Manage all Keystone resources with Ansible

Depends-On: I557d8f33c9c699aed14b3b6fc1d1c0407365cd08
Depends-On: Ia68f8852662fb4abbd194954a246afb740bf3f71

Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
changes/80/696980/96
Emilien Macchi 3 years ago
parent 914ca3eb28
commit 7f40baabcd
  1. 5
      common/deploy-steps.j2
  2. 11
      common/services/role.role.j2.yaml
  3. 19
      deployment/aodh/aodh-api-container-puppet.yaml
  4. 7
      deployment/aodh/aodh-base.yaml
  5. 22
      deployment/barbican/barbican-api-container-puppet.yaml
  6. 11
      deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
  7. 6
      deployment/ceilometer/ceilometer-base-container-puppet.yaml
  8. 26
      deployment/ceph-ansible/ceph-rgw.yaml
  9. 66
      deployment/cinder/cinder-api-container-puppet.yaml
  10. 18
      deployment/experimental/designate/designate-api-container-puppet.yaml
  11. 18
      deployment/glance/glance-api-container-puppet.yaml
  12. 18
      deployment/gnocchi/gnocchi-api-container-puppet.yaml
  13. 20
      deployment/heat/heat-api-cfn-container-puppet.yaml
  14. 33
      deployment/heat/heat-api-container-puppet.yaml
  15. 5
      deployment/heat/heat-base-puppet.yaml
  16. 4
      deployment/heat/heat-engine-container-puppet.yaml
  17. 5
      deployment/horizon/horizon-container-puppet.yaml
  18. 19
      deployment/ironic/ironic-api-container-puppet.yaml
  19. 18
      deployment/ironic/ironic-inspector-container-puppet.yaml
  20. 37
      deployment/keystone/keystone-container-puppet.yaml
  21. 35
      deployment/manila/manila-api-container-puppet.yaml
  22. 19
      deployment/mistral/mistral-api-container-puppet.yaml
  23. 11
      deployment/mistral/mistral-base.yaml
  24. 18
      deployment/neutron/neutron-api-container-puppet.yaml
  25. 22
      deployment/nova/nova-api-container-puppet.yaml
  26. 7
      deployment/nova/nova-metadata-container-puppet.yaml
  27. 29
      deployment/nova/novajoin-container-puppet.yaml
  28. 18
      deployment/octavia/octavia-api-container-puppet.yaml
  29. 18
      deployment/placement/placement-api-container-puppet.yaml
  30. 18
      deployment/sahara/sahara-api-container-puppet.yaml
  31. 51
      deployment/swift/external-swift-proxy-baremetal-puppet.yaml
  32. 30
      deployment/swift/swift-proxy-container-puppet.yaml
  33. 28
      deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml
  34. 33
      deployment/zaqar/zaqar-container-puppet.yaml
  35. 5
      overcloud.j2.yaml

@ -218,6 +218,10 @@ parameters:
default: []
description: List of VIP (virtual IP) hosts entries to be appended to /etc/hosts
type: comma_delimited_list
KeystoneResourcesConfigs:
description: The keystone resources config.
type: json
default: {}
conditions:
{% for role in enabled_roles %}
@ -389,6 +393,7 @@ outputs:
undercloud_hosts_entries: {get_param: UndercloudHostsEntries}
extra_hosts_entries: {get_param: ExtraHostsEntries}
vip_hosts_entries: {get_param: VipHostsEntries}
keystone_resources: {get_param: KeystoneResourcesConfigs}
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
deploy_steps_tasks_step_0: {get_file: deploy-steps-tasks-step-0.yaml}
common_deploy_steps_tasks_step_1: {get_file: deploy-steps-tasks-step-1.yaml}
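Review bot: `KeystoneResourcesConfigs` is declared as a plain `type: json` parameter, but the value it receives is the merged `keystone_resources` output in which every service template now places its credential (e.g. `password: {get_param: AodhPassword}`), so the resolved passwords surface in clear in stack parameter listings while the source parameters they come from are all `hidden: true`. Add `hidden: true` after `type: json` in the parameter definition. The same merged value is materialised as the `KeystoneResourcesConfigs` `OS::Heat::Value` resource in common/services/role.role.j2.yaml, where an attribute lookup shows it unmasked; a Value resource cannot be hidden, so at least add a comment there, `# holds resolved service passwords; do not expose via stack outputs`, and check that the path by which the value reaches this parameter (presumably overcloud.j2.yaml, not shown here) masks it as well.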

@ -133,6 +133,16 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('global_config_settings')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
KeystoneResourcesConfigs:
type: OS::Heat::Value
properties:
type: json
value:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('keystone_resources')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
ServiceConfigSettings:
type: OS::Heat::Value
properties:
@ -381,6 +391,7 @@ outputs:
upgrade_batch_tasks: {get_attr: [UpgradeBatchTasks, value]}
service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]}
ansible_group_vars: {get_attr: [AnsibleGroupVars, value]}
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
# Keys to support docker/services
puppet_config: {get_attr: [PuppetConfig, value]}

@ -52,6 +52,14 @@ parameters:
e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
AodhPassword:
description: The password for the aodh services.
type: string
hidden: true
conditions:
@ -96,6 +104,17 @@ outputs:
dport:
- 8042
- 13042
keystone_resources:
aodh:
endpoints:
public: {get_param: [EndpointMap, AodhPublic, uri]}
internal: {get_param: [EndpointMap, AodhInternal, uri]}
admin: {get_param: [EndpointMap, AodhAdmin, uri]}
users:
aodh:
password: {get_param: AodhPassword}
region: {get_param: KeystoneRegion}
service: 'alarming'
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
config_settings:
map_merge:

@ -111,13 +111,6 @@ outputs:
aodh::auth::auth_region: {get_param: KeystoneRegion}
aodh::auth::auth_tenant_name: 'service'
service_config_settings:
keystone:
aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]}
aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]}
aodh::keystone::auth::admin_url: {get_param: [EndpointMap, AodhAdmin, uri]}
aodh::keystone::auth::password: {get_param: AodhPassword}
aodh::keystone::auth::region: {get_param: KeystoneRegion}
aodh::keystone::auth::tenant: 'service'
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}

@ -192,6 +192,22 @@ outputs:
dport:
- 9311
- 13311
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -260,12 +276,6 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
barbican::keystone::auth::password: {get_param: BarbicanPassword}
barbican::keystone::auth::region: {get_param: KeystoneRegion}
barbican::keystone::auth::tenant: 'service'
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
nova_compute:
nova::compute::keymgr_backend: >

@ -52,6 +52,10 @@ parameters:
default: false
description: Whether to enable gnocchi usage.
type: boolean
CeilometerPassword:
description: The password for the ceilometer service account.
type: string
hidden: true
conditions:
ceilometer_enable_gnocchi: {equals: [{get_param: CeilometerEnableGnocchi}, True]}
@ -77,6 +81,13 @@ outputs:
value:
service_name: ceilometer_agent_central
monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCentral}
keystone_resources:
ceilometer:
users:
ceilometer:
password: {get_param: CeilometerPassword}
roles:
- admin
config_settings:
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
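Review bot: The new `keystone_resources.ceilometer` entry deliberately has no `endpoints` or `service` key, but the comment that explained this (`# NOTE(aschultz): no endpoints since ceilometer api removal`) disappears with the puppet block removed in ceilometer-base-container-puppet.yaml; carry it over above `users:` so the next reader does not add an endpoint back. `roles: - admin` also grants the ceilometer user the admin role, and the removed puppet settings do not show which role they granted, so a one-line comment on why the agent needs admin rather than a narrower role would document that decision.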

@ -179,11 +179,5 @@ outputs:
- {}
service_config_settings:
keystone:
ceilometer_auth_enabled: true
# NOTE(aschultz): no endpoints since ceilometer api removal
ceilometer::keystone::auth::configure_endpoint: false
ceilometer::keystone::auth::password: {get_param: CeilometerPassword}
ceilometer::keystone::auth::region: {get_param: KeystoneRegion}
ceilometer::keystone::auth::tenant: 'service'
# Enable default notification queue
tripleo::profile::base::keystone::ceilometer_notification_topics: ["notifications"]

@ -85,6 +85,22 @@ outputs:
- dashboard_enabled
- - '9100'
- []
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, CephRgwPublic, uri]}
internal: {get_param: [EndpointMap, CephRgwInternal, uri]}
admin: {get_param: [EndpointMap, CephRgwAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
roles:
- admin
- member
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- member
upgrade_tasks: []
puppet_config:
config_image: ''
@ -107,13 +123,3 @@ outputs:
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
service_config_settings:
keystone:
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
ceph::rgw::keystone::auth::tenant: service
ceph::rgw::keystone::auth::user: swift
ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
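Review bot: The RGW block registers its resources under the key `swift`, and the role-level `KeystoneResourcesConfigs` value in common/services/role.role.j2.yaml combines per-service outputs with a shallow `map_merge`; if swift-proxy-container-puppet.yaml (also touched by this change, not shown here) exposes its own `keystone_resources: swift:` entry and both services are placed in the same role, one definition silently overrides the other. Either key the RGW entry distinctly or document the exclusion with a comment above `swift:`, e.g. `# shares the 'swift' key with swift-proxy; the two must not be in one role (shallow map_merge)`. Separately, the removed puppet settings granted `['admin', 'member']` to the user only, whereas the new block lists `roles: - member` at service level as well; whether that produces an additional assignment depends on the role's schema and deserves a comment.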

@ -78,6 +78,9 @@ parameters:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
RootStackName:
description: The name of the stack/plan.
type: string
conditions:
@ -123,11 +126,46 @@ outputs:
dport:
- 8776
- 13776
keystone_resources:
cinder:
users:
cinder:
password: {get_param: CinderPassword}
roles:
- admin
- service
cinderv2:
endpoints:
public: {get_param: [EndpointMap, CinderV2Public, uri]}
internal: {get_param: [EndpointMap, CinderV2Internal, uri]}
admin: {get_param: [EndpointMap, CinderV2Admin, uri]}
users:
cinderv2:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev2'
cinderv3:
endpoints:
public: {get_param: [EndpointMap, CinderV3Public, uri]}
internal: {get_param: [EndpointMap, CinderV3Internal, uri]}
admin: {get_param: [EndpointMap, CinderV3Admin, uri]}
users:
cinderv3:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev3'
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone_resources_managed: false
- cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
@ -185,17 +223,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_cinder_api:
- {get_param: CinderApiLoggingSource}
keystone:
cinder::keystone::auth::tenant: 'service'
cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]}
cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]}
cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]}
cinder::keystone::auth::password: {get_param: CinderPassword}
cinder::keystone::auth::region: {get_param: KeystoneRegion}
cinder::keystone::auth::roles: ['admin', 'service']
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
@ -413,3 +440,20 @@ outputs:
when:
- step|int == 8
- is_bootstrap_node|bool
external_deploy_tasks:
- name: Manage Cinder Volume Type
become: true
vars:
default_volume_type: {get_param: CinderDefaultVolumeType}
environment:
OS_CLOUD: {get_param: RootStackName}
when:
- step|int == 5
- not ansible_check_mode|bool
shell: |
if ! openstack volume type show "{{ default_volume_type }}"; then
openstack volume type create --public "{{ default_volume_type }}"
fi
args:
executable: /bin/bash
changed_when: false
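Review bot: In the new `Manage Cinder Volume Type` task the Heat parameter `CinderDefaultVolumeType` is interpolated straight into a bash command, and double quotes do not stop `$(...)`, backticks or an embedded `"` in the value from being interpreted by the shell; quote it on the Ansible side instead: `if ! openstack volume type show {{ default_volume_type | quote }}; then` and `openstack volume type create --public {{ default_volume_type | quote }}`. `changed_when: false` also reports the task as unchanged on the run that actually creates the type; registering the result and keying `changed_when` on the create branch keeps the play's change report honest. Separately, the `cinderv2` and `cinderv3` entries each define their own user with `roles: [admin, service]` and the same `CinderPassword`, while the removed puppet config created a single `cinder` user serving both endpoints; unless the role's schema requires one user per service (not visible here), this adds two admin accounts sharing one credential, and manila-api-container-puppet.yaml has the same pattern with `manila`/`manilav2`.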

@ -84,6 +84,17 @@ outputs:
dport:
- 9001
- 13001
keystone_resources:
designate:
endpoints:
public: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, DesignateInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, DesignateAdmin, uri_no_suffix]}
users:
designate:
password: {get_param: DesignatePassword}
region: {get_param: KeystoneRegion}
service: 'dns'
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
config_settings:
map_merge:
@ -105,13 +116,6 @@ outputs:
- {}
- designate::api::workers: {get_param: DesignateWorkers}
service_config_settings:
keystone:
designate::keystone::auth::tenant: 'service'
designate::keystone::auth::public_url: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
designate::keystone::auth::internal_url: { get_param: [ EndpointMap, DesignateInternal, uri_no_suffix ] }
designate::keystone::auth::admin_url: { get_param: [ EndpointMap, DesignateAdmin, uri_no_suffix ] }
designate::keystone::auth::password: {get_param: DesignatePassword}
designate::keystone::auth::region: {get_param: KeystoneRegion}
neutron_api:
neutron::designate::password: {get_param: NeutronPassword}
neutron::designate::url: {get_param: [EndpointMap, DesignateInternal, uri]}

@ -299,6 +299,17 @@ outputs:
dport:
- 9292
- 13292
keystone_resources:
glance:
endpoints:
public: {get_param: [EndpointMap, GlancePublic, uri]}
internal: {get_param: [EndpointMap, GlanceInternal, uri]}
admin: {get_param: [EndpointMap, GlanceAdmin, uri]}
users:
glance:
password: {get_param: GlancePassword}
region: {get_param: KeystoneRegion}
service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
@ -438,13 +449,6 @@ outputs:
- {}
- glance::api::sync_db: false
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
glance::keystone::auth::region: {get_param: KeystoneRegion}
glance::keystone::auth::tenant: 'service'
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance

@ -142,6 +142,17 @@ outputs:
dport:
- 8041
- 13041
keystone_resources:
gnocchi:
endpoints:
public: {get_param: [EndpointMap, GnocchiPublic, uri]}
internal: {get_param: [EndpointMap, GnocchiInternal, uri]}
admin: {get_param: [EndpointMap, GnocchiAdmin, uri]}
users:
gnocchi:
password: {get_param: GnocchiPassword}
region: {get_param: KeystoneRegion}
service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
@ -197,13 +208,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_gnocchi_api:
- {get_param: GnocchiApiLoggingSource}
keystone:
gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] }
gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
gnocchi::keystone::auth::password: {get_param: GnocchiPassword}
gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] }
gnocchi::keystone::auth::region: {get_param: KeystoneRegion}
gnocchi::keystone::auth::tenant: 'service'
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi

@ -105,6 +105,17 @@ outputs:
dport:
- 8000
- 13800
keystone_resources:
heat-cfn:
endpoints:
public: {get_param: [EndpointMap, HeatCfnPublic, uri]}
internal: {get_param: [EndpointMap, HeatCfnInternal, uri]}
admin: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
users:
heat-cfn:
password: {get_param: HeatPassword}
region: {get_param: KeystoneRegion}
service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
@ -145,15 +156,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api_cfn:
- {get_param: HeatApiCfnLoggingSource}
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- heat::keystone::auth_cfn::tenant: 'service'
heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api_cfn

@ -74,6 +74,10 @@ parameters:
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
HeatStackDomainAdminPassword:
description: Password for heat_stack_domain_admin user.
type: string
hidden: true
conditions:
@ -119,6 +123,26 @@ outputs:
dport:
- 8004
- 13004
keystone_resources:
heat:
endpoints:
public: {get_param: [EndpointMap, HeatPublic, uri]}
internal: {get_param: [EndpointMap, HeatInternal, uri]}
admin: {get_param: [EndpointMap, HeatAdmin, uri]}
users:
heat:
password: {get_param: HeatPassword}
heat_stack_domain_admin:
password: {get_param: HeatStackDomainAdminPassword}
roles:
- admin
domain: heat_stack
region: {get_param: KeystoneRegion}
service: 'orchestration'
roles:
- heat_stack_user
domains:
- heat_stack
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
@ -161,15 +185,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api:
- {get_param: HeatApiLoggingSource}
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- heat::keystone::auth::tenant: 'service'
heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api
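Review bot: The `heat_stack_domain_admin` entry carries `roles: - admin` and `domain: heat_stack` with nothing stating how the two relate, and the heat-base-puppet hunk drops the `heat_admin_domain`/`heat_admin_user` settings that previously made the intent explicit; whether the role grants `admin` scoped to the `heat_stack` domain or on the `service` project is decided by tripleo-keystone-resources, which is outside this change. Add a comment above the entry, e.g. `# domain admin for heat_stack only; admin must be domain-scoped, never granted on the service project`, and confirm the role behaves that way, since a project-scoped admin here would give the domain-admin account cloud-wide rights rather than authority over stack users only.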

@ -186,8 +186,3 @@ outputs:
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
service_config_settings:
keystone:
tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin'
tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost'

@ -216,10 +216,6 @@ outputs:
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
map_merge:
- get_attr: [HeatBase, role_data, service_config_settings, keystone]
- tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat

@ -203,9 +203,8 @@ outputs:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
service_config_settings:
keystone:
keystone_enable_member: true
ansible_group_vars:
keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
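Review bot: `keystone_enable_member: true` moves from `service_config_settings.keystone` to `ansible_group_vars`, but the new Keystone role invocation in keystone-container-puppet.yaml sets `tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}` and never references a `keystone_enable_member` group var, so unless the role reads it on its own (not visible here) Horizon no longer triggers creation of the member role when `KeystoneEnableMember` is left at its default. Either feed the group var into that task (`tripleo_keystone_resources_member_role_enabled: "{{ keystone_enable_member | default(false) }}"`, with the Heat param folded into the default) or drop this var and document that `KeystoneEnableMember` must be set explicitly; at minimum a comment above `ansible_group_vars:` naming the intended consumer keeps it from going stale.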

@ -105,6 +105,17 @@ outputs:
dport:
- 6385
- 13385
keystone_resources:
ironic:
endpoints:
public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
users:
ironic:
password: {get_param: IronicPassword}
region: {get_param: KeystoneRegion}
service: 'baremetal'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
@ -159,14 +170,6 @@ outputs:
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
- apache::default_vhost: false
service_config_settings:
keystone:
ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
ironic::keystone::auth::auth_name: 'ironic'
ironic::keystone::auth::password: {get_param: IronicPassword }
ironic::keystone::auth::tenant: 'service'
ironic::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic

@ -212,6 +212,17 @@ outputs:
proto: 'udp'
chain: 'OUTPUT'
dport: 547
keystone_resources:
ironic-inspector:
endpoints:
public: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
internal: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
admin: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
users:
ironic-inspector:
password: {get_param: IronicPassword}
region: {get_param: KeystoneRegion}
service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
@ -314,13 +325,6 @@ outputs:
- ironic::inspector::tftp_root: /var/lib/ironic/tftpboot
- ironic::inspector::http_root: /var/lib/ironic/httpboot
service_config_settings:
keystone:
ironic::keystone::auth_inspector::tenant: 'service'
ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector

@ -349,6 +349,7 @@ outputs:
- {}
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone_enable_member: {get_param: KeystoneEnableMember}
- keystone_resources_managed: false
- keystone::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
@ -712,6 +713,40 @@ outputs:
username: admin
identity_api_version: '3'
region_name: {get_param: KeystoneRegion}
- name: Manage Keystone resources
become: true
when:
- step|int == 4
- not ansible_check_mode|bool
block:
- name: Manage Keystone resources for OpenStack services
include_role:
name: tripleo-keystone-resources
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_service_project: 'service'
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
tripleo_keystone_resources_region: {get_param: KeystoneRegion}
tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
- name: is Keystone LDAP enabled
set_fact:
keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
- name: Set fact for tripleo_keystone_ldap_domains
set_fact:
tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
when: keystone_ldap_domain_enabled|bool
- name: Manage Keystone domains from LDAP config
when: keystone_ldap_domain_enabled|bool
include_role:
name: tripleo-keystone-resources
tasks_from: domains
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
deploy_steps_tasks:
- name: validate keystone service state
when:
@ -732,7 +767,7 @@ outputs:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain,keystone_puppet_config'
puppet_tags: 'keystone_config'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
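Review bot: The `Manage Keystone resources` block hands `AdminPassword`, every service password inside `keystone_resources` and, on the LDAP path, `KeystoneLDAPBackendConfigs` (which carries bind credentials) to `include_role` vars and `set_fact` without `no_log: true`; `set_fact` results and included-role vars can be printed on a verbose run and in failure output, so add `no_log: true` to both `set_fact` tasks and to each `include_role` task (or to the block), unless the role already masks them, which is not visible here. `tripleo_keystone_resources_service_project: 'service'` is also hard-coded for all services, while the removed octavia puppet config used `{get_param: OctaviaProjectName}` as its tenant and the new per-service schema has no project key, so the octavia user will presumably be created in `service` unless the role supports an override; either document the change or add such a key. Finally, `puppet_tags` is narrowed to `keystone_config`, dropping `keystone_domain_config`; a comment saying that domain configuration is now owned by the Ansible role (if that is the intent) would make the hand-off explicit.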

@ -99,6 +99,27 @@ outputs:
dport:
- 8786
- 13786
keystone_resources:
manila:
endpoints:
public: {get_param: [EndpointMap, ManilaV1Public, uri]}
internal: {get_param: [EndpointMap, ManilaV1Internal, uri]}
admin: {get_param: [EndpointMap, ManilaV1Admin, uri]}
users:
manila:
password: {get_param: ManilaPassword}
region: {get_param: KeystoneRegion}
service: 'share'
manilav2:
endpoints:
public: {get_param: [EndpointMap, ManilaPublic, uri]}
internal: {get_param: [EndpointMap, ManilaInternal, uri]}
admin: {get_param: [EndpointMap, ManilaAdmin, uri]}
users:
manilav2:
password: {get_param: ManilaPassword}
region: {get_param: KeystoneRegion}
service: 'sharev2'
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
config_settings:
map_merge:
@ -142,19 +163,7 @@ outputs:
- manila_workers_zero
- {}
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
service_config_settings:
map_merge:
- get_attr: [ManilaBase, role_data, service_config_settings]
- keystone:
manila::keystone::auth::tenant: 'service'
manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]}
manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]}
manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]}
manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]}
manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]}
manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
manila::keystone::auth::password: {get_param: ManilaPassword}
manila::keystone::auth::region: {get_param: KeystoneRegion}
service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: manila

@ -60,6 +60,14 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
MistralPassword:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
conditions:
mistral_workers_zero: {equals : [{get_param: MistralWorkers}, 0]}
@ -93,6 +101,17 @@ outputs:
dport:
- 8989
- 13989
keystone_resources:
mistral:
endpoints:
public: {get_param: [EndpointMap, MistralPublic, uri]}
internal: {get_param: [EndpointMap, MistralInternal, uri]}
admin: {get_param: [EndpointMap, MistralAdmin, uri]}
users:
mistral:
password: {get_param: MistralPassword}
region: {get_param: KeystoneRegion}
service: 'workflowv2'
config_settings:
map_merge:
- get_attr: [MistralBase, role_data, config_settings]

@ -50,10 +50,6 @@ parameters:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NotificationDriver:
type: string
default: 'messagingv2'
@ -109,13 +105,6 @@ outputs:
- - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
- '/ec2tokens'
service_config_settings:
keystone:
mistral::keystone::auth::tenant: 'service'
mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]}
mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]}
mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]}
mistral::keystone::auth::password: {get_param: MistralPassword}
mistral::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
mistral::db::mysql::user: mistral
mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}

@ -229,6 +229,17 @@ outputs:
dport:
- 9696
- 13696
keystone_resources:
neutron:
endpoints:
public: {get_param: [EndpointMap, NeutronPublic, uri]}
internal: {get_param: [EndpointMap, NeutronInternal, uri]}
admin: {get_param: [EndpointMap, NeutronAdmin, uri]}
users:
neutron:
password: {get_param: NeutronPassword}
region: {get_param: KeystoneRegion}
service: 'network'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
@ -373,13 +384,6 @@ outputs:
rsyslog:
tripleo_logging_sources_neutron_api:
- {get_param: NeutronApiLoggingSource}
keystone:
neutron::keystone::auth::tenant: 'service'
neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]}
neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] }
neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
neutron::keystone::auth::password: {get_param: NeutronPassword}
neutron::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron

@ -151,6 +151,20 @@ outputs:
dport:
- 8774
- 13774
keystone_resources:
nova:
endpoints:
public: {get_param: [EndpointMap, NovaPublic, uri]}
internal: {get_param: [EndpointMap, NovaInternal, uri]}
admin: {get_param: [EndpointMap, NovaAdmin, uri]}
users:
nova:
roles:
- admin
- service
password: {get_param: NovaPassword}
region: {get_param: KeystoneRegion}
service: 'compute'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
config_settings:
map_merge:
@ -225,14 +239,6 @@ outputs:
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
nova::keystone::auth::roles: ['admin', 'service']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova

@ -172,13 +172,6 @@ outputs:
rsyslog:
tripleo_logging_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}

@ -98,6 +98,22 @@ outputs:
'119 novajoin':
dport:
- 9090
keystone_resources:
novajoin:
endpoints:
public: &novajoin_endpoint
str_replace:
template:
"http://%{hiera('novajoin_network')}:9090/v1/"
params:
novajoin_network: {get_param: [ServiceNetMap, NovajoinNetwork]}
internal: *novajoin_endpoint
admin: *novajoin_endpoint
users:
novajoin:
password: {get_param: NovajoinPassword}
region: {get_param: KeystoneRegion}
service: 'compute-vendordata-plugin'
config_settings:
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
@ -124,19 +140,6 @@ outputs:
nova::metadata::novajoin::authtoken::project_name: 'service'
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
service_config_settings:
keystone:
nova::metadata::novajoin::auth::tenant: 'service'
nova::metadata::novajoin::auth::password: {get_param: NovajoinPassword}
nova::metadata::novajoin::auth::region: {get_param: KeystoneRegion}
nova::metadata::novajoin::auth::configure_endpoint: true
nova::metadata::novajoin::auth::public_url: &novajoin_endpoint
str_replace:
template:
"http://%{hiera('novajoin_network')}:9090/v1/"
params:
novajoin_network: {get_param: [ServiceNetMap, NovajoinNetwork]}
nova::metadata::novajoin::auth::internal_url: *novajoin_endpoint
nova::metadata::novajoin::auth::admin_url: *novajoin_endpoint
nova_metadata: &nova_vendordata
novajoin_address: *novajoin_address
nova::vendordata::vendordata_jsonfile_path: '/etc/novajoin/cloud-config-novajoin.json'

@ -130,6 +130,17 @@ outputs:
dport:
- 9876
- 13876
keystone_resources:
octavia:
endpoints:
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
users:
octavia:
password: {get_param: OctaviaPassword}
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
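Review bot: The new `users: octavia:` entry carries no project, while the removed `octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}` bound the service user to an operator-configurable project; unless the Ansible role reads OctaviaProjectName elsewhere, that parameter is now silently ignored and the user is created in whatever project the role defaults to. If the tripleo_keystone_resources schema has a per-user project key, carry it over (something like `project: {get_param: OctaviaProjectName}`, name to confirm); otherwise mark OctaviaProjectName deprecated so deployments that isolate Octavia in its own project are not surprised by a credential landing in `service`.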
@ -185,13 +196,6 @@ outputs:
rsyslog:
tripleo_logging_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
keystone:
octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}
octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]}
octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] }
octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] }
octavia::keystone::auth::password: {get_param: OctaviaPassword}
octavia::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}

@ -115,6 +115,17 @@ outputs:
dport:
- 8778
- 13778
keystone_resources:
placement:
endpoints:
public: {get_param: [EndpointMap, PlacementPublic, uri]}
internal: {get_param: [EndpointMap, PlacementInternal, uri]}
admin: {get_param: [EndpointMap, PlacementAdmin, uri]}
users:
placement:
password: {get_param: PlacementPassword}
region: {get_param: KeystoneRegion}
service: 'placement'
config_settings:
map_merge:
- get_attr: [PlacementLogging, config_settings]
@ -173,13 +184,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_placement:
- {get_param: PlacementLoggingSource}
keystone:
placement::keystone::auth::tenant: 'service'
placement::keystone::auth::public_url: {get_param: [EndpointMap, PlacementPublic, uri]}
placement::keystone::auth::internal_url: {get_param: [EndpointMap, PlacementInternal, uri]}
placement::keystone::auth::admin_url: {get_param: [EndpointMap, PlacementAdmin, uri]}
placement::keystone::auth::password: {get_param: PlacementPassword}
placement::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement

@ -91,6 +91,17 @@ outputs:
dport:
- 8386
- 13386
keystone_resources:
sahara:
endpoints:
public: {get_param: [EndpointMap, SaharaPublic, uri]}
internal: {get_param: [EndpointMap, SaharaInternal, uri]}
admin: {get_param: [EndpointMap, SaharaAdmin, uri]}
users:
sahara:
password: {get_param: SaharaPassword}
region: {get_param: KeystoneRegion}
service: 'data-processing'
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
config_settings:
map_merge:
@ -114,13 +125,6 @@ outputs:
rsyslog:
tripleo_logging_sources_sahara_api:
- {get_param: SaharaApiLoggingSource}
keystone:
sahara::keystone::auth::tenant: 'service'
sahara::keystone::auth::public_url: {get_param: [EndpointMap, SaharaPublic, uri]}
sahara::keystone::auth::internal_url: {get_param: [EndpointMap, SaharaInternal, uri]}
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
sahara::db::mysql::password: {get_param: SaharaPassword}
sahara::db::mysql::user: sahara

@ -92,32 +92,29 @@ outputs:
step_config:
service_config_settings:
keystone:
swift::keystone::auth::public_url:
if:
- deprecated_external_public_url
- {get_param: ExternalPublicUrl}
- {get_param: ExternalSwiftPublicUrl}
swift::keystone::auth::internal_url:
if:
- deprecated_external_internal_url
- {get_param: ExternalInternalUrl}
- {get_param: ExternalSwiftInternalUrl}
swift::keystone::auth::admin_url:
if:
- deprecated_external_admin_url
- {get_param: ExternalAdminUrl}
- {get_param: ExternalSwiftAdminUrl}
swift::keystone::auth::public_url_s3: ''
swift::keystone::auth::internal_url_s3: ''
swift::keystone::auth::admin_url_s3: ''
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant}
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
keystone_resources:
swift:
endpoints:
public:
if:
- deprecated_external_public_url
- {get_param: ExternalPublicUrl}
- {get_param: ExternalSwiftPublicUrl}
internal:
if:
- deprecated_external_internal_url
- {get_param: ExternalInternalUrl}
- {get_param: ExternalSwiftInternalUrl}
admin:
if:
- deprecated_external_admin_url
- {get_param: ExternalAdminUrl}
- {get_param: ExternalSwiftAdminUrl}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- swiftoperator
- ResellerAdmin

@ -131,6 +131,20 @@ outputs:
dport:
- 8080
- 13808
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, SwiftPublic, uri]}
internal: {get_param: [EndpointMap, SwiftInternal, uri]}
admin: {get_param: [EndpointMap, SwiftAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- swiftoperator
- ResellerAdmin
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
config_settings:
map_merge:
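Review bot: `admin` is missing from the swift user's new `roles:` list: the removed `swift::keystone::auth::operator_roles` were `admin`, `swiftoperator`, `ResellerAdmin`, while the new list has only the last two. If tripleo_keystone_resources does not grant admin to every service user by default, the proxy's service credential loses that role here; if it does, the change is a no-op and a comment above `roles:` such as `# admin is granted by the Ansible role; these are additional roles` would save the next reader the same check.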
@ -253,22 +267,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
service_config_settings:
keystone:
swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
swift::keystone::auth::tenant: 'service'
swift::keystone::auth::configure_s3_endpoint: false
swift::keystone::auth::operator_roles:
- admin
- swiftoperator
- ResellerAdmin
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift

@ -80,6 +80,10 @@ parameters:
type: json
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
outputs:
role_data:
@ -100,7 +104,27 @@ outputs:
service_config_settings:
rabbitmq:
vrts_rabbitmq_passwd: {get_param: VrtsRabbitPassword}
keystone:
vrts_keystone_passwd: {get_param: VrtsKeystonePassword}
mysql:
vrts_mysql_passwd: {get_param: VrtsMysqlPassword}
keystone_resources:
hyperscale:
# Replicating what was done with Puppet manifest:
# https://github.com/vtas-hyperscale-ci/puppet-veritas_hyperscale/blob/7c7868adb027c5bcfdcb6fc9d86610470759ae28/manifests/hs_keystone.pp#L17
# Moving forward, we should have the Veritas part of EndpointMap so the service
# can live outside of the Keystone node.
endpoints:
public: &veritas_endpoint
make_url:
scheme: {get_param: [EndpointMap, KeystoneAdmin, protocol]}
host: {get_param: [EndpointMap, KeystoneAdmin, host]}
port: 8753
path: /v1/%(tenant_id)s
internal: *veritas_endpoint
admin: *veritas_endpoint
users:
hyperscale:
password: {get_param: VrtsKeystonePassword}
region: {get_param: KeystoneRegion}
service: 'infrastructure'
roles:
- infra_admin

@ -123,6 +123,27 @@ outputs:
- 8888
- 3000 #SSL for websocket
- 13888 #SSL for api
keystone_resources:
zaqar:
endpoints:
public: {get_param: [EndpointMap, ZaqarPublic, uri]}
internal: {get_param: [EndpointMap, ZaqarInternal, uri]}
admin: {get_param: [EndpointMap, ZaqarAdmin, uri]}
users:
zaqar:
password: {get_param: ZaqarPassword}
region: {get_param: KeystoneRegion}
service: 'messaging'
zaqar-websocket:
endpoints:
public: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]}
internal: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]}
admin: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]}
<