path: root/manifests/profile/base/keystone.pp
Age | Commit message | Author | Files | Lines
2017-06-01 | Add conditional for setting authlogin_nsswitch_use_ldap selboolean | Jacob Liberman | 1 file | -0/+6
    If selinux is enabled, the authlogin_nsswitch_use_ldap Boolean must be enabled. This setting allows LDAP communications to the confined LDAP/server port. This change includes a conditional for enabling this Boolean only when selinux is in use.
    Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe
    Closes-Bug: #1695002
2017-05-23 | Enable novajoin user on keystone profile | Juan Antonio Osorio Robles | 1 file | -0/+3
    If novajoin is enabled, the keystone profile should create its user.
    bp tls-via-certmonger-containers
    Change-Id: Ifb43b72cbf0180cf12e6d3584c92ae01ce5294e5
2017-04-19 | Merge "Ensure we configure ssl.conf" | Jenkins | 1 file | -0/+1
2017-04-18 | Ensure we configure ssl.conf | Lukas Bezdicka | 1 file | -0/+1
    Every time we call the apache module, regardless of using SSL, we have to configure mod_ssl from puppet-apache or we'll hit an issue during package update. The file /etc/httpd/conf.d/ssl.conf from the mod_ssl package contains Listen 443, while apache::mod::ssl just configures the SSL bits but does not add Listen. If apache::mod::ssl is not included, the ssl.conf file is removed and recreated during the mod_ssl package update. This causes a conflict on port 443.
    Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
    Related-Bug: 1682448
    Resolves: rhbz#1441977
2017-04-14 | Support for external swift proxy | Luca Lorenzetto | 1 file | -1/+1
    Users may have an external swift proxy already available (i.e. radosgw from an already existing ceph, or a hardware appliance implementing swift proxy). With this change the user may specify an environment file that registers the specified urls as endpoints for the object-store service. The internal swift proxy is left unconfigured.
    Change-Id: Ia568c3a5723d8bd8c2c37dbba094fc8a83b9d67e
2017-04-07 | Merge "Enable creation of keystone domain when ldap backends are created" | Jenkins | 1 file | -1/+3
2017-04-07 | Merge "Add missing octavia auth include to keystone manifest" | Jenkins | 1 file | -0/+3
2017-04-07 | Enable creation of keystone domain when ldap backends are created | Juan Antonio Osorio Robles | 1 file | -1/+3
    This sets the flag create_domain_entry for the ldap_backend resource, which will create the domain for the ldap backend (this was previously not the case, since only the configuration was created). Furthermore, this flag will also refresh the keystone server, so the changes come into effect. Note that this is only done in step 3, so the domains are created there and the refresh happens in that step. Also, this is only done for the bootstrap node, since when the other nodes start, they will already have the domains available in the keystone database and there won't be a need to restart.
    Related-Bug: #1677603
    Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28
    Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c
2017-04-06 | Add missing octavia auth include to keystone manifest | Brent Eagles | 1 file | -0/+3
    This patch adds the appropriate include to make sure that the appropriate keystone user, services, etc. are created when octavia is selected.
    Closes-bug: #1680588
    Change-Id: I0b6d657a0300538292223923d8808c23f936c193
2017-04-05 | Add a trigger to call ldap_backend define | Cyril Lopez | 1 file | -0/+16
    Ldap_backend is a define, so we need a resource to talk to it. If ldap_backend_enable is set by tripleo-heat-templates, we call ldap_backend as a resource. Given an environment such as the following:

        parameter_defaults:
          KeystoneLdapDomainEnable: true
          KeystoneLDAPBackendConfigs:
            tripleoldap:
              url: ldap://192.0.2.250
              user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
              password: Secrete
              suffix: dc=redhat,dc=example,dc=com
              user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
              user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
              user_objectclass: person
              user_id_attribute: cn
              user_allow_create: false
              user_allow_update: false
              user_allow_delete: false
          ControllerExtraConfig:
            nova::keystone::authtoken::auth_version: v3
            cinder::keystone::authtoken::auth_version: v3

    It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash.
    Partial-Bug: 1677603
    Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
    Co-Authored-By: Guillaume Coré <gucore@redhat.com>
    Signed-off-by: Cyril Lopez <cylopez@redhat.com>
    Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
2017-03-30 | Decouple ceilometer user create from API | Pradeep Kilambi | 1 file | -1/+4
    The Ceilometer user is needed for other ceilometer services to authenticate with keystone even when the API is not present, so the data can be dispatched to gnocchi. Let's keep these separate so the user always exists even when the api is not.
