{"id":385,"sha1":"c9325e52c3db639275a2cc99a4e130a45564fd6f","playbook":{"id":4,"items":{"plays":104,"tasks":1377,"results":1365,"hosts":2,"files":504,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:39:52.478534Z","ended":"2025-12-08T14:14:54.510371Z","duration":"00:35:02.031837","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"failed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2014, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# 
distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## Verbosity Options\ndebug: false\n\n# Set the host which will execute the shade modules\n# for the service setup. The host must already have\n# clouds.yaml properly configured.\nkeystone_service_setup_host: \"{{ openstack_service_setup_host | default('localhost') }}\"\nkeystone_service_setup_host_python_interpreter: >-\n  {{\n    openstack_service_setup_host_python_interpreter | default(\n      (keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n  }}\n\n# Set the package install state for distribution packages\n# Options are 'present' and 'latest'\nkeystone_package_state: \"{{ package_state | default('latest') }}\"\n\n# Set installation method.\nkeystone_install_method: \"{{ service_install_method | default('source') }}\"\nkeystone_venv_python_executable: \"{{ openstack_venv_python_executable | default('python3') }}\"\n\n# Centos shibboleth repository options\nkeystone_centos_shibboleth_mirror: \"https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux{{ ansible_facts['distribution_major_version'] }}\"\nkeystone_centos_shibboleth_key: \"https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key\"\n\n# Role standard API override this option in the OS variable files\nkeystone_shibboleth_repo: {}\n\nkeystone_git_repo: https://opendev.org/openstack/keystone\nkeystone_git_install_branch: master\nkeystone_upper_constraints_url: >-\n  {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}\nkeystone_git_constraints:\n  - \"--constraint {{ keystone_upper_constraints_url }}\"\n\nkeystone_pip_install_args: \"{{ pip_install_options | default('') }}\"\n\n# 
Name of the virtual env to deploy into\nkeystone_venv_tag: \"{{ venv_tag | default('untagged') }}\"\nkeystone_bin: \"{{ _keystone_bin }}\"\n\nkeystone_fatal_deprecations: false\n\n## System info\nkeystone_system_user_name: keystone\nkeystone_system_group_name: keystone\nkeystone_system_additional_groups:\n  - ssl_cert\n\nkeystone_system_shell: /bin/bash\nkeystone_system_comment: keystone system user\nkeystone_system_user_home: \"/var/lib/{{ keystone_system_user_name }}\"\n\n## Drivers\nkeystone_auth_methods: \"password,token,application_credential\"\nkeystone_identity_driver: sql\nkeystone_token_provider: fernet\nkeystone_token_expiration: 43200\nkeystone_token_cache_time: 3600\n\n# Set the revocation driver used within keystone.\nkeystone_revocation_driver: sql\nkeystone_revocation_cache_time: 3600\nkeystone_revocation_expiration_buffer: 1800\n\n## Fernet config vars\nkeystone_fernet_tokens_key_repository: \"/etc/keystone/fernet-keys\"\nkeystone_fernet_tokens_max_active_keys: 7\n# Any of the following rotation times are valid:\n#   reboot, yearly, annually, monthly, weekly, daily, hourly\nkeystone_fernet_rotation: daily\nkeystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh\n\n## Credentials config vars\nkeystone_credential_key_repository: /etc/keystone/credential-keys\n# Any of the following rotation times are valid:\n#   reboot, yearly, annually, monthly, weekly, daily, hourly\nkeystone_credential_rotation: weekly\nkeystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh\n\nkeystone_assignment_driver: sql\n\nkeystone_resource_cache_time: 3600\nkeystone_resource_driver: sql\n\nkeystone_bind_address: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\n\n## Database info\nkeystone_db_setup_host: \"{{ openstack_db_setup_host | default('localhost') }}\"\nkeystone_db_setup_python_interpreter: >-\n  {{\n    openstack_db_setup_python_interpreter | default(\n      (keystone_db_setup_host == 'localhost') | 
ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n  }}\nkeystone_galera_address: \"{{ galera_address | default('127.0.0.1') }}\"\nkeystone_galera_user: keystone\nkeystone_galera_database: keystone\nkeystone_galera_port: \"{{ galera_port | default('3306') }}\"\nkeystone_database_connection_string: >-\n  mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}:{{ keystone_galera_port }}/{{\n    keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_verify_cert=true{%\n      if keystone_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}{% endif %}\n## Database SSL\nkeystone_galera_use_ssl: \"{{ galera_use_ssl | default(False) }}\"\nkeystone_galera_ssl_ca_cert: \"{{ galera_ssl_ca_cert | default('') }}\"\n# Database tuning\nkeystone_database_enabled: true\nkeystone_db_max_overflow: \"{{ openstack_db_max_overflow | default('50') }}\"\nkeystone_db_max_pool_size: \"{{ openstack_db_max_pool_size | default('5') }}\"\nkeystone_db_pool_timeout: \"{{ openstack_db_pool_timeout | default('30') }}\"\nkeystone_db_connection_recycle_time: \"{{ openstack_db_connection_recycle_time | default('600') }}\"\n\n## Oslo Messaging\nkeystone_messaging_enabled: true\n\n# RPC\nkeystone_oslomsg_rpc_configure: false\nkeystone_oslomsg_rpc_host_group: \"{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}\"\nkeystone_oslomsg_rpc_setup_host: \"{{ (keystone_oslomsg_rpc_host_group in groups) | ternary(groups[keystone_oslomsg_rpc_host_group][0], 'localhost') }}\"\nkeystone_oslomsg_rpc_transport: \"{{ oslomsg_rpc_transport | default('rabbit') }}\"\nkeystone_oslomsg_rpc_servers: \"{{ oslomsg_rpc_servers | default('127.0.0.1') }}\"\nkeystone_oslomsg_rpc_port: \"{{ oslomsg_rpc_port | default('5672') }}\"\nkeystone_oslomsg_rpc_use_ssl: \"{{ oslomsg_rpc_use_ssl | default(False) }}\"\nkeystone_oslomsg_rpc_userid: keystone\nkeystone_oslomsg_rpc_policies: []\n# vhost 
name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues\n# are not used - vhost name will be prefixed with leading `/`.\nkeystone_oslomsg_rpc_vhost:\n  - name: /keystone\n    state: \"{{ keystone_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}\"\n  - name: keystone\n    state: \"{{ keystone_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}\"\nkeystone_oslomsg_rpc_ssl_version: \"{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}\"\nkeystone_oslomsg_rpc_ssl_ca_file: \"{{ oslomsg_rpc_ssl_ca_file | default('') }}\"\n\n# Notify\nkeystone_oslomsg_notify_configure: \"{{ oslomsg_notify_configure | default(keystone_ceilometer_enabled) }}\"\nkeystone_oslomsg_notify_host_group: \"{{ oslomsg_notify_host_group | default('rabbitmq_all') }}\"\nkeystone_oslomsg_notify_setup_host: >-\n  {{ (keystone_oslomsg_notify_host_group in groups) | ternary(groups[keystone_oslomsg_notify_host_group][0], 'localhost') }}\nkeystone_oslomsg_notify_transport: \"{{ oslomsg_notify_transport | default('rabbit') }}\"\nkeystone_oslomsg_notify_servers: \"{{ oslomsg_notify_servers | default('127.0.0.1') }}\"\nkeystone_oslomsg_notify_port: \"{{ oslomsg_notify_port | default('5672') }}\"\nkeystone_oslomsg_notify_use_ssl: \"{{ oslomsg_notify_use_ssl | default(False) }}\"\nkeystone_oslomsg_notify_userid: \"{{ keystone_oslomsg_rpc_userid }}\"\nkeystone_oslomsg_notify_password: \"{{ keystone_oslomsg_rpc_password }}\"\nkeystone_oslomsg_notify_vhost: \"{{ keystone_oslomsg_rpc_vhost }}\"\nkeystone_oslomsg_notify_ssl_version: \"{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}\"\nkeystone_oslomsg_notify_ssl_ca_file: \"{{ oslomsg_notify_ssl_ca_file | default('') }}\"\nkeystone_oslomsg_notify_policies: []\n\n## RabbitMQ integration\nkeystone_oslomsg_rabbit_quorum_queues: \"{{ oslomsg_rabbit_quorum_queues | default(True) }}\"\nkeystone_oslomsg_rabbit_stream_fanout: \"{{ oslomsg_rabbit_stream_fanout | default(keystone_oslomsg_rabbit_quorum_queues) 
