Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / keystone / f61df54cb61152d128c90e179e3b1068fb6b003d / . / keystone / server.sls
blob: eb08cdc17072b6c615ee305bd071f0ad7873cdf5 [file] [log] [blame]
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]1{%- from "keystone/map.jinja" import server with context %}
2{%- if server.enabled %}
3
4keystone_packages:
5 pkg.installed:
6 - names: {{ server.pkgs }}
7
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]8{%- if server.service_name in ['apache2', 'httpd'] %}
9include:
10- apache
11
12{%- if grains.os_family == "Debian" %}
13keystone:
14{%- endif %}
15{%- if grains.os_family == "RedHat" %}
16openstack-keystone:
17{%- endif %}
18 service.dead:
19 - enable: False
20 - watch:
21 - pkg: keystone_packages
22
23{%- endif %}
24
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]25keystone_salt_config:
26 file.managed:
27 - name: /etc/salt/minion.d/keystone.conf
28 - template: jinja
29 - source: salt://keystone/files/salt-minion.conf
30 - mode: 600
31
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]32{%- if not salt['user.info']('keystone') %}
33
34keystone_user:
35 user.present:
36 - name: keystone
37 - home: /var/lib/keystone
38 - uid: 301
39 - gid: 301
40 - shell: /bin/false
41 - system: True
42 - require_in:
43 - pkg: keystone_packages
44
45keystone_group:
46 group.present:
47 - name: keystone
48 - gid: 301
49 - system: True
50 - require_in:
51 - pkg: keystone_packages
52 - user: keystone_user
53
54{%- endif %}
55
56/etc/keystone/keystone.conf:
57 file.managed:
58 - source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
59 - template: jinja
60 - require:
61 - pkg: keystone_packages
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]62 {%- if not grains.get('noservices', False) %}
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]63 - watch_in:
64 - service: keystone_service
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]65 {%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]66
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]67{% if server.websso is defined %}
68
69/etc/keystone/sso_callback_template.html:
70 file.managed:
71 - source: salt://keystone/files/sso_callback_template.html
72 - require:
73 - pkg: keystone_packages
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]74 {%- if not grains.get('noservices', False) %}
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]75 - watch_in:
76 - service: keystone_service
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]77 {%- endif %}
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]78
79{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]80
81/etc/keystone/keystone-paste.ini:
82 file.managed:
83 - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
84 - template: jinja
85 - require:
86 - pkg: keystone_packages
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]87 {%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]88 - watch_in:
89 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]90 {%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]91
92/etc/keystone/policy.json:
93 file.managed:
94 - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
95 - require:
96 - pkg: keystone_packages
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]97 {%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]98 - watch_in:
99 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]100 {%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]101
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]102{%- if server.get("domain", {}) %}
103
104/etc/keystone/domains:
105 file.directory:
106 - mode: 0755
107 - require:
108 - pkg: keystone_packages
109
110{%- for domain_name, domain in server.domain.iteritems() %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]111
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]112/etc/keystone/domains/keystone.{{ domain_name }}.conf:
113 file.managed:
114 - source: salt://keystone/files/keystone.domain.conf
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100[diff] [blame]115 - template: jinja
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]116 - require:
117 - file: /etc/keystone/domains
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]118 {%- if not grains.get('noservices', False) %}
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]119 - watch_in:
120 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]121 {%- endif %}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]122 - defaults:
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100[diff] [blame]123 domain_name: {{ domain_name }}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]124
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]125{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]126
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]127keystone_domain_{{ domain_name }}_cacert:
128 file.managed:
129 - name: /etc/keystone/domains/{{ domain_name }}.pem
Filip Pytlounc7e3b812016-01-12 20:52:10 +0100[diff] [blame]130 - contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]131 - require:
132 - file: /etc/keystone/domains
