openstack/tripleo-validations
Code Issues Proposed changes

Removing undercloud-tokenflush validation and related role

Browse Source 
The validation has been	removed	from the tripleo-validations package
as the token management	changes	made it	obsolete.[0]

Role, molecule tests, derived CI job and documentation were removed with the validation itself.

[0] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/683750

Closes-Bug: #1994029

Signed-off-by: Jiri Podivin <jpodivin@redhat.com>
Change-Id: I6c4bdff5e253bb054231dae2c3a280322cb18b9f
This commit is contained in:
Jiri Podivin 2022-10-24 16:21:36 +02:00
parent 54aa994870
commit f48ff32457
12 changed files with 0 additions and 403 deletions
doc/source/roles
role-undercloud_tokenflush.rst
playbooks
undercloud-tokenflush.yaml
roles/undercloud_tokenflush
defaults
main.yml
molecule
default
converge.ymlmolecule.ymlprepare.yml
non-persistent-token-format
converge.ymlmolecule.ymlprepare.yml
tasks
main.yml
vars
main.yaml
zuul.d
molecule.yaml

47
doc/source/roles/role-undercloud_tokenflush.rst

@ -1,47 +0,0 @@
=====================
undercloud_tokenflush
=====================
An Ansible role to check if `keystone-manage token_flush` is enabled for the keystone user.
Requirements
------------
This role requires an installed and working Undercloud.
Role Variables
--------------
- cron_check: <'keystone-manage token_flush'> -- the string to check in the crontab
Dependencies
------------
No dependencies.
Example Playbook
----------------
.. code-block:: yaml
- hosts: undercloud
roles:
- { role: undercloud-tokenflush }
License
-------
Apache
Author Information
------------------
Red Hat TripleO Validations Team
----------------
Full Description
----------------
.. ansibleautoplugin::
:role: roles/undercloud_tokenflush

21
playbooks/undercloud-tokenflush.yaml

@ -1,21 +0,0 @@
---
- hosts: undercloud
vars:
metadata:
name: Verify token_flush is enabled in keystone users crontab
description: |
Without a token_flush crontab enabled for the keystone user, the
keystone database can grow very large. This validation checks that
the keystone token_flush crontab has been set up.
groups:
- pre-introspection
categories:
- os
- system
- identity
- cron
products:
- tripleo
cron_check: "keystone-manage token_flush"
roles:
- undercloud_tokenflush

3
roles/undercloud_tokenflush/defaults/main.yml

@ -1,3 +0,0 @@
---
cron_check: "keystone-manage token_flush"

53
roles/undercloud_tokenflush/molecule/default/converge.yml

@ -1,53 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- name: working detection
include_role:
name: undercloud_tokenflush
- name: Validate failure
block:
- name: Override container_cli
copy:
dest: "{{ ansible_env.HOME }}/undercloud.conf"
content: |
[DEFAULT]
container_cli = docker
- name: run validation
include_role:
name: undercloud_tokenflush
rescue:
- name: Clear host errors
meta: clear_host_errors
- name: Test output
debug:
msg: The validation works! Ending play.
- name: End play
meta: end_play
- name: Fail the validation at this point
fail:
msg: |
The undercloud_tokenflush validation failed to detect
missing cron job.

3
roles/undercloud_tokenflush/molecule/default/molecule.yml

@ -1,3 +0,0 @@
---
# inherits tripleo-validations/.config/molecule/config.yml
# To override default values, please take a look at the config.yml.

113
roles/undercloud_tokenflush/molecule/default/prepare.yml

@ -1,113 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Ensure we get needed facts
setup:
gather_subset:
- '!all'
- '!any'
- '!min'
- env
- name: install hiera
package:
name: hiera
- name: create hiera tree
file:
path: /etc/puppet
state: directory
- name: populate hiera.yaml
copy:
dest: /etc/puppet/hiera.yaml
content: |
:backends:
- yaml
:yaml:
:datadir: "/etc/puppet/"
:hierarchy:
- "service_configs"
- name: populate service config content
copy:
dest: /etc/puppet/service_configs.yaml
content: |
"keystone::token_provider": "uuid"
- name: populate undercloud.conf
copy:
dest: "{{ ansible_env.HOME }}/undercloud.conf"
content: |
[DEFAULT]
container_cli = podman
- name: Populate successful podman CLI
copy:
dest: /usr/bin/podman
mode: 0755
content: |
#!/bin/bash
action="$1"
shift
container="$1"
shift
command="$@"
case $container in
'heat_api_cron')
echo '# This is a comment that should be ignored'
echo '0 12 14 2 * heat-manage purge_deleted'
;;
'keystone_cron')
echo '# This is a comment that should be ignored'
echo '0 12 14 2 * keystone-manage token_flush'
;;
*)
echo "Unknown container ${container}"
;;
esac
- name: Populate buggy docker CLI
copy:
dest: /usr/bin/docker
mode: 0755
content: |
#!/bin/bash
action="$1"
shift
container="$1"
shift
command="$@"
case $container in
'heat_api_cron')
echo '# This is a comment that should be ignored'
echo '0 12 14 2 * some-other command'
;;
'keystone_cron')
echo '# This is a comment that should be ignored'
echo '0 12 14 2 * some-other command'
;;
*)
echo "Unknown container ${container}"
;;
esac

