This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
Change-Id: Ia51971c077cef647c3d4e07d6cbc14b7bac70788
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: I707dd7ccaa112cc11c3ee32c3fc8029352c8649a
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: I4585a4aad7acf48080e6b2d73bf3e0c2e0dfbff7
By overriding the variable `barbican_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the barbican backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I68abd8b2c63231ece3b7184d6e52168cee5ce3d1
At the moment we don't restart services if systemd unit file is changed.
We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: Id81230eb8b26f7c666d053d70230149fa93c7822
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I629dbe6b0cacc767653ca7ee988e5e931708cc55
With [1] we've updated barbican api paste file and added healthcheck
bit. However, it was missed to add /healthcheck to main, so it was not
working at the end.
[1] 78a1984517
Change-Id: I7d61d990b973bea538c7ca2ae059f8bea1bb2039
We've used a quite old version of api-paste file for Barbican that
did not support microversion or healthcheck.
Change-Id: I612315a459e891725850743e0af20e7934319577
This line snuck in with I8efdef7687c46d490e0f7a7a00a7f1ca6c32289f
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: Idbe06bb3a799ab3043a6356903d37896a3d3010a
This patch updates Barbican documentation to reflect a
working nCipher Connect HSM backend configuration. Out of
scope are the Security World software install and any changes
to cknfastrc that might be required or necessary.
Change-Id: I0c7ddb7dad74efc0bc932f9a8600661b775a952a
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I6a5e16a4fc2a81dedc4bc459f13ac7781292f5a8
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None value is not valid and should
not be used.
Change-Id: Iab6ae5aad622051222816985aabecf5a01aacb8f
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I8efdef7687c46d490e0f7a7a00a7f1ca6c32289f
The python_venv_build role is responsible for setting up the build
environment for python wheels so this role should not install
python development packages
Change-Id: Ice9f3b1484323b611bb12eb6cdc6a6f1f1dfee95
Whilst enabling TLS v1.3 in other roles these variables were noted
which don't appear to be used anywhere in the role.
Change-Id: I6b06486328ec0af05a17272be99a14911be9f4f7
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ic58f085c8b1250b1db831fa8c74215abd2519704
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: I59d063df6b8e165bc1f1026562a0f0be45f1feaf
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: Ia55488a9fcc6b2824276bf824197ae8ea7af0177
When barbican uses PKCS#11 crypt plugin, libCryptoki2 library tends to
search for Chrystoki.conf inside /etc by default. At the same time it's
tricky to place file there at once since appropriate permissions could
not always be set for files that reside directly in /etc.
As a workaround to this Chrystoki.conf can be placed inside /opt and
symlinked to /etc to satisfy library.
Change-Id: I6267d3b65f514c4ad4cb5494f111463e685b6fbb
We've created integrated linters check job a while back and it's successfully
working for several releases. At the moment we experience difficulties
with future maintenance of the linters check from the openstack-ansible-tests
repo. So instead of fixing current one, we replace it with modern version of
the test.
Change-Id: I5fd4c274a43fb161b6b5996c75d14de415e72d45
As per the community goal of migrating the policy file
format from JSON to YAML [1], we need to replace policy.json with
policy.yaml and remove deprecated policy.json.
config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I9d26b1b4a14360a8b38d6df19621b474c6391de9
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Ibf3f1c2670288aa00469126d2ce74ac00954094a
We add some extra description about how barbican configuration
can be done, with samples of integrations configs for PKCS#11 and
Vault store backends.
Change-Id: I985810384f2296484d2dbbe17a93dddece62ce09