cron_check: keystone-manage token_flush
metadata:
description: 'Without a token_flush crontab enabled for the keystone user, the keystone
database can grow very large. This validation checks that the keystone token_flush
crontab has been set up.
'
groups:
- pre-introspection
name: Verify token_flush is enabled in keystone users crontab
driver:
name: podman
log: true
platforms:
- dockerfile: Dockerfile
environment:
http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
hostname: ubi8
image: ubi8/ubi-init
name: ubi8
pkg_extras: python*-setuptools python*-pyyaml
privileged: true
registry:
url: registry.access.redhat.com
ulimits:
- host
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
- /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
- /opt/yum.repos.d:/etc/yum.repos.d:rw
provisioner:
env:
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
ANSIBLE_STDOUT_CALLBACK: yaml
inventory:
hosts:
all:
hosts:
ubi8:
ansible_python_interpreter: /usr/bin/python3
log: true
name: ansible
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
verifier:
name: testinfra
hosts:
all:
hosts:
ubi8:
ansible_python_interpreter: /usr/bin/python3
- gather_facts: false
hosts: all
name: Converge
tasks:
- include_role:
name: undercloud_tokenflush
name: working detection
- block:
- copy:
content: '[DEFAULT]
container_cli = docker
'
dest: /undercloud.conf
name: Override container_cli
- include_role:
name: undercloud_tokenflush
name: run validation
name: Validate failure
rescue:
- meta: clear_host_errors
name: Clear host errors
- debug:
msg: The validation works! Ending play.
name: Test output
- meta: end_play
name: End play
- fail:
msg: 'The undercloud_tokenflush validation failed to detect
missing cron job.
'
name: Fail the validation at this point
driver:
name: podman
log: true
platforms:
- dockerfile: Dockerfile
environment:
http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
hostname: ubi8
image: ubi8/ubi-init
name: ubi8
pkg_extras: python*-setuptools python*-pyyaml
privileged: true
registry:
url: registry.access.redhat.com
ulimits:
- host
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
- /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
- /opt/yum.repos.d:/etc/yum.repos.d:rw
provisioner:
env:
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}
ANSIBLE_STDOUT_CALLBACK: yaml
inventory:
hosts:
all:
hosts:
ubi8:
ansible_python_interpreter: /usr/bin/python3
log: true
name: ansible
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
verifier:
name: testinfra
hosts:
all:
hosts:
ubi8:
ansible_python_interpreter: /usr/bin/python3
- hosts: all
name: Converge
tasks:
- block:
- copy:
content: '"keystone::token_provider": "fernet"
'
dest: /etc/puppet/service_configs.yaml
name: Set token format to fernet
- include_role:
name: undercloud_tokenflush
name: Ensure validation gracefully passes
name: Skip validation when using fernet tokens
- block:
- copy:
content: '"keystone::token_provider": "jws"
'
dest: /etc/puppet/service_configs.yaml
name: Set token format to jws
- include_role:
name: undercloud_tokenflush
name: Ensure validation gracefully passes
name: Skip validation when using jws tokens
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.