  1. heat_template_version: rocky
  2. description: >
  3. OpenStack containerized Keystone service
  4. parameters:
  5. ContainerKeystoneImage:
  6. description: image
  7. type: string
  8. ContainerKeystoneConfigImage:
  9. description: The container image to use for the keystone config_volume
  10. type: string
  11. EndpointMap:
  12. default: {}
  13. description: Mapping of service endpoint -> protocol. Typically set
  14. via parameter_defaults in the resource registry.
  15. type: json
  16. ServiceData:
  17. default: {}
  18. description: Dictionary packing service data
  19. type: json
  20. ServiceNetMap:
  21. default: {}
  22. description: Mapping of service_name -> network name. Typically set
  23. via parameter_defaults in the resource registry. This
  24. mapping overrides those in ServiceNetMapDefaults.
  25. type: json
  26. DefaultPasswords:
  27. default: {}
  28. type: json
  29. RoleName:
  30. default: ''
  31. description: Role name on which the service is applied
  32. type: string
  33. RoleParameters:
  34. default: {}
  35. description: Parameters specific to the role
  36. type: json
  37. DeployIdentifier:
  38. default: ''
  39. type: string
  40. description: >
  41. Setting this to a unique value will re-run any deployment tasks which
  42. perform configuration on a Heat stack-update.
  43. AdminPassword:
  44. description: The password for the keystone admin account, used for monitoring, querying neutron etc.
  45. type: string
  46. hidden: true
  47. KeystoneTokenProvider:
  48. description: The keystone token format
  49. type: string
  50. default: 'fernet'
  51. constraints:
  52. - allowed_values: ['fernet']
  53. SSLCertificate:
  54. default: ''
  55. description: >
  56. The content of the SSL certificate (without Key) in PEM format.
  57. type: string
  58. PublicSSLCertificateAutogenerated:
  59. default: false
  60. description: >
  61. Whether the public SSL certificate was autogenerated or not.
  62. type: boolean
  63. EnablePublicTLS:
  64. default: true
  65. description: >
  66. Whether to enable TLS on the public interface or not.
  67. type: boolean
  68. InternalTLSCAFile:
  69. default: '/etc/ipa/ca.crt'
  70. type: string
  71. description: Specifies the default CA cert to use if TLS is used for
  72. services in the internal network.
  73. EnableInternalTLS:
  74. type: boolean
  75. default: false
  76. KeystoneSSLCertificate:
  77. default: ''
  78. description: Keystone certificate for verifying token validity.
  79. type: string
  80. KeystoneSSLCertificateKey:
  81. default: ''
  82. description: Keystone key for signing tokens.
  83. type: string
  84. hidden: true
  85. KeystoneNotificationFormat:
  86. description: The Keystone notification format
  87. default: 'basic'
  88. type: string
  89. constraints:
  90. - allowed_values: [ 'basic', 'cadf' ]
  91. KeystoneNotificationTopics:
  92. description: Keystone notification topics to enable
  93. default: []
  94. type: comma_delimited_list
  95. KeystoneRegion:
  96. type: string
  97. default: 'regionOne'
  98. description: Keystone region for endpoint
  99. Debug:
  100. type: boolean
  101. default: false
  102. description: Set to True to enable debugging on all services.
  103. KeystoneDebug:
  104. default: ''
  105. description: Set to True to enable debugging Keystone service.
  106. type: string
  107. constraints:
  108. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  109. EnableCache:
  110. description: Enable caching with memcached
  111. type: boolean
  112. default: true
  113. EnableSQLAlchemyCollectd:
  114. type: boolean
  115. description: >
  116. Set to true to enable the SQLAlchemy-collectd server plugin
  117. default: false
  118. AdminEmail:
  119. default: 'admin@example.com'
  120. description: The email for the keystone admin account.
  121. type: string
  122. hidden: true
  123. AdminToken:
  124. description: The keystone auth secret and db password.
  125. type: string
  126. hidden: true
  127. TokenExpiration:
  128. default: 3600
  129. description: Set a token expiration time in seconds.
  130. type: number
  131. KeystoneWorkers:
  132. type: string
  133. description: Set the number of workers for keystone::wsgi::apache
  134. default: '%{::os_workers_keystone}'
  135. MonitoringSubscriptionKeystone:
  136. default: 'overcloud-keystone'
  137. type: string
  138. KeystoneCredential0:
  139. type: string
  140. description: The first Keystone credential key. Must be a valid key.
  141. KeystoneCredential1:
  142. type: string
  143. description: The second Keystone credential key. Must be a valid key.
  144. KeystoneFernetKeys:
  145. type: json
  146. description: Mapping containing keystone's fernet keys and their paths.
  147. KeystoneFernetMaxActiveKeys:
  148. type: number
  149. description: The maximum active keys in the keystone fernet key repository.
  150. default: 5
  151. ManageKeystoneFernetKeys:
  152. type: boolean
  153. default: true
  154. description: Whether TripleO should manage the keystone fernet keys or not.
  155. If set to true, the fernet keys will get the values from the
  156. saved keys repository in mistral (the KeystoneFernetKeys
  157. variable). If set to false, only the stack creation
  158. initializes the keys, but subsequent updates won't touch them.
  159. KeystoneLoggingSource:
  160. type: json
  161. default:
  162. tag: openstack.keystone
  163. file: /var/log/containers/keystone/keystone.log
  164. KeystonePolicies:
  165. description: |
  166. A hash of policies to configure for Keystone.
  167. e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
  168. default: {}
  169. type: json
  170. KeystoneLDAPDomainEnable:
  171. description: Trigger to call ldap_backend puppet keystone define.
  172. type: boolean
  173. default: False
  174. KeystoneLDAPBackendConfigs:
  175. description: Hash containing the configurations for the LDAP backends
  176. configured in keystone.
  177. type: json
  178. default: {}
  179. hidden: true
  180. NotificationDriver:
  181. type: string
  182. default: 'messagingv2'
  183. description: Driver or drivers to handle sending notifications.
  184. KeystoneChangePasswordUponFirstUse:
  185. type: string
  186. default: ''
  187. description: >-
  188. Enabling this option requires users to change their password when the
  189. user is created, or upon administrative reset.
  190. constraints:
  191. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  192. KeystoneDisableUserAccountDaysInactive:
  193. type: string
  194. default: ''
  195. description: >-
  196. The maximum number of days a user can go without authenticating before
  197. being considered "inactive" and automatically disabled (locked).
  198. KeystoneLockoutDuration:
  199. type: string
  200. default: ''
  201. description: >-
  202. The number of seconds a user account will be locked when the maximum
  203. number of failed authentication attempts (as specified by
  204. KeystoneLockoutFailureAttempts) is exceeded.
  205. KeystoneLockoutFailureAttempts:
  206. type: string
  207. default: ''
  208. description: >-
  209. The maximum number of times that a user can fail to authenticate before
  210. the user account is locked for the number of seconds specified by
  211. KeystoneLockoutDuration.
  212. KeystoneMinimumPasswordAge:
  213. type: string
  214. default: ''
  215. description: >-
  216. The number of days that a password must be used before the user can
  217. change it. This prevents users from changing their passwords immediately
  218. in order to wipe out their password history and reuse an old password.
  219. KeystonePasswordExpiresDays:
  220. type: string
  221. default: ''
  222. description: >-
  223. The number of days for which a password will be considered valid before
  224. requiring it to be changed.
  225. KeystonePasswordRegex:
  226. type: string
  227. default: ''
  228. description: >-
  229. The regular expression used to validate password strength requirements.
  230. KeystonePasswordRegexDescription:
  231. type: string
  232. default: ''
  233. description: >-
  234. Describe your password regular expression here in language for humans.
  235. KeystoneUniqueLastPasswordCount:
  236. type: string
  237. default: ''
  238. description: >-
  239. This controls the number of previous user password iterations to keep in
  240. history, in order to enforce that newly created passwords are unique.
  241. KeystoneCorsAllowedOrigin:
  242. type: string
  243. default: ''
  244. description: Indicate whether this resource may be shared with the domain received in the request
  245. "origin" header.
  246. KeystoneEnableMember:
  247. description: Create the _member_ role, useful for undercloud deployment.
