Commit Graph

205 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 7dbec32273 Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure an upgrade path and the ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.

Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5
2023-11-10 17:00:57 +01:00
Andrew Bonney 2ed76dee5d oidc: fix overloading of redirect_uri for cli client
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.

As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.

Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
2023-10-20 14:04:31 +01:00
Dmitriy Rabotyagov a51651213d Install distro_packages in pre-main
Main tasks are executed in a serial manner, so all keystone containers
except the first one end up not having rsync and sshd installed, while
we attempt to distribute fernet tokens once running against the first host.

So we move installation of distro_packages to pre-main step
that is run in advance without serial approach.

This is an alternative approach to [1].

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889936

Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/889945
Change-Id: Ia53932f60d271b8f2843b880e024caacc7ae5c3f
2023-09-05 06:30:42 +00:00
Dmitriy Rabotyagov 9ca29f5754 Stop referring to _member_ role
Keystone has stopped providing or referring to the `_member_` role for a while,
thus the role should not be referenced anymore.

Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.

Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
2023-08-15 13:18:45 +02:00
Dmitriy Rabotyagov eea1a4853f Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect the current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
2023-07-14 20:44:53 +02:00
Zuul 2378e452ad Merge "Rename keystone_ssl to keystone_backend_ssl" 2023-04-20 18:46:50 +00:00
Zuul 674c8a5434 Merge "Use chain cert file for apache" 2023-04-18 15:29:23 +00:00
Damian Dabrowski 59f04a63c5 Remove security.txt parts
Keystone is no longer responsible for storing and serving security.txt
file. It is now fully handled by haproxy.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/880110
Change-Id: Iefd090dce0441f81eb4d5b203f61a4587a5beedb
2023-04-11 21:09:57 +00:00
Damian Dabrowski 6661a9dab7 Rename keystone_ssl to keystone_backend_ssl
To standardize the variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.

Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.

Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
2023-04-08 12:53:10 +00:00
Damian Dabrowski 931695475c Use chain cert file for apache
Apache needs to respond with all intermediate CA certificates.
Otherwise, haproxy will not be able to validate backend certificate.
That is why -chain.crt file needs to be installed for keystone.

Change-Id: Ibc8267a1c27e1de7ed5bce716199f3264e8c136d
2023-04-08 14:52:34 +02:00
Dmitriy Rabotyagov 0a24c61e3e Improve way of cache backend selection
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.

Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the
opportunity to refactor this bit of deployment and allows us to be more
flexible in backend selection and requirements installation for it.

[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
2022-09-23 10:49:09 +02:00
Kevin Carter 3928511919 Add the option to deploy keystone without apache
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use-cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
2022-09-08 14:35:49 -05:00
Zuul 056623431a Merge "Add PKCE method for OIDC" 2022-08-12 11:30:16 +00:00
mroth26 ec9ffea3ca Add PKCE method for OIDC
Change-Id: Icb77fff4a2f823f4c2a84dc77c21e4ddf0c8e22c
2022-08-08 16:23:58 +02:00
Andrew Bonney 89bff18166 tls1.2: update ciphers to latest recommendations
Based upon usual recommendations from:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Change-Id: Iaf5e41417a5226c42ef742d0b6478895d9256769
2022-08-05 10:44:13 +01:00
Jonathan Rosser 4f02985c43 Fix certificate installation for keystone
There are problems when keystone_idp has legitimately undefined keys,
and also variable name which should be templated.

Change-Id: Iabe61d63994e38cb3f99c8285deff60ef2e9ee55
2022-05-04 17:39:10 +01:00
Jonathan Rosser fcbf8ede8f Ensure that openstack_ssh_keyspairs_dir has a default value
This is otherwise undefined in functional tests

Change-Id: Ia57b67e5636690327264b1213c0eb491afd8750d
2022-05-04 07:59:17 +01:00
Zuul fdcdf41e28 Merge "Migrate ssl certificate generation to the PKI role" 2022-04-26 14:32:25 +00:00
Jonathan Rosser 19af9dabc8 Use ssh_keypairs role to generate fernet sync ssh keys
This uses ssh signed certificates so there is no longer the need
to distribute the keystone public key from each keystone host to all
other keystone hosts.

The legacy scripts and authorized key files are removed as a
migration step.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292
Change-Id: If39df0cc80860576abac1830d5cfc66ca50fc655
2022-04-04 15:59:10 +00:00
Marcus Bahn dc62f04827 add oauth support
Some OIDCOAuth* variables were needed to allow CLI access via `--os-auth-type v3oidcaccesstoken`.

See https://docs.egi.eu/providers/cloud-compute/openstack/aai/#cli-access and https://docs.egi.eu/providers/cloud-compute/openstack/aai/#apache-configuration

Change-Id: I693684e4dc85c096f46a3385d70202c39d379d25
2022-03-10 11:47:11 +01:00
Jonathan Rosser 14a2bd072c Migrate ssl certificate generation to the PKI role
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.

This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.

A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
2022-03-10 09:58:39 +00:00
Zuul ba9d685380 Merge "Define X-Forwarded-Proto for keystone" 2022-02-15 18:58:13 +00:00
Dmitriy Rabotyagov 6fae2bdade Define X-Forwarded-Proto for keystone
Add X-Forwarded-Proto header based on the haproxy termination
and if keystone is configured to use SSL for the internal connection.

Change-Id: Ia627e19923e1e24d2fede49aefb7251bb75d88de
2022-02-09 23:03:39 +00:00
Dmitriy Rabotyagov cb7eaa7ce3 Use uwsgi role for keystone
Instead of having own implementation of uwsgi, use common role.

This allows to reduce maintainable code and ease
providing fixes and features to uwsgi deployment code.

Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
2022-02-09 12:10:18 +02:00
Jonathan Rosser 7424f8f69a Remove legacy db pooling variables
Change-Id: I54edc22032950f640d824bb8baf170d3599d0f4b
2022-02-01 04:12:55 -05:00
Andrew Bonney dfa253d72c Adjust default configuration to support TLS v1.3
This adds a new variable to manage TLS v1.3 cipher suites.

The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
2022-01-10 13:49:45 +00:00
Zuul 2efea71159 Merge "Drop keystone_default_role_name" 2022-01-04 17:36:13 +00:00
Dmitriy Rabotyagov 145b219a83 Fix keystone_httpd_mpm_max_requests default value
At the moment keystone_httpd_mpm_server_limit appears as a string,
so instead of multiplication of integers we repeat the value of
`keystone_httpd_mpm_server_limit` `keystone_httpd_mpm_thread_child` times,
which is not what we want to do.
So we apply the int filter to ensure we do the math operation on integers.

Change-Id: Ib3258eb018f758edb9a6a9424a7be8266c7e9fd6
2022-01-02 10:48:10 +02:00
Dmitriy Rabotyagov 4e27667dd2 Drop keystone_default_role_name
This variable has no effect and is not really used anywhere.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822998
Change-Id: Ic46ee2a55c464be521ef79a781957633ccdae57b
2021-12-27 13:05:24 +02:00
Damian Dabrowski b36b942aed Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ia507320ca552ec60d893e398ad7f68d4283539be
2021-12-03 16:54:38 +01:00
Zuul 91c397dc8b Merge "Drop Nginx webserver support" 2021-11-26 15:14:18 +00:00
Dmitriy Rabotyagov eb9a0c6cea Drop Nginx webserver support
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify code and reduce the maintenance effort needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-22 10:36:35 +00:00
Dmitriy Rabotyagov c5145fd120 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I431dd557a90a9fbf086ff7af992363d666937e4b
2021-09-20 13:08:38 +03:00
Georgina f8116e3f24 Updates to federation documentation
- Standardise use of default as domain id for federated identities
that is necessary for newer ansible collections.

- Add information about OIDC with mod_auth_openidc.

- General updates to SAML / older documentation.

Change-Id: Ife7176bf5b9b7e52ceec6ef8971349222477414e
2021-07-15 16:36:21 +00:00
Zuul fc2bc15904 Merge "Add variables for rabbitmq ssl configuration" 2021-05-17 13:04:42 +00:00
Jonathan Rosser d67c498269 Add variables for rabbitmq ssl configuration
Change-Id: Ie4bdbd1f4d530844dced5161de57665f9dc97fd3
2021-05-13 14:37:56 +00:00
Dmitriy Rabotyagov 700730dfd9 Use common name for service project description
Since the `service` project is shared, it's confusing to have the same naming as
for service_catalog. We add the variable
`keystone_service_project_description` that will be used specifically
for the `service` project description.

