Browse Source

Merge "Flatten Keystone service configuration"

changes/77/629777/1
Zuul 3 years ago committed by Gerrit Code Review
parent
commit
f1ce0b106b
  1. 344
      deployment/keystone/keystone-container-puppet.yaml
  2. 321
      docker/services/keystone.yaml
  3. 2
      environments/baremetal-services.yaml
  4. 2
      environments/docker-uc-light.yaml
  5. 2
      overcloud-resource-registry-puppet.j2.yaml
  6. 4
      releasenotes/notes/drop-baremetal-keystone-000a4babb7f8ef60.yaml
  7. 2
      sample-env-generator/openidc.yaml

344
puppet/services/keystone.yaml → deployment/keystone/keystone-container-puppet.yaml

@ -1,9 +1,63 @@
heat_template_version: rocky
description: >
OpenStack Keystone service configured with Puppet
OpenStack containerized Keystone service
parameters:
DockerKeystoneImage:
description: image
type: string
DockerKeystoneConfigImage:
description: The container image to use for the keystone config_volume
type: string
KeystoneLoggingSource:
type: json
default:
tag: openstack.keystone
path: /var/log/containers/keystone/keystone.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
EnableInternalTLS:
type: boolean
default: false
UpgradeRemoveUnusedPackages:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
KeystoneEnableDBPurge:
default: true
description: |
@ -18,10 +72,6 @@ parameters:
description: Keystone key for signing tokens.
type: string
hidden: true
KeystoneNotificationDriver:
description: Comma-separated list of Oslo notification drivers used by Keystone
default: ['messaging']
type: comma_delimited_list
KeystoneNotificationFormat:
description: The Keystone notification format
default: 'basic'
@ -36,38 +86,6 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
Debug:
type: boolean
default: false
@ -83,10 +101,6 @@ parameters:
description: The email for the keystone admin account.
type: string
hidden: true
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
AdminToken:
description: The keystone auth secret and db password.
type: string
@ -126,14 +140,6 @@ parameters:
KeystoneCredential1:
type: string
description: The second Keystone credential key. Must be a valid key.
KeystoneFernetKey0:
type: string
default: ''
description: (DEPRECATED) The first Keystone fernet key. Must be a valid key.
KeystoneFernetKey1:
type: string
default: ''
description: (DEPRECATED) The second Keystone fernet key. Must be a valid key.
KeystoneFernetKeys:
type: json
description: Mapping containing keystone's fernet keys and their paths.
@ -153,35 +159,32 @@ parameters:
type: json
default:
tag: openstack.keystone
path: /var/log/keystone/keystone.log
path: /var/log/containers/keystone/keystone.log
KeystoneErrorLoggingSource:
type: json
default:
tag: openstack.keystone.error
path: /var/log/httpd/keystone/error_log
path: /var/log/containers/httpd/keystone/error_log
KeystoneAdminAccessLoggingSource:
type: json
default:
tag: openstack.keystone.admin.access
path: /var/log/httpd/keystone/keystone_wsgi_admin_access.log
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log
KeystoneAdminErrorLoggingSource:
type: json
default:
tag: openstack.keystone.admin.error
path: /var/log/httpd/keystone/keystone_wsgi_admin_error.log
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log
KeystoneMainAcccessLoggingSource:
type: json
default:
tag: openstack.keystone.main.access
path: /var/log/httpd/keystone/keystone_wsgi_main_access.log
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log
KeystoneMainErrorLoggingSource:
type: json
default:
tag: openstack.keystone.wsgi.main.error
path: /var/log/httpd/keystone/keystone_wsgi_main_error.log
EnableInternalTLS:
type: boolean
default: false
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log
KeystoneCronTokenFlushEnsure:
type: string
description: >
@ -365,22 +368,16 @@ parameters:
Attribute to be used to obtain the entity ID of the Identity Provider
from the environment.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- KeystoneFernetKey0
- KeystoneFernetKey1
- KeystoneNotificationDriver
resources:
ContainersCommon:
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../../puppet/services/database/mysql-client.yaml
ApacheServiceBase:
type: ./apache.yaml
type: ../../puppet/services/apache.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
@ -390,7 +387,12 @@ resources:
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
KeystoneLogging:
type: OS::TripleO::Services::Logging::Keystone
