openstack/tripleo-heat-templates
Code Issues Proposed changes
b66c7bde4b
tripleo-heat-templates/docker/services/keystone.yaml
Juan Antonio Osorio Robles dd43ba1cf2 Bind mount directories that contain the key/certs for keystone 
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd. Which is
the commit this is on top of.

Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.

bp tls-via-certmonger-containers

Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
2017-04-12 09:45:17 +00:00

146 lines
5.2 KiB
YAML
Raw Blame History

heat_template_version: ocata
description: >
OpenStack containerized Keystone service
parameters:
DockerNamespace:
description: namespace
default: 'tripleoupstream'
type: string
DockerKeystoneImage:
description: image
default: 'centos-binary-keystone:latest'
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
EnableInternalTLS:
type: boolean
default: false
resources:
KeystoneBase:
type: ../../puppet/services/keystone.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
description: Role data for the Keystone API role.
value:
service_name: {get_attr: [KeystoneBase, role_data, service_name]}
config_settings:
map_merge:
- get_attr: [KeystoneBase, role_data, config_settings]
- apache::default_vhost: false
step_config: &step_config
list_join:
- "\n"
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
- {get_attr: [KeystoneBase, role_data, step_config]}
service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: keystone
puppet_tags: keystone_config
step_config: *step_config
config_image: &keystone_image
list_join:
- '/'
- [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ]
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
docker_config:
step_3:
keystone-init-log:
start_order: 0
image: *keystone_image
user: root
command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && mkdir -p /var/log/keystone && chown keystone:keystone /var/log/keystone']
volumes:
- logs:/var/log
keystone_db_sync:
start_order: 1
image: *keystone_image
net: host
privileged: false
detach: false
volumes: &keystone_volumes
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/keystone/var/www/:/var/www/:ro
- /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro
- /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
keystone:
start_order: 1
image: *keystone_image
net: host
privileged: false
restart: always
volumes: *keystone_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
keystone_bootstrap:
start_order: 2
action: exec
command:
[ 'keystone', 'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
docker_puppet_tasks:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_image
upgrade_tasks:
- name: Stop and disable keystone service (running under httpd)
tags: step2
service: name=httpd state=stopped enabled=no
metadata_settings:
get_attr: [KeystoneBase, role_data, metadata_settings]
View Git Blame Copy Permalink