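---
# fuel-ccp service definition for keystone.
# The file is a Jinja template: `{{ ... }}` and the `# {% ... %}` comment lines
# are presumably expanded by the renderer before the text is parsed as YAML,
# so bare `{{ keystone.public_port }}` values end up as plain integers.
dsl_version: 0.6.0

service:
  name: keystone
  ports:
    - {{ keystone.public_port }}
    - {{ keystone.admin_port }}
  annotations:
    service:
      prometheus.io/probe: "true"
      prometheus.io/probe_path: "/v3"
  containers:
    - name: keystone
      image: keystone
      probes:
        readiness:
          type: "httpGet"
          port: {{ keystone.admin_port.cont }}
          path: "/"
          # {% if keystone.tls.enabled %}
          scheme: "https"
          # {% endif %}
      volumes:
        - name: keystone-logs
          path: "/var/log/ccp/keystone"
          type: host
          # Canonical lowercase boolean (was `False`, which only YAML 1.1
          # loaders read as a bool).
          readOnly: false
      pre:
        # These chown/chmod steps run via sudo inside the container; the
        # fernet directory is locked down to the keystone user only.
        - name: chown-logs-dir
          command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
        - name: chown-fernet-dir
          command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
        - name: fernet-dir-permissions
          command: "/bin/chmod 0700 /etc/keystone/fernet-keys"
        - name: keystone-generate-fernet-keys
          command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
          type: single
          files:
            - fernet-manage
        - name: keystone-db-create
          dependencies:
            - database
          type: single
          # NOTE(review): both db.root_password and keystone.db.password are
          # passed on the mysql command line (`-p...` and inside `-e`), so they
          # are visible in process listings and in any job log that echoes the
          # command. Prefer an option file or MYSQL_PWD if the DSL can supply
          # them out-of-band; confirm how job commands are logged.
          # NOTE(review): `grant super on *.*` is a server-wide privilege,
          # well beyond the keystone schema; keep it only if db_sync is known
          # to require it on this MySQL setup (e.g. trigger creation with
          # binary logging), otherwise drop it for least privilege.
          command: >-
            mysql -u root -p{{ db.root_password }} -h {{ address("database") }} -e "create database {{ keystone.db.name }};
            create user '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}' {% if db.tls.enabled %} require ssl {% endif %};
            grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}' {% if db.tls.enabled %} require ssl {% endif %};
            grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}' {% if db.tls.enabled %} require ssl {% endif %};"
        - name: keystone-db-sync
          files:
            - keystone-conf
          dependencies:
            - keystone-db-create
          type: single
          command: keystone-manage db_sync
        - name: keystone-db-bootstrap
          files:
            - keystone-conf
          dependencies:
            - keystone-db-sync
            - keystone-generate-fernet-keys
          type: single
          # NOTE(review): the admin password is passed as `--bootstrap-password`
          # on the command line; keystone-manage bootstrap also reads
          # KEYSTONE_BOOTSTRAP_PASSWORD from the environment, which keeps it
          # out of process listings if the DSL can set env for single jobs.
          command: >-
            keystone-manage bootstrap
            --bootstrap-password {{ openstack.user_password }}
            --bootstrap-username {{ openstack.user_name }}
            --bootstrap-project-name {{ openstack.project_name }}
            --bootstrap-role-name {{ openstack.role_name }}
            --bootstrap-service-name keystone
            --bootstrap-region-id RegionOne
            --bootstrap-admin-url {{ address('keystone', keystone.admin_port, with_scheme=True) }}
            --bootstrap-public-url {{ address('keystone', keystone.public_port, external=True, with_scheme=True) }}
            --bootstrap-internal-url {{ address('keystone', keystone.public_port, with_scheme=True) }}
      daemon:
        dependencies:
          - memcached
          # NOTE(review): the `-%}` / `{%-` whitespace-control that was on
          # these two tags is dropped. With it, Jinja joins `- notifications`
          # onto the preceding comment line and the dependency is silently
          # lost; confirm against the rendered output of this file.
          # {% if keystone.notifications.enable %}
          - notifications
          # {% endif %}
        files:
          - keystone-conf
          - wsgi-keystone-conf
          - credential-key
          # {% if keystone.tls.enabled %}
          - ca_cert
          # {% endif %}
        secrets:
          - keystone-fernet
        command: daemon.sh
      post:
        - name: keystone-create-domain
          type: single
          command: openstack domain create --or-show {{ service_account.domain }}
        - name: keystone-create-project
          type: single
          dependencies:
            - keystone-create-domain
          command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
    # TLS terminator in front of keystone; only present when TLS is enabled.
    # {% if keystone.tls.enabled %}
    - name: nginx-keystone
      image: nginx
      daemon:
        files:
          - upstreams
          - servers
          - server-cert
          - server-key
        command: nginx
    # {% endif %}

files:
  keystone-conf:
    path: /etc/keystone/keystone.conf
    content: keystone.conf.j2
  wsgi-keystone-conf:
    path: /etc/apache2/conf-enabled/wsgi-keystone.conf
    content: wsgi-keystone.conf.j2
  # Key material: owner-only permissions, owned by the service user.
  credential-key:
    path: /etc/keystone/credential-keys/1
    content: credential-key.j2
    perm: "0600"
    user: keystone
  fernet-manage:
    path: /opt/ccp/bin/fernet-manage.py
    content: fernet-manage.py
    perm: "0400"
    user: keystone
  # {% if keystone.tls.enabled %}
  servers:
    path: /etc/nginx/conf.d/servers.conf
    content: servers.conf.j2
    perm: "0400"
  upstreams:
    path: /etc/nginx/conf.d/upstreams.conf
    content: upstreams.conf.j2
    perm: "0400"
  # The CA certificate is public; no restrictive perm is set here.
  ca_cert:
    path: /opt/ccp/etc/tls/ca.pem
    content: ca-cert.pem.j2
  server-cert:
    path: /opt/ccp/etc/tls/server-cert.pem
    content: server-cert.pem.j2
    perm: "0400"
  # Private key: read-only for the owner.
  server-key:
    path: /opt/ccp/etc/tls/server-key.pem
    content: server-key.pem.j2
    perm: "0400"
  # {% endif %}

secrets:
  keystone-fernet:
    path: "/etc/keystone/fernet-keys"
    secret:
      # Quoted so a numeric-looking secret name is still read as a string.
      secretName: "{{ keystone.fernet_secret_name }}"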