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
@ -411,7 +413,7 @@ conditions:
outputs:
role_data:
description: Role data for the Keystone role.
description: Role data for the Keystone API role.
value:
service_name: keystone
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
@ -641,9 +643,8 @@ outputs:
- unique_last_password_count_set
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
- {}
step_config: |
include ::tripleo::profile::base::keystone
- apache::default_vhost: false
- get_attr: [KeystoneLogging, config_settings]
service_config_settings:
fluentd:
tripleo_fluentd_groups_keystone:
@ -676,12 +677,191 @@ outputs:
horizon::keystone_multidomain_support: true
horizon::keystone_default_domain: 'Default'
- {}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: keystone
puppet_tags: keystone_config,keystone_domain_config
step_config:
list_join:
- "\n"
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
- |
include ::tripleo::profile::base::keystone
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
dest: "/etc/keystone/fernet-keys"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/keystone_cron.json:
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
# args for the keystone container to -DFOREGROUND
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/keystone
owner: keystone:keystone
recurse: true
docker_config:
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
step_2:
get_attr: [KeystoneLogging, docker_config, step_2]
step_3:
keystone_db_sync:
image: &keystone_image {get_param: DockerKeystoneImage}
net: host
user: root
privileged: false
detach: false
volumes: &keystone_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
list_concat:
- - KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- {get_attr: [KeystoneLogging, environment]}
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
keystone:
start_order: 2
image: *keystone_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes: *keystone_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
keystone_bootstrap:
start_order: 3
action: exec
user: root
command:
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
keystone_cron:
start_order: 4
image: *keystone_image
user: root
net: host
privileged: false
restart: always
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_4:
# There are cases where we need to refresh keystone after the resource provisioning,
# such as the case of using LDAP backends for domains. So we trigger a graceful
# restart [1], which shouldn't cause service disruption, but will reload new
# configurations for keystone.
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
keystone_refresh:
start_order: 1
action: exec
user: root
command:
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
docker_puppet_tasks:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
upgrade_tasks:
- when: step|int == 3
block:
- name: Set fact for removal of openstack-keystone package
set_fact:
remove_keystone_package: {get_param: UpgradeRemoveUnusedPackages}
- name: Remove openstack-keystone package if operator requests it
package: name=openstack-keystone state=removed
ignore_errors: True
when: remove_keystone_package|bool
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
-
- name: Stop keystone service (running under httpd)
when: step|int == 1
service: name=httpd state=stopped
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- keystone
- keystone_cron
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check for keystone running under apache
tags: common
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
ignore_errors: true
register: keystone_httpd_enabled_result
- name: Set fact keystone_httpd_enabled
set_fact:
keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
- name: Check if httpd is running
ignore_errors: True
command: systemctl is-active --quiet httpd
register: httpd_running_result
when:
- httpd_running is undefined
- name: Set fact httpd_running if undefined
set_fact:
httpd_running: "{{ httpd_running_result.rc == 0 }}"
when:
- httpd_running is undefined
- name: Stop and disable keystone (under httpd)
service: name=httpd state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- keystone_httpd_enabled|bool
- httpd_running|bool
- name: Keystone package update
package:
name: 'openstack-keystone*'
state: latest
when:
- step|int == 6
- is_bootstrap_node|bool
- name: keystone db sync
command: keystone-manage db_sync
when:
- step|int == 8
- is_bootstrap_node|bool

