From 7f40baabcd695aa264da1a224d3badf4d498348c Mon Sep 17 00:00:00 2001 
From: Emilien Macchi
Date: Mon, 2 Dec 2019 17:08:11 -0500
Subject: [PATCH] Manage all Keystone resources with Ansible
Depends-On: I557d8f33c9c699aed14b3b6fc1d1c0407365cd08
Depends-On: Ia68f8852662fb4abbd194954a246afb740bf3f71
Change-Id: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
---
common/deploy-steps.j2 | 5 ++
common/services/role.role.j2.yaml | 11 ++++
.../aodh/aodh-api-container-puppet.yaml | 19 ++++++
deployment/aodh/aodh-base.yaml | 7 --
.../barbican-api-container-puppet.yaml | 22 +++++--
...ometer-agent-central-container-puppet.yaml | 11 ++++
.../ceilometer-base-container-puppet.yaml | 6 --
deployment/ceph-ansible/ceph-rgw.yaml | 26 +++++---
.../cinder/cinder-api-container-puppet.yaml | 66 +++++++++++++++----
.../designate-api-container-puppet.yaml | 18 +++--
.../glance/glance-api-container-puppet.yaml | 18 +++--
.../gnocchi/gnocchi-api-container-puppet.yaml | 18 +++--
.../heat/heat-api-cfn-container-puppet.yaml | 20 +++---
.../heat/heat-api-container-puppet.yaml | 33 +++++++---
deployment/heat/heat-base-puppet.yaml | 5 --
.../heat/heat-engine-container-puppet.yaml | 4 --
.../horizon/horizon-container-puppet.yaml | 5 +-
.../ironic/ironic-api-container-puppet.yaml | 19 +++---
.../ironic-inspector-container-puppet.yaml | 18 +++--
.../keystone/keystone-container-puppet.yaml | 37 ++++++++++-
.../manila/manila-api-container-puppet.yaml | 35 ++++++----
.../mistral/mistral-api-container-puppet.yaml | 19 ++++++
deployment/mistral/mistral-base.yaml | 11 ----
.../neutron/neutron-api-container-puppet.yaml | 18 +++--
.../nova/nova-api-container-puppet.yaml | 22 ++++---
.../nova/nova-metadata-container-puppet.yaml | 7 --
.../nova/novajoin-container-puppet.yaml | 29 ++++----
.../octavia/octavia-api-container-puppet.yaml | 18 +++--
.../placement-api-container-puppet.yaml | 18 +++--
.../sahara/sahara-api-container-puppet.yaml | 18 +++--
...external-swift-proxy-baremetal-puppet.yaml | 51 +++++++-------
.../swift/swift-proxy-container-puppet.yaml | 30 ++++-----
...yperscale-controller-baremetal-puppet.yaml | 28 +++++++-
deployment/zaqar/zaqar-container-puppet.yaml | 33 ++++++----
overcloud.j2.yaml | 5 ++
35 files changed, 466 insertions(+), 244 deletions(-)
diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2
index 66d2ebf4ca..f455a88ca6 100644
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@@ -218,6 +218,10 @@ parameters:
default: []
description: List of VIP (virtual IP) hosts entries to be appended to /etc/hosts
type: comma_delimited_list
+ KeystoneResourcesConfigs:
+ description: The keystone resources config.
+ type: json
+ default: {}
conditions:
{% for role in enabled_roles %}
@@ -389,6 +393,7 @@ outputs:
undercloud_hosts_entries: {get_param: UndercloudHostsEntries}
extra_hosts_entries: {get_param: ExtraHostsEntries}
vip_hosts_entries: {get_param: VipHostsEntries}
+ keystone_resources: {get_param: KeystoneResourcesConfigs}
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
deploy_steps_tasks_step_0: {get_file: deploy-steps-tasks-step-0.yaml}
common_deploy_steps_tasks_step_1: {get_file: deploy-steps-tasks-step-1.yaml}
diff --git a/common/services/role.role.j2.yaml b/common/services/role.role.j2.yaml
index d99fec6f1b..0942f594f5 100644
--- a/common/services/role.role.j2.yaml
+++ b/common/services/role.role.j2.yaml
@@ -133,6 +133,16 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('global_config_settings')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
+ KeystoneResourcesConfigs:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_merge:
+ yaql:
+ expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('keystone_resources')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+
ServiceConfigSettings:
type: OS::Heat::Value
properties:
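Review bot: The new `KeystoneResourcesConfigs` parameter is `type: json` without `hidden: true`, yet the per-service hunks fill it with `users.<name>.password` values taken from parameters that are themselves marked `hidden: true` (`AodhPassword`, `CinderPassword`, `HeatStackDomainAdminPassword`, and so on). Heat only masks parameters flagged hidden when it lists a stack's parameters, so the merged catalog, service passwords included, is shown in clear wherever that listing appears. Add `hidden: true` under the parameter, next to `default: {}`. The `OS::Heat::Value` in role.role.j2.yaml that feeds it has no equivalent flag, so the parameter is the place to mask it.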
@@ -381,6 +391,7 @@ outputs:
upgrade_batch_tasks: {get_attr: [UpgradeBatchTasks, value]}
service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]}
ansible_group_vars: {get_attr: [AnsibleGroupVars, value]}
+ keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
# Keys to support docker/services
puppet_config: {get_attr: [PuppetConfig, value]}
diff --git a/deployment/aodh/aodh-api-container-puppet.yaml b/deployment/aodh/aodh-api-container-puppet.yaml
index 11fbd13c4c..baf8ba86ff 100644
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@@ -52,6 +52,14 @@ parameters:
e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ AodhPassword:
+ description: The password for the aodh services.
+ type: string
+ hidden: true
conditions:
@@ -96,6 +104,17 @@ outputs:
dport:
- 8042
- 13042
+ keystone_resources:
+ aodh:
+ endpoints:
+ public: {get_param: [EndpointMap, AodhPublic, uri]}
+ internal: {get_param: [EndpointMap, AodhInternal, uri]}
+ admin: {get_param: [EndpointMap, AodhAdmin, uri]}
+ users:
+ aodh:
+ password: {get_param: AodhPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'alarming'
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
config_settings:
map_merge:
diff --git a/deployment/aodh/aodh-base.yaml b/deployment/aodh/aodh-base.yaml
index cc9090830f..19ca2b5c78 100644
--- a/deployment/aodh/aodh-base.yaml
+++ b/deployment/aodh/aodh-base.yaml
@@ -111,13 +111,6 @@ outputs:
aodh::auth::auth_region: {get_param: KeystoneRegion}
aodh::auth::auth_tenant_name: 'service'
service_config_settings:
- keystone:
- aodh::keystone::auth::public_url: {get_param: [EndpointMap, AodhPublic, uri]}
- aodh::keystone::auth::internal_url: {get_param: [EndpointMap, AodhInternal, uri]}
- aodh::keystone::auth::admin_url: {get_param: [EndpointMap, AodhAdmin, uri]}
- aodh::keystone::auth::password: {get_param: AodhPassword}
- aodh::keystone::auth::region: {get_param: KeystoneRegion}
- aodh::keystone::auth::tenant: 'service'
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 075bb3015a..abf6d47316 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -192,6 +192,22 @@ outputs:
dport:
- 9311
- 13311
+ keystone_resources:
+ barbican:
+ endpoints:
+ public: {get_param: [EndpointMap, BarbicanPublic, uri]}
+ internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
+ admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
+ users:
+ barbican:
+ password: {get_param: BarbicanPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'key-manager'
+ roles:
+ - key-manager:service-admin
+ - creator
+ - observer
+ - audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@@ -260,12 +276,6 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
- barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
- barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
- barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
- barbican::keystone::auth::password: {get_param: BarbicanPassword}
- barbican::keystone::auth::region: {get_param: KeystoneRegion}
- barbican::keystone::auth::tenant: 'service'
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
nova_compute:
nova::compute::keymgr_backend: >
diff --git a/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
index 5244c1ff41..51fcd78db4 100644
--- a/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
@@ -52,6 +52,10 @@ parameters:
default: false
description: Whether to enable gnocchi usage.
type: boolean
+ CeilometerPassword:
+ description: The password for the ceilometer service account.
+ type: string
+ hidden: true
conditions:
ceilometer_enable_gnocchi: {equals: [{get_param: CeilometerEnableGnocchi}, True]}
@@ -77,6 +81,13 @@ outputs:
value:
service_name: ceilometer_agent_central
monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCentral}
+ keystone_resources:
+ ceilometer:
+ users:
+ ceilometer:
+ password: {get_param: CeilometerPassword}
+ roles:
+ - admin
config_settings:
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
diff --git a/deployment/ceilometer/ceilometer-base-container-puppet.yaml b/deployment/ceilometer/ceilometer-base-container-puppet.yaml
index e065408516..9786f06c73 100644
--- a/deployment/ceilometer/ceilometer-base-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-base-container-puppet.yaml
@@ -179,11 +179,5 @@ outputs:
- {}
service_config_settings:
keystone:
- ceilometer_auth_enabled: true
- # NOTE(aschultz): no endpoints since ceilometer api removal
- ceilometer::keystone::auth::configure_endpoint: false
- ceilometer::keystone::auth::password: {get_param: CeilometerPassword}
- ceilometer::keystone::auth::region: {get_param: KeystoneRegion}
- ceilometer::keystone::auth::tenant: 'service'
# Enable default notification queue
tripleo::profile::base::keystone::ceilometer_notification_topics: ["notifications"]
diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml
index 583d858188..a4ecc25d39 100644
--- a/deployment/ceph-ansible/ceph-rgw.yaml
+++ b/deployment/ceph-ansible/ceph-rgw.yaml
@@ -85,6 +85,22 @@ outputs:
- dashboard_enabled
- - '9100'
- []
+ keystone_resources:
+ swift:
+ endpoints:
+ public: {get_param: [EndpointMap, CephRgwPublic, uri]}
+ internal: {get_param: [EndpointMap, CephRgwInternal, uri]}
+ admin: {get_param: [EndpointMap, CephRgwAdmin, uri]}
+ users:
+ swift:
+ password: {get_param: SwiftPassword}
+ roles:
+ - admin
+ - member
+ region: {get_param: KeystoneRegion}
+ service: 'object-store'
+ roles:
+ - member
upgrade_tasks: []
puppet_config:
config_image: ''
@@ -107,13 +123,3 @@ outputs:
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- service_config_settings:
- keystone:
- ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
- ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
- ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
- ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
- ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
- ceph::rgw::keystone::auth::tenant: service
- ceph::rgw::keystone::auth::user: swift
- ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index 0d4097a3e1..19b411a594 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@@ -78,6 +78,9 @@ parameters:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
+ RootStackName:
+ description: The name of the stack/plan.
+ type: string
conditions:
@@ -123,11 +126,46 @@ outputs:
dport:
- 8776
- 13776
+ keystone_resources:
+ cinder:
+ users:
+ cinder:
+ password: {get_param: CinderPassword}
+ roles:
+ - admin
+ - service
+ cinderv2:
+ endpoints:
+ public: {get_param: [EndpointMap, CinderV2Public, uri]}
+ internal: {get_param: [EndpointMap, CinderV2Internal, uri]}
+ admin: {get_param: [EndpointMap, CinderV2Admin, uri]}
+ users:
+ cinderv2:
+ password: {get_param: CinderPassword}
+ roles:
+ - admin
+ - service
+ region: {get_param: KeystoneRegion}
+ service: 'volumev2'
+ cinderv3:
+ endpoints:
+ public: {get_param: [EndpointMap, CinderV3Public, uri]}
+ internal: {get_param: [EndpointMap, CinderV3Internal, uri]}
+ admin: {get_param: [EndpointMap, CinderV3Admin, uri]}
+ users:
+ cinderv3:
+ password: {get_param: CinderPassword}
+ roles:
+ - admin
+ - service
+ region: {get_param: KeystoneRegion}
+ service: 'volumev3'
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
+ - keystone_resources_managed: false
- cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
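Review bot: The `keystone_resources` map declares three users, `cinder`, `cinderv2` and `cinderv3`, each with the `admin` and `service` roles and all set to `CinderPassword`, whereas the puppet settings removed in the next hunk (`cinder::keystone::auth::roles: ['admin', 'service']`, one password, v2 and v3 URLs) provisioned a single `cinder` account serving both catalog entries. Unless something authenticates as `cinderv2` or `cinderv3`, the two extra accounts are dormant admin-role identities that share the service password and widen what a leaked `CinderPassword` can log in as. Keep `users: cinder:` as the only user and leave the `cinderv2`/`cinderv3` entries with just `endpoints`, `region` and `service`, provided the tripleo-keystone-resources catalog schema accepts a service entry without `users` (not visible here). The `manilav2` user in manila-api-container-puppet.yaml has the same shape and deserves the same check.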
@@ -185,17 +223,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_cinder_api:
- {get_param: CinderApiLoggingSource}
- keystone:
- cinder::keystone::auth::tenant: 'service'
- cinder::keystone::auth::public_url_v2: {get_param: [EndpointMap, CinderV2Public, uri]}
- cinder::keystone::auth::internal_url_v2: {get_param: [EndpointMap, CinderV2Internal, uri]}
- cinder::keystone::auth::admin_url_v2: {get_param: [EndpointMap, CinderV2Admin, uri]}
- cinder::keystone::auth::public_url_v3: {get_param: [EndpointMap, CinderV3Public, uri]}
- cinder::keystone::auth::internal_url_v3: {get_param: [EndpointMap, CinderV3Internal, uri]}
- cinder::keystone::auth::admin_url_v3: {get_param: [EndpointMap, CinderV3Admin, uri]}
- cinder::keystone::auth::password: {get_param: CinderPassword}
- cinder::keystone::auth::region: {get_param: KeystoneRegion}
- cinder::keystone::auth::roles: ['admin', 'service']
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
@@ -413,3 +440,20 @@ outputs:
when:
- step|int == 8
- is_bootstrap_node|bool
+ external_deploy_tasks:
+ - name: Manage Cinder Volume Type
+ become: true
+ vars:
+ default_volume_type: {get_param: CinderDefaultVolumeType}
+ environment:
+ OS_CLOUD: {get_param: RootStackName}
+ when:
+ - step|int == 5
+ - not ansible_check_mode|bool
+ shell: |
+ if ! openstack volume type show "{{ default_volume_type }}"; then
+ openstack volume type create --public "{{ default_volume_type }}"
+ fi
+ args:
+ executable: /bin/bash
+ changed_when: false
diff --git a/deployment/experimental/designate/designate-api-container-puppet.yaml b/deployment/experimental/designate/designate-api-container-puppet.yaml
index 42a386b785..a12cf5e753 100644
--- a/deployment/experimental/designate/designate-api-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-api-container-puppet.yaml
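Review bot: In the `Manage Cinder Volume Type` task `default_volume_type` is expanded by Jinja into a bash command line inside double quotes, so a `CinderDefaultVolumeType` value containing `"`, `$(` or a backtick alters the command rather than naming the type. Quote it through the `quote` filter instead of the shell: `if ! openstack volume type show {{ default_volume_type | quote }}; then` and `openstack volume type create --public {{ default_volume_type | quote }}`. `changed_when: false` also hides the create branch from the play recap; registering the result and keying `changed_when` on whether the create ran would make the task report what it did. Whether `become: true` is needed for a read of the `OS_CLOUD` config is not visible here; if it is only for the clouds.yaml location, a dedicated unprivileged invocation would be the smaller privilege.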
@@ -84,6 +84,17 @@ outputs:
dport:
- 9001
- 13001
+ keystone_resources:
+ designate:
+ endpoints:
+ public: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
+ internal: {get_param: [EndpointMap, DesignateInternal, uri_no_suffix]}
+ admin: {get_param: [EndpointMap, DesignateAdmin, uri_no_suffix]}
+ users:
+ designate:
+ password: {get_param: DesignatePassword}
+ region: {get_param: KeystoneRegion}
+ service: 'dns'
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
config_settings:
map_merge:
@@ -105,13 +116,6 @@ outputs:
- {}
- designate::api::workers: {get_param: DesignateWorkers}
service_config_settings:
- keystone:
- designate::keystone::auth::tenant: 'service'
- designate::keystone::auth::public_url: {get_param: [EndpointMap, DesignatePublic, uri_no_suffix]}
- designate::keystone::auth::internal_url: { get_param: [ EndpointMap, DesignateInternal, uri_no_suffix ] }
- designate::keystone::auth::admin_url: { get_param: [ EndpointMap, DesignateAdmin, uri_no_suffix ] }
- designate::keystone::auth::password: {get_param: DesignatePassword}
- designate::keystone::auth::region: {get_param: KeystoneRegion}
neutron_api:
neutron::designate::password: {get_param: NeutronPassword}
neutron::designate::url: {get_param: [EndpointMap, DesignateInternal, uri]}
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index b768744af0..aa21b5888a 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -299,6 +299,17 @@ outputs:
dport:
- 9292
- 13292
+ keystone_resources:
+ glance:
+ endpoints:
+ public: {get_param: [EndpointMap, GlancePublic, uri]}
+ internal: {get_param: [EndpointMap, GlanceInternal, uri]}
+ admin: {get_param: [EndpointMap, GlanceAdmin, uri]}
+ users:
+ glance:
+ password: {get_param: GlancePassword}
+ region: {get_param: KeystoneRegion}
+ service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
@@ -438,13 +449,6 @@ outputs:
- {}
- glance::api::sync_db: false
service_config_settings:
- keystone:
- glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
- glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
- glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
- glance::keystone::auth::password: {get_param: GlancePassword }
- glance::keystone::auth::region: {get_param: KeystoneRegion}
- glance::keystone::auth::tenant: 'service'
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 4e8bc75af4..b6380308f4 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -142,6 +142,17 @@ outputs:
dport:
- 8041
- 13041
+ keystone_resources:
+ gnocchi:
+ endpoints:
+ public: {get_param: [EndpointMap, GnocchiPublic, uri]}
+ internal: {get_param: [EndpointMap, GnocchiInternal, uri]}
+ admin: {get_param: [EndpointMap, GnocchiAdmin, uri]}
+ users:
+ gnocchi:
+ password: {get_param: GnocchiPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
@@ -197,13 +208,6 @@ outputs:
- rsyslog:
tripleo_logging_sources_gnocchi_api:
- {get_param: GnocchiApiLoggingSource}
- keystone:
- gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] }
- gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
- gnocchi::keystone::auth::password: {get_param: GnocchiPassword}
- gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] }
- gnocchi::keystone::auth::region: {get_param: KeystoneRegion}
- gnocchi::keystone::auth::tenant: 'service'
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi
diff --git a/deployment/heat/heat-api-cfn-container-puppet.yaml b/deployment/heat/heat-api-cfn-container-puppet.yaml
index 7bee00129c..088e34ceab 100644
--- a/deployment/heat/heat-api-cfn-container-puppet.yaml
+++ b/deployment/heat/heat-api-cfn-container-puppet.yaml
@@ -105,6 +105,17 @@ outputs:
dport:
- 8000
- 13800
+ keystone_resources:
+ heat-cfn:
+ endpoints:
+ public: {get_param: [EndpointMap, HeatCfnPublic, uri]}
+ internal: {get_param: [EndpointMap, HeatCfnInternal, uri]}
+ admin: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
+ users:
+ heat-cfn:
+ password: {get_param: HeatPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
@@ -145,15 +156,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api_cfn:
- {get_param: HeatApiCfnLoggingSource}
- keystone:
- map_merge:
- - get_attr: [HeatBase, role_data, service_config_settings, keystone]
- - heat::keystone::auth_cfn::tenant: 'service'
- heat::keystone::auth_cfn::public_url: {get_param: [EndpointMap, HeatCfnPublic, uri]}
- heat::keystone::auth_cfn::internal_url: {get_param: [EndpointMap, HeatCfnInternal, uri]}
- heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
- heat::keystone::auth_cfn::password: {get_param: HeatPassword}
- heat::keystone::auth_cfn::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api_cfn
diff --git a/deployment/heat/heat-api-container-puppet.yaml b/deployment/heat/heat-api-container-puppet.yaml
index bb2bc7bbd2..4eb4cfaed9 100644
--- a/deployment/heat/heat-api-container-puppet.yaml
+++ b/deployment/heat/heat-api-container-puppet.yaml
@@ -74,6 +74,10 @@ parameters:
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
+ HeatStackDomainAdminPassword:
+ description: Password for heat_stack_domain_admin user.
+ type: string
+ hidden: true
conditions:
@@ -119,6 +123,26 @@ outputs:
dport:
- 8004
- 13004
+ keystone_resources:
+ heat:
+ endpoints:
+ public: {get_param: [EndpointMap, HeatPublic, uri]}
+ internal: {get_param: [EndpointMap, HeatInternal, uri]}
+ admin: {get_param: [EndpointMap, HeatAdmin, uri]}
+ users:
+ heat:
+ password: {get_param: HeatPassword}
+ heat_stack_domain_admin:
+ password: {get_param: HeatStackDomainAdminPassword}
+ roles:
+ - admin
+ domain: heat_stack
+ region: {get_param: KeystoneRegion}
+ service: 'orchestration'
+ roles:
+ - heat_stack_user
+ domains:
+ - heat_stack
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
@@ -161,15 +185,6 @@ outputs:
rsyslog:
tripleo_logging_sources_heat_api:
- {get_param: HeatApiLoggingSource}
- keystone:
- map_merge:
- - get_attr: [HeatBase, role_data, service_config_settings, keystone]
- - heat::keystone::auth::tenant: 'service'
- heat::keystone::auth::public_url: {get_param: [EndpointMap, HeatPublic, uri]}
- heat::keystone::auth::internal_url: {get_param: [EndpointMap, HeatInternal, uri]}
- heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
- heat::keystone::auth::password: {get_param: HeatPassword}
- heat::keystone::auth::region: {get_param: KeystoneRegion}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api
diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml
index 79a381036b..05a4038171 100644
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@@ -186,8 +186,3 @@ outputs:
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
- service_config_settings:
- keystone:
- tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
- tripleo::profile::base::keystone::heat_admin_user: 'heat_stack_domain_admin'
- tripleo::profile::base::keystone::heat_admin_email: 'heat_stack_domain_admin@localhost'
diff --git a/deployment/heat/heat-engine-container-puppet.yaml b/deployment/heat/heat-engine-container-puppet.yaml
index 2b0d9495b2..e7c0830dc6 100644
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@@ -216,10 +216,6 @@ outputs:
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
- keystone:
- map_merge:
- - get_attr: [HeatBase, role_data, service_config_settings, keystone]
- - tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat
diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml
index 10e4be282a..ebccca9fd6 100644
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@@ -203,9 +203,8 @@ outputs:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
- service_config_settings:
- keystone:
- keystone_enable_member: true
+ ansible_group_vars:
+ keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index 53403420ca..20df207e05 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -105,6 +105,17 @@ outputs:
dport:
- 6385
- 13385
+ keystone_resources:
+ ironic:
+ endpoints:
+ public: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
+ internal: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
+ admin: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
+ users:
+ ironic:
+ password: {get_param: IronicPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'baremetal'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
@@ -159,14 +170,6 @@ outputs:
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
- apache::default_vhost: false
service_config_settings:
- keystone:
- ironic::keystone::auth::admin_url: {get_param: [EndpointMap, IronicAdmin, uri_no_suffix]}
- ironic::keystone::auth::internal_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
- ironic::keystone::auth::public_url: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
- ironic::keystone::auth::auth_name: 'ironic'
- ironic::keystone::auth::password: {get_param: IronicPassword }
- ironic::keystone::auth::tenant: 'service'
- ironic::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index 296a672e96..7ff03e0328 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -212,6 +212,17 @@ outputs:
proto: 'udp'
chain: 'OUTPUT'
dport: 547
+ keystone_resources:
+ ironic-inspector:
+ endpoints:
+ public: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
+ internal: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
+ admin: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
+ users:
+ ironic-inspector:
+ password: {get_param: IronicPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
@@ -314,13 +325,6 @@ outputs:
- ironic::inspector::tftp_root: /var/lib/ironic/tftpboot
- ironic::inspector::http_root: /var/lib/ironic/httpboot
service_config_settings:
- keystone:
- ironic::keystone::auth_inspector::tenant: 'service'
- ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
- ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
- ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
- ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
- ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index a2d335cd0d..9de3518b5c 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -349,6 +349,7 @@ outputs:
- {}
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone_enable_member: {get_param: KeystoneEnableMember}
+ - keystone_resources_managed: false
- keystone::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
@@ -712,6 +713,40 @@ outputs:
username: admin
identity_api_version: '3'
region_name: {get_param: KeystoneRegion}
+ - name: Manage Keystone resources
+ become: true
+ when:
+ - step|int == 4
+ - not ansible_check_mode|bool
+ block:
+ - name: Manage Keystone resources for OpenStack services
+ include_role:
+ name: tripleo-keystone-resources
+ vars:
+ tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
+ tripleo_keystone_resources_service_project: 'service'
+ tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
+ tripleo_keystone_resources_region: {get_param: KeystoneRegion}
+ tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+ tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+ tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
+ tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
+ - name: is Keystone LDAP enabled
+ set_fact:
+ keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
+ - name: Set fact for tripleo_keystone_ldap_domains
+ set_fact:
+ tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
+ when: keystone_ldap_domain_enabled|bool
+ - name: Manage Keystone domains from LDAP config
+ when: keystone_ldap_domain_enabled|bool
+ include_role:
+ name: tripleo-keystone-resources
+ tasks_from: domains
+ vars:
+ tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
+ batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
deploy_steps_tasks:
- name: validate keystone service state
when:
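Review bot: The `Manage Keystone resources for OpenStack services` task hands `tripleo_keystone_resources_admin_password` and the whole `keystone_resources` catalog, which carries every service user's `password`, to the role as plain task vars with no `no_log`, so they are printed whenever the play runs with `-v` or a task inside the role fails and dumps its invocation. Add `no_log: true` to both `include_role` tasks; if this Ansible version does not propagate `no_log` from an include into the role's own tasks, those tasks need it too, which this commit cannot show. The `Set fact for tripleo_keystone_ldap_domains` task stores `KeystoneLDAPBackendConfigs` as a fact, which presumably includes LDAP bind credentials and is exposed the same way, so that `set_fact` should be `no_log: true` as well. The `deploy_steps_tasks` list this block belongs to starts outside the hunk.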
@@ -732,7 +767,7 @@ outputs:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
- puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain,keystone_puppet_config'
+ puppet_tags: 'keystone_config'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
index 47450ff212..690c3abe5d 100644
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@@ -99,6 +99,27 @@ outputs:
dport:
- 8786
- 13786
+ keystone_resources:
+ manila:
+ endpoints:
+ public: {get_param: [EndpointMap, ManilaV1Public, uri]}
+ internal: {get_param: [EndpointMap, ManilaV1Internal, uri]}
+ admin: {get_param: [EndpointMap, ManilaV1Admin, uri]}
+ users:
+ manila:
+ password: {get_param: ManilaPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'share'
+ manilav2:
+ endpoints:
+ public: {get_param: [EndpointMap, ManilaPublic, uri]}
+ internal: {get_param: [EndpointMap, ManilaInternal, uri]}
+ admin: {get_param: [EndpointMap, ManilaAdmin, uri]}
+ users:
+ manilav2:
+ password: {get_param: ManilaPassword}
+ region: {get_param: KeystoneRegion}
+ service: 'sharev2'
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
config_settings:
map_merge:
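Review bot: The context comment `# Keystone endpoint creation occurs only on single node` above `step_3` is stale once `puppet_tags` is narrowed to `keystone_config`: the `keystone_endpoint`, `keystone_service`, `keystone_user`, `keystone_role` and `keystone_domain` tags that did the catalog work are gone from this step, and that work now happens in the `Manage Keystone resources` block of `deploy_steps_tasks` at step 4. Reword it to `# Keystone configuration only; catalog resources (services, endpoints, users, roles, domains) are managed by the tripleo-keystone-resources Ansible role at step 4` so the next reader does not look for endpoint creation in the puppet step. The `puppet_config` map this step belongs to starts outside the hunk.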
@@ -142,19 +163,7 @@ outputs:
- manila_workers_zero
- {}
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
- service_config_settings:
- map_merge:
- - get_attr: [ManilaBase, role_data, service_config_settings]
- - keystone:
- manila::keystone::auth::tenant: 'service'
- manila::keystone::auth::public_url: {get_param: [EndpointMap, ManilaV1Public, uri]}
- manila::keystone::auth::internal_url: {get_param: [EndpointMap, ManilaV1Internal, uri]}
- manila::keystone::auth::admin_url: {get_param: [EndpointMap, ManilaV1Admin, uri]}
- manila::keystone::auth::public_url_v2: {get_param: [EndpointMap, ManilaPublic, uri]}
- manila::keystone::auth::internal_url_v2: {get_param: [EndpointMap, ManilaInternal, uri]}
- manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
- manila::keystone::auth::password: {get_param: ManilaPassword}
- manila::keystone::auth::region: {get_param: KeystoneRegion}
+ service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: manila
diff --git a/deployment/mistral/mistral-api-container-puppet.yaml b/deployment/mistral/mistral-api-container-puppet.yaml
index 46b80ba75f..818104a051 100644
--- a/deployment/mistral/mistral-api-container-puppet.yaml
+++ b/deployment/mistral/mistral-api-container-puppet.yaml
@@ -60,6 +60,14 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request "origin" header.
+ MistralPassword:
+ description: The password for the Mistral service and db account, used by the Mistral services.
+ type: string
+ hidden: true
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
conditions:
mistral_workers_zero: {equals : [{get_param: MistralWorkers}, 0]}
@@ -93,6 +101,17 @@ outputs: dport: - 8989 - 13989 + keystone_resources: + mistral: + endpoints: + public: {get_param: [EndpointMap, MistralPublic, uri]} + internal: {get_param: [EndpointMap, MistralInternal, uri]} + admin: {get_param: [EndpointMap, MistralAdmin, uri]} + users: + mistral: + password: {get_param: MistralPassword} + region: {get_param: KeystoneRegion} + service: 'workflowv2' config_settings: map_merge: - get_attr: [MistralBase, role_data, config_settings] diff --git a/deployment/mistral/mistral-base.yaml b/deployment/mistral/mistral-base.yaml index a7e779730d..f6b37c1d7e 100644 --- a/deployment/mistral/mistral-base.yaml +++ b/deployment/mistral/mistral-base.yaml @@ -50,10 +50,6 @@ parameters: description: The password for the Mistral service and db account, used by the Mistral services. type: string hidden: true - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint NotificationDriver: type: string default: 'messagingv2' @@ -109,13 +105,6 @@ outputs: - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} - '/ec2tokens' service_config_settings: - keystone: - mistral::keystone::auth::tenant: 'service' - mistral::keystone::auth::public_url: {get_param: [EndpointMap, MistralPublic, uri]} - mistral::keystone::auth::internal_url: {get_param: [EndpointMap, MistralInternal, uri]} - mistral::keystone::auth::admin_url: {get_param: [EndpointMap, MistralAdmin, uri]} - mistral::keystone::auth::password: {get_param: MistralPassword} - mistral::keystone::auth::region: {get_param: KeystoneRegion} mysql: mistral::db::mysql::user: mistral mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index 04c8b84b4c..e801522863 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml 
@@ -229,6 +229,17 @@ outputs: dport: - 9696 - 13696 + keystone_resources: + neutron: + endpoints: + public: {get_param: [EndpointMap, NeutronPublic, uri]} + internal: {get_param: [EndpointMap, NeutronInternal, uri]} + admin: {get_param: [EndpointMap, NeutronAdmin, uri]} + users: + neutron: + password: {get_param: NeutronPassword} + region: {get_param: KeystoneRegion} + service: 'network' monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer} config_settings: map_merge: @@ -373,13 +384,6 @@ outputs: rsyslog: tripleo_logging_sources_neutron_api: - {get_param: NeutronApiLoggingSource} - keystone: - neutron::keystone::auth::tenant: 'service' - neutron::keystone::auth::public_url: {get_param: [EndpointMap, NeutronPublic, uri]} - neutron::keystone::auth::internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] } - neutron::keystone::auth::admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] } - neutron::keystone::auth::password: {get_param: NeutronPassword} - neutron::keystone::auth::region: {get_param: KeystoneRegion} mysql: neutron::db::mysql::password: {get_param: NeutronPassword} neutron::db::mysql::user: neutron diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml index 2c36b435e4..ac7ecd8952 100644 --- a/deployment/nova/nova-api-container-puppet.yaml +++ b/deployment/nova/nova-api-container-puppet.yaml @@ -151,6 +151,20 @@ outputs: dport: - 8774 - 13774 + keystone_resources: + nova: + endpoints: + public: {get_param: [EndpointMap, NovaPublic, uri]} + internal: {get_param: [EndpointMap, NovaInternal, uri]} + admin: {get_param: [EndpointMap, NovaAdmin, uri]} + users: + nova: + roles: + - admin + - service + password: {get_param: NovaPassword} + region: {get_param: KeystoneRegion} + service: 'compute' monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi} config_settings: map_merge: 
@@ -225,14 +239,6 @@ outputs: nova::db::mysql_api::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" - keystone: - nova::keystone::auth::tenant: 'service' - nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]} - nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]} - nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} - nova::keystone::auth::password: {get_param: NovaPassword} - nova::keystone::auth::region: {get_param: KeystoneRegion} - nova::keystone::auth::roles: ['admin', 'service'] # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml index db5d032320..2b4e8e1a7d 100644 --- a/deployment/nova/nova-metadata-container-puppet.yaml +++ b/deployment/nova/nova-metadata-container-puppet.yaml @@ -172,13 +172,6 @@ outputs: rsyslog: tripleo_logging_sources_nova_metadata: - {get_param: NovaMetadataLoggingSource} - keystone: - nova::keystone::auth::tenant: 'service' - nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]} - nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]} - nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} - nova::keystone::auth::password: {get_param: NovaPassword} - nova::keystone::auth::region: {get_param: KeystoneRegion} mysql: map_merge: - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/nova/novajoin-container-puppet.yaml index 35ddb3c380..d07a91c495 100644 --- a/deployment/nova/novajoin-container-puppet.yaml +++ b/deployment/nova/novajoin-container-puppet.yaml 
@@ -98,6 +98,22 @@ outputs: '119 novajoin': dport: - 9090 + keystone_resources: + novajoin: + endpoints: + public: &novajoin_endpoint + str_replace: + template: + "http://%{hiera('novajoin_network')}:9090/v1/" + params: + novajoin_network: {get_param: [ServiceNetMap, NovajoinNetwork]} + internal: *novajoin_endpoint + admin: *novajoin_endpoint + users: + novajoin: + password: {get_param: NovajoinPassword} + region: {get_param: KeystoneRegion} + service: 'compute-vendordata-plugin' config_settings: tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword} tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort} @@ -124,19 +140,6 @@ outputs: nova::metadata::novajoin::authtoken::project_name: 'service' nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies} service_config_settings: - keystone: - nova::metadata::novajoin::auth::tenant: 'service' - nova::metadata::novajoin::auth::password: {get_param: NovajoinPassword} - nova::metadata::novajoin::auth::region: {get_param: KeystoneRegion} - nova::metadata::novajoin::auth::configure_endpoint: true - nova::metadata::novajoin::auth::public_url: &novajoin_endpoint - str_replace: - template: - "http://%{hiera('novajoin_network')}:9090/v1/" - params: - novajoin_network: {get_param: [ServiceNetMap, NovajoinNetwork]} - nova::metadata::novajoin::auth::internal_url: *novajoin_endpoint - nova::metadata::novajoin::auth::admin_url: *novajoin_endpoint nova_metadata: &nova_vendordata novajoin_address: *novajoin_address nova::vendordata::vendordata_jsonfile_path: '/etc/novajoin/cloud-config-novajoin.json' diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml index d754883baa..44e6b819ca 100644 --- a/deployment/octavia/octavia-api-container-puppet.yaml +++ b/deployment/octavia/octavia-api-container-puppet.yaml 
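Review bot: The novajoin endpoint URL `http://%{hiera('novajoin_network')}:9090/v1/` is a hiera interpolation string, which only resolves when Puppet reads it as hieradata; the removed `service_config_settings.keystone` block in the second hunk was hieradata for the Keystone node, but `keystone_resources` now feeds the Ansible-driven resource creation, so the literal `%{hiera('novajoin_network')}` text may be registered as the catalog URL. Please confirm the consumer performs hiera lookups on these values, or resolve the host on the Heat side the way the other services do through `EndpointMap` (the veritas block in this same patch avoids hiera for exactly this reason). Separately, the same URL with a plain `http://` scheme is reused for the public endpoint; that is pre-existing, but a one-line comment noting that novajoin is registered without TLS would help the next reader.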
@@ -130,6 +130,17 @@ outputs: dport: - 9876 - 13876 + keystone_resources: + octavia: + endpoints: + public: {get_param: [EndpointMap, OctaviaPublic, uri]} + internal: {get_param: [EndpointMap, OctaviaInternal, uri]} + admin: {get_param: [EndpointMap, OctaviaAdmin, uri]} + users: + octavia: + password: {get_param: OctaviaPassword} + region: {get_param: KeystoneRegion} + service: 'load-balancer' monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} config_settings: map_merge: @@ -185,13 +196,6 @@ outputs: rsyslog: tripleo_logging_sources_octavia_api: - {get_param: OctaviaApiLoggingSource} - keystone: - octavia::keystone::auth::tenant: {get_param: OctaviaProjectName} - octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]} - octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] } - octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] } - octavia::keystone::auth::password: {get_param: OctaviaPassword} - octavia::keystone::auth::region: {get_param: KeystoneRegion} mysql: octavia::db::mysql::password: {get_param: OctaviaPassword} octavia::db::mysql::user: {get_param: OctaviaUserName} diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml index e24f5c6bf1..08c3b8b3e7 100644 --- a/deployment/placement/placement-api-container-puppet.yaml +++ b/deployment/placement/placement-api-container-puppet.yaml @@ -115,6 +115,17 @@ outputs: dport: - 8778 - 13778 + keystone_resources: + placement: + endpoints: + public: {get_param: [EndpointMap, PlacementPublic, uri]} + internal: {get_param: [EndpointMap, PlacementInternal, uri]} + admin: {get_param: [EndpointMap, PlacementAdmin, uri]} + users: + placement: + password: {get_param: PlacementPassword} + region: {get_param: KeystoneRegion} + service: 'placement' config_settings: map_merge: - get_attr: [PlacementLogging, config_settings] 
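Review bot: The new `octavia` user definition carries no project, while the removed `octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}` in the second hunk placed the service user in the operator-configurable `OctaviaProjectName` project; after this change that parameter presumably stops affecting the Keystone user, and a deployment that sets it to a non-default project would have Octavia's own credentials scoped to a project the user was never created in. Either carry the project through — e.g. `project: {get_param: OctaviaProjectName}` under `users.octavia`, if the consumer supports a per-user project — or document at the parameter that it now only affects the Octavia-side configuration. The default-project behaviour is an assumption, since the consumer's schema is not visible in this diff.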
@@ -173,13 +184,6 @@ outputs: - rsyslog: tripleo_logging_sources_placement: - {get_param: PlacementLoggingSource} - keystone: - placement::keystone::auth::tenant: 'service' - placement::keystone::auth::public_url: {get_param: [EndpointMap, PlacementPublic, uri]} - placement::keystone::auth::internal_url: {get_param: [EndpointMap, PlacementInternal, uri]} - placement::keystone::auth::admin_url: {get_param: [EndpointMap, PlacementAdmin, uri]} - placement::keystone::auth::password: {get_param: PlacementPassword} - placement::keystone::auth::region: {get_param: KeystoneRegion} mysql: placement::db::mysql::password: {get_param: PlacementPassword} placement::db::mysql::user: placement diff --git a/deployment/sahara/sahara-api-container-puppet.yaml b/deployment/sahara/sahara-api-container-puppet.yaml index 24a3ba1c33..543397339a 100644 --- a/deployment/sahara/sahara-api-container-puppet.yaml +++ b/deployment/sahara/sahara-api-container-puppet.yaml @@ -91,6 +91,17 @@ outputs: dport: - 8386 - 13386 + keystone_resources: + sahara: + endpoints: + public: {get_param: [EndpointMap, SaharaPublic, uri]} + internal: {get_param: [EndpointMap, SaharaInternal, uri]} + admin: {get_param: [EndpointMap, SaharaAdmin, uri]} + users: + sahara: + password: {get_param: SaharaPassword} + region: {get_param: KeystoneRegion} + service: 'data-processing' monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi} config_settings: map_merge: 
@@ -114,13 +125,6 @@ outputs: rsyslog: tripleo_logging_sources_sahara_api: - {get_param: SaharaApiLoggingSource} - keystone: - sahara::keystone::auth::tenant: 'service' - sahara::keystone::auth::public_url: {get_param: [EndpointMap, SaharaPublic, uri]} - sahara::keystone::auth::internal_url: {get_param: [EndpointMap, SaharaInternal, uri]} - sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]} - sahara::keystone::auth::password: {get_param: SaharaPassword } - sahara::keystone::auth::region: {get_param: KeystoneRegion} mysql: sahara::db::mysql::password: {get_param: SaharaPassword} sahara::db::mysql::user: sahara diff --git a/deployment/swift/external-swift-proxy-baremetal-puppet.yaml b/deployment/swift/external-swift-proxy-baremetal-puppet.yaml index 07550be067..1e92990252 100644 --- a/deployment/swift/external-swift-proxy-baremetal-puppet.yaml +++ b/deployment/swift/external-swift-proxy-baremetal-puppet.yaml 
@@ -92,32 +92,29 @@ outputs: step_config: - service_config_settings: - keystone: - swift::keystone::auth::public_url: - if: - - deprecated_external_public_url - - {get_param: ExternalPublicUrl} - - {get_param: ExternalSwiftPublicUrl} - swift::keystone::auth::internal_url: - if: - - deprecated_external_internal_url - - {get_param: ExternalInternalUrl} - - {get_param: ExternalSwiftInternalUrl} - swift::keystone::auth::admin_url: - if: - - deprecated_external_admin_url - - {get_param: ExternalAdminUrl} - - {get_param: ExternalSwiftAdminUrl} - swift::keystone::auth::public_url_s3: '' - swift::keystone::auth::internal_url_s3: '' - swift::keystone::auth::admin_url_s3: '' - swift::keystone::auth::password: {get_param: SwiftPassword} - swift::keystone::auth::region: {get_param: KeystoneRegion} - swift::keystone::auth::tenant: {get_param: ExternalSwiftUserTenant} - swift::keystone::auth::configure_s3_endpoint: false - swift::keystone::auth::operator_roles: - - admin + keystone_resources: + swift: + endpoints: + public: + if: + - deprecated_external_public_url + - {get_param: ExternalPublicUrl} + - {get_param: ExternalSwiftPublicUrl} + internal: + if: + - deprecated_external_internal_url + - {get_param: ExternalInternalUrl} + - {get_param: ExternalSwiftInternalUrl} + admin: + if: + - deprecated_external_admin_url + - {get_param: ExternalAdminUrl} + - {get_param: ExternalSwiftAdminUrl} + users: + swift: + password: {get_param: SwiftPassword} + region: {get_param: KeystoneRegion} + service: 'object-store' + roles: - swiftoperator - ResellerAdmin - diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml index 324a1df184..959e82d496 100644 --- a/deployment/swift/swift-proxy-container-puppet.yaml +++ b/deployment/swift/swift-proxy-container-puppet.yaml 
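Review bot: `ExternalSwiftUserTenant`, which the removed `swift::keystone::auth::tenant` used to place the swift user in, no longer appears anywhere in the new `keystone_resources.swift.users.swift` definition, so the parameter silently loses effect and the user is created in whatever project the consumer defaults to; this template exists for proxies living in another deployment, where a non-default project is plausible. Carry it through (e.g. `project: {get_param: ExternalSwiftUserTenant}` under the user, if supported) or deprecate the parameter explicitly rather than leaving it dangling. The role list also changed shape: `admin` was in the old `operator_roles` list and is absent from the new `roles`, so please confirm the swift user still ends up with the roles the proxy needs, and since `ResellerAdmin` grants cross-account access in Swift, a short comment on why the service user needs it would help reviewers.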
@@ -131,6 +131,20 @@ outputs: dport: - 8080 - 13808 + keystone_resources: + swift: + endpoints: + public: {get_param: [EndpointMap, SwiftPublic, uri]} + internal: {get_param: [EndpointMap, SwiftInternal, uri]} + admin: {get_param: [EndpointMap, SwiftAdmin, uri]} + users: + swift: + password: {get_param: SwiftPassword} + region: {get_param: KeystoneRegion} + service: 'object-store' + roles: + - swiftoperator + - ResellerAdmin monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy} config_settings: map_merge: @@ -253,22 +267,6 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} - service_config_settings: - keystone: - swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]} - swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]} - swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]} - swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]} - swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]} - swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]} - swift::keystone::auth::password: {get_param: SwiftPassword} - swift::keystone::auth::region: {get_param: KeystoneRegion} - swift::keystone::auth::tenant: 'service' - swift::keystone::auth::configure_s3_endpoint: false - swift::keystone::auth::operator_roles: - - admin - - swiftoperator - - ResellerAdmin # BEGIN DOCKER SETTINGS puppet_config: config_volume: swift diff --git a/deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml b/deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml index db10777c44..cf59e9dc58 100644 --- a/deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml +++ b/deployment/veritas-hyperscale/veritas-hyperscale-controller-baremetal-puppet.yaml 
@@ -80,6 +80,10 @@ parameters: type: json description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint outputs: role_data: @@ -100,7 +104,27 @@ outputs: service_config_settings: rabbitmq: vrts_rabbitmq_passwd: {get_param: VrtsRabbitPassword} - keystone: - vrts_keystone_passwd: {get_param: VrtsKeystonePassword} mysql: vrts_mysql_passwd: {get_param: VrtsMysqlPassword} + keystone_resources: + hyperscale: + # Replicating what was done with Puppet manifest: + # https://github.com/vtas-hyperscale-ci/puppet-veritas_hyperscale/blob/7c7868adb027c5bcfdcb6fc9d86610470759ae28/manifests/hs_keystone.pp#L17 + # Moving forward, we should have the Veritas part of EndpointMap so the service + # can live outside of the Keystone node. + endpoints: + public: &veritas_endpoint + make_url: + scheme: {get_param: [EndpointMap, KeystoneAdmin, protocol]} + host: {get_param: [EndpointMap, KeystoneAdmin, host]} + port: 8753 + path: /v1/%(tenant_id)s + internal: *veritas_endpoint + admin: *veritas_endpoint + users: + hyperscale: + password: {get_param: VrtsKeystonePassword} + region: {get_param: KeystoneRegion} + service: 'infrastructure' + roles: + - infra_admin diff --git a/deployment/zaqar/zaqar-container-puppet.yaml b/deployment/zaqar/zaqar-container-puppet.yaml index ce7e40f3ae..92dee6c913 100644 --- a/deployment/zaqar/zaqar-container-puppet.yaml +++ b/deployment/zaqar/zaqar-container-puppet.yaml 
@@ -123,6 +123,27 @@ outputs: - 8888 - 3000 #SSL for websocket - 13888 #SSL for api + keystone_resources: + zaqar: + endpoints: + public: {get_param: [EndpointMap, ZaqarPublic, uri]} + internal: {get_param: [EndpointMap, ZaqarInternal, uri]} + admin: {get_param: [EndpointMap, ZaqarAdmin, uri]} + users: + zaqar: + password: {get_param: ZaqarPassword} + region: {get_param: KeystoneRegion} + service: 'messaging' + zaqar-websocket: + endpoints: + public: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]} + internal: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]} + admin: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]} + users: + zaqar-websocket: + password: {get_param: ZaqarPassword} + region: {get_param: KeystoneRegion} + service: 'messaging-websocket' config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] @@ -221,18 +242,6 @@ outputs: service_config_settings: map_merge: - keystone: - zaqar::keystone::auth::password: {get_param: ZaqarPassword} - zaqar::keystone::auth::public_url: {get_param: [EndpointMap, ZaqarPublic, uri]} - zaqar::keystone::auth::admin_url: {get_param: [EndpointMap, ZaqarAdmin, uri]} - zaqar::keystone::auth::internal_url: {get_param: [EndpointMap, ZaqarInternal, uri]} - zaqar::keystone::auth::region: {get_param: KeystoneRegion} - zaqar::keystone::auth::tenant: 'service' - zaqar::keystone::auth_websocket::password: {get_param: ZaqarPassword} - zaqar::keystone::auth_websocket::public_url: {get_param: [EndpointMap, ZaqarWebSocketPublic, uri]} - zaqar::keystone::auth_websocket::admin_url: {get_param: [EndpointMap, ZaqarWebSocketAdmin, uri]} - zaqar::keystone::auth_websocket::internal_url: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri]} - zaqar::keystone::auth_websocket::region: {get_param: KeystoneRegion} - zaqar::keystone::auth_websocket::tenant: 'service' zaqar::keystone::trust::password: {get_param: ZaqarPassword} zaqar::keystone::trust::user_domain_name: 'Default' - 
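Review bot: `zaqar-websocket` gets its own Keystone user with the same `ZaqarPassword` as `zaqar`; the removed block did pass a password and tenant to `zaqar::keystone::auth_websocket`, so whether the old code created a second user depends on that class's defaults, but nothing in this hunk authenticates as `zaqar-websocket`, and the `zaqar::keystone::trust::password` line kept below still targets the primary user. Two accounts sharing one password widen the exposure of that credential for no visible benefit, so I'd drop the `users:` sub-block under `zaqar-websocket` and keep only its `endpoints`, `region` and `service: 'messaging-websocket'`, unless the consumer requires a user per service (not visible here — please confirm).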
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index 3124d2c786..cdd2cc0e91 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -1130,6 +1130,11 @@ resources: - add_vips_to_etc_hosts - {get_attr: [VipHosts, value]} - '' + KeystoneResourcesConfigs: + map_merge: +{% for role in roles %} + - get_attr: [{{role.name}}ServiceChainRoleData, value, keystone_resources] +{% endfor %} outputs: ManagedEndpoints: