We use the same condition, which defines which host some "service"
tasks should run against, several times. It's hard to keep it the same
across the role, and ansible spends additional resources evaluating
it each time, so it's simpler and better for maintenance to set
a boolean variable which tells all tasks that we want to run
only against a single host whether they should run now or not.

Change-Id: Iac06d3f02b1c9ee5e3bfbd28043fbb70d8b1d328

This change sets the user argument in the cron module which is
required in future versions of ansible when the cron_file argument
is also used.
Filter deprecations for skipped items have also been fixed.

Change-Id: I803cd3c62707880e873662ea86590274b2766d21
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

The Fernet autorotation cron task should use keystone_system_user_name instead
of hardcoding the user.

Change-Id: Ia39021de872025a12a4bef263290df363d17c979

The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config.
These tags have been chosen as they are namespaced
and cover the two major functions of the role.
Documentation has been updated to inform how each tag
influences the function of the role.

Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323

ansible-lint 2.7.0 was recently released; update the role's test
requirements to use it.
The tox test has been changed to run ansible-lint against this role,
rather than the test playbook which would only apply to this role's
dependencies.
Also update the 'Drop fernet key auto rotate script' task to use mode
"0755", matching the comment above the task and to resolve a violation
of the new rule, [ANSIBLE0009] Octal file permissions must contain leading
zero.

Change-Id: I09396f8938cf8f0b5d48bc5b7215ecea2c426e94

This change makes the use of fernet tokens production ready. The changes are
as follows:
* Ensures that the keys are rotated on every playbook execution
* Removes the need to sync keys back to a deployment host when distributing
them to other keystone hosts.
* Creates an autonomous key rotation process that can rotate on the following
intervals [reboot, yearly, annually, monthly, weekly, daily, hourly] to all
hosts from any keystone fernet host.
* Fixes the section in `keystone.conf` which was named "fernet_key" instead
of "fernet_token".

Change-Id: I50f6a852930728631f5c681a8aa0f1321d7424ac
Related-Bug: #1463569
Closes-Bug: #1468256