87514a5705
Add ssl keystone endpoints. Use the FQDN for keystone everywhere. I added certs for horizon. Also increased the yield of nuke.yml.
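# Build and install a docker image for keystone.
#
# Order of operations: load secrets, create the persistent directories under
# /srv/keystone, install the TLS material, pull the keystone image, install and
# enable the systemd unit, initialise the database, run keystone-manage
# (db_sync / fernet_setup / credential_setup / bootstrap) in a throw-away
# container, restart the service, run the in-image bootstrap script, and finally
# install the openstack CLI on the host for management.
---
- name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets

# Resolve the image and the two host names once; every docker invocation below
# needs them. keystone_external_fqdn has to match the CN/SAN of
# merlin.hpc.rug.nl.crt, otherwise clients validating the https endpoints fail.
- name: resolve image, keystone and database hosts
  set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin:latest
    keystone_db_host: "{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
    keystone_host_fqdn: "{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"

# NOTE(review): 0777 leaves every directory, including fernet-keys/ and certs/,
# world-writable on the host. Presumably chosen so the keystone UID inside the
# container can write fernet keys; once that UID is known the directories
# should be owned by it with mode 0750 — TODO confirm against the image.
- name: Make persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: "0777"
  with_items:
    - /srv
    - /srv/keystone
    - /srv/keystone/fernet-keys
    - /srv/keystone/root
    - /srv/keystone/certs
    - /srv/keystone/shibboleth

# Private key and certificate chain for the https keystone endpoints.
# A bare integer mode (`400`) is read as decimal by YAML/Ansible, i.e. 0620,
# not 0400; the quoted octal string is what was intended.
# no_log keeps the private key out of --diff output and task logs.
- name: install ssl files
  template:
    src: "templates/certs/{{ item }}"
    dest: "/srv/keystone/certs/{{ item }}"
    mode: "0400"
  with_items:
    - merlin.hpc.rug.nl.key
    - merlin.hpc.rug.nl.crt
    - DigiCertCA.crt
  no_log: true

- name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
    force: true
  tags: pull

# Same decimal-vs-octal trap as above: `644` would have produced 01204.
- name: install service file
  template:
    src: templates/keystone.service
    dest: /etc/systemd/system/keystone.service
    mode: "0644"
    owner: root
    group: root

- name: reload systemd units
  systemd:
    daemon_reload: true

# reenable (rather than enable) refreshes the [Install] symlinks after the
# unit template changes.
- name: start service at boot
  command: systemctl reenable keystone.service

# The database host is not always reachable on the first attempt; retry.
# ignore_errors is kept because initialize_db.sh is not visible here and
# presumably fails on re-runs when the database already exists — TODO confirm.
- name: Initialize db
  script: scripts/initialize_db.sh
  environment:
    MYSQL_ROOT_PASSWORD: "{{ secrets['MYSQL_ROOT_PASSWORD'] }}"
    DB_HOST: "{{ keystone_db_host }}"
  register: result
  until: result is succeeded
  retries: 7
  delay: 3
  ignore_errors: true

# keystone-manage runs in a throw-away container on the same fernet-key volume
# the service uses. Transient connection failures are covered by until/retries;
# a real failure (no fernet keys, no admin user) leaves the service unusable
# and must not be ignored. The bootstrap password is part of the docker
# command line, so the task output is suppressed with no_log.
- name: keystone manage commands to setup db_sync
  command: >
    /usr/bin/docker run --rm
    --add-host=mariadb:{{ keystone_db_host }}
    -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
    -e "KEYSTONE_HOST={{ keystone_host_fqdn }}"
    {{ docker_image }} keystone-manage {{ item }}
  with_items:
    - db_sync
    - fernet_setup --keystone-user keystone --keystone-group keystone
    - credential_setup --keystone-user keystone --keystone-group keystone
    - >
      bootstrap --bootstrap-password {{ secrets['OS_PASSWORD'] }}
      --bootstrap-admin-url https://{{ keystone_host_fqdn }}:35357/v3/
      --bootstrap-internal-url https://{{ keystone_host_fqdn }}:35357/v3/
      --bootstrap-public-url https://{{ keystone_host_fqdn }}:5000/v3/
      --bootstrap-region-id RegionOne
  register: result
  until: result is succeeded
  retries: 7
  delay: 3
  no_log: true

- name: make sure service is started
  systemd:
    name: keystone.service
    state: restarted

# OS_AUTH_URL: the command module does not go through a shell, so the previous
# `${KEYSTONE_HOST}` was handed to the container literally (unless
# /etc/bootstrap.sh re-derives it); expand it with Jinja instead.
# /srv/keystone/root is bind-mounted as /root so files the script writes there
# persist on the host. OS_PASSWORD is on the command line, hence no_log.
- name: Create a domain, projects users and roles
  command: >
    /usr/bin/docker run --rm
    --add-host=mariadb:{{ keystone_db_host }}
    -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
    -v /srv/keystone/root:/root
    -e "KEYSTONE_HOST={{ keystone_host_fqdn }}"
    -e "OS_AUTH_URL=https://{{ keystone_host_fqdn }}:35357/v3"
    -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
    {{ docker_image }} bash /etc/bootstrap.sh
  register: result
  until: result is succeeded
  retries: 7
  delay: 3
  no_log: true

# Ubuntu Cloud Archive (Ocata) so the host gets a matching openstack CLI.
# NOTE(review): the key is fetched by its 64-bit long id over hkp; replace
# the id with the full 40-character fingerprint once verified out of band.
- name: install openstack repo key on host
  apt_key:
    keyserver: keyserver.ubuntu.com
    id: "5EDB1B62EC4926EA"
  tags: openstackclient

- name: install openstack repo on host
  apt_repository:
    repo: "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main"
    filename: ocata
  tags: openstackclient

# Unpinned (state: latest): every run may upgrade the client.
- name: install openstack client for management
  apt:
    name: python-openstackclient
    state: latest
    update_cache: true
  tags: openstackclient

# admin-openrc.sh lives in the directory bind-mounted as /root above;
# presumably /etc/bootstrap.sh writes it there — verify against the image.
- name: source admin-openrc.sh in root .bashrc
  lineinfile:
    path: /root/.bashrc
    line: 'source /srv/keystone/root/admin-openrc.sh'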