
# Heat service template for the containerized Keystone (identity) service.
# Parameters, resources and conditions below all feed the single
# `role_data` output consumed by the TripleO deployment framework.
heat_template_version: rocky

description: >
  OpenStack containerized Keystone service
  4. parameters:
  5. ContainerKeystoneImage:
  6. description: image
  7. type: string
  8. ContainerKeystoneConfigImage:
  9. description: The container image to use for the keystone config_volume
  10. type: string
  11. EndpointMap:
  12. default: {}
  13. description: Mapping of service endpoint -> protocol. Typically set
  14. via parameter_defaults in the resource registry.
  15. type: json
  16. ServiceData:
  17. default: {}
  18. description: Dictionary packing service data
  19. type: json
  20. ServiceNetMap:
  21. default: {}
  22. description: Mapping of service_name -> network name. Typically set
  23. via parameter_defaults in the resource registry. This
  24. mapping overrides those in ServiceNetMapDefaults.
  25. type: json
  26. DefaultPasswords:
  27. default: {}
  28. type: json
  29. RoleName:
  30. default: ''
  31. description: Role name on which the service is applied
  32. type: string
  33. RoleParameters:
  34. default: {}
  35. description: Parameters specific to the role
  36. type: json
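  # AdminPassword is also written into /etc/openstack/clouds.yaml by
  # external_deploy_tasks and handed to keystone-manage bootstrap via the
  # OS_BOOTSTRAP_PASSWORD environment variable (see docker_config).
  AdminPassword:
    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
    type: string
    hidden: true
  KeystoneTokenProvider:
    description: The keystone token format
    type: string
    default: 'fernet'
    constraints:
      - allowed_values: ['fernet']
  # When true, keystone::enable_ssl / keystone::wsgi::apache::ssl are set and
  # the httpd cert and key directories are bind-mounted into the containers.
  EnableInternalTLS:
    type: boolean
    default: false
  KeystoneSSLCertificate:
    default: ''
    description: Keystone certificate for verifying token validity.
    type: string
  KeystoneSSLCertificateKey:
    default: ''
    description: Keystone key for signing tokens.
    type: string
    hidden: true
  KeystoneNotificationFormat:
    description: The Keystone notification format
    default: 'basic'
    type: string
    constraints:
      - allowed_values: ['basic', 'cadf']
  KeystoneNotificationTopics:
    description: Keystone notification topics to enable
    default: []
    type: comma_delimited_list
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  Debug:
    type: boolean
    default: false
    description: Set to True to enable debugging on all services.
  # An empty string means "follow the global Debug parameter"
  # (see the service_debug_unset condition).
  KeystoneDebug:
    default: ''
    description: Set to True to enable debugging Keystone service.
    type: string
    constraints:
      - allowed_values: ['', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  EnableSQLAlchemyCollectd:
    type: boolean
    description: >
      Set to true to enable the SQLAlchemy-collectd server plugin
    default: false
  AdminEmail:
    default: 'admin@example.com'
    description: The email for the keystone admin account.
    type: string
    hidden: true
  # One secret serves two purposes: it becomes keystone::admin_token and it is
  # the password of the `keystone` database user (keystone::database_connection
  # and keystone::db::mysql::password below).
  AdminToken:
    description: The keystone auth secret and db password.
    type: string
    hidden: true
  TokenExpiration:
    default: 3600
    description: Set a token expiration time in seconds.
    type: number
  KeystoneWorkers:
    type: string
    description: Set the number of workers for keystone::wsgi::apache
    default: '%{::os_workers}'
  MonitoringSubscriptionKeystone:
    default: 'overcloud-keystone'
    type: string
  # The credential and fernet key material below is written verbatim into
  # /etc/keystone/credential-keys and the fernet key repository; it is marked
  # hidden so Heat masks it in stack parameter listings, as it already does
  # for AdminToken and KeystoneSSLCertificateKey.
  KeystoneCredential0:
    type: string
    description: The first Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneCredential1:
    type: string
    description: The second Keystone credential key. Must be a valid key.
    hidden: true
  KeystoneFernetKeys:
    type: json
    description: Mapping containing keystone's fernet keys and their paths.
    hidden: true
  KeystoneFernetMaxActiveKeys:
    type: number
    description: The maximum active keys in the keystone fernet key repository.
    default: 5
  ManageKeystoneFernetKeys:
    type: boolean
    default: true
    description: >-
      Whether TripleO should manage the keystone fernet keys or not.
      If set to true, the fernet keys will get the values from the
      saved keys repository in mistral (the KeystoneFernetKeys
      variable). If set to false, only the stack creation
      initializes the keys, but subsequent updates won't touch them.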
  KeystoneLoggingSource:
    type: json
    default:
      tag: openstack.keystone
      file: /var/log/containers/keystone/keystone.log
  KeystonePolicies:
    type: json
    default: {}
    description: |
      A hash of policies to configure for Keystone.
      e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
  # Gates the keystone_ldap_domain_enabled condition; the LDAP backend
  # configuration itself lives in KeystoneLDAPBackendConfigs.
  KeystoneLDAPDomainEnable:
    type: boolean
    default: false
    description: Trigger to call ldap_backend puppet keystone define.
  KeystoneLDAPBackendConfigs:
    type: json
    default: {}
    hidden: true
    description: >-
      Hash containing the configurations for the LDAP backends
      configured in keystone.
  NotificationDriver:
    type: string
    default: 'messagingv2'
    description: Driver or drivers to handle sending notifications.
  # Security-compliance settings. Each one is a string whose empty default
  # means "not set": the matching *_set condition then keeps the
  # keystone::security_compliance::* key out of hiera entirely.
  KeystoneChangePasswordUponFirstUse:
    type: string
    default: ''
    description: >-
      Enabling this option requires users to change their password when the
      user is created, or upon administrative reset.
    constraints:
      - allowed_values: ['', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  KeystoneDisableUserAccountDaysInactive:
    type: string
    default: ''
    description: >-
      The maximum number of days a user can go without authenticating before
      being considered "inactive" and automatically disabled (locked).
  KeystoneLockoutDuration:
    type: string
    default: ''
    description: >-
      The number of seconds a user account will be locked when the maximum
      number of failed authentication attempts (as specified by
      KeystoneLockoutFailureAttempts) is exceeded.
  KeystoneLockoutFailureAttempts:
    type: string
    default: ''
    description: >-
      The maximum number of times that a user can fail to authenticate before
      the user account is locked for the number of seconds specified by
      KeystoneLockoutDuration.
  KeystoneMinimumPasswordAge:
    type: string
    default: ''
    description: >-
      The number of days that a password must be used before the user can
      change it. This prevents users from changing their passwords immediately
      in order to wipe out their password history and reuse an old password.
  KeystonePasswordExpiresDays:
    type: string
    default: ''
    description: >-
      The number of days for which a password will be considered valid before
      requiring it to be changed.
  KeystonePasswordRegex:
    type: string
    default: ''
    description: >-
      The regular expression used to validate password strength requirements.
  KeystonePasswordRegexDescription:
    type: string
    default: ''
    description: >-
      Describe your password regular expression here in language for humans.
  KeystoneUniqueLastPasswordCount:
    type: string
    default: ''
    description: >-
      This controls the number of previous user password iterations to keep in
      history, in order to enforce that newly created passwords are unique.
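  # Only emitted into hiera when non-empty (cors_allowed_origin_unset).
  KeystoneCorsAllowedOrigin:
    type: string
    default: ''
    description: >-
      Indicate whether this resource may be shared with the domain received in the request
      "origin" header.
  KeystoneEnableMember:
    description: Create the _member_ role, useful for undercloud deployment.
    type: boolean
    default: false
  KeystoneFederationEnable:
    type: boolean
    default: false
    description: Enable support for federated authentication.
  KeystoneTrustedDashboards:
    type: comma_delimited_list
    default: []
    description: A list of dashboard URLs trusted for single sign-on.
  KeystoneAuthMethods:
    type: comma_delimited_list
    default: []
    description: >-
      A list of methods used for authentication.
  # OpenID Connect settings. They are only written to hiera when
  # KeystoneOpenIdcEnable is true (keystone_openidc_enabled condition).
  KeystoneOpenIdcEnable:
    type: boolean
    default: false
    description: Enable support for OpenIDC federation.
  KeystoneOpenIdcIdpName:
    type: string
    default: ''
    description: The name associated with the IdP in Keystone.
  KeystoneOpenIdcProviderMetadataUrl:
    type: string
    default: ''
    description: The url that points to your OpenID Connect provider metadata
  KeystoneOpenIdcClientId:
    type: string
    default: ''
    description: >-
      The client ID to use when handshaking with your OpenID Connect provider
  # Secret material: hidden so it is masked in stack parameter listings,
  # consistent with AdminToken and KeystoneLDAPBackendConfigs.
  KeystoneOpenIdcClientSecret:
    type: string
    default: ''
    hidden: true
    description: >-
      The client secret to use when handshaking with your OpenID
      Connect provider
  # The default passphrase is the literal string shipped in this template, so
  # it is public knowledge; deployments that enable OpenIDC should supply
  # their own value via parameter_defaults.
  KeystoneOpenIdcCryptoPassphrase:
    type: string
    default: 'openstack'
    hidden: true
    description: >-
      Passphrase to use when encrypting data for OpenID Connect handshake.
  KeystoneOpenIdcResponseType:
    type: string
    default: 'id_token'
    description: Response type to be expected from the OpenID Connect provider.
  KeystoneOpenIdcRemoteIdAttribute:
    type: string
    default: 'HTTP_OIDC_ISS'
    description: >-
      Attribute to be used to obtain the entity ID of the Identity Provider
      from the environment.
  KeystoneOpenIdcEnableOAuth:
    type: boolean
    default: false
    description: >-
      Enable OAuth 2.0 integration.
  KeystoneOpenIdcIntrospectionEndpoint:
    type: string
    default: ''
    description: >-
      OAuth 2.0 introspection endpoint for mod_auth_openidc
  # Used as the cloud name in /etc/openstack/clouds.yaml (external_deploy_tasks).
  RootStackName:
    description: The name of the stack/plan.
    type: string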
  284. resources:
  285. ContainersCommon:
  286. type: ../containers-common.yaml
  287. MySQLClient:
  288. type: ../database/mysql-client.yaml
  289. ApacheServiceBase:
  290. type: ../../deployment/apache/apache-baremetal-puppet.yaml
  291. properties:
  292. ServiceData: {get_param: ServiceData}
  293. ServiceNetMap: {get_param: ServiceNetMap}
  294. DefaultPasswords: {get_param: DefaultPasswords}
  295. EndpointMap: {get_param: EndpointMap}
  296. RoleName: {get_param: RoleName}
  297. RoleParameters: {get_param: RoleParameters}
  298. EnableInternalTLS: {get_param: EnableInternalTLS}
  299. KeystoneLogging:
  300. type: OS::TripleO::Services::Logging::Keystone
  301. conditions:
  302. internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  303. keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  304. keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
  305. keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
  306. keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
  307. service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
  308. enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
  309. # Security compliance
  310. change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
  311. disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
  312. lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
  313. lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
  314. minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
  315. password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
  316. password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
  317. password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
  318. unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
  319. cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
  320. outputs:
  321. role_data:
  322. description: Role data for the Keystone API role.
  323. value:
  324. service_name: keystone
  325. firewall_rules:
  326. '111 keystone':
  327. dport:
  328. - 5000
  329. - 13000
  330. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  331. monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
  332. config_settings:
  333. map_merge:
  334. - get_attr: [ApacheServiceBase, role_data, config_settings]
  335. -
  336. if:
  337. - cors_allowed_origin_unset
  338. - {}
  339. - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
  340. - keystone_enable_member: {get_param: KeystoneEnableMember}
  341. - keystone_resources_managed: false
  342. - keystone::database_connection:
  343. make_url:
  344. scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
  345. username: keystone
  346. password: {get_param: AdminToken}
  347. host: {get_param: [EndpointMap, MysqlInternal, host]}
  348. path: /keystone
  349. query:
  350. if:
  351. - enable_sqlalchemy_collectd
  352. -
  353. read_default_file: /etc/my.cnf.d/tripleo.cnf
  354. read_default_group: tripleo
  355. plugin: collectd
  356. collectd_program_name: keystone
  357. collectd_host: localhost
  358. -
  359. read_default_file: /etc/my.cnf.d/tripleo.cnf
  360. read_default_group: tripleo
  361. keystone::token_expiration: {get_param: TokenExpiration}
  362. keystone::admin_token: {get_param: AdminToken}
  363. keystone::admin_password: {get_param: AdminPassword}
  364. keystone::roles::admin::password: {get_param: AdminPassword}
  365. keystone::bootstrap::password: {get_param: AdminPassword}
  366. keystone::policy::policies: {get_param: KeystonePolicies}
  367. keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
  368. keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
  369. keystone::token_provider: {get_param: KeystoneTokenProvider}
  370. keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
  371. keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
  372. keystone::enable_proxy_headers_parsing: true
  373. keystone::enable_credential_setup: true
  374. keystone::credential_keys:
  375. '/etc/keystone/credential-keys/0':
  376. content: {get_param: KeystoneCredential0}
  377. '/etc/keystone/credential-keys/1':
  378. content: {get_param: KeystoneCredential1}
  379. keystone::fernet_keys: {get_param: KeystoneFernetKeys}
  380. keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
  381. keystone::logging::debug:
  382. if:
  383. - service_debug_unset
  384. - {get_param: Debug }
  385. - {get_param: KeystoneDebug }
  386. keystone::notification_driver: {get_param: NotificationDriver}
  387. keystone::notification_format: {get_param: KeystoneNotificationFormat}
  388. tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
  389. keystone::roles::admin::email: {get_param: AdminEmail}
  390. keystone::bootstrap::email: {get_params: AdminEmail}
  391. keystone::roles::admin::password: {get_param: AdminPassword}
  392. keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  393. keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  394. keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  395. keystone::endpoint::region: {get_param: KeystoneRegion}
  396. keystone::endpoint::version: ''
  397. keystone::bootstrap::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  398. keystone::bootstrap::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  399. keystone::bootstrap::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  400. keystone::bootstrap::region: {get_param: KeystoneRegion}
  401. keystone::admin_port: {get_param: [EndpointMap, KeystoneAdmin, port]}
  402. keystone::rabbit_heartbeat_timeout_threshold: 60
  403. keystone::roles::admin::service_tenant: 'service'
  404. keystone::bootstrap::service_project_name: 'service'
  405. keystone::roles::admin::admin_tenant: 'admin'
  406. keystone::bootstrap::project_name: 'admin'
  407. keystone::config::keystone_config:
  408. ec2/driver:
  409. value: 'keystone.contrib.ec2.backends.sql.Ec2'
  410. keystone::service_name: 'httpd'
  411. keystone::enable_ssl: {get_param: EnableInternalTLS}
  412. keystone::wsgi::apache::api_port:
  413. - 5000
  414. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  415. keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
  416. keystone::wsgi::apache::servername:
  417. str_replace:
  418. template:
  419. "%{hiera('fqdn_$NETWORK')}"
  420. params:
  421. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  422. keystone::wsgi::apache::servername_admin:
  423. str_replace:
  424. template:
  425. "%{hiera('fqdn_$NETWORK')}"
  426. params:
  427. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  428. keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
  429. # override via extraconfig:
  430. keystone::wsgi::apache::threads: 1
  431. keystone::db::database_db_max_retries: -1
  432. keystone::db::database_max_retries: -1
  433. keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  434. # NOTE: bind IP is found in hiera replacing the network name with the
  435. # local node IP for the given network; replacement examples
  436. # (eg. for internal_api):
  437. # internal_api -> IP
  438. # internal_api_uri -> [IP]
  439. # internal_api_subnet - > IP/CIDR
  440. # NOTE: this applies to all 2 bind IP settings below...
  441. keystone::wsgi::apache::bind_host:
  442. - str_replace:
  443. template:
  444. "%{hiera('$NETWORK')}"
  445. params:
  446. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  447. - str_replace:
  448. template:
  449. "%{hiera('$NETWORK')}"
  450. params:
  451. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  452. -
  453. if:
  454. - keystone_federation_enabled
  455. -
  456. keystone_federation_enabled: True
  457. keystone::federation::trusted_dashboards:
  458. get_param: KeystoneTrustedDashboards
  459. - {}
  460. -
  461. if:
  462. - keystone_openidc_enabled
  463. -
  464. keystone_openidc_enabled: True
  465. keystone::federation::openidc::methods:
  466. get_param: KeystoneAuthMethods
  467. keystone::federation::openidc::keystone_url:
  468. get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
  469. keystone::federation::openidc::idp_name:
  470. get_param: KeystoneOpenIdcIdpName
  471. keystone::federation::openidc::openidc_provider_metadata_url:
  472. get_param: KeystoneOpenIdcProviderMetadataUrl
  473. keystone::federation::openidc::openidc_client_id:
  474. get_param: KeystoneOpenIdcClientId
  475. keystone::federation::openidc::openidc_client_secret:
  476. get_param: KeystoneOpenIdcClientSecret
  477. keystone::federation::openidc::openidc_crypto_passphrase:
  478. get_param: KeystoneOpenIdcCryptoPassphrase
  479. keystone::federation::openidc::openidc_response_type:
  480. get_param: KeystoneOpenIdcResponseType
  481. keystone::federation::openidc::remote_id_attribute:
  482. get_param: KeystoneOpenIdcRemoteIdAttribute
  483. keystone::federation::openidc::openidc_oauth_enabled:
  484. get_param: KeystoneOpenIdcEnableOAuth
  485. keystone::federation::openidc::openidc_introspection_endpoint:
  486. get_param: KeystoneOpenIdcIntrospectionEndpoint
  487. - {}
  488. -
  489. if:
  490. - keystone_ldap_domain_enabled
  491. -
  492. tripleo::profile::base::keystone::ldap_backend_enable: True
  493. keystone::using_domain_config: True
  494. tripleo::profile::base::keystone::ldap_backends_config:
  495. get_param: KeystoneLDAPBackendConfigs
  496. - {}
  497. -
  498. if:
  499. - change_password_upon_first_use_set
  500. - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
  501. - {}
  502. -
  503. if:
  504. - disable_user_account_days_inactive_set
  505. - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
  506. - {}
  507. -
  508. if:
  509. - lockout_duration_set
  510. - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
  511. - {}
  512. -
  513. if:
  514. - lockout_failure_attempts_set
  515. - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
  516. - {}
  517. -
  518. if:
  519. - minimum_password_age_set
  520. - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
  521. - {}
  522. -
  523. if:
  524. - password_expires_days_set
  525. - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
  526. - {}
  527. -
  528. if:
  529. - password_regex_set
  530. - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
  531. - {}
  532. -
  533. if:
  534. - password_regex_description_set
  535. - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
  536. - {}
  537. -
  538. if:
  539. - unique_last_password_count_set
  540. - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
  541. - {}
  542. - apache::default_vhost: false
  543. - get_attr: [KeystoneLogging, config_settings]
  544. service_config_settings:
  545. rsyslog:
  546. tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource}
  547. mysql:
  548. keystone::db::mysql::password: {get_param: AdminToken}
  549. keystone::db::mysql::user: keystone
  550. keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
  551. keystone::db::mysql::dbname: keystone
  552. keystone::db::mysql::allowed_hosts:
  553. - '%'
  554. - "%{hiera('mysql_bind_host')}"
  555. pacemaker:
  556. keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  557. keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  558. keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  559. keystone::endpoint::region: {get_param: KeystoneRegion}
  560. keystone::bootstrap::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  561. keystone::bootstrap::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  562. keystone::bootstrap::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  563. keystone::bootstrap::region: {get_param: KeystoneRegion}
  564. keystone::admin_password: {get_param: AdminPassword}
  565. keystone::bootstrap::password: {get_param: AdminPassword}
  566. horizon:
  567. if:
  568. - keystone_ldap_domain_enabled
  569. -
  570. horizon::keystone_multidomain_support: true
  571. horizon::keystone_default_domain: 'Default'
  572. - {}
  573. # BEGIN DOCKER SETTINGS
  574. puppet_config:
  575. config_volume: keystone
  576. puppet_tags: keystone_config,keystone_domain_config
  577. step_config:
  578. list_join:
  579. - "\n"
  580. - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
  581. - |
  582. include ::tripleo::profile::base::keystone
  583. - {get_attr: [MySQLClient, role_data, step_config]}
  584. config_image: &keystone_config_image {get_param: ContainerKeystoneConfigImage}
  585. kolla_config:
  586. /var/lib/kolla/config_files/keystone.json:
  587. command: /usr/sbin/httpd
  588. config_files:
  589. - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
  590. dest: "/etc/keystone/fernet-keys"
  591. merge: false
  592. preserve_properties: true
  593. - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
  594. dest: "/etc/httpd/conf.d"
  595. merge: false
  596. preserve_properties: true
  597. - source: "/var/lib/kolla/config_files/src/*"
  598. dest: "/"
  599. merge: true
  600. preserve_properties: true
  601. docker_config:
  602. # Kolla_bootstrap/db sync runs before permissions set by kolla_config
  603. step_2:
  604. get_attr: [KeystoneLogging, docker_config, step_2]
  605. step_3:
  606. keystone_db_sync:
  607. image: &keystone_image {get_param: ContainerKeystoneImage}
  608. net: host
  609. user: root
  610. privileged: false
  611. detach: false
  612. volumes: &keystone_volumes
  613. list_concat:
  614. - {get_attr: [ContainersCommon, volumes]}
  615. - {get_attr: [KeystoneLogging, volumes]}
  616. -
  617. - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
  618. - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
  619. -
  620. if:
  621. - internal_tls_enabled
  622. - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
  623. - ''
  624. -
  625. if:
  626. - internal_tls_enabled
  627. - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
  628. - ''
  629. environment:
  630. map_merge:
  631. - {get_attr: [KeystoneLogging, environment]}
  632. - KOLLA_BOOTSTRAP: true
  633. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  634. command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
  635. keystone:
  636. start_order: 2
  637. image: *keystone_image
  638. net: host
  639. privileged: false
  640. restart: always
  641. healthcheck:
  642. test: /openstack/healthcheck
  643. volumes: *keystone_volumes
  644. environment:
  645. KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
  646. keystone_bootstrap:
  647. start_order: 3
  648. action: exec
  649. user: root
  650. command:
  651. [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ]
  652. environment:
  653. KOLLA_BOOTSTRAP: true
  654. OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword}
  655. OS_BOOTSTRAP_USERNAME: 'admin'
  656. OS_BOOTSTRAP_PROJECT_NAME: 'admin'
  657. OS_BOOTSTRAP_ROLE_NAME: 'admin'
  658. OS_BOOTSTRAP_SERVICE_NAME: 'keystone'
  659. OS_BOOTSTRAP_ADMIN_URL: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  660. OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  661. OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  662. OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion}
  663. step_4:
  664. # There are cases where we need to refresh keystone after the resource provisioning,
  665. # such as the case of using LDAP backends for domains. So we trigger a graceful
  666. # restart [1], which shouldn't cause service disruption, but will reload new
  667. # configurations for keystone.
  668. # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
  669. keystone_refresh:
  670. start_order: 1
  671. action: exec
  672. user: root
  673. command:
  674. [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
  675. external_deploy_tasks:
  676. - name: Manage clouds.yaml files
  677. when:
  678. - step|int == 1
  679. - not ansible_check_mode|bool
  680. block:
  681. - name: Create /etc/openstack directory if it does not exist
  682. become: true
  683. file:
  684. mode: '0755'
  685. owner: root
  686. path: /etc/openstack
  687. state: directory
  688. - name: Configure /etc/openstack/clouds.yaml
  689. include_role:
  690. name: tripleo_keystone_resources
  691. tasks_from: clouds
  692. vars:
  693. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  694. tripleo_keystone_resources_cloud_config:
  695. auth:
  696. auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  697. password: {get_param: AdminPassword}
  698. project_domain_name: Default
  699. project_name: admin
  700. user_domain_name: Default
  701. username: admin
  702. identity_api_version: '3'
  703. region_name: {get_param: KeystoneRegion}
  704. - name: Manage Keystone resources
  705. become: true
  706. when:
  707. - step|int == 4
  708. - not ansible_check_mode|bool
  709. block:
  710. - name: Manage Keystone resources for OpenStack services
  711. include_role:
  712. name: tripleo_keystone_resources
  713. vars:
  714. tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
  715. tripleo_keystone_resources_service_project: 'service'
  716. tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
  717. tripleo_keystone_resources_region: {get_param: KeystoneRegion}
  718. tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  719. tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  720. tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  721. tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
  722. tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
  723. - name: is Keystone LDAP enabled
  724. set_fact:
  725. keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
  726. - name: Set fact for tripleo_keystone_ldap_domains
  727. set_fact:
  728. tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
  729. when: keystone_ldap_domain_enabled|bool
  730. - name: Manage Keystone domains from LDAP config
  731. when: keystone_ldap_domain_enabled|bool
  732. include_role:
  733. name: tripleo_keystone_resources
  734. tasks_from: domains
  735. vars:
  736. tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
  737. batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
      # Post-deploy health validation; only runs with podman and when the
      # container healthcheck has not been disabled.
      deploy_steps_tasks:
        - name: validate keystone service state
          when:
            - container_cli == 'podman'
            - not container_healthcheck_disabled
            - step|int == 4
          tags:
            - opendev-validation
            - opendev-validation-keystone
          block:
            - name: Get keystone service healthcheck status
              import_role:
                name: healthcheck-service-status
              vars:
                inflight_healthcheck_services:
                  - tripleo_keystone_healthcheck
  754. container_puppet_tasks:
  755. # Keystone endpoint creation occurs only on single node
  756. step_3:
  757. config_volume: 'keystone_init_tasks'
  758. puppet_tags: 'keystone_config'
  759. step_config: 'include ::tripleo::profile::base::keystone'
  760. config_image: *keystone_config_image
  761. host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
  762. metadata_settings:
  763. get_attr: [ApacheServiceBase, role_data, metadata_settings]
      # Stops the keystone containers during a system upgrade; tagged `never`
      # so it only runs when one of the system_upgrade_* tags is requested.
      external_upgrade_tasks:
        - when:
            - step|int == 1
          tags:
            - never
            - system_upgrade_transfer_data
            - system_upgrade_stop_services
          block:
            - name: Stop keystone container
              import_role:
                name: tripleo_container_stop
              vars:
                tripleo_containers_to_stop:
                  - keystone
                  - keystone_cron
                tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"
  780. fast_forward_upgrade_tasks:
  781. - when:
  782. - step|int == 0
  783. - release == 'ocata'
  784. block:
  785. - name: Check for keystone running under apache
  786. tags: common
  787. shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
  788. ignore_errors: true
  789. register: keystone_httpd_enabled_result
  790. - name: Set fact keystone_httpd_enabled
  791. set_fact:
  792. keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
  793. - name: Check if httpd is running
  794. ignore_errors: True
  795. command: systemctl is-active --quiet httpd
  796. register: httpd_running_result
  797. when:
  798. - httpd_running is undefined
  799. - name: Set fact httpd_running if undefined
  800. set_fact:
  801. httpd_running: "{{ httpd_running_result.rc == 0 }}"
  802. when:
  803. - httpd_running is undefined
  804. - name: Stop and disable keystone (under httpd)
  805. service: name=httpd state=stopped enabled=no
  806. when:
  807. - step|int == 1
  808. - release == 'ocata'
  809. - keystone_httpd_enabled|bool
  810. - httpd_running|bool
  811. - name: Keystone package update
  812. package:
  813. name: 'openstack-keystone*'
  814. state: latest
  815. when:
  816. - step|int == 6
  817. - is_bootstrap_node|bool
  818. - name: keystone db sync
  819. command: keystone-manage db_sync
  820. when:
  821. - step|int == 8
  822. - is_bootstrap_node|bool