openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

Auto-fix usage of modules via FQCN

Browse Source 
Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`

Change-Id: I433d6fe347e21098f563881f3c1fe494231a0b62
This commit is contained in:
Dmitriy Rabotyagov 2025-02-12 12:53:23 +01:00
parent 93c3d2e432
commit a6b4f71010
19 changed files with 125 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
handlers/main.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Restart web server - name: Restart web server
service: ansible.builtin.service:
name: "{{ keystone_system_service_name }}" name: "{{ keystone_system_service_name }}"
enabled: true enabled: true
state: restarted state: restarted
@ -27,7 +27,7 @@
- "venv changed" - "venv changed"
- name: Wait for web server to complete starting - name: Wait for web server to complete starting
wait_for: ansible.builtin.wait_for:
host: "{{ keystone_web_server_bind_address }}" host: "{{ keystone_web_server_bind_address }}"
port: "{{ item }}" port: "{{ item }}"
timeout: 25 timeout: 25
@ -42,7 +42,7 @@
- "Restart web server" - "Restart web server"
- name: Stop uWSGI - name: Stop uWSGI
service: ansible.builtin.service:
name: "{{ item }}" name: "{{ item }}"
state: "stopped" state: "stopped"
daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}" daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"
@ -56,7 +56,7 @@
- "Restart uWSGI" - "Restart uWSGI"
- name: Start uWSGI - name: Start uWSGI
service: ansible.builtin.service:
name: "{{ item }}" name: "{{ item }}"
enabled: true enabled: true
state: "started" state: "started"
@ -71,7 +71,7 @@
- "Restart uWSGI" - "Restart uWSGI"
- name: Wait for uWSGI socket to be ready - name: Wait for uWSGI socket to be ready
wait_for: ansible.builtin.wait_for:
host: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_uwsgi_bind_address, '127.0.0.1') }}" host: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_uwsgi_bind_address, '127.0.0.1') }}"
port: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_service_port, keystone_uwsgi_ports['keystone-wsgi-public']['socket']) }}" port: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_service_port, keystone_uwsgi_ports['keystone-wsgi-public']['socket']) }}"
timeout: 25 timeout: 25
@ -84,7 +84,7 @@
- "Restart uWSGI" - "Restart uWSGI"
- name: Restart Shibd - name: Restart Shibd
service: ansible.builtin.service:
name: "shibd" name: "shibd"
enabled: true enabled: true
state: "restarted" state: "restarted"
@ -95,7 +95,7 @@
delay: 2 delay: 2
- name: Restart ssh - name: Restart ssh
service: ansible.builtin.service:
name: "{{ keystone_sshd }}" name: "{{ keystone_sshd }}"
state: "restarted" state: "restarted"
@ -104,7 +104,7 @@
nc_command: nc_command:
debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf") debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf")
redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211 redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211
shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}" ansible.builtin.shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}"
changed_when: false changed_when: false
delegate_to: "{{ item }}" delegate_to: "{{ item }}"
with_items: "{{ groups.memcached_all }}" with_items: "{{ groups.memcached_all }}"

