925e2db462
This was introduced to manage keystone resources (users, projects and so on) by puppet but now these resources are managed by ansible. Change-Id: I9e76f21e41e2891f959cbf41b89cba07b2e67632
942 lines
39 KiB
YAML
942 lines
39 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Keystone service
|
|
|
|
parameters:
|
|
ContainerKeystoneImage:
|
|
description: image
|
|
type: string
|
|
ContainerKeystoneConfigImage:
|
|
description: The container image to use for the keystone config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
AdminPassword:
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
type: string
|
|
hidden: true
|
|
KeystoneTokenProvider:
|
|
description: The keystone token format
|
|
type: string
|
|
default: 'fernet'
|
|
constraints:
|
|
- allowed_values: ['fernet']
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
PublicSSLCertificateAutogenerated:
|
|
default: false
|
|
description: >
|
|
Whether the public SSL certificate was autogenerated or not.
|
|
type: boolean
|
|
EnablePublicTLS:
|
|
default: true
|
|
description: >
|
|
Whether to enable TLS on the public interface or not.
|
|
type: boolean
|
|
PublicTLSCAFile:
|
|
default: ''
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the public network.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
MemcachedTLS:
|
|
default: false
|
|
description: Set to True to enable TLS on Memcached service.
|
|
Because not all services support Memcached TLS, during the
|
|
migration period, Memcached will listen on 2 ports - on the
|
|
port set with MemcachedPort parameter (above) and on 11211,
|
|
without TLS.
|
|
type: boolean
|
|
KeystoneSSLCertificate:
|
|
default: ''
|
|
description: Keystone certificate for verifying token validity.
|
|
type: string
|
|
KeystoneSSLCertificateKey:
|
|
default: ''
|
|
description: Keystone key for signing tokens.
|
|
type: string
|
|
hidden: true
|
|
KeystoneNotificationFormat:
|
|
description: The Keystone notification format
|
|
default: 'basic'
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ 'basic', 'cadf' ]
|
|
KeystoneNotificationTopics:
|
|
description: Keystone notification topics to enable
|
|
default: []
|
|
type: comma_delimited_list
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
KeystoneDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Keystone service.
|
|
type: boolean
|
|
EnableCache:
|
|
description: Enable caching with memcached
|
|
type: boolean
|
|
default: true
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
KeystonePassword:
|
|
description: The password for the nova service and db account
|
|
default: ''
|
|
type: string
|
|
hidden: true
|
|
TokenExpiration:
|
|
default: 3600
|
|
description: Set a token expiration time in seconds.
|
|
type: number
|
|
KeystoneWorkers:
|
|
type: string
|
|
description: Set the number of workers for keystone::wsgi::apache
|
|
default: '%{::os_workers_keystone}'
|
|
MonitoringSubscriptionKeystone:
|
|
default: 'overcloud-keystone'
|
|
type: string
|
|
KeystoneCredential0:
|
|
type: string
|
|
description: The first Keystone credential key. Must be a valid key.
|
|
KeystoneCredential1:
|
|
type: string
|
|
description: The second Keystone credential key. Must be a valid key.
|
|
KeystoneFernetKeys:
|
|
type: json
|
|
description: Mapping containing keystone's fernet keys and their paths.
|
|
KeystoneFernetMaxActiveKeys:
|
|
type: number
|
|
description: The maximum active keys in the keystone fernet key repository.
|
|
default: 5
|
|
ManageKeystoneFernetKeys:
|
|
type: boolean
|
|
default: true
|
|
description: Whether TripleO should manage the keystone fernet keys or not.
|
|
If set to true, the fernet keys will get the values from the
|
|
saved keys repository in mistral (the KeystoneFernetKeys
|
|
variable). If set to false, only the stack creation
|
|
initializes the keys, but subsequent updates won't touch them.
|
|
KeystoneLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.keystone
|
|
file: /var/log/containers/keystone/keystone.log
|
|
KeystonePolicies:
|
|
description: |
|
|
A hash of policies to configure for Keystone.
|
|
e.g. { keystone-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
KeystoneLDAPDomainEnable:
|
|
description: Trigger to call ldap_backend puppet keystone define.
|
|
type: boolean
|
|
default: False
|
|
KeystoneLDAPBackendConfigs:
|
|
description: Hash containing the configurations for the LDAP backends
|
|
configured in keystone.
|
|
type: json
|
|
default: {}
|
|
hidden: true
|
|
NotificationDriver:
|
|
type: comma_delimited_list
|
|
default: 'noop'
|
|
description: Driver or drivers to handle sending notifications.
|
|
KeystoneEnableDBPurge:
|
|
default: true
|
|
description: |
|
|
Whether to create cron job for purging soft deleted rows in Keystone database.
|
|
type: boolean
|
|
KeystoneCronTrustFlushEnsure:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Ensure
|
|
default: 'present'
|
|
KeystoneCronTrustFlushMinute:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Minute
|
|
default: '1'
|
|
KeystoneCronTrustFlushHour:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Hour
|
|
default: '*'
|
|
KeystoneCronTrustFlushMonthday:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Month Day
|
|
default: '*'
|
|
KeystoneCronTrustFlushMonth:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Month
|
|
default: '*'
|
|
KeystoneCronTrustFlushWeekday:
|
|
type: comma_delimited_list
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Week Day
|
|
default: '*'
|
|
KeystoneCronTrustFlushMaxDelay:
|
|
type: number
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Max Delay
|
|
default: 0
|
|
KeystoneCronTrustFlushDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - Log destination
|
|
default: '/var/log/keystone/keystone-trustflush.log'
|
|
KeystoneCronTrustFlushUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge expired or soft-deleted trusts - User
|
|
default: 'keystone'
|
|
KeystoneChangePasswordUponFirstUse:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
Enabling this option requires users to change their password when the
|
|
user is created, or upon administrative reset.
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
KeystoneDisableUserAccountDaysInactive:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The maximum number of days a user can go without authenticating before
|
|
being considered "inactive" and automatically disabled (locked).
|
|
KeystoneLockoutDuration:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The number of seconds a user account will be locked when the maximum
|
|
number of failed authentication attempts (as specified by
|
|
KeystoneLockoutFailureAttempts) is exceeded.
|
|
KeystoneLockoutFailureAttempts:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The maximum number of times that a user can fail to authenticate before
|
|
the user account is locked for the number of seconds specified by
|
|
KeystoneLockoutDuration.
|
|
KeystoneMinimumPasswordAge:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The number of days that a password must be used before the user can
|
|
change it. This prevents users from changing their passwords immediately
|
|
in order to wipe out their password history and reuse an old password.
|
|
KeystonePasswordExpiresDays:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The number of days for which a password will be considered valid before
|
|
requiring it to be changed.
|
|
KeystonePasswordRegex:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The regular expression used to validate password strength requirements.
|
|
KeystonePasswordRegexDescription:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
Describe your password regular expression here in language for humans.
|
|
KeystoneUniqueLastPasswordCount:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
This controls the number of previous user password iterations to keep in
|
|
history, in order to enforce that newly created passwords are unique.
|
|
KeystoneCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
KeystoneEnableMember:
|
|
description: Create the _member_ role, useful for undercloud deployment.
|
|
type: boolean
|
|
default: False
|
|
KeystoneFederationEnable:
|
|
type: boolean
|
|
default: false
|
|
description: Enable support for federated authentication.
|
|
KeystoneTrustedDashboards:
|
|
type: comma_delimited_list
|
|
default: []
|
|
description: A list of dashboard URLs trusted for single sign-on.
|
|
KeystoneAuthMethods:
|
|
type: comma_delimited_list
|
|
default: []
|
|
description: >-
|
|
A list of methods used for authentication.
|
|
KeystoneOpenIdcEnable:
|
|
type: boolean
|
|
default: false
|
|
description: Enable support for OpenIDC federation.
|
|
KeystoneOpenIdcIdpName:
|
|
type: string
|
|
default: ''
|
|
description: The name associated with the IdP in Keystone.
|
|
KeystoneOpenIdcProviderMetadataUrl:
|
|
type: string
|
|
default: ''
|
|
description: The url that points to your OpenID Connect provider metadata
|
|
KeystoneOpenIdcClientId:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The client ID to use when handshaking with your OpenID Connect provider
|
|
KeystoneOpenIdcClientSecret:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
The client secret to use when handshaking with your OpenID
|
|
Connect provider
|
|
KeystoneOpenIdcCryptoPassphrase:
|
|
type: string
|
|
default: 'openstack'
|
|
description: >-
|
|
Passphrase to use when encrypting data for OpenID Connect handshake.
|
|
KeystoneOpenIdcResponseType:
|
|
type: string
|
|
default: 'id_token'
|
|
description: Response type to be expected from the OpenID Connect provider.
|
|
KeystoneOpenIdcRemoteIdAttribute:
|
|
type: string
|
|
default: 'HTTP_OIDC_ISS'
|
|
description: >-
|
|
Attribute to be used to obtain the entity ID of the Identity Provider
|
|
from the environment.
|
|
KeystoneOpenIdcEnableOAuth:
|
|
type: boolean
|
|
default: false
|
|
description: >-
|
|
Enable OAuth 2.0 integration.
|
|
KeystoneOpenIdcIntrospectionEndpoint:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
OAuth 2.0 introspection endpoint for mod_auth_openidc
|
|
KeystoneOpenIdcClaimDelimiter:
|
|
type: string
|
|
default: ';'
|
|
description: >-
|
|
The delimiter to use when setting multi-valued claims.
|
|
KeystoneOpenIdcPassUserInfoAs:
|
|
type: string
|
|
default: 'claims'
|
|
description: >-
|
|
Define the way(s) in which the claims resolved from the userinfo endpoint
|
|
are passed to the application according to OIDCPassClaimsAs.
|
|
constraints:
|
|
- allowed_values: ['claims', 'json', 'jwt']
|
|
KeystoneOpenIdcPassClaimsAs:
|
|
type: string
|
|
default: 'both'
|
|
description: >-
|
|
Define the way in which the claims and tokens are passed to the application environment:
|
|
"none": no claims/tokens are passed
|
|
"environment": claims/tokens are passed as environment variables
|
|
"headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
|
|
"both": claims/tokens are passed as both headers as well as environment variables (default)
|
|
constraints:
|
|
- allowed_values: ['none', 'environment', 'headers', 'both']
|
|
RootStackName:
|
|
description: The name of the stack/plan.
|
|
type: string
|
|
AdminToken:
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
default: ''
|
|
type: string
|
|
hidden: true
|
|
EnforceSecureRbac:
|
|
type: boolean
|
|
default: false
|
|
description: >-
|
|
Setting this option to True will configure each OpenStack service to
|
|
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
|
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
|
of RBAC personas across OpenStack services that include support for
|
|
system and project scope, as well as keystone's default roles, admin,
|
|
member, and reader. Do not enable this functionality until all services in
|
|
your deployment actually support secure RBAC.
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- AdminToken
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
KeystoneLogging:
|
|
type: OS::TripleO::Services::Logging::Keystone
|
|
|
|
conditions:
|
|
public_tls_enabled:
|
|
and:
|
|
- {get_param: EnablePublicTLS}
|
|
- or:
|
|
- not:
|
|
equals:
|
|
- {get_param: SSLCertificate}
|
|
- ""
|
|
- {get_param: PublicSSLCertificateAutogenerated}
|
|
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
|
nontls_cache_enabled:
|
|
and:
|
|
- {get_param: EnableCache}
|
|
- not: {get_param: MemcachedTLS}
|
|
tls_cache_enabled:
|
|
and:
|
|
- {get_param: EnableCache}
|
|
- {get_param: MemcachedTLS}
|
|
# Security compliance
|
|
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
|
|
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
|
|
lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
|
|
lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
|
|
minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
|
|
password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
|
|
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
|
|
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
|
|
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
|
|
cors_allowed_origin_set: {not: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}}
|
|
admin_token_set: {not: {equals: [{get_param: AdminToken}, '']}}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Keystone API role.
