undercloud_tokenflush

Role Documentation

Welcome to the “undercloud_tokenflush” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “undercloud_tokenflush” role.

cron_check: keystone-manage token_flush

Role Variables: main.yaml

metadata:
  description: 'Without a token_flush crontab enabled for the keystone user, the keystone
    database can grow very large.  This validation checks that the keystone token_flush
    crontab has been set up.

    '
  groups:
  - pre-introspection
  name: Verify token_flush is enabled in keystone users crontab

Molecule Scenarios

Molecule is being used to test the “undercloud_tokenflush” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default

Example default configuration
driver:
  name: podman
log: true
platforms:
- dockerfile: Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: ubi8
  image: ubi8/ubi-init
  name: ubi8
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: registry.access.redhat.com
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
  - /opt/yum.repos.d:/etc/yum.repos.d:rw
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          ubi8:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: testinfra
Molecule Inventory
hosts:
  all:
    hosts:
      ubi8:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- gather_facts: false
  hosts: all
  name: Converge
  tasks:
  - include_role:
      name: undercloud_tokenflush
    name: working detection
  - block:
    - copy:
        content: '[DEFAULT]

          container_cli = docker

          '
        dest: /undercloud.conf
      name: Override container_cli
    - include_role:
        name: undercloud_tokenflush
      name: run validation
    name: Validate failure
    rescue:
    - meta: clear_host_errors
      name: Clear host errors
    - debug:
        msg: The validation works! Ending play.
      name: Test output
    - meta: end_play
      name: End play
  - fail:
      msg: 'The undercloud_tokenflush validation failed to detect

        missing cron job.

        '
    name: Fail the validation at this point

Scenario: non-persistent-token-format

Example non-persistent-token-format configuration
driver:
  name: podman
log: true
platforms:
- dockerfile: Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: ubi8
  image: ubi8/ubi-init
  name: ubi8
  pkg_extras: python*-setuptools python*-pyyaml
  privileged: true
  registry:
    url: registry.access.redhat.com
  ulimits:
  - host
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
  - /opt/yum.repos.d:/etc/yum.repos.d:rw
provisioner:
  env:
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
    ANSIBLE_STDOUT_CALLBACK: yaml
  inventory:
    hosts:
      all:
        hosts:
          ubi8:
            ansible_python_interpreter: /usr/bin/python3
  log: true
  name: ansible
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: testinfra
Molecule Inventory
hosts:
  all:
    hosts:
      ubi8:
        ansible_python_interpreter: /usr/bin/python3
Example non-persistent-token-format playbook
- hosts: all
  name: Converge
  tasks:
  - block:
    - copy:
        content: '"keystone::token_provider": "fernet"

          '
        dest: /etc/puppet/service_configs.yaml
      name: Set token format to fernet
    - include_role:
        name: undercloud_tokenflush
      name: Ensure validation gracefully passes
    name: Skip validation when using fernet tokens
  - block:
    - copy:
        content: '"keystone::token_provider": "jws"

          '
        dest: /etc/puppet/service_configs.yaml
      name: Set token format to jws
    - include_role:
        name: undercloud_tokenflush
      name: Ensure validation gracefully passes
    name: Skip validation when using jws tokens