30
tasks/keystone_apache.yml
View File

@ -14,19 +14,19 @@
# limitations under the License. # limitations under the License.
- name: Create apache nogroup group - name: Create apache nogroup group
group: ansible.builtin.group:
name: "nogroup" name: "nogroup"
system: "yes" system: "yes"
- name: Create apache nogroup user - name: Create apache nogroup user
user: ansible.builtin.user:
name: "nogroup" name: "nogroup"
group: "nogroup" group: "nogroup"
system: "yes" system: "yes"
shell: "/bin/false" shell: "/bin/false"
- name: Ensure apache log folder exists - name: Ensure apache log folder exists
file: ansible.builtin.file:
dest: "{{ keystone_apache_default_log_folder }}" dest: "{{ keystone_apache_default_log_folder }}"
state: directory state: directory
owner: "{{ keystone_apache_default_log_owner }}" owner: "{{ keystone_apache_default_log_owner }}"
@ -34,7 +34,7 @@
mode: "0755" mode: "0755"
- name: Ensure apache2 MPM for Debian/Ubuntu - name: Ensure apache2 MPM for Debian/Ubuntu
apache2_module: community.general.apache2_module:
name: "{{ item.name }}" name: "{{ item.name }}"
state: "{{ item.state }}" state: "{{ item.state }}"
warn_mpm_absent: false warn_mpm_absent: false
@ -44,7 +44,7 @@
notify: Restart web server notify: Restart web server
- name: Ensure apache2 MPM for EL - name: Ensure apache2 MPM for EL
copy: ansible.builtin.copy:
content: | content: |
LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so
@ -57,7 +57,7 @@
## NOTE(cloudnull): ## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian ## Module enable/disable process is only functional on Debian
- name: Enable apache2 modules - name: Enable apache2 modules
apache2_module: community.general.apache2_module:
name: "{{ item.name }}" name: "{{ item.name }}"
state: "{{ item.state }}" state: "{{ item.state }}"
with_items: "{{ keystone_apache_modules }}" with_items: "{{ keystone_apache_modules }}"
@ -68,7 +68,7 @@
- Restart web server - Restart web server
- name: Place apache2 config files - name: Place apache2 config files
template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: "root" owner: "root"
@ -81,7 +81,7 @@
## NOTE(cloudnull): ## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian ## Module enable/disable process is only functional on Debian
- name: Disable apache2 modules - name: Disable apache2 modules
apache2_module: community.general.apache2_module:
name: "{{ item.name }}" name: "{{ item.name }}"
state: "{{ item.state }}" state: "{{ item.state }}"
with_items: "{{ keystone_apache_modules }}" with_items: "{{ keystone_apache_modules }}"
@ -94,7 +94,7 @@
## NOTE(andymccr): ## NOTE(andymccr):
## We need to enable a module for httpd on RedHat/CentOS using LoadModule inside conf files ## We need to enable a module for httpd on RedHat/CentOS using LoadModule inside conf files
- name: Enable/disable proxy_uwsgi_module - name: Enable/disable proxy_uwsgi_module
lineinfile: ansible.builtin.lineinfile:
dest: "/etc/httpd/conf.modules.d/00-proxy.conf" dest: "/etc/httpd/conf.modules.d/00-proxy.conf"
line: "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so" line: "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so"
state: "present" state: "present"
@ -104,7 +104,7 @@
- Restart web server - Restart web server
- name: Disable default apache site - name: Disable default apache site
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: "absent" state: "absent"
with_items: "{{ keystone_apache_default_sites }}" with_items: "{{ keystone_apache_default_sites }}"
@ -112,7 +112,7 @@
- Restart web server - Restart web server
- name: Enabled keystone vhost - name: Enabled keystone vhost
file: ansible.builtin.file:
src: "{{ keystone_apache_site_available }}" src: "{{ keystone_apache_site_available }}"
dest: "{{ keystone_apache_site_enabled }}" dest: "{{ keystone_apache_site_enabled }}"
state: "link" state: "link"
@ -123,14 +123,14 @@
- Restart web server - Restart web server
- name: Ensure Apache ServerName - name: Ensure Apache ServerName
lineinfile: ansible.builtin.lineinfile:
dest: "{{ keystone_apache_conf }}" dest: "{{ keystone_apache_conf }}"
line: "ServerName {{ ansible_facts['hostname'] }}" line: "ServerName {{ ansible_facts['hostname'] }}"
notify: notify:
- Restart web server - Restart web server
- name: Ensure Apache ServerTokens - name: Ensure Apache ServerTokens
lineinfile: ansible.builtin.lineinfile:
dest: "{{ keystone_apache_security_conf }}" dest: "{{ keystone_apache_security_conf }}"
regexp: "^ServerTokens" regexp: "^ServerTokens"
line: "ServerTokens {{ keystone_apache_servertokens }}" line: "ServerTokens {{ keystone_apache_servertokens }}"
@ -138,7 +138,7 @@
- Restart web server - Restart web server
- name: Ensure Apache ServerSignature - name: Ensure Apache ServerSignature
lineinfile: ansible.builtin.lineinfile:
dest: "{{ keystone_apache_security_conf }}" dest: "{{ keystone_apache_security_conf }}"
regexp: "^ServerSignature" regexp: "^ServerSignature"
line: "ServerSignature {{ keystone_apache_serversignature }}" line: "ServerSignature {{ keystone_apache_serversignature }}"
@ -146,7 +146,7 @@
- Restart web server - Restart web server
- name: Remove Listen from Apache config - name: Remove Listen from Apache config
lineinfile: ansible.builtin.lineinfile:
dest: "{{ keystone_apache_conf }}" dest: "{{ keystone_apache_conf }}"
regexp: "^(Listen.*)" regexp: "^(Listen.*)"
backrefs: true backrefs: true

6
tasks/keystone_credential.yml
View File

@ -14,12 +14,12 @@
# limitations under the License. # limitations under the License.
- name: Including keystone_credential_create tasks - name: Including keystone_credential_create tasks
include_tasks: keystone_credential_create.yml ansible.builtin.include_tasks: keystone_credential_create.yml
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Including keystone_credential_distribute tasks - name: Including keystone_credential_distribute tasks
include_tasks: keystone_credential_distribute.yml ansible.builtin.include_tasks: keystone_credential_distribute.yml
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Including keystone_credential_autorotate tasks - name: Including keystone_credential_autorotate tasks
include_tasks: keystone_credential_autorotate.yml ansible.builtin.include_tasks: keystone_credential_autorotate.yml

6
tasks/keystone_credential_autorotate.yml
View File

@ -19,7 +19,7 @@
# execution and while the script may be world read/executable its contains only # execution and while the script may be world read/executable its contains only
# the necessary bits that are required to run the rotate and sync commands. # the necessary bits that are required to run the rotate and sync commands.
- name: Drop credential key auto rotate script - name: Drop credential key auto rotate script
template: ansible.builtin.template:
src: "keystone-credential-rotate.sh.j2" src: "keystone-credential-rotate.sh.j2"
dest: "{{ keystone_credential_auto_rotation_script }}" dest: "{{ keystone_credential_auto_rotation_script }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -28,7 +28,7 @@
# This creates the auto rotation job on the first keystone host. # This creates the auto rotation job on the first keystone host.
- name: Create auto rotation job - name: Create auto rotation job
cron: ansible.builtin.cron:
name: "Credential auto rotate job" name: "Credential auto rotate job"
special_time: "{{ keystone_credential_rotation }}" special_time: "{{ keystone_credential_rotation }}"
user: "{{ keystone_system_user_name }}" user: "{{ keystone_system_user_name }}"
@ -38,7 +38,7 @@
# This makes sure that no auto rotation jobs are on any other hosts. # This makes sure that no auto rotation jobs are on any other hosts.
- name: Remove extra auto rotation job - name: Remove extra auto rotation job
cron: ansible.builtin.cron:
name: "Credential auto rotate job" name: "Credential auto rotate job"
user: "{{ keystone_system_user_name }}" user: "{{ keystone_system_user_name }}"
cron_file: keystone-credential-rotate cron_file: keystone-credential-rotate

22
tasks/keystone_credential_create.yml
View File

@ -14,12 +14,12 @@
# limitations under the License. # limitations under the License.
- name: Check if credential keys already exist - name: Check if credential keys already exist
stat: ansible.builtin.stat:
path: "{{ keystone_credential_key_repository }}/0" path: "{{ keystone_credential_key_repository }}/0"
register: _credential_keys register: _credential_keys
- name: Check for credential keys on all Keystone containers - name: Check for credential keys on all Keystone containers
find: ansible.builtin.find:
paths: "{{ keystone_credential_key_repository }}" paths: "{{ keystone_credential_key_repository }}"
patterns: "^[0-9]+$" patterns: "^[0-9]+$"
use_regex: true use_regex: true
@ -29,7 +29,7 @@
with_items: "{{ groups['keystone_all'] }}" with_items: "{{ groups['keystone_all'] }}"
- name: Aggregate the collected file lists - name: Aggregate the collected file lists
set_fact: ansible.builtin.set_fact:
existing_credential_keys: >- existing_credential_keys: >-
{% set _var = [] -%} {% set _var = [] -%}
{% for result in credential_key_list.results -%} {% for result in credential_key_list.results -%}
@ -43,7 +43,7 @@
when: not credential_key_list is skipped when: not credential_key_list is skipped
- name: Collect the existing keys from containers - name: Collect the existing keys from containers
slurp: ansible.builtin.slurp:
src: "{{ item.file }}" src: "{{ item.file }}"
delegate_to: "{{ item.host }}" delegate_to: "{{ item.host }}"
with_items: "{{ existing_credential_keys }}" with_items: "{{ existing_credential_keys }}"
@ -51,7 +51,7 @@
when: existing_credential_keys is defined when: existing_credential_keys is defined
- name: Ensure the target directory exists on the master Keystone container - name: Ensure the target directory exists on the master Keystone container
file: ansible.builtin.file:
path: "{{ keystone_credential_key_repository }}" path: "{{ keystone_credential_key_repository }}"
state: directory state: directory
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -60,7 +60,7 @@
when: not collected_existing_credential_keys is skipped when: not collected_existing_credential_keys is skipped
- name: Drop the existing credential keys in the master Keystone container - name: Drop the existing credential keys in the master Keystone container
copy: ansible.builtin.copy:
content: "{{ item.1 | b64decode }}" content: "{{ item.1 | b64decode }}"
dest: "{{ keystone_credential_key_repository }}/{{ item.0 }}" dest: "{{ keystone_credential_key_repository }}/{{ item.0 }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -71,7 +71,7 @@
with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}" with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}"
- name: Create credential keys for Keystone # noqa: no-changed-when - name: Create credential keys for Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_setup {{ keystone_bin }}/keystone-manage credential_setup
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"
@ -86,7 +86,7 @@
when: create_credential_keys is skipped when: create_credential_keys is skipped
block: block:
- name: Rotate credential keys for Keystone # noqa: no-changed-when - name: Rotate credential keys for Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_rotate {{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"
@ -96,7 +96,7 @@
# so in case it fails, we need to try perform the migraton and attempt rotation after that # so in case it fails, we need to try perform the migraton and attempt rotation after that
rescue: rescue:
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_migrate {{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"
@ -104,7 +104,7 @@
become_user: "{{ keystone_system_user_name }}" become_user: "{{ keystone_system_user_name }}"
- name: Rotate credential keys for Keystone # noqa: no-changed-when - name: Rotate credential keys for Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_rotate {{ keystone_bin }}/keystone-manage credential_rotate
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"
@ -113,7 +113,7 @@
always: always:
# Let's run migration at the end anyway, as we need it after successfull rotation. # Let's run migration at the end anyway, as we need it after successfull rotation.
- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage credential_migrate {{ keystone_bin }}/keystone-manage credential_migrate
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"

14
tasks/keystone_db_sync.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Check current state of Keystone DB - name: Check current state of Keystone DB
command: "{{ keystone_bin }}/keystone-manage db_sync --check" ansible.builtin.command: "{{ keystone_bin }}/keystone-manage db_sync --check"
become: true become: true
become_user: "{{ keystone_system_user_name }}" become_user: "{{ keystone_system_user_name }}"
register: keystone_db_sync_check register: keystone_db_sync_check
@ -23,7 +23,7 @@
run_once: true run_once: true
- name: Set the db sync local facts - name: Set the db sync local facts
ini_file: community.general.ini_file:
dest: "/etc/ansible/facts.d/openstack_ansible.fact" dest: "/etc/ansible/facts.d/openstack_ansible.fact"
section: keystone section: keystone
option: "{{ item.name }}" option: "{{ item.name }}"
@ -36,7 +36,7 @@
state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}" state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}"
- name: Refresh local facts - name: Refresh local facts
setup: ansible.builtin.setup:
filter: ansible_local filter: ansible_local
gather_subset: "!all" gather_subset: "!all"
tags: tags:
@ -45,14 +45,14 @@
# When keystone is initially built, the service does not yet exist on the # When keystone is initially built, the service does not yet exist on the
# host this task is executed on. Detect the presence of the services. # host this task is executed on. Detect the presence of the services.
- name: Test if keystone service exists - name: Test if keystone service exists
service: # noqa: args[module] ansible.builtin.service: # noqa: args[module]
name: "{{ item }}" name: "{{ item }}"
check_mode: true check_mode: true
register: keystone_service_exists register: keystone_service_exists
with_items: "{{ keystone_services.keys() | list }}" with_items: "{{ keystone_services.keys() | list }}"
- name: Ensure keystone service is stopped - name: Ensure keystone service is stopped
service: ansible.builtin.service:
name: "{{ item.name }}" name: "{{ item.name }}"
state: stopped state: stopped
register: _stop register: _stop
@ -67,7 +67,7 @@
- Restart uWSGI - Restart uWSGI
- name: Perform a Keystone DB sync expand - name: Perform a Keystone DB sync expand
command: "{{ keystone_bin }}/keystone-manage db_sync --expand" ansible.builtin.command: "{{ keystone_bin }}/keystone-manage db_sync --expand"
changed_when: false changed_when: false
become: true become: true
become_user: "{{ keystone_system_user_name }}" become_user: "{{ keystone_system_user_name }}"
@ -77,7 +77,7 @@
notify: flush cache notify: flush cache
- name: Perform a Keystone DB sync contract - name: Perform a Keystone DB sync contract
command: "{{ keystone_bin }}/keystone-manage db_sync --contract" ansible.builtin.command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
changed_when: false changed_when: false
become: true become: true
become_user: "{{ keystone_system_user_name }}" become_user: "{{ keystone_system_user_name }}"

