This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.
As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.
Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
Keystone has stopped providing or referring to the `_member_` role for a while,
thus the role should not be referenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`,
which resulted in the role being insufficient for basic operations.
Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA, so
it is hard to leverage the `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
Apache needs to respond with all intermediate CA certificates.
Otherwise, haproxy will not be able to validate the backend certificate.
That is why the -chain.crt file needs to be installed for keystone.
Change-Id: Ibc8267a1c27e1de7ed5bce716199f3264e8c136d
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.
Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us
the opportunity to refactor this bit of deployment and allow more
flexibility in backend selection and requirements installation for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
There are problems when keystone_idp has legitimately undefined keys,
and also a variable name which should be templated.
Change-Id: Iabe61d63994e38cb3f99c8285deff60ef2e9ee55
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.
This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.
A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
Add the X-Forwarded-Proto header based on the haproxy termination
and whether keystone is configured to use SSL for internal connections.
Change-Id: Ia627e19923e1e24d2fede49aefb7251bb75d88de
Instead of having our own implementation of uwsgi, use the common role.
This allows us to reduce the code to maintain and eases
providing fixes and features to the uwsgi deployment code.
Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
At the moment keystone_httpd_mpm_server_limit appears as a string,
so instead of a multiplication of integers we repeat the value of
`keystone_httpd_mpm_server_limit` `keystone_httpd_mpm_thread_child` times,
which is not what we want to do.
So we apply the int filter to ensure we do the math operation on integers.
Change-Id: Ib3258eb018f758edb9a6a9424a7be8266c7e9fd6
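The string-repetition behaviour this commit describes, reproduced with Jinja2 as an added example (not code from the os_keystone role): a quoted variable value makes `*` repeat the string, and the `| int` filter restores integer multiplication. It assumes the `jinja2` package is installed and uses constructed sample variable values.

```python
"""Reproduce the Jinja2 string-multiplication pitfall from the commit above.

Added example, not part of the os_keystone role. Assumes the ``jinja2``
package is installed.
"""
from jinja2 import Environment

# Constructed sample: the server limit arrives as a quoted string, as it
# would when set in user_variables.yml or passed as an extra-var.
SAMPLE_VARS = {
    "keystone_httpd_mpm_server_limit": "16",
    "keystone_httpd_mpm_thread_child": 8,
}

# Without the filter, Jinja2 hands the Python ``*`` operator a str and an
# int, so the string is repeated instead of multiplied.
BUGGY_TEMPLATE = (
    "{{ keystone_httpd_mpm_server_limit * keystone_httpd_mpm_thread_child }}"
)
# Filters bind tighter than arithmetic operators in Jinja2, so each operand
# is cast to int before the multiplication.
FIXED_TEMPLATE = (
    "{{ keystone_httpd_mpm_server_limit | int"
    " * keystone_httpd_mpm_thread_child | int }}"
)


def render(template: str, variables: dict) -> str:
    """Render a single Jinja2 expression with the given variables."""
    return Environment().from_string(template).render(**variables)


def max_request_workers(variables: dict, cast_to_int: bool) -> str:
    """Compute the worker count the way an httpd.conf template would.

    cast_to_int=False yields "16" repeated 8 times ("1616161616161616");
    cast_to_int=True yields the intended product "128".
    """
    template = FIXED_TEMPLATE if cast_to_int else BUGGY_TEMPLATE
    return render(template, variables)


if __name__ == "__main__":
    print("buggy:", max_request_workers(SAMPLE_VARS, cast_to_int=False))
    print("fixed:", max_request_workers(SAMPLE_VARS, cast_to_int=True))
```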
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ia507320ca552ec60d893e398ad7f68d4283539be
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.
Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
With the PKI role in place, in most cases you don't need to explicitly
provide the path to the CA file because the PKI role ensures that the CA is trusted
by the system overall. Meanwhile, in PyMySQL [1] you must either
provide a CA file or cert/key or enable verify.
Since the current behaviour is to provide a path to the custom CA, we expect
the certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I431dd557a90a9fbf086ff7af992363d666937e4b
- Standardise use of default as domain id for federated identities
that is necessary for newer ansible collections.
- Add information about OIDC with mod_auth_openidc.
- General updates to SAML / older documentation.
Change-Id: Ife7176bf5b9b7e52ceec6ef8971349222477414e
Since the `service` project is shared, it's confusing to have the same naming as
for service_catalog. We add the variable
`keystone_service_project_description` that will be used specifically
for the `service` project description.
Change-Id: I33a88f3782d7cf334ad878e57b07d09dcd77842c
This is necessary to support the new pip resolver.
Depends-On: I9be6bbf4a29a4da2ddf96dc0336bc2a7d8ec9281
Depends-On: I49c75dd11d6c4e8d37fe013b7ffdfd56ff193fcd
Change-Id: I599f9de82a6350599444096e98a0e25a417e18ef
Instead of overriding each service separately, it might make
sense for deployers to define some higher level variable that
will be used first, falling back to the default variable.
Change-Id: I34ab133e218340d21a1b81dc329e7e684872843d
If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations:
/security.txt and /.well-known/security.txt, as defined in
https://securitytxt.org/
Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Depends-On: https://review.opendev.org/744453
Depends-On: https://review.opendev.org/744881
Change-Id: Ie52799cc2129b6e36b99ee65b237bb04a8edf18f
Event notifications are useful for those that need to keep an audit
trail. Turned off by default as these logs contain user specific data
and local data protection laws should be considered.
The default notification_opt_outs follow the keystone documentation.
Please see here for more information on CADF notifications:
https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html
Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9
Identity providers can be created with a specified domain.
IDPs are linked to a keystone domain. Currently when we provision a new IDP
it gets created within a new autogenerated domain. Provisioners can now
give a domain_id in an IDP entry within the trusted_idp_list and the IDP
will be created within that domain.
Add IDP display_name to defaults.
Allows the operator to show the user a name in the horizon Identity Provider
dropdown that is different from the one used in the backend.
Change-Id: Iaf9f1b9198f14c903f9801e0ce7da86b74d9c5bd
Added the following parameters to the httpd.conf template
to be used with the mod_auth_openidc Apache mod. Params include:
- OIDCStateMaxNumberOfCookies - this takes parameters in the form
<number> <false|true> where number is the maximum number of state
cookies stored in parallel for outstanding auth requests, and the
boolean indicates whether cookies that are still valid over this
amount are deleted
- OIDCDefaultURL - Defines a default URL to be used in case of
3rd-party or OP initiated SSO when no explicit target_link_uri has
been provided. The user is also sent to this URL in case an
invalid authorization response was received
(ref: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf)
The reason these have been added is due to some stability issues
that have been seen regarding cached session cookies that subsequently
cause a "state mismatch" error. Being able to limit the number of active cookies
appears to resolve this issue.
Change-Id: Id2248e93f2636407396d4ac8fe29c8943e4a3a57