Since at least Debian 9 (Stretch) the name of the relevant site has been
'wsgi-keystone' rather than 'keystone'. Then again, as of 21.04 Ubuntu
continues to use the old site name.
Tha relevant attribute is also set for RHEL so that recipe validation
doesn't fail due to missing resource name, even though the resource in
question is currently guarded by 'if platform_family?("debian")'.
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: I34b342d0b51cd5e11b1e5de95578ac47939895f9
Update ChefSpec due to changes made in apache2 cookbook.
Depends-On: https://review.opendev.org/756168
Change-Id: Ie4a830620f217f5879ae4270850214902c202dbf
Signed-off-by: Lance Albertson <lance@osuosl.org>
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.
- Install mod_wsgi as a package on RHEL since there is no built-in
resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this taken care of
by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI
Depends-On: https://review.opendev.org/702772
Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
- Replace git.openstack.org with opendev.org
- Update some documentation
- Move README.md to README.rst for better rendering
- Drop obsolete bootstrap.sh script
- Drop obsolete default recipe
Change-Id: I7894951c9ac0bbd00007da5face15e9418880bc4
Python2.7 is going EOL soon, let us deploy python3 for Rocky from the
start, so we avoid having to switch later.
Also update Berksfile to allow dependency testing and require chef >= 14 now.
Change-Id: Id4c06c8fc136ae3cde97e751373049db989de21e
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.
Clean up the old openrc template a bit.
Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
This uses edit_resource to add a notification in the identity apache
configuration when it gets updated. This is a workaround due to the fact
we are using a version of the apache2 cookbook that is still using
definitions and cannot add notifications with definitions.
This is intended to ensure we only restart apache when the configuration
is updated. Otherwise, the old behaviour was to restart apache on every
run which is problematic in production environments. I have been using
this in our production wrapper cookbook for the past year or so without
any issue.
This will be removed in the Stein release when we migrate to the newer
apache2 cookbook which uses proper resources.
Change-Id: I13de063d1e7ffd356d754eb0f2d8286a3c694836
Signed-off-by: Lance Albertson <lance@osuosl.org>
If the chef-client fails between keystone package installation and the
disabling of the default keystone config file from UCA package, then
apache2 may end up with conflicting site configurations trying to bind
to the same port.
backport: stable/queens
Change-Id: Ib52a4d5195f9ef8d7caa8478c8293fe894624ee5
fog-openstack-1.x already appends "auth/tokens" so we no longer need to
do that. In addition, comment out endpoint type until this PR [1] gets
merged and released.
[1] https://github.com/fog/fog-openstack/pull/494
Depends-On: https://review.opendev.org/666176
Change-Id: I2a73e87648bff58180c6ee2355a733a8e030fa4b
Signed-off-by: Lance Albertson <lance@osuosl.org>
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.
Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.
At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.
[0] I01d44e48053cad7aeb92636f4b41649204006c93
Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.
[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components
Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.
Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.
Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
We define these variables from the corresponding node attributes, use
then instead of accessing the node attributes afterwards.
Change-Id: I1215d24f341e0ae37b7e0be978578aa2985e4af1
* rename keystone-main to keystone-public to better align with Keystone
conventions[0]
[0] https://review.openstack.org/194442
Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
The step that ran keystone-manage credential_setup has been removed
as "deprecated" with the "Initial identity Pike updates" [1].
However, the Pike CLI documentation for keystone-manage does not
indicate that the command is deprecated [2] and the install-guide
continues to use it [3].
Also, I got this error message on a Pike installation (Ubuntu):
ERROR keystone.common.fernet_utils [...] Either [credential] key_repository
does not exist or Keystone does not have sufficient permission to access
it: /etc/keystone/credential-keys/
For these reasons, this patch reinstates the keystone-manage
credential_setup step.
[1] commit 5279aa4fbc
(Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a)
[2] https://docs.openstack.org/keystone/pike/cli/index.html
[3] https://docs.openstack.org/keystone/pike/install/keystone-install-ubuntu.html
Change-Id: Iad5afd70ab99d968a6546bd19e5e5831a8299a49
instead of hard coded vault name the attribute
['openstack']['secret']['secrets_data_bag'] is used.
Change-Id: I286fbfe89395544d1f8d0139acca0d689e4737fa
Closes-Bug: #1714523
- the original invocation of keystone-manage bootstrap was in the wrong recipe,
so it needed to be moved to server-apache for resource ordering. restored the
original flags used
- regen .rubocop_todo.yml to pass rubocop
Closes-Bug: #1714510
Change-Id: I9d3916e7f306d4c0463ec93cad40d2e78bd7eed8
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup
Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.
[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens
Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability
Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
enabled by default.
- removes executable bit from metadata.rb
Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata
Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.
So we switch to using the variant provided by upstream instead.
Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
* added a small ruby block with a loop to check if the keystonen admin
endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for admin endpoint to become ready and raise
error specific exception otherwise if Timeout::Error was raised
Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
- Removed v2 support
- Workover Endpoint creation
Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with itendity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
providers/register.rb
spec/register_spec.rb
resources/register.rb
libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
ubuntu auto-enables it
- bumbed ubuntu version to 16.04
Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
Some cert providers require an chain cert file so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.
Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
* added a lot of inline comments for attributes, recipes and provider
* updated README to the current state of the cookbook
Change-Id: Ic7b7ae6d26ce56e2237fe3215aff9ab447946b48
The default apache port overlaps with horizon, but
uses a different address syntax, *:80 vs 0.0.0.0:80.
This causes apache2 to sometimes fail on startup with
Address already in use: AH00072: make_sock: could not bind to address [::]:80
Change-Id: Ib45393b0244dd4cffb440c84c614ba9a104df105
Instead of creating an artificial, non-functional identity-internal
endpoint use the identity-main backend that is provided via the default
config for both public and internal endpoints.
Change-Id: Ia7d7f11108f0945ccd944d7e4a5c7f7ef68bc654
* the apache2 cookbook got patched recently and now uses an array of
"ipaddress:port" to define where apache2 should listen
Depends-On: I7304932c19398c2bd245bbb7cbad6df4f487047e
Change-Id: Id91fb812ba91dab2803c68d24adaddbe0fde7a5e
* added recipe for fernet_tokens (recipes/_fernet_tokens.rb)
* moved pki setup to seperate recipe (recipes/_pki_tokens.rb)
* included fernet or pki tokens recipe based on auth strategy attibute
* adapted spec accordingly and added specs for fernet_tokens
Change-Id: I37af3e8e5d4b93e0de7f4ef2d999a05573eefc26
* endpoint type (admin, internal, public) and service (identitiy, network etc.)
was switched during refactoring, this patch reverts this unintended switching
Change-Id: Ia5bddfc5e2fd77cd6e9e855c680b079f78fc1c3f
Depends-On: Iec485deaf415e4187a323435cce2b6bbadfc5d42