18
tasks/keystone_federation_sp_shib_setup.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Drop Shibboleth Config - name: Drop Shibboleth Config
template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -27,7 +27,7 @@
- Restart Shibd - Restart Shibd
- name: Copy Shibboleth SP key-pair (if provided) - name: Copy Shibboleth SP key-pair (if provided)
copy: ansible.builtin.copy:
content: "{{ item.content }}" content: "{{ item.content }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
@ -42,7 +42,7 @@
- Restart Shibd - Restart Shibd
- name: Generate the Shibboleth SP key-pair - name: Generate the Shibboleth SP key-pair
command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}" ansible.builtin.command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
args: args:
creates: "/etc/shibboleth/sp-cert.pem" creates: "/etc/shibboleth/sp-cert.pem"
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
@ -51,27 +51,27 @@
- Restart Shibd - Restart Shibd
- name: Store sp cert - name: Store sp cert
slurp: ansible.builtin.slurp:
src: "/etc/shibboleth/sp-cert.pem" src: "/etc/shibboleth/sp-cert.pem"
register: _keystone_sp_cert register: _keystone_sp_cert
changed_when: false changed_when: false
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Store sp key - name: Store sp key
slurp: ansible.builtin.slurp:
src: "/etc/shibboleth/sp-key.pem" src: "/etc/shibboleth/sp-key.pem"
register: _keystone_sp_key register: _keystone_sp_key
changed_when: false changed_when: false
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Register a fact for the cert and key - name: Register a fact for the cert and key
set_fact: ansible.builtin.set_fact:
keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}" keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}"
keystone_sp_key_fact: "{{ _keystone_sp_key.content }}" keystone_sp_key_fact: "{{ _keystone_sp_key.content }}"
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Distribute sp key - name: Distribute sp key
copy: ansible.builtin.copy:
dest: "/etc/shibboleth/sp-key.pem" dest: "/etc/shibboleth/sp-key.pem"
content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_key_fact'] | b64decode }}" content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_key_fact'] | b64decode }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -83,7 +83,7 @@
- Restart Shibd - Restart Shibd
- name: Distribute sp cert - name: Distribute sp cert
copy: ansible.builtin.copy:
dest: "/etc/shibboleth/sp-cert.pem" dest: "/etc/shibboleth/sp-cert.pem"
content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_cert_fact'] | b64decode }}" content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_cert_fact'] | b64decode }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -95,7 +95,7 @@
- Restart Shibd - Restart Shibd
- name: Set appropriate file ownership on the Shibboleth SP key-pair - name: Set appropriate file ownership on the Shibboleth SP key-pair
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: "_shibd" owner: "_shibd"
group: "_shibd" group: "_shibd"

6
tasks/keystone_fernet.yml
View File

@ -14,12 +14,12 @@
# limitations under the License. # limitations under the License.
- name: Including keystone_fernet_keys_create tasks - name: Including keystone_fernet_keys_create tasks
include_tasks: keystone_fernet_keys_create.yml ansible.builtin.include_tasks: keystone_fernet_keys_create.yml
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Including keystone_fernet_keys_distribute tasks - name: Including keystone_fernet_keys_distribute tasks
include_tasks: keystone_fernet_keys_distribute.yml ansible.builtin.include_tasks: keystone_fernet_keys_distribute.yml
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Including keystone_fernet_keys_autorotate tasks - name: Including keystone_fernet_keys_autorotate tasks
include_tasks: keystone_fernet_keys_autorotate.yml ansible.builtin.include_tasks: keystone_fernet_keys_autorotate.yml

6
tasks/keystone_fernet_keys_autorotate.yml
View File

@ -19,7 +19,7 @@
# execution and while the script may be world read/executable its contains only # execution and while the script may be world read/executable its contains only
# the necessary bits that are required to run the rotate and sync commands. # the necessary bits that are required to run the rotate and sync commands.
- name: Drop fernet key auto rotate script - name: Drop fernet key auto rotate script
template: ansible.builtin.template:
src: "keystone-fernet-rotate.sh.j2" src: "keystone-fernet-rotate.sh.j2"
dest: "{{ keystone_fernet_auto_rotation_script }}" dest: "{{ keystone_fernet_auto_rotation_script }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -28,7 +28,7 @@
# This creates the auto rotation job on the first keystone host. # This creates the auto rotation job on the first keystone host.
- name: Create auto rotation job - name: Create auto rotation job
cron: ansible.builtin.cron:
name: "Fernet auto rotate job" name: "Fernet auto rotate job"
special_time: "{{ keystone_fernet_rotation }}" special_time: "{{ keystone_fernet_rotation }}"
user: "{{ keystone_system_user_name }}" user: "{{ keystone_system_user_name }}"
@ -38,7 +38,7 @@
# This makes sure that no auto rotation jobs are on any other hosts. # This makes sure that no auto rotation jobs are on any other hosts.
- name: Remove extra auto rotation job - name: Remove extra auto rotation job
cron: ansible.builtin.cron:
name: "Fernet auto rotate job" name: "Fernet auto rotate job"
user: "{{ keystone_system_user_name }}" user: "{{ keystone_system_user_name }}"
cron_file: keystone-fernet-rotate cron_file: keystone-fernet-rotate

