
# TripleO service template for containerized Keystone. Its single output,
# role_data, carries the hiera config settings, container definitions and
# Ansible tasks that the deployment consumes for this service.
heat_template_version: rocky
description: >
  OpenStack containerized Keystone service
  4. parameters:
  5. ContainerKeystoneImage:
  6. description: image
  7. type: string
  8. ContainerKeystoneConfigImage:
  9. description: The container image to use for the keystone config_volume
  10. type: string
  11. EndpointMap:
  12. default: {}
  13. description: Mapping of service endpoint -> protocol. Typically set
  14. via parameter_defaults in the resource registry.
  15. type: json
  16. ServiceData:
  17. default: {}
  18. description: Dictionary packing service data
  19. type: json
  20. ServiceNetMap:
  21. default: {}
  22. description: Mapping of service_name -> network name. Typically set
  23. via parameter_defaults in the resource registry. This
  24. mapping overrides those in ServiceNetMapDefaults.
  25. type: json
  26. DefaultPasswords:
  27. default: {}
  28. type: json
  29. RoleName:
  30. default: ''
  31. description: Role name on which the service is applied
  32. type: string
  33. RoleParameters:
  34. default: {}
  35. description: Parameters specific to the role
  36. type: json
  37. DeployIdentifier:
  38. default: ''
  39. type: string
  40. description: >
  41. Setting this to a unique value will re-run any deployment tasks which
  42. perform configuration on a Heat stack-update.
  43. AdminPassword:
  44. description: The password for the keystone admin account, used for monitoring, querying neutron etc.
  45. type: string
  46. hidden: true
  47. KeystoneTokenProvider:
  48. description: The keystone token format
  49. type: string
  50. default: 'fernet'
  51. constraints:
  52. - allowed_values: ['fernet']
  53. SSLCertificate:
  54. default: ''
  55. description: >
  56. The content of the SSL certificate (without Key) in PEM format.
  57. type: string
  58. PublicSSLCertificateAutogenerated:
  59. default: false
  60. description: >
  61. Whether the public SSL certificate was autogenerated or not.
  62. type: boolean
  63. EnablePublicTLS:
  64. default: true
  65. description: >
  66. Whether to enable TLS on the public interface or not.
  67. type: boolean
  68. PublicTLSCAFile:
  69. default: ''
  70. type: string
  71. description: Specifies the default CA cert to use if TLS is used for
  72. services in the public network.
  73. EnableInternalTLS:
  74. type: boolean
  75. default: false
  76. KeystoneSSLCertificate:
  77. default: ''
  78. description: Keystone certificate for verifying token validity.
  79. type: string
  80. KeystoneSSLCertificateKey:
  81. default: ''
  82. description: Keystone key for signing tokens.
  83. type: string
  84. hidden: true
  85. KeystoneNotificationFormat:
  86. description: The Keystone notification format
  87. default: 'basic'
  88. type: string
  89. constraints:
  90. - allowed_values: [ 'basic', 'cadf' ]
  91. KeystoneNotificationTopics:
  92. description: Keystone notification topics to enable
  93. default: []
  94. type: comma_delimited_list
  95. KeystoneRegion:
  96. type: string
  97. default: 'regionOne'
  98. description: Keystone region for endpoint
  99. Debug:
  100. type: boolean
  101. default: false
  102. description: Set to True to enable debugging on all services.
  103. KeystoneDebug:
  104. default: ''
  105. description: Set to True to enable debugging Keystone service.
  106. type: string
  107. constraints:
  108. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  109. EnableCache:
  110. description: Enable caching with memcached
  111. type: boolean
  112. default: true
  113. EnableSQLAlchemyCollectd:
  114. type: boolean
  115. description: >
  116. Set to true to enable the SQLAlchemy-collectd server plugin
  117. default: false
  118. AdminEmail:
  119. default: 'admin@example.com'
  120. description: The email for the keystone admin account.