|
|
value:
|
|
service_name: keystone
|
|
firewall_rules:
|
|
'111 keystone':
|
|
dport:
|
|
- 5000
|
|
- 13000
|
|
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- if:
|
|
- cors_allowed_origin_set
|
|
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
|
|
- keystone::db::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: keystone
|
|
password:
|
|
if:
|
|
- admin_token_set
|
|
- {get_param: AdminToken}
|
|
- {get_param: KeystonePassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /keystone
|
|
query:
|
|
if:
|
|
- {get_param: EnableSQLAlchemyCollectd}
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
plugin: collectd
|
|
collectd_program_name: keystone
|
|
collectd_host: localhost
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
keystone::token_expiration: {get_param: TokenExpiration}
|
|
keystone::policy::policies: {get_param: KeystonePolicies}
|
|
keystone_ssl_certificate: {get_param: KeystoneSSLCertificate}
|
|
keystone_ssl_certificate_key: {get_param: KeystoneSSLCertificateKey}
|
|
keystone::token_provider: {get_param: KeystoneTokenProvider}
|
|
keystone::enable_fernet_setup: {if: [keystone_fernet_tokens, true, false]}
|
|
keystone::fernet_max_active_keys: {get_param: KeystoneFernetMaxActiveKeys}
|
|
keystone::enable_proxy_headers_parsing: true
|
|
keystone::enable_credential_setup: true
|
|
keystone::credential_keys:
|
|
'/etc/keystone/credential-keys/0':
|
|
content: {get_param: KeystoneCredential0}
|
|
'/etc/keystone/credential-keys/1':
|
|
content: {get_param: KeystoneCredential1}
|
|
keystone::fernet_keys: {get_param: KeystoneFernetKeys}
|
|
keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
|
|
keystone::logging::debug:
|
|
if:
|
|
- {get_param: KeystoneDebug}
|
|
- true
|
|
- {get_param: Debug }
|
|
keystone::notification_driver: {get_param: NotificationDriver}
|
|
keystone::notification_format: {get_param: KeystoneNotificationFormat}
|
|
tripleo::profile::base::keystone::extra_notification_topics: {get_param: KeystoneNotificationTopics}
|
|
keystone_enable_db_purge: {get_param: KeystoneEnableDBPurge}
|
|
keystone::cron::trust_flush::ensure: {get_param: KeystoneCronTrustFlushEnsure}
|
|
keystone::cron::trust_flush::minute: {get_param: KeystoneCronTrustFlushMinute}
|
|
keystone::cron::trust_flush::hour: {get_param: KeystoneCronTrustFlushHour}
|
|
keystone::cron::trust_flush::monthday: {get_param: KeystoneCronTrustFlushMonthday}
|
|
keystone::cron::trust_flush::month: {get_param: KeystoneCronTrustFlushMonth}
|
|
keystone::cron::trust_flush::weekday: {get_param: KeystoneCronTrustFlushWeekday}
|
|
keystone::cron::trust_flush::maxdelay: {get_param: KeystoneCronTrustFlushMaxDelay}
|
|
keystone::cron::trust_flush::destination: {get_param: KeystoneCronTrustFlushDestination}
|
|
keystone::cron::trust_flush::user: {get_param: KeystoneCronTrustFlushUser}
|
|
keystone::rabbit_heartbeat_timeout_threshold: 60
|
|
keystone::service_name: 'httpd'
|
|
keystone::enable_ssl: {get_param: EnableInternalTLS}
|
|
keystone::wsgi::apache::api_port:
