14 +245,6 @@ outputs:
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
nova::keystone::auth::roles: ['admin', 'service']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova

@ -172,13 +172,6 @@ outputs:
rsyslog:
tripleo_logging_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}

@ -89,6 +89,17 @@ outputs:
description: Role data for the novajoin API role.
value:
service_name: novajoin
keystone_resources:
novajoin:
endpoints:
public: {get_param: [EndpointMap, NovajoinPublic, uri]}
internal: {get_param: [EndpointMap, NovajoinInternal, uri]}
admin: {get_param: [EndpointMap, NovajoinAdmin, uri]}
users:
novajoin:
password: {get_param: NovajoinPassword}
region: {get_param: KeystoneRegion}
service: 'compute-vendordata-plugin'
config_settings:
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
@ -118,10 +129,6 @@ outputs:
dport:
- 9090
service_config_settings:
keystone:
nova::metadata::novajoin::auth::tenant: 'service'
nova::metadata::novajoin::auth::password: {get_param: NovajoinPassword}
nova::metadata::novajoin::auth::region: {get_param: KeystoneRegion}
nova_metadata: &nova_vendordata
novajoin_address:
str_replace:

@ -131,6 +131,17 @@ outputs:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
keystone_resources:
octavia:
endpoints:
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
users:
octavia:
password: {get_param: OctaviaPassword}
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
@ -191,13 +202,6 @@ outputs:
rsyslog:
tripleo_logging_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
keystone:
octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}
octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]}
octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] }
octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] }
octavia::keystone::auth::password: {get_param: OctaviaPassword}
octavia::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
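Review bot: The new `keystone_resources.octavia.users.octavia` entry carries only `password`, while the removed `octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}` line let operators choose the project for the Octavia service user. Unless the consumer of `keystone_resources` takes the project from somewhere else (it is not visible on this page), a deployment that overrides `OctaviaProjectName` may now get the user's role assignment in a different project than before. Either pass the project through in the user entry, if the consumer supports a per-user project key, or say in the parameter description that `OctaviaProjectName` no longer affects what is created in Keystone. The external Swift hunk drops `ExternalSwiftUserTenant` in the same way.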

@ -110,6 +110,17 @@ outputs:
description: Role data for the Placement API role.
value:
service_name: placement
keystone_resources:
placement:
endpoints:
public: {get_param: [EndpointMap, PlacementPublic, uri]}
internal: {get_param: [EndpointMap, PlacementInternal, uri]}
admin: {get_param: [EndpointMap, PlacementAdmin, uri]}
users:
placement:
password: {get_param: PlacementPassword}
region: {get_param: KeystoneRegion}
service: 'placement'
config_settings:
map_merge:
- get_attr: [PlacementLogging, config_settings]
@ -163,13 +174,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_placement:
- {get_param: PlacementLoggingSource}
keystone:
placement::keystone::auth::tenant: 'service'
placement::keystone::auth::public_url: {get_param: [EndpointMap, PlacementPublic, uri]}
placement::keystone::auth::internal_url: {get_param: [EndpointMap, PlacementInternal, uri]}
placement::keystone::auth::admin_url: {get_param: [EndpointMap, PlacementAdmin, uri]}
placement::keystone::auth::password: {get_param: PlacementPassword}
placement::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement

@ -92,6 +92,17 @@ outputs:
description: Role data for the Sahara API role.
value:
service_name: sahara_api
keystone_resources:
sahara:
endpoints:
public: {get_param: [EndpointMap, SaharaPublic, uri]}
internal: {get_param: [EndpointMap, SaharaInternal, uri]}
admin: {get_param: [EndpointMap, SaharaAdmin, uri]}
users:
sahara:
password: {get_param: SaharaPassword}
region: {get_param: KeystoneRegion}
service: 'data-processing'
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
config_settings:
map_merge:
@ -120,13 +131,6 @@ outputs:
rsyslog:
tripleo_logging_sources_sahara_api:
- {get_param: SaharaApiLoggingSource}
keystone:
sahara::keystone::auth::tenant: 'service'
sahara::keystone::auth::public_url: {get_param: [EndpointMap, SaharaPublic, uri]}
sahara::keystone::auth::internal_url: {get_param: [EndpointMap, SaharaInternal, uri]}
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
sahara::db::mysql::password: {get_param: SaharaPassword}
sahara::db::mysql::user: sahara

@ -63,20 +63,29 @@ outputs:
step_config:
service_config_settings:
keystone:
swift::keystone::auth::public_url: {get_param: ExternalPublicUrl}
swift::keystone::auth::internal_url: {get_param: ExternalInternalUrl}
swift::keystone::auth::admin_url: {get_param: ExternalAdminUrl}
swift::keystone::auth::public_url_s3: ''
swift::keystone::auth::internal_url_s3: ''
swift::keystone::auth::admin_url_s3: ''
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant}
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
keystone_resources:
swift:
endpoints:
public:
if:
- deprecated_external_public_url
- {get_param: ExternalPublicUrl}
- {get_param: ExternalSwiftPublicUrl}
internal:
if:
- deprecated_external_internal_url
- {get_param: ExternalInternalUrl}
- {get_param: ExternalSwiftInternalUrl}
admin:
if:
- deprecated_external_admin_url
- {get_param: ExternalAdminUrl}
- {get_param: ExternalSwiftAdminUrl}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- swiftoperator
- ResellerAdmin
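Review bot: The trailing `roles:` list (`swiftoperator`, `ResellerAdmin`) in the new `keystone_resources.swift` block does not say whether these roles are only created in Keystone or also granted to the `swift` user, and the removed `operator_roles` for this external-Swift template listed only `admin`. `ResellerAdmin` conventionally allows access across Swift accounts, so anyone auditing service-account privileges needs to know which of the two it is. A comment above `roles:` such as `# Roles to create in Keystone; not assigned to the swift service user` would settle it, provided that matches what the consumer does. The same list appears in the Swift proxy section that follows.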

@ -126,6 +126,20 @@ outputs:
description: Role data for the swift proxy.
value:
service_name: swift_proxy
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, SwiftPublic, uri]}
internal: {get_param: [EndpointMap, SwiftInternal, uri]}
admin: {get_param: [EndpointMap, SwiftAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- swiftoperator
- ResellerAdmin
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
config_settings:
map_merge:
@ -253,22 +267,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
service_config_settings:
keystone:
swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: 'service'
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
- swiftoperator
- ResellerAdmin
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift

@ -80,6 +80,10 @@ parameters:
type: json
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
outputs:
role_data:
@ -100,7 +104,27 @@ outputs:
service_config_settings:
rabbitmq:
vrts_rabbitmq_passwd: {get_param: VrtsRabbitPassword}
keystone:
vrts_keystone_passwd: {get_param: VrtsKeystonePassword}
mysql:
vrts_mysql_passwd: {get_param: VrtsMysqlPassword}
keystone_resources:
hyperscale:
# Replicating what was done with Puppet manifest:
# https://github.com/vtas-hyperscale-ci/puppet-veritas_hyperscale/blob/7c7868adb027c5bcfdcb6fc9d86610470759ae28/manifests/hs_keystone.pp#L17
# Moving forward, we should have the Veritas part of EndpointMap so the service
# can live outside of the Keystone node.
endpoints:
public: &veritas_endpoint
make_url:
scheme: {get_param: [EndpointMap, KeystoneAdmin, protocol]}
host: {get_param: [EndpointMap, KeystoneAdmin, host]}
port: 8753
path: /v1/%(tenant_id)s
internal: *veritas_endpoint
admin: *veritas_endpoint
users:
hyperscale:
password: {get_param: VrtsKeystonePassword}
region: {get_param: KeystoneRegion}
service: 'infrastructure'
roles:
- infra_admin
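Review bot: The `public` endpoint is an alias of `&veritas_endpoint`, which is built from the `EndpointMap` `KeystoneAdmin` `protocol` and `host`, so the public catalog entry for `infrastructure` advertises the admin-network address and inherits whatever scheme the Keystone admin endpoint uses. The existing comment explains that this mirrors the Puppet manifest, but it does not tell an operator that clients outside the admin network may not reach the public URL, or that the endpoint is plain HTTP whenever `KeystoneAdmin` is. I would extend the comment with one line such as `# NOTE: public/internal/admin all resolve to the Keystone admin host; public clients need a route to that network.` until the service gets its own `EndpointMap` entries.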

@ -116,6 +116,27 @@ outputs:
description: Role data for the Zaqar API role.
value:
service_name: zaqar_api
keystone_resources:
zaqar:
endpoints:
public: {get_param: [EndpointMap, ZaqarPublic, uri]}
internal: {get_param: [EndpointMap, ZaqarInternal, uri]}
admin: {get_param: [EndpointMap, ZaqarAdmin, uri]}
users:
zaqar:
password: {get_param: ZaqarPassword}
region: {get_param: KeystoneRegion}
service: 'messaging'
zaqar-websocket:
endpoints:
public: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]}
internal: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]}
admin: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]}
users:
zaqar-websocket:
password: {get_param: ZaqarPassword}
region: {get_param: KeystoneRegion}
service: 'messaging-websocket'
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -204,18 +225,6 @@ outputs:
service_config_settings:
map_merge:
- keystone:
zaqar::keystone::auth::password: {get_param: ZaqarPassword}
zaqar::keystone::auth::public_url: {get_param: [EndpointMap, ZaqarPublic, uri]}
zaqar::keystone::auth::admin_url: {get_param: [EndpointMap, ZaqarAdmin, uri]}
zaqar::keystone::auth::internal_url: {get_param: [EndpointMap, ZaqarInternal, uri]}
zaqar::keystone::auth::region: {get_param: KeystoneRegion}
zaqar::keystone::auth::tenant: 'service'
zaqar::keystone::auth_websocket::password: {get_param: ZaqarPassword}
zaqar::keystone::auth_websocket::public_url: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]}
zaqar::keystone::auth_websocket::admin_url: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]}
zaqar::keystone::auth_websocket::internal_url: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]}
zaqar::keystone::auth_websocket::region: {get_param: KeystoneRegion}
zaqar::keystone::auth_websocket::tenant: 'service'
zaqar::keystone::trust::password: {get_param: ZaqarPassword}
zaqar::keystone::trust::user_domain_name: 'Default'
tripleo::zaqar_api::firewall_rules:

@ -78,6 +78,9 @@ parameter_defaults:
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS}
NovajoinAdmin: {protocol: http, port: '9090', host: IP_ADDRESS}
NovajoinInternal: {protocol: http, port: '9090', host: IP_ADDRESS}
NovajoinPublic: {protocol: http, port: '9090', host: IP_ADDRESS}
NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS}
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}

@ -74,6 +74,9 @@ parameter_defaults:
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}

@ -74,6 +74,9 @@ parameter_defaults:
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}

@ -74,6 +74,9 @@ parameter_defaults:
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}

@ -398,3 +398,18 @@ NovaMetadata:
Internal:
net_param: NovaMetadata
port: 8775
Novajoin:
Internal:
net_param: Novajoin
uri_suffixes:
'': /v1
Public:
net_param: Public
uri_suffixes:
'': /v1
Admin:
net_param: Novajoin
uri_suffixes:
'': /v1
port: 9090

@ -287,6 +287,18 @@ parameters:
protocol: http
port: '6080'
host: IP_ADDRESS
NovajoinAdmin:
protocol: http
port: '9090'
host: IP_ADDRESS
NovajoinInternal:
protocol: http
port: '9090'
host: IP_ADDRESS
NovajoinPublic:
protocol: http
port: '9090'
host: IP_ADDRESS
OctaviaAdmin:
protocol: http
port: '9876'
@ -10918,6 +10930,390 @@ outputs:
- EndpointMap
- OctaviaPublic
- port
NovajoinAdmin:
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
host_nobrackets:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- get_param:
- ServiceNetMap
- NovajoinNetwork
port:
get_param:
- EndpointMap
- NovajoinAdmin
- port
protocol:
get_param:
- EndpointMap
- NovajoinAdmin
- protocol
uri:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinAdmin
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinAdmin
- port
path: /v1
uri_no_suffix:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinAdmin
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinAdmin
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinAdmin
- port
NovajoinInternal:
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinInternal
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
host_nobrackets:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinInternal
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- get_param:
- ServiceNetMap
- NovajoinNetwork
port:
get_param:
- EndpointMap
- NovajoinInternal
- port
protocol:
get_param:
- EndpointMap
- NovajoinInternal
- protocol
uri:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinInternal
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinInternal
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinInternal
- port
path: /v1
uri_no_suffix:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinInternal
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinInternal
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- NovajoinNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- NovajoinNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinInternal
- port
NovajoinPublic:
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinPublic
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- PublicNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- PublicNetwork
template: NETWORK_uri
host_nobrackets:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinPublic
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- PublicNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- get_param:
- ServiceNetMap
- PublicNetwork
port:
get_param:
- EndpointMap
- NovajoinPublic
- port
protocol:
get_param:
- EndpointMap
- NovajoinPublic
- protocol
uri:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinPublic
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinPublic
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- PublicNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- PublicNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinPublic
- port
path: /v1
uri_no_suffix:
make_url:
scheme:
get_param:
- EndpointMap
- NovajoinPublic
- protocol
host:
str_replace:
template:
get_param:
- EndpointMap
- NovajoinPublic
- host
params:
CLOUDNAME:
get_param:
- CloudEndpoints
- get_param:
- ServiceNetMap
- PublicNetwork
IP_ADDRESS:
get_param:
- NetIpMap
- str_replace:
params:
NETWORK:
get_param:
- ServiceNetMap
- PublicNetwork
template: NETWORK_uri
port:
get_param:
- EndpointMap
- NovajoinPublic
- port
PlacementAdmin:
host:
str_replace:

@ -1129,6 +1129,11 @@ resources:
- add_vips_to_etc_hosts
- {get_attr: [VipHosts, value]}
- ''
KeystoneResourcesConfigs:
map_merge:
{% for role in roles %}
- get_attr: [{{role.name}}ServiceChainRoleData, value, keystone_resources]
{% endfor %}
outputs:
ManagedEndpoints:
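Review bot: `KeystoneResourcesConfigs` merges every role's `keystone_resources` map, and the service templates changed earlier in this commit put each service user's `password` into that map, so this one value now holds all Keystone service credentials. Where it goes after this resource is not visible in this section; if it is written into generated deployment data or printed by the tasks that consume it, those places should be handled as secrets (restricted file modes, no logging of the loop item). A short comment above `map_merge:` would make that obvious, for example `# Contains service user passwords; treat every consumer of this value as secret-bearing.` Also note that `map_merge` lets a later role replace an earlier role's entry for the same service key, which is harmless only while every role emits identical data for that service.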

@ -182,6 +182,9 @@ environments:
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
@ -290,6 +293,9 @@ environments:
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
@ -398,6 +404,9 @@ environments:
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
@ -516,6 +525,9 @@ environments:
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS}
NovajoinAdmin: {protocol: http, port: '9090', host: IP_ADDRESS}
NovajoinInternal: {protocol: http, port: '9090', host: IP_ADDRESS}
NovajoinPublic: {protocol: http, port: '9090', host: IP_ADDRESS}
NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS}
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}