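heat_template_version: wallaby

description: >
  OpenStack containerized Keystone service

# Parameters that carry credentials or key material are marked `hidden: true`
# so Heat does not echo them in stack show / parameter output.
parameters:
  ContainerKeystoneImage:
    description: image
    type: string
    tags:
      - role_specific
  ContainerKeystoneConfigImage:
    description: The container image to use for the keystone config_volume
    type: string
    tags:
      - role_specific
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set via
      parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set via
      parameter_defaults in the resource registry. Use
      parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.
  AdminPassword:
    description: >-
      The password for the keystone admin account, used for monitoring,
      querying neutron etc.
    type: string
    hidden: true
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['fernet']
  SSLCertificate:
    default: ''
    description: >
      The content of the SSL certificate (without Key) in PEM format.
    type: string
  PublicSSLCertificateAutogenerated:
    default: false
    description: >
      Whether the public SSL certificate was autogenerated or not.
    type: boolean
  EnablePublicTLS:
    default: true
    description: >
      Whether to enable TLS on the public interface or not.
    type: boolean
  PublicTLSCAFile:
    default: ''
    type: string
    description: >-
      Specifies the default CA cert to use if TLS is used for services in
      the public network.
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: >-
      Specifies the default CA cert to use if TLS is used for services in
      the internal network.
  MemcachedTLS:
    default: false
    description: >-
      Set to True to enable TLS on Memcached service. Because not all
      services support Memcached TLS, during the migration period, Memcached
      will listen on 2 ports - on the port set with the MemcachedPort
      parameter and on 11211, without TLS.
    type: boolean
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: ['basic', 'cadf']
  KeystoneNotificationTopics:
    description: Keystone notification topics to enable
    default: []
    type: comma_delimited_list
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  Debug:
    type: boolean
    default: false
    description: Set to True to enable debugging on all services.
  KeystoneDebug:
    default: false
    description: Set to True to enable debugging Keystone service.
    type: boolean
  EnableCache:
    description: Enable caching with memcached
    type: boolean
    default: true
  EnableSQLAlchemyCollectd:
    type: boolean
    description: >
      Set to true to enable the SQLAlchemy-collectd server plugin
    default: false
  KeystonePassword:
    description: The password for the keystone service and db account
    default: ''
    type: string
    hidden: true
  TokenExpiration:
    default: 3600
    description: Set a token expiration time in seconds.
    type: number
  KeystoneWorkers:
    type: number
    description: Set the number of workers for keystone::wsgi::apache
    default: 0
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneFernetKeys:
    type: json
    description: Mapping containing keystone's fernet keys and their paths.
    hidden: true
  KeystoneFernetMaxActiveKeys:
    type: number
    description: The maximum active keys in the keystone fernet key repository.
    default: 5
  ManageKeystoneFernetKeys:
    type: boolean
    default: true
    description: >-
      Whether TripleO should manage the keystone fernet keys or not. If set
      to true, the fernet keys will get the values from the saved keys
      repository in mistral (the KeystoneFernetKeys variable). If set to
      false, only the stack creation initializes the keys, but subsequent
      updates won't touch them.
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      file: /var/log/containers/keystone/keystone.log
  KeystonePolicies:
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  KeystoneLDAPDomainEnable:
    description: Trigger to call ldap_backend puppet keystone define.
    type: boolean
    default: false
  KeystoneLDAPBackendConfigs:
    description: >-
      Hash containing the configurations for the LDAP backends configured
      in keystone.
    type: json
    default: {}
    hidden: true
  NotificationDriver:
    type: comma_delimited_list
    default: 'noop'
    description: Driver or drivers to handle sending notifications.
  KeystoneNotificationDriver:
    type: comma_delimited_list
    default: []
    description: |
      Driver or drivers to handle sending notifications. This parameter is
      specific to Keystone.
  KeystoneEnableDBPurge:
    default: true
    description: |
      Whether to create cron job for purging soft deleted rows in Keystone database.
    type: boolean
  KeystoneCronTrustFlushEnsure:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Ensure
    default: 'present'
  KeystoneCronTrustFlushMinute:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Minute
    default: '1'
  KeystoneCronTrustFlushHour:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Hour
    default: '*'
  KeystoneCronTrustFlushMonthday:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Month Day
    default: '*'
  KeystoneCronTrustFlushMonth:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Month
    default: '*'
  KeystoneCronTrustFlushWeekday:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Week Day
    default: '*'
  KeystoneCronTrustFlushMaxDelay:
    type: number
    description: >
      Cron to purge expired or soft-deleted trusts - Max Delay
    default: 0
  KeystoneCronTrustFlushDestination:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - Log destination
    default: '/var/log/keystone/keystone-trustflush.log'
  KeystoneCronTrustFlushUser:
    type: string
    description: >
      Cron to purge expired or soft-deleted trusts - User
    default: 'keystone'
  # Security compliance options. An empty string means "not set"; the
  # matching *_set conditions below only emit the hiera key when a value is given.
  KeystoneChangePasswordUponFirstUse:
    type: boolean
    default: false
    description: >-
      Enabling this option requires users to change their password when the
      user is created, or upon administrative reset.
  KeystoneDisableUserAccountDaysInactive:
    type: string
    default: ''
    description: >-
      The maximum number of days a user can go without authenticating before
      being considered "inactive" and automatically disabled (locked).
  KeystoneLockoutDuration:
    type: string
    default: ''
    description: >-
      The number of seconds a user account will be locked when the maximum
      number of failed authentication attempts (as specified by
      KeystoneLockoutFailureAttempts) is exceeded.
  KeystoneLockoutFailureAttempts:
    type: string
    default: ''
    description: >-
      The maximum number of times that a user can fail to authenticate before
      the user account is locked for the number of seconds specified by
      KeystoneLockoutDuration.
  KeystoneMinimumPasswordAge:
    type: string
    default: ''
    description: >-
      The number of days that a password must be used before the user can
      change it. This prevents users from changing their passwords immediately
      in order to wipe out their password history and reuse an old password.
  KeystonePasswordExpiresDays:
    type: string
    default: ''
    description: >-
      The number of days for which a password will be considered valid before
      requiring it to be changed.
  KeystonePasswordRegex:
    type: string
    default: ''
    description: >-
      The regular expression used to validate password strength requirements.
  KeystonePasswordRegexDescription:
    type: string
    default: ''
    description: >-
      Describe your password regular expression here in language for humans.
  KeystoneUniqueLastPasswordCount:
    type: string
    default: ''
    description: >-
      This controls the number of previous user password iterations to keep
      in history, in order to enforce that newly created passwords are unique.
  KeystoneCorsAllowedOrigin:
    type: string
    default: ''
    description: >-
      Indicate whether this resource may be shared with the domain received
      in the request "origin" header.
  KeystoneEnableMember:
    description: Create the _member_ role, useful for undercloud deployment.
    type: boolean
    default: false
  KeystoneFederationEnable:
    type: boolean
    default: false
    description: Enable support for federated authentication.
  KeystoneTrustedDashboards:
    type: comma_delimited_list
    default: []
    description: A list of dashboard URLs trusted for single sign-on.
  KeystoneAuthMethods:
    type: comma_delimited_list
    default: []
    description: >-
      A list of methods used for authentication.
  KeystoneOpenIdcEnable:
    type: boolean
    default: false
    description: Enable support for OpenIDC federation.
  KeystoneOpenIdcIdpName:
    type: string
    default: ''
    description: The name associated with the IdP in Keystone.
  KeystoneOpenIdcProviderMetadataUrl:
    type: string
    default: ''
    description: The url that points to your OpenID Connect provider metadata
  KeystoneOpenIdcClientId:
    type: string
    default: ''
    description: >-
      The client ID to use when handshaking with your OpenID Connect provider
  KeystoneOpenIdcClientSecret:
    type: string
    default: ''
    description: >-
      The client secret to use when handshaking with your OpenID Connect
      provider
    hidden: true
  KeystoneOpenIdcCryptoPassphrase:
    type: string
    # The default is a well-known value; deployments enabling OpenIDC should
    # override it with a per-deployment secret.
    default: 'openstack'
    description: >-
      Passphrase to use when encrypting data for OpenID Connect handshake.
    hidden: true
  KeystoneOpenIdcResponseType:
    type: string
    default: 'id_token'
    description: Response type to be expected from the OpenID Connect provider.
  KeystoneOpenIdcRemoteIdAttribute:
    type: string
    default: 'HTTP_OIDC_ISS'
    description: >-
      Attribute to be used to obtain the entity ID of the Identity Provider
      from the environment.
  KeystoneOpenIdcEnableOAuth:
    type: boolean
    default: false
    description: >-
      Enable OAuth 2.0 integration.
  KeystoneOpenIdcIntrospectionEndpoint:
    type: string
    default: ''
    description: >-
      OAuth 2.0 introspection endpoint for mod_auth_openidc
  KeystoneOpenIdcClaimDelimiter:
    type: string
    default: ';'
    description: >-
      The delimiter to use when setting multi-valued claims.
  KeystoneOpenIdcPassUserInfoAs:
    type: string
    default: 'claims'
    description: >-
      Define the way(s) in which the claims resolved from the userinfo
      endpoint are passed to the application according to OIDCPassClaimsAs.
    constraints:
      - allowed_values: ['claims', 'json', 'jwt']
  KeystoneOpenIdcPassClaimsAs:
    type: string
    default: 'both'
    description: >-
      Define the way in which the claims and tokens are passed to the
      application environment:
      "none": no claims/tokens are passed
      "environment": claims/tokens are passed as environment variables
      "headers": claims/tokens are passed in headers (also useful in reverse
      proxy scenario's)
      "both": claims/tokens are passed as both headers as well as environment
      variables (default)
    constraints:
      - allowed_values: ['none', 'environment', 'headers', 'both']
  RootStackName:
    description: The name of the stack/plan.
    type: string
  AdminToken:
    # Deprecated (see parameter_groups). When non-empty it replaces
    # KeystonePassword as the keystone database password in
    # keystone::db::database_connection and keystone::db::mysql::password.
    description: >-
      Deprecated. When set to a non-empty value, it is used instead of
      KeystonePassword as the password of the keystone database account.
    default: ''
    type: string
    hidden: true
  EnforceSecureRbac:
    type: boolean
    default: false
    description: >-
      Setting this option to True will configure each OpenStack service to
      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
      of RBAC personas across OpenStack services that include support for
      system and project scope, as well as keystone's default roles, admin,
      member, and reader. Do not enable this functionality until all services
      in your deployment actually support secure RBAC.

parameter_groups:
  - label: deprecated
    description: |
      The following parameters are deprecated and will be removed. They should not
      be relied on for new deployments. If you have concerns regarding deprecated
      parameters, please contact the TripleO development team on IRC or the
      OpenStack mailing list.
    parameters:
      - AdminToken

resources:
  ContainersCommon:
    type: ../containers-common.yaml

  MySQLClient:
    type: ../database/mysql-client.yaml

  ApacheServiceBase:
    type: ../../deployment/apache/apache-baremetal-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}

  KeystoneLogging:
    type: OS::TripleO::Services::Logging::Keystone

  # Resolves role-specific image overrides from RoleParameters, falling back
  # to the global ContainerKeystone*Image parameters.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
              - ContainerKeystoneImage: ContainerKeystoneImage
                ContainerKeystoneConfigImage: ContainerKeystoneConfigImage
              - values: {get_param: [RoleParameters]}
          - values:
              ContainerKeystoneImage: {get_param: ContainerKeystoneImage}
              ContainerKeystoneConfigImage: {get_param: ContainerKeystoneConfigImage}

conditions:
  keystone_workers_set:
    not: {equals: [{get_param: KeystoneWorkers}, 0]}
  # Public TLS is considered enabled only when a certificate is actually
  # available (supplied or autogenerated).
  public_tls_enabled:
    and:
      - {get_param: EnablePublicTLS}
      - or:
          - not:
              equals:
                - {get_param: SSLCertificate}
                - ""
          - {get_param: PublicSSLCertificateAutogenerated}
  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  nontls_cache_enabled:
    and:
      - {get_param: EnableCache}
      - not: {get_param: MemcachedTLS}
  tls_cache_enabled:
    and:
      - {get_param: EnableCache}
      - {get_param: MemcachedTLS}
  # Security compliance
  disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
  lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
  lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
  minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
  password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
  password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
  password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
  unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
  cors_allowed_origin_set: {not: {equals: [{get_param: KeystoneCorsAllowedOrigin}, '']}}
  # Deprecated AdminToken overrides KeystonePassword for the DB account when set.
  admin_token_set: {not: {equals: [{get_param: AdminToken}, '']}}
  keystone_notification_driver_set: {not: {equals: [{get_param: KeystoneNotificationDriver}, []]}}

outputs:
  role_data:
    description: Role data for the Keystone API role.
    value:
      service_name: keystone
      firewall_rules:
        '111 keystone':
          dport:
            - 5000
      firewall_frontend_rules:
        '100 keystone_public_haproxy_frontend':
          dport:
            - 5000
        '100 keystone_admin_haproxy_frontend':
          dport:
            - {get_param: [EndpointMap, KeystoneAdmin, port]}
      firewall_ssl_frontend_rules:
        '100 keystone_public_haproxy_frontend_ssl':
          dport:
            - 13000
      monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - if:
              - cors_allowed_origin_set
              - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
          - keystone::db::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: keystone
                password:
                  if:
                    - admin_token_set
                    - {get_param: AdminToken}
                    - {get_param: KeystonePassword}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /keystone
                query:
                  if:
                    - {get_param: EnableSQLAlchemyCollectd}
                    - read_default_file: /etc/my.cnf.d/tripleo.cnf
                      read_default_group: tripleo
                      plugin: collectd
                      collectd_program_name: keystone
                      collectd_host: localhost
                    - read_default_file: /etc/my.cnf.d/tripleo.cnf
                      read_default_group: tripleo
            keystone::sync_db: false
            keystone::token_expiration: {get_param: TokenExpiration}
            keystone::policy::policies: {get_param: KeystonePolicies}
            keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
            keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
            keystone::token_provider: {get_param: KeystoneTokenProvider}
            keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
            keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
            keystone::enable_proxy_headers_parsing: true
            keystone::enable_credential_setup: true
            keystone::credential_keys:
              '/etc/keystone/credential-keys/0':
                content: {get_param: KeystoneCredential0}
              '/etc/keystone/credential-keys/1':
                content: {get_param: KeystoneCredential1}
            keystone::fernet_keys: {get_param: KeystoneFernetKeys}
            keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
            keystone::logging::debug:
              if:
                - {get_param: KeystoneDebug}
                - true
                - {get_param: Debug}
            keystone::notification_driver:
              if:
                - keystone_notification_driver_set
                - {get_param: KeystoneNotificationDriver}
                - {get_param: NotificationDriver}
            keystone::notification_format: {get_param: KeystoneNotificationFormat}
            tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
            tripleo::profile::base::keystone::manage_db_purge: {get_param: KeystoneEnableDBPurge}
            keystone::cron::trust_flush::ensure: {get_param: KeystoneCronTrustFlushEnsure}
            keystone::cron::trust_flush::minute: {get_param: KeystoneCronTrustFlushMinute}
            keystone::cron::trust_flush::hour: {get_param: KeystoneCronTrustFlushHour}
            keystone::cron::trust_flush::monthday: {get_param: KeystoneCronTrustFlushMonthday}
            keystone::cron::trust_flush::month: {get_param: KeystoneCronTrustFlushMonth}
            keystone::cron::trust_flush::weekday: {get_param: KeystoneCronTrustFlushWeekday}
            keystone::cron::trust_flush::maxdelay: {get_param: KeystoneCronTrustFlushMaxDelay}
            keystone::cron::trust_flush::destination: {get_param: KeystoneCronTrustFlushDestination}
            keystone::cron::trust_flush::user: {get_param: KeystoneCronTrustFlushUser}
            keystone::rabbit_heartbeat_timeout_threshold: 60
            keystone::service_name: 'httpd'
            keystone::wsgi::apache::access_log_format: 'forwarded'
            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            keystone::wsgi::apache::servername:
              str_replace:
                template: "%{lookup('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
            keystone::wsgi::apache::workers:
              if:
                - keystone_workers_set
                - {get_param: KeystoneWorkers}
            # override via extraconfig:
            keystone::wsgi::apache::threads: 1
            keystone::db::database_db_max_retries: -1
            keystone::db::database_max_retries: -1
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            keystone::wsgi::apache::bind_host:
              str_replace:
                template: "%{lookup('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
          - keystone::cache::enabled: {get_param: EnableCache}
            keystone::cache::tls_enabled: {get_param: MemcachedTLS}
          - if:
              - tls_cache_enabled
              - keystone::cache::backend: 'dogpile.cache.pymemcache'
                keystone::cache::enable_socket_keepalive: true
              - keystone::cache::backend: 'dogpile.cache.memcached'
          - if:
              - {get_param: KeystoneFederationEnable}
              - tripleo::profile::base::keystone::keystone_federation_enabled: true
                keystone::federation::trusted_dashboards:
                  get_param: KeystoneTrustedDashboards
          - if:
              - {get_param: KeystoneOpenIdcEnable}
              - tripleo::profile::base::keystone::keystone_openidc_enabled: true
                keystone::federation::openidc::methods:
                  get_param: KeystoneAuthMethods
                keystone::federation::openidc::keystone_url:
                  get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
                keystone::federation::openidc::idp_name:
                  get_param: KeystoneOpenIdcIdpName
                keystone::federation::openidc::openidc_provider_metadata_url:
                  get_param: KeystoneOpenIdcProviderMetadataUrl
                keystone::federation::openidc::openidc_client_id:
                  get_param: KeystoneOpenIdcClientId
                keystone::federation::openidc::openidc_client_secret:
                  get_param: KeystoneOpenIdcClientSecret
                keystone::federation::openidc::openidc_crypto_passphrase:
                  get_param: KeystoneOpenIdcCryptoPassphrase
                keystone::federation::openidc::openidc_response_type:
                  get_param: KeystoneOpenIdcResponseType
                keystone::federation::openidc::remote_id_attribute:
                  get_param: KeystoneOpenIdcRemoteIdAttribute
                keystone::federation::openidc::openidc_enable_oauth:
                  get_param: KeystoneOpenIdcEnableOAuth
                keystone::federation::openidc::openidc_introspection_endpoint:
                  get_param: KeystoneOpenIdcIntrospectionEndpoint
                keystone::federation::openidc::openidc_pass_userinfo_as:
                  get_param: KeystoneOpenIdcPassUserInfoAs
                keystone::federation::openidc::openidc_pass_claim_as:
                  get_param: KeystoneOpenIdcPassClaimsAs
                keystone::federation::openidc::openidc_claim_delimiter:
                  get_param: KeystoneOpenIdcClaimDelimiter
                # memcache-backed OIDC cache is only configured for non-TLS memcached
                keystone::federation::openidc::openidc_cache_type:
                  if:
                    - nontls_cache_enabled
                    - 'memcache'
          - if:
              - {get_param: KeystoneLDAPDomainEnable}
              - tripleo::profile::base::keystone::ldap_backend_enable: true
                keystone::using_domain_config: true
                tripleo::profile::base::keystone::ldap_backends_config:
                  get_param: KeystoneLDAPBackendConfigs
          - if:
              - {get_param: EnforceSecureRbac}
              - keystone::policy::enforce_scope: true
                keystone::policy::enforce_new_defaults: true
          - if:
              - {get_param: KeystoneChangePasswordUponFirstUse}
              - keystone::security_compliance::change_password_upon_first_use: true
          - if:
              - disable_user_account_days_inactive_set
              - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
          - if:
              - lockout_duration_set
              - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
          - if:
              - lockout_failure_attempts_set
              - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
          - if:
              - minimum_password_age_set
              - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
          - if:
              - password_expires_days_set
              - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
          - if:
              - password_regex_set
              - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
          - if:
              - password_regex_description_set
              - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
          - if:
              - unique_last_password_count_set
              - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
          - apache::default_vhost: false
          - get_attr: [KeystoneLogging, config_settings]
      service_config_settings:
        rsyslog:
          tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource}
        mysql:
          keystone::db::mysql::password:
            if:
              - admin_token_set
              - {get_param: AdminToken}
              - {get_param: KeystonePassword}
          keystone::db::mysql::user: keystone
          # '%' is the MySQL wildcard host: the keystone DB user may connect from any host.
          keystone::db::mysql::host: '%'
          keystone::db::mysql::dbname: keystone
        pacemaker:
          keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
          keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
          keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
          keystone::endpoint::region: {get_param: KeystoneRegion}
          keystone::admin_password: {get_param: AdminPassword}
        horizon:
          map_merge:
            - if:
                - {get_param: KeystoneLDAPDomainEnable}
                - horizon::keystone_multidomain_support: true
                  horizon::keystone_default_domain: 'Default'
            - horizon::policy::keystone_policies: {get_param: KeystonePolicies}
      ansible_group_vars:
        tripleo_keystone_image: {get_attr: [RoleParametersValue, value, ContainerKeystoneImage]}
        tripleo_keystone_volumes:
          - /etc/openldap:/etc/openldap:ro
          - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
          - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
        tripleo_keystone_common_volumes: {get_attr: [ContainersCommon, volumes]}
        tripleo_keystone_logging_volumes: {get_attr: [KeystoneLogging, volumes]}
        tripleo_enable_internal_tls: {get_param: EnableInternalTLS}
        tripleo_internal_tls_ca_file: {get_param: InternalTLSCAFile}
        tripleo_keystone_environment:
          KOLLA_BOOTSTRAP: true
          KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
          TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
        tripleo_keystone_logging_environment: {get_attr: [KeystoneLogging, environment]}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: keystone
        puppet_tags: keystone_config,keystone_domain_config
        step_config:
          list_join:
            - "\n"
            - - include tripleo::profile::base::keystone
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: &keystone_config_image {get_attr: [RoleParametersValue, value, ContainerKeystoneConfigImage]}
      docker_config:
        # Kolla_bootstrap/db sync runs before permissions set by kolla_config
        step_2:
          get_attr: [KeystoneLogging, docker_config, step_2]
        step_4:
          # There are cases where we need to refresh keystone after the resource provisioning,
          # such as the case of using LDAP backends for domains. So we trigger a graceful
          # restart [1], which shouldn't cause service disruption, but will reload new
          # configurations for keystone.
          # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
          keystone_refresh:
            start_order: 1
            action: exec
            user: root
            command: ['keystone', 'pkill', '--signal', 'USR1', 'httpd']
      external_deploy_tasks:
        - name: Manage clouds.yaml files
          when:
            - step|int == 1
            - not ansible_check_mode|bool
          block:
            # NOTE(review): the clouds.yaml written below carries AdminPassword;
            # the directory is world-readable, so the file mode applied by the
            # tripleo_keystone_resources role should be confirmed to be restrictive.
            - name: Create /etc/openstack directory if it does not exist
              become: true
              file:
                mode: '0755'
                owner: root
                path: /etc/openstack
                state: directory
            - name: Configure /etc/openstack/clouds.yaml
              include_role:
                name: tripleo_keystone_resources
                tasks_from: clouds
              vars:
                tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
                tripleo_keystone_resources_cloud_config:
                  auth:
                    auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
                    password: {get_param: AdminPassword}
                    project_domain_name: Default
                    project_name: admin
                    user_domain_name: Default
                    username: admin
                  cacert:
                    if:
                      - public_tls_enabled
                      - {get_param: PublicTLSCAFile}
                      - ''
                  identity_api_version: '3'
                  volume_api_version: '3'
                  region_name: {get_param: KeystoneRegion}
            - name: Configure system admin account in /etc/openstack/clouds.yaml
              include_role:
                name: tripleo_keystone_resources
                tasks_from: clouds
              vars:
                tripleo_keystone_resources_cloud_name:
                  list_join:
                    - '-'
                    - - {get_param: RootStackName}
                      - 'system-admin'
                tripleo_keystone_resources_cloud_config:
                  auth:
                    auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
                    password: {get_param: AdminPassword}
                    system_scope: all
                    user_domain_name: Default
                    username: admin
                  cacert:
                    if:
                      - public_tls_enabled
                      - {get_param: PublicTLSCAFile}
                      - ''
                  identity_api_version: '3'
                  volume_api_version: '3'
                  region_name: {get_param: KeystoneRegion}
        - name: Manage Keystone resources
          become: true
          when:
            - step|int == 4
            - not ansible_check_mode|bool
          block:
            - name: Manage Keystone resources for OpenStack services
              include_role:
                name: tripleo_keystone_resources
              vars:
                tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
                tripleo_keystone_resources_service_project: 'service'
                tripleo_keystone_resources_cloud_name:
                  list_join:
                    - '-'
                    - - {get_param: RootStackName}
                      - 'system-admin'
                tripleo_keystone_resources_region: {get_param: KeystoneRegion}
                tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
                tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
                tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
                tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
                tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
            - name: is Keystone LDAP enabled
              set_fact:
                keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
            - name: Set fact for tripleo_keystone_ldap_domains
              set_fact:
                tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
              when: keystone_ldap_domain_enabled|bool
            - name: Manage Keystone domains from LDAP config
              when: keystone_ldap_domain_enabled|bool
              include_role:
                name: tripleo_keystone_resources
                tasks_from: domains
              vars:
                tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
                tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
                batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
      deploy_steps_tasks:
        list_concat:
          - get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
          - - name: validate keystone container state
              containers.podman.podman_container_info:
                name: keystone
              register: keystone_infos
              failed_when:
                - keystone_infos.containers.0.Healthcheck.Status is defined
                - "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
              retries: 10
              delay: 30
              tags:
                - opendev-validation
                - opendev-validation-keystone
              when:
                - not container_healthcheck_disabled
                - step|int == 4
            - name: Keystone DB sync
              include_role:
                name: tripleo_keystone
                tasks_from: keystone-db-sync.yaml
              when:
                - step|int == 3
            - name: Keystone containers
              import_role:
                name: tripleo_keystone
                tasks_from: keystone.yaml
              when:
                - step|int == 3
            - name: Keystone bootstrap containers
              import_role:
                name: tripleo_keystone
                tasks_from: keystone-bootstrap.yaml
              when:
                - step|int == 3
              vars:
                tripleo_keystone_admin_password: {get_param: AdminPassword}
                tripleo_keystone_admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
                tripleo_keystone_public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
                tripleo_keystone_internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
                tripleo_keystone_region: {get_param: KeystoneRegion}
      host_prep_tasks:
        list_concat:
          - {get_attr: [KeystoneLogging, host_prep_tasks]}
          - - include_role:
                name: tripleo_keystone
                tasks_from: keystone-install.yaml
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      external_upgrade_tasks:
        - when:
            - step|int == 1
          tags:
            - never
            - system_upgrade_transfer_data
            - system_upgrade_stop_services
          block:
            - name: Stop keystone container
              import_role:
                name: tripleo_container_stop
              vars:
                tripleo_containers_to_stop:
                  - keystone
                  - keystone_cron
                tripleo_delegate_to: "{{ groups['keystone'] | difference(groups['excluded_overcloud']) }}"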