9653ed70a7
There is no record for why we implement the database creation outside of the role in the playbook, when we could do it inside the role. Implementing it inside the role allows us to reduce the quantity of group_vars duplicated from the role, and allows us to better document the required variables in the role. The delegation can still be done as it is done in the playbook too. In this patch we implement a new variable called 'keystone_db_setup_host' which is used in the role to allow delegation of the database setup task to any host, but defaults to the first member of the galera_all host group. We also document the variable keystone_galera_address which has been used for a long time, but never documented. Change-Id: I2e4ca01a849a907558caec2dc05aa0b7ae009333
500 lines
18 KiB
YAML
500 lines
18 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
|
|
# Set the package install state for distribution and pip packages
|
|
# Options are 'present' and 'latest'
|
|
keystone_package_state: "latest"
|
|
keystone_pip_package_state: "latest"
|
|
|
|
# Set installation method.
|
|
keystone_install_method: "source"
|
|
|
|
# Role standard API override this option in the OS variable files
|
|
keystone_shibboleth_repo: {}
|
|
|
|
# These variables are used in 'developer mode' in order to allow the role
|
|
# to build an environment directly from a git source without the presence
|
|
# of an OpenStack-Ansible repo_server.
|
|
keystone_git_repo: https://git.openstack.org/openstack/keystone
|
|
keystone_git_install_branch: master
|
|
keystone_developer_mode: false
|
|
keystone_developer_constraints:
|
|
- "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"
|
|
|
|
# Name of the virtual env to deploy into
|
|
keystone_venv_tag: untagged
|
|
keystone_bin: "{{ _keystone_bin }}"
|
|
|
|
# venv_download, even when true, will use the fallback method of building the
|
|
# venv from scratch if the venv download fails.
|
|
keystone_venv_download: "{{ not keystone_developer_mode | bool }}"
|
|
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz
|
|
|
|
keystone_fatal_deprecations: False
|
|
|
|
## System info
|
|
keystone_system_user_name: keystone
|
|
keystone_system_group_name: keystone
|
|
keystone_system_additional_groups:
|
|
- ssl_cert
|
|
|
|
keystone_system_shell: /bin/bash
|
|
keystone_system_comment: keystone system user
|
|
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
|
|
|
|
## Drivers
|
|
keystone_auth_methods: "password,token"
|
|
keystone_identity_driver: sql
|
|
keystone_token_provider: fernet
|
|
keystone_token_expiration: 43200
|
|
keystone_token_cache_time: 3600
|
|
|
|
# Set the revocation driver used within keystone.
|
|
keystone_revocation_driver: sql
|
|
keystone_revocation_cache_time: 3600
|
|
keystone_revocation_expiration_buffer: 1800
|
|
|
|
## Fernet config vars
|
|
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
|
|
keystone_fernet_tokens_max_active_keys: 7
|
|
# Any of the following rotation times are valid:
|
|
# reboot, yearly, annually, monthly, weekly, daily, hourly
|
|
keystone_fernet_rotation: daily
|
|
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
|
|
|
|
## Credentials config vars
|
|
keystone_credential_key_repository: /etc/keystone/credential-keys
|
|
# Any of the following rotation times are valid:
|
|
# reboot, yearly, annually, monthly, weekly, daily, hourly
|
|
keystone_credential_rotation: weekly
|
|
keystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh
|
|
|
|
keystone_assignment_driver: sql
|
|
|
|
keystone_resource_cache_time: 3600
|
|
keystone_resource_driver: sql
|
|
|
|
keystone_bind_address: 0.0.0.0
|
|
|
|
## Database info
|
|
keystone_db_setup_host: "{{ ('galera_all' in groups) | ternary(groups['galera_all'][0], 'localhost') }}"
|
|
keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}"
