From f48ff324577d43c4564e841ddc0310802af027b3 Mon Sep 17 00:00:00 2001 From: Jiri Podivin Date: Mon, 24 Oct 2022 16:21:36 +0200 Subject: [PATCH] Removing undercloud-tokenflush validation and related role The validation has been removed from the tripleo-validations package as the token management changes made it obsolete.[0] Role, molecule tests, derived CI job and documentation were removed with the validation itself. [0] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/683750 Closes-Bug: #1994029 
Signed-off-by: Jiri Podivin
Change-Id: I6c4bdff5e253bb054231dae2c3a280322cb18b9f
---
.../roles/role-undercloud_tokenflush.rst | 47 --------
playbooks/undercloud-tokenflush.yaml | 21 ----
roles/undercloud_tokenflush/defaults/main.yml | 3 -
.../molecule/default/converge.yml | 53 --------
.../molecule/default/molecule.yml | 3 -
.../molecule/default/prepare.yml | 113 ------------------
.../non-persistent-token-format/converge.yml | 44 -------
.../non-persistent-token-format/molecule.yml | 3 -
.../non-persistent-token-format/prepare.yml | 41 -------
roles/undercloud_tokenflush/tasks/main.yml | 53 --------
roles/undercloud_tokenflush/vars/main.yaml | 9 --
zuul.d/molecule.yaml | 13 --
12 files changed, 403 deletions(-)
delete mode 100644 doc/source/roles/role-undercloud_tokenflush.rst
delete mode 100644 playbooks/undercloud-tokenflush.yaml
delete mode 100644 roles/undercloud_tokenflush/defaults/main.yml
delete mode 100644 roles/undercloud_tokenflush/molecule/default/converge.yml
delete mode 100644 roles/undercloud_tokenflush/molecule/default/molecule.yml
delete mode 100644 roles/undercloud_tokenflush/molecule/default/prepare.yml
delete mode 100644 roles/undercloud_tokenflush/molecule/non-persistent-token-format/converge.yml
delete mode 100644 roles/undercloud_tokenflush/molecule/non-persistent-token-format/molecule.yml
delete mode 100644 roles/undercloud_tokenflush/molecule/non-persistent-token-format/prepare.yml
delete mode 100644 roles/undercloud_tokenflush/tasks/main.yml
delete mode 100644 roles/undercloud_tokenflush/vars/main.yaml
diff --git a/doc/source/roles/role-undercloud_tokenflush.rst b/doc/source/roles/role-undercloud_tokenflush.rst
deleted file mode 100644
index 9195ab673..000000000
--- a/doc/source/roles/role-undercloud_tokenflush.rst
+++ /dev/null
@@ -1,47 +0,0 @@
-=====================
-undercloud_tokenflush
-=====================
-
-An Ansible role to check if `keystone-manage token_flush` is enabled for the keystone user.
-
-Requirements
-------------
-
-This role requires an installed and working Undercloud.
-
-Role Variables
---------------
-
-- cron_check: <'keystone-manage token_flush'> -- the string to check in the crontab
-
-
-Dependencies
-------------
-
-No dependencies.
-
-Example Playbook
-----------------
-
-.. code-block:: yaml
-
- - hosts: undercloud
- roles:
- - { role: undercloud-tokenflush }
-
-License
--------
-
-Apache
-
-Author Information
-------------------
-
-Red Hat TripleO Validations Team
-
-----------------
-Full Description
-----------------
-
-.. ansibleautoplugin::
- :role: roles/undercloud_tokenflush
diff --git a/playbooks/undercloud-tokenflush.yaml b/playbooks/undercloud-tokenflush.yaml
deleted file mode 100644
index 8b83afa98..000000000
--- a/playbooks/undercloud-tokenflush.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- hosts: undercloud
- vars:
- metadata:
- name: Verify token_flush is enabled in keystone users crontab
- description: |
- Without a token_flush crontab enabled for the keystone user, the
- keystone database can grow very large. This validation checks that
- the keystone token_flush crontab has been set up.
- groups:
- - pre-introspection
- categories:
- - os
- - system
- - identity
- - cron
- products:
- - tripleo
- cron_check: "keystone-manage token_flush"
- roles:
- - undercloud_tokenflush
diff --git a/roles/undercloud_tokenflush/defaults/main.yml b/roles/undercloud_tokenflush/defaults/main.yml
deleted file mode 100644
index 4e1c0a092..000000000
--- a/roles/undercloud_tokenflush/defaults/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-
-cron_check: "keystone-manage token_flush"
diff --git a/roles/undercloud_tokenflush/molecule/default/converge.yml b/roles/undercloud_tokenflush/molecule/default/converge.yml
deleted file mode 100644
index 48b94f639..000000000
--- a/roles/undercloud_tokenflush/molecule/default/converge.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- name: Converge
- hosts: all
- gather_facts: false
- tasks:
- - name: working detection
- include_role:
- name: undercloud_tokenflush
-
- - name: Validate failure
- block:
- - name: Override container_cli
- copy:
- dest: "{{ ansible_env.HOME }}/undercloud.conf"
- content: |
- [DEFAULT]
- container_cli = docker
-
- - name: run validation
- include_role:
- name: undercloud_tokenflush
- rescue:
- - name: Clear host errors
- meta: clear_host_errors
-
- - name: Test output
- debug:
- msg: The validation works! Ending play.
