Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / keystone / 5f110b0aa71f3ddf517f8e9928ed2bda3b6d2d7e / . / keystone / server.sls
blob: 54dc774762282164d83dd1d620eb8b10ae5d8c24 [file] [log] [blame]
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]1{%- from "keystone/map.jinja" import server with context %}
2{%- if server.enabled %}
3
4keystone_packages:
5 pkg.installed:
6 - names: {{ server.pkgs }}
7
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]8{%- if server.service_name in ['apache2', 'httpd'] %}
9include:
10- apache
11
12{%- if grains.os_family == "Debian" %}
13keystone:
14{%- endif %}
15{%- if grains.os_family == "RedHat" %}
16openstack-keystone:
17{%- endif %}
18 service.dead:
19 - enable: False
20 - watch:
21 - pkg: keystone_packages
22
23{%- endif %}
24
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]25keystone_salt_config:
26 file.managed:
27 - name: /etc/salt/minion.d/keystone.conf
28 - template: jinja
29 - source: salt://keystone/files/salt-minion.conf
30 - mode: 600
31
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]32{%- if not salt['user.info']('keystone') %}
33
34keystone_user:
35 user.present:
36 - name: keystone
37 - home: /var/lib/keystone
38 - uid: 301
39 - gid: 301
40 - shell: /bin/false
41 - system: True
42 - require_in:
43 - pkg: keystone_packages
44
45keystone_group:
46 group.present:
47 - name: keystone
48 - gid: 301
49 - system: True
50 - require_in:
51 - pkg: keystone_packages
52 - user: keystone_user
53
54{%- endif %}
55
56/etc/keystone/keystone.conf:
57 file.managed:
58 - source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
59 - template: jinja
60 - require:
61 - pkg: keystone_packages
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]62 {%- if not grains.get('noservices', False) %}
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]63 - watch_in:
64 - service: keystone_service
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]65 {%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]66
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]67{% if server.websso is defined %}
68
69/etc/keystone/sso_callback_template.html:
70 file.managed:
71 - source: salt://keystone/files/sso_callback_template.html
72 - require:
73 - pkg: keystone_packages
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]74 {%- if not grains.get('noservices', False) %}
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]75 - watch_in:
76 - service: keystone_service
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]77 {%- endif %}
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]78
79{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]80
81/etc/keystone/keystone-paste.ini:
82 file.managed:
83 - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
84 - template: jinja
85 - require:
86 - pkg: keystone_packages
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]87 {%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]88 - watch_in:
89 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]90 {%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]91
92/etc/keystone/policy.json:
93 file.managed:
94 - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
95 - require:
96 - pkg: keystone_packages
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]97 {%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]98 - watch_in:
99 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]100 {%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]101
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]102{%- if server.get("domain", {}) %}
103
104/etc/keystone/domains:
105 file.directory:
106 - mode: 0755
107 - require:
108 - pkg: keystone_packages
109
110{%- for domain_name, domain in server.domain.iteritems() %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]111
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]112/etc/keystone/domains/keystone.{{ domain_name }}.conf:
113 file.managed:
114 - source: salt://keystone/files/keystone.domain.conf
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100[diff] [blame]115 - template: jinja
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]116 - require:
117 - file: /etc/keystone/domains
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]118 {%- if not grains.get('noservices', False) %}
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]119 - watch_in:
120 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]121 {%- endif %}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]122 - defaults:
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100[diff] [blame]123 domain_name: {{ domain_name }}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]124
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]125{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]126
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]127keystone_domain_{{ domain_name }}_cacert:
128 file.managed:
129 - name: /etc/keystone/domains/{{ domain_name }}.pem
Filip Pytlounc7e3b812016-01-12 20:52:10 +0100[diff] [blame]130 - contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]131 - require:
132 - file: /etc/keystone/domains
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]133 {%- if not grains.get('noservices', False) %}
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]134 - watch_in:
135 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]136 {%- endif %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]137
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]138{%- endif %}
139
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]140{%- if not grains.get('noservices', False) %}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]141keystone_domain_{{ domain_name }}:
142 cmd.run:
143 - name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
144 - unless: source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"
145 - require:
146 - file: /root/keystonercv3
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]147 {%- if not grains.get('noservices', False) %}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]148 - service: keystone_service
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]149 {%- endif %}
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]150{%- endif %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]151
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]152{%- endfor %}
153
154{%- endif %}
155
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]156{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]157
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]158keystone_ldap_default_cacert:
159 file.managed:
160 - name: {{ server.ldap.tls.cacertfile }}
161 - contents_pillar: keystone:server:ldap:tls:cacert
162 - require:
163 - pkg: keystone_packages
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]164 {%- if not grains.get('noservices', False) %}
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]165 - watch_in:
166 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]167 {%- endif %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]168
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]169{%- endif %}
170
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]171{%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]172keystone_service:
173 service.running:
174 - name: {{ server.service_name }}
175 - enable: True
176 - watch:
177 - file: /etc/keystone/keystone.conf
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]178{%- endif %}
179
180{%- if grains.get('virtual_subtype', None) == "Docker" %}
181keystone_entrypoint:
182 file.managed:
183 - name: /entrypoint.sh
184 - template: jinja
185 - source: salt://keystone/files/entrypoint.sh
186 - mode: 755
187{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]188
189/root/keystonerc:
190 file.managed:
191 - source: salt://keystone/files/keystonerc
192 - template: jinja
193 - require:
194 - pkg: keystone_packages
195
196/root/keystonercv3:
197 file.managed:
198 - source: salt://keystone/files/keystonercv3
199 - template: jinja
200 - require:
201 - pkg: keystone_packages
202
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]203{%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]204keystone_syncdb:
205 cmd.run:
marco2f8986c2016-06-28 14:21:56 +0200[diff] [blame]206 - name: keystone-manage db_sync; sleep 1
Ruslan Usichenko64cd3542017-01-30 15:59:44 +0200[diff] [blame]207 - timeout: 120
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]208 - require:
209 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]210{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]211
212{% if server.tokens.engine == 'fernet' %}
213
Jakub Pavlik143338c2016-02-16 18:57:54 +0100[diff] [blame]214keystone_fernet_keys:
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]215 file.directory:
Jakub Pavlik143338c2016-02-16 18:57:54 +0100[diff] [blame]216 - name: {{ server.tokens.location }}
217 - mode: 750
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]218 - user: keystone
219 - group: keystone
220 - require:
221 - pkg: keystone_packages
222 - require_in:
223 - service: keystone_fernet_setup
224
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]225{%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]226keystone_fernet_setup:
227 cmd.run:
228 - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
229 - require:
230 - service: keystone_service
Jakub Pavlik143338c2016-02-16 18:57:54 +0100[diff] [blame]231 - file: keystone_fernet_keys
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]232{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]233
234{% endif %}
235
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]236{%- if not grains.get('noservices', False) %}
Ales Komarek95ceb4b2016-10-20 17:28:21 +0200[diff] [blame]237
238{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
239
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]240keystone_service_tenant:
241 keystone.tenant_present:
242 - name: {{ server.service_tenant }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]243 - connection_token: {{ server.service_token }}
244 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]245 - require:
246 - cmd: keystone_syncdb
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]247 - file: keystone_salt_config
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]248
249keystone_admin_tenant:
250 keystone.tenant_present:
251 - name: {{ server.admin_tenant }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]252 - connection_token: {{ server.service_token }}
253 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]254 - require:
255 - keystone: keystone_service_tenant
256
257keystone_roles:
258 keystone.role_present:
259 - names: {{ server.roles }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]260 - connection_token: {{ server.service_token }}
261 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]262 - require:
263 - keystone: keystone_service_tenant
264
265keystone_admin_user:
266 keystone.user_present:
267 - name: {{ server.admin_name }}
268 - password: {{ server.admin_password }}
269 - email: {{ server.admin_email }}
270 - tenant: {{ server.admin_tenant }}
271 - roles:
272 {{ server.admin_tenant }}:
273 - admin
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]274 - connection_token: {{ server.service_token }}
275 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]276 - require:
277 - keystone: keystone_admin_tenant
278 - keystone: keystone_roles
279
Ales Komarek95ceb4b2016-10-20 17:28:21 +0200[diff] [blame]280{%- endif %}
281
282{%- for service_name, service in server.get('service', {}).iteritems() %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]283
284keystone_{{ service_name }}_service:
285 keystone.service_present:
286 - name: {{ service_name }}
287 - service_type: {{ service.type }}
288 - description: {{ service.description }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]289 - connection_token: {{ server.service_token }}
290 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]291 - require:
292 - keystone: keystone_roles
293
Petr Michalec685a2192017-03-06 14:58:01 +0100[diff] [blame]294keystone_{{ service_name }}_{{ service.get('region', 'RegionOne') }}_endpoint:
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]295 keystone.endpoint_present:
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]296 - name: {{ service.get('service', service_name) }}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]297 - publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
298 - internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
299 - adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
300 - region: {{ service.get('region', 'RegionOne') }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]301 - connection_token: {{ server.service_token }}
302 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]303 - require:
304 - keystone: keystone_{{ service_name }}_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]305 - file: keystone_salt_config
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]306
307{% if service.user is defined %}
308
309keystone_user_{{ service.user.name }}:
310 keystone.user_present:
311 - name: {{ service.user.name }}
312 - password: {{ service.user.password }}
313 - email: {{ server.admin_email }}
314 - tenant: {{ server.service_tenant }}
315 - roles:
316 {{ server.service_tenant }}:
317 - admin
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]318 - connection_token: {{ server.service_token }}
319 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]320 - require:
321 - keystone: keystone_roles
322
323{% endif %}
324
Ales Komarek95ceb4b2016-10-20 17:28:21 +0200[diff] [blame]325{%- endfor %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]326
327{%- for tenant_name, tenant in server.get('tenant', {}).iteritems() %}
328
329keystone_tenant_{{ tenant_name }}:
330 keystone.tenant_present:
331 - name: {{ tenant_name }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]332 - connection_token: {{ server.service_token }}
333 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]334 - require:
335 - keystone: keystone_roles
336
337{%- for user_name, user in tenant.get('user', {}).iteritems() %}
338
339keystone_user_{{ user_name }}:
340 keystone.user_present:
341 - name: {{ user_name }}
342 - password: {{ user.password }}
343 - email: {{ user.get('email', 'root@localhost') }}
344 - tenant: {{ tenant_name }}
345 - roles:
346 {{ tenant_name }}:
347 {%- if user.get('roles', False) %}
348 {{ user.roles }}
349 {%- else %}
350 - Member
351 {%- endif %}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]352 - connection_token: {{ server.service_token }}
353 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]354 - require:
355 - keystone: keystone_tenant_{{ tenant_name }}
356
357{%- endfor %}
358
359{%- endfor %}
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]360{%- endif %} {# end noservices #}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]361
362{%- endif %}