d84043f941
This commit removes the keystone_cache_expiration_time variable, allowing deployers to override using standard config overrides. Additionally, we /temporarily/ disable catalog caching in keystone.conf.j2 to unblock our master gate. Note that this change is necessary as we have been experiencing fairly consistent gate failures in master where the tempest role is unable to upload an image to glance. This causes the tempest run to fail since the expected image is not available. This upstream keystone review [1] introduced a change to add catalog caching, and what we are actually seeing is glance failing to upload the image (or create the necessary directory in swift) as the object-store endpoint is not in the catalog which it gets back from keystone. When this happens we are presumably hitting a stale cache entry which will not expire for 5400 seconds (the old value of keystone_cache_expiration_time). For some additional information (as provided by dolphm), it looks like endpoint updates invalidate portions of the dogpile cache but not all. There is a fix in flight [2] to address this. [1] https://review.openstack.org/#/c/215212/ [2] https://review.openstack.org/#/c/271536/ UpgradeImpact Related-bug: #1537617 Change-Id: I3b2a833a3e96a3b5deac76052eed480ddcb6175d
# {{ ansible_managed }}
[DEFAULT]
# Logging. Both levels come from deployment variables; debug output is
# verbose and can record request details, so keep it off outside of
# troubleshooting.
debug = {{ debug }}
verbose = {{ verbose }}
log_dir = /var/log/keystone
log_file = keystone.log
fatal_deprecations = {{ keystone_fatal_deprecations }}

# Shared-secret bootstrap credential: a request presenting this value is
# treated as an administrator wherever the admin_token_auth middleware is
# still in the paste pipeline. The rendered file therefore holds a secret
# and should be readable by the keystone service account only.
admin_token = {{ keystone_auth_admin_token }}

# public_endpoint is written only when the deployer defines it;
# admin_endpoint is always written.
{% if keystone_public_endpoint is defined %}
public_endpoint = {{ keystone_public_endpoint }}
{% endif %}
admin_endpoint = {{ keystone_service_adminuri }}
member_role_name = {{ keystone_default_role_name }}

# Written only when keystone_ssl is truthy and a header name is supplied.
# Keystone reads this header to learn the original request scheme, so the
# TLS-terminating proxy must overwrite any client-supplied copy of it.
{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
{% endif %}

rpc_backend = {{ keystone_rpc_backend }}
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
[memcache]
# Rendered only for a memcache-backed token driver combined with a
# non-fernet token provider.
# NOTE(review): a stock memcached has no authentication of its own;
# confirm these servers are reachable only from the keystone hosts.
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
servers = {{ keystone_memcached_servers }}
{% endif %}
{% if keystone_cache_backend_argument is defined %}
[cache]
# The whole section is skipped unless keystone_cache_backend_argument is
# defined. No expiration_time is templated here; a non-default cache
# lifetime has to come from a deployer config override.
enabled = true
backend = dogpile.cache.memcached
backend_argument = {{ keystone_cache_backend_argument }}
config_prefix = cache.keystone
distributed_lock = True
{% endif %}
[revoke]
driver = {{ keystone_revocation_driver }}
expiration_buffer = {{ keystone_revocation_expiration_buffer }}
# Revocation lookups are cached.
# NOTE(review): cache_time presumably bounds how long a node can keep
# honouring a token after it was revoked -- keep it short and confirm
# against the keystone release being deployed.
caching = true
cache_time = {{ keystone_revocation_cache_time }}
[auth]
# A service-provider deployment (keystone_sp defined) appends the saml2
# method and maps it to the federation "Mapped" plugin; otherwise only the
# configured methods are enabled.
{% if keystone_sp is defined %}
methods = {{ keystone_auth_methods }},saml2
saml2 = keystone.auth.plugins.mapped.Mapped
{% else %}
methods = {{ keystone_auth_methods }}
{% endif %}
[database]
# The connection URL embeds the database password, so the rendered file
# must not be world-readable.
# NOTE(review): the password is inserted verbatim; characters that are
# special in a URL (such as @ : /) would need percent-encoding -- confirm
# the password generator avoids them.
connection = mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8

# Connection-pool sizing and timeouts, all supplied by deployment variables.
min_pool_size = {{ keystone_database_min_pool_size }}
max_pool_size = {{ keystone_database_max_pool_size }}
pool_timeout = {{ keystone_database_pool_timeout }}
idle_timeout = {{ keystone_database_idle_timeout }}
[fernet_tokens]
# key_repository is the directory holding the keys that encrypt and sign
# fernet tokens; restrict it to the keystone service account.
# max_active_keys caps how many keys the repository keeps during rotation.
max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
key_repository = {{ keystone_fernet_tokens_key_repository }}
[identity]
driver = {{ keystone_identity_driver }}
# Domain-specific drivers are switched on only when keystone_ldap is
# defined and its ldap entry is truthy; the per-domain files are then read
# from domain_config_dir.
# NOTE(review): those per-domain files may carry LDAP bind credentials --
# confirm the directory is restricted to the keystone service account.
{% if keystone_ldap is defined and keystone_ldap.ldap %}
domain_specific_drivers_enabled = True
domain_config_dir = {{ keystone_ldap_domain_config_dir }}
{% endif %}
[assignment]
# Role-assignment backend, chosen through a deployment variable.
driver = {{ keystone_assignment_driver }}
[resource]
driver = {{ keystone_resource_driver }}
# Resource lookups are cached for cache_time.
# NOTE(review): presumably a project or domain change can take up to
# cache_time to become visible on every node -- confirm the value suits
# the deployment.
caching = true
cache_time = {{ keystone_resource_cache_time }}
[token]
# The persistence driver is written only for non-fernet providers.
provider = {{ keystone_token_provider }}
{% if 'fernet' not in keystone_token_provider %}
driver = {{ keystone_token_driver }}
{% endif %}

