aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/services/keystone.yaml
AgeCommit message (Collapse)AuthorFilesLines
2017-07-11Allow to set Notification Driver to 'noop'Emilien Macchi1-1/+8
This patch does 2 things: * Configure messagingv2 as default driver for Oslo Notifications sent on RPC. * Allow users to choose between messagingv2 (default) and noop when we want to disable notifications (for example, when Telemetry is disabled). * Deprecate KeystoneNotificationDriver in favor of NotificationDriver. Change-Id: Ia547d7f4bfb51e7c45246b097b48fd86da231bd3 Related-Bug: #1701357
2017-06-16Make fernet max active keys configurableJuan Antonio Osorio Robles1-0/+5
This will set the max_active_keys setting in keystone.conf, and furtherly we'll read this value from tripleo-common to do purging of keys if necessary. bp keystone-fernet-rotation Change-Id: I9c6b0708c2c03ad9918222599f8b6aad397d8089
2017-06-14Enable heat/puppet to manage the fernet keys and make it configurableJuan Antonio Osorio Robles1-1/+9
With the addition of the KeystoneFernetKeys parameter, it's now possible to do fernet key rotations using mistral, by modifying the KeystoneFernetKeys variable in mistral; subsequently a rotation could happen when doing a stack update. So this re-enables the managing of the key files by puppet. However, this is left configurable, as folks might want to manage those files out-of-band. bp keystone-fernet-rotation Change-Id: Ic82fb8b8a76481a6e588047acf33a036cf444d7d
2017-06-14Use KeystoneFernetKeys instead of individual parametersJuan Antonio Osorio Robles1-7/+19
This uses the newly introduced dict with the keys and paths instead of the individual keys. Having the advantage that rotation will be possible on stack update, as we no longer have a limit on how many keys we can pass (as we did with the individual parameters). bp keystone-fernet-rotation Change-Id: I7d224595b731d9f3390fce5a9d002282b2b4b8f2 Depends-On: I63ae158fa8cb33ac857dcf9434e9fbef07ecb68d
2017-06-07Ability to enable/disable debug mode per OpenStack serviceEmilien Macchi1-1/+10
Add ServiceDebug parameters for each services that will allow operators to enable/disable Debug for specific services. We keep the Debug parameters for backward compatibility. Operators want to enable Debug everywhere: Debug: true Operators want to disable Debug everywhere: Debug: false Operators want to disable Debug everywhere except Glance: GlanceDebug: true Operators want to enable Debug everywhere except Glance: Debug: true GlanceDebug: false New parameters: AodhDebug, BarbicanDebug, CeilometerDebug, CinderDebug, CongressDebug, GlanceDebug, GnocchiDebug, HeatDebug, HorizonDebug, IronicDebug, KeystoneDebug, ManilaDebug, MistralDebug, NeutronDebug, NovaDebug, OctaviaDebug, PankoDebug, SaharaDebug, TackerDebug, ZaqarDebug. Note: for backward compatibility in Horizon, HorizonDebug is set to false, so we maintain previous behavior. Change-Id: Icbf4a38afcdbd8471d1afc11743df9705451db52 Implement-blueprint: composable-debug Closes-Bug: #1634567
2017-05-15Add role specific information to the service templateSaravanan KR1-0/+10
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role specific parameter to services and other templates. Two new parameters - RoleName and RoleParameters, are added to the service template. RoleName provides the role name of on which the current instance of the service is being applied on. RoleParameters provides the list of parameters which are configured specific to the role in the environment file, like below: parameters_default: # Default value for applied to all roles NovaReservedHostMemory: 2048 ComputeDpdkParameters: # Applied only to ComputeDpdk role NovaReservedHostMemory: 4096 In above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for ComputeDpdk role. The parameter which supports role specific configuration, should find the parameter first in in the RoleParameters list, if not found, then the default (for all roles) should be used. Implements: blueprint tripleo-derive-parameters Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-11Disabling replacing fernet keys from puppetJuan Antonio Osorio Robles1-0/+1
Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing this keys via puppet, so now the operator can rotate the keys out of band. Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
2017-05-05Use the make_url function to build URLsZane Bitter1-10/+10
Change-Id: I2b23d92c85d5ecc889a7ee597b90e930bde9028e Depends-On: I72f84e737b042ecfaabf5639c6164d46a072b423
2017-04-26upgrades: deploy mod_ssl when upgrading apacheEmilien Macchi1-5/+10
1) When Apache is upgraded, install mod_ssl rpm. See https://bugs.launchpad.net/tripleo/+bug/1682448 to understand why we need mod_ssl. 2) All services that run Apache for API will use the snippet from Apache service to deploy mod_ssl, so we don't duplicate the code in all services. It's using the same mechanism as ovs upgrade to compile upgrade_tasks between both services. Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84 Closes-Bug: #1686503
