Skip to content

chore: update mod_auth_openidc and use the ansible container by default to setup keystone #1464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cardoe merged 3 commits into from
Dec 2, 2025
Merged

chore: update mod_auth_openidc and use the ansible container by default to setup keystone #1464

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8885d03
chore(keystone): variablize mod_auth_openidc version
cardoe Dec 1, 2025
5b564f6
chore(keystone): bump mod_auth_openidc to 2.4.16.11
cardoe Dec 1, 2025
5012b8f
feat: switch to running the ansible container for bootstrap by default
cardoe Dec 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
0 ansible/keystone_bootstrap.yaml → ansible/keystone-post-deploy.yaml
View file
Open in desktop
File renamed without changes.
2 changes: 1 addition & 1 deletion components/images-openstack.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ images:

tags:
# these are common across all these OpenStack Helm installations
bootstrap: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"
db_init: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
db_drop: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
ks_user: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
Expand Down
6 changes: 1 addition & 5 deletions components/keystone/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,11 @@
---
release_group: null

images:
tags:
bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"

bootstrap:
enabled: true
ks_user: admin
script: |
ansible-runner run /runner --playbook keystone_bootstrap.yaml -vv
ansible-runner run /runner --playbook keystone-post-deploy.yaml -vv

network:
# configure OpenStack Helm to use Undercloud's ingress
Expand Down
7 changes: 5 additions & 2 deletions containers/keystone/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,12 @@
ARG OPENSTACK_VERSION="required_argument"
FROM quay.io/airshipit/keystone:${OPENSTACK_VERSION}-ubuntu_jammy

ADD --checksum=sha256:deb52ea8304a41ee0331e4ba87a9f82ff643464b6d34084e161f58ec11c25a69 https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/libapache2-mod-auth-openidc_2.4.16.5-1.jammy_amd64.deb /tmp
# renovate: datasource=github-releases depName=OpenIDC/mod_auth_openidc
ARG MOD_AUTH_OPENIDC_VERSION=2.4.16.11

Check warning on line 7 in containers/keystone/Dockerfile

View workflow job for this annotation

GitHub Actions / openstack (keystone) / build

Sensitive data should not be used in the ARG or ENV commands 

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "MOD_AUTH_OPENIDC_VERSION")
More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ARG MOD_AUTH_OPENIDC_SHA256=f5b8751fe2dc7e249c8bf0f7b376cecf90427ba8ba280f18f850fc658047f091

Check warning on line 8 in containers/keystone/Dockerfile

View workflow job for this annotation

GitHub Actions / openstack (keystone) / build

Sensitive data should not be used in the ARG or ENV commands 

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "MOD_AUTH_OPENIDC_SHA256")
More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ADD --checksum=sha256:${MOD_AUTH_OPENIDC_SHA256} https://github.com/OpenIDC/mod_auth_openidc/releases/download/v${MOD_AUTH_OPENIDC_VERSION}/libapache2-mod-auth-openidc_${MOD_AUTH_OPENIDC_VERSION}-1.jammy_amd64.deb /tmp

RUN apt-get update && \
apt-get install -y --no-install-recommends \
/tmp/libapache2-mod-auth-openidc_2.4.16.5-1.jammy_amd64.deb \
/tmp/libapache2-mod-auth-openidc_${MOD_AUTH_OPENIDC_VERSION}-1.jammy_amd64.deb \
&& apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/*.deb
Loading