0cb5c847f3
If we use variables defined in later step in conditional before checking which step are we on we will fail. Resolves: rhbz#1535457 Closes-Bug: #1743764 Change-Id: Ic21f6eb5c4101f230fa894cd0829a11e2f0ef39b
230 lines
8.6 KiB
YAML
230 lines
8.6 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack containerized Keystone service
|
|
|
|
parameters:
|
|
DockerKeystoneImage:
|
|
description: image
|
|
type: string
|
|
DockerKeystoneConfigImage:
|
|
description: The container image to use for the keystone config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
AdminPassword:
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
type: string
|
|
hidden: true
|
|
KeystoneTokenProvider:
|
|
description: The keystone token format
|
|
type: string
|
|
default: 'fernet'
|
|
constraints:
|
|
- allowed_values: ['uuid', 'fernet']
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../../puppet/services/database/mysql-client.yaml
|
|
|
|
KeystoneBase:
|
|
type: ../../puppet/services/keystone.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
KeystoneLogging:
|
|
type: OS::TripleO::Services::Logging::Keystone
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Keystone API role.
|
|
value:
|
|
service_name: {get_attr: [KeystoneBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [KeystoneBase, role_data, config_settings]
|
|
- get_attr: [KeystoneLogging, config_settings]
|
|
- apache::default_vhost: false
|
|
logging_source: {get_attr: [KeystoneBase, role_data, logging_source]}
|
|
logging_groups: {get_attr: [KeystoneBase, role_data, logging_groups]}
|
|
service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: keystone
|
|
puppet_tags: keystone_config,keystone_domain_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
|
|
- {get_attr: [KeystoneBase, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/keystone.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/keystone_cron.json:
|
|
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
|
|
# args for the keystone container to -DFOREGROUND
|
|
command: /usr/sbin/crond -n
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/keystone
|
|
owner: keystone:keystone
|
|
recurse: true
|
|
docker_config:
|
|
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
|
|
step_2:
|
|
get_attr: [KeystoneLogging, docker_config, step_2]
|
|
step_3:
|
|
keystone_db_sync:
|
|
image: &keystone_image {get_param: DockerKeystoneImage}
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
detach: false
|
|
volumes: &keystone_volumes
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [KeystoneLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- ''
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- ''
|
|
environment:
|
|
list_concat:
|
|
- - KOLLA_BOOTSTRAP=True
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
- {get_attr: [KeystoneLogging, environment]}
|
|
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
|
|
keystone:
|
|
start_order: 2
|
|
image: *keystone_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes: *keystone_volumes
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
keystone_bootstrap:
|
|
start_order: 3
|
|
action: exec
|
|
user: root
|
|
command:
|
|
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
|
|
keystone_cron:
|
|
start_order: 4
|
|
image: *keystone_image
|
|
user: root
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [KeystoneLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
docker_puppet_tasks:
|
|
# Keystone endpoint creation occurs only on single node
|
|
step_3:
|
|
config_volume: 'keystone_init_tasks'
|
|
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
|
|
step_config: 'include ::tripleo::profile::base::keystone'
|
|
config_image: *keystone_config_image
|
|
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
|
|
upgrade_tasks:
|
|
- name: Check for keystone running under apache
|
|
tags: common
|
|
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
|
|
ignore_errors: True
|
|
register: httpd_enabled
|
|
- name: Check if httpd is running
|
|
tags: common
|
|
command: systemctl is-active --quiet httpd
|
|
ignore_errors: True
|
|
register: httpd_running
|
|
- name: "PreUpgrade step0,validation: Check if keystone_wsgi is running under httpd"
|
|
shell: systemctl status 'httpd' | grep -q keystone
|
|
tags: validation
|
|
when:
|
|
- step|int == 0
|
|
- httpd_enabled.rc == 0
|
|
- httpd_running.rc == 0
|
|
- name: Stop and disable keystone service (running under httpd)
|
|
when:
|
|
- step|int == 2
|
|
- httpd_enabled.rc == 0
|
|
- httpd_running.rc == 0
|
|
service: name=httpd state=stopped enabled=no
|
|
- name: remove old keystone cron jobs
|
|
when: step|int == 2
|
|
file:
|
|
path: /var/spool/cron/keystone
|
|
state: absent
|
|
metadata_settings:
|
|
get_attr: [KeystoneBase, role_data, metadata_settings]
|