kolla-ansible/ansible/roles/keystone/tasks/config.yml
Pedro Henrique f3fbe83708 Add support to OpenID Connect Authentication flow
This pull request adds support for the OpenID Connect authentication
flow in Keystone and enables both ID and access token authentication
flows. The ID token configuration is designed to allow users to
authenticate via Horizon using an identity federation; whereas the
Access token is used to allow users to authenticate in the OpenStack CLI
using a federated user.

Without this PR, if one wants to configure OpenStack to use identity
federation, they need to do a lot of configuration in Keystone and
Horizon, and register a large number of different parameters using
the CLI, such as mappings, identity providers, federated protocols, and
so on. Therefore, with this PR, we propose a method for operators to
introduce/present the IdP's metadata to Kolla-ansible, and based on the
presented metadata, Kolla-ansible takes care of all of the
configurations to prepare OpenStack to work in a federated environment.

Implements: blueprint add-openid-support
Co-Authored-By: Jason Anderson <jasonanderson@uchicago.edu>
Change-Id: I0203a3470d7f8f2a54d5e126d947f540d93b8210
2021-02-15 16:57:47 -03:00


---
- name: Ensuring config directories exist
  # One config directory per entry of keystone_services, owned by the
  # config owner and created only on hosts that run that (enabled) service.
  become: true
  file:
    path: "{{ node_config_directory }}/{{ item.key }}"
    state: "directory"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0770"
  with_dict: "{{ keystone_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
- name: Check if policies shall be overwritten
  # Looks on the deploy host for a custom policy file in any supported
  # format; with `skip: true` an absent file yields an empty loop rather
  # than a failure.
  delegate_to: localhost
  run_once: true
  register: keystone_policy
  stat:
    path: "{{ item }}"
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/keystone/"
      skip: true
- name: Set keystone policy file
  # Records the path and basename of the first matching custom policy file;
  # skipped when the stat loop above matched nothing.
  when:
    - keystone_policy.results
  set_fact:
    keystone_policy_file_path: "{{ keystone_policy.results.0.stat.path }}"
    keystone_policy_file: "{{ keystone_policy.results.0.stat.path | basename }}"
- name: Check if Keystone domain-specific config is supplied
  # Checked once on the deploy host; later tasks gate on
  # keystone_domain_directory.stat.exists.
  delegate_to: localhost
  run_once: true
  register: keystone_domain_directory
  stat:
    path: "{{ node_custom_config }}/keystone/domains"
# Certificate handling is only needed when CA bundles are copied into
# containers or the keystone TLS backend is enabled.
- include_tasks: copy-certs.yml
  when:
    - kolla_copy_ca_into_containers | bool or keystone_enable_tls_backend | bool
- name: Copying over config.json files for services
  # Renders <service>.json.j2 into each enabled service's config directory
  # and restarts that service's container when the file changes.
  become: true
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
    mode: "0660"
  with_dict: "{{ keystone_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  notify:
    - Restart {{ item.key }} container
- name: Copying over keystone.conf
  # Merges the role template with the operator overrides; later sources win,
  # so the per-host file is the most specific. Only keystone and
  # keystone-fernet consume keystone.conf.
  vars:
    service_name: "{{ item.key }}"
  become: true
  merge_configs:
    sources:
      - "{{ role_path }}/templates/keystone.conf.j2"
      - "{{ node_custom_config }}/global.conf"
      - "{{ node_custom_config }}/keystone.conf"
      - "{{ node_custom_config }}/keystone/{{ item.key }}.conf"
      - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone.conf"
    dest: "{{ node_config_directory }}/{{ item.key }}/keystone.conf"
    mode: "0660"
  with_dict: "{{ keystone_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.key in [ "keystone", "keystone-fernet" ]
    - item.value.enabled | bool
  notify:
    - Restart {{ item.key }} container
- name: Copying keystone-startup script for keystone
  # Container entrypoint script for the keystone service only.
  vars:
    keystone: "{{ keystone_services['keystone'] }}"
  become: true
  template:
    src: "keystone-startup.sh.j2"
    dest: "{{ node_config_directory }}/keystone/keystone-startup.sh"
    mode: "0660"
  when:
    - inventory_hostname in groups[keystone.group]
    - keystone.enabled | bool
  notify:
    - Restart keystone container
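- name: Create Keystone domain-specific config directory
  # Holds the rendered per-domain settings files. Ownership matches the
  # other config directories created by this role (see "Ensuring config
  # directories exist"); without it the directory is left owned by the
  # become user rather than the config owner.
  vars:
    keystone: "{{ keystone_services.keystone }}"
  become: true
  file:
    path: "{{ node_config_directory }}/keystone/domains/"
    state: "directory"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0770"
  when:
    - inventory_hostname in groups[keystone.group]
    - keystone.enabled | bool
    - keystone_domain_directory.stat.exists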
- name: Get file list in custom domains folder
  # Lists the regular files directly under the operator's domains directory
  # (no recursion) so each can be rendered into the container config.
  delegate_to: localhost
  register: keystone_domains
  when: keystone_domain_directory.stat.exists
  find:
    path: "{{ node_custom_config }}/keystone/domains"
    recurse: false
    file_type: file
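- name: Copying Keystone Domain specific settings
  # Renders every file found in the custom domains directory. The loop
  # result is registered under its own name: registering it as
  # `keystone_domains` would overwrite the `find` result that holds
  # `.files`, breaking any later use of keystone_domains.files.
  vars:
    keystone: "{{ keystone_services.keystone }}"
  become: true
  template:
    src: "{{ item.path }}"
    dest: "{{ node_config_directory }}/keystone/domains/"
    mode: "0660"
  register: keystone_domain_files
  with_items: "{{ keystone_domains.files|default([]) }}"
  when:
    - inventory_hostname in groups[keystone.group]
    - keystone.enabled | bool
    - keystone_domain_directory.stat.exists
  notify:
    - Restart keystone container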
- name: Copying over existing policy file
  # Only runs when an operator-supplied policy file was found earlier
  # (keystone_policy_file is defined); delivered to keystone and
  # keystone-fernet under the file's original name.
  become: true
  template:
    src: "{{ keystone_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ keystone_policy_file }}"
    mode: "0660"
  with_dict: "{{ keystone_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.key in [ "keystone", "keystone-fernet" ]
    - item.value.enabled | bool
    - keystone_policy_file is defined
  notify:
    - Restart {{ item.key }} container
# OpenID Connect federation configuration is opt-in.
- include_tasks: config-federation-oidc.yml
  when:
    - keystone_enable_federation_openid | bool
- name: Copying over wsgi-keystone.conf
  # First match wins: per-host override, then global override, then the
  # role's own template.
  vars:
    keystone: "{{ keystone_services.keystone }}"
  become: true
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/keystone/wsgi-keystone.conf"
    mode: "0660"
  with_first_found:
    - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/wsgi-keystone.conf"
    - "{{ node_custom_config }}/keystone/wsgi-keystone.conf"
    - "wsgi-keystone.conf.j2"
  when:
    - inventory_hostname in groups[keystone.group]
    - keystone.enabled | bool
  notify:
    - Restart keystone container
- name: Checking whether keystone-paste.ini file exists
  # Checked once on the deploy host; the copy task below keys off
  # check_keystone_paste_ini.stat.exists.
  vars:
    keystone: "{{ keystone_services.keystone }}"
  delegate_to: localhost
  run_once: true
  register: check_keystone_paste_ini
  when:
    - keystone.enabled | bool
  stat:
    path: "{{ node_custom_config }}/keystone/keystone-paste.ini"
- name: Copying over keystone-paste.ini
  # Operator-supplied paste pipeline, delivered only when present.
  vars:
    keystone: "{{ keystone_services.keystone }}"
  become: true
  template:
    src: "{{ node_custom_config }}/keystone/keystone-paste.ini"
    dest: "{{ node_config_directory }}/keystone/keystone-paste.ini"
    mode: "0660"
  when:
    - inventory_hostname in groups[keystone.group]
    - keystone.enabled | bool
    - check_keystone_paste_ini.stat.exists
  notify:
    - Restart keystone container
- name: Generate the required cron jobs for the node
  # Runs the generator on the deploy host with the rotation interval in
  # minutes, this host's index within the keystone group, and the group
  # size, so each node gets its own slot of the rotation schedule.
  # NOTE(review): groups['keystone'].index(inventory_hostname) assumes the
  # current host is in the keystone group — confirm the role is only
  # applied there.
  delegate_to: localhost
  changed_when: false
  register: cron_jobs_json
  when: keystone_token_provider == 'fernet'
  command: >
    {{ ansible_playbook_python }} {{ role_path }}/files/fernet_rotate_cron_generator.py
    -t {{ (fernet_key_rotation_interval | int) // 60 }}
    -i {{ groups['keystone'].index(inventory_hostname) }}
    -n {{ (groups['keystone'] | length) }}
- name: Set fact with the generated cron jobs for building the crontab later
  # Parses the generator's JSON output; in check mode the command did not
  # run, so a parse failure is tolerated there.
  when: keystone_token_provider == 'fernet'
  ignore_errors: "{{ ansible_check_mode }}"
  set_fact:
    cron_jobs: "{{ (cron_jobs_json.stdout | from_json).cron_jobs }}"
- name: Copying files for keystone-fernet
  # Crontab, rotation/sync/push scripts, SSH client config and the SSH
  # private key used to push fernet keys to the other nodes.
  # NOTE(review): id_rsa is a private key, yet it is rendered through the
  # template module with the same group-readable mode (0660) as the plain
  # config files — confirm the in-container permission handling re-applies
  # a stricter mode, or consider a per-item mode.
  vars:
    keystone_fernet: "{{ keystone_services['keystone-fernet'] }}"
  become: true
  ignore_errors: "{{ ansible_check_mode }}"
  template:
    src: "{{ item.src }}"
    dest: "{{ node_config_directory }}/keystone-fernet/{{ item.dest }}"
    mode: "0660"
  with_items:
    - src: "crontab.j2"
      dest: "crontab"
    - src: "fernet-rotate.sh.j2"
      dest: "fernet-rotate.sh"
    - src: "fernet-node-sync.sh.j2"
      dest: "fernet-node-sync.sh"
    - src: "fernet-push.sh.j2"
      dest: "fernet-push.sh"
    - src: "id_rsa"
      dest: "id_rsa"
    - src: "ssh_config.j2"
      dest: "ssh_config"
  when:
    - inventory_hostname in groups[keystone_fernet.group]
    - keystone_fernet.enabled | bool
  notify:
    - Restart keystone-fernet container
- name: Copying files for keystone-ssh
  # sshd configuration and the public half of the fernet push key pair.
  vars:
    keystone_ssh: "{{ keystone_services['keystone-ssh'] }}"
  become: true
  template:
    src: "{{ item.src }}"
    dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
    mode: "0660"
  with_items:
    - src: "sshd_config.j2"
      dest: "sshd_config"
    - src: "id_rsa.pub"
      dest: "id_rsa.pub"
  when:
    - inventory_hostname in groups[keystone_ssh.group]
    - keystone_ssh.enabled | bool
  notify:
    - Restart keystone-ssh container