44
roles/undercloud_tokenflush/molecule/non-persistent-token-format/converge.yml

@ -1,44 +0,0 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
tasks:
- name: Skip validation when using fernet tokens
block:
- name: Set token format to fernet
copy:
dest: /etc/puppet/service_configs.yaml
content: |
"keystone::token_provider": "fernet"
- name: Ensure validation gracefully passes
include_role:
name: undercloud_tokenflush
- name: Skip validation when using jws tokens
block:
- name: Set token format to jws
copy:
dest: /etc/puppet/service_configs.yaml
content: |
"keystone::token_provider": "jws"
- name: Ensure validation gracefully passes
include_role:
name: undercloud_tokenflush

3
roles/undercloud_tokenflush/molecule/non-persistent-token-format/molecule.yml

@ -1,3 +0,0 @@
---
# inherits tripleo-validations/.config/molecule/config.yml
# To override default values, please take a look at the config.yml.

41
roles/undercloud_tokenflush/molecule/non-persistent-token-format/prepare.yml

@ -1,41 +0,0 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: install hiera
package:
name: hiera
- name: create hiera tree
file:
path: /etc/puppet/
state: directory
- name: lay down hiera data files
copy:
dest: /etc/puppet/hiera.yaml
content: |
:backends:
- yaml
:yaml:
:datadir: "/etc/puppet/"
:hierarchy:
- "service_configs"

53
roles/undercloud_tokenflush/tasks/main.yml

@ -1,53 +0,0 @@
---
- name: Fetch token provider
become: true
hiera:
name: keystone::token_provider
- name: Check if keystone_cron container is available
when:
- ansible_facts['keystone::token_provider'] != 'fernet'
- ansible_facts['keystone::token_provider'] != 'jws'
block:
- name: Ensure we get needed facts
setup:
gather_subset:
- '!all'
- '!any'
- '!min'
- env
- name: Get the Container CLI from the undercloud.conf file
become: true
validations_read_ini:
path: "{{ ansible_env.HOME }}/undercloud.conf"
section: DEFAULT
key: container_cli
ignore_missing_file: true
register: container_cli
- name: Get keystone crontab
become: true
shell: |
set -o pipefail
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
register: cron_result
changed_when: false
- name: Check keystone crontab
fail:
msg: >-
keystone token_flush does not appear to be enabled via cron.
You should add '<desired interval> keystone-manage token_flush'
to the keystone users crontab."
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
- name: Describe why token flush validation was skipped
debug:
msg: >-
Skipping token flush validation since you are using a non-persistent
token format ({{ ansible_facts['keystone::token_provider'] }}). You do
not need a separate keystone_cron container to periodically prune tokens
from keystone's database.
when:
- ansible_facts['keystone::token_provider'] == 'fernet' or ansible_facts['keystone::token_provider'] == 'jws'

9
roles/undercloud_tokenflush/vars/main.yaml

@ -1,9 +0,0 @@
---
metadata:
name: Verify token_flush is enabled in keystone users crontab
description: >
Without a token_flush crontab enabled for the keystone user, the
keystone database can grow very large. This validation checks that
the keystone token_flush crontab has been set up.
groups:
- pre-introspection

13
zuul.d/molecule.yaml

@ -32,7 +32,6 @@
- tripleo-validations-centos-8-molecule-tripleo_haproxy
- tripleo-validations-centos-8-molecule-undercloud_debug
- tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
- tripleo-validations-centos-8-molecule-undercloud_tokenflush
- tripleo-validations-centos-8-molecule-validation_init
gate:
jobs:
@ -63,7 +62,6 @@
- tripleo-validations-centos-8-molecule-tripleo_haproxy
- tripleo-validations-centos-8-molecule-undercloud_debug
- tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
- tripleo-validations-centos-8-molecule-undercloud_tokenflush
- tripleo-validations-centos-8-molecule-validation_init
name: tripleo-validations-molecule-jobs
- job:
@ -614,17 +612,6 @@
vars:
tripleo_validations_role_name: undercloud_process_count
voting: false
- job:
files:
- ^roles/undercloud_tokenflush/.*
- ^tests/prepare-test-host.yml
- ^ci/playbooks/pre.yml
- ^ci/playbooks/run.yml
- ^molecule-requirements.txt
name: tripleo-validations-centos-8-molecule-undercloud_tokenflush
parent: tripleo-validations-centos-8-base
vars:
tripleo_validations_role_name: undercloud_tokenflush
- job:
files:
- ^roles/validation_init/.*