diff --git a/puppet/services/keystone.yaml b/deployment/keystone/keystone-container-puppet.yaml similarity index 73% rename from puppet/services/keystone.yaml rename to deployment/keystone/keystone-container-puppet.yaml index ba5a17b200..e5bc071f0b 100644 --- a/puppet/services/keystone.yaml +++ b/deployment/keystone/keystone-container-puppet.yaml 
@@ -1,47 +1,25 @@ heat_template_version: rocky description: > - OpenStack Keystone service configured with Puppet + OpenStack containerized Keystone service parameters: - KeystoneEnableDBPurge: - default: true - description: | - Whether to create cron job for purging soft deleted rows in Keystone database. - type: boolean - KeystoneSSLCertificate: - default: '' - description: Keystone certificate for verifying token validity. + DockerKeystoneImage: + description: image type: string - KeystoneSSLCertificateKey: - default: '' - description: Keystone key for signing tokens. + DockerKeystoneConfigImage: + description: The container image to use for the keystone config_volume type: string - hidden: true - KeystoneNotificationDriver: - description: Comma-separated list of Oslo notification drivers used by Keystone - default: ['messaging'] - type: comma_delimited_list - KeystoneNotificationFormat: - description: The Keystone notification format - default: 'basic' - type: string - constraints: - - allowed_values: [ 'basic', 'cadf' ] - KeystoneNotificationTopics: - description: Keystone notification topics to enable - default: [] - type: comma_delimited_list - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint - KeystoneTokenProvider: - description: The keystone token format - type: string - default: 'fernet' - constraints: - - allowed_values: ['uuid', 'fernet'] + KeystoneLoggingSource: + type: json + default: + tag: openstack.keystone + path: /var/log/containers/keystone/keystone.log + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json ServiceData: default: {} description: Dictionary packing service data 
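Review bot: The `KeystoneLoggingSource` parameter added in this hunk appears to duplicate one the file already has — the `@@ -153,35 +159,32 @@` hunk on the same file keeps a `type: json` / `tag: openstack.keystone` block and only rewrites its path to the same `/var/log/containers/keystone/keystone.log`, and its key line sits just above that hunk, so the merged `parameters:` mapping very likely carries the key twice; most YAML loaders silently take the last one, but it is invalid per the spec and yamllint `key-duplicates` will reject it, so the copy added here should be dropped. This hunk also removes `KeystoneNotificationDriver`, and the `@@ -126,14 +140,6 @@` and `@@ -365,22 +368,16 @@` hunks remove `KeystoneFernetKey0`, `KeystoneFernetKey1` and the deprecated parameter group; Heat ignores unknown `parameter_defaults`, so an operator still setting them loses the setting without an error, yet the release note in this commit only mentions the baremetal deployment, so a line such as `The deprecated KeystoneFernetKey0, KeystoneFernetKey1 and KeystoneNotificationDriver parameters have been removed.` should be added to it. Any remaining `get_param` of those names in the config_settings outside these hunks would fail template validation and is worth a grep. Finally, `DockerKeystoneImage` is documented only as `description: image`; `description: The container image to use for the keystone service` matches the sibling `DockerKeystoneConfigImage` wording.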
@@ -63,11 +41,51 @@ parameters: default: {} description: Parameters specific to the role type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json + AdminPassword: + description: The password for the keystone admin account, used for monitoring, querying neutron etc. + type: string + hidden: true + KeystoneTokenProvider: + description: The keystone token format + type: string + default: 'fernet' + constraints: + - allowed_values: ['uuid', 'fernet'] + EnableInternalTLS: + type: boolean + default: false + UpgradeRemoveUnusedPackages: + default: false + description: Remove package if the service is being disabled during upgrade + type: boolean + KeystoneEnableDBPurge: + default: true + description: | + Whether to create cron job for purging soft deleted rows in Keystone database. + type: boolean + KeystoneSSLCertificate: + default: '' + description: Keystone certificate for verifying token validity. + type: string + KeystoneSSLCertificateKey: + default: '' + description: Keystone key for signing tokens. + type: string + hidden: true + KeystoneNotificationFormat: + description: The Keystone notification format + default: 'basic' + type: string + constraints: + - allowed_values: [ 'basic', 'cadf' ] + KeystoneNotificationTopics: + description: Keystone notification topics to enable + default: [] + type: comma_delimited_list + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint Debug: type: boolean default: false @@ -83,10 +101,6 @@ parameters: description: The email for the keystone admin account. type: string hidden: true - AdminPassword: - description: The password for the keystone admin account, used for monitoring, querying neutron etc. - type: string - hidden: true AdminToken: description: The keystone auth secret and db password. type: string 
@@ -126,14 +140,6 @@ parameters: KeystoneCredential1: type: string description: The second Keystone credential key. Must be a valid key. - KeystoneFernetKey0: - type: string - default: '' - description: (DEPRECATED) The first Keystone fernet key. Must be a valid key. - KeystoneFernetKey1: - type: string - default: '' - description: (DEPRECATED) The second Keystone fernet key. Must be a valid key. KeystoneFernetKeys: type: json description: Mapping containing keystone's fernet keys and their paths. @@ -153,35 +159,32 @@ parameters: type: json default: tag: openstack.keystone - path: /var/log/keystone/keystone.log + path: /var/log/containers/keystone/keystone.log KeystoneErrorLoggingSource: type: json default: tag: openstack.keystone.error - path: /var/log/httpd/keystone/error_log + path: /var/log/containers/httpd/keystone/error_log KeystoneAdminAccessLoggingSource: type: json default: tag: openstack.keystone.admin.access - path: /var/log/httpd/keystone/keystone_wsgi_admin_access.log + path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log KeystoneAdminErrorLoggingSource: type: json default: tag: openstack.keystone.admin.error - path: /var/log/httpd/keystone/keystone_wsgi_admin_error.log + path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log KeystoneMainAcccessLoggingSource: type: json default: tag: openstack.keystone.main.access - path: /var/log/httpd/keystone/keystone_wsgi_main_access.log + path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log KeystoneMainErrorLoggingSource: type: json default: tag: openstack.keystone.wsgi.main.error - path: /var/log/httpd/keystone/keystone_wsgi_main_error.log - EnableInternalTLS: - type: boolean - default: false + path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log KeystoneCronTokenFlushEnsure: type: string description: 
> @@ -365,22 +368,16 @@ parameters: Attribute to be used to obtain the entity ID of the Identity Provider from the environment. -parameter_groups: -- label: deprecated - description: | - The following parameters are deprecated and will be removed. They should not - be relied on for new deployments. If you have concerns regarding deprecated - parameters, please contact the TripleO development team on IRC or the - OpenStack mailing list. - parameters: - - KeystoneFernetKey0 - - KeystoneFernetKey1 - - KeystoneNotificationDriver - resources: + ContainersCommon: + type: ../../docker/services/containers-common.yaml + + MySQLClient: + type: ../../puppet/services/database/mysql-client.yaml + ApacheServiceBase: - type: ./apache.yaml + type: ../../puppet/services/apache.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} @@ -390,7 +387,12 @@ resources: RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} + KeystoneLogging: + type: OS::TripleO::Services::Logging::Keystone + conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]} @@ -411,7 +413,7 @@ conditions: outputs: role_data: - description: Role data for the Keystone role. + description: Role data for the Keystone API role. value: service_name: keystone monitoring_subscription: {get_param: MonitoringSubscriptionKeystone} 
@@ -641,9 +643,8 @@ outputs: - unique_last_password_count_set - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount} - {} - - step_config: | - include ::tripleo::profile::base::keystone + - apache::default_vhost: false + - get_attr: [KeystoneLogging, config_settings] service_config_settings: fluentd: tripleo_fluentd_groups_keystone: 
@@ -676,12 +677,191 @@ outputs: horizon::keystone_multidomain_support: true horizon::keystone_default_domain: 'Default' - {} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: keystone + puppet_tags: keystone_config,keystone_domain_config + step_config: + list_join: + - "\n" + - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }" + - | + include ::tripleo::profile::base::keystone + - {get_attr: [MySQLClient, role_data, step_config]} + config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage} + kolla_config: + /var/lib/kolla/config_files/keystone.json: + command: /usr/sbin/httpd -DFOREGROUND + config_files: + - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys" + dest: "/etc/keystone/fernet-keys" + merge: false + preserve_properties: true + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + /var/lib/kolla/config_files/keystone_cron.json: + # FIXME(dprince): this is unused ATM because Kolla hardcodes the + # args for the keystone container to -DFOREGROUND + command: /usr/sbin/crond -n + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/keystone + owner: keystone:keystone + recurse: true + docker_config: + # Kolla_bootstrap/db sync runs before permissions set by kolla_config + step_2: + get_attr: [KeystoneLogging, docker_config, step_2] + step_3: + keystone_db_sync: + image: &keystone_image {get_param: DockerKeystoneImage} + net: host + user: root + privileged: false + detach: false + volumes: &keystone_volumes + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [KeystoneLogging, volumes]} + - + - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro + - 
/var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' + environment: + list_concat: + - - KOLLA_BOOTSTRAP=True + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {get_attr: [KeystoneLogging, environment]} + command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start'] + keystone: + start_order: 2 + image: *keystone_image + net: host + privileged: false + restart: always + healthcheck: + test: /openstack/healthcheck + volumes: *keystone_volumes + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + keystone_bootstrap: + start_order: 3 + action: exec + user: root + command: + [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] + keystone_cron: + start_order: 4 + image: *keystone_image + user: root + net: host + privileged: false + restart: always + command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n'] + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [KeystoneLogging, volumes]} + - + - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + step_4: + # There are cases where we need to refresh keystone after the resource provisioning, + # such as the case of using LDAP backends for domains. So we trigger a graceful + # restart [1], which shouldn't cause service disruption, but will reload new + # configurations for keystone. 
+ # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful + keystone_refresh: + start_order: 1 + action: exec + user: root + command: + [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ] + docker_puppet_tasks: + # Keystone endpoint creation occurs only on single node + step_3: + config_volume: 'keystone_init_tasks' + puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain' + step_config: 'include ::tripleo::profile::base::keystone' + config_image: *keystone_config_image + host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]} + upgrade_tasks: + - when: step|int == 3 + block: + - name: Set fact for removal of openstack-keystone package + set_fact: + remove_keystone_package: {get_param: UpgradeRemoveUnusedPackages} + - name: Remove openstack-keystone package if operator requests it + package: name=openstack-keystone state=removed + ignore_errors: True + when: remove_keystone_package|bool metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] - upgrade_tasks: - list_concat: - - get_attr: [ApacheServiceBase, role_data, upgrade_tasks] - - - - name: Stop keystone service (running under httpd) - when: step|int == 1 - service: name=httpd state=stopped + post_upgrade_tasks: + - when: step|int == 1 + import_role: + name: tripleo-docker-rm + vars: + containers_to_rm: + - keystone + - keystone_cron + fast_forward_upgrade_tasks: + - when: + - step|int == 0 + - release == 'ocata' + block: + - name: Check for keystone running under apache + tags: common + shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi" + ignore_errors: true + register: keystone_httpd_enabled_result + - name: Set fact keystone_httpd_enabled + set_fact: + keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}" + - name: Check if httpd is running + ignore_errors: True + command: systemctl is-active 
--quiet httpd + register: httpd_running_result + when: + - httpd_running is undefined + - name: Set fact httpd_running if undefined + set_fact: + httpd_running: "{{ httpd_running_result.rc == 0 }}" + when: + - httpd_running is undefined + - name: Stop and disable keystone (under httpd) + service: name=httpd state=stopped enabled=no + when: + - step|int == 1 + - release == 'ocata' + - keystone_httpd_enabled|bool + - httpd_running|bool + - name: Keystone package update + package: + name: 'openstack-keystone*' + state: latest + when: + - step|int == 6 + - is_bootstrap_node|bool + - name: keystone db sync + command: keystone-manage db_sync + when: + - step|int == 8 + - is_bootstrap_node|bool diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml deleted file mode 100644 index 5265ae5e52..0000000000 --- a/docker/services/keystone.yaml +++ /dev/null 
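Review bot: `keystone_bootstrap` in step_3 places `{get_param: AdminPassword}` directly into the argv of `keystone-manage bootstrap --bootstrap-password`, so the admin password is readable in the process list of every host that runs the exec and may be retained in paunch or docker inspect output for that exec. `keystone-manage bootstrap` also accepts the password through the `OS_BOOTSTRAP_PASSWORD` environment variable, which is not exposed the way the command line is; whether paunch's `action: exec` can set a per-exec environment needs confirming, and if not, a comment should at least record the exposure: `# NOTE: AdminPassword is visible in this exec's argv; prefer OS_BOOTSTRAP_PASSWORD if paunch exec supports environment`. This is carried over from the deleted docker/services/keystone.yaml rather than introduced here, but this file is now the only keystone template, which makes it the place to fix it. A smaller style point in the same hunk: the upgrade_tasks use key=value module args (`package: name=openstack-keystone state=removed`) while the fast_forward_upgrade_tasks below use block form (`package:` / `name:` / `state:`); the block form is the Ansible-in-YAML convention and should be used in both.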
@@ -1,321 +0,0 @@ -heat_template_version: rocky - -description: > - OpenStack containerized Keystone service - -parameters: - DockerKeystoneImage: - description: image - type: string - DockerKeystoneConfigImage: - description: The container image to use for the keystone config_volume - type: string - KeystoneLoggingSource: - type: json - default: - tag: openstack.keystone - path: /var/log/containers/keystone/keystone.log - KeystoneErrorLoggingSource: - type: json - default: - tag: openstack.keystone.error - path: /var/log/containers/httpd/keystone/error_log - KeystoneAdminAccessLoggingSource: - type: json - default: - tag: openstack.keystone.admin.access - path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log - KeystoneAdminErrorLoggingSource: - type: json - default: - tag: openstack.keystone.admin.error - path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log - KeystoneMainAcccessLoggingSource: - type: json - default: - tag: openstack.keystone.main.access - path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log - KeystoneMainErrorLoggingSource: - type: json - default: - tag: openstack.keystone.wsgi.main.error - path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. 
- type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - AdminPassword: - description: The password for the keystone admin account, used for monitoring, querying neutron etc. - type: string - hidden: true - KeystoneTokenProvider: - description: The keystone token format - type: string - default: 'fernet' - constraints: - - allowed_values: ['uuid', 'fernet'] - EnableInternalTLS: - type: boolean - default: false - UpgradeRemoveUnusedPackages: - default: false - description: Remove package if the service is being disabled during upgrade - type: boolean - -resources: - - ContainersCommon: - type: ./containers-common.yaml - - MySQLClient: - type: ../../puppet/services/database/mysql-client.yaml - - KeystoneBase: - type: ../../puppet/services/keystone.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - - KeystoneLogging: - type: OS::TripleO::Services::Logging::Keystone - -conditions: - - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} - -outputs: - role_data: - description: Role data for the Keystone API role. 
- value: - service_name: {get_attr: [KeystoneBase, role_data, service_name]} - config_settings: - map_merge: - - get_attr: [KeystoneBase, role_data, config_settings] - - get_attr: [KeystoneLogging, config_settings] - - apache::default_vhost: false - service_config_settings: - map_merge: - - get_attr: [KeystoneBase, role_data, service_config_settings] - - fluentd: - tripleo_fluentd_groups_keystone: - - keystone - tripleo_fluentd_sources_keystone: - - {get_param: KeystoneLoggingSource} - - {get_param: KeystoneErrorLoggingSource} - - {get_param: KeystoneAdminAccessLoggingSource} - - {get_param: KeystoneAdminErrorLoggingSource} - - {get_param: KeystoneMainAcccessLoggingSource} - - {get_param: KeystoneMainErrorLoggingSource} - # BEGIN DOCKER SETTINGS - puppet_config: - config_volume: keystone - puppet_tags: keystone_config,keystone_domain_config - step_config: - list_join: - - "\n" - - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }" - - {get_attr: [KeystoneBase, role_data, step_config]} - - {get_attr: [MySQLClient, role_data, step_config]} - config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage} - kolla_config: - /var/lib/kolla/config_files/keystone.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys" - dest: "/etc/keystone/fernet-keys" - merge: false - preserve_properties: true - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - /var/lib/kolla/config_files/keystone_cron.json: - # FIXME(dprince): this is unused ATM because Kolla hardcodes the - # args for the keystone container to -DFOREGROUND - command: /usr/sbin/crond -n - config_files: - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - permissions: - - path: /var/log/keystone - 
owner: keystone:keystone - recurse: true - docker_config: - # Kolla_bootstrap/db sync runs before permissions set by kolla_config - step_2: - get_attr: [KeystoneLogging, docker_config, step_2] - step_3: - keystone_db_sync: - image: &keystone_image {get_param: DockerKeystoneImage} - net: host - user: root - privileged: false - detach: false - volumes: &keystone_volumes - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [KeystoneLogging, volumes]} - - - - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro - - - if: - - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - '' - - - if: - - internal_tls_enabled - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - - '' - environment: - list_concat: - - - KOLLA_BOOTSTRAP=True - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - - {get_attr: [KeystoneLogging, environment]} - command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start'] - keystone: - start_order: 2 - image: *keystone_image - net: host - privileged: false - restart: always - healthcheck: - test: /openstack/healthcheck - volumes: *keystone_volumes - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - keystone_bootstrap: - start_order: 3 - action: exec - user: root - command: - [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] - keystone_cron: - start_order: 4 - image: *keystone_image - user: root - net: host - privileged: false - restart: always - command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n'] - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [KeystoneLogging, volumes]} - - - - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro - - 
/var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - step_4: - # There are cases where we need to refresh keystone after the resource provisioning, - # such as the case of using LDAP backends for domains. So we trigger a graceful - # restart [1], which shouldn't cause service disruption, but will reload new - # configurations for keystone. - # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful - keystone_refresh: - start_order: 1 - action: exec - user: root - command: - [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ] - docker_puppet_tasks: - # Keystone endpoint creation occurs only on single node - step_3: - config_volume: 'keystone_init_tasks' - puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain' - step_config: 'include ::tripleo::profile::base::keystone' - config_image: *keystone_config_image - host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]} - upgrade_tasks: - - when: step|int == 3 - block: - - name: Set fact for removal of openstack-keystone package - set_fact: - remove_keystone_package: {get_param: UpgradeRemoveUnusedPackages} - - name: Remove openstack-keystone package if operator requests it - package: name=openstack-keystone state=removed - ignore_errors: True - when: remove_keystone_package|bool - metadata_settings: - get_attr: [KeystoneBase, role_data, metadata_settings] - post_upgrade_tasks: - - when: step|int == 1 - import_role: - name: tripleo-docker-rm - vars: - containers_to_rm: - - keystone - - keystone_cron - fast_forward_upgrade_tasks: - - when: - - step|int == 0 - - release == 'ocata' - block: - - name: Check for keystone running under apache - tags: common - shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi" - ignore_errors: true - register: 
keystone_httpd_enabled_result - - name: Set fact keystone_httpd_enabled - set_fact: - keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}" - - name: Check if httpd is running - ignore_errors: True - command: systemctl is-active --quiet httpd - register: httpd_running_result - when: - - httpd_running is undefined - - name: Set fact httpd_running if undefined - set_fact: - httpd_running: "{{ httpd_running_result.rc == 0 }}" - when: - - httpd_running is undefined - - name: Stop and disable keystone (under httpd) - service: name=httpd state=stopped enabled=no - when: - - step|int == 1 - - release == 'ocata' - - keystone_httpd_enabled|bool - - httpd_running|bool - - name: Keystone package update - package: - name: 'openstack-keystone*' - state: latest - when: - - step|int == 6 - - is_bootstrap_node|bool - - name: keystone db sync - command: keystone-manage db_sync - when: - - step|int == 8 - - is_bootstrap_node|bool diff --git a/environments/baremetal-services.yaml b/environments/baremetal-services.yaml index 7801148e4a..d6c5ca30c2 100644 --- a/environments/baremetal-services.yaml +++ b/environments/baremetal-services.yaml @@ -26,7 +26,7 @@ resource_registry: OS::TripleO::Services::HeatEngine: ../puppet/services/heat-engine.yaml OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml OS::TripleO::Services::Iscsid: ../puppet/services/iscsid.yaml - OS::TripleO::Services::Keystone: ../puppet/services/keystone.yaml + OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml OS::TripleO::Services::Multipathd: OS::Heat::None OS::TripleO::Services::MySQL: ../puppet/services/database/mysql.yaml diff --git a/environments/docker-uc-light.yaml b/environments/docker-uc-light.yaml index bc77dff95f..f1edd30069 100644 --- a/environments/docker-uc-light.yaml +++ b/environments/docker-uc-light.yaml 
@@ -10,7 +10,7 @@ resource_registry: OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml - OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml + OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container.yaml OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml OS::TripleO::Services::MistralApi: ../docker/services/mistral-api.yaml OS::TripleO::Services::MistralEngine: ../docker/services/mistral-engine.yaml diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index c05b9ddaab..a22003cd9f 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -121,7 +121,7 @@ resource_registry: OS::TripleO::Services::CinderVolume: docker/services/cinder-volume.yaml OS::TripleO::Services::BlockStorageCinderVolume: docker/services/cinder-volume.yaml OS::TripleO::Services::Congress: OS::Heat::None - OS::TripleO::Services::Keystone: docker/services/keystone.yaml + OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml OS::TripleO::Services::GlanceRegistry: deployment/glance/glance-registry-disabled-puppet.yaml OS::TripleO::Services::HeatApi: docker/services/heat-api.yaml diff --git a/releasenotes/notes/drop-baremetal-keystone-000a4babb7f8ef60.yaml b/releasenotes/notes/drop-baremetal-keystone-000a4babb7f8ef60.yaml new file mode 100644 index 0000000000..0cc83221a1 --- /dev/null +++ b/releasenotes/notes/drop-baremetal-keystone-000a4babb7f8ef60.yaml @@ -0,0 +1,4 @@ +--- +upgrade: + - | + Deploying keystone on baremetal is no longer supported. diff --git a/sample-env-generator/openidc.yaml b/sample-env-generator/openidc.yaml index 5fc5b52673..cf3c4fa57e 100644 
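Review bot: environments/docker-uc-light.yaml now maps `OS::TripleO::Services::Keystone` to `../deployment/keystone/keystone-container.yaml`, but the template this commit creates is `deployment/keystone/keystone-container-puppet.yaml` — the path every other registry in this diff (baremetal-services.yaml, overcloud-resource-registry-puppet.j2.yaml, sample-env-generator/openidc.yaml) uses — and `docker/services/keystone.yaml` is deleted. Unless a `keystone-container.yaml` exists outside this diff, the undercloud-light environment will fail to resolve the Keystone resource. The line should read `OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml`.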
--- a/sample-env-generator/openidc.yaml +++ b/sample-env-generator/openidc.yaml @@ -3,7 +3,7 @@ environments: name: enable-federation-openidc title: Enable keystone federation with OpenID Connect files: - puppet/services/keystone.yaml: + deployment/keystone/keystone-container-puppet.yaml: parameters: - KeystoneFederationEnable - KeystoneAuthMethods