
  1. heat_template_version: rocky
  2. description: >
  3. OpenStack containerized Keystone service
  4. parameters:
  5. DockerKeystoneImage:
  6. description: image
  7. type: string
  8. DockerKeystoneConfigImage:
  9. description: The container image to use for the keystone config_volume
  10. type: string
  11. EndpointMap:
  12. default: {}
  13. description: Mapping of service endpoint -> protocol. Typically set
  14. via parameter_defaults in the resource registry.
  15. type: json
  16. ServiceData:
  17. default: {}
  18. description: Dictionary packing service data
  19. type: json
  20. ServiceNetMap:
  21. default: {}
  22. description: Mapping of service_name -> network name. Typically set
  23. via parameter_defaults in the resource registry. This
  24. mapping overrides those in ServiceNetMapDefaults.
  25. type: json
  26. DefaultPasswords:
  27. default: {}
  28. type: json
  29. RoleName:
  30. default: ''
  31. description: Role name on which the service is applied
  32. type: string
  33. RoleParameters:
  34. default: {}
  35. description: Parameters specific to the role
  36. type: json
  37. AdminPassword:
  38. description: The password for the keystone admin account, used for monitoring, querying neutron etc.
  39. type: string
  40. hidden: true
  41. KeystoneTokenProvider:
  42. description: The keystone token format
  43. type: string
  44. default: 'fernet'
  45. constraints:
  46. - allowed_values: ['uuid', 'fernet']
  47. EnableInternalTLS:
  48. type: boolean
  49. default: false
  50. KeystoneEnableDBPurge:
  51. default: true
  52. description: |
  53. Whether to create cron job for purging soft deleted rows in Keystone database.
  54. type: boolean
  55. KeystoneSSLCertificate:
  56. default: ''
  57. description: Keystone certificate for verifying token validity.
  58. type: string
  59. KeystoneSSLCertificateKey:
  60. default: ''
  61. description: Keystone key for signing tokens.
  62. type: string
  63. hidden: true
  64. KeystoneNotificationFormat:
  65. description: The Keystone notification format
  66. default: 'basic'
  67. type: string
  68. constraints:
  69. - allowed_values: [ 'basic', 'cadf' ]
  70. KeystoneNotificationTopics:
  71. description: Keystone notification topics to enable
  72. default: []
  73. type: comma_delimited_list
  74. KeystoneRegion:
  75. type: string
  76. default: 'regionOne'
  77. description: Keystone region for endpoint
  78. Debug:
  79. type: boolean
  80. default: false
  81. description: Set to True to enable debugging on all services.
  82. KeystoneDebug:
  83. default: ''
  84. description: Set to True to enable debugging Keystone service.
  85. type: string
  86. constraints:
  87. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  88. AdminEmail:
  89. default: 'admin@example.com'
  90. description: The email for the keystone admin account.
  91. type: string
  92. hidden: true
  93. AdminToken:
  94. description: The keystone auth secret and db password.
  95. type: string
  96. hidden: true
  97. RpcPort:
  98. default: 5672
  99. description: The network port for messaging backend
  100. type: number
  101. RpcUserName:
  102. default: guest
  103. description: The username for messaging backend
  104. type: string
  105. RpcPassword:
  106. description: The password for messaging backend
  107. type: string
  108. hidden: true
  109. RpcUseSSL:
  110. default: false
  111. description: >
  112. Messaging client subscriber parameter to specify
  113. an SSL connection to the messaging host.
  114. type: string
  115. TokenExpiration:
  116. default: 3600
  117. description: Set a token expiration time in seconds.
  118. type: number
  119. KeystoneWorkers:
  120. type: string
  121. description: Set the number of workers for keystone::wsgi::apache
  122. default: '%{::os_workers}'
  123. MonitoringSubscriptionKeystone:
  124. default: 'overcloud-keystone'
  125. type: string
  126. KeystoneCredential0:
  127. type: string
  128. description: The first Keystone credential key. Must be a valid key.
  129. KeystoneCredential1:
  130. type: string
  131. description: The second Keystone credential key. Must be a valid key.
  132. KeystoneFernetKeys:
  133. type: json
  134. description: Mapping containing keystone's fernet keys and their paths.
  135. KeystoneFernetMaxActiveKeys:
  136. type: number
  137. description: The maximum active keys in the keystone fernet key repository.
