Merge pull request #4 from salt-formulas/pr_kitchen_travis
Add kitchen tests + travis ci
diff --git a/.gitignore b/.gitignore
index 1bfce6e..aa8e42a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
+.kitchen
tests/build/
*.swp
*.pyc
-.ropeproject
\ No newline at end of file
+.ropeproject
diff --git a/Makefile b/Makefile
index fc83783..1043fbe 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,38 @@
DESTDIR=/
SALTENVDIR=/usr/share/salt-formulas/env
RECLASSDIR=/usr/share/salt-formulas/reclass
-FORMULANAME=$(shell grep name: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\-]*')
+FORMULANAME=$(shell grep name: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\-\_]*')
+VERSION=$(shell grep version: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\.\-\_]*')
+VERSION_MAJOR := $(shell echo $(VERSION)|cut -d . -f 1-2)
+VERSION_MINOR := $(shell echo $(VERSION)|cut -d . -f 3)
+
+NEW_MAJOR_VERSION ?= $(shell date +%Y.%m|sed 's,\.0,\.,g')
+NEW_MINOR_VERSION ?= $(shell /bin/bash -c 'echo $$[ $(VERSION_MINOR) + 1 ]')
+
+MAKE_PID := $(shell echo $$PPID)
+JOB_FLAG := $(filter -j%, $(subst -j ,-j,$(shell ps T | grep "^\s*$(MAKE_PID).*$(MAKE)")))
+
+ifneq ($(subst -j,,$(JOB_FLAG)),)
+JOBS := $(subst -j,,$(JOB_FLAG))
+else
+JOBS := 1
+endif
+
+KITCHEN_LOCAL_YAML?=.kitchen.yml
+KITCHEN_OPTS?="--concurrency=$(JOBS)"
+KITCHEN_OPTS_CREATE?=""
+KITCHEN_OPTS_CONVERGE?=""
+KITCHEN_OPTS_VERIFY?=""
+KITCHEN_OPTS_TEST?=""
all:
@echo "make install - Install into DESTDIR"
@echo "make test - Run tests"
+ @echo "make kitchen - Run Kitchen CI tests (create, converge, verify)"
@echo "make clean - Cleanup after tests run"
+ @echo "make release-major - Generate new major release"
+ @echo "make release-minor - Generate new minor release"
+ @echo "make changelog - Show changes since last release"
install:
# Formula
@@ -14,6 +40,7 @@
cp -a $(FORMULANAME) $(DESTDIR)/$(SALTENVDIR)/
[ ! -d _modules ] || cp -a _modules $(DESTDIR)/$(SALTENVDIR)/
[ ! -d _states ] || cp -a _states $(DESTDIR)/$(SALTENVDIR)/ || true
+ [ ! -d _grains ] || cp -a _grains $(DESTDIR)/$(SALTENVDIR)/ || true
# Metadata
[ -d $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME) ] || mkdir -p $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
cp -a metadata/service/* $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
@@ -21,6 +48,71 @@
test:
[ ! -d tests ] || (cd tests; ./run_tests.sh)
+release-major: check-changes
+ @echo "Current version is $(VERSION), new version is $(NEW_MAJOR_VERSION)"
+ @[ $(VERSION_MAJOR) != $(NEW_MAJOR_VERSION) ] || (echo "Major version $(NEW_MAJOR_VERSION) already released, nothing to do. Do you want release-minor?" && exit 1)
+ echo "$(NEW_MAJOR_VERSION)" > VERSION
+ sed -i 's,version: .*,version: "$(NEW_MAJOR_VERSION)",g' metadata.yml
+ [ ! -f debian/changelog ] || dch -v $(NEW_MAJOR_VERSION) -m --force-distribution -D `dpkg-parsechangelog -S Distribution` "New version"
+ make genchangelog-$(NEW_MAJOR_VERSION)
+ (git add -u; git commit -m "Version $(NEW_MAJOR_VERSION)")
+ git tag -s -m $(NEW_MAJOR_VERSION) $(NEW_MAJOR_VERSION)
+
+release-minor: check-changes
+ @echo "Current version is $(VERSION), new version is $(VERSION_MAJOR).$(NEW_MINOR_VERSION)"
+ echo "$(VERSION_MAJOR).$(NEW_MINOR_VERSION)" > VERSION
+ sed -i 's,version: .*,version: "$(VERSION_MAJOR).$(NEW_MINOR_VERSION)",g' metadata.yml
+ [ ! -f debian/changelog ] || dch -v $(VERSION_MAJOR).$(NEW_MINOR_VERSION) -m --force-distribution -D `dpkg-parsechangelog -S Distribution` "New version"
+ make genchangelog-$(VERSION_MAJOR).$(NEW_MINOR_VERSION)
+ (git add -u; git commit -m "Version $(VERSION_MAJOR).$(NEW_MINOR_VERSION)")
+ git tag -s -m $(NEW_MAJOR_VERSION) $(VERSION_MAJOR).$(NEW_MINOR_VERSION)
+
+check-changes:
+ @git log --pretty=oneline --decorate $(VERSION)..HEAD | grep -Eqc '.*' || (echo "No new changes since version $(VERSION)"; exit 1)
+
+changelog:
+ git log --pretty=short --invert-grep --grep="Merge pull request" --decorate $(VERSION)..HEAD
+
+genchangelog: genchangelog-$(VERSION_MAJOR).$(NEW_MINOR_VERSION)
+
+genchangelog-%:
+ $(eval NEW_VERSION := $(patsubst genchangelog-%,%,$@))
+ (echo "=========\nChangelog\n=========\n"; \
+ (echo $(NEW_VERSION);git tag) | sort -r | grep -E '^[0-9\.]+' | while read i; do \
+ cur=$$i; \
+ test $$i = $(NEW_VERSION) && i=HEAD; \
+ prev=`(echo $(NEW_VERSION);git tag)|sort|grep -E '^[0-9\.]+'|grep -B1 "$$cur\$$"|head -1`; \
+ echo "Version $$cur\n=============================\n"; \
+ git log --pretty=short --invert-grep --grep="Merge pull request" --decorate $$prev..$$i; \
+ echo; \
+ done) > CHANGELOG.rst
+
+kitchen-check:
+ @[ -e $(KITCHEN_LOCAL_YAML) ] || (echo "Kitchen tests not available, there's no $(KITCHEN_LOCAL_YAML)." && exit 1)
+
+kitchen: kitchen-check kitchen-create kitchen-converge kitchen-verify kitchen-list
+
+kitchen-create: kitchen-check
+ kitchen create ${KITCHEN_OPTS} ${KITCHEN_OPTS_CREATE}
+ [ "$(shell echo $(KITCHEN_LOCAL_YAML)|grep -Eo docker)" = "docker" ] || sleep 120
+
+kitchen-converge: kitchen-check
+ kitchen converge ${KITCHEN_OPTS} ${KITCHEN_OPTS_CONVERGE} &&\
+ kitchen converge ${KITCHEN_OPTS} ${KITCHEN_OPTS_CONVERGE}
+
+kitchen-verify: kitchen-check
+ [ ! -d tests/integration ] || kitchen verify -t tests/integration ${KITCHEN_OPTS} ${KITCHEN_OPTS_VERIFY}
+ [ -d tests/integration ] || kitchen verify ${KITCHEN_OPTS} ${KITCHEN_OPTS_VERIFY}
+
+kitchen-test: kitchen-check
+ [ ! -d tests/integration ] || kitchen test -t tests/integration ${KITCHEN_OPTS} ${KITCHEN_OPTS_TEST}
+ [ -d tests/integration ] || kitchen test ${KITCHEN_OPTS} ${KITCHEN_OPTS_TEST}
+
+kitchen-list: kitchen-check
+ kitchen list
+
clean:
+ [ ! -x "$(shell which kitchen)" ] || kitchen destroy
+ [ ! -d .kitchen ] || rm -rf .kitchen
[ ! -d tests/build ] || rm -rf tests/build
[ ! -d build ] || rm -rf build
diff --git a/README.rst b/README.rst
index a8bfb88..bf5ceeb 100644
--- a/README.rst
+++ b/README.rst
@@ -321,6 +321,7 @@
federation_driver: keystone.contrib.federation.backends.sql.Federation
trusted_dashboard:
- http://${_param:proxy_vip_address_public}/horizon/auth/websso/
+ shib_url_scheme: https
apache:
server:
pkgs:
@@ -330,6 +331,25 @@
- wsgi
- shib2
+Use a custom identity driver with custom options
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ backend: k2k
+ k2k:
+ auth_url: 'https://keystone.example.com/v2.0'
+ read_user: 'example_user'
+ read_pass: 'password'
+ read_tenant_id: 'admin'
+ identity_driver: 'sql'
+ id_prefix: 'k2k:'
+ domain: 'default'
+ caching: true
+ cache_time: 600
+
+
Keystone client
---------------
@@ -374,15 +394,32 @@
admin:
host: 10.0.0.2
port: 5000
- project: 'token'
+ project: admin
user: admin
password: 'passwd'
+ region_name: RegionOne
+ protocol: https
roles:
- admin
- member
project:
tenant01:
description: "test env"
+ quota:
+ instances: 100
+ cores: 24
+ ram: 151200
+ floating_ips: 50
+ fixed_ips: -1
+ metadata_items: 128
+ injected_files: 5
+ injected_file_content_bytes: 10240
+ injected_file_path_bytes: 255
+ key_pairs: 100
+ security_groups: 20
+ security_group_rules: 40
+ server_groups: 20
+ server_group_members: 20
user:
user01:
email: jdoe@domain.com
@@ -394,6 +431,78 @@
roles:
- custom-roles
+Multiple servers example
+
+.. code-block:: yaml
+
+ keystone:
+ client:
+ enabled: true
+ server:
+ keystone01:
+ admin:
+ host: 10.0.0.2
+ port: 5000
+ project: 'admin'
+ user: admin
+ password: 'workshop'
+ region_name: RegionOne
+ protocol: https
+ keystone02:
+ admin:
+ host: 10.0.0.3
+ port: 5000
+ project: 'admin'
+ user: admin
+ password: 'workshop'
+ region_name: RegionOne
+
+
+Tenant quotas
+
+.. code-block:: yaml
+
+ keystone:
+ client:
+ enabled: true
+ server:
+ keystone01:
+ admin:
+ host: 10.0.0.2
+ port: 5000
+ project: admin
+ user: admin
+ password: 'passwd'
+ region_name: RegionOne
+ protocol: https
+ roles:
+ - admin
+ - member
+ project:
+ tenant01:
+ description: "test env"
+ quota:
+ instances: 100
+ cores: 24
+ ram: 151200
+ floating_ips: 50
+ fixed_ips: -1
+ metadata_items: 128
+ injected_files: 5
+ injected_file_content_bytes: 10240
+ injected_file_path_bytes: 255
+ key_pairs: 100
+ security_groups: 20
+ security_group_rules: 40
+ server_groups: 20
+ server_group_members: 20
+
+Usage
+=====
+
+Apply state `keystone.client.service` first and then `keystone.client` state.
+
+
Documentation and Bugs
======================
@@ -419,3 +528,36 @@
Developers should also join the discussion on the IRC list, at:
https://wiki.openstack.org/wiki/Meetings/openstack-salt
+
+Documentation and Bugs
+======================
+
+To learn how to install and update salt-formulas, consult the documentation
+available online at:
+
+ http://salt-formulas.readthedocs.io/
+
+In the unfortunate event that bugs are discovered, they should be reported to
+the appropriate issue tracker. Use Github issue tracker for specific salt
+formula:
+
+ https://github.com/salt-formulas/salt-formula-keystone/issues
+
+For feature requests, bug reports or blueprints affecting entire ecosystem,
+use Launchpad salt-formulas project:
+
+ https://launchpad.net/salt-formulas
+
+You can also join salt-formulas-users team and subscribe to mailing list:
+
+ https://launchpad.net/~salt-formulas-users
+
+Developers wishing to work on the salt-formulas projects should always base
+their work on master branch and submit pull request against specific formula.
+
+ https://github.com/salt-formulas/salt-formula-keystone
+
+Any questions or feedback is always welcome so feel free to join our IRC
+channel:
+
+ #salt-formulas @ irc.freenode.net
diff --git a/keystone/client/server.sls b/keystone/client/server.sls
index 38d8169..4a8bfed 100644
--- a/keystone/client/server.sls
+++ b/keystone/client/server.sls
@@ -15,7 +15,6 @@
{%- set protocol = 'https' %}
{%- endif %}
-
{%- if server.admin.token is defined %}
{%- set connection_args = {'endpoint': protocol+'://'+server.admin.host+':'+server.admin.port|string+'/'+version,
'token': server.admin.token} %}
@@ -103,6 +102,20 @@
- connection_auth_url: {{ connection_args.auth_url }}
{%- endif %}
+{%- if tenant.quota is defined and tenant.quota is mapping %}
+
+keystone_{{ server_name }}_tenant_{{ tenant_name }}_quota:
+ novang.quota_present:
+ - profile: {{ server_name }}
+ - tenant_name: {{ tenant_name }}
+ {%- for quota_name, quota_value in tenant.quota.iteritems() %}
+ - {{ quota_name }}: {{ quota_value }}
+ {%- endfor %}
+ - require:
+ - keystone: keystone_{{ server_name }}_tenant_{{ tenant_name }}
+
+{%- endif %}
+
{%- for user_name, user in tenant.get('user', {}).iteritems() %}
keystone_{{ server_name }}_tenant_{{ tenant_name }}_user_{{ user_name }}:
diff --git a/keystone/client/service.sls b/keystone/client/service.sls
index 40c68df..efdef37 100644
--- a/keystone/client/service.sls
+++ b/keystone/client/service.sls
@@ -5,4 +5,10 @@
pkg.installed:
- names: {{ client.pkgs }}
-{%- endif %}
+keystone_profile:
+ file.managed:
+ - name: /etc/salt/minion.d/_keystone.conf
+ - source: salt://keystone/files/keystone.conf
+ - template: jinja
+
+{%- endif %}
\ No newline at end of file
diff --git a/keystone/files/_k2k.conf b/keystone/files/_k2k.conf
new file mode 100644
index 0000000..ae3696f
--- /dev/null
+++ b/keystone/files/_k2k.conf
@@ -0,0 +1,46 @@
+
+[k2k]
+
+#
+# Specific driver configuration for identity backend k2k
+# (Authentication against other keystone backend as fallback)
+#
+
+# Authentication URL of keystone to authenticate against (v2.0 only)
+# (string value)
+#auth_url = https://keystone.example.com/v2.0
+auth_url = {{ k2k.auth_url }}
+
+# User that is able to read users (string value)
+#read_user = admin
+read_user = {{ k2k.read_user }}
+
+# Password for readonly user (string value)
+#read_pass = password
+read_pass = {{ k2k.read_pass }}
+
+# Tenant id to be used to read (string value)
+#read_tenant_id = admin
+read_tenant_id = {{ k2k.read_tenant_id }}
+
+# Keystone identity driver to use before k2k authentication (string value)
+#identity_driver = sql
+identity_driver = {{ k2k.get('identity_driver', 'sql') }}
+
+# UserId prefix to use for assignment mappings etc (string value)
+#id_prefix = k2k:
+id_prefix = {{ k2k.get('id_prefix', 'k2k:') }}
+
+# This value will be set in the User object after authentication (string value)
+#domain = default
+domain = {{ k2k.get('domain', 'default') }}
+
+# Toggle for k2k caching. This has no effect unless global caching is enabled.