12
tasks/keystone_fernet_keys_create.yml
View File

@ -14,12 +14,12 @@
# limitations under the License. # limitations under the License.
- name: Check if fernet keys already exist - name: Check if fernet keys already exist
stat: ansible.builtin.stat:
path: "{{ keystone_fernet_tokens_key_repository }}/0" path: "{{ keystone_fernet_tokens_key_repository }}/0"
register: _fernet_keys register: _fernet_keys
- name: Check for fernet keys on all Keystone containers - name: Check for fernet keys on all Keystone containers
find: ansible.builtin.find:
paths: "{{ keystone_fernet_tokens_key_repository }}" paths: "{{ keystone_fernet_tokens_key_repository }}"
when: not _fernet_keys.stat.exists when: not _fernet_keys.stat.exists
register: _fernet_key_list register: _fernet_key_list
@ -27,7 +27,7 @@
with_items: "{{ groups['keystone_all'] }}" with_items: "{{ groups['keystone_all'] }}"
- name: Identify hosts with existing fernet keys - name: Identify hosts with existing fernet keys
set_fact: ansible.builtin.set_fact:
existing_fernet_hosts: >- existing_fernet_hosts: >-
{% set _var = [] -%} {% set _var = [] -%}
{% for result in _fernet_key_list.results -%} {% for result in _fernet_key_list.results -%}
@ -39,7 +39,7 @@
when: not _fernet_key_list is skipped when: not _fernet_key_list is skipped
- name: Copy the fernet key repository to the primary - name: Copy the fernet key repository to the primary
command: > ansible.builtin.command: >
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
-avz -avz
--delete --delete
@ -56,7 +56,7 @@
- skip_ansible_lint - skip_ansible_lint
- name: Create fernet keys for Keystone # noqa: no-changed-when - name: Create fernet keys for Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage fernet_setup {{ keystone_bin }}/keystone-manage fernet_setup
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"
@ -67,7 +67,7 @@
- _fernet_keys_shared is skipped - _fernet_keys_shared is skipped
- name: Rotate fernet keys for Keystone # noqa: no-changed-when - name: Rotate fernet keys for Keystone # noqa: no-changed-when
command: > ansible.builtin.command: >
{{ keystone_bin }}/keystone-manage fernet_rotate {{ keystone_bin }}/keystone-manage fernet_rotate
--keystone-user "{{ keystone_system_user_name }}" --keystone-user "{{ keystone_system_user_name }}"
--keystone-group "{{ keystone_system_group_name }}" --keystone-group "{{ keystone_system_group_name }}"

2
tasks/keystone_idp_setup.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Generate IdP metadata - name: Generate IdP metadata
shell: | ansible.builtin.shell: |
{{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }} {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
become: true become: true
become_user: "{{ keystone_system_user_name }}" become_user: "{{ keystone_system_user_name }}"

20
tasks/keystone_install.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Create keystone dir - name: Create keystone dir
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: directory state: directory
owner: "{{ item.owner | default(keystone_system_user_name) }}" owner: "{{ item.owner | default(keystone_system_user_name) }}"
@ -27,7 +27,7 @@
- ansible_facts['pkg_mgr'] == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
- name: Create system links - name: Create system links
file: ansible.builtin.file:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
state: "link" state: "link"
@ -37,7 +37,7 @@
- ansible_facts['pkg_mgr'] == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
- name: Add shibboleth repo - name: Add shibboleth repo
yum_repository: ansible.builtin.yum_repository:
name: "shibboleth" name: "shibboleth"
description: "shibboleth Repo" description: "shibboleth Repo"
baseurl: "{{ keystone_centos_shibboleth_mirror }}" baseurl: "{{ keystone_centos_shibboleth_mirror }}"
@ -48,7 +48,7 @@
- keystone_sp != {} - keystone_sp != {}
- name: Install distro packages - name: Install distro packages
package: ansible.builtin.package:
name: "{{ keystone_package_list }}" name: "{{ keystone_package_list }}"
state: "{{ keystone_package_state }}" state: "{{ keystone_package_state }}"
update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}" update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
@ -62,13 +62,13 @@
- Restart uWSGI - Restart uWSGI
- name: Install/remove apache mod packages for federated authentication - name: Install/remove apache mod packages for federated authentication
package: ansible.builtin.package:
name: "{{ item.name }}" name: "{{ item.name }}"
state: "{{ item.state }}" state: "{{ item.state }}"
with_items: "{{ keystone_sp_apache_mod_packages }}" with_items: "{{ keystone_sp_apache_mod_packages }}"
- name: Install the python venv - name: Install the python venv
import_role: ansible.builtin.import_role:
name: "python_venv_build" name: "python_venv_build"
vars: vars:
venv_python_executable: "{{ keystone_venv_python_executable }}" venv_python_executable: "{{ keystone_venv_python_executable }}"
@ -100,7 +100,7 @@
when: keystone_install_method == 'distro' when: keystone_install_method == 'distro'
block: block:
- name: Record the osa version deployed - name: Record the osa version deployed
ini_file: community.general.ini_file:
dest: "/etc/ansible/facts.d/openstack_ansible.fact" dest: "/etc/ansible/facts.d/openstack_ansible.fact"
section: keystone section: keystone
option: venv_tag option: venv_tag
@ -111,7 +111,7 @@
# for keystone user $HOME: # for keystone user $HOME:
# https://bugs.launchpad.net/cloud-archive/+bug/2060235 # https://bugs.launchpad.net/cloud-archive/+bug/2060235
- name: Ensure SSH keys has right permissions - name: Ensure SSH keys has right permissions
file: ansible.builtin.file:
path: "{{ keystone_system_user_home }}/.ssh/id_rsa" path: "{{ keystone_system_user_home }}/.ssh/id_rsa"
mode: "0600" mode: "0600"
when: when:
@ -119,7 +119,7 @@
- ansible_facts['distribution'] | lower == 'ubuntu' - ansible_facts['distribution'] | lower == 'ubuntu'
- name: Initialise the upgrade facts - name: Initialise the upgrade facts
ini_file: community.general.ini_file:
dest: "/etc/ansible/facts.d/openstack_ansible.fact" dest: "/etc/ansible/facts.d/openstack_ansible.fact"
section: keystone section: keystone
option: "{{ item.name }}" option: "{{ item.name }}"
@ -140,7 +140,7 @@
('need_db_contract' not in ansible_local['openstack_ansible']['keystone']) ('need_db_contract' not in ansible_local['openstack_ansible']['keystone'])
- name: Create WSGI symlinks - name: Create WSGI symlinks
file: ansible.builtin.file:
src: "{{ keystone_bin }}/keystone-wsgi-public" src: "{{ keystone_bin }}/keystone-wsgi-public"
dest: "/var/www/cgi-bin/keystone/main" dest: "/var/www/cgi-bin/keystone/main"
state: link state: link

