Commit Graph

88 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov eea1a4853f Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.

With that we also update metadata to reflect the current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
2023-07-14 20:44:53 +02:00
Damian Dabrowski 6661a9dab7 Rename keystone_ssl to keystone_backend_ssl
To standardize the variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.

Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.

Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
2023-04-08 12:53:10 +00:00
Zuul ddcca32393 Merge "Bootstrap when running against last backend" 2022-09-24 19:19:53 +00:00
Zuul 3b4fc2e9aa Merge "Add the option to deploy keystone without apache" 2022-09-20 20:52:18 +00:00
Dmitriy Rabotyagov 7868766202 Bootstrap when running against last backend
When deploying keystone for the first time, the aliveness check inside
service_bootstrap cannot succeed for a multi-node setup, as the playbook
will disable the current backend. So we need to bootstrap the host only
when running against the last host in the play. We also should make sure
that the following tasks will not fail when running against the first ones.

Closes-Bug: #1990008
Related-Bug: #1989326
Change-Id: Ifa9a79c34265b225a5e24c30cae47d3f0fa0739f
2022-09-19 14:11:31 +00:00
Erik Berg f28a1cc0a2 Remove redundant vars line
This line was introduced by Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
for centos-7 support, and should already be covered by the
distribution_major_version line above.

Change-Id: I87dbc866f63cd1240dd0049b5b30a1339e1b1e34
2022-09-14 10:56:02 +02:00
Kevin Carter 3928511919 Add the option to deploy keystone without apache
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use-cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
2022-09-08 14:35:49 -05:00
Jonathan Rosser d02d038e94 Remove old pre service setup tasks.
These are now in main_pre.yml and the role should be called separately
with tasks_from targeting all keystone hosts before being called
again with serial: settings appropriate for H/A deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843740
Change-Id: Iecb5567382d27ae6a875f8937f33aa7bb492252e
2022-05-29 16:14:13 +00:00
Jonathan Rosser e667befb70 Set pki_dir when keystone calls the pki role
This is needed to use the deployment wide location for the CA and
certificate store.

Change-Id: I1b9658a7ef4efc66c9ad5636474a19302589ecfb
2022-05-04 13:20:36 +01:00
Jonathan Rosser 14a2bd072c Migrate ssl certificate generation to the PKI role
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.

This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.

A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
2022-03-10 09:58:39 +00:00
Dmitriy Rabotyagov cb7eaa7ce3 Use uwsgi role for keystone
Instead of having our own implementation of uwsgi, use the common role.

This allows us to reduce the amount of code to maintain and eases
providing fixes and features to the uwsgi deployment code.

Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
2022-02-09 12:10:18 +02:00
Zuul 3b401d7610 Merge "Use common service setup tasks from a collection rather than in-role" 2022-01-14 10:30:21 +00:00
Jonathan Rosser 0985cfa47d Use common service setup tasks from a collection rather than in-role
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/824115
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/821093/7
Change-Id: I09f9fda3699ece3300a666d0c103da4e022d70e2
2022-01-13 11:26:37 +00:00
Jonathan Rosser a9c453bb64 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I51e629ad111b90877ce3ee3ee0353be687f41d35
2022-01-12 08:30:36 +00:00
Dmitriy Rabotyagov 4e27667dd2 Drop keystone_default_role_name
This variable has no effect and is not really used anywhere.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822998
Change-Id: Ic46ee2a55c464be521ef79a781957633ccdae57b
2021-12-27 13:05:24 +02:00
Dmitriy Rabotyagov eb9a0c6cea Drop Nginx webserver support
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-22 10:36:35 +00:00
Dmitriy Rabotyagov 700730dfd9 Use common name for service project description
Since the `service` project is shared, it's confusing to have the same naming as
for service_catalog. We add the variable
`keystone_service_project_description` that will be used specifically
for the `service` project description.

Change-Id: I33a88f3782d7cf334ad878e57b07d09dcd77842c
2021-04-23 10:40:53 +03:00
Jonathan Rosser 489c169874 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I8721b4fa97b41fb0c92f9eb99b61d31634e9aac6
2021-02-23 18:06:10 +00:00
Zuul abb27c8d5c Merge "Move keystone sp_idp setup to its own tasks file" 2020-12-04 22:40:03 +00:00
Zuul ae94a86230 Merge "Adding tags to federated openid support using auth_mod_openidc" 2020-12-01 18:02:34 +00:00
siavashsardari fc7d16879e Adding tags to federated openid support using auth_mod_openidc
Closes-Bug: 1906108
Change-Id: I233d79c8eb82553156880dc7e437e4833a306ac0
2020-11-28 17:52:13 +03:30
Jonathan Rosser dd231cc71c Move keystone sp_idp setup to its own tasks file
This must be done after DB migrations are complete so the
role can be run a second time taking tasks_from this file.

Change-Id: I9f6161d8184d60a765fb72eb53d32664aa298441
2020-10-29 17:49:02 +00:00
Dmitriy Rabotyagov dcc16da7e2 Define condition for the first play host one time
We use the same condition, which defines which host some "service"
tasks should run against, several times. It's hard to keep it the same
across the role, and Ansible spends additional resources to evaluate
it each time, so it's simpler and better for maintenance to set
a boolean variable which tells all tasks that should run only against
a single host whether they should run now or not.

Change-Id: Iac06d3f02b1c9ee5e3bfbd28043fbb70d8b1d328
2020-09-08 18:20:43 +03:00
Jonathan Rosser 3e0b1ae0af Use the utility host for db setup tasks
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.

Depends-On: https://review.opendev.org/744453
Depends-On: https://review.opendev.org/744881
Change-Id: Ie52799cc2129b6e36b99ee65b237bb04a8edf18f
2020-08-05 10:39:46 +00:00
Georgina 47fe909d54 Federated openid support using auth_mod_openidc
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined shibboleth auth module will continue to be
installed by default maintaining backward compatibility.

This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.

Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
2020-01-31 11:28:38 +00:00
Dmitriy Rabotjagov ed1344cfdc service_setup: refactor service setup to a single file
This patch refactors the openstack user/service/endpoints creation to
service_setup.yml which will eventually be managed by
openstack-ansible-tests.

Change-Id: I4f6aa37a5290bd9fcdc732ab502ef66ea3df7ff7
2019-06-28 19:58:54 +01:00
Dmitriy Rabotjagov a2783e4e3f Convert dynamic includes to static imports
When task/role files are included using include_tasks, tags are not
passed to the included tasks. As a result, tags like neutron-config
do not have the intended effect. This patch changes include_tasks
to import_tasks for all cases where dynamic vars or loops are not used
so that tags are properly handled.

Reference -
https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse.html
https://bugs.launchpad.net/openstack-ansible/+bug/1815043

Depends-On: https://review.opendev.org/665244/
Change-Id: I99cf83ef6bf99f23cdbe9d141c6bcf921e81265f
2019-06-28 12:28:51 +03:00
Mohammed Naser 4ea410ffcd db_setup: refactor database setup to a common file
This patch refactors the database creation to db_setup.yml which
will eventually be managed by openstack-ansible-tests.

This also re-orders the mq_setup to be done earlier so these system
level dependencies are ready before service activation.

We have been using run_once only for the keystone role. As we have a
keystone group in the inventory, we are replacing run_once with the
conditionals to match the pattern across all the other roles.

Change-Id: Idb5ea861a87fe077f7c716f1157acd8e39257c5b
2019-06-27 12:36:50 +00:00
Bjoern Teipel 3afb763c10 Execute the keystone db setup earlier in the process
As the keystone credential_migrate command can access
the keystone database in cases where the os_keystone role
stopped prematurely, the db setup playbook is moved
in front of the `keystone_credential_create.yml` playbook
to prevent a race condition.

Change-Id: I8c89be0ffb4f23b79c0463bff2eb135b9769eb2a
Closed-Bug: #1829438
2019-05-26 06:43:26 +00:00
Mohammed Naser 23917bd69a ldap: include tasks only when configuration is provided
Instead of including the tasks and then skipping them all because
we have no LDAP configuration provided, we avoid including it at
all.

Change-Id: I1480045e9ecc5611fa1b97ae4c4ae3097a42eb9e
2018-12-29 14:57:53 -05:00
Jesse Pretorius 3a6a55b8d0 Ensure that LDAP config is deployed on all keystone hosts
In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
for the setup of the domain was mistakenly applied to all tasks
including laying down the template.

This patch moves the conditional which ensures the domain is setup
on the first host to the task in question to ensure that everything
is good and well with the world again.

Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
Closes-Bug: #1804827
2018-11-28 11:43:14 +00:00
Mohammed Naser c406a5cb24 Drop UUID token tasks
Fernet is the new standard and UUID tokens were removed in Rocky.

