Diffstat (limited to 'deploy/adapters/ansible/openstack_newton_xenial/roles/keystone')
8 files changed, 338 insertions, 19 deletions
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_config.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_config.yml
new file mode 100644
index 00000000..35c84ce8
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_config.yml
@@ -0,0 +1,101 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: keystone-manage db-sync
+ shell: su -s /bin/sh -c 'keystone-manage db_sync' keystone
+
+- name: Check if fernet keys already exist
+ stat:
+ path: "/etc/keystone/fernet-keys/0"
+ register: fernet_keys_0
+
+- name: Create fernet keys for Keystone
+ command:
+ keystone-manage fernet_setup
+ --keystone-user keystone
+ --keystone-group keystone
+ when: not fernet_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Rotate fernet keys for Keystone
+ command:
+ keystone-manage fernet_rotate
+ --keystone-user keystone
+ --keystone-group keystone
+ when: fernet_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Distribute the fernet key repository
+ shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+ -avz \
+ --delete \
+ /etc/keystone/fernet-keys \
+ root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+ with_items: groups['controller'][1:]
+ notify:
+ - restart keystone services
+
+- name: Check if credential keys already exist
+ stat:
+ path: "/etc/keystone/credential-keys/0"
+ register: credential_keys_0
+
+- name: Create credential keys for Keystone
+ command:
+ keystone-manage credential_setup
+ --keystone-user keystone
+ --keystone-group keystone
+ when: not credential_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Rotate credential keys for Keystone
+ command:
+ keystone-manage credential_rotate
+ --keystone-user keystone
+ --keystone-group keystone
+ when: credential_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Distribute the credential key repository
+ shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+ -avz \
+ --delete \
+ /etc/keystone/credential-keys \
+ root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+ with_items: groups['controller'][1:]
+ notify:
+ - restart keystone services
+
+- name: Bootstrap the Identity service
+ shell:
+ keystone-manage bootstrap \
+ --bootstrap-password {{ ADMIN_PASS }} \
+ --bootstrap-admin-url http://{{ internal_ip }}:35357/v3/ \
+ --bootstrap-internal-url http://{{ internal_ip }}:35357/v3/ \
+ --bootstrap-public-url http://{{ internal_ip }}:5000/v3/
+ --bootstrap-region-id RegionOne \
+ notify:
+ - restart keystone services
+
+- meta: flush_handlers
+
+- name: wait for keystone ready
+ wait_for: port=35357 delay=3 timeout=30 host={{ internal_vip.ip }}
+
+- name: cron job to purge expired tokens hourly
+ cron:
+ name: 'purge expired tokens'
+ special_time: hourly
+ job: '/usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1'
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_create.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_create.yml
new file mode 100644
index 00000000..53077776
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_create.yml
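Review bot: The two "Distribute the … key repository" tasks copy the fernet and credential key material to the other controllers as root over SSH with `-o StrictHostKeyChecking=no`, so the peer that receives the token-signing keys is never authenticated; since Ansible already has a verified SSH session to every controller, the `synchronize` module (or rsync with host keys pre-populated in known_hosts) keeps host verification on at no cost. "Bootstrap the Identity service" places `{{ ADMIN_PASS }}` unquoted on a `shell:` command line with no `no_log`, so the admin password appears in the task output and the process list; add `no_log: true` and quote it, `--bootstrap-password '{{ ADMIN_PASS }}' \`. The "Rotate fernet keys" and "Rotate credential keys" tasks run whenever key `0` already exists, which means every replay of the role rotates both key sets and restarts keystone — gate them on an explicit variable if rotation is not meant to be a side effect of a rerun. The `\` at the ends of the folded `shell:`/`command:` lines are not continuations in a plain multi-line YAML scalar (newlines fold to spaces and the backslash is kept as text), and the bootstrap task is also inconsistent about them — none after `--bootstrap-public-url`, one after `--bootstrap-region-id RegionOne`; dropping them, or using a `>-` scalar without backslashes, removes the ambiguity about what the shell receives.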
@@ -0,0 +1,93 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: set keystone endpoint
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack endpoint set \
+ --interface public \
+ --url {{ item.publicurl }} \
+ $(openstack endpoint list | grep keystone | grep public | awk '{print $2}');
+ openstack endpoint set \
+ --interface internal \
+ --url {{ item.internalurl }} \
+ $(openstack endpoint list | grep keystone | grep internal | awk '{print $2}');
+ openstack endpoint set \
+ --interface admin \
+ --url {{ item.adminurl }} \
+ $(openstack endpoint list | grep keystone | grep admin | awk '{print $2}');
+ with_items: "{{ os_services[0:1] }}"
+
+- name: add service
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack service create \
+ --name "{{ item.name }}"
+ --description "{{ item.description }}" \
+ {{ item.type }}
+ with_items: "{{ os_services[1:] }}"
+
+- name: add project
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack project create --description "Service Project" service;
+ openstack project create --domain default --description "Demo Project" demo;
+
+- name: set admin user
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack user set \
+ --email "{{ item.email }}" \
+ --project "{{ item.tenant }}" \
+ --description "{{ item.tenant_description }}" \
+ --password "{{ item.password }}" \
+ {{ item.user }}
+ with_items: "{{ os_users }}"
+ when: item["user"] == "admin"
+
+- name: add user
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack user create \
+ --email "{{ item.email }}" \
+ --project "{{ item.tenant }}" \
+ --description "{{ item.tenant_description }}" \
+ --password "{{ item.password }}" \
+ {{ item.user }}
+ with_items: "{{ os_users[1:] }}"
+
+- name: add roles
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack role create {{ item.role }}
+ with_items: "{{ os_users }}"
+ when: item["user"] == "demo"
+
+- name: grant roles
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack role add \
+ --project "{{ item.tenant }}" \
+ --user "{{ item.user }}" \
+ {{ item.role }}
+ with_items: "{{ os_users }}"
+
+- name: add endpoints
+ shell:
+ . /opt/admin-openrc.sh;
+ openstack endpoint create \
+ --region {{ item.region }} \
+ {{ item.name }} public {{ item.publicurl }};
+ openstack endpoint create \
+ --region {{ item.region }} \
+ {{ item.name }} internal {{ item.internalurl }};
+ openstack endpoint create \
+ --region {{ item.region }} \
+ {{ item.name }} admin {{ item.adminurl }};
+ with_items: "{{ os_services[1:] }}"
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml
index 8ff087ce..e9a36d42 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml
@@ -93,6 +93,5 @@ with_items: - admin-openrc.sh - demo-openrc.sh - - admin-openrc-v3.sh - meta: flush_handlers
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/main.yml
new file mode 100644
index 00000000..ad619d40
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/main.yml
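Review bot: The "set admin user" and "add user" tasks pass `--password "{{ item.password }}"` inside a `shell:` command without `no_log: true`, so every user's password is printed in the task result (and, with verbosity, the whole command) on each run; add `no_log: true` to both tasks — the bootstrap task in keystone_config.yml has the same gap. In "add service" the `--name "{{ item.name }}"` line is the only argument line without a trailing `\`, and in "add project" the `service` project is created without the `--domain default` that `demo` gets; both look like copy-edit slips worth fixing before anything depends on them. None of the `openstack … create` tasks is idempotent — a second run fails on the already-existing project, user, role or endpoint — so either a preceding `openstack … show` with `changed_when`/`failed_when`, or the dedicated os_* modules, would make the role safely rerunnable.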
@@ -0,0 +1,30 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include: keystone_install.yml
+ tags:
+ - install
+ - keystone_install
+ - keystone
+
+- include: keystone_config.yml
+ when: inventory_hostname == groups['controller'][0]
+ tags:
+ - config
+ - keystone_config
+ - keystone
+
+- include: keystone_create.yml
+ when: inventory_hostname == groups['controller'][0]
+ tags:
+ - config
+ - keystone_create
+ - keystone
+
+- meta: flush_handlers
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/admin-openrc.sh b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/admin-openrc.sh
new file mode 100644
index 00000000..94d5850f
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/admin-openrc.sh
@@ -0,0 +1,18 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+# Verify the Identity Service installation
+export OS_PROJECT_DOMAIN_NAME=default
+export OS_USER_DOMAIN_NAME=default
+export OS_TENANT_NAME=admin
+export OS_PROJECT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD={{ ADMIN_PASS }}
+export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/demo-openrc.sh b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/demo-openrc.sh
new file mode 100644
index 00000000..920f42ed
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/demo-openrc.sh
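Review bot: `export OS_PASSWORD={{ ADMIN_PASS }}` writes the admin password into the rc file unquoted, so a password containing a space, `$`, `;` or another shell metacharacter is truncated or interpreted when the file is sourced; write `export OS_PASSWORD='{{ ADMIN_PASS }}'` (the same applies to `{{ DEMO_PASS }}` in demo-openrc.sh in the next hunk). The rendered file holds a cleartext credential for the cloud admin, so the template task that writes it — in keystone_install.yml, outside this diff — should set `mode: "0600"` and `owner: root`; whether it does cannot be seen here. `OS_TENANT_NAME` duplicates `OS_PROJECT_NAME` under the v3 auth URL and could be dropped, though it is harmless.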
@@ -0,0 +1,17 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+export OS_PROJECT_DOMAIN_NAME=default
+export OS_USER_DOMAIN_NAME=default
+export OS_TENANT_NAME=demo
+export OS_PROJECT_NAME=demo
+export OS_USERNAME=demo
+export OS_PASSWORD={{ DEMO_PASS }}
+export OS_AUTH_URL=http://{{ internal_vip.ip }}:5000/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/keystone.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/keystone.conf
new file mode 100644
index 00000000..919be344
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/keystone.conf
@@ -0,0 +1,60 @@
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+[DEFAULT]
+debug={{ DEBUG }}
+log_dir = /var/log/keystone
+
+[cache]
+backend = keystone.cache.memcache_pool
+memcache_servers = {{ memcached_servers}}
+enabled=true
+
+[revoke]
+driver = sql
+expiration_buffer = 3600
+caching = true
+
+[database]
+connection = mysql://keystone:{{ KEYSTONE_DBPASS }}@{{ db_host }}/keystone?charset=utf8
+idle_timeout = 30
+min_pool_size = 5
+max_pool_size = 120
+pool_timeout = 30
+
+[fernet_tokens]
+key_repository = /etc/keystone/fernet-keys/
+
+[identity]
+default_domain_id = default
+driver = sql
+
+[assignment]
+driver = sql
+
+[resource]
+driver = sql
+caching = true
+cache_time = 3600
+
+[token]
+enforce_token_bind = permissive
+expiration = 43200
+provider = fernet
+driver = sql
+caching = true
+cache_time = 3600
+
+[eventlet_server]
+public_bind_host = {{ identity_host }}
+admin_bind_host = {{ identity_host }}
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_hosts = {{ rabbitmq_servers }}
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
index 79ed06fe..90977372 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
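Review bot: `[token] expiration = 43200` keeps every fernet token valid for 12 hours, twelve times keystone's default of 3600 seconds, and with `[token] caching = true` over the memcache backend in `[cache]` a leaked token stays usable on every controller for that whole window; unless a consumer in this deployment needs long-lived tokens, set `expiration = 3600` or leave a comment stating why 12 hours is required. `connection = mysql://…` selects the legacy MySQLdb driver where the Newton install guides use `mysql+pymysql://`; which Python MySQL package keystone_install.yml installs is outside this diff, so check that the URL and the installed driver match. `[eventlet_server]` configures keystone's own eventlet listener, which as far as I recall is no longer shipped in Newton (keystone on Xenial runs under Apache mod_wsgi), so `public_bind_host`/`admin_bind_host` are probably dead settings and `{{ identity_host }}` may be unused. `debug={{ DEBUG }}` and `enabled=true` are the only two keys written without spaces around `=`; aligning them with the rest of the file is a trivial tidy-up.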
@@ -17,9 +17,9 @@ os_services: type: identity region: RegionOne description: "OpenStack Identity" - publicurl: "http://{{ public_vip.ip }}:5000/v2.0" - internalurl: "http://{{ internal_vip.ip }}:5000/v2.0" - adminurl: "http://{{ internal_vip.ip }}:35357/v2.0" + publicurl: "http://{{ public_vip.ip }}:5000/v3" + internalurl: "http://{{ internal_vip.ip }}:5000/v3" + adminurl: "http://{{ internal_vip.ip }}:35357/v3" - name: glance type: image @@ -33,9 +33,9 @@ os_services: type: compute region: RegionOne description: "OpenStack Compute" - publicurl: "http://{{ public_vip.ip }}:8774/v2/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" - name: neutron type: network 
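Review bot: The new compute URLs embed shell escapes — `%\\(tenant_id\\)s` is the YAML double-quoted spelling of `%\(tenant_id\)s` — so that the parentheses survive being interpolated unquoted into `{{ item.name }} public {{ item.publicurl }}` in keystone_create.yml; that ties a vars file to the quoting habits of one consumer, and any other reader of `os_services` has to strip the backslashes again. Quoting at the point of use, `"{{ item.publicurl }}"`, would let the data keep the plain `%(tenant_id)s` form the removed lines had; the cinder/heat hunk and the commented-out swift block that follow carry the same pattern. The nova entries move to `v2.1` but keep the `/%(tenant_id)s` suffix, whereas the Newton install guide registers compute as `…:8774/v2.1` with no project segment; as far as I know v2.1 still accepts the project-prefixed form, so this is a style point rather than a breakage, but the unsuffixed form avoids the escaping altogether for this service.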
@@ -65,25 +65,25 @@ os_services: type: volume region: RegionOne description: "OpenStack Block Storage" - publicurl: "http://{{ public_vip.ip }}:8776/v1/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8776/v1/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s" - name: cinderv2 type: volumev2 region: RegionOne description: "OpenStack Block Storage v2" - publicurl: "http://{{ public_vip.ip }}:8776/v2/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8776/v2/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s" - name: heat type: orchestration region: RegionOne description: "OpenStack Orchestration" - publicurl: "http://{{ public_vip.ip }}:8004/v1/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8004/v1/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s" - name: heat-cfn type: cloudformation 
@@ -97,9 +97,9 @@ os_services: # type: object-store # region: RegionOne # description: "OpenStack Object Storage" -# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%(tenant_id)s" -# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s" -# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s" +# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" +# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" +# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" os_users: - user: admin @@ -178,3 +178,4 @@ os_users: # role: admin # tenant: service # tenant_description: "Service Tenant" + |
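Review bot: The last hunk (`@@ -178,3 +178,4 @@`) appends a line holding only `|` after the commented-out `os_users` entry, and the insertion count in the diffstat suggests this is a real added line rather than a rendering artifact. A bare `|` at top level is a block-scalar indicator, not a comment, so it will most likely make vars/main.yml fail to load (yamllint rejects it in any case); drop the line.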