+# (boolean value)
+#caching = true
+caching = {{ k2k.get('caching', 'true')|lower }}
+
+# Time to cache identity data (in seconds). This has no effect unless global and
+# identity caching are enabled. (integer value)
+#cache_time = 600
+cache_time = {{ k2k.get('cache_time', 600) }}
diff --git a/keystone/files/keystone.conf b/keystone/files/keystone.conf
new file mode 100644
index 0000000..e6c9de2
--- /dev/null
+++ b/keystone/files/keystone.conf
@@ -0,0 +1,31 @@
+{%- from "keystone/map.jinja" import client with context %}
+{%- for profile_name, identity in client.server.iteritems() %}
+
+{%- if identity.admin.get('protocol', 'http') == 'http' %}
+{%- set protocol = 'http' %}
+{%- else %}
+{%- set protocol = 'https' %}
+{%- endif %}
+
+{%- if identity.admin.get('api_version', '2') == '3' %}
+{%- set version = "v3" %}
+{%- else %}
+{%- set version = "v2.0" %}
+{%- endif %}
+
+{%- if identity.admin.user is defined %}
+
+{%- if identity.admin.token is not defined %}
+
+{{ profile_name }}:
+ keystone.user: '{{ identity.admin.user }}'
+ keystone.password: '{{ identity.admin.password }}'
+ keystone.tenant: '{{ identity.admin.project }}'
+ keystone.auth_url: '{{ protocol+'://'+identity.admin.host+':'+identity.admin.port|string+'/'+version }}'
+ keystone.region_name: '{{ identity.admin.region_name }}'
+
+{%- endif %}
+
+{%- endif %}
+
+{%- endfor %}
diff --git a/keystone/files/keystonerc b/keystone/files/keystonerc
index ee35efc..e3cf64a 100644
--- a/keystone/files/keystonerc
+++ b/keystone/files/keystonerc
@@ -6,3 +6,4 @@
export OS_REGION_NAME={{ server.region }}
export OS_SERVICE_TOKEN={{ server.service_token }}
export OS_SERVICE_ENDPOINT="http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"
+export OS_ENDPOINT_TYPE="internal"
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index d48f485..2834cea 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -377,11 +377,6 @@
# namespace. (string value)
#oauth1 = <None>
-{% if server.websso is defined %}
-[{{ server.websso.protocol }}]
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
-
[cache]
#
@@ -843,7 +838,7 @@
# Entrypoint for the federation backend driver in the keystone.federation
# namespace. (string value)
#driver = sql
-{% if server.websso is defined %}
+{%- if server.get('websso', {}).federation_driver is defined %}
driver = {{ server.websso.federation_driver }}
{%- endif %}
@@ -855,6 +850,9 @@
# environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
# Provider`). (string value)
#remote_id_attribute = <None>
+{%- if server.websso is defined %}
+remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- endif %}
# A domain name that is reserved to allow federated ephemeral users to have a
# domain concept. Note that an admin will not be able to create a domain with
@@ -868,13 +866,11 @@
# example: trusted_dashboard=http://acme.com/auth/websso
# trusted_dashboard=http://beta.com/auth/websso (multi valued)
#trusted_dashboard =
-{%- if server.websso is defined %}
-{%- if server.websso.trusted_dashboard is defined %}
+{%- if server.get('websso', {}).trusted_dashboard is defined %}
{%- for dashboard in server.websso.trusted_dashboard %}
trusted_dashboard = {{ dashboard }}
{%- endfor %}
{%- endif %}
-{%- endif %}
# Location of Single Sign-On callback handler, will return a token to a trusted
# dashboard host. (string value)
@@ -948,11 +944,7 @@
# Entrypoint for the identity backend driver in the keystone.identity
# namespace. Supplied drivers are ldap and sql. (string value)
#driver = sql
-{%- if server.get('backend', 'sql') == 'ldap' %}
-driver = ldap
-{%- else %}
-driver = sql
-{%- endif %}
+driver = {{ server.get('backend', 'sql') }}
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -971,6 +963,10 @@
# (integer value)
#list_limit = <None>
+{%- if server.get("backend", "sql") == "k2k" and server.k2k is defined %}
+{%- set k2k = server.k2k %}
