Commit Graph

197 Commits

Author SHA1 Message Date
Ghanshyam Mann 44d13c8c64 Retire openstack-chef: remove repo content
OpenStack-chef project is retiring
- https://review.opendev.org/c/openstack/governance/+/905279

this commit remove the content of this project repo

Depends-On: https://review.opendev.org/c/openstack/project-config/+/909134
Change-Id: Ida0639315944c8c7852ec37fb10f133e8ab9c455
2024-02-17 20:50:52 -08:00
Lance Albertson f052ede42b CentOS 8 support
- Update package names
- Migrate to using apache2_mod_wsgi resource and require apache2 ~> 8.6
- Update ChefSpec

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-database/+/815139
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-messaging/+/815137
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-integration-test/+/815171
Change-Id: Ib21c5b2dbd13aa57de926e71db62d042374cabd4
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-22 16:31:00 -07:00
Lance Albertson e76dcb39e1 Chef 17 support
- Require Chef >= 16.0
- Remove bind from Berksfile
- Update copyright years

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstackclient/+/813953
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-database/+/814032
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-messaging/+/814035
Change-Id: I5d4f38f56e5a411b83b02d2fd9fff2e013947d71
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-14 11:57:40 -07:00
Marek Szuba f70a3454c5 Make the name of default Keystone site for Apache2 a platform option
Since at least Debian 9 (Stretch) the name of the relevant site has been
'wsgi-keystone' rather than 'keystone'. Then again, as of 21.04 Ubuntu
continues to use the old site name.

Tha relevant attribute is also set for RHEL so that recipe validation
doesn't fail due to missing resource name, even though the resource in
question is currently guarded by 'if platform_family?("debian")'.

Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: I34b342d0b51cd5e11b1e5de95578ac47939895f9
2021-07-20 22:14:24 +00:00
Lance Albertson 9ed88a8ff4 Cookstyle 6.19.5 fixes
Update ChefSpec due to changes made in apache2 cookbook.

Depends-On: https://review.opendev.org/756168
Change-Id: Ie4a830620f217f5879ae4270850214902c202dbf
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-10-05 17:13:24 -07:00
Lance Albertson 9a45f9e60a Chef 16 updates
Depends-On: https://review.opendev.org/740342
Depends-On: https://review.opendev.org/747542
Depends-On: https://review.opendev.org/747554
Depends-On: https://review.opendev.org/747555
Change-Id: I4ad921b46ee476d9e866303e33be7b8803cdff98
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-08-27 17:20:28 -07:00
Lance Albertson c49dedfbcd Stein fixes
- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
  cookbooks
- Update documentation
- Enable sensitive resources for template[/etc/keystone/keystone.conf]
  and execute[bootstrap_keystone] to improve security.
- Update delivery configuration to exclude integration cookbooks

[1] https://docs.openstack.org/keystone/stein/install/keystone-install-rdo.html#install-and-configure-components

Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706140
Depends-On: https://review.opendev.org/706147
Depends-On: https://review.opendev.org/706158
Change-Id: I6c5005b23ee209650911146e373c4cf082cbee9e
2020-03-23 09:58:16 -07:00
Lance Albertson 453ab3bb95 Update to apache2 ~> 8.0 cookbook
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.

- Install mod_wsgi as a package on RHEL since there is no built-in
  resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
  with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this taken care of
  by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI

Depends-On: https://review.opendev.org/702772

Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
2020-01-30 09:28:25 -08:00
Lance Albertson b571b3c444 Updates for rocky
- Replace git.openstack.org with opendev.org
- Update some documentation
- Move README.md to README.rst for better rendering
- Drop obsolete bootstrap.sh script
- Drop obsolete default recipe

Change-Id: I7894951c9ac0bbd00007da5face15e9418880bc4
2019-12-06 11:19:50 -08:00
Jens Harbott 87d4d2ed40 Use python3 packages on Ubuntu
Python2.7 is going EOL soon, let us deploy python3 for Rocky from the
start, so we avoid having to switch later.

Also update Berksfile to allow dependency testing and require chef >= 14 now.

