Merge "Fix Grafana dashboard with accurate HTTP 5xx rate"
diff --git a/.kitchen.yml b/.kitchen.yml
index 73f2e37..32e9f68 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -10,7 +10,7 @@
salt_bootstrap_url: https://bootstrap.saltstack.com
salt_version: latest
require_chef: false
- log_level: info
+ log_level: error
formula: keystone
grains:
noservices: False
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index a464ac3..7c5960e 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -672,7 +672,7 @@
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
[database]
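Review bot: `key_repository = {{ server.credential.location }}` is rendered unconditionally, so a pillar without `server:credential:location` will most likely fail the template render instead of falling back to keystone's built-in default; the ocata template gets the same line. This commit adds the value only in `metadata/service/server/cluster.yml` and `single.yml`, so deployments that do not include those classes have no fallback. Assuming `server` is a plain dict here, a default in the template keeps the previous effective path: `key_repository = {{ server.get('credential', {}).get('location', '/etc/keystone/credential-keys/') }}`. The section this option belongs to starts outside the hunk.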
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 5374c5d..9e9ff1c 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -745,7 +745,7 @@
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
[database]
diff --git a/keystone/server.sls b/keystone/server.sls
index b8fde3a..d6a54da 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -8,13 +8,11 @@
{%- if server.service_name in ['apache2', 'httpd'] %}
{%- set keystone_service = 'apache_service' %}
-{%- if not grains.get('noservices', False) %}
purge_not_needed_configs:
file.absent:
- names: ['/etc/apache2/sites-enabled/keystone.conf', '/etc/apache2/sites-enabled/wsgi-keystone.conf']
- watch_in:
- service: {{ keystone_service }}
-{%- endif %}
include:
- apache
@@ -135,10 +133,8 @@
- template: jinja
- require:
- file: /etc/keystone/domains
- {%- if not grains.get('noservices', False) %}
- watch_in:
- service: {{ keystone_service }}
- {%- endif %}
- defaults:
domain_name: {{ domain_name }}
@@ -157,7 +153,6 @@
{%- endif %}
-{%- if not grains.get('noservices', False) %}
keystone_domain_{{ domain_name }}:
cmd.run:
- name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
@@ -165,7 +160,6 @@
- require:
- file: /root/keystonercv3
- service: {{ keystone_service }}
-{%- endif %}
{%- endfor %}
@@ -189,9 +183,9 @@
service.running:
- name: {{ server.service_name }}
- enable: True
- {% if grains.noservices is defined %}
- - onlyif: {% if grains.get('noservices', "True") %}"True"{% else %}False{% endif %}
- {% endif %}
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
- watch:
- file: /etc/keystone/keystone.conf
{%- endif %}
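Review bot: `- onlyif: /bin/false` makes the service state a no-op, but as far as I know Salt reports a state skipped by `onlyif` as successful, so states that `require` or `watch_in` `{{ keystone_service }}` still run when the `noservices` grain is set. The other hunks in this file remove the `noservices` guards around `purge_not_needed_configs`, the domain config `watch_in` and `keystone_domain_{{ domain_name }}`, so `openstack domain create` may now run against a keystone that was never started, unless an outer guard outside these hunks still covers it. Separately, `grains.get('noservices')` is truthy for a string grain such as `"False"`; a comment like `# noservices must be a real boolean grain, any non-empty string disables the service` would document that. The state's header is outside the hunk.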
@@ -248,20 +242,30 @@
- require:
- service: {{ keystone_service }}
- file: keystone_fernet_keys
+{%- endif %}
-{%- if server.version == 'newton' %}
-keystone_fernet_setup_credentials:
+{% endif %}
+
+{%- if server.version in ['newton', 'ocata'] %}
+keystone_credential_keys:
+ file.directory:
+ - name: {{ server.credential.location }}
+ - mode: 750
+ - user: keystone
+ - group: keystone
+ - require:
+ - pkg: keystone_packages
+
+{%- if not grains.get('noservices', False) %}
+keystone_credential_setup:
cmd.run:
- name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
- require:
- service: {{ keystone_service }}
- - cmd: keystone_fernet_setup
- - file: keystone_fernet_keys
+ - file: keystone_credential_keys
{%- endif %}
{%- endif %}
-{% endif %}
-
{%- if not grains.get('noservices', False) %}
{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
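Review bot: `- mode: 750` on `keystone_credential_keys` is an unquoted integer and gives the `keystone` group read and traverse access to the credential encryption keys. Salt's documentation recommends quoting file modes, and if only the `keystone` user reads the keys, `- mode: '0700'` is the tighter setting. `keystone_credential_setup` has no `unless`, `creates` or `onchanges` guard, so `keystone-manage credential_setup` is invoked on every run and the state will report a change each time. For the clustered metadata class, it is worth confirming that key distribution between nodes is handled outside this hunk. Otherwise each node would generate its own key, and credentials encrypted on one node could not be decrypted on another.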
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 5038cf3..147bd34 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -30,6 +30,8 @@
engine: cache
expiration: 43200
location: /etc/keystone/fernet-keys/
+ credential:
+ location: /etc/keystone/credential-keys/
message_queue:
engine: rabbitmq
host: ${_param:cluster_vip_address}
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 5269121..d131fd7 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -30,6 +30,8 @@
engine: cache
expiration: 43200
location: /etc/keystone/fernet-keys/
+ credential:
+ location: /etc/keystone/credential-keys/
message_queue:
engine: rabbitmq
host: ${_param:single_address}