Commit Graph

135 Commits

Author SHA1 Message Date
Ghanshyam Mann 44d13c8c64 Retire openstack-chef: remove repo content
OpenStack-chef project is retiring
- https://review.opendev.org/c/openstack/governance/+/905279

This commit removes the content of this project repo.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/909134
Change-Id: Ida0639315944c8c7852ec37fb10f133e8ab9c455
2024-02-17 20:50:52 -08:00
Lance Albertson f052ede42b CentOS 8 support
- Update package names
- Migrate to using apache2_mod_wsgi resource and require apache2 ~> 8.6
- Update ChefSpec

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-database/+/815139
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-messaging/+/815137
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-integration-test/+/815171
Change-Id: Ib21c5b2dbd13aa57de926e71db62d042374cabd4
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-22 16:31:00 -07:00
Lance Albertson e76dcb39e1 Chef 17 support
- Require Chef >= 16.0
- Remove bind from Berksfile
- Update copyright years

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstackclient/+/813953
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-database/+/814032
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-messaging/+/814035
Change-Id: I5d4f38f56e5a411b83b02d2fd9fff2e013947d71
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-14 11:57:40 -07:00
Marek Szuba f70a3454c5 Make the name of default Keystone site for Apache2 a platform option
Since at least Debian 9 (Stretch) the name of the relevant site has been
'wsgi-keystone' rather than 'keystone'. Then again, as of 21.04 Ubuntu
continues to use the old site name.

The relevant attribute is also set for RHEL so that recipe validation
doesn't fail due to missing resource name, even though the resource in
question is currently guarded by 'if platform_family?("debian")'.

Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: I34b342d0b51cd5e11b1e5de95578ac47939895f9
2021-07-20 22:14:24 +00:00
Karim El Aammari c5211ab38f Possibility to set SSLCARevocationPath for keystone as chef default attribute "ca_revocation_path"
Also set SSLCARevocationCheck alongside SSLCARevocationPath; all one
gets by setting only the latter is warnings in Apache logs.

Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck

Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
2021-07-20 13:26:02 +01:00
Lance Albertson 9ed88a8ff4 Cookstyle 6.19.5 fixes
Update ChefSpec due to changes made in apache2 cookbook.

Depends-On: https://review.opendev.org/756168
Change-Id: Ie4a830620f217f5879ae4270850214902c202dbf
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-10-05 17:13:24 -07:00
Lance Albertson c49dedfbcd Stein fixes
- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
  cookbooks
- Update documentation
- Enable sensitive resources for template[/etc/keystone/keystone.conf]
  and execute[bootstrap_keystone] to improve security.
- Update delivery configuration to exclude integration cookbooks

[1] https://docs.openstack.org/keystone/stein/install/keystone-install-rdo.html#install-and-configure-components

Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706140
Depends-On: https://review.opendev.org/706147
Depends-On: https://review.opendev.org/706158
Change-Id: I6c5005b23ee209650911146e373c4cf082cbee9e
2020-03-23 09:58:16 -07:00
Lance Albertson 453ab3bb95 Update to apache2 ~> 8.0 cookbook
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.

- Install mod_wsgi as a package on RHEL since there is no built-in
  resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
  with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is taken care of
  by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI

Depends-On: https://review.opendev.org/702772

Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
2020-01-30 09:28:25 -08:00
Lance Albertson 21255e36b4 Upgrade python2-urllib3 on CentOS
I've run into this issue on systems that already have python2-urllib3
installed, but it's older than what gets installed from the RDO
repository and breaks the db sync for keystone. By adding it here, that
will ensure it's always upgraded before we try running db sync.

Change-Id: If876315001c8136fad654d7408ec9f656ef48775
2020-01-22 16:05:30 -08:00
Jens Harbott 87d4d2ed40 Use python3 packages on Ubuntu
Python 2.7 is going EOL soon, so let us deploy python3 for Rocky from the
start, so we avoid having to switch later.

Also update Berksfile to allow dependency testing and require chef >= 14 now.

Change-Id: Id4c06c8fc136ae3cde97e751373049db989de21e
2019-11-26 10:46:40 +00:00
Jens Harbott f2902385ef Add a cloud_config recipe
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.

Clean up the old openrc template a bit.

Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
2019-08-30 14:29:33 +00:00
Jens Harbott 284d54be79 Drop admin endpoints
The admin endpoints offer no special functionality, users may talk to
the public endpoints instead. The only historic use case has been the
keystone v2 admin endpoint, but with keystone v3 API, even that is no
longer needed, except that its use is hardcoded in keystonemiddleware.
So we prepare everything for completely getting rid of the admin
Identity endpoint, but still create it during bootstrap.

Also drop explicitly creating resources that are created during keystone
bootstrap anyway.

[0] https://opendev.org/openstack/openstack-chef-specs/src/branch/master/specs/ocata/all/drop-admin-endpoints.rst

Depends-On: https://review.openstack.org/652052
Depends-On: https://review.openstack.org/652064
Depends-On: https://review.openstack.org/652098
Depends-On: https://review.openstack.org/652589
Change-Id: Iddfae1c2cb29217cd9aae89d56bc65fa935fcd28
2019-04-18 11:06:34 +00:00
Jens Harbott 90fd9ccf59 Add endpoint_type attribute defaulting to internalURL
This is in preparation of dropping the admin endpoint, we need this
attribute in place first so we can reference it in other cookbooks.

Change-Id: Idee227f26fcc74412873c5afd02dfcce32145ea7
2019-04-15 08:17:21 +00:00
Jens Harbott 4313c5711f Drop support for a templated catalog
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.

Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
2019-04-04 12:49:31 +00:00
Jens Harbott af1d3b1485 Stop overriding auth methods
Setting the keystone option [auth]/methods by default blocks additions
like application_credential that was newly added to Keystone in Queens.
Let's stick to Keystone's defaults instead, deployments can override
these settings if they need to.

Also drop some even older versions of these attributes that haven't been
used at all anymore for some time.

Change-Id: I10b31efe1e94fc69cda65e2f7fb7a669afb166ba
2019-03-01 09:15:14 +00:00
Jens Harbott e30e2cf418 Fixup keystone endpoint handling
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.

At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.

[0] I01d44e48053cad7aeb92636f4b41649204006c93

Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
2018-07-16 12:24:46 -07:00
Zuul 41b3463312 Merge "Simplify identity endpoint" 2018-07-03 06:31:58 +00:00
Samuel Cassiba 7657e34eda Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
2018-06-28 16:24:31 -07:00
Jens Harbott 7d8b8b5c27 Fix token handling for keystone
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.

Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.

Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
2018-06-28 12:58:39 +00:00
Samuel Cassiba aff741a327 Rename keystone-main service
* rename keystone-main to keystone-public to better align with Keystone
  conventions[0]

[0] https://review.openstack.org/194442

Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
2018-03-23 06:51:19 -07:00
Samuel Cassiba 8ba453b9f5 identity refactor for Pike and Chef 13
- implemented foodcritic and cookstyle corrections
- deprecated node.foo.bar method access for node['foo']['bar'] bracket syntax
- moved apt package_overrides to common cookbook

Implements blueprint modern-chef

Change-Id: I9ab420186b2f93cfc7fcc7be7c406a3176a991e1
2017-12-10 20:04:21 -08:00
Arun S A G cbbc525cc4 Use the attribute instead of method to get platform_family
Other cookbooks have switched to using the node attribute
https://github.com/openstack/cookbook-openstack-common/blob/master/attributes/default.rb#L292
Using platform_family breaks with chef-client 13.x

Closes-Bug: #1724987

Change-Id: I02fcb5d9403210d913e85487de5ef0dae6066bdc
2017-10-19 14:23:08 -07:00
Jenkins 1961a12a43 Merge "Initial identity Pike updates" 2017-09-13 14:07:00 +00:00
Samuel Cassiba 5279aa4fbc Initial identity Pike updates
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup

Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
2017-08-30 23:57:20 -04:00
Jens Harbott 275c12c3a6 Drop token-flush cronjob
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.