}}\"\nkeystone_oslomsg_rabbit_transient_quorum_queues: \"{{ oslomsg_rabbit_transient_quorum_queues | default(keystone_oslomsg_rabbit_stream_fanout) }}\"\nkeystone_oslomsg_rabbit_qos_prefetch_count: \"{{ oslomsg_rabbit_qos_prefetch_count | default(keystone_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}\"\nkeystone_oslomsg_rabbit_queue_manager: \"{{ oslomsg_rabbit_queue_manager | default(keystone_oslomsg_rabbit_quorum_queues) }}\"\nkeystone_oslomsg_rabbit_quorum_delivery_limit: \"{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}\"\nkeystone_oslomsg_rabbit_quorum_max_memory_bytes: \"{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}\"\n\n## Role info\nkeystone_role_name: admin\n\n## Admin info\nkeystone_admin_user_name: admin\nkeystone_admin_tenant_name: admin\nkeystone_admin_description: Admin Tenant\n\n## Service Type and Data\nkeystone_service_setup: true\nkeystone_service_region: \"{{ service_region | default('RegionOne') }}\"\nkeystone_service_name: keystone\nkeystone_service_port: 5000\nkeystone_service_type: identity\nkeystone_service_description: \"Keystone Identity Service\"\nkeystone_service_tenant_name: service\nkeystone_service_project_description: \"OpenStack Services\"\n\nkeystone_service_proto: http\nkeystone_service_publicuri_proto: \"{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}\"\nkeystone_service_adminuri_proto: \"{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}\"\nkeystone_service_internaluri_proto: \"{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}\"\n\nkeystone_service_internaluri_insecure: false\nkeystone_service_adminuri_insecure: false\n\nkeystone_service_publicuri: \"{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}\"\nkeystone_service_internaluri: \"{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}\"\nkeystone_service_adminuri: \"{{ 
keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}\"\n\n## Set this value to override the \"public_endpoint\" keystone.conf variable\n# keystone_public_endpoint: \"{{ keystone_service_publicuri }}\"\n\n# Enable or disable uWSGI as the primary service manager. While uWSGI is used\n# for basic deployments, when this option is enabled it will become the sole\n# service manager instead of being a proxy target.\nkeystone_use_uwsgi: false\n\n# Apache web server will handle all requests and will act as a\n# reverse proxy to uWSGI when the `keystone_use_uwsgi` option is not enabled.\n# If internal TLS/SSL certificates are configured, they are implemented in\n# this web server's configuration. Using a web server for endpoints is\n# far better for scale and allows the use of additional modules to improve\n# performance or security, leaving uWSGI to only have to be used for running\n# the service.\n#\nkeystone_web_server_bind_address: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\n\n## Apache setup\nkeystone_apache_log_level: info\nkeystone_apache_custom_log_format: combined\n\n## uWSGI setup\nkeystone_wsgi_threads: 1\n## Cap the maximun number of processes when a user value is unspecified.\nkeystone_wsgi_processes_max: 16\nkeystone_wsgi_processes: \"{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}\"\nkeystone_uwsgi_bind_address: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\n\nkeystone_uwsgi_ports:\n  keystone-wsgi-public:\n    socket: 35358\n\nkeystone_uwsgi_ini_overrides: {}\nkeystone_default_uwsgi_overrides:\n  uwsgi:\n    socket: \"127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}\"\n\n# Define if communication between haproxy and service backends should be\n# encrypted with TLS.\nkeystone_backend_ssl: \"{{ openstack_service_backend_ssl | default(False) }}\"\n\n# The local address used for the keystone 
node\nkeystone_node_address: \"{{ management_address | default('127.0.0.1') }}\"\n\n# Storage location for SSL certificate authority\nkeystone_pki_dir: \"{{ openstack_pki_dir }}\"\n\n# Delegated host for operating the certificate authority\nkeystone_pki_setup_host: \"{{ openstack_pki_setup_host | default('localhost') }}\"\n\nkeystone_pki_keys_path: \"{{ keystone_pki_dir ~ '/certs/private/' }}\"\nkeystone_pki_certs_path: \"{{ keystone_pki_dir ~ '/certs/certs/' }}\"\nkeystone_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name }}\"\nkeystone_pki_intermediate_cert_path: >-\n  {{ keystone_pki_dir ~ '/roots/' ~ keystone_pki_intermediate_cert_name ~ '/certs/' ~ keystone_pki_intermediate_cert_name ~ '.crt' }}\nkeystone_pki_regen_cert: \"\"\n\n# By default, CA creation is controlled using the CA 'condition' field\nkeystone_pki_create_ca: true\n# SAN which will be used by HTTP role to generate certificates\nkeystone_pki_san: \"{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address) }}\"\n# An optional private certificate authority for when Keystone is an IDP\nkeystone_idp_authority_name: \"KeystoneIDPAuthority\"\nkeystone_pki_authorities:\n  - name: \"{{ keystone_idp_authority_name }}\"\n    country: \"GB\"\n    state_or_province_name: \"England\"\n    organization_name: \"Example Corporation\"\n    organizational_unit_name: \"IT Security\"\n    cn: \"Keystone IDP CA\"\n    provider: selfsigned\n    basic_constraints: \"CA:TRUE\"\n    key_usage:\n      - digitalSignature\n      - keyCertSign\n    not_after: \"+3650d\"\n    condition: \"{{ (keystone_idp['certfile'] is defined) and _keystone_is_first_play_host }}\"\n\n# Set to the value of keystone_idp_authority_name to regenerate the IDP CA\nkeystone_pki_regen_ca: \"\"\n\n# Installation details for SSL certificates\nkeystone_pki_install_certificates:\n  # IDP certificates\n  - src: \"{{ keystone_pki_dir ~ '/roots/' ~ keystone_idp_authority_name ~ 
'/certs/' ~ keystone_idp_authority_name ~ '.crt' }}\"\n    dest: \"{{ keystone_idp['certfile'] | default('') }}\"\n    owner: \"{{ keystone_system_user_name }}\"\n    # NOTE(review): this group value is the literal string, not the templated\n    # {{ keystone_system_group_name }} used by the keyfile entry below; verify\n    # the intended group is applied to the installed IDP CA certificate.\n    group: \"keystone_system_group_name\"\n    mode: \"0640\"\n    condition: \"{{ keystone_idp['certfile'] is defined | bool }}\"\n  - src: \"{{ keystone_pki_dir ~ '/roots/' ~ keystone_idp_authority_name ~ '/private/' ~ keystone_idp_authority_name ~ '.key.pem' }}\"\n    dest: \"{{ keystone_idp['keyfile'] | default('') }}\"\n    owner: \"{{ keystone_system_user_name }}\"\n    group: \"{{ keystone_system_group_name }}\"\n    mode: \"0640\"\n    condition: \"{{ keystone_idp['keyfile'] is defined | bool }}\"\n\nkeystone_ssl_protocol: \"{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}\"\n# TLS v1.2 and below\nkeystone_ssl_cipher_suite_tls12: >-\n  {{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}\n# TLS v1.3\nkeystone_ssl_cipher_suite_tls13: >-\n  {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}\n\n# Set these variables to deploy custom certificates\n# keystone_user_ssl_cert: <path to cert on ansible deployment host>\n# keystone_user_ssl_key: <path to private key on ansible deployment host>\n# keystone_user_ssl_ca_cert: <path to CA cert on ansible deployment host>\n\n# External SSL forwarding proto. The header below is trusted to carry the\n# original request scheme, so the front-end proxy must set or overwrite it\n# rather than pass a client-supplied value through.\nkeystone_secure_proxy_ssl_header: X-Forwarded-Proto\n\n## Override memcached_servers\nkeystone_memcached_servers: \"{{ memcached_servers }}\"\n\n## Caching\n# This is a list of strings, each string contains a cache server's\n# information (IP:port for example)\n# The cache_servers default backend is memcached, so this variable\n# should point to a list of memcached servers.\n# If empty, caching is disabled.\nkeystone_cache_backend: \"{{ openstack_cache_backend | default('oslo_cache.memcache_pool') }}\"\nkeystone_cache_backend_map: \"{{ 
openstack_cache_backend_map | default(_keystone_cache_backend_map) }}\"\nkeystone_cache_servers: \"{{ keystone_memcached_servers.split(',') }}\"\n\n## LDAP Section\n# Define Keystone LDAP domain configuration here.\n# This may be used to add configuration for a LDAP identity back-end.\n# See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html\n#\n# Each top-level entry is a domain name. Each entry below that is a set of key: value pairs for\n# the ldap section in the domain-specific configuration file.\n#\n# (EXAMPLE LAYOUT)\n# keystone_ldap:\n#   Users:\n#     url: \"ldap://127.0.0.1\"\n#     user: \"root\"\n#     password: \"secrete\"\n#     ...\n#\n# In production use an ldaps:// URL (or TLS) for the bind, bind with a\n# least-privilege read-only account rather than a directory admin, and keep\n# the bind password in a vaulted variables file instead of plain text here.\n\nkeystone_ldap: {}\nkeystone_ldap_domain_config_dir: /etc/keystone/domains\n\n## Policy vars\n# Provide a list of access controls to update the default policy.json with. These changes will be merged\n# with the access controls in the default policy.json. E.g.\n# keystone_policy_overrides:\n#   identity:create_region: \"rule:admin_required\"\n#   identity:update_region: \"rule:admin_required\"\n\n## Federation\n\n# Enable the following section on the Keystone IdP\nkeystone_idp: {}\n# keystone_idp:\n#   certfile: \"/etc/keystone/ssl/idp_signing_cert.pem\"\n#   keyfile: \"/etc/keystone/ssl/idp_signing_key.pem\"\n#   self_signed_cert_subject: \"/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}\"\n#   regen_cert: false\n#   idp_entity_id: \"{{ keystone_service_publicuri }}/v3//OS-FEDERATION/saml2/idp\"\n#   idp_sso_endpoint: \"{{ keystone_service_publicuri }}/v3/OS-FEDERATION/saml2/sso\"\n#   idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml\n#   service_providers:\n#     - id: \"sp_1\"\n#       auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth\n#       sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP\n#   # the following settings are optional\n#   organization_name: example_company\n#   organization_display_name: Example Corp.\n#   
organization_url: example.com\n#   contact_company: example_company\n#   contact_name: John\n#   contact_surname: Smith\n#   contact_email: jsmith@example.com\n#   contact_telephone: 555-55-5555\n#   contact_type: technical\n\n# Enable the following section in order to install and configure\n# Keystone as a Resource Service Provider (SP) and to configure\n# trusts with specific Identity Providers (IdP).\nkeystone_sp: {}\n# keystone_sp:\n#   cert_duration_years: 5\n#   apache_mod: shibboleth  #or mod_auth_openidc\n#   cadf_notifications: false\n#   cadf_notifications_opt_out:\n#     - identity.authenticate.failed\n#     - identity.authenticate.pending\n#     - identity.authenticate.success\n#   trusted_dashboard_list:\n#     - \"https://{{ external_lb_vip_address }}/auth/websso/\"\n#     - \"https://{{ horizon_server_name }}/auth/websso/\"\n#   trusted_idp_list:\n#     note that only one of these is supported at any one time for now\n#     - name: \"keystone-idp\"\n#       domain_id: \"default\"\n#       display_name: \"Keystone IDP\" # Optional, used in Horizon IDP dropdown\n#       entity_ids:\n#          - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'\n#       metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'\n#       metadata_file: 'metadata-keystone-idp.xml'\n#       metadata_reload: 1800\n#       federated_identities:\n#         - domain: Default\n#           project: fedproject\n#           group: fedgroup\n#           role: member\n#       protocols:\n#         - name: saml2\n#           mapping:\n#             name: keystone-idp-mapping\n#             rules:\n#               - remote:\n#                   - type: openstack_user\n#                 local:\n#                   - group:\n#                       name: fedgroup\n#                       domain:\n#                         name: Default\n#                     user:\n#                       name: '{0}'\n#           attributes:\n#             - name: openstack_user\n#  
             id: openstack_user\n#             - name: openstack_roles\n#               id: openstack_roles\n#             - name: openstack_project\n#               id: openstack_project\n#             - name: openstack_user_domain\n#               id: openstack_user_domain\n#             - name: openstack_project_domain\n#               id: openstack_project_domain\n#\n#     - name: 'testshib-idp'\n#       entity_ids:\n#         - 'https://idp.testshib.org/idp/shibboleth'\n#       metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'\n#       metadata_file: 'metadata-testshib-idp.xml'\n#       metadata_reload: 