Reintroduce keystone_cron container

This patch reintroduces the keystone_cron container, which was previously
removed when the useless token_flush cron job was removed, so that we can
run the trust_flush cron job to purge expired or soft-deleted trusts from
the keystone database.

Depends-on: https://review.opendev.org/#/c/739378/
Depends-on: https://review.opendev.org/#/c/739382/
Change-Id: I4ad67c82d770e39becca0b61693d07cef1f1fff8
Takashi Kajinami 2020-07-06 09:10:30 +09:00
parent cada48fc30
commit 9e6893cb86
2 changed files with 109 additions and 0 deletions

@ -175,6 +175,56 @@ parameters:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
KeystoneEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Keystone database.
type: boolean
KeystoneCronTrustFlushEnsure:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Ensure
default: 'present'
KeystoneCronTrustFlushMinute:
type: comma_delimited_list
description: >
Cron to purge expired or soft-deleted trusts - Minute
default: '1'
KeystoneCronTrustFlushHour:
type: comma_delimited_list
description: >
Cron to purge expired or soft-deleted trusts - Hour
default: '*'
KeystoneCronTrustFlushMonthday:
type: comma_delimited_list
description: >
Cron to purge expired or soft-deleted trusts - Month Day
default: '*'
KeystoneCronTrustFlushMonth:
type: comma_delimited_list
description: >
Cron to purge expired or soft-deleted trusts - Month
default: '*'
KeystoneCronTrustFlushWeekday:
type: comma_delimited_list
description: >
Cron to purge expired or soft-deleted trusts - Week Day
default: '*'
KeystoneCronTrustFlushMaxDelay:
type: number
description: >
Cron to purge expired or soft-deleted trusts - Max Delay
default: 0
KeystoneCronTrustFlushDestination:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Log destination
default: '/var/log/keystone/keystone-trustflush.log'
KeystoneCronTrustFlushUser:
type: string
description: >
Cron to purge expired or soft-deleted trusts - User
default: 'keystone'
KeystoneChangePasswordUponFirstUse:
type: string
default: ''
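Review bot: KeystoneCronTrustFlushEnsure is a free-form string with default 'present' and no constraints, so nothing in the template rejects a mistyped value; consider adding a constraints entry with allowed_values limited to present and absent. The schedule parameters from KeystoneCronTrustFlushMinute through KeystoneCronTrustFlushWeekday are typed comma_delimited_list but take scalar defaults ('1', '*'), and their descriptions do not say how a multi-value list is interpreted; one sentence per description would settle that. The KeystoneEnableDBPurge description speaks of "soft deleted rows" in general while every other new parameter speaks of expired or soft-deleted trusts, so the wording should be aligned with what the job actually purges.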
@ -427,6 +477,16 @@ outputs:
keystone::notification_driver: {get_param: NotificationDriver}
keystone::notification_format: {get_param: KeystoneNotificationFormat}
tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
keystone::cron::trust_flush::ensure: {get_param: KeystoneCronTrustFlushEnsure}
keystone::cron::trust_flush::minute: {get_param: KeystoneCronTrustFlushMinute}
keystone::cron::trust_flush::hour: {get_param: KeystoneCronTrustFlushHour}
keystone::cron::trust_flush::monthday: {get_param: KeystoneCronTrustFlushMonthday}
keystone::cron::trust_flush::month: {get_param: KeystoneCronTrustFlushMonth}
keystone::cron::trust_flush::weekday: {get_param: KeystoneCronTrustFlushWeekday}
keystone::cron::trust_flush::maxdelay: {get_param: KeystoneCronTrustFlushMaxDelay}
keystone::cron::trust_flush::destination: {get_param: KeystoneCronTrustFlushDestination}
keystone::cron::trust_flush::user: {get_param: KeystoneCronTrustFlushUser}
keystone::rabbit_heartbeat_timeout_threshold: 60
keystone::config::keystone_config:
ec2/driver:
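Review bot: the relationship between keystone_enable_db_purge and keystone::cron::trust_flush::ensure is not documented here, and both are emitted unconditionally. With KeystoneEnableDBPurge set to false and KeystoneCronTrustFlushEnsure left at 'present', a reader of this hunk cannot tell whether the cron entry is created; please state in the parameter descriptions which setting takes precedence. The key keystone_enable_db_purge is also the only un-namespaced hiera key among its neighbours (keystone::..., tripleo::profile::...), so a short comment naming its consumer would help.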
@ -635,6 +695,15 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/keystone_cron.json:
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
# args for the keystone container to -DFOREGROUND
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
docker_config:
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
step_2:
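Review bot: the FIXME(dprince) comment on keystone_cron.json talks about Kolla hardcoding the keystone container args to -DFOREGROUND, which does not match the command directly below it (/usr/sbin/crond -n). If the command in this JSON really is unused for the cron container, the comment should say why in terms of this container; otherwise it should be dropped so that the file does not carry a misleading note.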
@ -696,6 +765,25 @@ outputs:
OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion}
keystone_cron:
start_order: 4
image: *keystone_image
user: root
net: host
privileged: false
restart: always
healthcheck:
test: '/usr/share/openstack-tripleo-common/healthcheck/cron keystone'
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
step_4:
# There are cases where we need to refresh keystone after the resource provisioning,
# such as the case of using LDAP backends for domains. So we trigger a graceful

@ -0,0 +1,21 @@
---
features:
- |
The keystone_cron container was reintroduced to run trust_flush job, which
removes expired or soft-deleted trusts from keystone database.
- |
The KeystoneEnableDBPurge parameter was readded, to enable or disable
purge job for Keystone.
- |
The following parameters were added, to configure parameters about
trust_flush cron job.
- ``KeystoneCronTrustFlushEnsure``
- ``KeystoneCronTrustFlushMinute``
- ``KeystoneCronTrustFlushHour``
- ``KeystoneCronTrustFlushMonthday``
- ``KeystoneCronTrustFlushMonth``
- ``KeystoneCronTrustFlushWeekday``
- ``KeystoneCronTrustFlushMaxDelay``
- ``KeystoneCronTrustFlushDestination``
- ``KeystoneCronTrustFlushUser``
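Review bot: the release note lists the new parameters but does not tell operators that the purge is on by default (KeystoneEnableDBPurge defaults to true) or when it runs (the defaults are minute '1' with '*' for hour, month day, month and week day). Since the change reintroduces a container, an upgrade entry mentioning that keystone_cron will appear on existing deployments would also be useful. Minor wording: "readded" reads better as "re-added".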