undercloud_tokenflush

An Ansible role to check if keystone-manage token_flush is enabled for the keystone user.

Requirements

This role requires an installed and working Undercloud.

Role Variables

  • cron_check: <'keystone-manage token_flush'> - the string to check for in the keystone user's crontab

Dependencies

No dependencies.

Example Playbook

- hosts: undercloud
  roles:
     - { role: undercloud_tokenflush }

License

Apache

Author Information

Red Hat TripleO Validations Team

Full Description

Role Documentation

Welcome to the “undercloud_tokenflush” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “undercloud_tokenflush” role.

cron_check: keystone-manage token_flush

Role Variables: main.yaml

metadata:
  name: Verify token_flush is enabled in keystone users crontab
  description: >
    Without a token_flush crontab enabled for the keystone user, the
    keystone database can grow very large.  This validation checks that
    the keystone token_flush crontab has been set up.
  groups:
  - pre-introspection

Molecule Scenarios

Molecule is being used to test the “undercloud_tokenflush” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: non-persistent-token-format

Driver: podman

Molecule Platform(s)

- name: centos
  hostname: centos
  image: centos/centos:stream8
  registry:
    url: quay.io
  dockerfile: ../../../../.config/molecule/Dockerfile
  pkg_extras: python*-setuptools python*-pyyaml
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  privileged: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') }}"
    https_proxy: "{{ lookup('env', 'https_proxy') }}"
  ulimits:
  - host

Molecule Inventory

hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3

Example non-persistent-token-format playbook

- name: Converge
  hosts: all

  tasks:
  - name: Skip validation when using fernet tokens
    block:
    - name: Set token format to fernet
      copy:
        dest: /etc/puppet/service_configs.yaml
        content: |
          "keystone::token_provider": "fernet"

    - name: Ensure validation gracefully passes
      include_role:
        name: undercloud_tokenflush

  - name: Skip validation when using jws tokens
    block:
    - name: Set token format to jws
      copy:
        dest: /etc/puppet/service_configs.yaml
        content: |
          "keystone::token_provider": "jws"

    - name: Ensure validation gracefully passes
      include_role:
        name: undercloud_tokenflush

Scenario: default

Driver: podman

Molecule Platform(s)

- name: centos
  hostname: centos
  image: centos/centos:stream8
  registry:
    url: quay.io
  dockerfile: ../../../../.config/molecule/Dockerfile
  pkg_extras: python*-setuptools python*-pyyaml
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  privileged: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') }}"
    https_proxy: "{{ lookup('env', 'https_proxy') }}"
  ulimits:
  - host

Molecule Inventory

hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3

Example default playbook

- name: Converge
  hosts: all
  gather_facts: false
  tasks:
  - name: working detection
    include_role:
      name: undercloud_tokenflush

  - name: Validate failure
    block:
    - name: Override container_cli
      copy:
        dest: '{{ ansible_env.HOME }}/undercloud.conf'
        content: |
          [DEFAULT]
          container_cli = docker

    - name: run validation
      include_role:
        name: undercloud_tokenflush
    rescue:
    - name: Clear host errors
      meta: clear_host_errors

    - name: Test output
      debug:
        msg: The validation works! Ending play.

    - name: End play
      meta: end_play

  - name: Fail the validation at this point
    fail:
      msg: |
        The undercloud_tokenflush validation failed to detect
        missing cron job.
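The two Molecule scenarios above exercise the same decision: skip when keystone uses a non-persistent token format (fernet or jws), otherwise pass only if the keystone user's crontab actually schedules `keystone-manage token_flush`. The following stand-alone Python model of that decision is an added example, not the role's own code; it assumes the token provider is read from hieradata text in the `/etc/puppet/service_configs.yaml` form shown above and that the crontab is supplied as the output of `crontab -l` for the keystone user, with a deliberately simplified one-key parser.

```python
import re
from typing import Optional

CRON_CHECK = "keystone-manage token_flush"        # the role's default cron_check
NON_PERSISTENT_PROVIDERS = {"fernet", "jws"}       # tokens never stored in the DB

# Matches the single hieradata key this check needs, quoted or unquoted
# (simplified parser, an assumption of this example, not a full YAML loader).
_PROVIDER_RE = re.compile(
    r'^\s*"?keystone::token_provider"?\s*:\s*"?([A-Za-z0-9_]+)"?\s*$')


def token_provider(hieradata: str) -> Optional[str]:
    """Return the configured keystone token provider, or None if unset."""
    for line in hieradata.splitlines():
        match = _PROVIDER_RE.match(line)
        if match:
            return match.group(1).lower()
    return None


def cron_has_token_flush(crontab: str, cron_check: str = CRON_CHECK) -> bool:
    """True only if an active (not commented-out) crontab line runs cron_check."""
    for line in crontab.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments schedule nothing
        if cron_check in entry:
            return True
    return False


def validate(hieradata: str, crontab: str, cron_check: str = CRON_CHECK) -> str:
    """Mirror the validation outcome: 'skipped', 'passed' or 'failed'."""
    if token_provider(hieradata) in NON_PERSISTENT_PROVIDERS:
        return "skipped"  # nothing to flush for fernet/jws tokens
    return "passed" if cron_has_token_flush(crontab, cron_check) else "failed"


# Constructed sample inputs, not captured from a real undercloud.
FERNET_HIERA = '"keystone::token_provider": "fernet"\n'
UUID_HIERA = '"keystone::token_provider": "uuid"\n'
GOOD_CRONTAB = ("PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh\n"
                "1 0 * * * keystone-manage token_flush "
                ">> /var/log/keystone/keystone-tokenflush.log 2>&1\n")
COMMENTED_CRONTAB = "# 1 0 * * * keystone-manage token_flush\n"

if __name__ == "__main__":
    print(validate(FERNET_HIERA, ""))                 # skipped
    print(validate(UUID_HIERA, GOOD_CRONTAB))         # passed
    print(validate(UUID_HIERA, COMMENTED_CRONTAB))    # failed
```

The commented-out crontab case is the one a plain substring grep would get wrong, which is why the check skips comment lines.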