With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: If9dfa6aaa1e90856c6a4c074fd33b8e49b57a5fc
This role only supports openSUSE Leap 15, not 42.3, not tumbleweed.
Saying all is confusing and a bad practice. This fixes it, while
ensuring the job is properly defined to test that assertion.
Change-Id: I679939edd56149a2aed29228e5215648956c60da
This patch adds the Debian jobs for this role to make sure
it's always passing as well as updates the meta to reflect
its support of Debian accordingly.
It also cleans up an old variable which is carried for upgrades
that is no longer relevant now.
A new variable has been added to ensure pre-packages, which
have been generally assumed to be installed as a base OS
package, have been installed before installing the application
or configuring the system via the role.
Depends-On: I135ea73604890eae5e9e2a7cdcab81b2b39ad426
Change-Id: I19094b540aff81b7aa029880e404a2990f82e538
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Now that bionic testing is added into the tests repos, we can
start testing it in the repo.
Depends-On: https://review.openstack.org/#/c/566959/
Change-Id: I4fa2d7a793a2d410049879384a27c82779d9bac7
We need to add openstack ansible information in the role
metadata to be able to track role maturity. With it,
we can create a role maturity table and take decisions about
role deprecations.
The role status isn't "complete" because no functional test
of the role has been implemented.
Change-Id: Icdacd21c8ce320de31084c52730bf3b87fcb2aef
The repo/keys are left over from Newton/Trusty and
were not removed when Trusty support was removed.
The required packages were only necessary in order
to facilitate the repo addition.
The var haproxy_distro_packages is defined in all
distro-specific vars files, so its presence in
defaults is unnecessary.
The apt pinning meta dependency is no longer
required - it's another leftover from Ubuntu Trusty.
A task is included to remove the old config files.
Change-Id: I912cd170d05c4a9befe3420971ddf68ff2ddde2b
Consolidate distro package install tasks into a
single task using the package module and pass
the package list into the name instead of using
a with_items loop. Tidy up some other tasks to
reduce task file sprawl and consolidate some
task actions.
The minimum Ansible version is raised to 2.2 due to a
known bug [1] in Ansible's apt module which does not
update the cache properly if the cache update and the
install are combined in a single task.
[1] https://github.com/ansible/ansible-modules-core/issues/1497
Change-Id: I3717867208f1c379f0eda74e19c064a4b697cc53
This change implements CentOS7 and Ubuntu 16.04 support for the HAProxy
role. Because RHEL does not package HATop the installation of HATop has
been moved to a source installation so that it can be used universally.
Implements: blueprint multi-platform-host
Change-Id: Ib4f33185202b694b9611cc5fd6323c30a1c8d489
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.
* A new boolean variable called 'keystone_ssl' enables/disables
the configuration of SSL for the Keystone service.
* The server key/certificate (and optionally a CA cert) are
distributed to all keystone containers and used for the setup
of SSL endpoints if the appropriate protocol is set.
* The internal/public and the admin endpoints can be set to be
served via http or https separately via the
'keystone_service_*_proto' variables.
* The logic to determine the appropriate load balancing
configuration based on the Keystone endpoint protocol has
been implemented in the haproxy vars.
* Two new variables have been implemented for a user-provided
server key and certificate:
- keystone_user_ssl_cert: <path to cert on deployment host>
- keystone_user_ssl_key: <path to cert on deployment host>
If either of these is not defined, but a Keystone endpoint
has been configured for SSL, then the missing cert/key
will be self generated on the first Keystone container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- keystone_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'keystone_ssl_self_signed_subject' has
been implemented to allow the user to override the certificate
properties, such as the CN and subjectAltName.
Upgrade notes:
* The SSL-based client authentication configuration in Apache
has been removed as it appears to be unused.
* The minimum Ansible version for the os_keystone and
haproxy_server roles has been increased to v1.9.0 as it's
the minimum version that supports ternary filters.
* The boolean 'keystone_ssl_enabled' has been renamed to
'keystone_ssl'. This maintains a pattern set in the haproxy
role for enablement of ssl offloading in the load balancer.
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The 'keystone_self_signed_regen' variable has been renamed
to 'keystone_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key
DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
This new role is now providing the ability for a user to pin apt
packages as they see fit. The idea is to allow someone to implement
pinning in a generic way that can be represented as a global variable
or as a hostvar. The new role has been added to all install roles as
a dependency which will allow it to ensure that packages are pinned
everywhere as would be expected.
Change-Id: I354e8515570fa7174366ba57d57aece3c304568e
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
Openstack practices.
* Dynamically generated inventory is now more organized, this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the separation of infrastructure pieces. While the old infra_hosts group
will still work this change allows for groups to be divided up into separate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow separate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and or were refactored the repository still relies on an upstream mirror of
Openstack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e