* Update openstack-ansible-os_keystone from branch 'master'
to 47bd3655326339c6413f631b4d4c6f5413c4defd
- Re-distribute fernet keys when re-building the primary
Currently when re-building the keystone primary node, a new set
of fernet keys will be created as none exists, despite keys
existing on the secondary nodes.
This patch uses a similar approach to the credential key
distribution where other nodes are checked for keys if none exist
on the first play host. In this case an rsync is performed to
distribute the keys correctly before proceeding.
Change-Id: I92434276aef54805e5cee56e1d22821e11245fe4
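Added example, not code from the os_keystone role or the patch above: a stand-alone Python model of the decision the commit describes. A keystone fernet key repository is a directory of integer-named files ('0' is the staged key, the highest number the primary key, the rest secondaries). Assumed here: each host's repository is a plain directory under one temporary tree, rsync is replaced by a local copy, the key material is generated locally, and the function names (find_key_source, ensure_keys, ...) are hypothetical. The old behaviour (always generating when the first play host has no keys) is reproduced with check_peers=False to show that the cluster ends up with two different key sets, so tokens issued by one node are rejected by another.

```python
"""Fernet key redistribution model (added example, not os_keystone code).

Assumptions: every host's key repository is a local directory, rsync is
replaced by shutil.copytree, keys are generated locally, names are
hypothetical."""
from __future__ import annotations

import base64
import os
import shutil
import tempfile
from pathlib import Path


def new_fernet_key() -> bytes:
    # 32 random bytes, url-safe base64 encoded: the fernet key format.
    return base64.urlsafe_b64encode(os.urandom(32))


def key_files(repo: Path) -> dict[int, bytes]:
    """Return {index: key} for every integer-named key file in repo."""
    if not repo.is_dir():
        return {}
    return {int(p.name): p.read_bytes().strip()
            for p in repo.iterdir() if p.is_file() and p.name.isdigit()}


def init_repository(repo: Path, key_count: int = 3) -> None:
    """Create a fresh repository: staged key 0 plus key_count - 1 others."""
    repo.mkdir(parents=True, exist_ok=True)
    os.chmod(repo, 0o700)
    for idx in range(key_count):
        path = repo / str(idx)
        path.write_bytes(new_fernet_key() + b"\n")
        os.chmod(path, 0o600)


def sync_keys(src: Path, dst: Path) -> None:
    """Stand-in for 'rsync -a --delete': make dst an exact copy of src."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)
    os.chmod(dst, 0o700)
    for path in dst.iterdir():
        os.chmod(path, 0o600)


def find_key_source(repos: dict[str, Path], first_host: str) -> str | None:
    """Host to pull keys from, or None when the first host already has keys
    (nothing to do) or no host has any (a brand-new deployment)."""
    if key_files(repos[first_host]):
        return None
    for host, repo in repos.items():
        if host != first_host and key_files(repo):
            return host
    return None


def ensure_keys(repos: dict[str, Path], play_hosts: list[str],
                check_peers: bool = True) -> str:
    """Runs against the first play host.  check_peers=False reproduces the
    old behaviour: an empty repository is always treated as a fresh install."""
    first = play_hosts[0]
    source = find_key_source(repos, first) if check_peers else None
    if source is not None:
        sync_keys(repos[source], repos[first])
        return f"synced from {source}"
    if not key_files(repos[first]):
        init_repository(repos[first])
        return "generated"
    return "unchanged"


def repositories_agree(repos: dict[str, Path]) -> bool:
    """True when every host holds exactly the same key set.  A token issued
    under one set is rejected by a node holding a different one."""
    seen = {tuple(sorted(key_files(r).items())) for r in repos.values()}
    return len(seen) == 1


def demo() -> dict[str, object]:
    base = Path(tempfile.mkdtemp(prefix="fernet-demo-"))
    hosts = ["keystone1", "keystone2", "keystone3"]  # constructed inventory
    repos = {h: base / h / "fernet-keys" for h in hosts}
    try:
        # Day 0: no keys anywhere, so the first host generates a set and the
        # role distributes it to the secondaries.
        initial = ensure_keys(repos, hosts)
        for h in hosts[1:]:
            sync_keys(repos[hosts[0]], repos[h])
        # Rebuild keystone1 the old way: a fresh set is generated and the
        # cluster now disagrees on the keys.
        shutil.rmtree(repos[hosts[0]])
        old_way = ensure_keys(repos, hosts, check_peers=False)
        old_agree = repositories_agree(repos)
        # Rebuild again with the peer check: keys come from a survivor.
        shutil.rmtree(repos[hosts[0]])
        new_way = ensure_keys(repos, hosts)
        new_agree = repositories_agree(repos)
    finally:
        shutil.rmtree(base)
    return {"initial": initial, "old_way": old_way, "old_agree": old_agree,
            "new_way": new_way, "new_agree": new_agree}


if __name__ == "__main__":
    print(demo())
```

The peer lookup is only safe because every repository is created with mode 0700 and key files with 0600; when rsync replaces the local copy in a real deployment the same ownership and modes have to travel with the files, otherwise the rebuilt node exposes the signing keys that all other nodes trust.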
* Update openstack-ansible-os_keystone from branch 'master'
to 7dbec322737844620d4fd2d09415cae07325b3de
- Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA
queues we change vhost names by removing the leading `/`, as enabling
quorum requires removing the exchange, which is a tricky thing to do with
running services.
Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5
* Update openstack-ansible-os_keystone from branch 'master'
to e79507f44e1e4dec6681956f654057cc42e84986
- Merge "Cleanup upgrade to ssh_keypairs step"
- Cleanup upgrade to ssh_keypairs step
We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.
Change-Id: I2c73f087b48fd3e664e0b339f2fb2b77b208f6c5
* Update openstack-ansible-os_keystone from branch 'master'
to 2ed76dee5d5e0d10e3af818428178926518a99cd
- oidc: fix overloading of redirect_uri for cli client
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.
As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.
Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
* Update openstack-ansible-os_keystone from branch 'master'
to b54478e7e1e82bde1eddcab63126e9b2d423f68f
- oidc: fix recognition of x forwarded headers from v2.4.11
The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto header from the reverse proxy as
of version v2.4.11, which comes in with Ubuntu Jammy.
Eventually this will need to become the default and the
variable added in this patch can be removed.
Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852
* Update openstack-ansible-os_keystone from branch 'master'
to 6976701fc4aa3965d312039803092ef200d2c00a
- Fix example playbook linters
The example playbook contained incorrect formatting which caused the
linters job to fail.
Change-Id: Ice1b49d31e81c19f3c40b4b7c1cd5ff85128eed3
* Update openstack-ansible-os_keystone from branch 'master'
to a51651213d7777a1b9e84c6ac10e026c1ac7aa83
- Install distro_packages in pre-main
Main tasks are executed in a serial manner, so all keystone containers
except the first one end up not having rsync and sshd installed, while
we attempt to distribute fernet tokens once running against the first host.
So we move installation of distro_packages to the pre-main step
that is run in advance without the serial approach.
This is an alternative approach to [1].
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889936
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/889945
Change-Id: Ia53932f60d271b8f2843b880e024caacc7ae5c3f
* Update openstack-ansible-os_keystone from branch 'master'
to f66934de35c60692279c2731cb40e2a4de2d319e
- Fix docs jobs after sphinx update
Doc jobs for the role are failing now with a line being too long. Adding
a new line fixes the issue as the link is treated properly afterwards.
Change-Id: I4deeacd9d953e3bf1bde208a4011455f8dd6fbe0
* Update openstack-ansible-os_keystone from branch 'master'
to 3956812d3d6c1f67a48bf2379634699f1f4748fa
- Merge "Stop referring to _member_ role"
- Stop referring to _member_ role
Keystone stopped providing or referring to the `_member_` role a while
ago, thus the role should not be referenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`,
which resulted in the role being insufficient for basic operations.
Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
* Update openstack-ansible-os_keystone from branch 'master'
to fffdd962d6095b371cd285b809095897d68e47a6
- Merge "Install libldap-common for keystone"
- Install libldap-common for keystone
If the package is not installed it's not possible to validate the
TLS cert of the LDAP server.
This package went from depends to suggests in the Jammy release.
Change-Id: Ia9e2e35d3898727af67c4d07115bad6d0582dda4
* Update openstack-ansible-os_keystone from branch 'master'
to eea1a4853f542de0745c3eff91462cd9b8b82872
- Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
* Update openstack-ansible-os_keystone from branch 'master'
to b73bcd9981255dfa6eb39fb8ef25a5f852b00b17
- Fix SSL logic in keystone-httpd.conf.j2
Defining SSL parameters has nothing to do with
keystone_service_internaluri_proto. It should not be taken into
consideration there.
Theoretically speaking, an environment can have TLS disabled on the
frontend but enabled on the backend.
Change-Id: I81b66a7388c335958badf7135f4289c3423cb229
* Update openstack-ansible-os_keystone from branch 'master'
to 2378e452adb7a60e12e3c6f975c1961c2713a3c4
- Merge "Rename keystone_ssl to keystone_backend_ssl"
- Rename keystone_ssl to keystone_backend_ssl
To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.
Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.
Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
* Update openstack-ansible-os_keystone from branch 'master'
to 674c8a5434b50a9bebf7430092feb5778821fdd3
- Merge "Use chain cert file for apache"
- Use chain cert file for apache
Apache needs to respond with all intermediate CA certificates.
Otherwise, haproxy will not be able to validate backend certificate.
That is why -chain.crt file needs to be installed for keystone.
Change-Id: Ibc8267a1c27e1de7ed5bce716199f3264e8c136d
* Update openstack-ansible-os_keystone from branch 'master'
to 59f04a63c584419a125739959d4dfaf60c94ebde
- Remove security.txt parts
Keystone is no longer responsible for storing and serving security.txt
file. It is now fully handled by haproxy.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/880110
Change-Id: Iefd090dce0441f81eb4d5b203f61a4587a5beedb
* Update openstack-ansible-os_keystone from branch 'master'
to a020ff87cde136a5c507b2cdc719d8c1dd85824d
- Test multiple keystone containers for os_keystone tests
Keystone has particular ordering requirements for setting up
multiple instances and distributing fernet keys.
Run the infra jobs for the os_keystone role as these test
three keystone containers simultaneously.
Change-Id: Ia454d95a48dff1fa1856137df74a548d9c7d8a11
* Update openstack-ansible-os_keystone from branch 'master'
to d83b32adca48f37b1020d23cb6a48ace15833c6b
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I83fbde781bbedd6e84f2ff1b1136b4558bf1da00
* Update openstack-ansible-os_keystone from branch 'master'
to 8017d4dd84a7b1069fff7bf6f5b3ae27c31590cd
- Define venv_tag as separate task for distro
We do define venv_tag locally using the python_venv_build role, so there is
no need to do the same as a separate task for source installs. Though this
task is still needed for the distro path.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/862924
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/866126
Change-Id: I49a45e68bd6030d4bd0667c8384a01088819f260
* Update openstack-ansible-os_keystone from branch 'master'
to 1add87ad2fb1ca7ba7ba7974cd20bd1b6957951f
- Merge "Improve way of cache backend selection"
- Improve way of cache backend selection
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.
Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us
the opportunity to refactor this bit of deployment and allows us to be more
flexible in backend selection and requirements installation for it.
[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
* Update openstack-ansible-os_keystone from branch 'master'
to ddcca3239344b9814fdb7554bac0f26c1907c53b
- Merge "Bootstrap when running against last backend"
- Bootstrap when running against last backend
When deploying keystone for the first time, the aliveness check inside
service_bootstrap cannot succeed for a multi-node setup, as the playbook
will disable the current backend. So we need to bootstrap the host only
when running against the last host in the play. We also should make sure
that the following tasks will not fail when running against the first ones.
Closes-Bug: #1990008
Related-Bug: #1989326
Change-Id: Ifa9a79c34265b225a5e24c30cae47d3f0fa0739f
* Update openstack-ansible-os_keystone from branch 'master'
to 3b4fc2e9aa7552fb9e78a52de4a30861099a024e
- Merge "Add the option to deploy keystone without apache"
- Add the option to deploy keystone without apache
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the Apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead, targeting minimal deployment use-cases.
For deployments which do not need or want advanced keystone features
this is a huge benefit.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
* Update openstack-ansible-os_keystone from branch 'master'
to f28a1cc0a216980a034c14a44e212111f04c66a9
- Remove redundant vars line
This line was introduced by Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
for centos-7 support, and should already be covered by the
distribution_major_version line above.
Change-Id: I87dbc866f63cd1240dd0049b5b30a1339e1b1e34
* Update openstack-ansible-os_keystone from branch 'master'
to 05c64f7651a93bfa987a939fce680c3d4b13df30
- Check the service status during bootstrap against the internal VIP
This change brings the keystone role into line with others such
as cinder which check the service status using the loadbalancer.
This is useful in environments using a proxy server where the
internal VIP can be included in "no_proxy" but the service IPs
for the containers are too numerous to list in "no_proxy" and
stay within the 1024 character limit for pam_env.
Change-Id: I1a4aec40618237aa23b4f40b335c141071a56f08
* Update openstack-ansible-os_keystone from branch 'master'
to e26aabe440b75d134ee90907656207445ddfcf64
- Remove mention of haproxy-endpoints role
The keystone role was never migrated to use the haproxy-endpoints role,
and the included task was used instead the whole time.
With that, to reduce complexity and to have a unified approach, all
mentions of the role and handler are removed from the code.
Change-Id: Ib21a5f5caa590daa827e45d26015bf32abe39cf2
* Update openstack-ansible-os_keystone from branch 'master'
to 235bc0d03721c8efa43e5bc76ec625d80f13b189
- Merge "Remove old pre service setup tasks."
- Remove old pre service setup tasks.
These are now in main_pre.yml and the role should be called separately
with tasks_from targeting all keystone hosts before being called
again with serial: settings appropriate for H/A deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843740
Change-Id: Iecb5567382d27ae6a875f8937f33aa7bb492252e
* Update openstack-ansible-os_keystone from branch 'master'
to ca382d2c03e49ae3ae048876eca78a1a66a3c812
- Switch sphinx language to en
With the sphinx 5.0.0 release, they changed the default for the language
variable to 'en' from None. With that the current None value is not valid
and should not be used.
Change-Id: I7f03a145490529e703aced630c49d08b0e59a435
* Update openstack-ansible-os_keystone from branch 'master'
to 7ab6882066f2053c7b4adb2e6efaa9f14c398c7e
- Add a new main tasks file for pre-service setup
There are a number of tasks and use of the ssh keypair setup role
which must happen on all of the keystone hosts before the service
itself is deployed.
Previously, the keystone role ran with serial (1,100%), and the
pre-service setup tasks iterated over ansible_play_hosts
during the deployment of the first keystone host using delegate_to.
This makes the control flow of the role hard to understand and
causes issues when the pre-service tasks need to include further
roles which also use delegate_to, such as the ssh-keypairs role.
This change introduces a new 'main' tasks file for the pre-service
setup which can be called independently with no restriction on
serial:. This means that the pre-service setup can be completed
on all keystone hosts using normal ansible tasks without iteration
or delegate_to, and the role can be called a second time with the usual
main.yml and serial: settings to deploy the service itself and
maintain operation in a H/A deployment. In addition, the behaviour
of --limit will now be more obvious.
Change-Id: Ifcd2afe217205684b0ea3917a3776666d10ffae7
* Update openstack-ansible-os_keystone from branch 'master'
to a0c419c9b87961b5ea8cbd27f657075a46ce03a3
- Merge "Fix certificate installation for keystone"
- Fix certificate installation for keystone
There are problems when keystone_idp has legitimately undefined keys,
and also a variable name which should be templated.
Change-Id: Iabe61d63994e38cb3f99c8285deff60ef2e9ee55
* Update openstack-ansible-os_keystone from branch 'master'
to ec14b0a728c3687b8c4f7775e9b677c374790672
- Merge "Set pki_dir when keystone calls the pki role"
- Set pki_dir when keystone calls the pki role
This is needed to use the deployment wide location for the CA and
certificate store.
Change-Id: I1b9658a7ef4efc66c9ad5636474a19302589ecfb
* Update openstack-ansible-os_keystone from branch 'master'
to 05f0cd9027caf22582bd33f9ea4be01ff6d92b4b
- Merge "Handle host with unset ansible_host"
- Handle host with unset ansible_host
We have all machines in DNS and want to be able to change IP addresses
in DNS. So we do not use ansible_host in our host_vars/machine.yml.
As os_keystone is the first Ansible role we use, we will make similar
changes to other roles later on.
Change-Id: Ic9f43cc3f6b62b5098e85afcf55f008c022517f6
* Update openstack-ansible-os_keystone from branch 'master'
to fcbf8ede8fd4bf428085488cf171a4d908b3c26f
- Ensure that openstack_ssh_keyspairs_dir has a default value
This is otherwise undefined in functional tests
Change-Id: Ia57b67e5636690327264b1213c0eb491afd8750d
* Update openstack-ansible-os_keystone from branch 'master'
to db823b637084bfa6dec1a72c5001c54bce9088d6
- Merge "Tidy IDP setup task files"
- Tidy IDP setup task files
Remove task files with just a single task and move the tasks up
one layer.
Change-Id: Iffdc333170987aa49d267ee749542c875a262d97
* Update openstack-ansible-os_keystone from branch 'master'
to fdcdf41e280b560088153c3806df03bad9eb064d
- Merge "Migrate ssl certificate generation to the PKI role"
- Migrate ssl certificate generation to the PKI role
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.
This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.
A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
* Update openstack-ansible-os_keystone from branch 'master'
to 6e84e3a4c7202f19f897843b2debbf92efa8a897
- Merge "Use ssh_keypairs role to generate fernet sync ssh keys"
- Use ssh_keypairs role to generate fernet sync ssh keys
This uses ssh signed certificates so there is no longer the need
to distribute the keystone public key from each keystone host to all
other keystone hosts.
The legacy scripts and authorized key files are removed as a
migration step.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292
Change-Id: If39df0cc80860576abac1830d5cfc66ca50fc655
* Update openstack-ansible-os_keystone from branch 'master'
to 30f199ce301be740a9813ca2287b16de0c372936
- Merge "Drop distributed_lock parameter"
- Drop distributed_lock parameter
It has been dropped in Victoria and doesn't have any effect now.
Change-Id: Ia8a520acc70dbde4e04d429c1f980af89516094d
* Update openstack-ansible-os_keystone from branch 'master'
to ba9d6853806148600dfedb353d415884f4afe31d
- Merge "Define X-Forwarded-Proto for keystone"
- Define X-Forwarded-Proto for keystone
Add the X-Forwarded-Proto header based on the haproxy termination
and on whether keystone is configured to use SSL for internal connections.
Change-Id: Ia627e19923e1e24d2fede49aefb7251bb75d88de
* Update openstack-ansible-os_keystone from branch 'master'
to cb3a1b487a11039f8942f994e6575e8e43a72d4c
- Merge "Use uwsgi role for keystone"
- Use uwsgi role for keystone
Instead of having our own implementation of uwsgi, use the common role.
This allows us to reduce the amount of code to maintain and eases
providing fixes and features to the uwsgi deployment code.
Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
* Update openstack-ansible-os_keystone from branch 'master'
to cbe25b61e4e1c85df972ad690a7d273ba333cb1d
- Merge "Switch keystone logging to syslog"
- Switch keystone logging to syslog
Instead of using file logging we switch the apache conf to log into syslog,
which results in journald. This aligns with the way other services log.
Change-Id: I4c619500f7df389a60a7baf0d444ddbc7fc2a9dc
* Update openstack-ansible-os_keystone from branch 'master'
to 9803388b572b1bca762ef980e51567fc2b4be6df
- Merge "Drop ProxyPass out of VHost"
- Drop ProxyPass out of VHost
As ProxyPass is defined outside the VHost, it has a global effect, resulting
in the Horizon Identity section being just proxied to the keystone API
instead of rendered by Django as instructed by the Horizon VHost.
Change-Id: I596614f55a8db8e814b1d24a78c3f1a9d0e00bb2
Closes-Bug: #1960342
* Update openstack-ansible-os_keystone from branch 'master'
to 9e5e81311cc99c39aa893f4a8b83a02c93aaf513
- Remove bugfix tasks for the Train release
Change-Id: I3c4b05cf9d27ad57a8345519ec7b23465acc4185
* Update openstack-ansible-os_keystone from branch 'master'
to bc053f483f72793c5451a452d10df5b1741c9946
- Merge "Fix ordering error enabling/disabling Apache modules"
- Fix ordering error enabling/disabling Apache modules
When site configuration already exists, a change to make a module
'absent' would fail as the module was removed before the
configuration.
This change ensures modules are enabled first, before site
configuration changes, and finally any required modules are
disabled.
Change-Id: I56a6c47e4d95e86dc1e0d731f1e39eeec6ac7dc8