Merge "Simplify keystone, iscsid service templates"

This commit is contained in:
Zuul 2021-04-27 19:32:48 +00:00 committed by Gerrit Code Review
commit ff2aa984ed
2 changed files with 64 additions and 119 deletions


@ -68,7 +68,6 @@ parameters:
type: string type: string
resources: resources:
ContainersCommon: ContainersCommon:
type: ../containers-common.yaml type: ../containers-common.yaml
@ -142,8 +141,7 @@ outputs:
volumes: volumes:
list_concat: list_concat:
- {get_attr: [ContainersCommon, volumes]} - {get_attr: [ContainersCommon, volumes]}
- - - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
- /dev/:/dev/ - /dev/:/dev/
- /run/:/run/ - /run/:/run/
- /sys:/sys - /sys:/sys


@ -363,7 +363,6 @@ parameters:
type: string type: string
resources: resources:
ContainersCommon: ContainersCommon:
type: ../containers-common.yaml type: ../containers-common.yaml
@ -384,7 +383,6 @@ resources:
type: OS::TripleO::Services::Logging::Keystone type: OS::TripleO::Services::Logging::Keystone
conditions: conditions:
public_tls_enabled: public_tls_enabled:
and: and:
- {get_param: EnablePublicTLS} - {get_param: EnablePublicTLS}
@ -393,14 +391,8 @@ conditions:
equals: equals:
- {get_param: SSLCertificate} - {get_param: SSLCertificate}
- "" - ""
- equals: - {get_param: PublicSSLCertificateAutogenerated}
- {get_param: PublicSSLCertificateAutogenerated}
- true
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
nontls_cache_enabled: nontls_cache_enabled:
and: and:
- {get_param: EnableCache} - {get_param: EnableCache}
@ -409,8 +401,6 @@ conditions:
and: and:
- {get_param: EnableCache} - {get_param: EnableCache}
- {get_param: MemcachedTLS} - {get_param: MemcachedTLS}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Security compliance # Security compliance
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}} change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}} disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
@ -421,7 +411,7 @@ conditions:
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}} password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}} password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}} unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']} cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}}
outputs: outputs:
role_data: role_data:
@ -438,10 +428,8 @@ outputs:
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings]
- - if:
if: - cors_allowed_origin_set
- cors_allowed_origin_unset
- {}
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin} - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone::database_connection: - keystone::database_connection:
make_url: make_url:
@ -452,17 +440,14 @@ outputs:
path: /keystone path: /keystone
query: query:
if: if:
- enable_sqlalchemy_collectd - {get_param: EnableSQLAlchemyCollectd}
- - read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo
read_default_group: tripleo plugin: collectd
plugin: collectd collectd_program_name: keystone
collectd_program_name: keystone collectd_host: localhost
collectd_host: localhost - read_default_file: /etc/my.cnf.d/tripleo.cnf
- read_default_group: tripleo
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
keystone::token_expiration: {get_param: TokenExpiration} keystone::token_expiration: {get_param: TokenExpiration}
keystone::policy::policies: {get_param: KeystonePolicies} keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
@ -533,110 +518,80 @@ outputs:
"%{hiera('$NETWORK')}" "%{hiera('$NETWORK')}"
params: params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
- - keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::tls_enabled: {get_param: MemcachedTLS} keystone::cache::tls_enabled: {get_param: MemcachedTLS}
if: - if:
- tls_cache_enabled - tls_cache_enabled
- keystone::cache::backend: 'dogpile.cache.pymemcache' - keystone::cache::backend: 'dogpile.cache.pymemcache'
keystone::token_caching: true keystone::token_caching: true
- keystone::cache::backend: 'dogpile.cache.memcached' - keystone::cache::backend: 'dogpile.cache.memcached'
- - if:
if: - {get_param: KeystoneFederationEnable}
- keystone_federation_enabled - keystone_federation_enabled: True
-
keystone_federation_enabled: True
keystone::federation::trusted_dashboards: keystone::federation::trusted_dashboards:
get_param: KeystoneTrustedDashboards get_param: KeystoneTrustedDashboards
- {} - if:
- - {get_param: KeystoneOpenIdcEnable}
if: - keystone_openidc_enabled: True
- keystone_openidc_enabled keystone::federation::openidc::methods:
- get_param: KeystoneAuthMethods
map_merge: keystone::federation::openidc::keystone_url:
- keystone_openidc_enabled: True get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
keystone::federation::openidc::methods: keystone::federation::openidc::idp_name:
get_param: KeystoneAuthMethods get_param: KeystoneOpenIdcIdpName
keystone::federation::openidc::keystone_url: keystone::federation::openidc::openidc_provider_metadata_url:
get_param: [EndpointMap, KeystonePublic, uri_no_suffix] get_param: KeystoneOpenIdcProviderMetadataUrl
keystone::federation::openidc::idp_name: keystone::federation::openidc::openidc_client_id:
get_param: KeystoneOpenIdcIdpName get_param: KeystoneOpenIdcClientId
keystone::federation::openidc::openidc_provider_metadata_url: keystone::federation::openidc::openidc_client_secret:
get_param: KeystoneOpenIdcProviderMetadataUrl get_param: KeystoneOpenIdcClientSecret
keystone::federation::openidc::openidc_client_id: keystone::federation::openidc::openidc_crypto_passphrase:
get_param: KeystoneOpenIdcClientId get_param: KeystoneOpenIdcCryptoPassphrase
keystone::federation::openidc::openidc_client_secret: keystone::federation::openidc::openidc_response_type:
get_param: KeystoneOpenIdcClientSecret get_param: KeystoneOpenIdcResponseType
keystone::federation::openidc::openidc_crypto_passphrase: keystone::federation::openidc::remote_id_attribute:
get_param: KeystoneOpenIdcCryptoPassphrase get_param: KeystoneOpenIdcRemoteIdAttribute
keystone::federation::openidc::openidc_response_type: keystone::federation::openidc::openidc_enable_oauth:
get_param: KeystoneOpenIdcResponseType get_param: KeystoneOpenIdcEnableOAuth
keystone::federation::openidc::remote_id_attribute: keystone::federation::openidc::openidc_introspection_endpoint:
get_param: KeystoneOpenIdcRemoteIdAttribute get_param: KeystoneOpenIdcIntrospectionEndpoint
keystone::federation::openidc::openidc_enable_oauth: keystone::federation::openidc::openidc_cache_type:
get_param: KeystoneOpenIdcEnableOAuth if:
keystone::federation::openidc::openidc_introspection_endpoint:
get_param: KeystoneOpenIdcIntrospectionEndpoint
-
if:
- nontls_cache_enabled - nontls_cache_enabled
- keystone::federation::openidc::openidc_cache_type: 'memcache' - 'memcache'
- {} - if:
- {} - {get_param: KeystoneLDAPDomainEnable}
- - tripleo::profile::base::keystone::ldap_backend_enable: True
if:
- keystone_ldap_domain_enabled
-
tripleo::profile::base::keystone::ldap_backend_enable: True
keystone::using_domain_config: True keystone::using_domain_config: True
tripleo::profile::base::keystone::ldap_backends_config: tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs get_param: KeystoneLDAPBackendConfigs
- {} - if:
-
if:
- change_password_upon_first_use_set - change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse} - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
- {} - if:
-
if:
- disable_user_account_days_inactive_set - disable_user_account_days_inactive_set
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive} - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
- {} - if:
-
if:
- lockout_duration_set - lockout_duration_set
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration} - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
- {} - if:
-
if:
- lockout_failure_attempts_set - lockout_failure_attempts_set
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts} - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
- {} - if:
-
if:
- minimum_password_age_set - minimum_password_age_set
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge} - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
- {} - if:
-
if:
- password_expires_days_set - password_expires_days_set
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays} - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
- {} - if:
-
if:
- password_regex_set - password_regex_set
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex} - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
- {} - if:
-
if:
- password_regex_description_set - password_regex_description_set
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription} - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
- {} - if:
-
if:
- unique_last_password_count_set - unique_last_password_count_set
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount} - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
- {}
- apache::default_vhost: false - apache::default_vhost: false
- get_attr: [KeystoneLogging, config_settings] - get_attr: [KeystoneLogging, config_settings]
service_config_settings: service_config_settings:
@ -658,11 +613,9 @@ outputs:
keystone::admin_password: {get_param: AdminPassword} keystone::admin_password: {get_param: AdminPassword}
horizon: horizon:
if: if:
- keystone_ldap_domain_enabled - {get_param: KeystoneLDAPDomainEnable}
- - horizon::keystone_multidomain_support: true
horizon::keystone_multidomain_support: true
horizon::keystone_default_domain: 'Default' horizon::keystone_default_domain: 'Default'
- {}
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: keystone config_volume: keystone
@ -722,18 +675,13 @@ outputs:
list_concat: list_concat:
- {get_attr: [ContainersCommon, volumes]} - {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]} - {get_attr: [KeystoneLogging, volumes]}
- - - /etc/openldap:/etc/openldap:ro
- /etc/openldap:/etc/openldap:ro
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
- if: - if:
- internal_tls_enabled - {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- [] - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- if:
- internal_tls_enabled
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- []
environment: environment:
map_merge: map_merge:
- {get_attr: [KeystoneLogging, environment]} - {get_attr: [KeystoneLogging, environment]}
@ -783,8 +731,7 @@ outputs:
list_concat: list_concat:
- {get_attr: [ContainersCommon, volumes]} - {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]} - {get_attr: [KeystoneLogging, volumes]}
- - - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
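Review bot: In the `@ -533,110 +518,80 @@` hunk the openidc cache value becomes `keystone::federation::openidc::openidc_cache_type: {if: [nontls_cache_enabled, 'memcache']}` with no value_if_false, and the same two-argument `if:` form replaces every former `- {}` / `- []` else branch in the federation, LDAP, security_compliance, horizon and volumes entries; having the enclosing map key or list item dropped when the condition is false is, as far as I recall, a heat_template_version wallaby behaviour, and earlier template versions reject a two-element `if` at validation time rather than silently. The `heat_template_version` line of both templates is outside these hunks, so please confirm it is `wallaby` or later and mention that in the commit message. Feeding `{get_param: KeystoneLDAPDomainEnable}`, `{get_param: EnableInternalTLS}`, `{get_param: PublicSSLCertificateAutogenerated}` and the other parameters straight into `if:` in place of the deleted `equals: [..., True]` conditions also assumes every one of them is declared `type: boolean`; the declarations are not in view, so a quick check that none is a string parameter would avoid a deploy-time failure around the TLS certificate mounts and the security-compliance settings. A short comment above the `conditions:` block, e.g. `# Boolean parameters are used directly as if: conditions (requires heat_template_version wallaby)`, would record the dependency for the next editor.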