  138. default: 5
  139. ManageKeystoneFernetKeys:
  140. type: boolean
  141. default: true
  142. description: Whether TripleO should manage the keystone fernet keys or not.
  143. If set to true, the fernet keys will get the values from the
  144. saved keys repository in mistral (the KeystoneFernetKeys
  145. variable). If set to false, only the stack creation
  146. initializes the keys, but subsequent updates won't touch them.
  147. KeystoneLoggingSource:
  148. type: json
  149. default:
  150. tag: openstack.keystone
  151. path: /var/log/containers/keystone/keystone.log
  152. KeystoneErrorLoggingSource:
  153. type: json
  154. default:
  155. tag: openstack.keystone.error
  156. path: /var/log/containers/httpd/keystone/error_log
  157. KeystoneAdminAccessLoggingSource:
  158. type: json
  159. default:
  160. tag: openstack.keystone.admin.access
  161. path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_access.log
  162. KeystoneAdminErrorLoggingSource:
  163. type: json
  164. default:
  165. tag: openstack.keystone.admin.error
  166. path: /var/log/containers/httpd/keystone/keystone_wsgi_admin_error.log
  167. KeystoneMainAcccessLoggingSource:
  168. type: json
  169. default:
  170. tag: openstack.keystone.main.access
  171. path: /var/log/containers/httpd/keystone/keystone_wsgi_main_access.log
  172. KeystoneMainErrorLoggingSource:
  173. type: json
  174. default:
  175. tag: openstack.keystone.wsgi.main.error
  176. path: /var/log/containers/httpd/keystone/keystone_wsgi_main_error.log
  177. KeystoneCronTokenFlushEnsure:
  178. type: string
  179. description: >
  180. Cron to purge expired tokens - Ensure
  181. default: 'present'
  182. KeystoneCronTokenFlushMinute:
  183. type: comma_delimited_list
  184. description: >
  185. Cron to purge expired tokens - Minute
  186. default: '1'
  187. KeystoneCronTokenFlushHour:
  188. type: comma_delimited_list
  189. description: >
  190. Cron to purge expired tokens - Hour
  191. default: '*'
  192. KeystoneCronTokenFlushMonthday:
  193. type: comma_delimited_list
  194. description: >
  195. Cron to purge expired tokens - Month Day
  196. default: '*'
  197. KeystoneCronTokenFlushMonth:
  198. type: comma_delimited_list
  199. description: >
  200. Cron to purge expired tokens - Month
  201. default: '*'
  202. KeystoneCronTokenFlushWeekday:
  203. type: comma_delimited_list
  204. description: >
  205. Cron to purge expired tokens - Week Day
  206. default: '*'
  207. KeystoneCronTokenFlushMaxDelay:
  208. type: number
  209. description: >
  210. Cron to purge expired tokens - Max Delay
  211. default: 0
  212. KeystoneCronTokenFlushDestination:
  213. type: string
  214. description: >
  215. Cron to purge expired tokens - Log destination
  216. default: '/var/log/keystone/keystone-tokenflush.log'
  217. KeystoneCronTokenFlushUser:
  218. type: string
  219. description: >
  220. Cron to purge expired tokens - User
  221. default: 'keystone'
  222. KeystonePolicies:
  223. description: |
  224. A hash of policies to configure for Keystone.
  225. e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
  226. default: {}
  227. type: json
  228. KeystoneLDAPDomainEnable:
  229. description: Trigger to call ldap_backend puppet keystone define.
  230. type: boolean
  231. default: False
  232. KeystoneLDAPBackendConfigs:
  233. description: Hash containing the configurations for the LDAP backends
  234. configured in keystone.
  235. type: json
  236. default: {}
  237. hidden: true
  238. NotificationDriver:
  239. type: string
  240. default: 'messagingv2'
  241. description: Driver or drivers to handle sending notifications.
  242. KeystoneChangePasswordUponFirstUse:
  243. type: string
  244. default: ''
  245. description: >-
  246. Enabling this option requires users to change their password when the
  247. user is created, or upon administrative reset.
  248. constraints:
  249. - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  250. KeystoneDisableUserAccountDaysInactive:
  251. type: string
  252. default: ''
  253. description: >-
  254. The maximum number of days a user can go without authenticating before
  255. being considered "inactive" and automatically disabled (locked).