Change-Id: Id4c06c8fc136ae3cde97e751373049db989de21e
2019-11-26 10:46:40 +00:00
Zuul 1649fd8426 Merge "Add a cloud_config recipe" 2019-09-10 09:43:02 +00:00
Jens Harbott f2902385ef Add a cloud_config recipe
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.

Clean up the old openrc template a bit.

Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
2019-08-30 14:29:33 +00:00
Lance Albertson 5c2bfb4990 Properly notify apache restarts on keystone configuration updates
This uses edit_resource to add a notification in the identity apache
configuration when it gets updated. This is a workaround due to the fact
we are using a version of the apache2 cookbook that is still using
definitions and cannot add notifications with definitions.

This is intended to ensure we only restart apache when the configuration
is updated. Otherwise, the old behaviour was to restart apache on every
run which is problematic in production environments. I have been using
this in our production wrapper cookbook for the past year or so without
any issue.

This will be removed in the Stein release when we migrate to the newer
apache2 cookbook which uses proper resources.

Change-Id: I13de063d1e7ffd356d754eb0f2d8286a3c694836
Signed-off-by: Lance Albertson <lance@osuosl.org>
2019-07-07 19:10:52 -07:00
Zuul df72871ac8 Merge "Fixes to support fog-openstack-1.x" 2019-07-05 08:37:21 +00:00
Roger Luethi f9a1116736 Disable UCA keystone apache2 site early
If the chef-client fails between keystone package installation and the
disabling of the default keystone config file from UCA package, then
apache2 may end up with conflicting site configurations trying to bind
to the same port.

backport: stable/queens

Change-Id: Ib52a4d5195f9ef8d7caa8478c8293fe894624ee5
2019-07-05 06:39:26 +00:00
Lance Albertson b185a5205d Fixes to support fog-openstack-1.x
fog-openstack-1.x already appends "auth/tokens" so we no longer need to
do that.  In addition, comment out endpoint type until this PR [1] gets
merged and released.

[1] https://github.com/fog/fog-openstack/pull/494

Depends-On: https://review.opendev.org/666176
Change-Id: I2a73e87648bff58180c6ee2355a733a8e030fa4b
Signed-off-by: Lance Albertson <lance@osuosl.org>
2019-07-03 16:03:07 -07:00
Jens Harbott 284d54be79 Drop admin endpoints
The admin endpoints offer no special functionality, users may talk to
the public endpoints instead. The only historic use case has been the
keystone v2 admin endpoint, but with keystone v3 API, even that is no
longer needed, except that it's use is hardcoded in keystonemiddleware.
So we prepare everything for completely getting rid of the admin
Identity endpoint, but still create it during bootstrap.

Also drop explicitly creating resources that are created during keystone
bootstrap anyway.

[0]
https://opendev.org/openstack/openstack-chef-specs/src/branch/master/specs/ocata/all/drop-admin-endpoints.rst

Depends-On: https://review.openstack.org/652052
Depends-On: https://review.openstack.org/652064
Depends-On: https://review.openstack.org/652098
Depends-On: https://review.openstack.org/652589
Change-Id: Iddfae1c2cb29217cd9aae89d56bc65fa935fcd28
2019-04-18 11:06:34 +00:00
Jens Harbott 4313c5711f Drop support for a templated catalog
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.

Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
2019-04-04 12:49:31 +00:00
Jens Harbott e30e2cf418 Fixup keystone endpoint handling
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.

At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.

[0] I01d44e48053cad7aeb92636f4b41649204006c93

Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
2018-07-16 12:24:46 -07:00
Zuul 41b3463312 Merge "Simplify identity endpoint" 2018-07-03 06:31:58 +00:00
Samuel Cassiba 7657e34eda Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
2018-06-28 16:24:31 -07:00
Jens Harbott 7d8b8b5c27 Fix token handling for keystone
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.

Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.

Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
2018-06-28 12:58:39 +00:00
Jens Harbott 7e9d7c9966 Use variables keystone_user and keystone_group
We define these variables from the corresponding node attributes, use
then instead of accessing the node attributes afterwards.

