We use the same condition, which defines against which host some "service"
tasks should run, several times. It's hard to keep it the same
across the role, and Ansible spends additional resources evaluating
it each time, so it's simpler and better for maintenance to set
a boolean variable which will say, for all tasks that we want to run
only against a single host, whether they should run now or not.
Change-Id: Iac06d3f02b1c9ee5e3bfbd28043fbb70d8b1d328

When delegating with the authorized_key module, writes of multiple keys
against the same host's file can occur at the same time, leading to
missing keys.[0]
To avoid conflicting delegation between hosts, the registered
'keystone_pubkey' fact now contains a list of SSH keys of all hosts in the
current batch of the play, rather than only the key of the current host.
The first host within each batch will handle distribution of that
batch's keys to all hosts within the play.
[0] https://github.com/ansible/ansible/issues/29693
Change-Id: I386e84eba46aa164db22618b7a6ac53b86eeeaf0

When a playbook runs os_keystone in serial, the SSH and fernet key
distribution are broken. This fixes both items allowing the role
to be run in a serialized playbook.
Change-Id: Ief28c6bed8daa38120207de61aba327c9fe49d3a

This change implements CentOS 7 support within the os_keystone role.
Depends-on: I333fb1887339e8dc9ebf10ff137dda3cff629dc0
Change-Id: Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

The 'Create authorized keys file from host vars' task assumes that every
host within the keystone_all group is available. If any host within that
group is offline, excluded through a limit, or has otherwise failed an
earlier task, it will lead to this task failing for every host.
Add a when clause checking for the existence of the keystone_pubkey
hostvar so that the task and remainder of the role can continue when a
keystone_all host is unavailable.
Change-Id: Ie68e537872fec82769c8fffcf5e144d695de59df

The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config
These tags have been chosen as they are namespaced
and cover the two major functions of the role.
Documentation has been updated to inform how each tag
influences the function of the role.
Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323

Extracting the ssh public key using cat and storing the result in a
fact has resulted in periodic failures in the collection of the key,
and thereafter the failure to appropriately place that key into the
authorized_keys file.
This patch changes the collection method to use the Ansible slurp
module which has been found to be more reliable.
Change-Id: Iac61518129536ce613e91ac894883440a8704998

This patch ensures that the authorized_keys Ansible module, as well as
the built-in "generate_ssh_keys" flag for user creation, are used so that
we can avoid shelling out to commands.
Additionally, this moves the key synchronisation to use Ansible
variables instead of the memcache server.
Change-Id: I0072b8d0977ab9aea10dd95080756f6864612013
Closes-Bug: #1477512

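The SSH key distribution pattern that the messages above describe (a single boolean deciding which host acts, the first host of each serial batch writing the whole batch's keys so delegated authorized_key writes never race, the `when` guard against unavailable keystone_all members, slurp instead of cat, and `generate_ssh_key` instead of shelling out) put together in one playbook. This is an added illustrative example, not the os_keystone role's own tasks; it assumes an inventory group `keystone_all`, a system user `keystone` with home `/var/lib/keystone`, and the variable names `_keystone_is_first_play_host`, `_keystone_pubkey_raw` and `keystone_pubkey` are chosen here for illustration.

```yaml
# Added example playbook, not the os_keystone role's own tasks.
# Assumptions: inventory group keystone_all, system user keystone with
# home /var/lib/keystone, and a serial run so that batches matter.
- hosts: keystone_all
  serial: 2
  tasks:
    # Evaluate the "am I the designated writer" condition once per host and
    # reuse the boolean, instead of re-templating the comparison in every task.
    - name: Mark the first host of the current batch
      set_fact:
        _keystone_is_first_play_host: "{{ inventory_hostname == ansible_play_batch[0] }}"

    # The user module generates the key pair itself; no ssh-keygen shell-out.
    - name: Create the keystone user with an SSH key pair
      user:
        name: keystone
        home: /var/lib/keystone
        shell: /bin/false
        generate_ssh_key: yes
        ssh_key_bits: 4096
        ssh_key_file: .ssh/id_rsa

    # slurp returns the file content base64-encoded; no cat shell-out.
    - name: Read this host's public key
      slurp:
        src: /var/lib/keystone/.ssh/id_rsa.pub
      register: _keystone_pubkey_raw

    # Collect the keys of every host in the batch. ansible_play_batch only
    # contains hosts that are reachable and inside any --limit, so a missing
    # hostvar on an offline keystone_all member cannot break the lookup.
    - name: Collect the public keys of the current batch
      set_fact:
        keystone_pubkey: >-
          {{ ansible_play_batch
             | map('extract', hostvars, ['_keystone_pubkey_raw', 'content'])
             | map('b64decode')
             | map('trim')
             | list }}

    # Exactly one host per batch writes authorized_keys on each target, so
    # two delegated writes never race on the same file. Later batches add
    # their own keys to every play host the same way.
    - name: First host in the batch distributes the batch's keys to all play hosts
      authorized_key:
        user: keystone
        key: "{{ item.1 }}"
      delegate_to: "{{ item.0 }}"
      with_nested:
        - "{{ ansible_play_hosts }}"
        - "{{ keystone_pubkey }}"
      when: _keystone_is_first_play_host | bool
```

Two checks worth keeping in mind when adapting this: `ansible_play_hosts` and `ansible_play_batch` drop hosts that failed or were unreachable earlier in the play, so a host that comes back later will not have the keys of batches that ran while it was down and needs another run; and because every host still trusts every other host's key, the `keystone` user should stay a no-login account with a restricted shell, since the keys are only there for the role's file synchronisation.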
This change makes the use of fernet tokens production ready. The changes are
as follows:
* Ensures that the keys are rotated on every playbook execution
* Removes the need to sync keys back to a deployment host when distributing
them to other keystone hosts.
* Creates an autonomous key rotation process that can rotate on the following
intervals [reboot, yearly, annually, monthly, weekly, daily, hourly] to all
hosts from any keystone fernet host.
* Fixes the section in `keystone.conf` which was named "fernet_key" instead
of "fernet_token".
Change-Id: I50f6a852930728631f5c681a8aa0f1321d7424ac
Related-Bug: #1463569
Closes-Bug: #1468256
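One way to express the autonomous rotation described in the change above, using Ansible's cron module, whose `special_time` values are exactly the intervals listed (reboot, yearly, annually, monthly, weekly, daily, hourly). This is an added example, not the os_keystone role's own rotation implementation; it assumes `keystone-manage` is available to the `keystone` user, that the key repository lives at `/etc/keystone/fernet-keys`, that the `keystone` user's SSH trust between keystone hosts is already in place as set up by the role's authorized_key tasks, and the variable names `keystone_fernet_rotation` and `keystone_fernet_peers` are chosen here for illustration.

```yaml
# Added example, not the os_keystone role's own rotation implementation.
# Assumptions: keystone-manage on PATH for the keystone user, key repository
# at /etc/keystone/fernet-keys, keystone_fernet_rotation set to one of the
# cron special times, keystone_fernet_peers listing the other keystone hosts.
- hosts: keystone_all
  vars:
    keystone_fernet_rotation: weekly
    keystone_fernet_peers: "{{ groups['keystone_all'] | difference([inventory_hostname]) }}"
  tasks:
    # Rotate locally, then push the whole repository to every peer in the same
    # cron job so a rotation is never left half-distributed. Only one host may
    # own this entry at a time: two hosts rotating independently would push
    # divergent repositories over each other.
    - name: Rotate fernet keys on this host and push the repository to the peers
      cron:
        name: keystone fernet key rotation
        user: keystone
        special_time: "{{ keystone_fernet_rotation }}"
        job: >-
          keystone-manage fernet_rotate
          --keystone-user keystone --keystone-group keystone
          && for peer in {{ keystone_fernet_peers | join(' ') }}; do
          rsync -a --delete /etc/keystone/fernet-keys/ "$peer:/etc/keystone/fernet-keys/";
          done
      when: inventory_hostname == groups['keystone_all'][0]

    # Remove the entry from every other host so a host that used to be first
    # does not keep rotating after the group membership changes.
    - name: Ensure no other host rotates
      cron:
        name: keystone fernet key rotation
        user: keystone
        state: absent
      when: inventory_hostname != groups['keystone_all'][0]
```

The security-relevant caveat is the gap between rotation and distribution: a token signed with the new primary key is rejected by any peer that has not yet received it, and a peer that misses several rotations will eventually lack a key still within its validity window. Keep the rotation interval longer than the token lifetime and `max_active_keys` in keystone's `[fernet_tokens]` section high enough to cover a few missed syncs.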