|
|
keystone_galera_user: keystone
|
|
keystone_galera_database: keystone
|
|
keystone_database_connection_string: >-
|
|
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}
|
|
## Database SSL
|
|
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
|
|
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
|
|
# Database tuning
|
|
keystone_database_enabled: true
|
|
keystone_database_idle_timeout: 200
|
|
keystone_database_min_pool_size: 5
|
|
keystone_database_max_pool_size: 120
|
|
keystone_database_pool_timeout: 30
|
|
|
|
## Oslo Messaging
|
|
keystone_messaging_enabled: true
|
|
|
|
# RPC
|
|
keystone_oslomsg_rpc_transport: rabbit
|
|
keystone_oslomsg_rpc_servers: 127.0.0.1
|
|
keystone_oslomsg_rpc_port: 5672
|
|
keystone_oslomsg_rpc_use_ssl: False
|
|
keystone_oslomsg_rpc_userid: keystone
|
|
keystone_oslomsg_rpc_vhost: /keystone
|
|
|
|
# Notify
|
|
keystone_oslomsg_notify_transport: rabbit
|
|
keystone_oslomsg_notify_servers: 127.0.0.1
|
|
keystone_oslomsg_notify_port: 5672
|
|
keystone_oslomsg_notify_use_ssl: False
|
|
keystone_oslomsg_notify_userid: keystone
|
|
keystone_oslomsg_notify_vhost: /keystone
|
|
|
|
## Role info
|
|
keystone_role_name: admin
|
|
keystone_default_role_name: _member_
|
|
|
|
## Admin info
|
|
keystone_admin_port: 35357
|
|
keystone_admin_user_name: admin
|
|
keystone_admin_tenant_name: admin
|
|
keystone_admin_description: Admin Tenant
|
|
|
|
## Service Type and Data
|
|
keystone_service_setup: true
|
|
keystone_service_region: RegionOne
|
|
keystone_service_name: keystone
|
|
keystone_service_port: 5000
|
|
keystone_service_type: identity
|
|
keystone_service_description: "Keystone Identity Service"
|
|
keystone_service_user_name: keystone
|
|
keystone_service_tenant_name: service
|
|
|
|
keystone_service_proto: http
|
|
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
|
|
|
keystone_service_internaluri_insecure: false
|
|
keystone_service_adminuri_insecure: false
|
|
|
|
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
|
|
|
## Set this value to override the "public_endpoint" keystone.conf variable
|
|
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
|
|
|
# This is the web server that will handle all requests and will act as a
|
|
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
|
|
# they are implemented in this web server's configuration. Using a web server
|
|
# for endpoints is far better for scale and allows the use of additional
|
|
# modules to improve performance or security, leaving uWSGI to only have
|
|
# to be used for running the service.
|
|
#
|
|
# Note:
|
|
# The default is nginx, but apache will be used if Keystone is configured
|
|
# as a Federated Service provider.
|
|
# TODO (odyssey4me): Convert the SP implementation to use nginx instead
|
|
# so that we do not have to be concerned with multiple web servers.
|
|
#
|
|
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
|
|
|
|
## Apache setup
|
|
keystone_apache_log_level: info
|
|
keystone_apache_custom_log_format: combined
|
|
keystone_apache_servertokens: "Prod"
|
|
keystone_apache_serversignature: "Off"
|
|
|
|
## Apache MPM tunables
|
|
keystone_httpd_mpm_backend: event
|
|
keystone_httpd_mpm_start_servers: 2
|
|
keystone_httpd_mpm_min_spare_threads: 25
|
|
keystone_httpd_mpm_max_spare_threads: 75
|
|
keystone_httpd_mpm_thread_limit: 64
|
|
keystone_httpd_mpm_thread_child: 25
|
|
keystone_httpd_mpm_max_requests: 150
|
|
keystone_httpd_mpm_max_conn_child: 0
|
|
|
|
## Nginx setup
|
|
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
|
|
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
|
|
keystone_nginx_ports:
|
|
keystone-wsgi-public: "{{ keystone_service_port }}"
|
|
keystone-wsgi-admin: "{{ keystone_admin_port }}"
|
|
keystone_nginx_extra_conf:
|
|
- keepalive_timeout 70;