-
- - name: End play
- meta: end_play
-
- - name: Fail the validation at this point
- fail:
- msg: |
- The undercloud_tokenflush validation failed to detect
- missing cron job.
diff --git a/roles/undercloud_tokenflush/molecule/default/molecule.yml b/roles/undercloud_tokenflush/molecule/default/molecule.yml
deleted file mode 100644
index ba05cf07d..000000000
--- a/roles/undercloud_tokenflush/molecule/default/molecule.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# inherits tripleo-validations/.config/molecule/config.yml
-# To override default values, please take a look at the config.yml.
diff --git a/roles/undercloud_tokenflush/molecule/default/prepare.yml b/roles/undercloud_tokenflush/molecule/default/prepare.yml
deleted file mode 100644
index 01af68f5a..000000000
--- a/roles/undercloud_tokenflush/molecule/default/prepare.yml
+++ /dev/null
@@ -1,113 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- name: Prepare
- hosts: all
- gather_facts: false
- tasks:
- - name: Ensure we get needed facts
- setup:
- gather_subset:
- - '!all'
- - '!any'
- - '!min'
- - env
-
- - name: install hiera
- package:
- name: hiera
-
- - name: create hiera tree
- file:
- path: /etc/puppet
- state: directory
-
- - name: populate hiera.yaml
- copy:
- dest: /etc/puppet/hiera.yaml
- content: |
- :backends:
- - yaml
- :yaml:
- :datadir: "/etc/puppet/"
- :hierarchy:
- - "service_configs"
-
- - name: populate service config content
- copy:
- dest: /etc/puppet/service_configs.yaml
- content: |
- "keystone::token_provider": "uuid"
-
- - name: populate undercloud.conf
- copy:
- dest: "{{ ansible_env.HOME }}/undercloud.conf"
- content: |
- [DEFAULT]
- container_cli = podman
-
- - name: Populate successful podman CLI
- copy:
- dest: /usr/bin/podman
- mode: 0755
- content: |
- #!/bin/bash
- action="$1"
- shift
- container="$1"
- shift
- command="$@"
-
- case $container in
- 'heat_api_cron')
- echo '# This is a comment that should be ignored'
- echo '0 12 14 2 * heat-manage purge_deleted'
- ;;
- 'keystone_cron')
- echo '# This is a comment that should be ignored'
- echo '0 12 14 2 * keystone-manage token_flush'
- ;;
- *)
- echo "Unknown container ${container}"
- ;;
- esac
-
- - name: Populate buggy docker CLI
- copy:
- dest: /usr/bin/docker
- mode: 0755
- content: |
- #!/bin/bash
- action="$1"
- shift
- container="$1"
- shift
- command="$@"
-
- case $container in
- 'heat_api_cron')
- echo '# This is a comment that should be ignored'
- echo '0 12 14 2 * some-other command'
- ;;
- 'keystone_cron')
- echo '# This is a comment that should be ignored'
- echo '0 12 14 2 * some-other command'
- ;;
- *)
- echo "Unknown container ${container}"
- ;;
- esac
diff --git a/roles/undercloud_tokenflush/molecule/non-persistent-token-format/converge.yml b/roles/undercloud_tokenflush/molecule/non-persistent-token-format/converge.yml
deleted file mode 100644
index e0ce258f0..000000000
--- a/roles/undercloud_tokenflush/molecule/non-persistent-token-format/converge.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Copyright 2020 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- name: Converge
- hosts: all
-
- tasks:
- - name: Skip validation when using fernet tokens
- block:
- - name: Set token format to fernet
- copy:
- dest: /etc/puppet/service_configs.yaml
- content: |
- "keystone::token_provider": "fernet"
-
- - name: Ensure validation gracefully passes
- include_role:
- name: undercloud_tokenflush
-
- - name: Skip validation when using jws tokens
- block:
- - name: Set token format to jws
- copy:
- dest: /etc/puppet/service_configs.yaml
- content: |
- "keystone::token_provider": "jws"
-
- - name: Ensure validation gracefully passes
- include_role:
- name: undercloud_tokenflush
diff --git a/roles/undercloud_tokenflush/molecule/non-persistent-token-format/molecule.yml b/roles/undercloud_tokenflush/molecule/non-persistent-token-format/molecule.yml
deleted file mode 100644
index ba05cf07d..000000000
--- a/roles/undercloud_tokenflush/molecule/non-persistent-token-format/molecule.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# inherits tripleo-validations/.config/molecule/config.yml
-# To override default values, please take a look at the config.yml.
