{"id":418,"sha1":"7e59d936478ff8770271a9081982e3fd493621f7","playbook":{"id":4,"items":{"plays":107,"tasks":2438,"results":2413,"hosts":13,"files":511,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:21:40.790759Z","ended":"2025-12-14T11:05:36.775743Z","duration":"00:43:55.984984","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2018, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nkeystone_core_files: []\n\nuwsgi_keystone_services: |-\n {% set services = {} %}\n {% for key, value in keystone_services.items() %}\n {% if (value['group'] in group_names) and\n (('condition' not in value) or ('condition' in value and value['condition']))\n and ('wsgi_app' in value and value['wsgi_app']) %}\n {% set _ = value.update(\n {\n 'wsgi_venv': (keystone_install_method == 'source') | ternary(keystone_bin | dirname, None),\n 'uwsgi_uid': keystone_system_user_name,\n 'uwsgi_guid': keystone_system_group_name,\n 'uwsgi_processes': keystone_wsgi_processes,\n 'uwsgi_threads': keystone_wsgi_threads,\n }\n ) %}\n {% set _ = services.update({key: value}) %}\n {% endif %}\n {% endfor %}\n {{ services }}\n\n_keystone_is_first_play_host: >-\n {{\n (keystone_services['keystone-wsgi-public']['group'] in group_names and\n inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | select('in', ansible_play_hosts)) | list)[0]) | bool\n }}\n_keystone_is_last_play_host: >-\n {{\n (keystone_services['keystone-wsgi-public']['group'] in group_names and\n inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | select('in', ansible_play_hosts)) | list)[-1]) | bool\n }}\n\n_keystone_oslomsg_rpc_vhost_conf: >-\n {{\n (keystone_oslomsg_rpc_vhost is string) | ternary(\n keystone_oslomsg_rpc_vhost, keystone_oslomsg_rpc_vhost | selectattr('state', 'eq', 'present') | map(attribute='name') | first)\n }}\n\n_keystone_oslomsg_notify_vhost_conf: >-\n {{\n (keystone_oslomsg_notify_vhost is string) | ternary(\n keystone_oslomsg_notify_vhost, keystone_oslomsg_notify_vhost | selectattr('state', 'eq', 'present') | map(attribute='name') | first)\n }}\n\n_keystone_cache_backend_map:\n dogpile:\n - oslo_cache.memcache_pool\n - dogpile.cache.pymemcache\n - dogpile.cache.memcached\n - dogpile.cache.bmemcached\n mongo:\n - oslo_cache.mongo\n etcd3gw:\n - oslo_cache.etcd3gw\n\n_keystone_cache_backend_package: |-\n {% set oslo = namespace(backend='dogpile') %}\n {% for key, value in _keystone_cache_backend_map.items() %}\n {% if keystone_cache_backend in value %}\n {% set oslo.backend = key %}\n {%- endif %}\n {%- endfor %}\n oslo.cache[{{ oslo.backend }}]\n\nkeystone_sp_apache_mod_shib: >-\n {{\n (\n keystone_sp != {} and (keystone_sp.apache_mod is undefined or (\n keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))\n )\n }}\nkeystone_sp_apache_mod_auth_openidc: >-\n {{ (keystone_sp != {} and keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc') }}\n\n_keystone_httpd_vhost_ssl: |-\n {% set ssl_options = {} %}\n {% if (keystone_user_ssl_cert is defined and keystone_user_ssl_cert) and (keystone_user_ssl_key is defined and keystone_user_ssl_key) %}\n {% set _ = ssl_options.update({'cert': keystone_user_ssl_cert, 'key': keystone_user_ssl_key}) %}\n {% if keystone_user_ssl_ca_cert is defined and keystone_user_ssl_ca_cert %}\n {% set _ = ssl_options.update({'ca': keystone_user_ssl_ca_cert}) %}\n {% endif %}\n {% else %}\n {% set _ = ssl_options.update({'san': keystone_pki_san}) %}\n {% endif %}\n {{ ssl_options }}\n\n_keystone_httpd_base_options:\n - Options +FollowSymLinks\n\n_keystone_httpd_shib_options:\n - \"ShibURLScheme {{ keystone_service_publicuri_proto }}\"\n - \"ProxyPass /Shibboleth.sso !\"\n - \"\"\n - \" ShibRequestSetting requireSession 1\"\n - \" AuthType shibboleth\"\n - \" ShibExportAssertion Off\"\n - \" Require valid-user\"\n - \"\"\n\n_keystone_httpd_openidc_base_options:\n - \"OIDCClaimPrefix \\\"{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}\\\"\"\n - \"OIDCResponseType \\\"{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}\\\"\"\n - \"OIDCScope \\\"{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}\\\"\"\n - \"OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}\"\n - \"OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}\"\n - \"OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}\"\n - \"OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}\"\n - \"OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}\"\n\n_keystone_httpd_openidc_options: |-\n {% set openidc_options = _keystone_httpd_openidc_base_options %}\n {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 %}\n {% set _ = openidc_options.append('OIDCXForwardedHeaders ' ~ keystone_secure_proxy_ssl_header) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined %}\n {% set _ = openidc_options.append('OIDCOAuthVerifyJwksUri ' ~ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined %}\n {% set _ = openidc_options.append('OIDCOutgoingProxy ' ~ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined %}\n {% set _ = openidc_options.append('OIDCOAuthIntrospectionEndpoint ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined %}\n {% set _ = openidc_options.append('OIDCOAuthClientID ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined %}\n {% set _ = openidc_options.append('OIDCOAuthClientSecret ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_pkce_method is defined %}\n {% set _ = openidc_options.append('OIDCPKCEMethod ' ~ keystone_sp.trusted_idp_list.0.oidc_pkce_method) %}\n {% endif %}\n {% if keystone_cache_servers | length > 0 -%}\n {% set _ = openidc_options.append('OIDCCacheType memcache') %}\n {% set _ = openidc_options.append('OIDCMemCacheServers \"' ~ keystone_cache_servers | join(' ') ~ '\"') %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_auth_request_params is defined %}\n {% set _ = openidc_options.append('OIDCAuthRequestParams ' ~ keystone_sp.trusted_idp_list.0.oidc_auth_request_params) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies is defined -%}\n {% set _ = openidc_options.append('OIDCStateMaxNumberOfCookies ' ~ keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined %}\n {% set _ = openidc_options.append('OIDCDefaultURL ' ~ keystone_sp.trusted_idp_list.0.oidc_default_url) %}\n {% endif %}\n {% if keystone_sp.trusted_idp_list.0.oidc_claim_delimiter is defined %}\n {% set _ = openidc_options.append('OIDCClaimDelimiter ' ~ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter) %}\n {% endif %}\n {{ openidc_options }}\n\n_keystone_httpd_openidc_location_options:\n - Require valid-user\n - AuthType openid-connect\n\n_keystone_httpd_openidc_locations:\n - path: \"{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}\"\n options: \"{{ _keystone_httpd_openidc_location_options }}\"\n - path: \"/v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth\"\n options:\n - Require valid-user\n - AuthType auth-openidc\n - path: /v3/auth/OS-FEDERATION/websso/openid\n options: \"{{ _keystone_httpd_openidc_location_options }}\"\n - path: /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso\n options: \"{{ _keystone_httpd_openidc_location_options }}\"\n\n_keystone_httpd_shib_locations:\n - path: /CShibboleth.sso\n options:\n - SetHandler shib\n - path: /v3/auth/OS-FEDERATION/websso/saml2\\\n options:\n - AuthType shibboleth\n - ShibRequestSetting requireSession 1\n - ShibRequestSetting exportAssertion 1\n - ShibRequireSession On\n - ShibExportAssertion On\n - Require valid-user\n\n_keystone_httpd_sp_directories:\n - path: /var/www/cgi-bin/keystone\n options:\n - Options Indexes FollowSymLinks MultiViews\n - AllowOverride All\n - Order allow,deny\n - allow from all\n","created":"2025-12-14T10:21:41.672273Z","updated":"2025-12-14T10:21:41.672288Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/vars/main.yml"}