Turns out that the chef server thinks that '6' is an invalid version,
need to use '6.0' instead, otherwise uploading the cookbook to a chef
server fails.
Cherry-pick from stable/queens, amended with the actual cap, which was
brought into stable/queens together with a different patch in order to
unblock the CI.
Change-Id: I848b3fd923fface842578ae614c2d9b1e14a0892
(cherry picked from commit b4683fe828)
This was missed in [0], need to update the cookbook minor version.
[0] https://review.openstack.org/579112
Change-Id: Ic343ea26641a4d419b568990bd47870988788d4e
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.
Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.
Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
We define these variables from the corresponding node attributes, use
them instead of accessing the node attributes afterwards.
Change-Id: I1215d24f341e0ae37b7e0be978578aa2985e4af1
Zuul no longer requires the project-name for in-repo configuration.
Omitting it makes forking or renaming projects easier.
Change-Id: I680e12ba32a72d56536de04f542900dface4aeda
The step that ran keystone-manage credential_setup has been removed
as "deprecated" with the "Initial identity Pike updates" [1].
However, the Pike CLI documentation for keystone-manage does not
indicate that the command is deprecated [2] and the install-guide
continues to use it [3].
Also, I got this error message on a Pike installation (Ubuntu):
ERROR keystone.common.fernet_utils [...] Either [credential] key_repository
does not exist or Keystone does not have sufficient permission to access
it: /etc/keystone/credential-keys/
For these reasons, this patch reinstates the keystone-manage
credential_setup step.
[1] commit 5279aa4fbc
(Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a)
[2] https://docs.openstack.org/keystone/pike/cli/index.html
[3] https://docs.openstack.org/keystone/pike/install/keystone-install-ubuntu.html
Change-Id: Iad5afd70ab99d968a6546bd19e5e5831a8299a49
instead of hard coded vault name the attribute
['openstack']['secret']['secrets_data_bag'] is used.
Change-Id: I286fbfe89395544d1f8d0139acca0d689e4737fa
Closes-Bug: #1714523
- the original invocation of keystone-manage bootstrap was in the wrong recipe,
  so it needed to be moved to server-apache for resource ordering. restored the
  original flags used
- regen .rubocop_todo.yml to pass rubocop
Closes-Bug: #1714510
Change-Id: I9d3916e7f306d4c0463ec93cad40d2e78bd7eed8
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup
Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.
[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens
Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability
Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
  enabled by default.
- removes executable bit from metadata.rb
Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata
Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.
So we switch to using the variant provided by upstream instead.
Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
* added a small ruby block with a loop to check if the keystone admin
  endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for admin endpoint to become ready and raise
  error specific exception otherwise if Timeout::Error was raised
Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
- Removed v2 support
- Workover Endpoint creation
  Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
  providers/register.rb
  spec/register_spec.rb
  resources/register.rb
  libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
  ubuntu auto-enables it
- bumped ubuntu version to 16.04
Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
Some cert providers require a chain cert file so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.
Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
* added a lot of inline comments for attributes, recipes and provider
* updated README to the current state of the cookbook
Change-Id: Ic7b7ae6d26ce56e2237fe3215aff9ab447946b48
The default apache port overlaps with horizon, but
uses a different address syntax, *:80 vs 0.0.0.0:80.
This causes apache2 to sometimes fail on startup with
Address already in use: AH00072: make_sock: could not bind to address [::]:80
Change-Id: Ib45393b0244dd4cffb440c84c614ba9a104df105
The option "verbose" in the [DEFAULT] section is deprecated, its
default value would be false anyway.
Change-Id: Ib7809425ca5c1651cd7642f3a6cf56cb7f6444aa
Version 3.2.0 of the apache2 cookbook was released, update our
dependency so that we are compatible with the other openstack
cookbooks and berkshelf resolution can succeed. Drop the reference to
the github version.
Change-Id: I55110726ee846f579849ea039a759ef1a0ad9bff