  248. type: boolean
  249. default: False
  250. KeystoneFederationEnable:
  251. type: boolean
  252. default: false
  253. description: Enable support for federated authentication.
  254. KeystoneTrustedDashboards:
  255. type: comma_delimited_list
  256. default: []
  257. description: A list of dashboard URLs trusted for single sign-on.
  258. KeystoneAuthMethods:
  259. type: comma_delimited_list
  260. default: []
  261. description: >-
  262. A list of methods used for authentication.
  263. KeystoneOpenIdcEnable:
  264. type: boolean
  265. default: false
  266. description: Enable support for OpenIDC federation.
  267. KeystoneOpenIdcIdpName:
  268. type: string
  269. default: ''
  270. description: The name associated with the IdP in Keystone.
  271. KeystoneOpenIdcProviderMetadataUrl:
  272. type: string
  273. default: ''
  274. description: The url that points to your OpenID Connect provider metadata
  275. KeystoneOpenIdcClientId:
  276. type: string
  277. default: ''
  278. description: >-
  279. The client ID to use when handshaking with your OpenID Connect provider
  280. KeystoneOpenIdcClientSecret:
  281. type: string
  282. default: ''
  283. description: >-
  284. The client secret to use when handshaking with your OpenID
  285. Connect provider
  286. KeystoneOpenIdcCryptoPassphrase:
  287. type: string
  288. default: 'openstack'
  289. description: >-
  290. Passphrase to use when encrypting data for OpenID Connect handshake.
  291. KeystoneOpenIdcResponseType:
  292. type: string
  293. default: 'id_token'
  294. description: Response type to be expected from the OpenID Connect provider.
  295. KeystoneOpenIdcRemoteIdAttribute:
  296. type: string
  297. default: 'HTTP_OIDC_ISS'
  298. description: >-
  299. Attribute to be used to obtain the entity ID of the Identity Provider
  300. from the environment.
  301. KeystoneOpenIdcEnableOAuth:
  302. type: boolean
  303. default: false
  304. description: >-
  305. Enable OAuth 2.0 integration.
  306. KeystoneOpenIdcIntrospectionEndpoint:
  307. type: string
  308. default: ''
  309. description: >-
  310. OAuth 2.0 introspection endpoint for mod_auth_openidc
  311. RootStackName:
  312. description: The name of the stack/plan.
  313. type: string
  314. resources:
  315. ContainersCommon:
  316. type: ../containers-common.yaml
  317. MySQLClient:
  318. type: ../database/mysql-client.yaml
  319. ApacheServiceBase:
  320. type: ../../deployment/apache/apache-baremetal-puppet.yaml
  321. properties:
  322. ServiceData: {get_param: ServiceData}
  323. ServiceNetMap: {get_param: ServiceNetMap}
  324. DefaultPasswords: {get_param: DefaultPasswords}
  325. EndpointMap: {get_param: EndpointMap}
  326. RoleName: {get_param: RoleName}
  327. RoleParameters: {get_param: RoleParameters}
  328. EnableInternalTLS: {get_param: EnableInternalTLS}
  329. KeystoneLogging:
  330. type: OS::TripleO::Services::Logging::Keystone
  331. conditions:
  332. public_tls_enabled:
  333. and:
  334. - {get_param: EnablePublicTLS}
  335. - or:
  336. - not:
  337. equals:
  338. - {get_param: SSLCertificate}
  339. - ""
  340. - equals:
  341. - {get_param: PublicSSLCertificateAutogenerated}
  342. - true
  343. internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  344. keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  345. keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
  346. keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
  347. keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
  348. service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
  349. cache_enabled: {equals: [{get_param: EnableCache}, true]}
  350. enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
  351. # Security compliance
  352. change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
  353. disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
  354. lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
  355. lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
  356. minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
  357. password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
  358. password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
  359. password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
  360. unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
  361. cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
  362. outputs:
  363. role_data:
  364. description: Role data for the Keystone API role.
