openstack/tripleo-heat-templates
Code Issues Proposed changes
3c5d5a12fd
tripleo-heat-templates/deployment/keystone/keystone-container-puppet.yaml

926 lines
38 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Keystone service
parameters:
ContainerKeystoneImage:
description: image
type: string
tags:
- role_specific
ContainerKeystoneConfigImage:
description: The container image to use for the keystone config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['fernet']
SSLCertificate:
default: ''
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
PublicSSLCertificateAutogenerated:
default: false
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
EnablePublicTLS:
default: true
description: >
Whether to enable TLS on the public interface or not.
type: boolean
PublicTLSCAFile:
default: ''
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the public network.
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
type: string
KeystoneSSLCertificateKey:
default: ''
description: Keystone key for signing tokens.
type: string
hidden: true
KeystoneNotificationFormat:
description: The Keystone notification format
default: 'basic'
type: string
constraints:
- allowed_values: [ 'basic', 'cadf' ]
KeystoneNotificationTopics:
description: Keystone notification topics to enable
default: []
type: comma_delimited_list
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
KeystoneDebug:
default: false
description: Set to True to enable debugging Keystone service.
type: boolean
EnableCache:
description: Enable caching with memcached
type: boolean
default: true
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
KeystonePassword:
description: The password for the nova service and db account
default: ''
type: string
hidden: true
TokenExpiration:
default: 3600
description: Set a token expiration time in seconds.
type: number
KeystoneWorkers:
type: string
description: Set the number of workers for keystone::wsgi::apache
default: '%{::os_workers_keystone}'
MonitoringSubscriptionKeystone:
default: 'overcloud-keystone'
type: string
KeystoneCredential0:
type: string
description: The first Keystone credential key. Must be a valid key.
KeystoneCredential1:
type: string
description: The second Keystone credential key. Must be a valid key.
KeystoneFernetKeys:
type: json
description: Mapping containing keystone's fernet keys and their paths.
KeystoneFernetMaxActiveKeys:
type: number
description: The maximum active keys in the keystone fernet key repository.
default: 5
ManageKeystoneFernetKeys:
type: boolean
default: true
description: Whether TripleO should manage the keystone fernet keys or not.
If set to true, the fernet keys will get the values from the
saved keys repository in mistral (the KeystoneFernetKeys
variable). If set to false, only the stack creation
initializes the keys, but subsequent updates won't touch them.
KeystoneLoggingSource:
type: json
default:
tag: openstack.keystone
file: /var/log/containers/keystone/keystone.log
KeystonePolicies:
description: |
A hash of policies to configure for Keystone.
e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
KeystoneLDAPDomainEnable:
description: Trigger to call ldap_backend puppet keystone define.
type: boolean
default: False
KeystoneLDAPBackendConfigs:
description: Hash containing the configurations for the LDAP backends
configured in keystone.
type: json
default: {}
hidden: true
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
KeystoneNotificationDriver:
type: comma_delimited_list
default: []
description: |
Driver or drivers to handle sending notifications. This parameter is
specific to Keystone.
KeystoneEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Keystone database.
type: boolean
KeystoneCronTrustFlushEnsure:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Ensure
default: 'present'
KeystoneCronTrustFlushMinute:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Minute
default: '1'
KeystoneCronTrustFlushHour:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Hour
default: '*'
KeystoneCronTrustFlushMonthday:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Month Day
default: '*'
KeystoneCronTrustFlushMonth:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Month
default: '*'
KeystoneCronTrustFlushWeekday:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Week Day
default: '*'
KeystoneCronTrustFlushMaxDelay:
type: number
description: >
Cron to purge expired or soft-deleted trusts - Max Delay
default: 0
KeystoneCronTrustFlushDestination:
type: string
description: >
Cron to purge expired or soft-deleted trusts - Log destination
default: '/var/log/keystone/keystone-trustflush.log'
KeystoneCronTrustFlushUser:
type: string
description: >
Cron to purge expired or soft-deleted trusts - User
default: 'keystone'
KeystoneChangePasswordUponFirstUse:
type: string
default: ''
description: >-
Enabling this option requires users to change their password when the
user is created, or upon administrative reset.
