1b58806a62
We don't need all the steps currently enabled for either batched or concurrent updates, so decrease them. In future we can perhaps introspect the task tags during plan creation and set these dynamically. Change-Id: I0358886a332dfbecd03bc4a67086b08d25756c22 Partially-Implements: blueprint overcloud-upgrades-per-service
318 lines
12 KiB
YAML
318 lines
12 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
OpenStack Keystone service configured with Puppet
|
|
|
|
parameters:
|
|
KeystoneEnableDBPurge:
|
|
default: true
|
|
description: |
|
|
Whether to create cron job for purging soft deleted rows in Keystone database.
|
|
type: boolean
|
|
KeystoneSSLCertificate:
|
|
default: ''
|
|
description: Keystone certificate for verifying token validity.
|
|
type: string
|
|
KeystoneSSLCertificateKey:
|
|
default: ''
|
|
description: Keystone key for signing tokens.
|
|
type: string
|
|
hidden: true
|
|
KeystoneNotificationDriver:
|
|
description: Comma-separated list of Oslo notification drivers used by Keystone
|
|
default: ['messaging']
|
|
type: comma_delimited_list
|
|
KeystoneNotificationFormat:
|
|
description: The Keystone notification format
|
|
default: 'basic'
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ 'basic', 'cadf' ]
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
KeystoneTokenProvider:
|
|
description: The keystone token format
|
|
type: string
|
|
default: 'uuid'
|
|
constraints:
|
|
- allowed_values: ['uuid', 'fernet']
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
type: string
|
|
default: ''
|
|
AdminEmail:
|
|
default: 'admin@example.com'
|
|
description: The email for the keystone admin account.
|
|
type: string
|
|
hidden: true
|
|
AdminPassword:
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
type: string
|
|
hidden: true
|
|
AdminToken:
|
|
description: The keystone auth secret and db password.
|
|
type: string
|
|
hidden: true
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
RabbitClientUseSSL:
|
|
default: false
|
|
description: >
|
|
Rabbit client subscriber parameter to specify
|
|
an SSL connection to the RabbitMQ host.
|
|
type: string
|
|
RabbitClientPort:
|
|
default: 5672
|
|
description: Set rabbit subscriber port, change this if using SSL
|
|
type: number
|
|
KeystoneWorkers:
|
|
type: string
|
|
description: Set the number of workers for keystone::wsgi::apache
|
|
default: '%{::os_workers}'
|
|
MonitoringSubscriptionKeystone:
|
|
default: 'overcloud-keystone'
|
|
type: string
|
|
KeystoneCredential0:
|
|
type: string
|
|
description: The first Keystone credential key. Must be a valid key.
|
|
KeystoneCredential1:
|
|
type: string
|
|
description: The second Keystone credential key. Must be a valid key.
|
|
KeystoneFernetKey0:
|
|
type: string
|
|
description: The first Keystone fernet key. Must be a valid key.
|
|
KeystoneFernetKey1:
|
|
type: string
|
|
description: The second Keystone fernet key. Must be a valid key.
|
|
KeystoneLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone
|
|
path: /var/log/keystone/keystone.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
KeystoneCronTokenFlushEnsure:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Ensure
|
|
default: 'present'
|
|
KeystoneCronTokenFlushMinute:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Minute
|
|
default: '1'
|
|
KeystoneCronTokenFlushHour:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Hour
|
|
default: '0'
|
|
KeystoneCronTokenFlushMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Month Day
|
|
default: '*'
|
|
KeystoneCronTokenFlushMonth:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Month
|
|
default: '*'
|
|
KeystoneCronTokenFlushWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Week Day
|
|
default: '*'
|
|
KeystoneCronTokenFlushMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Max Delay
|
|
default: '0'
|
|
KeystoneCronTokenFlushDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - Log destination
|
|
default: '/var/log/keystone/keystone-tokenflush.log'
|
|
KeystoneCronTokenFlushUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired tokens - User
|
|
default: 'keystone'
|
|
|
|
resources:
|
|
|
|
ApacheServiceBase:
|
|
type: ./apache.yaml
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
conditions:
|
|
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Keystone role.