Change-Id: I6a5554dec3abfd148e3e8e3c74274a46239d16b4
2018-11-02 21:46:04 +01:00
Mohammed Naser 97f47677f4 Drop deprecated memcached settings
Change-Id: I25616c5575827425fe42e9265f492fd1fca68735
2018-11-02 21:41:14 +01:00
Zuul 87b26ee54f Merge "Implement LDAP domains using last keystone host" 2018-10-09 17:08:53 +00:00
Andy Smith cdf1c02364 Update messaging configuration
This patch removes the conditional inclusion of messaging sections
of the service configuration.

The patch conditionally selects the notifier driver.

Change-Id: If7b8ebe285614e7140b11631d8665bdfd1acece7
2018-09-22 10:12:30 -04:00
Jesse Pretorius 096ed19665 Implement LDAP domains using last keystone host
To ensure that the domains can be created, we only execute
the tasks on the last member of the keystone_all group so
that the load balancer has at least one other host to work
against.

We also replace the OSA keystone module in the task with
the standard Ansible module, and delegate the task to the
service setup host.

Change-Id: I66ed21cdcf42d0c2012062c8cf74305fecbec312
2018-09-18 17:44:48 +01:00
Jesse Pretorius 09ec0890a4 Allow tags to be used for MQ tasks
The use of 'include_tasks' and a loop of variables creates
a situation where a user is unable to use tags to scope the
inclusion of only the MQ tasks when running the playbooks.

The use-case this is important for is when the rabbitmq
containers are destroyed and rebuilt in order to resolve
an issue with them, and the user wishes to quickly recreate
all the vhosts/users.

Ansible's 'include_tasks' is a dynamic inclusion, and dynamic
inclusions are not included when using tags. The nice thing
about dynamic inclusions is that they completely skip all
tasks when the condition does not apply, cutting down deploy
time. However, given the use-case, we should rather take on
the extra deployment time.

This patch changes the dynamic inclusion to a static one,
adds a 'common-mq' tag to cover all MQ implementations,
and re-implements the 'common-rabbitmq' tag for the tasks
that relate to RabbitMQ specifically.

It also implements conditionals for each task set so that
the rpc/notify tasks can be skipped if a vhost/user is not
required for that purpose (eg: swift does not use RPC, and
most roles will not use notifications by default).

Depends-On: https://review.openstack.org/588191
Change-Id: I559062788264ed54b0a21b678f420f8d33d2c663
2018-08-07 14:24:27 +01:00
Jesse Pretorius cf37e8428f Use run_once instead of a group that does not exist
The var keystone_services['keystone-api']['group'] is not defined.
While I have no idea why the task wasn't failing outright due to
that, it was having some rather unwanted side-effects - like running
on all keystone containers.

Given that keystone only has one group, we can just use run_once
instead.

Change-Id: Iad494d503bb04741b3b0ea461d8a9ce1988b24c7
2018-07-24 18:42:55 +01:00
Jesse Pretorius be125ad03b Move MQ vhost/user creation into role
There is no record for why we implement the MQ vhost/user creation
outside of the role in the playbook, when we could do it inside the
role.

Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.

In this patch we implement two new variables:
- keystone_oslomsg_rpc_setup_host
- keystone_oslomsg_notify_setup_host

These are used in the role to allow delegation of the MQ vhost/user
setup for each type to any host, but they default to using the first
member of the applicable oslomsg host group.

We also adjust some of the defaults to automatically inherit existing
vars set in group_vars from the integrated build so that we do not
need to do the wiring in the integrated build's group vars. We still
default them in the role too for independent role usage.

Change-Id: I62fb8fc1390402aaee2057833c510a9827fd5292
2018-07-17 22:05:29 +01:00
Jesse Pretorius 67bf87f330 Execute service setup against a delegated host using Ansible built-in modules
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.

The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.

With the dependent patches, the openstack_openrc role is now executed once
on the designated host, so it is no longer required as a meta-dependency for
the role.

Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Depends-On: https://review.openstack.org/580156
Change-Id: I8f193d5f6f1f6020b23a4c4eebf3ad537d61e0b7
2018-07-13 19:01:59 +00:00
Markos Chandras 1460a23423 Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.

