Merge "Execute service setup against a delegated host using Ansible built-in modules"

defaults/main.yml

@@ -16,6 +16,11 @@
 ## Verbosity Options
 debug: False
 
+# Set the host which will execute the shade modules
+# for the service setup. The host must already have
+# clouds.yaml properly configured.
+keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
+
 # Set the package install state for distribution and pip packages
 # Options are 'present' and 'latest'
 keystone_package_state: "latest"
@@ -415,10 +420,6 @@ keystone_service_in_ldap: false
 # Keystone notification settings
 keystone_ceilometer_enabled: false
 
-# Keystone packages that must be installed before anything else
-keystone_requires_pip_packages:
-  - virtualenv
-
 # Common pip packages
 keystone_pip_packages:
   - keystone

releasenotes/notes/keystone-service-setup-host-cd3ee3346af823e6.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    The service updates for keystone will now be executed
+    through delegation to the ``keystone_service_setup_host`` which,
+    by default, is ``localhost`` (the deploy host). Deployers can
+    opt to rather change this to the utility container by implementing
+    the following override in ``user_variables.yml``.
+
+    .. code-block:: yaml
+
+      keystone_service_setup_host: "{{ groups['utility_all'][0] }}"
+
+deprecations:
+  - |
+    The variable ``keystone_requires_pip_packages`` is no longer required
+    and has therefore been removed.

tasks/keystone_install_source.yml

@@ -22,19 +22,6 @@
       {% endfor %}
   when: keystone_developer_mode | bool
 
-- name: Install required pip packages
-  pip:
-    name: "{{ keystone_requires_pip_packages }}"
-    state: "{{ keystone_pip_package_state }}"
-    extra_args: >-
-      {{ keystone_developer_mode | ternary(pip_install_developer_constraints | default('--constraint /opt/developer-pip-constraints.txt'), '') }}
-      {{ (pip_install_upper_constraints is defined) | ternary('--constraint ' + pip_install_upper_constraints | default(''),'') }}
-      {{ pip_install_options | default('') }}
-  register: install_packages
-  until: install_packages is success
-  retries: 5
-  delay: 2
-
 - name: Retrieve checksum for venv download
   uri:
     url: "{{ keystone_venv_download_url | replace('tgz', 'checksum') }}"

tasks/keystone_service_bootstrap.yml

@@ -0,0 +1,48 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Wait for services to be up
+  uri:
+    url: "{{ item }}"
+    method: "HEAD"
+    status_code: 300
+  with_items:
+    - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}"
+    - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}"
+  register: _wait_check
+  until: _wait_check  is success
+  retries: 12
+  delay: 5
+
+- name: Bootstrap keystone admin and endpoint
+  command: |
+     {{ keystone_bin }}/keystone-manage bootstrap \
+     --bootstrap-username {{ keystone_admin_user_name }} \
+     --bootstrap-password {{ keystone_auth_admin_password }} \
+     --bootstrap-project-name {{ keystone_admin_tenant_name }} \
+     --bootstrap-role-name {{ keystone_role_name }} \
+     --bootstrap-service-name {{ keystone_service_name }} \
+     --bootstrap-region-id {{ keystone_service_region }} \
+     --bootstrap-admin-url {{ keystone_service_adminuri }} \
+     --bootstrap-public-url {{ keystone_service_publicuri }} \
+     --bootstrap-internal-url {{ keystone_service_internaluri }}
+  no_log: true
+  become: yes
+  become_user: "{{ keystone_system_user_name }}"
+  changed_when: false
+  register: add_service
+  until: add_service is success
+  retries: 5
+  delay: 10

