Commit Graph

468 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov ea5e1adf63 Add quorum support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

Change-Id: Ia51971c077cef647c3d4e07d6cbc14b7bac70788
2023-09-28 14:25:08 +00:00
Jonathan Rosser 3cd93dc6f2 Fix example playbook linter errors
Change-Id: I71c9b4d7afc1244f4f375df99651ccb5d77b0c72
2023-09-28 15:24:30 +01:00
Zuul d461cff5db Merge "Use proper galera port in configuration" 2023-08-14 10:53:42 +00:00
Dmitriy Rabotyagov 029ea741f7 Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: I707dd7ccaa112cc11c3ee32c3fc8029352c8649a
2023-08-07 07:02:48 +00:00
Dmitriy Rabotyagov 1f95cd900e Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I4585a4aad7acf48080e6b2d73bf3e0c2e0dfbff7
2023-07-14 05:49:48 +00:00
Damian Dabrowski 4f785b4e5f Add TLS support to barbican backends
By overriding the variable `barbican_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the barbican backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I68abd8b2c63231ece3b7184d6e52168cee5ce3d1
2023-04-29 18:35:45 +02:00
Dmitriy Rabotyagov f1e6a2448d Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.

We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.

Change-Id: Id81230eb8b26f7c666d053d70230149fa93c7822
2023-04-10 15:40:16 +02:00
Zuul e697ab8393 Merge "Add /healthcheck to main" 2022-12-13 16:27:46 +00:00
OpenStack Release Bot 4ed7119125 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I629dbe6b0cacc767653ca7ee988e5e931708cc55
2022-12-13 13:11:56 +00:00
Dmitriy Rabotyagov 18b6ba3b5a Add /healthcheck to main
With [1] we've updated barbican api paste file and added healthcheck
bit. However, it was missed to add /healthcheck to main, so it was not
working at the end.

[1] 78a1984517

Change-Id: I7d61d990b973bea538c7ca2ae059f8bea1bb2039
2022-12-13 11:33:05 +01:00
Dmitriy Rabotyagov 78a1984517 Update barbican api paste
We've used quite old version of api-paste file for Barbican that
did not support microversion or healthcheck.

Change-Id: I612315a459e891725850743e0af20e7934319577
2022-11-14 16:42:47 +01:00
Erik Berg 27ecbea2b7 Remove redundant vars line
This line snuck in with I8efdef7687c46d490e0f7a7a00a7f1ca6c32289f
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.

Change-Id: Idbe06bb3a799ab3043a6356903d37896a3d3010a
2022-09-14 13:11:53 +02:00
James Denton 891a9a7ad6 Entrust nCipher Connect HSM Backend Example
This patch updates Barbican documentation to reflect a
working nCipher Connect HSM backend configuration. Out of
scope are the Security World software install and any changes
to cknfastrc that might be required or necessary.

Change-Id: I0c7ddb7dad74efc0bc932f9a8600661b775a952a
2022-07-29 07:51:26 -05:00
Dmitriy Rabotyagov cb6c38ab92 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I6a5e16a4fc2a81dedc4bc459f13ac7781292f5a8
2022-06-15 17:40:02 +02:00
Dmitriy Rabotyagov e5e1a59e05 Switch sphinx language to en
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None value is not valid and should
not be used.

Change-Id: Iab6ae5aad622051222816985aabecf5a01aacb8f
2022-05-30 16:01:20 +02:00
OpenStack Proposal Bot 3455b7c397 Updated from OpenStack Ansible Tests
Change-Id: I9a255c27bb968b6d205fdf429873ec5051fc27a8
2022-04-04 09:17:07 +00:00
Jonathan Rosser b9da0884b7 Cleanup setup.py config
Change-Id: I0a519a5de81b2f83a342bd806e5fd4fc71aa41d4
2022-04-04 10:16:27 +01:00
Zuul a9bbd610ad Merge "Remove legacy policy.json cleanup handler" 2022-02-03 19:14:32 +00:00
Zuul 836abe3eb4 Merge "Remove SSL variables which appear to be unused" 2022-02-03 19:09:01 +00:00
Jonathan Rosser 02fefcce4e Remove legacy policy.json cleanup handler
Change-Id: I1868ec2320ca057ed4c47d6ddaa56f07b91f0a59
2022-02-02 04:05:28 -05:00
Zuul d82bd1c08d Merge "Use common service setup tasks from a collection rather than in-role" 2022-01-13 13:22:37 +00:00
Jonathan Rosser 4c2980de6c Use common service setup tasks from a collection rather than in-role
Change-Id: Icbb2be9eda5d53c4262a36d7849defc3bf8fffad
2022-01-12 18:27:35 +00:00
Zuul eba6d98dc9 Merge "Refactor use of include_vars" 2022-01-12 15:34:23 +00:00
Jonathan Rosser 31a0cee802 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I8efdef7687c46d490e0f7a7a00a7f1ca6c32289f
2022-01-12 08:41:16 +00:00
Jonathan Rosser 7fc659b0dd Do not install python development packages
The python_venv_build role is responsible for setting up the build
environment for python wheels so this role should not install
python development packages

Change-Id: Ice9f3b1484323b611bb12eb6cdc6a6f1f1dfee95
2022-01-11 11:36:21 -05:00
Andrew Bonney 38c3964255 Remove SSL variables which appear to be unused
Whilst enabling TLS v1.3 in other roles these variables were noted
which don't appear to be used anywhere in the role.