  365. value:
  366. service_name: keystone
  367. firewall_rules:
  368. '111 keystone':
  369. dport:
  370. - 5000
  371. - 13000
  372. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  373. monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
  374. config_settings:
  375. map_merge:
  376. - get_attr: [ApacheServiceBase, role_data, config_settings]
  377. -
  378. if:
  379. - cors_allowed_origin_unset
  380. - {}
  381. - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
  382. - keystone_enable_member: {get_param: KeystoneEnableMember}
  383. - keystone_resources_managed: false
  384. - keystone::database_connection:
  385. make_url:
  386. scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
  387. username: keystone
  388. password: {get_param: AdminToken}
  389. host: {get_param: [EndpointMap, MysqlInternal, host]}
  390. path: /keystone
  391. query:
  392. if:
  393. - enable_sqlalchemy_collectd
  394. -
  395. read_default_file: /etc/my.cnf.d/tripleo.cnf
  396. read_default_group: tripleo
  397. plugin: collectd
  398. collectd_program_name: keystone
  399. collectd_host: localhost
  400. -
  401. read_default_file: /etc/my.cnf.d/tripleo.cnf
  402. read_default_group: tripleo
  403. keystone::token_expiration: {get_param: TokenExpiration}
  404. keystone::bootstrap::password: {get_param: AdminPassword}
  405. keystone::policy::policies: {get_param: KeystonePolicies}
  406. keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
  407. keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
  408. keystone::token_provider: {get_param: KeystoneTokenProvider}
  409. keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
  410. keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
  411. keystone::enable_proxy_headers_parsing: true
  412. keystone::enable_credential_setup: true
  413. keystone::credential_keys:
  414. '/etc/keystone/credential-keys/0':
  415. content: {get_param: KeystoneCredential0}
  416. '/etc/keystone/credential-keys/1':
  417. content: {get_param: KeystoneCredential1}
  418. keystone::fernet_keys: {get_param: KeystoneFernetKeys}
  419. keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
  420. keystone::logging::debug:
  421. if:
  422. - service_debug_unset
  423. - {get_param: Debug }
  424. - {get_param: KeystoneDebug }
  425. keystone::notification_driver: {get_param: NotificationDriver}
  426. keystone::notification_format: {get_param: KeystoneNotificationFormat}
  427. tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
  428. keystone::bootstrap::email: {get_params: AdminEmail}
  429. keystone::bootstrap::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  430. keystone::bootstrap::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  431. keystone::bootstrap::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  432. keystone::bootstrap::region: {get_param: KeystoneRegion}
  433. keystone::rabbit_heartbeat_timeout_threshold: 60
  434. keystone::bootstrap::service_project_name: 'service'
  435. keystone::bootstrap::project_name: 'admin'
  436. keystone::config::keystone_config:
  437. ec2/driver:
  438. value: 'keystone.contrib.ec2.backends.sql.Ec2'
  439. keystone::service_name: 'httpd'
  440. keystone::enable_ssl: {get_param: EnableInternalTLS}
  441. keystone::wsgi::apache::api_port:
  442. - 5000
  443. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  444. keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
  445. keystone::wsgi::apache::servername:
  446. str_replace:
  447. template:
  448. "%{hiera('fqdn_$NETWORK')}"
  449. params:
  450. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  451. keystone::wsgi::apache::servername_admin:
  452. str_replace:
  453. template:
  454. "%{hiera('fqdn_$NETWORK')}"
  455. params:
  456. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  457. keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
  458. # override via extraconfig:
  459. keystone::wsgi::apache::threads: 1
  460. keystone::db::database_db_max_retries: -1
  461. keystone::db::database_max_retries: -1
  462. keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  463. # NOTE: bind IP is found in hiera replacing the network name with the
  464. # local node IP for the given network; replacement examples
  465. # (eg. for internal_api):
  466. # internal_api -> IP
  467. # internal_api_uri -> [IP]
  468. # internal_api_subnet - > IP/CIDR
  469. # NOTE: this applies to all 2 bind IP settings below...