+{% include "keystone/files/_k2k.conf" %}
+{%- endif %}
[identity_mapping]
diff --git a/keystone/files/mitaka/wsgi-keystone.conf b/keystone/files/mitaka/wsgi-keystone.conf
index 74a1c30..763672d 100644
--- a/keystone/files/mitaka/wsgi-keystone.conf
+++ b/keystone/files/mitaka/wsgi-keystone.conf
@@ -30,6 +30,9 @@
</Directory>
{% if server.websso is defined %}
+ {% if server.websso.shib_url_scheme is defined %}
+ ShibURLScheme {{ server.websso.shib_url_scheme }}
+ {%- endif %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
<Location /Shibboleth.sso>
SetHandler shib
@@ -83,6 +86,9 @@
</Directory>
{% if server.websso is defined %}
+ {% if server.websso.shib_url_scheme is defined %}
+ ShibURLScheme {{ server.websso.shib_url_scheme }}
+ {%- endif %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
<Location /Shibboleth.sso>
SetHandler shib
diff --git a/keystone/meta/grafana.yml b/keystone/meta/grafana.yml
index c0bd17f..caad76f 100644
--- a/keystone/meta/grafana.yml
+++ b/keystone/meta/grafana.yml
@@ -2,3 +2,18 @@
keystone:
format: json
template: keystone/files/grafana_dashboards/keystone_influxdb.json
+ main:
+ row:
+ ost-control-plane:
+ title: OpenStack Control Plane
+ panel:
+ keystone:
+ title: Keystone
+ links:
+ - dashboard: Keystone
+ title: Keystone
+ type: dashboard
+ target:
+ cluster_status:
+ rawQuery: true
+ query: SELECT last(value) FROM cluster_status WHERE cluster_name = 'keystone' AND environment_label = '$environment' AND $timeFilter GROUP BY time($interval) fill(null)
diff --git a/keystone/meta/heka.yml b/keystone/meta/heka.yml
index 7bf794a..84ed391 100644
--- a/keystone/meta/heka.yml
+++ b/keystone/meta/heka.yml
@@ -96,6 +96,28 @@
window: 60
periods: 0
function: last
+ keystone_failed_authentications_too_high:
+ description: 'Too many failed authentications have been detected for Keystone'
+ severity: warning
+ no_data_policy: okay
+ logical_operator: and
+ rules:
+ - metric: authentications_percent
+ value: failed
+ relational_operator: '>'
+ threshold: 80
+ window: 120
+ periods: 0
+ function: avg
+ # The second condition is to avoid triggering the alarm when the volume
+ # of authentication requests is too low to be relevant
+ - metric: authentications_rate
+ value: all
+ relational_operator: '>'
+ threshold: 0.1
+ window: 120
+ periods: 0
+ function: avg
alarm:
keystone_public_api_check:
alerting: enabled
@@ -103,6 +125,12 @@
- keystone_public_api_check_failed
dimension:
service: keystone-public-api-check
+ keystone_failed_authentications:
+ alerting: enabled
+ triggers:
+ - keystone_failed_authentications_too_high
+ dimension:
+ service: keystone-failed-authentications
aggregator:
alarm_cluster:
keystone_response_time:
@@ -148,6 +176,16 @@
dimension:
service: keystone
nagios_host: 01-service-clusters
+ keystone_failed_authentications:
+ policy: highest_severity
+ alerting: enabled
+ match:
+ service: keystone-failed-authentications
+ members:
+ - keystone_failed_authentications
+ dimension:
+ service: keystone
+ nagios_host: 01-service-clusters
keystone:
policy: highest_severity
alerting: enabled_with_notification
@@ -158,6 +196,7 @@
- keystone_logs
- keystone_public_api_endpoint
- keystone_public_api_check
+ - keystone_failed_authentications
dimension:
cluster_name: keystone
nagios_host: 00-top-clusters
diff --git a/keystone/server.sls b/keystone/server.sls
index 84f0dc6..54dc774 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -204,6 +204,7 @@
keystone_syncdb:
cmd.run:
- name: keystone-manage db_sync; sleep 1
+ - timeout: 120
- require:
- service: keystone_service
{%- endif %}
@@ -290,7 +291,7 @@
- require:
- keystone: keystone_roles
-keystone_{{ service_name }}_endpoint:
+keystone_{{ service_name }}_{{ service.get('region', 'RegionOne') }}_endpoint:
keystone.endpoint_present:
- name: {{ service.get('service', service_name) }}
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'