27 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov c15dc767fd Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Change-Id: I9b9de6cdfac8ba3a89b874cd920df8d5b01e81f2
2023-10-25 09:45:55 +00:00
Dmitriy Rabotyagov 610cb66262 Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: I7835892960360ddea73ba98ed1cbdc8268d5e71e
2023-08-17 14:57:57 +00:00
Damian Dabrowski 168e116a36 Add TLS support to tacker backends
By overriding the variable `tacker_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the tacker backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ib5dd3a2494bed81add670e331085294910d7f425
2023-04-29 18:44:02 +02:00
Dmitriy Rabotyagov 0e27d6a3a1 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I9fa323e544849f7c24ccd7b860160bb5756ada28
2022-06-15 17:42:11 +00:00
Damian Dabrowski 68bdc789cb Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I36f5315ad27904c817f4349151fca4181180e811
2021-12-03 11:41:49 +01:00
Dmitriy Rabotyagov a0cb1f7b7c Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I42d544d80d8fef5be9a68e6ef7090f85d0daa88c
2021-09-21 17:23:03 +03:00
Dmitriy Rabotyagov 906e596a81 Update tacker config
Tacker hasn't been paid any attention for a while and current
configuration is not relevant and contains obvious mistakes.
While patch doesn't aim to fully fix all issues, we at least improve
things by removing obvious mistakes.

Change-Id: Ib8b89fa2664e63245b503780e4fc65d813db0e6f
2021-06-08 14:44:43 +03:00
Jonathan Rosser e52a036f2c Add variables for rabbitmq ssl configuration
Change-Id: Ief236b1d9599e40ff47de5016c31ca12a2b3eb34
2021-05-17 12:11:04 +00:00
Dmitriy Rabotyagov e1a5b3cf2b [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to replace policy.json to
policy.yaml and remove deprecated policy.json.

config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.

We make a separate task not to restart service when it's not needed.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I0606751e4e7707091cd34429deeee01630eb576a
2021-04-02 07:41:40 +00:00
Dmitriy Rabotyagov 47e2784138 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: Id68c80b52fe72bd209e96dba230b4f2cb12f900d
2019-07-18 09:02:45 +03:00
Kevin Carter 327456e73a Correct notification driver
The notification driver setup was resulting in the driver and connection string
on the same line. This is caused by the case statement and how jinja formats
the template when a case statement is present. This change modifies how the
driver string is created using a ternary, which will eliminate the case
statement and render the value of the driver correctly.

Change-Id: Ic61c0dc953903a5a531565ae5deb773b348ec2ef
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-03-28 17:34:21 +00:00
Dmitriy Rabotjagov 2a199a9621 Update role for new source build process
The variables tacker_developer_mode and tacker_venv_download
no longer carry any meaning. This review changes tacker to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.

As part of this, we move the source build out of its own file
because it's now a single task to include the venv build role.
This is just to make it easier to follow the code.

We also change include_tasks to import_tasks and include_role
to import_role so that the tags in the python_venv_build role
will work.

In addition tacker init was replaced by the standard systemd_service
role. Due to this was added new variable tacker_init_config_overrides.
program_override variable has no influence now.

In config notification_driver was deprecated in favor of driver from
oslo_messaging_notifications

Change-Id: Id5629cb631b23887383fa23f472052477edbc4eb
2019-03-28 17:33:58 +00:00
Zuul 7fde8d74cb Merge "Update messaging notification configuration" 2018-11-10 10:28:20 +00:00
Panagiotis Karalis dc536599f8 Tacker uses OpenStack Barbican for secret keys
Use the OpenStack Barbican component instead of OpenStack Keystone
as secret key handler.
The reason behind is the way that Tacker handles the secret keys of
complex scenarios (specially the scenarios with HA) and how they are
stored or retrieved between different VMs or Blades.

Change-Id: I63d40c5239d2585e8bb7ac3b9338252c9e28c4c6
Signed-off-by: Panagiotis Karalis <pkaralis@intracom-telecom.com>
2018-10-05 10:37:51 +03:00
ZhijunWei 56dc20030b Update messaging notification configuration
This patch adds the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends. For example, if the
transport_url is not provided in the notification section of the
service configuration, the transport_url specified in the default
section will be used instead.

