undercloud_tokenflush

Role Documentation

Welcome to the “undercloud_tokenflush” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “undercloud_tokenflush” role.

cron_check: keystone-manage token_flush

Role Variables: main.yaml

metadata:
  description: 'Without a token_flush crontab enabled for the keystone user, the keystone
    database can grow very large.  This validation checks that the keystone token_flush
    crontab has been set up.

    '
  groups:
  - pre-introspection
  name: Verify token_flush is enabled in keystone users crontab

Molecule Scenarios

Molecule is being used to test the “undercloud_tokenflush” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default

Example default configuration

driver:
  name: podman
log: true
platforms:
- dockerfile: ../../../../.config/molecule/Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos
  image: centos/centos:stream8
  name: centos
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: quay.io
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          centos:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
  options:
    vvv: true
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: ansible

Molecule Inventory

hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3

Example default playbook

- gather_facts: false
  hosts: all
  name: Converge
  tasks:
  - include_role:
      name: undercloud_tokenflush
    name: working detection
  - block:
    - copy:
        content: '[DEFAULT]

          container_cli = docker

          '
        dest: '{{ ansible_env.HOME }}/undercloud.conf'
      name: Override container_cli
    - include_role:
        name: undercloud_tokenflush
      name: run validation
    name: Validate failure
    rescue:
    - meta: clear_host_errors
      name: Clear host errors
    - debug:
        msg: The validation works! Ending play.
      name: Test output
    - meta: end_play
      name: End play
  - fail:
      msg: 'The undercloud_tokenflush validation failed to detect

        missing cron job.

        '
    name: Fail the validation at this point

Scenario: non-persistent-token-format

Example non-persistent-token-format configuration

driver:
  name: podman
log: true
platforms:
- dockerfile: ../../../../.config/molecule/Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos
  image: centos/centos:stream8
  name: centos
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: quay.io
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          centos:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
  options:
    vvv: true
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: ansible

Molecule Inventory

hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3

Example non-persistent-token-format playbook

- hosts: all
  name: Converge
  tasks:
  - block:
    - copy:
        content: '"keystone::token_provider": "fernet"

          '
        dest: /etc/puppet/service_configs.yaml
      name: Set token format to fernet
    - include_role:
        name: undercloud_tokenflush
      name: Ensure validation gracefully passes
    name: Skip validation when using fernet tokens
  - block:
    - copy:
        content: '"keystone::token_provider": "jws"

          '
        dest: /etc/puppet/service_configs.yaml
      name: Set token format to jws
    - include_role:
        name: undercloud_tokenflush
      name: Ensure validation gracefully passes
    name: Skip validation when using jws tokens
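
The check described in the role metadata, together with the skip for fernet and jws tokens exercised by the non-persistent-token-format scenario, as an added shell example (not the role's own tasks). The function names, the "uuid" provider value, and the sample files are constructed for illustration; it assumes the keystone user's crontab has been saved to a file.

```shell
#!/bin/sh
# Added example: approximates the validation's logic; not the role's own tasks.
CRON_CHECK='keystone-manage token_flush'   # role default "cron_check"

# Print the keystone::token_provider value found in file $1 (empty if none).
token_provider() {
    [ -r "$1" ] || return 0
    tr -d "\"'" < "$1" |
        sed -n 's/^[[:space:]]*keystone::token_provider[[:space:]]*:[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' |
        head -n 1
}

# True when crontab file $1 has an uncommented line containing $CRON_CHECK.
# A commented-out entry must not count as an enabled job.
has_token_flush() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qF -- "$CRON_CHECK"
}

# $1 = service config file, $2 = saved crontab of the keystone user.
# Prints SKIPPED, PASSED or FAILED; returns non-zero only for FAILED.
check_token_flush() {
    case "$(token_provider "$1")" in
        fernet|jws) echo SKIPPED; return 0 ;;   # providers the scenario skips
    esac
    if has_token_flush "$2"; then echo PASSED; return 0; fi
    echo FAILED
    return 1
}

# Constructed sample inputs, written to a scratch directory $1.
make_samples() {
    printf '"keystone::token_provider": "fernet"\n' > "$1/fernet.yaml"
    printf '"keystone::token_provider": "uuid"\n'   > "$1/uuid.yaml"
    printf '1 * * * * keystone-manage token_flush >>/dev/null 2>&1\n' > "$1/cron.ok"
    printf '# 1 * * * * keystone-manage token_flush\n' > "$1/cron.commented"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_token_flush "$demo_dir/fernet.yaml" "$demo_dir/cron.commented" || true  # SKIPPED
check_token_flush "$demo_dir/uuid.yaml"   "$demo_dir/cron.ok"        || true  # PASSED
check_token_flush "$demo_dir/uuid.yaml"   "$demo_dir/cron.commented" || true  # FAILED
rm -rf "$demo_dir"
```
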
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

tripleo-validations 11.6.1.dev73