54 lines
1.7 KiB
YAML
54 lines
1.7 KiB
YAML
---
|
|
- name: Fetch token provider
|
|
become: true
|
|
hiera:
|
|
name: keystone::token_provider
|
|
|
|
- name: Check if keystone_cron container is available
|
|
when:
|
|
- ansible_facts['keystone::token_provider'] != 'fernet'
|
|
- ansible_facts['keystone::token_provider'] != 'jws'
|
|
block:
|
|
- name: Ensure we get needed facts
|
|
setup:
|
|
gather_subset:
|
|
- '!all'
|
|
- '!any'
|
|
- '!min'
|
|
- env
|
|
|
|
- name: Get the Container CLI from the undercloud.conf file
|
|
become: true
|
|
validations_read_ini:
|
|
path: "{{ ansible_env.HOME }}/undercloud.conf"
|
|
section: DEFAULT
|
|
key: container_cli
|
|
ignore_missing_file: true
|
|
register: container_cli
|
|
|
|
- name: Get keystone crontab
|
|
become: true
|
|
shell: |
|
|
set -o pipefail
|
|
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
|
|
register: cron_result
|
|
changed_when: false
|
|
|
|
- name: Check keystone crontab
|
|
fail:
|
|
msg: >-
|
|
keystone token_flush does not appear to be enabled via cron.
|
|
You should add '<desired interval> keystone-manage token_flush'
|
|
to the keystone users crontab."
|
|
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
|
|
|
|
- name: Describe why token flush validation was skipped
|
|
debug:
|
|
msg: >-
|
|
Skipping token flush validation since you are using a non-persistent
|
|
token format ({{ ansible_facts['keystone::token_provider'] }}). You do
|
|
not need a separate keystone_cron container to periodically prune tokens
|
|
from keystone's database.
|
|
when:
|
|
- ansible_facts['keystone::token_provider'] == 'fernet' or ansible_facts['keystone::token_provider'] == 'jws'
|