|
|
value:
|
|
service_name: keystone
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
|
logging_source: {get_param: KeystoneLoggingSource}
|
|
logging_groups:
|
|
- keystone
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- keystone::database_connection:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
- '://keystone:'
|
|
- {get_param: AdminToken}
|
|
- '@'
|
|
- {get_param: [EndpointMap, MysqlInternal, host]}
|
|
- '/keystone'
|
|
- '?bind_address='
|
|
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
|
keystone::admin_token: {get_param: AdminToken}
|
|
keystone::admin_password: {get_param: AdminPassword}
|
|
keystone::roles::admin::password: {get_param: AdminPassword}
|
|
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
|
|
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
|
|
keystone::token_provider: {get_param: KeystoneTokenProvider}
|
|
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
|
|
keystone::enable_proxy_headers_parsing: true
|
|
keystone::enable_credential_setup: true
|
|
keystone::credential_keys:
|
|
'/etc/keystone/credential-keys/0':
|
|
content: {get_param: KeystoneCredential0}
|
|
'/etc/keystone/credential-keys/1':
|
|
content: {get_param: KeystoneCredential1}
|
|
keystone::fernet_keys:
|
|
'/etc/keystone/fernet-keys/0':
|
|
content: {get_param: KeystoneFernetKey0}
|
|
'/etc/keystone/fernet-keys/1':
|
|
content: {get_param: KeystoneFernetKey1}
|
|
keystone::debug: {get_param: Debug}
|
|
keystone::rabbit_userid: {get_param: RabbitUserName}
|
|
keystone::rabbit_password: {get_param: RabbitPassword}
|
|
keystone::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
|
keystone::rabbit_port: {get_param: RabbitClientPort}
|
|
keystone::notification_driver: {get_param: KeystoneNotificationDriver}
|
|
keystone::notification_format: {get_param: KeystoneNotificationFormat}
|
|
keystone::roles::admin::email: {get_param: AdminEmail}
|
|
keystone::roles::admin::password: {get_param: AdminPassword}
|
|
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
keystone::endpoint::region: {get_param: KeystoneRegion}
|
|
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
|
|
keystone::rabbit_heartbeat_timeout_threshold: 60
|
|
keystone::cron::token_flush::maxdelay: 3600
|
|
keystone::roles::admin::service_tenant: 'service'
|
|
keystone::roles::admin::admin_tenant: 'admin'
|
|
keystone::cron::token_flush::destination: '/dev/null'
|
|
keystone::config::keystone_config:
|
|
ec2/driver:
|
|
value: 'keystone.contrib.ec2.backends.sql.Ec2'
|
|
keystone::service_name: 'httpd'
|
|
keystone::enable_ssl: {get_param: EnableInternalTLS}
|
|
keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
keystone::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
keystone::wsgi::apache::servername_admin:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
|
|
# override via extraconfig:
|
|
keystone::wsgi::apache::threads: 1
|
|
keystone::db::database_db_max_retries: -1
|
|
keystone::db::database_max_retries: -1
|
|
tripleo.keystone.firewall_rules:
|
|
'111 keystone':
|
|
dport:
|
|
- 5000
|
|
- 13000
|
|
- 35357
|
|
- 13357
|
|
keystone::admin_bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
keystone::public_bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
# NOTE: this applies to all 2 bind IP settings below...
|
|
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
|
|
keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
|
|
keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
|
|
keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
|
|
keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
|
|
keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
|
|
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
|
|
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
|
|
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
|
|
|
|
step_config: |
|
|
include ::tripleo::profile::base::keystone
|
|
service_config_settings:
|
|
mysql:
|
|
keystone::db::mysql::password: {get_param: AdminToken}
|
|
keystone::db::mysql::user: keystone
|
|
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
keystone::db::mysql::dbname: keystone
|
|
keystone::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
# Ansible tasks to handle upgrade
|
|
upgrade_tasks:
|
|
- name: Stop keystone service (running under httpd)
|
|
tags: step2
|
|
service: name=httpd state=stopped
|
|
- name: Sync keystone DB
|
|
tags: step5
|
|
command: keystone-manage db_sync
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|