  256. KeystoneLockoutDuration:
  257. type: string
  258. default: ''
  259. description: >-
  260. The number of seconds a user account will be locked when the maximum
  261. number of failed authentication attempts (as specified by
  262. KeystoneLockoutFailureAttempts) is exceeded.
  263. KeystoneLockoutFailureAttempts:
  264. type: string
  265. default: ''
  266. description: >-
  267. The maximum number of times that a user can fail to authenticate before
  268. the user account is locked for the number of seconds specified by
  269. KeystoneLockoutDuration.
  270. KeystoneMinimumPasswordAge:
  271. type: string
  272. default: ''
  273. description: >-
  274. The number of days that a password must be used before the user can
  275. change it. This prevents users from changing their passwords immediately
  276. in order to wipe out their password history and reuse an old password.
  277. KeystonePasswordExpiresDays:
  278. type: string
  279. default: ''
  280. description: >-
  281. The number of days for which a password will be considered valid before
  282. requiring it to be changed.
  283. KeystonePasswordRegex:
  284. type: string
  285. default: ''
  286. description: >-
  287. The regular expression used to validate password strength requirements.
  288. KeystonePasswordRegexDescription:
  289. type: string
  290. default: ''
  291. description: >-
  292. Describe your password regular expression here in language for humans.
  293. KeystoneUniqueLastPasswordCount:
  294. type: string
  295. default: ''
  296. description: >-
  297. This controls the number of previous user password iterations to keep in
  298. history, in order to enforce that newly created passwords are unique.
  299. KeystoneCorsAllowedOrigin:
  300. type: string
  301. default: ''
  302. description: Indicate whether this resource may be shared with the domain received in the request
  303. "origin" header.
  304. KeystoneEnableMember:
  305. description: Create the _member_ role, useful for undercloud deployment.
  306. type: boolean
  307. default: False
  308. KeystoneFederationEnable:
  309. type: boolean
  310. default: false
  311. description: Enable support for federated authentication.
  312. KeystoneTrustedDashboards:
  313. type: comma_delimited_list
  314. default: []
  315. description: A list of dashboard URLs trusted for single sign-on.
  316. KeystoneAuthMethods:
  317. type: comma_delimited_list
  318. default: []
  319. description: >-
  320. A list of methods used for authentication.
  321. KeystoneOpenIdcEnable:
  322. type: boolean
  323. default: false
  324. description: Enable support for OpenIDC federation.
  325. KeystoneOpenIdcIdpName:
  326. type: string
  327. default: ''
  328. description: The name associated with the IdP in Keystone.
  329. KeystoneOpenIdcProviderMetadataUrl:
  330. type: string
  331. default: ''
  332. description: The url that points to your OpenID Connect provider metadata
  333. KeystoneOpenIdcClientId:
  334. type: string
  335. default: ''
  336. description: >-
  337. The client ID to use when handshaking with your OpenID Connect provider
  338. KeystoneOpenIdcClientSecret:
  339. type: string
  340. default: ''
  341. description: >-
  342. The client secret to use when handshaking with your OpenID
  343. Connect provider
  344. KeystoneOpenIdcCryptoPassphrase:
  345. type: string
  346. default: 'openstack'
  347. description: >-
  348. Passphrase to use when encrypting data for OpenID Connect handshake.
  349. KeystoneOpenIdcResponseType:
  350. type: string
  351. default: 'id_token'
  352. description: Response type to be expected from the OpenID Connect provider.
  353. KeystoneOpenIdcRemoteIdAttribute:
  354. type: string
  355. default: 'HTTP_OIDC_ISS'
  356. description: >-
  357. Attribute to be used to obtain the entity ID of the Identity Provider
  358. from the environment.
