By overriding the variable `gnocchi_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the gnocchi backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ie2c824052b0024d440b20febb34b6bde22f4fac2
This line was introduced by Ic1d3fc7089e80767ab59304642c8809d8a4e707f
to bring it in line with other OSA roles, but should already be
covered by the distribution_major_version line above.
Change-Id: Icdac9fabefe047895d446b0498897a15e8028738
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Iaed7f2b4a724aed0f4165e32f3d40aac9d74edd7
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: Ia6f6e36fc34e382eb02ea59973ee0a6e8aec20b4
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: I5e9aac0216a7406fefe4bfe315bd914723c7e27c
When gnocchi_storage_driver is file, run the db sync on all nodes.
But if gnocchi_storage_driver is other than file, run only on first node.
Closes-Bug: #1915618
Change-Id: I18a0ca9e32515194fbcf939bed53cdbef4de26f6
This moves ceph_client include from the playbook
into the role itself to leverage libraries symlinking
inside venv and to align with other roles
Change-Id: I9f1339b0b592e18a227b9a53cad9ef4af7fa82c0
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/769974
This file duplicates the purpose of the service_setup.yml
so we're running same set of tasks twice.
Change-Id: Ia0ee853b14cffd3082346e20bb021da24e3f2c40
Instead of overriding each service separatelly it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.
Change-Id: I022d52c39c706fd9f82b9efcdcdc589a2e971d24
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Depends-On: https://review.opendev.org/754718
Depends-On: https://review.opendev.org/755258
Change-Id: I5098673bdf84d1c2b13ca87e474a5c598260ae94
We use the same condition, which defines against what host some "service"
tasks should run against, several times. It's hard to keep it the same
across the role and ansible spending additional resources to evaluate
it each time, so it's simpler and better for the maintenance to set
a boolean variable which will say for all tasks, that we want to run
only against signle host, if they should run or not now.
Change-Id: I69c08fd522c1c80356000b1cf2a48a9b63327b3c
Current conditionals didn't work correctly with running tasks with --limit
We should intersect with ansible_play_hosts to get tasks run for specific
host only (ie running with --limit)
Change-Id: I56e873114cf85b29233d50a866ee925615dba70b
DB upgrade should be run after service restart, as new config should
be applied for that (instead of the default one).
Change-Id: Idb3d5da2dc851fb57dd94d31136e43c34350e0cf
Move service to use uWSGI role instead of iternal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Change-Id: Iec03bd79279e694678336880460bcb83f68d9780
This patch refactors the openstack user/service/endpoints creation to
service_setup.yml which will eventually be managed by
openstack-ansible-tests.
Change-Id: Ic126b9ad6fa4905514f356b98690e04965f4d93c
This patch moves gnocchi-api from usage of apache with mod_wsgi
to uWSGI, which means unification across another roles and
reduced maintenance costs
During migration period tasks that ensures apache won't listen
on gnocchi_service_port are present, but they are supposed to be removed
after train release.
Depends-On: https://review.opendev.org/671988
Change-Id: I06bbcb2f15108fc517742208ac5291719627ffe2
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it dublicates
requests that are logged by service itself.
Change-Id: I3f6a1cee0e98372881b015ebf06e405c79495fe1
This patch refactors the database creation to db_setup.yml which
will eventually be managed by openstack-ansible-tests.
This also re-orders the mq_setup to be done earlier so these system
level dependencies are ready before service activation.
Change-Id: Ibda9982a85b967dac091bdcd0e115b3c6333361b
I04e853fb582d7b39708a2fb6ed854b4e458f06d9 fixed this for
gnocchi_service_setup, but did not fix it in gnocchi_identity_setup.
Change-Id: Ic889b94c07d1479da8f7004fce21786e9fb77826
The variables gnocchi_developer_mode and gnocchi_venv_download
no longer carry any meaning. This review changes gnocchi to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.
We also change include_tasks to import_tasks so that the
tags in the python_venv_build role will work.
Change-Id: I6c43b8c9e627b9e10deda4d500da21eb29bb9206
The private option on include role was never implemented and
will no longer be developed. This change removes the option
so ansible no longer raises a deprecation warning.
Change-Id: I419cdf1a38f6fc8431934b3fe112ffaf8776aaac
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing
features or functionality. The intention of this change is to ensure
uniformity and reduce the maintenance burden on the community when
sweeping changes are needed. The exterior role is built to be OSA
compatible and may be pulled into tree should we deem it necessary.
Change-Id: I54e3063d6e641a785377f9039641072f8001cf24
In order to enable the service setup host python interpreter to
be changed easily, we make it a variable. This will be useful
when someone sets the service setup host to be the utility
container, because we'll be able to set this var by default.
Change-Id: I04e853fb582d7b39708a2fb6ed854b4e458f06d9
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.
We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.
This is by no means the final stop in the simplification
process, but it is a step forward. The will be work to follow
which:
1. Replaces 'developer mode' with an equivalent mechanism
that uses the common role and is simpler to understand.
We will also simplify the provisioning of pip install
arguments when doing this.
2. Simplifies the installation of optional pip packages.
Right now it's more complicated than it needs to be due
to us needing to keep the py_pkgs plugin working in the
integrated build.
Depends-On: https://review.openstack.org/598957
Change-Id: I7a6acaa94265b21fb886a775c3b5b86a4142a905
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
In the integrated build, the repo build process upgrades
pip/setuptools/wheel in the venv to our preferred pinned
version, but the role tests using developer mode does not.
Gnocchi, since 4.3.0 [1] requires setuptools > 30.3.0 -
but CentOS only has 28.8.0 when it builds the venv, so the
package install fails.
In this patch we create the venv, then upgrade pip,
setuptools and wheel, then install the keystone packages.
Doing this for all roles is impractical, but it will be
necessary to unblock patches from merging into this role
today. In the future when we use the python_venv_build role
we can do all this there instead of repeating this patch
across all the roles.
[1] 3f8a22a51b
Change-Id: Ibb5a068350b30f0d74ef26a55528527bd9e646a3
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: I2f92ab5520fb2e9822fcd0bbc3382305066c5d21
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.
The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.
With the dependent patches, the openstack_openrc role is now executed once
on the designated host, so it is no longer required as a meta-dependency for
the role.
Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Change-Id: I4131312eea8c743e7803ccc622b7642c6082a4c8
There is no record for why we implement the database creation outside
of the role in the playbook, when we could do it inside the role.
Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.
In this patch we implement a new variable called 'gnocchi_db_setup_host'
which is used in the role to allow delegation of the database setup
task to any host, but defaults to the first member of the galera_all
host group. We also document the variable gnocchi_galera_address which
has been used for a long time, but never documented.
Change-Id: Idff20080d825e5afd071cbc03055f96c920aff9d