Implement CentOS 7 support in os_keystone

This change implements CentOS 7 support within the os_keystone role.

Depends-on: I333fb1887339e8dc9ebf10ff137dda3cff629dc0
Change-Id: Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2016-05-23 23:08:24 -05:00 committed by Kevin Carter (cloudnull)
parent 9d0a762371
commit 0de819e92a
28 changed files with 429 additions and 89 deletions


@ -20,6 +20,9 @@ debug: False
# Options are 'present' and 'latest'
keystone_package_state: "latest"
# Role standard API override this option in the OS variable files
keystone_shibboleth_repo: {}
# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
@ -44,7 +47,7 @@ keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
- ssl_cert
keystone_system_service_name: apache2
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
@ -381,10 +384,6 @@ keystone_sp: {}
keystone_service_in_ldap: false
# Keystone Federation SP Packages
keystone_sp_apt_packages:
- libapache2-mod-shib2
# Keystone notification settings
keystone_ceilometer_enabled: false


@ -13,13 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Restart Apache
- name: Restart service
service:
name: "apache2"
state: "restarted"
pattern: "apache2"
register: apache_restart
until: apache_restart|success
name: "{{ keystone_system_service_name }}"
state: restarted
pattern: "{{ keystone_system_service_name }}"
register: _restart
until: _restart|success
retries: 5
delay: 2
when: keystone_apache_mod_wsgi_enabled | bool

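--- a/manual-test.rc
+++ b/manual-test.rc
@@ -0,0 +1,22 @@
+export VIRTUAL_ENV=$(pwd)
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r
+# TODO (odyssey4me) These are only here as they are non-standard folder
+# names for Ansible 1.9.x. We are using the standard folder names for
+# Ansible v2.x. We can remove this when we move to Ansible 2.x.
+export ANSIBLE_ACTION_PLUGINS=${HOME}/.ansible/plugins/action
+export ANSIBLE_CALLBACK_PLUGINS=${HOME}/.ansible/plugins/callback
+export ANSIBLE_FILTER_PLUGINS=${HOME}/.ansible/plugins/filter
+export ANSIBLE_LOOKUP_PLUGINS=${HOME}/.ansible/plugins/lookup
+# This is required as the default is the current path or a path specified
+# in ansible.cfg
+export ANSIBLE_LIBRARY=${HOME}/.ansible/plugins/library
+# This is required as the default is '/etc/ansible/roles' or a path
+# specified in ansible.cfg
+export ANSIBLE_ROLES_PATH=${HOME}/.ansible/roles:$(pwd)/..
+echo "Run manual functional tests by executing the following:"
+echo "# ./.tox/functional/bin/ansible-playbook -i tests/inventory tests/test.yml -e \"rolename=$(pwd)\""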
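Review bot: `ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r` puts the SSH ControlMaster sockets under a predictable name in a world-writable directory, and `ANSIBLE_HOST_KEY_CHECKING=False` on the line above it turns off host key verification for every Ansible run in a shell that sourced this file. Both are tolerable for throwaway test containers, but nothing in the file says that is the only intended use. I would move the socket to a per-user directory, e.g. `export ANSIBLE_SSH_CONTROL_PATH=${HOME}/.ansible/cp/%%h-%%r`, and add a comment such as `# Test environments only: SSH host key checking is disabled below.` above the first of the two exports.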


@ -24,6 +24,9 @@ galaxy_info:
versions:
- trusty
- xenial
- name: EL
versions:
- 7
categories:
- cloud
- python


@ -0,0 +1,10 @@
---
features:
- CentOS7/RHEL support has been added to the os_keystone
role.
deprecations:
- The following variables have been deprecated.
`keystone_developer_apt_packages`, `keystone_sp_apt_packages`,
`keystone_idp_apt_packages`, and `keystone_apt_packages`. While
these options are still available when deploying on Ubuntu
14.04, they will be removed during the Ocata cycle.


@ -13,68 +13,89 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create apache nogroup group
group:
name: "nogroup"
system: "yes"
- name: Create apache nogroup user
user:
name: "nogroup"
group: "nogroup"
system: "yes"
shell: "/bin/false"
- name: Drop apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items:
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
with_items: "{{ keystone_apache_configs }}"
notify:
- Restart Apache
- Restart service
- name: Disable default apache site
file:
path: "/etc/apache2/sites-enabled/000-default.conf"
path: "{{ item }}"
state: "absent"
with_items: "{{ keystone_apache_default_sites }}"
notify:
- Restart Apache
- Restart service
- name: Enabled keystone vhost
file:
src: "/etc/apache2/sites-available/keystone-httpd.conf"
dest: "/etc/apache2/sites-enabled/keystone-httpd.conf"
src: "{{ keystone_apache_site_available }}"
dest: "{{ keystone_apache_site_enabled }}"
state: "link"
when:
- keystone_apache_site_available is defined
- keystone_apache_site_enabled is defined
notify:
- Restart Apache
- Restart service
- name: Ensure Apache ServerName
lineinfile:
dest: "/etc/apache2/apache2.conf"
dest: "{{ keystone_apache_conf }}"
line: "ServerName {{ ansible_hostname }}"
notify:
- Restart Apache
- Restart service
- name: Ensure Apache ServerTokens
lineinfile:
dest: "/etc/apache2/conf-available/security.conf"
dest: "{{ keystone_apache_security_conf }}"
regexp: '^ServerTokens'
line: "ServerTokens {{ keystone_apache_servertokens }}"
notify:
- Restart Apache
- Restart service
- name: Ensure Apache ServerSignature
lineinfile:
dest: "/etc/apache2/conf-available/security.conf"
dest: "{{ keystone_apache_security_conf }}"
regexp: '^ServerSignature'
line: "ServerSignature {{ keystone_apache_serversignature }}"
notify:
- Restart Apache
- Restart service
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian based systems.
- name: Enable/disable mod_ssl for apache2
apache2_module:
name: ssl
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
when:
- ansible_pkg_mgr == 'apt'
notify:
- Restart Apache
- Restart service
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian based systems.
- name: Enable/disable mod_shib2 for apache2
apache2_module:
name: shib2
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
ignore_errors: yes
when:
- ansible_pkg_mgr == 'apt'
notify:
- Restart Apache
- Restart service


@ -32,7 +32,7 @@
creates: "/etc/shibboleth/sp-cert.pem"
when: inventory_hostname == groups['keystone_all'][0]
notify:
- Restart Apache
- Restart service
- Restart Shibd
- name: Store Shibboleth SP key-pair
@ -69,7 +69,7 @@
delay: 2
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart Apache
- Restart service
- Restart Shibd
- name: Set appropriate file ownership on the Shibboleth SP key-pair
@ -82,5 +82,5 @@
- "/etc/shibboleth/sp-key.pem"
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart Apache
- Restart service
- Restart Shibd


@ -20,5 +20,5 @@
become_user: "{{ keystone_system_user_name }}"
when: keystone_idp != {}
notify:
- Restart Apache
- Restart Keystone APIs
- Restart Keystone APIs
- Restart service


@ -32,7 +32,8 @@
creates={{ keystone_idp.certfile }}
when: >
inventory_hostname == groups['keystone_all'][0]
notify: Restart Apache
notify:
- Restart service
- name: Set appropriate file ownership on the IdP self-signed cert
file:


@ -29,7 +29,8 @@
until: memcache_keys|success
retries: 5
delay: 2
notify: Restart Apache
notify:
- Restart service
- name: Set appropriate file ownership on the IdP self-signed cert
file:


@ -17,6 +17,10 @@
when:
- ansible_pkg_mgr == 'apt'
- include: keystone_install_yum.yml
when:
- ansible_pkg_mgr == 'yum'
- name: Create WSGI symlinks
file:
src: "{{ item.src }}"
@ -132,8 +136,8 @@
- not keystone_developer_mode | bool
- keystone_get_venv | changed or keystone_venv_dir | changed
notify:
- Restart Apache
- Restart Keystone APIs
- Restart service
- name: Install pip packages
pip:
@ -149,8 +153,8 @@
when:
- keystone_get_venv | failed or keystone_developer_mode | bool
notify:
- Restart Apache
- Restart Keystone APIs
- Restart service
- name: Update virtualenv path
command: >


@ -30,7 +30,7 @@
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_apt_packages }}"
with_items: "{{ keystone_packages }}"
- name: Install Apache apt packages
apt:
@ -40,7 +40,7 @@
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_apache_apt_packages }}"
with_items: "{{ keystone_apache_packages }}"
when: keystone_apache_mod_wsgi_enabled | bool
- name: Install IdP apt packages
@ -51,7 +51,7 @@
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_idp_apt_packages }}"
with_items: "{{ keystone_idp_packages }}"
when:
- keystone_apache_mod_wsgi_enabled | bool
- keystone_idp != {}
@ -64,7 +64,7 @@
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_sp_apt_packages }}"
with_items: "{{ keystone_sp_packages }}"
when:
- keystone_apache_mod_wsgi_enabled | bool
- keystone_sp != {}
@ -77,6 +77,6 @@
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_developer_apt_packages }}"
with_items: "{{ keystone_developer_packages }}"
when:
- keystone_developer_mode | bool


@ -0,0 +1,114 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create keystone dir
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner|default(keystone_system_user_name) }}"
group: "{{ item.group|default(keystone_system_group_name) }}"
mode: "{{ item.mode|default('0755') }}"
with_items:
- { path: "/etc/pki/tls/certs", owner: "root", group: "root" }
- { path: "/etc/pki/tls/private", owner: "root", group: "root" }
- { path: "/var/lock/keystone", mode: "2755" }
- { path: "/var/log/httpd", mode: "2755" }
- name: Create system links
file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: "link"
with_items:
- { src: "/etc/pki/tls/certs", dest: "/etc/ssl/certs" }
- { src: "/etc/pki/tls/private", dest: "/etc/ssl/private" }
- { src: "/var/log/httpd", dest: "/var/log/apache2" }
- name: Install yum packages
yum:
pkg: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_packages
- name: Install Apache yum packages
yum:
pkg: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_apache_packages }}"
when: keystone_apache_mod_wsgi_enabled | bool
- name: Install IdP yum packages
yum:
pkg: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_idp_packages
when: keystone_idp is defined
#TODO(cloudnull) Remove this task once we move to Ansible 2.1
# where we can leverage the `yum_repository` module:
# https://docs.ansible.com/ansible/yum_repository_module.html
- name: Add shibboleth repo
copy:
content: |
[{{ item.name }}]
name={{ item.name }}
description={{ item.description }}
baseurl={{ item.baseurl }}
gpgkey={{ item.gpgkey }}
gpgcheck=1
enabled=1
dest: "/etc/yum.repos.d/{{ item.file }}.repo"
register: add_repos
until: add_repos|success
retries: 5
delay: 2
with_items:
- "{{ keystone_shibboleth_repo }}"
when: keystone_sp is defined
- name: Install SP yum packages
yum:
pkg: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_sp_packages
when: keystone_sp is defined
- name: Install developer mode yum packages
yum:
pkg: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: keystone_developer_packages
when:
- keystone_developer_mode | bool
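Review bot: `when: keystone_sp is defined` on "Add shibboleth repo" and "Install SP yum packages" is always true, because the role defaults set `keystone_sp: {}`; the apt task file guards the same step with `keystone_sp != {}`. As written, every yum host gets the third-party Shibboleth repository enabled and the SP packages installed even when federation is not configured, and `keystone_idp is defined` on the IdP task presumably has the same problem. I would use `when: keystone_sp != {}` and `when: keystone_idp != {}` here, together with `keystone_apache_mod_wsgi_enabled | bool` for parity with the apt tasks. Separately, "Create keystone dir" hands `/var/log/httpd` to the keystone user with mode 2755 through the `owner` default; the Apache security guidance warns against log directories writable by a non-root account, so an explicit `owner: "root"` on that item deserves a look.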


@ -17,5 +17,5 @@
authorized_key:
user: "{{ keystone_system_user_name }}"
key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}"
with_items: "{{ groups['keystone_all'] }}"
when: hostvars[item]['keystone_pubkey'] is defined
with_items: "{{ groups['keystone_all'] }}"


@ -35,8 +35,8 @@
mode: "0644"
with_dict: "{{ keystone_ldap }}"
notify:
- Restart Apache
- Restart Keystone APIs
- Restart service
# Bug 1547542 - Older versions of the keystone role would deploy a blank
# keystone.Default.conf and this will cause errors when adding LDAP-backed
@ -47,5 +47,5 @@
state: absent
when: keystone_ldap.Default is not defined
notify:
- Restart Apache
- Restart Keystone APIs
- Restart service


@ -36,8 +36,8 @@
config_overrides: "{{ keystone_policy_overrides }}"
config_type: "json"
notify:
- Restart Apache
- Restart Keystone APIs
- Restart service
- name: Drop Keystone Configs
copy:
@ -47,6 +47,6 @@
group: "{{ keystone_system_group_name }}"
mode: "0644"
notify:
- Restart Apache
- Restart Keystone APIs
- Restart service


@ -28,7 +28,8 @@
-out {{ keystone_ssl_cert }}
-extensions v3_ca
creates={{ keystone_ssl_cert }}
notify: Restart Apache
notify:
- Restart service
- name: Ensure keystone user owns the self-signed key and certificate
file:
@ -39,4 +40,5 @@
with_items:
- "{{ keystone_ssl_key }}"
- "{{ keystone_ssl_cert }}"
notify: Restart Apache
notify:
- Restart service


@ -21,7 +21,8 @@
group: "root"
mode: "0644"
when: keystone_user_ssl_cert is defined
notify: Restart Apache
notify:
- Restart service
- name: Drop user provided ssl key
copy:
@ -31,7 +32,8 @@
group: "root"
mode: "0640"
when: keystone_user_ssl_key is defined
notify: Restart Apache
notify:
- Restart service
- name: Drop user provided ssl CA cert
copy:
@ -41,4 +43,5 @@
group: "root"
mode: "0644"
when: keystone_user_ssl_ca_cert is defined
notify: Restart Apache
notify:
- Restart service


@ -28,6 +28,7 @@
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always


@ -56,6 +56,14 @@
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
{% endif %}
<Directory /var/www/cgi-bin/keystone>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
<VirtualHost *:{{ keystone_admin_port }}>
@ -88,4 +96,11 @@
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif %}
<Directory /var/www/cgi-bin/keystone>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
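Review bot: The added `<Directory /var/www/cgi-bin/keystone>` block, present in both VirtualHosts, grants more than a WSGI script directory needs: `Options Indexes` allows directory listings, `MultiViews` enables content negotiation, and `AllowOverride All` lets any `.htaccess` file placed there change the server configuration. `Order allow,deny` with `allow from all` is also Apache 2.2 syntax and only works on 2.4 when mod_access_compat is loaded. I would reduce the block to `Options FollowSymLinks`, `AllowOverride None` and `Require all granted`, assuming every supported target runs httpd 2.4.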


@ -14,16 +14,14 @@
# limitations under the License.
- name: Playbook for deploying keystone
hosts: keystone_all
hosts: "infra1"
user: root
gather_facts: true
pre_tasks:
tasks:
- name: Ensure rabbitmq vhost
rabbitmq_vhost:
name: "{{ keystone_rabbitmq_vhost }}"
state: "present"
delegate_to: "10.100.100.2"
when: inventory_hostname == groups['keystone_all'][0]
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ keystone_rabbitmq_userid }}"
@ -33,22 +31,18 @@
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "10.100.100.2"
when: inventory_hostname == groups['keystone_all'][0]
- name: Create DB for service
mysql_db:
login_user: "root"
login_password: "secrete"
login_host: "localhost"
login_host: "127.0.0.1"
name: "{{ keystone_galera_database }}"
state: "present"
delegate_to: "10.100.100.2"
when: inventory_hostname == groups['keystone_all'][0]
- name: Grant access to the DB for the service
mysql_user:
login_user: "root"
login_password: "secrete"
login_host: "localhost"
login_host: "127.0.0.1"
name: "{{ keystone_galera_database }}"
password: "{{ keystone_container_mysql_password }}"
host: "{{ item }}"
@ -57,8 +51,13 @@
with_items:
- "localhost"
- "%"
delegate_to: "10.100.100.2"
when: inventory_hostname == groups['keystone_all'][0]
vars_files:
- test-vars.yml
- name: Playbook for deploying keystone
hosts: keystone_all
user: root
gather_facts: true
roles:
- role: "{{ rolename | basename }}"
tasks:


@ -20,6 +20,7 @@
- role: "lxc_container_create"
lxc_container_release: trusty
lxc_container_backing_store: dir
debug: true
global_environment_variables:
PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
post_tasks:


@ -16,11 +16,11 @@
- name: Playbook for configuring LXC host
hosts: localhost
pre_tasks:
# Make sure OS does not have a stale package cache.
- name: Update apt cache
- name: Ensure apt cache is always refreshed
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
when:
- ansible_pkg_mgr == 'apt'
- name: Ensure root's new public ssh key is in authorized_keys
authorized_key:
user: root
@ -32,11 +32,36 @@
stat:
path: /etc/nodepool/provider
register: nodepool
- name: Set the files to copy into the container cache for OpenStack-CI instances
- name: Set the files to copy into the container cache for OpenStack-CI instances (rhel)
set_fact:
lxc_container_cache_files:
- { src: '/etc/pip.conf', dest: '/etc/pip.conf' }
when: nodepool.stat.exists | bool
when:
- nodepool.stat.exists | bool
- ansible_pkg_mgr == 'yum'
- name: Set the files to copy into the container cache for OpenStack-CI instances (deb)
set_fact:
lxc_container_cache_files:
- { src: '/etc/pip.conf', dest: '/etc/pip.conf' }
- { src: '/etc/apt/apt.conf.d/99unauthenticated', dest: '/etc/apt/apt.conf.d/99unauthenticated' }
when:
- nodepool.stat.exists | bool
- ansible_pkg_mgr == 'apt'
- name: Determine the existing Ubuntu repo configuration
shell: 'awk "/^deb .*ubuntu\/? {{ ansible_distribution_release }} main/ {print \$2; exit}" /etc/apt/sources.list'
register: ubuntu_repo
changed_when: false
when: ansible_pkg_mgr == 'apt'
- name: Set apt repo facts based on discovered information
set_fact:
lxc_container_template_main_apt_repo: "{{ ubuntu_repo.stdout }}"
lxc_container_template_security_apt_rep: "{{ ubuntu_repo.stdout }}"
when: ansible_pkg_mgr == 'apt'
- name: install the epel repo rpm from a remote repo
yum:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
state: "present"
when: ansible_pkg_mgr == 'yum'
roles:
- role: "lxc_hosts"
lxc_net_address: 10.100.100.1
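Review bot: `lxc_container_template_security_apt_rep` in "Set apt repo facts based on discovered information" looks like a typo for `lxc_container_template_security_apt_repo` (compare `lxc_container_template_main_apt_repo` on the line above); if so, the fact is set under a name nothing reads and the security repo keeps whatever default the consuming role has. That role is not visible here, so the name should be confirmed against it. The EPEL task installs `epel-release-latest-7.noarch.rpm` straight from a URL; as far as I know yum does not verify signatures on packages given as a path or URL unless `localpkg_gpgcheck` is enabled, so TLS is the only integrity check and "latest" is unpinned. A comment stating that this, and the copy of `/etc/apt/apt.conf.d/99unauthenticated` into the container cache, are meant for CI hosts only would help.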


@ -28,10 +28,10 @@ keystone_rabbitmq_password: "secrete"
keystone_rabbitmq_port: 5671
keystone_rabbitmq_servers: 10.100.100.2
keystone_rabbitmq_use_ssl: true
keystone_ssl: true
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_requirements_git_install_branch: master
keystone_ssl: true
keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
keystone_service_password: "secrete"


@ -145,6 +145,11 @@ commands =
[testenv:functional]
# Ignore_errors is set to true so that the logs are collected at the
# end of the run. This will not produce a failse positive. Any
# exception will be mark the run as "failed" and exit 1 after all of
# the commands have been iterated through.
ignore_errors = True
# NOTE(odyssey4me): this target does not use constraints because
# it doesn't work in OpenStack-CI yet. Once that's fixed, we can
# drop the install_command.
@ -160,7 +165,8 @@ commands =
-e "rolename={toxinidir}" \
-e "install_test_packages=True" \
{toxinidir}/tests/test.yml -vvvv
bash -c 'mkdir -p {toxinidir}/logs'
bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true'
# NOTE(andymccr): this will test keystone with uwsgi & nginx
[testenv:func_uwsgi-nginx]

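--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -0,0 +1,67 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+keystone_shibboleth_repo:
+state: "present"
+name: "shibboleth"
+description: "shibboleth Repo"
+file: shibboleth
+baseurl: "http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/"
+gpgkey: "http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7//repodata/repomd.xml.key"
+keystone_packages:
+- ca-certificates
+- cronie
+- cronie-anacron
+- git
+- libffi-devel
+- libgsasl-devel
+- libxml2-devel
+- libxslt-devel
+- mod_ssl
+- mod_wsgi
+- openldap
+- openldap-devel
+- openssl
+- python-devel
+- rsync
+keystone_apache_packages:
+- httpd
+- httpd-tools
+keystone_idp_packages:
+- xmlsec1
+keystone_sp_packages:
+- shibboleth
+keystone_developer_packages:
+- '@Development Tools'
+keystone_apache_default_sites:
+- "/etc/httpd/conf.d/userdir.conf"
+- "/etc/httpd/conf.d/welcome.conf"
+- "/etc/httpd/conf.d/ssl.conf"
+keystone_apache_conf: "/etc/httpd/conf/httpd.conf"
+keystone_apache_security_conf: "{{ keystone_apache_conf }}"
+keystone_apache_configs:
+- { src: "keystone-ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf" }
+- { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
+- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
+keystone_system_service_name: httpd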
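Review bot: `baseurl` and `gpgkey` in `keystone_shibboleth_repo` both use plain `http://`, so the `gpgcheck=1` written into the repo file gives little protection: whoever can tamper with the connection can serve a substitute key together with substitute packages. I would switch both to HTTPS, `baseurl: "https://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/"` and the matching `gpgkey` URL (which also carries a stray `//` before `repodata`), assuming the mirror serves HTTPS, or ship the key with the role and point `gpgkey` at a `file://` path. The `state` key does not appear to be read by the "Add shibboleth repo" task in this commit, so a comment saying it is reserved for the later `yum_repository` conversion would avoid confusion.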


@ -14,7 +14,8 @@
# limitations under the License.
# Common apt packages
keystone_apt_packages:
# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
_keystone_packages:
- debhelper
- dh-apparmor
- docutils-common
@ -30,14 +31,43 @@ keystone_apt_packages:
- python-dev
- rsync
keystone_idp_apt_packages:
- ssl-cert
- xmlsec1
keystone_packages: '{{ _keystone_packages | deprecated(keystone_apt_packages, "keystone_apt_packages", "keystone_packages", "ocata", keystone_fatal_deprecations) }}'
keystone_developer_apt_packages:
- build-essential
keystone_apache_apt_packages:
keystone_apache_packages:
- apache2
- apache2-utils
- libapache2-mod-wsgi
# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
_keystone_idp_packages:
- ssl-cert
- xmlsec1
keystone_idp_packages: '{{ _keystone_idp_packages | deprecated(keystone_idp_apt_packages, "keystone_idp_apt_packages", "keystone_idp_packages", "ocata", keystone_fatal_deprecations) }}'
# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
_keystone_sp_packages:
- libapache2-mod-shib2
keystone_sp_packages: '{{ _keystone_sp_packages | deprecated(keystone_sp_apt_packages, "keystone_sp_apt_packages", "keystone_sp_packages", "ocata", keystone_fatal_deprecations) }}'
# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
_keystone_developer_packages:
- build-essential
keystone_developer_packages: '{{ _keystone_developer_packages | deprecated(keystone_developer_apt_packages, "keystone_developer_apt_packages", "keystone_developer_packages", "ocata", keystone_fatal_deprecations) }}'
keystone_apache_default_sites:
- "/etc/apache2/sites-enabled/000-default.conf"
keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
keystone_apache_conf: "/etc/apache2/apache2.conf"
keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
keystone_apache_configs:
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
keystone_system_service_name: apache2


@ -14,7 +14,7 @@
# limitations under the License.
# Common apt packages
keystone_apt_packages:
keystone_packages:
- debhelper
- dh-apparmor
- docutils-common
@ -30,14 +30,30 @@ keystone_apt_packages:
- python-dev
- rsync
keystone_idp_apt_packages:
- ssl-cert
- xmlsec1
keystone_developer_apt_packages:
- build-essential
keystone_apache_apt_packages:
keystone_apache_packages:
- apache2
- apache2-utils
- libapache2-mod-wsgi
keystone_idp_packages:
- ssl-cert
- xmlsec1
keystone_sp_packages:
- libapache2-mod-shib2
keystone_developer_packages:
- build-essential
keystone_apache_default_sites:
- "/etc/apache2/sites-enabled/000-default.conf"
keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
keystone_apache_conf: "/etc/apache2/apache2.conf"
keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
keystone_apache_configs:
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
keystone_system_service_name: apache2