[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens

Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
2017-08-21 12:26:26 +00:00
Samuel Cassiba 8a967c291a Keystone config updates for Ocata, style and lint fixes
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability

Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
2017-08-02 02:17:27 -04:00
Samuel Cassiba 36d484e301 Corrects SELinux enablement
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
  enabled by default.
- removes executable bit from metadata.rb

Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
2017-04-04 13:58:35 +00:00
Jens Rosenboom f8b8302aae Fixup Identity service deployment for Ocata
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata

Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
2017-03-10 10:47:31 +00:00
Christoph Albers 2f858e3678 RPC_backend / transport_url workover
- removed deprecated rabbitmq attributes
- added rabbit_transport_url

Change-Id: I0ca0fcc1e261eeadb76c9355a0f14499085d9bda
2016-12-20 11:45:20 +00:00
Jenkins b9b6b26616 Merge "Deprecated python-keystoneclient" 2016-12-20 11:01:48 +00:00
Samuel Cassiba 1cccaa0842 Deprecated python-keystoneclient
- deleted client.rb
- deprecated python-keystoneclient references

Implements blueprint newton-xenial

Change-Id: Ia1406308a9c78a0361cd0e2e0844f0e7a3cf4b9f
2016-12-14 20:11:48 -08:00
Jan Klare 9f8ba8fda6 Wait for identity endpoint instead of sleeping
* added a small ruby block with a loop to check if the keystone admin
  endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for the admin endpoint to become ready and raise
  an error-specific exception otherwise if Timeout::Error was raised

Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
2016-12-13 13:55:29 +00:00
Christoph Albers 4dcd956337 use_cookbook-openstackclient/identity_v3
- Removed v2 support
- Workover Endpoint creation
  Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
  providers/register.rb
  spec/register_spec.rb
  resources/register.rb
  libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
  ubuntu auto-enables it
- bumped ubuntu version to 16.04

Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
2016-09-29 17:52:30 +02:00
Lance Albertson 0751804867 Include option to set SSLCertificateChainFile
Some cert providers require a chain cert file, so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.

Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
2016-08-13 12:36:11 -07:00
Hendrik Frese ae8f0ec57a Removes unneeded default attribute
The attribute is set false by default as documented here:
http://docs.openstack.org/mitaka/config-reference/identity/options.html

Change-Id: I5b7bc37f08f30014468317b55eaab7a431fb58cb
2016-07-28 15:05:46 +02:00
Jan Klare 4fda2a0d5b Documentation update after refactoring
* added a lot of inline comments for attributes, recipes and provider
* updated README to the current state of the cookbook

Change-Id: Ic7b7ae6d26ce56e2237fe3215aff9ab447946b48
2016-04-27 16:12:01 -05:00
Jens Rosenboom d8a54c8e56 Remove the deprecated "verbose" option
The option "verbose" in the [DEFAULT] section is deprecated; its
default value would be false anyway.

Change-Id: Ib7809425ca5c1651cd7642f3a6cf56cb7f6444aa
2016-04-08 17:02:17 +02:00
Jens Rosenboom 52d8000c1a Fixup identity backend handling
Instead of creating an artificial, non-functional identity-internal
endpoint use the identity-main backend that is provided via the default
config for both public and internal endpoints.

Change-Id: Ia7d7f11108f0945ccd944d7e4a5c7f7ef68bc654
2016-03-03 19:49:42 +01:00
Jan Klare 6585d611cb add fernet tokens as optional token deployment method
* added recipe for fernet_tokens (recipes/_fernet_tokens.rb)
* moved pki setup to separate recipe (recipes/_pki_tokens.rb)
* included fernet or pki tokens recipe based on auth strategy attribute
* adapted spec accordingly and added specs for fernet_tokens

Change-Id: I37af3e8e5d4b93e0de7f4ef2d999a05573eefc26
2016-02-24 16:41:11 +01:00
Jan Klare a26d528b5e invert the order of endpoint and bind_service attributes
* endpoint type (admin, internal, public) and service (identity, network etc.)
  were switched during refactoring; this patch reverts this unintended switching

Change-Id: Ia5bddfc5e2fd77cd6e9e855c680b079f78fc1c3f
Depends-On: Iec485deaf415e4187a323435cce2b6bbadfc5d42
2016-02-12 18:38:19 +01:00
Jan Klare a3f18966ea refactoring final step
* added new logic into templates/default/keystone.conf.erb
* refactored attributes throughout all recipes that were connected to
  the attributes used for the keystone.conf.erb template to adapt the new
  template attribute syntax
* moved all attributes from attributes/default.rb that were used in
  keystone_conf.erb to attributes/keystone_conf.rb
* removed all attributes from default.rb and keystone.conf.erb which are set
  as default in attributes, openstack doc and used to render the template
* finished split between public, internal and admin endpoints
* refactored endpoint and bind_service logic to fit the new common cookbook
* adapted specs
* added endpoint and bind_service attributes (moved from common)
* removed keystone eventlet configuration (removed in mitaka)
* moved templated service catalog to its own section
* removed deprecated recipe for keystone server deployment without apache (also
  removed corresponding specs)
* moved recipe openrc (and template + specs) from common here, to remove inverse dependency in common
  cookbook
* adapted the specs (unit tests) to work again
* removed qpid as a messaging option (can be included in a wrapper)
* deleted default attributes from keystone.conf.rb originated in
  openstack-common
* removed suse as supported platform
* included current master of apache2 cookbook to utilize new listen logic
* removed rubocop exceptions in recipes and libraries and regenerated the
  .rubocop_todo.yaml containing all remaining exceptions