  470. keystone::wsgi::apache::bind_host:
  471. - str_replace:
  472. template:
  473. "%{hiera('$NETWORK')}"
  474. params:
  475. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  476. - str_replace:
  477. template:
  478. "%{hiera('$NETWORK')}"
  479. params:
  480. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  481. -
  482. if:
  483. - cache_enabled
  484. - keystone::cache_enabled: true
  485. keystone::cache_backend: 'dogpile.cache.memcached'
  486. - {}
  487. -
  488. if:
  489. - keystone_federation_enabled
  490. -
  491. keystone_federation_enabled: True
  492. keystone::federation::trusted_dashboards:
  493. get_param: KeystoneTrustedDashboards
  494. - {}
  495. -
  496. if:
  497. - keystone_openidc_enabled
  498. -
  499. map_merge:
  500. - keystone_openidc_enabled: True
  501. keystone::federation::openidc::methods:
  502. get_param: KeystoneAuthMethods
  503. keystone::federation::openidc::keystone_url:
  504. get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
  505. keystone::federation::openidc::idp_name:
  506. get_param: KeystoneOpenIdcIdpName
  507. keystone::federation::openidc::openidc_provider_metadata_url:
  508. get_param: KeystoneOpenIdcProviderMetadataUrl
  509. keystone::federation::openidc::openidc_client_id:
  510. get_param: KeystoneOpenIdcClientId
  511. keystone::federation::openidc::openidc_client_secret:
  512. get_param: KeystoneOpenIdcClientSecret
  513. keystone::federation::openidc::openidc_crypto_passphrase:
  514. get_param: KeystoneOpenIdcCryptoPassphrase
  515. keystone::federation::openidc::openidc_response_type:
  516. get_param: KeystoneOpenIdcResponseType
  517. keystone::federation::openidc::remote_id_attribute:
  518. get_param: KeystoneOpenIdcRemoteIdAttribute
  519. keystone::federation::openidc::openidc_enable_oauth:
  520. get_param: KeystoneOpenIdcEnableOAuth
  521. keystone::federation::openidc::openidc_introspection_endpoint:
  522. get_param: KeystoneOpenIdcIntrospectionEndpoint
  523. -
  524. if:
  525. - cache_enabled
  526. - keystone::federation::openidc::openidc_cache_type: 'memcache'
  527. - {}
  528. - {}
  529. -
  530. if:
  531. - keystone_ldap_domain_enabled
  532. -
  533. tripleo::profile::base::keystone::ldap_backend_enable: True
  534. keystone::using_domain_config: True
  535. tripleo::profile::base::keystone::ldap_backends_config:
  536. get_param: KeystoneLDAPBackendConfigs
  537. - {}
  538. -
  539. if:
  540. - change_password_upon_first_use_set
  541. - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
  542. - {}
  543. -
  544. if:
  545. - disable_user_account_days_inactive_set
  546. - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
  547. - {}
  548. -
  549. if:
  550. - lockout_duration_set
  551. - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
  552. - {}
  553. -
  554. if:
  555. - lockout_failure_attempts_set
  556. - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
  557. - {}
  558. -
  559. if:
  560. - minimum_password_age_set
  561. - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
  562. - {}
  563. -
  564. if:
  565. - password_expires_days_set
  566. - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
  567. - {}
  568. -
  569. if:
  570. - password_regex_set
  571. - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
  572. - {}
  573. -
  574. if:
  575. - password_regex_description_set
  576. - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
  577. - {}
  578. -
  579. if:
  580. - unique_last_password_count_set
  581. - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
  582. - {}
  583. - apache::default_vhost: false
  584. - get_attr: [KeystoneLogging, config_settings]
  585. service_config_settings:
  586. rsyslog:
  587. tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource}
  588. mysql:
  589. keystone::db::mysql::password: {get_param: AdminToken}
  590. keystone::db::mysql::user: keystone
  591. keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
  592. keystone::db::mysql::dbname: keystone
  593. keystone::db::mysql::allowed_hosts:
  594. - '%'
  595. - "%{hiera('mysql_bind_host')}"
  596. pacemaker:
  597. keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  598. keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  599. keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  600. keystone::endpoint::region: {get_param: KeystoneRegion}
  601. keystone::bootstrap::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  602. keystone::bootstrap::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  603. keystone::bootstrap::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  604. keystone::bootstrap::region: {get_param: KeystoneRegion}
  605. keystone::admin_password: {get_param: AdminPassword}
  606. keystone::bootstrap::password: {get_param: AdminPassword}
  607. horizon:
  608. if:
  609. - keystone_ldap_domain_enabled
  610. -
  611. horizon::keystone_multidomain_support: true
  612. horizon::keystone_default_domain: 'Default'
  613. - {}
  614. # BEGIN DOCKER SETTINGS
  615. puppet_config:
  616. config_volume: keystone
  617. puppet_tags: keystone_config,keystone_domain_config
  618. step_config:
  619. list_join:
  620. - "\n"
  621. - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
  622. - |
  623. include tripleo::profile::base::keystone
  624. - {get_attr: [MySQLClient, role_data, step_config]}
  625. config_image: &keystone_config_image {get_param: ContainerKeystoneConfigImage}
  626. kolla_config:
  627. /var/lib/kolla/config_files/keystone.json:
  628. command: /usr/sbin/httpd
  629. config_files:
  630. - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
  631. dest: "/etc/keystone/fernet-keys"
  632. merge: false
  633. preserve_properties: true
  634. - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
  635. dest: "/etc/httpd/conf.d"
  636. merge: false
  637. preserve_properties: true
  638. - source: "/var/lib/kolla/config_files/src/*"
  639. dest: "/"
  640. merge: true
  641. preserve_properties: true
  642. docker_config:
  643. # Kolla_bootstrap/db sync runs before permissions set by kolla_config
  644. step_2:
  645. get_attr: [KeystoneLogging, docker_config, step_2]
  646. step_3:
  647. keystone_db_sync:
  648. image: &keystone_image {get_param: ContainerKeystoneImage}
  649. net: host
  650. user: root
  651. privileged: false
  652. detach: false
  653. volumes: &keystone_volumes
  654. list_concat:
  655. - {get_attr: [ContainersCommon, volumes]}
  656. - {get_attr: [KeystoneLogging, volumes]}
  657. -
  658. - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
  659. - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
  660. - if:
  661. - internal_tls_enabled
  662. - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
  663. - []
  664. - if:
  665. - internal_tls_enabled
  666. - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
  667. - []
  668. environment:
  669. map_merge:
  670. - {get_attr: [KeystoneLogging, environment]}
  671. - KOLLA_BOOTSTRAP: true
  672. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  673. TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
  674. command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
  675. keystone:
  676. start_order: 2
  677. image: *keystone_image
  678. net: host
  679. privileged: false
  680. restart: always
  681. healthcheck:
  682. test: /openstack/healthcheck
  683. volumes: *keystone_volumes
  684. environment:
  685. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  686. keystone_bootstrap:
  687. start_order: 3
  688. action: exec
  689. user: root
  690. command:
  691. [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ]
  692. environment:
  693. KOLLA_BOOTSTRAP: true
  694. OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword}
  695. OS_BOOTSTRAP_USERNAME: 'admin'
  696. OS_BOOTSTRAP_PROJECT_NAME: 'admin'
  697. OS_BOOTSTRAP_ROLE_NAME: 'admin'
  698. OS_BOOTSTRAP_SERVICE_NAME: 'keystone'
  699. OS_BOOTSTRAP_ADMIN_URL: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  700. OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  701. OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  702. OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion}
  703. step_4:
  704. # There are cases where we need to refresh keystone after the resource provisioning,
  705. # such as the case of using LDAP backends for domains. So we trigger a graceful
  706. # restart [1], which shouldn't cause service disruption, but will reload new
  707. # configurations for keystone.