  121. type: string
  122. hidden: true
  123. AdminToken:
  124. description: The keystone auth secret and db password.
  125. type: string
  126. hidden: true
  127. TokenExpiration:
  128. default: 3600
  129. description: Set a token expiration time in seconds.
  130. type: number
  131. KeystoneWorkers:
  132. type: string
  133. description: Set the number of workers for keystone::wsgi::apache
  134. default: '%{::os_workers_keystone}'
  135. MonitoringSubscriptionKeystone:
  136. default: 'overcloud-keystone'
  137. type: string
  138. KeystoneCredential0:
  139. type: string
  140. description: The first Keystone credential key. Must be a valid key.
  141. KeystoneCredential1:
  142. type: string
  143. description: The second Keystone credential key. Must be a valid key.
  144. KeystoneFernetKeys:
  145. type: json
  146. description: Mapping containing keystone's fernet keys and their paths.
  147. KeystoneFernetMaxActiveKeys:
  148. type: number
  149. description: The maximum active keys in the keystone fernet key repository.
  150. default: 5
  151. ManageKeystoneFernetKeys:
  152. type: boolean
  153. default: true
  154. description: Whether TripleO should manage the keystone fernet keys or not.
  155. If set to true, the fernet keys will get the values from the
  156. saved keys repository in mistral (the KeystoneFernetKeys
  157. variable). If set to false, only the stack creation
  158. initializes the keys, but subsequent updates won't touch them.
  159. KeystoneLoggingSource:
  160. type: json
  161. default:
  162. tag: openstack.keystone
  163. file: /var/log/containers/keystone/keystone.log
  164. KeystonePolicies:
  165. description: |
  166. A hash of policies to configure for Keystone.
  167. e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
  168. default: {}
  169. type: json
  170. KeystoneLDAPDomainEnable:
  171. description: Trigger to call ldap_backend puppet keystone define.
  172. type: boolean
  173. default: False
  174. KeystoneLDAPBackendConfigs:
  175. description: Hash containing the configurations for the LDAP backends
  176. configured in keystone.
  177. type: json
  178. default: {}
  179. hidden: true
  180. NotificationDriver:
  181. type: string
  182. default: 'messagingv2'
  183. description: Driver or drivers to handle sending notifications.
  184. KeystoneChangePasswordUponFirstUse:
  185. type: string
  186. default: ''
  187. description: >-
  188. Enabling this option requires users to change their password when the
  189. user is created, or upon administrative reset.
  190. constraints:
  191. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  192. KeystoneDisableUserAccountDaysInactive:
  193. type: string
  194. default: ''
  195. description: >-
  196. The maximum number of days a user can go without authenticating before
  197. being considered "inactive" and automatically disabled (locked).
  198. KeystoneLockoutDuration:
  199. type: string
  200. default: ''
  201. description: >-
  202. The number of seconds a user account will be locked when the maximum
  203. number of failed authentication attempts (as specified by
  204. KeystoneLockoutFailureAttempts) is exceeded.
  205. KeystoneLockoutFailureAttempts:
  206. type: string
  207. default: ''
  208. description: >-
  209. The maximum number of times that a user can fail to authenticate before
  210. the user account is locked for the number of seconds specified by
  211. KeystoneLockoutDuration.
  212. KeystoneMinimumPasswordAge:
  213. type: string
  214. default: ''
  215. description: >-
  216. The number of days that a password must be used before the user can
  217. change it. This prevents users from changing their passwords immediately
  218. in order to wipe out their password history and reuse an old password.
  219. KeystonePasswordExpiresDays:
  220. type: string
  221. default: ''
  222. description: >-
  223. The number of days for which a password will be considered valid before
  224. requiring it to be changed.