This patch conditionally selects the notifier driver. The noop
driver will be selected when notification publishing is disabled.
The messagingv2 driver is selected when notification publishing is
enabled.

Change-Id: I60e92e14c0893b80f4023b6b6681864fee5228e5
Closes-Bug: #1794320
2018-09-27 02:17:29 +00:00
ZhijunWei 88a678bbad Remove the unnecessary verbose defined
Change-Id: Ie188de9270e6666f2ca1e5c755f6db757375abb8
Closes-Bug: #1794320
2018-09-19 10:11:01 -04:00
Jesse Pretorius 4f1fe6ead3 Remove mysql-python
The mysql-python package is no longer maintained. We are using
pymysql instead, so this package does not need to be installed.

The tacker.conf file wasn't set to use pymysql, so we correct
that.

Change-Id: I7346071d52f2b12802af42236af69b362f2f9d9d
2018-09-15 13:04:02 -06:00
Andy Smith 96e911f446 Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Add transport_url generation to conf
* Add oslo.messaging to tests inventory and update tests
* Install extra packages for optional drivers

Change-Id: I88fa6bd04ebad08211570d46ed464409b5896123
2018-07-26 09:08:53 +00:00
melissaml 4ddcc6c6e1 Update auth_uri option to www_authenticate_uri
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: I880d6881cd18d5ef07e30f2ea54126b6cfdb3839
2018-04-17 04:57:01 +08:00
OpenStack Proposal Bot 1beb7061b0 Updated from OpenStack Ansible Tests
Also remove what appeared to be an unused file which
caused the lint tests to fail.

Change-Id: I5c70bff21b54f3fd5b2c1744e71f7bbfb3f23a52
2018-03-27 19:07:43 +01:00
Manuel Buil 03831dafe6 Provide the correct directory to fetch the keys
Tacker is trying to fetch the keys from /etc/tacker/vim/fernet_keys, however
the correct directory is in the venv. We should provide that information in
tacker.conf otherwise it uses the default value which results in errors

Change-Id: I6bbdc4852df8c53dac73e3052af9c1046f216642
2018-01-16 16:56:35 +01:00
Jesse Pretorius f02127ab83 Update paste, policy and rootwrap configurations 2017-12-19
The locations of the previously included templates have been
moved to the standard location used in all other roles. This
helps to allow the sources-branch-updater script be able to
automatically place the updated files processed from the
upstream git repositories.

As there is now a rootwrap filter file, the appropriate tasks
to create the directory and to add the file have been
implemented. A little clean-up of syntax of tasks near those
modified have been included.

Finally - to resolve the ansible-lint issue the use of
systemctl has been removed.

Change-Id: I9b64d5e99dc81a6f35d74c0366ee2bbe7d15d327
2017-12-20 18:48:29 +00:00
Jimmy McCrory edc9c555b3 Add MySQL connection SSL support
When 'tacker_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: I9165a04de869197ac05e60be799f59a263e98a7b
Partial-Bug: 1667789
2017-12-14 11:42:20 -08:00
Manuel Buil a31be97fe9 tacker.conf updated for ocata/pike and sfc usage
Tacker.conf was outdated and missing some options required for the integration
with networking-sfc.

- Several sections not needed anymore like tacker_heat or tacker_nova
- New concept of vim added and openstack is defined as its driver
- Clean up parts of tacker.conf which are not used for simplicity

The new tacker.conf is aligned with tacker official documentation:
https://docs.openstack.org/tacker/latest/install/manual_installation.html

Change-Id: I922618e2a27dde422dfe01e9ca4b688e5755abbc
Signed-off-by: Manuel Buil <mbuil@suse.com>
2017-08-21 12:14:33 +02:00
Manuel Buil b873fcd409 Fill the tests directory
The tests directory is needed to pass the gates

Change-Id: I647d7487177a046120e5f7f43adf48e2aa821f8a
Signed-off-by: Manuel Buil <mbuil@suse.com>
2017-08-09 10:30:28 +02:00
root d7002e46e5 minor updates 2016-10-03 09:19:22 +00:00
root bb87b62ea4 first commit 2016-09-20 19:19:12 +00:00