diff --git a/roles/undercloud_tokenflush/molecule/non-persistent-token-format/prepare.yml b/roles/undercloud_tokenflush/molecule/non-persistent-token-format/prepare.yml
deleted file mode 100644
index ddc671dac..000000000
--- a/roles/undercloud_tokenflush/molecule/non-persistent-token-format/prepare.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-# Copyright 2020 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- name: Prepare
- hosts: all
- gather_facts: false
-
- tasks:
- - name: install hiera
- package:
- name: hiera
-
- - name: create hiera tree
- file:
- path: /etc/puppet/
- state: directory
-
- - name: lay down hiera data files
- copy:
- dest: /etc/puppet/hiera.yaml
- content: |
- :backends:
- - yaml
- :yaml:
- :datadir: "/etc/puppet/"
- :hierarchy:
- - "service_configs"
diff --git a/roles/undercloud_tokenflush/tasks/main.yml b/roles/undercloud_tokenflush/tasks/main.yml
deleted file mode 100644
index 84b05dcea..000000000
--- a/roles/undercloud_tokenflush/tasks/main.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-- name: Fetch token provider
- become: true
- hiera:
- name: keystone::token_provider
-
-- name: Check if keystone_cron container is available
- when:
- - ansible_facts['keystone::token_provider'] != 'fernet'
- - ansible_facts['keystone::token_provider'] != 'jws'
- block:
- - name: Ensure we get needed facts
- setup:
- gather_subset:
- - '!all'
- - '!any'
- - '!min'
- - env
-
- - name: Get the Container CLI from the undercloud.conf file
- become: true
- validations_read_ini:
- path: "{{ ansible_env.HOME }}/undercloud.conf"
- section: DEFAULT
- key: container_cli
- ignore_missing_file: true
- register: container_cli
-
- - name: Get keystone crontab
- become: true
- shell: |
- set -o pipefail
- {{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
- register: cron_result
- changed_when: false
-
- - name: Check keystone crontab
- fail:
- msg: >-
- keystone token_flush does not appear to be enabled via cron.
- You should add ' keystone-manage token_flush'
- to the keystone users crontab."
- when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
-
-- name: Describe why token flush validation was skipped
- debug:
- msg: >-
- Skipping token flush validation since you are using a non-persistent
- token format ({{ ansible_facts['keystone::token_provider'] }}). You do
- not need a separate keystone_cron container to periodically prune tokens
- from keystone's database.
- when:
- - ansible_facts['keystone::token_provider'] == 'fernet' or ansible_facts['keystone::token_provider'] == 'jws'
diff --git a/roles/undercloud_tokenflush/vars/main.yaml b/roles/undercloud_tokenflush/vars/main.yaml
deleted file mode 100644
index 006b66724..000000000
--- a/roles/undercloud_tokenflush/vars/main.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-metadata:
- name: Verify token_flush is enabled in keystone users crontab
- description: >
- Without a token_flush crontab enabled for the keystone user, the
- keystone database can grow very large. This validation checks that
- the keystone token_flush crontab has been set up.
- groups:
- - pre-introspection
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index 19d698703..9ee8932ef 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -32,7 +32,6 @@
 - tripleo-validations-centos-8-molecule-tripleo_haproxy
 - tripleo-validations-centos-8-molecule-undercloud_debug
 - tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
- - tripleo-validations-centos-8-molecule-undercloud_tokenflush
 - tripleo-validations-centos-8-molecule-validation_init
 gate:
 jobs:
@@ -63,7 +62,6 @@
 - tripleo-validations-centos-8-molecule-tripleo_haproxy
 - tripleo-validations-centos-8-molecule-undercloud_debug
 - tripleo-validations-centos-8-molecule-undercloud_heat_purge_deleted
- - tripleo-validations-centos-8-molecule-undercloud_tokenflush
 - tripleo-validations-centos-8-molecule-validation_init
 name: tripleo-validations-molecule-jobs
 - job:
@@ -614,17 +612,6 @@
 vars:
 tripleo_validations_role_name: undercloud_process_count
 voting: false
-- job:
- files:
- - ^roles/undercloud_tokenflush/.*
- - ^tests/prepare-test-host.yml
- - ^ci/playbooks/pre.yml
- - ^ci/playbooks/run.yml
- - ^molecule-requirements.txt
- name: tripleo-validations-centos-8-molecule-undercloud_tokenflush
- parent: tripleo-validations-centos-8-base
- vars:
- tripleo_validations_role_name: undercloud_tokenflush
 - job:
 files:
 - ^roles/validation_init/.*