  225. KeystonePasswordRegex:
  226. type: string
  227. default: ''
  228. description: >-
  229. The regular expression used to validate password strength requirements.
  230. KeystonePasswordRegexDescription:
  231. type: string
  232. default: ''
  233. description: >-
  234. Describe your password regular expression here in language for humans.
  235. KeystoneUniqueLastPasswordCount:
  236. type: string
  237. default: ''
  238. description: >-
  239. This controls the number of previous user password iterations to keep in
  240. history, in order to enforce that newly created passwords are unique.
  241. KeystoneCorsAllowedOrigin:
  242. type: string
  243. default: ''
  244. description: Indicate whether this resource may be shared with the domain received in the request
  245. "origin" header.
  246. KeystoneEnableMember:
  247. description: Create the _member_ role, useful for undercloud deployment.
  248. type: boolean
  249. default: False
  250. KeystoneFederationEnable:
  251. type: boolean
  252. default: false
  253. description: Enable support for federated authentication.
  254. KeystoneTrustedDashboards:
  255. type: comma_delimited_list
  256. default: []
  257. description: A list of dashboard URLs trusted for single sign-on.
  258. KeystoneAuthMethods:
  259. type: comma_delimited_list
  260. default: []
  261. description: >-
  262. A list of methods used for authentication.
  263. KeystoneOpenIdcEnable:
  264. type: boolean
  265. default: false
  266. description: Enable support for OpenIDC federation.
  267. KeystoneOpenIdcIdpName:
  268. type: string
  269. default: ''
  270. description: The name associated with the IdP in Keystone.
  271. KeystoneOpenIdcProviderMetadataUrl:
  272. type: string
  273. default: ''
  274. description: The url that points to your OpenID Connect provider metadata
  275. KeystoneOpenIdcClientId:
  276. type: string
  277. default: ''
  278. description: >-
  279. The client ID to use when handshaking with your OpenID Connect provider
  280. KeystoneOpenIdcClientSecret:
  281. type: string
  282. default: ''
  283. description: >-
  284. The client secret to use when handshaking with your OpenID
  285. Connect provider
  286. KeystoneOpenIdcCryptoPassphrase:
  287. type: string
  288. default: 'openstack'
  289. description: >-
  290. Passphrase to use when encrypting data for OpenID Connect handshake.
  291. KeystoneOpenIdcResponseType:
  292. type: string
  293. default: 'id_token'
  294. description: Response type to be expected from the OpenID Connect provider.
  295. KeystoneOpenIdcRemoteIdAttribute:
  296. type: string
  297. default: 'HTTP_OIDC_ISS'
  298. description: >-
  299. Attribute to be used to obtain the entity ID of the Identity Provider
  300. from the environment.
  301. KeystoneOpenIdcEnableOAuth:
  302. type: boolean
  303. default: false
  304. description: >-
  305. Enable OAuth 2.0 integration.
  306. KeystoneOpenIdcIntrospectionEndpoint:
  307. type: string
  308. default: ''
  309. description: >-
  310. OAuth 2.0 introspection endpoint for mod_auth_openidc
  311. RootStackName:
  312. description: The name of the stack/plan.
  313. type: string
resources:
  # Shared container volume list (get_attr: [ContainersCommon, volumes]).
  ContainersCommon:
    type: ../containers-common.yaml
  # Contributes its step_config to puppet_config.step_config in outputs.
  MySQLClient:
    type: ../database/mysql-client.yaml
  # Apache base profile; its role_data config_settings and metadata_settings
  # are merged into this service's role_data.
  ApacheServiceBase:
    type: ../../deployment/apache/apache-baremetal-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}
  # Resolved through the resource registry; supplies config_settings,
  # docker_config step_2, volumes, environment and host_prep_tasks.
  KeystoneLogging:
    type: OS::TripleO::Services::Logging::Keystone
  331. conditions:
  332. public_tls_enabled:
  333. and:
  334. - {get_param: EnablePublicTLS}
  335. - or:
  336. - not:
  337. equals:
  338. - {get_param: SSLCertificate}
  339. - ""
  340. - equals:
  341. - {get_param: PublicSSLCertificateAutogenerated}
  342. - true
  343. internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  344. keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  345. keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
  346. keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
  347. keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
  348. service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
  349. cache_enabled: {equals: [{get_param: EnableCache}, true]}
  350. enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
  351. # Security compliance
  352. change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
  353. disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
  354. lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
  355. lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
  356. minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
  357. password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
  358. password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
  359. password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
  360. unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
  361. cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
  362. outputs:
  363. role_data:
  364. description: Role data for the Keystone API role.
