111 Commits

Author SHA1 Message Date
Jeffrey Zhang
fc54163319 Use uuid as keystone default token provider
Keystone uses fernet as default provider in its code now. This patch
adds provider=token in keystone.conf file explicitly.

TrivialFix

Change-Id: Id7142ff4f00ee99579ad420573eafefea0f4dcb7
2016-11-11 12:42:47 +08:00
Jenkins
c12020618c Merge "Make number of keystone processes configurable" 2016-11-05 18:07:20 +00:00
Jenkins
dbc881456b Merge "Custom policy files" 2016-11-04 13:42:55 +00:00
Jeffrey Zhang
fa45801946 Move precheck into its own role
* Merge prechecks.yml and site.yml playbook
* Create empty precheck.yml into all roles.

Change-Id: I8a138558a26c0a2a66c5fd48ed37be657c99c1dd
Implements: blueprint condition-pre-check
2016-11-03 14:48:58 +08:00
Eduardo Gonzalez
ef1fd6b8c0 Custom policy files
Allow operators to use their custom policy files.
Avoid maintain policy files in kolla repos, only copying
the files when an operator add their custom config.

Implements: blueprint custom-policies
Change-Id: Icf3c961b87cbc7a1f1dd2ffbfffcf271d151d862
2016-10-28 10:47:05 +01:00
Tomoya Goto
8c8e296ecf Fix fernet related components added to fact var properly.
Previous version of keystone reconfigure fails at adding fernet
components to fact variable "keystone_item".
Ansible can not create fact variable using newly created variable
in a same task.

This patch set split this task into two tasks, first create variable
containing fernet components, then merge it to "keystone_item".

Change-Id: I15571ab20d6104d30350e8b922401b462336fca0
Closes-Bug: #1636047
2016-10-24 15:48:37 +09:00
Jeffrey Zhang
3e89f987c0 Add validate no new line at end of file
TrivialFix

Change-Id: I817aa52caf56b7d54b266e553db6db1ceb38b773
Signed-off-by: Jeffrey Zhang <zhang.lei.fly@gmail.com>
2016-10-19 17:17:06 +00:00
Jeffrey Zhang
e7bdc62d02 Fix keystone upgrade permission issue
Change-Id: I211d9f2dbdd9647ec99e8b43be6332c8ad64114e
Partial-Bug: #1631503
2016-10-14 16:11:40 +08:00
Jenkins
45b0f2cf63 Merge "Remove do_reconfigure.yml file for all roles" 2016-10-13 16:20:30 +00:00
Christian Berendt
bedca5b35e Fix keystone fernet file exchange via ssh
* install openssh client in keystone-fernet container
* install rsync in keystone-ssh container
* fix syntax issue in ssh configuration
* copy ssh configuration into keystone-fernet container
* copy id_rsa.pub into keystone-ssh container
* copy id_rsa into keystone-fernet container
* use full path to ssh binary in used scripts
* add missing newlines at EOF
* when using type source set /var/lib/keystone as home
  directory for the user keystone

Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Change-Id: Id6b41030056a69f6516a054beb2fc0e08226e876
Closes-bug: #1623013
2016-10-12 16:29:34 +00:00
Christian Berendt
801f36ad3c Make number of keystone processes configurable
TrivialFix

Change-Id: I2f0945c444016227a09486d62cec53db51ac1ec9
2016-10-10 14:05:34 +02:00
Narasimha SV
bfd032add4 Add CADF event configurations in Keystone when enabled
By default CADF events added even if they are disbaled in all.yml.
Boolean check is missing is added so that CADF configurations will
be added only if it is enabled.

Change-Id: I757ae176228cc4e74d06ce85b27200bdcdd5dd5c
Closes-Bug: #1607904
2016-10-01 16:33:23 +00:00
zhangyanxian
54f255fe9c Fix typo in start.yml
TrivialFix

Change-Id: I23d74821c7f65cdf20c214f7622f4df0d3c0e172
2016-09-29 09:03:03 +00:00
Jeffrey Zhang
fa856556d5 Remove do_reconfigure.yml file for all roles
do_reconfigure.yml is introduced to use serial directive. But we use
it in wrong. Now serial has moved to playbook file. So it is time to
remove the do_reconfigure.yml file

Closes-Bug: #1628152
Change-Id: I8d42d27e6bc302a0e575b0353956eaef9b2ca9fd
2016-09-27 15:04:00 +00:00
Christian Berendt
45f696cfe7 Use keystone-paste.ini template for keystone
The use of the admin_token_auth middleware presents a security risk
and was removed from [pipeline:api_v3], [pipeline:admin_api],
and [pipeline:public_api].

Change-Id: I3a3ca2e74c0ae341105d3481f97956c6da473046
Closes-bug: #1587747
2016-09-26 15:04:44 +00:00
Jenkins
aa378bfa3a Merge "fix horizon fernet container" 2016-09-20 12:26:37 +00:00
Kevin Fox
ea0e8546ae Fix Keystone CADF notifications
* use template for transport_url that is working for kolla-kubernetes
* use transport_url parameter in DEFAULT section

Co-authored-by: Christian Berendt <berendt@betacloud-solutions.de>

Change-Id: I800b5bc4c178b5df4f208ee50944e2806fd6a7c1
Closes-bug: #1625352
2016-09-19 22:29:30 +02:00
Jeffrey Zhang
c3f2be5928 fix horizon fernet container
keystone-fernet container need keystone.conf file

TrivialFix

Change-Id: If4a75a4d9e88350963c31190bc09cee4862aa34d
2016-09-20 03:41:27 +08:00
Jenkins
33bdf93453 Merge "Enable CADF events in Keystone and introduce enable_cadf_notifications" 2016-09-19 14:23:14 +00:00
Jeffrey Zhang
897fb08bac Fix reconfiguration issue for Keystone role
Closes-Bug: #1624598
Change-Id: If66d82c782e6c8255b94cb00cdf0893630db596c
2016-09-17 02:37:37 +00:00
Christian Berendt
8f6bd4e735 Enable CADF events in Keystone and introduce enable_cadf_notifications
Change-Id: I0a40867ae65011fbfd53308b9d7f42d10435f5fa
Closes-bug: #1607905
2016-09-16 12:19:53 +00:00
Mick Thompson
4c1482b999 Added serial option to site.yml.
Useful for upgrade etc., which is preferablly done serially.

Example usage: tools/kolla-ansible deploy OR tools/kolla-ansible upgrade

Closes-Bug: #1576708

DocImpact

Change-Id: I34b2e16f8ce53e472a4682a4738c4ac0f5abf00c
2016-09-13 09:26:51 +00:00
Jenkins
5c5ef797b0 Merge "Correct permissions to /etc/keystone/domains" 2016-09-01 15:05:49 +00:00
Shaun Smekel
1c68ae389b Add full support for fernet
This addresses the ansible aspects of fernet key bootstrapping as
well as distributed key rotation.

- Bootstrapping is handled in the same way as keystone bootstrap.
- A new keystone-fernet and keystone-ssh container is created to allow
  the nodes to communicate with each other (taken from nova-ssh).
- The keystone-fernet is a keystone container with crontab installed.
  This will handle key rotations through keystone-manage and trigger
  an rsync to push new tokens to other nodes.
- Key rotation is setup to be balanced across the keystone nodes using
  a round-robbin style. This ensures that any node failures will not
  stop the keys from rotating. This is configured by a desired token
  expiration time which then determines the cron scheduling for each
  node as well as the number of fernet tokens in rotation.
- Ability for recovered node to resync with the cluster. When a node
  starts it will run sanity checks to ensure that its fernet tokens
  are not stale. If they are it will rsync with other nodes to ensure
  its tokens are up to date.

The Docker component is implemented in:
  https://review.openstack.org/#/c/349366

Change-Id: I15052c25a1d1149d364236f10ced2e2346119738
Implements: blueprint keystone-fernet-token
2016-08-25 20:08:22 +10:00
Ken Wronkiewicz
37b3c8c354 Keystone interface address and memcached override
Note: This should not result in any behavior changes in regular Kolla,
just Kolla-Kubernetes and only when you've overridden stuff in globals.yml

Allows override of interface address and memcached pools, so that
Kubernetes can do the right thing.

There are some significant architectural issues involved in
memcached pooling in the Kolla-kubernetes world.  Avoiding them right
now.

Current working Kolla-Kubernetes globals.yml file, assuming that your
memcached servers are available under the DNS alias "memcached":

api_interface_address: "0.0.0.0"

memcached_servers: "memcached"

keystone_database_address: "mariadb"
keystone_admin_url: "{{ admin_protocol }}://keystone-admin:{{ keystone_admin_port }}/v3"
keystone_internal_url: "{{ internal_protocol }}://keystone-public:{{ keystone_public_port }}/v3"
keystone_public_url: "{{ public_protocol }}://keystone-public:{{ keystone_public_port }}/v3"

Co-authored-by: Ryan Hallisey <rhallise@redhat.com>
Change-Id: I5126f81da7b4d48001b87f73d58bbbfad658209c
Partially-implements: blueprint api-interface-bind-address-override
2016-08-11 05:33:56 -04:00
Duong Ha-Quang
34975e291e Port with_ loop variable syntax to Ansbile 2
Migrate to full variable syntax in with_ loop
instead of bare variables for:
- ceph
- ceilometer
- glance
- heat
- horizon
- keystone
- mariadb
- memcached
- neutron
- nova
- rabbitmq

Change-Id: Ib925b4ecea47ac758a77739c9c7e140f06933b08
Partial-Implements: blueprint ansible2
2016-08-09 23:23:21 +07:00
jackning
1c0ba85d54 Replace keystone's wsgi config with custom config
Ansible's template action supports replacing keystone's wsgi default
config with custom config, it should only add with_first_found param
to config.yml to support this.

