Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / keystone / 9b152ebee6a9a2c58fdbbcd8df19e292273caa58 / . / keystone / server.sls
blob: c95ffb134e165719f33fddd90922ecc0e17124a6 [file] [log] [blame]
{%- from "keystone/map.jinja" import server with context %}
{%- if server.enabled %}
{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
include:
{%- if server.service_name in ['apache2', 'httpd'] %}
- apache
{%- endif %}
- keystone.db.offline_sync
{%- if mysql_x509_ssl_enabled %}
- keystone._ssl.mysql
{%- endif %}
keystone_packages:
pkg.installed:
- names: {{ server.pkgs }}
- require_in:
- sls: keystone.db.offline_sync
{%- if server.service_name in ['apache2', 'httpd'] %}
- require_in:
- pkg: apache_packages
{%- endif %}
{%- set ldap = {'enabled': False} %}
{%- if server.get('backend') == 'ldap' %}
{%- do ldap.update({'enabled': True}) %}
{%- else %}
{%- for domain in server.get('domain', {}).itervalues() %}
{%- if domain.get('ldap') %}
{%- do ldap.update({'enabled': True}) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- if ldap.enabled %}
keystone_ldap_packages:
pkg.installed:
- names:
- python-ldap
- python-ldappool
{%- if server.service_name in ['apache2', 'httpd'] %}
- require_in:
- pkg: apache_packages
{%- endif %}
{% endif %}
{%- if server.service_name in ['apache2', 'httpd'] %}
{%- set keystone_service = 'apache_service' %}
purge_not_needed_configs:
file.absent:
- names: ['/etc/apache2/sites-enabled/keystone.conf', '/etc/apache2/sites-enabled/wsgi-keystone.conf']
- watch_in:
- service: {{ keystone_service }}
{%- if grains.os_family == "Debian" %}
keystone:
{%- endif %}
{%- if grains.os_family == "RedHat" %}
openstack-keystone:
{%- endif %}
service.dead:
- enable: False
- watch:
- pkg: keystone_packages
{%- else %}
{%- set keystone_service = 'keystone_service' %}
{%- endif %}
{%- if not salt['user.info']('keystone') %}
keystone_user:
user.present:
- name: keystone
- home: /var/lib/keystone
- uid: 301
- gid: 301
- shell: /bin/false
- system: True
- require_in:
- pkg: keystone_packages
keystone_group:
group.present:
- name: keystone
- gid: 301
- system: True
- require_in:
- pkg: keystone_packages
- user: keystone_user
{%- endif %}
/etc/keystone/keystone.conf:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
- template: jinja
- mode: 0640
- group: keystone
- require:
- pkg: keystone_packages
{%- if mysql_x509_ssl_enabled %}
- sls: keystone._ssl.mysql
{%- endif %}
- watch_in:
- service: {{ keystone_service }}
{% if server.federation is defined %}
/etc/keystone/sso_callback_template.html:
file.managed:
- source: salt://keystone/files/sso_callback_template.html
- mode: 0640
- group: keystone
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
{%- endif %}
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
- mode: 0640
- user: root
- group: keystone
- template: jinja
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
{%- if server.logging.log_appender %}
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
keystone_fluentd_logger_package:
pkg.installed:
- name: python-fluent-logger
{%- endif %}
/etc/keystone/logging.conf:
file.managed:
- mode: 0640
- user: root
- group: keystone
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- defaults:
service_name: keystone
_data: {{ server.logging }}
- require:
- pkg: keystone_packages
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
- pkg: keystone_fluentd_logger_package
{%- endif %}
- watch_in:
- service: {{ keystone_service }}
/var/log/keystone/keystone.log:
file.managed:
- user: keystone
- group: keystone
- watch_in:
- service: {{ keystone_service }}
{%- endif %}
/etc/keystone/policy.json:
file.managed:
- mode: 0640
- user: root
- group: keystone
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
{%- for name, rule in server.get('policy', {}).items() %}
{%- if rule != None %}
keystone_rule_{{ name }}_present:
keystone_policy.rule_present:
- path: /etc/keystone/policy.json
- name: {{ name }}
- rule: {{ rule }}
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
{%- else %}
keystone_rule_{{ name }}_absent:
keystone_policy.rule_absent:
- path: /etc/keystone/policy.json
- name: {{ name }}
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
{%- endif %}
{%- endfor %}
{%- if server.get("domain", {}) %}
/etc/keystone/domains:
file.directory:
- mode: 0755
- require:
- pkg: keystone_packages
{%- for domain_name, domain in server.domain.items() %}
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
file.managed:
- source: salt://keystone/files/keystone.domain.conf
- template: jinja
