diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index c95ba50684..163cca2afd 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -857,8 +857,6 @@ default_project_domain_id: "default"
 default_user_domain_name: "Default"
 default_user_domain_id: "default"
-# Valid options are [ fernet ]
-keystone_token_provider: "fernet"
 # Keystone fernet token expiry in seconds. Default is 1 day.
 fernet_token_expiry: 86400
 # Keystone window to allow expired fernet tokens. Default is 2 days.
diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index a6f94057c6..146e7601b1 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -35,7 +35,7 @@ keystone_services:
 keystone-ssh:
 container_name: "keystone_ssh"
 group: "keystone"
- enabled: "{{ keystone_token_provider == 'fernet' }}"
+ enabled: true
 image: "{{ keystone_ssh_image_full }}"
 volumes:
 - "{{ node_config_directory }}/keystone-ssh/:{{ container_config_directory }}/:ro"
@@ -48,7 +48,7 @@ keystone_services:
 keystone-fernet:
 container_name: "keystone_fernet"
 group: "keystone"
- enabled: "{{ keystone_token_provider == 'fernet' }}"
+ enabled: true
 image: "{{ keystone_fernet_image_full }}"
 volumes:
 - "{{ node_config_directory }}/keystone-fernet/:{{ container_config_directory }}/:ro"
@@ -140,7 +140,7 @@ keystone_default_volumes:
 - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
 - "{{ kolla_dev_repos_directory ~ '/keystone/keystone:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/keystone' if keystone_dev_mode | bool else '' }}"
 - "kolla_logs:/var/log/kolla/"
- - "{% if keystone_token_provider == 'fernet' %}keystone_fernet_tokens:/etc/keystone/fernet-keys{% endif %}"
+ - "keystone_fernet_tokens:/etc/keystone/fernet-keys"
 keystone_extra_volumes: "{{ default_extra_volumes }}"
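Review bot: In ansible/roles/keystone/defaults/main.yml the new `enabled: true` literals on `keystone-ssh` (hunk at -35) and `keystone-fernet` (hunk at -48) carry no explanation, so nothing tells a later reader that these two helper containers are deliberately not switchable. The guide text touched by this commit says they exist to keep fernet keys synchronised between Keystone servers, so a one-line comment above each would record why a toggle must not be reintroduced casually, for example `# Always deployed: fernet is the only supported token provider and its keys are synchronised by this container.` Both service entries start and continue outside their hunks.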
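Review bot: In the `keystone_default_volumes` hunk (at -140) of ansible/roles/keystone/defaults/main.yml, the fernet key volume is now mounted unconditionally and, unlike the config-directory mounts visible in this file, without a `:ro` suffix. The hunk does not show which containers consume this list; if it is only the Keystone API container, and that container presumably only reads keys that `keystone-fernet` writes, then `- "keystone_fernet_tokens:/etc/keystone/fernet-keys:ro"` would limit it to reading the key repository. This needs confirming against the bootstrap and rotation tasks first, because any step that writes keys through this mount would break. The list and the entry after it continue outside the hunk.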
diff --git a/ansible/roles/keystone/tasks/bootstrap_service.yml b/ansible/roles/keystone/tasks/bootstrap_service.yml
index dd9b4c3143..58ae7bd000 100644
--- a/ansible/roles/keystone/tasks/bootstrap_service.yml
+++ b/ansible/roles/keystone/tasks/bootstrap_service.yml
@@ -71,5 +71,4 @@
 run_once: True
 delegate_to: "{{ groups['keystone'][0] }}"
 when:
- - keystone_token_provider == 'fernet'
 - groups['keystone_fernet_running'] is not defined
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index ffccd79023..804d3d27ae 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -200,14 +200,12 @@
 -n {{ (groups['keystone'] | length) }}
 changed_when: false
 register: cron_jobs_json
- when: keystone_token_provider == 'fernet'
 delegate_to: localhost
 - name: Set fact with the generated cron jobs for building the crontab later
 set_fact:
 cron_jobs: "{{ (cron_jobs_json.stdout | from_json).cron_jobs }}"
 ignore_errors: "{{ ansible_check_mode }}"
- when: keystone_token_provider == 'fernet'
 - name: Copying files for keystone-fernet
 vars:
diff --git a/ansible/roles/keystone/tasks/deploy.yml b/ansible/roles/keystone/tasks/deploy.yml
index e24a17c042..d71e7068d6 100644
--- a/ansible/roles/keystone/tasks/deploy.yml
+++ b/ansible/roles/keystone/tasks/deploy.yml
@@ -13,8 +13,6 @@
 meta: flush_handlers
 - include_tasks: distribute_fernet.yml
- when:
- - keystone_token_provider == 'fernet'
 - import_tasks: register.yml
diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index 1ca2f0a6f3..ffcb39850e 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -67,5 +67,3 @@ 120, 240, 480, 720, 1440, 3600, 7200, 10800, 14400, 21600, 43200, 60480, 120960, 151200, 201600, 302400, 604800. These values ensure an evenly-spaced run schedule as they divide 7 days without remainder. - when: - - keystone_token_provider == 'fernet' diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2 index f1e787b6f5..92f317ab32 100644 --- a/ansible/roles/keystone/templates/keystone.conf.j2 +++ b/ansible/roles/keystone/templates/keystone.conf.j2 @@ -29,7 +29,7 @@ domain_config_dir = /etc/keystone/domains [token] revoke_by_id = False -provider = {{ keystone_token_provider }} +provider = fernet expiration = {{ fernet_token_expiry }} allow_expired_window = {{ fernet_token_allow_expired_window }} diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst index e5b9b286ce..9a51c93316 100644 --- a/doc/source/reference/shared-services/keystone-guide.rst +++ b/doc/source/reference/shared-services/keystone-guide.rst @@ -4,14 +4,8 @@ Keystone - Identity service =========================== -Tokens ------- - -The Keystone token provider is configured via ``keystone_token_provider``. The -default value for this is ``fernet``. - Fernet Tokens -~~~~~~~~~~~~~ +------------- Fernet tokens require the use of keys that must be synchronised between Keystone servers. Kolla Ansible deploys two containers to handle this - diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index 54b1648071..de376ce922 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -455,9 +455,6 @@ workaround_ansible_issue_8743: yes # Keystone - Identity Options ############################# -# Valid options are [ fernet ] -#keystone_token_provider: 'fernet' - #keystone_admin_user: "admin" #keystone_admin_project: "admin" 
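Review bot: In ansible/roles/keystone/templates/keystone.conf.j2, hard-coding `provider = fernet` means a `keystone_token_provider` value left behind in an operator's globals.yml or inventory is now silently ignored instead of rejected. The removed comment listed fernet as the only valid option, so the rendered config should not change for supported deployments, but anyone carrying a different value learns of the removal only from the release note. A precheck that asserts `keystone_token_provider is not defined`, with a fail message pointing at the upgrade note, would surface a stale override at deploy time. The `[token]` section continues outside the hunk.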
diff --git a/releasenotes/notes/drop-keystone-token-provider-variable-6d18857276295bd6.yaml b/releasenotes/notes/drop-keystone-token-provider-variable-6d18857276295bd6.yaml
new file mode 100644
index 0000000000..1daf939c8e
--- /dev/null
+++ b/releasenotes/notes/drop-keystone-token-provider-variable-6d18857276295bd6.yaml
@@ -0,0 +1,4 @@
+---
+upgrade:
+ - The variable keystone_token_provider does not exist anymore,
+ because there is no alternative.