    Depends-On: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
    Closes-bug: #1677354
    Change-Id: I8f4e543a7cef5e50a35a191fe20e276d518daf20
2017-03-28 | Merge "Include oslo.messaging amqp support for rpc and notifications" | Jenkins | 1 file | -0/+4
2017-03-26 | Remove certificate request bits from service profiles | Juan Antonio Osorio Robles | 1 file | -13/+0
    This is now the job of the certmonger_user profile, so these bits are not needed anymore in the service profiles.
    Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800
    Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
2017-03-21 | Include oslo.messaging amqp support for rpc and notifications | Andrew Smith | 1 file | -0/+4
    This commit conditionally includes the messaging amqp class for the oslo.messaging AMQP 1.0 driver to support notifications.
    This patch:
      * includes the keystone::messaging::amqp class for oslo_messaging_amqp opts
    Change-Id: I8eb23a21d2499795c3a76ae3197bda7773165a8c
2017-02-28 | Merge "Ironic inspector support" | Jenkins | 1 file | -0/+3
2017-02-22 | Remove the string cast for using transport_url | Carlos Camacho | 1 file | -2/+2
    os_transport_url was updated to allow receiving a string or an integer as parameter. This fixes the workarounds in puppet-tripleo.
    Change-Id: I50993514048bf96b5a42b3425a7d6f98778fe694
    Depends-On: I9e56f8e2de542b20fe9e6995506cff5bb435e220
2017-02-20 | Ironic inspector support | Dan Prince | 1 file | -0/+3
    This includes a new ironic-inspector profile, and updates to the mysql and keystone profiles so that a database and endpoints are also created when the inspector is enabled.
    Change-Id: I4a71a95efb87a10528df0600277768969a32117b
2017-02-17 | Use rpc and notify transport_url for oslo_messaging backends | Andrew Smith | 1 file | -10/+69
    This commit adds the transport_url for specifying the oslo.messaging rpc and notify transport schemes. The rpc or notification backend can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating the host, port and auth configuration options. All drivers will get the options via the transport_url.
    This patch:
      * Adds transport_url to base services
      * Updates the corresponding specs
      * Adds to default hierdata
    Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
    Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
2017-02-14 | tuning: manage keystone resources only at step3 | Emilien Macchi | 1 file | -11/+7
    1. Manage Keystone resources only at step 3. Don't verify them at steps 4 and 5; it's a huge loss of time.
    2. Don't require Keystone resources for Gnocchi services; they are already ready at Step 5.
    Related-Bug: #1664418
    Change-Id: I9879718a1a86b862e5eb97e6f938533c96c9f5c8
2017-02-09 | Run nova-cell_v2-discover_hosts at step 5 | Emilien Macchi | 1 file | -2/+2
    We need to run nova-cell_v2-discover_hosts at the very end of the deployment because the nova database needs to be aware of all registered compute hosts.
    1. Move keystone resources management to step 3.
    2. Move the nova-compute service to step 4.
    3. Move nova-placement-api to step 3.
    5. Run nova-cell_v2-discover_hosts at step 5 on one nova-api node.
    6. Run neutron-ovs-agent at step 5 to avoid racy deployments where it starts before neutron-server when doing HA deployments.
    With that change, we expect Nova to be aware of all compute services deployed in TripleO during an initial deployment.
    Depends-On: If943157b2b4afeb640919e77ef0214518e13ee15
    Change-Id: I6f2df2a83a248fb5dc21c2bd56029eb45b66ceae
    Related-Bug: #1663273
    Related-Bug: #1663458
2017-02-09 | start nova-compute when keystone resources are created | Emilien Macchi | 1 file | -3/+3
    1. Move keystone resources management to step 4.
    2. Move nova-compute startup to step 5.
    That way, we make sure nova-compute will start when all Keystone resources are ready.
    Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d
    Closes-Bug: #1663273
2017-01-26 | Adding congress service | Dan Radez | 1 file | -0/+3
    Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474
    Signed-off-by: Dan Radez <dradez@redhat.com>
2017-01-25 | Adding tacker service | Dan Radez | 1 file | -0/+3
    Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
2017-01-20 | Implement Nova ec2api profile | Sven Anderson | 1 file | -1/+3
    Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
2017-01-11 | Implement Nova Placement API profile | Emilien Macchi | 1 file | -0/+3
    Allow TripleO to deploy Nova Placement API with a new profile.
    Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
2016-11-28 | Use FQDNs for the services' RabbitMQ configuration | Juan Antonio Osorio Robles | 1 file | -4/+4
    This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead.
    Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-21 | Merge "Add panko service support" | Jenkins | 1 file | -0/+3
2016-11-16 | Sort parameters in keystone profile alphabetically | Juan Antonio Osorio Robles | 1 file | -20/+20
    Change-Id: I035c26e0f50e4b3fc0f6085fa5a4bf524e4852b7
2016-11-16 | Remove explicit hiera calls for heat in keystone profile | Juan Antonio Osorio Robles | 1 file | -9/+8
    These are now passed via the heat profiles in t-h-t (via heat-base.yaml and heat-engine.yaml) and use the actual names of keystone parameters instead.
    Change-Id: Id0f5dd03b6757df989339c93b58a5b7eac3402a2
    Depends-On: I0e5124d57fdc519262fdec2dbeaaac85afaeebdf
2016-11-14 | Add panko service support | Pradeep Kilambi | 1 file | -0/+3
    Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
2016-11-08 | Add proper handling of IPv6 addresses for rabbit host/port handling | Brent Eagles | 1 file | -1/+2
    This patch changes the rabbit_hosts config generation to work properly with IPv6 addresses.
    Closes-Bug: #1639881
    Change-Id: I07cd983880a4a75a051e081dcb96134cb5c6f5e8
2016-11-02 | Create heat user in keystone profile | Alex Schultz | 1 file | -15/+36
    Rather than use the heat::keystone::domain class, which also includes the configuration options, we should just create the user for heat in keystone independently of the configuration.
    Change-Id: I7d42d04ef0c53dc1e62d684d8edacfed9fd28fbe
    Related-Bug: #1638350
    Closes-Bug: #1638626
2016-11-01 | Merge "Add barbican profile" | Jenkins | 1 file | -0/+3
2016-10-21 | Merge "Add zaqar profiles" | Jenkins | 1 file | -0/+4
2016-10-19 | Enable TLS in the internal network for keystone | Juan Antonio Osorio Robles | 1 file | -11/+79
    This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn, should also configure a command that should be run when the certificate is refreshed (which requires the service to be restarted).
    bp tls-via-certmonger
    Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
2016-10-19 | Add barbican profile | Ade Lee | 1 file | -0/+3
    Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
    Change-Id: If2804b469eb3ee08f3f194c7dd3290d23a245a7a
2016-10-17 | Add port to rabbitmq node ip list | Brent Eagles | 1 file | -1/+6
    We use the rabbit_hosts configuration for most of our services, but we haven't been adding the configured port. This patch appends the IP port provided to the service's heat template to the IPs in the list. Note: while we could use the value set for the rabbitmq server in rabbitmq::port, it doesn't allow for dealing with SSL. This is also backwards compatible with the RabbitClientPort parameters used in the heat templates.
    Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
    Closes-Bug: #1633580
2016-10-17 | Add zaqar profiles | Brad P. Crochet | 1 file | -0/+4
    Change-Id: Ie215289a7be681a2b1aa5495d3f965c005d62f52
    Depends-On: Ia863b38bbac1aceabe6b7deb6939c9db693ff16d
2016-10-14 | Move heat domain/user creation into keystone profile | Steven Hardy | 1 file | -0/+23
    This needs to happen on the node running keystone, or things break when you try to deploy e.g. the heat_engine service on a non-Controller role. We check the enabled flag for heat engine so this only happens if the heat_engine service is running on some (any) role.
    Partial-Bug: #1631130
    Change-Id: Ib088a572b384b479f51d56555734d78ab840a1f3
2016-09-27 | Move db syncs into mysql base role | Dan Prince | 1 file | -4/+0
    This patch moves the various DB syncs into the MySQL role. Database creation needs to occur on the MySQL server to avoid permission issues. This patch also moves database creation to step 2 so we can guarantee that all per-service databases exist at this time. This avoids the complex ordering needed during step 3, where services on different hosts can run their own db syncs in a distributed fashion.