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneDisableUserAccountDaysInactive:
type: string
default: ''
description: >-
The maximum number of days a user can go without authenticating before
being considered "inactive" and automatically disabled (locked).
KeystoneLockoutDuration:
type: string
default: ''
description: >-
The number of seconds a user account will be locked when the maximum
number of failed authentication attempts (as specified by
KeystoneLockoutFailureAttempts) is exceeded.
KeystoneLockoutFailureAttempts:
type: string
default: ''
description: >-
The maximum number of times that a user can fail to authenticate before
the user account is locked for the number of seconds specified by
KeystoneLockoutDuration.
KeystoneMinimumPasswordAge:
type: string
default: ''
description: >-
The number of days that a password must be used before the user can
change it. This prevents users from changing their passwords immediately
in order to wipe out their password history and reuse an old password.
KeystonePasswordExpiresDays:
type: string
default: ''
description: >-
The number of days for which a password will be considered valid before
requiring it to be changed.
KeystonePasswordRegex:
type: string
default: ''
description: >-
The regular expression used to validate password strength requirements.
KeystonePasswordRegexDescription:
type: string
default: ''
description: >-
Describe your password regular expression here in language for humans.
KeystoneUniqueLastPasswordCount:
type: string
default: ''
description: >-
This controls the number of previous user password iterations to keep in
history, in order to enforce that newly created passwords are unique.
KeystoneCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
KeystoneEnableMember:
description: Create the _member_ role, useful for undercloud deployment.
type: boolean
default: False
KeystoneFederationEnable:
type: boolean
default: false
description: Enable support for federated authentication.
KeystoneTrustedDashboards:
type: comma_delimited_list
default: []
description: A list of dashboard URLs trusted for single sign-on.
KeystoneAuthMethods:
type: comma_delimited_list
default: []
description: >-
A list of methods used for authentication.
KeystoneOpenIdcEnable:
type: boolean
default: false
description: Enable support for OpenIDC federation.
KeystoneOpenIdcIdpName:
type: string
default: ''
description: The name associated with the IdP in Keystone.
KeystoneOpenIdcProviderMetadataUrl:
type: string
default: ''
description: The url that points to your OpenID Connect provider metadata
KeystoneOpenIdcClientId:
type: string
default: ''
description: >-
The client ID to use when handshaking with your OpenID Connect provider
KeystoneOpenIdcClientSecret:
type: string
default: ''
description: >-
The client secret to use when handshaking with your OpenID
Connect provider
KeystoneOpenIdcCryptoPassphrase:
type: string
default: 'openstack'
description: >-
Passphrase to use when encrypting data for OpenID Connect handshake.
KeystoneOpenIdcResponseType:
type: string
default: 'id_token'
description: Response type to be expected from the OpenID Connect provider.
KeystoneOpenIdcRemoteIdAttribute:
type: string
default: 'HTTP_OIDC_ISS'
description: >-
Attribute to be used to obtain the entity ID of the Identity Provider
from the environment.
KeystoneOpenIdcEnableOAuth:
type: boolean
default: false
description: >-
Enable OAuth 2.0 integration.
KeystoneOpenIdcIntrospectionEndpoint:
type: string
default: ''
description: >-
OAuth 2.0 introspection endpoint for mod_auth_openidc
KeystoneOpenIdcClaimDelimiter:
type: string
default: ';'
description: >-
The delimiter to use when setting multi-valued claims.
KeystoneOpenIdcPassUserInfoAs:
type: string
default: 'claims'
description: >-
Define the way(s) in which the claims resolved from the userinfo endpoint
are passed to the application according to OIDCPassClaimsAs.
constraints:
- allowed_values: ['claims', 'json', 'jwt']
KeystoneOpenIdcPassClaimsAs:
type: string
default: 'both'
description: >-
Define the way in which the claims and tokens are passed to the application environment:
"none": no claims/tokens are passed
"environment": claims/tokens are passed as environment variables
"headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
"both": claims/tokens are passed as both headers as well as environment variables (default)
constraints:
- allowed_values: ['none', 'environment', 'headers', 'both']
RootStackName:
description: The name of the stack/plan.
