Flatten Keystone service configuration
This change combines the previous puppet and docker files into a single file that performs the docker service installation and configuration. With this patch the baremetal version of keystone has been removed. Related-Blueprint: services-yaml-flattening Change-Id: I6140b02ad1ab6d88990e173dcf556977f065b3c5
parent
4fbd9960db
commit
40ba776463
|
@ -1,47 +1,25 @@
|
||||||
heat_template_version: rocky
|
heat_template_version: rocky
|
||||||
|
|
||||||
description: >
|
description: >
|
||||||
OpenStack Keystone service configured with Puppet
|
OpenStack containerized Keystone service
|
||||||
|
|
||||||
parameters:
|
parameters:
|
||||||
KeystoneEnableDBPurge:
|
DockerKeystoneImage:
|
||||||
default: true
|
description: image
|
||||||
description: |
|
|
||||||
Whether to create cron job for purging soft deleted rows in Keystone database.
|
|
||||||
type: boolean
|
|
||||||
KeystoneSSLCertificate:
|
|
||||||
default: ''
|
|
||||||
description: Keystone certificate for verifying token validity.
|
|
||||||
type: string
|
type: string
|
||||||
KeystoneSSLCertificateKey:
|
DockerKeystoneConfigImage:
|
||||||
default: ''
|
description: The container image to use for the keystone config_volume
|
||||||
description: Keystone key for signing tokens.
|
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
KeystoneLoggingSource:
|
||||||
KeystoneNotificationDriver:
|
type: json
|
||||||
description: Comma-separated list of Oslo notification drivers used by Keystone
|
default:
|
||||||
default: ['messaging']
|
tag: openstack.keystone
|
||||||
type: comma_delimited_list
|
path: /var/log/containers/keystone/keystone.log
|
||||||
KeystoneNotificationFormat:
|
EndpointMap:
|
||||||
description: The Keystone notification format
|
default: {}
|
||||||
default: 'basic'
|
description: Mapping of service endpoint -> protocol. Typically set
|
||||||
type: string
|
via parameter_defaults in the resource registry.
|
||||||
constraints:
|
type: json
|
||||||
- allowed_values: [ 'basic', 'cadf' ]
|
|
||||||
KeystoneNotificationTopics:
|
|
||||||
description: Keystone notification topics to enable
|
|
||||||
default: []
|
|
||||||
type: comma_delimited_list
|
|
||||||
KeystoneRegion:
|
|
||||||
type: string
|
|
||||||
default: 'regionOne'
|
|
||||||
description: Keystone region for endpoint
|
|
||||||
KeystoneTokenProvider:
|
|
||||||
description: The keystone token format
|
|
||||||
type: string
|
|
||||||
default: 'fernet'
|
|
||||||
constraints:
|
|
||||||
- allowed_values: ['uuid', 'fernet']
|
|
||||||
ServiceData:
|
ServiceData:
|
||||||
default: {}
|
default: {}
|
||||||
description: Dictionary packing service data
|
description: Dictionary packing service data
|
||||||
|
@ -63,11 +41,51 @@ parameters:
|
||||||
default: {}
|
default: {}
|
||||||
description: Parameters specific to the role
|
description: Parameters specific to the role
|
||||||
type: json
|
type: json
|
||||||
EndpointMap:
|
AdminPassword:
|
||||||
default: {}
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
||||||
description: Mapping of service endpoint -> protocol. Typically set
|
type: string
|
||||||
via parameter_defaults in the resource registry.
|
hidden: true
|
||||||
type: json
|
KeystoneTokenProvider:
|
||||||
|
description: The keystone token format
|
||||||
|
type: string
|
||||||
|
default: 'fernet'
|
||||||
|
constraints:
|
||||||
|
- allowed_values: ['uuid', 'fernet']
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
UpgradeRemoveUnusedPackages:
|
||||||
|
default: false
|
||||||
|
description: Remove package if the service is being disabled during upgrade
|
||||||
|
type: boolean
|
||||||
|
KeystoneEnableDBPurge:
|
||||||
|
default: true
|
||||||
|
description: |
|
||||||
|
Whether to create cron job for purging soft deleted rows in Keystone database.
|
||||||
|
type: boolean
|
||||||
|
KeystoneSSLCertificate:
|
||||||
|
default: ''
|
||||||
|
description: Keystone certificate for verifying token validity.
|
||||||
|
type: string
|
||||||
|
KeystoneSSLCertificateKey:
|
||||||
|
default: ''
|
||||||
|
description: Keystone key for signing tokens.
|
||||||
|
type: string
|
||||||
|
hidden: true
|
||||||
|
KeystoneNotificationFormat:
|
||||||
|
description: The Keystone notification format
|
||||||
|
default: 'basic'
|
||||||
|
type: string
|
||||||
|
constraints:
|
||||||
|
- allowed_values: [ 'basic', 'cadf' ]
|
||||||
|
KeystoneNotificationTopics:
|
||||||
|
description: Keystone notification topics to enable
|
||||||
|
default: []
|
||||||
|
type: comma_delimited_list
|
||||||
|
KeystoneRegion:
|
||||||
|
type: string
|
||||||
|
default: 'regionOne'
|
||||||
|
description: Keystone region for endpoint
|
||||||
Debug:
|
Debug:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
@ -83,10 +101,6 @@ parameters:
|
||||||
description: The email for the keystone admin account.
|
description: The email for the keystone admin account.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
AdminPassword:
|
|
||||||
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
||||||
type: string
|
|
||||||
hidden: true
|
|
||||||
AdminToken:
|
AdminToken:
|
||||||
description: The keystone auth secret and db password.
|
description: The keystone auth secret and db password.
|
||||||
type: string
|
type: string
|
||||||
|
@ -126,14 +140,6 @@ parameters:
|
||||||
KeystoneCredential1:
|
KeystoneCredential1:
|
||||||
type: string
|
type: string
|
||||||
description: The second Keystone credential key. Must be a valid key.
|
description: The second Keystone credential key. Must be a valid key.
|
||||||
KeystoneFernetKey0:
|
|
||||||
type: string
|
|
||||||
default: ''
|
|
||||||
description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
|
|
||||||
KeystoneFernetKey1:
|
|
||||||
type: string
|
|
||||||
default: ''
|
|
||||||
description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
|
|
||||||
KeystoneFernetKeys:
|
KeystoneFernetKeys:
|
||||||
type: json
|
type: json
|
||||||
description: Mapping containing keystone's fernet keys and their paths.
|
description: Mapping containing keystone's fernet keys and their paths.
|
||||||
|
@ -153,35 +159,32 @@ parameters:
|
||||||
type: json
|
type: json
|
||||||
default:
|
default:
|
||||||
tag: openstack.keystone
|
tag: openstack.keystone
|
||||||
path: /var/log/keystone/keystone.log
|
path: /var/log/containers/keystone/keystone.log
|
||||||
KeystoneErrorLoggingSource:
|
KeystoneErrorLoggingSource:
|
||||||
type: json
|
type: json
|
||||||
default:
|
default:
|
||||||
tag: openstack.keystone.error
|
tag: openstack.keystone.error
|
||||||
path: /var/log/httpd/keystone/error_log
|
path: /var/log/containers/httpd/keystone/error_log
|
||||||
KeystoneAdminAccessLoggingSource:
|
KeystoneAdminAccessLoggingSource:
|
||||||
type: json
|
type: json
|
||||||
default:
|
default:
|
||||||
tag: openstack.keystone.admin.access
|
tag: openstack.keystone.admin.access
|
||||||
path: /var/log/httpd/keystone/keystone_wsgi_admin_access.log
|
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log
|
||||||
KeystoneAdminErrorLoggingSource:
|
KeystoneAdminErrorLoggingSource:
|
||||||
type: json
|
type: json
|
||||||
default:
|
default:
|
||||||
tag: openstack.keystone.admin.error
|
tag: openstack.keystone.admin.error
|
||||||
path: /var/log/httpd/keystone/keystone_wsgi_admin_error.log
|
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log
|
||||||
KeystoneMainAcccessLoggingSource:
|
KeystoneMainAcccessLoggingSource:
|
||||||
type: json
|
type: json
|
||||||
default:
|
default:
|
||||||
tag: openstack.keystone.main.access
|
tag: openstack.keystone.main.access
|
||||||
path: /var/log/httpd/keystone/keystone_wsgi_main_access.log
|
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log
|
||||||
KeystoneMainErrorLoggingSource:
|
KeystoneMainErrorLoggingSource:
|
||||||
type: json
|
type: json
|
||||||
default:
|
default:
|
||||||
tag: openstack.keystone.wsgi.main.error
|
tag: openstack.keystone.wsgi.main.error
|
||||||
path: /var/log/httpd/keystone/keystone_wsgi_main_error.log
|
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log
|
||||||
EnableInternalTLS:
|
|
||||||
type: boolean
|
|
||||||
default: false
|
|
||||||
KeystoneCronTokenFlushEnsure:
|
KeystoneCronTokenFlushEnsure:
|
||||||
type: string
|
type: string
|
||||||
description: >
|
description: >
|
||||||
|
@ -365,22 +368,16 @@ parameters:
|
||||||
Attribute to be used to obtain the entity ID of the Identity Provider
|
Attribute to be used to obtain the entity ID of the Identity Provider
|
||||||
from the environment.
|
from the environment.
|
||||||
|
|
||||||
parameter_groups:
|
|
||||||
- label: deprecated
|
|
||||||
description: |
|
|
||||||
The following parameters are deprecated and will be removed. They should not
|
|
||||||
be relied on for new deployments. If you have concerns regarding deprecated
|
|
||||||
parameters, please contact the TripleO development team on IRC or the
|
|
||||||
OpenStack mailing list.
|
|
||||||
parameters:
|
|
||||||
- KeystoneFernetKey0
|
|
||||||
- KeystoneFernetKey1
|
|
||||||
- KeystoneNotificationDriver
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
|
ContainersCommon:
|
||||||
|
type: ../../docker/services/containers-common.yaml
|
||||||
|
|
||||||
|
MySQLClient:
|
||||||
|
type: ../../puppet/services/database/mysql-client.yaml
|
||||||
|
|
||||||
ApacheServiceBase:
|
ApacheServiceBase:
|
||||||
type: ./apache.yaml
|
type: ../../puppet/services/apache.yaml
|
||||||
properties:
|
properties:
|
||||||
ServiceData: {get_param: ServiceData}
|
ServiceData: {get_param: ServiceData}
|
||||||
ServiceNetMap: {get_param: ServiceNetMap}
|
ServiceNetMap: {get_param: ServiceNetMap}
|
||||||
|
@ -390,7 +387,12 @@ resources:
|
||||||
RoleParameters: {get_param: RoleParameters}
|
RoleParameters: {get_param: RoleParameters}
|
||||||
EnableInternalTLS: {get_param: EnableInternalTLS}
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||||
|
|
||||||
|
KeystoneLogging:
|
||||||
|
type: OS::TripleO::Services::Logging::Keystone
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
||||||
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
|
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
|
||||||
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
||||||
|
@ -411,7 +413,7 @@ conditions:
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
description: Role data for the Keystone role.
|
description: Role data for the Keystone API role.
|
||||||
value:
|
value:
|
||||||
service_name: keystone
|
service_name: keystone
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
||||||
|
@ -641,9 +643,8 @@ outputs:
|
||||||
- unique_last_password_count_set
|
- unique_last_password_count_set
|
||||||
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
|
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
|
||||||
- {}
|
- {}
|
||||||
|
- apache::default_vhost: false
|
||||||
step_config: |
|
- get_attr: [KeystoneLogging, config_settings]
|
||||||
include ::tripleo::profile::base::keystone
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
fluentd:
|
fluentd:
|
||||||
tripleo_fluentd_groups_keystone:
|
tripleo_fluentd_groups_keystone:
|
||||||
|
@ -676,12 +677,191 @@ outputs:
|
||||||
horizon::keystone_multidomain_support: true
|
horizon::keystone_multidomain_support: true
|
||||||
horizon::keystone_default_domain: 'Default'
|
horizon::keystone_default_domain: 'Default'
|
||||||
- {}
|
- {}
|
||||||
|
# BEGIN DOCKER SETTINGS
|
||||||
|
puppet_config:
|
||||||
|
config_volume: keystone
|
||||||
|
puppet_tags: keystone_config,keystone_domain_config
|
||||||
|
step_config:
|
||||||
|
list_join:
|
||||||
|
- "\n"
|
||||||
|
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
|
||||||
|
- |
|
||||||
|
include ::tripleo::profile::base::keystone
|
||||||
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
||||||
|
config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
|
||||||
|
kolla_config:
|
||||||
|
/var/lib/kolla/config_files/keystone.json:
|
||||||
|
command: /usr/sbin/httpd -DFOREGROUND
|
||||||
|
config_files:
|
||||||
|
- source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
|
||||||
|
dest: "/etc/keystone/fernet-keys"
|
||||||
|
merge: false
|
||||||
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
/var/lib/kolla/config_files/keystone_cron.json:
|
||||||
|
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
|
||||||
|
# args for the keystone container to -DFOREGROUND
|
||||||
|
command: /usr/sbin/crond -n
|
||||||
|
config_files:
|
||||||
|
- source: "/var/lib/kolla/config_files/src/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
permissions:
|
||||||
|
- path: /var/log/keystone
|
||||||
|
owner: keystone:keystone
|
||||||
|
recurse: true
|
||||||
|
docker_config:
|
||||||
|
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
|
||||||
|
step_2:
|
||||||
|
get_attr: [KeystoneLogging, docker_config, step_2]
|
||||||
|
step_3:
|
||||||
|
keystone_db_sync:
|
||||||
|
image: &keystone_image {get_param: DockerKeystoneImage}
|
||||||
|
net: host
|
||||||
|
user: root
|
||||||
|
privileged: false
|
||||||
|
detach: false
|
||||||
|
volumes: &keystone_volumes
|
||||||
|
list_concat:
|
||||||
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
|
- {get_attr: [KeystoneLogging, volumes]}
|
||||||
|
-
|
||||||
|
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
|
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||||
|
- ''
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||||
|
- ''
|
||||||
|
environment:
|
||||||
|
list_concat:
|
||||||
|
- - KOLLA_BOOTSTRAP=True
|
||||||
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
- {get_attr: [KeystoneLogging, environment]}
|
||||||
|
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
|
||||||
|
keystone:
|
||||||
|
start_order: 2
|
||||||
|
image: *keystone_image
|
||||||
|
net: host
|
||||||
|
privileged: false
|
||||||
|
restart: always
|
||||||
|
healthcheck:
|
||||||
|
test: /openstack/healthcheck
|
||||||
|
volumes: *keystone_volumes
|
||||||
|
environment:
|
||||||
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
keystone_bootstrap:
|
||||||
|
start_order: 3
|
||||||
|
action: exec
|
||||||
|
user: root
|
||||||
|
command:
|
||||||
|
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
|
||||||
|
keystone_cron:
|
||||||
|
start_order: 4
|
||||||
|
image: *keystone_image
|
||||||
|
user: root
|
||||||
|
net: host
|
||||||
|
privileged: false
|
||||||
|
restart: always
|
||||||
|
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
|
||||||
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
|
- {get_attr: [KeystoneLogging, volumes]}
|
||||||
|
-
|
||||||
|
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
|
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
||||||
|
environment:
|
||||||
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
step_4:
|
||||||
|
# There are cases where we need to refresh keystone after the resource provisioning,
|
||||||
|
# such as the case of using LDAP backends for domains. So we trigger a graceful
|
||||||
|
# restart [1], which shouldn't cause service disruption, but will reload new
|
||||||
|
# configurations for keystone.
|
||||||
|
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
|
||||||
|
keystone_refresh:
|
||||||
|
start_order: 1
|
||||||
|
action: exec
|
||||||
|
user: root
|
||||||
|
command:
|
||||||
|
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
|
||||||
|
docker_puppet_tasks:
|
||||||
|
# Keystone endpoint creation occurs only on single node
|
||||||
|
step_3:
|
||||||
|
config_volume: 'keystone_init_tasks'
|
||||||
|
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
|
||||||
|
step_config: 'include ::tripleo::profile::base::keystone'
|
||||||
|
config_image: *keystone_config_image
|
||||||
|
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
|
||||||
|
upgrade_tasks:
|
||||||
|
- when: step|int == 3
|
||||||
|
block:
|
||||||
|
- name: Set fact for removal of openstack-keystone package
|
||||||
|
set_fact:
|
||||||
|
remove_keystone_package: {get_param: UpgradeRemoveUnusedPackages}
|
||||||
|
- name: Remove openstack-keystone package if operator requests it
|
||||||
|
package: name=openstack-keystone state=removed
|
||||||
|
ignore_errors: True
|
||||||
|
when: remove_keystone_package|bool
|
||||||
metadata_settings:
|
metadata_settings:
|
||||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||||
upgrade_tasks:
|
post_upgrade_tasks:
|
||||||
list_concat:
|
- when: step|int == 1
|
||||||
- get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
|
import_role:
|
||||||
-
|
name: tripleo-docker-rm
|
||||||
- name: Stop keystone service (running under httpd)
|
vars:
|
||||||
when: step|int == 1
|
containers_to_rm:
|
||||||
service: name=httpd state=stopped
|
- keystone
|
||||||
|
- keystone_cron
|
||||||
|
fast_forward_upgrade_tasks:
|
||||||
|
- when:
|
||||||
|
- step|int == 0
|
||||||
|
- release == 'ocata'
|
||||||
|
block:
|
||||||
|
- name: Check for keystone running under apache
|
||||||
|
tags: common
|
||||||
|
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
|
||||||
|
ignore_errors: true
|
||||||
|
register: keystone_httpd_enabled_result
|
||||||
|
- name: Set fact keystone_httpd_enabled
|
||||||
|
set_fact:
|
||||||
|
keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
|
||||||
|
- name: Check if httpd is running
|
||||||
|
ignore_errors: True
|
||||||
|
command: systemctl is-active --quiet httpd
|
||||||
|
register: httpd_running_result
|
||||||
|
when:
|
||||||
|
- httpd_running is undefined
|
||||||
|
- name: Set fact httpd_running if undefined
|
||||||
|
set_fact:
|
||||||
|
httpd_running: "{{ httpd_running_result.rc == 0 }}"
|
||||||
|
when:
|
||||||
|
- httpd_running is undefined
|
||||||
|
- name: Stop and disable keystone (under httpd)
|
||||||
|
service: name=httpd state=stopped enabled=no
|
||||||
|
when:
|
||||||
|
- step|int == 1
|
||||||
|
- release == 'ocata'
|
||||||
|
- keystone_httpd_enabled|bool
|
||||||
|
- httpd_running|bool
|
||||||
|
- name: Keystone package update
|
||||||
|
package:
|
||||||
|
name: 'openstack-keystone*'
|
||||||
|
state: latest
|
||||||
|
when:
|
||||||
|
- step|int == 6
|
||||||
|
- is_bootstrap_node|bool
|
||||||
|
- name: keystone db sync
|
||||||
|
command: keystone-manage db_sync
|
||||||
|
when:
|
||||||
|
- step|int == 8
|
||||||
|
- is_bootstrap_node|bool
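Review bot: The keystone_bootstrap exec in step_3 passes the admin password on the command line (`'--bootstrap-password', {get_param: AdminPassword}`), so while it runs it is readable from the host's process table (`ps`, `/proc/*/cmdline`) by any local user, and it will be written verbatim into whatever stores or logs the rendered docker_config; the `hidden: true` on AdminPassword only masks it in Heat's own API output. keystone-manage bootstrap also reads the password from the `KEYSTONE_BOOTSTRAP_PASSWORD` environment variable, so if the exec action can carry an environment (I cannot confirm that from this template), setting `KEYSTONE_BOOTSTRAP_PASSWORD` from `{get_param: AdminPassword}` and dropping the two `--bootstrap-password` entries avoids the argv exposure; if it cannot, add a comment above keystone_bootstrap stating that the deploy logs for this step contain the admin password and must be handled as secret. This is carried over from docker/services/keystone.yaml rather than introduced here, and the enclosing outputs/role_data block starts outside this hunk. A smaller related gap in the same file: `KeystoneCredential1` is key material (its sibling keys AdminToken and KeystoneSSLCertificateKey are marked `hidden: true`) but has only `type` and `description`, so `openstack stack show` and similar will print its value; adding `hidden: true` there (and to KeystoneCredential0 if it matches, which is outside this hunk) closes that.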
|
|
@ -1,321 +0,0 @@
|
||||||
heat_template_version: rocky
|
|
||||||
|
|
||||||
description: >
|
|
||||||
OpenStack containerized Keystone service
|
|
||||||
|
|
||||||
parameters:
|
|
||||||
DockerKeystoneImage:
|
|
||||||
description: image
|
|
||||||
type: string
|
|
||||||
DockerKeystoneConfigImage:
|
|
||||||
description: The container image to use for the keystone config_volume
|
|
||||||
type: string
|
|
||||||
KeystoneLoggingSource:
|
|
||||||
type: json
|
|
||||||
default:
|
|
||||||
tag: openstack.keystone
|
|
||||||
path: /var/log/containers/keystone/keystone.log
|
|
||||||
KeystoneErrorLoggingSource:
|
|
||||||
type: json
|
|
||||||
default:
|
|
||||||
tag: openstack.keystone.error
|
|
||||||
path: /var/log/containers/httpd/keystone/error_log
|
|
||||||
KeystoneAdminAccessLoggingSource:
|
|
||||||
type: json
|
|
||||||
default:
|
|
||||||
tag: openstack.keystone.admin.access
|
|
||||||
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log
|
|
||||||
KeystoneAdminErrorLoggingSource:
|
|
||||||
type: json
|
|
||||||
default:
|
|
||||||
tag: openstack.keystone.admin.error
|
|
||||||
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log
|
|
||||||
KeystoneMainAcccessLoggingSource:
|
|
||||||
type: json
|
|
||||||
default:
|
|
||||||
tag: openstack.keystone.main.access
|
|
||||||
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log
|
|
||||||
KeystoneMainErrorLoggingSource:
|
|
||||||
type: json
|
|
||||||
default:
|
|
||||||
tag: openstack.keystone.wsgi.main.error
|
|
||||||
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log
|
|
||||||
EndpointMap:
|
|
||||||
default: {}
|
|
||||||
description: Mapping of service endpoint -> protocol. Typically set
|
|
||||||
via parameter_defaults in the resource registry.
|
|
||||||
type: json
|
|
||||||
ServiceData:
|
|
||||||
default: {}
|
|
||||||
description: Dictionary packing service data
|
|
||||||
type: json
|
|
||||||
ServiceNetMap:
|
|
||||||
default: {}
|
|
||||||
description: Mapping of service_name -> network name. Typically set
|
|
||||||
via parameter_defaults in the resource registry. This
|
|
||||||
mapping overrides those in ServiceNetMapDefaults.
|
|
||||||
type: json
|
|
||||||
DefaultPasswords:
|
|
||||||
default: {}
|
|
||||||
type: json
|
|
||||||
RoleName:
|
|
||||||
default: ''
|
|
||||||
description: Role name on which the service is applied
|
|
||||||
type: string
|
|
||||||
RoleParameters:
|
|
||||||
default: {}
|
|
||||||
description: Parameters specific to the role
|
|
||||||
type: json
|
|
||||||
AdminPassword:
|
|
||||||
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
||||||
type: string
|
|
||||||
hidden: true
|
|
||||||
KeystoneTokenProvider:
|
|
||||||
description: The keystone token format
|
|
||||||
type: string
|
|
||||||
default: 'fernet'
|
|
||||||
constraints:
|
|
||||||
- allowed_values: ['uuid', 'fernet']
|
|
||||||
EnableInternalTLS:
|
|
||||||
type: boolean
|
|
||||||
default: false
|
|
||||||
UpgradeRemoveUnusedPackages:
|
|
||||||
default: false
|
|
||||||
description: Remove package if the service is being disabled during upgrade
|
|
||||||
type: boolean
|
|
||||||
|
|
||||||
resources:
|
|
||||||
|
|
||||||
ContainersCommon:
|
|
||||||
type: ./containers-common.yaml
|
|
||||||
|
|
||||||
MySQLClient:
|
|
||||||
type: ../../puppet/services/database/mysql-client.yaml
|
|
||||||
|
|
||||||
KeystoneBase:
|
|
||||||
type: ../../puppet/services/keystone.yaml
|
|
||||||
properties:
|
|
||||||
EndpointMap: {get_param: EndpointMap}
|
|
||||||
ServiceData: {get_param: ServiceData}
|
|
||||||
ServiceNetMap: {get_param: ServiceNetMap}
|
|
||||||
DefaultPasswords: {get_param: DefaultPasswords}
|
|
||||||
RoleName: {get_param: RoleName}
|
|
||||||
RoleParameters: {get_param: RoleParameters}
|
|
||||||
|
|
||||||
KeystoneLogging:
|
|
||||||
type: OS::TripleO::Services::Logging::Keystone
|
|
||||||
|
|
||||||
conditions:
|
|
||||||
|
|
||||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
role_data:
|
|
||||||
description: Role data for the Keystone API role.
|
|
||||||
value:
|
|
||||||
service_name: {get_attr: [KeystoneBase, role_data, service_name]}
|
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- get_attr: [KeystoneBase, role_data, config_settings]
|
|
||||||
- get_attr: [KeystoneLogging, config_settings]
|
|
||||||
- apache::default_vhost: false
|
|
||||||
service_config_settings:
|
|
||||||
map_merge:
|
|
||||||
- get_attr: [KeystoneBase, role_data, service_config_settings]
|
|
||||||
- fluentd:
|
|
||||||
tripleo_fluentd_groups_keystone:
|
|
||||||
- keystone
|
|
||||||
tripleo_fluentd_sources_keystone:
|
|
||||||
- {get_param: KeystoneLoggingSource}
|
|
||||||
- {get_param: KeystoneErrorLoggingSource}
|
|
||||||
- {get_param: KeystoneAdminAccessLoggingSource}
|
|
||||||
- {get_param: KeystoneAdminErrorLoggingSource}
|
|
||||||
- {get_param: KeystoneMainAcccessLoggingSource}
|
|
||||||
- {get_param: KeystoneMainErrorLoggingSource}
|
|
||||||
# BEGIN DOCKER SETTINGS
|
|
||||||
puppet_config:
|
|
||||||
config_volume: keystone
|
|
||||||
puppet_tags: keystone_config,keystone_domain_config
|
|
||||||
step_config:
|
|
||||||
list_join:
|
|
||||||
- "\n"
|
|
||||||
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
|
|
||||||
- {get_attr: [KeystoneBase, role_data, step_config]}
|
|
||||||
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
||||||
config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
|
|
||||||
kolla_config:
|
|
||||||
/var/lib/kolla/config_files/keystone.json:
|
|
||||||
command: /usr/sbin/httpd -DFOREGROUND
|
|
||||||
config_files:
|
|
||||||
- source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
|
|
||||||
dest: "/etc/keystone/fernet-keys"
|
|
||||||
merge: false
|
|
||||||
preserve_properties: true
|
|
||||||
- source: "/var/lib/kolla/config_files/src/*"
|
|
||||||
dest: "/"
|
|
||||||
merge: true
|
|
||||||
preserve_properties: true
|
|
||||||
/var/lib/kolla/config_files/keystone_cron.json:
|
|
||||||
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
|
|
||||||
# args for the keystone container to -DFOREGROUND
|
|
||||||
command: /usr/sbin/crond -n
|
|
||||||
config_files:
|
|
||||||
- source: "/var/lib/kolla/config_files/src/*"
|
|
||||||
dest: "/"
|
|
||||||
merge: true
|
|
||||||
preserve_properties: true
|
|
||||||
permissions:
|
|
||||||
- path: /var/log/keystone
|
|
||||||
owner: keystone:keystone
|
|
||||||
recurse: true
|
|
||||||
docker_config:
|
|
||||||
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
|
|
||||||
step_2:
|
|
||||||
get_attr: [KeystoneLogging, docker_config, step_2]
|
|
||||||
step_3:
|
|
||||||
keystone_db_sync:
|
|
||||||
image: &keystone_image {get_param: DockerKeystoneImage}
|
|
||||||
net: host
|
|
||||||
user: root
|
|
||||||
privileged: false
|
|
||||||
detach: false
|
|
||||||
volumes: &keystone_volumes
|
|
||||||
list_concat:
|
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
|
||||||
- {get_attr: [KeystoneLogging, volumes]}
|
|
||||||
-
|
|
||||||
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
|
||||||
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
|
||||||
-
|
|
||||||
if:
|
|
||||||
- internal_tls_enabled
|
|
||||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
||||||
- ''
|
|
||||||
-
|
|
||||||
if:
|
|
||||||
- internal_tls_enabled
|
|
||||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
||||||
- ''
|
|
||||||
environment:
|
|
||||||
list_concat:
|
|
||||||
- - KOLLA_BOOTSTRAP=True
|
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
||||||
- {get_attr: [KeystoneLogging, environment]}
|
|
||||||
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
|
|
||||||
keystone:
|
|
||||||
start_order: 2
|
|
||||||
image: *keystone_image
|
|
||||||
net: host
|
|
||||||
privileged: false
|
|
||||||
restart: always
|
|
||||||
healthcheck:
|
|
||||||
test: /openstack/healthcheck
|
|
||||||
volumes: *keystone_volumes
|
|
||||||
environment:
|
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
||||||
keystone_bootstrap:
|
|
||||||
start_order: 3
|
|
||||||
action: exec
|
|
||||||
user: root
|
|
||||||
command:
|
|
||||||
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
|
|
||||||
keystone_cron:
|
|
||||||
start_order: 4
|
|
||||||
image: *keystone_image
|
|
||||||
user: root
|
|
||||||
net: host
|
|
||||||
privileged: false
|
|
||||||
restart: always
|
|
||||||
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
|
|
||||||
volumes:
|
|
||||||
list_concat:
|
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
|
||||||
- {get_attr: [KeystoneLogging, volumes]}
|
|
||||||
-
|
|
||||||
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
|
|
||||||
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
|
||||||
environment:
|
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
||||||
step_4:
|
|
||||||
# There are cases where we need to refresh keystone after the resource provisioning,
|
|
||||||
# such as the case of using LDAP backends for domains. So we trigger a graceful
|
|
||||||
# restart [1], which shouldn't cause service disruption, but will reload new
|
|
||||||
# configurations for keystone.
|
|
||||||
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
|
|
||||||
keystone_refresh:
|
|
||||||
start_order: 1
|
|
||||||
action: exec
|
|
||||||
user: root
|
|
||||||
command:
|
|
||||||
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
|
|
||||||
docker_puppet_tasks:
|
|
||||||
# Keystone endpoint creation occurs only on single node
|
|
||||||
step_3:
|
|
||||||
config_volume: 'keystone_init_tasks'
|
|
||||||
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
|
|
||||||
step_config: 'include ::tripleo::profile::base::keystone'
|
|
||||||
config_image: *keystone_config_image
|
|
||||||
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
|
|
||||||
upgrade_tasks:
|
|
||||||
- when: step|int == 3
|
|
||||||
block:
|
|
||||||
- name: Set fact for removal of openstack-keystone package
|
|
||||||
set_fact:
|
|
||||||
remove_keystone_package: {get_param: UpgradeRemoveUnusedPackages}
|
|
||||||
- name: Remove openstack-keystone package if operator requests it
|
|
||||||
package: name=openstack-keystone state=removed
|
|
||||||
ignore_errors: True
|
|
||||||
when: remove_keystone_package|bool
|
|
||||||
metadata_settings:
|
|
||||||
get_attr: [KeystoneBase, role_data, metadata_settings]
|
|
||||||
post_upgrade_tasks:
|
|
||||||
- when: step|int == 1
|
|
||||||
import_role:
|
|
||||||
name: tripleo-docker-rm
|
|
||||||
vars:
|
|
||||||
containers_to_rm:
|
|
||||||
- keystone
|
|
||||||
- keystone_cron
|
|
||||||
fast_forward_upgrade_tasks:
|
|
||||||
- when:
|
|
||||||
- step|int == 0
|
|
||||||
- release == 'ocata'
|
|
||||||
block:
|
|
||||||
- name: Check for keystone running under apache
|
|
||||||
tags: common
|
|
||||||
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
|
|
||||||
ignore_errors: true
|
|
||||||
register: keystone_httpd_enabled_result
|
|
||||||
- name: Set fact keystone_httpd_enabled
|
|
||||||
set_fact:
|
|
||||||
keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
|
|
||||||
- name: Check if httpd is running
|
|
||||||
ignore_errors: True
|
|
||||||
command: systemctl is-active --quiet httpd
|
|
||||||
register: httpd_running_result
|
|
||||||
when:
|
|
||||||
- httpd_running is undefined
|
|
||||||
- name: Set fact httpd_running if undefined
|
|
||||||
set_fact:
|
|
||||||
httpd_running: "{{ httpd_running_result.rc == 0 }}"
|
|
||||||
when:
|
|
||||||
- httpd_running is undefined
|
|
||||||
- name: Stop and disable keystone (under httpd)
|
|
||||||
service: name=httpd state=stopped enabled=no
|
|
||||||
when:
|
|
||||||
- step|int == 1
|
|
||||||
- release == 'ocata'
|
|
||||||
- keystone_httpd_enabled|bool
|
|
||||||
- httpd_running|bool
|
|
||||||
- name: Keystone package update
|
|
||||||
package:
|
|
||||||
name: 'openstack-keystone*'
|
|
||||||
state: latest
|
|
||||||
when:
|
|
||||||
- step|int == 6
|
|
||||||
- is_bootstrap_node|bool
|
|
||||||
- name: keystone db sync
|
|
||||||
command: keystone-manage db_sync
|
|
||||||
when:
|
|
||||||
- step|int == 8
|
|
||||||
- is_bootstrap_node|bool
|
|
|
@ -26,7 +26,7 @@ resource_registry:
OS::TripleO::Services::HeatEngine: ../puppet/services/heat-engine.yaml
OS::TripleO::Services::HeatEngine: ../puppet/services/heat-engine.yaml
OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
OS::TripleO::Services::Iscsid: ../puppet/services/iscsid.yaml
OS::TripleO::Services::Iscsid: ../puppet/services/iscsid.yaml
OS::TripleO::Services::Keystone: ../puppet/services/keystone.yaml
OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml
OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml
OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml
OS::TripleO::Services::Multipathd: OS::Heat::None
OS::TripleO::Services::Multipathd: OS::Heat::None
OS::TripleO::Services::MySQL: ../puppet/services/database/mysql.yaml
OS::TripleO::Services::MySQL: ../puppet/services/database/mysql.yaml
@ -10,7 +10,7 @@ resource_registry:
OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml
OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml
OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml
OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml
OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container.yaml
OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
OS::TripleO::Services::MistralApi: ../docker/services/mistral-api.yaml
OS::TripleO::Services::MistralApi: ../docker/services/mistral-api.yaml
OS::TripleO::Services::MistralEngine: ../docker/services/mistral-engine.yaml
OS::TripleO::Services::MistralEngine: ../docker/services/mistral-engine.yaml
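Review bot: The Keystone mapping on the new side of this hunk points at `../deployment/keystone/keystone-container.yaml`, while the other registry updates in this commit (the `@ -26,7` hunk above, the `@ -121,7` hunk below and the sample-env-generator entry) all use `deployment/keystone/keystone-container-puppet.yaml`. If only the `-puppet` variant is introduced by this change, this environment will fail at stack validation with a missing-template error rather than at deploy time, so it is worth catching here. Presumably the line should read `OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml`; the commit's file list is not visible in this view, so please confirm which template actually exists before adjusting.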
@ -121,7 +121,7 @@ resource_registry:
OS::TripleO::Services::CinderVolume: docker/services/cinder-volume.yaml
OS::TripleO::Services::CinderVolume: docker/services/cinder-volume.yaml
OS::TripleO::Services::BlockStorageCinderVolume: docker/services/cinder-volume.yaml
OS::TripleO::Services::BlockStorageCinderVolume: docker/services/cinder-volume.yaml
OS::TripleO::Services::Congress: OS::Heat::None
OS::TripleO::Services::Congress: OS::Heat::None
OS::TripleO::Services::Keystone: docker/services/keystone.yaml
OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml
OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
OS::TripleO::Services::GlanceRegistry: deployment/glance/glance-registry-disabled-puppet.yaml
OS::TripleO::Services::GlanceRegistry: deployment/glance/glance-registry-disabled-puppet.yaml
OS::TripleO::Services::HeatApi: docker/services/heat-api.yaml
OS::TripleO::Services::HeatApi: docker/services/heat-api.yaml
@ -0,0 +1,4 @@
---
upgrade:
- |
Deploying keystone on baremetal is no longer supported.
@ -3,7 +3,7 @@ environments:
name: enable-federation-openidc
name: enable-federation-openidc
title: Enable keystone federation with OpenID Connect
title: Enable keystone federation with OpenID Connect
files:
files:
puppet/services/keystone.yaml:
deployment/keystone/keystone-container-puppet.yaml:
parameters:
parameters:
- KeystoneFederationEnable
- KeystoneFederationEnable
- KeystoneAuthMethods
- KeystoneAuthMethods