4
tasks/keystone_key_setup.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Ensure .ssh directory is present - name: Ensure .ssh directory is present
file: ansible.builtin.file:
state: directory state: directory
path: "{{ keystone_system_user_home }}/.ssh" path: "{{ keystone_system_user_home }}/.ssh"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
@ -22,7 +22,7 @@
mode: "0755" mode: "0755"
- name: Create ssh keys for synchronising fernet keys - name: Create ssh keys for synchronising fernet keys
include_role: ansible.builtin.include_role:
name: openstack.osa.ssh_keypairs name: openstack.osa.ssh_keypairs
args: args:
apply: apply:

4
tasks/keystone_ldap_setup.yml
View File

@ -33,7 +33,7 @@
ansible_python_interpreter: "{{ keystone_service_setup_host_python_interpreter }}" ansible_python_interpreter: "{{ keystone_service_setup_host_python_interpreter }}"
- name: Create Keystone LDAP domain configs - name: Create Keystone LDAP domain configs
template: ansible.builtin.template:
src: keystone.domain.conf.j2 src: keystone.domain.conf.j2
dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf" dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
owner: "root" owner: "root"
@ -49,7 +49,7 @@
# keystone.Default.conf and this will cause errors when adding LDAP-backed # keystone.Default.conf and this will cause errors when adding LDAP-backed
# domains. # domains.
- name: Remove Keystone Default domain configuration file if not needed - name: Remove Keystone Default domain configuration file if not needed
file: ansible.builtin.file:
path: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf" path: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
state: absent state: absent
when: keystone_ldap.Default is not defined when: keystone_ldap.Default is not defined

12
tasks/keystone_post_install.yml
View File

@ -17,7 +17,7 @@
# the key rotation script will not be able to copy the # the key rotation script will not be able to copy the
# keys to the other nodes when they rotate. # keys to the other nodes when they rotate.
- name: Enable SSHD on all keystone hosts - name: Enable SSHD on all keystone hosts
systemd: ansible.builtin.systemd:
name: "{{ keystone_sshd }}" name: "{{ keystone_sshd }}"
state: started state: started
enabled: true enabled: true
@ -54,7 +54,7 @@
- keystone-policy-override - keystone-policy-override
- name: Remove legacy policy.yaml file - name: Remove legacy policy.yaml file
file: ansible.builtin.file:
path: "/etc/keystone/policy.yaml" path: "/etc/keystone/policy.yaml"
state: absent state: absent
when: when:
@ -66,13 +66,13 @@
# because we only want to copy the original files once. and we # because we only want to copy the original files once. and we
# don't want to need multiple tasks. # don't want to need multiple tasks.
- name: Preserve original configuration file(s) - name: Preserve original configuration file(s)
command: "cp {{ item.target_f }} {{ item.target_f }}.original" ansible.builtin.command: "cp {{ item.target_f }} {{ item.target_f }}.original"
args: args:
creates: "{{ item.target_f }}.original" creates: "{{ item.target_f }}.original"
with_items: "{{ keystone_core_files }}" with_items: "{{ keystone_core_files }}"
- name: Fetch override files - name: Fetch override files
fetch: ansible.builtin.fetch:
src: "{{ item.target_f }}" src: "{{ item.target_f }}"
dest: "{{ item.tmp_f }}" dest: "{{ item.tmp_f }}"
flat: true flat: true
@ -95,7 +95,7 @@
- Restart web server - Restart web server
- name: Cleanup fetched temp files - name: Cleanup fetched temp files
file: ansible.builtin.file:
path: "{{ item.tmp_f }}" path: "{{ item.tmp_f }}"
state: absent state: absent
changed_when: false changed_when: false
@ -104,7 +104,7 @@
with_items: "{{ keystone_core_files }}" with_items: "{{ keystone_core_files }}"
- name: Copy sso callback file - name: Copy sso callback file
copy: ansible.builtin.copy:
src: "{{ keystone_sso_callback_file_path }}" src: "{{ keystone_sso_callback_file_path }}"
dest: "/etc/keystone/sso_callback_template.html" dest: "/etc/keystone/sso_callback_template.html"
mode: "0644" mode: "0644"

4
tasks/keystone_service_bootstrap.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Wait for service to be up - name: Wait for service to be up
uri: ansible.builtin.uri:
url: "{{ keystone_service_internaluri }}" url: "{{ keystone_service_internaluri }}"
method: "HEAD" method: "HEAD"
status_code: 300 status_code: 300
@ -24,7 +24,7 @@
delay: 5 delay: 5
- name: Bootstrap keystone admin and endpoint - name: Bootstrap keystone admin and endpoint
command: | ansible.builtin.command: |
{{ keystone_bin }}/keystone-manage bootstrap \ {{ keystone_bin }}/keystone-manage bootstrap \
--bootstrap-username {{ keystone_admin_user_name }} \ --bootstrap-username {{ keystone_admin_user_name }} \
--bootstrap-password {{ keystone_auth_admin_password }} \ --bootstrap-password {{ keystone_auth_admin_password }} \

52
tasks/main.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Fail if our required secrets are not present - name: Fail if our required secrets are not present
fail: ansible.builtin.fail:
msg: "Please set the {{ item }} variable prior to applying this role." msg: "Please set the {{ item }} variable prior to applying this role."
when: (item is undefined) or (item is none) when: (item is undefined) or (item is none)
with_items: "{{ keystone_required_secrets }}" with_items: "{{ keystone_required_secrets }}"
@ -22,7 +22,7 @@
- always - always
- name: Fail if service was deployed using a different installation method - name: Fail if service was deployed using a different installation method
fail: ansible.builtin.fail:
msg: "Switching installation methods for OpenStack services is not supported" msg: "Switching installation methods for OpenStack services is not supported"
when: when:
- ansible_local is defined - ansible_local is defined
@ -32,7 +32,7 @@
- ansible_local.openstack_ansible.keystone.install_method != keystone_install_method - ansible_local.openstack_ansible.keystone.install_method != keystone_install_method
- name: Gather variables for each operating system - name: Gather variables for each operating system
include_vars: "{{ lookup('first_found', params) }}" ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars: vars:
params: params:
files: files:
@ -47,12 +47,12 @@
- always - always
- name: Gather variables for installation method - name: Gather variables for installation method
include_vars: "{{ keystone_install_method }}_install.yml" ansible.builtin.include_vars: "{{ keystone_install_method }}_install.yml"
tags: tags:
- always - always
- name: Fact for apache module shibboleth to be installed - name: Fact for apache module shibboleth to be installed
set_fact: ansible.builtin.set_fact:
keystone_sp_apache_mod_shib: >- keystone_sp_apache_mod_shib: >-
{{ {{
(keystone_sp != {} and (keystone_sp.apache_mod is undefined or ( (keystone_sp != {} and (keystone_sp.apache_mod is undefined or (
@ -63,7 +63,7 @@
- always - always
- name: Fact for apache module mod_auth_openidc to be installed - name: Fact for apache module mod_auth_openidc to be installed
set_fact: ansible.builtin.set_fact:
keystone_sp_apache_mod_auth_openidc: keystone_sp_apache_mod_auth_openidc:
"{{ (keystone_sp != {} and "{{ (keystone_sp != {} and
keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc') keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
@ -72,7 +72,7 @@
- always - always
- name: Including osa.db_setup role - name: Including osa.db_setup role
include_role: ansible.builtin.include_role:
name: openstack.osa.db_setup name: openstack.osa.db_setup
apply: apply:
tags: tags:
@ -94,7 +94,7 @@
- always - always
- name: Including osa.mq_setup role - name: Including osa.mq_setup role
include_role: ansible.builtin.include_role:
name: openstack.osa.mq_setup name: openstack.osa.mq_setup
apply: apply:
tags: tags:
@ -121,25 +121,25 @@
- always - always
- name: Importing keystone_install tasks - name: Importing keystone_install tasks
import_tasks: keystone_install.yml ansible.builtin.import_tasks: keystone_install.yml
tags: tags:
- keystone-install - keystone-install
- name: Refresh local facts - name: Refresh local facts
setup: ansible.builtin.setup:
filter: ansible_local filter: ansible_local
gather_subset: "!all" gather_subset: "!all"
tags: tags:
- keystone-config - keystone-config
- name: Importing keystone_post_install tasks - name: Importing keystone_post_install tasks
import_tasks: keystone_post_install.yml ansible.builtin.import_tasks: keystone_post_install.yml
tags: tags:
- keystone-config - keystone-config
- post-install - post-install
- name: Importing keystone_fernet tasks - name: Importing keystone_fernet tasks
import_tasks: keystone_fernet.yml ansible.builtin.import_tasks: keystone_fernet.yml
when: when:
- "'fernet' in keystone_token_provider" - "'fernet' in keystone_token_provider"
- keystone_service_setup | bool - keystone_service_setup | bool
@ -147,20 +147,20 @@
- keystone-config - keystone-config
- name: Importing keystone_db_sync tasks - name: Importing keystone_db_sync tasks
import_tasks: keystone_db_sync.yml ansible.builtin.import_tasks: keystone_db_sync.yml
when: when:
- "keystone_database_enabled | bool" - "keystone_database_enabled | bool"
tags: tags:
- keystone-config - keystone-config
- name: Importing keystone_credential tasks - name: Importing keystone_credential tasks
import_tasks: keystone_credential.yml ansible.builtin.import_tasks: keystone_credential.yml
when: keystone_service_setup | bool when: keystone_service_setup | bool
tags: tags:
- keystone-config - keystone-config
- name: Importing keystone_federation_sp_shib_setup tasks - name: Importing keystone_federation_sp_shib_setup tasks
import_tasks: keystone_federation_sp_shib_setup.yml ansible.builtin.import_tasks: keystone_federation_sp_shib_setup.yml
when: when:
- keystone_sp_apache_mod_shib - keystone_sp_apache_mod_shib
- not (keystone_use_uwsgi | bool) - not (keystone_use_uwsgi | bool)
@ -168,7 +168,7 @@
- keystone-config - keystone-config
- name: Create and install SSL certificates - name: Create and install SSL certificates
include_role: ansible.builtin.include_role:
name: pki name: pki
tasks_from: main_certs.yml tasks_from: main_certs.yml
vars: vars:
@ -187,14 +187,14 @@
- keystone-config - keystone-config
- name: Importing keystone_apache tasks - name: Importing keystone_apache tasks
import_tasks: "keystone_apache.yml" ansible.builtin.import_tasks: "keystone_apache.yml"
when: when:
- not (keystone_use_uwsgi | bool) - not (keystone_use_uwsgi | bool)
tags: tags:
- keystone-config - keystone-config
- name: Import uwsgi role - name: Import uwsgi role
import_role: ansible.builtin.import_role:
name: uwsgi name: uwsgi
vars: vars:
uwsgi_services: "{{ uwsgi_keystone_services }}" uwsgi_services: "{{ uwsgi_keystone_services }}"
@ -204,10 +204,10 @@
- uwsgi - uwsgi
- name: Flush handlers - name: Flush handlers
meta: flush_handlers ansible.builtin.meta: flush_handlers
- name: Including keystone_service_bootstrap tasks - name: Including keystone_service_bootstrap tasks
include_tasks: keystone_service_bootstrap.yml ansible.builtin.include_tasks: keystone_service_bootstrap.yml
args: args:
apply: apply:
tags: tags:
@ -224,7 +224,7 @@
# the endpoints which were bootstrapped in keystone_service_bootstrap. # the endpoints which were bootstrapped in keystone_service_bootstrap.
- name: Wait for services to be up - name: Wait for services to be up
delegate_to: "{{ keystone_service_setup_host }}" delegate_to: "{{ keystone_service_setup_host }}"
uri: ansible.builtin.uri:
url: "{{ item.url }}" url: "{{ item.url }}"
validate_certs: "{{ item.validate_certs }}" validate_certs: "{{ item.validate_certs }}"
method: "HEAD" method: "HEAD"
@ -242,7 +242,7 @@
delay: 5 delay: 5
- name: Including osa.service_setup role - name: Including osa.service_setup role
include_role: ansible.builtin.include_role:
name: openstack.osa.service_setup name: openstack.osa.service_setup
apply: apply:
tags: tags:
@ -277,7 +277,7 @@
- always - always
- name: Including keystone_ldap_setup tasks - name: Including keystone_ldap_setup tasks
import_tasks: keystone_ldap_setup.yml ansible.builtin.import_tasks: keystone_ldap_setup.yml
when: when:
- keystone_service_setup | bool - keystone_service_setup | bool
- keystone_ldap != {} - keystone_ldap != {}
@ -285,10 +285,10 @@
- keystone-config - keystone-config
- name: Flush handlers - name: Flush handlers
meta: flush_handlers ansible.builtin.meta: flush_handlers
- name: Including keystone_idp_setup tasks - name: Including keystone_idp_setup tasks
include_tasks: keystone_idp_setup.yml ansible.builtin.include_tasks: keystone_idp_setup.yml
args: args:
apply: apply:
tags: tags:
@ -300,7 +300,7 @@
- always - always
- name: Diagnose common problems with keystone deployments - name: Diagnose common problems with keystone deployments
command: "{{ keystone_bin }}/keystone-manage doctor" ansible.builtin.command: "{{ keystone_bin }}/keystone-manage doctor"
become: true become: true
become_user: "{{ keystone_system_user_name }}" become_user: "{{ keystone_system_user_name }}"
register: keystone_doctor register: keystone_doctor

