diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index 837430251e..a250e248e4 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
@@ -68,7 +68,6 @@ parameters: type: string resources: - ContainersCommon: type: ../containers-common.yaml
@@ -142,8 +141,7 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro - /dev/:/dev/ - /run/:/run/ - /sys:/sys
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index 628a4518fc..ae57e6b26d 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -363,7 +363,6 @@ parameters: type: string resources: - ContainersCommon: type: ../containers-common.yaml
@@ -384,7 +383,6 @@ resources: type: OS::TripleO::Services::Logging::Keystone conditions: - public_tls_enabled: and: - {get_param: EnablePublicTLS}
@@ -393,14 +391,8 @@ conditions: equals: - {get_param: SSLCertificate} - "" - - equals: - - {get_param: PublicSSLCertificateAutogenerated} - - true - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + - {get_param: PublicSSLCertificateAutogenerated} keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} - keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} - keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]} - keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]} nontls_cache_enabled: and: - {get_param: EnableCache}
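Review bot: The `@@ -393,14 +391,8 @@` hunk drops the named conditions `internal_tls_enabled`, `keystone_ldap_domain_enabled`, `keystone_federation_enabled` and `keystone_openidc_enabled`; every reference visible in this diff is rewritten to a direct `{get_param: …}`, but the parts of the template between the hunks (the `resources:` block, anything around `ApacheServiceBase`, the `KeystoneLogging` wiring) are not shown, so a leftover reference to one of those four names would fail stack validation. Worth grepping the rest of the file for them before merge. The enclosing `conditions:` mapping starts before this hunk, and the `and:` that `{get_param: PublicSSLCertificateAutogenerated}` now joins directly presumably relies on that parameter being declared `type: boolean`, which is also outside the diff.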
@@ -409,8 +401,6 @@ conditions: and: - {get_param: EnableCache} - {get_param: MemcachedTLS} - enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} - # Security compliance change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}} disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
@@ -421,7 +411,7 @@ conditions: password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}} password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}} unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}} - cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']} + cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}} outputs: role_data:
@@ -438,10 +428,8 @@ outputs: config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - - - if: - - cors_allowed_origin_unset - - {} + - if: + - cors_allowed_origin_set - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin} - keystone::database_connection: make_url:
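Review bot: The two-argument `if` introduced in the `@@ -438,10 +428,8 @@` hunk (`- if:` / `- cors_allowed_origin_set` / `- keystone::cors::allowed_origin: …`, with the `- {}` else value removed) only behaves as intended when the template's `heat_template_version` supports dropping the enclosing map item on a false condition; that version line is not part of this diff, so it should be confirmed. The same dependency applies to the rewritten `if` blocks in the `-452`, `-533`, `-658` and `-722` hunks, where bare `{get_param: …}` references also replace named conditions as the first `if` argument. On a template version without that support, validation would presumably fail at deploy time rather than silently mis-render, but it is worth checking before merge.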
@@ -452,17 +440,14 @@ outputs: path: /keystone query: if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: keystone - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - + - {get_param: EnableSQLAlchemyCollectd} + - read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + plugin: collectd + collectd_program_name: keystone + collectd_host: localhost + - read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo keystone::token_expiration: {get_param: TokenExpiration} keystone::policy::policies: {get_param: KeystonePolicies} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} 
@@ -533,110 +518,80 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - - - keystone::cache::enabled: {get_param: EnableCache} + - keystone::cache::enabled: {get_param: EnableCache} keystone::cache::tls_enabled: {get_param: MemcachedTLS} - if: + - if: - tls_cache_enabled - keystone::cache::backend: 'dogpile.cache.pymemcache' keystone::token_caching: true - keystone::cache::backend: 'dogpile.cache.memcached' - - - if: - - keystone_federation_enabled - - - keystone_federation_enabled: True + - if: + - {get_param: KeystoneFederationEnable} + - keystone_federation_enabled: True keystone::federation::trusted_dashboards: get_param: KeystoneTrustedDashboards - - {} - - - if: - - keystone_openidc_enabled - - - map_merge: - - keystone_openidc_enabled: True - keystone::federation::openidc::methods: - get_param: KeystoneAuthMethods - keystone::federation::openidc::keystone_url: - get_param: [EndpointMap, KeystonePublic, uri_no_suffix] - keystone::federation::openidc::idp_name: - get_param: KeystoneOpenIdcIdpName - keystone::federation::openidc::openidc_provider_metadata_url: - get_param: KeystoneOpenIdcProviderMetadataUrl - keystone::federation::openidc::openidc_client_id: - get_param: KeystoneOpenIdcClientId - keystone::federation::openidc::openidc_client_secret: - get_param: KeystoneOpenIdcClientSecret - keystone::federation::openidc::openidc_crypto_passphrase: - get_param: KeystoneOpenIdcCryptoPassphrase - keystone::federation::openidc::openidc_response_type: - get_param: KeystoneOpenIdcResponseType - keystone::federation::openidc::remote_id_attribute: - get_param: KeystoneOpenIdcRemoteIdAttribute - keystone::federation::openidc::openidc_enable_oauth: - get_param: KeystoneOpenIdcEnableOAuth - keystone::federation::openidc::openidc_introspection_endpoint: - get_param: KeystoneOpenIdcIntrospectionEndpoint - - - if: + - if: + - {get_param: KeystoneOpenIdcEnable} + - keystone_openidc_enabled: True + 
keystone::federation::openidc::methods: + get_param: KeystoneAuthMethods + keystone::federation::openidc::keystone_url: + get_param: [EndpointMap, KeystonePublic, uri_no_suffix] + keystone::federation::openidc::idp_name: + get_param: KeystoneOpenIdcIdpName + keystone::federation::openidc::openidc_provider_metadata_url: + get_param: KeystoneOpenIdcProviderMetadataUrl + keystone::federation::openidc::openidc_client_id: + get_param: KeystoneOpenIdcClientId + keystone::federation::openidc::openidc_client_secret: + get_param: KeystoneOpenIdcClientSecret + keystone::federation::openidc::openidc_crypto_passphrase: + get_param: KeystoneOpenIdcCryptoPassphrase + keystone::federation::openidc::openidc_response_type: + get_param: KeystoneOpenIdcResponseType + keystone::federation::openidc::remote_id_attribute: + get_param: KeystoneOpenIdcRemoteIdAttribute + keystone::federation::openidc::openidc_enable_oauth: + get_param: KeystoneOpenIdcEnableOAuth + keystone::federation::openidc::openidc_introspection_endpoint: + get_param: KeystoneOpenIdcIntrospectionEndpoint + keystone::federation::openidc::openidc_cache_type: + if: - nontls_cache_enabled - - keystone::federation::openidc::openidc_cache_type: 'memcache' - - {} - - {} - - - if: - - keystone_ldap_domain_enabled - - - tripleo::profile::base::keystone::ldap_backend_enable: True + - 'memcache' + - if: + - {get_param: KeystoneLDAPDomainEnable} + - tripleo::profile::base::keystone::ldap_backend_enable: True keystone::using_domain_config: True tripleo::profile::base::keystone::ldap_backends_config: get_param: KeystoneLDAPBackendConfigs - - {} - - - if: + - if: - change_password_upon_first_use_set - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse} - - {} - - - if: + - if: - disable_user_account_days_inactive_set - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive} - - {} - - - if: + - if: - 
lockout_duration_set - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration} - - {} - - - if: + - if: - lockout_failure_attempts_set - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts} - - {} - - - if: + - if: - minimum_password_age_set - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge} - - {} - - - if: + - if: - password_expires_days_set - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays} - - {} - - - if: + - if: - password_regex_set - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex} - - {} - - - if: + - if: - password_regex_description_set - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription} - - {} - - - if: + - if: - unique_last_password_count_set - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount} - - {} - apache::default_vhost: false - get_attr: [KeystoneLogging, config_settings] service_config_settings:
@@ -658,11 +613,9 @@ outputs: keystone::admin_password: {get_param: AdminPassword} horizon: if: - - keystone_ldap_domain_enabled - - - horizon::keystone_multidomain_support: true + - {get_param: KeystoneLDAPDomainEnable} + - horizon::keystone_multidomain_support: true horizon::keystone_default_domain: 'Default' - - {} # BEGIN DOCKER SETTINGS puppet_config: config_volume: keystone
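Review bot: The boolean literals newly written in the `@@ -533,110 +518,80 @@` hunk use the capitalised form — `keystone_federation_enabled: True`, `keystone_openidc_enabled: True` and `tripleo::profile::base::keystone::ldap_backend_enable: True` — while lines in the same hunk write `keystone::token_caching: true` and the `-658` hunk writes `horizon::keystone_multidomain_support: true`. Both spellings parse as a boolean under a YAML 1.1 loader, so this is style only, but since these lines are being rewritten anyway it is the moment to settle on lowercase `true`, which is the canonical spelling and the one yamllint's `truthy` rule accepts by default. The `keystone::using_domain_config: True` context line next to the LDAP block would then be the remaining outlier.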
@@ -722,18 +675,13 @@ outputs: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [KeystoneLogging, volumes]} - - - - /etc/openldap:/etc/openldap:ro + - - /etc/openldap:/etc/openldap:ro - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro - if: - - internal_tls_enabled + - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - [] - - if: - - internal_tls_enabled - - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - - [] + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro environment: map_merge: - {get_attr: [KeystoneLogging, environment]}
@@ -783,8 +731,7 @@ outputs: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [KeystoneLogging, volumes]} - - - - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS