Commit Graph

16 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov c0da2e5095 Fix linters issue and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
2023-08-07 06:55:22 +00:00
Jonathan Rosser a10d00766e Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible

Change-Id: If9dfa6aaa1e90856c6a4c074fd33b8e49b57a5fc
2021-03-21 20:48:54 +01:00
Jonathan Rosser 4e47093565 Update ansible metadata to indicate support for centos-8
Change-Id: I6b017720f933a06303916e8a1b437c3fb92b7ea6
2020-07-21 12:44:17 +00:00
Jean-Philippe Evrard 4731ec66db Clarify supported SUSE versions
This role only supports openSUSE Leap 15, not 42.3, not tumbleweed.
Saying all is confusing and a bad practice. This fixes it, while
ensuring the job is properly defined to test that assertion.

Change-Id: I679939edd56149a2aed29228e5215648956c60da
2019-05-14 11:47:47 +02:00
Mohammed Naser b3c79f944b debian: add ci and update meta
This patch adds the Debian jobs for this role to make sure
it's always passing as well as updates the meta to reflect
its support of Debian accordingly.

It also cleans up an old variable which is carried for upgrades
that is no longer relevant now.

A new variable has been added to ensure pre-packages, which
have been generally assumed to be installed as a base OS
package, have been installed before installing the application
or configuring the system via the role.

Depends-On: I135ea73604890eae5e9e2a7cdcab81b2b39ad426
Change-Id: I19094b540aff81b7aa029880e404a2990f82e538
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
2019-04-08 08:45:53 +01:00
Markos Chandras baa46072ea SUSE: Add support for openSUSE Leap 15
Change-Id: Ia5b86821ad3bc9458f7a474a13479939dd2ca21d
2018-09-13 15:08:07 +01:00
Jean-Philippe Evrard 07155035bf Add Bionic testing
Now that bionic testing is added into the tests repos, we can
start testing it in the repo.

Depends-On: https://review.openstack.org/#/c/566959/
Change-Id: I4fa2d7a793a2d410049879384a27c82779d9bac7
2018-05-14 20:54:05 +02:00
Jean-Philippe Evrard 60306a670a Add OpenStack-Ansible metadata
We need to add openstack ansible information in the role
metadata to be able to track role maturity. With it,
we can create a role maturity table and take decisions about
role deprecations.

The role status isn't "complete" because no functional test
of the role has been implemented.

Change-Id: Icdacd21c8ce320de31084c52730bf3b87fcb2aef
2017-10-11 08:37:32 +00:00
Jesse Pretorius 2470c01693 Remove unused/unnecessary haproxy_server vars/files
The repo/keys are left over from Newton/Trusty and
were not removed when Trusty support was removed.

The required packages were only necessary in order
to facilitate the repo addition.

The var haproxy_distro_packages is defined in all
distro-specific vars files, so its presence in
defaults is unnecessary.

The apt pinning meta dependency is no longer
required - it's another leftover from Ubuntu Trusty.
A task is included to remove the old config files.

Change-Id: I912cd170d05c4a9befe3420971ddf68ff2ddde2b
2017-08-21 13:21:58 +01:00
Jesse Pretorius ebae945f31 Use package module to install distro packages
Consolidate distro package install tasks into a
single task using the package module and pass
the package list into the name instead of using
a with_items loop. Tidy up some other tasks to
reduce task file sprawl and consolidate some
task actions.

The minimum Ansible version is raised to 2.2 due to a
known bug [1] in Ansible's apt module which does not
update the cache properly if the cache update and the
install are combined in a single task.

[1] https://github.com/ansible/ansible-modules-core/issues/1497

Change-Id: I3717867208f1c379f0eda74e19c064a4b697cc53
2017-05-02 14:33:59 +00:00
Markos Chandras d1b52f012c Add openSUSE Leap support
Add support for the openSUSE Leap distribution

Change-Id: I70b4d118f44c2090e48955effab44189866fbb41
2017-03-22 14:58:04 +00:00
Andy McCrae 6380766d0a Remove Trusty support for haproxy_server role
Change-Id: Ia299c8e4b534c611458b7e136367d4ed68637433
Implements: blueprint trusty-removal
2016-12-15 13:13:14 +00:00
Kevin Carter 4510d37dcd Update HAProxy for multi-OS support
This change implements CentOS7 and Ubuntu 16.04 support for the HAProxy
role. Because RHEL does not package HATop the installation of HATop has
been moved to a source installation so that it can be used universally.

Implements: blueprint multi-platform-host
Change-Id: Ib4f33185202b694b9611cc5fd6323c30a1c8d489
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-05-27 11:12:17 +00:00
Jesse Pretorius dd43fba828 Keystone SSL cert/key distribution and configuration
This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.

* A new boolean variable called 'keystone_ssl' enables/disables
  the configuration of SSL for the Keystone service.

* The server key/certificate (and optionally a CA cert) are
  distributed to all keystone containers and used for the setup
  of SSL endpoints if the appropriate protocol is set.

* The internal/public and the admin endpoints can be set to be
  served via http or https separately via the
  'keystone_service_*_proto' variables.

* The logic to determine the appropriate load balancing
  configuration based on the Keystone endpoint protocol has
  been implemented in the haproxy vars.

* Two new variables have been implemented for a user-provided
  server key and certificate:
  - keystone_user_ssl_cert: <path to cert on deployment host>
  - keystone_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, but a Keystone endpoint
  has been configured for SSL, then the missing cert/key
  will be self generated on the first Keystone container and
  distributed to the other containers.

* A new variable has been implemented for a user-provided CA
  certificate:
  - keystone_user_ssl_ca_cert: <path to cert on deployment host>

* A new variable called 'keystone_ssl_self_signed_subject' has
  been implemented to allow the user to override the certificate
  properties, such as the CN and subjectAltName.

Upgrade notes:

* The SSL-based client authentication configuration in Apache
  has been removed as it appears to be unused.

* The minimum Ansible version for the os_keystone and
  haproxy_server roles has been increased to v1.9.0 as it's
  the minimum version that supports ternary filters.

* The boolean 'keystone_ssl_enabled' has been renamed to
  'keystone_ssl'. This maintains a pattern set in the haproxy
  role for enablement of ssl offloading in the load balancer.

* The Apache configuration appropriately implements the
  'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
  directive in order to ensure that the appropriate signing
  certificate is provided to the browser.

* The 'keystone_self_signed_regen' variable has been renamed
  to 'keystone_ssl_self_signed_regen'.

* The default names for the deployed keys/certificates have been
  changed:
  - /etc/ssl/certs/apache.cert  > /etc/ssl/certs/keystone.pem
  - /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key

DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
2015-08-19 07:51:09 +00:00
Kevin Carter 2837510697 added role to pin packages
This new role is now providing the ability for a user to pin apt
packages as they see fit. The idea is to allow someone to implement
pinning in a generic way that can be represented as a global variable
or as a hostvar. The new role has been added to all install roles as
a dependency which will allow it to ensure that packages are pinned
everywhere as would be expected.

Change-Id: I354e8515570fa7174366ba57d57aece3c304568e
2015-05-08 13:22:42 -05:00
Kevin Carter a2c6594a70 Convert existing roles into galaxy roles
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.

Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
  simplistic approach. This change duplicates code within the roles but
  ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
  OpenStack practices.
* Dynamically generated inventory is now more organized, this should assist
  anyone who may want or need to dive into the JSON blob that is created.
  In the inventory a properties field is used for items that customize containers
  within the inventory.
* The environment map has been modified to support additional host groups to
  enable the separation of infrastructure pieces. While the old infra_hosts group
  will still work this change allows for groups to be divided up into separate
  chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
  variables extracted into the separate file
  etc/openstack_deploy/user_secrets.yml in order to allow separate
  security settings on that file.

Items Excised:
* All of the roles have had the LXC logic removed from within them which
  should allow roles to be consumed outside of the `os-ansible-deployment`
  reference architecture.

Note:
* the directory rpc_deployment still exists and is presently pointed at plays
  containing a deprecation warning instructing the user to move to the standard
  playbooks directory.
* While all of the Rackspace specific components and variables have been removed
  and/or were refactored, the repository still relies on an upstream mirror of
  OpenStack built python files and container images. This upstream mirror is hosted
  at Rackspace at "http://rpc-repo.rackspace.com" though this is
  not locked to and/or tied to Rackspace specific installations. This repository
  contains all of the needed code to create and/or clone your own mirror.

DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
2015-02-18 10:56:25 +00:00