2017-04-18Run token flush cron job hourly by defaultJuan Antonio Osorio Robles1-1/+1
Running this job once a day has proven problematic for large deployments as seen in the bug report. Setting it to run hourly would be an improvement to the current situation, as the flushes wouldn't need to process as much data. Note that this only affects people using UUID as the token provider. Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a Related-Bug: #1649616
2017-04-12Use comma_delimited_list for token flush cron time settingsJuan Antonio Osorio Robles1-5/+5
This allows us to better configure these parametes, e.g. we could set the cron job to run more times per day, and not just one. Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570 Closes-Bug: #1682097
2017-04-06Add trigger to setup a LDAP backend as keystone domaineCyril Lopez1-0/+27
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo who will call a define in puppet-keysone ldap_backend.pp. Given the following environment: parameter_defaults: KeystoneLDAPDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. This also enables multi-domain support for horizon. Closes-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643 Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi1-0/+7
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-14Switch keystone default provider to fernetJuan Antonio Osorio Robles1-1/+1
UUID is to be deprecated, and we should be using fernet. Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
2017-03-09Merge "Keystone token flush cron job should log to a file"Jenkins1-1/+1
2017-02-28Put service stop at step1 and quiesce at step2.Sofer Athlan-Guyot1-1/+1
In the previous release[1], the services were stopped before the pacemaker services, so that they get a chance to send last message to the database/rabbitmq queue: Let's do the upgrade in the same order. [1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71 Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-02-27Deploy versionless keystone endpoints (for keystone only)Juan Antonio Osorio Robles1-0/+1
The default is to deploy v2.0 endpoints, but this is not the recommended approach. we should instead be using versionless endpoints Change-Id: Icbfae1c2ff2b7312646fd8e817dd8209220a0d96 Related-Bug: #1667679
2017-02-17Make the DB URIs host-independent for all servicesMichele Baldessari1-2/+1
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct bind-address option. In this change we make sure that the DB URIs will point to the added file and to the specific section containing the necessary bind-address option. We do introduce a new MySQLClient profile which will hold all this more client-specific configuration so that this change can fit better in the composable roles work. Also, in the future it might contain the necessary configuration for SSL for example. Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist (because it is created via the mysqlclient profile), things keep on working as usual and the bind-address option simply won't be set, which has no impact on hosts where there are no VIPs. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12 Related-Bug: #1643487 Closes-Bug: #1663181 Closes-Bug: #1664524 Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-13Remove [heat,glance,ironic,cinder,keystone] db sync from ansiblemarios1-3/+0
These are handle by puppet as usual (puppet run comes after the ansible steps) so remove them from these remaining upgrade_tasks Change-Id: Ic341f31251622ccb11a5f7818b2edf7a82391560
2017-02-03Reduce number of steps for upgradesSteven Hardy1-3/+0
We don't need all the steps currently enabled for either batched or concurrent updates, so decrease them. In future we can perhaps introspect the task tags during plan creation and set these dynamically. Change-Id: I0358886a332dfbecd03bc4a67086b08d25756c22 Partially-Implements: blueprint overcloud-upgrades-per-service
2017-01-25Add metadata settings for needed kerberos principalsJuan Antonio Osorio Robles1-0/+5
These are only used for TLS-everywhere, and fills up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service. Where they can be used if there's a plugin enabled. bp tls-via-certmonger bp novajoin Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-19Merge "Don't start all services during upgrade steps"Jenkins1-3/+0
2017-01-19Don't start all services during upgrade stepsSteven Hardy1-3/+0
Currently we start all OpenStack services in step6, but puppet already does this, and sometimes services require configuration to account for the new version after the yum update before they will start. So instead of reimplementing that configuration management in ansible, just defer starting the services until puppet has run which will happen right after the ansible upgrade steps complete. Note there are some DB sync operations etc that we may also be able to remove and let puppet do those steps, but I've left those in for now, as we know there are some actions during that phase e.g nova cells setup, which aren't yet handled by puppet. Change-Id: Idc8e253167a4bc74b086830cfabf28d4aab97d28
