From e9bc8e2a0dadf98c1e4778d83d81b8226130df89 Mon Sep 17 00:00:00 2001 From: James Slagle Date: Fri, 1 Apr 2022 12:02:21 -0400 Subject: [PATCH] Use tripleo_keystone role Update Keystone service template to use tripleo_keystone role from tripleo-ansible. Depends-On: I24c30d8ec721c1730411818416fefa63902d4294 Change-Id: I4f7c2e60ee0b183224c6bac0a61937e3be395a84 Signed-off-by: James Slagle
---
 .../keystone/keystone-container-puppet.yaml | 171 +++++------------- deployment/logging/files/keystone.yaml | 12 +- 2 files changed, 49 insertions(+), 134 deletions(-)
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index ca3e1d45e3..e67db42d4f 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -725,6 +725,25 @@ outputs: - horizon::keystone_multidomain_support: true horizon::keystone_default_domain: 'Default' - horizon::policy::keystone_policies: {get_param: KeystonePolicies} + ansible_group_vars: + tripleo_keystone_image: &keystone_image {get_attr: [RoleParametersValue, value, ContainerKeystoneImage]} + tripleo_keystone_volumes: + - /etc/openldap:/etc/openldap:ro + - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro + tripleo_keystone_common_volumes: {get_attr: [ContainersCommon, volumes]} + tripleo_keystone_logging_volumes: {get_attr: [KeystoneLogging, volumes]} + tripleo_keystone_enable_internal_tls: {get_param: EnableInternalTLS} + tripleo_keystone_internal_tls_volumes: + - if: + - {get_param: EnableInternalTLS} + - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + tripleo_keystone_environment: + KOLLA_BOOTSTRAP: true + KOLLA_CONFIG_STRATEGY: COPY_ALWAYS + TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} + tripleo_keystone_logging_environment: {get_attr: [KeystoneLogging, environment]} # BEGIN DOCKER SETTINGS puppet_config: config_volume: keystone 
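Review bot: The new `tripleo_keystone_environment` map folds together what used to be two different environments — in the removed step_3 only the db-sync container carried `KOLLA_BOOTSTRAP` and `TRIPLEO_DEPLOY_IDENTIFIER`, while the long-running keystone container had `KOLLA_CONFIG_STRATEGY` alone — so which container receives this map is now decided by the role, outside this template. Presumably the role attaches it only to the db-sync container, since kolla images typically switch to their bootstrap path when `KOLLA_BOOTSTRAP` is set; a comment above the key naming the consumer, e.g. `# consumed by the tripleo_keystone db-sync container only; KOLLA_BOOTSTRAP must not reach the httpd container`, would keep that contract visible. `tripleo_keystone_internal_tls_volumes` keeps the `if` without an else branch from the list_concat it replaces, so it relies on Heat dropping the unmatched item; `tripleo_keystone_enable_internal_tls` is passed alongside it, so the role can gate on that flag instead. The config_settings block this `ansible_group_vars` mapping joins begins outside the hunk.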
@@ -737,110 +756,10 @@ outputs: include tripleo::profile::base::keystone - {get_attr: [MySQLClient, role_data, step_config]} config_image: &keystone_config_image {get_attr: [RoleParametersValue, value, ContainerKeystoneConfigImage]} - kolla_config: - /var/lib/kolla/config_files/keystone.json: - command: /usr/sbin/httpd - config_files: - - source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys" - dest: "/etc/keystone/fernet-keys" - merge: false - preserve_properties: true - - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" - dest: "/etc/httpd/conf.d" - merge: false - preserve_properties: true - - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" - dest: "/etc/httpd/conf.modules.d" - merge: false - preserve_properties: true - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - /var/lib/kolla/config_files/keystone_cron.json: - # FIXME(dprince): this is unused ATM because Kolla hardcodes the - # args for the keystone container to -DFOREGROUND - command: /usr/sbin/crond -n - config_files: - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true docker_config: # Kolla_bootstrap/db sync runs before permissions set by kolla_config step_2: get_attr: [KeystoneLogging, docker_config, step_2] - step_3: - keystone_db_sync: - image: &keystone_image {get_attr: [RoleParametersValue, value, ContainerKeystoneImage]} - net: host - user: root - privileged: false - detach: false - volumes: &keystone_volumes - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [KeystoneLogging, volumes]} - - - /etc/openldap:/etc/openldap:ro - - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro - - if: - - {get_param: EnableInternalTLS} - - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - 
/etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - environment: - map_merge: - - {get_attr: [KeystoneLogging, environment]} - - KOLLA_BOOTSTRAP: true - KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} - command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start'] - keystone: - start_order: 2 - image: *keystone_image - net: host - privileged: false - restart: always - healthcheck: - test: /openstack/healthcheck - volumes: *keystone_volumes - environment: - KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - keystone_bootstrap: - start_order: 3 - action: exec - user: root - command: - [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap' ] - environment: - KOLLA_BOOTSTRAP: true - OS_BOOTSTRAP_PASSWORD: {get_param: AdminPassword} - OS_BOOTSTRAP_USERNAME: 'admin' - OS_BOOTSTRAP_PROJECT_NAME: 'admin' - OS_BOOTSTRAP_ROLE_NAME: 'admin' - OS_BOOTSTRAP_SERVICE_NAME: 'keystone' - OS_BOOTSTRAP_ADMIN_URL: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} - OS_BOOTSTRAP_PUBLIC_URL: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} - OS_BOOTSTRAP_INTERNAL_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} - OS_BOOTSTRAP_REGION_ID: {get_param: KeystoneRegion} - keystone_cron: - start_order: 4 - image: *keystone_image - user: root - net: host - privileged: false - restart: always - healthcheck: - test: '/usr/share/openstack-tripleo-common/healthcheck/cron keystone' - command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n'] - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [KeystoneLogging, volumes]} - - - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro - environment: - KOLLA_CONFIG_STRATEGY: COPY_ALWAYS step_4: # There are cases where we need to refresh keystone after 
the resource provisioning, # such as the case of using LDAP backends for domains. So we trigger a graceful 
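Review bot: The context comment `# Kolla_bootstrap/db sync runs before permissions set by kolla_config` above `step_2` is stale once this hunk lands: the `kolla_config` block it refers to and the step_3 db-sync container are both deleted here, so it now explains ordering against something that no longer exists in this template. Replace it with one that states what remains, e.g. `# only the logging step_2 config is still generated here; db sync, keystone, bootstrap and cron containers come from the tripleo_keystone role`. The deleted block also defined a second kolla config file (`keystone_cron.json`) and a `keystone_cron` container with its own volume list and healthcheck, whereas the group vars added in the first hunk mount only `keystone.json`; presumably the role carries its own cron config, but nothing in this commit references it, so it is worth confirming the crond container is still started. The `step_4` refresh task that follows continues past the hunk.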
@@ -971,34 +890,36 @@ outputs: - container_cli == 'podman' - not container_healthcheck_disabled - step|int == 4 + - name: Keystone DB sync + include_role: + name: tripleo_keystone + tasks_from: keystone-db-sync.yaml + when: + - step|int == 3 + - name: Keystone containers + import_role: + name: tripleo_keystone + tasks_from: keystone.yaml + when: + - step|int == 3 + - name: Keystone bootstrap containers + import_role: + name: tripleo_keystone + tasks_from: keystone-bootstrap.yaml + when: + - step|int == 3 + vars: + tripleo_keystone_admin_password: {get_param: AdminPassword} + tripleo_keystone_admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + tripleo_keystone_public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} + tripleo_keystone_internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + tripleo_keystone_region: {get_param: KeystoneRegion} host_prep_tasks: list_concat: - {get_attr: [KeystoneLogging, host_prep_tasks]} - - - name: Check if file certs_valid exist - stat: - path: "/etc/openldap/certs/certs_valid" - register: certs_valid_stat - - name: Check if file cert9.db exist - stat: - path: "/etc/openldap/certs/cert9.db" - register: cert9_stat - when: not certs_valid_stat.stat.exists - - name: Check if file key4.db exist - stat: - path: "/etc/openldap/certs/key4.db" - register: key4_stat - when: not certs_valid_stat.stat.exists - - fail: - msg: > - Keys and/or certificates were found in /etc/openldap/certs - but these conflicts with keystone python LDAP calls. If - you know those certificates are valid and not causing any - conflicts, you can touch /etc/openldap/certs/certs_valid - in order to skip this failure and retry or you can delete - the files located in /etc/openldap/certs and retry. 
- when: >- - ( cert9_stat.stat.exists or key4_stat.stat.exists ) and - not certs_valid_stat.stat.exists + - - include_role: + name: tripleo_keystone + tasks_from: keystone-install.yaml metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] external_upgrade_tasks:
diff --git a/deployment/logging/files/keystone.yaml b/deployment/logging/files/keystone.yaml
index d7c522e2f9..9fc9f26139 100644
--- a/deployment/logging/files/keystone.yaml
+++ b/deployment/logging/files/keystone.yaml
@@ -54,12 +54,6 @@ outputs:
 host_prep_tasks:
 description: Extra ansible tasks needed for logging to files in the host.
 value:
- - name: create persistent directories
- file:
- path: "{{ item.path }}"
- state: directory
- setype: "{{ item.setype }}"
- mode: "{{ item.mode }}"
- with_items:
- - { 'path': /var/log/containers/keystone, 'setype': container_file_t, 'mode': '0750' }
- - { 'path': /var/log/containers/httpd/keystone, 'setype': container_file_t, 'mode': '0750' }
+ - include_role:
+ name: tripleo_keystone
+ tasks_from: keystone-logging-install.yaml
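Review bot: `tripleo_keystone_admin_password: {get_param: AdminPassword}` is now handed to the bootstrap tasks as a plain `vars:` entry on an `import_role`; because `import_role` inlines the role statically, that value is in scope for every task in keystone-bootstrap.yaml and will appear in Ansible's task output unless the consuming task sets `no_log`. Presumably the role does so, but a comment here would record the expectation, e.g. `# AdminPassword: the keystone-bootstrap.yaml task that uses it must keep no_log`. The three new tasks also mix `include_role` (DB sync) with `import_role` (containers, bootstrap) under the identical `step|int == 3` condition, and the two forms evaluate `when` differently (on the include itself versus on each imported task); using one form for all three would make the intended behaviour unambiguous. The removed host_prep_tasks guard against stray `cert9.db`/`key4.db` files under /etc/openldap/certs is replaced only by `keystone-install.yaml`, so that check should be confirmed to live in the role. The task list these entries extend begins before the hunk.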
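Review bot: The removed tasks pinned the host log directories `/var/log/containers/keystone` and `/var/log/containers/httpd/keystone` to `setype: container_file_t` and `mode: '0750'`; the replacement `include_role` passes no parameters, so those permission and SELinux settings are now entirely the role's responsibility and can no longer be audited from this file. If `keystone-logging-install.yaml` is expected to keep them, a one-line comment above the include, e.g. `# creates the keystone and httpd/keystone log dirs with container_file_t and mode 0750`, preserves the intent; if the role exposes a mode variable, passing `'0750'` explicitly from here would be safer still.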