From afa0ecd1dfedb87fef916597d52f5dca60c3a865 Mon Sep 17 00:00:00 2001
From: Pete Birley <pete@port.direct>
Date: Fri, 13 Jan 2017 00:22:00 +0000
Subject: [PATCH] Keystone Load Complete Configs

This PS loads all the required keystone configuration files into a container for an apache based deployment.

It allows OpenStack-Helm to be image agnostic, meaning operators can use any Apache based Keystone image they want.
---
 keystone/templates/bin/_db-sync.sh.tpl        |  27 +--
 keystone/templates/bin/_init.sh.tpl           |  19 +-
 keystone/templates/bin/_start.sh.tpl          |  16 +-
 keystone/templates/configmap-etc.yaml         |   8 +-
 keystone/templates/deployment.yaml            |  43 +++-
 .../templates/etc/_keystone-paste.ini.tpl     |  97 +++++++++
 keystone/templates/etc/_policy.json.tpl       | 199 ++++++++++++++++++
 .../etc/_sso_callback_template.html.tpl       |  22 ++
 .../templates/etc/_wsgi-keystone.conf.tpl     |  17 +-
 keystone/templates/job-db-sync.yaml           |   8 +-
 keystone/values.yaml                          |   1 -
 11 files changed, 419 insertions(+), 38 deletions(-)
 create mode 100644 keystone/templates/etc/_keystone-paste.ini.tpl
 create mode 100644 keystone/templates/etc/_policy.json.tpl
 create mode 100644 keystone/templates/etc/_sso_callback_template.html.tpl

diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl
index 89c4c5de84..e4f69c7214 100644
--- a/keystone/templates/bin/_db-sync.sh.tpl
+++ b/keystone/templates/bin/_db-sync.sh.tpl
@@ -1,22 +1,13 @@
 #!/bin/bash
 set -ex
 
-# order of kolla_keystone_bootstrap urls
-# for those of looking for a little expanation
-# to a mysterious blackbox
-# 
-# these will feed into the keystone endpoints
-# so it is important they are correct
-#
-# keystone_admin_url
-# keystone_internal_url 
-# keystone_public_url 
-
-keystone-manage db_sync
-kolla_keystone_bootstrap {{ .Values.keystone.admin_user }} {{ .Values.keystone.admin_password }} \
-  {{ .Values.keystone.admin_project_name }} admin \
-  {{ include "endpoint_keystone_admin" . }} \
-  {{ include "endpoint_keystone_internal" . }} \
-  {{ include "endpoint_keystone_internal" . }} \
-  {{ .Values.keystone.admin_region_name }}
+keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
 
+keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
+    --bootstrap-username {{ .Values.keystone.admin_user }} \
+    --bootstrap-password {{ .Values.keystone.admin_password }} \
+    --bootstrap-project-name {{ .Values.keystone.admin_project_name }} \
+    --bootstrap-admin-url {{ include "endpoint_keystone_admin" . }} \
+    --bootstrap-public-url {{ include "endpoint_keystone_internal" . }} \
+    --bootstrap-internal-url {{ include "endpoint_keystone_internal" . }} \
+    --bootstrap-region-id {{ .Values.keystone.admin_region_name }}
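Review bot: The admin password is still expanded into argv at `--bootstrap-password {{ .Values.keystone.admin_password }}`, and because the script runs under `set -ex` (context line at the top of the hunk) the fully expanded command, password included, is echoed to the job's stderr and lands in the pod log, as well as being visible to anything that can list processes in the pod. `keystone-manage bootstrap` also reads `OS_BOOTSTRAP_PASSWORD` from the environment, so the password can be exported with tracing switched off and the flag dropped, as sketched below. The templated values are unquoted, so a password or URL containing whitespace or shell metacharacters would be split into several arguments; quoting each `{{ ... }}` avoids that. Separately, `--bootstrap-public-url` is fed `endpoint_keystone_internal`, as the previous bootstrap was; if that is intentional a one-line comment saying so would stop the next reader from "fixing" it. The rendered script still carries the password as long as it is templated into the bin ConfigMap rather than injected from a Secret, which is outside this hunk.
```shell
keystone-manage --config-file=/etc/keystone/keystone.conf db_sync

# Export the bootstrap password with xtrace off so it is neither echoed to the
# job log nor visible in the process list; keystone-manage reads it from the env.
set +x
export OS_BOOTSTRAP_PASSWORD='{{ .Values.keystone.admin_password }}'
set -x

# … unchanged: --bootstrap-admin-url/--bootstrap-public-url/--bootstrap-internal-url/--bootstrap-region-id follow, each value quoted …
keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
    --bootstrap-username '{{ .Values.keystone.admin_user }}' \
    --bootstrap-project-name '{{ .Values.keystone.admin_project_name }}' \
```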
diff --git a/keystone/templates/bin/_init.sh.tpl b/keystone/templates/bin/_init.sh.tpl
index 0d47c4ba71..f48157a2ce 100644
--- a/keystone/templates/bin/_init.sh.tpl
+++ b/keystone/templates/bin/_init.sh.tpl
@@ -2,5 +2,20 @@
 set -ex
 export HOME=/tmp
 
-ansible localhost -vvv -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_database_name }}'"
-ansible localhost -vvv -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_user }}' password='{{ .Values.database.keystone_password }}' host='%' priv='{{ .Values.database.keystone_database_name }}.*:ALL' append_privs='yes'"
+ansible localhost -vvv \
+  -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' \
+                  login_port='{{ .Values.database.port }}' \
+                  login_user='{{ .Values.database.root_user }}' \
+                  login_password='{{ .Values.database.root_password }}' \
+                  name='{{ .Values.database.keystone_database_name }}'"
+
+ansible localhost -vvv \
+  -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' \
+                    login_port='{{ .Values.database.port }}' \
+                    login_user='{{ .Values.database.root_user }}' \
+                    login_password='{{ .Values.database.root_password }}' \
+                    name='{{ .Values.database.keystone_user }}' \
+                    password='{{ .Values.database.keystone_password }}' \
+                    host='%' \
+                    priv='{{ .Values.database.keystone_database_name }}.*:ALL' \
+                    append_privs='yes'"
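Review bot: Both ansible invocations still run with `-vvv` under `set -ex` (context line at the top of the hunk), so the database root password and the new keystone user's password appear in the init container's log twice: once from the shell trace of the expanded command line and once from ansible's verbose dump of the module arguments. Dropping the verbosity flag, `ansible localhost \`, and wrapping the two calls in `set +x` / `set -x` keeps both credentials out of the log while leaving the module behaviour unchanged. The templated values sit inside single quotes within the `-a` string, so a password containing `'` would break the key=value parsing; that was already the case before this reformat, but it is worth a comment on the line or a follow-up.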
diff --git a/keystone/templates/bin/_start.sh.tpl b/keystone/templates/bin/_start.sh.tpl
index 4bafe63ee4..72529c2f32 100644
--- a/keystone/templates/bin/_start.sh.tpl
+++ b/keystone/templates/bin/_start.sh.tpl
@@ -1,8 +1,10 @@
-#!/bin/bash		
-set -ex		
-		
-# Loading Apache2 ENV variables		
-source /etc/apache2/envvars		
+#!/bin/bash
+set -ex
 
-# start apache with any container arguments
-apache2 -DFOREGROUND $*
+if [ -f /etc/apache2/envvars ]; then
+   # Loading Apache2 ENV variables
+   source /etc/apache2/envvars
+fi
+
+# Start Apache2
+exec apache2 -DFOREGROUND
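Review bot: `exec apache2 -DFOREGROUND` drops the container arguments that the previous `$*` forwarded, and the commit message does not mention that change; if forwarding is still wanted, `exec apache2 -DFOREGROUND "$@"` keeps it while also fixing the unquoted `$*`. The `-f` guard around `source /etc/apache2/envvars` is the right idea for an image-agnostic start script, but a comment such as `# envvars is a Debian-style packaging convention; images without it are fine to start as-is` would record why a missing file is deliberately not an error.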
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index b59534ee98..3ad7dc8293 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -6,6 +6,12 @@ data:
   keystone.conf: |+
 {{ tuple "etc/_keystone.conf.tpl" . | include "template" | indent 4 }}
   mpm_event.conf: |+
-{{ tuple "etc/_mpm_event.conf.tpl" . | include "template" | indent 4 }}  
+{{ tuple "etc/_mpm_event.conf.tpl" . | include "template" | indent 4 }}
   wsgi-keystone.conf: |+
 {{ tuple "etc/_wsgi-keystone.conf.tpl" . | include "template" | indent 4 }}
+  policy.json: |+
+{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
+  keystone-paste.ini: |+
+{{ tuple "etc/_keystone-paste.ini.tpl" . | include "template" | indent 4 }}
+  sso_callback_template.html: |+
+{{ tuple "etc/_sso_callback_template.html.tpl" . | include "template" | indent 4 }}
diff --git a/keystone/templates/deployment.yaml b/keystone/templates/deployment.yaml
index 49917adaed..49b84d0084 100644
--- a/keystone/templates/deployment.yaml
+++ b/keystone/templates/deployment.yaml
@@ -11,14 +11,14 @@ spec:
     rollingUpdate:
       maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
       maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
-    {{ end }}    
+    {{ end }}
   template:
     metadata:
       labels:
         app: keystone-api
       annotations:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
-        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}        
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
         pod.beta.kubernetes.io/init-containers: '[
           {
             "name": "init",
@@ -44,7 +44,7 @@ spec:
               {
                 "name": "COMMAND",
                 "value": "echo done"
-              }              
+              }
             ]
           }
         ]'
@@ -61,26 +61,62 @@ spec:
           ports:
             - containerPort: {{ .Values.network.port.public }}
             - containerPort: {{ .Values.network.port.admin }}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - apachectl
+                  - -k
+                  - graceful-stop
           readinessProbe:
             tcpSocket:
               port: {{ .Values.network.port.public }}
           volumeMounts:
+            - name: pod-etc-keystone
+              mountPath: /etc/keystone
             - name: keystoneconf
               mountPath: /etc/keystone/keystone.conf
               subPath: keystone.conf
+              readOnly: true
+            - name: keystonepaste
+              mountPath: /etc/keystone/keystone-paste.ini
+              subPath: keystone-paste.ini
+              readOnly: true
+            - name: keystonepolicy
+              mountPath: /etc/keystone/policy.json
+              subPath: policy.json
+              readOnly: true
+            - name: keystonessotemplate
+              mountPath: /etc/keystone/sso_callback_template.html
+              subPath: sso_callback_template.html
+              readOnly: true
             - name: wsgikeystone
               mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf
               subPath: wsgi-keystone.conf
+              readOnly: true
             - name: mpmeventconf
               mountPath: /etc/apache2/mods-available/mpm_event.conf
               subPath: mpm_event.conf
+              readOnly: true
             - name: startsh
               mountPath: /tmp/start.sh
               subPath: start.sh
+              readOnly: true
       volumes:
+        - name: pod-etc-keystone
+          emptyDir: {}
         - name: keystoneconf
           configMap:
             name: keystone-etc
+        - name: keystonepaste
+          configMap:
+            name: keystone-etc
+        - name: keystonepolicy
+          configMap:
+            name: keystone-etc
+        - name: keystonessotemplate
+          configMap:
+            name: keystone-etc
         - name: wsgikeystone
           configMap:
             name: keystone-etc
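Review bot: Mounting an `emptyDir` at `/etc/keystone` (the new `pod-etc-keystone` volume) hides whatever the image ships in that directory, so anything keystone reads from there that this chart does not project explicitly — the fernet and credential key repositories are the usual candidates, if the image kept them under `/etc/keystone` — will be absent; worth confirming against the keystone.conf template, which is outside this diff. The volume has no explanation in the manifest; a comment like `# writable parent dir so the read-only ConfigMap subPath mounts below exist on any image` would record the intent, which I am inferring. Marking each projected file `readOnly: true` is the right call. The `preStop` `apachectl -k graceful-stop` hook only helps if the pod's `terminationGracePeriodSeconds` (not visible here) is long enough for in-flight requests to drain before the kubelet sends SIGKILL.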
@@ -90,4 +126,3 @@ spec:
         - name: startsh
           configMap:
             name: keystone-bin
-
diff --git a/keystone/templates/etc/_keystone-paste.ini.tpl b/keystone/templates/etc/_keystone-paste.ini.tpl
new file mode 100644
index 0000000000..0d058ac009
--- /dev/null
+++ b/keystone/templates/etc/_keystone-paste.ini.tpl
@@ -0,0 +1,97 @@
+# Keystone PasteDeploy configuration file.
+
+[filter:debug]
+use = egg:oslo.middleware#debug
+
+[filter:request_id]
+use = egg:oslo.middleware#request_id
+
+[filter:build_auth_context]
+use = egg:keystone#build_auth_context
+
+[filter:token_auth]
+use = egg:keystone#token_auth
+
+[filter:admin_token_auth]
+# This is deprecated in the M release and will be removed in the O release.
+# Use `keystone-manage bootstrap` and remove this from the pipelines below.
+use = egg:keystone#admin_token_auth
+
+[filter:json_body]
+use = egg:keystone#json_body
+
+[filter:cors]
+use = egg:oslo.middleware#cors
+oslo_config_project = keystone
+
+[filter:http_proxy_to_wsgi]
+use = egg:oslo.middleware#http_proxy_to_wsgi
+
+[filter:healthcheck]
+use = egg:oslo.middleware#healthcheck
+
+[filter:ec2_extension]
+use = egg:keystone#ec2_extension
+
+[filter:ec2_extension_v3]
+use = egg:keystone#ec2_extension_v3
+
+[filter:s3_extension]
+use = egg:keystone#s3_extension
+
+[filter:url_normalize]
+use = egg:keystone#url_normalize
+
+[filter:sizelimit]
+use = egg:oslo.middleware#sizelimit
+
+[filter:osprofiler]
+use = egg:osprofiler#osprofiler
+
+[app:public_service]
+use = egg:keystone#public_service
+
+[app:service_v3]
+use = egg:keystone#service_v3
+
+[app:admin_service]
+use = egg:keystone#admin_service
+
+[pipeline:public_api]
+# The last item in this pipeline must be public_service or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
+
+[pipeline:admin_api]
+# The last item in this pipeline must be admin_service or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+
+[pipeline:api_v3]
+# The last item in this pipeline must be service_v3 or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+
+[app:public_version_service]
+use = egg:keystone#public_version_service
+
+[app:admin_version_service]
+use = egg:keystone#admin_version_service
+
+[pipeline:public_version_api]
+pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
+
+[pipeline:admin_version_api]
+pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+/v3 = api_v3
+/ = public_version_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
+/v3 = api_v3
+/ = admin_version_api
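Review bot: The `[filter:admin_token_auth]` section is defined but, correctly, appears in none of the pipelines below; since its own comment says to remove it once `keystone-manage bootstrap` is used, and `_db-sync.sh.tpl` in this same patch does exactly that, the section can be deleted so that nobody reintroduces the shared-secret admin token path by appending it to a pipeline. `[filter:debug]` is likewise defined and unused; if it stays, a comment such as `# Not in any pipeline: oslo.middleware debug echoes request headers and response bodies to the log, never enable in production` makes the risk explicit for the next editor. Because this file freezes one upstream release's middleware set into the chart while the commit aims to accept any Keystone image, a comment naming the Keystone release it was copied from would help operators keep it aligned with their image.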
diff --git a/keystone/templates/etc/_policy.json.tpl b/keystone/templates/etc/_policy.json.tpl
new file mode 100644
index 0000000000..ddf2396272
--- /dev/null
+++ b/keystone/templates/etc/_policy.json.tpl
@@ -0,0 +1,199 @@
+{
+    "admin_required": "role:admin or is_admin:1",
+    "service_role": "role:service",
+    "service_or_admin": "rule:admin_required or rule:service_role",
+    "owner" : "user_id:%(user_id)s",
+    "admin_or_owner": "rule:admin_required or rule:owner",
+    "token_subject": "user_id:%(target.token.user_id)s",
+    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
+
+    "default": "rule:admin_required",
+
+    "identity:get_region": "",
+    "identity:list_regions": "",
+    "identity:create_region": "rule:admin_required",
+    "identity:update_region": "rule:admin_required",
+    "identity:delete_region": "rule:admin_required",
+
+    "identity:get_service": "rule:admin_required",
+    "identity:list_services": "rule:admin_required",
+    "identity:create_service": "rule:admin_required",
+    "identity:update_service": "rule:admin_required",
+    "identity:delete_service": "rule:admin_required",
+
+    "identity:get_endpoint": "rule:admin_required",
+    "identity:list_endpoints": "rule:admin_required",
+    "identity:create_endpoint": "rule:admin_required",
+    "identity:update_endpoint": "rule:admin_required",
+    "identity:delete_endpoint": "rule:admin_required",
+
+    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
+    "identity:list_domains": "rule:admin_required",
+    "identity:create_domain": "rule:admin_required",
+    "identity:update_domain": "rule:admin_required",
+    "identity:delete_domain": "rule:admin_required",
+
+    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
+    "identity:list_projects": "rule:admin_required",
+    "identity:list_user_projects": "rule:admin_or_owner",
+    "identity:create_project": "rule:admin_required",
+    "identity:update_project": "rule:admin_required",
+    "identity:delete_project": "rule:admin_required",
+
+    "identity:get_user": "rule:admin_or_owner",
+    "identity:list_users": "rule:admin_required",
+    "identity:create_user": "rule:admin_required",
+    "identity:update_user": "rule:admin_required",
+    "identity:delete_user": "rule:admin_required",
+    "identity:change_password": "rule:admin_or_owner",
+
+    "identity:get_group": "rule:admin_required",
+    "identity:list_groups": "rule:admin_required",
+    "identity:list_groups_for_user": "rule:admin_or_owner",
+    "identity:create_group": "rule:admin_required",
+    "identity:update_group": "rule:admin_required",
+    "identity:delete_group": "rule:admin_required",
+    "identity:list_users_in_group": "rule:admin_required",
+    "identity:remove_user_from_group": "rule:admin_required",
+    "identity:check_user_in_group": "rule:admin_required",
+    "identity:add_user_to_group": "rule:admin_required",
+
+    "identity:get_credential": "rule:admin_required",
+    "identity:list_credentials": "rule:admin_required",
+    "identity:create_credential": "rule:admin_required",
+    "identity:update_credential": "rule:admin_required",
+    "identity:delete_credential": "rule:admin_required",
+
+    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
+    "identity:ec2_list_credentials": "rule:admin_or_owner",
+    "identity:ec2_create_credential": "rule:admin_or_owner",
+    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
+
+    "identity:get_role": "rule:admin_required",
+    "identity:list_roles": "rule:admin_required",
+    "identity:create_role": "rule:admin_required",
+    "identity:update_role": "rule:admin_required",
+    "identity:delete_role": "rule:admin_required",
+    "identity:get_domain_role": "rule:admin_required",
+    "identity:list_domain_roles": "rule:admin_required",
+    "identity:create_domain_role": "rule:admin_required",
+    "identity:update_domain_role": "rule:admin_required",
+    "identity:delete_domain_role": "rule:admin_required",
+
+    "identity:get_implied_role": "rule:admin_required ",
+    "identity:list_implied_roles": "rule:admin_required",
+    "identity:create_implied_role": "rule:admin_required",
+    "identity:delete_implied_role": "rule:admin_required",
+    "identity:list_role_inference_rules": "rule:admin_required",
+    "identity:check_implied_role": "rule:admin_required",
+
+    "identity:check_grant": "rule:admin_required",
+    "identity:list_grants": "rule:admin_required",
+    "identity:create_grant": "rule:admin_required",
+    "identity:revoke_grant": "rule:admin_required",
+
+    "identity:list_role_assignments": "rule:admin_required",
+    "identity:list_role_assignments_for_tree": "rule:admin_required",
+
+    "identity:get_policy": "rule:admin_required",
+    "identity:list_policies": "rule:admin_required",
+    "identity:create_policy": "rule:admin_required",
+    "identity:update_policy": "rule:admin_required",
+    "identity:delete_policy": "rule:admin_required",
+
+    "identity:check_token": "rule:admin_or_token_subject",
+    "identity:validate_token": "rule:service_admin_or_token_subject",
+    "identity:validate_token_head": "rule:service_or_admin",
+    "identity:revocation_list": "rule:service_or_admin",
+    "identity:revoke_token": "rule:admin_or_token_subject",
+
+    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
+    "identity:list_trusts": "",
+    "identity:list_roles_for_trust": "",
+    "identity:get_role_for_trust": "",
+    "identity:delete_trust": "",
+
+    "identity:create_consumer": "rule:admin_required",
+    "identity:get_consumer": "rule:admin_required",
+    "identity:list_consumers": "rule:admin_required",
+    "identity:delete_consumer": "rule:admin_required",
+    "identity:update_consumer": "rule:admin_required",
+
+    "identity:authorize_request_token": "rule:admin_required",
+    "identity:list_access_token_roles": "rule:admin_required",
+    "identity:get_access_token_role": "rule:admin_required",
+    "identity:list_access_tokens": "rule:admin_required",
+    "identity:get_access_token": "rule:admin_required",
+    "identity:delete_access_token": "rule:admin_required",
+
+    "identity:list_projects_for_endpoint": "rule:admin_required",
+    "identity:add_endpoint_to_project": "rule:admin_required",
+    "identity:check_endpoint_in_project": "rule:admin_required",
+    "identity:list_endpoints_for_project": "rule:admin_required",
+    "identity:remove_endpoint_from_project": "rule:admin_required",
+
+    "identity:create_endpoint_group": "rule:admin_required",
+    "identity:list_endpoint_groups": "rule:admin_required",
+    "identity:get_endpoint_group": "rule:admin_required",
+    "identity:update_endpoint_group": "rule:admin_required",
+    "identity:delete_endpoint_group": "rule:admin_required",
+    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
+    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
+    "identity:get_endpoint_group_in_project": "rule:admin_required",
+    "identity:list_endpoint_groups_for_project": "rule:admin_required",
+    "identity:add_endpoint_group_to_project": "rule:admin_required",
+    "identity:remove_endpoint_group_from_project": "rule:admin_required",
+
+    "identity:create_identity_provider": "rule:admin_required",
+    "identity:list_identity_providers": "rule:admin_required",
+    "identity:get_identity_providers": "rule:admin_required",
+    "identity:update_identity_provider": "rule:admin_required",
+    "identity:delete_identity_provider": "rule:admin_required",
+
+    "identity:create_protocol": "rule:admin_required",
+    "identity:update_protocol": "rule:admin_required",
+    "identity:get_protocol": "rule:admin_required",
+    "identity:list_protocols": "rule:admin_required",
+    "identity:delete_protocol": "rule:admin_required",
+
+    "identity:create_mapping": "rule:admin_required",
+    "identity:get_mapping": "rule:admin_required",
+    "identity:list_mappings": "rule:admin_required",
+    "identity:delete_mapping": "rule:admin_required",
+    "identity:update_mapping": "rule:admin_required",
+
+    "identity:create_service_provider": "rule:admin_required",
+    "identity:list_service_providers": "rule:admin_required",
+    "identity:get_service_provider": "rule:admin_required",
+    "identity:update_service_provider": "rule:admin_required",
+    "identity:delete_service_provider": "rule:admin_required",
+
+    "identity:get_auth_catalog": "",
+    "identity:get_auth_projects": "",
+    "identity:get_auth_domains": "",
+
+    "identity:list_projects_for_user": "",
+    "identity:list_domains_for_user": "",
+
+    "identity:list_revoke_events": "rule:service_or_admin",
+
+    "identity:create_policy_association_for_endpoint": "rule:admin_required",
+    "identity:check_policy_association_for_endpoint": "rule:admin_required",
+    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
+    "identity:create_policy_association_for_service": "rule:admin_required",
+    "identity:check_policy_association_for_service": "rule:admin_required",
+    "identity:delete_policy_association_for_service": "rule:admin_required",
+    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
+    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
+    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
+    "identity:get_policy_for_endpoint": "rule:admin_required",
+    "identity:list_endpoints_for_policy": "rule:admin_required",
+
+    "identity:create_domain_config": "rule:admin_required",
+    "identity:get_domain_config": "rule:admin_required",
+    "identity:get_security_compliance_domain_config": "",
+    "identity:update_domain_config": "rule:admin_required",
+    "identity:delete_domain_config": "rule:admin_required",
+    "identity:get_domain_config_default": "rule:admin_required"
+}
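Review bot: `"identity:get_implied_role": "rule:admin_required "` carries a trailing space inside the rule string; oslo.policy tokenises on whitespace so it should still parse, but the stray character is easy to misread as a distinct rule and should be `"rule:admin_required"` like its neighbours. More broadly, this file pins one upstream release's policy set while the commit's goal is to accept any Keystone image: an operation a newer image adds without a key here falls back to `"default": "rule:admin_required"`, which at least fails closed, whereas keys an older image does not know are simply ignored, so drift is silent. JSON allows no comments, so the Keystone release this policy was taken from belongs in the chart's docs or values comments rather than in the file itself.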
diff --git a/keystone/templates/etc/_sso_callback_template.html.tpl b/keystone/templates/etc/_sso_callback_template.html.tpl
new file mode 100644
index 0000000000..3364d69e55
--- /dev/null
+++ b/keystone/templates/etc/_sso_callback_template.html.tpl
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Keystone WebSSO redirect</title>
+  </head>
+  <body>
+     <form id="sso" name="sso" action="$host" method="post">
+       Please wait...
+       <br/>
+       <input type="hidden" name="token" id="token" value="$token"/>
+       <noscript>
+         <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
+            value="If your JavaScript is disabled, please click to continue"/>
+       </noscript>
+     </form>
+     <script type="text/javascript">
+       window.onload = function() {
+         document.forms['sso'].submit();
+       }
+     </script>
+  </body>
+</html>
diff --git a/keystone/templates/etc/_wsgi-keystone.conf.tpl b/keystone/templates/etc/_wsgi-keystone.conf.tpl
index e6535eae85..f04bc7e1b6 100644
--- a/keystone/templates/etc/_wsgi-keystone.conf.tpl
+++ b/keystone/templates/etc/_wsgi-keystone.conf.tpl
@@ -1,6 +1,9 @@
 Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.public }}
 Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }}
 
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
 <VirtualHost *:{{ .Values.network.port.public }}>
     WSGIDaemonProcess keystone-public processes=16 threads=6 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-public
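Review bot: The new `proxy` LogFormat substitutes the raw `%{X-Forwarded-For}i` header for the client address, and the `SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded` rules in the two VirtualHost hunks below (ending at the public and admin `</VirtualHost>` lines) select it whenever the header merely looks like an address; since the header is client-supplied, any caller that reaches Apache directly can write an arbitrary "client IP" into the access log, and the real peer `%h` is then not recorded at all. If the image provides `mod_remoteip`, the robust pattern is `RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy <trusted-proxy-CIDR>` (placeholder for the ingress range) so the header is honoured only from the trusted hop, and a single `LogFormat` using `%a` for the client and `%{c}a` for the immediate peer, which removes the need for the `SetEnvIf`/dual-`CustomLog` arrangement. If the header-based format is kept, add `%h` to the `proxy` format so the connecting address survives for later investigation.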
@@ -10,8 +13,11 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }}
     <IfVersion >= 2.4>
       ErrorLogFormat "%{cu}t %M"
     </IfVersion>
-    ErrorLog "|$/bin/cat 1>&2"
-    CustomLog "|/bin/cat" combined
+    ErrorLog /dev/stderr
+
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
 </VirtualHost>
 
 <VirtualHost *:{{ .Values.network.port.admin }}>
@@ -23,6 +29,9 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }}
     <IfVersion >= 2.4>
       ErrorLogFormat "%{cu}t %M"
     </IfVersion>
-    ErrorLog "|$/bin/cat 1>&2"
-    CustomLog "|/bin/cat" combined
+    ErrorLog /dev/stderr
+
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
 </VirtualHost>
diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml
index c1f4954279..403f1d60ee 100644
--- a/keystone/templates/job-db-sync.yaml
+++ b/keystone/templates/job-db-sync.yaml
@@ -15,7 +15,7 @@ spec:
               {
                 "name": "NAMESPACE",
                 "value": "{{ .Release.Namespace }}"
-              },            
+              },
               {
                 "name": "DEPENDENCY_SERVICE",
                 "value": "{{  include "joinListWithColon" .Values.dependencies.db_sync.service }}"
@@ -43,13 +43,19 @@ spec:
             - bash
             - /tmp/db-sync.sh
           volumeMounts:
+            - name: pod-etc-keystone
+              mountPath: /etc/keystone
             - name: keystoneconf
               mountPath: /etc/keystone/keystone.conf
               subPath: keystone.conf
+              readOnly: true
             - name: keystone-bin
               mountPath: /tmp/db-sync.sh
               subPath: db-sync.sh
+              readOnly: true
       volumes:
+        - name: pod-etc-keystone
+          emptyDir: {}
         - name: keystoneconf
           configMap:
             name: keystone-etc
diff --git a/keystone/values.yaml b/keystone/values.yaml
index a4a84a67bf..1088d2d010 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -90,4 +90,3 @@ endpoints:
     port:
         admin: 35357
         public: 5000
-