This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.
As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.
Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto from the reverse proxy as
of version v2.4.11, which comes in with Ubuntu Jammy.
Eventually this will need to become the default and the
variable added in this patch can be removed.
Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852
Defining SSL parameters has nothing to do with
keystone_service_internaluri_proto. It should not be taken into
consideration there.
Theoretically speaking, an environment can have TLS disabled on the frontend
but enabled on the backend.
Change-Id: I81b66a7388c335958badf7135f4289c3423cb229
To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.
Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the
opportunity to refactor this bit of deployment and allow more
flexibility in backend selection and requirements installation for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
We have all machines in DNS and want to be able to change IP addresses in DNS, so we do not
use ansible_host in our host_vars/machine.yml.
os_keystone is the first Ansible role we use; we will make similar changes to other roles later
on.
Change-Id: Ic9f43cc3f6b62b5098e85afcf55f008c022517f6
Add the X-Forwarded-Proto header based on the haproxy termination
and whether keystone is configured to use SSL for the internal connection.
Change-Id: Ia627e19923e1e24d2fede49aefb7251bb75d88de
As ProxyPass is defined outside the VHost, it has a global effect, resulting
in the Horizon Identity section being just proxied to the keystone API
instead of rendered by Django as instructed by the Horizon VHost.
Change-Id: I596614f55a8db8e814b1d24a78c3f1a9d0e00bb2
Closes-Bug: #1960342
Instead of having our own implementation of uwsgi, use the common role.
This allows us to reduce the code to maintain and eases
providing fixes and features to the uwsgi deployment code.
Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
Instead of using file logging we switch the apache conf to log into syslog,
which results in journald. This aligns with other services' way of
logging.
Change-Id: I4c619500f7df389a60a7baf0d444ddbc7fc2a9dc
This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ia507320ca552ec60d893e398ad7f68d4283539be
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.
Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
A follow on from I8a1d7e8d31b43b70de062d5bbf2f648c71014af0.
Remove ability to use incorrect spelling in future releases.
Change-Id: If27c04ba5ce509a30fe2af2a56771cc1a12dbe9d
For backwards compatibility I have left in the original incorrect spelling;
this patch should be backported.
Change-Id: I8a1d7e8d31b43b70de062d5bbf2f648c71014af0
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variable files are generalised where possible.
Change-Id: I1624730385a7b54cf36a94d313cc298430129736
Nginx config verification that is performed by ansible [1] is done
in tmp "on the fly", which fails because of the relative import.
We also move the task that replaces ports for nginx.conf to the end
so that config validation is performed after all configurations
are applied.
[1] https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/tasks/keystone_nginx.yml#L44
Change-Id: Ic52fc7dbdb0324ab8f4b71d25398f23a05df05d7
If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations:
/security.txt and /.well-known/security.txt, as defined in
https://securitytxt.org/
Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
Event notifications are useful for those that need to keep an audit
trail. Turned off by default as these logs contain user specific data
and local data protection laws should be considered.
The default notification_opt_outs follow the keystone documentation.
Please see here for more information on CADF notifications:
https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html
Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9
Added the following parameters to the httpd.conf template
to be used with the mod_auth_openidc Apache module. Params include:
- OIDCStateMaxNumberOfCookies - this takes parameters in the form
<number> <false|true>, where number is the maximum number of state
cookies stored in parallel for outstanding auth requests, and the
boolean indicates whether cookies that are still valid over this
amount are deleted
- OIDCDefaultURL - defines a default URL to be used in case of
3rd-party or OP initiated SSO when no explicit target_link_uri has
been provided. The user is also sent to this URL in case an
invalid authorization response was received
(ref: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf)
The reason these have been added is due to some stability issues
that have been seen regarding cached session cookies that subsequently
cause a "state mismatch" error. Being able to limit the number of active cookies
appears to resolve this issue.
Change-Id: Id2248e93f2636407396d4ac8fe29c8943e4a3a57
Added the OIDCAuthRequestParams line to the keystone-httpd.conf template
This allows for the addition of optional extra parameters that will be sent
along with the Authorization Request when using federated logins:
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf
Change-Id: I020986bbc2d5baa73a19ee7e1070019cb4e9ce63
Piggybacking on to the memcached containers that keystone uses for
its token caching we are able to share state between the apache_mod_openidc
instances so that authentications succeed in cases where auth requests
are being routed to more than one keystone container.
Change-Id: Ia978b46f6a6dfc5da8f8ebecb1a3c9fe44948add
Allows a user to specify the OIDCOutgoingProxy setting for mod_auth_openidc
when setting up an OIDC identity provider.
Change-Id: Ib37ace634f81e4f691d0b1aa8c52424a1c851da4
This patch aims to add a prefix for memcached_server
on each role to give deployers the ability to
override the location of the memcached cluster, i.e. users
want to create a single memcached cluster with k8s
for each service.
Change-Id: I57e7a977675c203d811bf0afc60ebf2c5661c284
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined shibboleth auth module will continue to be
installed by default maintaining backward compatibility.
This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.
Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
With Train (current master) openSUSE is switching the openstack packages
to use Python 3. This means that we need to use the python3 module for
uwsgi.
Change-Id: I0fcb9d6a1df8893f3f4e6593a1614611e6712418
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi python3
plugin.
The keystone package includes a dependency for apache2, python3-keystone
should be used instead.
Change-Id: Idbef95bc115755994156ab0fee7538370392e67d
WSGIScriptAliasMatch is a configuration for mod_wsgi that is not used
anymore.
Prevent ProxyPass from redirecting all traffic to the keystone uwsgi;
/Shibboleth.sso needs to be handled by mod_shib.
Change-Id: I5117ccb6395c820a19d9070187b0a1e5c9fba448
Depends-On: Ibff3aa2a1ac1bbf2493aaf2419ee1e4dd763934c
saml2 is already configured as an entrypoint for the Mapped plugin.
Fix the SP part of LP:#1808543
Related-Bug: 1808543
Mapping in the config has been disabled in keystone.
Change-Id: Ib926b14f82616f6b4d3c595a8848f191827b4b3e
Depends-On: Ibff3aa2a1ac1bbf2493aaf2419ee1e4dd763934c