|
|
- 5000
|
|
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
|
keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
keystone::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
|
|
# override via extraconfig:
|
|
keystone::wsgi::apache::threads: 1
|
|
keystone::db::database_db_max_retries: -1
|
|
keystone::db::database_max_retries: -1
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
# NOTE: this applies to all 2 bind IP settings below...
|
|
keystone::wsgi::apache::bind_host:
|
|
- str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
|
|
- str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
|
- keystone::cache::enabled: {get_param: EnableCache}
|
|
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
|
- if:
|
|
- tls_cache_enabled
|
|
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
|
- keystone::cache::backend: 'dogpile.cache.memcached'
|
|
- if:
|
|
- {get_param: KeystoneFederationEnable}
|
|
- keystone_federation_enabled: True
|
|
keystone::federation::trusted_dashboards:
|
|
get_param: KeystoneTrustedDashboards
|
|
- if:
|
|
- {get_param: KeystoneOpenIdcEnable}
|
|
- keystone_openidc_enabled: True
|
|
keystone::federation::openidc::methods:
|
|
get_param: KeystoneAuthMethods
|
|
keystone::federation::openidc::keystone_url:
|
|
get_param: [EndpointMap, KeystonePublic, uri_no_suffix]
|
|
keystone::federation::openidc::idp_name:
|
|
get_param: KeystoneOpenIdcIdpName
|
|
keystone::federation::openidc::openidc_provider_metadata_url:
|
|
get_param: KeystoneOpenIdcProviderMetadataUrl
|
|
keystone::federation::openidc::openidc_client_id:
|
|
get_param: KeystoneOpenIdcClientId
|
|
keystone::federation::openidc::openidc_client_secret:
|
|
get_param: KeystoneOpenIdcClientSecret
|
|
keystone::federation::openidc::openidc_crypto_passphrase:
|
|
get_param: KeystoneOpenIdcCryptoPassphrase
|
|
keystone::federation::openidc::openidc_response_type:
|
|
get_param: KeystoneOpenIdcResponseType
|
|
keystone::federation::openidc::remote_id_attribute:
|
|
get_param: KeystoneOpenIdcRemoteIdAttribute
|
|
keystone::federation::openidc::openidc_enable_oauth:
|
|
get_param: KeystoneOpenIdcEnableOAuth
|
|
keystone::federation::openidc::openidc_introspection_endpoint:
|
|
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
|
keystone::federation::openidc::openidc_pass_userinfo_as:
|
|
get_param: KeystoneOpenIdcPassUserInfoAs
|
|
keystone::federation::openidc::openidc_pass_claim_as:
|
|
get_param: KeystoneOpenIdcPassClaimsAs
|
|
keystone::federation::openidc::openidc_claim_delimiter:
|
|
get_param: KeystoneOpenIdcClaimDelimiter
|
|
keystone::federation::openidc::openidc_cache_type:
|
|
if:
|
|
- nontls_cache_enabled
|
|
- 'memcache'
|
|
- if:
|
|
- {get_param: KeystoneLDAPDomainEnable}
|
|
- tripleo::profile::base::keystone::ldap_backend_enable: True
|
|
keystone::using_domain_config: True
|
|
tripleo::profile::base::keystone::ldap_backends_config:
|
|
get_param: KeystoneLDAPBackendConfigs
|
|
- if:
|
|
- change_password_upon_first_use_set
|
|
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
|
|
- if:
|
|
- disable_user_account_days_inactive_set
|
|
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
|
|
- if:
|
|
- lockout_duration_set
|
|
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
|
|
- if:
|
|
- lockout_failure_attempts_set
|
|
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
|
|
- if:
|
|
- minimum_password_age_set
|
|
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
|
|
- if:
|
|
- password_expires_days_set
|
|
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
|
|
- if:
|
|