|
|
|
|
## uWSGI setup
|
|
keystone_wsgi_threads: 1
|
|
## Cap the maximun number of processes when a user value is unspecified.
|
|
keystone_wsgi_processes_max: 16
|
|
keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
|
|
|
|
keystone_uwsgi_ports:
|
|
keystone-wsgi-public:
|
|
http: 37358
|
|
socket: 35358
|
|
keystone-wsgi-admin:
|
|
http: 37359
|
|
socket: 5001
|
|
|
|
keystone_uwsgi_ini_overrides: {}
|
|
|
|
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
|
keystone_ssl: false
|
|
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
|
|
keystone_ssl_key: /etc/ssl/private/keystone.key
|
|
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
|
|
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
|
|
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
|
|
|
# if using a self-signed certificate, set this to true to regenerate it
|
|
keystone_ssl_self_signed_regen: false
|
|
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
|
|
|
# Set these variables to deploy custom certificates
|
|
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
|
|
#keystone_user_ssl_key: <path to cert on ansible deployment host>
|
|
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
|
|
|
# Set to true when terminating SSL/TLS at a load balancer
|
|
keystone_external_ssl: false
|
|
|
|
# External SSL forwarding proto
|
|
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
|
|
|
|
## Caching
|
|
# This is a list of strings, each string contains a cache server's
|
|
# information (IP:port for example)
|
|
# The cache_servers default backend is memcached, so this variable
|
|
# should point to a list of memcached servers.
|
|
# If empty, caching is disabled.
|
|
keystone_cache_servers: []
|
|
|
|
## LDAP Section
|
|
# Define Keystone LDAP domain configuration here.
|
|
# This may be used to add configuration for a LDAP identity back-end.
|
|
# See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
|
|
#
|
|
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
|
|
# the ldap section in the domain-specific configuraiton file.
|
|
#
|
|
# (EXAMPLE LAYOUT)
|
|
# keystone_ldap:
|
|
# Users:
|
|
# url: "ldap://127.0.0.1"
|
|
# user: "root"
|
|
# password: "secrete"
|
|
# ...
|
|
|
|
keystone_ldap: {}
|
|
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
|
|
|
|
|
# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
|
|
# Otherwise keys will be generated on the first run and not regenerated each run.
|
|
keystone_recreate_keys: False
|
|
|
|
## Policy vars
|
|
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
|
# with the access controls in the default policy.json. E.g.
|
|
#keystone_policy_overrides:
|
|
# identity:create_region: "rule:admin_required"
|
|
# identity:update_region: "rule:admin_required"
|
|
|
|
## Federation
|
|
|
|
# Enable the following section on the Keystone IdP
|
|
keystone_idp: {}
|
|
#keystone_idp:
|
|
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
|
|
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
|
|
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
|
|
# regen_cert: false
|
|
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
|
|
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
|
|
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
|
|
# service_providers:
|
|
# - id: "sp_1"
|
|
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
|
|
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
|
|
# # the following settings are optional
|
|
# organization_name: example_company
|
|
# organization_display_name: Example Corp.
|
|
# organization_url: example.com
|
|
# contact_company: example_company
|
|
# contact_name: John
|
|
# contact_surname: Smith
|
|
# contact_email: jsmith@example.com
|
|
# contact_telephone: 555-55-5555
|
|
# contact_type: technical
|
|
|
|
# Enable the following section in order to install and configure
|
|
# Keystone as a Resource Service Provider (SP) and to configure
|
|
# trusts with specific Identity Providers (IdP).
|
|
keystone_sp: {}
|
|
#keystone_sp:
|
|
# cert_duration_years: 5
|
|
# trusted_dashboard_list:
|
|
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
|
# - "https://{{ horizon_server_name }}/auth/websso/"
|
|
# trusted_idp_list:
|
|
# note that only one of these is supported at any one time for now
|
|
# - name: "keystone-idp"
|
|
# entity_ids:
|
|
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
|
|
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
|
|
# metadata_file: 'metadata-keystone-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: keystone-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: openstack_user
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# user:
|
|
# name: '{0}'
|
|
# attributes:
|