  359. parameter_groups:
  360. - label: deprecated
  361. description: |
  362. The following parameters are deprecated and will be removed. They should not
  363. be relied on for new deployments. If you have concerns regarding deprecated
  364. parameters, please contact the TripleO development team on IRC or the
  365. OpenStack mailing list.
  366. parameters:
  367. - RpcPort
  368. - RpcUserName
  369. - RpcPassword
  370. - RpcUseSSL
  371. resources:
  372. ContainersCommon:
  373. type: ../containers-common.yaml
  374. MySQLClient:
  375. type: ../database/mysql-client.yaml
  376. ApacheServiceBase:
  377. type: ../../deployment/apache/apache-baremetal-puppet.yaml
  378. properties:
  379. ServiceData: {get_param: ServiceData}
  380. ServiceNetMap: {get_param: ServiceNetMap}
  381. DefaultPasswords: {get_param: DefaultPasswords}
  382. EndpointMap: {get_param: EndpointMap}
  383. RoleName: {get_param: RoleName}
  384. RoleParameters: {get_param: RoleParameters}
  385. EnableInternalTLS: {get_param: EnableInternalTLS}
  386. KeystoneLogging:
  387. type: OS::TripleO::Services::Logging::Keystone
  388. conditions:
  389. internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  390. keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
  391. keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
  392. keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
  393. keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
  394. service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
  395. # Security compliance
  396. change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
  397. disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
  398. lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
  399. lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
  400. minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
  401. password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
  402. password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
  403. password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
  404. unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
  405. cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
  406. outputs:
  407. role_data:
  408. description: Role data for the Keystone API role.
  409. value:
  410. service_name: keystone
  411. monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
  412. config_settings:
  413. map_merge:
  414. - get_attr: [ApacheServiceBase, role_data, config_settings]
  415. -
  416. if:
  417. - cors_allowed_origin_unset
  418. - {}
  419. - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
  420. - keystone_enable_member: {get_param: KeystoneEnableMember}
  421. - keystone::database_connection:
  422. make_url:
  423. scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
  424. username: keystone
  425. password: {get_param: AdminToken}
  426. host: {get_param: [EndpointMap, MysqlInternal, host]}
  427. path: /keystone
  428. query:
  429. read_default_file: /etc/my.cnf.d/tripleo.cnf
  430. read_default_group: tripleo
  431. keystone::token_expiration: {get_param: TokenExpiration}
  432. keystone::admin_token: {get_param: AdminToken}
  433. keystone::admin_password: {get_param: AdminPassword}
  434. keystone::roles::admin::password: {get_param: AdminPassword}
  435. keystone::policy::policies: {get_param: KeystonePolicies}
  436. keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
  437. keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
  438. keystone::token_provider: {get_param: KeystoneTokenProvider}
  439. keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
  440. keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
  441. keystone::enable_proxy_headers_parsing: true
  442. keystone::enable_credential_setup: true
  443. keystone::credential_keys:
  444. '/etc/keystone/credential-keys/0':
  445. content: {get_param: KeystoneCredential0}
  446. '/etc/keystone/credential-keys/1':
  447. content: {get_param: KeystoneCredential1}
  448. keystone::fernet_keys: {get_param: KeystoneFernetKeys}
  449. keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
  450. keystone::logging::debug:
  451. if:
  452. - service_debug_unset
  453. - {get_param: Debug }
  454. - {get_param: KeystoneDebug }
  455. keystone::notification_driver: {get_param: NotificationDriver}
  456. keystone::notification_format: {get_param: KeystoneNotificationFormat}
  457. tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
  458. keystone::roles::admin::email: {get_param: AdminEmail}
  459. keystone::roles::admin::password: {get_param: AdminPassword}
  460. keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  461. keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  462. keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  463. keystone::endpoint::region: {get_param: KeystoneRegion}
