Fix linters and metadata

With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.

With that we also update the metadata to reflect the current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
Dmitriy Rabotyagov 2023-07-14 17:19:27 +02:00
parent b73bcd9981
commit eea1a4853f
18 changed files with 302 additions and 251 deletions


@ -20,7 +20,11 @@ debug: False
# for the service setup. The host must already have
# clouds.yaml properly configured.
keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
keystone_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}"
keystone_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
@ -39,7 +43,8 @@ keystone_shibboleth_repo: {}
keystone_git_repo: https://opendev.org/openstack/keystone
keystone_git_install_branch: master
keystone_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}"
keystone_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
keystone_git_constraints:
- "--constraint {{ keystone_upper_constraints_url }}"
@ -97,13 +102,19 @@ keystone_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }
## Database info
keystone_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
keystone_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}"
keystone_db_setup_python_interpreter: >-
{{
openstack_db_setup_python_interpreter | default(
(keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}"
keystone_galera_user: keystone
keystone_galera_database: keystone
keystone_galera_port: "{{ galera_port | default('3306') }}"
keystone_database_connection_string: >-
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{keystone_galera_port}}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{% if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %}
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{ keystone_galera_port }}/{{
keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{%
if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %}
## Database SSL
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
@ -131,7 +142,8 @@ keystone_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
# Notify
keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
keystone_oslomsg_notify_setup_host: "{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}"
keystone_oslomsg_notify_setup_host: >-
{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}
keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
@ -177,7 +189,7 @@ keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ int
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
# keystone_public_endpoint: "{{ keystone_service_publicuri }}"
# Enable or disable uWSGI as the primary service manager. While uWSGI is used
# for basic deployments, when this option is enabled it will become the sole
@ -215,7 +227,7 @@ keystone_httpd_mpm_max_conn_child: 0
keystone_wsgi_threads: 1
## Cap the maximun number of processes when a user value is unspecified.
keystone_wsgi_processes_max: 16
keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
keystone_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
keystone_uwsgi_ports:
@ -244,7 +256,8 @@ keystone_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
keystone_pki_keys_path: "{{ keystone_pki_dir ~ '/certs/private/' }}"
keystone_pki_certs_path: "{{ keystone_pki_dir ~ '/certs/certs/' }}"
keystone_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
keystone_pki_intermediate_cert_path: "{{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}"
keystone_pki_intermediate_cert_path: >-
{{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}
keystone_pki_regen_cert: ''
# By default, CA creation is controlled using the CA 'condition' field
@ -322,14 +335,16 @@ keystone_pki_install_certificates:
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
# TLS v1.2 and below
keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}"
keystone_ssl_cipher_suite_tls12: >-
{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
# TLS v1.3
keystone_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
keystone_ssl_cipher_suite_tls13: >-
{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}
# Set these variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# keystone_user_ssl_cert: <path to cert on ansible deployment host>
# keystone_user_ssl_key: <path to cert on ansible deployment host>
# keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
@ -370,187 +385,186 @@ keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
# identity:create_region: "rule:admin_required"
# identity:update_region: "rule:admin_required"
# keystone_policy_overrides:
# identity:create_region: "rule:admin_required"
# identity:update_region: "rule:admin_required"
## Federation
# Enable the following section on the Keystone IdP
keystone_idp: {}
#keystone_idp:
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
# regen_cert: false
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
# service_providers:
# - id: "sp_1"
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
# # the following settings are optional
# organization_name: example_company
# organization_display_name: Example Corp.
# organization_url: example.com
# contact_company: example_company
# contact_name: John
# contact_surname: Smith
# contact_email: jsmith@example.com
# contact_telephone: 555-55-5555
# contact_type: technical
# keystone_idp:
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
# regen_cert: false
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
# service_providers:
# - id: "sp_1"
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
# # the following settings are optional
# organization_name: example_company
# organization_display_name: Example Corp.
# organization_url: example.com
# contact_company: example_company
# contact_name: John
# contact_surname: Smith
# contact_email: jsmith@example.com
# contact_telephone: 555-55-5555
# contact_type: technical
# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
keystone_sp: {}
#keystone_sp:
# cert_duration_years: 5
# apache_mod: shibboleth #or mod_auth_openidc
# cadf_notifications: false
# cadf_notifications_opt_out:
# - identity.authenticate.failed
# - identity.authenticate.pending
# - identity.authenticate.success
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
# trusted_idp_list:
# note that only one of these is supported at any one time for now
# - name: "keystone-idp"
# domain_id: "default"
# display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown
# entity_ids:
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
# metadata_file: 'metadata-keystone-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: keystone-idp-mapping
# rules:
# - remote:
# - type: openstack_user
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# attributes:
# - name: openstack_user
# id: openstack_user
# - name: openstack_roles
# id: openstack_roles
# - name: openstack_project
# id: openstack_project
# - name: openstack_user_domain
# id: openstack_user_domain
# - name: openstack_project_domain
# id: openstack_project_domain
# keystone_sp:
# cert_duration_years: 5
# apache_mod: shibboleth #or mod_auth_openidc
# cadf_notifications: false
# cadf_notifications_opt_out:
# - identity.authenticate.failed
# - identity.authenticate.pending
# - identity.authenticate.success
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
# trusted_idp_list:
# note that only one of these is supported at any one time for now
# - name: "keystone-idp"
# domain_id: "default"
# display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown
# entity_ids:
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
# metadata_file: 'metadata-keystone-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: keystone-idp-mapping
# rules:
# - remote:
# - type: openstack_user
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# attributes:
# - name: openstack_user
# id: openstack_user
# - name: openstack_roles
# id: openstack_roles
# - name: openstack_project
# id: openstack_project
# - name: openstack_user_domain
# id: openstack_user_domain
# - name: openstack_project_domain
# id: openstack_project_domain
#
# - name: 'testshib-idp'
# entity_ids:
# - 'https://idp.testshib.org/idp/shibboleth'
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
# metadata_file: 'metadata-testshib-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: testshib-idp-mapping
# rules:
# - remote:
# - type: eppn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# - name: 'testshib-idp'
# entity_ids:
# - 'https://idp.testshib.org/idp/shibboleth'
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
# metadata_file: 'metadata-testshib-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: testshib-idp-mapping
# rules:
# - remote:
# - type: eppn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
#
# - name: 'adfs-idp'
# entity_ids:
# - 'http://adfs.contoso.com/adfs/services/trust'
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
# metadata_file: 'metadata-adfs-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: adfs-idp-mapping
# rules:
# - remote:
# - type: upn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
# - name: 'adfs-idp'
# entity_ids:
# - 'http://adfs.contoso.com/adfs/services/trust'
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
# metadata_file: 'metadata-adfs-idp.xml'
# metadata_reload: 1800
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: saml2
# mapping:
# name: adfs-idp-mapping
# rules:
# - remote:
# - type: upn
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# - user:
# name: '{0}'
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
#
# - name: "keycloak-oidc-idp"
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
# oidc_client_id: keystone
# oidc_client_secret: secret
# oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
# oidc_oauth_introspection_endpoint: endpoint address (optional)
# oidc_oauth_client_id: string (optional)
# oidc_oauth_client_secret: secret (optional)
# oidc_pkce_method: plain | S256 | referred_tb (optional)
# oidc_outgoing_proxy: "proxy address" (optional setting)
# oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one (optional)
# oidc_state_max_number_of_cookies: 5 false (optional)
# oidc_default_url: https://example.com/callback (optional)
# entity_ids:
# - 'https://identity-provider/openid-endpoint/'
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: openid
# mapping:
# name: keycloak-oidc-idp-openid-mapping
# rules:
# - remote:
# - type: OIDC-email
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
# - name: "keycloak-oidc-idp"
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
# oidc_client_id: keystone
# oidc_client_secret: secret
# oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
# oidc_oauth_introspection_endpoint: endpoint address (optional)
# oidc_oauth_client_id: string (optional)
# oidc_oauth_client_secret: secret (optional)
# oidc_pkce_method: plain | S256 | referred_tb (optional)
# oidc_outgoing_proxy: "proxy address" (optional setting)
# oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one (optional)
# oidc_state_max_number_of_cookies: 5 false (optional)
# oidc_default_url: https://example.com/callback (optional)
# entity_ids:
# - 'https://identity-provider/openid-endpoint/'
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: openid
# mapping:
# name: keycloak-oidc-idp-openid-mapping
# rules:
# - remote:
# - type: OIDC-email
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
keystone_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
@ -581,7 +595,7 @@ keystone_optional_oslomsg_amqp1_pip_packages:
# template engine and copied to the target host.
# keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
#: Tunable file-based overrides
## Tunable file-based overrides
# The contents of these files, if they exist, are read from the
# specified path on the deployment host, interpreted by the
# template engine and copied to the target host. If they do
@ -589,7 +603,7 @@ keystone_optional_oslomsg_amqp1_pip_packages:
shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem"
shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem"
#: Tunable var-based overrides
## Tunable var-based overrides
# The contents of these are templated over the default files.
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
@ -643,7 +657,7 @@ keystone_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | defaul
# directory on the deploy host to create and store SSH keypairs
keystone_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
#Each keystone host needs a signed ssh certificate to log into the others
# Each keystone host needs a signed ssh certificate to log into the others
keystone_ssh_keypairs:
- name: "keystone-{{ inventory_hostname }}"
cert:
@ -652,7 +666,7 @@ keystone_ssh_keypairs:
valid_from: "{{ keystone_ssh_key_valid_from | default('always') }}"
valid_to: "{{ keystone_ssh_key_valid_to | default('forever') }}"
#Each keystone host needs the signed ssh certificate installing to the keystone user
# Each keystone host needs the signed ssh certificate installing to the keystone user
keystone_ssh_keypairs_install_keys:
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
@ -660,10 +674,10 @@ keystone_ssh_keypairs_install_keys:
- cert: "keystone-{{ inventory_hostname }}"
dest: "{{ keystone_system_user_home }}/.ssh/id_rsa"
#Each compute host must trust the SSHD certificate authoritiy in the sshd configuration
# Each compute host must trust the SSHD certificate authoritiy in the sshd configuration
keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
#Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user
# Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user
keystone_ssh_keypairs_principals:
- user: "{{ keystone_system_user_name }}"
principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}"
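Review bot: Every wrapped `>-` scalar in this file (L24-28, L35-36, L43-47, L54-56, L64-65, L89-90, L97-102) only stays a single-line value because each line break falls inside a Jinja `{{ … }}` or `{% … %}` delimiter, where the folded space is ignored; a break placed inside a literal segment of the DSN at L54-56 would insert a space into the connection URL. That invariant is not written down anywhere, so a comment above `keystone_database_connection_string` would protect it, e.g. `# Wrap only inside Jinja delimiters: the folded scalar turns each line break into a space`. Also confirm that no continuation line is indented deeper than the first content line, since a more-indented line inside a `>` scalar keeps its newline verbatim (the rendered page drops indentation, so this cannot be checked here). The same wrapping pattern is used for `_keystone_is_first_play_host` and `_keystone_is_last_play_host` in the last file section of this commit.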


@ -101,6 +101,7 @@
debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf")
redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211
shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}"
changed_when: false
delegate_to: "{{ item }}"
with_items: "{{ groups.memcached_all }}"
listen: flush cache
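Review bot: `changed_when: false` at L506 makes the flush-cache handler report a no-op although the `shell:` at L505 does mutate state (it flushes every entry on each memcached host it is delegated to), so the play recap no longer shows that caches were flushed. If the line exists only to satisfy the linter, `# noqa: no-changed-when` appended to the `shell:` line keeps the reporting accurate; if the silent result is intended, a comment such as `# Handler always flushes; reported as unchanged on purpose` should say so. The handler's `name:` line is outside the hunk.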


@ -18,19 +18,21 @@ galaxy_info:
description: Installation and setup of keystone
company: Rackspace
license: Apache2
min_ansible_version: 2.4
role_name: os_keystone
namespace: openstack
min_ansible_version: "2.10"
platforms:
- name: Debian
versions:
- buster
- bullseye
- name: Ubuntu
versions:
- bionic
- focal
- jammy
- name: EL
versions:
- 8
categories:
- "9"
galaxy_tags:
- cloud
- python
- keystone
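Review bot: The EL version list mixes an unquoted `- 8` at L533 with the quoted `- "9"` at L535, so the two entries load as an integer and a string; if the `8` entry survives this change (the page does not show which side it is on), it should become `- "8"` to match the newly quoted `"9"` and `min_ansible_version: "2.10"`. Quoting the version strings is the right call here, since a bare `2.10` would otherwise load as the float `2.1`.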


@ -31,6 +31,7 @@
state: directory
owner: "{{ keystone_apache_default_log_owner }}"
group: "{{ keystone_apache_default_log_grp }}"
mode: "0755"
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian
@ -51,6 +52,7 @@
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0644"
with_items: "{{ keystone_apache_configs }}"
notify:
- Restart web server
@ -76,7 +78,7 @@
line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so'
state: "present"
when:
- ansible_facts['pkg_mgr'] == 'dnf'
- ansible_facts['pkg_mgr'] == 'dnf'
notify:
- Restart web server
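Review bot: The explicit `mode: "0755"` added at L547 is applied to an existing log directory whose `path:` is outside the hunk; if that is the distribution's Apache log directory (Debian ships it as 0750 owned by root:adm), this loosens it on every run so that any local account can list the log files. `mode: "0750"` keeps the directory limited to the owner and group set on L545-546 while still satisfying the lint rule that asked for an explicit mode. The `mode: "0644"` at L554 for the config files is fine as written.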


@ -13,10 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: keystone_credential_create.yml
- name: Including keystone_credential_create tasks
include_tasks: keystone_credential_create.yml
when: _keystone_is_first_play_host
- include_tasks: keystone_credential_distribute.yml
- name: Including keystone_credential_distribute tasks
include_tasks: keystone_credential_distribute.yml
when: _keystone_is_first_play_host
- include_tasks: keystone_credential_autorotate.yml
- name: Including keystone_credential_autorotate tasks
include_tasks: keystone_credential_autorotate.yml


@ -70,7 +70,7 @@
register: drop_existing_credential_keys
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
- name: Create credential keys for Keystone
- name: Create credential keys for Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_setup
--keystone-user "{{ keystone_system_user_name }}"
@ -82,7 +82,7 @@
- not _credential_keys.stat.exists
- not drop_existing_credential_keys is changed
- name: Ensure newest key is used for credential in Keystone
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
@ -91,7 +91,7 @@
become_user: "{{ keystone_system_user_name }}"
when: create_credential_keys is skipped
- name: Rotate credential keys for Keystone
- name: Rotate credential keys for Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}"


@ -28,11 +28,12 @@
section: keystone
option: "{{ item.name }}"
value: "{{ item.state }}"
mode: "0644"
with_items:
- name: "need_db_expand"
state: "{{ (keystone_db_sync_check.rc | int == 2) | bool }}"
- name: "need_db_migrate"
state: "{{ (keystone_db_sync_check.rc | int in [2, 3] ) | bool }}"
state: "{{ (keystone_db_sync_check.rc | int in [2, 3]) | bool }}"
- name: "need_db_contract"
state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}"
@ -46,7 +47,7 @@
# When keystone is initially built, the service does not yet exist on the
# host this task is executed on. Detect the presence of the services.
- name: Test if keystone service exists
service:
service: # noqa: args[module]
name: "{{ item }}"
check_mode: yes
register: keystone_service_exists
@ -70,6 +71,7 @@
- name: Perform a Keystone DB sync expand
command: "{{ keystone_bin }}/keystone-manage db_sync --expand"
changed_when: false
become: yes
become_user: "{{ keystone_system_user_name }}"
when:
@ -79,6 +81,7 @@
- name: Perform a Keystone DB sync migrate
command: "{{ keystone_bin }}/keystone-manage db_sync --migrate"
changed_when: false
become: yes
become_user: "{{ keystone_system_user_name }}"
when:
@ -88,6 +91,7 @@
- name: Perform a Keystone DB sync contract
command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
changed_when: false
become: yes
become_user: "{{ keystone_system_user_name }}"
when:
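Review bot: `changed_when: false` at L638, L645 and L652 makes the `db_sync --expand`, `--migrate` and `--contract` tasks report no change even though they alter the database schema, so the recap and any handler notification lose the fact that a migration ran. The credential and fernet task files in this same commit handle the identical lint rule with `# noqa: no-changed-when` on the `name:` line, which keeps the change reported; using the same approach here would be consistent, e.g. `- name: Perform a Keystone DB sync expand # noqa: no-changed-when`. The `when:` guards that decide whether each sync runs continue outside the hunk.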


@ -19,7 +19,7 @@
dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
mode: "{{ item.mode|default('0644') }}"
mode: "{{ item.mode | default('0644') }}"
with_items:
- { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
- { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
@ -29,8 +29,8 @@
- name: Copy Shibboleth SP key-pair (if provided)
copy:
content: "{{ item.content }}"
dest: "{{ item.dest }}" # noqa 206
mode: "{{ item.mode|default('0640') }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}"
when:
- _keystone_is_first_play_host
- item.content | length > 0
@ -66,8 +66,8 @@
- name: Register a fact for the cert and key
set_fact:
keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
when: _keystone_is_first_play_host
- name: Distribute sp key


@ -13,10 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: keystone_fernet_keys_create.yml
- name: Including keystone_fernet_keys_create tasks
include_tasks: keystone_fernet_keys_create.yml
when: _keystone_is_first_play_host
- include_tasks: keystone_fernet_keys_distribute.yml
- name: Including keystone_fernet_keys_distribute tasks
include_tasks: keystone_fernet_keys_distribute.yml
when: _keystone_is_first_play_host
- include_tasks: keystone_fernet_keys_autorotate.yml
- name: Including keystone_fernet_keys_autorotate tasks
include_tasks: keystone_fernet_keys_autorotate.yml


@ -18,7 +18,7 @@
path: "{{ keystone_fernet_tokens_key_repository }}/0"
register: _fernet_keys
- name: Create fernet keys for Keystone
- name: Create fernet keys for Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage fernet_setup
--keystone-user "{{ keystone_system_user_name }}"
@ -27,7 +27,7 @@
become_user: "{{ keystone_system_user_name }}"
when: not _fernet_keys.stat.exists
- name: Rotate fernet keys for Keystone
- name: Rotate fernet keys for Keystone # noqa: no-changed-when
command: >
{{ keystone_bin }}/keystone-manage fernet_rotate
--keystone-user "{{ keystone_system_user_name }}"


@ -18,6 +18,7 @@
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
become: yes
become_user: "{{ keystone_system_user_name }}"
changed_when: false
when: keystone_idp != {}
notify:
- Restart uWSGI
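Review bot: `changed_when: false` at L731 stops this task from ever notifying the `Restart uWSGI` handler listed at L733-734, because handlers only fire from a task that reports `changed`; the shell redirection at L728 rewrites the IdP metadata file on every run, so this silently drops a restart the role previously triggered. Replace it with `# noqa: no-changed-when` on the task's `name:` line (outside the hunk) so the notification keeps working, and add a short comment such as `# Regenerates the metadata file each run, so the task is always reported as changed`.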


@ -17,9 +17,9 @@
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner|default(keystone_system_user_name) }}"
group: "{{ item.group|default(keystone_system_group_name) }}"
mode: "{{ item.mode|default('0755') }}"
owner: "{{ item.owner | default(keystone_system_user_name) }}"
group: "{{ item.group | default(keystone_system_group_name) }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- { path: "/var/lock/keystone", mode: "2755" }
- { path: "/var/log/httpd", mode: "2755" }
@ -111,6 +111,7 @@
section: keystone
option: venv_tag
value: "{{ keystone_venv_tag }}"
mode: "0644"
- name: Initialise the upgrade facts
ini_file:
@ -118,6 +119,7 @@
section: keystone
option: "{{ item.name }}"
value: "{{ item.state }}"
mode: "0644"
with_items:
- name: "need_db_expand"
state: "True"


@ -29,12 +29,12 @@
tags:
- keystone-key
vars:
ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}"
ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}"
ssh_keypairs: "{{ keystone_ssh_keypairs }}"
ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}"
ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}"
ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}"
ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}"
ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}"
ssh_keypairs: "{{ keystone_ssh_keypairs }}"
ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}"
ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}"
ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}"
tags:
- always


@ -107,6 +107,7 @@
copy:
src: "{{ keystone_sso_callback_file_path }}"
dest: "/etc/keystone/sso_callback_template.html"
mode: "0644"
when:
- keystone_sso_callback_file_path is defined
notify:


@ -53,11 +53,12 @@
- name: Fact for apache module shibboleth to be installed
set_fact:
keystone_sp_apache_mod_shib:
"{{ (keystone_sp != {} and
(keystone_sp.apache_mod is undefined or
(keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
) | ternary('true', 'false') }}"
keystone_sp_apache_mod_shib: >-
{{
(keystone_sp != {} and (keystone_sp.apache_mod is undefined or (
keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
) | ternary('true', 'false')
}}
tags:
- always
@ -70,7 +71,8 @@
tags:
- always
- include_role:
- name: Including osa.db_setup role
include_role:
name: openstack.osa.db_setup
apply:
tags:
@ -91,7 +93,8 @@
tags:
- always
- include_role:
- name: Including osa.mq_setup role
include_role:
name: openstack.osa.mq_setup
apply:
tags:
@ -113,40 +116,46 @@
tags:
- always
- import_tasks: keystone_install.yml
- name: Importing keystone_install tasks
import_tasks: keystone_install.yml
tags:
- keystone-install
- name: refresh local facts
- name: Refresh local facts
setup:
filter: ansible_local
gather_subset: "!all"
tags:
- keystone-config
- import_tasks: keystone_post_install.yml
- name: Importing keystone_post_install tasks
import_tasks: keystone_post_install.yml
tags:
- keystone-config
- import_tasks: keystone_fernet.yml
- name: Importing keystone_fernet tasks
import_tasks: keystone_fernet.yml
when:
- "'fernet' in keystone_token_provider"
- keystone_service_setup | bool
tags:
- keystone-config
- import_tasks: keystone_db_sync.yml
- name: Importing keystone_db_sync tasks
import_tasks: keystone_db_sync.yml
when:
- "keystone_database_enabled | bool"
tags:
- keystone-config
- import_tasks: keystone_credential.yml
- name: Importing keystone_credential tasks
import_tasks: keystone_credential.yml
when: keystone_service_setup | bool
tags:
- keystone-config
- import_tasks: keystone_federation_sp_shib_setup.yml
- name: Importing keystone_federation_sp_shib_setup tasks
import_tasks: keystone_federation_sp_shib_setup.yml
when:
- keystone_sp_apache_mod_shib
- not (keystone_use_uwsgi | bool)
@ -172,7 +181,8 @@
tags:
- keystone-config
- import_tasks: "keystone_apache.yml"
- name: Importing keystone_apache tasks
import_tasks: "keystone_apache.yml"
when:
- not (keystone_use_uwsgi | bool)
tags:
@ -191,7 +201,8 @@
- name: Flush handlers
meta: flush_handlers
- include_tasks: keystone_service_bootstrap.yml
- name: Including keystone_service_bootstrap tasks
include_tasks: keystone_service_bootstrap.yml
args:
apply:
tags:
@ -225,7 +236,8 @@
retries: 12
delay: 5
- include_role:
- name: Including osa.service_setup role
include_role:
name: openstack.osa.service_setup
apply:
tags:
@ -259,7 +271,8 @@
tags:
- always
- import_tasks: keystone_ldap_setup.yml
- name: Including keystone_ldap_setup tasks
import_tasks: keystone_ldap_setup.yml
when:
- keystone_service_setup | bool
- keystone_ldap != {}
@ -269,7 +282,8 @@
- name: Flush handlers
meta: flush_handlers
- include_tasks: keystone_idp_setup.yml
- name: Including keystone_idp_setup tasks
include_tasks: keystone_idp_setup.yml
args:
apply:
tags:
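Review bot: The task at L913-914 is named `Including keystone_ldap_setup tasks` but uses `import_tasks`, while every other `import_tasks` in this file section is named `Importing …` (L839, L851, L856, L864, L871, L877, L886); rename it to `- name: Importing keystone_ldap_setup tasks` so the name reflects a static import rather than a dynamic include. The rest of the naming changes are consistent with that convention.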


@ -1,4 +1,6 @@
- include_tasks: keystone_federation_sp_idp_setup.yml
---
- name: Including keystone_federation_sp_idp_setup tasks
include_tasks: keystone_federation_sp_idp_setup.yml
with_items: "{{ keystone_sp.trusted_idp_list }}"
loop_control:
loop_var: trusted_idp


@ -13,19 +13,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: create the system group
group:
name: "{{ keystone_system_group_name }}"
state: "present"
system: "yes"
- name: create additional groups
- name: Create system groups
group:
name: "{{ item }}"
state: "present"
system: "yes"
with_items:
- "{{ keystone_system_additional_groups }}"
with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"
- name: Create the keystone system user
user:
@ -44,8 +37,8 @@
src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
state: "{{ item.state | default('directory') }}"
owner: "{{ item.owner|default(keystone_system_user_name) }}"
group: "{{ item.group|default(keystone_system_group_name) }}"
owner: "{{ item.owner | default(keystone_system_user_name) }}"
group: "{{ item.group | default(keystone_system_group_name) }}"
mode: "{{ item.mode | default(omit) }}"
force: "{{ item.force | default(omit) }}"
with_items:
@ -71,6 +64,7 @@
owner: root
group: root
- import_tasks: keystone_key_setup.yml
- name: Importing keystone_key_setup tasks
import_tasks: keystone_key_setup.yml
tags:
- keystone-install
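Review bot: The merged loop at L957, `[keystone_system_group_name] + keystone_system_additional_groups`, now requires `keystone_system_additional_groups` to be a list: the replaced `with_items: - "{{ … }}"` form also accepted a single string, whereas list + string raises a Jinja TypeError at template time. If the variable's default (in defaults/main.yml, not shown here) is a list this is fine; if a scalar override is possible, `with_items: "{{ [keystone_system_group_name, keystone_system_additional_groups] | flatten }}"` accepts both shapes. The `Create the keystone system user` task that follows is outside the hunk.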


@ -35,8 +35,16 @@ uwsgi_keystone_services: |-
{% endfor %}
{{ services }}
_keystone_is_first_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool }}"
_keystone_is_last_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool }}"
_keystone_is_first_play_host: >-
{{
(keystone_services['keystone-wsgi-public']['group'] in group_names and
inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool
}}
_keystone_is_last_play_host: >-
{{
(keystone_services['keystone-wsgi-public']['group'] in group_names and
inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool
}}
_keystone_cache_backend_map:
dogpile:
- oslo_cache.memcache_pool