|
# - name: openstack_user
|
|
# id: openstack_user
|
|
# - name: openstack_roles
|
|
# id: openstack_roles
|
|
# - name: openstack_project
|
|
# id: openstack_project
|
|
# - name: openstack_user_domain
|
|
# id: openstack_user_domain
|
|
# - name: openstack_project_domain
|
|
# id: openstack_project_domain
|
|
#
|
|
# - name: 'testshib-idp'
|
|
# entity_ids:
|
|
# - 'https://idp.testshib.org/idp/shibboleth'
|
|
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
|
|
# metadata_file: 'metadata-testshib-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: testshib-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: eppn
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# - user:
|
|
# name: '{0}'
|
|
#
|
|
# - name: 'adfs-idp'
|
|
# entity_ids:
|
|
# - 'http://adfs.contoso.com/adfs/services/trust'
|
|
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
|
|
# metadata_file: 'metadata-adfs-idp.xml'
|
|
# metadata_reload: 1800
|
|
# federated_identities:
|
|
# - domain: Default
|
|
# project: fedproject
|
|
# group: fedgroup
|
|
# role: _member_
|
|
# protocols:
|
|
# - name: saml2
|
|
# mapping:
|
|
# name: adfs-idp-mapping
|
|
# rules:
|
|
# - remote:
|
|
# - type: upn
|
|
# local:
|
|
# - group:
|
|
# name: fedgroup
|
|
# domain:
|
|
# name: Default
|
|
# - user:
|
|
# name: '{0}'
|
|
# attributes:
|
|
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
|
# id: upn
|
|
|
|
keystone_service_in_ldap: false
|
|
|
|
# Keystone notification settings
|
|
keystone_ceilometer_enabled: false
|
|
|
|
# Keystone packages that must be installed before anything else
|
|
keystone_requires_pip_packages:
|
|
- virtualenv
|
|
|
|
# Common pip packages
|
|
keystone_pip_packages:
|
|
- keystone
|
|
- ldappool
|
|
- pyldap
|
|
- PyMySQL
|
|
- python-memcached
|
|
- python-openstackclient
|
|
- uWSGI
|
|
|
|
# This variable is used by the repo_build process to determine
|
|
# which host group to check for members of before building the
|
|
# pip packages required by this role. The value is picked up
|
|
# by the py_pkgs lookup.
|
|
keystone_role_project_group: keystone_all
|
|
|
|
#: Tunable file-based overrides
|
|
# The contents of these files, if they exist, are read from the
|
|
# specified path on the deployment host, interpreted by the
|
|
# template engine and copied to the target host. If they do
|
|
# not exist then the default files will be sourced from the
|
|
# service git repository.
|
|
keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini"
|
|
keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
|
|
keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
|
|
|
|
# If the above-mentioned files do not exist, then the defaults
|
|
# inside the venvs will be used, but cached at this location
|
|
# on the deployment host. Using the cache makes the re-use
|
|
# of the files faster when deploying, but is also required in
|
|
# order to still be able to apply the config_template override.
|
|
keystone_config_cache_path: "{{ lookup('env', 'HOME') | default('/opt', true) }}/cache/keystone"
|
|
keystone_config_cache_path_owner: "{{ lookup('env', 'USER') | default('root', true) }}"
|
|
|
|
#: Tunable var-based overrides
|
|
# The contents of these are templated over the default files.
|
|
keystone_keystone_conf_overrides: {}
|
|
keystone_keystone_default_conf_overrides: {}
|
|
keystone_keystone_paste_ini_overrides: {}
|
|
keystone_policy_overrides: {}
|
|
|
|
keystone_required_secrets:
|
|
- keystone_auth_admin_password
|
|
- keystone_container_mysql_password
|
|
- keystone_oslomsg_rpc_password
|
|
- keystone_oslomsg_notify_password
|
|
- keystone_rabbitmq_password
|
|
- keystone_service_password
|
|
|
|
keystone_uwsgi_init_overrides: {}
|
|
|
|
## Service Name-Group Mapping
|
|
keystone_services:
|
|
keystone-wsgi-public:
|
|
service_name: "keystone-wsgi-public"
|
|
init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
|
|
execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-public.ini"
|
|
keystone-wsgi-admin:
|
|
service_name: "keystone-wsgi-admin"
|
|
init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
|
|
execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-admin.ini"
|
|
|
|
## Extra HTTP headers for Keystone
|
|
# Add any additional headers here that Keystone should return.
|
|
#
|
|
# Example:
|
|
#
|
|
# keystone_extra_headers:
|
|
# - parameter: "Access-Control-Expose-Headers"
|
|
# value: "X-Subject-Token"
|
|
# - parameter: "Access-Control-Allow-Headers"
|
|
# value: "Content-Type, X-Auth-Token"
|
|
# - parameter: "Access-Control-Allow-Origin"
|
|
# value: "*"
|
|
keystone_extra_headers: []
|
|
|
|
# List of trusted IPs which can pass X-Forwarded-For
|
|
keystone_set_real_ip_from: []
|