Change-Id: I1215d24f341e0ae37b7e0be978578aa2985e4af1
2018-06-28 12:58:03 +00:00
Samuel Cassiba aff741a327 Rename keystone-main service
* rename keystone-main to keystone-public to better align with Keystone
  conventions[0]

[0] https://review.openstack.org/194442

Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
2018-03-23 06:51:19 -07:00
Samuel Cassiba 8ba453b9f5 identity refactor for Pike and Chef 13
- implemented foodcritic and cookstyle corrections
- deprecated node.foo.bar method access for node['foo']['bar'] bracket syntax
- moved apt package_overrides to common cookbook

Implements blueprint modern-chef

Change-Id: I9ab420186b2f93cfc7fcc7be7c406a3176a991e1
2017-12-10 20:04:21 -08:00
Roger Luethi 1302239274 Re-add keystone-manage credential_setup
The step that ran keystone-manage credential_setup has been removed
as "deprecated" with the "Initial identity Pike updates" [1].

However, the Pike CLI documentation for keystone-manage does not
indicate that the command is deprecated [2] and the install-guide
continues to use it [3].

Also, I got this error message on a Pike installation (Ubuntu):

ERROR keystone.common.fernet_utils [...] Either [credential] key_repository
does not exist or Keystone does not have sufficient permission to access
it: /etc/keystone/credential-keys/

For these reasons, this patch reinstates the keystone-manage
credential_setup step.

[1] commit 5279aa4fbc
    (Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a)
[2] https://docs.openstack.org/keystone/pike/cli/index.html
[3] https://docs.openstack.org/keystone/pike/install/keystone-install-ubuntu.html

Change-Id: Iad5afd70ab99d968a6546bd19e5e5831a8299a49
2017-11-02 13:52:23 +01:00
Stefan Hoffmann 9a8b6424ba make fernet key file resource sensitive
Change-Id: I5481547214c7a96b64f3a183f494e3807c1c7735
Closes-Bug: #1719861
2017-09-27 14:43:06 +02:00
Jenkins a66540d815 Merge "use variable fernet-key data bag" 2017-09-22 21:15:12 +00:00
Stefan Hoffmann 79e57bd799 use variable fernet-key data bag
instead of hard coded vault name the attribute
['openstack']['secret']['secrets_data_bag'] is used.

Change-Id: I286fbfe89395544d1f8d0139acca0d689e4737fa
Closes-Bug: #1714523
2017-09-19 09:55:50 +02:00
Jenkins 1961a12a43 Merge "Initial identity Pike updates" 2017-09-13 14:07:00 +00:00
Samuel Cassiba 995fe07550 Corrected keystone bootstrapping command
- the original invocation of keystone-manage bootstrap was in the wrong recipe,
  so it needed to be moved to server-apache for resource ordering. restored the
  original flags used
- regen .rubocop_todo.yml to pass rubocop

Closes-Bug: #1714510
Change-Id: I9d3916e7f306d4c0463ec93cad40d2e78bd7eed8
2017-09-01 10:14:25 -04:00
Samuel Cassiba 5279aa4fbc Initial identity Pike updates
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup

Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
2017-08-30 23:57:20 -04:00
Jens Harbott 275c12c3a6 Drop token-flush cronjob
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.

[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens

Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
2017-08-21 12:26:26 +00:00
Samuel Cassiba 8a967c291a Keystone config updates for Ocata, style and lint fixes
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability

Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
2017-08-02 02:17:27 -04:00
Samuel Cassiba 36d484e301 Corrects SELinux enablement
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
  enabled by default.
- removes executable bit from metadata.rb

Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
2017-04-04 13:58:35 +00:00
Jens Rosenboom f8b8302aae Fixup Identity service deployment for Ocata
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata

Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
2017-03-10 10:47:31 +00:00
Jens Rosenboom 1bb86dd4ce Fix wsgi app creation
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.

So we switch to using the variant provided by upstream instead.

Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
2017-02-21 11:55:45 +01:00
Christoph Albers 2f858e3678 RPC_backend / transport_url workover
- removed deprecated rabbitmq attributes
- added rabbit_transport_url

Change-Id: I0ca0fcc1e261eeadb76c9355a0f14499085d9bda
2016-12-20 11:45:20 +00:00
Jenkins b9b6b26616 Merge "Deprecated python-keystoneclient" 2016-12-20 11:01:48 +00:00
Samuel Cassiba 1cccaa0842 Deprecated python-keystoneclient
- deleted client.rb
- deprecated python-keystoneclient references

Implements blueprint newton-xenial

Change-Id: Ia1406308a9c78a0361cd0e2e0844f0e7a3cf4b9f
2016-12-14 20:11:48 -08:00
Jan Klare 9f8ba8fda6 Wait for identity endpoint instead of sleeping
* added a small ruby block with a loop to check if the keystonen admin
  endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for admin endpoint to become ready and raise
  error specific exception otherwise if Timeout::Error was raised

Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
2016-12-13 13:55:29 +00:00
Christoph Albers 4dcd956337 use_cookbook-openstackclient/identity_v3
- Removed v2 support
- Workover Endpoint creation
  Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with itendity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
  providers/register.rb
  spec/register_spec.rb
  resources/register.rb
  libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
  ubuntu auto-enables it
- bumbed ubuntu version to 16.04

Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
2016-09-29 17:52:30 +02:00
Lance Albertson 0751804867 Include option to set SSLCertificateChainFile
Some cert providers require an chain cert file so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.

Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
2016-08-13 12:36:11 -07:00
Jan Klare 4fda2a0d5b Documenation update after refactoring
* added a lot of inline comments for attributes, recipes and provider
* updated README to the current state of the cookbook

Change-Id: Ic7b7ae6d26ce56e2237fe3215aff9ab447946b48
2016-04-27 16:12:01 -05:00
Mark Vanderwiel 27c46d6450 Remove default apache port
The default apache port overlaps with horizon, but
uses a different address syntax, *:80  vs 0.0.0.0:80.
This causes apache2 to sometimes fail on startup with
Address already in use: AH00072: make_sock: could not bind to address [::]:80

Change-Id: Ib45393b0244dd4cffb440c84c614ba9a104df105
2016-04-08 11:18:07 -05:00
Jens Rosenboom 52d8000c1a Fixup identity backend handling
Instead of creating an artificial, non-functional identity-internal
endpoint use the identity-main backend that is provided via the default
config for both public and internal endpoints.

Change-Id: Ia7d7f11108f0945ccd944d7e4a5c7f7ef68bc654
2016-03-03 19:49:42 +01:00
Jan Klare 0271eb1711 use Array for apache2 listen attributes
* the apache2 cookbook got patched recently and now uses an array of
  "ipaddress:port" to define where apache2 should listen

Depends-On: I7304932c19398c2bd245bbb7cbad6df4f487047e
Change-Id: Id91fb812ba91dab2803c68d24adaddbe0fde7a5e
2016-03-03 14:26:41 +01:00
Jan Klare d47ebc4e52 use new bind_address method from common
* use the bind_address method from common to get address for keystone

WIP specs and deps missing

Change-Id: I206c8cbab66dbeb708947cc9b95c8ecfdf6c2c14
2016-02-24 15:42:12 +00:00
Jan Klare 6585d611cb add fernet tokens as optional token deployment method
* added recipe for fernet_tokens (recipes/_fernet_tokens.rb)
* moved pki setup to seperate recipe (recipes/_pki_tokens.rb)
* included fernet or pki tokens recipe based on auth strategy attibute
* adapted spec accordingly and added specs for fernet_tokens

Change-Id: I37af3e8e5d4b93e0de7f4ef2d999a05573eefc26
2016-02-24 16:41:11 +01:00
Jan Klare a26d528b5e invert the order of endpoint and bind_service attributes
* endpoint type (admin, internal, public) and service (identitiy, network etc.)
  was switched during refactoring, this patch reverts this unintended switching

Change-Id: Ia5bddfc5e2fd77cd6e9e855c680b079f78fc1c3f
Depends-On: Iec485deaf415e4187a323435cce2b6bbadfc5d42
2016-02-12 18:38:19 +01:00