7 Commits

Author SHA1 Message Date
Andrew Bonney 47bd365532 Re-distribute fernet keys when re-building the primary
Currently when re-building the keystone primary node, a new set
of fernet keys will be created as none exists, despite keys
existing on the secondary nodes.

This patch uses a similar approach to the credential key
distribution where other nodes are checked for keys if none exist
on the first play host. In this case an rsync is performed to
distribute the keys correctly before proceeding.

Change-Id: I92434276aef54805e5cee56e1d22821e11245fe4
2024-02-01 09:36:14 +00:00
Dmitriy Rabotyagov eea1a4853f Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
2023-07-14 20:44:53 +02:00
Travis Truman 8797fc707a Cleanup/standardize usage of tags
The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config

These tags have been chosen as they are namespaced
and cover the two major functions of the role.

Documentation has been updated to inform how each tag
influences the function of the role.

Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323
2016-05-24 15:51:03 -04:00
Jimmy McCrory 3877ad4022 Resolve ansible-lint ANSIBLE0008
ansible-lint 2.3.7 added a rule checking for use of the deprecated
'sudo' and 'sudo_user' directives. They have been replaced with 'become'
and 'become_user' respectively.

Change-Id: I2271fe8468840884f19f41abba37e696c6296350
2016-02-11 07:40:09 -08:00
Kevin Carter 423d0cfa7d Implement keystone venv support
This commit conditionally allows the os_keystone role to
install, build and deploy within a venv. This is the new
default behavior of the role; however, the functionality
can be disabled.

Change-Id: Ie9e51926c96125a543e05eaa1912684fb01fecda
Implements: blueprint enable-venv-support-within-the-roles
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2015-10-14 13:59:47 -05:00
kevin cfde337673 Updated keystone to use fernet as the default
This change simply enables fernet to be the default token backend
and disables the keystone memcached configuration for token storage.

Change-Id: I1037a7fce567e476f07a5d3c220379d656248160
Related-Bug: #1463569
2015-06-24 23:29:57 +00:00
Ian Cordasco 9e4a02482d Add support for deploying Keystone with Fernet
This change adds a number of new tasks that are dependent on the value
of the Keystone token provider (keystone_token_provider) user variable.

If the keystone_token_provider user_variable is set to
keystone.token.providers.fernet.Provider then the playbooks will
appropriately create the fernet keys and distribute them to the rest of
the keystone containers.

This also implements key rotation for generated fernet keys similar to
how the os_nova roles implement key rotation.

Finally, we also need to build cryptography from master for now.
Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug
when used with mod_wsgi and Apache. This is fixed in cryptography master
and will be released in 1.0.

Closes-bug: 1463569
Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab
2015-06-22 08:53:53 -05:00