diff --git a/tasks/keystone_credential.yml b/tasks/keystone_credential.yml
index bb1abc9f..ba819b0b 100644
--- a/tasks/keystone_credential.yml
+++ b/tasks/keystone_credential.yml
@@ -14,9 +14,9 @@
 # limitations under the License.
 - include_tasks: keystone_credential_create.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_credential_distribute.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_credential_autorotate.yml
diff --git a/tasks/keystone_credential_autorotate.yml b/tasks/keystone_credential_autorotate.yml
index 184431a5..ff500ee7 100644
--- a/tasks/keystone_credential_autorotate.yml
+++ b/tasks/keystone_credential_autorotate.yml
@@ -34,8 +34,7 @@
 user: "{{ keystone_system_user_name }}"
 job: "{{ keystone_credential_auto_rotation_script }}"
 cron_file: keystone-credential-rotate
- when: >
- inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 # This makes sure that no auto rotation jobs are on any other hosts.
 - name: Remove extra auto rotation job
@@ -44,5 +43,4 @@
 user: "{{ keystone_system_user_name }}"
 cron_file: keystone-credential-rotate
 state: "absent"
- when: >
- inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
diff --git a/tasks/keystone_federation_sp_shib_setup.yml b/tasks/keystone_federation_sp_shib_setup.yml
index 6065b660..d4c84b9d 100644
--- a/tasks/keystone_federation_sp_shib_setup.yml
+++ b/tasks/keystone_federation_sp_shib_setup.yml
@@ -32,7 +32,7 @@
 dest: "{{ item.dest }}"
 mode: "{{ item.mode|default('0640') }}"
 when:
- inventory_hostname == groups['keystone_all'][0]
+ - _keystone_is_first_play_host
 - item.content != ''
 with_items:
 - { content: "{{ shibboleth_cert_user_content }}", dest: "/etc/shibboleth/sp-cert.pem" }
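Review bot: The credential key create/distribute includes at the top of keystone_credential.yml are now gated on `_keystone_is_first_play_host`, which is computed from `ansible_play_hosts`, whereas `groups['keystone_all'][0]` was fixed by inventory; a run limited to a subset of hosts, or one in which the original first host has already failed, therefore elects a different host as the source of the key material. If keystone_credential_create.yml (not in this diff) does not refuse to generate keys when a key repository already exists elsewhere in the cluster, that host could mint a fresh key set and the distribute step would push it over the existing one — worth confirming before merging. The same consideration applies to the matching includes in keystone_fernet.yml, keystone_idp_setup.yml and keystone_ssl_self_signed.yml in this diff. A one-line comment on the create include would make the assumption visible, e.g. `# key material is generated on the first active play host; run against the full keystone group`.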
@@ -46,7 +46,7 @@
 command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
 args:
 creates: "/etc/shibboleth/sp-cert.pem"
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 notify:
 - Manage LB
 - Restart web server
@@ -57,20 +57,20 @@
 src: "/etc/shibboleth/sp-cert.pem"
 register: _keystone_sp_cert
 changed_when: false
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - name: Store sp key
 slurp:
 src: "/etc/shibboleth/sp-key.pem"
 register: _keystone_sp_key
 changed_when: false
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - name: Register a fact for the cert and key
 set_fact:
 keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
 keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - name: Distribute sp key
 copy:
@@ -79,7 +79,7 @@
 owner: "{{ keystone_system_user_name }}"
 group: "{{ keystone_system_group_name }}"
 mode: "0640"
- when: inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
 notify:
 - Manage LB
 - Restart web server
@@ -92,7 +92,7 @@
 owner: "{{ keystone_system_user_name }}"
 group: "{{ keystone_system_group_name }}"
 mode: "0640"
- when: inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
 notify:
 - Manage LB
 - Restart web server
@@ -106,7 +106,7 @@
 with_items:
 - "/etc/shibboleth/sp-cert.pem"
 - "/etc/shibboleth/sp-key.pem"
- when: inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
 notify:
 - Manage LB
 - Restart web server
diff --git a/tasks/keystone_fernet.yml b/tasks/keystone_fernet.yml
index 613f3b3e..20760709 100644
--- a/tasks/keystone_fernet.yml
+++ b/tasks/keystone_fernet.yml
@@ -14,9 +14,9 @@
 # limitations under the License.
 - include_tasks: keystone_fernet_keys_create.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_fernet_keys_distribute.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_fernet_keys_autorotate.yml
diff --git a/tasks/keystone_fernet_keys_autorotate.yml b/tasks/keystone_fernet_keys_autorotate.yml
index 855bc6b5..dc789c96 100644
--- a/tasks/keystone_fernet_keys_autorotate.yml
+++ b/tasks/keystone_fernet_keys_autorotate.yml
@@ -34,8 +34,7 @@
 user: "{{ keystone_system_user_name }}"
 job: "{{ keystone_fernet_auto_rotation_script }}"
 cron_file: keystone-fernet-rotate
- when: >
- inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 # This makes sure that no auto rotation jobs are on any other hosts.
 - name: Remove extra auto rotation job
@@ -44,5 +43,4 @@
 user: "{{ keystone_system_user_name }}"
 cron_file: keystone-fernet-rotate
 state: "absent"
- when: >
- inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
diff --git a/tasks/keystone_idp_self_signed_create.yml b/tasks/keystone_idp_self_signed_create.yml
index d2f70243..1a505350 100644
--- a/tasks/keystone_idp_self_signed_create.yml
+++ b/tasks/keystone_idp_self_signed_create.yml
@@ -30,8 +30,7 @@
 -out {{ keystone_idp.certfile }}
 -extensions v3_ca
 creates={{ keystone_idp.certfile }}
- when: >
- inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 notify:
 - Manage LB
 - Restart web server
diff --git a/tasks/keystone_idp_setup.yml b/tasks/keystone_idp_setup.yml
index 6782fb64..de7e03a3 100644
--- a/tasks/keystone_idp_setup.yml
+++ b/tasks/keystone_idp_setup.yml
@@ -14,13 +14,13 @@
 # limitations under the License.
 - include_tasks: keystone_idp_self_signed_create.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_idp_self_signed_store.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_idp_self_signed_distribute.yml
- when: inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
 - include_tasks: keystone_idp_metadata.yml
diff --git a/tasks/keystone_key_distribute.yml b/tasks/keystone_key_distribute.yml
index cdb882d1..1be91c5f 100644
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@@ -17,6 +17,6 @@
 authorized_key:
 user: "{{ keystone_system_user_name }}"
 key: "{{ keystone_pubkey | b64decode }}"
- when: inventory_hostname == ansible_play_batch[0]
+ when: _keystone_is_first_play_host
 delegate_to: "{{ item }}"
 with_items: "{{ ansible_play_hosts }}"
diff --git a/tasks/keystone_key_populate.yml b/tasks/keystone_key_populate.yml
index cb59986e..5eac9cb7 100644
--- a/tasks/keystone_key_populate.yml
+++ b/tasks/keystone_key_populate.yml
@@ -22,4 +22,4 @@
 - name: Register a fact for the keystone pub key
 set_fact:
 keystone_pubkey: "{{ ansible_play_batch | map('extract', hostvars, 'keystone_pub') | map(attribute='content') | map('b64decode') | join('\n') | b64encode }}"
- when: inventory_hostname == ansible_play_batch[0]
+ when: _keystone_is_first_play_host
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml
index e050f2a7..61da4490 100644
--- a/tasks/keystone_ldap_setup.yml
+++ b/tasks/keystone_ldap_setup.yml
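Review bot: In keystone_key_distribute.yml and keystone_key_populate.yml the gate moves from `ansible_play_batch[0]` to `_keystone_is_first_play_host`, which is defined over `ansible_play_hosts` (all active hosts of the play) rather than the current batch. If the play is run with `serial`, no host in the second or later batch is the first play host, so the `keystone_pubkey` fact — which is itself built from `ansible_play_batch` — would never be set for those batches and their authorized_key entries never distributed, whereas the old condition ran once per batch; this looks like a behaviour change beyond the refactor. Either keep `when: inventory_hostname == ansible_play_batch[0]` on these two tasks or add a separate `_keystone_is_first_batch_host` variable next to the new ones.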
@@ -27,7 +27,7 @@
 with_dict: "{{ keystone_ldap }}"
 delegate_to: "{{ keystone_service_setup_host }}"
 when:
- - "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[-1]"
+ - "_keystone_is_last_play_host"
 vars:
 ansible_python_interpreter: "{{ keystone_service_setup_host_python_interpreter }}"
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index da10d0b0..772029c5 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -25,7 +25,7 @@
 daemon_reload: yes
 delegate_to: "{{ item }}"
 with_items: "{{ ansible_play_hosts }}"
- when: "inventory_hostname == ansible_play_hosts[0]"
+ when: _keystone_is_first_play_host
 - name: Generate the keystone system user ssh key
 user:
@@ -33,7 +33,7 @@
 generate_ssh_key: "yes"
 delegate_to: "{{ item }}"
 with_items: "{{ ansible_play_hosts }}"
- when: "inventory_hostname == ansible_play_hosts[0]"
+ when: _keystone_is_first_play_host
 - name: Copy keystone configuration files
 config_template:
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
index f0e03ed2..5a34662b 100644
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@@ -20,7 +20,7 @@
 system: "yes"
 delegate_to: "{{ item }}"
 with_items: "{{ ansible_play_hosts }}"
- when: "inventory_hostname == ansible_play_hosts[0]"
+ when: _keystone_is_first_play_host
 - name: create additional groups
 group:
@@ -31,7 +31,7 @@
 with_nested:
 - "{{ ansible_play_hosts }}"
 - "{{ keystone_system_additional_groups }}"
- when: "inventory_hostname == ansible_play_hosts[0]"
+ when: _keystone_is_first_play_host
 - name: Remove old key file(s) if found
 file:
@@ -44,7 +44,7 @@
 - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
 when:
 - keystone_recreate_keys | bool
- "inventory_hostname == ansible_play_hosts[0]"
+ - _keystone_is_first_play_host
 delegate_to: "{{ item[0] }}"
 - name: Create the keystone system user
@@ -59,7 +59,7 @@
 home: "{{ keystone_system_user_home }}"
 delegate_to: "{{ item }}"
 with_items: "{{ ansible_play_hosts }}"
- when: "inventory_hostname == ansible_play_hosts[0]"
+ when: _keystone_is_first_play_host
 # NOTE(jrosser) this block is to undo symlinking of /etc/keystone into
 # the keystone venv introduced in change-id I93cb6463ca1eb93ab7f4e7a3970a7de829efaf66.
@@ -129,7 +129,7 @@
 owner: root
 group: root
 delegate_to: "{{ item[0] }}"
- when: "inventory_hostname == ansible_play_hosts[0]"
+ when: _keystone_is_first_play_host
 # NOTE (jrosser) This recovers Stein release candidate deployments into a
 # state where the fernet and credential keys will not be lost on subsequent upgrades.
diff --git a/tasks/keystone_ssl_self_signed.yml b/tasks/keystone_ssl_self_signed.yml
index 1cfe3a15..ebf9a997 100644
--- a/tasks/keystone_ssl_self_signed.yml
+++ b/tasks/keystone_ssl_self_signed.yml
@@ -14,10 +14,10 @@
 # limitations under the License.
 - include_tasks: keystone_ssl_key_create.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_ssl_key_store.yml
- when: inventory_hostname == groups['keystone_all'][0]
+ when: _keystone_is_first_play_host
 - include_tasks: keystone_ssl_key_distribute.yml
- when: inventory_hostname != groups['keystone_all'][0]
+ when: not _keystone_is_first_play_host
diff --git a/tasks/main.yml b/tasks/main.yml
index 9aa0a4de..a3a69d2d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,8 +65,7 @@
 - import_tasks: db_setup.yml
 when:
- - "keystone_services['keystone-wsgi-public']['group'] in group_names"
- "inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]"
+ - "_keystone_is_first_play_host"
 vars:
 _oslodb_setup_host: "{{ keystone_db_setup_host }}"
 _oslodb_ansible_python_interpreter: "{{ keystone_db_setup_python_interpreter }}"
@@ -83,8 +82,7 @@
 - import_tasks: mq_setup.yml
 when:
- - "keystone_services['keystone-wsgi-public']['group'] in group_names"
- "inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]"
+ - "_keystone_is_first_play_host"
 vars:
 _oslomsg_rpc_setup_host: "{{ keystone_oslomsg_rpc_setup_host }}"
 _oslomsg_rpc_userid: "{{ keystone_oslomsg_rpc_userid }}"
@@ -164,7 +162,7 @@
 - import_tasks: keystone_service_bootstrap.yml
 when:
- - "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[0]"
+ - "_keystone_is_first_play_host"
 - "keystone_service_setup | bool"
 tags:
 - keystone-config
@@ -186,7 +184,8 @@
 - url: "{{ keystone_service_internaluri }}"
 validate_certs: "{{ not keystone_service_internaluri_insecure }}"
 register: _wait_check
- when: "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[-1]"
+ when:
+ - "_keystone_is_last_play_host"
 until: _wait_check is success
 retries: 12
 delay: 5
@@ -216,7 +215,7 @@
 url: "{{ keystone_service_adminuri }}"
 service: "{{ keystone_service_name }}"
 when:
- - "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[-1]"
+ - "_keystone_is_last_play_host"
 - "keystone_service_setup | bool"
 tags:
 - keystone-config
diff --git a/vars/main.yml b/vars/main.yml
index aeab73d4..831245dd 100644
--- a/vars/main.yml
+++ b/vars/main.yml
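Review bot: In the `@@ -186,7 +184,8 @@` hunk the scalar `when:` is replaced by a one-element list, and throughout tasks/main.yml and keystone_ldap_setup.yml the new variable is written as a quoted string (`- "_keystone_is_first_play_host"`) while every other task file in this diff uses the bare form `when: _keystone_is_first_play_host`. Both forms evaluate the same way, but the quoted/list form reads as if a Jinja expression were still being passed rather than a boolean fact. For consistency I would write `when: _keystone_is_last_play_host` on the wait task and drop the quotes in the other main.yml and ldap hunks.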
@@ -13,4 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-keystone_core_files: []
\ No newline at end of file
+keystone_core_files: []
+
+_keystone_is_first_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool }}"
+_keystone_is_last_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool }}"
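Review bot: The two new definitions are single ~250-character lines with no comment saying what "first" and "last" mean, and every key-generation and bootstrap gate in this role now hangs off them. Both are derived from `ansible_play_hosts`, which Ansible documents as the hosts still active in the play, so as I read it a host that fails mid-play drops out and the next host becomes "first" or "last" for tasks evaluated afterwards; that, and the fact that `--limit` changes which host is elected, belongs next to the definition rather than in a reviewer's head. I would also fold the expressions so the group/intersect logic is readable; the rewritten stanza below keeps the values byte-identical once folded.
```yaml
keystone_core_files: []

# NOTE(review): both flags are evaluated per host and select the first/last
# member of the keystone-wsgi-public group that is still active in this play
# (ansible_play_hosts, which excludes failed hosts and respects --limit), so
# the elected host can change between runs and mid-play — confirm this is
# acceptable for the key-generation includes that depend on it.
_keystone_is_first_play_host: >-
  {{ (keystone_services['keystone-wsgi-public']['group'] in group_names
  and inventory_hostname ==
  ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0])
  | bool }}
_keystone_is_last_play_host: >-
  {{ (keystone_services['keystone-wsgi-public']['group'] in group_names
  and inventory_hostname ==
  ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1])
  | bool }}
```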