type: string
AdminToken:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
default: ''
type: string
hidden: true
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- AdminToken
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
KeystoneLogging:
type: OS::TripleO::Services::Logging::Keystone
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerKeystoneImage: ContainerKeystoneImage
ContainerKeystoneConfigImage: ContainerKeystoneConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerKeystoneImage: {get_param: ContainerKeystoneImage}
ContainerKeystoneConfigImage: {get_param: ContainerKeystoneConfigImage}
conditions:
public_tls_enabled:
and:
- {get_param: EnablePublicTLS}
- or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- {get_param: PublicSSLCertificateAutogenerated}
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
nontls_cache_enabled:
and:
- {get_param: EnableCache}
- not: {get_param: MemcachedTLS}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
# Security compliance
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}}
admin_token_set: {not: {equals: [{get_param: AdminToken}, '']}}
keystone_notification_driver_set: {not: {equals: [{get_param: KeystoneNotificationDriver}, []]}}
outputs:
role_data:
description: Role data for the Keystone API role.
value:
service_name: keystone
firewall_rules:
'111 keystone':
dport:
- 5000
firewall_frontend_rules:
'100 keystone_public_haproxy_frontend':
dport:
- 5000
'100 keystone_admin_haproxy_frontend':
dport:
- {get_param: [EndpointMap, KeystoneAdmin, port]}
firewall_ssl_frontend_rules:
'100 keystone_public_haproxy_frontend_ssl':
dport:
- 13000
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- if:
- cors_allowed_origin_set
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
- keystone::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: keystone
password:
if:
- admin_token_set
- {get_param: AdminToken}
- {get_param: KeystonePassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /keystone
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: keystone
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
keystone::sync_db: false
keystone::token_expiration: {get_param: TokenExpiration}
keystone::policy::policies: {get_param: KeystonePolicies}
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
keystone::token_provider: {get_param: KeystoneTokenProvider}
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
keystone::enable_proxy_headers_parsing: true
keystone::enable_credential_setup: true
keystone::credential_keys:
'/etc/keystone/credential-keys/0':
content: {get_param: KeystoneCredential0}
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
keystone::fernet_keys: {get_param: KeystoneFernetKeys}
keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
keystone::logging::debug:
if:
- {get_param: KeystoneDebug}
- true
- {get_param: Debug }
keystone::notification_driver:
if:
- keystone_notification_driver_set
- {get_param: KeystoneNotificationDriver}
- {get_param: NotificationDriver}
keystone::notification_format: {get_param: KeystoneNotificationFormat}
tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
tripleo::profile::base::keystone::manage_db_purge: {get_param: KeystoneEnableDBPurge}
keystone::cron::trust_flush::ensure: {get_param: KeystoneCronTrustFlushEnsure}
keystone::cron::trust_flush::minute: {get_param: KeystoneCronTrustFlushMinute}
keystone::cron::trust_flush::hour: {get_param: KeystoneCronTrustFlushHour}
keystone::cron::trust_flush::monthday: {get_param: KeystoneCronTrustFlushMonthday}
keystone::cron::trust_flush::month: {get_param: KeystoneCronTrustFlushMonth}
keystone::cron::trust_flush::weekday: {get_param: KeystoneCronTrustFlushWeekday}
keystone::cron::trust_flush::maxdelay: {get_param: KeystoneCronTrustFlushMaxDelay}
keystone::cron::trust_flush::destination: {get_param: KeystoneCronTrustFlushDestination}
keystone::cron::trust_flush::user: {get_param: KeystoneCronTrustFlushUser}
keystone::rabbit_heartbeat_timeout_threshold: 60
keystone::service_name: 'httpd'
keystone::enable_ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::access_log_format: 'forwarded'
keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
# override via extraconfig:
keystone::wsgi::apache::threads: 1
keystone::db::database_db_max_retries: -1
keystone::db::database_max_retries: -1
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
keystone::wsgi::apache::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
- keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
- if:
- tls_cache_enabled
- keystone::cache::backend: 'dogpile.cache.pymemcache'
keystone::cache::enable_socket_keepalive: true
- keystone::cache::backend: 'dogpile.cache.memcached'
- if:
