By overriding the variable `barbican_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the barbican backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I68abd8b2c63231ece3b7184d6e52168cee5ce3d1
At the moment we don't restart services if the systemd unit file is changed.
We knowingly prevent systemd_service role handlers from executing
by providing `state: started`, as otherwise the service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: Id81230eb8b26f7c666d053d70230149fa93c7822
As per the community goal of migrating the policy file
format from JSON to YAML [1], we need to replace policy.json with
policy.yaml and remove the deprecated policy.json.
config_template has been chosen instead of copy, since it can
properly handle content that has been looked up.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I9d26b1b4a14360a8b38d6df19621b474c6391de9
Since the handler was added for upgrade purposes, we can drop it now.
We also remove unused barbican_apache_* variables since we migrated
to uwsgi several releases ago.
Change-Id: Ib19834a1ae4751f7439afaabb532220f873e4b8f
This patch adds an option to easily enable barbican extra services.
It replaces the barbican service with barbican-api with the same functionality.
Change-Id: I76494288e17f1801b4f1055cbb4d9b6b4bd4f475
If there is no policy override configured, but a policy.json
file is present, then it's likely left over from a previous
build. To ensure that we do not carry legacy configuration
files which override the policy-in-code we remove the legacy
file. This is done on restart to ensure that the policy still
applies until the code is updated.
Change-Id: I7faade8b736e9722e986909dd688b628d2cc65e0
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.
We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.
This is by no means the final stop in the simplification
process, but it is a step forward. There will be work to follow
which:
1. Replaces 'developer mode' with an equivalent mechanism
that uses the common role and is simpler to understand.
We will also simplify the provisioning of pip install
arguments when doing this.
2. Simplifies the installation of optional pip packages.
Right now it's more complicated than it needs to be due
to us needing to keep the py_pkgs plugin working in the
integrated build.
3. Deduplicates the distro package installs. Right now the
role installs the distro packages twice - just before
building the venv, and during the python_venv_build role
execution.
Depends-On: https://review.openstack.org/598957
Change-Id: I1b07bbdfc5ddbc42b40daf00da5ebbc7502eeccf
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.
The systemd journal would normally be populated with the standard out of
a service; however, with the use of uwsgi this is not actually happening,
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.
OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>
Change-Id: Ic5b57a650bd9f5c385ed0a0a3efd1d530a2d7e81
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: I0c541a43021e1eb15f04dbe2c48e6e8a46d58a4a
During upgrades, if the systemd unit is not reloaded, then the
service is restarted with the existing definition which means
that the new service is never started.
Change-Id: I2dd01cffa14eed4c5982dc93395622a00b8ac4c6
Using ansible systemd module to daemon reload and service reload
is the solution for the future. Let's embrace it!
Change-Id: I808c72fbea6353da102f4d4569b446ec9fbe8df1
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
In order to make it easier to differentiate between the lists of
python packages, distribution packages, downloaded packages,
package pins and other similar variables the variable names are
being changed to ensure that they have a more explicit suffix
that defines the purpose and makes the naming more consistent.
This is to facilitate a lookup plugin which will be able to look
up all the package lists and present them as a consolidated piece
of data which may be used for artifact preparation.
Change-Id: I9f20c6c53709202fe09f38ffe20f96e860ba188a
The role had no previous support for installation in a virtualenv
Change-Id: I176f811e5ec7e0705037f53997f28bdbed40f0d9
Implements: blueprint only-install-venvs