Diffstat (limited to 'deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml')
-rw-r--r-- | deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml | 131 |
1 files changed, 83 insertions, 48 deletions
diff --git a/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml b/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
index e7e9297e..ea211470 100644
--- a/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
+++ b/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
@@ -7,55 +7,90 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 ##############################################################################
 ---
+- include_vars: "{{ ansible_os_family }}.yml"
+
 - name: keystone-manage db-sync
- #keystone_manage: action=dbsync
 shell: su -s /bin/sh -c 'keystone-manage db_sync' keystone
 
+- name: Check if fernet keys already exist
+ stat:
+ path: "/etc/keystone/fernet-keys/0"
+ register: fernet_keys_0
+
+- name: Create fernet keys for Keystone
+ command:
+ keystone-manage fernet_setup
+ --keystone-user keystone
+ --keystone-group keystone
+ when: not fernet_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Rotate fernet keys for Keystone
+ command:
+ keystone-manage fernet_rotate
+ --keystone-user keystone
+ --keystone-group keystone
+ when: fernet_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Distribute the fernet key repository
+ shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+ -avz \
+ --delete \
+ /etc/keystone/fernet-keys \
+ root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+ with_items: groups['controller'][1:]
+ notify:
+ - restart keystone services
+
+- name: Check if credential keys already exist
+ stat:
+ path: "/etc/keystone/credential-keys/0"
+ register: credential_keys_0
+
+- name: Create credential keys for Keystone
+ command:
+ keystone-manage credential_setup
+ --keystone-user keystone
+ --keystone-group keystone
+ when: not credential_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Rotate credential keys for Keystone
+ command:
+ keystone-manage credential_rotate
+ --keystone-user keystone
+ --keystone-group keystone
+ when: credential_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Distribute the credential key repository
+ shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+ -avz \
+ --delete \
+ /etc/keystone/credential-keys \
+ root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+ with_items: groups['controller'][1:]
+ notify:
+ - restart keystone services
+
+- name: Bootstrap the Identity service
+ shell:
+ keystone-manage bootstrap \
+ --bootstrap-password {{ ADMIN_PASS }} \
+ --bootstrap-admin-url http://{{ internal_ip }}:35357/v3/ \
+ --bootstrap-internal-url http://{{ internal_ip }}:35357/v3/ \
+ --bootstrap-public-url http://{{ internal_ip }}:5000/v3/
+ --bootstrap-region-id RegionOne \
+ notify:
+ - restart keystone services
+
+- meta: flush_handlers
+
 - name: wait for keystone ready
- wait_for: port=35357 delay=3 timeout=10 host={{ internal_ip }}
-
-- name: cron job to purge expired tokens hourly
- cron:
- name: 'purge expired tokens'
- special_time: hourly
- job: '/usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1'
-
-- name: add tenants
- keystone_user:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- tenant: "{{ item.tenant }}"
- tenant_description: "{{ item.tenant_description }}"
- with_items: "{{ os_users }}"
-
-- name: add users
- keystone_user:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- user: "{{ item.user }}"
- tenant: "{{ item.tenant }}"
- password: "{{ item.password }}"
- email: "{{ item.email }}"
- with_items: "{{ os_users }}"
-
-- name: grant roles
- keystone_user:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- user: "{{ item.user }}"
- role: "{{ item.role }}"
- tenant: "{{ item.tenant }}"
- with_items: "{{ os_users }}"
-
-- name: add endpoints
- keystone_service:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- name: "{{ item.name }}"
- type: "{{ item.type }}"
- region: "{{ item.region}}"
- description: "{{ item.description }}"
- publicurl: "{{ item.publicurl }}"
- internalurl: "{{ item.internalurl }}"
- adminurl: "{{ item.adminurl }}"
- with_items: "{{ os_services }}"
+ wait_for: port=35357 delay=15 timeout=60 host={{ internal_ip }}
+
|
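Review bot: The "Bootstrap the Identity service" task passes `{{ ADMIN_PASS }}` unquoted into a `shell:` command, so a password containing shell metacharacters is reinterpreted by /bin/sh, and the rendered command line (password included) can appear in Ansible's task output and logs unless the task also sets `no_log: true`. Switching the task to `command:` as the fernet and credential tasks already do removes the shell layer, and the trailing backslashes should go with it: in this plain multi-line scalar YAML folds the line breaks into spaces, so the `\` characters reach the shell as literal text rather than as continuations, and the `--bootstrap-public-url` line is in any case missing the one its sibling lines carry. The two rsync distribution tasks push the fernet and credential key repositories, the material Keystone uses to protect tokens and stored credentials, with `-o StrictHostKeyChecking=no`, which accepts whatever host answers at the controller's address; populating known_hosts for the other controllers before this step, or using the `synchronize` module, keeps host verification in place. `with_items: groups['controller'][1:]` relies on bare-expression templating, which Ansible has deprecated; `with_items: "{{ groups['controller'][1:] }}"` is the portable form.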