2017-01-16Configure cron parameters for Cinder Heat Keystone and NovaCarlos Camacho1-0/+55
Change-Id: I1b2c0025e363d0387ddc0514decd3bc2dc80f9ae Closes-Bug: 1650680
2017-01-04Merge "DB connection: prevent src address from binding to a VIP"Jenkins1-0/+2
2017-01-03DB connection: prevent src address from binding to a VIPDamien Ciabrini1-0/+2
When a service connects to the database VIP from the node hosting this VIP, the resulting TCP socket has a src address which is by default bound to the VIP as well. If the VIP is failed over to another node while the socket's Send-Q is not empty, TCP keepalive won't engage and the service will become unavailable for a very long time (by default more than 10m). To prevent failover issues, DB connections should have the src address of their TCP socket bound to the IP of the network interface used for MySQL traffic. This is achieved by passing a new option to the database connection URIs. This option is available starting from PyMySQL 0.7.9-2. We use a new intermediate variable in hiera to hold the IP to be used as a source address for all DB connections. All services adapt their database URI accordingly. Moreover, a new YAML validation check is added to guarantee that new services will construct their database URI appropriately. Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035 Closes-Bug: #1643487
2016-12-23Bump template version for all templates to "ocata"Steven Hardy1-1/+1
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-07Keystone token flush cron job should log to a fileakrzos1-1/+1
Keystone UUID tokens require the token_flush job to delete expired tokens to prevent the disk from filling. When the job runs, it should be allowed to log to the disk so that the job can be traced if required. Change-Id: I62e36e0968902564b97093a45df15e963ad08242 Closes-Bug: #1648174
2016-12-02Merge "Use network-based fqdn entry from hiera instead of the custom fact"Jenkins1-4/+4
2016-12-01Initial support for composable upgrades with Heat+AnsibleSteven Hardy1-0/+11
This shows how we could wire in the upgrade steps using Ansible as was previously proposed e.g in https://review.openstack.org/#/c/321416/ but it's more closely integrated with the new composable services architecture. It's also very similar to the approach taken by SpinalStack where ansible snippets per-service were combined then run in a series of steps using Ansible tags. This patch just enables upgrade of keystone - we'll add support for other patches in subsequent patches. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-12-01Use network-based fqdn entry from hiera instead of the custom factJuan Antonio Osorio Robles1-4/+4
This changes how we get the network-based FQDNs for the specific services, from using the custom fact, to the new hiera entries. Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
2016-11-30Hiera optimization: use a new hiera hookDan Prince1-5/+5
This patch optimizes how we deploy hiera by using a new heat hook specifically designed to help compose hiera within heat templates. As part of this change: - we update all the 'hiera' software configurations to set the group to hiera instead of os-apply-config. - The new format uses JSON instead of YAML. The hook actually writes out the hiera JSON directly so no conversion takes place. Arrays, Strings, Booleans all stay in their native formats. As such we can avoid having to do many of the awkward string and list conversions in t-h-t to support the previous YAML formatting. - The new hook prefers JSON over YAML so upgrading users will have the new files prefered. (we will post a cleanup routine for the old files soon but this isn't a new behavior, JSON is now simply prefered.) - A lot of services required edits to account for default settings that worked in YAML that no longer work correctly in the native JSON format. In almost all these cases I think the resulting codes looks cleaner and is more explicit with regards to what is getting configured in hiera on the actual nodes. Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b Closes-bug: #1596373 Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-17Configure Keystone Fernet KeysAdam Young1-0/+11
Provision the Keystone Fernet Token provider by installing 2 keys with dynamic content generated by python-tripleoclient. Note that this only sets up the necessary keys to use fernet as a token provider, however, this does not intend to set it up as the default provider; This will be discussed and will come as part of another commit. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ic070d160b519b8637997dbde165dbf15275e0dfe Change-Id: Iaa5499614417000c1b9ba42a776a50cb22c1bb30
2016-11-14Define keystone token providerAlex Schultz1-1/+12
In order to eventually enable fernet tokens for keystone, we need to be specify the token provider. This change codifies the current default used by TripleO of uuid tokens and fernet token setup disabled. Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a Closes-Bug: #1641763