  464. keystone::endpoint::version: ''
  465. keystone::admin_port: {get_param: [EndpointMap, KeystoneAdmin, port]}
  466. keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
  467. keystone::rabbit_heartbeat_timeout_threshold: 60
  468. keystone::cron::token_flush::maxdelay: 3600
  469. keystone::roles::admin::service_tenant: 'service'
  470. keystone::roles::admin::admin_tenant: 'admin'
  471. keystone::cron::token_flush::destination: '/var/log/keystone/keystone-tokenflush.log'
  472. keystone::config::keystone_config:
  473. ec2/driver:
  474. value: 'keystone.contrib.ec2.backends.sql.Ec2'
  475. keystone::service_name: 'httpd'
  476. keystone::enable_ssl: {get_param: EnableInternalTLS}
  477. keystone::wsgi::apache::api_port:
  478. - 5000
  479. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  480. keystone::wsgi::apache::admin_port: {get_param: [EndpointMap, KeystoneAdmin, port]}
  481. keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
  482. keystone::wsgi::apache::servername:
  483. str_replace:
  484. template:
  485. "%{hiera('fqdn_$NETWORK')}"
  486. params:
  487. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  488. keystone::wsgi::apache::servername_admin:
  489. str_replace:
  490. template:
  491. "%{hiera('fqdn_$NETWORK')}"
  492. params:
  493. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  494. keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
  495. # override via extraconfig:
  496. keystone::wsgi::apache::threads: 1
  497. keystone::db::database_db_max_retries: -1
  498. keystone::db::database_max_retries: -1
  499. tripleo::keystone::firewall_rules:
  500. '111 keystone':
  501. dport:
  502. - 5000
  503. - 13000
  504. - {get_param: [EndpointMap, KeystoneAdmin, port]}
  505. keystone::admin_bind_host:
  506. str_replace:
  507. template:
  508. "%{hiera('fqdn_$NETWORK')}"
  509. params:
  510. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  511. keystone::public_bind_host:
  512. str_replace:
  513. template:
  514. "%{hiera('fqdn_$NETWORK')}"
  515. params:
  516. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  517. # NOTE: bind IP is found in hiera replacing the network name with the
  518. # local node IP for the given network; replacement examples
  519. # (eg. for internal_api):
  520. # internal_api -> IP
  521. # internal_api_uri -> [IP]
  522. # internal_api_subnet - > IP/CIDR
  523. # NOTE: this applies to all 2 bind IP settings below...
  524. keystone::wsgi::apache::bind_host:
  525. - str_replace:
  526. template:
  527. "%{hiera('$NETWORK')}"
  528. params:
  529. $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
  530. - str_replace:
  531. template:
  532. "%{hiera('$NETWORK')}"
  533. params:
  534. $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
  535. keystone::cron::token_flush::ensure: {get_param: KeystoneCronTokenFlushEnsure}
  536. keystone::cron::token_flush::minute: {get_param: KeystoneCronTokenFlushMinute}
  537. keystone::cron::token_flush::hour: {get_param: KeystoneCronTokenFlushHour}
  538. keystone::cron::token_flush::monthday: {get_param: KeystoneCronTokenFlushMonthday}
  539. keystone::cron::token_flush::month: {get_param: KeystoneCronTokenFlushMonth}
  540. keystone::cron::token_flush::weekday: {get_param: KeystoneCronTokenFlushWeekday}
  541. keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
  542. keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
  543. keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
  544. -
  545. if:
  546. - keystone_federation_enabled
  547. -
  548. keystone_federation_enabled: True
  549. keystone::federation::trusted_dashboards:
  550. get_param: KeystoneTrustedDashboards
  551. - {}
  552. -
  553. if:
  554. - keystone_openidc_enabled
  555. -
  556. keystone_openidc_enabled: True
  557. keystone::federation::openidc::methods:
  558. get_param: KeystoneAuthMethods
  559. keystone::federation::openidc::keystone_url:
  560. get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
  561. keystone::federation::openidc::idp_name:
  562. get_param: KeystoneOpenIdcIdpName
  563. keystone::federation::openidc::openidc_provider_metadata_url:
  564. get_param: KeystoneOpenIdcProviderMetadataUrl
  565. keystone::federation::openidc::openidc_client_id:
  566. get_param: KeystoneOpenIdcClientId
  567. keystone::federation::openidc::openidc_client_secret:
  568. get_param: KeystoneOpenIdcClientSecret
  569. keystone::federation::openidc::openidc_crypto_passphrase:
  570. get_param: KeystoneOpenIdcCryptoPassphrase
  571. keystone::federation::openidc::openidc_response_type:
  572. get_param: KeystoneOpenIdcResponseType
  573. keystone::federation::openidc::remote_id_attribute:
  574. get_param: KeystoneOpenIdcRemoteIdAttribute
  575. - {}
  576. -
  577. if:
  578. - keystone_ldap_domain_enabled
  579. -
  580. tripleo::profile::base::keystone::ldap_backend_enable: True
  581. keystone::using_domain_config: True
  582. tripleo::profile::base::keystone::ldap_backends_config:
  583. get_param: KeystoneLDAPBackendConfigs
  584. - {}
  585. -
  586. if:
  587. - change_password_upon_first_use_set
  588. - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
  589. - {}
  590. -
  591. if:
  592. - disable_user_account_days_inactive_set
  593. - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
  594. - {}
  595. -
  596. if:
  597. - lockout_duration_set
  598. - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
  599. - {}
  600. -
  601. if:
  602. - lockout_failure_attempts_set
  603. - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
  604. - {}
  605. -
  606. if:
  607. - minimum_password_age_set
  608. - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
  609. - {}
  610. -
  611. if:
  612. - password_expires_days_set
  613. - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
  614. - {}
  615. -
  616. if:
  617. - password_regex_set
  618. - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
  619. - {}
  620. -
  621. if:
  622. - password_regex_description_set
  623. - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
  624. - {}
  625. -
  626. if:
  627. - unique_last_password_count_set
  628. - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
  629. - {}
  630. - apache::default_vhost: false
  631. - get_attr: [KeystoneLogging, config_settings]
  632. service_config_settings:
  633. fluentd:
  634. tripleo_fluentd_groups_keystone:
  635. - keystone
  636. tripleo_fluentd_sources_keystone:
  637. - {get_param: KeystoneLoggingSource}
  638. - {get_param: KeystoneErrorLoggingSource}
  639. - {get_param: KeystoneAdminAccessLoggingSource}
  640. - {get_param: KeystoneAdminErrorLoggingSource}
  641. - {get_param: KeystoneMainAcccessLoggingSource}
  642. - {get_param: KeystoneMainErrorLoggingSource}
  643. mysql:
  644. keystone::db::mysql::password: {get_param: AdminToken}
  645. keystone::db::mysql::user: keystone
  646. keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
  647. keystone::db::mysql::dbname: keystone
  648. keystone::db::mysql::allowed_hosts:
  649. - '%'
  650. - "%{hiera('mysql_bind_host')}"
  651. pacemaker:
  652. keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
  653. keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
  654. keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
  655. keystone::endpoint::region: {get_param: KeystoneRegion}
  656. keystone::admin_password: {get_param: AdminPassword}
  657. horizon:
  658. if:
  659. - keystone_ldap_domain_enabled
  660. -
  661. horizon::keystone_multidomain_support: true
  662. horizon::keystone_default_domain: 'Default'
  663. - {}
  664. # BEGIN DOCKER SETTINGS
  665. puppet_config:
  666. config_volume: keystone
  667. puppet_tags: keystone_config,keystone_domain_config
  668. step_config:
  669. list_join:
  670. - "\n"
  671. - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
  672. - |
  673. include ::tripleo::profile::base::keystone
  674. - {get_attr: [MySQLClient, role_data, step_config]}
  675. config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
  676. kolla_config:
  677. /var/lib/kolla/config_files/keystone.json:
  678. command: /usr/sbin/httpd
  679. config_files:
  680. - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
  681. dest: "/etc/keystone/fernet-keys"
  682. merge: false
  683. preserve_properties: true
  684. - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
  685. dest: "/etc/httpd/conf.d"
  686. merge: false
  687. preserve_properties: true
  688. - source: "/var/lib/kolla/config_files/src/*"
  689. dest: "/"
  690. merge: true
  691. preserve_properties: true
  692. /var/lib/kolla/config_files/keystone_cron.json:
  693. # FIXME(dprince): this is unused ATM because Kolla hardcodes the
  694. # args for the keystone container to -DFOREGROUND
  695. command: /usr/sbin/crond -n
  696. config_files:
  697. - source: "/var/lib/kolla/config_files/src/*"
  698. dest: "/"
  699. merge: true
  700. preserve_properties: true
  701. permissions:
  702. - path: /var/log/keystone
  703. owner: keystone:keystone
  704. recurse: true
  705. docker_config:
  706. # Kolla_bootstrap/db sync runs before permissions set by kolla_config
  707. step_2:
  708. get_attr: [KeystoneLogging, docker_config, step_2]
  709. step_3:
  710. keystone_db_sync:
  711. image: &keystone_image {get_param: DockerKeystoneImage}
  712. net: host
  713. user: root
  714. privileged: false
  715. detach: false
  716. volumes: &keystone_volumes
  717. list_concat:
  718. - {get_attr: [ContainersCommon, volumes]}
  719. - {get_attr: [KeystoneLogging, volumes]}
  720. -
  721. - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
