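{#-
  keystone/server.sls: install and configure the Keystone server.

  Everything is driven by the `server` map from keystone/map.jinja and the
  whole file renders to nothing unless server.enabled is set. Ordering is
  expressed through require/watch requisites, not file position.

  Changes relative to the previous revision:
    - dict.iteritems() replaced by dict.items() (the former does not exist on
      Python 3 minions; iteration order and content are unchanged on Python 2)
    - octal modes quoted so YAML cannot reinterpret them as decimal integers
    - the domain CA-cert guard no longer raises when domain.ldap or
      domain.ldap.tls is absent, and its contents_pillar path now mirrors
      the guard (…:ldap:tls:cacert)
    - fernet-keys directory requisite pointed at the cmd state it refers to
      (it was declared as a service, which Salt cannot resolve)
    - fernet_setup only runs while the key repository does not yet exist
    - admin rc files and the fernet key repository restricted to their owner
-#}
{%- from "keystone/map.jinja" import server with context %}
{%- if server.enabled %}

# server.pkgs is a list; Jinja renders it as a flow sequence.
keystone_packages:
  pkg.installed:
    - names: {{ server.pkgs }}

{%- if not salt['user.info']('keystone') %}

# Service account with a fixed uid/gid, created before the packages so the
# package maintainer scripts find it already present (presumed intent).
keystone_user:
  user.present:
    - name: keystone
    - home: /var/lib/keystone
    - uid: 301
    - gid: 301
    - shell: /bin/false
    - system: True
    - require_in:
      - pkg: keystone_packages

# The group must exist before the user above, which refers to gid 301.
keystone_group:
  group.present:
    - name: keystone
    - gid: 301
    - system: True
    - require_in:
      - pkg: keystone_packages
      - user: keystone_user

{%- endif %}

# keystone_service declares its own watch on this file, so no watch_in here.
/etc/keystone/keystone.conf:
  file.managed:
    - source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
    - template: jinja
    - require:
      - pkg: keystone_packages

/etc/keystone/keystone-paste.ini:
  file.managed:
    - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
    - template: jinja
    - require:
      - pkg: keystone_packages
    - watch_in:
      - service: keystone_service

/etc/keystone/policy.json:
  file.managed:
    - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
    - require:
      - pkg: keystone_packages
    - watch_in:
      - service: keystone_service

{%- if server.get("domain", {}) %}

# Per-domain identity backend configuration (one file per domain below).
/etc/keystone/domains:
  file.directory:
    - mode: "0755"
    - require:
      - pkg: keystone_packages

{%- for domain_name, domain in server.domain.items() %}
# NOTE(review): if keystone.domain.conf carries LDAP bind credentials, this
# file should also get user/group keystone and a 0640 mode - confirm against
# the template.
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
  file.managed:
    - source: salt://keystone/files/keystone.domain.conf
    - template: jinja
    - require:
      - file: /etc/keystone/domains
    - watch_in:
      - service: keystone_service
    - defaults:
        domain_name: {{ domain_name }}

{%- if domain.ldap is defined and domain.ldap.tls is defined and domain.ldap.tls.cacert is defined %}
# CA bundle for the domain's LDAP backend. The pillar path mirrors the guard
# above; this assumes `server` is the pillar subtree keystone:server.
keystone_domain_{{ domain_name }}_cacert:
  file.managed:
    - name: /etc/keystone/domains/{{ domain_name }}.pem
    - contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
    - require:
      - file: /etc/keystone/domains
    - watch_in:
      - service: keystone_service
{%- endif %}

# Both the description and the domain name are spliced into a shell command
# line; keep these pillar values free of shell metacharacters and quotes.
# `domain show` exits non-zero when the domain is missing, which is an exact
# name match (grepping `domain list` also matched longer names with the same
# prefix).
keystone_domain_{{ domain_name }}:
  cmd.run:
    - name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
    - unless: source /root/keystonercv3 && openstack domain show {{ domain_name }}
    - require:
      - file: /root/keystonercv3
      - service: keystone_service
{%- endfor %}

{%- endif %}

keystone_service:
  service.running:
    - name: {{ server.service_name }}
    - enable: True
    - watch:
      - file: /etc/keystone/keystone.conf

# Admin credential files sourced by the CLI steps; readable by their owner only.
/root/keystonerc:
  file.managed:
    - source: salt://keystone/files/keystonerc
    - template: jinja
    - mode: "0600"
    - require:
      - pkg: keystone_packages

/root/keystonercv3:
  file.managed:
    - source: salt://keystone/files/keystonercv3
    - template: jinja
    - mode: "0600"
    - require:
      - pkg: keystone_packages

# Runs on every highstate (no unless/creates); db_sync itself is idempotent.
keystone_syncdb:
  cmd.run:
    - name: keystone-manage db_sync
    - require:
      - service: keystone_service

{% if server.tokens.engine == 'fernet' %}

# Token key repository: key material, so owner-only access for keystone.
/etc/keystone/fernet-keys:
  file.directory:
    - mode: "0700"
    - user: keystone
    - group: keystone
    - require:
      - pkg: keystone_packages
    - require_in:
      - cmd: keystone_fernet_setup

# Only initialise the repository once; key "0" is the first key fernet_setup
# writes, so its presence marks an initialised repository.
keystone_fernet_setup:
  cmd.run:
    - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    - creates: /etc/keystone/fernet-keys/0
    - require:
      - service: keystone_service

{% endif %}

keystone_service_tenant:
  keystone.tenant_present:
    - name: {{ server.service_tenant }}
    - require:
      - cmd: keystone_syncdb

keystone_admin_tenant:
  keystone.tenant_present:
    - name: {{ server.admin_tenant }}
    - require:
      - keystone: keystone_service_tenant

keystone_roles:
  keystone.role_present:
    - names: {{ server.roles }}
    - require:
      - keystone: keystone_service_tenant

# NOTE(review): password/email/name are rendered unquoted; a value containing
# YAML-significant characters (": ", " #", a leading indicator) will break the
# rendered state. Quote or encode such values at the pillar level.
keystone_admin_user:
  keystone.user_present:
    - name: {{ server.admin_name }}
    - password: {{ server.admin_password }}
    - email: {{ server.admin_email }}
    - tenant: {{ server.admin_tenant }}
    - roles:
        {{ server.admin_tenant }}:
          - admin
    - require:
      - keystone: keystone_admin_tenant
      - keystone: keystone_roles

{% for service_name, service in server.get('service', {}).items() %}

keystone_{{ service_name }}_service:
  keystone.service_present:
    - name: {{ service_name }}
    - service_type: {{ service.type }}
    - description: {{ service.description }}
    - require:
      - keystone: keystone_roles

# Protocol defaults to http per endpoint; region defaults to RegionOne.
keystone_{{ service_name }}_endpoint:
  keystone.endpoint_present:
    - name: {{ service_name }}
    - publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
    - internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
    - adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
    - region: {{ service.get('region', 'RegionOne') }}
    - require:
      - keystone: keystone_{{ service_name }}_service

{% if service.user is defined %}

# Service account in the service tenant, granted admin there.
keystone_user_{{ service.user.name }}:
  keystone.user_present:
    - name: {{ service.user.name }}
    - password: {{ service.user.password }}
    - email: {{ server.admin_email }}
    - tenant: {{ server.service_tenant }}
    - roles:
        {{ server.service_tenant }}:
          - admin
    - require:
      - keystone: keystone_roles

{% endif %}

{% endfor %}

{%- for tenant_name, tenant in server.get('tenant', {}).items() %}

keystone_tenant_{{ tenant_name }}:
  keystone.tenant_present:
    - name: {{ tenant_name }}
    - require:
      - keystone: keystone_roles

{%- for user_name, user in tenant.get('user', {}).items() %}

# Roles default to Member in the tenant unless user.roles lists others
# (user.roles is a list and renders as a flow sequence).
keystone_user_{{ user_name }}:
  keystone.user_present:
    - name: {{ user_name }}
    - password: {{ user.password }}
    - email: {{ user.get('email', 'root@localhost') }}
    - tenant: {{ tenant_name }}
    - roles:
        {{ tenant_name }}:
        {%- if user.get('roles', False) %}
          {{ user.roles }}
        {%- else %}
          - Member
        {%- endif %}
    - require:
      - keystone: keystone_tenant_{{ tenant_name }}

{%- endfor %}

{%- endfor %}

{%- endif %}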