2
tasks/main_keystone_federation_sp_idp_setup.yml
View File

@ -1,6 +1,6 @@
--- ---
- name: Including keystone_federation_sp_idp_setup tasks - name: Including keystone_federation_sp_idp_setup tasks
include_tasks: keystone_federation_sp_idp_setup.yml ansible.builtin.include_tasks: keystone_federation_sp_idp_setup.yml
with_items: "{{ keystone_sp.trusted_idp_list }}" with_items: "{{ keystone_sp.trusted_idp_list }}"
loop_control: loop_control:
loop_var: trusted_idp loop_var: trusted_idp

14
tasks/main_pre.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Gather variables for each operating system - name: Gather variables for each operating system
include_vars: "{{ lookup('first_found', params) }}" ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars: vars:
params: params:
files: files:
@ -29,14 +29,14 @@
- always - always
- name: Create system groups - name: Create system groups
group: ansible.builtin.group:
name: "{{ item }}" name: "{{ item }}"
state: "present" state: "present"
system: "yes" system: "yes"
with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}" with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"
- name: Create the keystone system user - name: Create the keystone system user
user: ansible.builtin.user:
name: "{{ keystone_system_user_name }}" name: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}" group: "{{ keystone_system_group_name }}"
groups: "{{ keystone_system_additional_groups | join(',') }}" groups: "{{ keystone_system_additional_groups | join(',') }}"
@ -47,7 +47,7 @@
home: "{{ keystone_system_user_home }}" home: "{{ keystone_system_user_home }}"
- name: Create keystone dir - name: Create keystone dir
file: ansible.builtin.file:
path: "{{ item.path | default(omit) }}" path: "{{ item.path | default(omit) }}"
src: "{{ item.src | default(omit) }}" src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}" dest: "{{ item.dest | default(omit) }}"
@ -80,7 +80,7 @@
group: root group: root
- name: Install distro packages - name: Install distro packages
package: ansible.builtin.package:
name: "{{ keystone_distro_packages }}" name: "{{ keystone_distro_packages }}"
state: "{{ keystone_package_state }}" state: "{{ keystone_package_state }}"
update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}" update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
@ -93,7 +93,7 @@
- Restart ssh - Restart ssh
- name: Adjust sshd configuration in container - name: Adjust sshd configuration in container
lineinfile: ansible.builtin.lineinfile:
dest: "/etc/ssh/sshd_config" dest: "/etc/ssh/sshd_config"
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
@ -103,6 +103,6 @@
- Restart ssh - Restart ssh
- name: Importing keystone_key_setup tasks - name: Importing keystone_key_setup tasks
import_tasks: keystone_key_setup.yml ansible.builtin.import_tasks: keystone_key_setup.yml
tags: tags:
- keystone-install - keystone-install