Change-Id: I6b06486328ec0af05a17272be99a14911be9f4f7
2022-01-10 10:54:29 +00:00
OpenStack Proposal Bot e071fe0e5a Updated from OpenStack Ansible Tests
Change-Id: I72457c646cbc610b9683c08ed8fa5292bb7938e6
2021-12-17 16:45:24 +00:00
OpenStack Proposal Bot 2c7d9c0cb1 Updated from OpenStack Ansible Tests
Change-Id: Id621cd0d1f58343f53d343fc833b838625bbde36
2021-12-04 17:39:33 +00:00
Damian Dabrowski 3e642f2f72 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ic58f085c8b1250b1db831fa8c74215abd2519704
2021-12-03 11:39:55 +01:00
Dmitriy Rabotyagov f34ec895b9 Use config_template as a collection
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814

Change-Id: I59d063df6b8e165bc1f1026562a0f0be45f1feaf
2021-11-30 15:17:13 +02:00
Zuul 8dbcc8d0ca Merge "Refactor galera_use_ssl behaviour" 2021-10-06 13:00:10 +00:00
Dmitriy Rabotyagov 13042f76c3 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: Ia55488a9fcc6b2824276bf824197ae8ea7af0177
2021-09-17 17:00:33 +03:00
likui 5f57e71ed8 Changed minversion in tox to 3.18.0
The patch bumps min version of tox to 3.18.0 in order to
replace tox's whitelist_externals by allowlist_externals option:
https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23

Change-Id: Ie0ecf45a31353957132e743a05a794be967bb124
2021-07-03 21:13:53 +08:00
Dmitriy Rabotyagov 05c5ab38e4 Allow to symlink barbican_user_libraries
When barbican uses PKCS#11 crypt plugin, libCryptoki2 library tends to
search for Chrystoki.conf inside /etc by default. At the same time it's
tricky to place file there at once since appropriate permissions not
always could be set for files that reside directly in /etc.
As a workaround to this Chrystoki.conf can be placed inside /opt and
symlinked to /etc to satisfy library.

Change-Id: I6267d3b65f514c4ad4cb5494f111463e685b6fbb
2021-06-24 20:05:51 +03:00
Dmitriy Rabotyagov 9375d4d1d6 Replace linters test with integrated one
We've created integrated linters check job a while back and it's successfully
working for several releases. At the moment we experience difficulties
with future maintenance of the linters check from the openstack-ansible-tests
repo. So instead of fixing current one, we replace it with modern version of
the test.

Change-Id: I5fd4c274a43fb161b6b5996c75d14de415e72d45
2021-05-21 15:52:21 +03:00
Zuul 983f7a639d Merge "Add variables for rabbitmq ssl configuration" 2021-05-18 16:12:46 +00:00
Jonathan Rosser 55595fa93e Add variables for rabbitmq ssl configuration
Change-Id: I69b5d844e5fd20bc8078910f27999f4ece66f47f
2021-05-17 07:55:24 +00:00
Zuul c7a15e8987 Merge "Updated from OpenStack Ansible Tests" 2021-04-19 13:48:11 +00:00
Zuul b17610891d Merge "[goal] Deprecate the JSON formatted policy file" 2021-04-19 10:43:12 +00:00
OpenStack Proposal Bot ec6d452ba4 Updated from OpenStack Ansible Tests
Change-Id: I812d73afef6c07953f3772bf2d383d9688acdf4e
2021-04-19 09:56:49 +00:00
Dmitriy Rabotyagov e5535186a2 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML [1], we need to replace policy.json with
policy.yaml and remove deprecated policy.json.

config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I9d26b1b4a14360a8b38d6df19621b474c6391de9
2021-04-06 11:10:07 +00:00
OpenStack Proposal Bot 99c016c3a2 Updated from OpenStack Ansible Tests
Change-Id: I4c24eb1a4bbe78630135b1ff8361b98a46e361e2
2021-03-22 08:46:09 +00:00
Jonathan Rosser 5f62076c0e Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I45f7032da03ae5b74924b8d1355ed3f72a0830aa
2021-03-16 07:59:45 +00:00
OpenStack Proposal Bot d75fec6e0f Updated from OpenStack Ansible Tests
Change-Id: Ie80412f07ad98d7de61f93ea6f2fe971e9e090dd
2021-03-12 22:17:40 +00:00
Zuul a3ba2ef0ae Merge "Remove references to unsupported operating systems" 2021-03-11 10:40:06 +00:00
Jonathan Rosser cbb08b0125 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible

Change-Id: Ibf3f1c2670288aa00469126d2ce74ac00954094a
2021-03-10 18:38:06 +00:00
Jonathan Rosser fe9a859de5 Switch default virtualenv to python3
Change-Id: I3e52273517a8857446a0446aa8229ce86c21d261
2021-03-10 08:42:00 +00:00
Dmitriy Rabotyagov d681cd30fc [doc] Add barbican configuration page
We add some extra description about how barbican configuration
can be done, with samples of integrations configs for PKCS#11 and
Vault store backends.

Change-Id: I985810384f2296484d2dbbe17a93dddece62ce09
2021-02-17 18:20:15 +00:00
Dmitriy Rabotyagov 89201715a4 Fix crypto_plugin definition
Change-Id: I4cabd8a9a89a24c3a3a64efcbc8758bb32bbb752
2021-02-11 12:49:52 +00:00
Zuul 67b3512613 Merge "Move barbican pip packages from constraints to requirements" 2021-01-26 19:22:56 +00:00