179 lines
6.0 KiB
YAML
179 lines
6.0 KiB
YAML
dsl_version: 0.9.0
|
|
service:
|
|
name: keystone
|
|
ports:
|
|
- {{ keystone.public_port }}
|
|
- {{ keystone.admin_port }}
|
|
annotations:
|
|
service:
|
|
prometheus.io/probe: "true"
|
|
prometheus.io/probe_path: "/v3"
|
|
containers:
|
|
- name: keystone
|
|
image: keystone
|
|
probes:
|
|
readiness:
|
|
type: "httpGet"
|
|
port: {{ keystone.admin_port.cont }}
|
|
path: "/"
|
|
# {% if keystone.tls.enabled %}
|
|
scheme: "https"
|
|
# {% endif %}
|
|
volumes:
|
|
- name: keystone-logs
|
|
path: "/var/log/ccp/keystone"
|
|
type: host
|
|
readOnly: False
|
|
lifecycle:
|
|
preStop:
|
|
exec:
|
|
command: ["apachectl", "-k", "graceful-stop"]
|
|
pre:
|
|
- name: chown-logs-dir
|
|
command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
|
|
- name: chown-fernet-dir
|
|
command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
|
|
- name: fernet-dir-permissions
|
|
command: "/bin/chmod 0700 /etc/keystone/fernet-keys"
|
|
- name: keystone-generate-fernet-keys
|
|
command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
|
|
type: single
|
|
files:
|
|
- fernet-manage
|
|
- name: keystone-db-create
|
|
dependencies:
|
|
- database
|
|
type: single
|
|
command:
|
|
mysql -u root -p{{ db.root_password }} -h {{ address("database") }} -e "create database {{ keystone.db.name }};
|
|
create user '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
|
|
{% if db.tls.enabled %} require ssl {% endif %};
|
|
grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
|
|
{% if db.tls.enabled %} require ssl {% endif %};
|
|
grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
|
|
{% if db.tls.enabled %} require ssl {% endif %};"
|
|
- name: keystone-db-sync
|
|
files:
|
|
- keystone-conf
|
|
dependencies:
|
|
- keystone-db-create
|
|
type: single
|
|
command: keystone-manage db_sync
|
|
- name: keystone-db-bootstrap
|
|
files:
|
|
- keystone-conf
|
|
dependencies:
|
|
- keystone-db-sync
|
|
- keystone-generate-fernet-keys
|
|
type: single
|
|
command: keystone-manage bootstrap
|
|
--bootstrap-password {{ openstack.user_password }}
|
|
--bootstrap-username {{ openstack.user_name }}
|
|
--bootstrap-project-name {{ openstack.project_name }}
|
|
--bootstrap-role-name {{ openstack.role_name }}
|
|
--bootstrap-service-name keystone --bootstrap-region-id RegionOne
|
|
--bootstrap-admin-url {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
|
--bootstrap-public-url {{ address('keystone', keystone.public_port, external=True, with_scheme=True) }}
|
|
--bootstrap-internal-url {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
|
daemon:
|
|
dependencies:
|
|
- memcached
|
|
# {% if keystone.notifications.enable -%}
|
|
- notifications
|
|
# {%- endif %}
|
|
files:
|
|
- keystone-conf
|
|
# {% if keystone.ldap.enabled %}
|
|
- keystone-ldap-conf
|
|
# {% if keystone.ldap.tls.enabled %}
|
|
- keystone-ldap-cacert
|
|
# {% endif %}
|
|
# {% endif %}
|
|
- wsgi-keystone-conf
|
|
- credential-key
|
|
# {% if keystone.tls.enabled %}
|
|
- ca_cert
|
|
# {% endif %}
|
|
secrets:
|
|
- keystone-fernet
|
|
command: daemon.sh
|
|
post:
|
|
- name: keystone-create-domain
|
|
type: single
|
|
command: openstack domain create --or-show {{ service_account.domain }}
|
|
- name: keystone-create-project
|
|
type: single
|
|
dependencies:
|
|
- keystone-create-domain
|
|
command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
|
|
- name: keystone-create-admin-role
|
|
type: single
|
|
command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
|
|
# {% if keystone.ldap.enabled %}
|
|
- name: keystone-create-ldap-domain
|
|
type: single
|
|
command: openstack domain create ldap
|
|
# {% endif %}
|
|
|
|
# {% if keystone.tls.enabled %}
|
|
- name: nginx-keystone
|
|
image: nginx
|
|
daemon:
|
|
files:
|
|
- upstreams
|
|
- servers
|
|
- server-cert
|
|
- server-key
|
|
command: nginx
|
|
# {% endif %}
|
|
|
|
files:
|
|
keystone-conf:
|
|
path: /etc/keystone/keystone.conf
|
|
content: keystone.conf.j2
|
|
keystone-ldap-conf:
|
|
path: /etc/keystone/domains/keystone.ldap.conf
|
|
content: keystone.ldap.conf.j2
|
|
keystone-ldap-cacert:
|
|
path: /etc/keystone/ldap_tls_cacert.pem
|
|
content: keystone.ldap.cacert.j2
|
|
wsgi-keystone-conf:
|
|
path: /etc/apache2/conf-enabled/wsgi-keystone.conf
|
|
content: wsgi-keystone.conf.j2
|
|
credential-key:
|
|
path: /etc/keystone/credential-keys/1
|
|
content: credential-key.j2
|
|
perm: "0600"
|
|
user: keystone
|
|
fernet-manage:
|
|
path: /opt/ccp/bin/fernet-manage.py
|
|
content: fernet-manage.py
|
|
perm: "0400"
|
|
user: keystone
|
|
# {% if keystone.tls.enabled %}
|
|
servers:
|
|
path: /etc/nginx/conf.d/servers.conf
|
|
content: servers.conf.j2
|
|
perm: "0400"
|
|
upstreams:
|
|
path: /etc/nginx/conf.d/upstreams.conf
|
|
content: upstreams.conf.j2
|
|
perm: "0400"
|
|
ca_cert:
|
|
path: /opt/ccp/etc/tls/ca.pem
|
|
content: ca-cert.pem.j2
|
|
server-cert:
|
|
path: /opt/ccp/etc/tls/server-cert.pem
|
|
content: server-cert.pem.j2
|
|
perm: "0400"
|
|
server-key:
|
|
path: /opt/ccp/etc/tls/server-key.pem
|
|
content: server-key.pem.j2
|
|
perm: "0400"
|
|
# {% endif %}
|
|
secrets:
|
|
keystone-fernet:
|
|
path: "/etc/keystone/fernet-keys"
|
|
secret:
|
|
secretName: {{ keystone.fernet_secret_name }}
|