Fuel CCP - Keystone deployment


  1. dsl_version: 0.6.0
  2. service:
  3. name: keystone
  4. ports:
  5. - {{ keystone.public_port }}
  6. - {{ keystone.admin_port }}
  7. annotations:
  8. service:
  9. prometheus.io/probe: "true"
  10. prometheus.io/probe_path: "/v3"
  11. containers:
  12. - name: keystone
  13. image: keystone
  14. probes:
  15. readiness:
  16. type: "httpGet"
  17. port: {{ keystone.admin_port.cont }}
  18. path: "/"
  19. # {% if keystone.tls.enabled %}
  20. scheme: "https"
  21. # {% endif %}
  22. volumes:
  23. - name: keystone-logs
  24. path: "/var/log/ccp/keystone"
  25. type: host
  26. readOnly: False
  27. pre:
  28. - name: chown-logs-dir
  29. command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
  30. - name: chown-fernet-dir
  31. command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
  32. - name: fernet-dir-permissions
  33. command: "/bin/chmod 0700 /etc/keystone/fernet-keys"
  34. - name: keystone-generate-fernet-keys
  35. command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
  36. type: single
  37. files:
  38. - fernet-manage
  39. - name: keystone-db-create
  40. dependencies:
  41. - database
  42. type: single
  43. command:
  44. mysql -u root -p{{ db.root_password }} -h {{ address("database") }} -e "create database {{ keystone.db.name }};
  45. create user '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
  46. {% if db.tls.enabled %} require ssl {% endif %};
  47. grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
  48. {% if db.tls.enabled %} require ssl {% endif %};
  49. grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
  50. {% if db.tls.enabled %} require ssl {% endif %};"
  51. - name: keystone-db-sync
  52. files:
  53. - keystone-conf
  54. dependencies:
  55. - keystone-db-create
  56. type: single
  57. command: keystone-manage db_sync
  58. - name: keystone-db-bootstrap
  59. files:
  60. - keystone-conf
  61. dependencies:
  62. - keystone-db-sync
  63. - keystone-generate-fernet-keys
  64. type: single
  65. command: keystone-manage bootstrap
  66. --bootstrap-password {{ openstack.user_password }}
  67. --bootstrap-username {{ openstack.user_name }}
  68. --bootstrap-project-name {{ openstack.project_name }}
  69. --bootstrap-role-name {{ openstack.role_name }}
  70. --bootstrap-service-name keystone --bootstrap-region-id RegionOne
  71. --bootstrap-admin-url {{ address('keystone', keystone.admin_port, with_scheme=True) }}
  72. --bootstrap-public-url {{ address('keystone', keystone.public_port, external=True, with_scheme=True) }}
  73. --bootstrap-internal-url {{ address('keystone', keystone.public_port, with_scheme=True) }}
  74. daemon:
  75. dependencies:
  76. - memcached
  77. # {% if keystone.notifications.enable -%}
  78. - notifications
  79. # {%- endif %}
  80. files:
  81. - keystone-conf
  82. - wsgi-keystone-conf
  83. - credential-key
  84. # {% if keystone.tls.enabled %}
  85. - ca_cert
  86. # {% endif %}
  87. secrets:
  88. - keystone-fernet
  89. command: daemon.sh
  90. post:
  91. - name: keystone-create-domain
  92. type: single
  93. command: openstack domain create --or-show {{ service_account.domain }}
  94. - name: keystone-create-project
  95. type: single
  96. dependencies:
  97. - keystone-create-domain
  98. command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
  99. # {% if keystone.tls.enabled %}
  100. - name: nginx-keystone
  101. image: nginx
  102. daemon:
  103. files:
  104. - upstreams
  105. - servers
  106. - server-cert
  107. - server-key
  108. command: nginx
  109. # {% endif %}
  110. files:
  111. keystone-conf:
  112. path: /etc/keystone/keystone.conf
  113. content: keystone.conf.j2
  114. wsgi-keystone-conf:
  115. path: /etc/apache2/conf-enabled/wsgi-keystone.conf
  116. content: wsgi-keystone.conf.j2
  117. credential-key:
  118. path: /etc/keystone/credential-keys/1
  119. content: credential-key.j2
  120. perm: "0600"
  121. user: keystone
  122. fernet-manage:
  123. path: /opt/ccp/bin/fernet-manage.py
  124. content: fernet-manage.py
  125. perm: "0400"
  126. user: keystone
  127. # {% if keystone.tls.enabled %}
  128. servers:
  129. path: /etc/nginx/conf.d/servers.conf
  130. content: servers.conf.j2
  131. perm: "0400"
  132. upstreams:
  133. path: /etc/nginx/conf.d/upstreams.conf
  134. content: upstreams.conf.j2
  135. perm: "0400"
  136. ca_cert:
  137. path: /opt/ccp/etc/tls/ca.pem
  138. content: ca-cert.pem.j2
  139. server-cert:
  140. path: /opt/ccp/etc/tls/server-cert.pem
  141. content: server-cert.pem.j2
  142. perm: "0400"
  143. server-key:
  144. path: /opt/ccp/etc/tls/server-key.pem
  145. content: server-key.pem.j2
  146. perm: "0400"
  147. # {% endif %}
  148. secrets:
  149. keystone-fernet:
  150. path: "/etc/keystone/fernet-keys"
  151. secret:
  152. secretName: {{ keystone.fernet_secret_name }}