Merge "Simplify keystone, iscsid service templates"
commit
ff2aa984ed
|
@ -68,7 +68,6 @@ parameters:
|
||||||
type: string
|
type: string
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
ContainersCommon:
|
ContainersCommon:
|
||||||
type: ../containers-common.yaml
|
type: ../containers-common.yaml
|
||||||
|
|
||||||
|
@ -142,8 +141,7 @@ outputs:
|
||||||
volumes:
|
volumes:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
-
|
- - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
|
|
||||||
- /dev/:/dev/
|
- /dev/:/dev/
|
||||||
- /run/:/run/
|
- /run/:/run/
|
||||||
- /sys:/sys
|
- /sys:/sys
|
||||||
|
|
|
@ -363,7 +363,6 @@ parameters:
|
||||||
type: string
|
type: string
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
ContainersCommon:
|
ContainersCommon:
|
||||||
type: ../containers-common.yaml
|
type: ../containers-common.yaml
|
||||||
|
|
||||||
|
@ -384,7 +383,6 @@ resources:
|
||||||
type: OS::TripleO::Services::Logging::Keystone
|
type: OS::TripleO::Services::Logging::Keystone
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
public_tls_enabled:
|
public_tls_enabled:
|
||||||
and:
|
and:
|
||||||
- {get_param: EnablePublicTLS}
|
- {get_param: EnablePublicTLS}
|
||||||
|
@ -393,14 +391,8 @@ conditions:
|
||||||
equals:
|
equals:
|
||||||
- {get_param: SSLCertificate}
|
- {get_param: SSLCertificate}
|
||||||
- ""
|
- ""
|
||||||
- equals:
|
- {get_param: PublicSSLCertificateAutogenerated}
|
||||||
- {get_param: PublicSSLCertificateAutogenerated}
|
|
||||||
- true
|
|
||||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
||||||
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
||||||
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
|
|
||||||
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
|
||||||
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
|
|
||||||
nontls_cache_enabled:
|
nontls_cache_enabled:
|
||||||
and:
|
and:
|
||||||
- {get_param: EnableCache}
|
- {get_param: EnableCache}
|
||||||
|
@ -409,8 +401,6 @@ conditions:
|
||||||
and:
|
and:
|
||||||
- {get_param: EnableCache}
|
- {get_param: EnableCache}
|
||||||
- {get_param: MemcachedTLS}
|
- {get_param: MemcachedTLS}
|
||||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
|
||||||
|
|
||||||
# Security compliance
|
# Security compliance
|
||||||
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
|
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
|
||||||
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
|
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
|
||||||
|
@ -421,7 +411,7 @@ conditions:
|
||||||
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
|
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
|
||||||
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
|
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
|
||||||
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
|
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
|
||||||
cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
|
cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
|
@ -438,10 +428,8 @@ outputs:
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
-
|
- if:
|
||||||
if:
|
- cors_allowed_origin_set
|
||||||
- cors_allowed_origin_unset
|
|
||||||
- {}
|
|
||||||
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
|
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
|
||||||
- keystone::database_connection:
|
- keystone::database_connection:
|
||||||
make_url:
|
make_url:
|
||||||
|
@ -452,17 +440,14 @@ outputs:
|
||||||
path: /keystone
|
path: /keystone
|
||||||
query:
|
query:
|
||||||
if:
|
if:
|
||||||
- enable_sqlalchemy_collectd
|
- {get_param: EnableSQLAlchemyCollectd}
|
||||||
-
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
read_default_group: tripleo
|
||||||
read_default_group: tripleo
|
plugin: collectd
|
||||||
plugin: collectd
|
collectd_program_name: keystone
|
||||||
collectd_program_name: keystone
|
collectd_host: localhost
|
||||||
collectd_host: localhost
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
-
|
read_default_group: tripleo
|
||||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
||||||
read_default_group: tripleo
|
|
||||||
|
|
||||||
keystone::token_expiration: {get_param: TokenExpiration}
|
keystone::token_expiration: {get_param: TokenExpiration}
|
||||||
keystone::policy::policies: {get_param: KeystonePolicies}
|
keystone::policy::policies: {get_param: KeystonePolicies}
|
||||||
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
|
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
|
||||||
|
@ -533,110 +518,80 @@ outputs:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
||||||
-
|
- keystone::cache::enabled: {get_param: EnableCache}
|
||||||
keystone::cache::enabled: {get_param: EnableCache}
|
|
||||||
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||||
if:
|
- if:
|
||||||
- tls_cache_enabled
|
- tls_cache_enabled
|
||||||
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
||||||
keystone::token_caching: true
|
keystone::token_caching: true
|
||||||
- keystone::cache::backend: 'dogpile.cache.memcached'
|
- keystone::cache::backend: 'dogpile.cache.memcached'
|
||||||
-
|
- if:
|
||||||
if:
|
- {get_param: KeystoneFederationEnable}
|
||||||
- keystone_federation_enabled
|
- keystone_federation_enabled: True
|
||||||
-
|
|
||||||
keystone_federation_enabled: True
|
|
||||||
keystone::federation::trusted_dashboards:
|
keystone::federation::trusted_dashboards:
|
||||||
get_param: KeystoneTrustedDashboards
|
get_param: KeystoneTrustedDashboards
|
||||||
- {}
|
- if:
|
||||||
-
|
- {get_param: KeystoneOpenIdcEnable}
|
||||||
if:
|
- keystone_openidc_enabled: True
|
||||||
- keystone_openidc_enabled
|
keystone::federation::openidc::methods:
|
||||||
-
|
get_param: KeystoneAuthMethods
|
||||||
map_merge:
|
keystone::federation::openidc::keystone_url:
|
||||||
- keystone_openidc_enabled: True
|
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
|
||||||
keystone::federation::openidc::methods:
|
keystone::federation::openidc::idp_name:
|
||||||
get_param: KeystoneAuthMethods
|
get_param: KeystoneOpenIdcIdpName
|
||||||
keystone::federation::openidc::keystone_url:
|
keystone::federation::openidc::openidc_provider_metadata_url:
|
||||||
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
|
get_param: KeystoneOpenIdcProviderMetadataUrl
|
||||||
keystone::federation::openidc::idp_name:
|
keystone::federation::openidc::openidc_client_id:
|
||||||
get_param: KeystoneOpenIdcIdpName
|
get_param: KeystoneOpenIdcClientId
|
||||||
keystone::federation::openidc::openidc_provider_metadata_url:
|
keystone::federation::openidc::openidc_client_secret:
|
||||||
get_param: KeystoneOpenIdcProviderMetadataUrl
|
get_param: KeystoneOpenIdcClientSecret
|
||||||
keystone::federation::openidc::openidc_client_id:
|
keystone::federation::openidc::openidc_crypto_passphrase:
|
||||||
get_param: KeystoneOpenIdcClientId
|
get_param: KeystoneOpenIdcCryptoPassphrase
|
||||||
keystone::federation::openidc::openidc_client_secret:
|
keystone::federation::openidc::openidc_response_type:
|
||||||
get_param: KeystoneOpenIdcClientSecret
|
get_param: KeystoneOpenIdcResponseType
|
||||||
keystone::federation::openidc::openidc_crypto_passphrase:
|
keystone::federation::openidc::remote_id_attribute:
|
||||||
get_param: KeystoneOpenIdcCryptoPassphrase
|
get_param: KeystoneOpenIdcRemoteIdAttribute
|
||||||
keystone::federation::openidc::openidc_response_type:
|
keystone::federation::openidc::openidc_enable_oauth:
|
||||||
get_param: KeystoneOpenIdcResponseType
|
get_param: KeystoneOpenIdcEnableOAuth
|
||||||
keystone::federation::openidc::remote_id_attribute:
|
keystone::federation::openidc::openidc_introspection_endpoint:
|
||||||
get_param: KeystoneOpenIdcRemoteIdAttribute
|
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
||||||
keystone::federation::openidc::openidc_enable_oauth:
|
keystone::federation::openidc::openidc_cache_type:
|
||||||
get_param: KeystoneOpenIdcEnableOAuth
|
if:
|
||||||
keystone::federation::openidc::openidc_introspection_endpoint:
|
|
||||||
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
|
||||||
-
|
|
||||||
if:
|
|
||||||
- nontls_cache_enabled
|
- nontls_cache_enabled
|
||||||
- keystone::federation::openidc::openidc_cache_type: 'memcache'
|
- 'memcache'
|
||||||
- {}
|
- if:
|
||||||
- {}
|
- {get_param: KeystoneLDAPDomainEnable}
|
||||||
-
|
- tripleo::profile::base::keystone::ldap_backend_enable: True
|
||||||
if:
|
|
||||||
- keystone_ldap_domain_enabled
|
|
||||||
-
|
|
||||||
tripleo::profile::base::keystone::ldap_backend_enable: True
|
|
||||||
keystone::using_domain_config: True
|
keystone::using_domain_config: True
|
||||||
tripleo::profile::base::keystone::ldap_backends_config:
|
tripleo::profile::base::keystone::ldap_backends_config:
|
||||||
get_param: KeystoneLDAPBackendConfigs
|
get_param: KeystoneLDAPBackendConfigs
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- change_password_upon_first_use_set
|
- change_password_upon_first_use_set
|
||||||
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
|
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- disable_user_account_days_inactive_set
|
- disable_user_account_days_inactive_set
|
||||||
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
|
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- lockout_duration_set
|
- lockout_duration_set
|
||||||
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
|
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- lockout_failure_attempts_set
|
- lockout_failure_attempts_set
|
||||||
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
|
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- minimum_password_age_set
|
- minimum_password_age_set
|
||||||
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
|
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- password_expires_days_set
|
- password_expires_days_set
|
||||||
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
|
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- password_regex_set
|
- password_regex_set
|
||||||
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
|
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- password_regex_description_set
|
- password_regex_description_set
|
||||||
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
|
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
|
||||||
- {}
|
- if:
|
||||||
-
|
|
||||||
if:
|
|
||||||
- unique_last_password_count_set
|
- unique_last_password_count_set
|
||||||
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
|
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
|
||||||
- {}
|
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
- get_attr: [KeystoneLogging, config_settings]
|
- get_attr: [KeystoneLogging, config_settings]
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
|
@ -658,11 +613,9 @@ outputs:
|
||||||
keystone::admin_password: {get_param: AdminPassword}
|
keystone::admin_password: {get_param: AdminPassword}
|
||||||
horizon:
|
horizon:
|
||||||
if:
|
if:
|
||||||
- keystone_ldap_domain_enabled
|
- {get_param: KeystoneLDAPDomainEnable}
|
||||||
-
|
- horizon::keystone_multidomain_support: true
|
||||||
horizon::keystone_multidomain_support: true
|
|
||||||
horizon::keystone_default_domain: 'Default'
|
horizon::keystone_default_domain: 'Default'
|
||||||
- {}
|
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_volume: keystone
|
config_volume: keystone
|
||||||
|
@ -722,18 +675,13 @@ outputs:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
- {get_attr: [KeystoneLogging, volumes]}
|
- {get_attr: [KeystoneLogging, volumes]}
|
||||||
-
|
- - /etc/openldap:/etc/openldap:ro
|
||||||
- /etc/openldap:/etc/openldap:ro
|
|
||||||
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
|
||||||
- if:
|
- if:
|
||||||
- internal_tls_enabled
|
- {get_param: EnableInternalTLS}
|
||||||
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||||
- []
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||||
- if:
|
|
||||||
- internal_tls_enabled
|
|
||||||
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
||||||
- []
|
|
||||||
environment:
|
environment:
|
||||||
map_merge:
|
map_merge:
|
||||||
- {get_attr: [KeystoneLogging, environment]}
|
- {get_attr: [KeystoneLogging, environment]}
|
||||||
|
@ -783,8 +731,7 @@ outputs:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
- {get_attr: [KeystoneLogging, volumes]}
|
- {get_attr: [KeystoneLogging, volumes]}
|
||||||
-
|
- - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
|
|
||||||
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
|
|
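Review bot: The `if` around the `/etc/pki/tls/certs/httpd` and `/etc/pki/tls/private/httpd` mounts now takes `{get_param: EnableInternalTLS}` directly, and the same replacement of a named condition by a raw parameter is made for `EnableSQLAlchemyCollectd`, `KeystoneFederationEnable`, `KeystoneOpenIdcEnable` and `KeystoneLDAPDomainEnable`. The removed conditions compared each value with `true`, so the new form is equivalent only if every one of these parameters is declared `type: boolean`, which these hunks do not show and should be confirmed. The two-argument `if` entries (CORS origin, the security-compliance settings, `openidc_cache_type`, `horizon`) also rely on the template's `heat_template_version` dropping the key when the condition is false; that version line is outside the hunks. Because this decides whether the lockout and password-policy keys and the TLS key mount are emitted at all, I would add one comment above the `conditions:` block, e.g. `# Boolean parameters are used directly in 'if'; a two-argument 'if' drops the key when false.`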