Merge "Simplify identity endpoint"
41b3463312
|
@ -29,11 +29,11 @@ default['openstack']['identity']['custom_template_banner'] = '
|
|||
'
|
||||
|
||||
%w(admin internal public).each do |ep_type|
|
||||
# host for openstack admin/internal/public identity endpoint
|
||||
# host for openstack identity endpoint
|
||||
default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
|
||||
# scheme for openstack admin/internal/public identity endpoint
|
||||
# scheme for openstack identity endpoint
|
||||
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
|
||||
# path for openstack admin/internal/public identity endpoint
|
||||
# path for openstack identity endpoint
|
||||
default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
|
||||
end
|
||||
|
||||
|
@ -41,17 +41,11 @@ end
|
|||
default['openstack']['endpoints']['public']['identity']['port'] = 5000
|
||||
# port for openstack internal identity endpoint
|
||||
default['openstack']['endpoints']['internal']['identity']['port'] = 5000
|
||||
# port for openstack admin identity endpoint
|
||||
default['openstack']['endpoints']['admin']['identity']['port'] = 35357
|
||||
|
||||
# address for openstack identity service main endpoint to bind to
|
||||
default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
|
||||
# port for openstack identity service main endpoint to bind to
|
||||
default['openstack']['bind_service']['public']['identity']['port'] = 5000
|
||||
# address for openstack identity service admin endpoint to bind to
|
||||
default['openstack']['bind_service']['admin']['identity']['host'] = '127.0.0.1'
|
||||
# port for openstack identity service admin endpoint to bind to
|
||||
default['openstack']['bind_service']['admin']['identity']['port'] = 35357
|
||||
|
||||
# identity service catalog backend for service endpoints
|
||||
default['openstack']['identity']['catalog']['backend'] = 'sql'
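Review bot: Only the public endpoint keeps a `port` default after this change — `default['openstack']['endpoints']['public']['identity']['port'] = 5000` stays while the internal and admin port lines go — yet the new `%w(admin internal public).each` loop in the first hunk still defines `host`, `scheme` and `path` for all three types. Anything that still calls `admin_endpoint 'identity'` or `internal_endpoint 'identity'` (other cookbooks are not visible here) would get an endpoint with no port unless the endpoint helper falls back to another value, which I cannot confirm from this page. Either move the port into the loop, `default['openstack']['endpoints'][ep_type]['identity']['port'] = 5000`, or add a comment at the loop stating that only the public endpoint is fully defined and the other two types are kept for attribute compatibility.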
|
||||
|
|
|
@ -29,10 +29,11 @@ project_domain_name = node['openstack']['identity']['admin_project_domain']
|
|||
ksadmin_user = node['openstack']['identity']['admin_user']
|
||||
admin_domain_name = node['openstack']['identity']['admin_domain_name']
|
||||
|
||||
auth_api_version = node['openstack']['api']['auth']['version']
|
||||
# auth_api_version = node['openstack']['api']['auth']['version']
|
||||
ksadmin_pass = get_password 'user', ksadmin_user
|
||||
identity_public_endpoint = public_endpoint 'identity'
|
||||
auth_url = auth_uri_transform identity_public_endpoint.to_s, auth_api_version
|
||||
|
||||
identity_endpoint = public_endpoint 'identity'
|
||||
auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
|
||||
|
||||
directory node['openstack']['openrc']['path'] do
|
||||
owner node['openstack']['openrc']['user']
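Review bot: The new side keeps a commented-out assignment, `# auth_api_version = node['openstack']['api']['auth']['version']`, directly above the line that now inlines the same attribute path; commented-out code should be removed rather than left in the recipe. If the local was kept for readability, restore it uncommented as `auth_api_version = node['openstack']['api']['auth']['version']` and pass it to `auth_uri_transform`; otherwise delete the comment line and keep only `auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']`.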
|
||||
|
|
|
@ -30,10 +30,8 @@ class ::Chef::Recipe
|
|||
include ::Openstack
|
||||
end
|
||||
|
||||
identity_admin_endpoint = admin_endpoint 'identity'
|
||||
identity_internal_endpoint = internal_endpoint 'identity'
|
||||
identity_public_endpoint = public_endpoint 'identity'
|
||||
auth_url = ::URI.decode identity_admin_endpoint.to_s
|
||||
identity_endpoint = public_endpoint 'identity'
|
||||
auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
|
||||
|
||||
# define the credentials to use for the initial admin user
|
||||
admin_project = node['openstack']['identity']['admin_project']
|
||||
|
@ -50,17 +48,17 @@ connection_params = {
|
|||
openstack_domain_name: admin_domain,
|
||||
}
|
||||
|
||||
ruby_block 'wait for identity admin endpoint' do
|
||||
ruby_block 'wait for identity endpoint' do
|
||||
block do
|
||||
begin
|
||||
Timeout.timeout(60) do
|
||||
until Net::HTTP.get_response(URI(auth_url)).message == 'OK'
|
||||
Chef::Log.info 'waiting for identity admin endpoint to be up...'
|
||||
Chef::Log.info 'waiting for identity endpoint to be up...'
|
||||
sleep 1
|
||||
end
|
||||
end
|
||||
rescue Timeout::Error
|
||||
raise 'Waited 60 seconds for identity admin endpoint to become ready'\
|
||||
raise 'Waited 60 seconds for identity endpoint to become ready'\
|
||||
' and will not wait any longer'
|
||||
end
|
||||
end
|
||||
|
@ -87,10 +85,6 @@ openstack_role '_member_' do
|
|||
connection_params connection_params
|
||||
end
|
||||
|
||||
node.normal['openstack']['identity']['adminURL'] = identity_admin_endpoint.to_s
|
||||
node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
|
||||
node.normal['openstack']['identity']['publicURL'] = identity_public_endpoint.to_s
|
||||
node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
|
||||
|
||||
Chef::Log.info "Keystone AdminURL: #{identity_admin_endpoint}"
|
||||
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
|
||||
Chef::Log.info "Keystone PublicURL: #{identity_public_endpoint}"
|
||||
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
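Review bot: Removing the `node.normal['openstack']['identity']['adminURL']` and `['internalURL']` assignments stops writing those keys but does not clear them on nodes that already have them: `node.normal` attributes are persisted with the node object, so an upgraded node keeps a stale `adminURL` pointing at the 35357 admin endpoint this commit no longer binds, and any reader of that key (not visible here) would use it silently. Consider clearing the keys next to the remaining `publicURL` assignment, `node.rm_normal('openstack', 'identity', 'adminURL')` and `node.rm_normal('openstack', 'identity', 'internalURL')`, or at least add a comment that they are no longer maintained. In the earlier hunk the `ruby_block 'wait for identity endpoint'` now polls `auth_url` built by `auth_uri_transform` instead of the decoded admin URL; `URI(auth_url)` raises on an improperly escaped string, so confirm the transformed value is always a valid absolute URI.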
|
||||
|
|
|
@ -48,9 +48,7 @@ end
|
|||
|
||||
platform_options = node['openstack']['identity']['platform']
|
||||
|
||||
identity_admin_endpoint = admin_endpoint 'identity'
|
||||
identity_internal_endpoint = internal_endpoint 'identity'
|
||||
identity_public_endpoint = public_endpoint 'identity'
|
||||
identity_endpoint = public_endpoint 'identity'
|
||||
|
||||
# define the credentials to use for the initial admin user
|
||||
admin_project = node['openstack']['identity']['admin_project']
|
||||
|
@ -125,14 +123,8 @@ include_recipe 'openstack-identity::_credential_tokens'
|
|||
include_recipe 'openstack-identity::_fernet_tokens'
|
||||
|
||||
# define the address to bind the keystone apache public service to
|
||||
public_bind_service = node['openstack']['bind_service']['public']['identity']
|
||||
public_bind_address = bind_address public_bind_service
|
||||
# define the address to bind the keystone apache admin service to
|
||||
admin_bind_service = node['openstack']['bind_service']['admin']['identity']
|
||||
admin_bind_address = bind_address admin_bind_service
|
||||
|
||||
# define the address where the keystone admin endpoint will be reachable
|
||||
identity_admin_endpoint = admin_endpoint 'identity'
|
||||
bind_service = node['openstack']['bind_service']['public']['identity']
|
||||
bind_address = bind_address bind_service
|
||||
|
||||
# set the keystone database credentials
|
||||
db_user = node['openstack']['db']['identity']['username']
|
||||
|
@ -145,13 +137,9 @@ node.default['openstack']['identity']['conf_secrets']
|
|||
memcache_servers = memcached_servers.join ','
|
||||
|
||||
# define the address where the keystone public endpoint will be reachable
|
||||
identity_public_endpoint = public_endpoint 'identity'
|
||||
ie = identity_public_endpoint
|
||||
ie = identity_endpoint
|
||||
# define the keystone public endpoint full path
|
||||
api_public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
|
||||
ae = identity_admin_endpoint
|
||||
# define the keystone admin endpoint full path
|
||||
api_admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"
|
||||
api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
|
||||
|
||||
# If a keystone-paste.ini is specified use it.
|
||||
# If platform_family is RHEL and we do not specify keystone-paste.ini,
|
||||
|
@ -181,8 +169,7 @@ end
|
|||
|
||||
# set keystone config parameters for admin_token, endpoints and memcache
|
||||
node.default['openstack']['identity']['conf'].tap do |conf|
|
||||
conf['DEFAULT']['public_endpoint'] = api_public_endpoint
|
||||
conf['DEFAULT']['admin_endpoint'] = api_admin_endpoint
|
||||
conf['DEFAULT']['public_endpoint'] = api_endpoint
|
||||
conf['memcache']['servers'] = memcache_servers if memcache_servers
|
||||
end
|
||||
|
||||
|
@ -227,8 +214,7 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated'
|
|||
# populate the templated catlog
|
||||
# TODO: (jklare) this should be done in a helper method
|
||||
uris = {
|
||||
'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
|
||||
'identity' => identity_public_endpoint.to_s.gsub('%25', '%'),
|
||||
'identity' => identity_endpoint.to_s.gsub('%25', '%'),
|
||||
'image' => image_public_endpoint.to_s.gsub('%25', '%'),
|
||||
'compute' => compute_public_endpoint.to_s.gsub('%25', '%'),
|
||||
'ec2' => ec2_public_endpoint.to_s.gsub('%25', '%'),
|
||||
|
@ -262,9 +248,9 @@ execute 'bootstrap_keystone' do
|
|||
--bootstrap-role-name #{admin_role} \\
|
||||
--bootstrap-service-name keystone \\
|
||||
--bootstrap-region-id #{region} \\
|
||||
--bootstrap-admin-url #{identity_admin_endpoint} \\
|
||||
--bootstrap-public-url #{identity_public_endpoint} \\
|
||||
--bootstrap-internal-url #{identity_internal_endpoint}"
|
||||
--bootstrap-admin-url #{identity_endpoint} \\
|
||||
--bootstrap-public-url #{identity_endpoint} \\
|
||||
--bootstrap-internal-url #{identity_endpoint}"
|
||||
end
|
||||
|
||||
#### Start of Apache specific work
|
||||
|
@ -274,8 +260,7 @@ apache_listen = Array(node['apache']['listen']) # include already defined listen
|
|||
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
|
||||
# a different address syntax. *:80 vs 0.0.0.0:80
|
||||
apache_listen -= ['*:80']
|
||||
apache_listen += ["#{public_bind_address}:#{public_bind_service['port']}"]
|
||||
apache_listen += ["#{admin_bind_address}:#{admin_bind_service['port']}"]
|
||||
apache_listen += ["#{bind_address}:#{bind_service['port']}"]
|
||||
node.normal['apache']['listen'] = apache_listen.uniq
|
||||
|
||||
# include the apache2 default recipe and the recipes for mod_wsgi
|
||||
|
@ -292,44 +277,27 @@ directory keystone_apache_dir do
|
|||
mode 0o0755
|
||||
end
|
||||
|
||||
wsgi_apps = {
|
||||
'public' => {
|
||||
server_host: public_bind_address,
|
||||
server_port: public_bind_service['port'],
|
||||
server_entry: '/usr/bin/keystone-wsgi-public',
|
||||
server_alias: 'identity',
|
||||
},
|
||||
'admin' => {
|
||||
server_host: admin_bind_address,
|
||||
server_port: admin_bind_service['port'],
|
||||
server_entry: '/usr/bin/keystone-wsgi-admin',
|
||||
server_alias: 'identity_admin',
|
||||
},
|
||||
}
|
||||
|
||||
# create the keystone apache config using the web_app resource from the apache2
|
||||
# cookbook
|
||||
wsgi_apps.each do |app, opt|
|
||||
web_app "keystone-#{app}" do
|
||||
template 'wsgi-keystone.conf.erb'
|
||||
server_host opt[:server_host]
|
||||
server_port opt[:server_port]
|
||||
server_entry opt[:server_entry]
|
||||
server_alias opt[:server_alias]
|
||||
server_suffix app
|
||||
log_dir node['apache']['log_dir']
|
||||
log_debug node['openstack']['identity']['debug']
|
||||
user keystone_user
|
||||
group keystone_group
|
||||
use_ssl node['openstack']['identity']['ssl']['enabled']
|
||||
cert_file node['openstack']['identity']['ssl']['certfile']
|
||||
chain_file node['openstack']['identity']['ssl']['chainfile']
|
||||
key_file node['openstack']['identity']['ssl']['keyfile']
|
||||
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
|
||||
cert_required node['openstack']['identity']['ssl']['cert_required']
|
||||
protocol node['openstack']['identity']['ssl']['protocol']
|
||||
ciphers node['openstack']['identity']['ssl']['ciphers']
|
||||
end
|
||||
web_app 'identity' do
|
||||
template 'wsgi-keystone.conf.erb'
|
||||
server_host bind_address
|
||||
server_port bind_service['port']
|
||||
server_entry '/usr/bin/keystone-wsgi-public'
|
||||
server_alias 'identity'
|
||||
server_suffix app
|
||||
log_dir node['apache']['log_dir']
|
||||
log_debug node['openstack']['identity']['debug']
|
||||
user keystone_user
|
||||
group keystone_group
|
||||
use_ssl node['openstack']['identity']['ssl']['enabled']
|
||||
cert_file node['openstack']['identity']['ssl']['certfile']
|
||||
chain_file node['openstack']['identity']['ssl']['chainfile']
|
||||
key_file node['openstack']['identity']['ssl']['keyfile']
|
||||
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
|
||||
cert_required node['openstack']['identity']['ssl']['cert_required']
|
||||
protocol node['openstack']['identity']['ssl']['protocol']
|
||||
ciphers node['openstack']['identity']['ssl']['ciphers']
|
||||
end
|
||||
|
||||
# disable default keystone config file from UCA package
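Review bot: `bind_address = bind_address bind_service` shadows the `bind_address` helper with a local of the same name; the line parses as a method call only because of the argument, and from then on a bare `bind_address` in this recipe reads the local rather than calling the helper, which is easy to misread. Rename the local, e.g. `identity_bind_address = bind_address bind_service`, and use it in `apache_listen += ["#{identity_bind_address}:#{bind_service['port']}"]` and `server_host identity_bind_address`. In the last hunk `server_suffix app` sits among the new `web_app 'identity'` lines; if it is on the new side, `app` no longer exists once the `wsgi_apps.each do |app, opt|` loop is removed and the rewritten template no longer reads `server_suffix`, so the line should be dropped — the side is not recoverable from this rendering.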
|
||||
|
|
|
@ -12,7 +12,7 @@ describe 'openstack-identity::registration' do
|
|||
include_context 'identity_stubs'
|
||||
|
||||
connection_params = {
|
||||
openstack_auth_url: 'http://127.0.0.1:35357/v3/auth/tokens',
|
||||
openstack_auth_url: 'http://127.0.0.1:5000/v3/auth/tokens',
|
||||
openstack_username: 'admin',
|
||||
openstack_api_key: 'admin',
|
||||
openstack_project_name: 'admin',
|
||||
|
@ -25,7 +25,7 @@ describe 'openstack-identity::registration' do
|
|||
describe 'keystone bootstrap' do
|
||||
context 'default values' do
|
||||
it do
|
||||
expect(chef_run).to run_ruby_block('wait for identity admin endpoint')
|
||||
expect(chef_run).to run_ruby_block('wait for identity endpoint')
|
||||
end
|
||||
|
||||
it "registers #{domain_name} domain" do
|
||||
|
@ -62,62 +62,6 @@ describe 'openstack-identity::registration' do
|
|||
)
|
||||
end
|
||||
end
|
||||
context 'all different values' do
|
||||
connection_params_other = {
|
||||
openstack_auth_url: 'https://admin.identity:1234/v3/auth/tokens',
|
||||
openstack_username: 'identity_admin',
|
||||
openstack_api_key: 'identity_admin_pass',
|
||||
openstack_project_name: 'admin_project',
|
||||
openstack_domain_name: 'identity_domain',
|
||||
}
|
||||
before do
|
||||
node.set['openstack']['endpoints']['admin']['identity']['uri'] =
|
||||
'https://admin.identity:1234/v3'
|
||||
node.set['openstack']['endpoints']['internal']['identity']['uri'] =
|
||||
'https://internal.identity:5678/v3'
|
||||
node.set['openstack']['endpoints']['public']['identity']['uri'] =
|
||||
'https://public.identity:9753/v3'
|
||||
node.set['openstack']['region'] = 'otherRegion'
|
||||
node.set['openstack']['identity']['admin_project'] = 'admin_project'
|
||||
node.set['openstack']['identity']['admin_user'] = 'identity_admin'
|
||||
node.set['openstack']['identity']['admin_role'] = 'identity_role'
|
||||
node.set['openstack']['identity']['admin_domain_name'] =
|
||||
'identity_domain'
|
||||
end
|
||||
|
||||
it 'registers identity_domain domain' do
|
||||
expect(chef_run).to create_openstack_domain(
|
||||
'identity_domain'
|
||||
).with(
|
||||
connection_params: connection_params_other
|
||||
)
|
||||
end
|
||||
|
||||
it 'grants identity_admin user to identity_domain domain' do
|
||||
expect(chef_run).to grant_domain_openstack_user(
|
||||
'identity_admin'
|
||||
).with(
|
||||
domain_name: 'identity_domain',
|
||||
role_name: 'identity_role',
|
||||
connection_params: connection_params_other
|
||||
)
|
||||
end
|
||||
|
||||
it 'create service role' do
|
||||
expect(chef_run).to create_openstack_role(
|
||||
'service'
|
||||
).with(
|
||||
connection_params: connection_params_other
|
||||
)
|
||||
end
|
||||
it 'create service role' do
|
||||
expect(chef_run).to create_openstack_role(
|
||||
'_member_'
|
||||
).with(
|
||||
connection_params: connection_params_other
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
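Review bot: Deleting the whole `context 'all different values'` removes the only spec that exercised non-default endpoint, region, project, user, role and domain attributes, leaving `context 'default values'` as the sole coverage for registration. The move to a single identity endpoint does not require dropping that coverage; a reduced context that overrides `node.set['openstack']['endpoints']['public']['identity']['uri']` together with the admin project/user/role/domain attributes and asserts the `connection_params` passed to `create_openstack_domain` and `grant_domain_openstack_user` would keep it. The enclosing `describe` starts before the hunk.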
|
||||
|
|
|
@ -20,7 +20,6 @@ describe 'openstack-identity::server-apache' do
|
|||
project_name = 'admin'
|
||||
role_name = 'admin'
|
||||
password = 'admin'
|
||||
admin_url = 'http://127.0.0.1:35357/v3'
|
||||
public_url = 'http://127.0.0.1:5000/v3'
|
||||
internal_url = 'http://127.0.0.1:5000/v3'
|
||||
|
||||
|
@ -53,7 +52,7 @@ describe 'openstack-identity::server-apache' do
|
|||
--bootstrap-role-name #{role_name} \\
|
||||
--bootstrap-service-name #{service_name} \\
|
||||
--bootstrap-region-id #{region} \\
|
||||
--bootstrap-admin-url #{admin_url} \\
|
||||
--bootstrap-admin-url #{public_url} \\
|
||||
--bootstrap-public-url #{public_url} \\
|
||||
--bootstrap-internal-url #{internal_url}")
|
||||
end
|
||||
|
@ -140,10 +139,8 @@ describe 'openstack-identity::server-apache' do
|
|||
it 'has correct endpoints' do
|
||||
# values correspond to node attrs set in chef_run above
|
||||
pub = line_regexp('public_endpoint = http://127.0.0.1:5000/')
|
||||
adm = line_regexp('admin_endpoint = http://127.0.0.1:35357/')
|
||||
|
||||
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', pub)
|
||||
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', adm)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -293,16 +290,11 @@ describe 'openstack-identity::server-apache' do
|
|||
end
|
||||
it 'template api pipeline set correct' do
|
||||
node.set['openstack']['identity']['pipeline']['public_api'] = 'public_service'
|
||||
node.set['openstack']['identity']['pipeline']['admin_api'] = 'admin_service'
|
||||
node.set['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:public_api',
|
||||
/^pipeline = public_service$/
|
||||
)
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:admin_api',
|
||||
/^pipeline = admin_service$/
|
||||
)
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:api_v3',
|
||||
/^pipeline = service_v3$/
|
||||
|
@ -335,9 +327,7 @@ describe 'openstack-identity::server-apache' do
|
|||
|
||||
describe 'apache setup' do
|
||||
it 'set apache addresses and ports' do
|
||||
expect(chef_run.node['apache']['listen']).to eq(
|
||||
%w(127.0.0.1:5000 127.0.0.1:35357)
|
||||
)
|
||||
expect(chef_run.node['apache']['listen']).to eq(%w(127.0.0.1:5000))
|
||||
end
|
||||
|
||||
describe 'apache recipes' do
|
||||
|
@ -354,102 +344,85 @@ describe 'openstack-identity::server-apache' do
|
|||
end
|
||||
|
||||
describe 'apache wsgi' do
|
||||
['/etc/apache2/sites-available/keystone-public.conf',
|
||||
'/etc/apache2/sites-available/keystone-admin.conf'].each do |file|
|
||||
it "creates #{file}" do
|
||||
expect(chef_run).to create_template(file).with(
|
||||
user: 'root',
|
||||
group: 'root',
|
||||
mode: '0644'
|
||||
)
|
||||
end
|
||||
let(:file) { '/etc/apache2/sites-available/identity.conf' }
|
||||
|
||||
it 'configures keystone-admin.conf lines' do
|
||||
node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
|
||||
[/^custom_template_banner_value$/,
|
||||
/user=keystone/,
|
||||
/group=keystone/,
|
||||
%r{^ ErrorLog /var/log/apache2/keystone-admin.log$},
|
||||
%r{^ CustomLog /var/log/apache2/keystone-admin_access.log combined$}].each do |line|
|
||||
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-admin.conf').with_content(line)
|
||||
it 'creates identity.conf' do
|
||||
expect(chef_run).to create_template(file).with(
|
||||
user: 'root',
|
||||
group: 'root',
|
||||
mode: '0644'
|
||||
)
|
||||
end
|
||||
|
||||
it 'does not configure keystone-admin.conf' do
|
||||
expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf')
|
||||
end
|
||||
|
||||
it 'configures identity.conf lines' do
|
||||
node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
|
||||
[/^custom_template_banner_value$/,
|
||||
/user=keystone/,
|
||||
/group=keystone/,
|
||||
%r{^ ErrorLog /var/log/apache2/identity.log$},
|
||||
%r{^ CustomLog /var/log/apache2/identity_access.log combined$}].each do |line|
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not configure identity.conf triggered common lines' do
|
||||
[/^ LogLevel/,
|
||||
/^ SSL/].each do |line|
|
||||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
context 'Enable SSL' do
|
||||
let(:file) { '/etc/apache2/sites-available/identity.conf' }
|
||||
before do
|
||||
node.set['openstack']['identity']['ssl']['enabled'] = true
|
||||
end
|
||||
it 'configures identity.conf common ssl lines' do
|
||||
[/^ SSLEngine On$/,
|
||||
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
|
||||
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
|
||||
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
|
||||
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
it 'configures keystone-public.conf lines' do
|
||||
node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
|
||||
[/^custom_template_banner_value$/,
|
||||
/user=keystone/,
|
||||
/group=keystone/,
|
||||
%r{^ ErrorLog /var/log/apache2/keystone-public.log$},
|
||||
%r{^ CustomLog /var/log/apache2/keystone-public_access.log combined$}].each do |line|
|
||||
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-public.conf').with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
it "does not configure #{file} triggered common lines" do
|
||||
[/^ LogLevel/,
|
||||
/^ SSL/].each do |line|
|
||||
it 'does not configure identity.conf common ssl lines' do
|
||||
[/^ SSLCertificateChainFile/,
|
||||
/^ SSLCipherSuite/,
|
||||
/^ SSLVerifyClient require/].each do |line|
|
||||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
context 'Enable SSL' do
|
||||
before do
|
||||
node.set['openstack']['identity']['ssl']['enabled'] = true
|
||||
end
|
||||
it "configures #{file} common ssl lines" do
|
||||
[/^ SSLEngine On$/,
|
||||
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
|
||||
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
|
||||
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
|
||||
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
it "does not configure #{file} common ssl lines" do
|
||||
[/^ SSLCertificateChainFile/,
|
||||
/^ SSLCipherSuite/,
|
||||
/^ SSLVerifyClient require/].each do |line|
|
||||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
it "configures #{file} chainfile when set" do
|
||||
node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
|
||||
end
|
||||
it "configures #{file} ciphers when set" do
|
||||
node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLCipherSuite ciphers_value$/)
|
||||
end
|
||||
it "configures #{file} cert_required set" do
|
||||
node.set['openstack']['identity']['ssl']['cert_required'] = true
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLVerifyClient require$/)
|
||||
end
|
||||
it 'configures identity.conf chainfile when set' do
|
||||
node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
|
||||
end
|
||||
it 'configures identity.conf ciphers when set' do
|
||||
node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLCipherSuite ciphers_value$/)
|
||||
end
|
||||
it 'configures identity.conf cert_required set' do
|
||||
node.set['openstack']['identity']['ssl']['cert_required'] = true
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLVerifyClient require$/)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'keystone-public.conf' do
|
||||
it 'configures required lines' do
|
||||
[/^<VirtualHost 127.0.0.1:5000>$/,
|
||||
/^ WSGIDaemonProcess keystone-public/,
|
||||
/^ WSGIProcessGroup keystone-public$/,
|
||||
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line|
|
||||
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-public.conf').with_content(line)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'keystone-admin.conf' do
|
||||
it 'configures required lines' do
|
||||
[/^<VirtualHost 127.0.0.1:35357>$/,
|
||||
/^ WSGIDaemonProcess keystone-admin/,
|
||||
/^ WSGIProcessGroup keystone-admin$/,
|
||||
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-admin$}].each do |line|
|
||||
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-admin.conf').with_content(line)
|
||||
end
|
||||
describe 'identity.conf' do
|
||||
let(:file) { '/etc/apache2/sites-available/identity.conf' }
|
||||
it 'configures required lines' do
|
||||
[/^<VirtualHost 127.0.0.1:5000>$/,
|
||||
/^ WSGIDaemonProcess identity/,
|
||||
/^ WSGIProcessGroup identity$/,
|
||||
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line|
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
end
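Review bot: `let(:file) { '/etc/apache2/sites-available/identity.conf' }` is re-declared inside `context 'Enable SSL'` although the enclosing `describe 'apache wsgi'` already defines the same `let` a few lines above, and `describe 'identity.conf'` declares it a third time; the duplicates are redundant and will drift if the path changes. Keep the declaration in `describe 'apache wsgi'` and drop the one in the SSL context, and if `describe 'identity.conf'` shares an ancestor with it, hoist a single `let(:file)` there. The new `it 'does not configure keystone-admin.conf'` is a useful regression guard; a matching assertion that `'/etc/apache2/sites-available/keystone-public.conf'` is no longer rendered would complete it.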
|
||||
|
|
|
@ -4,16 +4,19 @@ require 'chefspec/berkshelf'
|
|||
|
||||
ChefSpec::Coverage.start! { add_filter 'openstack-identity' }
|
||||
|
||||
LOG_LEVEL = :fatal
|
||||
RSpec.configure do |config|
|
||||
config.color = true
|
||||
config.formatter = :documentation
|
||||
config.log_level = :fatal
|
||||
end
|
||||
|
||||
REDHAT_OPTS = {
|
||||
platform: 'redhat',
|
||||
version: '7.3',
|
||||
log_level: LOG_LEVEL,
|
||||
version: '7.4',
|
||||
}.freeze
|
||||
UBUNTU_OPTS = {
|
||||
platform: 'ubuntu',
|
||||
version: '16.04',
|
||||
log_level: LOG_LEVEL,
|
||||
}.freeze
|
||||
|
||||
# Helper methods
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
<%= node['openstack']['identity']['custom_template_banner'] %>
|
||||
|
||||
<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
|
||||
WSGIDaemonProcess keystone-<%= @params[:server_suffix] %> processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-<%= @params[:server_suffix] %>
|
||||
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
|
||||
WSGIProcessGroup identity
|
||||
WSGIScriptAlias / <%= @params[:server_entry] %>
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
ErrorLog <%= @params[:log_dir] %>/keystone-<%= @params[:server_suffix] %>.log
|
||||
CustomLog <%= @params[:log_dir] %>/keystone-<%= @params[:server_suffix] %>_access.log combined
|
||||
ErrorLog <%= @params[:log_dir] %>/identity.log
|
||||
CustomLog <%= @params[:log_dir] %>/identity_access.log combined
|
||||
<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
|
||||
LogLevel debug
|
||||
<% end -%>
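Review bot: The template now hard-codes `WSGIDaemonProcess identity`, `WSGIProcessGroup identity` and the `identity.log`/`identity_access.log` file names while still taking `@params[:server_host]`, `@params[:server_port]` and `@params[:server_entry]`, so it can only be rendered once per Apache instance — mod_wsgi refuses a second `WSGIDaemonProcess` with an already-used name. Either state that at the top of the file, e.g. `<%# single-use template: daemon process and log names are fixed to 'identity' %>`, or derive the name from a parameter that still varies, such as the alias the recipe passes as `server_alias 'identity'` (if `web_app` exposes it as `@params[:server_alias]`), which would leave the rendered output unchanged.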
|
||||
|
|