openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

Perform an atomic policy file change

Browse Source 
The policy.json file is currently read continually by the
services and is not only read on service start. We therefore
cannot template directly to the file read by the service
(if the service is already running) because the new policies
may not be valid until the service restarts. This is
particularly important during a major upgrade. We therefore
only put the policy file in place after the service restart.

This patch also tidies up the handlers and some of the install
tasks to simplify them and reduce the tasks/code a little.

Change-Id: Ie913e5eb75f3601107b53bab7bda4a02ab1c1024
This commit is contained in:
Jesse Pretorius 2017-04-03 16:51:26 +01:00
parent cee7a02143
commit 94293c86c2
18 changed files with 281 additions and 297 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
handlers/main.yml
View File

@ -13,114 +13,156 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Restart service on first node
- name: Restart web server on first node
debug:
msg: "Restarting web server on first node"
changed_when: true
notify:
- Restart web server
- Wait for web server to complete starting
when:
- inventory_hostname == groups['keystone_all'][0]
tags:
- keystone-config
- name: Restart web server on other nodes
debug:
msg: "Restarting web server on other nodes"
changed_when: true
notify:
- Restart web server
- Wait for web server to complete starting
when:
- inventory_hostname != groups['keystone_all'][0]
tags:
- keystone-config
- name: Restart web server
service:
name: "{{ keystone_system_service_name }}"
name: "{{ (keystone_apache_enabled | bool) | ternary(keystone_system_service_name, 'nginx') }}"
enabled: yes
state: restarted
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _restart
until: _restart|success
until: _restart | success
retries: 5
delay: 2
when:
- inventory_hostname == groups['keystone_all'][0]
- (keystone_apache_enabled | bool) or (keystone_mod_wsgi_enabled | bool)
notify:
- Wait for keystone service port
tags:
- keystone-config
- name: Restart Nginx on first node
service:
name: nginx
state: restarted
register: keystone_restart
until: keystone_restart | success
retries: 5
delay: 2
when:
- inventory_hostname == groups['keystone_all'][0]
- not keystone_apache_enabled | bool
tags:
- keystone-config
- name: Restart Keystone APIs on first node
service:
name: "{{ item }}"
state: "restarted"
register: keystone_restart
until: keystone_restart | success
retries: 5
delay: 2
with_items: "{{ keystone_wsgi_program_names }}"
when:
- inventory_hostname == groups['keystone_all'][0]
- not keystone_mod_wsgi_enabled | bool
notify:
- Wait for keystone service port
tags:
- keystone-config
- name: Wait for keystone service port
- name: Wait for web server to complete starting
wait_for:
port: "{{ keystone_service_port }}"
port: "{{ item }}"
timeout: 25
delay: 10
register: keystone_wait_check
until: keystone_wait_check | success
with_items:
- "{{ keystone_service_port }}"
- "{{ keystone_admin_port }}"
register: _wait_check
until: _wait_check | success
retries: 5
tags:
- keystone-config
- name: Restart service on other nodes
service:
name: "{{ keystone_system_service_name }}"
state: restarted
register: _restart
until: _restart|success
retries: 5
delay: 2
- name: Restart uWSGI on first node
debug:
msg: "Restart uWSGI on first node"
changed_when: true
when:
- inventory_hostname == groups['keystone_all'][0]
notify:
- Stop uWSGI
- Copy new policy file into place
- Start uWSGI
- Wait for uWSGI socket to be ready
tags:
- keystone-config
- name: Restart uWSGI on other nodes
debug:
msg: "Restart uWSGI on other nodes"
changed_when: true
when:
- inventory_hostname != groups['keystone_all'][0]
- (keystone_apache_enabled | bool) or (keystone_mod_wsgi_enabled | bool)
notify:
- Stop uWSGI
- Copy new policy file into place
- Start uWSGI
- Wait for uWSGI socket to be ready
tags:
- keystone-config
- name: Restart Nginx on other nodes
service:
name: nginx
state: restarted
register: keystone_restart
until: keystone_restart | success
retries: 5
delay: 2
when:
- inventory_hostname != groups['keystone_all'][0]
- not keystone_apache_enabled | bool
tags:
- keystone-config
- name: Restart Keystone APIs on other nodes
- name: Stop uWSGI
service:
name: "{{ item }}"
state: "restarted"
register: keystone_restart
until: keystone_restart | success
state: "stopped"
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _stop
until: _stop | success
retries: 5
delay: 2
with_items: "{{ keystone_wsgi_program_names }}"
when:
- inventory_hostname != groups['keystone_all'][0]
- not keystone_mod_wsgi_enabled | bool
tags:
- keystone-config
# Note (odyssey4me):
# The policy.json file is currently read continually by the services
# and is not only read on service start. We therefore cannot template
# directly to the file read by the service because the new policies
# may not be valid until the service restarts. This is particularly
# important during a major upgrade. We therefore only put the policy
# file in place after the service has been stopped.
#
- name: Copy new policy file into place
copy:
src: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
dest: "/etc/keystone/policy.json"
remote_src: yes
tags:
- keystone-config
- name: Start uWSGI
service:
name: "{{ item }}"
enabled: yes
state: "started"
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _start
until: _start | success
retries: 5
delay: 2
with_items: "{{ keystone_wsgi_program_names }}"
when:
- not keystone_mod_wsgi_enabled | bool
tags:
- keystone-config
- name: Wait for uWSGI socket to be ready
wait_for:
port: "{{ item }}"
timeout: 25
delay: 10
with_items:
- "{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}"
- "{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
when:
- not keystone_mod_wsgi_enabled | bool
register: _wait_check
until: _wait_check | success
retries: 5
tags:
- keystone-config
- name: Restart Shibd
service:
name: "shibd"
enabled: yes
state: "restarted"
register: shibd_restart
until: shibd_restart|success
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _restart
until: _restart | success
retries: 5
delay: 2
tags:
@ -132,3 +174,4 @@
become_user: "{{ keystone_system_user_name }}"
tags:
- keystone-config

