openstack/tripleo-heat-templates
Code Issues Proposed changes

Simplify keystone, iscsid service templates

Browse Source 
Change-Id: I9f6a630ce31e63d222c32eee9ab4a0156aa2bbe3
This commit is contained in:
ramishra 2021-04-26 09:30:24 +05:30
parent 03213d643e
commit b7f0e066e2
2 changed files with 64 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
deployment/iscsid/iscsid-container-puppet.yaml
View File

@ -68,7 +68,6 @@ parameters:
type: string
resources:
ContainersCommon:
type: ../containers-common.yaml
@ -142,8 +141,7 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
- /dev/:/dev/
- /run/:/run/
- /sys:/sys

179
deployment/keystone/keystone-container-puppet.yaml
View File

@ -363,7 +363,6 @@ parameters:
type: string
resources:
ContainersCommon:
type: ../containers-common.yaml
@ -384,7 +383,6 @@ resources:
type: OS::TripleO::Services::Logging::Keystone
conditions:
public_tls_enabled:
and:
- {get_param: EnablePublicTLS}
@ -393,14 +391,8 @@ conditions:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
- {get_param: PublicSSLCertificateAutogenerated}
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
nontls_cache_enabled:
and:
- {get_param: EnableCache}
@ -409,8 +401,6 @@ conditions:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Security compliance
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
@ -421,7 +411,7 @@ conditions:
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}}
outputs:
role_data:
@ -438,10 +428,8 @@ outputs:
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
-
if:
- cors_allowed_origin_unset
- {}
- if:
- cors_allowed_origin_set
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone::database_connection:
make_url:
@ -452,17 +440,14 @@ outputs:
path: /keystone
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: keystone
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: keystone
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
keystone::token_expiration: {get_param: TokenExpiration}
keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
@ -533,110 +518,80 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-
keystone::cache::enabled: {get_param: EnableCache}
- keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- if:
- tls_cache_enabled
- keystone::cache::backend: 'dogpile.cache.pymemcache'
keystone::token_caching: true
- keystone::cache::backend: 'dogpile.cache.memcached'
-
if:
- keystone_federation_enabled
-
keystone_federation_enabled: True
- if:
- {get_param: KeystoneFederationEnable}
- keystone_federation_enabled: True
keystone::federation::trusted_dashboards:
get_param: KeystoneTrustedDashboards
- {}
-
if:
- keystone_openidc_enabled
-
map_merge:
- keystone_openidc_enabled: True
keystone::federation::openidc::methods:
get_param: KeystoneAuthMethods
keystone::federation::openidc::keystone_url:
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
keystone::federation::openidc::idp_name:
get_param: KeystoneOpenIdcIdpName
keystone::federation::openidc::openidc_provider_metadata_url:
get_param: KeystoneOpenIdcProviderMetadataUrl
keystone::federation::openidc::openidc_client_id:
get_param: KeystoneOpenIdcClientId
keystone::federation::openidc::openidc_client_secret:
get_param: KeystoneOpenIdcClientSecret
keystone::federation::openidc::openidc_crypto_passphrase:
get_param: KeystoneOpenIdcCryptoPassphrase
keystone::federation::openidc::openidc_response_type:
get_param: KeystoneOpenIdcResponseType
keystone::federation::openidc::remote_id_attribute:
get_param: KeystoneOpenIdcRemoteIdAttribute
keystone::federation::openidc::openidc_enable_oauth:
get_param: KeystoneOpenIdcEnableOAuth
keystone::federation::openidc::openidc_introspection_endpoint:
get_param: KeystoneOpenIdcIntrospectionEndpoint
-
if:
- if:
- {get_param: KeystoneOpenIdcEnable}
- keystone_openidc_enabled: True
keystone::federation::openidc::methods:
get_param: KeystoneAuthMethods
keystone::federation::openidc::keystone_url:
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
keystone::federation::openidc::idp_name:
get_param: KeystoneOpenIdcIdpName
keystone::federation::openidc::openidc_provider_metadata_url:
get_param: KeystoneOpenIdcProviderMetadataUrl
keystone::federation::openidc::openidc_client_id:
get_param: KeystoneOpenIdcClientId
keystone::federation::openidc::openidc_client_secret:
get_param: KeystoneOpenIdcClientSecret
keystone::federation::openidc::openidc_crypto_passphrase:
get_param: KeystoneOpenIdcCryptoPassphrase
keystone::federation::openidc::openidc_response_type:
get_param: KeystoneOpenIdcResponseType
keystone::federation::openidc::remote_id_attribute:
get_param: KeystoneOpenIdcRemoteIdAttribute
keystone::federation::openidc::openidc_enable_oauth:
get_param: KeystoneOpenIdcEnableOAuth
keystone::federation::openidc::openidc_introspection_endpoint:
get_param: KeystoneOpenIdcIntrospectionEndpoint
keystone::federation::openidc::openidc_cache_type:
if:
- nontls_cache_enabled
- keystone::federation::openidc::openidc_cache_type: 'memcache'
- {}
- {}
-
if:
- keystone_ldap_domain_enabled
-
tripleo::profile::base::keystone::ldap_backend_enable: True
- 'memcache'
- if:
- {get_param: KeystoneLDAPDomainEnable}
- tripleo::profile::base::keystone::ldap_backend_enable: True
keystone::using_domain_config: True
tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs
- {}
-
if:
- if:
- change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
- {}
-
if:
- if:
- disable_user_account_days_inactive_set
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
- {}
-
if:
- if:
- lockout_duration_set
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
- {}
-
if:
- if:
- lockout_failure_attempts_set
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
- {}
-
if:
- if:
- minimum_password_age_set
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
- {}
-
if:
- if:
- password_expires_days_set
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
- {}
-
if:
- if:
- password_regex_set
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
- {}
-
if:
- if:
- password_regex_description_set
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
- {}
-
if:
- if:
- unique_last_password_count_set
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
- {}
- apache::default_vhost: false
- get_attr: [KeystoneLogging, config_settings]
service_config_settings:
@ -658,11 +613,9 @@ outputs:
keystone::admin_password: {get_param: AdminPassword}
horizon:
if:
- keystone_ldap_domain_enabled
-
horizon::keystone_multidomain_support: true
- {get_param: KeystoneLDAPDomainEnable}
- horizon::keystone_multidomain_support: true
horizon::keystone_default_domain: 'Default'
- {}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: keystone
@ -722,18 +675,13 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /etc/openldap:/etc/openldap:ro
- - /etc/openldap:/etc/openldap:ro
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- []
- if:
- internal_tls_enabled
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- []
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
map_merge:
- {get_attr: [KeystoneLogging, environment]}
@ -783,8 +731,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS