X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;ds=sidebyside;f=docker%2Fservices%2Fkeystone.yaml;h=656f33486e2c937bcb346b1c3d9b28c860f33dae;hb=e52caa7ef0b169d2553e6ea9d03f89839c762b2a;hp=1d25da728e248a0dd1bd0fc5e029c766e3e3645c;hpb=13430798550fc90d47405a3b0f1e7aacc64a452f;p=apex-tripleo-heat-templates.git diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 1d25da72..656f3348 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -30,6 +30,12 @@ parameters: description: The password for the keystone admin account, used for monitoring, querying neutron etc. type: string hidden: true + KeystoneTokenProvider: + description: The keystone token format + type: string + default: 'uuid' + constraints: + - allowed_values: ['uuid', 'fernet'] resources: @@ -40,6 +46,9 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} +conditions: + keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} + outputs: role_data: description: Role data for the Keystone API role. 
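Review bot: `KeystoneTokenProvider` is declared here with its own default of `'uuid'`, and the `keystone_fernet_tokens` condition added in the following hunk reads this template's copy of the value. If the base Keystone template (not visible in this diff) declares the same parameter with a different default, the key files could be marked optional while keystone is configured for fernet, unless the operator sets the parameter explicitly. The description also does not say what selecting `fernet` requires. I would extend it to something like `description: The keystone token format. 'fernet' requires the fernet key files to be present in the keystone config volume.` and add a comment that the default must track the base template's.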
@@ -49,20 +58,21 @@ outputs: map_merge: - get_attr: [KeystoneBase, role_data, config_settings] - apache::default_vhost: false - step_config: + step_config: &step_config list_join: - "\n" - - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }" - {get_attr: [KeystoneBase, role_data, step_config]} service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &keystone_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] - puppet_tags: keystone_config - config_volume: keystone - config_image: *keystone_image + puppet_config: + config_volume: keystone + puppet_tags: keystone_config + step_config: *step_config + config_image: &keystone_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] kolla_config: /var/lib/kolla/config_files/keystone.json: command: /usr/sbin/httpd -DFOREGROUND @@ -79,6 +89,16 @@ outputs: owner: keystone perm: '0600' source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1 + - dest: /etc/keystone/fernet-keys/0 + owner: keystone + perm: '0600' + source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0 + optional: {if: [keystone_fernet_tokens, false, true]} + - dest: /etc/keystone/fernet-keys/1 + owner: keystone + perm: '0600' + source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1 + optional: {if: [keystone_fernet_tokens, false, true]} - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf owner: root perm: '0644' 
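Review bot: The two new `fernet-keys` entries in `kolla_config` copy only key files `0` and `1`, so a key with a higher index in the source directory never reaches the container. Fernet rotation normally promotes the staged key to a new highest index, so after a rotation the container could lack the current primary key and reject tokens issued elsewhere. This is inferred, since the rotation mechanism is not part of this diff. If two keys are a deliberate limit, state it above the entries, e.g. `# Only key files 0 and 1 are copied; higher-numbered keys created by rotation are not.` The `optional: {if: [keystone_fernet_tokens, false, true]}` form also reads inverted at first glance and deserves `# required only when fernet is selected`.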
@@ -109,7 +129,7 @@ outputs: start_order: 0 image: *keystone_image user: root - command: ['/bin/bash', '-c', 'mkdir /var/log/httpd && mkdir /var/log/keystone && chown keystone:keystone /var/log/keystone'] + command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && mkdir -p /var/log/keystone && chown keystone:keystone /var/log/keystone'] volumes: - logs:/var/log keystone_db_sync: @@ -144,10 +164,17 @@ outputs: [ 'keystone', 'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] docker_puppet_tasks: # Keystone endpoint creation occurs only on single node - step_4: - - 'keystone_init_tasks' - - 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain' - - 'include ::tripleo::profile::base::keystone' - - list_join: + step_3: + config_volume: 'keystone_init_tasks' + puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain' + step_config: 'include ::tripleo::profile::base::keystone' + config_image: + list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] + upgrade_tasks: + - name: Stop and disable keystone service (running under httpd) + tags: step2 + service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [KeystoneBase, role_data, metadata_settings]
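Review bot: With `mkdir -p` the init command now succeeds when `/var/log/keystone` already exists in the shared `logs` volume, and the `chown` that follows is not recursive and sets no mode, so ownership and permissions left by an earlier run are accepted as they are. If the keystone uid can differ between image builds (not determinable from this hunk), older log files stay owned by the previous uid. Consider `chown -R keystone:keystone /var/log/keystone` and an explicit `chmod 0750 /var/log/keystone` in the same command.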
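Review bot: The new `upgrade_tasks` entry stops and disables the host's `httpd` unit as a whole (`service: name=httpd state=stopped enabled=no`), not only the keystone vhosts, so any other service still served by that httpd on the node goes down with it. Whether such services exist during the upgrade is not visible here. A comment stating the assumption would help, e.g. `# httpd is stopped host-wide; every httpd-hosted service on this role must be containerized in the same upgrade`. Separately, `config_image` under `step_3` repeats the `list_join` instead of using `*keystone_image`, so a later change to how the image reference is built has to be made in two places.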