  365. value:
  366. service_name: keystone
  367. firewall_rules:
  368. '111 keystone':
  369. dport:
  370. - 5000
  371. - 13000
  372. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  373. monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
  374. config_settings:
  375. map_merge:
  376. - get_attr: [ApacheServiceBase, role_data, config_settings]
  377. -
  378. if:
  379. - cors_allowed_origin_unset
  380. - {}
  381. - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
  382. - keystone_enable_member: {get_param: KeystoneEnableMember}
  383. - keystone_resources_managed: false
  384. - keystone::database_connection:
  385. make_url:
  386. scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
  387. username: keystone
  388. password: {get_param: AdminToken}
  389. host: {get_param: [EndpointMap, MysqlInternal, host]}
  390. path: /keystone
  391. query:
  392. if:
  393. - enable_sqlalchemy_collectd
  394. -
  395. read_default_file: /etc/my.cnf.d/tripleo.cnf
  396. read_default_group: tripleo
  397. plugin: collectd
  398. collectd_program_name: keystone
  399. collectd_host: localhost
  400. -
  401. read_default_file: /etc/my.cnf.d/tripleo.cnf
  402. read_default_group: tripleo
  403. keystone::token_expiration: {get_param: TokenExpiration}
  404. keystone::policy::policies: {get_param: KeystonePolicies}
  405. keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
  406. keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
  407. keystone::token_provider: {get_param: KeystoneTokenProvider}
  408. keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
  409. keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
  410. keystone::enable_proxy_headers_parsing: true
  411. keystone::enable_credential_setup: true
  412. keystone::credential_keys:
  413. '/etc/keystone/credential-keys/0':
  414. content: {get_param: KeystoneCredential0}
  415. '/etc/keystone/credential-keys/1':
  416. content: {get_param: KeystoneCredential1}
  417. keystone::fernet_keys: {get_param: KeystoneFernetKeys}
  418. keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
  419. keystone::logging::debug:
  420. if:
  421. - service_debug_unset
  422. - {get_param: Debug }
  423. - {get_param: KeystoneDebug }
  424. keystone::notification_driver: {get_param: NotificationDriver}
  425. keystone::notification_format: {get_param: KeystoneNotificationFormat}
  426. tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
  427. keystone::rabbit_heartbeat_timeout_threshold: 60
  428. keystone::config::keystone_config:
  429. ec2/driver:
  430. value: 'keystone.contrib.ec2.backends.sql.Ec2'
  431. keystone::service_name: 'httpd'
  432. keystone::enable_ssl: {get_param: EnableInternalTLS}
  433. keystone::wsgi::apache::api_port:
  434. - 5000
  435. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  436. keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
  437. keystone::wsgi::apache::servername:
  438. str_replace:
  439. template:
  440. "%{hiera('fqdn_$NETWORK')}"
  441. params:
  442. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  443. keystone::wsgi::apache::servername_admin:
  444. str_replace:
  445. template:
  446. "%{hiera('fqdn_$NETWORK')}"
  447. params:
  448. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  449. keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
  450. # override via extraconfig:
  451. keystone::wsgi::apache::threads: 1
  452. keystone::db::database_db_max_retries: -1
  453. keystone::db::database_max_retries: -1
  454. # NOTE: bind IP is found in hiera replacing the network name with the
  455. # local node IP for the given network; replacement examples
  456. # (eg. for internal_api):
  457. # internal_api -> IP
  458. # internal_api_uri -> [IP]
  459. # internal_api_subnet - > IP/CIDR
  460. # NOTE: this applies to all 2 bind IP settings below...
