Commit Graph

453 Commits

Author SHA1 Message Date
Roger Luethi efb53255ea Disable UCA keystone apache2 site early
If the chef-client fails between keystone package installation and the
disabling of the default keystone config file from UCA package, then
apache2 may end up with conflicting site configurations trying to bind
to the same port.

Change-Id: Ib52a4d5195f9ef8d7caa8478c8293fe894624ee5
(cherry picked from commit ebfa5bbdb5)
2019-07-05 10:42:19 +02:00
OpenDev Sysadmins 5fa3c305c1 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:36:39 +00:00
Jens Harbott b4683fe828 Fix apache2 version cap
Turns out that the chef server thinks that '6' is an invalid version,
need to use '6.0' instead, otherwise uploading the cookbook to a chef
server fails.

Change-Id: I848b3fd923fface842578ae614c2d9b1e14a0892
2019-03-11 15:24:47 +00:00
Jens Harbott b181654077 Stop overriding auth methods
Setting the keystone option [auth]/methods by default blocks additions
like application_credential that was newly added to Keystone in Queens.
Let's stick to Keystone's defaults instead, deployments can override
these settings if they need to.

Also drop some even older versions of these attributes that haven't been
used at all anymore for some time.

Added version bump for stable/queens and pin for apache2 cookbook.

Change-Id: I10b31efe1e94fc69cda65e2f7fb7a669afb166ba
(cherry picked from commit af1d3b1485)
2019-03-05 12:49:28 +00:00
Samuel Cassiba 1ab4fa07e1 Migrate Zuul jobs to openstack/openstack-chef
Change-Id: Ieedd3abd7cfd876e45ad3447502fc524300926f7
2018-08-31 23:24:46 -07:00
Samuel Cassiba 0834a7ce04 stable/queens release patch
Change-Id: I646f9c88c0a7982ffe67c5e2082f71acd21f37ae
2018-07-26 20:54:50 -07:00
Jens Harbott e30e2cf418 Fixup keystone endpoint handling
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.

At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.

[0] I01d44e48053cad7aeb92636f4b41649204006c93

Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
2018-07-16 12:24:46 -07:00
Zuul 41b3463312 Merge "Simplify identity endpoint" 2018-07-03 06:31:58 +00:00
Samuel Cassiba 7657e34eda Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
2018-06-28 16:24:31 -07:00
Jens Harbott 7d8b8b5c27 Fix token handling for keystone
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.

Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.

Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
2018-06-28 12:58:39 +00:00
Jens Harbott 7e9d7c9966 Use variables keystone_user and keystone_group
We define these variables from the corresponding node attributes, use
them instead of accessing the node attributes afterwards.

Change-Id: I1215d24f341e0ae37b7e0be978578aa2985e4af1
2018-06-28 12:58:03 +00:00
Samuel Cassiba df5472c9c8 Add delivery config
Change-Id: Ia10c3c30f4c4e024f64b9a08f8b0d5213e3f5302
Implements: blueprint deprecate-rakefiles
2018-04-11 22:24:47 -07:00
Samuel Cassiba aff741a327 Rename keystone-main service
* rename keystone-main to keystone-public to better align with Keystone
  conventions[0]

[0] https://review.openstack.org/194442

Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
2018-03-23 06:51:19 -07:00
Samuel Cassiba a781e6c11f starting queens development patch and use git.openstack.org
* use git.openstack.org instead of github for berks dependency
resolution

Change-Id: Icddbddfae5ec075c9c113287135a02bad48144e7
2018-03-06 13:01:59 +01:00
Zuul 4c607a3fb2 Merge "Zuul: Remove project name" 2018-02-14 18:51:42 +00:00
Samuel Cassiba 23884c6b52 Removed deprecated postgres test
Change-Id: I07fb6f7f668a4ea0c04a149c8f8cb94e739468d8
Implements: blueprint modern-chef
2018-02-07 07:42:12 -08:00
James E. Blair db5eb09a26 Zuul: Remove project name
Zuul no longer requires the project-name for in-repo configuration.
Omitting it makes forking or renaming projects easier.