  708. # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
  709. keystone_refresh:
  710. start_order: 1
  711. action: exec
  712. user: root
  713. command:
  714. [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
  715. external_deploy_tasks:
  716. - name: Manage clouds.yaml files
  717. when:
  718. - step|int == 1
  719. - not ansible_check_mode|bool
  720. block:
  721. - name: Create /etc/openstack directory if it does not exist
  722. become: true
  723. file:
  724. mode: '0755'
  725. owner: root
  726. path: /etc/openstack
  727. state: directory
  728. - name: Configure /etc/openstack/clouds.yaml
  729. include_role:
  730. name: tripleo_keystone_resources
  731. tasks_from: clouds
  732. vars:
  733. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  734. tripleo_keystone_resources_cloud_config:
  735. auth:
  736. auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  737. password: {get_param: AdminPassword}
  738. project_domain_name: Default
  739. project_name: admin
  740. user_domain_name: Default
  741. username: admin
  742. cacert:
  743. if:
  744. - public_tls_enabled
  745. - {get_param: InternalTLSCAFile}
  746. - ''
  747. identity_api_version: '3'
  748. region_name: {get_param: KeystoneRegion}
  749. - name: Manage Keystone resources
  750. become: true
  751. when:
  752. - step|int == 4
  753. - not ansible_check_mode|bool
  754. block:
  755. - name: Manage Keystone resources for OpenStack services
  756. include_role:
  757. name: tripleo_keystone_resources
  758. vars:
  759. tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
  760. tripleo_keystone_resources_service_project: 'service'
  761. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  762. tripleo_keystone_resources_region: {get_param: KeystoneRegion}
  763. tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  764. tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  765. tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  766. tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
  767. tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
  768. - name: is Keystone LDAP enabled
  769. set_fact:
  770. keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
  771. - name: Set fact for tripleo_keystone_ldap_domains
  772. set_fact:
  773. tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
  774. when: keystone_ldap_domain_enabled|bool
  775. - name: Manage Keystone domains from LDAP config
  776. when: keystone_ldap_domain_enabled|bool
  777. include_role:
  778. name: tripleo_keystone_resources
  779. tasks_from: domains
  780. vars:
  781. tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
  782. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  783. batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
  784. deploy_steps_tasks:
  785. - name: validate keystone container state
  786. podman_container_info:
  787. name: keystone
  788. register: keystone_infos
  789. failed_when:
  790. - keystone_infos.containers.0.Healthcheck.Status is defined
  791. - "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
  792. retries: 10
  793. delay: 30
  794. tags:
  795. - opendev-validation
  796. - opendev-validation-keystone
  797. when:
  798. - container_cli == 'podman'
  799. - not container_healthcheck_disabled
  800. - step|int == 4
  801. container_puppet_tasks:
  802. # Keystone endpoint creation occurs only on single node
  803. step_3:
  804. config_volume: 'keystone_init_tasks'
  805. puppet_tags: 'keystone_config'
  806. step_config: 'include tripleo::profile::base::keystone'
  807. config_image: *keystone_config_image
  808. host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
  809. metadata_settings:
  810. get_attr: [ApacheServiceBase, role_data, metadata_settings]
  811. external_upgrade_tasks:
  812. - when:
  813. - step|int == 1
  814. tags:
  815. - never
  816. - system_upgrade_transfer_data
  817. - system_upgrade_stop_services
  818. block:
  819. - name: Stop keystone container
  820. import_role:
  821. name: tripleo_container_stop
  822. vars:
  823. tripleo_containers_to_stop:
  824. - keystone
  825. - keystone_cron
  826. tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"
  827. fast_forward_upgrade_tasks:
  828. - when:
  829. - step|int == 0
  830. - release == 'rocky'
  831. block:
  832. - name: Check for keystone running under apache
  833. tags: common
  834. shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
  835. failed_when: false
  836. register: keystone_httpd_enabled_result
  837. - name: Set fact keystone_httpd_enabled
  838. set_fact:
  839. keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
  840. - name: Check if httpd is running
  841. failed_when: false
  842. command: systemctl is-active --quiet httpd
  843. register: httpd_running_result
  844. when:
  845. - httpd_running is undefined
  846. - name: Set fact httpd_running if undefined
  847. set_fact:
  848. httpd_running: "{{ httpd_running_result.rc == 0 }}"
  849. when:
  850. - httpd_running is undefined
  851. - name: Stop and disable keystone (under httpd)
  852. service: name=httpd state=stopped enabled=no
  853. when:
  854. - step|int == 1
  855. - release == 'rocky'
  856. - keystone_httpd_enabled|bool
  857. - httpd_running|bool
  858. - name: Keystone package update
  859. package:
  860. name: 'openstack-keystone*'
  861. state: latest
  862. when:
  863. - step|int == 6
  864. - is_bootstrap_node|bool
  865. - name: keystone db sync
  866. command: keystone-manage db_sync
  867. when:
  868. - step|int == 8
  869. - is_bootstrap_node|bool