1800\n#       federated_identities:\n#         - domain: Default\n#           project: fedproject\n#           group: fedgroup\n#           role: member\n#       protocols:\n#         - name: saml2\n#           mapping:\n#             name: testshib-idp-mapping\n#             rules:\n#               - remote:\n#                   - type: eppn\n#                 local:\n#                   - group:\n#                       name: fedgroup\n#                       domain:\n#                         name: Default\n#                   - user:\n#                       name: '{0}'\n#\n#     - name: 'adfs-idp'\n#       entity_ids:\n#        - 'http://adfs.contoso.com/adfs/services/trust'\n#       metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'\n#       metadata_file: 'metadata-adfs-idp.xml'\n#       metadata_reload: 1800\n#       federated_identities:\n#         - domain: Default\n#           project: fedproject\n#           group: fedgroup\n#           role: member\n#       protocols:\n#         - name: saml2\n#           mapping:\n#             name: adfs-idp-mapping\n#             rules:\n#               - remote:\n#                   - type: upn\n#                 local:\n#                   - group:\n#                       name: fedgroup\n#                       domain:\n#                         
name: Default\n#                   - user:\n#                       name: '{0}'\n#           attributes:\n#             - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'\n#               id: upn\n#\n#     - name: \"keycloak-oidc-idp\"\n#       oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration\n#       oidc_client_id: keystone\n#       oidc_client_secret: secret\n#       oidc_crypto_passphrase: random string\n#       oidc_redirect_path: /oidc_redirect\n#       oidc_oauth_introspection_endpoint: endpoint address (optional)\n#       oidc_oauth_client_id: string (optional)\n#       oidc_oauth_client_secret: secret (optional)\n#       oidc_pkce_method: plain | S256 | referred_tb (optional)\n#       oidc_outgoing_proxy: \"proxy address\" (optional setting)\n#       oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one (optional)\n#       oidc_state_max_number_of_cookies: 5 false (optional)\n#       oidc_default_url: https://example.com/callback (optional)\n#       entity_ids:\n#         - 'https://identity-provider/openid-endpoint/'\n#       federated_identities:\n#         - domain: Default\n#           project: fedproject\n#           group: fedgroup\n#           role: member\n#       protocols:\n#         - name: openid\n#           mapping:\n#             name: keycloak-oidc-idp-openid-mapping\n#             rules:\n#               - remote:\n#                   - type: OIDC-email\n#                 local:\n#                   - group:\n#                       name: fedgroup\n#                       domain:\n#                         name: Default\n#                     user:\n#                       name: '{0}'\n\nkeystone_service_in_ldap: \"{{ service_ldap_backend_enabled | default(False) }}\"\n\n# Keystone notification settings\nkeystone_ceilometer_enabled: \"{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}\"\n\n# Common pip 
packages\nkeystone_pip_packages:\n  - \"git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone\"\n  - ldappool\n  - osprofiler\n  - PyMySQL\n  - \"{{ _keystone_cache_backend_package }}\"\n  - python-openstackclient\n  - systemd-python\n  - pyngus\n\n# Specific pip packages provided by the user\nkeystone_user_pip_packages: []\n\n# NOTE(cloudnull): Tunable SSO callback file file-based overrides If defined,\n#                  it'll be read from the deployment host, interpreted by the\n#                  template engine and copied to the target host.\n# keystone_sso_callback_file_path: \"/etc/openstack_deploy/keystone/sso_callback_template.html\"\n\n## Tunable file-based overrides\n# The contents of these files, if they exist, are read from the\n# specified path on the deployment host, interpreted by the\n# template engine and copied to the target host. If they do\n# not exist then they will be generated on first playbook run.