undercloud_tokenflush
Role Documentation
Welcome to the “undercloud_tokenflush” role documentation.
Role Defaults
This section highlights all of the defaults and variables set within the “undercloud_tokenflush” role.
cron_check: keystone-manage token_flush
Role Variables: main.yaml
metadata:
  description: 'Without a token_flush crontab enabled for the keystone user, the keystone
    database can grow very large. This validation checks that the keystone token_flush
    crontab has been set up.

    '
  groups:
  - pre-introspection
  name: Verify token_flush is enabled in keystone users crontab
Molecule Scenarios
Molecule is being used to test the “undercloud_tokenflush” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
Scenario: default
Example default configuration
driver:
  name: podman
log: true
platforms:
- dockerfile: ../../../../.config/molecule/Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos
  image: centos/centos:stream8
  name: centos
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: quay.io
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          centos:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
  options:
    vvv: true
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: ansible
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- gather_facts: false
  hosts: all
  name: Converge
  tasks:
  - include_role:
      name: undercloud_tokenflush
    name: working detection
  - block:
    - copy:
        content: '[DEFAULT]

          container_cli = docker

          '
        dest: /undercloud.conf
      name: Override container_cli
    - include_role:
        name: undercloud_tokenflush
      name: run validation
    name: Validate failure
    rescue:
    - meta: clear_host_errors
      name: Clear host errors
    - debug:
        msg: The validation works! Ending play.
      name: Test output
    - meta: end_play
      name: End play
  - fail:
      msg: 'The undercloud_tokenflush validation failed to detect

        missing cron job.

        '
    name: Fail the validation at this point
Scenario: non-persistent-token-format
Example non-persistent-token-format configuration
driver:
  name: podman
log: true
platforms:
- dockerfile: ../../../../.config/molecule/Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos
  image: centos/centos:stream8
  name: centos
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: quay.io
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          centos:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
  options:
    vvv: true
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: ansible
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example non-persistent-token-format playbook
- hosts: all
  name: Converge
  tasks:
  - block:
    - copy:
        content: '"keystone::token_provider": "fernet"

          '
        dest: /etc/puppet/service_configs.yaml
      name: Set token format to fernet
    - include_role:
        name: undercloud_tokenflush
      name: Ensure validation gracefully passes
    name: Skip validation when using fernet tokens
  - block:
    - copy:
        content: '"keystone::token_provider": "jws"

          '
        dest: /etc/puppet/service_configs.yaml
      name: Set token format to jws
    - include_role:
        name: undercloud_tokenflush
      name: Ensure validation gracefully passes
    name: Skip validation when using jws tokens
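
The decision the two scenarios above exercise (fail when the keystone crontab has no active token_flush entry, skip when the token provider is fernet or jws) can be sketched as a standalone check. This is an added example, not the role's own code; the function names, the three result strings and the sample inputs are assumptions made for illustration.

```python
import re

CRON_CHECK = "keystone-manage token_flush"  # the cron_check default shown on this page
NON_PERSISTENT = {"fernet", "jws"}          # providers the second scenario skips on


def token_provider(service_configs: str):
    """Return keystone::token_provider from service_configs.yaml text, or None."""
    m = re.search(r'^\s*"?keystone::token_provider"?\s*:\s*"?([\w-]+)"?\s*$',
                  service_configs, re.MULTILINE)
    return m.group(1).lower() if m else None


def active_cron_lines(crontab: str):
    """Yield crontab job entries, dropping blanks, comments and VAR=value lines."""
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out job is not an enabled job
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            continue  # environment assignment, not a job
        yield line


def check_tokenflush(crontab: str, service_configs: str = "") -> str:
    """Return 'skipped', 'passed' or 'failed' (hypothetical result names)."""
    if token_provider(service_configs) in NON_PERSISTENT:
        return "skipped"
    if any(CRON_CHECK in line for line in active_cron_lines(crontab)):
        return "passed"
    return "failed"


# Constructed sample inputs; on a host the crontab text would come from
# `crontab -l -u keystone`.
SAMPLE_OK = "PATH=/bin:/usr/bin\n1 * * * * keystone-manage token_flush >>/dev/null 2>&1\n"
SAMPLE_DISABLED = "# 1 * * * * keystone-manage token_flush >>/dev/null 2>&1\n"
SAMPLE_FERNET = '"keystone::token_provider": "fernet"\n'

if __name__ == "__main__":
    print(check_tokenflush(SAMPLE_OK))          # entry present and active
    print(check_tokenflush(SAMPLE_DISABLED))    # entry only in a comment
    print(check_tokenflush("", SAMPLE_FERNET))  # non-persistent tokens
```

A plain substring search over the raw crontab would accept the commented-out entry in SAMPLE_DISABLED, which is why comment and assignment lines are dropped before matching.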