By overriding the variable `gnocchi_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the gnocchi backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ie2c824052b0024d440b20febb34b6bde22f4fac2
At the moment we don't restart services if systemd unit file is changed.
We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: I0265fc94d795360f6dfbddee5398ee067ea0422b
Move service to use uWSGI role instead of iternal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Change-Id: Iec03bd79279e694678336880460bcb83f68d9780
This patch moves gnocchi-api from usage of apache with mod_wsgi
to uWSGI, which means unification across another roles and
reduced maintenance costs
During migration period tasks that ensures apache won't listen
on gnocchi_service_port are present, but they are supposed to be removed
after train release.
Depends-On: https://review.opendev.org/671988
Change-Id: I06bbcb2f15108fc517742208ac5291719627ffe2
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing
features or functionality. The intention of this change is to ensure
uniformity and reduce the maintenance burden on the community when
sweeping changes are needed. The exterior role is built to be OSA
compatible and may be pulled into tree should we deem it necessary.
Change-Id: I54e3063d6e641a785377f9039641072f8001cf24
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.
We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.
This is by no means the final stop in the simplification
process, but it is a step forward. The will be work to follow
which:
1. Replaces 'developer mode' with an equivalent mechanism
that uses the common role and is simpler to understand.
We will also simplify the provisioning of pip install
arguments when doing this.
2. Simplifies the installation of optional pip packages.
Right now it's more complicated than it needs to be due
to us needing to keep the py_pkgs plugin working in the
integrated build.
Depends-On: https://review.openstack.org/598957
Change-Id: I7a6acaa94265b21fb886a775c3b5b86a4142a905
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: I2f92ab5520fb2e9822fcd0bbc3382305066c5d21
From Ansible 2.2 onwards, listen can be used for
handlers instead of chaining notifiers. The
handlers are then executed in the sequence
present in the handler file.
Change-Id: I97a794220f3f97b41a70be5484ff48230214fa20
Due to the debug message plugin the handler restart
messages show at the end of the playbook execution
which is a little confusing. Using debug also
requires setting changed_when to true which is a
little extra bit of code which we do not have to
carry.
Instead we use the command module which is simple,
works and less wordy.
Change-Id: I5d4573e5415365fcd493850192f90a46897d6534
When the policy file is copied from the templated
file to the active file, it loses its group/mode
settings. This patch ensures that they are properly
replicated during the copy.
Change-Id: I30a371cbfd247dfaccfd6367555bf5b732eef689
The policy.json file is currently read continually by the
services and is not only read on service start. We therefore
cannot template directly to the file read by the service
(if the service is already running) because the new policies
may not be valid until the service restarts. This is
particularly important during a major upgrade. We therefore
only put the policy file in place after the service restart.
This patch also tidies up the handlers and some of the install
tasks to simplify them and reduce the tasks/code a little.
Change-Id: Ib62c9b0c8d1081409b06c35d27421a28da22c796
The *_services dict pattern present in other roles
has been adopted and systemd/upstart service enablement
of the gnocchi-api service is now directly tied to the
state of `gnocchi_use_mod_wsgi`.
Change-Id: Ibc15c37bbd5a1a70b0774a1184b5759e558a0efb
Closes-Bug: #1633205
Addresses the deprecation warning:
"[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax"
Change-Id: I5deacf1b77b622ac2e7d884d5af221602efbaf23
Removes host and port from api section of config file template.
Also cleans up Ansible Lint warnings
Related-To: I2298f9cb94a684747f4b4dbc262cdcab7de49175
Change-Id: I56954df3d13b86cfcb4eb68e419ce13dfac2c051
In testing the playbook was erroring during policy setup due to the API not
being available yet when the play runs, on a re-run of the playbook the issue
is no longer repeatable. This is an attempt to improve the resilience of the
play on the first pass so that a rerun is not necessary.
Also adds a delay and more retries to policy setup in order to ensure that
step completes successfully since the API takes a moment to stop returning
Status 503s.