openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
openstack-ansible-os_keystone/defaults/main.yml
Kevin Carter 62d9f9c10d
Cleanup files and templates using smart sources 
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. while the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: I93cb6463ca1eb93ab7f4e7a3970a7de829efaf66
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-01-09 18:30:07 -06:00

510 lines
20 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
keystone_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable'])) }}"
# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
keystone_package_state: "latest"
keystone_pip_package_state: "latest"
# Set installation method.
keystone_install_method: "source"
# Role standard API override this option in the OS variable files
keystone_shibboleth_repo: {}
# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
keystone_git_repo: https://git.openstack.org/openstack/keystone
keystone_git_install_branch: master
keystone_developer_mode: false
keystone_developer_constraints:
- "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"
# TODO(odyssey4me):
# This can be simplified once all the roles are using
# python_venv_build. We can then switch to using a
# set of constraints in pip.conf inside the venv,
# perhaps prepared by giving a giving a list of
# constraints to the role.
keystone_pip_install_args: >-
{{ keystone_developer_mode | ternary(pip_install_developer_constraints | default('--constraint /opt/developer-pip-constraints.txt'), '') }}
{{ (pip_install_upper_constraints is defined) | ternary('--constraint ' + pip_install_upper_constraints | default(''), '') }}
{{ pip_install_options | default('') }}
# Name of the virtual env to deploy into
keystone_venv_tag: "{{ venv_tag | default('untagged') }}"
keystone_bin: "{{ _keystone_bin }}"
# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
keystone_venv_download: "{{ not keystone_developer_mode | bool }}"
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
keystone_fatal_deprecations: False
## System info
keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
- ssl_cert
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
## Drivers
keystone_auth_methods: "password,token"
keystone_identity_driver: sql
keystone_token_provider: fernet
keystone_token_expiration: 43200
keystone_token_cache_time: 3600
# Set the revocation driver used within keystone.
keystone_revocation_driver: sql
keystone_revocation_cache_time: 3600
keystone_revocation_expiration_buffer: 1800
## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 7
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
## Credentials config vars
keystone_credential_key_repository: /etc/keystone/credential-keys
# Any of the following rotation times are valid:
# reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_credential_rotation: weekly
keystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh
keystone_assignment_driver: sql
keystone_resource_cache_time: 3600
keystone_resource_driver: sql
keystone_bind_address: 0.0.0.0
## Database info
keystone_db_setup_host: "{{ ('galera_all' in groups) | ternary(groups['galera_all'][0], 'localhost') }}"
keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}"
keystone_galera_user: keystone
keystone_galera_database: keystone
keystone_galera_port: 3306
keystone_database_connection_string: >-
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{keystone_galera_port}}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}
## Database SSL
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
# Database tuning
keystone_database_enabled: true
keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30
## Oslo Messaging
keystone_messaging_enabled: true
# RPC
keystone_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
keystone_oslomsg_rpc_setup_host: "{{ (keystone_oslomsg_rpc_host_group in groups) | ternary(groups[keystone_oslomsg_rpc_host_group][0], 'localhost') }}"
keystone_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
keystone_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
keystone_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
keystone_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
keystone_oslomsg_rpc_userid: keystone
keystone_oslomsg_rpc_vhost: /keystone
# Notify
keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
keystone_oslomsg_notify_setup_host: "{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}"
keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
keystone_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
keystone_oslomsg_notify_userid: "{{ keystone_oslomsg_rpc_userid }}"
keystone_oslomsg_notify_password: "{{ keystone_oslomsg_rpc_password }}"
keystone_oslomsg_notify_vhost: "{{ keystone_oslomsg_rpc_vhost }}"
## (Qdrouterd) info
# TODO(ansmith): Change structure when more backends will be supported
keystone_oslomsg_amqp1_enabled: "{{ keystone_oslomsg_rpc_transport == 'amqp' }}"
## Role info
keystone_role_name: admin
keystone_default_role_name: _member_
## Admin info
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant
## Service Type and Data
keystone_service_setup: true
keystone_service_region: RegionOne
keystone_service_name: keystone
keystone_service_port: 5000
keystone_service_type: identity
keystone_service_description: "Keystone Identity Service"
