dd43ba1cf2
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. Which is the commit this is on top of. Also, an environment file was added that's similar to environments/docker.yaml. The difference is that this one will contain the services that can run containerized with TLS-everywhere. This file will be updated as more services get support for this. bp tls-via-certmonger-containers Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
146 lines
5.2 KiB
YAML
146 lines
5.2 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
OpenStack containerized Keystone service
|
|
|
|
parameters:
|
|
DockerNamespace:
|
|
description: namespace
|
|
default: 'tripleoupstream'
|
|
type: string
|
|
DockerKeystoneImage:
|
|
description: image
|
|
default: 'centos-binary-keystone:latest'
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
AdminPassword:
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
type: string
|
|
hidden: true
|
|
KeystoneTokenProvider:
|
|
description: The keystone token format
|
|
type: string
|
|
default: 'fernet'
|
|
constraints:
|
|
- allowed_values: ['uuid', 'fernet']
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
resources:
|
|
|
|
KeystoneBase:
|
|
type: ../../puppet/services/keystone.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Keystone API role.
|
|
value:
|
|
service_name: {get_attr: [KeystoneBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [KeystoneBase, role_data, config_settings]
|
|
- apache::default_vhost: false
|
|
step_config: &step_config
|
|
list_join:
|
|
- "\n"
|
|
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
|
|
- {get_attr: [KeystoneBase, role_data, step_config]}
|
|
service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: keystone
|
|
puppet_tags: keystone_config
|
|
step_config: *step_config
|
|
config_image: &keystone_image
|
|
list_join:
|
|
- '/'
|
|
- [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ]
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/keystone.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
docker_config:
|
|
step_3:
|
|
keystone-init-log:
|
|
start_order: 0
|
|
image: *keystone_image
|
|
user: root
|
|
command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && mkdir -p /var/log/keystone && chown keystone:keystone /var/log/keystone']
|
|
volumes:
|
|
- logs:/var/log
|
|
keystone_db_sync:
|
|
start_order: 1
|
|
image: *keystone_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
volumes: &keystone_volumes
|
|
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/keystone/var/www/:/var/www/:ro
|
|
- /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro
|
|
- /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro
|
|
- /etc/hosts:/etc/hosts:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- logs:/var/log
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- ''
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- ''
|
|
environment:
|
|
- KOLLA_BOOTSTRAP=True
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
keystone:
|
|
start_order: 1
|
|
image: *keystone_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
volumes: *keystone_volumes
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
keystone_bootstrap:
|
|
start_order: 2
|
|
action: exec
|
|
command:
|
|
[ 'keystone', 'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
|
|
docker_puppet_tasks:
|
|
# Keystone endpoint creation occurs only on single node
|
|
step_3:
|
|
config_volume: 'keystone_init_tasks'
|
|
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
|
|
step_config: 'include ::tripleo::profile::base::keystone'
|
|
config_image: *keystone_image
|
|
upgrade_tasks:
|
|
- name: Stop and disable keystone service (running under httpd)
|
|
tags: step2
|
|
service: name=httpd state=stopped enabled=no
|
|
metadata_settings:
|
|
get_attr: [KeystoneBase, role_data, metadata_settings]
|