241 lines
11 KiB
YAML
241 lines
11 KiB
YAML
---
|
|
keystone_services:
|
|
keystone:
|
|
container_name: "keystone"
|
|
group: "keystone"
|
|
enabled: true
|
|
image: "{{ keystone_image_full }}"
|
|
volumes: "{{ keystone_default_volumes + keystone_extra_volumes }}"
|
|
dimensions: "{{ keystone_dimensions }}"
|
|
healthcheck: "{{ keystone_healthcheck }}"
|
|
haproxy:
|
|
keystone_internal:
|
|
enabled: "{{ enable_keystone }}"
|
|
mode: "http"
|
|
external: false
|
|
tls_backend: "{{ keystone_enable_tls_backend }}"
|
|
port: "{{ keystone_internal_port }}"
|
|
listen_port: "{{ keystone_internal_listen_port }}"
|
|
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
|
|
keystone_external:
|
|
enabled: "{{ enable_keystone }}"
|
|
mode: "http"
|
|
external: true
|
|
external_fqdn: "{{ keystone_external_fqdn }}"
|
|
tls_backend: "{{ keystone_enable_tls_backend }}"
|
|
port: "{{ keystone_public_port }}"
|
|
listen_port: "{{ keystone_public_listen_port }}"
|
|
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
|
|
keystone-ssh:
|
|
container_name: "keystone_ssh"
|
|
group: "keystone"
|
|
enabled: true
|
|
image: "{{ keystone_ssh_image_full }}"
|
|
volumes:
|
|
- "{{ node_config_directory }}/keystone-ssh/:{{ container_config_directory }}/:ro"
|
|
- "/etc/localtime:/etc/localtime:ro"
|
|
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
|
|
- "kolla_logs:/var/log/kolla/"
|
|
- "keystone_fernet_tokens:/etc/keystone/fernet-keys"
|
|
dimensions: "{{ keystone_ssh_dimensions }}"
|
|
healthcheck: "{{ keystone_ssh_healthcheck }}"
|
|
keystone-fernet:
|
|
container_name: "keystone_fernet"
|
|
group: "keystone"
|
|
enabled: true
|
|
image: "{{ keystone_fernet_image_full }}"
|
|
volumes:
|
|
- "{{ node_config_directory }}/keystone-fernet/:{{ container_config_directory }}/:ro"
|
|
- "/etc/localtime:/etc/localtime:ro"
|
|
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
|
|
- "kolla_logs:/var/log/kolla/"
|
|
- "keystone_fernet_tokens:/etc/keystone/fernet-keys"
|
|
dimensions: "{{ keystone_fernet_dimensions }}"
|
|
healthcheck: "{{ keystone_fernet_healthcheck }}"
|
|
|
|
####################
|
|
# Config Validate
|
|
####################
|
|
keystone_config_validation:
|
|
- generator: "/keystone/config-generator/keystone.conf"
|
|
config: "/etc/keystone/keystone.conf"
|
|
|
|
####################
|
|
# Database
|
|
####################
|
|
keystone_database_name: "keystone"
|
|
keystone_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}keystone{% endif %}"
|
|
keystone_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}"
|
|
|
|
####################
|
|
# Database sharding
|
|
####################
|
|
keystone_database_shard_root_user: "{% if enable_proxysql | bool %}root_shard_{{ keystone_database_shard_id }}{% else %}{{ database_user }}{% endif %}"
|
|
keystone_database_shard_id: "{{ mariadb_default_database_shard_id | int }}"
|
|
keystone_database_shard:
|
|
users:
|
|
- user: "{{ keystone_database_user }}"
|
|
password: "{{ keystone_database_password }}"
|
|
rules:
|
|
- schema: "{{ keystone_database_name }}"
|
|
shard_id: "{{ keystone_database_shard_id }}"
|
|
|
|
|
|
####################
|
|
# Fernet
|
|
####################
|
|
keystone_username: "keystone"
|
|
keystone_groupname: "keystone"
|
|
|
|
|
|
####################
|
|
# Docker
|
|
####################
|
|
keystone_tag: "{{ openstack_tag }}"
|
|
|
|
keystone_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/keystone"
|
|
keystone_service_tag: "{{ keystone_tag }}"
|
|
keystone_image_full: "{{ keystone_image }}:{{ keystone_service_tag }}"
|
|
|
|
keystone_fernet_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/keystone-fernet"
|
|
keystone_fernet_tag: "{{ keystone_tag }}"
|
|