Change-Id: Id66302802db9a57188067982ea697f16faa1d8eb
Closes-Bug: #1609655
2016-08-04 03:41:40 -04:00
Mathias Ewald
29d9d6616a Correct permissions to /etc/keystone/domains
Set permission for /etc/keystone/domains/ directory to 0700 instead of
0600 which is required for Keystone to be able to list directory
contents.

Change-Id: I7536cc3f0bcbc8aea298ad76713e45cbb93a4b27
Closes-Bug: #1609319
2016-08-03 09:45:43 +00:00
Ken Wronkiewicz
a6d89f44e9 Horizon interface address and memcached override
Note: This should not result in any behavior changes in regular Kolla, just
Kolla-Kubernetes and only when you've overridden stuff in globals.yml

Allows override of interface address and memcached pools, so that Kubernetes
can do the right thing.

There are some significant architectural issues involved in memcached pooling
in the Kolla-kubernetes world.  Avoiding them right now.

Current working with this Kolla-Kubernetes globals.yml file:

api_interface_address: "0.0.0.0"

memcached_servers: "memcached"

keystone_database_address: "mariadb"
keystone_admin_url: "http://keystone-admin:35357/v3"
keystone_internal_url: "http://keystone-public:5000/v3"
keystone_public_url: "http://keystone-public:5000/v3"

Three tings to note:
 * In Kolla-Kubernetes, the service is not using net=host, so a
   0.0.0.0 interface address is totally OK.  That patch has been merged.
 * In Kolla-Kubernetes, the global.yml file doesn't do var substitution
   so you have to be explicit about the URLs, otherwise Keystone will
   look like it was provisioned but it won't quite be provisioned right.
 * In order to not duplicate tons of code, moved the keystone_admin_url /
   keystone_internal_url / keystone_public_url to the common defaults
   from the keystone defaults.

Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
Change-Id: I586ce1c6c3300254c4e2a398ff46645df576aeb0
Partially-implements: blueprint api-interface-bind-address-override
2016-08-02 12:39:22 -04:00
Nenad Radojevic
b6936383da Configurable policy.json for keystone
Copy custom policy.json into keystone container

Change-Id: I58787c3dd7adbeff47d0898c23db95f5919510d3
Closes-Bug: #1604431
2016-07-19 13:53:44 +00:00
Jenkins
d665e01f57 Merge "Support Keystone Domain specific files" 2016-07-18 12:15:52 +00:00
Patrick Powell
51504c3597 Keystones openstack_auth was undefined
Keystones openstack_auth is undefined for Keystones sanity check
closes-bug: #1601808

Change-Id: I445482ce32b924d9220e8c351363b6793558d3b4
2016-07-14 09:40:19 -04:00
Dave Walker (Daviey)
a5e402f1e8 Support Keystone Domain specific files
Currently, it is not possible to make use of Keystone Domain
specific settings. Such as different domains using different
LDAP servers or SQL.

To enable for example domain ACME - domain settings would be
put into:
{{ node_custom_config }}keystone/domains/keystone.ACME.conf

Change-Id: I23620978c618dd4a3598d7cb74c3e9cf8c2394ac
Closes-Bug: #1599868
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
2016-07-14 07:53:41 +00:00
Jenkins
6f17a71d7f Merge "add support for non-default database_port in kolla/ansible" 2016-05-26 09:24:56 +00:00
Ryan Hallisey
2da010a7b9 Make configurable the location where config files are merged
An operator may want to specify the location of custom config
files so that kolla can detect their location and merge
them with the default configs generated.

Partially implements: blueprint multi-project-config

Change-Id: Ibfb38d07a36dfa7fe25381adc34cc1d3cbe7d1e1
2016-05-23 03:23:06 -04:00
Waldemar Znoinski
a2c2eba34f add support for non-default database_port in kolla/ansible
This change makes each step of the kolla deployment aware
of the port database was configured to listen on.
It defaults mariadb_port to database_port.