- mode: 0640
- group: keystone
- require:
- file: /etc/keystone/domains
- watch_in:
- service: {{ keystone_service }}
- defaults:
domain_name: {{ domain_name }}
{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
keystone_domain_{{ domain_name }}_cacert:
file.managed:
- name: /etc/keystone/domains/{{ domain_name }}.pem
- contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
- require:
- file: /etc/keystone/domains
{%- if not grains.get('noservices', False) %}
- watch_in:
- service: {{ keystone_service }}
{%- endif %}
{%- endif %}
{#- can't use RC file here as identity endpoint may not be present in keystone #}
{#- as we will add it later in keystone.client state. Use endpoint override here. #}
{#- will be fixed when switched to keystone bootstrap. #}
{#- TODO: move domain creation to keystone.client state. #}
keystone_domain_{{ domain_name }}:
cmd.run:
- name: openstack --os-identity-api-version 3
--os-endpoint {{ server.bind.get('private_protocol', 'http') }}://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
--os-token {{ server.service_token }}
--os-auth-type admin_token
domain create --description "{{ domain.description }}" {{ domain_name }}
- unless: {% if grains.get('noservices') %}/bin/true{% else %}
openstack --os-identity-api-version 3
--os-endpoint {{ server.bind.get('private_protocol', 'http') }}://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
--os-token {{ server.service_token }}
--os-auth-type admin_token
domain show "{{ domain_name }}"{% endif %}
- shell: /bin/bash
- require:
- file: /root/keystonercv3
- service: {{ keystone_service }}
- sls: keystone.db.offline_sync
{%- endfor %}
{%- endif %}
{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
keystone_ldap_default_cacert:
file.managed:
- name: {{ server.ldap.tls.cacertfile }}
- contents_pillar: keystone:server:ldap:tls:cacert
- require:
- pkg: keystone_packages
- watch_in:
- service: {{ keystone_service }}
{%- endif %}
{%- if server.service_name not in ['apache2', 'httpd'] %}
keystone_service:
service.running:
- name: {{ server.service_name }}
- enable: True
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
- watch:
{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_keystone_server
{%- endif %}
- file: /etc/keystone/keystone.conf
{%- endif %}
{%- if grains.get('virtual_subtype', None) == "Docker" %}
keystone_entrypoint:
file.managed:
- name: /entrypoint.sh
- template: jinja
- source: salt://keystone/files/entrypoint.sh
- mode: 755
{%- endif %}
/root/keystonerc:
file.managed:
- source: salt://keystone/files/keystonerc
- template: jinja
- mode: 0640
- user: root
- group: root
- require:
- pkg: keystone_packages
/root/keystonercv3:
file.managed:
- source: salt://keystone/files/keystonercv3
- template: jinja
- mode: 0640
- user: root
- group: root
- require:
- pkg: keystone_packages
{% if server.tokens.engine == 'fernet' %}
keystone_fernet_keys:
file.directory:
- name: {{ server.tokens.location }}
- mode: 750
- user: keystone
- group: keystone
- require:
- pkg: keystone_packages
- require_in:
- service: keystone_fernet_setup
keystone_fernet_setup:
cmd.run:
- name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
- require:
- service: {{ keystone_service }}
- file: keystone_fernet_keys
{%- if grains.get('noservices', False) %}
- onlyif: /bin/false
{%- endif %}
{% if server.get('tokens', {}).get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' or server.get('credential', {}).get('credential_rotation_driver', 'shared_filesystem') == 'rsync' %}
{% if server.get('role', 'secondary') == 'primary' %}
/var/lib/keystone/keystone_keys_rotate.sh:
file.managed:
- source: salt://keystone/files/keystone_keys_rotate.sh
- template: jinja
- user: keystone
- group: keystone
- mode: 744
- require:
- pkg: keystone_packages
{%- endif %}
{%- endif %}
{% if server.get('tokens', {}).get('fernet_rotation_driver', 'shared_filesystem') == 'rsync' %}
{% if server.get('role', 'secondary') == 'primary' %}
run_fernet_rotation_sync_only:
cmd.run:
- name: /var/lib/keystone/keystone_keys_rotate.sh -s -t fernet
- runas: keystone
- require:
- cmd: keystone_fernet_setup
- file: /var/lib/keystone/keystone_keys_rotate.sh
{%- endif %}
{%- endif %}
{% endif %}
{%- if server.version not in ['mitaka'] %}
keystone_credential_keys:
file.directory:
- name: {{ server.credential.location }}
- mode: 750
- user: keystone
- group: keystone
- require:
- pkg: keystone_packages
keystone_credential_setup:
cmd.run:
- name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
- require:
- service: {{ keystone_service }}
- file: keystone_credential_keys
{%- if grains.get('noservices', False) %}
- onlyif: /bin/false
{%- endif %}
{% if server.get('credential', {}).get('credential_rotation_driver', 'shared_filesystem') == 'rsync' %}
{% if server.get('role', 'secondary') == 'primary' %}
run_credential_rotation_sync_only:
cmd.run:
- name: /var/lib/keystone/keystone_keys_rotate.sh -s -t credential
- runas: keystone
- require:
- cmd: keystone_credential_setup
- file: /var/lib/keystone/keystone_keys_rotate.sh
{%- endif %}
{%- endif %}
{%- endif %}
{%- if server.version not in ['mitaka', 'newton', 'ocata', 'pike'] %}
keystone_identity_bootstrap_setup:
cmd.run:
- name: keystone-manage bootstrap
--bootstrap-password {{ server.admin_password }}
--bootstrap-username {{ server.admin_name }}
--bootstrap-project-name admin
--bootstrap-role-name admin
--bootstrap-service-name keystone
--bootstrap-region-id {{ server.get('admin_region', 'RegionOne') }}
--bootstrap-internal-url {{ server.bind.get('protocol', 'http') }}://{{ server.bind.address }}:{{ server.bind.get('port', 5000) }}
- unless:
. /root/keystonercv3; openstack endpoint list --service identity --interface internal -f value -c URL |grep {{ server.bind.get('port', 5000) }}
{%- if grains.get('noservices', False) %}
- onlyif: /bin/false
{%- endif %}
{%- endif %}
{%- if not grains.get('noservices', False) %}
{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
keystone_service_tenant:
keystoneng.tenant_present:
- name: {{ server.service_tenant }}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- sls: keystone.db.offline_sync
keystone_admin_tenant:
keystoneng.tenant_present:
- name: {{ server.admin_tenant }}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_service_tenant
keystone_roles:
keystoneng.role_present:
- names: {{ server.roles }}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_service_tenant
{%- if not server.get('ldap', {}).get('read_only', False) %}
keystone_admin_user:
keystoneng.user_present:
- name: {{ server.admin_name }}
- password: {{ server.admin_password }}
- email: {{ server.admin_email }}
- tenant: {{ server.admin_tenant }}
- roles:
{{ server.admin_tenant }}:
- admin
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_admin_tenant
- keystoneng: keystone_roles
{%- endif %}
{%- endif %}
{%- for service_name, service in server.get('service', {}).items() %}
keystone_{{ service_name }}_service:
keystoneng.service_present:
- name: {{ service_name }}
- service_type: {{ service.type }}
- description: {{ service.description }}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_roles
keystone_{{ service_name }}_{{ service.get('region', 'RegionOne') }}_endpoint:
keystoneng.endpoint_present:
- name: {{ service.get('service', service_name) }}
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
- region: {{ service.get('region', 'RegionOne') }}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_{{ service_name }}_service
{% if service.user is defined %}
keystone_user_{{ service.user.name }}:
keystoneng.user_present:
- name: {{ service.user.name }}
- password: {{ service.user.password }}
- email: {{ server.admin_email }}
- tenant: {{ server.service_tenant }}
- roles:
{{ server.service_tenant }}:
- admin
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_roles
{% endif %}
{%- endfor %}
{%- for tenant_name, tenant in server.get('tenant', {}).items() %}
keystone_tenant_{{ tenant_name }}:
keystoneng.tenant_present:
- name: {{ tenant_name }}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_roles
{%- for user_name, user in tenant.get('user', {}).items() %}
keystone_user_{{ user_name }}:
keystoneng.user_present:
- name: {{ user_name }}
- password: {{ user.password }}
- email: {{ user.get('email', 'root@localhost') }}
- tenant: {{ tenant_name }}
- roles:
{{ tenant_name }}:
{%- if user.get('roles', False) %}
{{ user.roles }}
{%- else %}
- Member
{%- endif %}
- connection_token: {{ server.service_token }}
- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
- require:
- keystoneng: keystone_tenant_{{ tenant_name }}
{%- endfor %}
{%- endfor %}
{%- endif %} {# end noservices #}
{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca_keystone_server:
{%- if server.message_queue.ssl.cacert is defined %}
file.managed:
- name: {{ server.message_queue.ssl.cacert_file }}
- contents_pillar: keystone:server:message_queue:ssl:cacert
- mode: 0444
- makedirs: true
{%- else %}
file.exists:
- name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
{%- endif %}
{%- endif %}
{%- endif %}