diff --git a/defaults/main.yml b/defaults/main.yml index 607c6356..2b51f3c7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,7 +20,11 @@ debug: False # for the service setup. The host must already have # clouds.yaml properly configured. keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -keystone_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +keystone_service_setup_host_python_interpreter: >- + {{ + openstack_service_setup_host_python_interpreter | default( + (keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} # Set the package install state for distribution packages # Options are 'present' and 'latest' @@ -39,7 +43,8 @@ keystone_shibboleth_repo: {} keystone_git_repo: https://opendev.org/openstack/keystone keystone_git_install_branch: master -keystone_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}" +keystone_upper_constraints_url: >- + {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }} keystone_git_constraints: - "--constraint {{ keystone_upper_constraints_url }}" 
@@ -97,13 +102,19 @@ keystone_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') } ## Database info keystone_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}" -keystone_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +keystone_db_setup_python_interpreter: >- + {{ + openstack_db_setup_python_interpreter | default( + (keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}" keystone_galera_user: keystone keystone_galera_database: keystone keystone_galera_port: "{{ galera_port | default('3306') }}" keystone_database_connection_string: >- - mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{keystone_galera_port}}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{% if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %} + mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{ keystone_galera_port }}/{{ + keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{% + if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %} ## Database SSL keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}" keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}" 
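Review bot: The new line breaks in keystone_database_connection_string are safe only because each one falls inside a `{{ … }}` or `{% … %}` tag, where Jinja discards the whitespace; a break placed in the literal URL text of this `>-` scalar would fold a space (or, on a more-indented line, a newline) into the value, and that string carries the database user, password and host straight into keystone.conf. Nothing in the hunk tells the next editor about that constraint, and re-wrapping the line at a "natural" point like the `?charset=` boundary would silently corrupt the DSN. I would add above the key: `# NOTE: wrap only inside Jinja tags; a break in the URL text is folded into the connection string`.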
@@ -131,7 +142,8 @@ keystone_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}" # Notify keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}" -keystone_oslomsg_notify_setup_host: "{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}" +keystone_oslomsg_notify_setup_host: >- + {{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }} keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}" keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}" keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}" @@ -177,7 +189,7 @@ keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ int keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" ## Set this value to override the "public_endpoint" keystone.conf variable -#keystone_public_endpoint: "{{ keystone_service_publicuri }}" +# keystone_public_endpoint: "{{ keystone_service_publicuri }}" # Enable or disable uWSGI as the primary service manager. While uWSGI is used # for basic deployments, when this option is enabled it will become the sole @@ -215,7 +227,7 @@ keystone_httpd_mpm_max_conn_child: 0 keystone_wsgi_threads: 1 ## Cap the maximun number of processes when a user value is unspecified. keystone_wsgi_processes_max: 16 -keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}" +keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}" keystone_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}" keystone_uwsgi_ports: 
@@ -244,7 +256,8 @@ keystone_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}" keystone_pki_keys_path: "{{ keystone_pki_dir ~ '/certs/private/' }}" keystone_pki_certs_path: "{{ keystone_pki_dir ~ '/certs/certs/' }}" keystone_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}" -keystone_pki_intermediate_cert_path: "{{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}" +keystone_pki_intermediate_cert_path: >- + {{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }} keystone_pki_regen_cert: '' # By default, CA creation is controlled using the CA 'condition' field @@ -322,14 +335,16 @@ keystone_pki_install_certificates: keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}" # TLS v1.2 and below -keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}" +keystone_ssl_cipher_suite_tls12: >- + {{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }} # TLS v1.3 -keystone_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}" +keystone_ssl_cipher_suite_tls13: >- + {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }} # Set these variables to deploy custom certificates -#keystone_user_ssl_cert: -#keystone_user_ssl_key: -#keystone_user_ssl_ca_cert: +# keystone_user_ssl_cert: +# keystone_user_ssl_key: +# keystone_user_ssl_ca_cert: # Set to true when terminating SSL/TLS at a load balancer keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}" 
@@ -370,187 +385,186 @@ keystone_ldap: {} keystone_ldap_domain_config_dir: /etc/keystone/domains - ## Policy vars # Provide a list of access controls to update the default policy.json with. These changes will be merged # with the access controls in the default policy.json. E.g. -#keystone_policy_overrides: -# identity:create_region: "rule:admin_required" -# identity:update_region: "rule:admin_required" +# keystone_policy_overrides: +# identity:create_region: "rule:admin_required" +# identity:update_region: "rule:admin_required" ## Federation # Enable the following section on the Keystone IdP keystone_idp: {} -#keystone_idp: -# certfile: "/etc/keystone/ssl/idp_signing_cert.pem" -# keyfile: "/etc/keystone/ssl/idp_signing_key.pem" -# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" -# regen_cert: false -# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp" -# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso" -# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml -# service_providers: -# - id: "sp_1" -# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth -# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP -# # the following settings are optional -# organization_name: example_company -# organization_display_name: Example Corp. 
-# organization_url: example.com -# contact_company: example_company -# contact_name: John -# contact_surname: Smith -# contact_email: jsmith@example.com -# contact_telephone: 555-55-5555 -# contact_type: technical +# keystone_idp: +# certfile: "/etc/keystone/ssl/idp_signing_cert.pem" +# keyfile: "/etc/keystone/ssl/idp_signing_key.pem" +# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" +# regen_cert: false +# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp" +# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso" +# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml +# service_providers: +# - id: "sp_1" +# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth +# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP +# # the following settings are optional +# organization_name: example_company +# organization_display_name: Example Corp. +# organization_url: example.com +# contact_company: example_company +# contact_name: John +# contact_surname: Smith +# contact_email: jsmith@example.com +# contact_telephone: 555-55-5555 +# contact_type: technical # Enable the following section in order to install and configure # Keystone as a Resource Service Provider (SP) and to configure # trusts with specific Identity Providers (IdP). 
keystone_sp: {} -#keystone_sp: -# cert_duration_years: 5 -# apache_mod: shibboleth #or mod_auth_openidc -# cadf_notifications: false -# cadf_notifications_opt_out: -# - identity.authenticate.failed -# - identity.authenticate.pending -# - identity.authenticate.success -# trusted_dashboard_list: -# - "https://{{ external_lb_vip_address }}/auth/websso/" -# - "https://{{ horizon_server_name }}/auth/websso/" -# trusted_idp_list: -# note that only one of these is supported at any one time for now -# - name: "keystone-idp" -# domain_id: "default" -# display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown -# entity_ids: -# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp' -# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata' -# metadata_file: 'metadata-keystone-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: keystone-idp-mapping -# rules: -# - remote: -# - type: openstack_user -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# user: -# name: '{0}' -# attributes: -# - name: openstack_user -# id: openstack_user -# - name: openstack_roles -# id: openstack_roles -# - name: openstack_project -# id: openstack_project -# - name: openstack_user_domain -# id: openstack_user_domain -# - name: openstack_project_domain -# id: openstack_project_domain +# keystone_sp: +# cert_duration_years: 5 +# apache_mod: shibboleth #or mod_auth_openidc +# cadf_notifications: false +# cadf_notifications_opt_out: +# - identity.authenticate.failed +# - identity.authenticate.pending +# - identity.authenticate.success +# trusted_dashboard_list: +# - "https://{{ external_lb_vip_address }}/auth/websso/" +# - "https://{{ horizon_server_name }}/auth/websso/" +# trusted_idp_list: +# note that only one of these is supported at any one time for now +# - name: "keystone-idp" +# domain_id: "default" +# 
display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown +# entity_ids: +# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp' +# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata' +# metadata_file: 'metadata-keystone-idp.xml' +# metadata_reload: 1800 +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: saml2 +# mapping: +# name: keystone-idp-mapping +# rules: +# - remote: +# - type: openstack_user +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# user: +# name: '{0}' +# attributes: +# - name: openstack_user +# id: openstack_user +# - name: openstack_roles +# id: openstack_roles +# - name: openstack_project +# id: openstack_project +# - name: openstack_user_domain +# id: openstack_user_domain +# - name: openstack_project_domain +# id: openstack_project_domain # -# - name: 'testshib-idp' -# entity_ids: -# - 'https://idp.testshib.org/idp/shibboleth' -# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml' -# metadata_file: 'metadata-testshib-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: testshib-idp-mapping -# rules: -# - remote: -# - type: eppn -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# - user: -# name: '{0}' +# - name: 'testshib-idp' +# entity_ids: +# - 'https://idp.testshib.org/idp/shibboleth' +# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml' +# metadata_file: 'metadata-testshib-idp.xml' +# metadata_reload: 1800 +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: saml2 +# mapping: +# name: testshib-idp-mapping +# rules: +# - remote: +# - type: eppn +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# - user: +# name: 
'{0}' # -# - name: 'adfs-idp' -# entity_ids: -# - 'http://adfs.contoso.com/adfs/services/trust' -# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -# metadata_file: 'metadata-adfs-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: adfs-idp-mapping -# rules: -# - remote: -# - type: upn -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# - user: -# name: '{0}' -# attributes: -# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' -# id: upn +# - name: 'adfs-idp' +# entity_ids: +# - 'http://adfs.contoso.com/adfs/services/trust' +# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' +# metadata_file: 'metadata-adfs-idp.xml' +# metadata_reload: 1800 +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: saml2 +# mapping: +# name: adfs-idp-mapping +# rules: +# - remote: +# - type: upn +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# - user: +# name: '{0}' +# attributes: +# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' +# id: upn # -# - name: "keycloak-oidc-idp" -# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration -# oidc_client_id: keystone -# oidc_client_secret: secret -# oidc_crypto_passphrase: random string -# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth -# oidc_oauth_introspection_endpoint: endpoint address (optional) -# oidc_oauth_client_id: string (optional) -# oidc_oauth_client_secret: secret (optional) -# oidc_pkce_method: plain | S256 | referred_tb (optional) -# oidc_outgoing_proxy: "proxy address" (optional setting) -# oidc_auth_request_params: 
param=some+url+encoded+value¶m2=and+another+one (optional) -# oidc_state_max_number_of_cookies: 5 false (optional) -# oidc_default_url: https://example.com/callback (optional) -# entity_ids: -# - 'https://identity-provider/openid-endpoint/' -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: openid -# mapping: -# name: keycloak-oidc-idp-openid-mapping -# rules: -# - remote: -# - type: OIDC-email -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# user: -# name: '{0}' +# - name: "keycloak-oidc-idp" +# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration +# oidc_client_id: keystone +# oidc_client_secret: secret +# oidc_crypto_passphrase: random string +# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth +# oidc_oauth_introspection_endpoint: endpoint address (optional) +# oidc_oauth_client_id: string (optional) +# oidc_oauth_client_secret: secret (optional) +# oidc_pkce_method: plain | S256 | referred_tb (optional) +# oidc_outgoing_proxy: "proxy address" (optional setting) +# oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one (optional) +# oidc_state_max_number_of_cookies: 5 false (optional) +# oidc_default_url: https://example.com/callback (optional) +# entity_ids: +# - 'https://identity-provider/openid-endpoint/' +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: openid +# mapping: +# name: keycloak-oidc-idp-openid-mapping +# rules: +# - remote: +# - type: OIDC-email +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# user: +# name: '{0}' keystone_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}" 
@@ -581,7 +595,7 @@ keystone_optional_oslomsg_amqp1_pip_packages: # template engine and copied to the target host. # keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html" -#: Tunable file-based overrides +## Tunable file-based overrides # The contents of these files, if they exist, are read from the # specified path on the deployment host, interpreted by the # template engine and copied to the target host. If they do @@ -589,7 +603,7 @@ keystone_optional_oslomsg_amqp1_pip_packages: shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem" shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem" -#: Tunable var-based overrides +## Tunable var-based overrides # The contents of these are templated over the default files. keystone_keystone_conf_overrides: {} keystone_keystone_default_conf_overrides: {} @@ -643,7 +657,7 @@ keystone_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | defaul # directory on the deploy host to create and store SSH keypairs keystone_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}" -#Each keystone host needs a signed ssh certificate to log into the others +# Each keystone host needs a signed ssh certificate to log into the others keystone_ssh_keypairs: - name: "keystone-{{ inventory_hostname }}" cert: @@ -652,7 +666,7 @@ keystone_ssh_keypairs: valid_from: "{{ keystone_ssh_key_valid_from | default('always') }}" valid_to: "{{ keystone_ssh_key_valid_to | default('forever') }}" -#Each keystone host needs the signed ssh certificate installing to the keystone user +# Each keystone host needs the signed ssh certificate installing to the keystone user keystone_ssh_keypairs_install_keys: owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" 
@@ -660,10 +674,10 @@ keystone_ssh_keypairs_install_keys: - cert: "keystone-{{ inventory_hostname }}" dest: "{{ keystone_system_user_home }}/.ssh/id_rsa" -#Each compute host must trust the SSHD certificate authoritiy in the sshd configuration +# Each compute host must trust the SSHD certificate authoritiy in the sshd configuration keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}" -#Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user +# Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user keystone_ssh_keypairs_principals: - user: "{{ keystone_system_user_name }}" principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}" diff --git a/handlers/main.yml b/handlers/main.yml index b0fccf6e..67706d3c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -101,6 +101,7 @@ debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf") redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211 shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}" + changed_when: false delegate_to: "{{ item }}" with_items: "{{ groups.memcached_all }}" listen: flush cache diff --git a/meta/main.yml b/meta/main.yml index 213588d5..0bfa4023 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,19 +18,21 @@ galaxy_info: description: Installation and setup of keystone company: Rackspace license: Apache2 - min_ansible_version: 2.4 + role_name: os_keystone + namespace: openstack + min_ansible_version: "2.10" platforms: - name: Debian versions: - - buster + - bullseye - name: Ubuntu versions: - - bionic - focal + - jammy - name: EL versions: - - 8 - categories: + - "9" + galaxy_tags: - cloud - python - keystone 
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml index f24eceb3..5626fe49 100644 --- a/tasks/keystone_apache.yml +++ b/tasks/keystone_apache.yml @@ -31,6 +31,7 @@ state: directory owner: "{{ keystone_apache_default_log_owner }}" group: "{{ keystone_apache_default_log_grp }}" + mode: "0755" ## NOTE(cloudnull): ## Module enable/disable process is only functional on Debian @@ -51,6 +52,7 @@ dest: "{{ item.dest }}" owner: "root" group: "root" + mode: "0644" with_items: "{{ keystone_apache_configs }}" notify: - Restart web server @@ -76,7 +78,7 @@ line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so' state: "present" when: - - ansible_facts['pkg_mgr'] == 'dnf' + - ansible_facts['pkg_mgr'] == 'dnf' notify: - Restart web server diff --git a/tasks/keystone_credential.yml b/tasks/keystone_credential.yml index ba819b0b..02d221c8 100644 --- a/tasks/keystone_credential.yml +++ b/tasks/keystone_credential.yml @@ -13,10 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: keystone_credential_create.yml +- name: Including keystone_credential_create tasks + include_tasks: keystone_credential_create.yml when: _keystone_is_first_play_host -- include_tasks: keystone_credential_distribute.yml +- name: Including keystone_credential_distribute tasks + include_tasks: keystone_credential_distribute.yml when: _keystone_is_first_play_host -- include_tasks: keystone_credential_autorotate.yml +- name: Including keystone_credential_autorotate tasks + include_tasks: keystone_credential_autorotate.yml diff --git a/tasks/keystone_credential_create.yml b/tasks/keystone_credential_create.yml index 5001ced8..f0fce59b 100644 --- a/tasks/keystone_credential_create.yml +++ b/tasks/keystone_credential_create.yml 
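Review bot: `mode: "0755"` on the directory task in hunk @@ -31 (the owner/group variables suggest this is the Apache log directory; the path itself is outside the hunk) now forces the mode on every run, whereas before the task left an existing directory's permissions alone; on Debian the packaged web-server log directory ships as `0750` with group `adm`, so this can widen access to access logs that record client addresses and request paths for every Keystone call. If nothing outside the owner and `keystone_apache_default_log_grp` needs to traverse the directory, `mode: "0750"` satisfies the lint without broadening. If the role deliberately matches the `2755` it already applies to `/var/log/httpd` in keystone_install.yml, a one-line comment stating that would stop the next reviewer from asking the same question.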
@@ -70,7 +70,7 @@ register: drop_existing_credential_keys with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}" -- name: Create credential keys for Keystone +- name: Create credential keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage credential_setup --keystone-user "{{ keystone_system_user_name }}" @@ -82,7 +82,7 @@ - not _credential_keys.stat.exists - not drop_existing_credential_keys is changed -- name: Ensure newest key is used for credential in Keystone +- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage credential_migrate --keystone-user "{{ keystone_system_user_name }}" @@ -91,7 +91,7 @@ become_user: "{{ keystone_system_user_name }}" when: create_credential_keys is skipped -- name: Rotate credential keys for Keystone +- name: Rotate credential keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage credential_rotate --keystone-user "{{ keystone_system_user_name }}" diff --git a/tasks/keystone_db_sync.yml b/tasks/keystone_db_sync.yml index 364b994d..49ed1f89 100644 --- a/tasks/keystone_db_sync.yml +++ b/tasks/keystone_db_sync.yml @@ -28,11 +28,12 @@ section: keystone option: "{{ item.name }}" value: "{{ item.state }}" + mode: "0644" with_items: - name: "need_db_expand" state: "{{ (keystone_db_sync_check.rc | int == 2) | bool }}" - name: "need_db_migrate" - state: "{{ (keystone_db_sync_check.rc | int in [2, 3] ) | bool }}" + state: "{{ (keystone_db_sync_check.rc | int in [2, 3]) | bool }}" - name: "need_db_contract" state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}" 
@@ -46,7 +47,7 @@ # When keystone is initially built, the service does not yet exist on the # host this task is executed on. Detect the presence of the services. - name: Test if keystone service exists - service: + service: # noqa: args[module] name: "{{ item }}" check_mode: yes register: keystone_service_exists @@ -70,6 +71,7 @@ - name: Perform a Keystone DB sync expand command: "{{ keystone_bin }}/keystone-manage db_sync --expand" + changed_when: false become: yes become_user: "{{ keystone_system_user_name }}" when: @@ -79,6 +81,7 @@ - name: Perform a Keystone DB sync migrate command: "{{ keystone_bin }}/keystone-manage db_sync --migrate" + changed_when: false become: yes become_user: "{{ keystone_system_user_name }}" when: @@ -88,6 +91,7 @@ - name: Perform a Keystone DB sync contract command: "{{ keystone_bin }}/keystone-manage db_sync --contract" + changed_when: false become: yes become_user: "{{ keystone_system_user_name }}" when: diff --git a/tasks/keystone_federation_sp_shib_setup.yml b/tasks/keystone_federation_sp_shib_setup.yml index 10138041..b370f8cd 100644 --- a/tasks/keystone_federation_sp_shib_setup.yml +++ b/tasks/keystone_federation_sp_shib_setup.yml @@ -19,7 +19,7 @@ dest: "{{ item.dest }}" owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" - mode: "{{ item.mode|default('0644') }}" + mode: "{{ item.mode | default('0644') }}" with_items: - { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" } - { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" } @@ -29,8 +29,8 @@ - name: Copy Shibboleth SP key-pair (if provided) copy: content: "{{ item.content }}" - dest: "{{ item.dest }}" # noqa 206 - mode: "{{ item.mode|default('0640') }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode | default('0640') }}" when: - _keystone_is_first_play_host - item.content | length > 0 
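Review bot: `changed_when: false` on the three `keystone-manage db_sync --expand`/`--migrate`/`--contract` commands (hunks @@ -70, @@ -79 and @@ -88) misreports real schema migrations as `ok`: the `when:` conditions that gate them, which continue outside the hunk, already restrict them to runs where the corresponding need_db_* fact is set, so whenever they execute they do change the database. Operators reading the play recap or a callback log lose the signal that a migration ran, and if a `notify` follows in the part of each task outside the hunk it will no longer fire. The same commit handles the equivalent `credential_setup` and `fernet_setup` commands with `# noqa: no-changed-when`; for consistency use that here too, or `changed_when: true`.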
@@ -66,8 +66,8 @@ - name: Register a fact for the cert and key set_fact: - keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}" - keystone_sp_key_fact: "{{ _keystone_sp_key.content }}" + keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}" + keystone_sp_key_fact: "{{ _keystone_sp_key.content }}" when: _keystone_is_first_play_host - name: Distribute sp key diff --git a/tasks/keystone_fernet.yml b/tasks/keystone_fernet.yml index 20760709..a1169c27 100644 --- a/tasks/keystone_fernet.yml +++ b/tasks/keystone_fernet.yml @@ -13,10 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: keystone_fernet_keys_create.yml +- name: Including keystone_fernet_keys_create tasks + include_tasks: keystone_fernet_keys_create.yml when: _keystone_is_first_play_host -- include_tasks: keystone_fernet_keys_distribute.yml +- name: Including keystone_fernet_keys_distribute tasks + include_tasks: keystone_fernet_keys_distribute.yml when: _keystone_is_first_play_host -- include_tasks: keystone_fernet_keys_autorotate.yml +- name: Including keystone_fernet_keys_autorotate tasks + include_tasks: keystone_fernet_keys_autorotate.yml diff --git a/tasks/keystone_fernet_keys_create.yml b/tasks/keystone_fernet_keys_create.yml index 2d95a924..591b5ecf 100644 --- a/tasks/keystone_fernet_keys_create.yml +++ b/tasks/keystone_fernet_keys_create.yml @@ -18,7 +18,7 @@ path: "{{ keystone_fernet_tokens_key_repository }}/0" register: _fernet_keys -- name: Create fernet keys for Keystone +- name: Create fernet keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" 
@@ -27,7 +27,7 @@ become_user: "{{ keystone_system_user_name }}" when: not _fernet_keys.stat.exists -- name: Rotate fernet keys for Keystone +- name: Rotate fernet keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" diff --git a/tasks/keystone_idp_setup.yml b/tasks/keystone_idp_setup.yml index 61a45213..17c0490a 100644 --- a/tasks/keystone_idp_setup.yml +++ b/tasks/keystone_idp_setup.yml @@ -18,6 +18,7 @@ {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }} become: yes become_user: "{{ keystone_system_user_name }}" + changed_when: false when: keystone_idp != {} notify: - Restart uWSGI diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml index 3b83ffd1..c3214119 100644 --- a/tasks/keystone_install.yml +++ b/tasks/keystone_install.yml @@ -17,9 +17,9 @@ file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner|default(keystone_system_user_name) }}" - group: "{{ item.group|default(keystone_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + owner: "{{ item.owner | default(keystone_system_user_name) }}" + group: "{{ item.group | default(keystone_system_group_name) }}" + mode: "{{ item.mode | default('0755') }}" with_items: - { path: "/var/lock/keystone", mode: "2755" } - { path: "/var/log/httpd", mode: "2755" } @@ -111,6 +111,7 @@ section: keystone option: venv_tag value: "{{ keystone_venv_tag }}" + mode: "0644" - name: Initialise the upgrade facts ini_file: @@ -118,6 +119,7 @@ section: keystone option: "{{ item.name }}" value: "{{ item.state }}" + mode: "0644" with_items: - name: "need_db_expand" state: "True" diff --git a/tasks/keystone_key_setup.yml b/tasks/keystone_key_setup.yml index 287173be..14967acf 100644 --- a/tasks/keystone_key_setup.yml +++ b/tasks/keystone_key_setup.yml 
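Review bot: `changed_when: false` added to the `saml_idp_metadata` shell task in tasks/keystone_idp_setup.yml (hunk @@ -18) makes the `notify: - Restart uWSGI` two lines below it dead: a handler is only notified by a task that reports changed, so after this commit the restart that should load the regenerated IdP metadata never runs. The task rewrites `{{ keystone_idp.idp_metadata_path }}` with a shell redirect on every run, so it was never idempotent; the lint finding is about that, not about the reporting. Either drop the `changed_when` line to keep the previous behaviour, or generate into a temporary file and apply it with the `copy` module so the changed status, and the notification, reflect a real change. The enclosing task starts outside the hunk.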
@@ -29,12 +29,12 @@ tags: - keystone-key vars: - ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}" - ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}" - ssh_keypairs: "{{ keystone_ssh_keypairs }}" - ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}" - ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}" - ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}" + ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}" + ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}" + ssh_keypairs: "{{ keystone_ssh_keypairs }}" + ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}" + ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}" + ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}" tags: - always diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml index 25be7db4..01ac34e4 100644 --- a/tasks/keystone_post_install.yml +++ b/tasks/keystone_post_install.yml @@ -107,6 +107,7 @@ copy: src: "{{ keystone_sso_callback_file_path }}" dest: "/etc/keystone/sso_callback_template.html" + mode: "0644" when: - keystone_sso_callback_file_path is defined notify: diff --git a/tasks/main.yml b/tasks/main.yml index a3307cd6..03a27fd6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,11 +53,12 @@ - name: Fact for apache module shibboleth to be installed set_fact: - keystone_sp_apache_mod_shib: - "{{ (keystone_sp != {} and - (keystone_sp.apache_mod is undefined or - (keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc')) - ) | ternary('true', 'false') }}" + keystone_sp_apache_mod_shib: >- + {{ + (keystone_sp != {} and (keystone_sp.apache_mod is undefined or ( + keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc')) + ) | ternary('true', 'false') + }} tags: - always 
@@ -70,7 +71,8 @@ tags: - always -- include_role: +- name: Including osa.db_setup role + include_role: name: openstack.osa.db_setup apply: tags: @@ -91,7 +93,8 @@ tags: - always -- include_role: +- name: Including osa.mq_setup role + include_role: name: openstack.osa.mq_setup apply: tags: @@ -113,40 +116,46 @@ tags: - always -- import_tasks: keystone_install.yml +- name: Importing keystone_install tasks + import_tasks: keystone_install.yml tags: - keystone-install -- name: refresh local facts +- name: Refresh local facts setup: filter: ansible_local gather_subset: "!all" tags: - keystone-config -- import_tasks: keystone_post_install.yml +- name: Importing keystone_post_install tasks + import_tasks: keystone_post_install.yml tags: - keystone-config -- import_tasks: keystone_fernet.yml +- name: Importing keystone_fernet tasks + import_tasks: keystone_fernet.yml when: - "'fernet' in keystone_token_provider" - keystone_service_setup | bool tags: - keystone-config -- import_tasks: keystone_db_sync.yml +- name: Importing keystone_db_sync tasks + import_tasks: keystone_db_sync.yml when: - "keystone_database_enabled | bool" tags: - keystone-config -- import_tasks: keystone_credential.yml +- name: Importing keystone_credential tasks + import_tasks: keystone_credential.yml when: keystone_service_setup | bool tags: - keystone-config -- import_tasks: keystone_federation_sp_shib_setup.yml +- name: Importing keystone_federation_sp_shib_setup tasks + import_tasks: keystone_federation_sp_shib_setup.yml when: - keystone_sp_apache_mod_shib - not (keystone_use_uwsgi | bool) @@ -172,7 +181,8 @@ tags: - keystone-config -- import_tasks: "keystone_apache.yml" +- name: Importing keystone_apache tasks + import_tasks: "keystone_apache.yml" when: - not (keystone_use_uwsgi | bool) tags: 
@@ -191,7 +201,8 @@ - name: Flush handlers meta: flush_handlers -- include_tasks: keystone_service_bootstrap.yml +- name: Including keystone_service_bootstrap tasks + include_tasks: keystone_service_bootstrap.yml args: apply: tags: @@ -225,7 +236,8 @@ retries: 12 delay: 5 -- include_role: +- name: Including osa.service_setup role + include_role: name: openstack.osa.service_setup apply: tags: @@ -259,7 +271,8 @@ tags: - always -- import_tasks: keystone_ldap_setup.yml +- name: Including keystone_ldap_setup tasks + import_tasks: keystone_ldap_setup.yml when: - keystone_service_setup | bool - keystone_ldap != {} @@ -269,7 +282,8 @@ - name: Flush handlers meta: flush_handlers -- include_tasks: keystone_idp_setup.yml +- name: Including keystone_idp_setup tasks + include_tasks: keystone_idp_setup.yml args: apply: tags: diff --git a/tasks/main_keystone_federation_sp_idp_setup.yml b/tasks/main_keystone_federation_sp_idp_setup.yml index fb23fbf8..d00e9cc8 100644 --- a/tasks/main_keystone_federation_sp_idp_setup.yml +++ b/tasks/main_keystone_federation_sp_idp_setup.yml @@ -1,4 +1,6 @@ -- include_tasks: keystone_federation_sp_idp_setup.yml +--- +- name: Including keystone_federation_sp_idp_setup tasks + include_tasks: keystone_federation_sp_idp_setup.yml with_items: "{{ keystone_sp.trusted_idp_list }}" loop_control: loop_var: trusted_idp diff --git a/tasks/main_pre.yml b/tasks/main_pre.yml index c238135b..77732807 100644 --- a/tasks/main_pre.yml +++ b/tasks/main_pre.yml 
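Review bot: The new task name `Including keystone_ldap_setup tasks` is attached to an `import_tasks`, while every other name added in this change uses `Importing …` for `import_tasks` and `Including …` for `include_tasks`/`include_role`. The mismatch is misleading because the two have different semantics (static import versus dynamic include, with `when:` on an import applied to each imported task), so the name should match the module actually used: `- name: Importing keystone_ldap_setup tasks`, or switch to `include_tasks` if dynamic inclusion was intended. The task's `when:` list runs to the end of this hunk.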
@@ -13,19 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: create the system group - group: - name: "{{ keystone_system_group_name }}" - state: "present" - system: "yes" - -- name: create additional groups +- name: Create system groups group: name: "{{ item }}" state: "present" system: "yes" - with_items: - - "{{ keystone_system_additional_groups }}" + with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}" - name: Create the keystone system user user: @@ -44,8 +37,8 @@ src: "{{ item.src | default(omit) }}" dest: "{{ item.dest | default(omit) }}" state: "{{ item.state | default('directory') }}" - owner: "{{ item.owner|default(keystone_system_user_name) }}" - group: "{{ item.group|default(keystone_system_group_name) }}" + owner: "{{ item.owner | default(keystone_system_user_name) }}" + group: "{{ item.group | default(keystone_system_group_name) }}" mode: "{{ item.mode | default(omit) }}" force: "{{ item.force | default(omit) }}" with_items: @@ -71,6 +64,7 @@ owner: root group: root -- import_tasks: keystone_key_setup.yml +- name: Importing keystone_key_setup tasks + import_tasks: keystone_key_setup.yml tags: - keystone-install diff --git a/vars/main.yml b/vars/main.yml index 1cd2fb71..e0fa30b8 100644 --- a/vars/main.yml +++ b/vars/main.yml 
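Review bot: The new `with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"` only works when `keystone_system_additional_groups` is a list; the removed form (`- "{{ keystone_system_additional_groups }}"` under `with_items`) let Ansible flatten the value, so a deployer override with a single group name as a scalar string previously iterated once and now raises a templating error. If that laxity should be kept, `with_items: "{{ [keystone_system_group_name] + ([keystone_system_additional_groups] | flatten) }}"` accepts both shapes; otherwise the list requirement is worth stating in the variable's documentation in `defaults/main.yml`. The `Create the keystone system user` task continues past the end of this hunk.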
@@ -35,8 +35,16 @@ uwsgi_keystone_services: |- {% endfor %} {{ services }} -_keystone_is_first_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool }}" -_keystone_is_last_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool }}" +_keystone_is_first_play_host: >- + {{ + (keystone_services['keystone-wsgi-public']['group'] in group_names and + inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool + }} +_keystone_is_last_play_host: >- + {{ + (keystone_services['keystone-wsgi-public']['group'] in group_names and + inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool + }} _keystone_cache_backend_map: dogpile: - oslo_cache.memcache_pool
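Review bot: The two folded expressions still repeat the long `groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts) | list` sub-expression, which is the part that made the original one-liners hard to read; since the commit's purpose is readability, factoring it into a helper variable and indexing that with `[0]` and `[-1]` would finish the job. This relies on the templated list round-tripping back into a list when the helper is referenced, which Ansible does for `[...]`-shaped results as far as I know, so please check it under the project's templating settings. The rest of the hunk (`_keystone_cache_backend_map`) is unchanged.

```yaml
_keystone_wsgi_public_play_hosts: >-
  {{ groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts) | list }}
_keystone_is_first_play_host: >-
  {{ (keystone_services['keystone-wsgi-public']['group'] in group_names and
      inventory_hostname == _keystone_wsgi_public_play_hosts[0]) | bool }}
_keystone_is_last_play_host: >-
  {{ (keystone_services['keystone-wsgi-public']['group'] in group_names and
      inventory_hostname == _keystone_wsgi_public_play_hosts[-1]) | bool }}
# … unchanged: _keystone_cache_backend_map …
```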