Add controller-token role

This patch adds this new role created from: - validations/controller-token.yaml Change-Id: Ifa1485a2c250078bdd88552ab4886bc53b988d5e Implements: blueprint validation-framework Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2019-02-25 15:08:38 +01:00 · 2019-02-25 15:08:38 +01:00 · ca09fe51ea
parent 1e671512c8
commit ca09fe51ea
5 changed files with 63 additions and 0 deletions
--- a/playbooks/controller-token.yaml
+++ b/playbooks/controller-token.yaml
@ -0,0 +1,13 @@
+---
+- hosts: undercloud, Controller
+  vars:
+    metadata:
+      name: Verify that keystone admin token is disabled
+      description: >
+        This validation checks that keystone admin token is disabled on both
+        undercloud and overcloud controller after deployment.
+      groups:
+      - post-deployment
+    keystone_conf_file: "/var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf"
+  roles:
+    - controller-token
--- a/roles/controller-token/defaults/main.yml
+++ b/roles/controller-token/defaults/main.yml
@ -0,0 +1,2 @@
+---
+keystone_conf_file: "/var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf"
--- a/roles/controller-token/meta/main.yml
+++ b/roles/controller-token/meta/main.yml
@ -0,0 +1,27 @@
+galaxy_info:
+  author: TripleO Validations Team
+  company: Red Hat
+  license: Apache
+  min_ansible_version: 2.4
+
+  platforms:
+  - name: CentOS
+    versions:
+    - 7
+  - name: RHEL
+    versions:
+    - 7
+
+  categories:
+    - cloud
+    - baremetal
+    - system
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
--- a/roles/controller-token/tasks/main.yml
+++ b/roles/controller-token/tasks/main.yml
@ -0,0 +1,13 @@
+---
+- name: Fetch token value
+  become: true
+  ini:
+    path: "{{ keystone_conf_file }}"
+    section: DEFAULT
+    key: admin_token
+    ignore_missing_file: True
+  register: token_result
+
+- name: Check if token value is disabled.
+  fail: msg="Keystone admin token is not disabled."
+  when: token_result.value != None
--- a/roles/controller-token/vars/main.yml
+++ b/roles/controller-token/vars/main.yml
@ -0,0 +1,8 @@
+---
+metadata:
+  name: Verify that keystone admin token is disabled
+  description: >
+    This validation checks that keystone admin token is disabled on both
+    undercloud and overcloud controller after deployment.
+  groups:
+  - post-deployment