- {get_param: KeystoneFederationEnable}
- tripleo::profile::base::keystone::keystone_federation_enabled: True
keystone::federation::trusted_dashboards:
get_param: KeystoneTrustedDashboards
- if:
- {get_param: KeystoneOpenIdcEnable}
- tripleo::profile::base::keystone::keystone_openidc_enabled: True
keystone::federation::openidc::methods:
get_param: KeystoneAuthMethods
keystone::federation::openidc::keystone_url:
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
keystone::federation::openidc::idp_name:
get_param: KeystoneOpenIdcIdpName
keystone::federation::openidc::openidc_provider_metadata_url:
get_param: KeystoneOpenIdcProviderMetadataUrl
keystone::federation::openidc::openidc_client_id:
get_param: KeystoneOpenIdcClientId
keystone::federation::openidc::openidc_client_secret:
get_param: KeystoneOpenIdcClientSecret
keystone::federation::openidc::openidc_crypto_passphrase:
get_param: KeystoneOpenIdcCryptoPassphrase
keystone::federation::openidc::openidc_response_type:
get_param: KeystoneOpenIdcResponseType
keystone::federation::openidc::remote_id_attribute:
get_param: KeystoneOpenIdcRemoteIdAttribute
keystone::federation::openidc::openidc_enable_oauth:
get_param: KeystoneOpenIdcEnableOAuth
keystone::federation::openidc::openidc_introspection_endpoint:
get_param: KeystoneOpenIdcIntrospectionEndpoint
keystone::federation::openidc::openidc_pass_userinfo_as:
get_param: KeystoneOpenIdcPassUserInfoAs
keystone::federation::openidc::openidc_pass_claim_as:
get_param: KeystoneOpenIdcPassClaimsAs
keystone::federation::openidc::openidc_claim_delimiter:
get_param: KeystoneOpenIdcClaimDelimiter
keystone::federation::openidc::openidc_cache_type:
if:
- nontls_cache_enabled
- 'memcache'
- if:
- {get_param: KeystoneLDAPDomainEnable}
- tripleo::profile::base::keystone::ldap_backend_enable: True
keystone::using_domain_config: True
tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs
- if:
- {get_param: EnforceSecureRbac}
- keystone::policy::enforce_scope: true
keystone::policy::enforce_new_defaults: true
- if:
- change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
- if:
- disable_user_account_days_inactive_set
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
- if:
- lockout_duration_set
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
- if:
- lockout_failure_attempts_set
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
- if:
- minimum_password_age_set
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
- if:
- password_expires_days_set
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
- if:
- password_regex_set
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
- if:
- password_regex_description_set
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
- if:
- unique_last_password_count_set
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
- apache::default_vhost: false
- get_attr: [KeystoneLogging, config_settings]
service_config_settings:
rsyslog:
tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource}
mysql:
keystone::db::mysql::password:
if:
- admin_token_set
- {get_param: AdminToken}
- {get_param: KeystonePassword}
keystone::db::mysql::user: keystone
keystone::db::mysql::host: '%'
keystone::db::mysql::dbname: keystone
pacemaker:
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
keystone::endpoint::region: {get_param: KeystoneRegion}
keystone::admin_password: {get_param: AdminPassword}
horizon:
map_merge:
- if:
- {get_param: KeystoneLDAPDomainEnable}
- horizon::keystone_multidomain_support: true
horizon::keystone_default_domain: 'Default'
- horizon::policy::keystone_policies: {get_param: KeystonePolicies}
ansible_group_vars:
tripleo_keystone_image: {get_attr: [RoleParametersValue, value, ContainerKeystoneImage]}
tripleo_keystone_volumes:
- /etc/openldap:/etc/openldap:ro
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
tripleo_keystone_common_volumes: {get_attr: [ContainersCommon, volumes]}
tripleo_keystone_logging_volumes: {get_attr: [KeystoneLogging, volumes]}
tripleo_enable_internal_tls: {get_param: EnableInternalTLS}
tripleo_keystone_environment:
KOLLA_BOOTSTRAP: true
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
tripleo_keystone_logging_environment: {get_attr: [KeystoneLogging, environment]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: keystone
puppet_tags: keystone_config,keystone_domain_config
step_config:
list_join:
- "\n"
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
- |
include tripleo::profile::base::keystone
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: &keystone_config_image {get_attr: [RoleParametersValue, value, ContainerKeystoneConfigImage]}
docker_config:
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
step_2:
get_attr: [KeystoneLogging, docker_config, step_2]
step_4:
# There are cases where we need to refresh keystone after the resource provisioning,
# such as the case of using LDAP backends for domains. So we trigger a graceful
# restart [1], which shouldn't cause service disruption, but will reload new
# configurations for keystone.
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
keystone_refresh:
start_order: 1
action: exec
user: root
command:
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
external_deploy_tasks:
- name: Manage clouds.yaml files
when:
- step|int == 1
- not ansible_check_mode|bool
block:
- name: Create /etc/openstack directory if it does not exist
become: true
file:
mode: '0755'
owner: root
path: /etc/openstack
state: directory
- name: Configure /etc/openstack/clouds.yaml
include_role:
name: tripleo_keystone_resources
tasks_from: clouds
vars:
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
tripleo_keystone_resources_cloud_config:
auth:
auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
password: {get_param: AdminPassword}
project_domain_name: Default
project_name: admin
user_domain_name: Default
username: admin
cacert:
if:
- public_tls_enabled
- {get_param: PublicTLSCAFile}
- ''
identity_api_version: '3'
volume_api_version: '3'
region_name: {get_param: KeystoneRegion}
- name: Configure system admin account in /etc/openstack/clouds.yaml
include_role:
name: tripleo_keystone_resources
tasks_from: clouds
vars:
tripleo_keystone_resources_cloud_name:
list_join:
- '-'
- - {get_param: RootStackName}
- 'system-admin'
tripleo_keystone_resources_cloud_config:
auth:
auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
password: {get_param: AdminPassword}
system_scope: all
user_domain_name: Default
username: admin
cacert:
if:
- public_tls_enabled
- {get_param: PublicTLSCAFile}
- ''
identity_api_version: '3'
volume_api_version: '3'
region_name: {get_param: KeystoneRegion}
- name: Manage Keystone resources
become: true
when:
- step|int == 4
- not ansible_check_mode|bool
block:
- name: Manage Keystone resources for OpenStack services
include_role:
name: tripleo_keystone_resources
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_service_project: 'service'
tripleo_keystone_resources_cloud_name:
list_join:
- '-'
- - {get_param: RootStackName}
- 'system-admin'
tripleo_keystone_resources_region: {get_param: KeystoneRegion}
tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
- name: is Keystone LDAP enabled
set_fact:
keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
- name: Set fact for tripleo_keystone_ldap_domains
set_fact:
tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
when: keystone_ldap_domain_enabled|bool
- name: Manage Keystone domains from LDAP config
when: keystone_ldap_domain_enabled|bool
include_role:
name: tripleo_keystone_resources
tasks_from: domains
vars:
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
deploy_steps_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- - name: validate keystone container state
containers.podman.podman_container_info:
name: keystone
register: keystone_infos
failed_when:
- keystone_infos.containers.0.Healthcheck.Status is defined
- "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
retries: 10
delay: 30
tags:
- opendev-validation
- opendev-validation-keystone
when:
- not container_healthcheck_disabled
- step|int == 4
- name: Keystone DB sync
include_role:
name: tripleo_keystone
tasks_from: keystone-db-sync.yaml
when:
- step|int == 3
- name: Keystone containers
import_role:
name: tripleo_keystone
tasks_from: keystone.yaml
when:
- step|int == 3
- name: Keystone bootstrap containers
import_role:
name: tripleo_keystone
tasks_from: keystone-bootstrap.yaml
when:
- step|int == 3
vars:
tripleo_keystone_admin_password: {get_param: AdminPassword}
tripleo_keystone_admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
tripleo_keystone_public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
tripleo_keystone_internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
tripleo_keystone_region: {get_param: KeystoneRegion}
host_prep_tasks:
list_concat:
- {get_attr: [KeystoneLogging, host_prep_tasks]}
- - include_role:
name: tripleo_keystone
tasks_from: keystone-install.yaml
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop keystone container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- keystone
- keystone_cron
tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"
View Git Blame Copy Permalink