Change-Id: I680e12ba32a72d56536de04f542900dface4aeda
2018-02-05 13:58:26 -08:00
Zuul d407581474 Merge "identity refactor for Pike and Chef 13" 2017-12-22 21:35:55 +00:00
Samuel Cassiba 8ba453b9f5 identity refactor for Pike and Chef 13
- implemented foodcritic and cookstyle corrections
- deprecated node.foo.bar method access for node['foo']['bar'] bracket syntax
- moved apt package_overrides to common cookbook

Implements blueprint modern-chef

Change-Id: I9ab420186b2f93cfc7fcc7be7c406a3176a991e1
2017-12-10 20:04:21 -08:00
Zuul b13ee78385 Merge "Add native zuul v3 jobs defined in openstack-chef-repo" 2017-11-30 16:58:21 +00:00
Roger Luethi 1302239274 Re-add keystone-manage credential_setup
The step that ran keystone-manage credential_setup has been removed
as "deprecated" with the "Initial identity Pike updates" [1].

However, the Pike CLI documentation for keystone-manage does not
indicate that the command is deprecated [2] and the install-guide
continues to use it [3].

Also, I got this error message on a Pike installation (Ubuntu):

ERROR keystone.common.fernet_utils [...] Either [credential] key_repository
does not exist or Keystone does not have sufficient permission to access
it: /etc/keystone/credential-keys/

For these reasons, this patch reinstates the keystone-manage
credential_setup step.

[1] commit 5279aa4fbc
    (Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a)
[2] https://docs.openstack.org/keystone/pike/cli/index.html
[3] https://docs.openstack.org/keystone/pike/install/keystone-install-ubuntu.html

Change-Id: Iad5afd70ab99d968a6546bd19e5e5831a8299a49
2017-11-02 13:52:23 +01:00
Jens Harbott 8ea88f33ab Add native zuul v3 jobs defined in openstack-chef-repo
Change-Id: I1bee1117dfd4187a9391d826f6cc7f8ac2aba936
2017-11-02 10:35:32 +00:00
Arun S A G cbbc525cc4 Use the attribute instead of method to get platform_family
Other cookbooks have switched to using the node attribute
https://github.com/openstack/cookbook-openstack-common/blob/master/attributes/default.rb#L292
Using platform_family breaks with chef-client 13.x

Closes-Bug: #1724987

Change-Id: I02fcb5d9403210d913e85487de5ef0dae6066bdc
2017-10-19 14:23:08 -07:00
Stefan Hoffmann 9a8b6424ba make fernet key file resource sensitive
Change-Id: I5481547214c7a96b64f3a183f494e3807c1c7735
Closes-Bug: #1719861
2017-09-27 14:43:06 +02:00
Jenkins a66540d815 Merge "use variable fernet-key data bag" 2017-09-22 21:15:12 +00:00
Stefan Hoffmann 79e57bd799 use variable fernet-key data bag
instead of hard coded vault name the attribute
['openstack']['secret']['secrets_data_bag'] is used.

Change-Id: I286fbfe89395544d1f8d0139acca0d689e4737fa
Closes-Bug: #1714523
2017-09-19 09:55:50 +02:00
Jenkins 1961a12a43 Merge "Initial identity Pike updates" 2017-09-13 14:07:00 +00:00
Samuel Cassiba 995fe07550 Corrected keystone bootstrapping command
- the original invocation of keystone-manage bootstrap was in the wrong recipe,
  so it needed to be moved to server-apache for resource ordering. restored the
  original flags used
- regen .rubocop_todo.yml to pass rubocop

Closes-Bug: #1714510
Change-Id: I9d3916e7f306d4c0463ec93cad40d2e78bd7eed8
2017-09-01 10:14:25 -04:00
Samuel Cassiba 5279aa4fbc Initial identity Pike updates
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup

Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
2017-08-30 23:57:20 -04:00
Jens Harbott 275c12c3a6 Drop token-flush cronjob
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.

