Currently when re-building the keystone primary node, a new set
of fernet keys will be created as none exists, despite keys
existing on the secondary nodes.
This patch uses a similar approach to the credential key
distribution where other nodes are checked for keys if none exist
on the first play host. In this case an rsync is performed to
distribute the keys correctly before proceeding.
Change-Id: I92434276aef54805e5cee56e1d22821e11245fe4
We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.
Change-Id: I2c73f087b48fd3e664e0b339f2fb2b77b208f6c5
Keystone has stopped providing or reffering `_member_` role for a while,
thus role should not be refferenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.
Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
To standarize variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
When deploying keystone for the first time, aliveness check inside
service_bootstrap can not succeed for multi-node setup, as playbook
will disable current backend. So we need to bootstrap host only
when running against last host in play. We also should make sure, that
following tasks will not fail when running against first ones.
Closes-Bug: #1990008
Related-Bug: #1989326
Change-Id: Ifa9a79c34265b225a5e24c30cae47d3f0fa0739f
This line was introduced by Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
for centos-7 support, and should already be covered by the
distribution_major_version line above.
Change-Id: I87dbc866f63cd1240dd0049b5b30a1339e1b1e34
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a signficant
reduction in process overhead targeting minimal deployment usec-ases,
for deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
This change brings the keystone role into line with others such
as cinder which check the service status using the loadbalancer.
This is useful in environments using a proxy server where the
internal VIP can be included in "no_proxy" but the service IP
for the containers are too numerous to list in "no_proxy" and
stay within the 1024 character limit for pam_env.
Change-Id: I1a4aec40618237aa23b4f40b335c141071a56f08
Keystone role was never migrated to usage of haproxy-endpoints role
and included task was used instead the whole time.
With that to reduce complexity and to have unified approach, all mention
of the role and handler are removed from the code.
Change-Id: Ib21a5f5caa590daa827e45d26015bf32abe39cf2
These are now in main_pre.yml and the role should be called seperatley
with tasks_from targetting all keystone hosts before being called
again with serial: settings appropraite for H/A deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843740
Change-Id: Iecb5567382d27ae6a875f8937f33aa7bb492252e
There are a number of tasks and use of the ssh keypair setup role
which must happen on all of the keystone hosts before the service
itself is deployed.
Previously, the keystone role ran with serial (1,100%), and the
pre-service setup tasks iterated over ansible_play_hosts
during the deployment of the first keystone host using delegate_to.
This makes the control flow of the role hard to understand and
causes issues when the pre-service tasks need to include further
roles which also use delegate_to, such as the ssh-keypairs role.
This change introduces a new 'main' tasks file for the pre-service
setup which can be called independantly with no restriction on
serial:. This means that the pre-service setup can be completed
on all keystone hosts using normal ansible tasks without iteration
or delegate_to, and the role can be called a second time with the usual
main.yml and serial: settings to deploy the service itself and
maintain operation in a H/A deployment. In addition, the behaviour
of --limit will now be more obvious.
Change-Id: Ifcd2afe217205684b0ea3917a3776666d10ffae7
We are having all machines in DNS and want to be able to change IP addresses in DNS. So we do not
use ansible_host in our host_vars/machine.yml
As os_keystone is the first Ansible role we use. We will make similar changes to other roles later
on.
Change-Id: Ic9f43cc3f6b62b5098e85afcf55f008c022517f6
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.
This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.
A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
Instead of having own implementation of uwsgi, use common role.
This allows to reduce maintainable code and ease
providing fixes and features to uwsgi deployment code.
Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I51e629ad111b90877ce3ee3ee0353be687f41d35
When site configuration already exists, a change to make a module
'absent' would fail as the module was removed before the
configuration.
This change ensures modules are enabled first, before site
configuration changes, and finally any required modules are
disabled.
Change-Id: I56a6c47e4d95e86dc1e0d731f1e39eeec6ac7dc8
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With it's
removal we simplify code and reduce maintaining efforts needed.
Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
Simplify maintained codebase by getting rid of library/keystone_sp can
use looping instead now.
Updates to openstack collections in terms of naming, as well as using
newer implemented functionalities.
Change-Id: I2f02ca712f309285310693b191f0d1cd1be8e24d
While shibboleth and mod_auth_openidc can theoretically co installed
now, unfortunately the shibboleth enabled configuation will cause
issues when using mod_auth_openidc.
As we only drop the configuration for one of these apache mods at a time
I have decided that it is best we only support one of these packages
being present at any time to avoid conflicts.
Change-Id: Ib0ebf1711db42dd00b3e14c1e5604fed2632437d
Since `service` project is shared, it's confusing to have same naming as
for service_catalog. We add variable
`keystone_service_project_description` that will be used specifically
for `service` project description
Change-Id: I33a88f3782d7cf334ad878e57b07d09dcd77842c
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to replace policy.json to
policy.yaml and remove deprecated policy.json.
config_template has been choosen instead of the copy, since it can
properly handle content that has been lookuped.
We make a separate task not to restart service when it's not needed.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I41ee59a901e54860067edd277fdade394b0b8858
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: I1624730385a7b54cf36a94d313cc298430129736