keystone_service_tenant_name: service
keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_insecure: false
keystone_service_adminuri_insecure: false
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
# This is the web server that will handle all requests and will act as a
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
# they are implemented in this web server's configuration. Using a web server
# for endpoints is far better for scale and allows the use of additional
# modules to improve performance or security, leaving uWSGI to only have
# to be used for running the service.
#
# Note:
# The default is nginx, but apache will be used if Keystone is configured
# as a Federated Service provider.
# TODO (odyssey4me): Convert the SP implementation to use nginx instead
# so that we do not have to be concerned with multiple web servers.
#
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
## Apache setup
keystone_apache_log_level: info
keystone_apache_custom_log_format: combined
keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off"
## Apache MPM tunables
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0
## Nginx setup
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
keystone_nginx_ports:
keystone-wsgi-public: "{{ keystone_service_port }}"
keystone_nginx_extra_conf:
- keepalive_timeout 70;
## uWSGI setup
keystone_wsgi_threads: 1
## Cap the maximun number of processes when a user value is unspecified.
keystone_wsgi_processes_max: 16
keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
keystone_uwsgi_ports:
keystone-wsgi-public:
http: 37358
socket: 35358
keystone_uwsgi_ini_overrides: {}
# set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Set these variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: false
# External SSL forwarding proto
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
## Caching
# This is a list of strings, each string contains a cache server's
# information (IP:port for example)
# The cache_servers default backend is memcached, so this variable
# should point to a list of memcached servers.
# If empty, caching is disabled.
keystone_cache_servers: []
## LDAP Section
# Define Keystone LDAP domain configuration here.
# This may be used to add configuration for a LDAP identity back-end.
# See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
#
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
# the ldap section in the domain-specific configuration file.
#
# (EXAMPLE LAYOUT)
# keystone_ldap:
# Users:
# url: "ldap://127.0.0.1"
# user: "root"
# password: "secrete"
# ...
keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
# Otherwise keys will be generated on the first run and not regenerated each run.
keystone_recreate_keys: False
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
# identity:create_region: "rule:admin_required"
# identity:update_region: "rule:admin_required"
## Federation
# Enable the following section on the Keystone IdP
keystone_idp: {}
#keystone_idp:
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
# regen_cert: false
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
# service_providers:
# - id: "sp_1"
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
# # the following settings are optional
# organization_name: example_company
# organization_display_name: Example Corp.
# organization_url: example.com
# contact_company: example_company
# contact_name: John
# contact_surname: Smith
# contact_email: jsmith@example.com
# contact_telephone: 555-55-5555
# contact_type: technical
# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
keystone_sp: {}
#keystone_sp:
# cert_duration_years: 5
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
# trusted_idp_list:
# note that only one of these is supported at any one time for now
# - name: "keystone-idp"
# entity_ids:
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
# metadata_file: 'metadata-keystone-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: keystone-idp-mapping
# rules:
# - remote:
# - type: openstack_user
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# attributes:
# - name: openstack_user
# id: openstack_user
# - name: openstack_roles
# id: openstack_roles
# - name: openstack_project
# id: openstack_project
# - name: openstack_user_domain
# id: openstack_user_domain
# - name: openstack_project_domain
# id: openstack_project_domain
#
# - name: 'testshib-idp'
# entity_ids:
# - 'https://idp.testshib.org/idp/shibboleth'
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
# metadata_file: 'metadata-testshib-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: testshib-idp-mapping
# rules:
# - remote:
# - type: eppn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
#
# - name: 'adfs-idp'
# entity_ids:
# - 'http://adfs.contoso.com/adfs/services/trust'
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
# metadata_file: 'metadata-adfs-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: Default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: adfs-idp-mapping
# rules:
# - remote:
# - type: upn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
keystone_service_in_ldap: false
# Keystone notification settings
keystone_ceilometer_enabled: false
# Common pip packages
keystone_pip_packages:
- keystone
- ldappool
- osprofiler
- PyMySQL
- python-memcached
- python-openstackclient
- systemd-python
- uWSGI
- pyngus
# optional pip packages
keystone_optional_oslomsg_amqp1_pip_packages:
- oslo.messaging[amqp1]
# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
keystone_role_project_group: keystone_all
# NOTE(cloudnull): Tunable SSO callback file file-based overrides If defined,
# it'll be read from the deployment host, interpreted by the
# template engine and copied to the target host.
# keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
#: Tunable var-based overrides
# The contents of these are templated over the default files.
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_policy_overrides: {}
keystone_required_secrets:
- keystone_auth_admin_password
- keystone_container_mysql_password
- keystone_oslomsg_rpc_password
- keystone_oslomsg_notify_password
- keystone_rabbitmq_password
keystone_uwsgi_init_overrides: {}
## Service Name-Group Mapping
keystone_services:
keystone-wsgi-public:
service_name: "keystone-wsgi-public"
init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-public.ini"
## Extra HTTP headers for Keystone
# Add any additional headers here that Keystone should return.
#
# Example:
#
# keystone_extra_headers:
# - parameter: "Access-Control-Expose-Headers"
# value: "X-Subject-Token"
# - parameter: "Access-Control-Allow-Headers"
# value: "Content-Type, X-Auth-Token"
# - parameter: "Access-Control-Allow-Origin"
# value: "*"
keystone_extra_headers: []
# List of trusted IPs which can pass X-Forwarded-For
keystone_set_real_ip_from: []
# Toggle whether memcache should be flushed when doing
# database migrations. This is sometimes useful when
# doing upgrades, but should not usually be required.
# ref: https://bugs.launchpad.net/openstack-ansible/+bug/1793389
keystone_flush_memcache: no
View Git Blame Copy Permalink