At the moment we assign `heat_stack_owner` to the `admin` user in a
`service` project, which leads to a completely unwanted behaviour, since
the `admin` user does not have any other privileges to the `service` project
rather than `heat_stack_owner`.
Instead we should be granting privileges to the bootstrapped project
for the admin user.
This fixes unclarity and potential issues users might face in horizon
by switching to the `service` project, where they have no permissions.
Change-Id: I95faa779bf62524fafd09576aa7ae27de029bb57
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I68a3041edf0b0eb891fbe1e40081f779fc40c21d
By overriding the variable `heat_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the heat backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ifb904adc61f1461e646c3fce0bd062f526b8e446
This line snuck in with If9f874305d0470f267bc8bbc74e879ec11860cac
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: I48b67f163ea5cf5d6fb37a9a8ae5678aa8574fe7
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming the corresponding variable.
Additionally service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib5d15aaf56112a776e2b9abb2396f9ea4f4fe319
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: If9f874305d0470f267bc8bbc74e879ec11860cac
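An added illustration, not code from this change or the role itself, of the `first_found` lookup form the message above describes: the `paths` list pins the search to this role's own `vars` directory, so a parent role's vars file cannot be picked up instead (the variable file names are assumed):

```yaml
# Added example: first_found lookup with an explicit paths list, so only this
# role's vars/ directory is searched and a calling role's vars cannot shadow it.
- name: Gather variables for each operating system
  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      # Most specific file first; the first one that exists wins.
      files:
        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
        - "{{ ansible_facts['os_family'] | lower }}.yml"
      # Restrict the search to this role's vars directory only.
      paths:
        - "{{ role_path }}/vars"
```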
Since we still use ceph-ansible, which has its own implementation of
the config_template module, it's worth using the mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: Ie4e45d41b070c5abbc3b80305aeee89470ee739a
Deployment can fail if a user with a name defined in _service_users exists in more than 1 domain (Multiple matches found for <username>). To avoid these errors we need to explicitly define the domain in _service_users.
Change-Id: I55c5c8b9806188f246af9f2e89afe4a2d1b38b3c
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variables files are generalised where possible.
Change-Id: I1a9fd61f8690621144fc26eec762527d6ffcc33c
When we were migrating service to uwsgi usage, we clean forgot to
trigger uwsgi restart on service config change.
Change-Id: I9c470d5555e5d2841018be3112c1b82e75e60021
run_once can't be replaced with such condition since config files should
be put against all groups, and not only api one.
Change-Id: Iee0f0efa7e8c8f5ee14e6052db9d2407c4880680
We use the same condition, which defines against what host some "service"
tasks should run, several times. It's hard to keep it the same
across the role, and ansible spends additional resources evaluating
it each time, so it's simpler and better for the maintenance to set
a boolean variable which will say, for all tasks that we want to run
only against a single host, whether they should run or not now.
Change-Id: Iea777412d3bf7dc76b8073c51b4cdcb029573f66
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: Ic51187c5f063d7d8b932e76d0f82c062061a3962
Since the ansible feature has been implemented and we can reference
an openstack domain by its name and not only by id,
we can simplify the service creation task.
Change-Id: I1485160f330fa289e02874e9286cf7a27009ea76
This patch refactors the openstack user/service/endpoints creation to
service_setup.yml which will eventually be managed by
openstack-ansible-tests.
Depends-On: https://review.opendev.org/681610
Change-Id: I88665890fc2e117d1ed9892b976bba2aa06dd504
Move service to use the uWSGI role instead of an internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speed up
metal deployments as the same uwsgi environment will be used
across all services.
Change-Id: If539762d5de0730ce97d8f8aaefb4c096d850902
When task/role files are included using include_tasks, tags are not
passed to the included tasks. As a result, tags like neutron-config
do not have the intended effect. This patch changes include_tasks
to import_tasks for all cases where dynamic vars or loops are not used
so that tags are properly handled.
Also heat_init_systemd is finally dropped, as it is not used anymore.
Reference -
https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse.html
https://bugs.launchpad.net/openstack-ansible/+bug/1815043
Change-Id: I321979a96acc04a25b5287fb2f61fa03cda66e81
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by the service itself.
Change-Id: I9f8a7f92d644775bd673dbade73fbaa1268712d5
This patch refactors the database creation to db_setup.yml which
will eventually be managed by openstack-ansible-tests.
This also re-orders the mq_setup to be done earlier so these system
level dependencies are ready before service activation.
Change-Id: Ife10587bb82cd56c3d537c510f35962a9b8276d9
The variables heat_developer_mode and heat_venv_download
no longer carry any meaning. This review changes heat to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.
As part of this, we move the installation out of its own file
because it's now a single task to include the venv build role.
This is just to make it easier to follow the code.
Depends-On: https://review.openstack.org/648551
Change-Id: I4b66febefc77176a112486b0e9ee9b46e16cff05
The private option on include role was never implemented and
will no longer be developed. This change removes the option
so ansible no longer raises a deprecation warning.
Change-Id: I0fe59819c7e2594188e93d7cc482abff74495b8e
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
With this variable, users would be able to extend
the list of pip packages in case of needing an
extra pip package.
Currently if we need an extra pip package we need
to override the existing list.
Change-Id: I9aea9f42c476ff3c6f2355a0afb21be4eea57b69
Currently in rocky, due to the fact we replaced
the ansible keystone plugin, the heat user is
not being added in the heat domain, which causes
issues, for example for magnum to create stacks and
nodes. This role is stated in the heat openstack
installation docs.
This patch aims to implement the role assignment.
Depends-On: I2fbb2465f9b4765a87011dfb2c2f65bd27e7b2c9
Change-Id: Ib65a12990059f8125caff279622d89643bcc2fd5
It is possible that the hostname of the system does not match the
one in the inventory, which means that the delegate_to or the
comparison to inventory_hostname will fail in the tasks later.
Change-Id: I22eb68694063b4e0567c5700d8a9d8b93ffae6a2