Change-Id: I33a88f3782d7cf334ad878e57b07d09dcd77842c
2021-04-23 10:40:53 +03:00
Jonathan Rosser 5c7d93a817 Switch default virtualenv to python3
Change-Id: I54153709f0a41b0421491c591efeaeef2c160dcc
2021-03-10 08:44:13 +00:00
Jonathan Rosser 489c169874 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I8721b4fa97b41fb0c92f9eb99b61d31634e9aac6
2021-02-23 18:06:10 +00:00
Zuul 20cf64fa0c Merge "Move keystone pip package from a constraint to a requirement" 2021-02-05 21:07:49 +00:00
Jonathan Rosser 05c7f80711 Move keystone pip package from a constraint to a requirement
This is necessary to support the new pip resolver.

Depends-On: I9be6bbf4a29a4da2ddf96dc0336bc2a7d8ec9281
Depends-On: I49c75dd11d6c4e8d37fe013b7ffdfd56ff193fcd
Change-Id: I599f9de82a6350599444096e98a0e25a417e18ef
2021-01-18 16:40:51 +00:00
Dmitriy Rabotyagov 50347cf3f6 Use global service variables
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fall back to the default variable.

Change-Id: I34ab133e218340d21a1b81dc329e7e684872843d
2021-01-08 17:14:46 +02:00
James Gibson 5af8175643 Add security.txt file hosting to keystone
If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations:
/security.txt and /.well-known/security.txt, as defined in
https://securitytxt.org/

Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
2020-12-11 09:59:39 +00:00
Zuul 2b125eca31 Merge "Add CADF notifications for federated keystone" 2020-10-13 16:39:19 +00:00
Zuul fe82d21135 Merge "Use the utility host for db setup tasks" 2020-08-17 18:16:56 +00:00
Jonathan Rosser 3e0b1ae0af Use the utility host for db setup tasks
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.

Depends-On: https://review.opendev.org/744453
Depends-On: https://review.opendev.org/744881
Change-Id: Ie52799cc2129b6e36b99ee65b237bb04a8edf18f
2020-08-05 10:39:46 +00:00
Georgina e3294f0f91 Add CADF notifications for federated keystone
Event notifications are useful for those that need to keep an audit
trail. Turned off by default as these logs contain user specific data
and local data protection laws should be considered.
The default notification_opt_outs follow the keystone documentation.
Please see here for more information on CADF notifications:
https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html

Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9
2020-07-27 19:02:45 +00:00
Georgina Shippey 4c9642765e Identity Providers support improvements
Identity providers can be created with a specified domain.
IDPs are linked to a keystone domain. Currently when we provision a new IDP
it gets created within a new autogenerated domain. Provisioners can now
give a domain_id in an IDP entry within the trusted_idp_list and the IDP
will be created within that domain.

Add IDP display_name to defaults.
Allows the operator a name different to the one used in the backend
to display to the user in the horizon Identity Provider dropdown.

Change-Id: Iaf9f1b9198f14c903f9801e0ce7da86b74d9c5bd
2020-07-06 13:08:53 +00:00
Danny Meloy eda646382a Add Parameters to httpd.conf template
Added the following parameters to the httpd.conf template
to be used with the mod_auth_openidc Apache mod. Params include:
- OIDCStateMaxNumberOfCookies - this takes parameters in the form
<number> <false|true> where number is the maximum number of state
cookies stored in parallel for outstanding auth requests, and the
boolean indicates whether cookies that are still valid over this
amount are deleted
- OIDCDefaultURL - Defines a default URL to be used in case of
3rd-party or OP initiated SSO when no explicit target_link_uri has
been provided. The user is also sent to this URL in case an
invalid authorization response was received
(ref: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf)

The reason these have been added is due to some stability issues
that have been seen regarding cached session cookies that subsequently
cause a "state mismatch" error. Being able to limit the number of active cookies
appears to resolve this issue.

Change-Id: Id2248e93f2636407396d4ac8fe29c8943e4a3a57
2020-06-17 18:31:13 +01:00
Dmitriy Rabotyagov 93ab16bc59 Cleanup after repo_build and pip_install retirement
Change-Id: I644635ee0cf4db252eae554185ae84d835b3c63d
2020-05-12 22:09:28 +03:00