If the chef-client fails between keystone package installation and the
disabling of the default keystone config file from UCA package, then
apache2 may end up with conflicting site configurations trying to bind
to the same port.
Change-Id: Ib52a4d5195f9ef8d7caa8478c8293fe894624ee5
(cherry picked from commit ebfa5bbdb5)
Turns out that the chef server thinks that '6' is an invalid version,
need to use '6.0' instead, otherwise uploading the cookbook to a chef
server fails.
Change-Id: I848b3fd923fface842578ae614c2d9b1e14a0892
Setting the keystone option [auth]/methods by default blocks additions
like application_credential that was newly added to Keystone in Queens.
Let's stick to Keystone's defaults instead, deployments can override
these settings if they need to.
Also drop some even older version of these attributes that haven't been
used at all anymore for some time.
Added version bump for stable/queens and pin for apache2 cookbook.
Change-Id: I10b31efe1e94fc69cda65e2f7fb7a669afb166ba
(cherry picked from commit af1d3b1485)
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.
At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.
[0] I01d44e48053cad7aeb92636f4b41649204006c93
Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.
[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components
Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.
Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.
Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
We define these variables from the corresponding node attributes, use
them instead of accessing the node attributes afterwards.
Change-Id: I1215d24f341e0ae37b7e0be978578aa2985e4af1
* rename keystone-main to keystone-public to better align with Keystone
conventions[0]
[0] https://review.openstack.org/194442
Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
Zuul no longer requires the project-name for in-repo configuration.
Omitting it makes forking or renaming projects easier.
Change-Id: I680e12ba32a72d56536de04f542900dface4aeda
The step that ran keystone-manage credential_setup has been removed
as "deprecated" with the "Initial identity Pike updates" [1].
However, the Pike CLI documentation for keystone-manage does not
indicate that the command is deprecated [2] and the install-guide
continues to use it [3].
Also, I got this error message on a Pike installation (Ubuntu):
ERROR keystone.common.fernet_utils [...] Either [credential] key_repository
does not exist or Keystone does not have sufficient permission to access
it: /etc/keystone/credential-keys/
For these reasons, this patch reinstates the keystone-manage
credential_setup step.
[1] commit 5279aa4fbc
(Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a)
[2] https://docs.openstack.org/keystone/pike/cli/index.html
[3] https://docs.openstack.org/keystone/pike/install/keystone-install-ubuntu.html
Change-Id: Iad5afd70ab99d968a6546bd19e5e5831a8299a49
Instead of a hard-coded vault name, the attribute
['openstack']['secret']['secrets_data_bag'] is used.
Change-Id: I286fbfe89395544d1f8d0139acca0d689e4737fa
Closes-Bug: #1714523
- the original invocation of keystone-manage bootstrap was in the wrong recipe,
so it needed to be moved to server-apache for resource ordering. restored the
original flags used
- regen .rubocop_todo.yml to pass rubocop
Closes-Bug: #1714510
Change-Id: I9d3916e7f306d4c0463ec93cad40d2e78bd7eed8
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup
Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.
[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens
Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability
Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
enabled by default.
- removes executable bit from metadata.rb
Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata
Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.
So we switch to using the variant provided by upstream instead.
Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
* added a small ruby block with a loop to check if the keystone admin
endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for admin endpoint to become ready and raise
error specific exception otherwise if Timeout::Error was raised
Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
- Removed v2 support
- Workover Endpoint creation
Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
providers/register.rb
spec/register_spec.rb
resources/register.rb
libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
ubuntu auto-enables it
- bumped ubuntu version to 16.04
Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
Some cert providers require a chain cert file, so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.
Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39