Removing undercloud-tokenflush validation and related role
The validation has been removed from the tripleo-validations package
as the token management changes made it obsolete.[0]
Role, molecule tests, derived CI job and documentation were removed with the validation itself.
[0] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/683750
Closes-Bug: #1994029
Signed-off-by: Jiri Podivin <jpodivin@redhat.com>
Change-Id: I6c4bdff5e253bb054231dae2c3a280322cb18b9f
(cherry picked from commit f48ff32457)
parent
8406ff979c
commit
7641a508e8
|
@ -1,47 +0,0 @@
|
||||||
=====================
|
|
||||||
undercloud_tokenflush
|
|
||||||
=====================
|
|
||||||
|
|
||||||
An Ansible role to check if `keystone-manage token_flush` is enabled for the keystone user.
|
|
||||||
|
|
||||||
Requirements
|
|
||||||
------------
|
|
||||||
|
|
||||||
This role requires an installed and working Undercloud.
|
|
||||||
|
|
||||||
Role Variables
|
|
||||||
--------------
|
|
||||||
|
|
||||||
- cron_check: <'keystone-manage token_flush'> -- the string to check in the crontab
|
|
||||||
|
|
||||||
|
|
||||||
Dependencies
|
|
||||||
------------
|
|
||||||
|
|
||||||
No dependencies.
|
|
||||||
|
|
||||||
Example Playbook
|
|
||||||
----------------
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
|
||||||
|
|
||||||
- hosts: undercloud
|
|
||||||
roles:
|
|
||||||
- { role: undercloud-tokenflush }
|
|
||||||
|
|
||||||
License
|
|
||||||
-------
|
|
||||||
|
|
||||||
Apache
|
|
||||||
|
|
||||||
Author Information
|
|
||||||
------------------
|
|
||||||
|
|
||||||
Red Hat TripleO Validations Team
|
|
||||||
|
|
||||||
----------------
|
|
||||||
Full Description
|
|
||||||
----------------
|
|
||||||
|
|
||||||
.. ansibleautoplugin::
|
|
||||||
:role: roles/undercloud_tokenflush
|
|
|
@ -1,21 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: undercloud
|
|
||||||
vars:
|
|
||||||
metadata:
|
|
||||||
name: Verify token_flush is enabled in keystone users crontab
|
|
||||||
description: |
|
|
||||||
Without a token_flush crontab enabled for the keystone user, the
|
|
||||||
keystone database can grow very large. This validation checks that
|
|
||||||
the keystone token_flush crontab has been set up.
|
|
||||||
groups:
|
|
||||||
- pre-introspection
|
|
||||||
categories:
|
|
||||||
- os
|
|
||||||
- system
|
|
||||||
- identity
|
|
||||||
- cron
|
|
||||||
products:
|
|
||||||
- tripleo
|
|
||||||
cron_check: "keystone-manage token_flush"
|
|
||||||
roles:
|
|
||||||
- undercloud_tokenflush
|
|
|
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
cron_check: "keystone-manage token_flush"
|
|
|
@ -1,53 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2019 Red Hat, Inc.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
|
|
||||||
- name: Converge
|
|
||||||
hosts: all
|
|
||||||
gather_facts: false
|
|
||||||
tasks:
|
|
||||||
- name: working detection
|
|
||||||
include_role:
|
|
||||||
name: undercloud_tokenflush
|
|
||||||
|
|
||||||
- name: Validate failure
|
|
||||||
block:
|
|
||||||
- name: Override container_cli
|
|
||||||
copy:
|
|
||||||
dest: "{{ ansible_env.HOME }}/undercloud.conf"
|
|
||||||
content: |
|
|
||||||
[DEFAULT]
|
|
||||||
container_cli = docker
|
|
||||||
|
|
||||||
- name: run validation
|
|
||||||
include_role:
|
|
||||||
name: undercloud_tokenflush
|
|
||||||
rescue:
|
|
||||||
- name: Clear host errors
|
|
||||||
meta: clear_host_errors
|
|
||||||
|
|
||||||
- name: Test output
|
|
||||||
debug:
|
|
||||||
msg: The validation works! Ending play.
|
|
||||||
|
|
||||||
- name: End play
|
|
||||||
meta: end_play
|
|
||||||
|
|
||||||
- name: Fail the validation at this point
|
|
||||||
fail:
|
|
||||||
msg: |
|
|
||||||
The undercloud_tokenflush validation failed to detect
|
|
||||||
missing cron job.
|
|
|
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
# inherits tripleo-validations/.config/molecule/config.yml
|
|
||||||
# To override default values, please take a look at the config.yml.
|
|
|
@ -1,113 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2019 Red Hat, Inc.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
|
|
||||||
- name: Prepare
|
|
||||||
hosts: all
|
|
||||||
gather_facts: false
|
|
||||||
tasks:
|
|
||||||
- name: Ensure we get needed facts
|
|
||||||
setup:
|
|
||||||
gather_subset:
|
|
||||||
- '!all'
|
|
||||||
- '!any'
|
|
||||||
- '!min'
|
|
||||||
- env
|
|
||||||
|
|
||||||
- name: install hiera
|
|
||||||
package:
|
|
||||||
name: hiera
|
|
||||||
|
|
||||||
- name: create hiera tree
|
|
||||||
file:
|
|
||||||
path: /etc/puppet
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: populate hiera.yaml
|
|
||||||
copy:
|
|
||||||
dest: /etc/puppet/hiera.yaml
|
|
||||||
content: |
|
|
||||||
:backends:
|
|
||||||
- yaml
|
|
||||||
:yaml:
|
|
||||||
:datadir: "/etc/puppet/"
|
|
||||||
:hierarchy:
|
|
||||||
- "service_configs"
|
|
||||||
|
|
||||||
- name: populate service config content
|
|
||||||
copy:
|
|
||||||
dest: /etc/puppet/service_configs.yaml
|
|
||||||
content: |
|
|
||||||
"keystone::token_provider": "uuid"
|
|
||||||
|
|
||||||
- name: populate undercloud.conf
|
|
||||||
copy:
|
|
||||||
dest: "{{ ansible_env.HOME }}/undercloud.conf"
|
|
||||||
content: |
|
|
||||||
[DEFAULT]
|
|
||||||
container_cli = podman
|
|
||||||
|
|
||||||
- name: Populate successful podman CLI
|
|
||||||
copy:
|
|
||||||
dest: /usr/bin/podman
|
|
||||||
mode: 0755
|
|
||||||
content: |
|
|
||||||
#!/bin/bash
|
|
||||||
action="$1"
|
|
||||||
shift
|
|
||||||
container="$1"
|
|
||||||
shift
|
|
||||||
command="$@"
|
|
||||||
|
|
||||||
case $container in
|
|
||||||
'heat_api_cron')
|
|
||||||
echo '# This is a comment that should be ignored'
|
|
||||||
echo '0 12 14 2 * heat-manage purge_deleted'
|
|
||||||
;;
|
|
||||||
'keystone_cron')
|
|
||||||
echo '# This is a comment that should be ignored'
|
|
||||||
echo '0 12 14 2 * keystone-manage token_flush'
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Unknown container ${container}"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
- name: Populate buggy docker CLI
|
|
||||||
copy:
|
|
||||||
dest: /usr/bin/docker
|
|
||||||
mode: 0755
|
|
||||||
content: |
|
|
||||||
#!/bin/bash
|
|
||||||
action="$1"
|
|
||||||
shift
|
|
||||||
container="$1"
|
|
||||||
shift
|
|
||||||
command="$@"
|
|
||||||
|
|
||||||
case $container in
|
|
||||||
'heat_api_cron')
|
|
||||||
echo '# This is a comment that should be ignored'
|
|
||||||
echo '0 12 14 2 * some-other command'
|
|
||||||
;;
|
|
||||||
'keystone_cron')
|
|
||||||
echo '# This is a comment that should be ignored'
|
|
||||||
echo '0 12 14 2 * some-other command'
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Unknown container ${container}"
|
|
||||||
;;
|
|
||||||
esac
|
|
|
@ -1,44 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2020 Red Hat, Inc.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
|
|
||||||
- name: Converge
|
|
||||||
hosts: all
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: Skip validation when using fernet tokens
|
|
||||||
block:
|
|
||||||
- name: Set token format to fernet
|
|
||||||
copy:
|
|
||||||
dest: /etc/puppet/service_configs.yaml
|
|
||||||
content: |
|
|
||||||
"keystone::token_provider": "fernet"
|
|
||||||
|
|
||||||
- name: Ensure validation gracefully passes
|
|
||||||
include_role:
|
|
||||||
name: undercloud_tokenflush
|
|
||||||
|
|
||||||
- name: Skip validation when using jws tokens
|
|
||||||
block:
|
|
||||||
- name: Set token format to jws
|
|
||||||
copy:
|
|
||||||
dest: /etc/puppet/service_configs.yaml
|
|
||||||
content: |
|
|
||||||
"keystone::token_provider": "jws"
|
|
||||||
|
|
||||||
- name: Ensure validation gracefully passes
|
|
||||||
include_role:
|
|
||||||
name: undercloud_tokenflush
|
|
|
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
# inherits tripleo-validations/.config/molecule/config.yml
|
|
||||||
# To override default values, please take a look at the config.yml.
|
|
|
@ -1,41 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2020 Red Hat, Inc.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
|
|
||||||
- name: Prepare
|
|
||||||
hosts: all
|
|
||||||
gather_facts: false
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: install hiera
|
|
||||||
package:
|
|
||||||
name: hiera
|
|
||||||
|
|
||||||
- name: create hiera tree
|
|
||||||
file:
|
|
||||||
path: /etc/puppet/
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: lay down hiera data files
|
|
||||||
copy:
|
|
||||||
dest: /etc/puppet/hiera.yaml
|
|
||||||
content: |
|
|
||||||
:backends:
|
|
||||||
- yaml
|
|
||||||
:yaml:
|
|
||||||
:datadir: "/etc/puppet/"
|
|
||||||
:hierarchy:
|
|
||||||
- "service_configs"
|
|
|
@ -1,53 +0,0 @@
|
||||||
---
|
|
||||||
- name: Fetch token provider
|
|
||||||
become: true
|
|
||||||
hiera:
|
|
||||||
name: keystone::token_provider
|
|
||||||
|
|
||||||
- name: Check if keystone_cron container is available
|
|
||||||
when:
|
|
||||||
- ansible_facts['keystone::token_provider'] != 'fernet'
|
|
||||||
- ansible_facts['keystone::token_provider'] != 'jws'
|
|
||||||
block:
|
|
||||||
- name: Ensure we get needed facts
|
|
||||||
setup:
|
|
||||||
gather_subset:
|
|
||||||
- '!all'
|
|
||||||
- '!any'
|
|
||||||
- '!min'
|
|
||||||
- env
|
|
||||||
|
|
||||||
- name: Get the Container CLI from the undercloud.conf file
|
|
||||||
become: true
|
|
||||||
validations_read_ini:
|
|
||||||
path: "{{ ansible_env.HOME }}/undercloud.conf"
|
|
||||||
section: DEFAULT
|
|
||||||
key: container_cli
|
|
||||||
ignore_missing_file: true
|
|
||||||
register: container_cli
|
|
||||||
|
|
||||||
- name: Get keystone crontab
|
|
||||||
become: true
|
|
||||||
shell: |
|
|
||||||
set -o pipefail
|
|
||||||
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
|
|
||||||
register: cron_result
|
|
||||||
changed_when: false
|
|
||||||
|
|
||||||
- name: Check keystone crontab
|
|
||||||
fail:
|
|
||||||
msg: >-
|
|
||||||
keystone token_flush does not appear to be enabled via cron.
|
|
||||||
You should add '<desired interval> keystone-manage token_flush'
|
|
||||||
to the keystone users crontab."
|
|
||||||
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
|
|
||||||
|
|
||||||
- name: Describe why token flush validation was skipped
|
|
||||||
debug:
|
|
||||||
msg: >-
|
|
||||||
Skipping token flush validation since you are using a non-persistent
|
|
||||||
token format ({{ ansible_facts['keystone::token_provider'] }}). You do
|
|
||||||
not need a separate keystone_cron container to periodically prune tokens
|
|
||||||
from keystone's database.
|
|
||||||
when:
|
|
||||||
- ansible_facts['keystone::token_provider'] == 'fernet' or ansible_facts['keystone::token_provider'] == 'jws'
|
|
|
@ -1,9 +0,0 @@
|
||||||
---
|
|
||||||
metadata:
|
|
||||||
name: Verify token_flush is enabled in keystone users crontab
|
|
||||||
description: >
|
|
||||||
Without a token_flush crontab enabled for the keystone user, the
|
|
||||||
keystone database can grow very large. This validation checks that
|
|
||||||
the keystone token_flush crontab has been set up.
|
|
||||||
groups:
|
|
||||||
- pre-introspection
|
|
|
@ -32,7 +32,6 @@
|
||||||
- tripleo-validations-centos-8-molecule-tripleo_haproxy
|
- tripleo-validations-centos-8-molecule-tripleo_haproxy
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_debug
|
- tripleo-validations-centos-8-molecule-undercloud_debug
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
|
- tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_tokenflush
|
|
||||||
- tripleo-validations-centos-8-molecule-validation_init
|
- tripleo-validations-centos-8-molecule-validation_init
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
|
@ -63,7 +62,6 @@
|
||||||
- tripleo-validations-centos-8-molecule-tripleo_haproxy
|
- tripleo-validations-centos-8-molecule-tripleo_haproxy
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_debug
|
- tripleo-validations-centos-8-molecule-undercloud_debug
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
|
- tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_tokenflush
|
|
||||||
- tripleo-validations-centos-8-molecule-validation_init
|
- tripleo-validations-centos-8-molecule-validation_init
|
||||||
name: tripleo-validations-molecule-jobs
|
name: tripleo-validations-molecule-jobs
|
||||||
- job:
|
- job:
|
||||||
|
@ -614,17 +612,6 @@
|
||||||
vars:
|
vars:
|
||||||
tripleo_validations_role_name: undercloud_process_count
|
tripleo_validations_role_name: undercloud_process_count
|
||||||
voting: false
|
voting: false
|
||||||
- job:
|
|
||||||
files:
|
|
||||||
- ^roles/undercloud_tokenflush/.*
|
|
||||||
- ^tests/prepare-test-host.yml
|
|
||||||
- ^ci/playbooks/pre.yml
|
|
||||||
- ^ci/playbooks/run.yml
|
|
||||||
- ^molecule-requirements.txt
|
|
||||||
name: tripleo-validations-centos-8-molecule-undercloud_tokenflush
|
|
||||||
parent: tripleo-validations-centos-8-base
|
|
||||||
vars:
|
|
||||||
tripleo_validations_role_name: undercloud_tokenflush
|
|
||||||
- job:
|
- job:
|
||||||
files:
|
files:
|
||||||
- ^roles/validation_init/.*
|
- ^roles/validation_init/.*
|
||||||
|
|