By overriding the variable `aodh_backend_ssl: True`, HTTPS will
be enabled, disabling HTTP support on the aodh backend API.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ibb4d7b465f07fff6c172b38aa647fd8d6a4fcd43
This line snuck in with I6e1931e55c3b492ea0b5eb6e093c7cb5f5e826ac
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: Ia84ef13bb31b52e7f3875ed731cf06ddbcdb5951
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I6e1931e55c3b492ea0b5eb6e093c7cb5f5e826ac
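
The lookup change described in the commit message above, sketched as an added example (not the role's own task file; the task names and the file name patterns are assumptions made for illustration):

```yaml
# Added illustration, not taken from the role. File name patterns are assumed.

# Before: a with_first_found loop. The relative file names are resolved
# through the task's search path, so a vars file shipped by a calling
# parent role can match first, as the commit message describes.
- name: Gather variables for each operating system (before)
  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] }}.yml"
    - "{{ ansible_facts['os_family'] | lower }}.yml"
  tags:
    - always

# After: a first_found lookup with an explicit 'paths' list. Only files
# under this role's own vars/ directory are candidates, whatever role
# called it.
- name: Gather variables for each operating system (after)
  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
  vars:
    params:
      files:
        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] }}.yml"
        - "{{ ansible_facts['os_family'] | lower }}.yml"
      paths:
        - "{{ role_path }}/vars"
  tags:
    - always
```
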
Since we still use ceph-ansible, which has its own implementation of
the config_template module, it's worth using the mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: I8012108a59b52156fefc0d73011465066f922c4e
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variables files are generalised where possible.
Depends-On: Ia88b8e606a19ad8ee20665e125df1079b0a771ff
Change-Id: I88c4317a711ec9c8e00b13a2f4deede1e53830b1
When we were migrating service to uwsgi usage, we clean forgot to
trigger uwsgi restart on service config change.
Change-Id: I267740e0a2c342e1ac3277a236d8a7f23830134b
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: I1171b6a45563e4eccf45e8840e5dd332001ff3b7
We use the same condition, which defines what host some "service"
tasks should run against, several times. It's hard to keep it the same
across the role and Ansible spends additional resources to evaluate
it each time, so it's simpler and better for maintenance to set
a boolean variable which will say for all tasks that we want to run
only against a single host, whether they should run or not now.
Change-Id: Ia57c07c583be6e3fb9582b1d4a2da0deb4854154
This patch moves aodh-api from usage of apache with mod_wsgi
to uWSGI role, which means unification across other roles and
reduced maintenance costs.
During the migration period, tasks that ensure apache won't listen
on panko_service_port are present, but they are supposed to be removed
after the Train release.
Depends-On: https://review.opendev.org/678025/
Change-Id: I9377d46b4b79f79dbf448b23c67ff21b80714b6c
This patch refactors the openstack user/service/endpoints creation to
service_setup.yml which will eventually be managed by
openstack-ansible-tests.
Depends-On: https://review.opendev.org/674295/
Change-Id: I7c0dac84dd127a9c33a8a3eb97d547e3d04497f5
This patch refactors the database creation to db_setup.yml which
will eventually be managed by openstack-ansible-tests.
This also re-orders the mq_setup to be done earlier so these system
level dependencies are ready before service activation.
Change-Id: I3f459958e7d420e7adfc6f3747080e3fc20f59d7
The variables aodh_developer_mode and aodh_venv_download
no longer carry any meaning. This review changes glance to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.
As part of this, we move the source build out of its own file
because it's now a single task to include the venv build role.
This is just to make it easier to follow the code.
Change-Id: I04e119c1404d8681ef7e5d964c95fbeb8970756b
The private option on include role was never implemented and
will no longer be developed. This change removes the option
so ansible no longer raises a deprecation warning.
Change-Id: Ic6d9833c3f801476890ba4313f9ea3860cef155a
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
It is possible that the hostname of the system does not match the
one in the inventory which means that the delegate_to or the
comparison to inventory_hostname will fail in the tasks later.
Change-Id: I811fa941aa18352fc410f578d849a68ad0d50bfe
In order to enable the service setup host python interpreter to
be changed easily, we make it a variable. This will be useful
when someone sets the service setup host to be the utility
container, because we'll be able to set this var by default.
Depends-On: https://review.openstack.org/632125
Change-Id: I8ab51d6035d06fea1ee1d7d6427be03115f41924
Currently the devel packages are installed everywhere,
but they only need to be where the wheels are built.
Also, there is already a task to install the packages
needed on the target hosts when installing - so we do
not need to give the same list to the venv install role
because they will already have been installed.
Change-Id: I59394c17c8a5475cc41b583268e45df1da561e7d
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.
We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.
This is by no means the final stop in the simplification
process, but it is a step forward. There will be work to follow
which:
1. Replaces 'developer mode' with an equivalent mechanism
that uses the common role and is simpler to understand.
We will also simplify the provisioning of pip install
arguments when doing this.
2. Simplifies the installation of optional pip packages.
Right now it's more complicated than it needs to be due
to us needing to keep the py_pkgs plugin working in the
integrated build.
3. Deduplicates the distro package installs. Right now the
role installs the distro packages twice - just before
building the venv, and during the python_venv_build role
execution.
Depends-On: https://review.openstack.org/598957
Change-Id: I4cee1b0b7d5bc3fa53052dabe66e6acdb69afd18
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
The use of 'include_tasks' and a loop of variables creates
a situation where a user is unable to use tags to scope the
inclusion of only the MQ tasks when running the playbooks.
The use-case this is important for is when the rabbitmq
containers are destroyed and rebuilt in order to resolve
an issue with them, and the user wishes to quickly recreate
all the vhosts/users.
Ansible's 'include_tasks' is a dynamic inclusion, and dynamic
inclusions are not included when using tags. The nice thing
about dynamic inclusions is that they completely skip all
tasks when the condition does not apply, cutting down deploy
time. However, given the use-case, we should rather take on
the extra deployment time.
This patch changes the dynamic inclusion to a static one,
adds a 'common-mq' tag to cover all MQ implementations,
and re-implements the 'common-rabbitmq' tag for the tasks
that relate to RabbitMQ specifically.
It also implements conditionals for each task set so that
the rpc/notify tasks can be skipped if a vhost/user is not
required for that purpose (eg: swift does not use RPC, and
most roles will not use notifications by default).
Depends-On: https://review.openstack.org/588191
Change-Id: I02b3d5adff04783f36d0be60637e63d1fcffac34
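
The switch from dynamic to static inclusion described in the commit message above, sketched as an added example (not the role's own tasks; the file names and the `example_*` variables are hypothetical):

```yaml
# Added illustration, not taken from the role. File names and the
# example_* variables are hypothetical.

# Before: dynamic include driven by a loop. Tags placed on include_tasks
# apply to the include task itself, not to the tasks inside the file, so
# `ansible-playbook ... --tags common-rabbitmq` cannot select the MQ
# tasks on their own.
- name: Include MQ setup tasks (dynamic)
  ansible.builtin.include_tasks: mq_setup.yml
  loop: "{{ example_mq_setups }}"
  when: item.enabled | bool

# After: static imports, one per purpose. import_tasks is resolved at
# parse time, cannot be looped, and passes its tags and 'when' down to
# every imported task, so the tag selects them directly.
- name: Import MQ setup tasks for RPC (static)
  ansible.builtin.import_tasks: mq_setup.yml
  vars:
    example_mq_purpose: rpc
  when: example_rpc_required | bool      # skipped when no RPC vhost/user is needed
  tags:
    - common-mq

- name: Import MQ setup tasks for notifications (static)
  ansible.builtin.import_tasks: mq_setup.yml
  vars:
    example_mq_purpose: notify
  when: example_notify_required | bool   # skipped when notifications are unused
  tags:
    - common-mq

# Inside mq_setup.yml, the tasks that relate to RabbitMQ specifically
# would additionally carry the 'common-rabbitmq' tag.
```
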
The systemd journal would normally be populated with the standard out of
a service; however, with the use of uwsgi this is not actually happening,
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.
OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>
Change-Id: I7bd5419e7f02593a16614746a974b5f8ab3aa504
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.
The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.
Change-Id: Ia05fc004e11eada426bc81c45bbc3732b9126bbe