Don't validate token_flush for non-persistent token formats
THT incorporated a change so that the keystone_cron container deploys
only if a persistent token format is used (e.g., `uuid`, `pki`):
https://review.opendev.org/#/c/682265/
This is because `fernet` and `jws` tokens are completely non-persistent
by way of authenticated encryption and the keystone_cron container only
runs a cron job to execute `keystone-manage token_flush`, which prunes
expired tokens from keystone's token table. This cron job is useful for
deployments relying on `uuid`, `pki`, or some other out-of-tree provider
that requires tokens to be recorded for keystone's token validation
process.
This commit updates the validation to check for the token format and
only performs the validation if the token format isn't `fernet` or
`jws`.
Change-Id: Ib4d0a505021568975b79400d67fd709dd74e9acf
(cherry picked from commit 7547548a6b
)
This commit is contained in:
parent
328bb7345d
commit
3fd14c9960
|
@ -39,6 +39,7 @@
|
|||
:datadir: "/etc/puppet/"
|
||||
:hierarchy:
|
||||
- "common"
|
||||
- "service_configs"
|
||||
|
||||
- name: populate hiera content
|
||||
copy:
|
||||
|
@ -46,6 +47,12 @@
|
|||
content: |
|
||||
tripleo_undercloud_conf_file: /undercloud.conf
|
||||
|
||||
- name: populate service config content
|
||||
copy:
|
||||
dest: /etc/puppet/service_configs.yaml
|
||||
content: |
|
||||
"keystone::token_provider": "uuid"
|
||||
|
||||
- name: populate undercloud.conf
|
||||
copy:
|
||||
dest: /undercloud.conf
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
# Molecule managed
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
{% if item.registry is defined %}
|
||||
FROM {{ item.registry.url }}/{{ item.image }}
|
||||
{% else %}
|
||||
FROM {{ item.image }}
|
||||
{% endif %}
|
||||
|
||||
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
|
||||
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
|
||||
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
|
||||
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
|
||||
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
|
||||
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
|
||||
|
||||
{% for pkg in item.easy_install | default([]) %}
|
||||
# install pip for centos where there is no python-pip rpm in default repos
|
||||
RUN easy_install {{ pkg }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
CMD ["sh", "-c", "while true; do sleep 10000; done"]
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
driver:
|
||||
name: docker
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: centos7
|
||||
hostname: centos7
|
||||
image: centos:7
|
||||
override_command: true
|
||||
command: python -m SimpleHTTPServer 8787
|
||||
pkg_extras: python-setuptools python-enum34 python-netaddr epel-release ruby PyYAML
|
||||
easy_install:
|
||||
- pip
|
||||
environment: &env
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
|
||||
- name: fedora28
|
||||
hostname: fedora28
|
||||
image: fedora:28
|
||||
override_command: true
|
||||
command: python3 -m http.server 8787
|
||||
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
|
||||
environment:
|
||||
<<: *env
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_LIBRARY: "../../../../library"
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,44 @@
|
|||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
|
||||
tasks:
|
||||
- name: Skip validation when using fernet tokens
|
||||
block:
|
||||
- name: Set token format to fernet
|
||||
copy:
|
||||
dest: /etc/puppet/service_configs.yaml
|
||||
content: |
|
||||
"keystone::token_provider": "fernet"
|
||||
|
||||
- name: Ensure validation gracefully passes
|
||||
include_role:
|
||||
name: undercloud_tokenflush
|
||||
|
||||
- name: Skip validation when using jws tokens
|
||||
block:
|
||||
- name: Set token format to jws
|
||||
copy:
|
||||
dest: /etc/puppet/service_configs.yaml
|
||||
content: |
|
||||
"keystone::token_provider": "jws"
|
||||
|
||||
- name: Ensure validation gracefully passes
|
||||
include_role:
|
||||
name: undercloud_tokenflush
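Review bot: Both "Ensure validation gracefully passes" tasks only prove that include_role returned without error; nothing asserts that the crontab check was actually skipped rather than having run and passed for some other reason, so a regression that drops the `when` guard would go unnoticed. A negative case that writes `"keystone::token_provider": "uuid"` and wraps the include in `block`/`rescue`, expecting the role to fail because (as far as this scenario shows) no keystone_cron container exists in the test platform, would pin the guard from both sides. The fernet and jws blocks are also verbatim copies; a single task with `loop: ['fernet', 'jws']` and `loop_control: loop_var: token_provider`, writing `"keystone::token_provider": "{{ token_provider }}"` into the copy content before the include, would keep the two cases from drifting apart.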
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
gather_facts: false
|
||||
|
||||
tasks:
|
||||
- name: install hiera
|
||||
package:
|
||||
name: hiera
|
||||
|
||||
- name: create hiera tree
|
||||
file:
|
||||
path: /etc/puppet/
|
||||
state: directory
|
||||
|
||||
- name: lay down hiera data files
|
||||
copy:
|
||||
dest: /etc/puppet/hiera.yaml
|
||||
content: |
|
||||
:backends:
|
||||
- yaml
|
||||
:yaml:
|
||||
:datadir: "/etc/puppet/"
|
||||
:hierarchy:
|
||||
- "service_configs"
|
|
@ -1,29 +1,50 @@
|
|||
---
|
||||
- name: Get the path of tripleo undercloud config file
|
||||
- name: Fetch token provider
|
||||
become: true
|
||||
hiera: name="tripleo_undercloud_conf_file"
|
||||
hiera:
|
||||
name: keystone::token_provider
|
||||
|
||||
- name: Get the Container CLI from the undercloud.conf file
|
||||
become: true
|
||||
validations_read_ini:
|
||||
path: "{{ tripleo_undercloud_conf_file }}"
|
||||
section: DEFAULT
|
||||
key: container_cli
|
||||
ignore_missing_file: true
|
||||
register: container_cli
|
||||
- name: Check if keystone_cron container is available
|
||||
when:
|
||||
- ansible_facts['keystone::token_provider'] != 'fernet'
|
||||
- ansible_facts['keystone::token_provider'] != 'jws'
|
||||
block:
|
||||
|
||||
- name: Get keystone crontab
|
||||
become: true
|
||||
shell: |
|
||||
set -o pipefail
|
||||
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
|
||||
register: cron_result
|
||||
changed_when: false
|
||||
- name: Get the path of tripleo undercloud config file
|
||||
become: true
|
||||
hiera: name="tripleo_undercloud_conf_file"
|
||||
|
||||
- name: Check keystone crontab
|
||||
fail:
|
||||
- name: Get the Container CLI from the undercloud.conf file
|
||||
become: true
|
||||
validations_read_ini:
|
||||
path: "{{ tripleo_undercloud_conf_file }}"
|
||||
section: DEFAULT
|
||||
key: container_cli
|
||||
ignore_missing_file: true
|
||||
register: container_cli
|
||||
|
||||
- name: Get keystone crontab
|
||||
become: true
|
||||
shell: |
|
||||
set -o pipefail
|
||||
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
|
||||
register: cron_result
|
||||
changed_when: false
|
||||
|
||||
- name: Check keystone crontab
|
||||
fail:
|
||||
msg: >-
|
||||
keystone token_flush does not appear to be enabled via cron.
|
||||
You should add '<desired interval> keystone-manage token_flush'
|
||||
to the keystone users crontab."
|
||||
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
|
||||
|
||||
- name: Describe why token flush validation was skipped
|
||||
debug:
|
||||
msg: >-
|
||||
keystone token_flush does not appear to be enabled via cron.
|
||||
You should add '<desired interval> keystone-manage token_flush'
|
||||
to the keystone users crontab."
|
||||
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
|
||||
Skipping token flush validation since you are using a non-persistent
|
||||
token format ({{ ansible_facts['keystone::token_provider'] }}). You do
|
||||
not need a separate keystone_cron container to periodically prune tokens
|
||||
from keystone's database.
|
||||
when:
|
||||
- ansible_facts['keystone::token_provider'] == 'fernet' or ansible_facts['keystone::token_provider'] == 'jws'
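Review bot: The `when` on "Check if keystone_cron container is available" raises an undefined-variable error rather than skipping if the hiera lookup leaves `ansible_facts['keystone::token_provider']` unset, and the debug task repeats the same two values in negated form, so the two conditions can drift apart. A membership test with a default keeps them in sync and tolerates a missing key: `- ansible_facts['keystone::token_provider'] | default('') not in ['fernet', 'jws']` on the block and `- ansible_facts['keystone::token_provider'] | default('') in ['fernet', 'jws']` on the debug task. Whether the project's hiera module leaves the fact unset or returns a placeholder string when the key is absent is not visible in this hunk, so confirm that before relying on the default; if it returns a placeholder, the block still runs the crontab check, which is the conservative outcome for a persistent-token deployment.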
|
||||
|
|