keystone_fernet_image_full: "{{ keystone_fernet_image }}:{{ keystone_fernet_tag }}"
|
|
|
|
keystone_ssh_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/keystone-ssh"
|
|
keystone_ssh_tag: "{{ keystone_tag }}"
|
|
keystone_ssh_image_full: "{{ keystone_ssh_image }}:{{ keystone_ssh_tag }}"
|
|
|
|
keystone_dimensions: "{{ default_container_dimensions }}"
|
|
keystone_fernet_dimensions: "{{ default_container_dimensions }}"
|
|
keystone_ssh_dimensions: "{{ default_container_dimensions }}"
|
|
|
|
keystone_enable_healthchecks: "{{ enable_container_healthchecks }}"
|
|
keystone_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
|
|
keystone_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
|
|
keystone_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
|
|
keystone_healthcheck_test: ["CMD-SHELL", "healthcheck_curl {{ 'https' if keystone_enable_tls_backend | bool else 'http' }}://{{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}"]
|
|
keystone_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
|
|
keystone_healthcheck:
|
|
interval: "{{ keystone_healthcheck_interval }}"
|
|
retries: "{{ keystone_healthcheck_retries }}"
|
|
start_period: "{{ keystone_healthcheck_start_period }}"
|
|
test: "{% if keystone_enable_healthchecks | bool %}{{ keystone_healthcheck_test }}{% else %}NONE{% endif %}"
|
|
timeout: "{{ keystone_healthcheck_timeout }}"
|
|
|
|
keystone_ssh_enable_healthchecks: "{{ enable_container_healthchecks }}"
|
|
keystone_ssh_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
|
|
keystone_ssh_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
|
|
keystone_ssh_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
|
|
keystone_ssh_healthcheck_test: ["CMD-SHELL", "healthcheck_listen sshd {{ keystone_ssh_port }}"]
|
|
keystone_ssh_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
|
|
keystone_ssh_healthcheck:
|
|
interval: "{{ keystone_ssh_healthcheck_interval }}"
|
|
retries: "{{ keystone_ssh_healthcheck_retries }}"
|
|
start_period: "{{ keystone_ssh_healthcheck_start_period }}"
|
|
test: "{% if keystone_ssh_enable_healthchecks | bool %}{{ keystone_ssh_healthcheck_test }}{% else %}NONE{% endif %}"
|
|
timeout: "{{ keystone_ssh_healthcheck_timeout }}"
|
|
|
|
keystone_fernet_enable_healthchecks: "{{ enable_container_healthchecks }}"
|
|
keystone_fernet_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
|
|
keystone_fernet_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
|
|
keystone_fernet_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
|
|
keystone_fernet_healthcheck_test: ["CMD-SHELL", "/usr/bin/fernet-healthcheck.sh"]
|
|
keystone_fernet_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
|
|
keystone_fernet_healthcheck:
|
|
interval: "{{ keystone_fernet_healthcheck_interval }}"
|
|
retries: "{{ keystone_fernet_healthcheck_retries }}"
|
|
start_period: "{{ keystone_fernet_healthcheck_start_period }}"
|
|
test: "{% if keystone_fernet_enable_healthchecks | bool %}{{ keystone_fernet_healthcheck_test }}{% else %}NONE{% endif %}"
|
|
timeout: "{{ keystone_fernet_healthcheck_timeout }}"
|
|
|
|
keystone_default_volumes:
|
|
- "{{ node_config_directory }}/keystone/:{{ container_config_directory }}/:ro"
|
|
- "/etc/localtime:/etc/localtime:ro"
|
|
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
|
|
- "{{ kolla_dev_repos_directory ~ '/keystone/keystone:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/keystone' if keystone_dev_mode | bool else '' }}"
|
|
- "kolla_logs:/var/log/kolla/"
|
|
- "keystone_fernet_tokens:/etc/keystone/fernet-keys"
|
|
|
|
keystone_extra_volumes: "{{ default_extra_volumes }}"
|
|
|
|
####################
|
|
# OpenStack
|
|
####################
|
|
keystone_logging_debug: "{{ openstack_logging_debug }}"
|
|
|