2016-11-10Fix typo in Keystone Sensu subscriptionMartin Mágr1-1/+1
Closes-Bug: rhbz#1392428 Closes-Bug: #1640834 Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
2016-10-21Merge "Use correct password for keystone bootstrap"Jenkins1-0/+1
2016-10-21Merge "Use ::os_workers fact instead of ::processorcount"Jenkins1-1/+1
2016-10-21Use ::os_workers fact instead of ::processorcountJuan Antonio Osorio Robles1-1/+1
Change-Id: Ib25849565c617f32357ef545957f58454b2a53f8
2016-10-20Generate internal TLS hieradata for apache servicesJuan Antonio Osorio Robles1-4/+19
This adds an environment file that can be used to enable TLS in the internal endpoints via certmonger if used. This will include a nested stack that will create the hash that will be used to create the certmonger certificates. When setting up a service over apache via puppet, we used to disable explicitly ssl (which sets modd_ssl-related fields for that vhost). We now make this depend on the EnableInternalTLS flag. This has only been done for keystone, but more services will be added as the puppet code lands bp tls-via-certmonger Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039 Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
2016-09-28Move db::mysql into service_config_settingsDan Prince1-7/+9
This patch movs the various db::mysql hiera settings into a 'mysql' specific service_config_settings section for each service so that these will only get applied on the MySQL service node. This follows a similar puppet-tripleo change where we create the actual databases for all services locally on the MySQL service node to avoid permission issues. Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2 Closes-bug: #1620595 Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
2016-09-27Use correct password for keystone bootstrapAlex Schultz1-0/+1
In upstream puppet-keystone, the boostrap process should use an admin password not the admin token for the bootstrapping of keystone. The admin password option is being added to the upstream class so we will need to provide it to properly have keystone bootstrapped. Change-Id: Icab4b0cb70d6caf2f2792c4fe730f060b807fbc1 Depends-On: I7a706d93b43ec025bdb4b29667f64ff2f7dd52a0 Related-Bug: #1621959
2016-09-26Remove double definition of config_settings key in keystoneJuan Antonio Osorio Robles1-1/+0
Change-Id: I291bfb1e5736864ea504cd82eea1d4001fcdd931
2016-09-21Make apache-based services use network-dependent servernameJuan Antonio Osorio Robles1-1/+12
Currently the servername is incorrectly set for the services running over apache. It currently takes the default value which is just the regular FQDN, when the services actually might be running on different IPs that require alternative FQDNs. This fixes that by filling that value from a fact in hiera that's dependant on the service's network. Closes-Bug: #1625677 Change-Id: Ib7ea5fd2d18a376eaa2f5a3fa5687cb9b719a8e2
2016-09-17Add fluentd client serviceLars Kellogg-Stedman1-0/+8
This implements support for installing fluentd agents as a composable service on the overcloud. Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940 Implements: tripleo-opstools-centralized-logging Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
2016-09-16Merge "Unset Keystone public_endpoint"Jenkins1-1/+0
2016-09-12Unset Keystone public_endpointAdam Young1-1/+0
The keystone public_endpoint value should be deduced from the calling request and not hardcoded, or it makes network isolation impossible. Change-Id: Ide6a65aa9393cb84591b0015ec5966cc01ffbcf8 Closes-Bug: 1381961
2016-09-12Configure Keystone credentialsEmilien Macchi1-0/+12
Configure Keystone credentials by installing 2 keys with dynamic content generated by python-tripleoclient. Note: this is a first iteration of managing Keystone credentials. It has a few limitations: - keys are not exported to external storage. - keys are not rotated automatically. Change-Id: I45cf8821eadf528dfcdc8d74e6e0484597b0d2c0
2016-08-31Availability monitoring agents supportMartin Mágr1-0/+4
- adds possibility to install sensu-client on all nodes - each composable service has it's own subscription Co-Authored-By: Emilien Macchi <emilien@redhat.com> Co-Authored-By: Michele Baldessari <michele@redhat.com> Implements: blueprint tripleo-opstools-availability-monitoring Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-30Mv Nova, Neutron, Horizon out of controller.yamlDan Prince1-70/+83
This patch moves the settings for Nova, Neutron, and Horizon out of controller.yaml. Also fixes the NovaPassword settings in nova-base.yaml so they don't use get_input. Also, creates a new apache.yaml base service to contain shared apache settings for several services which use Apache for WSGI. Co-Authored-By: Giulio Fidente <gfidente@redhat.com> Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e Related-bug: #1604414
2016-08-25Mv keystone, mongo, manila out of controller.yamlDan Prince1-0/+11
This patch moves keystone, mongodb, and manila bind host settings out of controller.yaml and into composable services. Change-Id: I1874dc47fffa30606107999da702442badde35c9