# Token lifetime (seconds in keystone); a shorter value narrows the window
# in which a leaked token stays usable.
expiration = {{ keystone_token_expiration }}

# permissive: bind information is checked only when the bind type is one
# the server understands, and is ignored otherwise.
enforce_token_bind = permissive

# Token validation results are cached for cache_time.
caching = true
cache_time = {{ keystone_token_cache_time }}
# Catalog caching is /temporarily/ switched off because of [1]. Once
# upstream keystone bug [2] is fixed, this whole [catalog] section can be
# removed.
# [1] https://review.openstack.org/#/c/215212/
# [2] https://review.openstack.org/#/c/271536/
[catalog]
caching = false
{% if keystone_idp is defined %}
[saml]
# Identity-provider settings, rendered only when keystone_idp is defined.
# keyfile points at the private key paired with certfile; keep that key
# readable by the keystone service account only.
# NOTE(review): the five values below are wrapped in double quotes, as in
# the original template -- confirm the consuming parser strips them.
certfile = "{{ keystone_idp.certfile }}"
keyfile = "{{ keystone_idp.keyfile }}"
idp_entity_id = "{{ keystone_idp.idp_entity_id }}"
idp_sso_endpoint = "{{ keystone_idp.idp_sso_endpoint }}"
idp_metadata_path = "{{ keystone_idp.idp_metadata_path }}"

# Optional organization details; each line appears only when the matching
# keystone_idp attribute is defined.
{% if keystone_idp.organization_name is defined %}
idp_organization_name = {{ keystone_idp.organization_name }}
{% endif %}
{% if keystone_idp.organization_display_name is defined %}
idp_organization_display_name = {{ keystone_idp.organization_display_name }}
{% endif %}
{% if keystone_idp.organization_url is defined %}
idp_organization_url = {{ keystone_idp.organization_url }}
{% endif %}

# Optional contact details, handled the same way.
{% if keystone_idp.contact_company is defined %}
idp_contact_company = {{ keystone_idp.contact_company }}
{% endif %}
{% if keystone_idp.contact_name is defined %}
idp_contact_name = {{ keystone_idp.contact_name }}
{% endif %}
{% if keystone_idp.contact_surname is defined %}
idp_contact_surname = {{ keystone_idp.contact_surname }}
{% endif %}
{% if keystone_idp.contact_email is defined %}
idp_contact_email = {{ keystone_idp.contact_email }}
{% endif %}
{% if keystone_idp.contact_telephone is defined %}
idp_contact_telephone = {{ keystone_idp.contact_telephone }}
{% endif %}
{% if keystone_idp.contact_type is defined %}
idp_contact_type = {{ keystone_idp.contact_type }}
{% endif %}
{% endif %}
[eventlet_server]
# Only the admin listener's bind address is templated; no public_bind_host
# is set in this section.
# NOTE(review): the public listener therefore falls back to keystone's
# default bind address -- confirm that default is acceptable on the host.
admin_bind_host = {{ keystone_bind_address }}
admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }}
[oslo_messaging_rabbit]
# Broker location.
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_port = {{ rabbitmq_port }}
rabbit_virtual_host = {{ keystone_rabbitmq_vhost }}

# Broker credentials: rabbit_password is a secret stored in plain text in
# the rendered file. When rabbit_use_ssl is false the connection to the
# broker, including the login, is not protected by TLS.
rabbit_userid = {{ keystone_rabbitmq_userid }}
rabbit_password = {{ keystone_rabbitmq_password }}
rabbit_use_ssl = {{ rabbitmq_use_ssl }}
{% if keystone_sp is defined %}
[federation]
# Service-provider settings, rendered only when keystone_sp is defined.
# remote_id_attribute names the request-environment attribute that carries
# the identity provider's entity ID.
# NOTE(review): that attribute must be set by the web server's
# authentication module, never taken from a client header -- confirm the
# front-end configuration.
remote_id_attribute = Shib-Identity-Provider
# One trusted_dashboard line is written per list entry. Keystone accepts a
# web single sign-on request only when its origin is on this list, so keep
# the entries to dashboards you operate, preferably https URLs.
{% if keystone_sp.trusted_dashboard_list is defined %}
{% for item in keystone_sp.trusted_dashboard_list %}
trusted_dashboard = {{ item }}
{% endfor %}
{% endif %}
{% endif %}