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]133 {%- if not grains.get('noservices', False) %}
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]134 - watch_in:
135 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]136 {%- endif %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]137
Filip Pytloun3e2555e2016-01-12 20:23:34 +0100[diff] [blame]138{%- endif %}
139
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]140{%- if not grains.get('noservices', False) %}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]141keystone_domain_{{ domain_name }}:
142 cmd.run:
143 - name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
144 - unless: source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"
145 - require:
146 - file: /root/keystonercv3
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]147 {%- if not grains.get('noservices', False) %}
Filip Pytloun5b503852016-01-12 14:02:07 +0100[diff] [blame]148 - service: keystone_service
Petr Michalece9a6c2a2017-03-05 20:14:34 +0100[diff] [blame]149 {%- endif %}
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]150{%- endif %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]151
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]152{%- endfor %}
153
154{%- endif %}
155
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]156{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]157
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]158keystone_ldap_default_cacert:
159 file.managed:
160 - name: {{ server.ldap.tls.cacertfile }}
161 - contents_pillar: keystone:server:ldap:tls:cacert
162 - require:
163 - pkg: keystone_packages
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]164 {%- if not grains.get('noservices', False) %}
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]165 - watch_in:
166 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]167 {%- endif %}
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]168
Filip Pytloun19620f72016-01-19 16:27:00 +0100[diff] [blame]169{%- endif %}
170
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]171{%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]172keystone_service:
173 service.running:
174 - name: {{ server.service_name }}
175 - enable: True
176 - watch:
177 - file: /etc/keystone/keystone.conf
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]178{%- endif %}
179
180{%- if grains.get('virtual_subtype', None) == "Docker" %}
181keystone_entrypoint:
182 file.managed:
183 - name: /entrypoint.sh
184 - template: jinja
185 - source: salt://keystone/files/entrypoint.sh
186 - mode: 755
187{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]188
189/root/keystonerc:
190 file.managed:
191 - source: salt://keystone/files/keystonerc
192 - template: jinja
193 - require:
194 - pkg: keystone_packages
195
196/root/keystonercv3:
197 file.managed:
198 - source: salt://keystone/files/keystonercv3
199 - template: jinja
200 - require:
201 - pkg: keystone_packages
202
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]203{%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]204keystone_syncdb:
205 cmd.run:
marco2f8986c2016-06-28 14:21:56 +0200[diff] [blame]206 - name: keystone-manage db_sync; sleep 1
Ruslan Usichenko64cd3542017-01-30 15:59:44 +0200[diff] [blame]207 - timeout: 120
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]208 - require:
209 - service: keystone_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]210{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]211
212{% if server.tokens.engine == 'fernet' %}
213
Jakub Pavlik143338c2016-02-16 18:57:54 +0100[diff] [blame]214keystone_fernet_keys:
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]215 file.directory:
Jakub Pavlik143338c2016-02-16 18:57:54 +0100[diff] [blame]216 - name: {{ server.tokens.location }}
217 - mode: 750
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]218 - user: keystone
219 - group: keystone
220 - require:
221 - pkg: keystone_packages
222 - require_in:
223 - service: keystone_fernet_setup
224
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]225{%- if not grains.get('noservices', False) %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]226keystone_fernet_setup:
227 cmd.run:
228 - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
229 - require:
230 - service: keystone_service
Jakub Pavlik143338c2016-02-16 18:57:54 +0100[diff] [blame]231 - file: keystone_fernet_keys
Jakub Pavlikf61df542017-04-03 18:01:23 +0200[diff] [blame^]232
233{%- if server.version == 'newton' %}
234keystone_fernet_setup_credentials:
235 cmd.run:
236 - name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
237 - require:
238 - service: keystone_service
239 - cmd: keystone_fernet_setup
240 - file: keystone_fernet_keys
241{%- endif %}
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]242{%- endif %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]243
244{% endif %}
245
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]246{%- if not grains.get('noservices', False) %}
Ales Komarek95ceb4b2016-10-20 17:28:21 +0200[diff] [blame]247
248{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
249
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]250keystone_service_tenant:
251 keystone.tenant_present:
252 - name: {{ server.service_tenant }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]253 - connection_token: {{ server.service_token }}
254 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]255 - require:
256 - cmd: keystone_syncdb
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]257 - file: keystone_salt_config
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]258
259keystone_admin_tenant:
260 keystone.tenant_present:
261 - name: {{ server.admin_tenant }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]262 - connection_token: {{ server.service_token }}
263 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]264 - require:
265 - keystone: keystone_service_tenant
266
267keystone_roles:
268 keystone.role_present:
269 - names: {{ server.roles }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]270 - connection_token: {{ server.service_token }}
271 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]272 - require:
273 - keystone: keystone_service_tenant
274
275keystone_admin_user:
276 keystone.user_present:
277 - name: {{ server.admin_name }}
278 - password: {{ server.admin_password }}
279 - email: {{ server.admin_email }}
280 - tenant: {{ server.admin_tenant }}
281 - roles:
282 {{ server.admin_tenant }}:
283 - admin
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]284 - connection_token: {{ server.service_token }}
285 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]286 - require:
287 - keystone: keystone_admin_tenant
288 - keystone: keystone_roles
289
Ales Komarek95ceb4b2016-10-20 17:28:21 +0200[diff] [blame]290{%- endif %}
291
292{%- for service_name, service in server.get('service', {}).iteritems() %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]293
294keystone_{{ service_name }}_service:
295 keystone.service_present:
296 - name: {{ service_name }}
297 - service_type: {{ service.type }}
298 - description: {{ service.description }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]299 - connection_token: {{ server.service_token }}
300 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]301 - require:
302 - keystone: keystone_roles
303
Petr Michalec685a2192017-03-06 14:58:01 +0100[diff] [blame]304keystone_{{ service_name }}_{{ service.get('region', 'RegionOne') }}_endpoint:
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]305 keystone.endpoint_present:
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]306 - name: {{ service.get('service', service_name) }}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]307 - publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
308 - internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
309 - adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
310 - region: {{ service.get('region', 'RegionOne') }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]311 - connection_token: {{ server.service_token }}
312 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]313 - require:
314 - keystone: keystone_{{ service_name }}_service
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]315 - file: keystone_salt_config
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]316
317{% if service.user is defined %}
318
319keystone_user_{{ service.user.name }}:
320 keystone.user_present:
321 - name: {{ service.user.name }}
322 - password: {{ service.user.password }}
323 - email: {{ server.admin_email }}
324 - tenant: {{ server.service_tenant }}
325 - roles:
326 {{ server.service_tenant }}:
327 - admin
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]328 - connection_token: {{ server.service_token }}
329 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]330 - require:
331 - keystone: keystone_roles
332
333{% endif %}
334
Ales Komarek95ceb4b2016-10-20 17:28:21 +0200[diff] [blame]335{%- endfor %}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]336
337{%- for tenant_name, tenant in server.get('tenant', {}).iteritems() %}
338
339keystone_tenant_{{ tenant_name }}:
340 keystone.tenant_present:
341 - name: {{ tenant_name }}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]342 - connection_token: {{ server.service_token }}
343 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]344 - require:
345 - keystone: keystone_roles
346
347{%- for user_name, user in tenant.get('user', {}).iteritems() %}
348
349keystone_user_{{ user_name }}:
350 keystone.user_present:
351 - name: {{ user_name }}
352 - password: {{ user.password }}
353 - email: {{ user.get('email', 'root@localhost') }}
354 - tenant: {{ tenant_name }}
355 - roles:
356 {{ tenant_name }}:
357 {%- if user.get('roles', False) %}
358 {{ user.roles }}
359 {%- else %}
360 - Member
361 {%- endif %}
Andres Montalban06c35892016-09-23 12:24:38 -0300[diff] [blame]362 - connection_token: {{ server.service_token }}
363 - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]364 - require:
365 - keystone: keystone_tenant_{{ tenant_name }}
366
367{%- endfor %}
368
369{%- endfor %}
Filip Pytlounb96a0a42016-05-25 11:36:44 +0200[diff] [blame]370{%- endif %} {# end noservices #}
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]371
372{%- endif %}