{"id":441,"sha1":"92776c2b1d8bea2deb7447b8ca6273103e8d4a9d","playbook":{"id":5,"items":{"plays":108,"tasks":618,"results":960,"hosts":9,"files":456,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-15T10:19:13.597292Z","ended":"2025-12-15T10:42:26.420131Z","duration":"00:23:12.822839","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2015, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Drop Shibboleth Config\n  ansible.builtin.template:\n    src: \"{{ item.src }}\"\n    dest: \"{{ item.dest }}\"\n    owner: \"{{ keystone_system_user_name }}\"\n    group: \"{{ keystone_system_group_name }}\"\n    mode: \"{{ item.mode | default('0644') }}\"\n  with_items:\n    - { src: \"shibboleth-attribute-map.xml.j2\", dest: \"/etc/shibboleth/attribute-map.xml\" }\n    - { src: \"shibboleth2.xml.j2\", dest: \"/etc/shibboleth/shibboleth2.xml\" }\n  notify:\n    - Restart Shibd\n\n- name: Copy Shibboleth SP key-pair (if provided)\n  ansible.builtin.copy:\n    content: \"{{ item.content }}\"\n    dest: \"{{ item.dest }}\"\n    mode: \"{{ item.mode | default('0640') }}\"\n  when:\n    - _keystone_is_first_play_host\n    - item.content | length > 0\n  with_items:\n    - { content: \"{{ shibboleth_cert_user_content }}\", dest: \"/etc/shibboleth/sp-cert.pem\" }\n    - { content: \"{{ shibboleth_key_user_content }}\", dest: \"/etc/shibboleth/sp-key.pem\" }\n  notify:\n    - Restart web server\n    - Restart Shibd\n\n- name: Generate the Shibboleth SP key-pair\n  ansible.builtin.command: \"shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}\"\n  args:\n    creates: \"/etc/shibboleth/sp-cert.pem\"\n  when: _keystone_is_first_play_host\n  notify:\n    - Restart web server\n    - Restart Shibd\n\n- name: Store sp cert\n  ansible.builtin.slurp:\n    src: \"/etc/shibboleth/sp-cert.pem\"\n  register: _keystone_sp_cert\n  changed_when: false\n  when: _keystone_is_first_play_host\n\n- name: Store sp key\n  ansible.builtin.slurp:\n    src: \"/etc/shibboleth/sp-key.pem\"\n  register: _keystone_sp_key\n  changed_when: false\n  when: _keystone_is_first_play_host\n\n- name: Register a fact for the cert and key\n  ansible.builtin.set_fact:\n    keystone_sp_cert_fact: \"{{ _keystone_sp_cert.content }}\"\n    keystone_sp_key_fact: \"{{ _keystone_sp_key.content }}\"\n  when: _keystone_is_first_play_host\n\n- name: Distribute sp key\n  ansible.builtin.copy:\n    dest: \"/etc/shibboleth/sp-key.pem\"\n    content: \"{{ hostvars[groups['keystone_all'][0]]['keystone_sp_key_fact'] | b64decode }}\"\n    owner: \"{{ keystone_system_user_name }}\"\n    group: \"{{ keystone_system_group_name }}\"\n    mode: \"0640\"\n  when: not _keystone_is_first_play_host\n  notify:\n    - Restart web server\n    - Restart Shibd\n\n- name: Distribute sp cert\n  ansible.builtin.copy:\n    dest: \"/etc/shibboleth/sp-cert.pem\"\n    content: \"{{ hostvars[groups['keystone_all'][0]]['keystone_sp_cert_fact'] | b64decode }}\"\n    owner: \"{{ keystone_system_user_name }}\"\n    group: \"{{ keystone_system_group_name }}\"\n    mode: \"0640\"\n  when: not _keystone_is_first_play_host\n  notify:\n    - Restart web server\n    - Restart Shibd\n\n- name: Set appropriate file ownership on the Shibboleth SP key-pair\n  ansible.builtin.file:\n    path: \"{{ item }}\"\n    owner: \"_shibd\"\n    group: \"_shibd\"\n  with_items:\n    - \"/etc/shibboleth/sp-cert.pem\"\n    - \"/etc/shibboleth/sp-key.pem\"\n  when: not _keystone_is_first_play_host\n  notify:\n    - Restart web server\n    - Restart Shibd\n","created":"2025-12-15T10:19:14.972482Z","updated":"2025-12-15T10:19:14.972510Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/tasks/keystone_federation_sp_shib_setup.yml"}