  722. - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
  723. -
  724. if:
  725. - internal_tls_enabled
  726. - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
  727. - ''
  728. -
  729. if:
  730. - internal_tls_enabled
  731. - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
  732. - ''
  733. environment:
  734. list_concat:
  735. - - KOLLA_BOOTSTRAP=True
  736. - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
  737. - {get_attr: [KeystoneLogging, environment]}
  738. command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
  739. keystone:
  740. start_order: 2
  741. image: *keystone_image
  742. net: host
  743. privileged: false
  744. restart: always
  745. healthcheck:
  746. test: /openstack/healthcheck
  747. volumes: *keystone_volumes
  748. environment:
  749. - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
  750. keystone_bootstrap:
  751. start_order: 3
  752. action: exec
  753. user: root
  754. command:
  755. [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ]
  756. environment:
  757. OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword}
  758. keystone_cron:
  759. start_order: 4
  760. image: *keystone_image
  761. user: root
  762. net: host
  763. privileged: false
  764. restart: always
  765. healthcheck:
  766. test: '/usr/share/openstack-tripleo-common/healthcheck/cron keystone'
  767. command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
  768. volumes:
  769. list_concat:
  770. - {get_attr: [ContainersCommon, volumes]}
  771. - {get_attr: [KeystoneLogging, volumes]}
  772. -
  773. - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
  774. - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
  775. environment:
  776. - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
  777. step_4:
  778. # There are cases where we need to refresh keystone after the resource provisioning,
  779. # such as the case of using LDAP backends for domains. So we trigger a graceful
  780. # restart [1], which shouldn't cause service disruption, but will reload new
  781. # configurations for keystone.
  782. # [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
  783. keystone_refresh:
  784. start_order: 1
  785. action: exec
  786. user: root
  787. command:
  788. [ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
  789. container_puppet_tasks:
  790. # Keystone endpoint creation occurs only on single node
  791. step_3:
  792. config_volume: 'keystone_init_tasks'
  793. puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
  794. step_config: 'include ::tripleo::profile::base::keystone'
  795. config_image: *keystone_config_image
  796. host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
  797. metadata_settings:
  798. get_attr: [ApacheServiceBase, role_data, metadata_settings]
  799. post_upgrade_tasks:
  800. - when: step|int == 1
  801. import_role:
  802. name: tripleo-docker-rm
  803. vars:
  804. containers_to_rm:
  805. - keystone
  806. - keystone_cron
  807. external_upgrade_tasks:
  808. - when:
  809. - step|int == 1
  810. tags:
  811. - never
  812. - system_upgrade_transfer_data
  813. - system_upgrade_stop_services
  814. block:
  815. - name: Stop keystone container
  816. import_role:
  817. name: tripleo-container-stop
  818. vars:
  819. tripleo_containers_to_stop:
  820. - keystone
  821. - keystone_cron
  822. tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"
  823. fast_forward_upgrade_tasks:
  824. - when:
  825. - step|int == 0
  826. - release == 'ocata'
  827. block:
  828. - name: Check for keystone running under apache
  829. tags: common
  830. shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
  831. ignore_errors: true
  832. register: keystone_httpd_enabled_result
  833. - name: Set fact keystone_httpd_enabled
  834. set_fact:
  835. keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
  836. - name: Check if httpd is running
  837. ignore_errors: True
  838. command: systemctl is-active --quiet httpd
  839. register: httpd_running_result
  840. when:
  841. - httpd_running is undefined
  842. - name: Set fact httpd_running if undefined
  843. set_fact:
  844. httpd_running: "{{ httpd_running_result.rc == 0 }}"
  845. when:
  846. - httpd_running is undefined
  847. - name: Stop and disable keystone (under httpd)
  848. service: name=httpd state=stopped enabled=no
  849. when:
  850. - step|int == 1
  851. - release == 'ocata'
  852. - keystone_httpd_enabled|bool
  853. - httpd_running|bool
  854. - name: Keystone package update
  855. package:
  856. name: 'openstack-keystone*'
  857. state: latest
  858. when:
  859. - step|int == 6
  860. - is_bootstrap_node|bool
  861. - name: keystone db sync
  862. command: keystone-manage db_sync
  863. when:
  864. - step|int == 8
  865. - is_bootstrap_node|bool