aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/services/keystone.yaml
AgeCommit message (Collapse)AuthorFilesLines
2017-05-11Disabling replacing fernet keys from puppetJuan Antonio Osorio Robles1-0/+1
Once puppet has written the initial fernet keys, if a deployer wants to rotate them, the keys will be overwritten when another overcloud deploy is executed (for instance, for updates or upgrades). This disables replacing this keys via puppet, so now the operator can rotate the keys out of band. Change-Id: I01fd46ba7c5e0db12524095dc9fe29e90cb0de57
2017-05-05Use the make_url function to build URLsZane Bitter1-10/+10
Change-Id: I2b23d92c85d5ecc889a7ee597b90e930bde9028e Depends-On: I72f84e737b042ecfaabf5639c6164d46a072b423
2017-04-26upgrades: deploy mod_ssl when upgrading apacheEmilien Macchi1-5/+10
1) When Apache is upgraded, install mod_ssl rpm. See https://bugs.launchpad.net/tripleo/+bug/1682448 to understand why we need mod_ssl. 2) All services that run Apache for API will use the snippet from Apache service to deploy mod_ssl, so we don't duplicate the code in all services. It's using the same mechanism as ovs upgrade to compile upgrade_tasks between both services. Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84 Closes-Bug: #1686503
2017-04-18Run token flush cron job hourly by defaultJuan Antonio Osorio Robles1-1/+1
Running this job once a day has proven problematic for large deployments as seen in the bug report. Setting it to run hourly would be an improvement to the current situation, as the flushes wouldn't need to process as much data. Note that this only affects people using UUID as the token provider. Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a Related-Bug: #1649616
2017-04-12Use comma_delimited_list for token flush cron time settingsJuan Antonio Osorio Robles1-5/+5
This allows us to better configure these parametes, e.g. we could set the cron job to run more times per day, and not just one. Change-Id: I0a151808804809c0742bcfa8ac876e22f5ce5570 Closes-Bug: #1682097
2017-04-06Add trigger to setup a LDAP backend as keystone domaineCyril Lopez1-0/+27
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo who will call a define in puppet-keysone ldap_backend.pp. Given the following environment: parameter_defaults: KeystoneLDAPDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. This also enables multi-domain support for horizon. Closes-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643 Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi1-0/+7
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-14Switch keystone default provider to fernetJuan Antonio Osorio Robles1-1/+1
UUID is to be deprecated, and we should be using fernet. Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
2017-03-09Merge "Keystone token flush cron job should log to a file"Jenkins1-1/+1
2017-02-28Put service stop at step1 and quiesce at step2.Sofer Athlan-Guyot1-1/+1
In the previous release[1], the services were stopped before the pacemaker services, so that they get a chance to send last message to the database/rabbitmq queue: Let's do the upgrade in the same order. [1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71 Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-02-27Deploy versionless keystone endpoints (for keystone only)Juan Antonio Osorio Robles1-0/+1
The default is to deploy v2.0 endpoints, but this is not the recommended approach. we should instead be using versionless endpoints Change-Id: Icbfae1c2ff2b7312646fd8e817dd8209220a0d96 Related-Bug: #1667679
2017-02-17Make the DB URIs host-independent for all servicesMichele Baldessari1-2/+1
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct bind-address option. In this change we make sure that the DB URIs will point to the added file and to the specific section containing the necessary bind-address option. We do introduce a new MySQLClient profile which will hold all this more client-specific configuration so that this change can fit better in the composable roles work. Also, in the future it might contain the necessary configuration for SSL for example. Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist (because it is created via the mysqlclient profile), things keep on working as usual and the bind-address option simply won't be set, which has no impact on hosts where there are no VIPs. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12 Related-Bug: #1643487 Closes-Bug: #1663181 Closes-Bug: #1664524 Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-13Remove [heat,glance,ironic,cinder,keystone] db sync from ansiblemarios1-3/+0
These are handle by puppet as usual (puppet run comes after the ansible steps) so remove them from these remaining upgrade_tasks Change-Id: Ic341f31251622ccb11a5f7818b2edf7a82391560
2017-02-03Reduce number of steps for upgradesSteven Hardy1-3/+0