  461. keystone::wsgi::apache::bind_host:
  462. - str_replace:
  463. template:
  464. "%{hiera('$NETWORK')}"
  465. params:
  466. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  467. - str_replace:
  468. template:
  469. "%{hiera('$NETWORK')}"
  470. params:
  471. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  472. -
  473. if:
  474. - cache_enabled
  475. - keystone::cache::enabled: true
  476. keystone::cache::backend: 'dogpile.cache.memcached'
  477. - {}
  478. -
  479. if:
  480. - keystone_federation_enabled
  481. -
  482. keystone_federation_enabled: True
  483. keystone::federation::trusted_dashboards:
  484. get_param: KeystoneTrustedDashboards
  485. - {}
  486. -
  487. if:
  488. - keystone_openidc_enabled
  489. -
  490. map_merge:
  491. - keystone_openidc_enabled: True
  492. keystone::federation::openidc::methods:
  493. get_param: KeystoneAuthMethods
  494. keystone::federation::openidc::keystone_url:
  495. get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
  496. keystone::federation::openidc::idp_name:
  497. get_param: KeystoneOpenIdcIdpName
  498. keystone::federation::openidc::openidc_provider_metadata_url:
  499. get_param: KeystoneOpenIdcProviderMetadataUrl
  500. keystone::federation::openidc::openidc_client_id:
  501. get_param: KeystoneOpenIdcClientId
  502. keystone::federation::openidc::openidc_client_secret:
  503. get_param: KeystoneOpenIdcClientSecret
  504. keystone::federation::openidc::openidc_crypto_passphrase:
  505. get_param: KeystoneOpenIdcCryptoPassphrase
  506. keystone::federation::openidc::openidc_response_type:
  507. get_param: KeystoneOpenIdcResponseType
  508. keystone::federation::openidc::remote_id_attribute:
  509. get_param: KeystoneOpenIdcRemoteIdAttribute
  510. keystone::federation::openidc::openidc_enable_oauth:
  511. get_param: KeystoneOpenIdcEnableOAuth
  512. keystone::federation::openidc::openidc_introspection_endpoint:
  513. get_param: KeystoneOpenIdcIntrospectionEndpoint
  514. -
  515. if:
  516. - cache_enabled
  517. - keystone::federation::openidc::openidc_cache_type: 'memcache'
  518. - {}
  519. - {}
  520. -
  521. if:
  522. - keystone_ldap_domain_enabled
  523. -
  524. tripleo::profile::base::keystone::ldap_backend_enable: True
  525. keystone::using_domain_config: True
  526. tripleo::profile::base::keystone::ldap_backends_config:
  527. get_param: KeystoneLDAPBackendConfigs
  528. - {}
  529. -
  530. if:
  531. - change_password_upon_first_use_set
  532. - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
  533. - {}
  534. -
  535. if:
  536. - disable_user_account_days_inactive_set
  537. - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
  538. - {}
  539. -
  540. if:
  541. - lockout_duration_set
  542. - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
  543. - {}
  544. -
  545. if:
  546. - lockout_failure_attempts_set
  547. - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
  548. - {}
  549. -
  550. if:
  551. - minimum_password_age_set
  552. - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
  553. - {}
  554. -
  555. if:
  556. - password_expires_days_set
  557. - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
  558. - {}
  559. -
  560. if:
  561. - password_regex_set
  562. - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
  563. - {}
  564. -
  565. if:
  566. - password_regex_description_set
  567. - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
  568. - {}
  569. -
  570. if:
  571. - unique_last_password_count_set
  572. - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
  573. - {}
  574. - apache::default_vhost: false
  575. - get_attr: [KeystoneLogging, config_settings]
  576. service_config_settings:
  577. rsyslog:
  578. tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource}
  579. mysql:
  580. keystone::db::mysql::password: {get_param: AdminToken}
  581. keystone::db::mysql::user: keystone
  582. keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
  583. keystone::db::mysql::dbname: keystone
  584. keystone::db::mysql::allowed_hosts:
  585. - '%'
  586. - "%{hiera('mysql_bind_host')}"
  587. pacemaker:
  588. keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  589. keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  590. keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  591. keystone::endpoint::region: {get_param: KeystoneRegion}
  592. keystone::admin_password: {get_param: AdminPassword}
  593. horizon:
  594. if:
  595. - keystone_ldap_domain_enabled
  596. -
  597. horizon::keystone_multidomain_support: true
  598. horizon::keystone_default_domain: 'Default'
  599. - {}
  600. # BEGIN DOCKER SETTINGS
  601. puppet_config:
  602. config_volume: keystone
  603. puppet_tags: keystone_config,keystone_domain_config
  604. step_config:
  605. list_join:
  606. - "\n"
  607. - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
  608. - |
  609. include tripleo::profile::base::keystone
  610. - {get_attr: [MySQLClient, role_data, step_config]}
  611. config_image: &keystone_config_image {get_param: ContainerKeystoneConfigImage}
  612. kolla_config:
  613. /var/lib/kolla/config_files/keystone.json:
  614. command: /usr/sbin/httpd
  615. config_files:
  616. - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
  617. dest: "/etc/keystone/fernet-keys"
  618. merge: false
  619. preserve_properties: true
  620. - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
  621. dest: "/etc/httpd/conf.d"
  622. merge: false
  623. preserve_properties: true
  624. - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
  625. dest: "/etc/httpd/conf.modules.d"
  626. # TODO(emilien) remove optional flag once we get a promotion
  627. # https://launchpad.net/bugs/1884115
  628. optional: true
  629. merge: false
  630. preserve_properties: true
  631. - source: "/var/lib/kolla/config_files/src/*"
  632. dest: "/"
  633. merge: true
  634. preserve_properties: true
  635. docker_config:
  636. # Kolla_bootstrap/db sync runs before permissions set by kolla_config
  637. step_2:
  638. get_attr: [KeystoneLogging, docker_config, step_2]
  639. step_3:
  640. keystone_db_sync:
  641. image: &keystone_image {get_param: ContainerKeystoneImage}
  642. net: host
  643. user: root
  644. privileged: false
  645. detach: false
  646. volumes: &keystone_volumes
  647. list_concat:
  648. - {get_attr: [ContainersCommon, volumes]}
  649. - {get_attr: [KeystoneLogging, volumes]}
  650. -
  651. - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
  652. - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
  653. - if:
  654. - internal_tls_enabled
  655. - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
  656. - []
  657. - if:
  658. - internal_tls_enabled
  659. - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
  660. - []
  661. environment:
  662. map_merge:
  663. - {get_attr: [KeystoneLogging, environment]}
  664. - KOLLA_BOOTSTRAP: true
  665. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  666. TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
  667. command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
  668. keystone:
  669. start_order: 2
  670. image: *keystone_image
  671. net: host
  672. privileged: false
  673. restart: always
  674. healthcheck:
  675. test: /openstack/healthcheck
  676. volumes: *keystone_volumes
  677. environment:
  678. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  679. keystone_bootstrap:
  680. start_order: 3
  681. action: exec
  682. user: root
  683. command:
  684. [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ]
  685. environment:
  686. KOLLA_BOOTSTRAP: true
  687. OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword}
  688. OS_BOOTSTRAP_USERNAME: 'admin'
  689. OS_BOOTSTRAP_PROJECT_NAME: 'admin'
  690. OS_BOOTSTRAP_ROLE_NAME: 'admin'
  691. OS_BOOTSTRAP_SERVICE_NAME: 'keystone'
  692. OS_BOOTSTRAP_ADMIN_URL: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  693. OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  694. OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  695. OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion}
  696. step_4:
  697. # There are cases where we need to refresh keystone after the resource provisioning,
  698. # such as the case of using LDAP backends for domains. So we trigger a graceful
  699. # restart [1], which shouldn't cause service disruption, but will reload new
  700. # configurations for keystone.
