This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5
The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto from the reverse proxy as
of version v2.4.11 which comes in from Ubuntu Jammy.
Eventually this will need to become the default and the
variable added in this patch can be removed.
Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852
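The change above only says that mod_auth_openidc must be told explicitly to trust X-Forwarded-Proto. As an added example, not code from the os_keystone role, here is a stand-alone playbook that drops such a snippet on Ubuntu and enables it. The directive `OIDCXForwardedHeaders` is the one documented by mod_auth_openidc for this purpose; the variable name `keystone_sp_oidc_xforwarded_headers`, the conf file name and the handler name are assumptions made for the example.

```yaml
# Added example (not the role's own tasks): make mod_auth_openidc >= 2.4.11
# honour the scheme reported by the reverse proxy. Variable, file and
# handler names are assumptions.
- name: Configure mod_auth_openidc to trust proxy forwarded headers
  hosts: keystone_all
  become: true
  vars:
    # Only list headers the reverse proxy overwrites on every request.
    keystone_sp_oidc_xforwarded_headers:
      - X-Forwarded-Proto
  tasks:
    - name: Drop the forwarded-headers snippet
      ansible.builtin.copy:
        dest: /etc/apache2/conf-available/oidc-forwarded.conf
        owner: root
        group: root
        mode: "0644"
        content: |
          # Trust these headers only because haproxy sets them itself;
          # a client-supplied X-Forwarded-Proto must never reach Apache,
          # otherwise the computed redirect_uri can be steered by the client.
          OIDCXForwardedHeaders {{ keystone_sp_oidc_xforwarded_headers | join(' ') }}
      notify: Reload apache

    - name: Enable the snippet
      ansible.builtin.command: a2enconf oidc-forwarded
      args:
        creates: /etc/apache2/conf-enabled/oidc-forwarded.conf
      notify: Reload apache

  handlers:
    - name: Reload apache
      ansible.builtin.service:
        name: apache2
        state: reloaded
```

The check a practitioner wants before trusting the header: confirm that the proxy in front of keystone always sets X-Forwarded-Proto itself rather than passing through whatever the client sent, because this directive makes Apache believe the header unconditionally.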
If the package is not installed it's not possible to validate the
TLS cert of the LDAP server.
This package went from depends to suggests in the Jammy release.
Change-Id: Ia9e2e35d3898727af67c4d07115bad6d0582dda4
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.
Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the
opportunity to refactor this bit of the deployment and allows us to be more
flexible in backend selection and requirements installation for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use-cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
Instead of having our own implementation of uwsgi, use the common role.
This allows us to reduce the code to maintain and eases
providing fixes and features to the uwsgi deployment code.
Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
The python_venv_build role is responsible for setting up the build
environment for python wheels, so this role should not install
python development packages.
Change-Id: I0958bdb0b4a04d3398fc2c42f10d54cc7c30f0f8
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.
Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
Package and module names were accidentally updated to equivalents
used for Debian and Ubuntu Focal+. This patch adds a temporary
vars file for Ubuntu 18.04 to maintain compatibility.
Change-Id: I50c649fda50b9e6a984abccdf61717a2294caaee
While shibboleth and mod_auth_openidc can theoretically be co-installed
now, unfortunately the shibboleth enabled configuration will cause
issues when using mod_auth_openidc.
As we only drop the configuration for one of these apache mods at a time
I have decided that it is best we only support one of these packages
being present at any time to avoid conflicts.
Change-Id: Ib0ebf1711db42dd00b3e14c1e5604fed2632437d
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: I1624730385a7b54cf36a94d313cc298430129736
For Ubuntu Bionic there was a difference in dependencies between
these two libraries on libcurl3 and libcurl4 which meant they were
not co-installable.
For Focal we should be able to install both as the version of
the shibboleth library is now > 3.0
Closes-Bug: 1900410
Change-Id: Ia135870e45cc32ddfdad61476fe9ce12f61a6df7
We use the same condition, which defines against what host some "service"
tasks should run, several times. It's hard to keep it the same
across the role, and ansible spends additional resources evaluating
it each time, so it's simpler and better for maintenance to set
a boolean variable which will say, for all tasks that we want to run
only against a single host, whether they should run or not now.
Change-Id: Iac06d3f02b1c9ee5e3bfbd28043fbb70d8b1d328
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined shibboleth auth module will continue to be
installed by default maintaining backward compatibility.
This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.
Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
For CentOS, we use the public repos for nginx and shibboleth by default. You can
change this behaviour with these role-wide variables:
- keystone_centos_nginx_mirror
- keystone_centos_nginx_key
- keystone_centos_shibboleth_mirror
- keystone_centos_shibboleth_key
Or with these osa-wide variables:
- centos_nginx_mirror
- centos_nginx_key
Change-Id: Icb21c31141d1d78e5a2e23b35378ffb0520c0d1d
The use of nginx-full causes a service restart on package update
which brings down the keystone endpoints.
Change-Id: Ic9cc341edb6f2f0ba76bd301c9782fbcc5951544
Related-Bug: 1847395
With Train (current master) openSUSE is switching the openstack packages
to use Python 3. This means that we need to use the python3 module for
uwsgi.
Change-Id: I0fcb9d6a1df8893f3f4e6593a1614611e6712418
If you don't want to generate the shibboleth SP key-pair on the first playbook run,
you can provide sp-cert.pem and sp-key.pem in /etc/openstack_deploy/keystone/
Change-Id: I6fb099cee10ef76f2cd6d20a03ffe53f45a1f85d
Signed-off-by: Kourosh Vivan <kourosh.vivan@osones.com>
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi python3
plugin.
The keystone package includes a dependency for apache2, python3-keystone
should be used instead.
Change-Id: Idbef95bc115755994156ab0fee7538370392e67d
The uw_apache test was run against xenial, which is not currently
supported, so the job was updated to run on the bionic nodeset.
We also need to enable proxy_uwsgi for Debian based distros.
Co-Authored-By: Guilherme Steinmuller Pimentel <gsteinmuller@vexxhost.com>
Co-Authored-By: Marc Gariépy <gariepy.marc@gmail.com>
Change-Id: Ibff3aa2a1ac1bbf2493aaf2419ee1e4dd763934c
The RedHat-based operating systems such as CentOS have a pretty
stable list of packages, therefore, we don't need to pin it by
version and we can instead move to a much more generic redhat.yml
which will support a bigger range of systems.
Change-Id: Ic80fd9b1f112d02c24ceb2579195fa655cd63b00
This patch adds support for this role to be able to deploy on
Debian Stretch.
Change-Id: I97bcfacc55b8afcda6792dd19e7f947cdec38ce4
Needed-By: I9a92b73c419a0dc1cca40dacfef75de61a61db94
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. While the focus of this change is to remove configuration file
maintenance burdens, it also allows the role to execute faster.
* Source installs have the configuration files within the venv at
"<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
default configuration path to this directory. When the service is
upgraded the link will move to the new venv path.
* Distro installs package all of the required configuration files.
To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.
Change-Id: I93cb6463ca1eb93ab7f4e7a3970a7de829efaf66
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Keystone requires this package at runtime and currently assumes
that it is present in the environment. This patch ensures that
assumption is correct.
Change-Id: Ifb427af8ec4d18089732b7e77a2703f535631e6e
Currently the devel packages are installed everywhere,
but they only need to be where the wheels are built.
Also, there is already a task to install the packages
needed on the target hosts when installing - so we do
not need to give the same list to the venv install role
because they will already have been installed.
Change-Id: I306017d66416f147a17ae9e1f16130af4bfa7774
This reverts commit 781835e752.
The package is actually required on the memcached hosts, not
the keystone hosts. This helped make role tests pass because
in the role tests memcache and keystone are often on the same
containers.
The actual fix will be https://review.openstack.org/613099 which
ensures that netcat is installed on the memcache hosts instead.
Depends-On: https://review.openstack.org/613099
Change-Id: I55158c332a35e150f61541e8c2c1390e397d7d2c
Commit afc0e5b1ce ("Add memcache flushing handler on db migrations")
added an implicit dependency to the 'nc' package but it did not add it
to the list of required packages so things break like this:
["/bin/sh: nc: command not found"]
As such, we need to add the package to the rest of the distro packages.
Fixes: afc0e5b1ce ("Add memcache flushing handler on db migrations")
Change-Id: Ieab35215e84d6971cd9c2068206ebf2103cbc4b4
The ssh service on ubuntu based systems is "ssh" which is established by
the service unit path `/lib/systemd/system/ssh.service`. When running
the service will respond to the name "sshd" however this is just an
alias. This change adds a variable to set the service unit name
based on the distro family which will allow the service to start should
it be masked.
The change will now delegate to all nodes within the keystone cluster
ensuring ssh is enabled and started. If SSH is not running everywhere at
the same time keystone key rotation will not be possible later on in the
role.
Change-Id: I552a6bb09b3ab917bfcad140633fe4662c0c5a82
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
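The commit above describes picking the SSH unit name per distro family and making sure SSH is up on every keystone node before key rotation. As an added example, not the role's own task file, here is a self-contained play that does the same thing; the variable name `keystone_sshd_service_name` is an assumption, and `any_errors_fatal` is used so that a node where SSH cannot be started aborts the play before any later rotation step would fail half-way.

```yaml
# Added example (not the os_keystone role's tasks): choose the sshd unit
# name by OS family, unmask it if needed, and fail fast if it cannot be
# started on every keystone host. Variable name is an assumption.
- name: Ensure SSH is enabled and running on all keystone hosts
  hosts: keystone_all
  become: true
  # Key rotation later needs SSH everywhere at once: stop the play on the
  # first host that cannot start it rather than continuing with a partial set.
  any_errors_fatal: true
  vars:
    # Debian/Ubuntu ship /lib/systemd/system/ssh.service ("sshd" is only an
    # alias while running); RedHat-family systems ship sshd.service.
    keystone_sshd_service_name: >-
      {{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}
  tasks:
    - name: Unmask the SSH unit if it was masked
      ansible.builtin.systemd:
        name: "{{ keystone_sshd_service_name }}"
        masked: false

    - name: Ensure the SSH unit is enabled and started
      ansible.builtin.service:
        name: "{{ keystone_sshd_service_name }}"
        enabled: true
        state: started

    - name: Verify the daemon is actually listening before continuing
      ansible.builtin.wait_for:
        port: 22
        host: "{{ ansible_facts['default_ipv4']['address'] | default('127.0.0.1') }}"
        timeout: 30
```

Starting the unit under its alias name fails when the real unit is masked, which is why the play unmasks and starts the distro-specific unit name rather than "sshd" everywhere.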
The keystone containers rely on SSHD for the key synchronisation,
so in this patch we ensure that it is installed, enabled and
running.
Change-Id: I044c080dba1068f79f4018b54b8ad120192b3932
To make the transition between versions easier,
we rename the vars file. This also resolves
issues when meta-dependent role inclusions do
not pick up the correct file when using the
include_vars task with multiple search paths.
Change-Id: Ibe1758b4d2187f0bd85368ce91089ea30ca652ac