During the last release cycle oslo.messaging landed [1] a series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues to be re-created,
it makes total sense to align them with the migration to quorum queues by default.
[1] https://review.opendev.org/q/topic:%22bug-2031497%22
Change-Id: Ia7fc7b8d33c3c08e89310e30d90109d6b56f2672

In order to be able to globally enable notification reporting for all services,
without a need to have ceilometer deployed or a bunch of overrides for each
service, we add the `oslomsg_notify_enabled` variable that aims to control
the behaviour of enabled notifications.
The presence of ceilometer is still respected by default and is still referenced.
A potential use case is various billing panels that rely on notifications
but do not require the presence of Ceilometer.
This change also disables RPC communication for Glance since there are
no signs of RPC usage in Glance code. RabbitMQ seems to be used solely
for notifications.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/914144
Change-Id: I92b95acc5ec35468cafe041b277ef9fb3c21c2e4

In order to allow the definition of policies per service, we need to add variables
to service roles that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding
`oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in the case of metal deployments.
Change-Id: I9daf2b784dfbf6b6acb436efdf4caf5713764531

Due to the weird postinst logic of the keystone-common package, permissions
for the SSH private key that is used for fernet rotation are reset to 0640, which
prevents SSH from functioning further.
We add a post-package-installation task that will ensure private key permissions
for Ubuntu distro installations specifically.
Change-Id: I1ebee33e3cf52cc0a9c474423a4fd5fa7f1cbe81

Currently when re-building the keystone primary node, a new set
of fernet keys will be created as none exists, despite keys
existing on the secondary nodes.
This patch uses a similar approach to the credential key
distribution where other nodes are checked for keys if none exist
on the first play host. In this case an rsync is performed to
distribute the keys correctly before proceeding.
Change-Id: I92434276aef54805e5cee56e1d22821e11245fe4

This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5

The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.
As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.
Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858

We migrated to usage of the ssh_keypairs role a while ago and we
can remove the old migration clean-up task.
Change-Id: I2c73f087b48fd3e664e0b339f2fb2b77b208f6c5

The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto from the reverse proxy as
of version v2.4.11 which comes in from Ubuntu Jammy.
Eventually this will need to become the default and the
variable added in this patch can be removed.
Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852

Doc jobs for the role are failing now with a line being too long. Adding
a new line fixes the issue as the link is treated properly afterwards.
Change-Id: I4deeacd9d953e3bf1bde208a4011455f8dd6fbe0

Keystone has stopped providing or referring to the `_member_` role for a while,
thus the role should not be referenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`,
which resulted in the role being insufficient for basic operations.
Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486

If the package is not installed it's not possible to validate the
TLS cert of the ldap-server.
This package went from depends to suggests in the jammy release.
Change-Id: Ia9e2e35d3898727af67c4d07115bad6d0582dda4

With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c

Defining SSL parameters has nothing to do with
keystone_service_internaluri_proto. It should not be taken into
consideration there.
Theoretically speaking, an environment can have TLS disabled on the frontend
but enabled on the backend.
Change-Id: I81b66a7388c335958badf7135f4289c3423cb229

To standardize the variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use the `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about the frontend or the backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA, so
it is hard to leverage the `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000

Apache needs to respond with all intermediate CA certificates.
Otherwise, haproxy will not be able to validate backend certificate.
That is why -chain.crt file needs to be installed for keystone.
Change-Id: Ibc8267a1c27e1de7ed5bce716199f3264e8c136d

Keystone has particular ordering requirements for setting up
multiple instances and distributing fernet keys.
Run the infra jobs for the os_keystone role as these test
three keystone containers simultaneously.
Change-Id: Ia454d95a48dff1fa1856137df74a548d9c7d8a11

Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I83fbde781bbedd6e84f2ff1b1136b4558bf1da00

At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.
Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us
the opportunity to refactor this bit of deployment and allows us to be more
flexible in backend selection and requirements installation for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b

When deploying keystone for the first time, the aliveness check inside
service_bootstrap cannot succeed for a multi-node setup, as the playbook
will disable the current backend. So we need to bootstrap the host only
when running against the last host in the play. We should also make sure that
the following tasks will not fail when running against the first ones.
Closes-Bug: #1990008
Related-Bug: #1989326
Change-Id: Ifa9a79c34265b225a5e24c30cae47d3f0fa0739f

This line was introduced by Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
for centos-7 support, and should already be covered by the
distribution_major_version line above.
Change-Id: I87dbc866f63cd1240dd0049b5b30a1339e1b1e34

This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use-cases.
For deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8

This change brings the keystone role into line with others such
as cinder which check the service status using the loadbalancer.
This is useful in environments using a proxy server where the
internal VIP can be included in "no_proxy" but the service IPs
for the containers are too numerous to list in "no_proxy" and
stay within the 1024 character limit for pam_env.
Change-Id: I1a4aec40618237aa23b4f40b335c141071a56f08

The Keystone role was never migrated to usage of the haproxy-endpoints role
and an included task was used instead the whole time.
With that, to reduce complexity and to have a unified approach, all mentions
of the role and handler are removed from the code.
Change-Id: Ib21a5f5caa590daa827e45d26015bf32abe39cf2

With the sphinx release of 5.0.0, they changed the default for the language variable
to 'en' from None. With that, the current None value is not valid and should
not be used.
Change-Id: I7f03a145490529e703aced630c49d08b0e59a435

These are now in main_pre.yml and the role should be called separately
with tasks_from targeting all keystone hosts before being called
again with serial: settings appropriate for H/A deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843740
Change-Id: Iecb5567382d27ae6a875f8937f33aa7bb492252e

There are a number of tasks and use of the ssh keypair setup role
which must happen on all of the keystone hosts before the service
itself is deployed.
Previously, the keystone role ran with serial (1,100%), and the
pre-service setup tasks iterated over ansible_play_hosts
during the deployment of the first keystone host using delegate_to.
This makes the control flow of the role hard to understand and
causes issues when the pre-service tasks need to include further
roles which also use delegate_to, such as the ssh-keypairs role.
This change introduces a new 'main' tasks file for the pre-service
setup which can be called independently with no restriction on
serial:. This means that the pre-service setup can be completed
on all keystone hosts using normal ansible tasks without iteration
or delegate_to, and the role can be called a second time with the usual
main.yml and serial: settings to deploy the service itself and
maintain operation in an H/A deployment. In addition, the behaviour
of --limit will now be more obvious.
Change-Id: Ifcd2afe217205684b0ea3917a3776666d10ffae7

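The two-pass invocation that the last two commit messages describe (pre-service setup on every keystone host first, then the serial H/A deployment), written out as an added playbook illustration that is not part of these commits or of the os_keystone role itself; the `keystone_all` group name and the playbook layout are assumptions.

```yaml
# Added illustration; not taken from the os_keystone role or openstack-ansible.
# Assumes an inventory group `keystone_all` (assumption) and that the role
# exposes a `main_pre.yml` tasks file, as the commit messages above describe.

# Pass 1: pre-service setup (ssh keypairs, fernet/credential key handling)
# on every keystone host at once, with no serial: restriction, so the
# included roles can run as normal tasks without iteration or delegate_to.
- name: Keystone pre-service setup on all hosts
  hosts: keystone_all
  gather_facts: true
  tasks:
    - name: Run the os_keystone pre-service tasks
      ansible.builtin.include_role:
        name: os_keystone
        tasks_from: main_pre.yml

# Pass 2: deploy the service itself on one host first, then the rest,
# so at least one backend stays up behind the load balancer during the run.
- name: Deploy keystone with H/A-friendly serial settings
  hosts: keystone_all
  gather_facts: true
  serial:
    - 1
    - 100%
  roles:
    - role: os_keystone
```

Because the first play targets the whole group, a `--limit` applied to the second play only narrows which hosts receive the service deployment, which is the "more obvious" behaviour the commit message refers to.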