From eea1a4853f542de0745c3eff91462cd9b8b82872 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 14 Jul 2023 17:19:27 +0200
Subject: [PATCH] Fix linters and metadata

With update of ansible-lint to version >=6.0.0 a lot of new linters were added, that enabled by default. In order to comply with linter rules we're applying changes to the role. With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: Id92330b3c709201a74612c8353cefa75778eac0c
---
defaults/main.yml | 382 +++++++++---------
handlers/main.yml | 1 +
meta/main.yml | 12 +-
tasks/keystone_apache.yml | 4 +-
tasks/keystone_credential.yml | 9 +-
tasks/keystone_credential_create.yml | 6 +-
tasks/keystone_db_sync.yml | 8 +-
tasks/keystone_federation_sp_shib_setup.yml | 10 +-
tasks/keystone_fernet.yml | 9 +-
tasks/keystone_fernet_keys_create.yml | 4 +-
tasks/keystone_idp_setup.yml | 1 +
tasks/keystone_install.yml | 8 +-
tasks/keystone_key_setup.yml | 12 +-
tasks/keystone_post_install.yml | 1 +
tasks/main.yml | 52 ++-
.../main_keystone_federation_sp_idp_setup.yml | 4 +-
tasks/main_pre.yml | 18 +-
vars/main.yml | 12 +-
18 files changed, 302 insertions(+), 251 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 607c6356..2b51f3c7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,7 +20,11 @@ debug: False # for the service setup. The host must already have # clouds.yaml properly configured. keystone_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -keystone_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +keystone_service_setup_host_python_interpreter: >- + {{ + openstack_service_setup_host_python_interpreter | default( + (keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} # Set the package install state for distribution packages # Options are 'present' and 'latest' @@ -39,7 +43,8 @@ keystone_shibboleth_repo: {} keystone_git_repo: https://opendev.org/openstack/keystone keystone_git_install_branch: master -keystone_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}" +keystone_upper_constraints_url: >- + {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }} keystone_git_constraints: - "--constraint {{ keystone_upper_constraints_url }}" 
@@ -97,13 +102,19 @@ keystone_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') } ## Database info keystone_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}" -keystone_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +keystone_db_setup_python_interpreter: >- + {{ + openstack_db_setup_python_interpreter | default( + (keystone_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} keystone_galera_address: "{{ galera_address | default('127.0.0.1') }}" keystone_galera_user: keystone keystone_galera_database: keystone keystone_galera_port: "{{ galera_port | default('3306') }}" keystone_database_connection_string: >- - mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{keystone_galera_port}}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{% if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %} + mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{ keystone_galera_port }}/{{ + keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{% + if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %} ## Database SSL keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}" keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}" 
@@ -131,7 +142,8 @@ keystone_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}" # Notify keystone_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}" -keystone_oslomsg_notify_setup_host: "{{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}" +keystone_oslomsg_notify_setup_host: >- + {{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }} keystone_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}" keystone_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}" keystone_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}" @@ -177,7 +189,7 @@ keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ int keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" ## Set this value to override the "public_endpoint" keystone.conf variable -#keystone_public_endpoint: "{{ keystone_service_publicuri }}" +# keystone_public_endpoint: "{{ keystone_service_publicuri }}" # Enable or disable uWSGI as the primary service manager. While uWSGI is used # for basic deployments, when this option is enabled it will become the sole @@ -215,7 +227,7 @@ keystone_httpd_mpm_max_conn_child: 0 keystone_wsgi_threads: 1 ## Cap the maximun number of processes when a user value is unspecified. keystone_wsgi_processes_max: 16 -keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}" +keystone_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}" keystone_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}" keystone_uwsgi_ports: 
@@ -244,7 +256,8 @@ keystone_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}" keystone_pki_keys_path: "{{ keystone_pki_dir ~ '/certs/private/' }}" keystone_pki_certs_path: "{{ keystone_pki_dir ~ '/certs/certs/' }}" keystone_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}" -keystone_pki_intermediate_cert_path: "{{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}" +keystone_pki_intermediate_cert_path: >- + {{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }} keystone_pki_regen_cert: '' # By default, CA creation is controlled using the CA 'condition' field @@ -322,14 +335,16 @@ keystone_pki_install_certificates: keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}" # TLS v1.2 and below -keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}" +keystone_ssl_cipher_suite_tls12: >- + {{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }} # TLS v1.3 -keystone_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}" +keystone_ssl_cipher_suite_tls13: >- + {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }} # Set these variables to deploy custom certificates -#keystone_user_ssl_cert: -#keystone_user_ssl_key: -#keystone_user_ssl_ca_cert: +# keystone_user_ssl_cert: +# keystone_user_ssl_key: +# keystone_user_ssl_ca_cert: # Set to true when terminating SSL/TLS at a load balancer keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}" 
@@ -370,187 +385,186 @@ keystone_ldap: {} keystone_ldap_domain_config_dir: /etc/keystone/domains - ## Policy vars # Provide a list of access controls to update the default policy.json with. These changes will be merged # with the access controls in the default policy.json. E.g. -#keystone_policy_overrides: -# identity:create_region: "rule:admin_required" -# identity:update_region: "rule:admin_required" +# keystone_policy_overrides: +# identity:create_region: "rule:admin_required" +# identity:update_region: "rule:admin_required" ## Federation # Enable the following section on the Keystone IdP keystone_idp: {} -#keystone_idp: -# certfile: "/etc/keystone/ssl/idp_signing_cert.pem" -# keyfile: "/etc/keystone/ssl/idp_signing_key.pem" -# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" -# regen_cert: false -# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp" -# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso" -# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml -# service_providers: -# - id: "sp_1" -# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth -# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP -# # the following settings are optional -# organization_name: example_company -# organization_display_name: Example Corp. 
-# organization_url: example.com -# contact_company: example_company -# contact_name: John -# contact_surname: Smith -# contact_email: jsmith@example.com -# contact_telephone: 555-55-5555 -# contact_type: technical +# keystone_idp: +# certfile: "/etc/keystone/ssl/idp_signing_cert.pem" +# keyfile: "/etc/keystone/ssl/idp_signing_key.pem" +# self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" +# regen_cert: false +# idp_entity_id: "{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp" +# idp_sso_endpoint: "{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso" +# idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml +# service_providers: +# - id: "sp_1" +# auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth +# sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP +# # the following settings are optional +# organization_name: example_company +# organization_display_name: Example Corp. +# organization_url: example.com +# contact_company: example_company +# contact_name: John +# contact_surname: Smith +# contact_email: jsmith@example.com +# contact_telephone: 555-55-5555 +# contact_type: technical # Enable the following section in order to install and configure # Keystone as a Resource Service Provider (SP) and to configure # trusts with specific Identity Providers (IdP). 
keystone_sp: {} -#keystone_sp: -# cert_duration_years: 5 -# apache_mod: shibboleth #or mod_auth_openidc -# cadf_notifications: false -# cadf_notifications_opt_out: -# - identity.authenticate.failed -# - identity.authenticate.pending -# - identity.authenticate.success -# trusted_dashboard_list: -# - "https://{{ external_lb_vip_address }}/auth/websso/" -# - "https://{{ horizon_server_name }}/auth/websso/" -# trusted_idp_list: -# note that only one of these is supported at any one time for now -# - name: "keystone-idp" -# domain_id: "default" -# display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown -# entity_ids: -# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp' -# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata' -# metadata_file: 'metadata-keystone-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: keystone-idp-mapping -# rules: -# - remote: -# - type: openstack_user -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# user: -# name: '{0}' -# attributes: -# - name: openstack_user -# id: openstack_user -# - name: openstack_roles -# id: openstack_roles -# - name: openstack_project -# id: openstack_project -# - name: openstack_user_domain -# id: openstack_user_domain -# - name: openstack_project_domain -# id: openstack_project_domain +# keystone_sp: +# cert_duration_years: 5 +# apache_mod: shibboleth #or mod_auth_openidc +# cadf_notifications: false +# cadf_notifications_opt_out: +# - identity.authenticate.failed +# - identity.authenticate.pending +# - identity.authenticate.success +# trusted_dashboard_list: +# - "https://{{ external_lb_vip_address }}/auth/websso/" +# - "https://{{ horizon_server_name }}/auth/websso/" +# trusted_idp_list: +# note that only one of these is supported at any one time for now +# - name: "keystone-idp" +# domain_id: "default" +# 
display_name: "Keystone IDP" # Optional, used in Horizon IDP dropdown +# entity_ids: +# - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp' +# metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata' +# metadata_file: 'metadata-keystone-idp.xml' +# metadata_reload: 1800 +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: saml2 +# mapping: +# name: keystone-idp-mapping +# rules: +# - remote: +# - type: openstack_user +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# user: +# name: '{0}' +# attributes: +# - name: openstack_user +# id: openstack_user +# - name: openstack_roles +# id: openstack_roles +# - name: openstack_project +# id: openstack_project +# - name: openstack_user_domain +# id: openstack_user_domain +# - name: openstack_project_domain +# id: openstack_project_domain # -# - name: 'testshib-idp' -# entity_ids: -# - 'https://idp.testshib.org/idp/shibboleth' -# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml' -# metadata_file: 'metadata-testshib-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: testshib-idp-mapping -# rules: -# - remote: -# - type: eppn -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# - user: -# name: '{0}' +# - name: 'testshib-idp' +# entity_ids: +# - 'https://idp.testshib.org/idp/shibboleth' +# metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml' +# metadata_file: 'metadata-testshib-idp.xml' +# metadata_reload: 1800 +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: saml2 +# mapping: +# name: testshib-idp-mapping +# rules: +# - remote: +# - type: eppn +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# - user: +# name: 
'{0}' # -# - name: 'adfs-idp' -# entity_ids: -# - 'http://adfs.contoso.com/adfs/services/trust' -# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -# metadata_file: 'metadata-adfs-idp.xml' -# metadata_reload: 1800 -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: saml2 -# mapping: -# name: adfs-idp-mapping -# rules: -# - remote: -# - type: upn -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# - user: -# name: '{0}' -# attributes: -# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' -# id: upn +# - name: 'adfs-idp' +# entity_ids: +# - 'http://adfs.contoso.com/adfs/services/trust' +# metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' +# metadata_file: 'metadata-adfs-idp.xml' +# metadata_reload: 1800 +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: saml2 +# mapping: +# name: adfs-idp-mapping +# rules: +# - remote: +# - type: upn +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# - user: +# name: '{0}' +# attributes: +# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' +# id: upn # -# - name: "keycloak-oidc-idp" -# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration -# oidc_client_id: keystone -# oidc_client_secret: secret -# oidc_crypto_passphrase: random string -# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth -# oidc_oauth_introspection_endpoint: endpoint address (optional) -# oidc_oauth_client_id: string (optional) -# oidc_oauth_client_secret: secret (optional) -# oidc_pkce_method: plain | S256 | referred_tb (optional) -# oidc_outgoing_proxy: "proxy address" (optional setting) -# oidc_auth_request_params: 
param=some+url+encoded+value¶m2=and+another+one (optional) -# oidc_state_max_number_of_cookies: 5 false (optional) -# oidc_default_url: https://example.com/callback (optional) -# entity_ids: -# - 'https://identity-provider/openid-endpoint/' -# federated_identities: -# - domain: default -# project: fedproject -# group: fedgroup -# role: _member_ -# protocols: -# - name: openid -# mapping: -# name: keycloak-oidc-idp-openid-mapping -# rules: -# - remote: -# - type: OIDC-email -# local: -# - group: -# name: fedgroup -# domain: -# name: Default -# user: -# name: '{0}' +# - name: "keycloak-oidc-idp" +# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration +# oidc_client_id: keystone +# oidc_client_secret: secret +# oidc_crypto_passphrase: random string +# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth +# oidc_oauth_introspection_endpoint: endpoint address (optional) +# oidc_oauth_client_id: string (optional) +# oidc_oauth_client_secret: secret (optional) +# oidc_pkce_method: plain | S256 | referred_tb (optional) +# oidc_outgoing_proxy: "proxy address" (optional setting) +# oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one (optional) +# oidc_state_max_number_of_cookies: 5 false (optional) +# oidc_default_url: https://example.com/callback (optional) +# entity_ids: +# - 'https://identity-provider/openid-endpoint/' +# federated_identities: +# - domain: default +# project: fedproject +# group: fedgroup +# role: _member_ +# protocols: +# - name: openid +# mapping: +# name: keycloak-oidc-idp-openid-mapping +# rules: +# - remote: +# - type: OIDC-email +# local: +# - group: +# name: fedgroup +# domain: +# name: Default +# user: +# name: '{0}' keystone_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}" 
@@ -581,7 +595,7 @@ keystone_optional_oslomsg_amqp1_pip_packages: # template engine and copied to the target host. # keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html" -#: Tunable file-based overrides +## Tunable file-based overrides # The contents of these files, if they exist, are read from the # specified path on the deployment host, interpreted by the # template engine and copied to the target host. If they do @@ -589,7 +603,7 @@ keystone_optional_oslomsg_amqp1_pip_packages: shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem" shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem" -#: Tunable var-based overrides +## Tunable var-based overrides # The contents of these are templated over the default files. keystone_keystone_conf_overrides: {} keystone_keystone_default_conf_overrides: {} @@ -643,7 +657,7 @@ keystone_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | defaul # directory on the deploy host to create and store SSH keypairs keystone_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}" -#Each keystone host needs a signed ssh certificate to log into the others +# Each keystone host needs a signed ssh certificate to log into the others keystone_ssh_keypairs: - name: "keystone-{{ inventory_hostname }}" cert: @@ -652,7 +666,7 @@ keystone_ssh_keypairs: valid_from: "{{ keystone_ssh_key_valid_from | default('always') }}" valid_to: "{{ keystone_ssh_key_valid_to | default('forever') }}" -#Each keystone host needs the signed ssh certificate installing to the keystone user +# Each keystone host needs the signed ssh certificate installing to the keystone user keystone_ssh_keypairs_install_keys: owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" 
@@ -660,10 +674,10 @@ keystone_ssh_keypairs_install_keys: - cert: "keystone-{{ inventory_hostname }}" dest: "{{ keystone_system_user_home }}/.ssh/id_rsa" -#Each compute host must trust the SSHD certificate authoritiy in the sshd configuration +# Each compute host must trust the SSHD certificate authoritiy in the sshd configuration keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}" -#Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user +# Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user keystone_ssh_keypairs_principals: - user: "{{ keystone_system_user_name }}" principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}" diff --git a/handlers/main.yml b/handlers/main.yml index b0fccf6e..67706d3c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -101,6 +101,7 @@ debian: nc -q 1 $(awk '/^\-l/ {print $2}' "/etc/memcached.conf" | awk -F, '{print $1}') $(awk '/^\-p/ {print $2}' "/etc/memcached.conf") redhat: nc $(awk -F '-l' '/^OPTIONS/ {print $2}' "/etc/sysconfig/memcached" | awk -F ',' '{gsub(/"/, "", $1); print $1}' | awk -F '-' '{print $1}') 11211 shell: "echo 'flush_all' | {{ nc_command.get(ansible_facts['os_family'] | lower) }}" + changed_when: false delegate_to: "{{ item }}" with_items: "{{ groups.memcached_all }}" listen: flush cache diff --git a/meta/main.yml b/meta/main.yml index 213588d5..0bfa4023 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,19 +18,21 @@ galaxy_info: description: Installation and setup of keystone company: Rackspace license: Apache2 - min_ansible_version: 2.4 + role_name: os_keystone + namespace: openstack + min_ansible_version: "2.10" platforms: - name: Debian versions: - - buster + - bullseye - name: Ubuntu versions: - - bionic - focal + - jammy - name: EL versions: - - 8 - categories: + - "9" + galaxy_tags: - cloud - python - keystone 
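Review bot: `changed_when: false` on the memcached flush handler in handlers/main.yml reports a state-changing action as `ok`: the piped `flush_all` empties every node in `groups.memcached_all` whenever the handler is notified, so `changed_when: true` is the honest setting and still satisfies the linter. The same pattern is applied to the three `db_sync --expand`/`--migrate`/`--contract` tasks in tasks/keystone_db_sync.yml (hunks @@ -70, @@ -79 and @@ -88); when their `when:` gates admit them (conditions outside the hunk) they rewrite the schema, and a migration that shows up as `ok` in the recap is hard to audit afterwards. The credential and fernet tasks in this same commit keep the command reporting changed via `# noqa: no-changed-when`; doing the same here, or registering the result and deriving changed from the corresponding `need_db_*` flag, would be consistent. The handler's name line is outside the hunk.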
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml index f24eceb3..5626fe49 100644 --- a/tasks/keystone_apache.yml +++ b/tasks/keystone_apache.yml @@ -31,6 +31,7 @@ state: directory owner: "{{ keystone_apache_default_log_owner }}" group: "{{ keystone_apache_default_log_grp }}" + mode: "0755" ## NOTE(cloudnull): ## Module enable/disable process is only functional on Debian @@ -51,6 +52,7 @@ dest: "{{ item.dest }}" owner: "root" group: "root" + mode: "0644" with_items: "{{ keystone_apache_configs }}" notify: - Restart web server @@ -76,7 +78,7 @@ line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so' state: "present" when: - - ansible_facts['pkg_mgr'] == 'dnf' + - ansible_facts['pkg_mgr'] == 'dnf' notify: - Restart web server diff --git a/tasks/keystone_credential.yml b/tasks/keystone_credential.yml index ba819b0b..02d221c8 100644 --- a/tasks/keystone_credential.yml +++ b/tasks/keystone_credential.yml @@ -13,10 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: keystone_credential_create.yml +- name: Including keystone_credential_create tasks + include_tasks: keystone_credential_create.yml when: _keystone_is_first_play_host -- include_tasks: keystone_credential_distribute.yml +- name: Including keystone_credential_distribute tasks + include_tasks: keystone_credential_distribute.yml when: _keystone_is_first_play_host -- include_tasks: keystone_credential_autorotate.yml +- name: Including keystone_credential_autorotate tasks + include_tasks: keystone_credential_autorotate.yml diff --git a/tasks/keystone_credential_create.yml b/tasks/keystone_credential_create.yml index 5001ced8..f0fce59b 100644 --- a/tasks/keystone_credential_create.yml +++ b/tasks/keystone_credential_create.yml 
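Review bot: The explicit `mode: "0755"` in the first hunk of tasks/keystone_apache.yml, on what appears to be the Apache log directory (its `path:` is outside the hunk; owner and group come from `keystone_apache_default_log_*`), makes the directory world-listable and can widen a packaged default such as Debian's 0750 `root:adm` log directory that the task previously left untouched. Access logs carry request paths and query strings, so `mode: "0750"`, or a new variable (e.g. `keystone_apache_default_log_mode`) defaulting to it, is the safer way to satisfy the permissions lint. The `mode: "0644"` added for the templated configs in the following hunk is fine for root-owned configuration.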
@@ -70,7 +70,7 @@ register: drop_existing_credential_keys with_indexed_items: "{{ collected_existing_credential_keys.results | map(attribute='content') | list | unique }}" -- name: Create credential keys for Keystone +- name: Create credential keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage credential_setup --keystone-user "{{ keystone_system_user_name }}" @@ -82,7 +82,7 @@ - not _credential_keys.stat.exists - not drop_existing_credential_keys is changed -- name: Ensure newest key is used for credential in Keystone +- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage credential_migrate --keystone-user "{{ keystone_system_user_name }}" @@ -91,7 +91,7 @@ become_user: "{{ keystone_system_user_name }}" when: create_credential_keys is skipped -- name: Rotate credential keys for Keystone +- name: Rotate credential keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage credential_rotate --keystone-user "{{ keystone_system_user_name }}" diff --git a/tasks/keystone_db_sync.yml b/tasks/keystone_db_sync.yml index 364b994d..49ed1f89 100644 --- a/tasks/keystone_db_sync.yml +++ b/tasks/keystone_db_sync.yml @@ -28,11 +28,12 @@ section: keystone option: "{{ item.name }}" value: "{{ item.state }}" + mode: "0644" with_items: - name: "need_db_expand" state: "{{ (keystone_db_sync_check.rc | int == 2) | bool }}" - name: "need_db_migrate" - state: "{{ (keystone_db_sync_check.rc | int in [2, 3] ) | bool }}" + state: "{{ (keystone_db_sync_check.rc | int in [2, 3]) | bool }}" - name: "need_db_contract" state: "{{ (keystone_db_sync_check.rc | int in [2, 3, 4]) | bool }}" 
@@ -46,7 +47,7 @@ # When keystone is initially built, the service does not yet exist on the # host this task is executed on. Detect the presence of the services. - name: Test if keystone service exists - service: + service: # noqa: args[module] name: "{{ item }}" check_mode: yes register: keystone_service_exists @@ -70,6 +71,7 @@ - name: Perform a Keystone DB sync expand command: "{{ keystone_bin }}/keystone-manage db_sync --expand" + changed_when: false become: yes become_user: "{{ keystone_system_user_name }}" when: @@ -79,6 +81,7 @@ - name: Perform a Keystone DB sync migrate command: "{{ keystone_bin }}/keystone-manage db_sync --migrate" + changed_when: false become: yes become_user: "{{ keystone_system_user_name }}" when: @@ -88,6 +91,7 @@ - name: Perform a Keystone DB sync contract command: "{{ keystone_bin }}/keystone-manage db_sync --contract" + changed_when: false become: yes become_user: "{{ keystone_system_user_name }}" when: diff --git a/tasks/keystone_federation_sp_shib_setup.yml b/tasks/keystone_federation_sp_shib_setup.yml index 10138041..b370f8cd 100644 --- a/tasks/keystone_federation_sp_shib_setup.yml +++ b/tasks/keystone_federation_sp_shib_setup.yml @@ -19,7 +19,7 @@ dest: "{{ item.dest }}" owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" - mode: "{{ item.mode|default('0644') }}" + mode: "{{ item.mode | default('0644') }}" with_items: - { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" } - { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" } @@ -29,8 +29,8 @@ - name: Copy Shibboleth SP key-pair (if provided) copy: content: "{{ item.content }}" - dest: "{{ item.dest }}" # noqa 206 - mode: "{{ item.mode|default('0640') }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode | default('0640') }}" when: - _keystone_is_first_play_host - item.content | length > 0 
@@ -66,8 +66,8 @@ - name: Register a fact for the cert and key set_fact: - keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}" - keystone_sp_key_fact: "{{ _keystone_sp_key.content }}" + keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}" + keystone_sp_key_fact: "{{ _keystone_sp_key.content }}" when: _keystone_is_first_play_host - name: Distribute sp key diff --git a/tasks/keystone_fernet.yml b/tasks/keystone_fernet.yml index 20760709..a1169c27 100644 --- a/tasks/keystone_fernet.yml +++ b/tasks/keystone_fernet.yml @@ -13,10 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: keystone_fernet_keys_create.yml +- name: Including keystone_fernet_keys_create tasks + include_tasks: keystone_fernet_keys_create.yml when: _keystone_is_first_play_host -- include_tasks: keystone_fernet_keys_distribute.yml +- name: Including keystone_fernet_keys_distribute tasks + include_tasks: keystone_fernet_keys_distribute.yml when: _keystone_is_first_play_host -- include_tasks: keystone_fernet_keys_autorotate.yml +- name: Including keystone_fernet_keys_autorotate tasks + include_tasks: keystone_fernet_keys_autorotate.yml diff --git a/tasks/keystone_fernet_keys_create.yml b/tasks/keystone_fernet_keys_create.yml index 2d95a924..591b5ecf 100644 --- a/tasks/keystone_fernet_keys_create.yml +++ b/tasks/keystone_fernet_keys_create.yml @@ -18,7 +18,7 @@ path: "{{ keystone_fernet_tokens_key_repository }}/0" register: _fernet_keys -- name: Create fernet keys for Keystone +- name: Create fernet keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" 
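Review bot: `keystone_sp_key_fact` holds the Shibboleth SP private key taken from `_keystone_sp_key.content` (presumably a slurp result), and `set_fact` prints its values at `-v` and persists them through fact caching; the task should carry `no_log: true` so the key does not end up in controller output or the fact cache. Only the indentation of these two lines changes here, which makes it a convenient moment to add it. The task's `name:` line and the task that produces `_keystone_sp_key` are outside the hunk.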
@@ -27,7 +27,7 @@ become_user: "{{ keystone_system_user_name }}" when: not _fernet_keys.stat.exists -- name: Rotate fernet keys for Keystone +- name: Rotate fernet keys for Keystone # noqa: no-changed-when command: > {{ keystone_bin }}/keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" diff --git a/tasks/keystone_idp_setup.yml b/tasks/keystone_idp_setup.yml index 61a45213..17c0490a 100644 --- a/tasks/keystone_idp_setup.yml +++ b/tasks/keystone_idp_setup.yml @@ -18,6 +18,7 @@ {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }} become: yes become_user: "{{ keystone_system_user_name }}" + changed_when: false when: keystone_idp != {} notify: - Restart uWSGI diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml index 3b83ffd1..c3214119 100644 --- a/tasks/keystone_install.yml +++ b/tasks/keystone_install.yml @@ -17,9 +17,9 @@ file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner|default(keystone_system_user_name) }}" - group: "{{ item.group|default(keystone_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + owner: "{{ item.owner | default(keystone_system_user_name) }}" + group: "{{ item.group | default(keystone_system_group_name) }}" + mode: "{{ item.mode | default('0755') }}" with_items: - { path: "/var/lock/keystone", mode: "2755" } - { path: "/var/log/httpd", mode: "2755" } @@ -111,6 +111,7 @@ section: keystone option: venv_tag value: "{{ keystone_venv_tag }}" + mode: "0644" - name: Initialise the upgrade facts ini_file: @@ -118,6 +119,7 @@ section: keystone option: "{{ item.name }}" value: "{{ item.state }}" + mode: "0644" with_items: - name: "need_db_expand" state: "True" diff --git a/tasks/keystone_key_setup.yml b/tasks/keystone_key_setup.yml index 287173be..14967acf 100644 --- a/tasks/keystone_key_setup.yml +++ b/tasks/keystone_key_setup.yml 
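Review bot: The added `changed_when: false` on the saml_idp_metadata task in tasks/keystone_idp_setup.yml prevents its `notify: - Restart uWSGI` from ever firing, because Ansible only runs handlers notified by tasks that report changed; the `>` redirection rewrites `keystone_idp.idp_metadata_path` on every run, so uWSGI would keep serving the previously loaded metadata until something else restarts it. If the goal is only to satisfy `no-changed-when`, `changed_when: true` keeps the handler working; a stricter fix would write to a temporary file and compare before replacing the metadata. The task's name line is outside the hunk.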
@@ -29,12 +29,12 @@ tags: - keystone-key vars: - ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}" - ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}" - ssh_keypairs: "{{ keystone_ssh_keypairs }}" - ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}" - ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}" - ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}" + ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}" + ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}" + ssh_keypairs: "{{ keystone_ssh_keypairs }}" + ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}" + ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}" + ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}" tags: - always diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml index 25be7db4..01ac34e4 100644 --- a/tasks/keystone_post_install.yml +++ b/tasks/keystone_post_install.yml @@ -107,6 +107,7 @@ copy: src: "{{ keystone_sso_callback_file_path }}" dest: "/etc/keystone/sso_callback_template.html" + mode: "0644" when: - keystone_sso_callback_file_path is defined notify: diff --git a/tasks/main.yml b/tasks/main.yml index a3307cd6..03a27fd6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,11 +53,12 @@ - name: Fact for apache module shibboleth to be installed set_fact: - keystone_sp_apache_mod_shib: - "{{ (keystone_sp != {} and - (keystone_sp.apache_mod is undefined or - (keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc')) - ) | ternary('true', 'false') }}" + keystone_sp_apache_mod_shib: >- + {{ + (keystone_sp != {} and (keystone_sp.apache_mod is undefined or ( + keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc')) + ) | ternary('true', 'false') + }} tags: - always 
@@ -70,7 +71,8 @@ tags: - always -- include_role: +- name: Including osa.db_setup role + include_role: name: openstack.osa.db_setup apply: tags: @@ -91,7 +93,8 @@ tags: - always -- include_role: +- name: Including osa.mq_setup role + include_role: name: openstack.osa.mq_setup apply: tags: @@ -113,40 +116,46 @@ tags: - always -- import_tasks: keystone_install.yml +- name: Importing keystone_install tasks + import_tasks: keystone_install.yml tags: - keystone-install -- name: refresh local facts +- name: Refresh local facts setup: filter: ansible_local gather_subset: "!all" tags: - keystone-config -- import_tasks: keystone_post_install.yml +- name: Importing keystone_post_install tasks + import_tasks: keystone_post_install.yml tags: - keystone-config -- import_tasks: keystone_fernet.yml +- name: Importing keystone_fernet tasks + import_tasks: keystone_fernet.yml when: - "'fernet' in keystone_token_provider" - keystone_service_setup | bool tags: - keystone-config -- import_tasks: keystone_db_sync.yml +- name: Importing keystone_db_sync tasks + import_tasks: keystone_db_sync.yml when: - "keystone_database_enabled | bool" tags: - keystone-config -- import_tasks: keystone_credential.yml +- name: Importing keystone_credential tasks + import_tasks: keystone_credential.yml when: keystone_service_setup | bool tags: - keystone-config -- import_tasks: keystone_federation_sp_shib_setup.yml +- name: Importing keystone_federation_sp_shib_setup tasks + import_tasks: keystone_federation_sp_shib_setup.yml when: - keystone_sp_apache_mod_shib - not (keystone_use_uwsgi | bool) @@ -172,7 +181,8 @@ tags: - keystone-config -- import_tasks: "keystone_apache.yml" +- name: Importing keystone_apache tasks + import_tasks: "keystone_apache.yml" when: - not (keystone_use_uwsgi | bool) tags: 
@@ -191,7 +201,8 @@ - name: Flush handlers meta: flush_handlers -- include_tasks: keystone_service_bootstrap.yml +- name: Including keystone_service_bootstrap tasks + include_tasks: keystone_service_bootstrap.yml args: apply: tags: @@ -225,7 +236,8 @@ retries: 12 delay: 5 -- include_role: +- name: Including osa.service_setup role + include_role: name: openstack.osa.service_setup apply: tags: @@ -259,7 +271,8 @@ tags: - always -- import_tasks: keystone_ldap_setup.yml +- name: Including keystone_ldap_setup tasks + import_tasks: keystone_ldap_setup.yml when: - keystone_service_setup | bool - keystone_ldap != {} @@ -269,7 +282,8 @@ - name: Flush handlers meta: flush_handlers -- include_tasks: keystone_idp_setup.yml +- name: Including keystone_idp_setup tasks + include_tasks: keystone_idp_setup.yml args: apply: tags: diff --git a/tasks/main_keystone_federation_sp_idp_setup.yml b/tasks/main_keystone_federation_sp_idp_setup.yml index fb23fbf8..d00e9cc8 100644 --- a/tasks/main_keystone_federation_sp_idp_setup.yml +++ b/tasks/main_keystone_federation_sp_idp_setup.yml @@ -1,4 +1,6 @@ -- include_tasks: keystone_federation_sp_idp_setup.yml +--- +- name: Including keystone_federation_sp_idp_setup tasks + include_tasks: keystone_federation_sp_idp_setup.yml with_items: "{{ keystone_sp.trusted_idp_list }}" loop_control: loop_var: trusted_idp diff --git a/tasks/main_pre.yml b/tasks/main_pre.yml index c238135b..77732807 100644 --- a/tasks/main_pre.yml +++ b/tasks/main_pre.yml 
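Review bot: The new task name `Including keystone_ldap_setup tasks` does not match its module: this is an `import_tasks`, and every other import added in this diff is named `Importing … tasks` (e.g. `Importing keystone_install tasks`). Renaming it to `- name: Importing keystone_ldap_setup tasks` keeps the import/include distinction visible in play output, which matters when debugging the tag and conditional behaviour that differs between the two.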
@@ -13,19 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: create the system group - group: - name: "{{ keystone_system_group_name }}" - state: "present" - system: "yes" - -- name: create additional groups +- name: Create system groups group: name: "{{ item }}" state: "present" system: "yes" - with_items: - - "{{ keystone_system_additional_groups }}" + with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}" - name: Create the keystone system user user: @@ -44,8 +37,8 @@ src: "{{ item.src | default(omit) }}" dest: "{{ item.dest | default(omit) }}" state: "{{ item.state | default('directory') }}" - owner: "{{ item.owner|default(keystone_system_user_name) }}" - group: "{{ item.group|default(keystone_system_group_name) }}" + owner: "{{ item.owner | default(keystone_system_user_name) }}" + group: "{{ item.group | default(keystone_system_group_name) }}" mode: "{{ item.mode | default(omit) }}" force: "{{ item.force | default(omit) }}" with_items: @@ -71,6 +64,7 @@ owner: root group: root -- import_tasks: keystone_key_setup.yml +- name: Importing keystone_key_setup tasks + import_tasks: keystone_key_setup.yml tags: - keystone-install diff --git a/vars/main.yml b/vars/main.yml index 1cd2fb71..e0fa30b8 100644 --- a/vars/main.yml +++ b/vars/main.yml 
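Review bot: The merged `with_items: "{{ [keystone_system_group_name] + keystone_system_additional_groups }}"` requires `keystone_system_additional_groups` to be a list, whereas the previous `with_items: - "{{ keystone_system_additional_groups }}"` also accepted a single string group name through with_items flattening; a scalar user override would now fail with a type error on the `+` before any group is created. If the default in defaults/main.yml is a list (not visible here) the common case is fine, but the old tolerance can be kept with `with_items: "{{ [keystone_system_group_name] + ([keystone_system_additional_groups] | flatten) }}"`, or the list requirement should be documented at that default.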
@@ -35,8 +35,16 @@ uwsgi_keystone_services: |- {% endfor %} {{ services }} -_keystone_is_first_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool }}" -_keystone_is_last_play_host: "{{ (keystone_services['keystone-wsgi-public']['group'] in group_names and inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool }}" +_keystone_is_first_play_host: >- + {{ + (keystone_services['keystone-wsgi-public']['group'] in group_names and + inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[0]) | bool + }} +_keystone_is_last_play_host: >- + {{ + (keystone_services['keystone-wsgi-public']['group'] in group_names and + inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | intersect(ansible_play_hosts)) | list)[-1]) | bool + }} _keystone_cache_backend_map: dogpile: - oslo_cache.memcache_pool