321
docker/services/keystone.yaml

@ -1,321 +0,0 @@
heat_template_version: rocky
description: >
OpenStack containerized Keystone service
parameters:
DockerKeystoneImage:
description: image
type: string
DockerKeystoneConfigImage:
description: The container image to use for the keystone config_volume
type: string
KeystoneLoggingSource:
type: json
default:
tag: openstack.keystone
path: /var/log/containers/keystone/keystone.log
KeystoneErrorLoggingSource:
type: json
default:
tag: openstack.keystone.error
path: /var/log/containers/httpd/keystone/error_log
KeystoneAdminAccessLoggingSource:
type: json
default:
tag: openstack.keystone.admin.access
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log
KeystoneAdminErrorLoggingSource:
type: json
default:
tag: openstack.keystone.admin.error
path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log
KeystoneMainAcccessLoggingSource:
type: json
default:
tag: openstack.keystone.main.access
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log
KeystoneMainErrorLoggingSource:
type: json
default:
tag: openstack.keystone.wsgi.main.error
path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
EnableInternalTLS:
type: boolean
default: false
UpgradeRemoveUnusedPackages:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
resources:
ContainersCommon:
type: ./containers-common.yaml
MySQLClient:
type: ../../puppet/services/database/mysql-client.yaml
KeystoneBase:
type: ../../puppet/services/keystone.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
KeystoneLogging:
type: OS::TripleO::Services::Logging::Keystone
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
description: Role data for the Keystone API role.
value:
service_name: {get_attr: [KeystoneBase, role_data, service_name]}
config_settings:
map_merge:
- get_attr: [KeystoneBase, role_data, config_settings]
- get_attr: [KeystoneLogging, config_settings]
- apache::default_vhost: false
service_config_settings:
map_merge:
- get_attr: [KeystoneBase, role_data, service_config_settings]
- fluentd:
tripleo_fluentd_groups_keystone:
- keystone
tripleo_fluentd_sources_keystone:
- {get_param: KeystoneLoggingSource}
- {get_param: KeystoneErrorLoggingSource}
- {get_param: KeystoneAdminAccessLoggingSource}
- {get_param: KeystoneAdminErrorLoggingSource}
- {get_param: KeystoneMainAcccessLoggingSource}
- {get_param: KeystoneMainErrorLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: keystone
puppet_tags: keystone_config,keystone_domain_config
step_config:
list_join:
- "\n"
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
- {get_attr: [KeystoneBase, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
dest: "/etc/keystone/fernet-keys"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/keystone_cron.json:
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
# args for the keystone container to -DFOREGROUND
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/keystone
owner: keystone:keystone
recurse: true
docker_config:
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
step_2:
get_attr: [KeystoneLogging, docker_config, step_2]
step_3:
keystone_db_sync:
image: &keystone_image {get_param: DockerKeystoneImage}
net: host
user: root
privileged: false
detach: false
volumes: &keystone_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
list_concat:
- - KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- {get_attr: [KeystoneLogging, environment]}
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
keystone:
start_order: 2
image: *keystone_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes: *keystone_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
keystone_bootstrap:
start_order: 3
action: exec
user: root
command:
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
keystone_cron:
start_order: 4
image: *keystone_image
user: root
net: host
privileged: false
restart: always
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_4:
# There are cases where we need to refresh keystone after the resource provisioning,
# such as the case of using LDAP backends for domains. So we trigger a graceful
# restart [1], which shouldn't cause service disruption, but will reload new
# configurations for keystone.
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
keystone_refresh:
start_order: 1
action: exec
user: root
command:
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
docker_puppet_tasks:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
upgrade_tasks:
- when: step|int == 3
block:
- name: Set fact for removal of openstack-keystone package
set_fact:
remove_keystone_package: {get_param: UpgradeRemoveUnusedPackages}
- name: Remove openstack-keystone package if operator requests it
package: name=openstack-keystone state=removed
ignore_errors: True
when: remove_keystone_package|bool
metadata_settings:
get_attr: [KeystoneBase, role_data, metadata_settings]
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- keystone
- keystone_cron
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check for keystone running under apache
tags: common
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
ignore_errors: true
register: keystone_httpd_enabled_result
- name: Set fact keystone_httpd_enabled
set_fact:
keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
- name: Check if httpd is running
ignore_errors: True
command: systemctl is-active --quiet httpd
register: httpd_running_result
when:
- httpd_running is undefined
- name: Set fact httpd_running if undefined
set_fact:
httpd_running: "{{ httpd_running_result.rc == 0 }}"
when:
- httpd_running is undefined
- name: Stop and disable keystone (under httpd)
service: name=httpd state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- keystone_httpd_enabled|bool
- httpd_running|bool
- name: Keystone package update
package:
name: 'openstack-keystone*'
state: latest
when:
- step|int == 6
- is_bootstrap_node|bool
- name: keystone db sync
command: keystone-manage db_sync
when:
- step|int == 8
- is_bootstrap_node|bool

2
environments/baremetal-services.yaml

@ -26,7 +26,7 @@ resource_registry:
OS::TripleO::Services::HeatEngine: ../puppet/services/heat-engine.yaml
OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
OS::TripleO::Services::Iscsid: ../puppet/services/iscsid.yaml
OS::TripleO::Services::Keystone: ../puppet/services/keystone.yaml
OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml
OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml
OS::TripleO::Services::Multipathd: OS::Heat::None
OS::TripleO::Services::MySQL: ../puppet/services/database/mysql.yaml

2
environments/docker-uc-light.yaml

@ -10,7 +10,7 @@ resource_registry:
OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml
OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml
OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container.yaml
OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
OS::TripleO::Services::MistralApi: ../docker/services/mistral-api.yaml
OS::TripleO::Services::MistralEngine: ../docker/services/mistral-engine.yaml

2
overcloud-resource-registry-puppet.j2.yaml

@ -121,7 +121,7 @@ resource_registry:
OS::TripleO::Services::CinderVolume: docker/services/cinder-volume.yaml
OS::TripleO::Services::BlockStorageCinderVolume: docker/services/cinder-volume.yaml
OS::TripleO::Services::Congress: OS::Heat::None
OS::TripleO::Services::Keystone: docker/services/keystone.yaml
OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml
OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
OS::TripleO::Services::GlanceRegistry: deployment/glance/glance-registry-disabled-puppet.yaml
OS::TripleO::Services::HeatApi: docker/services/heat-api.yaml

4
releasenotes/notes/drop-baremetal-keystone-000a4babb7f8ef60.yaml

@ -0,0 +1,4 @@
---
upgrade:
- |
Deploying keystone on baremetal is no longer supported.

2
sample-env-generator/openidc.yaml

@ -3,7 +3,7 @@ environments:
name: enable-federation-openidc
title: Enable keystone federation with OpenID Connect
files:
puppet/services/keystone.yaml:
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- KeystoneFederationEnable
- KeystoneAuthMethods

Loading…
Cancel
Save