If the package is not installed it's not possible to validate the
TLS cert of the ldap-server.
This package went from depends to suggests in the jammy release.
Change-Id: Ia9e2e35d3898727af67c4d07115bad6d0582dda4
To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use-cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
The python_venv_build role is responsible for setting up the build
environment for python wheels, so this role should not install
python development packages.
Change-Id: I0958bdb0b4a04d3398fc2c42f10d54cc7c30f0f8
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify code and reduce the maintenance effort needed.
Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
While shibboleth and mod_auth_openidc can theoretically be co-installed
now, unfortunately the shibboleth enabled configuration will cause
issues when using mod_auth_openidc.
As we only drop the configuration for one of these apache mods at a time
I have decided that it is best we only support one of these packages
being present at any time to avoid conflicts.
Change-Id: Ib0ebf1711db42dd00b3e14c1e5604fed2632437d
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined, the shibboleth auth module will continue to be
installed by default maintaining backward compatibility.
This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.
Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
The use of nginx-full causes a service restart on package update
which brings down the keystone endpoints.
Change-Id: Ic9cc341edb6f2f0ba76bd301c9782fbcc5951544
Related-Bug: 1847395
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi python3
plugin.
The keystone package includes a dependency on apache2, so python3-keystone
should be used instead.
Change-Id: Idbef95bc115755994156ab0fee7538370392e67d
The uw_apache test was run against xenial, which is not currently
supported, so the job was updated to run on the bionic nodeset.
We also need to enable proxy_uwsgi for debian based distros.
Co-Authored-By: Guilherme Steinmuller Pimentel <gsteinmuller@vexxhost.com>
Co-Authored-By: Marc Gariépy <gariepy.marc@gmail.com>
Change-Id: Ibff3aa2a1ac1bbf2493aaf2419ee1e4dd763934c
This patch adds support for this role to be able to deploy on
Debian Stretch.
Change-Id: I97bcfacc55b8afcda6792dd19e7f947cdec38ce4
Needed-By: I9a92b73c419a0dc1cca40dacfef75de61a61db94