    Change-Id: I05cc0afa9373429a3197c194c3e8f784ae96de5f
    Partial-bug: #1620595
2016-09-06 | Merge "Add Ceph RGW listener to HAProxy" | Jenkins | 1 file | -0/+3
2016-09-02 | Make service profiles default to rabbitmq_node_ips | Steven Hardy | 1 file | -0/+6
    Instead of hard-coded yaml aliases in t-h-t, make each service profile that requires rabbit default to the list of rabbit ips. Note this could still be extended in future to e.g. enable per-service rabbit clusters, but the default is to look up the hiera, which should be logically equivalent to current t-h-t.
    Change-Id: Ie53c93456529420588eb1927703ea91b54095d87
    Partially-Implements: blueprint custom-roles
2016-08-31 | Add Ceph RGW listener to HAProxy | Giulio Fidente | 1 file | -0/+3
    Shares the same (ssl) port with Swift Proxy.
    Change-Id: I2e1de1a3fa6ad62895a1e972e43858f23c08bbea
2016-08-29 | Merge "Configure keystone endpoints in service profile" | Jenkins | 1 file | -0/+48
2016-08-26 | UI profile for tripleo | Martin André | 1 file | -0/+1
    The new tripleo::profile::base::ui profile installs the openstack-tripleo-ui RPM package and sets up CORS for required services.
    Change-Id: Ib9d8643da3f51171495fcb8b64d1a7ca86cd66bc
2016-08-26 | Configure keystone endpoints in service profile | Juan Antonio Osorio Robles | 1 file | -0/+48
    This commit enables the configuration of the service users and keystone endpoints in the keystone profile. Since, with the composable services work, we can't assure that the APIs will be in the same node as keystone, this needs to be done from the keystone profile.
    Depends-On: I62273f403838893602816204d9bc50d516c0057f
    Change-Id: I36e1c478e7c92be61da6a0d710e9025d4d354072
2016-08-08 | Fix parameters and headers inconsistency in the puppet manifests. | Carlos Camacho | 1 file | -6/+6
    As we are starting to manually check overcloud services, the first step is to check that the puppet profiles are all aligned.
    Changes applied:
      No logic added or removed in this submission.
      Removed unused parameters.
      Align header comments structure.
      All profiles parameters sorted following: "Mandatory params first sorted alphabetically then optional params sorted alphabetically."
    Note: Following submissions will check pacemaker, cinder, mistral and redis services in the base profiles, as some of them have the $pacemaker_master parameter defaulted to true.
    Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
2016-08-05 | Remove keystone PKI cert generation | Steven Hardy | 1 file | -28/+0
    We don't currently offer any parameter interface to enable PKI certs, and these have all been deprecated by keystone, so remove them.
    Change-Id: I8232262b928c91dcde7bea2f23fa2a7c2660719e
2016-07-18 | Make ::tripleo::profile::base classes work with multiple nodes | Michele Baldessari | 1 file | -16/+15
    In the Next Generation HA architecture a number of active/active services will be run via systemd. In order for this to work we need to make sure that the sync_db operation only takes place on the bootstrap node, just like it is done today for the pacemaker profiles. We do this by removing sync_db as a parameter and instead setting it to true or false depending on whether the hostname matches the bootstrap_node, as it is done today in the pacemaker role. Note that we call hiera('bootstrap_nodeid', undef) because if a profile is included on a non-controller node that variable will be undefined.
    The following testing was done:
      - HA puppet-pacemaker.yaml scenario with three computes
      - NonHA with one controller
      - NonHA with three controllers
    Fixes-Bug: 1600149
    Co-Author: cmsj@tenshu.net
    Change-Id: I04a7b9e3c18627ea512000a34357acb7f27d6e0e
    Implements: blueprint ha-lightweight-architecture
2016-06-18 | keystone: fix a race condition in bootstrap | Emilien Macchi | 1 file | -11/+6
    Before, we had bootstrap_master set to 'undef' by default, which was used to decide whether or not to run the keystone bootstrap exec during deployment. Setting the value to undef was a mistake, because enable_bootstrap in puppet-keystone is set to true by default, so bootstrap was running on all controllers at step 4 for the HA scenario, while we want it to run on a single controller (pacemaker_master) at step 4, like we do for db-sync.
    This patch:
      * removes bootstrap_master.
      * re-uses sync_db to decide whether or not to run keystone bootstrap, so it will only run on a single node when the database is ready and db-sync is done (orchestration done by anchors in puppet-keystone).
    Change-Id: I1042862f7c346d1c358b908c33eae0f33afd5e9f