  701. # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
  702. keystone_refresh:
  703. start_order: 1
  704. action: exec
  705. user: root
  706. command:
  707. [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
  708. external_deploy_tasks:
  709. - name: Manage clouds.yaml files
  710. when:
  711. - step|int == 1
  712. - not ansible_check_mode|bool
  713. block:
  714. - name: Create /etc/openstack directory if it does not exist
  715. become: true
  716. file:
  717. mode: '0755'
  718. owner: root
  719. path: /etc/openstack
  720. state: directory
  721. - name: Configure /etc/openstack/clouds.yaml
  722. include_role:
  723. name: tripleo_keystone_resources
  724. tasks_from: clouds
  725. vars:
  726. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  727. tripleo_keystone_resources_cloud_config:
  728. auth:
  729. auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  730. password: {get_param: AdminPassword}
  731. project_domain_name: Default
  732. project_name: admin
  733. user_domain_name: Default
  734. username: admin
  735. cacert:
  736. if:
  737. - public_tls_enabled
  738. - {get_param: PublicTLSCAFile}
  739. - ''
  740. identity_api_version: '3'
  741. region_name: {get_param: KeystoneRegion}
  742. - name: Manage Keystone resources
  743. become: true
  744. when:
  745. - step|int == 4
  746. - not ansible_check_mode|bool
  747. block:
  748. - name: Manage Keystone resources for OpenStack services
  749. include_role:
  750. name: tripleo_keystone_resources
  751. vars:
  752. tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
  753. tripleo_keystone_resources_service_project: 'service'
  754. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  755. tripleo_keystone_resources_region: {get_param: KeystoneRegion}
  756. tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  757. tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  758. tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  759. tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
  760. tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
  761. - name: is Keystone LDAP enabled
  762. set_fact:
  763. keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
  764. - name: Set fact for tripleo_keystone_ldap_domains
  765. set_fact:
  766. tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
  767. when: keystone_ldap_domain_enabled|bool
  768. - name: Manage Keystone domains from LDAP config
  769. when: keystone_ldap_domain_enabled|bool
  770. include_role:
  771. name: tripleo_keystone_resources
  772. tasks_from: domains
  773. vars:
  774. tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
  775. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  776. batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
  777. deploy_steps_tasks:
  778. - name: validate keystone container state
  779. podman_container_info:
  780. name: keystone
  781. register: keystone_infos
  782. failed_when:
  783. - keystone_infos.containers.0.Healthcheck.Status is defined
  784. - "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
  785. retries: 10
  786. delay: 30
  787. tags:
  788. - opendev-validation
  789. - opendev-validation-keystone
  790. when:
  791. - container_cli == 'podman'
  792. - not container_healthcheck_disabled
  793. - step|int == 4
  794. container_puppet_tasks:
  795. # Keystone endpoint creation occurs only on single node
  796. step_3:
  797. config_volume: 'keystone_init_tasks'
  798. puppet_tags: 'keystone_config'
  799. step_config: 'include tripleo::profile::base::keystone'
  800. config_image: *keystone_config_image
  801. host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
  802. metadata_settings:
  803. get_attr: [ApacheServiceBase, role_data, metadata_settings]
  804. external_upgrade_tasks:
  805. - when:
  806. - step|int == 1
  807. tags:
  808. - never
  809. - system_upgrade_transfer_data
  810. - system_upgrade_stop_services
  811. block:
  812. - name: Stop keystone container
  813. import_role:
  814. name: tripleo_container_stop
  815. vars:
  816. tripleo_containers_to_stop:
  817. - keystone
  818. - keystone_cron
  819. tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"