Change-Id: I3262b2e6f792f37c32a446e6567790b82bdd4613
Implements: blueprint cookbook-refactoring
Depends-On: I0547182085eed91d05384fdd7734408a839a9a2c
2016-02-08 10:17:20 +01:00
Jenkins 5b8a8f8949 Merge "Use keystone.wsgi instead of wsgi.py for RHEL/CentOS" 2015-10-30 01:47:30 +00:00
Mark Vanderwiel f178a00b84 Sync keystone paste.ini with liberty changes
Change-Id: I6bddae9fc83a5fc133e43a27e96e1a7110c94cfb
Partial-Bug: #1501064
2015-09-29 16:48:11 -05:00
Samuel Cassiba eae4ded65d Use keystone.wsgi instead of wsgi.py for RHEL/CentOS
Change-Id: I5a8e83a6238374afde42a6f5d896fc211fb49dce
Closes-Bug: #1491479
2015-09-02 08:52:31 -07:00
wenchma 9cb5f85141 Add the authorization configuration options
Add the following two configuration options:

  * external = keystone.auth.plugins.external.DefaultDomain
  * methods = external, password, token, oauth1

Change-Id: I7e9b195bd0d87824771deb23b42608ba3ec58610
Closes-bug: #1482460
2015-08-11 11:09:14 +08:00
Imtiaz Chowdhury b117e31b60 Add LDAP connection pool settings
This commit adds LDAP connection pool configuration settings currently
missing from keystone.conf template.

Change-Id: If76f71564e055608342352ddb80fbba8d078d61d
Closes-bug: #1480577
2015-08-01 12:05:17 -07:00
wenchma 3d4707453c Add identity_mapping section configurations
Add three configurations in identity_mapping group to support
keystone multi-domain.

Change-Id: I9fa68baba9144b8270f49e0c66ba283736640d08
Closes-bug: #1473897
2015-07-15 10:09:03 +08:00
Mark Vanderwiel 8bf715d8d8 Allow keystone under apache
Keystone is recommended to run under apache and the service side
is already deprecated and will be removed in the M release.
This patch adds a new recipe, server-apache, to allow keystone
under apache.

I intentionally just copied the existing server recipe and spec to
create the new ones and I figure those will just be removed in
the M release anyway, no need for "common" type code here.

The majority of the recipe code is exactly the same, just the
last lines, "Start of Apache..." have been added.

This should also work with the existing dashboard cookbook with the
one exception that the apache 3.1 cookbook is needed. There's already
a patch out for that.

I don't plan on changing the default kilo role to use this, that will
be done once we branch for liberty.

Change-Id: I1641e1e5c6bf56d0765ef6e54ae32848431f6d6e
Implements: blueprint keystone-apache
2015-06-23 09:10:02 -05:00
Mark Vanderwiel 5a858c952d Allow keystone start delay to be configured
Change-Id: Ibe52e26e61f204d6bac1a335b1d93731a9d1f1bc
Closes-Bug: #1453842
2015-05-11 11:22:45 -05:00
Imtiaz Chowdhury b677c725a5 Make SSL settings configurable for Keystone
Currently, one cannot enable SSL for Keystone service endpoint since
the recipes do not allow configuring the SSL specific parameters. To
address this issue, this commit defines some new node attributes for
specifying SSL key, certificate and CA certificate paths. Also, this
commit exposes a few other node attributes giving users more flexibility
in their SSL deployment options.

Closes-Bug: #1441385

Change-Id: I2ee71f4f11e0cba619418bd5c356ec490c3be6e4
2015-04-23 05:29:03 +00:00