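{#-
  keystone server state: installs Keystone, lays down its configuration and
  credential files, initialises the database / Fernet key repository, and then
  seeds tenants, roles, users, services and endpoints from pillar
  (keystone:server). Everything that needs a running service is skipped when
  the `noservices` grain is set (image builds, containers).

  Notes for maintainers (security-relevant):
    * /root/keystonerc and /root/keystonercv3 are `source`d by the CLI states
      below, i.e. they carry admin credentials: keep them 0600 and keep their
      diffs out of the job return (show_changes: False).
    * Pillar values are interpolated into YAML and into shell command lines.
      Secrets are YAML-quoted below so a value that looks like a bool/number
      or contains `: ` / ` #` cannot be re-typed or break rendering; values
      that reach a shell line (domain name / description) must stay free of
      shell metacharacters because cmd.run offers no escaping here.
    * Bug fixed: the Fernet key directory pointed a `require_in` at
      `service: keystone_fernet_setup`, which is a cmd state (and does not
      exist at all under `noservices`), so the state failed to resolve.
-#}
{%- from "keystone/map.jinja" import server with context %}
{%- if server.enabled %}

keystone_packages:
  pkg.installed:
    - names: {{ server.pkgs }}

# Minion-side configuration for Salt's keystone execution module (consumed by
# the keystone.* states further down). The author keeps it root-only, so treat
# the rendered content as secret and do not echo its diff into job returns.
keystone_salt_config:
  file.managed:
    - name: /etc/salt/minion.d/keystone.conf
    - template: jinja
    - source: salt://keystone/files/salt-minion.conf
    - mode: 600
    - show_changes: False

{%- if not salt['user.info']('keystone') %}

# Fixed uid/gid so the service account is identical on every node (shared
# storage, containers); created before the package so packaging does not
# allocate a different dynamic id.
keystone_user:
  user.present:
    - name: keystone
    - home: /var/lib/keystone
    - uid: 301
    - gid: 301
    - shell: /bin/false
    - system: True
    - require_in:
      - pkg: keystone_packages

keystone_group:
  group.present:
    - name: keystone
    - gid: 301
    - system: True
    - require_in:
      - pkg: keystone_packages
      - user: keystone_user

{%- endif %}

# Main service configuration. The rendered file normally carries the database
# connection string (with password) and other backend secrets, so it is owned
# by the service account and not world-readable, matching distro packaging.
# Its diff is still shown; be aware that it may contain those secrets.
/etc/keystone/keystone.conf:
  file.managed:
    - source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
    - template: jinja
    - user: keystone
    - group: keystone
    - mode: 640
    - require:
      - pkg: keystone_packages

# WSGI pipeline definition; a change here requires a service restart.
/etc/keystone/keystone-paste.ini:
  file.managed:
    - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
    - template: jinja
    - require:
      - pkg: keystone_packages
    {%- if not grains.get('noservices', False) %}
    - watch_in:
      - service: keystone_service
    {%- endif %}

# Authorization policy, selected by API version; not templated (plain JSON).
/etc/keystone/policy.json:
  file.managed:
    - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
    - require:
      - pkg: keystone_packages
    {%- if not grains.get('noservices', False) %}
    - watch_in:
      - service: keystone_service
    {%- endif %}

{%- if server.get("domain", {}) %}

/etc/keystone/domains:
  file.directory:
    - mode: 0755
    - require:
      - pkg: keystone_packages

{%- for domain_name, domain in server.domain.items() %}

# Per-domain identity backend configuration. When the domain is LDAP-backed
# this file typically carries the bind password, so it is readable by the
# service account only.
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
  file.managed:
    - source: salt://keystone/files/keystone.domain.conf
    - template: jinja
    - user: keystone
    - group: keystone
    - mode: 640
    - require:
      - file: /etc/keystone/domains
    {%- if not grains.get('noservices', False) %}
    - watch_in:
      - service: keystone_service
    {%- endif %}
    - defaults:
        domain_name: {{ domain_name }}

{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}

# CA bundle used to verify the domain's LDAP server. contents_pillar writes the
# PEM verbatim (no templating), which keeps the certificate byte-exact.
keystone_domain_{{ domain_name }}_cacert:
  file.managed:
    - name: /etc/keystone/domains/{{ domain_name }}.pem
    - contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
    - require:
      - file: /etc/keystone/domains
    {%- if not grains.get('noservices', False) %}
    - watch_in:
      - service: keystone_service
    {%- endif %}

{%- endif %}

{%- if not grains.get('noservices', False) %}
# Creates the domain through the CLI with the v3 admin rc file. `unless` uses
# `domain show`, which exits non-zero only when the domain is absent; the
# earlier `domain list | grep " name"` also matched any domain whose name
# merely started with this one. `source` is a bash builtin, so pin the shell.
# The name and description are interpolated unescaped into a shell line: keep
# them free of quotes, `$`, backticks and `;` in pillar.
keystone_domain_{{ domain_name }}:
  cmd.run:
    - name: source /root/keystonercv3 && openstack domain create --description "{{ domain.get('description', '') }}" {{ domain_name }}
    - unless: source /root/keystonercv3 && openstack domain show {{ domain_name }}
    - shell: /bin/bash
    - require:
      - file: /root/keystonercv3
      - service: keystone_service
{%- endif %}

{%- endfor %}

{%- endif %}

{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}

# CA bundle for the default-domain LDAP backend, written verbatim from pillar
# to the path keystone.conf points at.
keystone_ldap_default_cacert:
  file.managed:
    - name: {{ server.ldap.tls.cacertfile }}
    - contents_pillar: keystone:server:ldap:tls:cacert
    - require:
      - pkg: keystone_packages
    {%- if not grains.get('noservices', False) %}
    - watch_in:
      - service: keystone_service
    {%- endif %}

{%- endif %}

{%- if not grains.get('noservices', False) %}
# The service restarts on keystone.conf changes directly; the other config
# files hook in via watch_in above.
keystone_service:
  service.running:
    - name: {{ server.service_name }}
    - enable: True
    - watch:
      - file: /etc/keystone/keystone.conf
{%- endif %}

{%- if grains.get('virtual_subtype', None) == "Docker" %}
keystone_entrypoint:
  file.managed:
    - name: /entrypoint.sh
    - template: jinja
    - source: salt://keystone/files/entrypoint.sh
    - mode: 755
{%- endif %}

# Admin credential files (v2 and v3) that the CLI states `source`. Root-only,
# and their diff is suppressed so the admin password is not printed into the
# highstate output or the master job cache.
/root/keystonerc:
  file.managed:
    - source: salt://keystone/files/keystonerc
    - template: jinja
    - mode: 600
    - show_changes: False
    - require:
      - pkg: keystone_packages

/root/keystonercv3:
  file.managed:
    - source: salt://keystone/files/keystonercv3
    - template: jinja
    - mode: 600
    - show_changes: False
    - require:
      - pkg: keystone_packages

{%- if not grains.get('noservices', False) %}
# Schema migration; ordered after the service as in the original layout.
keystone_syncdb:
  cmd.run:
    - name: keystone-manage db_sync
    - require:
      - service: keystone_service
{%- endif %}

{% if server.tokens.engine == 'fernet' %}

# Fernet key repository: these keys are the token-signing secret. Owned by the
# service account, not world-readable.
keystone_fernet_keys:
  file.directory:
    - name: {{ server.tokens.location }}
    - mode: 750
    - user: keystone
    - group: keystone
    - require:
      - pkg: keystone_packages

{%- if not grains.get('noservices', False) %}
# Initialises the key repository once. Key `0` (the staged key) is present in
# every initialised repository, so its existence is the idempotency marker and
# the state no longer reports a change on every run.
keystone_fernet_setup:
  cmd.run:
    - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    - unless: test -e {{ server.tokens.location }}/0
    - require:
      - service: keystone_service
      - file: keystone_fernet_keys
{%- endif %}

{% endif %}

{%- if not grains.get('noservices', False) %}
# Everything below talks to the running API through Salt's keystone module,
# hence the dependency on keystone_salt_config and on the schema being synced.
keystone_service_tenant:
  keystone.tenant_present:
    - name: {{ server.service_tenant }}
    - require:
      - cmd: keystone_syncdb
      - file: keystone_salt_config

keystone_admin_tenant:
  keystone.tenant_present:
    - name: {{ server.admin_tenant }}
    - require:
      - keystone: keystone_service_tenant

keystone_roles:
  keystone.role_present:
    - names: {{ server.roles }}
    - require:
      - keystone: keystone_service_tenant

# Passwords are YAML single-quoted (with `'` doubled) so a value such as
# `yes`, `1e5` or one containing `: ` is passed through as the exact string.
keystone_admin_user:
  keystone.user_present:
    - name: {{ server.admin_name }}
    - password: '{{ server.admin_password | replace("'", "''") }}'
    - email: {{ server.admin_email }}
    - tenant: {{ server.admin_tenant }}
    - roles:
        {{ server.admin_tenant }}:
          - admin
    - require:
      - keystone: keystone_admin_tenant
      - keystone: keystone_roles

{% for service_name, service in server.get('service', {}).items() %}

keystone_{{ service_name }}_service:
  keystone.service_present:
    - name: {{ service_name }}
    - service_type: {{ service.type }}
    - description: {{ service.description }}
    - require:
      - keystone: keystone_roles

# Endpoint URLs default to plain http unless *_protocol is set in pillar.
keystone_{{ service_name }}_endpoint:
  keystone.endpoint_present:
    - name: {{ service.get('service', service_name) }}
    - publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
    - internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
    - adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
    - region: {{ service.get('region', 'RegionOne') }}
    - require:
      - keystone: keystone_{{ service_name }}_service
      - file: keystone_salt_config

{% if service.user is defined %}

# Service account in the service tenant. It is granted `admin` there, as the
# original does; state ids are `keystone_user_<name>`, so a tenant user below
# with the same name would produce a duplicate id and fail to render.
keystone_user_{{ service.user.name }}:
  keystone.user_present:
    - name: {{ service.user.name }}
    - password: '{{ service.user.password | replace("'", "''") }}'
    - email: {{ server.admin_email }}
    - tenant: {{ server.service_tenant }}
    - roles:
        {{ server.service_tenant }}:
          - admin
    - require:
      - keystone: keystone_roles

{% endif %}

{% endfor %}

{%- for tenant_name, tenant in server.get('tenant', {}).items() %}

keystone_tenant_{{ tenant_name }}:
  keystone.tenant_present:
    - name: {{ tenant_name }}
    - require:
      - keystone: keystone_roles

{%- for user_name, user in tenant.get('user', {}).items() %}

# Regular users; `user.roles` (a pillar list) is rendered as a flow sequence,
# otherwise the user gets `Member` only.
keystone_user_{{ user_name }}:
  keystone.user_present:
    - name: {{ user_name }}
    - password: '{{ user.password | replace("'", "''") }}'
    - email: {{ user.get('email', 'root@localhost') }}
    - tenant: {{ tenant_name }}
    - roles:
        {{ tenant_name }}:
        {%- if user.get('roles', False) %}
          {{ user.roles }}
        {%- else %}
          - Member
        {%- endif %}
    - require:
      - keystone: keystone_tenant_{{ tenant_name }}

{%- endfor %}

{%- endfor %}
{%- endif %} {# end noservices #}

{%- endif %}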