We don't need all the steps currently enabled for either batched or concurrent updates, so decrease them. In future we can perhaps introspect the task tags during plan creation and set these dynamically. Change-Id: I0358886a332dfbecd03bc4a67086b08d25756c22 Partially-Implements: blueprint overcloud-upgrades-per-service
2017-01-25Add metadata settings for needed kerberos principalsJuan Antonio Osorio Robles1-0/+5
These are only used for TLS-everywhere, and fills up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service. Where they can be used if there's a plugin enabled. bp tls-via-certmonger bp novajoin Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-19Merge "Don't start all services during upgrade steps"Jenkins1-3/+0
2017-01-19Don't start all services during upgrade stepsSteven Hardy1-3/+0
Currently we start all OpenStack services in step6, but puppet already does this, and sometimes services require configuration to account for the new version after the yum update before they will start. So instead of reimplementing that configuration management in ansible, just defer starting the services until puppet has run which will happen right after the ansible upgrade steps complete. Note there are some DB sync operations etc that we may also be able to remove and let puppet do those steps, but I've left those in for now, as we know there are some actions during that phase e.g nova cells setup, which aren't yet handled by puppet. Change-Id: Idc8e253167a4bc74b086830cfabf28d4aab97d28
2017-01-16Configure cron parameters for Cinder Heat Keystone and NovaCarlos Camacho1-0/+55
Change-Id: I1b2c0025e363d0387ddc0514decd3bc2dc80f9ae Closes-Bug: 1650680
2017-01-04Merge "DB connection: prevent src address from binding to a VIP"Jenkins1-0/+2
2017-01-03DB connection: prevent src address from binding to a VIPDamien Ciabrini1-0/+2
When a service connects to the database VIP from the node hosting this VIP, the resulting TCP socket has a src address which is by default bound to the VIP as well. If the VIP is failed over to another node while the socket's Send-Q is not empty, TCP keepalive won't engage and the service will become unavailable for a very long time (by default more than 10m). To prevent failover issues, DB connections should have the src address of their TCP socket bound to the IP of the network interface used for MySQL traffic. This is achieved by passing a new option to the database connection URIs. This option is available starting from PyMySQL 0.7.9-2. We use a new intermediate variable in hiera to hold the IP to be used as a source address for all DB connections. All services adapt their database URI accordingly. Moreover, a new YAML validation check is added to guarantee that new services will construct their database URI appropriately. Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035 Closes-Bug: #1643487
2016-12-23Bump template version for all templates to "ocata"Steven Hardy1-1/+1
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-07Keystone token flush cron job should log to a fileakrzos1-1/+1
Keystone UUID tokens require the token_flush job to delete expired tokens to prevent the disk from filling. When the job runs, it should be allowed to log to the disk so that the job can be traced if required. Change-Id: I62e36e0968902564b97093a45df15e963ad08242 Closes-Bug: #1648174
2016-12-02Merge "Use network-based fqdn entry from hiera instead of the custom fact"Jenkins1-4/+4
2016-12-01Initial support for composable upgrades with Heat+AnsibleSteven Hardy1-0/+11
This shows how we could wire in the upgrade steps using Ansible as was previously proposed e.g in https://review.openstack.org/#/c/321416/ but it's more closely integrated with the new composable services architecture. It's also very similar to the approach taken by SpinalStack where ansible snippets per-service were combined then run in a series of steps using Ansible tags. This patch just enables upgrade of keystone - we'll add support for other patches in subsequent patches. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-12-01Use network-based fqdn entry from hiera instead of the custom factJuan Antonio Osorio Robles1-4/+4
This changes how we get the network-based FQDNs for the specific services, from using the custom fact, to the new hiera entries. Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
2016-11-30Hiera optimization: use a new hiera hookDan Prince1-5/+5
This patch optimizes how we deploy hiera by using a new heat hook specifically designed to help compose hiera within heat templates. As part of this change: - we update all the 'hiera' software configurations to set the group to hiera instead of os-apply-config. - The new format uses JSON instead of YAML. The hook actually writes out the hiera JSON directly so no conversion takes place. Arrays, Strings, Booleans all stay in their native formats. As such we can avoid having to do many of the awkward string and list conversions in t-h-t to support the previous YAML formatting. - The new hook prefers JSON over YAML so upgrading users will have the new files prefered. (we will post a cleanup routine for the old files soon but this isn't a new behavior, JSON is now simply prefered.) - A lot of services required edits to account for default settings that worked in YAML that no longer work correctly in the native JSON format. In almost all these cases I think the resulting codes looks cleaner and is more explicit with regards to what is getting configured in hiera on the actual nodes. Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b Closes-bug: #1596373 Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-17Configure Keystone Fernet KeysAdam Young1-0/+11
