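# ansible-role-openstack-keystone — repository listing

```
.
├── tests
│   ├── inventory
│   ├── centos-7-test.yml
│   ├── test.yml
│   ├── ansible.cfg
│   └── Dockerfile.centos-7
├── vars
│   ├── main.yml
│   └── RedHat.yml
├── handlers
│   └── main.yml
├── tasks
│   ├── keystone_install_RedHat.yml
│   ├── keystone_post_install.yml
│   ├── keystone_db_setup.yml
│   ├── keystone_configure.yml
│   ├── keystone_fernet.yml
│   ├── main.yml
│   ├── keystone_apache.yml
│   └── keystone_service_setup.yml
├── meta
│   └── main.yml
├── README.md
├── defaults
│   └── main.yml
├── templates
│   └── wsgi-keystone.conf.j2
├── .travis.yml
└── .vscode
    └── launch.json
```

## tests/inventory

```
localhost
```

## vars/main.yml

```yaml
---
# vars file for ansible-role-openstack-keystone
```

## tests/centos-7-test.yml

```yaml
---
# test file

- hosts: localhost
  roles:
    - role_under_test
```

## tests/test.yml

```yaml
---
# test file

- hosts: all
  remote_user: root
  roles:
    - ansible-role-openstack-keystone
```

## tests/ansible.cfg

```ini
[defaults]
roles_path = ../../
# Test-only setting for the disposable CI container. Without host key checking
# an SSH target is never authenticated, so this must not be copied into a
# production ansible.cfg.
host_key_checking = False
ansible_managed = Ansible managed: modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
```

## handlers/main.yml

```yaml
---
# handlers file for ansible-role-openstack-keystone

# keystone_system_service_name is httpd on RedHat (vars/RedHat.yml): Keystone is
# served by Apache/mod_wsgi, so "restart openstack-keystone" restarts httpd.
- name: restart openstack-keystone
  service:
    name: "{{ keystone_system_service_name }}"
    state: restarted
```

## tasks/keystone_install_RedHat.yml

```yaml
---
# tasks file for keystone install on RedHat

# keystone_packages comes from vars/RedHat.yml (openstack-keystone, httpd,
# mod_wsgi). The `openstack` CLI used by keystone_service_setup.yml is NOT in
# that list and has to be provided by the playbook.
- name: Install OpenStack keystone packages.
  yum:
    name: "{{ item }}"
    state: installed
  with_items: "{{ keystone_packages }}"
```

## tasks/keystone_post_install.yml

```yaml
---
# tasks file for openstack-keystone post install

- name: Ensure openstack-keystone services is started and enabled at boot.
  service:
    name: "{{ keystone_system_service_name }}"
    state: started
    enabled: yes
```

## tasks/keystone_db_setup.yml

```yaml
---
# tasks file for keystone DB Setup

# Runs the schema migration once per play as the keystone system user.
# A failed db_sync leaves Keystone unusable, so the task is allowed to fail the
# play; the previous `ignore_errors: True` hid the failure until the
# `openstack` calls in keystone_service_setup.yml broke with a less useful error.
- name: DB sync for keystone.
  command: >
    keystone-manage db_sync
  become: yes
  become_user: "{{ keystone_system_user_name }}"
  run_once: True
```

## tasks/keystone_configure.yml

```yaml
---
# tasks file for openstack-keystone configure

# Writes every entry of keystone_config (defaults/main.yml) into keystone.conf.
# ini_file is idempotent and needs no shell; the previous
# `shell: openstack-config --set ...` reported "changed" on every run and
# depended on the openstack-utils package being present.
# no_log: the values include the database password and the admin token
# (see defaults/main.yml) and must not be echoed into the task output.
- name: Configure keystone.
  ini_file:
    dest: "{{ keystone_config_location }}"
    section: "{{ item.section }}"
    option: "{{ item.param }}"
    value: "{{ item.value }}"
  with_items: "{{ keystone_config }}"
  no_log: true
  notify:
    - restart openstack-keystone
```

## tasks/keystone_fernet.yml

```yaml
---
# Task file for fernet

# NOTE(review): run_once creates the fernet key repository on one host only.
# With more than one keystone host the repository would still have to be
# distributed to the others; that is not handled by this role.
- name: Create fernet keys for Keystone.
  command: >
    keystone-manage fernet_setup
    --keystone-user "{{ keystone_system_user_name }}"
    --keystone-group "{{ keystone_system_group_name }}"
  run_once: True
```

## meta/main.yml

```yaml
galaxy_info:
  author: z
  description: Installs and configures openstack keystone.
  company:
  license: license (BSD, MIT)
  min_ansible_version: 1.9
  platforms:
    - name: EL
      versions:
        - 7
  galaxy_tags:
    - cloud
    - keystone
    - openstack
dependencies: []
```

## vars/RedHat.yml

```yaml
---
# vars file for Redhat

keystone_packages:
  - openstack-keystone
  - httpd
  - mod_wsgi

# Keystone runs under Apache/mod_wsgi (templates/wsgi-keystone.conf.j2), so the
# service managed by the handlers and post-install task is httpd, not the
# standalone openstack-keystone service.
#keystone_system_service_name: openstack-keystone
keystone_system_service_name: httpd
keystone_config_location: /etc/keystone/keystone.conf
keystone_wsgi_config_location: /etc/httpd/conf.d/wsgi-keystone.conf
```

## tasks/main.yml

```yaml
---
# tasks file for ansible-role-openstack-keystone

# Variable setup.
- name: Include OS-specific variables.
  include_vars: "{{ ansible_os_family }}.yml"

# Setup/Install tasks.
- include: keystone_install_RedHat.yml
  when: ansible_os_family == 'RedHat'

# Configure tasks.
- include: keystone_configure.yml

# DB task
- include: keystone_db_setup.yml

- include: keystone_fernet.yml

- include: keystone_apache.yml

- include: keystone_post_install.yml

# Service/endpoint/user registration talks to the API and only needs to run
# on one host per play.
- include: keystone_service_setup.yml
  run_once: True
```

## tasks/keystone_apache.yml

```yaml
---
# tasks file for keystone apache configure

# Bind Apache to the management address only. mgmt_ip has no default in this
# role and must be supplied by the playbook.
- name: Configure httpd Listen Port.
  lineinfile:
    dest: /etc/httpd/conf/httpd.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - { regexp: "^#?Listen", line: "Listen {{ mgmt_ip }}:80" }

# regexp makes this replace the stock (commented) ServerName line instead of
# appending a second ServerName whenever the hostname changes.
- name: Ensure Apache ServerName.
  lineinfile:
    dest: "/etc/httpd/conf/httpd.conf"
    regexp: "^#?ServerName "
    line: "ServerName {{ ansible_hostname }}"

- name: Copy the configuration file for keystone wsgi.
  template:
    src: wsgi-keystone.conf.j2
    dest: "{{ keystone_wsgi_config_location }}"
  notify:
    - restart openstack-keystone
```

## README.md

```markdown
# Ansible Role: openstack-keystone

[![Build Status](https://travis-ci.org/devops/ansible-role-openstack-keystone.svg?branch=master)](https://travis-ci.org/devops/ansible-role-openstack-keystone)

Ansible role that installs and configures openstack keystone.

## Requirements

The `openstack` command-line client must be available on the target host for
the service-setup tasks (`tasks/keystone_service_setup.yml`); the role itself
only installs `openstack-keystone`, `httpd` and `mod_wsgi`.

## Role Variables

### `defaults/main.yml`

- `keystone_system_user_name`, `keystone_system_group_name` (`keystone`): system
  account that `keystone-manage` runs as.
- `keystone_service_name`, `keystone_service_region`, `keystone_service_type`,
  `keystone_service_description`: the service-catalog entry created for Keystone.
- `keystone_service_admin_url`, `keystone_service_internal_url`,
  `keystone_service_public_url`: endpoint URLs, built from `openstack_admin_vip`,
  `openstack_internal_vip` and `openstack_public_vip`.
- `keystone_db_host` (`{{ openstack_db_host }}`), `keystone_db_name`,
  `keystone_db_user`, `keystone_db_password`, `keystone_db_priv`: database
  connection. The default password is a placeholder; set your own (for example
  from an ansible-vault file) in every deployment.
- `keystone_token_provider` (`fernet`).
- `keystone_config`: list of `section`/`param`/`value` entries written to
  `keystone.conf` by `tasks/keystone_configure.yml`.

Variables referenced by the role that have **no default** and must be set by the
playbook or inventory: `openstack_keystone_admin_token`, `openstack_db_host`,
`openstack_controller_host`, `openstack_admin_vip`, `openstack_internal_vip`,
`openstack_public_vip`, `openstack_admin_user`, `openstack_admin_password`,
`token_auth_env` (environment for the `openstack` client) and `mgmt_ip`
(address Apache listens on).

### `vars/RedHat.yml`

- `keystone_packages`: `openstack-keystone`, `httpd`, `mod_wsgi`.
- `keystone_system_service_name` (`httpd`): Keystone is served through
  Apache/mod_wsgi, so this is the service that is started and restarted.
- `keystone_config_location` (`/etc/keystone/keystone.conf`).
- `keystone_wsgi_config_location` (`/etc/httpd/conf.d/wsgi-keystone.conf`).

## Dependencies

None.

## Example Playbook

1) Install openstack-keystone and use the default settings.

    - hosts: all
      roles:
        - ansible-role-openstack-keystone


## License

MIT / BSD

## Author Information

z.
```

## tests/Dockerfile.centos-7

```dockerfile
FROM centos:7

# Install systemd -- See https://hub.docker.com/_/centos/
RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs
RUN yum -y update; yum clean all; \
    (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    rm -f /lib/systemd/system/multi-user.target.wants/*; \
    rm -f /etc/systemd/system/*.wants/*; \
    rm -f /lib/systemd/system/local-fs.target.wants/*; \
    rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -f /lib/systemd/system/basic.target.wants/*; \
    rm -f /lib/systemd/system/anaconda.target.wants/*;

# Install Ansible
RUN yum -y install epel-release
RUN yum -y install git ansible sudo iproute
RUN yum clean all

# Install Ansible inventory file
RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts

VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]
```

## defaults/main.yml

```yaml
---
# defaults file for ansible-role-openstack-keystone

## openstack public config
# Expected from the playbook / inventory; no default is provided here.
# openstack_keystone_admin_token: ""
# openstack_db_host: ""
# openstack_memcached_servers: ""
# openstack_controller_host: ""
#
# Also referenced by the role without a default: openstack_admin_vip,
# openstack_internal_vip, openstack_public_vip (URLs below), openstack_admin_user,
# openstack_admin_password, token_auth_env (tasks/keystone_service_setup.yml)
# and mgmt_ip (tasks/keystone_apache.yml, templates/wsgi-keystone.conf.j2).

# System info

keystone_system_user_name: keystone
keystone_system_group_name: keystone

# keystone service
keystone_service_name: keystone
keystone_service_region: RegionOne
keystone_service_type: identity
keystone_service_description: "OpenStack Identity"
keystone_service_admin_url: "http://{{ openstack_admin_vip }}:35357/v2.0"
keystone_service_internal_url: "http://{{ openstack_internal_vip }}:5000/v2.0"
keystone_service_public_url: "http://{{ openstack_public_vip }}:5000/v2.0"

# keystone db
keystone_db_host: "{{ openstack_db_host }}"
keystone_db_name: "keystone"
keystone_db_user: "keystone"
# Placeholder only. Override it in every deployment (e.g. from an ansible-vault
# file); it is embedded in the [database] connection URL below.
keystone_db_password: "keystone"
keystone_db_priv: "{{ keystone_db_name }}.*:ALL"

# keystone config
keystone_token_provider: "fernet"

# Each entry is written to keystone_config_location by
# tasks/keystone_configure.yml. admin_token is a bootstrap credential with
# full administrative rights; it should be disabled once the admin user created
# in tasks/keystone_service_setup.yml exists.
keystone_config:
  - { section: "DEFAULT", param: "admin_token", value: "{{ openstack_keystone_admin_token }}" }
  - { section: "database", param: "connection", value: "mysql+pymysql://{{ keystone_db_user }}:{{ keystone_db_password }}@{{ keystone_db_host }}/{{ keystone_db_name }}" }
  - { section: "token", param: "provider", value: "{{ keystone_token_provider }}" }
```

## templates/wsgi-keystone.conf.j2

```apache
Listen {{ mgmt_ip }}:5000
Listen {{ mgmt_ip }}:35357

# NOTE(review): the Apache container directives (<VirtualHost>, <IfVersion>,
# <Directory>) were lost when this listing was extracted. They are restored here
# from the surrounding directives and must be checked against the committed
# template before use.
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
```

## .travis.yml

```yaml
---
env:
  - distribution: centos
    version: 7
    init: /usr/lib/systemd/systemd
    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
    playbook: centos-7-test.yml

services:
  - docker

before_install:
  # Pull container
  - 'sudo docker pull ${distribution}:${version}'

  # Customize container
  - 'sudo docker build --rm=true --file=tests/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible tests'

script:
  - container_id=$(mktemp)

  # Run container in detached state
  - 'sudo docker run --detach --volume="${PWD}":/etc/ansible/roles/role_under_test:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"'

  # Ansible syntax check.
  - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/role_under_test/tests/${playbook} --syntax-check'

  # Test role.
  - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/role_under_test/tests/${playbook}'

  # Test role idempotence.
  - >
    sudo docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/role_under_test/tests/${playbook}
    | grep -q 'changed=0.*failed=0'
    && (echo 'Idempotence test: pass' && exit 0)
    || (echo 'Idempotence test: fail' && exit 1)

  # Some debugging (show all the logs).
  - sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ss -ntlup || true

  # Clean up
  - sudo docker stop "$(cat ${container_id})"

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
```

## tasks/keystone_service_setup.yml

```yaml
---
# tasks file for openstack-keystone service setup

# Every `openstack` call below authenticates through token_auth_env, which the
# playbook must supply, and needs the openstack CLI on the target host
# (keystone_packages does not install it).
- name: Wait for keystone service to come up.
  wait_for:
    host: "{{ openstack_controller_host }}"
    port: 35357
    delay: 10
    timeout: 30

# Service names are not unique in the catalog, so look before creating;
# otherwise every run adds another "keystone" service entity.
- name: "Check if the {{ keystone_service_name }} service entity exists"
  shell: "openstack service show {{ keystone_service_name }}"
  register: check_service_result
  environment:
    - "{{ token_auth_env }}"
  changed_when: false
  failed_when: false

- name: Create the service entity for keystone.
  shell: |
    openstack service create --name "{{ keystone_service_name }}" --description "{{ keystone_service_description }}" "{{ keystone_service_type }}"
  environment:
    - "{{ token_auth_env }}"
  when: check_service_result.rc != 0

# Create the API endpoint for keystone.
- name: "Check if API endpoint exists for service {{ keystone_service_type }}"
  shell: "openstack endpoint list --service {{ keystone_service_type }}"
  register: check_endpoint_result
  environment:
    - "{{ token_auth_env }}"
  changed_when: false
  failed_when: false

# The previous condition (`rc == 0`) created the endpoints on every run in
# which the listing merely succeeded. Create them only when the public URL is
# not already listed; skip entirely if the listing failed.
- name: "Specify API endpoints for {{ keystone_service_type }} service"
  when: check_endpoint_result.rc == 0 and keystone_service_public_url not in check_endpoint_result.stdout
  shell: |
    openstack endpoint create --region {{ keystone_service_region }} {{ keystone_service_type }} public {{ keystone_service_public_url }}
    openstack endpoint create --region {{ keystone_service_region }} {{ keystone_service_type }} internal {{ keystone_service_internal_url }}
    openstack endpoint create --region {{ keystone_service_region }} {{ keystone_service_type }} admin {{ keystone_service_admin_url }}
  environment:
    - "{{ token_auth_env }}"

# Create projects, users, and roles
# no_log: openstack_admin_password is passed on the command line and would
# otherwise appear in the task output. NOTE(review): there is no existence
# check here, so a re-run attempts to create the domain, project, user and role
# again; remove no_log temporarily if one of these lines needs debugging.
- name: "Create the admin project, user, role"
  shell: |
    openstack domain create --description "Default Domain" default
    openstack project create --domain default --description "Admin Project" admin
    openstack user create --domain default --password "{{ openstack_admin_password }}" "{{ openstack_admin_user }}"
    openstack role create admin
    openstack role add --project admin --user {{ openstack_admin_user }} admin
  environment:
    - "{{ token_auth_env }}"
  no_log: true

- name: "Create the service project"
  shell: |
    openstack project create --domain default --description "Service Project" service
  environment:
    - "{{ token_auth_env }}"

- name: "Create the user role"
  shell: |
    openstack role create user
  environment:
    - "{{ token_auth_env }}"
```

## .vscode/launch.json

```json
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python",
            "type": "python",
            "request": "launch",
            "stopOnEntry": true,
            "pythonPath": "${config.python.pythonPath}",
            "program": "${file}",
            "debugOptions": [
                "WaitOnAbnormalExit",
                "WaitOnNormalExit",
                "RedirectOutput"
            ]
        },
        {
            "name": "Integrated Terminal/Console",
            "type": "python",
            "request": "launch",
            "stopOnEntry": true,
            "pythonPath": "${config.python.pythonPath}",
            "program": "${file}",
            "console": "integratedTerminal",
            "debugOptions": [
                "WaitOnAbnormalExit",
                "WaitOnNormalExit"
            ]
        },
        {
            "name": "External Terminal/Console",
            "type": "python",
            "request": "launch",
            "stopOnEntry": true,
            "pythonPath": "${config.python.pythonPath}",
            "program": "${file}",
            "console": "externalTerminal",
            "debugOptions": [
                "WaitOnAbnormalExit",
                "WaitOnNormalExit"
            ]
        },
        {
            "name": "Django",
            "type": "python",
            "request": "launch",
            "stopOnEntry": true,
            "pythonPath": "${config.python.pythonPath}",
            "program": "${workspaceRoot}/manage.py",
            "args": [
                "runserver",
                "--noreload"
            ],
            "debugOptions": [
                "WaitOnAbnormalExit",
                "WaitOnNormalExit",
                "RedirectOutput",
                "DjangoDebugging"
            ]
        },
        {
            "name": "Flask",
            "type": "python",
            "request": "launch",
            "stopOnEntry": true,
            "pythonPath": "${config.python.pythonPath}",
            "program": "${workspaceRoot}/run.py",
            "args": [],
            "debugOptions": [
                "WaitOnAbnormalExit",
                "WaitOnNormalExit",
                "RedirectOutput"
            ]
        },
        {
            "name": "Watson",
            "type": "python",
            "request": "launch",
            "stopOnEntry": true,
            "pythonPath": "${config.python.pythonPath}",
            "program": "${workspaceRoot}/console.py",
            "args": [
                "dev",
                "runserver",
                "--noreload=True"
            ],
            "debugOptions": [
                "WaitOnAbnormalExit",
                "WaitOnNormalExit",
                "RedirectOutput"
            ]
        },
        {
            "name": "Attach (Remote Debug)",
            "type": "python",
            "request": "attach",
            "localRoot": "${workspaceRoot}",
            "remoteRoot": "${workspaceRoot}",
            "port": 3000,
            "secret": "my_secret",
            "host": "localhost"
        }
    ]
}
```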