Merge "Cleanup files and templates using smart sources"
commit
c351a180ba
|
@ -458,22 +458,10 @@ keystone_optional_oslomsg_amqp1_pip_packages:
|
||||||
# by the py_pkgs lookup.
|
# by the py_pkgs lookup.
|
||||||
keystone_role_project_group: keystone_all
|
keystone_role_project_group: keystone_all
|
||||||
|
|
||||||
#: Tunable file-based overrides
|
# NOTE(cloudnull): Tunable SSO callback file file-based overrides If defined,
|
||||||
# The contents of these files, if they exist, are read from the
|
# it'll be read from the deployment host, interpreted by the
|
||||||
# specified path on the deployment host, interpreted by the
|
# template engine and copied to the target host.
|
||||||
# template engine and copied to the target host. If they do
|
# keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
|
||||||
# not exist then the default files will be sourced from the
|
|
||||||
# service git repository.
|
|
||||||
keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
|
|
||||||
keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
|
|
||||||
|
|
||||||
# If the above-mentioned files do not exist, then the defaults
|
|
||||||
# inside the venvs will be used, but cached at this location
|
|
||||||
# on the deployment host. Using the cache makes the re-use
|
|
||||||
# of the files faster when deploying, but is also required in
|
|
||||||
# order to still be able to apply the config_template override.
|
|
||||||
keystone_config_cache_path: "{{ lookup('env', 'HOME') | default('/opt', true) }}/cache/keystone"
|
|
||||||
keystone_config_cache_path_owner: "{{ lookup('env', 'USER') | default('root', true) }}"
|
|
||||||
|
|
||||||
#: Tunable var-based overrides
|
#: Tunable var-based overrides
|
||||||
# The contents of these are templated over the default files.
|
# The contents of these are templated over the default files.
|
||||||
|
|
|
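Review bot: The new comment at the top of the file-based overrides block says the SSO callback file is "interpreted by the template engine and copied to the target host", but the task that consumes `keystone_sso_callback_file_path` elsewhere in this commit uses the `copy` module with a plain `src`, so as far as this commit shows the file is copied verbatim and no Jinja is evaluated. The same line also has a duplicated word, `Tunable SSO callback file file-based overrides`, and runs two sentences together. Suggest `# NOTE(cloudnull): Tunable SSO callback file-based override. If defined, the file is read from the deployment host and copied verbatim to the target host; when left undefined the copy is skipped.` so operators neither expect templating nor wonder what an unset value does.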
@ -54,36 +54,6 @@
|
||||||
- "venv changed"
|
- "venv changed"
|
||||||
- "Restart uWSGI"
|
- "Restart uWSGI"
|
||||||
|
|
||||||
# Note (odyssey4me):
|
|
||||||
# The policy.json file is currently read continually by the services
|
|
||||||
# and is not only read on service start. We therefore cannot template
|
|
||||||
# directly to the file read by the service because the new policies
|
|
||||||
# may not be valid until the service restarts. This is particularly
|
|
||||||
# important during a major upgrade. We therefore only put the policy
|
|
||||||
# file in place after the service has been stopped.
|
|
||||||
#
|
|
||||||
- name: Check whether a custom policy file is being used
|
|
||||||
stat:
|
|
||||||
path: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
|
|
||||||
register: _custom_policy_file
|
|
||||||
listen:
|
|
||||||
- "venv changed"
|
|
||||||
- "Restart uWSGI"
|
|
||||||
|
|
||||||
- name: Copy new policy file into place
|
|
||||||
copy:
|
|
||||||
src: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
|
|
||||||
dest: "/etc/keystone/policy.json"
|
|
||||||
owner: "root"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "0640"
|
|
||||||
remote_src: yes
|
|
||||||
when:
|
|
||||||
- _custom_policy_file['stat']['exists'] | bool
|
|
||||||
listen:
|
|
||||||
- "venv changed"
|
|
||||||
- "Restart uWSGI"
|
|
||||||
|
|
||||||
- name: Start uWSGI
|
- name: Start uWSGI
|
||||||
service:
|
service:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
|
|
|
@ -35,71 +35,74 @@
|
||||||
with_items: "{{ ansible_play_hosts }}"
|
with_items: "{{ ansible_play_hosts }}"
|
||||||
when: "inventory_hostname == ansible_play_hosts[0]"
|
when: "inventory_hostname == ansible_play_hosts[0]"
|
||||||
|
|
||||||
- name: Check whether user-provided configuration files are provided
|
|
||||||
stat:
|
|
||||||
path: "{{ item }}"
|
|
||||||
with_items:
|
|
||||||
- "{{ keystone_policy_default_file_path }}"
|
|
||||||
- "{{ keystone_sso_callback_file_path }}"
|
|
||||||
register: _user_provided_config_files
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Ensure that local config cache path exists on the deploy host
|
|
||||||
file:
|
|
||||||
path: "{{ keystone_config_cache_path }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ keystone_config_cache_path_owner }}"
|
|
||||||
delegate_to: localhost
|
|
||||||
run_once: yes
|
|
||||||
|
|
||||||
- name: Retrieve default configuration files from venv
|
|
||||||
fetch:
|
|
||||||
src: "{{ _keystone_etc }}/keystone/{{ keystone_sso_callback_file_path | basename }}"
|
|
||||||
dest: "{{ keystone_config_cache_path }}/"
|
|
||||||
flat: yes
|
|
||||||
run_once: yes
|
|
||||||
|
|
||||||
- name: Copy keystone configuration files
|
- name: Copy keystone configuration files
|
||||||
config_template:
|
config_template:
|
||||||
content: "{{ item.content | default(omit) }}"
|
src: "keystone.conf.j2"
|
||||||
src: "{{ item.src | default(omit) }}"
|
dest: "/etc/keystone/keystone.conf"
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "{{ keystone_system_group_name }}"
|
group: "{{ keystone_system_group_name }}"
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
config_overrides: "{{ item.config_overrides }}"
|
config_overrides: "{{ keystone_keystone_conf_overrides }}"
|
||||||
config_type: "{{ item.config_type }}"
|
config_type: "ini"
|
||||||
when:
|
|
||||||
- item.condition | default(True)
|
|
||||||
with_items:
|
|
||||||
- src: "keystone.conf.j2"
|
|
||||||
dest: "/etc/keystone/keystone.conf"
|
|
||||||
config_overrides: "{{ keystone_keystone_conf_overrides }}"
|
|
||||||
config_type: "ini"
|
|
||||||
- src: "{{ keystone_policy_default_file_path }}"
|
|
||||||
dest: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
|
|
||||||
config_overrides: "{{ keystone_policy_overrides }}"
|
|
||||||
config_type: "json"
|
|
||||||
condition: >-
|
|
||||||
{{ _user_provided_config_files['results'][0]['stat']['exists'] | bool }}
|
|
||||||
notify:
|
notify:
|
||||||
- Manage LB
|
- Manage LB
|
||||||
- Restart uWSGI
|
- Restart uWSGI
|
||||||
- Restart web server
|
- Restart web server
|
||||||
|
|
||||||
- name: Copy Keystone Federation SP SSO callback template
|
- name: Implement policy.json if there are overrides configured
|
||||||
copy:
|
copy:
|
||||||
src: >-
|
content: "{{ keystone_policy_overrides | to_nice_json }}"
|
||||||
{{ (_user_provided_config_files['results'][1]['stat']['exists'] | bool) |
|
dest: "/etc/keystone/policy.json"
|
||||||
ternary(keystone_sso_callback_file_path,
|
|
||||||
keystone_config_cache_path ~ '/' ~ keystone_sso_callback_file_path | basename) }}
|
|
||||||
dest: "/etc/keystone/sso_callback_template.html"
|
|
||||||
owner: "{{ keystone_system_user_name }}"
|
|
||||||
group: "{{ keystone_system_group_name }}"
|
|
||||||
mode: "0644"
|
|
||||||
when:
|
when:
|
||||||
- keystone_sp != {}
|
- keystone_policy_overrides != {}
|
||||||
|
|
||||||
|
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
|
||||||
|
# because we only want to copy the original files once. and we
|
||||||
|
# don't want to need multiple tasks.
|
||||||
|
- name: Preserve original configuration file(s)
|
||||||
|
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
|
||||||
|
args:
|
||||||
|
creates: "{{ item.target_f }}.original"
|
||||||
|
with_items: "{{ keystone_core_files }}"
|
||||||
|
|
||||||
|
- name: Fetch override files
|
||||||
|
fetch:
|
||||||
|
src: "{{ item.target_f }}"
|
||||||
|
dest: "{{ item.tmp_f }}"
|
||||||
|
flat: yes
|
||||||
|
changed_when: false
|
||||||
|
run_once: true
|
||||||
|
with_items: "{{ keystone_core_files }}"
|
||||||
|
|
||||||
|
- name: Copy common config
|
||||||
|
config_template:
|
||||||
|
src: "{{ item.tmp_f }}"
|
||||||
|
dest: "{{ item.target_f }}"
|
||||||
|
owner: "root"
|
||||||
|
group: "{{ item.group | default(keystone_system_group_name) }}"
|
||||||
|
mode: "0640"
|
||||||
|
config_overrides: "{{ item.config_overrides }}"
|
||||||
|
config_type: "{{ item.config_type }}"
|
||||||
|
with_items: "{{ keystone_core_files }}"
|
||||||
|
notify:
|
||||||
|
- Restart uWSGI
|
||||||
|
- Restart web server
|
||||||
|
|
||||||
|
- name: Cleanup fetched temp files
|
||||||
|
file:
|
||||||
|
path: "{{ item.tmp_f }}"
|
||||||
|
state: absent
|
||||||
|
changed_when: false
|
||||||
|
delegate_to: localhost
|
||||||
|
run_once: true
|
||||||
|
with_items: "{{ keystone_core_files }}"
|
||||||
|
|
||||||
|
- name: Copy sso callback file
|
||||||
|
copy:
|
||||||
|
src: "{{ keystone_sso_callback_file_path }}"
|
||||||
|
dest: "/etc/keystone/sso_callback_template.html"
|
||||||
|
when:
|
||||||
|
- keystone_sso_callback_file_path is defined
|
||||||
notify:
|
notify:
|
||||||
- Manage LB
|
|
||||||
- Restart uWSGI
|
- Restart uWSGI
|
||||||
- Restart web server
|
- Restart web server
|
||||||
|
|
|
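Review bot: `Preserve original configuration file(s)` runs `cp` without `-p`, so each `<target_f>.original` is created with root ownership and the umask-derived mode rather than the `0640` root:keystone that `Copy common config` enforces on the live file; if `keystone_core_files` carries keystone.conf (its contents are defined elsewhere and not visible here), a more-readable copy of its credentials sits next to it indefinitely. Change the command to `cp -p {{ item.target_f }} {{ item.target_f }}.original`, or follow it with a `file` task pinning `mode: "0640"` on the `.original` copy. `Fetch override files` likewise pulls those same files onto the deploy host under `item.tmp_f` with the controller user's umask, and a failure between that task and `Cleanup fetched temp files` leaves them behind, so the cleanup belongs in a block `always:`. Separately, `Implement policy.json if there are overrides configured` now writes `/etc/keystone/policy.json` directly with no `notify`, while the handlers this commit deletes existed because oslo.policy re-reads that file while the service runs and a new-version policy may not be valid until restart; worth confirming that is acceptable for major upgrades. `Copy sso callback file` also drops the explicit `owner`/`group`/`mode` the replaced task set, leaving the file to the copy module's defaults.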
@ -27,10 +27,10 @@
|
||||||
name: "{{ item[1] }}"
|
name: "{{ item[1] }}"
|
||||||
state: "present"
|
state: "present"
|
||||||
system: "yes"
|
system: "yes"
|
||||||
|
delegate_to: "{{ item[0] }}"
|
||||||
with_nested:
|
with_nested:
|
||||||
- "{{ ansible_play_hosts }}"
|
- "{{ ansible_play_hosts }}"
|
||||||
- "{{ keystone_system_additional_groups }}"
|
- "{{ keystone_system_additional_groups }}"
|
||||||
delegate_to: "{{ item[0] }}"
|
|
||||||
when: "inventory_hostname == ansible_play_hosts[0]"
|
when: "inventory_hostname == ansible_play_hosts[0]"
|
||||||
|
|
||||||
- name: Remove old key file(s) if found
|
- name: Remove old key file(s) if found
|
||||||
|
@ -61,26 +61,68 @@
|
||||||
with_items: "{{ ansible_play_hosts }}"
|
with_items: "{{ ansible_play_hosts }}"
|
||||||
when: "inventory_hostname == ansible_play_hosts[0]"
|
when: "inventory_hostname == ansible_play_hosts[0]"
|
||||||
|
|
||||||
|
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
|
||||||
|
# install. If the directory does exist it will need to be
|
||||||
|
# removed. This is required on source installs because the
|
||||||
|
# config directory is a link.
|
||||||
|
- name: Source config block
|
||||||
|
block:
|
||||||
|
- name: Stat config directory
|
||||||
|
stat:
|
||||||
|
path: "/etc/keystone"
|
||||||
|
register: keystone_conf_dir_stat
|
||||||
|
|
||||||
|
- name: Remove the config directory
|
||||||
|
file:
|
||||||
|
path: "/etc/keystone"
|
||||||
|
state: absent
|
||||||
|
when:
|
||||||
|
- keystone_conf_dir_stat.stat.isdir is defined and
|
||||||
|
keystone_conf_dir_stat.stat.isdir
|
||||||
|
when:
|
||||||
|
- keystone_install_method == 'source'
|
||||||
|
|
||||||
# The fernet key repository is needed on all hosts even if only running against
|
# The fernet key repository is needed on all hosts even if only running against
|
||||||
# one host, so the delegation preps the directories on all hosts at once.
|
# one host, so the delegation preps the directories on all hosts at once.
|
||||||
- name: Create keystone dir
|
- name: Create keystone dir
|
||||||
file:
|
file:
|
||||||
path: "{{ item[1].path }}"
|
path: "{{ item[1].path | default(omit) }}"
|
||||||
state: directory
|
src: "{{ item[1].src | default(omit) }}"
|
||||||
|
dest: "{{ item[1].dest | default(omit) }}"
|
||||||
|
state: "{{ item[1].state | default('directory') }}"
|
||||||
owner: "{{ item[1].owner|default(keystone_system_user_name) }}"
|
owner: "{{ item[1].owner|default(keystone_system_user_name) }}"
|
||||||
group: "{{ item[1].group|default(keystone_system_group_name) }}"
|
group: "{{ item[1].group|default(keystone_system_group_name) }}"
|
||||||
mode: "{{ item[1].mode|default(0755) }}"
|
mode: "{{ item[1].mode | default(omit) }}"
|
||||||
|
force: "{{ item[1].force | default(omit) }}"
|
||||||
with_nested:
|
with_nested:
|
||||||
- "{{ ansible_play_hosts }}"
|
- "{{ ansible_play_hosts }}"
|
||||||
- - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
|
- - path: "/openstack"
|
||||||
- { path: "/etc/keystone", mode: "0750" }
|
mode: "0755"
|
||||||
- { path: "{{ keystone_credential_key_repository }}", mode: "0750" }
|
owner: "root"
|
||||||
- { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750" }
|
group: "root"
|
||||||
- { path: "/etc/keystone/ssl" }
|
- path: "{{ (keystone_install_method == 'distro') | ternary('/etc/keystone', (keystone_bin | dirname) + '/etc/keystone') }}"
|
||||||
- { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
|
mode: "0755"
|
||||||
- { path: "{{ keystone_system_user_home }}" }
|
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
|
||||||
- { path: "/var/www/cgi-bin", owner: root, group: root }
|
# within the host/container confines when connecting to
|
||||||
- { path: "/var/www/cgi-bin/keystone" }
|
# them using the connection plugin or the root filesystem.
|
||||||
- { path: "/etc/ansible/facts.d", owner: root, group: root }
|
- dest: "/etc/keystone"
|
||||||
|
src: "{{ keystone_bin | dirname | regex_replace('^/', '../') }}/etc/keystone"
|
||||||
|
state: "{{ (keystone_install_method == 'source') | ternary('link', 'directory') }}"
|
||||||
|
force: "{{ (keystone_install_method == 'source') | ternary(true, omit) }}"
|
||||||
|
- path: "{{ keystone_credential_key_repository }}"
|
||||||
|
mode: "0750"
|
||||||
|
- path: "{{ keystone_ldap_domain_config_dir }}"
|
||||||
|
mode: "0750"
|
||||||
|
- path: "/etc/keystone/ssl"
|
||||||
|
- path: "{{ keystone_fernet_tokens_key_repository }}"
|
||||||
|
mode: "2750"
|
||||||
|
- path: "{{ keystone_system_user_home }}"
|
||||||
|
- path: "/var/www/cgi-bin"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
- path: "/var/www/cgi-bin/keystone"
|
||||||
|
- path: "/etc/ansible/facts.d"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
delegate_to: "{{ item[0] }}"
|
delegate_to: "{{ item[0] }}"
|
||||||
when: "inventory_hostname == ansible_play_hosts[0]"
|
when: "inventory_hostname == ansible_play_hosts[0]"
|
||||||
|
|
|
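Review bot: `Remove the config directory` deletes `/etc/keystone` recursively (`state: absent`) on source installs whenever it is a real directory, which is exactly the state of a host being upgraded from an older layout; everything stored beneath it is gone before the symlink is created. Later in this same task the role creates `keystone_fernet_tokens_key_repository`, `keystone_credential_key_repository`, `keystone_ldap_domain_config_dir` and `/etc/keystone/ssl`, and if any of those variables resolve under `/etc/keystone` (their values are not visible here) this step destroys fernet keys (invalidating every issued token), credential keys (making encrypted credentials unrecoverable) and the LDAP domain configs. Gate the block on an `assert` that none of those paths live inside `/etc/keystone`, or move the directory aside rather than deleting it. Also, the real config directory's mode is widened from `0750` to `0755` with no stated reason; the files inside stay `0640`, but the directory held `0750` before and should keep it unless something outside the keystone group needs to traverse it.

```yaml
- name: Source config block
  block:
    - name: Refuse to replace /etc/keystone while keystone data lives inside it
      assert:
        that:
          - not (keystone_fernet_tokens_key_repository is match('^/etc/keystone(/|$)'))
          - not (keystone_credential_key_repository is match('^/etc/keystone(/|$)'))
          - not (keystone_ldap_domain_config_dir is match('^/etc/keystone(/|$)'))
        msg: "Key repositories and domain configs must not live under /etc/keystone when it is replaced by a symlink"
    # … unchanged: Stat config directory, Remove the config directory …
```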
@ -38,4 +38,3 @@ keystone_package_list: |-
|
||||||
{{ packages }}
|
{{ packages }}
|
||||||
|
|
||||||
_keystone_bin: "/usr/bin"
|
_keystone_bin: "/usr/bin"
|
||||||
_keystone_etc: "/etc"
|
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
# Copyright 2018, Rackspace US, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
keystone_core_files: []
|
|
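Review bot: `keystone_core_files` is introduced with an empty default and no description of the entry shape, yet the post-install tasks in this commit index each item by `target_f`, `tmp_f`, `config_overrides`, `config_type` and an optional `group`. Add a comment above the variable listing those keys, and in particular that `tmp_f` is a path on the deployment host where the target file is fetched before templating, because for a file like keystone.conf that means credentials transiently land on the controller, e.g. `# tmp_f: deploy-host scratch path the target file is fetched to (removed after templating)`.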
@ -37,5 +37,4 @@ keystone_package_list: |-
|
||||||
{{ packages }}
|
{{ packages }}
|
||||||
|
|
||||||
_keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
|
_keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
|
||||||
_keystone_etc: "{{ _keystone_bin | dirname + '/etc' }}"
|
|
||||||
keystone_uwsgi_bin: "{{ _keystone_bin }}"
|
keystone_uwsgi_bin: "{{ _keystone_bin }}"
|
||||||
|
|