tasks/keystone_service_setup.yml

@@ -1,161 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Wait for services to be up
-  uri:
-    url: "{{ item }}"
-    method: "HEAD"
-    status_code: 300
-  with_items:
-    - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}"
-    - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}"
-  register: _wait_check
-  until: _wait_check  is success
-  retries: 12
-  delay: 5
-
-- name: Bootstrap keystone admin and endpoint
-  command: |
-     {{ keystone_bin }}/keystone-manage bootstrap \
-     --bootstrap-username {{ keystone_admin_user_name }} \
-     --bootstrap-password {{ keystone_auth_admin_password }} \
-     --bootstrap-project-name {{ keystone_admin_tenant_name }} \
-     --bootstrap-role-name {{ keystone_role_name }} \
-     --bootstrap-service-name {{ keystone_service_name }} \
-     --bootstrap-region-id {{ keystone_service_region }} \
-     --bootstrap-admin-url {{ keystone_service_adminuri }} \
-     --bootstrap-public-url {{ keystone_service_publicuri }} \
-     --bootstrap-internal-url {{ keystone_service_internaluri }}
-  no_log: true
-  become: yes
-  become_user: "{{ keystone_system_user_name }}"
-  changed_when: false
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-
-# Create a service tenant
-- name: Ensure service tenant
-  keystone:
-    command: "ensure_tenant"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}/v3"
-    ignore_catalog: True
-    tenant_name: "{{ keystone_service_tenant_name }}"
-    description: "{{ keystone_service_description }}"
-  no_log: true
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-
-# Add the default user role
-- name: Ensure default keystone user role
-  keystone:
-    command: "ensure_role"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}/v3"
-    ignore_catalog: True
-    role_name: "{{ keystone_default_role_name }}"
-  no_log: true
-  register: add_member_role
-  when: not keystone_service_in_ldap | bool
-  until: add_member_role is success
-  retries: 5
-  delay: 10
-
-# Create a service
-- name: Ensure Keystone Service
-  keystone:
-    command: "ensure_service"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}/v3"
-    ignore_catalog: True
-    service_name: "{{ keystone_service_name }}"
-    service_type: "{{ keystone_service_type }}"
-    description: "{{ keystone_service_description }}"
-  no_log: true
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-
-# Create a service user
-- name: Ensure Keystone user
-  keystone:
-    command: "ensure_user"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}/v3"
-    ignore_catalog: True
-    user_name: "{{ keystone_service_user_name }}"
-    tenant_name: "{{ keystone_service_tenant_name }}"
-    password: "{{ keystone_service_password }}"
-  no_log: true
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-
-# Add a role to the user
-- name: Ensure Keystone user to Admin role
-  keystone:
-    command: "ensure_user_role"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}/v3"
-    ignore_catalog: True
-    user_name: "{{ keystone_service_user_name }}"
-    tenant_name: "{{ keystone_service_tenant_name }}"
-    role_name: "{{ keystone_role_name }}"
-  no_log: true
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-
-# Create an endpoint
-- name: Update Keystone endpoint
-  keystone:
-    command: "ensure_endpoint"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}/v3"
-    ignore_catalog: True
-    region_name: "{{ keystone_service_region }}"
-    service_name: "{{ keystone_service_name }}"
-    service_type: "{{ keystone_service_type }}"
-    endpoint_list:
-      - url: "{{ keystone_service_publicuri }}"
-        interface: "public"
-      - url: "{{ keystone_service_internaluri }}"
-        interface: "internal"
-      - url: "{{ keystone_service_adminuri }}"
-        interface: "admin"
-  no_log: true
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10

tasks/keystone_service_update.yml

@@ -0,0 +1,142 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Note(odyssey4me):
+# This set of tasks specifically runs against the last keystone
+# node in the cluster to ensure that the modules have access to
+# the endpoints which were bootstrapped in keystone_service_bootstrap.
+
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Update the service
+  delegate_to: "{{ keystone_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Wait for services to be up
+      uri:
+        url: "{{ item.url }}"
+        validate_certs: "{{ item.validate_certs }}"
+        method: "HEAD"
+        status_code: 300
+      with_items:
+        - url: "{{ keystone_service_adminuri }}"
+          validate_certs: "{{ not keystone_service_adminuri_insecure }}"
+        - url: "{{ keystone_service_internaluri }}"
+          validate_certs: "{{ not keystone_service_internaluri_insecure }}"
+      register: _wait_check
+      until: _wait_check | success
+      retries: 12
+      delay: 5
+
+    - name: Add service project
+      os_project:
+        cloud: default
+        state: present
+        name: "{{ keystone_service_tenant_name }}"
+        description: "{{ keystone_service_description }}"
+        domain_id: "default"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not keystone_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+
+    - name: Add default role
+      os_keystone_role:
+        cloud: default
+        state: present
+        name: "{{ keystone_default_role_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not keystone_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+
+    - name: Add service to the keystone service catalog
+      os_keystone_service:
+        cloud: default
+        state: present
+        name: "{{ keystone_service_name }}"
+        service_type: "{{ keystone_service_type }}"
+        description: "{{ keystone_service_description }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      until: add_service is success
+      retries: 5
+      delay: 10
+
+    - name: Add service user
+      os_user:
+        cloud: default
+        state: present
+        name: "{{ keystone_service_user_name }}"
+        password: "{{ keystone_service_password }}"
+        domain: default
+        default_project: "{{ keystone_service_tenant_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not keystone_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+      no_log: True
+
+    - name: Add service user to admin role
+      os_user_role:
+        cloud: default
+        state: present
+        user: "{{ keystone_service_user_name }}"
+        role: "{{ keystone_role_name }}"
+        project: "{{ keystone_service_tenant_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not keystone_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+
+    - name: Add endpoints to keystone endpoint catalog
+      os_keystone_endpoint:
+        cloud: default
+        state: present
+        service: "{{ keystone_service_name }}"
+        endpoint_interface: "{{ item.interface }}"
+        url: "{{ item.url }}"
+        region: "{{ keystone_service_region }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - interface: "public"
+          url: "{{ keystone_service_publicuri }}"
+        - interface: "internal"
+          url: "{{ keystone_service_internaluri }}"
+        - interface: "admin"
+          url: "{{ keystone_service_adminuri }}"

tasks/main.yml

@@ -130,10 +130,17 @@
 - name: Flush handlers
   meta: flush_handlers
 
-- include_tasks: keystone_service_setup.yml
+- include_tasks: keystone_service_bootstrap.yml
   when:
-    - keystone_service_setup | bool
-  run_once: yes
+    - "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[0]"
+    - "keystone_service_setup | bool"
+  tags:
+    - keystone-config
+
+- include_tasks: keystone_service_update.yml
+  when:
+    - "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[-1]"
+    - "keystone_service_setup | bool"
   tags:
     - keystone-config
 

tests/host_vars/localhost.yml

@@ -15,5 +15,3 @@
 
 bridges:
   - "br-mgmt"
-
-ansible_python_interpreter: "/usr/bin/python2"