63
tasks/keystone_apache.yml
View File

@ -38,20 +38,23 @@
## Module enable/disable process is only functional on Debian based systems.
- name: Enable/disable apache2 modules
command: "{{ (item.state == 'present') | ternary('a2enmod','a2dismod') }} {{ item.name }}"
register: horizon_apache2_module
register: _apache2_module
changed_when:
- horizon_apache2_module.stdout.find('{{ item.name }} already') == -1
- horizon_apache2_module.stderr.find('{{ item.name }} does not exist') == -1
- _apache2_module.stdout.find('{{ item.name }} already') == -1
- _apache2_module.stderr.find('{{ item.name }} does not exist') == -1
failed_when: false
with_items:
- "{{ { 'name': 'ssl', 'state': (keystone_ssl | bool) | ternary('present', 'absent') } }}"
- "{{ { 'name': 'shib2', 'state': ( keystone_sp != {} ) | ternary('present', 'absent') } }}"
- "{{ { 'name': 'proxy_http', 'state': (keystone_mod_wsgi_enabled | bool) | ternary('absent', 'present') } }}"
- name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2"
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
- name: "proxy_http"
state: "{{ (keystone_mod_wsgi_enabled | bool) | ternary('absent', 'present') }}"
when:
- ansible_pkg_mgr == 'apt'
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
## NOTE(andymccr):
## We need to enable a module for httpd on RedHat/CentOS using LoadModule inside conf files
@ -63,8 +66,8 @@
when:
- ansible_pkg_mgr == 'yum'
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Drop apache2 config files
template:
@ -74,8 +77,8 @@
group: "root"
with_items: "{{ keystone_apache_configs }}"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Disable default apache site
file:
@ -83,8 +86,8 @@
state: "absent"
with_items: "{{ keystone_apache_default_sites }}"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Enabled keystone vhost
file:
@ -95,16 +98,16 @@
- keystone_apache_site_available is defined
- keystone_apache_site_enabled is defined
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Ensure Apache ServerName
lineinfile:
dest: "{{ keystone_apache_conf }}"
line: "ServerName {{ ansible_hostname }}"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Ensure Apache ServerTokens
lineinfile:
@ -112,8 +115,8 @@
regexp: '^ServerTokens'
line: "ServerTokens {{ keystone_apache_servertokens }}"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Ensure Apache ServerSignature
lineinfile:
@ -121,25 +124,15 @@
regexp: '^ServerSignature'
line: "ServerSignature {{ keystone_apache_serversignature }}"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: remove Listen from Apache config
- name: Remove Listen from Apache config
lineinfile:
dest: "{{ keystone_apache_conf }}"
regexp: '^(Listen.*)'
backrefs: yes
line: '#\1'
notify:
- Restart service on first node
- Restart service on other nodes
## NOTE(mgariepy):
## We need to enable httpd on CentOS if not it won't start when the container is restarted.
- name: Load service
service:
name: "{{ keystone_system_service_name }}"
enabled: "yes"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes

16
tasks/keystone_federation_sp_setup.yml
View File

@ -33,8 +33,8 @@
changed_when: false
when: inventory_hostname == groups['keystone_all'][0]
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- Restart Shibd
- name: Store sp cert
@ -66,8 +66,8 @@
mode: "0640"
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- Restart Shibd
- name: Distribute sp cert
@ -79,8 +79,8 @@
mode: "0640"
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- Restart Shibd
- name: Set appropriate file ownership on the Shibboleth SP key-pair
@ -93,6 +93,6 @@
- "/etc/shibboleth/sp-key.pem"
when: inventory_hostname != groups['keystone_all'][0]
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- Restart Shibd

8
tasks/keystone_idp_metadata.yml
View File

@ -20,7 +20,7 @@
become_user: "{{ keystone_system_user_name }}"
when: keystone_idp != {}
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes

4
tasks/keystone_idp_self_signed_create.yml
View File

@ -33,8 +33,8 @@
when: >
inventory_hostname == groups['keystone_all'][0]
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Set appropriate file ownership on the IdP self-signed cert
file:

4
tasks/keystone_idp_self_signed_distribute.yml
View File

@ -30,8 +30,8 @@
retries: 5
delay: 2
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Set appropriate file ownership on the IdP self-signed cert
file:

24
tasks/keystone_init_common.yml
View File

@ -1,24 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_init_systemd.yml
static: no
when:
- ansible_service_mgr == 'systemd'
- name: Load service
service:
name: "{{ program_name }}"
enabled: "yes"

18
tasks/keystone_init_systemd.yml
View File

@ -31,6 +31,11 @@
mode: "0644"
owner: "root"
group: "root"
notify:
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Place the systemd init script
config_template:
@ -41,13 +46,8 @@
group: "root"
config_overrides: "{{ keystone_uwsgi_init_overrides }}"
config_type: "ini"
register: systemd_init
- name: Reload the systemd daemon
command: "systemctl daemon-reload"
when: systemd_init | changed
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes

100
tasks/keystone_install.yml
View File

@ -61,96 +61,79 @@
name: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
until: install_packages | success
retries: 5
delay: 2
with_items: "{{ keystone_distro_packages }}"
- name: Install distro packages for Apache
- name: Install web server distro packages
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
until: install_packages | success
retries: 5
delay: 2
with_items: "{{ keystone_apache_distro_packages }}"
when:
- keystone_apache_enabled | bool
with_items: "{{ (keystone_apache_enabled | bool) | ternary(keystone_apache_distro_packages, keystone_nginx_distro_packages) }}"
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Install distro packages for mod_wsgi
- name: Install mod_wsgi/mod_proxy_uwsgi distro packages
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
until: install_packages | success
retries: 5
delay: 2
with_items: "{{ keystone_mod_wsgi_distro_packages }}"
when:
- keystone_mod_wsgi_enabled | bool
- name: Install distro packages for mod_proxy_uwsgi
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_mod_proxy_uwsgi_distro_packages }}"
when:
- not keystone_mod_wsgi_enabled | bool
- name: Install distro packages for Nginx
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: "{{ keystone_nginx_distro_packages }}"
when:
- not keystone_apache_enabled | bool
with_items: "{{ (keystone_mod_wsgi_enabled | bool) | ternary(keystone_mod_wsgi_distro_packages, keystone_mod_proxy_uwsgi_distro_packages) }}"
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Install distro packages for IdP
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
state: "{{ (keystone_idp != {}) | ternary(keystone_package_state, 'absent') }}"
autoremove: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}"
when:
- keystone_apache_enabled | bool
register: install_packages
until: install_packages|success
until: install_packages | success
retries: 5
delay: 2
with_items: "{{ keystone_idp_distro_packages }}"
when:
- keystone_apache_enabled | bool
- keystone_idp != {}
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Install distro packages for SP
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
state: "{{ (keystone_sp != {}) | ternary(keystone_package_state, 'absent') }}"
autoremove: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}"
when:
- keystone_apache_enabled | bool
register: install_packages
until: install_packages|success
until: install_packages | success
retries: 5
delay: 2
with_items: "{{ keystone_sp_distro_packages }}"
when:
- keystone_apache_enabled | bool
- keystone_sp != {}
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Install distro packages for developer mode
package:
name: "{{ item }}"
state: "{{ keystone_package_state }}"
state: "{{ (keystone_developer_mode | bool) | ternary(keystone_package_state, 'absent') }}"
autoremove: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}"
register: install_packages
until: install_packages|success
until: install_packages | success
retries: 5
delay: 2
with_items: "{{ keystone_developer_mode_distro_packages }}"
when:
- keystone_developer_mode | bool
- name: Create developer mode constraint file
copy:
@ -201,10 +184,10 @@
copy: "no"
when: keystone_get_venv | changed
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Install pip packages
pip:
@ -222,10 +205,10 @@
delay: 2
when: keystone_get_venv | failed or keystone_get_venv | skipped
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: CentOS remove python from path first
file:
@ -251,6 +234,9 @@
dest: admin
- src: "{{ keystone_bin }}/keystone-wsgi-public"
dest: main
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Record the need for a db sync
ini_file:

16
tasks/keystone_ldap_setup.yml
View File

@ -35,10 +35,10 @@
mode: "0640"
with_dict: "{{ keystone_ldap }}"
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes
# Bug 1547542 - Older versions of the keystone role would deploy a blank
# keystone.Default.conf and this will cause errors when adding LDAP-backed
@ -49,7 +49,7 @@
state: absent
when: keystone_ldap.Default is not defined
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes

16
tasks/keystone_nginx.yml
View File

@ -24,8 +24,8 @@
path: /etc/nginx/sites-enabled/default
state: absent
notify:
- Restart Nginx on first node
- Restart Nginx on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Configure custom nginx log format
lineinfile:
@ -33,8 +33,8 @@
dest: "/etc/nginx/nginx.conf"
line: "log_format custom '{{ keystone_nginx_access_log_format_combined }} {{ keystone_nginx_access_log_format_extras }}';"
notify:
- Restart Nginx on first node
- Restart Nginx on other nodes
- Restart web server on first node
- Restart web server on other nodes
# Configure app
- name: Configure virtual hosts
@ -43,8 +43,8 @@
dest: "/etc/nginx/{{ keystone_nginx_conf_path }}/{{ item }}.conf"
with_items: "{{ keystone_wsgi_program_names }}"
notify:
- Restart Nginx on first node
- Restart Nginx on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Link to enable virtual hosts
file:
@ -54,5 +54,5 @@
with_items: "{{ keystone_wsgi_program_names }}"
when: ansible_os_family == "Debian"
notify:
- Restart Nginx on first node
- Restart Nginx on other nodes
- Restart web server on first node
- Restart web server on other nodes

26
tasks/keystone_post_install.yml
View File

@ -32,14 +32,14 @@
config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
config_type: "ini"
- src: "policy.json.j2"
dest: "/etc/keystone/policy.json"
dest: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
config_overrides: "{{ keystone_policy_overrides }}"
config_type: "json"
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Copy Keystone Federation SP SSO callback template
copy:
@ -51,10 +51,10 @@
when:
- keystone_idp != {}
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Clean up Keystone Federation SP SSO callback template
file:
@ -63,7 +63,7 @@
when:
- keystone_idp == {}
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart service on first node
- Restart service on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- Restart web server on first node
- Restart web server on other nodes

28
tasks/keystone_service_setup.yml
View File

@ -13,19 +13,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Wait for keystone admin to come up
wait_for:
host: "{{ ansible_host }}"
port: "{{ keystone_admin_port }}"
timeout: 25
delay: 10
- name: Wait for keystone service to come up
wait_for:
host: "{{ ansible_host }}"
port: "{{ keystone_service_port }}"
timeout: 25
delay: 10
- name: Wait for services to be up
uri:
url: "{{ item['url'] }}"
validate_certs: "{{ item['validate_certs'] }}"
method: "HEAD"
status_code: 300
with_items:
- url: "{{ keystone_service_adminuri }}"
validate_certs: "{{ not keystone_service_adminuri_insecure | bool }}"
- url: "{{ keystone_service_internaluri }}"
validate_certs: "{{ not keystone_service_internaluri_insecure | bool }}"
register: _wait_check
until: _wait_check | success
retries: 12
delay: 5
- name: Bootstrap keystone admin and endpoint
command: |

8
tasks/keystone_ssl_key_create.yml
View File

@ -29,8 +29,8 @@
-extensions v3_ca
creates={{ keystone_ssl_cert }}
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Ensure keystone user owns the self-signed key and certificate
file:
@ -42,5 +42,5 @@
- "{{ keystone_ssl_key }}"
- "{{ keystone_ssl_cert }}"
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes

9
tasks/keystone_ssl_key_distribute.yml
View File

@ -20,6 +20,9 @@
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0640"
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Distribute self signed ssl cert
copy:
@ -28,6 +31,9 @@
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "0640"
notify:
- Restart web server on first node
- Restart web server on other nodes
- name: Ensure keystone user owns the self-signed key and certificate
file:
@ -37,3 +43,6 @@
with_items:
- "{{ keystone_ssl_key }}"
- "{{ keystone_ssl_cert }}"
notify:
- Restart web server on first node
- Restart web server on other nodes

12
tasks/keystone_ssl_user_provided.yml
View File

@ -22,8 +22,8 @@
mode: "0644"
when: keystone_user_ssl_cert is defined
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Drop user provided ssl key
copy:
@ -34,8 +34,8 @@
mode: "0640"
when: keystone_user_ssl_key is defined
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes
- name: Drop user provided ssl CA cert
copy:
@ -46,5 +46,5 @@
mode: "0644"
when: keystone_user_ssl_ca_cert is defined
notify:
- Restart service on first node
- Restart service on other nodes
- Restart web server on first node
- Restart web server on other nodes

25
tasks/keystone_uwsgi.yml
View File

@ -12,7 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Uwsgi Configuration
- name: Ensure uWSGI directory exists
file:
path: "/etc/uwsgi/"
@ -28,37 +27,21 @@
config_type: ini
with_items: "{{ keystone_wsgi_program_names }}"
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- Restart uWSGI on first node
- Restart uWSGI on other nodes
- include: keystone_init_common.yml
- include: "keystone_init_{{ ansible_service_mgr }}.yml"
vars:
program_name: "{{ keystone_wsgi_public_program_name }}"
service_name: "{{ keystone_wsgi_public_program_name }}"
system_user: "{{ keystone_system_user_name }}"
system_group: "{{ keystone_system_group_name }}"
service_home: "{{ keystone_system_user_home }}"
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- include: keystone_init_common.yml
- include: "keystone_init_{{ ansible_service_mgr }}.yml"
vars:
program_name: "{{ keystone_wsgi_admin_program_name }}"
service_name: "{{ keystone_wsgi_admin_program_name }}"
system_user: "{{ keystone_system_user_name }}"
system_group: "{{ keystone_system_group_name }}"
service_home: "{{ keystone_system_user_home }}"
notify:
- Restart Keystone APIs on first node
- Restart Keystone APIs on other nodes
- name: Ensure uwsgi service started
service:
name: "{{ item }}"
state: started
register: keystone_start
until: keystone_start | success
retries: 5
delay: 2
with_items: "{{ keystone_wsgi_program_names }}"

10
tasks/main.yml
View File

@ -114,15 +114,7 @@
tags:
- keystone-config
- include: keystone_apache.yml
static: no
when: keystone_apache_enabled | bool
tags:
- keystone-config
- include: keystone_nginx.yml
static: no
when: not keystone_apache_enabled | bool
- include: "keystone_{{ (keystone_apache_enabled | bool) | ternary('apache', 'nginx') }}.yml"
tags:
- keystone-config