From 3bffbca3c77b79c250b51ac04e65b26dbb7d3914 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Tue, 23 Sep 2025 11:35:48 +0200 Subject: [PATCH] keystone: Add support for deploying httpd for federation Depends-On: https://review.opendev.org/c/openstack/kolla/+/954707 Change-Id: I1f519b3ce8b7f2ceee2eaef88e4afc8ca8fa2f6e Signed-off-by: Michal Nasiadka --- ansible/roles/keystone/defaults/main.yml | 84 +++++++++---- ansible/roles/keystone/handlers/main.yml | 14 +++ ansible/roles/keystone/tasks/config.yml | 23 +++- .../keystone/templates/httpd-keystone.conf.j2 | 113 ++++++++++++++++++ .../keystone/templates/keystone-httpd.json.j2 | 63 ++++++++++ .../service-uwsgi-config/defaults/main.yml | 1 + .../templates/uwsgi.ini.j2 | 3 + tests/templates/globals-default.j2 | 4 + zuul.d/project.yaml | 1 + zuul.d/scenarios/keystone-federation.yaml | 37 ++++++ 10 files changed, 317 insertions(+), 26 deletions(-) create mode 100644 ansible/roles/keystone/templates/httpd-keystone.conf.j2 create mode 100644 ansible/roles/keystone/templates/keystone-httpd.json.j2 create mode 100644 zuul.d/scenarios/keystone-federation.yaml diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml index 3d236dfef7..0b98275f8c 100644 --- a/ansible/roles/keystone/defaults/main.yml +++ b/ansible/roles/keystone/defaults/main.yml 
@@ -31,19 +31,6 @@ keystone_services: backend_http_extra: - "balance {{ 'source' if enable_keystone_federation | bool else 'roundrobin' }}" - "option httpchk" - keystone-ssh: - container_name: "keystone_ssh" - group: "keystone" - enabled: true - image: "{{ keystone_ssh_image_full }}" - volumes: - - "{{ node_config_directory }}/keystone-ssh/:{{ container_config_directory }}/:ro" - - "/etc/localtime:/etc/localtime:ro" - - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - - "kolla_logs:/var/log/kolla/" - - "keystone_fernet_tokens:/etc/keystone/fernet-keys" - dimensions: "{{ keystone_ssh_dimensions }}" - healthcheck: "{{ keystone_ssh_healthcheck }}" keystone-fernet: container_name: "keystone_fernet" group: "keystone" @@ -57,6 +44,27 @@ keystone_services: - "keystone_fernet_tokens:/etc/keystone/fernet-keys" dimensions: "{{ keystone_fernet_dimensions }}" healthcheck: "{{ keystone_fernet_healthcheck }}" + keystone-httpd: + container_name: "keystone_httpd" + group: "keystone" + enabled: "{{ enable_keystone_federation | bool }}" + image: "{{ keystone_httpd_image_full }}" + volumes: "{{ keystone_httpd_default_volumes + keystone_httpd_extra_volumes }}" + dimensions: "{{ keystone_httpd_dimensions }}" + healthcheck: "{{ keystone_httpd_healthcheck }}" + keystone-ssh: + container_name: "keystone_ssh" + group: "keystone" + enabled: true + image: "{{ keystone_ssh_image_full }}" + volumes: + - "{{ node_config_directory }}/keystone-ssh/:{{ container_config_directory }}/:ro" + - "/etc/localtime:/etc/localtime:ro" + - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" + - "kolla_logs:/var/log/kolla/" + - "keystone_fernet_tokens:/etc/keystone/fernet-keys" + dimensions: "{{ keystone_ssh_dimensions }}" + healthcheck: "{{ keystone_ssh_healthcheck }}" #################### # Config Validate 
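Review bot: The new `keystone-httpd` service is enabled by `enable_keystone_federation` alone, while the task that renders its `httpd-keystone.conf` in `tasks/config.yml` additionally requires `keystone_wsgi_provider == "uwsgi"`. With federation on and any other provider value, the container would be deployed without its vhost file, and presumably alongside a keystone container that still expects to own the public port. Consider tying the two conditions together, e.g. `enabled: "{{ enable_keystone_federation | bool and keystone_wsgi_provider == 'uwsgi' }}"`, or rejecting the combination in a precheck. The `keystone_services` mapping starts outside this hunk.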
@@ -105,6 +113,10 @@ keystone_image: "{{ docker_image_url }}keystone" keystone_service_tag: "{{ keystone_tag }}" keystone_image_full: "{{ keystone_image }}:{{ keystone_service_tag }}" +keystone_httpd_image: "{{ docker_image_url }}httpd" +keystone_httpd_tag: "{{ keystone_tag }}" +keystone_httpd_image_full: "{{ keystone_httpd_image }}:{{ keystone_httpd_tag }}" + keystone_fernet_image: "{{ docker_image_url }}keystone-fernet" keystone_fernet_tag: "{{ keystone_tag }}" keystone_fernet_image_full: "{{ keystone_fernet_image }}:{{ keystone_fernet_tag }}" @@ -114,6 +126,7 @@ keystone_ssh_tag: "{{ keystone_tag }}" keystone_ssh_image_full: "{{ keystone_ssh_image }}:{{ keystone_ssh_tag }}" keystone_dimensions: "{{ default_container_dimensions }}" +keystone_httpd_dimensions: "{{ default_container_dimensions }}" keystone_fernet_dimensions: "{{ default_container_dimensions }}" keystone_ssh_dimensions: "{{ default_container_dimensions }}" 
@@ -130,18 +143,18 @@ keystone_healthcheck: test: "{% if keystone_enable_healthchecks | bool %}{{ keystone_healthcheck_test }}{% else %}NONE{% endif %}" timeout: "{{ keystone_healthcheck_timeout }}" -keystone_ssh_enable_healthchecks: "{{ enable_container_healthchecks }}" -keystone_ssh_healthcheck_interval: "{{ default_container_healthcheck_interval }}" -keystone_ssh_healthcheck_retries: "{{ default_container_healthcheck_retries }}" -keystone_ssh_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}" -keystone_ssh_healthcheck_test: ["CMD-SHELL", "healthcheck_listen sshd {{ keystone_ssh_port }}"] -keystone_ssh_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}" -keystone_ssh_healthcheck: - interval: "{{ keystone_ssh_healthcheck_interval }}" - retries: "{{ keystone_ssh_healthcheck_retries }}" - start_period: "{{ keystone_ssh_healthcheck_start_period }}" - test: "{% if keystone_ssh_enable_healthchecks | bool %}{{ keystone_ssh_healthcheck_test }}{% else %}NONE{% endif %}" - timeout: "{{ keystone_ssh_healthcheck_timeout }}" +keystone_httpd_enable_healthchecks: "{{ enable_container_healthchecks }}" +keystone_httpd_healthcheck_interval: "{{ default_container_healthcheck_interval }}" +keystone_httpd_healthcheck_retries: "{{ default_container_healthcheck_retries }}" +keystone_httpd_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}" +keystone_httpd_healthcheck_test: ["CMD-SHELL", "healthcheck_curl {{ 'https' if keystone_enable_tls_backend | bool else 'http' }}://{{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}"] +keystone_httpd_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}" +keystone_httpd_healthcheck: + interval: "{{ keystone_httpd_healthcheck_interval }}" + retries: "{{ keystone_httpd_healthcheck_retries }}" + start_period: "{{ keystone_httpd_healthcheck_start_period }}" + test: "{% if keystone_httpd_enable_healthchecks | bool %}{{ 
keystone_httpd_healthcheck_test }}{% else %}NONE{% endif %}" + timeout: "{{ keystone_httpd_healthcheck_timeout }}" keystone_fernet_enable_healthchecks: "{{ enable_container_healthchecks }}" keystone_fernet_healthcheck_interval: "{{ default_container_healthcheck_interval }}" @@ -156,6 +169,19 @@ keystone_fernet_healthcheck: test: "{% if keystone_fernet_enable_healthchecks | bool %}{{ keystone_fernet_healthcheck_test }}{% else %}NONE{% endif %}" timeout: "{{ keystone_fernet_healthcheck_timeout }}" +keystone_ssh_enable_healthchecks: "{{ enable_container_healthchecks }}" +keystone_ssh_healthcheck_interval: "{{ default_container_healthcheck_interval }}" +keystone_ssh_healthcheck_retries: "{{ default_container_healthcheck_retries }}" +keystone_ssh_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}" +keystone_ssh_healthcheck_test: ["CMD-SHELL", "healthcheck_listen sshd {{ keystone_ssh_port }}"] +keystone_ssh_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}" +keystone_ssh_healthcheck: + interval: "{{ keystone_ssh_healthcheck_interval }}" + retries: "{{ keystone_ssh_healthcheck_retries }}" + start_period: "{{ keystone_ssh_healthcheck_start_period }}" + test: "{% if keystone_ssh_enable_healthchecks | bool %}{{ keystone_ssh_healthcheck_test }}{% else %}NONE{% endif %}" + timeout: "{{ keystone_ssh_healthcheck_timeout }}" + keystone_default_volumes: - "{{ node_config_directory }}/keystone/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" 
@@ -165,7 +191,14 @@ keystone_default_volumes: - "{{ '/dev/shm:/dev/shm' }}" - "keystone_fernet_tokens:/etc/keystone/fernet-keys" +keystone_httpd_default_volumes: + - "{{ node_config_directory }}/keystone-httpd/:{{ container_config_directory }}/:ro" + - "/etc/localtime:/etc/localtime:ro" + - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" + - "kolla_logs:/var/log/kolla/" + keystone_extra_volumes: "{{ default_extra_volumes }}" +keystone_httpd_extra_volumes: "{{ keystone_extra_volumes }}" #################### # OpenStack @@ -266,3 +299,4 @@ keystone_copy_certs: "{{ kolla_copy_ca_into_containers | bool or keystone_enable # WSGI ############ keystone_wsgi_provider: "uwsgi" +keystone_wsgi_socket_port: "5001" diff --git a/ansible/roles/keystone/handlers/main.yml b/ansible/roles/keystone/handlers/main.yml index c149877918..8d5f1fd049 100644 --- a/ansible/roles/keystone/handlers/main.yml +++ b/ansible/roles/keystone/handlers/main.yml @@ -68,6 +68,20 @@ dimensions: "{{ service.dimensions }}" healthcheck: "{{ service.healthcheck | default(omit) }}" +- name: Restart keystone-httpd container + vars: + service_name: "keystone-httpd" + service: "{{ keystone_services[service_name] }}" + become: true + kolla_container: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ service.container_name }}" + image: "{{ service.image }}" + volumes: "{{ service.volumes | reject('equalto', '') | list }}" + dimensions: "{{ service.dimensions }}" + healthcheck: "{{ service.healthcheck | default(omit) }}" + - name: Finish keystone database upgrade vars: service_name: "keystone" diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index df6617dd41..3ad2472810 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml 
@@ -147,9 +147,14 @@ project_services: "{{ keystone_services }}" service: "{{ keystone_services['keystone'] }}" service_name: "keystone" + service_uwsgi_config_host: >- + {{ '127.0.0.1' if enable_keystone_federation | bool + else api_interface_address | put_address_in_context('url') }} service_uwsgi_config_http_port: "{{ keystone_listen_port }}" service_uwsgi_config_module: "{{ service.wsgi }}" - service_uwsgi_config_tls_backend: "{{ keystone_enable_tls_backend | bool }}" + service_uwsgi_config_socket_port: "{{ keystone_wsgi_socket_port if enable_keystone_federation | bool else '' }}" + service_uwsgi_config_tls_backend: >- + {{ keystone_enable_tls_backend | bool and (not enable_keystone_federation | bool) }} service_uwsgi_config_tls_cert: "/etc/keystone/certs/keystone-cert.pem" service_uwsgi_config_tls_key: "/etc/keystone/certs/keystone-key.pem" service_uwsgi_config_uid: "keystone" @@ -157,6 +162,22 @@ - service | service_enabled_and_mapped_to_host - keystone_wsgi_provider == "uwsgi" +- name: Copying over httpd-keystone.conf + vars: + service: "{{ keystone_services['keystone-httpd'] }}" + template: + src: "{{ item }}" + dest: "{{ node_config_directory }}/keystone-httpd/httpd-keystone.conf" + mode: "0660" + become: true + when: + - service | service_enabled_and_mapped_to_host + - keystone_wsgi_provider == "uwsgi" + with_first_found: + - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/httpd-keystone.conf" + - "{{ node_custom_config }}/keystone/httpd-keystone.conf" + - "httpd-keystone.conf.j2" + - name: Checking whether keystone-paste.ini file exists vars: service: "{{ keystone_services['keystone'] }}" diff --git a/ansible/roles/keystone/templates/httpd-keystone.conf.j2 b/ansible/roles/keystone/templates/httpd-keystone.conf.j2 new file mode 100644 index 0000000000..435fe7cdd7 --- /dev/null +++ b/ansible/roles/keystone/templates/httpd-keystone.conf.j2 
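Review bot: Binding the uwsgi-protocol socket to `127.0.0.1` (`service_uwsgi_config_host` here, and the `socket =` line added in `uwsgi.ini.j2`) makes that TCP port the trust boundary for federated identity: the uwsgi protocol carries the request environment from httpd and has no authentication of its own, so any local process or host-networked container that can reach the port is trusted as much as httpd is. A Unix-domain socket on a volume shared only by the two containers, with restrictive ownership, would narrow that; at minimum add a comment such as `# uwsgi socket is unauthenticated: keep it loopback-only, httpd is the only intended client`. It also looks like the existing HTTP listener on `service_uwsgi_config_http_port` stays enabled (those template lines are outside the diff), now in cleartext because `service_uwsgi_config_tls_backend` is forced off, so it is worth confirming whether it is still needed in this mode. Separately, the vhost proxies to `uwsgi://localhost:...` while uwsgi binds `127.0.0.1`; using the same literal on both sides avoids a mismatch where `localhost` resolves to `::1` first.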
@@ -0,0 +1,113 @@ +{% set keystone_log_dir = '/var/log/kolla/keystone' %} +{% set binary_path = '/var/lib/kolla/venv/bin' %} +{% if keystone_enable_tls_backend | bool %} +{% if kolla_base_distro in ['centos', 'rocky'] %} +LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so +{% else %} +LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so +{% endif %} +{% endif %} + +{% if kolla_base_distro in ['centos', 'rocky'] %} +LoadModule proxy_module /usr/lib64/httpd/modules/mod_proxy.so +LoadModule proxy_uwsgi_module /usr/lib64/httpd/modules/mod_proxy_uwsgi.so +{% else %} +LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so +LoadModule proxy_uwsgi_module /usr/lib/apache2/modules/mod_proxy_uwsgi.so +{% endif %} + +Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }} + +ServerSignature Off +ServerTokens Prod +TraceEnable off +TimeOut {{ kolla_httpd_timeout }} +KeepAliveTimeout {{ kolla_httpd_keep_alive }} + +ErrorLog "{{ keystone_log_dir }}/apache-error.log" + + CustomLog "{{ keystone_log_dir }}/apache-access.log" common + + +{% if keystone_logging_debug | bool %} +LogLevel info +{% endif %} + + +{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#} +{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. 
-#} +{% if kolla_enable_tls_external | bool %} + ServerName {{ keystone_public_url }} +{% endif %} + ErrorLogFormat "%{cu}t %M" + ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log" + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat + CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat + ProxyPass / "uwsgi://localhost:{{ keystone_wsgi_socket_port }}/" + +{% if keystone_enable_tls_backend | bool %} + SSLEngine on + SSLCertificateFile /etc/keystone/certs/keystone-cert.pem + SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem +{% endif -%} + +{% if keystone_enable_federation_openid | bool %} +{% if keystone_federation_oidc_forwarded_headers | length > 0 %} + OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}" +{% endif %} + OIDCClaimPrefix "OIDC-" + OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}" + OIDCResponseType "{{ keystone_federation_oidc_response_type }}" + OIDCScope "{{ keystone_federation_oidc_scopes }}" + OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }} +{% if keystone_federation_oidc_jwks_uri | length > 0 %} + OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }} +{% endif %} +{% if keystone_federation_openid_certificate_key_ids | length > 0 %} + OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }} +{% endif %} + OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }} + OIDCRedirectURI {{ keystone_public_url }}/redirect_uri +{% if enable_memcached | bool and keystone_oidc_enable_memcached | bool %} + OIDCCacheType memcache + OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}" +{% endif %} +{% for key, value in keystone_federation_oidc_additional_options.items() %} + {{ key }} {{ value }} +{% 
endfor %} + + + Require valid-user + AuthType openid-connect + + + {# WebSSO authentication endpoint -#} + + Require valid-user + AuthType openid-connect + + +{% for idp in keystone_identity_providers %} +{% if idp.protocol == 'openid' %} + + OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ idp.identifier | urlencode }} + Require valid-user + AuthType openid-connect + +{% endif %} +{% endfor %} + + {# CLI / API authentication endpoint -#} +{% for idp in keystone_identity_providers %} +{% if idp.protocol == 'openid' -%} + + Require valid-user + {# Note(jasonanderson): `auth-openidc` is a special auth type that can -#} + {# additionally handle verifying bearer tokens -#} + AuthType auth-openidc + +{% endif %} +{% endfor %} +{% endif %} + + diff --git a/ansible/roles/keystone/templates/keystone-httpd.json.j2 b/ansible/roles/keystone/templates/keystone-httpd.json.j2 new file mode 100644 index 0000000000..b82376afce --- /dev/null +++ b/ansible/roles/keystone/templates/keystone-httpd.json.j2 
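Review bot: `OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}` is rendered unquoted, unlike `OIDCScope` and `OIDCClaimDelimiter` a few lines above it, so a passphrase containing whitespace would be split into separate directive arguments instead of being used whole. Quote it: `OIDCCryptoPassphrase "{{ keystone_federation_openid_crypto_password }}"`. The `{{ key }} {{ value }}` loop over `keystone_federation_oidc_additional_options` likewise emits operator-supplied values verbatim; a template comment stating that values must already be valid, quoted Apache directive arguments would help. Since this file carries the passphrase, a comment next to the directive noting that the rendered file is a secret would also be useful (the copy task writes it with mode `0660` on the host).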
@@ -0,0 +1,63 @@ +{% set apache_cmd = '/usr/sbin/apache2' if kolla_base_distro in ['ubuntu', 'debian'] else '/usr/sbin/httpd' %} +{% set apache_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} +{% set apache_user = 'www-data' if kolla_base_distro in ['ubuntu', 'debian'] else 'apache' %} + +{ + "command": "{{ apache_cmd }} -DFOREGROUND", + "config_files": [ + { + "source": "{{ container_config_directory }}/httpd-keystone.conf", + "dest": "/etc/{{ apache_dir }}/httpd-keystone.conf", + "owner": "root", + "perm": "0600" + }{% if keystone_enable_tls_backend | bool %}, + { + "source": "{{ container_config_directory }}/keystone-cert.pem", + "dest": "/etc/keystone/certs/keystone-cert.pem", + "owner": "keystone", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/keystone-key.pem", + "dest": "/etc/keystone/certs/keystone-key.pem", + "owner": "keystone", + "perm": "0600" + }{% endif %}{% if keystone_enable_federation_openid | bool %}, + { + "source": "{{ container_config_directory }}/federation/oidc/metadata", + "dest": "{{ keystone_container_federation_oidc_metadata_folder }}", + "owner": "{{ apache_user }}:{{ apache_user }}", + "perm": "0600", + "merge": true + }, + { + "source": "{{ container_config_directory }}/federation/oidc/cert", + "dest": "{{ keystone_container_federation_oidc_idp_certificate_folder }}", + "owner": "{{ apache_user }}:{{ apache_user }}", + "perm": "0600", + "merge": true + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} + ], + "permissions": [ + { + "path": "/var/log/kolla/keystone", + "owner": "keystone:kolla" + }{% if keystone_enable_federation_openid | bool %}, + { + "path": "{{ keystone_container_federation_oidc_metadata_folder }}", + "owner": "{{ apache_user }}:{{ apache_user }}", + "perm": "0700" + 
}, + { + "path": "{{ keystone_container_federation_oidc_idp_certificate_folder }}", + "owner": "{{ apache_user }}:{{ apache_user }}", + "perm": "0700" + }{% endif %} + ] +} diff --git a/ansible/roles/service-uwsgi-config/defaults/main.yml b/ansible/roles/service-uwsgi-config/defaults/main.yml index 6e5225c926..9c5e13ed33 100644 --- a/ansible/roles/service-uwsgi-config/defaults/main.yml +++ b/ansible/roles/service-uwsgi-config/defaults/main.yml @@ -3,6 +3,7 @@ service_uwsgi_config_host: "{{ api_interface_address | put_address_in_context('u service_uwsgi_config_file: "{{ node_config_directory }}/{{ service_name }}/{{ service_name }}-uwsgi.ini" service_uwsgi_config_log_dir: "{{ ansible_parent_role_names | first }}" service_uwsgi_config_log_file: "{{ service_name }}-uwsgi.log" +service_uwsgi_config_socket_port: "" service_uwsgi_config_tls_backend: false service_uwsgi_config_worker_timeout: 80 service_uwsgi_config_workers: "{{ openstack_service_workers }}" diff --git a/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 b/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 index a7495b4395..8ad80eb425 100644 --- a/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 +++ b/ansible/roles/service-uwsgi-config/templates/uwsgi.ini.j2 @@ -27,6 +27,9 @@ wsgi-file = {{ service_uwsgi_config_wsgi_file }} plugins-dir = {{ '/usr/lib/uwsgi/plugins' if kolla_base_distro in ['ubuntu', 'debian'] else '/usr/lib64/uwsgi' }} plugins = python3 processes = {{ service_uwsgi_config_workers }} +{% if service_uwsgi_config_socket_port | length > 0 %} +socket = {{ service_uwsgi_config_host }}:{{ service_uwsgi_config_socket_port }} +{% endif %} socket-timeout = 30 thunder-lock = true {% if service_uwsgi_config_uid is defined %} diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2 index ddcc631dd4..85ccecde5f 100644 --- a/tests/templates/globals-default.j2 +++ b/tests/templates/globals-default.j2 
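Review bot: Every `source` in `config_files` resolves under the keystone-httpd config directory, but the only task this patch adds for that directory writes `httpd-keystone.conf`; nothing in the diffstat touches the tasks that stage `keystone-cert.pem`/`keystone-key.pem`, `federation/oidc/metadata`, `federation/oidc/cert` or `ca-certificates`. Unless the existing copy loops already iterate over every entry in `keystone_services` (not visible here), those sources will be missing and the container will fail at config copy as soon as TLS backend or OpenID is enabled. Please confirm that, or add the staging tasks, and use `"optional": true` only on entries whose absence is legitimate. The cert and key entries are also chowned to `keystone`, which assumes that user exists in the httpd image.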
@@ -283,5 +283,9 @@ enable_ceilometer: "yes" enable_gnocchi: "yes" {% endif %} +{% if scenario == "federation" %} +enable_keystone_federation: true +{% endif %} + mariadb_monitor_read_only_interval: "30000" mariadb_monitor_galera_healthcheck_timeout: "30000" diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index dffc20c4ed..0986241300 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -11,6 +11,7 @@ # NOTE(mnasiadka): Failing since # https://review.opendev.org/c/openstack/kolla-ansible/+/864780 # - kolla-ansible-scenario-container-engine-migration + - kolla-ansible-scenario-federation - kolla-ansible-scenario-haproxy-fqdn - kolla-ansible-scenario-kayobe - kolla-ansible-scenario-openbao diff --git a/zuul.d/scenarios/keystone-federation.yaml b/zuul.d/scenarios/keystone-federation.yaml new file mode 100644 index 0000000000..47e3f3ff88 --- /dev/null +++ b/zuul.d/scenarios/keystone-federation.yaml @@ -0,0 +1,37 @@ +--- +- job: + name: kolla-ansible-federation-base + parent: kolla-ansible-base + voting: false + files: !inherit + - ^ansible/group_vars/all/keystone.yml + - ^ansible/roles/keystone/ + vars: + scenario: federation + scenario_images_extra: + - ^httpd + +- job: + name: kolla-ansible-debian-bookworm-federation + parent: kolla-ansible-federation-base + nodeset: kolla-ansible-debian-bookworm-multi-8GB + +- job: + name: kolla-ansible-rocky-10-federation + parent: kolla-ansible-federation-base + nodeset: kolla-ansible-rocky-10-multi-8GB + +- job: + name: kolla-ansible-ubuntu-noble-federation + parent: kolla-ansible-federation-base + nodeset: kolla-ansible-ubuntu-noble-multi-8GB + +- project-template: + name: kolla-ansible-scenario-federation + description: | + Runs Kolla-Ansible Keystone federation scenario jobs. + check: + jobs: + - kolla-ansible-debian-bookworm-federation + - kolla-ansible-rocky-10-federation + - kolla-ansible-ubuntu-noble-federation