|
openstack_keystone_auth: "{{ openstack_auth }}"
|
|
|
|
keystone_api_workers: "{{ openstack_service_workers }}"
|
|
|
|
####################
|
|
# Kolla
|
|
####################
|
|
keystone_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
|
|
keystone_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
|
|
keystone_dev_mode: "{{ kolla_dev_mode }}"
|
|
keystone_source_version: "{{ kolla_source_version }}"
|
|
|
|
|
|
####################
|
|
# Notifications
|
|
####################
|
|
keystone_default_notifications_topic_enabled: "{{ enable_ceilometer | bool }}"
|
|
keystone_default_notifications_topic_name: "notifications"
|
|
|
|
keystone_notification_topics:
|
|
- name: "{{ keystone_default_notifications_topic_name }}"
|
|
enabled: "{{ keystone_default_notifications_topic_enabled | bool }}"
|
|
- name: barbican_notifications
|
|
enabled: "{{ enable_barbican | bool }}"
|
|
|
|
keystone_enabled_notification_topics: "{{ keystone_notification_topics | selectattr('enabled', 'equalto', true) | list }}"
|
|
|
|
|
|
####################
|
|
# Keystone
|
|
####################
|
|
keystone_service_endpoints:
|
|
- {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
|
|
- {'interface': 'public', 'url': '{{ keystone_public_url }}'}
|
|
|
|
# TODO(yoctozepto): Remove admin_endpoint leftovers in Antelope (2023.1).
|
|
keystone_service_admin_endpoint: {'interface': 'admin', 'url': '{{ keystone_internal_url }}'}
|
|
keystone_create_admin_endpoint: false
|
|
|
|
keystone_ks_services:
|
|
- name: "keystone"
|
|
type: "identity"
|
|
description: "Openstack Identity Service"
|
|
endpoints: "{{ keystone_service_endpoints + ([keystone_service_admin_endpoint] if kolla_action == 'upgrade' or keystone_create_admin_endpoint | bool else []) }}"
|
|
|
|
####################
|
|
# TLS
|
|
####################
|
|
keystone_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
|
|
|
###############################
|
|
# OpenStack identity federation
|
|
###############################
|
|
# Default OpenID Connect remote attribute key
|
|
keystone_remote_id_attribute_oidc: "HTTP_OIDC_ISS"
|
|
keystone_container_federation_oidc_metadata_folder: "{{ '/etc/apache2/metadata' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/metadata' }}"
|
|
keystone_container_federation_oidc_idp_certificate_folder: "{{ '/etc/apache2/cert' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/cert' }}"
|
|
keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_config_directory }}/federation/oidc/attribute_maps"
|
|
keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keystone/federation/oidc/metadata"
|
|
keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
|
|
keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
|
|
keystone_federation_oidc_jwks_uri: ""
|
|
keystone_federation_oidc_additional_options: {}
|
|
|
|
# These variables are used to define multiple trusted Horizon dashboards.
|
|
# keystone_trusted_dashboards: ['<https://dashboardServerOne/auth/websso/>', '<https://dashboardServerTwo/auth/websso/>', '<https://dashboardServerN/auth/websso/>']
|
|
keystone_trusted_dashboards: "{{ ['%s://%s/auth/websso/' % (public_protocol, kolla_external_fqdn), '%s/auth/websso/' % (horizon_public_endpoint)] if enable_horizon | bool else [] }}"
|
|
keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and keystone_identity_providers | selectattr('protocol', 'equalto', 'openid') | list | count > 0 }}"
|
|
keystone_should_remove_attribute_mappings: False
|
|
keystone_should_remove_identity_providers: False
|
|
keystone_federation_oidc_response_type: "id_token"
|
|
keystone_federation_oidc_scopes: "openid email profile"
|
|
|
|
# OIDC caching
|
|
keystone_oidc_enable_memcached: "{{ enable_memcached }}"
|