We have all machines in DNS and want to be able to change IP addresses in DNS. So we do not
use ansible_host in our host_vars/machine.yml.
As os_keystone is the first Ansible role we use, we will make similar changes to other roles later
on.
Change-Id: Ic9f43cc3f6b62b5098e85afcf55f008c022517f6

Replacing usage of ansible_ssh_host, ansible_ssh_user,
ansible_ssh_port with ansible_host, ansible_user and ansible_port.
Change-Id: I4adb6484c13523a2527adc62846b736b0c5f228e

The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config.
These tags have been chosen as they are namespaced
and cover the two major functions of the role.
Documentation has been updated to inform how each tag
influences the function of the role.
Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323

ansible-lint 2.3.7 added a rule checking for use of the deprecated
'sudo' and 'sudo_user' directives. They have been replaced with 'become'
and 'become_user' respectively.
Change-Id: I2271fe8468840884f19f41abba37e696c6296350

This change makes the use of fernet tokens production ready. The changes are
as follows:
* Ensures that the keys are rotated on every playbook execution
* Removes the need to sync keys back to a deployment host when distributing
  them to other keystone hosts.
* Creates an autonomous key rotation process that can rotate on the following
  intervals [reboot, yearly, annually, monthly, weekly, daily, hourly] to all
  hosts from any keystone fernet host.
* Fixes the section in `keystone.conf` which was named "fernet_key" instead
  of "fernet_token".
Change-Id: I50f6a852930728631f5c681a8aa0f1321d7424ac
Related-Bug: #1463569
Closes-Bug: #1468256

This change adds a number of new tasks that are dependent on the value
of the Keystone token provider (keystone_token_provider) user variable.
If the keystone_token_provider user variable is set to
keystone.token.providers.fernet.Provider then the playbooks will
appropriately create the fernet keys and distribute them to the rest of
the keystone containers.
This also implements key rotation for generated fernet keys similar to
how the os_nova roles implement key rotation.
Finally, we also need to build cryptography from master for now.
Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug
when used with mod_wsgi and Apache. This is fixed in cryptography master
and will be released in 1.0.
Closes-bug: 1463569
Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab