* Update openstack-ansible-os_barbican from branch 'master'
to ea5e1adf63ee9f1cd3334d1e0b3288edc9cd7894
- Add quorum support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
Change-Id: Ia51971c077cef647c3d4e07d6cbc14b7bac70788
* Update openstack-ansible-os_barbican from branch 'master'
to d461cff5dbe95a3cefb81b38ccc2dacef56f67ea
- Merge "Use proper galera port in configuration"
- Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: I707dd7ccaa112cc11c3ee32c3fc8029352c8649a
* Update openstack-ansible-os_barbican from branch 'master'
to 1f95cd900e741abcd91bea244a0432695e022a00
- Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: I4585a4aad7acf48080e6b2d73bf3e0c2e0dfbff7
* Update openstack-ansible-os_barbican from branch 'master'
to 4f785b4e5f1805824f86c431c2e209e4e2f42b24
- Add TLS support to barbican backends
By overriding the variable `barbican_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the barbican backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I68abd8b2c63231ece3b7184d6e52168cee5ce3d1
* Update openstack-ansible-os_barbican from branch 'master'
to f1e6a2448df41b83215242ca863f55deff966940
- Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.
We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: Id81230eb8b26f7c666d053d70230149fa93c7822
* Update openstack-ansible-os_barbican from branch 'master'
to e697ab839302407b8c93baf232e3a819c29b7569
- Merge "Add /healthcheck to main"
- Add /healthcheck to main
With [1] we've updated barbican api paste file and added healthcheck
bit. However, it was missed to add /healthcheck to main, so it was not
working at the end.
[1] 78a1984517
Change-Id: I7d61d990b973bea538c7ca2ae059f8bea1bb2039
* Update openstack-ansible-os_barbican from branch 'master'
to 4ed71191250b0e15cce4183bccff8d5d4d9890f9
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I629dbe6b0cacc767653ca7ee988e5e931708cc55
* Update openstack-ansible-os_barbican from branch 'master'
to 78a1984517b6164dd92a9e23c81b78c18db17459
- Update barbican api paste
We've used quite old version of api-paste file for Barbican that
did not support microversion or healthcheck.
Change-Id: I612315a459e891725850743e0af20e7934319577
* Update openstack-ansible-os_barbican from branch 'master'
to 27ecbea2b786876f402e4fbb51669858de62a45a
- Remove redundant vars line
This line snuck in with I8efdef7687c46d490e0f7a7a00a7f1ca6c32289f
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: Idbe06bb3a799ab3043a6356903d37896a3d3010a
* Update openstack-ansible-os_barbican from branch 'master'
to 891a9a7ad660b8874982ee59d7b9793122ab5399
- Entrust nCipher Connect HSM Backend Example
This patch updates Barbican documentation to reflect a
working nCipher Connect HSM backend configuration. Out of
scope are the Security World software install and any changes
to cknfastrc that might be required or necessary.
Change-Id: I0c7ddb7dad74efc0bc932f9a8600661b775a952a
* Update openstack-ansible-os_barbican from branch 'master'
to cb6c38ab92e8f9df1b7e22e50286e62e7904963e
- Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I6a5e16a4fc2a81dedc4bc459f13ac7781292f5a8
* Update openstack-ansible-os_barbican from branch 'master'
to e5e1a59e05df9f09e21e13d4bec9056b0a93accd
- Switch sphinx language to en
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None value is not valid and should
not be used.
Change-Id: Iab6ae5aad622051222816985aabecf5a01aacb8f
* Update openstack-ansible-os_barbican from branch 'master'
to 836abe3eb47aa7018287c7d654ad0813e996529f
- Merge "Remove SSL variables which appear to be unused"
- Remove SSL variables which appear to be unused
Whilst enabling TLS v1.3 in other roles these variables were noted
which don't appear to be used anywhere in the role.
Change-Id: I6b06486328ec0af05a17272be99a14911be9f4f7
* Update openstack-ansible-os_barbican from branch 'master'
to d82bd1c08de88eaddb5d496bd7e3378be77ef5f4
- Merge "Use common service setup tasks from a collection rather than in-role"
- Use common service setup tasks from a collection rather than in-role
Change-Id: Icbb2be9eda5d53c4262a36d7849defc3bf8fffad
* Update openstack-ansible-os_barbican from branch 'master'
to eba6d98dc963970b6043bb7aef877baf00f03ab9
- Merge "Refactor use of include_vars"
- Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I8efdef7687c46d490e0f7a7a00a7f1ca6c32289f
* Update openstack-ansible-os_barbican from branch 'master'
to 7fc659b0dd9d415c72d2bca8af4c5c773e91f288
- Do not install python development packages
The python_venv_build role is responsible for setting up the build
environment for python wheels so this role should not install
python development packages
Change-Id: Ice9f3b1484323b611bb12eb6cdc6a6f1f1dfee95
* Update openstack-ansible-os_barbican from branch 'master'
to 3e642f2f72ce63c506667d30ce058db460479859
- Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ic58f085c8b1250b1db831fa8c74215abd2519704
* Update openstack-ansible-os_barbican from branch 'master'
to f34ec895b9a1b8a320e85a1b26e00a0cb4078bfc
- Use config_template as a collection
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: I59d063df6b8e165bc1f1026562a0f0be45f1feaf
* Update openstack-ansible-os_barbican from branch 'master'
to 8dbcc8d0ca5260a08c02744ad54bb6fca64ba9c8
- Merge "Refactor galera_use_ssl behaviour"
- Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: Ia55488a9fcc6b2824276bf824197ae8ea7af0177
* Update openstack-ansible-os_barbican from branch 'master'
to 5f57e71ed8aec90e88d3fa84cda38bf2acb414f1
- Changed minversion in tox to 3.18.0
The patch bumps min version of tox to 3.18.0 in order to
replace tox's whitelist_externals by allowlist_externals option:
https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23
Change-Id: Ie0ecf45a31353957132e743a05a794be967bb124
* Update openstack-ansible-os_barbican from branch 'master'
to 05c5ab38e430654ea5093960e995ef5fc79e784c
- Allow to symlink barbican_user_libraries
When barbican uses PKCS#11 crypt plugin, libCryptoki2 library tends to
search for Chrystoki.conf inside /etc by default. At the same time it's
tricky to place file there at once since appropriate permissions not
always could be set for files that reside directly in /etc.
As a workaround to this Chrystoki.conf can be placed inside /opt and
symlinked to /etc to satisfy library.
Change-Id: I6267d3b65f514c4ad4cb5494f111463e685b6fbb
* Update openstack-ansible-os_barbican from branch 'master'
to 9375d4d1d673209c96f85a8863532003f5b82ec5
- Replace linters test with integrated one
We've created integrated linters check job a while back and it's successfully
working for several releases. At the moment we experience difficulties
with future maintenance of the linters check from the openstack-ansible-tests
repo. So instead of fixing current one, we replace it with modern version of
the test.
Change-Id: I5fd4c274a43fb161b6b5996c75d14de415e72d45
* Update openstack-ansible-os_barbican from branch 'master'
to b17610891d1a853ffa5a2a0d3676022c1698a202
- Merge "[goal] Deprecate the JSON formatted policy file"
- [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML [1], we need to replace policy.json with
policy.yaml and remove deprecated policy.json.
config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I9d26b1b4a14360a8b38d6df19621b474c6391de9
* Update openstack-ansible-os_barbican from branch 'master'
to 5f62076c0e0c6aca07fa19dd3c7775000de31c3f
- Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654
Change-Id: I45f7032da03ae5b74924b8d1355ed3f72a0830aa
* Update openstack-ansible-os_barbican from branch 'master'
to a3ba2ef0ae2cb5816012cd4c0a0d3c6f67113523
- Merge "Remove references to unsupported operating systems"
- Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Ibf3f1c2670288aa00469126d2ce74ac00954094a
* Update openstack-ansible-os_barbican from branch 'master'
to d681cd30fc12e389e776d40755ee86047069839e
- [doc] Add barbican configuration page
We add some extra description about how barbican configuration
can be done, with samples of integrations configs for PKCS#11 and
Vault store backends.
