Commit Graph

369 Commits

Author SHA1 Message Date
Andrew Bonney 47bd365532 Re-distribute fernet keys when re-building the primary
Currently when re-building the keystone primary node, a new set
of fernet keys will be created as none exists, despite keys
existing on the secondary nodes.

This patch uses a similar approach to the credential key
distribution where other nodes are checked for keys if none exist
on the first play host. In this case an rsync is performed to
distribute the keys correctly before proceeding.

Change-Id: I92434276aef54805e5cee56e1d22821e11245fe4
2024-02-01 09:36:14 +00:00
Dmitriy Rabotyagov bb62cf36c6 Cleanup upgrade to ssh_keypairs step
We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.

Change-Id: I2c73f087b48fd3e664e0b339f2fb2b77b208f6c5
2023-10-19 10:43:21 +02:00
Dmitriy Rabotyagov a51651213d Install distro_packages in pre-main
Main tasks are executed in a serial manner, so all keystone containers
except the first one end up not having rsync and sshd installed, while
we attempt to distribute fernet tokens once running against first host.

So we move installation of distro_packages to pre-main step
that is run in advance without serial approach.

This is alternative approach to [1].

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889936

Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/889945
Change-Id: Ia53932f60d271b8f2843b880e024caacc7ae5c3f
2023-09-05 06:30:42 +00:00
Dmitriy Rabotyagov 9ca29f5754 Stop referring to _member_ role
Keystone has stopped providing or referring to the `_member_` role for a while,
thus the role should not be referenced anymore.

Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.

Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
2023-08-15 13:18:45 +02:00
Dmitriy Rabotyagov eea1a4853f Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
2023-07-14 20:44:53 +02:00
Zuul 2378e452ad Merge "Rename keystone_ssl to keystone_backend_ssl" 2023-04-20 18:46:50 +00:00
Damian Dabrowski 59f04a63c5 Remove security.txt parts
Keystone is no longer responsible for storing and serving security.txt
file. It is now fully handled by haproxy.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/880110
Change-Id: Iefd090dce0441f81eb4d5b203f61a4587a5beedb
2023-04-11 21:09:57 +00:00
Damian Dabrowski 6661a9dab7 Rename keystone_ssl to keystone_backend_ssl
To standardize variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.

Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.

Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
2023-04-08 12:53:10 +00:00
Dmitriy Rabotyagov 8017d4dd84 Define venv_tag as separate task for distro
We do define venv_tag locally using python_venv_build role so no need
to do the same as a separate task for source installs. Though this task
is still needed for distro path.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862924
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/866126
Change-Id: I49a45e68bd6030d4bd0667c8384a01088819f260
2022-12-06 11:58:52 +00:00
Zuul ddcca32393 Merge "Bootstrap when running against last backend" 2022-09-24 19:19:53 +00:00
Zuul 3b4fc2e9aa Merge "Add the option to deploy keystone without apache" 2022-09-20 20:52:18 +00:00
Dmitriy Rabotyagov 7868766202 Bootstrap when running against last backend
When deploying keystone for the first time, aliveness check inside
service_bootstrap can not succeed for multi-node setup, as playbook
will disable current backend. So we need to bootstrap host only
when running against last host in play. We also should make sure, that
following tasks will not fail when running against first ones.

Closes-Bug: #1990008
Related-Bug: #1989326
Change-Id: Ifa9a79c34265b225a5e24c30cae47d3f0fa0739f
2022-09-19 14:11:31 +00:00
Erik Berg f28a1cc0a2 Remove redundant vars line
This line was introduced by Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
for centos-7 support, and should already be covered by the
distribution_major_version line above.

Change-Id: I87dbc866f63cd1240dd0049b5b30a1339e1b1e34
2022-09-14 10:56:02 +02:00
Kevin Carter 3928511919 Add the option to deploy keystone without apache
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use-cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
2022-09-08 14:35:49 -05:00
Jonathan Rosser 05c64f7651 Check the service status during bootstrap against the internal VIP
This change brings the keystone role into line with others such
as cinder which check the service status using the loadbalancer.

This is useful in environments using a proxy server where the
internal VIP can be included in "no_proxy" but the service IP
for the containers are too numerous to list in "no_proxy" and
stay within the 1024 character limit for pam_env.

Change-Id: I1a4aec40618237aa23b4f40b335c141071a56f08
2022-08-08 19:07:57 +00:00
Dmitriy Rabotyagov e26aabe440 Remove mention of haproxy-endpoints role
Keystone role was never migrated to usage of haproxy-endpoints role
and included task was used instead the whole time.
With that to reduce complexity and to have unified approach, all mention
of the role and handler are removed from the code.

Change-Id: Ib21a5f5caa590daa827e45d26015bf32abe39cf2
2022-06-14 14:42:36 +02:00
Jonathan Rosser d02d038e94 Remove old pre service setup tasks.
These are now in main_pre.yml and the role should be called separately
with tasks_from targeting all keystone hosts before being called
again with serial: settings appropriate for H/A deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843740
Change-Id: Iecb5567382d27ae6a875f8937f33aa7bb492252e
2022-05-29 16:14:13 +00:00
Jonathan Rosser 7ab6882066 Add a new main tasks file for pre-service setup
There are a number of tasks and use of the ssh keypair setup role
which must happen on all of the keystone hosts before the service
itself is deployed.

Previously, the keystone role ran with serial (1,100%), and the
pre-service setup tasks iterated over ansible_play_hosts
during the deployment of the first keystone host using delegate_to.
This makes the control flow of the role hard to understand and
causes issues when the pre-service tasks need to include further
roles which also use delegate_to, such as the ssh-keypairs role.

This change introduces a new 'main' tasks file for the pre-service
setup which can be called independently with no restriction on
serial:. This means that the pre-service setup can be completed
on all keystone hosts using normal ansible tasks without iteration
or delegate_to, and the role can be called a second time with the usual
main.yml and serial: settings to deploy the service itself and
maintain operation in a H/A deployment. In addition, the behaviour
of --limit will now be more obvious.

Change-Id: Ifcd2afe217205684b0ea3917a3776666d10ffae7
2022-05-29 16:14:07 +00:00
Zuul ec14b0a728 Merge "Set pki_dir when keystone calls the pki role" 2022-05-05 09:22:33 +00:00
Zuul 05f0cd9027 Merge "Handle host with unset ansible_host" 2022-05-04 13:12:10 +00:00
Jonathan Rosser e667befb70 Set pki_dir when keystone calls the pki role
This is needed to use the deployment wide location for the CA and
certificate store.

Change-Id: I1b9658a7ef4efc66c9ad5636474a19302589ecfb
2022-05-04 13:20:36 +01:00
Zuul db823b6370 Merge "Tidy IDP setup task files" 2022-04-26 14:44:54 +00:00
Zuul fdcdf41e28 Merge "Migrate ssl certificate generation to the PKI role" 2022-04-26 14:32:25 +00:00
Sven Anders 54a4e496b9 Handle host with unset ansible_host
We are having all machines in DNS and want to be able to change IP addresses in DNS. So we do not
use ansible_host in our host_vars/machine.yml

As os_keystone is the first Ansible role we use, we will make similar changes to other roles later
on.

Change-Id: Ic9f43cc3f6b62b5098e85afcf55f008c022517f6
2022-04-26 13:39:33 +00:00
Jonathan Rosser 19af9dabc8 Use ssh_keypairs role to generate fernet sync ssh keys
This uses ssh signed certificates so there is no longer the need
to distribute the keystone public key from each keystone host to all
other keystone hosts.

The legacy scripts and authorized key files are removed as a
migration step.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292
Change-Id: If39df0cc80860576abac1830d5cfc66ca50fc655
2022-04-04 15:59:10 +00:00
Jonathan Rosser be2efe9f8f Tidy IDP setup task files
Remove task files with just a single task and move the tasks up
one layer.

Change-Id: Iffdc333170987aa49d267ee749542c875a262d97
2022-03-10 09:58:57 +00:00
Jonathan Rosser 14a2bd072c Migrate ssl certificate generation to the PKI role
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.

This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.

A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
2022-03-10 09:58:39 +00:00
Dmitriy Rabotyagov cb7eaa7ce3 Use uwsgi role for keystone
Instead of having own implementation of uwsgi, use common role.

This allows to reduce maintainable code and ease
providing fixes and features to uwsgi deployment code.

Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
2022-02-09 12:10:18 +02:00
Zuul 419cb210a9 Merge "Remove legacy nginx cleanup tasks" 2022-02-03 23:58:05 +00:00
Jonathan Rosser 63b5981152 Remove legacy nginx cleanup tasks
Change-Id: Ia3f22083aab60bca3a64f989f2f94120a95504b9
2022-02-01 03:53:24 -05:00
Jonathan Rosser 9e5e81311c Remove bugfix tasks for the Train release
Change-Id: I3c4b05cf9d27ad57a8345519ec7b23465acc4185
2022-01-31 11:01:00 -05:00
Zuul bc053f483f Merge "Fix ordering error enabling/disabling Apache modules" 2022-01-26 21:42:32 +00:00
Zuul 3b401d7610 Merge "Use common service setup tasks from a collection rather than in-role" 2022-01-14 10:30:21 +00:00
Zuul 1c36c9c0d8 Merge "Use memcached plugin from collection" 2022-01-13 16:44:31 +00:00
Jonathan Rosser 0985cfa47d Use common service setup tasks from a collection rather than in-role
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/824115
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/821093/7
Change-Id: I09f9fda3699ece3300a666d0c103da4e022d70e2
2022-01-13 11:26:37 +00:00
Jonathan Rosser a9c453bb64 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I51e629ad111b90877ce3ee3ee0353be687f41d35
2022-01-12 08:30:36 +00:00
Dmitriy Rabotyagov d5bb4643b0 Use memcached plugin from collection
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/824148
Change-Id: I178b287a604755c0001084e8693afb9a1f080e9b
2022-01-11 16:02:54 +02:00
Andrew Bonney 236f11c31d Fix ordering error enabling/disabling Apache modules
When site configuration already exists, a change to make a module
'absent' would fail as the module was removed before the
configuration.

This change ensures modules are enabled first, before site
configuration changes, and finally any required modules are
disabled.

Change-Id: I56a6c47e4d95e86dc1e0d731f1e39eeec6ac7dc8
2022-01-10 14:13:43 +00:00
Dmitriy Rabotyagov 4e27667dd2 Drop keystone_default_role_name
This variable has no effect and is not really used anywhere.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822998
Change-Id: Ic46ee2a55c464be521ef79a781957633ccdae57b
2021-12-27 13:05:24 +02:00
OpenStack Proposal Bot d5542a5b81 Updated from OpenStack Ansible Tests
Change-Id: I3b6888577d0a32db39e3d795650fd301162535b6
2021-12-04 17:40:15 +00:00
Dmitriy Rabotyagov 59e879d28a Use config_template as a collection
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-tests/+/819897
Change-Id: I9c4caf10192e2a25b1819d47065163ec78356a91
2021-11-30 15:56:09 +00:00
Dmitriy Rabotyagov eb9a0c6cea Drop Nginx webserver support
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify code and reduce maintaining efforts needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-22 10:36:35 +00:00
Zuul 503c350f59 Merge "Refactor out library/keystone_sp and updates to use collections" 2021-07-20 16:54:29 +00:00
Georgina 55a1a35ebe Refactor out library/keystone_sp and updates to use collections
Simplify maintained codebase by getting rid of library/keystone_sp can
use looping instead now.
Updates to openstack collections in terms of naming, as well as using
newer implemented functionalities.

Change-Id: I2f02ca712f309285310693b191f0d1cd1be8e24d
2021-07-05 14:18:49 +00:00
Georgina a57255b9fc Improvements to federation packaging
While shibboleth and mod_auth_openidc can theoretically be co-installed
now, unfortunately the shibboleth enabled configuration will cause
issues when using mod_auth_openidc.
As we only drop the configuration for one of these apache mods at a time
I have decided that it is best we only support one of these packages
being present at any time to avoid conflicts.

Change-Id: Ib0ebf1711db42dd00b3e14c1e5604fed2632437d
2021-07-05 10:57:32 +00:00
Dmitriy Rabotyagov 700730dfd9 Use common name for service project description
Since `service` project is shared, it's confusing to have same naming as
for service_catalog. We add variable
`keystone_service_project_description` that will be used specifically
for `service` project description

Change-Id: I33a88f3782d7cf334ad878e57b07d09dcd77842c
2021-04-23 10:40:53 +03:00
OpenStack Proposal Bot b6794b6e53 Updated from OpenStack Ansible Tests
Change-Id: I00c1b29a34f65c3f401f55b62da1fb88edb098cd
2021-04-19 09:58:26 +00:00
Dmitriy Rabotyagov d89c6a153a [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to replace policy.json to
policy.yaml and remove deprecated policy.json.

config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.

We make a separate task not to restart service when it's not needed.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I41ee59a901e54860067edd277fdade394b0b8858
2021-04-06 11:13:10 +00:00
Jonathan Rosser 0f2b8e16c9 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible

Change-Id: I1624730385a7b54cf36a94d313cc298430129736
2021-03-10 12:16:38 +00:00
Jonathan Rosser 489c169874 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I8721b4fa97b41fb0c92f9eb99b61d31634e9aac6
2021-02-23 18:06:10 +00:00