Auto-fix usage of modules via FQCN

Since ansible-core 2.10 it is recommended to use modules via FQCN.
In order to align with this recommendation, we perform the migration
by applying the suggestions made by `ansible-lint --fix=fqcn`.

Change-Id: I433d6fe347e21098f563881f3c1fe494231a0b62
Dmitriy Rabotyagov 2025-02-12 12:53:23 +01:00
parent 93c3d2e432
commit a6b4f71010
19 changed files with 125 additions and 125 deletions


@ -14,7 +14,7 @@
# limitations under the License.
- name: Restart web server
service:
ansible.builtin.service:
name: "{{ keystone_system_service_name }}"
enabled: true
state: restarted
@ -27,7 +27,7 @@
- "venv changed"
- name: Wait for web server to complete starting
wait_for:
ansible.builtin.wait_for:
host: "{{ keystone_web_server_bind_address }}"
port: "{{ item }}"
timeout: 25
@ -42,7 +42,7 @@
- "Restart web server"
- name: Stop uWSGI
service:
ansible.builtin.service:
name: "{{ item }}"
state: "stopped"
daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"
@ -56,7 +56,7 @@
- "Restart uWSGI"
- name: Start uWSGI
service:
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: "started"
@ -71,7 +71,7 @@
- "Restart uWSGI"
- name: Wait for uWSGI socket to be ready
wait_for:
ansible.builtin.wait_for:
host: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_uwsgi_bind_address, '127.0.0.1') }}"
port: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_service_port, keystone_uwsgi_ports['keystone-wsgi-public']['socket']) }}"
timeout: 25
@ -84,7 +84,7 @@
- "Restart uWSGI"
- name: Restart Shibd
service:
ansible.builtin.service:
name: "shibd"
enabled: true
state: "restarted"
@ -95,7 +95,7 @@
delay: 2
- name: Restart ssh
service:
ansible.builtin.service:
name: "{{ keystone_sshd }}"
state: "restarted"
@ -104,7 +104,7 @@
nc_command:
debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf")
redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211
shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}"
ansible.builtin.shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}"
changed_when: false
delegate_to: "{{ item }}"
with_items: "{{ groups.memcached_all }}"


@ -14,19 +14,19 @@
# limitations under the License.
- name: Create apache nogroup group
group:
ansible.builtin.group:
name: "nogroup"
system: "yes"
- name: Create apache nogroup user
user:
ansible.builtin.user:
name: "nogroup"
group: "nogroup"
system: "yes"
shell: "/bin/false"
- name: Ensure apache log folder exists
file:
ansible.builtin.file:
dest: "{{ keystone_apache_default_log_folder }}"
state: directory
owner: "{{ keystone_apache_default_log_owner }}"
@ -34,7 +34,7 @@
mode: "0755"
- name: Ensure apache2 MPM for Debian/Ubuntu
apache2_module:
community.general.apache2_module:
name: "{{ item.name }}"
state: "{{ item.state }}"
warn_mpm_absent: false
@ -44,7 +44,7 @@
notify: Restart web server
- name: Ensure apache2 MPM for EL
copy:
ansible.builtin.copy:
content: |
LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so
@ -57,7 +57,7 @@
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian
- name: Enable apache2 modules
apache2_module:
community.general.apache2_module:
name: "{{ item.name }}"
state: "{{ item.state }}"
with_items: "{{ keystone_apache_modules }}"
@ -68,7 +68,7 @@
- Restart web server
- name: Place apache2 config files
template:
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
@ -81,7 +81,7 @@
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian
- name: Disable apache2 modules
apache2_module:
community.general.apache2_module:
name: "{{ item.name }}"
state: "{{ item.state }}"
with_items: "{{ keystone_apache_modules }}"
@ -94,7 +94,7 @@
## NOTE(andymccr):
## We need to enable a module for httpd on RedHat/CentOS using LoadModule inside conf files
- name: Enable/disable proxy_uwsgi_module
lineinfile:
ansible.builtin.lineinfile:
dest: "/etc/httpd/conf.modules.d/00-proxy.conf"
line: "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so"
state: "present"
@ -104,7 +104,7 @@
- Restart web server
- name: Disable default apache site
file:
ansible.builtin.file:
path: "{{ item }}"
state: "absent"
with_items: "{{ keystone_apache_default_sites }}"
@ -112,7 +112,7 @@
- Restart web server
- name: Enabled keystone vhost
file:
ansible.builtin.file:
src: "{{ keystone_apache_site_available }}"
dest: "{{ keystone_apache_site_enabled }}"
state: "link"
@ -123,14 +123,14 @@
- Restart web server
- name: Ensure Apache ServerName
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ keystone_apache_conf }}"
line: "ServerName {{ ansible_facts['hostname'] }}"
notify:
- Restart web server
- name: Ensure Apache ServerTokens
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ keystone_apache_security_conf }}"
regexp: "^ServerTokens"
line: "ServerTokens {{ keystone_apache_servertokens }}"
@ -138,7 +138,7 @@
- Restart web server
- name: Ensure Apache ServerSignature
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ keystone_apache_security_conf }}"
regexp: "^ServerSignature"
line: "ServerSignature {{ keystone_apache_serversignature }}"
@ -146,7 +146,7 @@
- Restart web server
- name: Remove Listen from Apache config
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ keystone_apache_conf }}"
regexp: "^(Listen.*)"
backrefs: true


@ -14,12 +14,12 @@
# limitations under the License.
- name: Including keystone_credential_create tasks
include_tasks: keystone_credential_create.yml
ansible.builtin.include_tasks: keystone_credential_create.yml
when: _keystone_is_first_play_host
- name: Including keystone_credential_distribute tasks
include_tasks: keystone_credential_distribute.yml
ansible.builtin.include_tasks: keystone_credential_distribute.yml
when: _keystone_is_first_play_host
- name: Including keystone_credential_autorotate tasks
include_tasks: keystone_credential_autorotate.yml
ansible.builtin.include_tasks: keystone_credential_autorotate.yml


@ -19,7 +19,7 @@
# execution and while the script may be world read/executable its contains only
# the necessary bits that are required to run the rotate and sync commands.
- name: Drop credential key auto rotate script
template:
ansible.builtin.template:
src: "keystone-credential-rotate.sh.j2"
dest: "{{ keystone_credential_auto_rotation_script }}"
owner: "{{ keystone_system_user_name }}"
@ -28,7 +28,7 @@
# This creates the auto rotation job on the first keystone host.
- name: Create auto rotation job
cron:
ansible.builtin.cron:
name: "Credential auto rotate job"
special_time: "{{ keystone_credential_rotation }}"
user: "{{ keystone_system_user_name }}"
@ -38,7 +38,7 @@
# This makes sure that no auto rotation jobs are on any other hosts.
- name: Remove extra auto rotation job
cron:
ansible.builtin.cron:
name: "Credential auto rotate job"
user: "{{ keystone_system_user_name }}"
cron_file: keystone-credential-rotate


@ -14,12 +14,12 @@
# limitations under the License.
- name: Check if credential keys already exist
stat:
ansible.builtin.stat:
path: "{{ keystone_credential_key_repository }}/0"
register: _credential_keys
- name: Check for credential keys on all Keystone containers
find:
ansible.builtin.find:
paths: "{{ keystone_credential_key_repository }}"
patterns: "^[0-9]+$"
use_regex: true
@ -29,7 +29,7 @@
with_items: "{{ groups['keystone_all'] }}"
- name: Aggregate the collected file lists
set_fact:
ansible.builtin.set_fact:
existing_credential_keys: >-
{% set _var = [] -%}
{% for result in credential_key_list.results -%}
@ -43,7 +43,7 @@
when: not credential_key_list is skipped
- name: Collect the existing keys from containers
slurp:
ansible.builtin.slurp:
src: "{{ item.file }}"
delegate_to: "{{ item.host }}"
with_items: "{{ existing_credential_keys }}"
@ -51,7 +51,7 @@
when: existing_credential_keys is defined
- name: Ensure the target directory exists on the master Keystone container
file:
ansible.builtin.file:
path: "{{ keystone_credential_key_repository }}"
state: directory
owner: "{{ keystone_system_user_name }}"
@ -60,7 +60,7 @@
when: not collected_existing_credential_keys is skipped
- name: Drop the existing credential keys in the master Keystone container
copy:
ansible.builtin.copy:
content: "{{ item.1 | b64decode }}"
dest: "{{ keystone_credential_key_repository }}/{{ item.0 }}"
owner: "{{ keystone_system_user_name }}"
@ -71,7 +71,7 @@
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
- name: Create credential keys for Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_setup
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
@ -86,7 +86,7 @@
when: create_credential_keys is skipped
block:
- name: Rotate credential keys for Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
@ -96,7 +96,7 @@
# so in case it fails, we need to try perform the migraton and attempt rotation after that
rescue:
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
@ -104,7 +104,7 @@
become_user: "{{ keystone_system_user_name }}"
- name: Rotate credential keys for Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
@ -113,7 +113,7 @@
always:
# Let's run migration at the end anyway, as we need it after successfull rotation.
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
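Review bot: `Collect the existing keys from containers` slurps every credential key file and `Drop the existing credential keys in the master Keystone container` writes them back with `content: "{{ item.1 | b64decode }}"`, and no visible line of either task sets `no_log: true`. The `with_indexed_items` loop prints each item, which here is the base64 key, in the default per-item output, and the slurp results are printed under `-v`. Both tasks continue past the end of their hunks, so the flag may already be set on lines not shown; if it is not, add `no_log: true` to both. The same applies to `Store sp key`, `Register a fact for the cert and key` and `Distribute sp key` in the Shibboleth SP task file of this commit, where the SP private key is handled the same way.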


@ -14,7 +14,7 @@
# limitations under the License.
- name: Check current state of Keystone DB
command: "{{ keystone_bin }}/keystone-manage db_sync --check"
ansible.builtin.command: "{{ keystone_bin }}/keystone-manage db_sync --check"
become: true
become_user: "{{ keystone_system_user_name }}"
register: keystone_db_sync_check
@ -23,7 +23,7 @@
run_once: true
- name: Set the db sync local facts
ini_file:
community.general.ini_file:
dest: "/etc/ansible/facts.d/openstack_ansible.fact"
section: keystone
option: "{{ item.name }}"
@ -36,7 +36,7 @@
state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}"
- name: Refresh local facts
setup:
ansible.builtin.setup:
filter: ansible_local
gather_subset: "!all"
tags:
@ -45,14 +45,14 @@
# When keystone is initially built, the service does not yet exist on the
# host this task is executed on. Detect the presence of the services.
- name: Test if keystone service exists
service: # noqa: args[module]
ansible.builtin.service: # noqa: args[module]
name: "{{ item }}"
check_mode: true
register: keystone_service_exists
with_items: "{{ keystone_services.keys() | list }}"
- name: Ensure keystone service is stopped
service:
ansible.builtin.service:
name: "{{ item.name }}"
state: stopped
register: _stop
@ -67,7 +67,7 @@
- Restart uWSGI
- name: Perform a Keystone DB sync expand
command: "{{ keystone_bin }}/keystone-manage db_sync --expand"
ansible.builtin.command: "{{ keystone_bin }}/keystone-manage db_sync --expand"
changed_when: false
become: true
become_user: "{{ keystone_system_user_name }}"
@ -77,7 +77,7 @@
notify: flush cache
- name: Perform a Keystone DB sync contract
command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
ansible.builtin.command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
changed_when: false
become: true
become_user: "{{ keystone_system_user_name }}"


@ -14,7 +14,7 @@
# limitations under the License.
- name: Drop Shibboleth Config
template:
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}"
@ -27,7 +27,7 @@
- Restart Shibd
- name: Copy Shibboleth SP key-pair (if provided)
copy:
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}"
@ -42,7 +42,7 @@
- Restart Shibd
- name: Generate the Shibboleth SP key-pair
command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
ansible.builtin.command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
args:
creates: "/etc/shibboleth/sp-cert.pem"
when: _keystone_is_first_play_host
@ -51,27 +51,27 @@
- Restart Shibd
- name: Store sp cert
slurp:
ansible.builtin.slurp:
src: "/etc/shibboleth/sp-cert.pem"
register: _keystone_sp_cert
changed_when: false
when: _keystone_is_first_play_host
- name: Store sp key
slurp:
ansible.builtin.slurp:
src: "/etc/shibboleth/sp-key.pem"
register: _keystone_sp_key
changed_when: false
when: _keystone_is_first_play_host
- name: Register a fact for the cert and key
set_fact:
ansible.builtin.set_fact:
keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
when: _keystone_is_first_play_host
- name: Distribute sp key
copy:
ansible.builtin.copy:
dest: "/etc/shibboleth/sp-key.pem"
content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_key_fact'] | b64decode }}"
owner: "{{ keystone_system_user_name }}"
@ -83,7 +83,7 @@
- Restart Shibd
- name: Distribute sp cert
copy:
ansible.builtin.copy:
dest: "/etc/shibboleth/sp-cert.pem"
content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_cert_fact'] | b64decode }}"
owner: "{{ keystone_system_user_name }}"
@ -95,7 +95,7 @@
- Restart Shibd
- name: Set appropriate file ownership on the Shibboleth SP key-pair
file:
ansible.builtin.file:
path: "{{ item }}"
owner: "_shibd"
group: "_shibd"


@ -14,12 +14,12 @@
# limitations under the License.
- name: Including keystone_fernet_keys_create tasks
include_tasks: keystone_fernet_keys_create.yml
ansible.builtin.include_tasks: keystone_fernet_keys_create.yml
when: _keystone_is_first_play_host
- name: Including keystone_fernet_keys_distribute tasks
include_tasks: keystone_fernet_keys_distribute.yml
ansible.builtin.include_tasks: keystone_fernet_keys_distribute.yml
when: _keystone_is_first_play_host
- name: Including keystone_fernet_keys_autorotate tasks
include_tasks: keystone_fernet_keys_autorotate.yml
ansible.builtin.include_tasks: keystone_fernet_keys_autorotate.yml


@ -19,7 +19,7 @@
# execution and while the script may be world read/executable its contains only
# the necessary bits that are required to run the rotate and sync commands.
- name: Drop fernet key auto rotate script
template:
ansible.builtin.template:
src: "keystone-fernet-rotate.sh.j2"
dest: "{{ keystone_fernet_auto_rotation_script }}"
owner: "{{ keystone_system_user_name }}"
@ -28,7 +28,7 @@
# This creates the auto rotation job on the first keystone host.
- name: Create auto rotation job
cron:
ansible.builtin.cron:
name: "Fernet auto rotate job"
special_time: "{{ keystone_fernet_rotation }}"
user: "{{ keystone_system_user_name }}"
@ -38,7 +38,7 @@
# This makes sure that no auto rotation jobs are on any other hosts.
- name: Remove extra auto rotation job
cron:
ansible.builtin.cron:
name: "Fernet auto rotate job"
user: "{{ keystone_system_user_name }}"
cron_file: keystone-fernet-rotate


@ -14,12 +14,12 @@
# limitations under the License.
- name: Check if fernet keys already exist
stat:
ansible.builtin.stat:
path: "{{ keystone_fernet_tokens_key_repository }}/0"
register: _fernet_keys
- name: Check for fernet keys on all Keystone containers
find:
ansible.builtin.find:
paths: "{{ keystone_fernet_tokens_key_repository }}"
when: not _fernet_keys.stat.exists
register: _fernet_key_list
@ -27,7 +27,7 @@
with_items: "{{ groups['keystone_all'] }}"
- name: Identify hosts with existing fernet keys
set_fact:
ansible.builtin.set_fact:
existing_fernet_hosts: >-
{% set _var = [] -%}
{% for result in _fernet_key_list.results -%}
@ -39,7 +39,7 @@
when: not _fernet_key_list is skipped
- name: Copy the fernet key repository to the primary
command: >
ansible.builtin.command: >
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
-avz
--delete
@ -56,7 +56,7 @@
- skip_ansible_lint
- name: Create fernet keys for Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage fernet_setup
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
@ -67,7 +67,7 @@
- _fernet_keys_shared is skipped
- name: Rotate fernet keys for Keystone # noqa: no-changed-when
command: >
ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage fernet_rotate
--keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}"
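Review bot: `Copy the fernet key repository to the primary` runs rsync over `ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so the host that the fernet key repository is exchanged with is never authenticated. Since this transfer carries token-signing key material, consider dropping both options and giving the keystone user a managed `known_hosts` file with the other keystone hosts' host keys. The `skip_ansible_lint` tag at the top of the next hunk appears to belong to this task, which would keep lint from looking at it. The rest of the rsync argument list lies between the two hunks and is not shown.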


@ -14,7 +14,7 @@
# limitations under the License.
- name: Generate IdP metadata
shell: |
ansible.builtin.shell: |
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
become: true
become_user: "{{ keystone_system_user_name }}"


@ -14,7 +14,7 @@
# limitations under the License.
- name: Create keystone dir
file:
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner | default(keystone_system_user_name) }}"
@ -27,7 +27,7 @@
- ansible_facts['pkg_mgr'] == 'dnf'
- name: Create system links
file:
ansible.builtin.file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: "link"
@ -37,7 +37,7 @@
- ansible_facts['pkg_mgr'] == 'dnf'
- name: Add shibboleth repo
yum_repository:
ansible.builtin.yum_repository:
name: "shibboleth"
description: "shibboleth Repo"
baseurl: "{{ keystone_centos_shibboleth_mirror }}"
@ -48,7 +48,7 @@
- keystone_sp != {}
- name: Install distro packages
package:
ansible.builtin.package:
name: "{{ keystone_package_list }}"
state: "{{ keystone_package_state }}"
update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
@ -62,13 +62,13 @@
- Restart uWSGI
- name: Install/remove apache mod packages for federated authentication
package:
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
with_items: "{{ keystone_sp_apache_mod_packages }}"
- name: Install the python venv
import_role:
ansible.builtin.import_role:
name: "python_venv_build"
vars:
venv_python_executable: "{{ keystone_venv_python_executable }}"
@ -100,7 +100,7 @@
when: keystone_install_method == 'distro'
block:
- name: Record the osa version deployed
ini_file:
community.general.ini_file:
dest: "/etc/ansible/facts.d/openstack_ansible.fact"
section: keystone
option: venv_tag
@ -111,7 +111,7 @@
# for keystone user $HOME:
# https://bugs.launchpad.net/cloud-archive/+bug/2060235
- name: Ensure SSH keys has right permissions
file:
ansible.builtin.file:
path: "{{ keystone_system_user_home }}/.ssh/id_rsa"
mode: "0600"
when:
@ -119,7 +119,7 @@
- ansible_facts['distribution'] | lower == 'ubuntu'
- name: Initialise the upgrade facts
ini_file:
community.general.ini_file:
dest: "/etc/ansible/facts.d/openstack_ansible.fact"
section: keystone
option: "{{ item.name }}"
@ -140,7 +140,7 @@
('need_db_contract' not in ansible_local['openstack_ansible']['keystone'])
- name: Create WSGI symlinks
file:
ansible.builtin.file:
src: "{{ keystone_bin }}/keystone-wsgi-public"
dest: "/var/www/cgi-bin/keystone/main"
state: link


@ -14,7 +14,7 @@
# limitations under the License.
- name: Ensure .ssh directory is present
file:
ansible.builtin.file:
state: directory
path: "{{ keystone_system_user_home }}/.ssh"
owner: "{{ keystone_system_user_name }}"
@ -22,7 +22,7 @@
mode: "0755"
- name: Create ssh keys for synchronising fernet keys
include_role:
ansible.builtin.include_role:
name: openstack.osa.ssh_keypairs
args:
apply:
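Review bot: The `Ensure .ssh directory is present` task appears to end with `mode: "0755"` (the first context line of the second hunk), which leaves the directory holding the fernet-sync key pair listable by every local user. `mode: "0700"` is the usual setting for a `.ssh` directory and should not affect the key synchronisation. One line of the task falls between the two hunks and is not shown.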


@ -33,7 +33,7 @@
ansible_python_interpreter: "{{ keystone_service_setup_host_python_interpreter }}"
- name: Create Keystone LDAP domain configs
template:
ansible.builtin.template:
src: keystone.domain.conf.j2
dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
owner: "root"
@ -49,7 +49,7 @@
# keystone.Default.conf and this will cause errors when adding LDAP-backed
# domains.
- name: Remove Keystone Default domain configuration file if not needed
file:
ansible.builtin.file:
path: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
state: absent
when: keystone_ldap.Default is not defined


@ -17,7 +17,7 @@
# the key rotation script will not be able to copy the
# keys to the other nodes when they rotate.
- name: Enable SSHD on all keystone hosts
systemd:
ansible.builtin.systemd:
name: "{{ keystone_sshd }}"
state: started
enabled: true
@ -54,7 +54,7 @@
- keystone-policy-override
- name: Remove legacy policy.yaml file
file:
ansible.builtin.file:
path: "/etc/keystone/policy.yaml"
state: absent
when:
@ -66,13 +66,13 @@
# because we only want to copy the original files once. and we
# don't want to need multiple tasks.
- name: Preserve original configuration file(s)
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
ansible.builtin.command: "cp {{ item.target_f }} {{ item.target_f }}.original"
args:
creates: "{{ item.target_f }}.original"
with_items: "{{ keystone_core_files }}"
- name: Fetch override files
fetch:
ansible.builtin.fetch:
src: "{{ item.target_f }}"
dest: "{{ item.tmp_f }}"
flat: true
@ -95,7 +95,7 @@
- Restart web server
- name: Cleanup fetched temp files
file:
ansible.builtin.file:
path: "{{ item.tmp_f }}"
state: absent
changed_when: false
@ -104,7 +104,7 @@
with_items: "{{ keystone_core_files }}"
- name: Copy sso callback file
copy:
ansible.builtin.copy:
src: "{{ keystone_sso_callback_file_path }}"
dest: "/etc/keystone/sso_callback_template.html"
mode: "0644"


@ -14,7 +14,7 @@
# limitations under the License.
- name: Wait for service to be up
uri:
ansible.builtin.uri:
url: "{{ keystone_service_internaluri }}"
method: "HEAD"
status_code: 300
@ -24,7 +24,7 @@
delay: 5
- name: Bootstrap keystone admin and endpoint
command: |
ansible.builtin.command: |
{{ keystone_bin }}/keystone-manage bootstrap \
--bootstrap-username {{ keystone_admin_user_name }} \
--bootstrap-password {{ keystone_auth_admin_password }} \
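Review bot: `Bootstrap keystone admin and endpoint` passes the admin password as an argument, `--bootstrap-password {{ keystone_auth_admin_password }}`, so it is readable in the host's process list while the command runs and appears in the task result unless `no_log: true` is set. `keystone-manage bootstrap` also reads the password from the `OS_BOOTSTRAP_PASSWORD` environment variable; supplying it through the task's `environment:` and dropping the flag keeps it off the command line. The value is also unquoted, so a password containing whitespace would be split into separate arguments by `ansible.builtin.command`. The task continues past the end of the hunk, so `no_log` may already be set on lines not shown.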


@ -14,7 +14,7 @@
# limitations under the License.
- name: Fail if our required secrets are not present
fail:
ansible.builtin.fail:
msg: "Please set the {{ item }} variable prior to applying this role."
when: (item is undefined) or (item is none)
with_items: "{{ keystone_required_secrets }}"
@ -22,7 +22,7 @@
- always
- name: Fail if service was deployed using a different installation method
fail:
ansible.builtin.fail:
msg: "Switching installation methods for OpenStack services is not supported"
when:
- ansible_local is defined
@ -32,7 +32,7 @@
- ansible_local.openstack_ansible.keystone.install_method != keystone_install_method
- name: Gather variables for each operating system
include_vars: "{{ lookup('first_found', params) }}"
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
@ -47,12 +47,12 @@
- always
- name: Gather variables for installation method
include_vars: "{{ keystone_install_method }}_install.yml"
ansible.builtin.include_vars: "{{ keystone_install_method }}_install.yml"
tags:
- always
- name: Fact for apache module shibboleth to be installed
set_fact:
ansible.builtin.set_fact:
keystone_sp_apache_mod_shib: >-
{{
(keystone_sp != {} and (keystone_sp.apache_mod is undefined or (
@ -63,7 +63,7 @@
- always
- name: Fact for apache module mod_auth_openidc to be installed
set_fact:
ansible.builtin.set_fact:
keystone_sp_apache_mod_auth_openidc:
"{{ (keystone_sp != {} and
keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
@ -72,7 +72,7 @@
- always
- name: Including osa.db_setup role
include_role:
ansible.builtin.include_role:
name: openstack.osa.db_setup
apply:
tags:
@ -94,7 +94,7 @@
- always
- name: Including osa.mq_setup role
include_role:
ansible.builtin.include_role:
name: openstack.osa.mq_setup
apply:
tags:
@ -121,25 +121,25 @@
- always
- name: Importing keystone_install tasks
import_tasks: keystone_install.yml
ansible.builtin.import_tasks: keystone_install.yml
tags:
- keystone-install
- name: Refresh local facts
setup:
ansible.builtin.setup:
filter: ansible_local
gather_subset: "!all"
tags:
- keystone-config
- name: Importing keystone_post_install tasks
import_tasks: keystone_post_install.yml
ansible.builtin.import_tasks: keystone_post_install.yml
tags:
- keystone-config
- post-install
- name: Importing keystone_fernet tasks
import_tasks: keystone_fernet.yml
ansible.builtin.import_tasks: keystone_fernet.yml
when:
- "'fernet' in keystone_token_provider"
- keystone_service_setup | bool
@ -147,20 +147,20 @@
- keystone-config
- name: Importing keystone_db_sync tasks
import_tasks: keystone_db_sync.yml
ansible.builtin.import_tasks: keystone_db_sync.yml
when:
- "keystone_database_enabled | bool"
tags:
- keystone-config
- name: Importing keystone_credential tasks
import_tasks: keystone_credential.yml
ansible.builtin.import_tasks: keystone_credential.yml
when: keystone_service_setup | bool
tags:
- keystone-config
- name: Importing keystone_federation_sp_shib_setup tasks
import_tasks: keystone_federation_sp_shib_setup.yml
ansible.builtin.import_tasks: keystone_federation_sp_shib_setup.yml
when:
- keystone_sp_apache_mod_shib
- not (keystone_use_uwsgi | bool)
@ -168,7 +168,7 @@
- keystone-config
- name: Create and install SSL certificates
include_role:
ansible.builtin.include_role:
name: pki
tasks_from: main_certs.yml
vars:
@ -187,14 +187,14 @@
- keystone-config
- name: Importing keystone_apache tasks
import_tasks: "keystone_apache.yml"
ansible.builtin.import_tasks: "keystone_apache.yml"
when:
- not (keystone_use_uwsgi | bool)
tags:
- keystone-config
- name: Import uwsgi role
import_role:
ansible.builtin.import_role:
name: uwsgi
vars:
uwsgi_services: "{{ uwsgi_keystone_services }}"
@ -204,10 +204,10 @@
- uwsgi
- name: Flush handlers
meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: Including keystone_service_bootstrap tasks
include_tasks: keystone_service_bootstrap.yml
ansible.builtin.include_tasks: keystone_service_bootstrap.yml
args:
apply:
tags:
@ -224,7 +224,7 @@
# the endpoints which were bootstrapped in keystone_service_bootstrap.
- name: Wait for services to be up
delegate_to: "{{ keystone_service_setup_host }}"
uri:
ansible.builtin.uri:
url: "{{ item.url }}"
validate_certs: "{{ item.validate_certs }}"
method: "HEAD"
@ -242,7 +242,7 @@
delay: 5
- name: Including osa.service_setup role
include_role:
ansible.builtin.include_role:
name: openstack.osa.service_setup
apply:
tags:
@ -277,7 +277,7 @@
- always
- name: Including keystone_ldap_setup tasks
import_tasks: keystone_ldap_setup.yml
ansible.builtin.import_tasks: keystone_ldap_setup.yml
when:
- keystone_service_setup | bool
- keystone_ldap != {}
@ -285,10 +285,10 @@
- keystone-config
- name: Flush handlers
meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: Including keystone_idp_setup tasks
include_tasks: keystone_idp_setup.yml
ansible.builtin.include_tasks: keystone_idp_setup.yml
args:
apply:
tags:
@ -300,7 +300,7 @@
- always
- name: Diagnose common problems with keystone deployments
command: "{{ keystone_bin }}/keystone-manage doctor"
ansible.builtin.command: "{{ keystone_bin }}/keystone-manage doctor"
become: true
become_user: "{{ keystone_system_user_name }}"
register: keystone_doctor


@ -1,6 +1,6 @@
---
- name: Including keystone_federation_sp_idp_setup tasks
include_tasks: keystone_federation_sp_idp_setup.yml
ansible.builtin.include_tasks: keystone_federation_sp_idp_setup.yml
with_items: "{{ keystone_sp.trusted_idp_list }}"
loop_control:
loop_var: trusted_idp


@ -14,7 +14,7 @@
# limitations under the License.
- name: Gather variables for each operating system
include_vars: "{{ lookup('first_found', params) }}"
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
@ -29,14 +29,14 @@
- always
- name: Create system groups
group:
ansible.builtin.group:
name: "{{ item }}"
state: "present"
system: "yes"
with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"
- name: Create the keystone system user
user:
ansible.builtin.user:
name: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
groups: "{{ keystone_system_additional_groups | join(',') }}"
@ -47,7 +47,7 @@
home: "{{ keystone_system_user_home }}"
- name: Create keystone dir
file:
ansible.builtin.file:
path: "{{ item.path | default(omit) }}"
src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
@ -80,7 +80,7 @@
group: root
- name: Install distro packages
package:
ansible.builtin.package:
name: "{{ keystone_distro_packages }}"
state: "{{ keystone_package_state }}"
update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
@ -93,7 +93,7 @@
- Restart ssh
- name: Adjust sshd configuration in container
lineinfile:
ansible.builtin.lineinfile:
dest: "/etc/ssh/sshd_config"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
@ -103,6 +103,6 @@
- Restart ssh
- name: Importing keystone_key_setup tasks
import_tasks: keystone_key_setup.yml
ansible.builtin.import_tasks: keystone_key_setup.yml
tags:
- keystone-install