Commit Graph

33 Commits

Author SHA1 Message Date
Jonathan Rosser d02d038e94 Remove old pre service setup tasks.
These are now in main_pre.yml and the role should be called separately
with tasks_from targeting all keystone hosts before being called
again with serial: settings appropriate for H/A deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843740
Change-Id: Iecb5567382d27ae6a875f8937f33aa7bb492252e
2022-05-29 16:14:13 +00:00
Jonathan Rosser 19af9dabc8 Use ssh_keypairs role to generate fernet sync ssh keys
This uses ssh signed certificates so there is no longer the need
to distribute the keystone public key from each keystone host to all
other keystone hosts.

The legacy scripts and authorized key files are removed as a
migration step.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292
Change-Id: If39df0cc80860576abac1830d5cfc66ca50fc655
2022-04-04 15:59:10 +00:00
Jonathan Rosser 9e5e81311c Remove bugfix tasks for the Train release
Change-Id: I3c4b05cf9d27ad57a8345519ec7b23465acc4185
2022-01-31 11:01:00 -05:00
James Gibson 5af8175643 Add security.txt file hosting to keystone
If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations
/security.txt and /.well-known/security.txt as defined in
https://securitytxt.org/

Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
2020-12-11 09:59:39 +00:00
Jonathan Rosser da37165600 Remove task to rescue deployments broken by Stein release-candidate
Stein release candidate contained a bug which interfered with existing
keystone fernet keys. This task is no longer required.

Change-Id: I0d830e92bda5e92ee3046e7ac329358e91d941cf
2020-09-24 13:26:48 +01:00
Dmitriy Rabotyagov dcc16da7e2 Define condition for the first play host one time
We use the same condition, which defines which host some "service"
tasks should run against, several times. It's hard to keep it the same
across the role, and Ansible spends additional resources to evaluate
it each time, so it's simpler and better for maintenance to set
a boolean variable which will say for all tasks that we want to run
only against a single host whether they should run or not now.

Change-Id: Iac06d3f02b1c9ee5e3bfbd28043fbb70d8b1d328
2020-09-08 18:20:43 +03:00
Jonathan Rosser 8e1f7f4ad8 Fix loss of fernet and credential keys during Rocky to Stein upgrade
This applies only to source based installations.

The introduction of smart-sources in [1] created a code path
which deletes the /etc/keystone directory before symlinking it
into the keystone venv and creating the necessary config files.

Unfortunately this has the side effect of also deleting any fernet
and credential keys which pre-existed in the case of an upgrade from
Rocky. The original keys were deleted simultaneously across the whole
keystone_all group in a way which makes them unrecoverable in
the absence of a backup taken by the operator.

This change simplifies the smart-sources code to always keep the
keystone config files and fernet keys in the host /etc/keystone.
This ensures that the lifecycle of the fernet keys is not coupled
to the lifecycle of the keystone venvs.

In addition, a task is added to rescue any keys which have been
created in the keystone venv by installations from the Stein
release-candidate.

[1] https://review.opendev.org/#/c/588960/

Closes-Bug: 1833414
Change-Id: Ide611fd3d88e352367220f05dbcf4186ac20319f
2019-06-20 15:46:28 +00:00
Antony Messerli 08ccd4745c Remove keystone directory on source installs
Current behavior only attempts to remove the keystone
directory from the first container and skips
additional containers past the first one.  This
caused upgrades to break as the configs were
still present in any additional containers.

This ensures the keystone directory is removed on
all keystone containers when the install method is
source.

Change-Id: If588f9ed4bc5d0deeb2b9c1bbeea5e9eb5ce7c79
2019-04-27 09:15:59 -05:00
Kevin Carter 62d9f9c10d Cleanup files and templates using smart sources
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. While the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: I93cb6463ca1eb93ab7f4e7a3970a7de829efaf66
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-01-09 18:30:07 -06:00
Kevin Carter ac9d598d33 Add systemd journal logging to the service config
The systemd journal would normally be populated with the standard out of
a service however with the use of uwsgi this is not actually happening
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.

OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>

Change-Id: I943bd5f1ac767f83d853cee09a5857f6f9f0efff
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-26 16:01:29 +00:00
Markos Chandras 473e2d3629 tasks: Ensure /etc/keystone/credential-keys is created on time
We need to ensure that {{ keystone_credential_key_repository }} is
created along with the rest of directories in order to prevent problems
like the following one:

OSError: [Errno 2] No such file or directory: '/etc/keystone/credential-keys'

Depends-On: I5a78e2120e596d36629b4ba978b2b5df76b149b0
Change-Id: I394e069f9cbea7b85e5f6f53e3d3f9f54494dafe
2018-05-10 21:21:59 +00:00
Jesse Pretorius 43d03a03cc Split user create and ssh key generation
In order to allow an install and config split, but not
to have ssh keys left inside a pre-installed container,
the two tasks are split and tagged appropriately.

Change-Id: I468d1178179d70edfe4b19d40a9a32b35ad18258
2017-06-21 06:23:09 +00:00
Jean-Philippe Evrard 559e5a1b44 Remove {{ in when
Cleaning up the warnings like:

[WARNING]: when statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found:
_apache2_module.stdout.find('{{ item.name }} already') == -1

Change-Id: I3180afb2f4a90179df1e3142eda906366ac4c9e8
2017-05-27 20:54:10 +00:00
Jesse Pretorius 2ffe5dbe66 Ensure that ansible facts folder exists
In https://review.openstack.org/452196 the use
of local facts was implemented, but there is no
guarantee that the facts folder exists. If this
is the case then the fact setting fails.

This patch ensures that the fact folder exists
before using it.

Change-Id: Ic0f9ba7406614870f337a965fa70993141e7a357
2017-05-08 21:17:09 +00:00
Logan V 33e5ca3eb6 Fix double when statements
Fixing a bug that introduced duplicate when statements in
Ief28c6bed8daa38120207de61aba327c9fe49d3a.

Change-Id: I189325d2d8de17680a08ab1fefb2fe6628f58612
2017-03-20 11:01:46 -05:00
Logan V 86c42e0697 Allow role to run in a serial playbook
When a playbook runs os_keystone in serial, the SSH and fernet key
distribution are broken. This fixes both items allowing the role
to be run in a serialized playbook.

Change-Id: Ief28c6bed8daa38120207de61aba327c9fe49d3a
2017-03-10 13:11:46 +00:00
Travis Truman a4c5811465 Implementing stricter permissions on config files
The security guide suggests that service config files
should be owned by root and in the service user group with 0640 permissions.

Change-Id: I5dc6e2c44ac5607fc1ff1c9fd2653eb23ef794bf
2017-02-08 09:18:34 -05:00
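The two commits above tighten config-file ownership and mode (root owner, service group, 0640). The following audit script is an added example and is not part of the os_keystone role: it checks every regular file in a config directory against that policy and clamps the mode of any offender. Expected owner and group are passed in as numeric ids so it can run unprivileged; the self-contained demo uses the current user's uid/gid as a stand-in for root:keystone and builds a constructed config directory in a temp dir.

```python
"""Audit service config files for the 'root:<service> 0640' policy.

Added example, not code from the role or from keystone. Owner and group
are supplied as uids/gids by the caller (in production: 0 and the
service group's gid). chown needs root, so harden() only fixes the mode.
"""
import os
import stat
import tempfile

EXPECTED_MODE = 0o640  # rw-r-----: owner reads/writes, group reads, others nothing


def audit_config_file(path, owner_uid, group_gid, mode=EXPECTED_MODE):
    """Return a list of findings for one file; an empty list means it conforms."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        # a link can point anywhere; the target must be audited on its own
        findings.append("is a symlink")
        return findings
    actual = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append(f"owner uid {st.st_uid} != expected {owner_uid}")
    if st.st_gid != group_gid:
        findings.append(f"group gid {st.st_gid} != expected {group_gid}")
    if actual & stat.S_IRWXO:
        findings.append(f"mode {actual:04o} grants access to 'other'")
    if actual & stat.S_IWGRP:
        findings.append(f"mode {actual:04o} lets the group write")
    if actual != mode:
        findings.append(f"mode {actual:04o} != expected {mode:04o}")
    return findings


def audit_directory(dirpath, owner_uid, group_gid, mode=EXPECTED_MODE):
    """Audit every regular, non-symlink file directly under dirpath."""
    report = {}
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if os.path.isfile(path) and not os.path.islink(path):
            report[name] = audit_config_file(path, owner_uid, group_gid, mode)
    return report


def harden(path, mode=EXPECTED_MODE):
    """Clamp the file mode; ownership is left to a privileged deployer."""
    os.chmod(path, mode)


def demo():
    """Build a constructed /etc/keystone look-alike, audit it, fix modes, re-audit."""
    uid, gid = os.getuid(), os.getgid()  # stand-in for root:keystone when unprivileged
    samples = {  # constructed sample files and their (deliberately mixed) modes
        "keystone.conf": 0o640,        # conforms
        "keystone-paste.ini": 0o644,   # world-readable
        "policy.yaml": 0o660,          # group-writable
    }
    with tempfile.TemporaryDirectory() as d:
        for name, mode in samples.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("# constructed sample config\n")
            os.chmod(p, mode)
        before = audit_directory(d, uid, gid)
        for name, findings in before.items():
            if findings:
                harden(os.path.join(d, name))
        after = audit_directory(d, uid, gid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, findings in before.items():
        print(name, "->", findings or "ok")
    print("all conform after harden():", all(v == [] for v in after.values()))
```

Run it as the service-owning user (or as root with real uid/gid arguments) to list which files in /etc/keystone deviate from the policy; the per-finding strings make it easy to tell a world-readable file from a mere group-ownership mismatch.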
Andrey 0c57099367 Change permission for conf folder
According to the security guide config files should not be
reachable by any users except the owner and root.

Change-Id: I5caba528ae85a8209de7637ecfdd9407e10ea0df
2017-01-19 09:21:06 +00:00
Travis Truman d208029342 Ansible 2.x - Address deprecation warning of bare variables
Ansible 2.2 will not allow "bare" variable references
in with_* loops. See https://docs.ansible.com/ansible/porting_guide_2.0.html#deprecated
for details.

Change-Id: I0e14d913a069fa25b90cfd8daf922ae093056203
2016-07-11 08:57:41 -04:00
Jimmy McCrory 44d053c888 Only install to virtual environment
Remove all tasks and variables related to toggling between installation
of keystone inside or outside of a Python virtual environment.
Installing within a venv is now the only supported deployment.

Additionally, a few changes have been made to make the creation of the
venv more resistant to interruptions during a run of the role.
* unarchiving a pre-built venv will now also occur when the venv
  directory is created, not only after being downloaded
* virtualenv-tools is run against both pre-built and non pre-built venvs
  to account for interruptions during or prior to unarchiving

Change-Id: Ic0a0dac84a26aba2ef0ce5410dc7c722570cd410
Implements: blueprint only-install-venvs
2016-07-06 18:42:09 -07:00
Travis Truman 8797fc707a Cleanup/standardize usage of tags
The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config

These tags have been chosen as they are namespaced
and cover the two major functions of the role.

Documentation has been updated to inform how each tag
influences the function of the role.

Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323
2016-05-24 15:51:03 -04:00
Jenkins 71dbfbf03e Merge "Changed the ordering for sudoers where used" 2016-03-07 10:08:13 +00:00
Travis Truman c35ba5fbce Removing unneeded with_items usage for clarity
Change-Id: Ia893b793b308da076124f7b97d1e558feaa39277
2016-03-06 16:31:19 -05:00
Kevin Carter 9e07da8feb Changed the ordering for sudoers where used
The sudoers file was being created in the pre-install tasks
which causes an incorrect configuration variable to be dropped
when the venv env is not turned on. To correct this issue the
sudoers template is now dropped in the post install task file
after the bin_path fact has been set.

This change also removes the directory create task for heat, keystone,
glance, and swift because no sudoers files are needed for these services.

Re-Implementation-Of: https://review.openstack.org/#/c/277674/1
Change-Id: I609c9c12579dc1897787d19a1f58fe3e919b5e35
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-03-03 09:53:14 -06:00
Kevin Carter 7d4cc4a217 Updated role to be an independent role
This change makes it so that the OS_keystone role is an independent
role and can be installed / tested stand-alone.

Implements: blueprint independent-role-repositories
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-02-26 14:13:43 -06:00
Kevin Carter 423d0cfa7d Implement keystone venv support
This commit conditionally allows the os_keystone role to
install build and deploy within a venv. This is the new
default behavior of the role however the functionality
can be disabled.

Change-Id: Ie9e51926c96125a543e05eaa1912684fb01fecda
Implements: blueprint enable-venv-support-within-the-roles
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2015-10-14 13:59:47 -05:00
kevin 2c27b7771e Compartmentalizing RabbitMQ
Presently all services use the single root virtual host within RabbitMQ,
and while this is “OK” for small to mid-sized deployments, it
would be better to divide services into logical resource groups within
RabbitMQ which will bring with it additional security. This change set
provides OSAD better compartmentalization of consumer services that use
RabbitMQ.

UpgradeImpact
DocImpact
Change-Id: I6f9d07522faf133f3c1c84a5b9046a55d5789e52
Implements: blueprint compartmentalize-rabbitmq
2015-09-11 11:08:50 -05:00
Miguel Grinberg 0f3dcf6e0e Keystone Federation Identity Provider Configuration
This change adds the bits necessary to configure Keystone as an
identity provider (IdP) for an external service provider (SP).

* New variables to configure Keystone as an identity provider are now
  supported under a root `keystone_idp` variable. Example configurations
  can be seen in Keystone's defaults file. This configuration includes
  the location of the signing certificate, authentication endpoints and
  list of allowed service providers.

* xmlsec1 is installed in the Keystone containers when IdP configuration
  is enabled.

* The IdP metadata and signing certificate are generated and installed.

Implements: blueprint keystone-federation
Change-Id: I81455e593e3059633a55f7e341511d5ad9eba76f
2015-07-23 20:46:52 +01:00
Andy McCrae 1ee26028ee Adjust SSH key creation method for Keystone
This patch ensures that the authorized_keys ansible module, as well as
the built-in "generate_ssh_keys" flag for user creation, are used so that we can
avoid using shell-out commands.

Additionally, this moves the key synchronisation to use ansible
variables instead of the memcache server.

Change-Id: I0072b8d0977ab9aea10dd95080756f6864612013
Closes-Bug: #1477512
2015-07-23 14:15:40 +01:00
kevin 88fe59f04d Updated default fernet key usage
This change makes the use of fernet tokens production ready. The changes are
as follows:
  * Ensures that the keys are rotated on every playbook execution
  * Removes the need to sync keys back to a deployment host when distributing
    them to other keystone hosts.
  * Creates an autonomous key rotation process that can rotate on the following
    intervals [reboot, yearly, annually, monthly, weekly, daily, hourly] to all
    hosts from any keystone fernet host.
  * Fixes the section in `keystone.conf` which was named "fernet_key" instead
    of "fernet_token".

Change-Id: I50f6a852930728631f5c681a8aa0f1321d7424ac
Related-Bug: #1463569
Closes-Bug: #1468256
2015-06-30 09:54:31 -05:00
Ian Cordasco 9e4a02482d Add support for deploying Keystone with Fernet
This change adds a number of new tasks that are dependent on the value
of the Keystone token provider (keystone_token_provider) user variable.

If the keystone_token_provider user_variable is set to
keystone.token.providers.fernet.Provider then the playbooks will
appropriately create the fernet keys and distribute them to the rest of
the keystone containers.

This also implements key rotation for generated fernet keys similar to
how the os_nova roles implement key rotation.

Finally, we also need to build cryptography from master for now.
Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug
when used with mod_wsgi and Apache. This is fixed in cryptography master
and will be released in 1.0.

Closes-bug: 1463569
Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab
2015-06-22 08:53:53 -05:00
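The two fernet commits above ("Add support for deploying Keystone with Fernet" and "Updated default fernet key usage") introduce key generation, distribution and periodic rotation. The block below is an added illustration of the rotation scheme, written here in plain Python; it is not keystone's or the role's code. It keeps the repository as an in-memory dict instead of /etc/keystone/fernet-keys, and tokens are HMAC-tagged blobs standing in for real Fernet tokens. The key numbering follows keystone's convention: key 0 is the staged key (validates only), the highest number is the primary (issues tokens), and the keys in between are retired primaries kept so that tokens they issued still validate. `max_active_keys` corresponds to the keystone.conf `[fernet_tokens]` option of that name.

```python
"""Simplified keystone-style fernet key rotation (added example, not
keystone code). Shows why a token stops validating once the key that
issued it has been purged, which is what ties max_active_keys to the
rotation interval and the token lifetime.
"""
import base64
import hashlib
import hmac
import os

STAGED = 0  # index of the staged key: never issues, only validates


def new_key():
    """32 random bytes, urlsafe-base64 encoded: the same shape as a fernet key."""
    return base64.urlsafe_b64encode(os.urandom(32))


def init_repository():
    """A fresh repository holds a staged key 0 and a primary key 1."""
    return {STAGED: new_key(), 1: new_key()}


def primary_index(repo):
    return max(repo)


def rotate(repo, max_active_keys):
    """Promote the staged key to primary, stage a fresh key, then purge the
    oldest retired primaries until at most max_active_keys keys remain
    (the staged key counts). Returns the index of the new primary."""
    if max_active_keys < 2:
        raise ValueError("need room for at least a staged key and a primary")
    promoted = primary_index(repo) + 1
    repo[promoted] = repo.pop(STAGED)  # staged key becomes the new primary
    repo[STAGED] = new_key()           # stage a key for the next rotation
    retired = sorted(i for i in repo if i != STAGED)  # ascending: oldest first
    while len(repo) > max_active_keys:
        del repo[retired.pop(0)]       # drop the oldest retired primary
    return promoted


def validation_order(repo):
    """Order a validator tries keys in: primary first, staged key last."""
    return sorted(repo, reverse=True)


def issue_token(repo, payload):
    """Tag the payload with the primary key (stand-in for Fernet encryption)."""
    key = repo[primary_index(repo)]
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def validate_token(repo, token):
    """Try every key in validation order, as MultiFernet does. Returns the
    payload, or None once the issuing key is no longer in the repository."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-32], raw[-32:]
    for idx in validation_order(repo):
        expected = hmac.new(repo[idx], payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return payload
    return None


def demo(max_active_keys=3):
    """Issue one token, rotate three times, record the key set and whether the
    token still validates after each rotation."""
    repo = init_repository()
    token = issue_token(repo, b"user=demo;project=demo")  # constructed payload
    history = [sorted(repo)]
    still_valid = []
    for _ in range(3):
        rotate(repo, max_active_keys)
        history.append(sorted(repo))
        still_valid.append(validate_token(repo, token) is not None)
    return history, still_valid


if __name__ == "__main__":
    for keys, ok in zip(*demo()):
        print("keys:", keys, "token valid:", ok)
```

With `max_active_keys = 3` the key set evolves 0,1 then 0,1,2 then 0,2,3 then 0,3,4, so a token issued under key 1 survives exactly one rotation. Rotating on a schedule shorter than the token lifetime therefore needs a correspondingly larger `max_active_keys`, and because every host validates with the same repository, the distribution step has to complete before the next rotation.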
Kevin Carter d2bff403bd Updated ldap config to support multi domain
Enables default domain support using ldap. This change moves the
ldap config to the default domain and enables domain specific
drivers.

Change-Id: I85f6610a25617fdea1fc216b53df0ab30260fed9
Closes-Bug: 1447768
2015-05-08 18:18:46 +00:00
Kevin Carter 9f68cf8781 Convert existing roles into galaxy roles
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.

Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
  simplistic approach. This change duplicates code within the roles but
  ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
  Openstack practices.
* Dynamically generated inventory is now more organized, this should assist
  anyone who may want or need to dive into the JSON blob that is created.
  In the inventory a properties field is used for items that customize containers
  within the inventory.
* The environment map has been modified to support additional host groups to
  enable the separation of infrastructure pieces. While the old infra_hosts group
  will still work this change allows for groups to be divided up into separate
  chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
  variables extracted into the separate file
  etc/openstack_deploy/user_secrets.yml in order to allow separate
  security settings on that file.

Items Excised:
* All of the roles have had the LXC logic removed from within them which
  should allow roles to be consumed outside of the `os-ansible-deployment`
  reference architecture.

Note:
* the directory rpc_deployment still exists and is presently pointed at plays
  containing a deprecation warning instructing the user to move to the standard
  playbooks directory.
* While all of the rackspace specific components and variables have been removed
  and/or were refactored the repository still relies on an upstream mirror of
  Openstack built python files and container images. This upstream mirror is hosted
  at rackspace at "http://rpc-repo.rackspace.com" though this is
  not locked to and/or tied to rackspace specific installations. This repository
  contains all of the needed code to create and/or clone your own mirror.

DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
2015-02-18 10:56:25 +00:00