- password_regex_set
|
|
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
|
|
- if:
|
|
- password_regex_description_set
|
|
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
|
|
- if:
|
|
- unique_last_password_count_set
|
|
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
|
|
- apache::default_vhost: false
|
|
- get_attr: [KeystoneLogging, config_settings]
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_keystone: {get_param: KeystoneLoggingSource}
|
|
mysql:
|
|
keystone::db::mysql::password:
|
|
if:
|
|
- admin_token_set
|
|
- {get_param: AdminToken}
|
|
- {get_param: KeystonePassword}
|
|
keystone::db::mysql::user: keystone
|
|
keystone::db::mysql::host: '%'
|
|
keystone::db::mysql::dbname: keystone
|
|
pacemaker:
|
|
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
keystone::endpoint::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
keystone::endpoint::region: {get_param: KeystoneRegion}
|
|
keystone::admin_password: {get_param: AdminPassword}
|
|
horizon:
|
|
if:
|
|
- {get_param: KeystoneLDAPDomainEnable}
|
|
- horizon::keystone_multidomain_support: true
|
|
horizon::keystone_default_domain: 'Default'
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: keystone
|
|
puppet_tags: keystone_config,keystone_domain_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
|
|
- |
|
|
include tripleo::profile::base::keystone
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: &keystone_config_image {get_param: ContainerKeystoneConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/keystone.json:
|
|
command: /usr/sbin/httpd
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
|
|
dest: "/etc/keystone/fernet-keys"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/keystone_cron.json:
|
|
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
|
|
# args for the keystone container to -DFOREGROUND
|
|
command: /usr/sbin/crond -n
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
docker_config:
|
|
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
|
|
step_2:
|
|
get_attr: [KeystoneLogging, docker_config, step_2]
|
|
step_3:
|
|
keystone_db_sync:
|
|
image: &keystone_image {get_param: ContainerKeystoneImage}
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
detach: false
|
|
volumes: &keystone_volumes
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [KeystoneLogging, volumes]}
|
|
- - /etc/openldap:/etc/openldap:ro
|
|
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
map_merge:
|
|
- {get_attr: [KeystoneLogging, environment]}
|
|
- KOLLA_BOOTSTRAP: true
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
|
|
keystone:
|
|
start_order: 2
|
|
image: *keystone_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes: *keystone_volumes
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
keystone_bootstrap:
|
|
start_order: 3
|
|
action: exec
|
|
user: root
|
|
command:
|
|
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ]
|
|
environment:
|
|
KOLLA_BOOTSTRAP: true
|
|
OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword}
|
|
OS_BOOTSTRAP_USERNAME: 'admin'
|
|
OS_BOOTSTRAP_PROJECT_NAME: 'admin'
|
|
OS_BOOTSTRAP_ROLE_NAME: 'admin'
|
|
OS_BOOTSTRAP_SERVICE_NAME: 'keystone'
|
|
OS_BOOTSTRAP_ADMIN_URL: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion}
|
|
keystone_cron:
|
|
start_order: 4
|
|
image: *keystone_image
|
|
user: root
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: '/usr/share/openstack-tripleo-common/healthcheck/cron keystone'
|
|
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [KeystoneLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
step_4:
|
|
# There are cases where we need to refresh keystone after the resource provisioning,
|
|
# such as the case of using LDAP backends for domains. So we trigger a graceful
|
|
# restart [1], which shouldn't cause service disruption, but will reload new
|
|
# configurations for keystone.
|
|
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
|
|
keystone_refresh:
|
|
start_order: 1
|
|
action: exec
|
|
user: root
|
|
command:
|
|
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
|
|
external_deploy_tasks:
|
|
- name: Manage clouds.yaml files
|
|
when:
|
|
- step|int == 1
|
|
- not ansible_check_mode|bool
|
|
block:
|
|
- name: Create /etc/openstack directory if it does not exist
|
|
become: true
|
|
file:
|
|
mode: '0755'
|
|
owner: root
|
|
path: /etc/openstack
|
|
state: directory
|
|
- name: Configure /etc/openstack/clouds.yaml
|
|
include_role:
|
|
name: tripleo_keystone_resources
|
|
tasks_from: clouds
|
|
vars:
|
|
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
|
|
tripleo_keystone_resources_cloud_config:
|
|
auth:
|
|
auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
password: {get_param: AdminPassword}
|
|
project_domain_name: Default
|
|
project_name: admin
|
|
user_domain_name: Default
|
|
username: admin
|
|
cacert:
|
|
if:
|
|
- public_tls_enabled
|
|
- {get_param: PublicTLSCAFile}
|
|
- ''
|
|
identity_api_version: '3'
|
|
volume_api_version: '3'
|
|
region_name: {get_param: KeystoneRegion}
|
|
- name: Configure system admin account in /etc/openstack/clouds.yaml
|
|
include_role:
|
|
name: tripleo_keystone_resources
|
|
tasks_from: clouds
|
|
vars:
|
|
tripleo_keystone_resources_cloud_name:
|
|
list_join:
|
|
- '-'
|
|
- - {get_param: RootStackName}
|
|
- 'system-admin'
|
|
tripleo_keystone_resources_cloud_config:
|
|
auth:
|
|
auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
password: {get_param: AdminPassword}
|
|
system_scope: all
|
|
user_domain_name: Default
|
|
username: admin
|
|
cacert:
|
|
if:
|
|
- public_tls_enabled
|
|
- {get_param: PublicTLSCAFile}
|
|
- ''
|
|
identity_api_version: '3'
|
|
volume_api_version: '3'
|
|
region_name: {get_param: KeystoneRegion}
|
|
- name: Manage Keystone resources
|
|
become: true
|
|
when:
|
|
- step|int == 4
|
|
- not ansible_check_mode|bool
|
|
block:
|
|
- name: Manage Keystone resources for OpenStack services
|
|
include_role:
|
|
name: tripleo_keystone_resources
|
|
vars:
|
|
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
|
|
tripleo_keystone_resources_service_project: 'service'
|
|
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
|
|
tripleo_keystone_resources_region: {get_param: KeystoneRegion}
|
|
tripleo_keystone_resources_admin_endpoint: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
tripleo_keystone_resources_public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
tripleo_keystone_resources_internal_endpoint: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
tripleo_keystone_resources_admin_password: {get_param: AdminPassword}
|
|
tripleo_keystone_resources_member_role_enabled: {get_param: KeystoneEnableMember}
|
|
- name: is Keystone LDAP enabled
|
|
set_fact:
|
|
keystone_ldap_domain_enabled: {get_param: KeystoneLDAPDomainEnable}
|
|
- name: Set fact for tripleo_keystone_ldap_domains
|
|
set_fact:
|
|
tripleo_keystone_ldap_domains: {get_param: KeystoneLDAPBackendConfigs}
|
|
when: keystone_ldap_domain_enabled|bool
|
|
- name: Manage Keystone domains from LDAP config
|
|
when: keystone_ldap_domain_enabled|bool
|
|
include_role:
|
|
name: tripleo_keystone_resources
|
|
tasks_from: domains
|
|
vars:
|
|
tripleo_keystone_resources_catalog_config: "{{ keystone_resources }}"
|
|
tripleo_keystone_resources_cloud_name: {get_param: RootStackName}
|
|
batched_tripleo_keystone_resources_domains: "{{ tripleo_keystone_ldap_domains | list }}"
|
|
deploy_steps_tasks:
|
|
list_concat:
|
|
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
- - name: validate keystone container state
|
|
containers.podman.podman_container_info:
|
|
name: keystone
|
|
register: keystone_infos
|
|
failed_when:
|
|
- keystone_infos.containers.0.Healthcheck.Status is defined
|
|
- "'healthy' not in keystone_infos.containers.0.Healthcheck.Status"
|
|
retries: 10
|
|
delay: 30
|
|
tags:
|
|
- opendev-validation
|
|
- opendev-validation-keystone
|
|
when:
|
|
- container_cli == 'podman'
|
|
- not container_healthcheck_disabled
|
|
- step|int == 4
|
|
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop keystone container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- keystone
|
|
- keystone_cron
|
|
tripleo_delegate_to: "{{ groups['keystone'] | default([]) }}"
|