Depends-On: I5a78e2120e596d36629b4ba978b2b5df76b149b0
Depends-On: Ib64dcbc960df7d369d202ce8cf7bdc29b3ee0e0a
Depends-On: Id9dd2dea146709414ab9ce8d439f1587e6776fd4
Depends-On: I2ba89e25c0010c9a5b515a3d0c9c731b30876e74
Depends-On: I0442b0aa94c3d0882d1118ad0c824d123bd21c88
Change-Id: I26848678dd07a409ef3e159cffb4ba6f0a228ab4
Implements: blueprint openstack-distribution-packages
2018-05-14 13:13:41 +01:00
Major Hayden b7b9db7bb4 Change include: to include_tasks:
This removes warnings in Ansible 2.4+.

The patch also removes "static:" from the playbooks since that
argument is no longer used by Ansible.

Change-Id: I6e5fcbccd4239db73de20e640a3423d1a2333bbe
2018-02-15 10:24:39 -06:00
Jean-Philippe Evrard ab66ca247e Fix memcache caching w/ multiple cache servers
We found a bug recently where either oslo.cache or python-memcached
aren't using the `backend_argument` properly with more than one
memcached server defined. Until we get the memcached client libraries
figured out, `memcache_servers` works just the same for a single
memcached instance and it works defined with a ring of memcached
instances.

The current variable used for the directive memcache_servers was
pointing to localhost servers, that were historically used for
UUID token cache. Only the ``keystone_cache_backend_argument``
has the right list of servers, but the variable's content is
already formatted to match the cache_backend_argument directive,
and therefore needs editing to be used in ``memcache_servers``.

This is far too fragile, and simplification was needed. This
patch moves to a new variable (with a graceful deprecation
cycle), ``keystone_cache_servers``, a simple list containing the
servers.

The variable ``keystone_memcached_max_compare_and_set_retry``
wasn't used and was therefore removed too.

Related-Bug: 1743036
Closes-Bug: 1681695
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>

Change-Id: I85ebce8b41dd440e1866a08aa1329b3df798c04f
2018-01-29 09:40:12 +00:00
Jesse Pretorius c2c328279b Correct keystone-doctor tag name
Running keystone-doctor should only be done in the
config stage. It makes no sense to run when using
any other tag in isolation.

Change-Id: I782d8a9529ca32ccd413504b13c34cf1f972260d
2018-01-16 12:37:25 +00:00
Zuul ac278ff6ed Merge "Remove keystone_token_driver variable" 2017-12-04 14:47:48 +00:00
Jimmy McCrory 8019b5c190 Remove keystone_token_driver variable
The memcache token driver was removed in Ocata and the only valid option
is sql, which is only used when keystone_token_provider is uuid.

Change-Id: I1db15e2553893b74d3f7d57d4d50ca2052be04e4
2017-11-28 10:35:03 -08:00
Jimmy McCrory 3e4fe9d4ce Remove old fact cleanup tasks
The old fact and fact file were removed in the initial release of Pike
so these tasks shouldn't be necessary in upgrades to or new deployments
of Queens.

Change-Id: Id1e725e21c93f5b0efa734b2cddb6b22423d983a
2017-11-28 09:21:45 -08:00
Jesse Pretorius 84af640aa0 Switch to using Nginx/uWSGI by default
This patch implements the use of uWSGI exclusively,
always with a web server acting as a reverse proxy.
It removes the option of using uWSGI with Apache
and mod_wsgi.

In the case of Keystone being used in a Federated
Service Provider configuration, it will use Apache
as the web server but for all other environments
it will use Nginx instead.

Change-Id: If6e95fc0d3f7d34780db1aed2b8cedca87499934
2017-06-29 16:42:36 +00:00
Jesse Pretorius 2076de5b49 Use run_once instead of inventory scoping
By using run_once we avoid skipped tasks and
instead the tasks are filtered way earlier.
For situations where we absolutely need to
execute something on a particular host, we
delegate to that host instead.

This works better when using limits and is
more efficient.

Change-Id: Id2034562b3e26da56c36dd88badddf1a3b623e20
2017-06-24 17:27:35 +00:00
Jesse Pretorius aad8144bfb Implement serialisable rolling upgrade
The current rolling upgrade implementation
relies on the role to orchestrate the rolling
upgrade. When the role is executed using
playbook serialisation, the db sync contract
is executed before all hosts are upgraded,
potentially resulting in data corruption.

This patch returns the role to the simpler,
best practice model of expecting that the role
is applied to a single host and that the
playbook handles orchestration. This method
can be used with any form of serialisation.

Depends-On: Ie90cdcbf9e73082a2074c8832b7490d188e178af
Change-Id: I5650f16b9a115bd392012b743788057a94d09226
2017-06-19 19:32:45 +00:00