heat_template_version: wallaby description: > OpenStack containerized Keystone service parameters: ContainerKeystoneImage: description: image type: string ContainerKeystoneConfigImage: description: The container image to use for the keystone config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. AdminPassword: description: The password for the keystone admin account, used for monitoring, querying neutron etc. type: string hidden: true KeystoneTokenProvider: description: The keystone token format type: string default: 'fernet' constraints: - allowed_values: ['fernet'] SSLCertificate: default: '' description: > The content of the SSL certificate (without Key) in PEM format. type: string PublicSSLCertificateAutogenerated: default: false description: > Whether the public SSL certificate was autogenerated or not. type: boolean EnablePublicTLS: default: true description: > Whether to enable TLS on the public interface or not. type: boolean PublicTLSCAFile: default: '' type: string description: Specifies the default CA cert to use if TLS is used for services in the public network. EnableInternalTLS: type: boolean default: false MemcachedTLS: default: false description: Set to True to enable TLS on Memcached service. Because not all services support Memcached TLS, during the migration period, Memcached will listen on 2 ports - on the port set with MemcachedPort parameter (above) and on 11211, without TLS. type: boolean KeystoneSSLCertificate: default: '' description: Keystone certificate for verifying token validity. type: string KeystoneSSLCertificateKey: default: '' description: Keystone key for signing tokens. type: string hidden: true KeystoneNotificationFormat: description: The Keystone notification format default: 'basic' type: string constraints: - allowed_values: [ 'basic', 'cadf' ] KeystoneNotificationTopics: description: Keystone notification topics to enable default: [] type: comma_delimited_list KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint Debug: type: boolean default: false description: Set to True to enable debugging on all services. KeystoneDebug: default: false description: Set to True to enable debugging Keystone service. type: boolean EnableCache: description: Enable caching with memcached type: boolean default: true EnableSQLAlchemyCollectd: type: boolean description: > Set to true to enable the SQLAlchemy-collectd server plugin default: false AdminToken: description: The keystone auth secret and db password. type: string hidden: true TokenExpiration: default: 3600 description: Set a token expiration time in seconds. type: number KeystoneWorkers: type: string description: Set the number of workers for keystone::wsgi::apache default: '%{::os_workers_keystone}' MonitoringSubscriptionKeystone: default: 'overcloud-keystone' type: string KeystoneCredential0: type: string description: The first Keystone credential key. Must be a valid key. KeystoneCredential1: type: string description: The second Keystone credential key. Must be a valid key. KeystoneFernetKeys: type: json description: Mapping containing keystone's fernet keys and their paths. KeystoneFernetMaxActiveKeys: type: number description: The maximum active keys in the keystone fernet key repository. default: 5 ManageKeystoneFernetKeys: type: boolean default: true description: Whether TripleO should manage the keystone fernet keys or not. If set to true, the fernet keys will get the values from the saved keys repository in mistral (the KeystoneFernetKeys variable). If set to false, only the stack creation initializes the keys, but subsequent updates won't touch them. KeystoneLoggingSource: type: json default: tag: openstack.keystone file: /var/log/containers/keystone/keystone.log KeystonePolicies: description: | A hash of policies to configure for Keystone. e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json KeystoneLDAPDomainEnable: description: Trigger to call ldap_backend puppet keystone define. type: boolean default: False KeystoneLDAPBackendConfigs: description: Hash containing the configurations for the LDAP backends configured in keystone. type: json default: {} hidden: true NotificationDriver: type: comma_delimited_list default: 'noop' description: Driver or drivers to handle sending notifications. KeystoneChangePasswordUponFirstUse: type: string default: '' description: >- Enabling this option requires users to change their password when the user is created, or upon administrative reset. constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] KeystoneDisableUserAccountDaysInactive: type: string default: '' description: >- The maximum number of days a user can go without authenticating before being considered "inactive" and automatically disabled (locked). KeystoneLockoutDuration: type: string default: '' description: >- The number of seconds a user account will be locked when the maximum number of failed authentication attempts (as specified by KeystoneLockoutFailureAttempts) is exceeded. KeystoneLockoutFailureAttempts: type: string default: '' description: >- The maximum number of times that a user can fail to authenticate before the user account is locked for the number of seconds specified by KeystoneLockoutDuration. KeystoneMinimumPasswordAge: type: string default: '' description: >- The number of days that a password must be used before the user can change it. This prevents users from changing their passwords immediately in order to wipe out their password history and reuse an old password. KeystonePasswordExpiresDays: type: string default: '' description: >- The number of days for which a password will be considered valid before requiring it to be changed. KeystonePasswordRegex: type: string default: '' description: >- The regular expression used to validate password strength requirements. KeystonePasswordRegexDescription: type: string default: '' description: >- Describe your password regular expression here in language for humans. KeystoneUniqueLastPasswordCount: type: string default: '' description: >- This controls the number of previous user password iterations to keep in history, in order to enforce that newly created passwords are unique. KeystoneCorsAllowedOrigin: type: string default: '' description: Indicate whether this resource may be shared with the domain received in the request "origin" header. KeystoneEnableMember: description: Create the _member_ role, useful for undercloud deployment. type: boolean default: False KeystoneFederationEnable: type: boolean default: false description: Enable support for federated authentication. KeystoneTrustedDashboards: type: comma_delimited_list default: [] description: A list of dashboard URLs trusted for single sign-on. KeystoneAuthMethods: type: comma_delimited_list default: [] description: >- A list of methods used for authentication. KeystoneOpenIdcEnable: type: boolean default: false description: Enable support for OpenIDC federation. KeystoneOpenIdcIdpName: type: string default: '' description: The name associated with the IdP in Keystone. KeystoneOpenIdcProviderMetadataUrl: type: string default: '' description: The url that points to your OpenID Connect provider metadata KeystoneOpenIdcClientId: type: string default: '' description: >- The client ID to use when handshaking with your OpenID Connect provider KeystoneOpenIdcClientSecret: type: string default: '' description: >- The client secret to use when handshaking with your OpenID Connect provider KeystoneOpenIdcCryptoPassphrase: type: string default: 'openstack' description: >- Passphrase to use when encrypting data for OpenID Connect handshake. KeystoneOpenIdcResponseType: type: string default: 'id_token' description: Response type to be expected from the OpenID Connect provider. KeystoneOpenIdcRemoteIdAttribute: type: string default: 'HTTP_OIDC_ISS' description: >- Attribute to be used to obtain the entity ID of the Identity Provider from the environment. KeystoneOpenIdcEnableOAuth: type: boolean default: false description: >- Enable OAuth 2.0 integration. KeystoneOpenIdcIntrospectionEndpoint: type: string default: '' description: >- OAuth 2.0 introspection endpoint for mod_auth_openidc RootStackName: description: The name of the stack/plan. type: string resources: ContainersCommon: type: ../containers-common.yaml MySQLClient: type: ../database/mysql-client.yaml ApacheServiceBase: type: ../../deployment/apache/apache-baremetal-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} KeystoneLogging: type: OS::TripleO::Services::Logging::Keystone conditions: public_tls_enabled: and: - {get_param: EnablePublicTLS} - or: - not: equals: - {get_param: SSLCertificate} - "" - equals: - {get_param: PublicSSLCertificateAutogenerated} - true internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]} keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]} nontls_cache_enabled: and: - {get_param: EnableCache} - not: {get_param: MemcachedTLS} tls_cache_enabled: and: - {get_param: EnableCache} - {get_param: MemcachedTLS} enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} # Security compliance change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}} disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}} lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}} lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}} minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}} password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}} password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}} password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}} unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}} cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']} outputs: role_data: description: Role data for the Keystone API role. value: service_name: keystone firewall_rules: '111 keystone': dport: - 5000 - 13000 - {get_param: [EndpointMap, KeystoneAdmin, port]} monitoring_subscription: {get_param: MonitoringSubscriptionKeystone} config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - if: - cors_allowed_origin_unset - {} - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin} - keystone::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: keystone password: {get_param: AdminToken} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /keystone query: if: - enable_sqlalchemy_collectd - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo plugin: collectd collectd_program_name: keystone collectd_host: localhost - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo keystone::token_expiration: {get_param: TokenExpiration} keystone::policy::policies: {get_param: KeystonePolicies} keystone_ssl_certificate: {get_param: KeystoneSSLCertificate} keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey} keystone::token_provider: {get_param: KeystoneTokenProvider} keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]} keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys} keystone::enable_proxy_headers_parsing: true keystone::enable_credential_setup: true keystone::credential_keys: '/etc/keystone/credential-keys/0': content: {get_param: KeystoneCredential0} '/etc/keystone/credential-keys/1': content: {get_param: KeystoneCredential1} keystone::fernet_keys: {get_param: KeystoneFernetKeys} keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys} keystone::logging::debug: if: - {get_param: KeystoneDebug} - true - {get_param: Debug } keystone::notification_driver: {get_param: NotificationDriver} keystone::notification_format: {get_param: KeystoneNotificationFormat} tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics} keystone::rabbit_heartbeat_timeout_threshold: 60 keystone::service_name: 'httpd' keystone::enable_ssl: {get_param: EnableInternalTLS} keystone::wsgi::apache::api_port: - 5000 - {get_param: [EndpointMap, KeystoneAdmin, port]} keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS} keystone::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::servername_admin: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::wsgi::apache::workers: {get_param: KeystoneWorkers} # override via extraconfig: keystone::wsgi::apache::threads: 1 keystone::db::database_db_max_retries: -1 keystone::db::database_max_retries: -1 # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR # NOTE: this applies to all 2 bind IP settings below... keystone::wsgi::apache::bind_host: - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - keystone::cache::enabled: {get_param: EnableCache} keystone::cache::tls_enabled: {get_param: MemcachedTLS} if: - tls_cache_enabled - keystone::cache::backend: 'dogpile.cache.pymemcache' keystone::token_caching: true - keystone::cache::backend: 'dogpile.cache.memcached' - if: - keystone_federation_enabled - keystone_federation_enabled: True keystone::federation::trusted_dashboards: get_param: KeystoneTrustedDashboards - {} - if: - keystone_openidc_enabled - map_merge: - keystone_openidc_enabled: True keystone::federation::openidc::methods: get_param: KeystoneAuthMethods keystone::federation::openidc::keystone_url: get_param: [EndpointMap, KeystonePublic, uri_no_suffix] keystone::federation::openidc::idp_name: get_param: KeystoneOpenIdcIdpName keystone::federation::openidc::openidc_provider_metadata_url: get_param: KeystoneOpenIdcProviderMetadataUrl keystone::federation::openidc::openidc_client_id: get_param: KeystoneOpenIdcClientId keystone::federation::openidc::openidc_client_secret: get_param: KeystoneOpenIdcClientSecret keystone::federation::openidc::openidc_crypto_passphrase: get_param: KeystoneOpenIdcCryptoPassphrase keystone::federation::openidc::openidc_response_type: get_param: KeystoneOpenIdcResponseType keystone::federation::openidc::remote_id_attribute: get_param: KeystoneOpenIdcRemoteIdAttribute keystone::federation::openidc::openidc_enable_oauth: get_param: KeystoneOpenIdcEnableOAuth keystone::federation::openidc::openidc_introspection_endpoint: get_param: KeystoneOpenIdcIntrospectionEndpoint - if: - nontls_cache_enabled - keystone::federation::openidc::openidc_cache_type: 'memcache' - {} - {} - if: - keystone_ldap_domain_enabled - tripleo::profile::base::keystone::ldap_backend_enable: True keystone::using_domain_config: True tripleo::profile::base::keystone::ldap_backends_config: get_param: KeystoneLDAPBackendConfigs - {} - if: - change_password_upon_first_use_set - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse} - {} - if: - disable_user_account_days_inactive_set - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive} - {} - if: - lockout_duration_set - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration} - {} - if: - lockout_failure_attempts_set - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts} - {} - if: - minimum_password_age_set - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge} - {} - if: - password_expires_days_set - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays} - {} - if: - password_regex_set - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex} - {} - if: - password_regex_description_set - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription} - {} - if: - unique_last_password_count_set - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount} - {} - apache::default_vhost: false - get_attr: [KeystoneLogging, config_settings] service_config_settings: rsyslog: tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource} mysql: keystone::db::mysql::password: {get_param: AdminToken} keystone::db::mysql::user: keystone keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} keystone::db::mysql::dbname: keystone keystone::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" pacemaker: keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} keystone::endpoint::region: {get_param: KeystoneRegion} keystone::admin_password: {get_param: AdminPassword} horizon: if: - keystone_ldap_domain_enabled - horizon::keystone_multidomain_support: true horizon::keystone_default_domain: 'Default' - {} # BEGIN DOCKER SETTINGS puppet_config: config_volume: keystone puppet_tags: keystone_config,keystone_domain_config step_config: list_join: - "\n" - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }" - | include tripleo::profile::base::keystone - {get_attr: [MySQLClient, role_data, step_config]} config_image: &keystone_config_image {get_param: ContainerKeystoneConfigImage} kolla_config: /var/lib/kolla/config_files/keystone.json: command: /usr/sbin/httpd config_files: - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys" dest: "/etc/keystone/fernet-keys" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" # TODO(emilien) remove optional flag once we get a promotion # https://launchpad.net/bugs/1884115 optional: true merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true docker_config: # Kolla_bootstrap/db sync runs before permissions set by kolla_config step_2: get_attr: [KeystoneLogging, docker_config, step_2] step_3: keystone_db_sync: image: &keystone_image {get_param: ContainerKeystoneImage} net: host user: root privileged: false detach: false volumes: &keystone_volumes list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [KeystoneLogging, volumes]} - - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro - if: - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - [] - if: - internal_tls_enabled - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - [] environment: map_merge: - {get_attr: [KeystoneLogging, environment]} - KOLLA_BOOTSTRAP: true KOLLA_CONFIG_STRATEGY: COPY_ALWAYS TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start'] keystone: start_order: 2 image: *keystone_image net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: *keystone_volumes environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS keystone_bootstrap: start_order: 3 action: exec user: root command: [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ] environment: KOLLA_BOOTSTRAP: true OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword} OS_BOOTSTRAP_USERNAME: 'admin' OS_BOOTSTRAP_PROJECT_NAME: 'admin' OS_BOOTSTRAP_ROLE_NAME: 'admin' OS_BOOTSTRAP_SERVICE_NAME: 'keystone' OS_BOOTSTRAP_ADMIN_URL: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion} step_4: # There are cases where we need to refresh keystone after the resource provisioning, # such as the case of using LDAP backends for domains. So we trigger a graceful # restart [1], which shouldn't cause service disruption, but will reload new # configurations for keystone. # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful keystone_refresh: start_order: 1 action: exec user: root command: [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ] external_deploy_tasks: - name: Manage clouds.yaml files when: - step|int == 1 - not ansible_check_mode|bool block: - name: Create /etc/openstack directory if it does not exist become: true file: mode: '0755' owner: root path: /etc/openstack state: directory - name: Configure /etc/openstack/clouds.yaml include_role: name: tripleo_keystone_resources tasks_from: clouds vars: tripleo_keystone_resources_cloud_name: {get_param: RootStackName} tripleo_keystone_resources_cloud_config: auth: auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} password: {get_param: AdminPassword} project_domain_name: Default project_name: admin user_domain_name: Default username: admin cacert: if: - public_tls_enabled - {get_param: PublicTLSCAFile} - '' identity_api_version: '3' volume_api_version: '3' region_name: {get_param: KeystoneRegion} - name: Manage Keystone resources become: true when: - step|int == 4 - not ansible_check_mode|bool block: - name: Manage Keystone resources for OpenStack services include_role: name: tripleo_keystone_resources vars: tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}" tripleo_keystone_resources_service_project: 'service' tripleo_keystone_resources_cloud_name: {get_param: RootStackName} tripleo_keystone_resources_region: {get_param: KeystoneRegion} tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} tripleo_keystone_resources_admin_password: {get_param: AdminPassword} tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember} - name: is Keystone LDAP enabled set_fact: keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable} - name: Set fact for tripleo_keystone_ldap_domains set_fact: tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs} when: keystone_ldap_domain_enabled|bool - name: Manage Keystone domains from LDAP config when: keystone_ldap_domain_enabled|bool include_role: name: tripleo_keystone_resources tasks_from: domains vars: tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}" tripleo_keystone_resources_cloud_name: {get_param: RootStackName} batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}" deploy_steps_tasks: list_concat: - get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks] - - name: validate keystone container state podman_container_info: name: keystone register: keystone_infos failed_when: - keystone_infos.containers.0.Healthcheck.Status is defined - "'healthy' not in keystone_infos.containers.0.Healthcheck.Status" retries: 10 delay: 30 tags: - opendev-validation - opendev-validation-keystone when: - container_cli == 'podman' - not container_healthcheck_disabled - step|int == 4 container_puppet_tasks: # Keystone endpoint creation occurs only on single node step_3: config_volume: 'keystone_init_tasks' puppet_tags: 'keystone_config' step_config: 'include tripleo::profile::base::keystone' config_image: *keystone_config_image host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]} metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] external_upgrade_tasks: - when: - step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop keystone container import_role: name: tripleo_container_stop vars: tripleo_containers_to_stop: - keystone - keystone_cron tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"