Provision the Keystone Fernet Token provider by installing 2 keys with dynamic content generated by python-tripleoclient. Note that this only sets up the necessary keys to use fernet as a token provider, however, this does not intend to set it up as the default provider; This will be discussed and will come as part of another commit. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: Ic070d160b519b8637997dbde165dbf15275e0dfe Change-Id: Iaa5499614417000c1b9ba42a776a50cb22c1bb30
2016-11-14Define keystone token providerAlex Schultz1-1/+12
In order to eventually enable fernet tokens for keystone, we need to be specify the token provider. This change codifies the current default used by TripleO of uuid tokens and fernet token setup disabled. Change-Id: I7c03ed7b6495d0b9a57986458d020b3e3bf7224a Closes-Bug: #1641763
2016-11-10Fix typo in Keystone Sensu subscriptionMartin Mágr1-1/+1
Closes-Bug: rhbz#1392428 Closes-Bug: #1640834 Change-Id: I2a1a869493ccb4c8d5b9aea26b8ef947750d2cfe
2016-10-21Merge "Use correct password for keystone bootstrap"Jenkins1-0/+1
2016-10-21Merge "Use ::os_workers fact instead of ::processorcount"Jenkins1-1/+1
2016-10-21Use ::os_workers fact instead of ::processorcountJuan Antonio Osorio Robles1-1/+1
Change-Id: Ib25849565c617f32357ef545957f58454b2a53f8
2016-10-20Generate internal TLS hieradata for apache servicesJuan Antonio Osorio Robles1-4/+19
This adds an environment file that can be used to enable TLS in the internal endpoints via certmonger if used. This will include a nested stack that will create the hash that will be used to create the certmonger certificates. When setting up a service over apache via puppet, we used to disable explicitly ssl (which sets modd_ssl-related fields for that vhost). We now make this depend on the EnableInternalTLS flag. This has only been done for keystone, but more services will be added as the puppet code lands bp tls-via-certmonger Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039 Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
2016-09-28Move db::mysql into service_config_settingsDan Prince1-7/+9
This patch movs the various db::mysql hiera settings into a 'mysql' specific service_config_settings section for each service so that these will only get applied on the MySQL service node. This follows a similar puppet-tripleo change where we create the actual databases for all services locally on the MySQL service node to avoid permission issues. Change-Id: Ic0692b1f7aa8409699630ef3924c4be98ca6ffb2 Closes-bug: #1620595 Depends-On: I05cc0afa9373429a3197c194c3e8f784ae96de5f Depends-On: I5e1ef2dc6de6f67d7c509e299855baec371f614d
2016-09-27Use correct password for keystone bootstrapAlex Schultz1-0/+1
In upstream puppet-keystone, the boostrap process should use an admin password not the admin token for the bootstrapping of keystone. The admin password option is being added to the upstream class so we will need to provide it to properly have keystone bootstrapped. Change-Id: Icab4b0cb70d6caf2f2792c4fe730f060b807fbc1 Depends-On: I7a706d93b43ec025bdb4b29667f64ff2f7dd52a0 Related-Bug: #1621959
2016-09-26Remove double definition of config_settings key in keystoneJuan Antonio Osorio Robles1-1/+0
Change-Id: I291bfb1e5736864ea504cd82eea1d4001fcdd931
2016-09-21Make apache-based services use network-dependent servernameJuan Antonio Osorio Robles1-1/+12
Currently the servername is incorrectly set for the services running over apache. It currently takes the default value which is just the regular FQDN, when the services actually might be running on different IPs that require alternative FQDNs. This fixes that by filling that value from a fact in hiera that's dependant on the service's network. Closes-Bug: #1625677 Change-Id: Ib7ea5fd2d18a376eaa2f5a3fa5687cb9b719a8e2
2016-09-17Add fluentd client serviceLars Kellogg-Stedman1-0/+8
This implements support for installing fluentd agents as a composable service on the overcloud. Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940 Implements: tripleo-opstools-centralized-logging Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
2016-09-16Merge "Unset Keystone public_endpoint"Jenkins1-1/+0
2016-09-12Unset Keystone public_endpointAdam Young1-1/+0
The keystone public_endpoint value should be deduced from the calling request and not hardcoded, or it makes network isolation impossible. Change-Id: Ide6a65aa9393cb84591b0015ec5966cc01ffbcf8 Closes-Bug: 1381961