\nshibboleth_cert_user_file_path: \"/etc/openstack_deploy/keystone/sp-cert.pem\"\nshibboleth_key_user_file_path: \"/etc/openstack_deploy/keystone/sp-key.pem\"\n\n## Tunable var-based overrides\n# The contents of these are templated over the default files.\nkeystone_keystone_conf_overrides: {}\nkeystone_keystone_default_conf_overrides: {}\nkeystone_policy_overrides: {}\n\nkeystone_required_secrets:\n  - keystone_auth_admin_password\n  - keystone_container_mysql_password\n  - keystone_oslomsg_rpc_password\n  - keystone_oslomsg_notify_password\n  - keystone_rabbitmq_password\n\nkeystone_uwsgi_init_overrides: {}\n\n## Service Name-Group Mapping\nkeystone_services:\n  keystone-wsgi-public:\n    group: keystone_all\n    wsgi_app: true\n    wsgi: \"keystone.wsgi.api:application\"\n    uwsgi_overrides: >-\n      {{\n        (keystone_use_uwsgi | bool) | ternary(\n          keystone_default_uwsgi_overrides,\n          keystone_default_uwsgi_overrides | combine(keystone_uwsgi_ini_overrides, recursive=True)\n        )\n      }}\n    
uwsgi_bind_address: \"{{ (keystone_use_uwsgi | bool) | ternary(keystone_uwsgi_bind_address, []) }}\"\n    uwsgi_port: \"{{ (keystone_use_uwsgi | bool) | ternary(keystone_service_port, '') }}\"\n\n## Extra HTTP headers for Keystone\n# Add any additional headers here that Keystone should return.\n#\n# Example:\n#\n#   keystone_extra_headers:\n#     - parameter: \"Access-Control-Expose-Headers\"\n#       value: \"X-Subject-Token\"\n#     - parameter: \"Access-Control-Allow-Headers\"\n#       value: \"Content-Type, X-Auth-Token\"\n#     - parameter: \"Access-Control-Allow-Origin\"\n#       value: \"*\"\nkeystone_extra_headers: []\n\n# List of trusted IPs which can pass X-Forwarded-For\nkeystone_set_real_ip_from: []\n\n# Toggle whether memcache should be flushed when doing\n# database migrations. This is sometimes useful when\n# doing upgrades, but should not usually be required.\n# ref: https://bugs.launchpad.net/openstack-ansible/+bug/1793389\nkeystone_flush_memcache: false\n\n# host which holds the ssh certificate authority\nkeystone_ssh_keypairs_setup_host: \"{{ openstack_ssh_keypairs_setup_host | default('localhost') }}\"\n\n# directory on the deploy host to create and store SSH keypairs\nkeystone_ssh_keypairs_dir: \"{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}\"\n\n# Each keystone host needs a signed ssh certificate to log into the others\nkeystone_ssh_keypairs:\n  - name: \"keystone-{{ inventory_hostname }}\"\n    cert:\n      signed_by: \"{{ openstack_ssh_signing_key }}\"\n      principals: \"{{ keystone_ssh_key_principals | default('keystone') }}\"\n      valid_from: \"{{ keystone_ssh_key_valid_from | default('always') }}\"\n      valid_to: \"{{ keystone_ssh_key_valid_to | default('forever') }}\"\n\n# Each keystone host needs the signed ssh certificate installing to the keystone user\nkeystone_ssh_keypairs_install_keys:\n  owner: \"{{ keystone_system_user_name }}\"\n  group: \"{{ keystone_system_group_name }}\"\n  keys:\n    
- cert: \"keystone-{{ inventory_hostname }}\"\n      dest: \"{{ keystone_system_user_home }}/.ssh/id_rsa\"\n\n# Each compute host must trust the SSHD certificate authoritiy in the sshd configuration\nkeystone_ssh_keypairs_install_ca: \"{{ openstack_ssh_keypairs_authorities }}\"\n\n# Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user\nkeystone_ssh_keypairs_principals:\n  - user: \"{{ keystone_system_user_name }}\"\n    principals: \"{{ keystone_ssh_key_principals | default(['keystone']) }}\"\n\nkeystone_ssh_extra_configuration:\n  - regexp: \"^PermitRootLogin\"\n    line: \"PermitRootLogin prohibit-password\"\n  - regexp: \"^TCPKeepAlive\"\n    line: \"TCPKeepAlive yes\"\n  - regexp: \"^UseDNS\"\n    line: \"UseDNS no\"\n  - regexp: \"^X11Forwarding\"\n    line: \"X11Forwarding no\"\n  - regexp: \"^PasswordAuthentication\"\n    line: \"PasswordAuthentication no\"\n","created":"2025-12-08T13:39:53.582421Z","updated":"2025-12-08T13:39:53.582458Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/defaults/main.yml"}