Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new linters were added that are enabled by default. In order to comply with the linter rules we're applying changes to the role. With that we also update the metadata to reflect the current state. Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223 Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
parent
b73bcd9981
commit
eea1a4853f
@ -20,7 +20,11 @@ debug: False
|
|||||||
# for the service setup. The host must already have
|
# for the service setup. The host must already have
|
||||||
# clouds.yaml properly configured.
|
# clouds.yaml properly configured.
|
||||||
keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
|
keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
|
||||||
keystone_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}"
|
keystone_service_setup_host_python_interpreter: >-
|
||||||
|
{{
|
||||||
|
openstack_service_setup_host_python_interpreter | default(
|
||||||
|
(keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
|
||||||
|
}}
|
||||||
|
|
||||||
# Set the package install state for distribution packages
|
# Set the package install state for distribution packages
|
||||||
# Options are 'present' and 'latest'
|
# Options are 'present' and 'latest'
|
||||||
@ -39,7 +43,8 @@ keystone_shibboleth_repo: {}
|
|||||||
|
|
||||||
keystone_git_repo: https://opendev.org/openstack/keystone
|
keystone_git_repo: https://opendev.org/openstack/keystone
|
||||||
keystone_git_install_branch: master
|
keystone_git_install_branch: master
|
||||||
keystone_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}"
|
keystone_upper_constraints_url: >-
|
||||||
|
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
|
||||||
keystone_git_constraints:
|
keystone_git_constraints:
|
||||||
- "--constraint {{ keystone_upper_constraints_url }}"
|
- "--constraint {{ keystone_upper_constraints_url }}"
|
||||||
|
|
||||||
@ -97,13 +102,19 @@ keystone_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }
|
|||||||
|
|
||||||
## Database info
|
## Database info
|
||||||
keystone_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
|
keystone_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
|
||||||
keystone_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}"
|
keystone_db_setup_python_interpreter: >-
|
||||||
|
{{
|
||||||
|
openstack_db_setup_python_interpreter | default(
|
||||||
|
(keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
|
||||||
|
}}
|
||||||
keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}"
|
keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}"
|
||||||
keystone_galera_user: keystone
|
keystone_galera_user: keystone
|
||||||
keystone_galera_database: keystone
|
keystone_galera_database: keystone
|
||||||
keystone_galera_port: "{{ galera_port | default('3306') }}"
|
keystone_galera_port: "{{ galera_port | default('3306') }}"
|
||||||
keystone_database_connection_string: >-
|
keystone_database_connection_string: >-
|
||||||
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{keystone_galera_port}}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{% if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %}
|
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{ keystone_galera_port }}/{{
|
||||||
|
keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{%
|
||||||
|
if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %}
|
||||||
## Database SSL
|
## Database SSL
|
||||||
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
|
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
|
||||||
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
|
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
|
||||||
@ -131,7 +142,8 @@ keystone_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
|
|||||||
|
|
||||||
# Notify
|
# Notify
|
||||||
keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
|
keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
|
||||||
keystone_oslomsg_notify_setup_host: "{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}"
|
keystone_oslomsg_notify_setup_host: >-
|
||||||
|
{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}
|
||||||
keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
|
keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
|
||||||
keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
|
keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
|
||||||
keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
|
keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
|
||||||
@ -177,7 +189,7 @@ keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ int
|
|||||||
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
||||||
|
|
||||||
## Set this value to override the "public_endpoint" keystone.conf variable
|
## Set this value to override the "public_endpoint" keystone.conf variable
|
||||||
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
# keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
||||||
|
|
||||||
# Enable or disable uWSGI as the primary service manager. While uWSGI is used
|
# Enable or disable uWSGI as the primary service manager. While uWSGI is used
|
||||||
# for basic deployments, when this option is enabled it will become the sole
|
# for basic deployments, when this option is enabled it will become the sole
|
||||||
@ -215,7 +227,7 @@ keystone_httpd_mpm_max_conn_child: 0
|
|||||||
keystone_wsgi_threads: 1
|
keystone_wsgi_threads: 1
|
||||||
## Cap the maximun number of processes when a user value is unspecified.
|
## Cap the maximun number of processes when a user value is unspecified.
|
||||||
keystone_wsgi_processes_max: 16
|
keystone_wsgi_processes_max: 16
|
||||||
keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
|
keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
|
||||||
keystone_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
keystone_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
||||||
|
|
||||||
keystone_uwsgi_ports:
|
keystone_uwsgi_ports:
|
||||||
@ -244,7 +256,8 @@ keystone_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
|
|||||||
keystone_pki_keys_path: "{{ keystone_pki_dir ~ '/certs/private/' }}"
|
keystone_pki_keys_path: "{{ keystone_pki_dir ~ '/certs/private/' }}"
|
||||||
keystone_pki_certs_path: "{{ keystone_pki_dir ~ '/certs/certs/' }}"
|
keystone_pki_certs_path: "{{ keystone_pki_dir ~ '/certs/certs/' }}"
|
||||||
keystone_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
|
keystone_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
|
||||||
keystone_pki_intermediate_cert_path: "{{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}"
|
keystone_pki_intermediate_cert_path: >-
|
||||||
|
{{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}
|
||||||
keystone_pki_regen_cert: ''
|
keystone_pki_regen_cert: ''
|
||||||
|
|
||||||
# By default, CA creation is controlled using the CA 'condition' field
|
# By default, CA creation is controlled using the CA 'condition' field
|
||||||
@ -322,14 +335,16 @@ keystone_pki_install_certificates:
|
|||||||
|
|
||||||
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
|
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
|
||||||
# TLS v1.2 and below
|
# TLS v1.2 and below
|
||||||
keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}"
|
keystone_ssl_cipher_suite_tls12: >-
|
||||||
|
{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
|
||||||
# TLS v1.3
|
# TLS v1.3
|
||||||
keystone_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
|
keystone_ssl_cipher_suite_tls13: >-
|
||||||
|
{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}
|
||||||
|
|
||||||
# Set these variables to deploy custom certificates
|
# Set these variables to deploy custom certificates
|
||||||
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
|
# keystone_user_ssl_cert: <path to cert on ansible deployment host>
|
||||||
#keystone_user_ssl_key: <path to cert on ansible deployment host>
|
# keystone_user_ssl_key: <path to cert on ansible deployment host>
|
||||||
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
# keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
||||||
|
|
||||||
# Set to true when terminating SSL/TLS at a load balancer
|
# Set to true when terminating SSL/TLS at a load balancer
|
||||||
keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
|
keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
|
||||||
@ -370,187 +385,186 @@ keystone_ldap: {}
|
|||||||
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
keystone_ldap_domain_config_dir: /etc/keystone/domains
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Policy vars
|
## Policy vars
|
||||||
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
||||||
# with the access controls in the default policy.json. E.g.
|
# with the access controls in the default policy.json. E.g.
|
||||||
#keystone_policy_overrides:
|
# keystone_policy_overrides:
|
||||||
# identity:create_region: "rule:admin_required"
|
# identity:create_region: "rule:admin_required"
|
||||||
# identity:update_region: "rule:admin_required"
|
# identity:update_region: "rule:admin_required"
|
||||||
|
|
||||||
## Federation
|
## Federation
|
||||||
|
|
||||||
# Enable the following section on the Keystone IdP
|
# Enable the following section on the Keystone IdP
|
||||||
keystone_idp: {}
|
keystone_idp: {}
|
||||||
#keystone_idp:
|
# keystone_idp:
|
||||||
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
|
# certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
|
||||||
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
|
# keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
|
||||||
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
|
# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
|
||||||
# regen_cert: false
|
# regen_cert: false
|
||||||
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
|
# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp"
|
||||||
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
|
# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso"
|
||||||
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
|
# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
|
||||||
# service_providers:
|
# service_providers:
|
||||||
# - id: "sp_1"
|
# - id: "sp_1"
|
||||||
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
|
# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
|
||||||
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
|
# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
|
||||||
# # the following settings are optional
|
# # the following settings are optional
|
||||||
# organization_name: example_company
|
# organization_name: example_company
|
||||||
# organization_display_name: Example Corp.
|
# organization_display_name: Example Corp.
|
||||||
# organization_url: example.com
|
# organization_url: example.com
|
||||||
# contact_company: example_company
|
# contact_company: example_company
|
||||||
# contact_name: John
|
# contact_name: John
|
||||||
# contact_surname: Smith
|
# contact_surname: Smith
|
||||||
# contact_email: jsmith@example.com
|
# contact_email: jsmith@example.com
|
||||||
# contact_telephone: 555-55-5555
|
# contact_telephone: 555-55-5555
|
||||||
# contact_type: technical
|
# contact_type: technical
|
||||||
|
|
||||||
# Enable the following section in order to install and configure
|
# Enable the following section in order to install and configure
|
||||||
# Keystone as a Resource Service Provider (SP) and to configure
|
# Keystone as a Resource Service Provider (SP) and to configure
|
||||||
# trusts with specific Identity Providers (IdP).
|
# trusts with specific Identity Providers (IdP).
|
||||||
keystone_sp: {}
|
keystone_sp: {}
|
||||||
#keystone_sp:
|
# keystone_sp:
|
||||||
# cert_duration_years: 5
|
# cert_duration_years: 5
|
||||||
# apache_mod: shibboleth #or mod_auth_openidc
|
# apache_mod: shibboleth #or mod_auth_openidc
|
||||||
# cadf_notifications: false
|
# cadf_notifications: false
|
||||||
# cadf_notifications_opt_out:
|
# cadf_notifications_opt_out:
|
||||||
# - identity.authenticate.failed
|
# - identity.authenticate.failed
|
||||||
# - identity.authenticate.pending
|
# - identity.authenticate.pending
|
||||||
# - identity.authenticate.success
|
# - identity.authenticate.success
|
||||||
# trusted_dashboard_list:
|
# trusted_dashboard_list:
|
||||||
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
||||||
# - "https://{{ horizon_server_name }}/auth/websso/"
|
# - "https://{{ horizon_server_name }}/auth/websso/"
|
||||||
# trusted_idp_list:
|
# trusted_idp_list:
|
||||||
# note that only one of these is supported at any one time for now
|
# note that only one of these is supported at any one time for now
|
||||||
# - name: "keystone-idp"
|
# - name: "keystone-idp"
|
||||||
# domain_id: "default"
|
# domain_id: "default"
|
||||||
# display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown
|
# display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown
|
||||||
# entity_ids:
|
# entity_ids:
|
||||||
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
|
# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
|
||||||
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
|
# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
|
||||||
# metadata_file: 'metadata-keystone-idp.xml'
|
# metadata_file: 'metadata-keystone-idp.xml'
|
||||||
# metadata_reload: 1800
|
# metadata_reload: 1800
|
||||||
# federated_identities:
|
# federated_identities:
|
||||||
# - domain: default
|
# - domain: default
|
||||||
# project: fedproject
|
# project: fedproject
|
||||||
# group: fedgroup
|
# group: fedgroup
|
||||||
# role: _member_
|
# role: _member_
|
||||||
# protocols:
|
# protocols:
|
||||||
# - name: saml2
|
# - name: saml2
|
||||||
# mapping:
|
# mapping:
|
||||||
# name: keystone-idp-mapping
|
# name: keystone-idp-mapping
|
||||||
# rules:
|
# rules:
|
||||||
# - remote:
|
# - remote:
|
||||||
# - type: openstack_user
|
# - type: openstack_user
|
||||||
# local:
|
# local:
|
||||||
# - group:
|
# - group:
|
||||||
# name: fedgroup
|
# name: fedgroup
|
||||||
# domain:
|
# domain:
|
||||||
# name: Default
|
# name: Default
|
||||||
# user:
|
# user:
|
||||||
# name: '{0}'
|
# name: '{0}'
|
||||||
# attributes:
|
# attributes:
|
||||||
# - name: openstack_user
|
# - name: openstack_user
|
||||||
# id: openstack_user
|
# id: openstack_user
|
||||||
# - name: openstack_roles
|
# - name: openstack_roles
|
||||||
# id: openstack_roles
|
# id: openstack_roles
|
||||||
# - name: openstack_project
|
# - name: openstack_project
|
||||||
# id: openstack_project
|
# id: openstack_project
|
||||||
# - name: openstack_user_domain
|
# - name: openstack_user_domain
|
||||||
# id: openstack_user_domain
|
# id: openstack_user_domain
|
||||||
# - name: openstack_project_domain
|
# - name: openstack_project_domain
|
||||||
# id: openstack_project_domain
|
# id: openstack_project_domain
|
||||||
#
|
#
|
||||||
# - name: 'testshib-idp'
|
# - name: 'testshib-idp'
|
||||||
# entity_ids:
|
# entity_ids:
|
||||||
# - 'https://idp.testshib.org/idp/shibboleth'
|
# - 'https://idp.testshib.org/idp/shibboleth'
|
||||||
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
|
# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
|
||||||
# metadata_file: 'metadata-testshib-idp.xml'
|
# metadata_file: 'metadata-testshib-idp.xml'
|
||||||
# metadata_reload: 1800
|
# metadata_reload: 1800
|
||||||
# federated_identities:
|
# federated_identities:
|
||||||
# - domain: default
|
# - domain: default
|
||||||
# project: fedproject
|
# project: fedproject
|
||||||
# group: fedgroup
|
# group: fedgroup
|
||||||
# role: _member_
|
# role: _member_
|
||||||
# protocols:
|
# protocols:
|
||||||
# - name: saml2
|
# - name: saml2
|
||||||
# mapping:
|
# mapping:
|
||||||
# name: testshib-idp-mapping
|
# name: testshib-idp-mapping
|
||||||
# rules:
|
# rules:
|
||||||
# - remote:
|
# - remote:
|
||||||
# - type: eppn
|
# - type: eppn
|
||||||
# local:
|
# local:
|
||||||
# - group:
|
# - group:
|
||||||
# name: fedgroup
|
# name: fedgroup
|
||||||
# domain:
|
# domain:
|
||||||
# name: Default
|
# name: Default
|
||||||
# - user:
|
# - user:
|
||||||
# name: '{0}'
|
# name: '{0}'
|
||||||
#
|
#
|
||||||
# - name: 'adfs-idp'
|
# - name: 'adfs-idp'
|
||||||
# entity_ids:
|
# entity_ids:
|
||||||
# - 'http://adfs.contoso.com/adfs/services/trust'
|
# - 'http://adfs.contoso.com/adfs/services/trust'
|
||||||
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
|
# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
|
||||||
# metadata_file: 'metadata-adfs-idp.xml'
|
# metadata_file: 'metadata-adfs-idp.xml'
|
||||||
# metadata_reload: 1800
|
# metadata_reload: 1800
|
||||||
# federated_identities:
|
# federated_identities:
|
||||||
# - domain: default
|
# - domain: default
|
||||||
# project: fedproject
|
# project: fedproject
|
||||||
# group: fedgroup
|
# group: fedgroup
|
||||||
# role: _member_
|
# role: _member_
|
||||||
# protocols:
|
# protocols:
|
||||||
# - name: saml2
|
# - name: saml2
|
||||||
# mapping:
|
# mapping:
|
||||||
# name: adfs-idp-mapping
|
# name: adfs-idp-mapping
|
||||||
# rules:
|
# rules:
|
||||||
# - remote:
|
# - remote:
|
||||||
# - type: upn
|
# - type: upn
|
||||||
# local:
|
# local:
|
||||||
# - group:
|
# - group:
|
||||||
# name: fedgroup
|
# name: fedgroup
|
||||||
# domain:
|
# domain:
|
||||||
# name: Default
|
# name: Default
|
||||||
# - user:
|
# - user:
|
||||||
# name: '{0}'
|
# name: '{0}'
|
||||||
# attributes:
|
# attributes:
|
||||||
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
||||||
# id: upn
|
# id: upn
|
||||||
#
|
#
|
||||||
# - name: "keycloak-oidc-idp"
|
# - name: "keycloak-oidc-idp"
|
||||||
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
|
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
|
||||||
# oidc_client_id: keystone
|
# oidc_client_id: keystone
|
||||||
# oidc_client_secret: secret
|
# oidc_client_secret: secret
|
||||||
# oidc_crypto_passphrase: random string
|
# oidc_crypto_passphrase: random string
|
||||||
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
|
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
|
||||||
# oidc_oauth_introspection_endpoint: endpoint address (optional)
|
# oidc_oauth_introspection_endpoint: endpoint address (optional)
|
||||||
# oidc_oauth_client_id: string (optional)
|
# oidc_oauth_client_id: string (optional)
|
||||||
# oidc_oauth_client_secret: secret (optional)
|
# oidc_oauth_client_secret: secret (optional)
|
||||||
# oidc_pkce_method: plain | S256 | referred_tb (optional)
|
# oidc_pkce_method: plain | S256 | referred_tb (optional)
|
||||||
# oidc_outgoing_proxy: "proxy address" (optional setting)
|
# oidc_outgoing_proxy: "proxy address" (optional setting)
|
||||||
# oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one (optional)
|
# oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one (optional)
|
||||||
# oidc_state_max_number_of_cookies: 5 false (optional)
|
# oidc_state_max_number_of_cookies: 5 false (optional)
|
||||||
# oidc_default_url: https://example.com/callback (optional)
|
# oidc_default_url: https://example.com/callback (optional)
|
||||||
# entity_ids:
|
# entity_ids:
|
||||||
# - 'https://identity-provider/openid-endpoint/'
|
# - 'https://identity-provider/openid-endpoint/'
|
||||||
# federated_identities:
|
# federated_identities:
|
||||||
# - domain: default
|
# - domain: default
|
||||||
# project: fedproject
|
# project: fedproject
|
||||||
# group: fedgroup
|
# group: fedgroup
|
||||||
# role: _member_
|
# role: _member_
|
||||||
# protocols:
|
# protocols:
|
||||||
# - name: openid
|
# - name: openid
|
||||||
# mapping:
|
# mapping:
|
||||||
# name: keycloak-oidc-idp-openid-mapping
|
# name: keycloak-oidc-idp-openid-mapping
|
||||||
# rules:
|
# rules:
|
||||||
# - remote:
|
# - remote:
|
||||||
# - type: OIDC-email
|
# - type: OIDC-email
|
||||||
# local:
|
# local:
|
||||||
# - group:
|
# - group:
|
||||||
# name: fedgroup
|
# name: fedgroup
|
||||||
# domain:
|
# domain:
|
||||||
# name: Default
|
# name: Default
|
||||||
# user:
|
# user:
|
||||||
# name: '{0}'
|
# name: '{0}'
|
||||||
|
|
||||||
keystone_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
|
keystone_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
|
||||||
|
|
||||||
@ -581,7 +595,7 @@ keystone_optional_oslomsg_amqp1_pip_packages:
|
|||||||
# template engine and copied to the target host.
|
# template engine and copied to the target host.
|
||||||
# keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
|
# keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
|
||||||
|
|
||||||
#: Tunable file-based overrides
|
## Tunable file-based overrides
|
||||||
# The contents of these files, if they exist, are read from the
|
# The contents of these files, if they exist, are read from the
|
||||||
# specified path on the deployment host, interpreted by the
|
# specified path on the deployment host, interpreted by the
|
||||||
# template engine and copied to the target host. If they do
|
# template engine and copied to the target host. If they do
|
||||||
@ -589,7 +603,7 @@ keystone_optional_oslomsg_amqp1_pip_packages:
|
|||||||
shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem"
|
shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem"
|
||||||
shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem"
|
shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem"
|
||||||
|
|
||||||
#: Tunable var-based overrides
|
## Tunable var-based overrides
|
||||||
# The contents of these are templated over the default files.
|
# The contents of these are templated over the default files.
|
||||||
keystone_keystone_conf_overrides: {}
|
keystone_keystone_conf_overrides: {}
|
||||||
keystone_keystone_default_conf_overrides: {}
|
keystone_keystone_default_conf_overrides: {}
|
||||||
@ -643,7 +657,7 @@ keystone_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | defaul
|
|||||||
# directory on the deploy host to create and store SSH keypairs
|
# directory on the deploy host to create and store SSH keypairs
|
||||||
keystone_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
|
keystone_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
|
||||||
|
|
||||||
#Each keystone host needs a signed ssh certificate to log into the others
|
# Each keystone host needs a signed ssh certificate to log into the others
|
||||||
keystone_ssh_keypairs:
|
keystone_ssh_keypairs:
|
||||||
- name: "keystone-{{ inventory_hostname }}"
|
- name: "keystone-{{ inventory_hostname }}"
|
||||||
cert:
|
cert:
|
||||||
@ -652,7 +666,7 @@ keystone_ssh_keypairs:
|
|||||||
valid_from: "{{ keystone_ssh_key_valid_from | default('always') }}"
|
valid_from: "{{ keystone_ssh_key_valid_from | default('always') }}"
|
||||||
valid_to: "{{ keystone_ssh_key_valid_to | default('forever') }}"
|
valid_to: "{{ keystone_ssh_key_valid_to | default('forever') }}"
|
||||||
|
|
||||||
#Each keystone host needs the signed ssh certificate installing to the keystone user
|
# Each keystone host needs the signed ssh certificate installing to the keystone user
|
||||||
keystone_ssh_keypairs_install_keys:
|
keystone_ssh_keypairs_install_keys:
|
||||||
owner: "{{ keystone_system_user_name }}"
|
owner: "{{ keystone_system_user_name }}"
|
||||||
group: "{{ keystone_system_group_name }}"
|
group: "{{ keystone_system_group_name }}"
|
||||||
@ -660,10 +674,10 @@ keystone_ssh_keypairs_install_keys:
|
|||||||
- cert: "keystone-{{ inventory_hostname }}"
|
- cert: "keystone-{{ inventory_hostname }}"
|
||||||
dest: "{{ keystone_system_user_home }}/.ssh/id_rsa"
|
dest: "{{ keystone_system_user_home }}/.ssh/id_rsa"
|
||||||
|
|
||||||
#Each compute host must trust the SSHD certificate authoritiy in the sshd configuration
|
# Each compute host must trust the SSHD certificate authoritiy in the sshd configuration
|
||||||
keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
|
keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
|
||||||
|
|
||||||
#Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user
|
# Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user
|
||||||
keystone_ssh_keypairs_principals:
|
keystone_ssh_keypairs_principals:
|
||||||
- user: "{{ keystone_system_user_name }}"
|
- user: "{{ keystone_system_user_name }}"
|
||||||
principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}"
|
principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}"
|
||||||
|
@ -101,6 +101,7 @@
|
|||||||
debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf")
|
debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf")
|
||||||
redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211
|
redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211
|
||||||
shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}"
|
shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}"
|
||||||
|
changed_when: false
|
||||||
delegate_to: "{{ item }}"
|
delegate_to: "{{ item }}"
|
||||||
with_items: "{{ groups.memcached_all }}"
|
with_items: "{{ groups.memcached_all }}"
|
||||||
listen: flush cache
|
listen: flush cache
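Review bot: The added `changed_when: false` makes a task that does change state look like a no-op: the `shell` line sends `flush_all`, which evicts every key on every host in `groups.memcached_all`, so the play recap will never show it. Because this is a handler (`listen: flush cache`), it only runs when notified, so `changed_when: true` satisfies the linter while keeping the recap honest; keep `false` only if the intent is that a cache flush is not to be counted as a change. The task's `name` and the `nc_command` mapping start above this hunk, so the surrounding context is inferred.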
|
||||||
|
@ -18,19 +18,21 @@ galaxy_info:
|
|||||||
description: Installation and setup of keystone
|
description: Installation and setup of keystone
|
||||||
company: Rackspace
|
company: Rackspace
|
||||||
license: Apache2
|
license: Apache2
|
||||||
min_ansible_version: 2.4
|
role_name: os_keystone
|
||||||
|
namespace: openstack
|
||||||
|
min_ansible_version: "2.10"
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- buster
|
- bullseye
|
||||||
- name: Ubuntu
|
- name: Ubuntu
|
||||||
versions:
|
versions:
|
||||||
- bionic
|
|
||||||
- focal
|
- focal
|
||||||
|
- jammy
|
||||||
- name: EL
|
- name: EL
|
||||||
versions:
|
versions:
|
||||||
- 8
|
- "9"
|
||||||
categories:
|
galaxy_tags:
|
||||||
- cloud
|
- cloud
|
||||||
- python
|
- python
|
||||||
- keystone
|
- keystone
|
||||||
|
@ -31,6 +31,7 @@
|
|||||||
state: directory
|
state: directory
|
||||||
owner: "{{ keystone_apache_default_log_owner }}"
|
owner: "{{ keystone_apache_default_log_owner }}"
|
||||||
group: "{{ keystone_apache_default_log_grp }}"
|
group: "{{ keystone_apache_default_log_grp }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
## NOTE(cloudnull):
|
## NOTE(cloudnull):
|
||||||
## Module enable/disable process is only functional on Debian
|
## Module enable/disable process is only functional on Debian
|
||||||
@ -51,6 +52,7 @@
|
|||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "root"
|
group: "root"
|
||||||
|
mode: "0644"
|
||||||
with_items: "{{ keystone_apache_configs }}"
|
with_items: "{{ keystone_apache_configs }}"
|
||||||
notify:
|
notify:
|
||||||
- Restart web server
|
- Restart web server
|
||||||
@ -76,7 +78,7 @@
|
|||||||
line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so'
|
line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so'
|
||||||
state: "present"
|
state: "present"
|
||||||
when:
|
when:
|
||||||
- ansible_facts['pkg_mgr'] == 'dnf'
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
||||||
notify:
|
notify:
|
||||||
- Restart web server
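Review bot: Adding `mode: "0755"` to the log-directory task means the role now enforces a world-traversable directory on every run, whereas before an existing stricter mode was left untouched; if this path is the distribution's Apache log directory (Debian ships it as 0750 root:adm) the change widens it. Unless something outside the owner and `keystone_apache_default_log_grp` needs to traverse it, `mode: "0750"` is the safer value to pin. The `mode: "0644"` on the root-owned config files looks fine. The `file` task's `name` and `path` are above the hunk, so the actual directory is inferred here.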
|
- Restart web server
|
||||||
|
|
||||||
|
@ -13,10 +13,13 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- include_tasks: keystone_credential_create.yml
|
- name: Including keystone_credential_create tasks
|
||||||
|
include_tasks: keystone_credential_create.yml
|
||||||
when: _keystone_is_first_play_host
|
when: _keystone_is_first_play_host
|
||||||
|
|
||||||
- include_tasks: keystone_credential_distribute.yml
|
- name: Including keystone_credential_distribute tasks
|
||||||
|
include_tasks: keystone_credential_distribute.yml
|
||||||
when: _keystone_is_first_play_host
|
when: _keystone_is_first_play_host
|
||||||
|
|
||||||
- include_tasks: keystone_credential_autorotate.yml
|
- name: Including keystone_credential_autorotate tasks
|
||||||
|
include_tasks: keystone_credential_autorotate.yml
|
||||||
|
@ -70,7 +70,7 @@
|
|||||||
register: drop_existing_credential_keys
|
register: drop_existing_credential_keys
|
||||||
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
|
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
|
||||||
|
|
||||||
- name: Create credential keys for Keystone
|
- name: Create credential keys for Keystone # noqa: no-changed-when
|
||||||
command: >
|
command: >
|
||||||
{{ keystone_bin }}/keystone-manage credential_setup
|
{{ keystone_bin }}/keystone-manage credential_setup
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
--keystone-user "{{ keystone_system_user_name }}"
|
||||||
@ -82,7 +82,7 @@
|
|||||||
- not _credential_keys.stat.exists
|
- not _credential_keys.stat.exists
|
||||||
- not drop_existing_credential_keys is changed
|
- not drop_existing_credential_keys is changed
|
||||||
|
|
||||||
- name: Ensure newest key is used for credential in Keystone
|
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
|
||||||
command: >
|
command: >
|
||||||
{{ keystone_bin }}/keystone-manage credential_migrate
|
{{ keystone_bin }}/keystone-manage credential_migrate
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
--keystone-user "{{ keystone_system_user_name }}"
|
||||||
@ -91,7 +91,7 @@
|
|||||||
become_user: "{{ keystone_system_user_name }}"
|
become_user: "{{ keystone_system_user_name }}"
|
||||||
when: create_credential_keys is skipped
|
when: create_credential_keys is skipped
|
||||||
|
|
||||||
- name: Rotate credential keys for Keystone
|
- name: Rotate credential keys for Keystone # noqa: no-changed-when
|
||||||
command: >
|
command: >
|
||||||
{{ keystone_bin }}/keystone-manage credential_rotate
|
{{ keystone_bin }}/keystone-manage credential_rotate
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
--keystone-user "{{ keystone_system_user_name }}"
|
||||||
|
@ -28,11 +28,12 @@
|
|||||||
section: keystone
|
section: keystone
|
||||||
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
value: "{{ item.state }}"
|
value: "{{ item.state }}"
|
||||||
|
mode: "0644"
|
||||||
with_items:
|
with_items:
|
||||||
- name: "need_db_expand"
|
- name: "need_db_expand"
|
||||||
state: "{{ (keystone_db_sync_check.rc | int == 2) | bool }}"
|
state: "{{ (keystone_db_sync_check.rc | int == 2) | bool }}"
|
||||||
- name: "need_db_migrate"
|
- name: "need_db_migrate"
|
||||||
state: "{{ (keystone_db_sync_check.rc | int in [2, 3] ) | bool }}"
|
state: "{{ (keystone_db_sync_check.rc | int in [2, 3]) | bool }}"
|
||||||
- name: "need_db_contract"
|
- name: "need_db_contract"
|
||||||
state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}"
|
state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}"
|
||||||
|
|
||||||
@ -46,7 +47,7 @@
|
|||||||
# When keystone is initially built, the service does not yet exist on the
|
# When keystone is initially built, the service does not yet exist on the
|
||||||
# host this task is executed on. Detect the presence of the services.
|
# host this task is executed on. Detect the presence of the services.
|
||||||
- name: Test if keystone service exists
|
- name: Test if keystone service exists
|
||||||
service:
|
service: # noqa: args[module]
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
check_mode: yes
|
check_mode: yes
|
||||||
register: keystone_service_exists
|
register: keystone_service_exists
|
||||||
@ -70,6 +71,7 @@
|
|||||||
|
|
||||||
- name: Perform a Keystone DB sync expand
|
- name: Perform a Keystone DB sync expand
|
||||||
command: "{{ keystone_bin }}/keystone-manage db_sync --expand"
|
command: "{{ keystone_bin }}/keystone-manage db_sync --expand"
|
||||||
|
changed_when: false
|
||||||
become: yes
|
become: yes
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
become_user: "{{ keystone_system_user_name }}"
|
||||||
when:
|
when:
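Review bot: `changed_when: false` on `keystone-manage db_sync --expand` declares a schema migration to be a no-op, so a run that actually expands the database is reported as unchanged and can never trigger a handler. The credential and fernet tasks in this same change suppress the rule with `# noqa: no-changed-when` instead, and that is the better fit here too, since the `when:` gate continuing below the hunk already decides whether the command runs; alternatively `changed_when: true` states the intent honestly. The same applies to the `--migrate` and `--contract` tasks that follow.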
|
||||||
@ -79,6 +81,7 @@
|
|||||||
|
|
||||||
- name: Perform a Keystone DB sync migrate
|
- name: Perform a Keystone DB sync migrate
|
||||||
command: "{{ keystone_bin }}/keystone-manage db_sync --migrate"
|
command: "{{ keystone_bin }}/keystone-manage db_sync --migrate"
|
||||||
|
changed_when: false
|
||||||
become: yes
|
become: yes
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
become_user: "{{ keystone_system_user_name }}"
|
||||||
when:
|
when:
|
||||||
@ -88,6 +91,7 @@
|
|||||||
|
|
||||||
- name: Perform a Keystone DB sync contract
|
- name: Perform a Keystone DB sync contract
|
||||||
command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
|
command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
|
||||||
|
changed_when: false
|
||||||
become: yes
|
become: yes
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
become_user: "{{ keystone_system_user_name }}"
|
||||||
when:
|
when:
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: "{{ keystone_system_user_name }}"
|
owner: "{{ keystone_system_user_name }}"
|
||||||
group: "{{ keystone_system_group_name }}"
|
group: "{{ keystone_system_group_name }}"
|
||||||
mode: "{{ item.mode|default('0644') }}"
|
mode: "{{ item.mode | default('0644') }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
|
- { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
|
||||||
- { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
|
- { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
|
||||||
@ -29,8 +29,8 @@
|
|||||||
- name: Copy Shibboleth SP key-pair (if provided)
|
- name: Copy Shibboleth SP key-pair (if provided)
|
||||||
copy:
|
copy:
|
||||||
content: "{{ item.content }}"
|
content: "{{ item.content }}"
|
||||||
dest: "{{ item.dest }}" # noqa 206
|
dest: "{{ item.dest }}"
|
||||||
mode: "{{ item.mode|default('0640') }}"
|
mode: "{{ item.mode | default('0640') }}"
|
||||||
when:
|
when:
|
||||||
- _keystone_is_first_play_host
|
- _keystone_is_first_play_host
|
||||||
- item.content | length > 0
|
- item.content | length > 0
|
||||||
@ -66,8 +66,8 @@
|
|||||||
|
|
||||||
- name: Register a fact for the cert and key
|
- name: Register a fact for the cert and key
|
||||||
set_fact:
|
set_fact:
|
||||||
keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
|
keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
|
||||||
keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
|
keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
|
||||||
when: _keystone_is_first_play_host
|
when: _keystone_is_first_play_host
|
||||||
|
|
||||||
- name: Distribute sp key
|
- name: Distribute sp key
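Review bot: `keystone_sp_key_fact` copies the SP private key (presumably slurped, given `.content`) into a fact without `no_log: true`, and a `set_fact` result echoes `ansible_facts` on verbose runs. Add `no_log: true` to this task; it only runs for the first play host, so the lost debug output is minimal. The `Distribute sp key` task that consumes the fact begins at the end of this hunk and should carry the same flag.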
|
||||||
|
@ -13,10 +13,13 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- include_tasks: keystone_fernet_keys_create.yml
|
- name: Including keystone_fernet_keys_create tasks
|
||||||
|
include_tasks: keystone_fernet_keys_create.yml
|
||||||
when: _keystone_is_first_play_host
|
when: _keystone_is_first_play_host
|
||||||
|
|
||||||
- include_tasks: keystone_fernet_keys_distribute.yml
|
- name: Including keystone_fernet_keys_distribute tasks
|
||||||
|
include_tasks: keystone_fernet_keys_distribute.yml
|
||||||
when: _keystone_is_first_play_host
|
when: _keystone_is_first_play_host
|
||||||
|
|
||||||
- include_tasks: keystone_fernet_keys_autorotate.yml
|
- name: Including keystone_fernet_keys_autorotate tasks
|
||||||
|
include_tasks: keystone_fernet_keys_autorotate.yml
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
path: "{{ keystone_fernet_tokens_key_repository }}/0"
|
path: "{{ keystone_fernet_tokens_key_repository }}/0"
|
||||||
register: _fernet_keys
|
register: _fernet_keys
|
||||||
|
|
||||||
- name: Create fernet keys for Keystone
|
- name: Create fernet keys for Keystone # noqa: no-changed-when
|
||||||
command: >
|
command: >
|
||||||
{{ keystone_bin }}/keystone-manage fernet_setup
|
{{ keystone_bin }}/keystone-manage fernet_setup
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
--keystone-user "{{ keystone_system_user_name }}"
|
||||||
@ -27,7 +27,7 @@
|
|||||||
become_user: "{{ keystone_system_user_name }}"
|
become_user: "{{ keystone_system_user_name }}"
|
||||||
when: not _fernet_keys.stat.exists
|
when: not _fernet_keys.stat.exists
|
||||||
|
|
||||||
- name: Rotate fernet keys for Keystone
|
- name: Rotate fernet keys for Keystone # noqa: no-changed-when
|
||||||
command: >
|
command: >
|
||||||
{{ keystone_bin }}/keystone-manage fernet_rotate
|
{{ keystone_bin }}/keystone-manage fernet_rotate
|
||||||
--keystone-user "{{ keystone_system_user_name }}"
|
--keystone-user "{{ keystone_system_user_name }}"
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
|
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
|
||||||
become: yes
|
become: yes
|
||||||
become_user: "{{ keystone_system_user_name }}"
|
become_user: "{{ keystone_system_user_name }}"
|
||||||
|
changed_when: false
|
||||||
when: keystone_idp != {}
|
when: keystone_idp != {}
|
||||||
notify:
|
notify:
|
||||||
- Restart uWSGI
|
- Restart uWSGI
|
||||||
|
@ -17,9 +17,9 @@
|
|||||||
file:
|
file:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ item.owner|default(keystone_system_user_name) }}"
|
owner: "{{ item.owner | default(keystone_system_user_name) }}"
|
||||||
group: "{{ item.group|default(keystone_system_group_name) }}"
|
group: "{{ item.group | default(keystone_system_group_name) }}"
|
||||||
mode: "{{ item.mode|default('0755') }}"
|
mode: "{{ item.mode | default('0755') }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { path: "/var/lock/keystone", mode: "2755" }
|
- { path: "/var/lock/keystone", mode: "2755" }
|
||||||
- { path: "/var/log/httpd", mode: "2755" }
|
- { path: "/var/log/httpd", mode: "2755" }
|
||||||
@ -111,6 +111,7 @@
|
|||||||
section: keystone
|
section: keystone
|
||||||
option: venv_tag
|
option: venv_tag
|
||||||
value: "{{ keystone_venv_tag }}"
|
value: "{{ keystone_venv_tag }}"
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
- name: Initialise the upgrade facts
|
- name: Initialise the upgrade facts
|
||||||
ini_file:
|
ini_file:
|
||||||
@ -118,6 +119,7 @@
|
|||||||
section: keystone
|
section: keystone
|
||||||
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
value: "{{ item.state }}"
|
value: "{{ item.state }}"
|
||||||
|
mode: "0644"
|
||||||
with_items:
|
with_items:
|
||||||
- name: "need_db_expand"
|
- name: "need_db_expand"
|
||||||
state: "True"
|
state: "True"
|
||||||
|
@ -29,12 +29,12 @@
|
|||||||
tags:
|
tags:
|
||||||
- keystone-key
|
- keystone-key
|
||||||
vars:
|
vars:
|
||||||
ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}"
|
ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}"
|
||||||
ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}"
|
ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}"
|
||||||
ssh_keypairs: "{{ keystone_ssh_keypairs }}"
|
ssh_keypairs: "{{ keystone_ssh_keypairs }}"
|
||||||
ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}"
|
ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}"
|
||||||
ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}"
|
ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}"
|
||||||
ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}"
|
ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
@ -107,6 +107,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: "{{ keystone_sso_callback_file_path }}"
|
src: "{{ keystone_sso_callback_file_path }}"
|
||||||
dest: "/etc/keystone/sso_callback_template.html"
|
dest: "/etc/keystone/sso_callback_template.html"
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- keystone_sso_callback_file_path is defined
|
- keystone_sso_callback_file_path is defined
|
||||||
notify:
|
notify:
|
||||||
|
@ -53,11 +53,12 @@
|
|||||||
|
|
||||||
- name: Fact for apache module shibboleth to be installed
|
- name: Fact for apache module shibboleth to be installed
|
||||||
set_fact:
|
set_fact:
|
||||||
keystone_sp_apache_mod_shib:
|
keystone_sp_apache_mod_shib: >-
|
||||||
"{{ (keystone_sp != {} and
|
{{
|
||||||
(keystone_sp.apache_mod is undefined or
|
(keystone_sp != {} and (keystone_sp.apache_mod is undefined or (
|
||||||
(keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
|
keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
|
||||||
) | ternary('true', 'false') }}"
|
) | ternary('true', 'false')
|
||||||
|
}}
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
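Review bot: `keystone_sp_apache_mod_shib` is still produced via `ternary('true', 'false')`, so the fact is the string 'true'/'false' rather than a boolean, and the reformat was a chance to fix that. Replacing the ternary with `| bool` yields a real boolean, consistent with how `_keystone_is_first_play_host` is built in this same change, and stops `when: keystone_sp_apache_mod_shib` in main.yml from relying on Ansible's string-to-bool coercion. The `>-` scalar itself is fine: the more-indented continuation lines keep their line breaks inside `{{ }}`, which Jinja tolerates.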
||||||
@ -70,7 +71,8 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- include_role:
|
- name: Including osa.db_setup role
|
||||||
|
include_role:
|
||||||
name: openstack.osa.db_setup
|
name: openstack.osa.db_setup
|
||||||
apply:
|
apply:
|
||||||
tags:
|
tags:
|
||||||
@ -91,7 +93,8 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- include_role:
|
- name: Including osa.mq_setup role
|
||||||
|
include_role:
|
||||||
name: openstack.osa.mq_setup
|
name: openstack.osa.mq_setup
|
||||||
apply:
|
apply:
|
||||||
tags:
|
tags:
|
||||||
@ -113,40 +116,46 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- import_tasks: keystone_install.yml
|
- name: Importing keystone_install tasks
|
||||||
|
import_tasks: keystone_install.yml
|
||||||
tags:
|
tags:
|
||||||
- keystone-install
|
- keystone-install
|
||||||
|
|
||||||
- name: refresh local facts
|
- name: Refresh local facts
|
||||||
setup:
|
setup:
|
||||||
filter: ansible_local
|
filter: ansible_local
|
||||||
gather_subset: "!all"
|
gather_subset: "!all"
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: keystone_post_install.yml
|
- name: Importing keystone_post_install tasks
|
||||||
|
import_tasks: keystone_post_install.yml
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: keystone_fernet.yml
|
- name: Importing keystone_fernet tasks
|
||||||
|
import_tasks: keystone_fernet.yml
|
||||||
when:
|
when:
|
||||||
- "'fernet' in keystone_token_provider"
|
- "'fernet' in keystone_token_provider"
|
||||||
- keystone_service_setup | bool
|
- keystone_service_setup | bool
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: keystone_db_sync.yml
|
- name: Importing keystone_db_sync tasks
|
||||||
|
import_tasks: keystone_db_sync.yml
|
||||||
when:
|
when:
|
||||||
- "keystone_database_enabled | bool"
|
- "keystone_database_enabled | bool"
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: keystone_credential.yml
|
- name: Importing keystone_credential tasks
|
||||||
|
import_tasks: keystone_credential.yml
|
||||||
when: keystone_service_setup | bool
|
when: keystone_service_setup | bool
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: keystone_federation_sp_shib_setup.yml
|
- name: Importing keystone_federation_sp_shib_setup tasks
|
||||||
|
import_tasks: keystone_federation_sp_shib_setup.yml
|
||||||
when:
|
when:
|
||||||
- keystone_sp_apache_mod_shib
|
- keystone_sp_apache_mod_shib
|
||||||
- not (keystone_use_uwsgi | bool)
|
- not (keystone_use_uwsgi | bool)
|
||||||
@ -172,7 +181,8 @@
|
|||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: "keystone_apache.yml"
|
- name: Importing keystone_apache tasks
|
||||||
|
import_tasks: "keystone_apache.yml"
|
||||||
when:
|
when:
|
||||||
- not (keystone_use_uwsgi | bool)
|
- not (keystone_use_uwsgi | bool)
|
||||||
tags:
|
tags:
|
||||||
@ -191,7 +201,8 @@
|
|||||||
- name: Flush handlers
|
- name: Flush handlers
|
||||||
meta: flush_handlers
|
meta: flush_handlers
|
||||||
|
|
||||||
- include_tasks: keystone_service_bootstrap.yml
|
- name: Including keystone_service_bootstrap tasks
|
||||||
|
include_tasks: keystone_service_bootstrap.yml
|
||||||
args:
|
args:
|
||||||
apply:
|
apply:
|
||||||
tags:
|
tags:
|
||||||
@ -225,7 +236,8 @@
|
|||||||
retries: 12
|
retries: 12
|
||||||
delay: 5
|
delay: 5
|
||||||
|
|
||||||
- include_role:
|
- name: Including osa.service_setup role
|
||||||
|
include_role:
|
||||||
name: openstack.osa.service_setup
|
name: openstack.osa.service_setup
|
||||||
apply:
|
apply:
|
||||||
tags:
|
tags:
|
||||||
@ -259,7 +271,8 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- import_tasks: keystone_ldap_setup.yml
|
- name: Including keystone_ldap_setup tasks
|
||||||
|
import_tasks: keystone_ldap_setup.yml
|
||||||
when:
|
when:
|
||||||
- keystone_service_setup | bool
|
- keystone_service_setup | bool
|
||||||
- keystone_ldap != {}
|
- keystone_ldap != {}
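Review bot: The task name reads `Including keystone_ldap_setup tasks` but the module is `import_tasks`, whereas every other `import_tasks` in this file is named `Importing …`. Rename it to `- name: Importing keystone_ldap_setup tasks` so the name reflects static import rather than dynamic include; the distinction is worth keeping visible because imported tasks inherit tags at parse time. The `when:` list continues past the hunk.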
|
||||||
@ -269,7 +282,8 @@
|
|||||||
- name: Flush handlers
|
- name: Flush handlers
|
||||||
meta: flush_handlers
|
meta: flush_handlers
|
||||||
|
|
||||||
- include_tasks: keystone_idp_setup.yml
|
- name: Including keystone_idp_setup tasks
|
||||||
|
include_tasks: keystone_idp_setup.yml
|
||||||
args:
|
args:
|
||||||
apply:
|
apply:
|
||||||
tags:
|
tags:
|
||||||
|
@ -1,4 +1,6 @@
|
|||||||
- include_tasks: keystone_federation_sp_idp_setup.yml
|
---
|
||||||
|
- name: Including keystone_federation_sp_idp_setup tasks
|
||||||
|
include_tasks: keystone_federation_sp_idp_setup.yml
|
||||||
with_items: "{{ keystone_sp.trusted_idp_list }}"
|
with_items: "{{ keystone_sp.trusted_idp_list }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: trusted_idp
|
loop_var: trusted_idp
|
||||||
|
@ -13,19 +13,12 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- name: create the system group
|
- name: Create system groups
|
||||||
group:
|
|
||||||
name: "{{ keystone_system_group_name }}"
|
|
||||||
state: "present"
|
|
||||||
system: "yes"
|
|
||||||
|
|
||||||
- name: create additional groups
|
|
||||||
group:
|
group:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: "present"
|
state: "present"
|
||||||
system: "yes"
|
system: "yes"
|
||||||
with_items:
|
with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"
|
||||||
- "{{ keystone_system_additional_groups }}"
|
|
||||||
|
|
||||||
- name: Create the keystone system user
|
- name: Create the keystone system user
|
||||||
user:
|
user:
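Review bot: `with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"` now requires `keystone_system_additional_groups` to be a list; the previous nested `with_items` form flattened whatever it was given, so a deployment that overrides it with a single string would have worked before and will now fail on the list concatenation. `[keystone_system_group_name] + ([keystone_system_additional_groups] | flatten)` keeps the merge while accepting either form. Separately, `system: "yes"` is a quoted string Ansible has to coerce; `system: true` is the unambiguous boolean. The `user:` task begins at the end of this hunk.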
|
||||||
@ -44,8 +37,8 @@
|
|||||||
src: "{{ item.src | default(omit) }}"
|
src: "{{ item.src | default(omit) }}"
|
||||||
dest: "{{ item.dest | default(omit) }}"
|
dest: "{{ item.dest | default(omit) }}"
|
||||||
state: "{{ item.state | default('directory') }}"
|
state: "{{ item.state | default('directory') }}"
|
||||||
owner: "{{ item.owner|default(keystone_system_user_name) }}"
|
owner: "{{ item.owner | default(keystone_system_user_name) }}"
|
||||||
group: "{{ item.group|default(keystone_system_group_name) }}"
|
group: "{{ item.group | default(keystone_system_group_name) }}"
|
||||||
mode: "{{ item.mode | default(omit) }}"
|
mode: "{{ item.mode | default(omit) }}"
|
||||||
force: "{{ item.force | default(omit) }}"
|
force: "{{ item.force | default(omit) }}"
|
||||||
with_items:
|
with_items:
|
||||||
@ -71,6 +64,7 @@
|
|||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- import_tasks: keystone_key_setup.yml
|
- name: Importing keystone_key_setup tasks
|
||||||
|
import_tasks: keystone_key_setup.yml
|
||||||
tags:
|
tags:
|
||||||
- keystone-install
|
- keystone-install
|
||||||
|
@ -35,8 +35,16 @@ uwsgi_keystone_services: |-
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
{{ services }}
|
{{ services }}
|
||||||
|
|
||||||
_keystone_is_first_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool }}"
|
_keystone_is_first_play_host: >-
|
||||||
_keystone_is_last_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool }}"
|
{{
|
||||||
|
(keystone_services['keystone-wsgi-public']['group'] in group_names and
|
||||||
|
inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool
|
||||||
|
}}
|
||||||
|
_keystone_is_last_play_host: >-
|
||||||
|
{{
|
||||||
|
(keystone_services['keystone-wsgi-public']['group'] in group_names and
|
||||||
|
inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool
|
||||||
|
}}
|
||||||
_keystone_cache_backend_map:
|
_keystone_cache_backend_map:
|
||||||
dogpile:
|
dogpile:
|
||||||
- oslo_cache.memcache_pool
|
- oslo_cache.memcache_pool
|
||||||
|