2016-09-12Configure Keystone credentialsEmilien Macchi1-0/+12
Configure Keystone credentials by installing 2 keys with dynamic content generated by python-tripleoclient. Note: this is a first iteration of managing Keystone credentials. It has a few limitations: - keys are not exported to external storage. - keys are not rotated automatically. Change-Id: I45cf8821eadf528dfcdc8d74e6e0484597b0d2c0
2016-08-31Availability monitoring agents supportMartin Mágr1-0/+4
- adds possibility to install sensu-client on all nodes - each composable service has it's own subscription Co-Authored-By: Emilien Macchi <emilien@redhat.com> Co-Authored-By: Michele Baldessari <michele@redhat.com> Implements: blueprint tripleo-opstools-availability-monitoring Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-30Mv Nova, Neutron, Horizon out of controller.yamlDan Prince1-70/+83
This patch moves the settings for Nova, Neutron, and Horizon out of controller.yaml. Also fixes the NovaPassword settings in nova-base.yaml so they don't use get_input. Also, creates a new apache.yaml base service to contain shared apache settings for several services which use Apache for WSGI. Co-Authored-By: Giulio Fidente <gfidente@redhat.com> Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e Related-bug: #1604414
2016-08-25Mv keystone, mongo, manila out of controller.yamlDan Prince1-0/+11
This patch moves keystone, mongodb, and manila bind host settings out of controller.yaml and into composable services. Change-Id: I1874dc47fffa30606107999da702442badde35c9
2016-08-18Add DefaultPasswords to composable servicesDan Prince1-0/+3
This patch adds a new DefaultPasswords parameter to composable services. This is needed to help provide access to top level password resources that overcloud.yaml currently manages (passwords for Rabbit, Mysql, etc.). Moving the RandomString resources into composable services would cause them to regenerate within the stack. With this approach we can leave them where they are while we deprecate the top level mechanism and move the code that uses the passwords into the composable services. Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18Pass ServiceNetMap to servicesGiulio Fidente1-0/+6
This will be needed to pick the network where the service has to bind to from within the service template. Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-11Convert EndpointMap to not require per-service VIP parametersSteven Hardy1-1/+1
Currently we have a hard-coded set of per-service parameters, which will cause problems for custom roles and full composability. As a first step towards making this more configurable, remove the hard-coded per-service parameters from overcloud.yaml, and adjust the EndpointMap generation to instead accept two mappings, the ServiceNetMap and a mapping of networks to IPs (effectively this just moves the map lookup inside the endpoint map instead of inside overcloud.yaml) Change-Id: Ib522e89c36eed2115a6586dd5a6770907d9b33db Partially-Implements: blueprint custom-roles
2016-08-05Remove keystone PKI related parametersSteven Hardy1-16/+0
These interfaces have all been deprecated by keystone, and we don't offer any parameter interface to select PKI token format anyway, so remove these to align with keystone reccomendations. The keystone.conf.sample says these values may be silently ignored or removed, so it seems reasonable to do the same here (parameter_defaults should be ignored from old stacks). Change-Id: Ic88d584863a98ed49fc335825fbfba7a52b0f14e Depends-On: I8232262b928c91dcde7bea2f23fa2a7c2660719e
2016-08-04Next generation HA architecture workMichele Baldessari1-0/+2
This is the THT part that brings us the next generation architecture as described in the following spec: https://review.openstack.org/#/c/299628/ Blueprint: https://blueprints.launchpad.net/tripleo/+spec/ha-lightweight-architecture So far we tested deployment + tripleo.sh --overcloud-pingtest and failover + tripleo.sh --overcloud-pingtest Note that many of the Pacemaker template files become redundant with this change, but to simplify the process of getting this change landed, those templates will not be removed until a future commit. Depends-On: I5e7585c08675d8a4bd071523b94210d325d79b59 Change-Id: I00bccb2563c006f80baed623b64f1e17af20dd4e Implements: blueprint ha-lightweight-architecture Co-Author: cmsj@tenshu.net
2016-07-29Enable keystone to use the SSL middlewareJuan Antonio Osorio Robles1-2/+1
The http_proxy_to_wsgi middleware was recently added to keystone as default in the pipeline [1]. So this takes it into use instead of the non-standard option we were using before, which will be deprecated. We already enable this middleware for nova, cinder and heat. [1] Iad628a863e55cbf20c89ef23ebc7527ba8e1a835 Depends-On: I0fec98a6e1d9c8be4d8b8df382b78ba2815790f9 Change-Id: I8c1b84adc828a2b8c9ea11c4e2b8349427b1b206