Change-Id: I8e85d5732015afc0a5481cb33e0b629fdfa84a1b
Closes-Bug: #1576151
DocImpact
2016-05-13 12:12:25 +00:00
Jenkins
1011b7cd24 Merge "map the host localtime to the container" 2016-05-03 19:12:15 +00:00
Jeffrey Zhang
0fcee87549 map the host localtime to the container
Closes-Bug: #1577148
Change-Id: I636cefc63cf532434a41af3898b63dffa711e280
2016-05-03 09:27:51 +08:00
Mauricio Lima
2c34214388 Remove unecessary blank lines
TrivialFix

Change-Id: I1f03d428c380dfdbde5ef33e7ea43cbf5e9154ce
2016-05-02 07:44:29 -04:00
Paul Bourke
e2452906f3 Disable tty for keystone register script
There seems to be a bug regarding the interaction between the Red Hat
based images and docker exec, where output is missed when attaching a
tty. This can be replicated using the following:

$ docker run -d --name test centos /bin/sleep infinity
$ docker exec -t test echo hi

Repeat the second command over and over, "hi" will only be printed out
every couple of runs.

This affects the keystone register task as sometimes it will not print
it's final json result to stdout, causing ansible to fall over with a
difficult to diagnose error (despite the register having run
successfully).

Disabling the tty fixes this for me, it should not be needed in this
case regardless.

Change-Id: Ie7eb7c01c34ee3c59bd843651195fbcb7259d2c8
Closes-Bug: #1572082
2016-04-19 15:59:51 +01:00
Ryan Hallisey
67333e4dd1 Set db connection retry to infinity
Make sure that all the sevices will attempt to
connect to the database an infinite about of times.
If the database ever disappears for some reason we
want the services to try and reconnect more than just
10 times.

Closes-bug: #1505636
Change-Id: I77abbf72ce5bfd68faa451bb9a72bd2544963f4b
2016-04-11 07:22:09 -04:00
Carlos Cesario
493650aa5e Change keystone log dir
Proposed patch to change keystone and heka log dir
from /var/log/kolla/apache2/ to /var/log/kolla/keystone/

Closes-Bug: #1560620
Change-Id: I70c65ceba5a301cc56880313ca86f01bd35676cb
2016-03-28 08:51:35 -03:00
SamYaple
d4535b6dc3 Add memcached_servers to keystone_auth section
The in-process cache for keystone tokens has been deprecated due to
"incosistent results and high memory usage" with the expectation we
switch to memcached_servers if we want to stay performant.

Add memcache_servers [cache] section to the appropriate servers as the
[DEFAULT]\memcache_servers options was deprecated.

TrivialFix
Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a

Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440
2016-03-19 21:53:03 +00:00
SamYaple
1f371e2717 Allow per node configuration with augments
This type of per node configuration is required to support things like
availability zones for nova. As always, if this file doesnt exist it
doesnt get used so this change is safe.

TrivialFix

Change-Id: Iff8172af522c2c96e5f2c173b24a5dfd4d522ed2
2016-03-17 17:18:00 +00:00
Dave McCowan
3daded6242 Add TLS protection on external API endpoints
TLS can be used to encrypt and authenticate the connection with
OpenStack endpoints.  This patch provides the necessary
parameters and changes the resulting service configurations to
enable TLS for the Kolla deployed OpenStack cloud.

The new input parameters are:

kolla_enable_tls_external: "yes" or "no" (default is "no")
kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"

Implements: blueprint kolla-ssl

Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
2016-03-03 14:44:37 -05:00
SamYaple
57124620ab Fix Keystone v3 and Horizon
After our switch to keystone-manage bootstrap Horizon is not happy
due to v3 not being setup correctly. This patch fixes that

This also includes removal of unused variables (transforms them into
endpoint url variables)

TrivialFix
Change-Id: I1e04db8c24049f80e974c063f03068a2ab32a563
2016-03-03 15:44:53 +00:00
Jeffrey Zhang
b694408abc Add kolla_docker action for reconfigure
add three actions used for reconfigure

* restart_container
* get_container_env
* get_container_state

Partially-implements: bp kolla-reconfig

Change-Id: I63609ce47f044926ff276ab1188b10f44270a0b5
2016-03-02 01:35:55 +08:00
SamYaple
4edd0baf8d Remove keystone admin token
Admin token has been deprecated upstream. It will be removed in O. We
switch over to the new `keystone-manage bootstrap` method for creating
the initial admin user, role, and project.

Co-Authored-By: Sam Yaple <sam@yaple.net>
Change-Id: I6ca90e8d4c3b71009e24b049b2efbc08c05ebfbf
2016-03-01 00:14:06 +00:00
Jeffrey Zhang
ac4c3bb69a Run the keystone reconfigure only on keystone group host
Run the keystone reconfigure only when inventory_hostname in
groups['keystone']

Partially-implements: bp kolla-reconfig
Change-Id: I9d4b5f39f2d68cfd2ae087e3f8a2ee4785eb9586
2016-02-29 11:46:15 +08:00
Jenkins
a238fb5d3e Merge "Reconfigure keystone service" 2016-02-28 19:39:46 +00:00