keystone/containers: Add support for fernet keys
[apex-tripleo-heat-templates.git] / docker / services / keystone.yaml
index e09fd76..3f8baef 100644 (file)
@@ -30,6 +30,12 @@ parameters:
     description: The password for the keystone admin account, used for monitoring, querying neutron etc.
     type: string
     hidden: true
+  KeystoneTokenProvider:
+    description: The keystone token format
+    type: string
+    default: 'uuid'
+    constraints:
+      - allowed_values: ['uuid', 'fernet']
 
 resources:
 
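Review bot: The description of the new `KeystoneTokenProvider` parameter does not tell the deployer what choosing `fernet` implies; later in this change the container config only injects `/etc/keystone/fernet-keys/0` and `/etc/keystone/fernet-keys/1` when the condition is true, and they stop being `optional`, so the key material has to exist in the config source tree before the container starts or startup fails. Suggest `description: The keystone token format ('uuid' or 'fernet'). 'fernet' requires fernet keys to be provided under /etc/keystone/fernet-keys.` Quoting the `default` and the `allowed_values` entries is correct and should be kept.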
@@ -40,6 +46,9 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+  keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -49,20 +58,21 @@ outputs:
         map_merge:
           - get_attr: [KeystoneBase, role_data, config_settings]
           - apache::default_vhost: false
-      step_config:
+      step_config: &step_config
         list_join:
           - "\n"
           - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
             - {get_attr: [KeystoneBase, role_data, step_config]}
       service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
-      docker_image: &keystone_image
-        list_join:
-          - '/'
-          - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ]
-      puppet_tags: keystone_config
-      config_volume: keystone
-      config_image: *keystone_image
+      puppet_config:
+        config_volume: keystone
+        puppet_tags: keystone_config
+        step_config: *step_config
+        config_image: &keystone_image
+          list_join:
+            - '/'
+            - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ]
       kolla_config:
          /var/lib/kolla/config_files/keystone.json:
            command: /usr/sbin/httpd -DFOREGROUND
@@ -79,6 +89,16 @@ outputs:
              owner: keystone
              perm: '0600'
              source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
+           - dest: /etc/keystone/fernet-keys/0
+             owner: keystone
+             perm: '0600'
+             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
+             optional: {if: [keystone_fernet_tokens, false, true]}
+           - dest: /etc/keystone/fernet-keys/1
+             owner: keystone
+             perm: '0600'
+             source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
+             optional: {if: [keystone_fernet_tokens, false, true]}
            - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
              owner: root
              perm: '0644'
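Review bot: Only fernet key indices `0` and `1` are copied into the container, which freezes the key set at the initial pair; fernet key rotation produces higher-numbered keys (the staging key stays at `0` and the primary moves to the highest index), so if the keys in the source tree are ever rotated, tokens issued with a key numbered `2` or above would not be validatable inside the container. Either document this limitation next to the entries (`# NOTE: only the initial fernet key pair is injected; key rotation is not supported by this config yet`) or, if the kolla config-file mechanism supports it, copy the whole `fernet-keys` directory instead of fixed indices. The `owner: keystone` / `perm: '0600'` settings match the existing `credential-keys` entries and are appropriate for signing-key material; whether the `/etc/keystone/fernet-keys` directory itself ends up with restrictive permissions is not visible here and is worth confirming.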
@@ -152,3 +172,7 @@ outputs:
             list_join:
             - '/'
             - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ]
+      upgrade_tasks:
+        - name: Stop and disable keystone service (running under httpd)
+          tags: step2
+          service: name=httpd state=stopped enabled=no
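Review bot: The `service:` line uses the Ansible `key=value` argument string rather than native YAML module arguments, which is the style the rest of the template's structured data follows and what yamllint/ansible-lint expect. Also note that this task stops and disables `httpd` host-wide at `step2`; if other API services on the same host are still served by that httpd instance, they are taken down as well, which the task name does not convey — presumably intended for the container migration, but worth stating in the name or a comment.

```yaml
        - name: Stop and disable keystone service (running under httpd)
          tags: step2
          service:
            name: httpd
            state: stopped
            enabled: false
```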