aboutsummaryrefslogtreecommitdiffstats
path: root/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
diff options
context:
space:
mode:
Diffstat (limited to 'deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml')
-rw-r--r--deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml131
1 files changed, 83 insertions, 48 deletions
diff --git a/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml b/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
index e7e9297e..ea211470 100644
--- a/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
+++ b/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml
@@ -7,55 +7,90 @@
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
---
+- include_vars: "{{ ansible_os_family }}.yml"
+
- name: keystone-manage db-sync
- #keystone_manage: action=dbsync
shell: su -s /bin/sh -c 'keystone-manage db_sync' keystone
+- name: Check if fernet keys already exist
+ stat:
+ path: "/etc/keystone/fernet-keys/0"
+ register: fernet_keys_0
+
+- name: Create fernet keys for Keystone
+ command:
+ keystone-manage fernet_setup
+ --keystone-user keystone
+ --keystone-group keystone
+ when: not fernet_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Rotate fernet keys for Keystone
+ command:
+ keystone-manage fernet_rotate
+ --keystone-user keystone
+ --keystone-group keystone
+ when: fernet_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Distribute the fernet key repository
+ shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+ -avz \
+ --delete \
+ /etc/keystone/fernet-keys \
+ root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+ with_items: groups['controller'][1:]
+ notify:
+ - restart keystone services
+
+- name: Check if credential keys already exist
+ stat:
+ path: "/etc/keystone/credential-keys/0"
+ register: credential_keys_0
+
+- name: Create credential keys for Keystone
+ command:
+ keystone-manage credential_setup
+ --keystone-user keystone
+ --keystone-group keystone
+ when: not credential_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Rotate credential keys for Keystone
+ command:
+ keystone-manage credential_rotate
+ --keystone-user keystone
+ --keystone-group keystone
+ when: credential_keys_0.stat.exists
+ notify:
+ - restart keystone services
+
+- name: Distribute the credential key repository
+ shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+ -avz \
+ --delete \
+ /etc/keystone/credential-keys \
+ root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+ with_items: groups['controller'][1:]
+ notify:
+ - restart keystone services
+
+- name: Bootstrap the Identity service
+ shell:
+ keystone-manage bootstrap \
+ --bootstrap-password {{ ADMIN_PASS }} \
+ --bootstrap-admin-url http://{{ internal_ip }}:35357/v3/ \
+ --bootstrap-internal-url http://{{ internal_ip }}:35357/v3/ \
+ --bootstrap-public-url http://{{ internal_ip }}:5000/v3/
+ --bootstrap-region-id RegionOne \
+ notify:
+ - restart keystone services
+
+- meta: flush_handlers
+
- name: wait for keystone ready
- wait_for: port=35357 delay=3 timeout=10 host={{ internal_ip }}
-
-- name: cron job to purge expired tokens hourly
- cron:
- name: 'purge expired tokens'
- special_time: hourly
- job: '/usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1'
-
-- name: add tenants
- keystone_user:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- tenant: "{{ item.tenant }}"
- tenant_description: "{{ item.tenant_description }}"
- with_items: "{{ os_users }}"
-
-- name: add users
- keystone_user:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- user: "{{ item.user }}"
- tenant: "{{ item.tenant }}"
- password: "{{ item.password }}"
- email: "{{ item.email }}"
- with_items: "{{ os_users }}"
-
-- name: grant roles
- keystone_user:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- user: "{{ item.user }}"
- role: "{{ item.role }}"
- tenant: "{{ item.tenant }}"
- with_items: "{{ os_users }}"
-
-- name: add endpoints
- keystone_service:
- token: "{{ ADMIN_TOKEN }}"
- endpoint: "http://{{ internal_ip }}:35357/v2.0"
- name: "{{ item.name }}"
- type: "{{ item.type }}"
- region: "{{ item.region}}"
- description: "{{ item.description }}"
- publicurl: "{{ item.publicurl }}"
- internalurl: "{{ item.internalurl }}"
- adminurl: "{{ item.adminurl }}"
- with_items: "{{ os_services }}"
+ wait_for: port=35357 delay=15 timeout=60 host={{ internal_ip }}
+