Change-Id: I985810384f2296484d2dbbe17a93dddece62ce09
* Update openstack-ansible-os_barbican from branch 'master'
to 67b35126134cf140409e99e7b508e2ca14e86f05
- Merge "Move barbican pip packages from constraints to requirements"
- Move barbican pip packages from constraints to requirements
This is necessary to support the new pip resolver
Change-Id: I2ce8e7494dc367bd64fb36947ebce0e7c949c493
* Update openstack-ansible-os_barbican from branch 'master'
to 23600cb468d818558ba853bf7f0704817012d2e1
- [reno] Stop publishing release notes
Since we copy all release notes to the integrated repo there is no need
in publishing release notes for each repository. We should only verify their
validity and linting.
Change-Id: I88ece478298b2db9ad528c153f9f8c3348c50e18
* Update openstack-ansible-os_barbican from branch 'master'
to f43f76e27a5b83e0c1bf2b3ce686f1e80afba3fb
- Use global service variables
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.
Change-Id: Idea74ec31c3a5a9edbf9f32b81563256e0d496b9
* Update openstack-ansible-os_barbican from branch 'master'
to ddf65cdc3ef44b534cbbb713ae5228368ec31855
- Merge "Add deployment of the external libraries"
- Add deployment of the external libraries
Deployment of user libraries might be needed for interaction of PKCS#11 module
with external HSM solutions.
Change-Id: I0a0754052a0d48792322243341171593bbbd1a41
* Update openstack-ansible-os_barbican from branch 'master'
to 34c28b79f92c7c958a159543190c42db863e1fa3
- Merge "Allow multibackend support for Barbican"
- Allow multibackend support for Barbican
This patch introduces 2 new variables that are designed to help deployer
with barbican configuration. They are designed to support multibackend
configuration of the barbican while default behavior should not change.
Change-Id: I3369c4254f3b48f12ed9731f18d980044e6d0b43
* Update openstack-ansible-os_barbican from branch 'master'
to 4b546feb6a786829fd771f8ff935c8815da6aa97
- Merge "Clean up barbican.conf"
- Clean up barbican.conf
Drop out default or misconfigured variables from barbican.conf to
make config file readable.
This should not affect existing deployments since plugin config has to be
overridden anyway.
Depends-On: https://review.opendev.org/759082
Change-Id: I2a0756b851c9e862b2312b47d37b723386d6915c
* Update openstack-ansible-os_barbican from branch 'master'
to 2d47f6ba2ef19c3819210ad93c34f612543304fb
- Merge "Cleanup stop handler and barbican_apache_* variables"
- Cleanup stop handler and barbican_apache_* variables
Since handler was added for upgrade purposes, we can drop it now.
We also remove not used barbican_apache_* variables since we've migrated
to the uwsgi usage several releases ago.
Change-Id: Ib19834a1ae4751f7439afaabb532220f873e4b8f
* Update openstack-ansible-os_barbican from branch 'master'
- Merge "Reduce number of processes on small systems"
- Reduce number of processes on small systems
Even the most modest 4C/8T system would run with the maximum 16 processes
due to the calculation being VCPU*2.
We divide amount of CPUs by number of threads for hyperthreaded CPUs
Change-Id: I1181959604a59d0f599f5a0f0a43e348649ba74f
* Update openstack-ansible-os_barbican from branch 'master'
- Trigger uwsgi restart
When we were migrating service to uwsgi usage, we clean forgot to
trigger uwsgi restart on service config change.
Change-Id: I6ed502e8e581ef1d703079ee494d9f3bc4617833