[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens

Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
2017-08-21 12:26:26 +00:00
Jan Klare 862bfdd7c4 starting pike development patch
Change-Id: I638c23934c209d2074256f3f30129cf426e34ae0
2017-08-17 14:19:13 +02:00
Samuel Cassiba 8a967c291a Keystone config updates for Ocata, style and lint fixes
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability

Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
2017-08-02 02:17:27 -04:00
Jenkins 150c363d68 Merge "add new Chef OpenStack Team Logo to README" 2017-05-29 23:56:06 +00:00
Jan Klare f0a5cfbd1e add new Chef OpenStack Team Logo to README
Change-Id: I9a0d3760f2579c5475d202d4894867c8bba42e77
2017-05-29 10:53:08 +02:00
Samuel Cassiba 36d484e301 Corrects SELinux enablement
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
  enabled by default.
- removes executable bit from metadata.rb

Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
2017-04-04 13:58:35 +00:00
Jenkins f83bc81674 Merge "Fixup Identity service deployment for Ocata" 2017-04-01 14:59:50 +00:00
Jens Rosenboom f8b8302aae Fixup Identity service deployment for Ocata
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata

Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
2017-03-10 10:47:31 +00:00
Andreas Jaeger 41dd09a0a7 Replace obsolete vanity openstack.org URLs
Project specific URLs are obsolete, use docs.openstack.org - and use
https for that site.

Change-Id: I149eec4340711ce46bd38188818db75946d0e67f
2017-03-08 19:40:43 +01:00
Jan Klare ae02664362 starting ocata development patch
Change-Id: I0fe3039cf46cd415b8ece73aec00e3603da793d9
2017-02-23 17:06:22 +01:00
Jens Rosenboom 1bb86dd4ce Fix wsgi app creation
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.

So we switch to using the variant provided by upstream instead.

Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
2017-02-21 11:55:45 +01:00
Christoph Albers 2f858e3678 RPC_backend / transport_url workover
- removed deprecated rabbitmq attributes
- added rabbit_transport_url

Change-Id: I0ca0fcc1e261eeadb76c9355a0f14499085d9bda
2016-12-20 11:45:20 +00:00
Jenkins b9b6b26616 Merge "Deprecated python-keystoneclient" 2016-12-20 11:01:48 +00:00
Samuel Cassiba 1cccaa0842 Deprecated python-keystoneclient
- deleted client.rb
- deprecated python-keystoneclient references

Implements blueprint newton-xenial

Change-Id: Ia1406308a9c78a0361cd0e2e0844f0e7a3cf4b9f
2016-12-14 20:11:48 -08:00
Jan Klare 9f8ba8fda6 Wait for identity endpoint instead of sleeping
* added a small ruby block with a loop to check if the keystone admin
  endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for admin endpoint to become ready and raise
  error specific exception otherwise if Timeout::Error was raised

Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
2016-12-13 13:55:29 +00:00
Jenkins ade1b23af8 Merge "update cookbook dependencies for next release" 2016-12-08 07:50:48 +00:00
Jan Klare 4b35a881b9 update cookbook dependencies for next release
Depends-On: Ib256c315d5439beb8d4ec83c5cc7d7c9b182378a
Change-Id: Ic6b00a08ec29a9a7c04a72c743af5f756db45edf
2016-12-05 12:32:35 +01:00
Flavio Percoco 0dd8100a2a Show team and repo badges on README
This patch adds the team's and repository's badges to the README file.
The motivation behind this is to communicate the project status and
features at first glance.

For more information about this effort, please read this email thread:

http://lists.openstack.org/pipermail/openstack-dev/2016-October/105562.html

To see an example of what this would look like, check:

https://gist.github.com/9be741f3b667eb4e72f7e97648335f16

Change-Id: I6eea8331ec2cab9605314401b5cfceb5e13c3e1e
2016-11-26 11:52:40 +01:00
Christoph Albers 4dcd956337 use_cookbook-openstackclient/identity_v3
- Removed v2 support
- Workover Endpoint creation
  Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
  providers/register.rb
  spec/register_spec.rb
  resources/register.rb
  libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
  ubuntu auto-enables it
- bumped ubuntu version to 16.04

Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
2016-09-29 17:52:30 +02:00
Lance Albertson 0751804867 Include option to set SSLCertificateChainFile
Some cert providers require a chain cert file so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.

Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
2016-08-13 12:36:11 -07:00
Hendrik Frese ae8f0ec57a Removes unneeded default attribute
The attribute is set false by default as documented here:
http://docs.openstack.org/mitaka/config-reference/identity/options.html

Change-Id: I5b7bc37f08f30014468317b55eaab7a431fb58cb
2016-07-28 15:05:46 +02:00