Also set SSLCARevocationCheck alongside SSLCARevocationPath; all one
gets by setting only the latter is warnings in Apache logs.
Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck
Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
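An added check, not code from the openstack-identity cookbook, that reads a mod_ssl configuration and reports the mismatch described above (a CRL path without an explicit SSLCARevocationCheck) and the opposite case the note warns about (the check enabled with no CRL location, which on Apache 2.3.15 or newer rejects every client certificate); both sample configurations are constructed.

```ruby
# Constructed sample: the "before" form the commit message warns about.
WEAK_CONFIG = <<~CONF
  <VirtualHost *:5000>
    SSLEngine on
    SSLCACertificateFile /etc/ssl/certs/ca.pem
    SSLCARevocationPath /etc/ssl/crl
  </VirtualHost>
CONF

# Constructed sample: both directives set, as the commit recommends.
FIXED_CONFIG = WEAK_CONFIG.sub('SSLCARevocationPath /etc/ssl/crl',
                               "SSLCARevocationPath /etc/ssl/crl\n  SSLCARevocationCheck chain")

# Collect "Directive value" lines into a hash keyed by lowercased directive name;
# Apache matches directive names case-insensitively, so the check does too.
def ssl_directives(config)
  config.each_line.with_object({}) do |line, dirs|
    line = line.strip
    next if line.empty? || line.start_with?('#', '<')
    name, value = line.split(/\s+/, 2)
    dirs[name.downcase] = value.to_s
  end
end

# Return a list of findings; an empty list means the revocation settings are consistent.
def revocation_findings(config)
  dirs = ssl_directives(config)
  crl_present = dirs.key?('sslcarevocationpath') || dirs.key?('sslcarevocationfile')
  # Only the first word matters here (chain|leaf|none); trailing flags are ignored.
  mode = dirs['sslcarevocationcheck'].to_s.split.first.to_s.downcase
  findings = []
  if crl_present && mode.empty?
    findings << 'CRL configured but SSLCARevocationCheck is unset: revocation is not enforced'
  elsif crl_present && mode == 'none'
    findings << 'CRL configured but SSLCARevocationCheck is "none": revocation is not enforced'
  elsif !crl_present && !mode.empty? && mode != 'none'
    # No CRL can ever be found, so on Apache 2.3.15+ every client certificate fails validation.
    findings << 'SSLCARevocationCheck set without a CRL path or file: client certificates will fail validation'
  end
  findings
end
```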
Update ChefSpec due to changes made in apache2 cookbook.
Depends-On: https://review.opendev.org/756168
Change-Id: Ie4a830620f217f5879ae4270850214902c202dbf
Signed-off-by: Lance Albertson <lance@osuosl.org>
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.
- Install mod_wsgi as a package on RHEL since there is no built-in
resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is taken care of
by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI
Depends-On: https://review.opendev.org/702772
Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
This updates all references of let(:chef_run) to cached(:chef_run) to
speed up tests. By doing this, we have to create a new cached(:chef_run)
block whenever we need to adjust node attributes for testing.
In addition:
- Add missing ChefSpec tests for cloud_config and _credential_tokens
recipes
Change-Id: I9f3b86de8f7aa97a5954b2e0f564452e1897a6e3
Python 2.7 is going EOL soon, so let us deploy python3 for Rocky from the
start, so we avoid having to switch later.
Also update Berksfile to allow dependency testing and require chef >= 14 now.
Change-Id: Id4c06c8fc136ae3cde97e751373049db989de21e
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.
Clean up the old openrc template a bit.
Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
This uses edit_resource to add a notification in the identity apache
configuration when it gets updated. This is a workaround due to the fact
we are using a version of the apache2 cookbook that is still using
definitions and cannot add notifications with definitions.
This is intended to ensure we only restart apache when the configuration
is updated. Otherwise, the old behaviour was to restart apache on every
run which is problematic in production environments. I have been using
this in our production wrapper cookbook for the past year or so without
any issue.
This will be removed in the Stein release when we migrate to the newer
apache2 cookbook which uses proper resources.
Change-Id: I13de063d1e7ffd356d754eb0f2d8286a3c694836
Signed-off-by: Lance Albertson <lance@osuosl.org>
fog-openstack-1.x already appends "auth/tokens" so we no longer need to
do that. In addition, comment out endpoint type until this PR [1] gets
merged and released.
[1] https://github.com/fog/fog-openstack/pull/494
Depends-On: https://review.opendev.org/666176
Change-Id: I2a73e87648bff58180c6ee2355a733a8e030fa4b
Signed-off-by: Lance Albertson <lance@osuosl.org>
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.
Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.
At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.
[0] I01d44e48053cad7aeb92636f4b41649204006c93
Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.
[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components
Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.
Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.
Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
* rename keystone-main to keystone-public to better align with Keystone
conventions[0]
[0] https://review.openstack.org/194442
Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
Instead of a hard-coded vault name, the attribute
['openstack']['secret']['secrets_data_bag'] is used.
Change-Id: I286fbfe89395544d1f8d0139acca0d689e4737fa
Closes-Bug: #1714523
- the original invocation of keystone-manage bootstrap was in the wrong recipe,
so it needed to be moved to server-apache for resource ordering. restored the
original flags used
- regen .rubocop_todo.yml to pass rubocop
Closes-Bug: #1714510
Change-Id: I9d3916e7f306d4c0463ec93cad40d2e78bd7eed8
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Removed deprecated credential_setup
Change-Id: I518ed83f7e19c590e7846160889faf46db274b3a
We now only support fernet tokens, for which token flushing is no longer
needed, see [1]. So we drop the corresponding cron job and the
attributes to configure it. This also gets rid of the error messages
which it is currently producing.
[1] https://docs.openstack.org/security-guide/identity/tokens.html#fernet-tokens
Change-Id: Ia5fe5f5d0c98ca0a77f03478edfe1777e0a89612
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability
Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
enabled by default.
- removes executable bit from metadata.rb
Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata
Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.
So we switch to using the variant provided by upstream instead.
Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
* added a small ruby block with a loop to check if the keystone admin
endpoint is up before trying to register projects, users etc.
* will wait 60 seconds for the admin endpoint to become ready and raise a
specific exception if Timeout::Error was raised
Change-Id: Ief678b0f40685e91ced9bddde95b916f4587b330
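An added example, not the cookbook's own ruby_block, of the wait loop described above: poll the Keystone endpoint until it answers and turn the generic Timeout::Error into a specific exception. The `probe` keyword and the `KeystoneNotReady` class are assumptions of this example so the loop can be exercised offline.

```ruby
require 'net/http'
require 'timeout'
require 'uri'

# Specific exception raised once the wait gives up (assumed name, not the cookbook's).
class KeystoneNotReady < StandardError; end

# Default probe: a plain HTTP GET; any response, even a 4xx, means the endpoint is up.
def http_probe(url)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, open_timeout: 5, read_timeout: 5) do |http|
    http.get(uri.request_uri)
  end
  true
rescue SystemCallError, Net::OpenTimeout, Net::ReadTimeout, SocketError
  false
end

# Poll `probe` every `interval` seconds until it returns true; raise KeystoneNotReady
# after `timeout` seconds. Returns the number of attempts that were needed.
def wait_for_endpoint(url, timeout: 60, interval: 2, probe: method(:http_probe))
  attempts = 0
  Timeout.timeout(timeout) do
    loop do
      attempts += 1
      break if probe.call(url)
      sleep interval
    end
  end
  attempts
rescue Timeout::Error
  raise KeystoneNotReady, "#{url} did not answer within #{timeout}s (#{attempts} attempts)"
end
```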
- Removed v2 support
- Reworked endpoint creation
Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
providers/register.rb
spec/register_spec.rb
resources/register.rb
libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
ubuntu auto-enables it
- bumped ubuntu version to 16.04
Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
Some cert providers require a chain cert file, so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.
Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
The default apache port overlaps with horizon, but
uses a different address syntax, *:80 vs 0.0.0.0:80.
This causes apache2 to sometimes fail on startup with
Address already in use: AH00072: make_sock: could not bind to address [::]:80
Change-Id: Ib45393b0244dd4cffb440c84c614ba9a104df105
The option "verbose" in the [DEFAULT] section is deprecated; its
default value would be false anyway.
Change-Id: Ib7809425ca5c1651cd7642f3a6cf56cb7f6444aa
Instead of creating an artificial, non-functional identity-internal
endpoint use the identity-main backend that is provided via the default
config for both public and internal endpoints.
Change-Id: Ia7d7f11108f0945ccd944d7e4a5c7f7ef68bc654
* the apache2 cookbook got patched recently and now uses an array of
"ipaddress:port" to define where apache2 should listen
Depends-On: I7304932c19398c2bd245bbb7cbad6df4f487047e
Change-Id: Id91fb812ba91dab2803c68d24adaddbe0fde7a5e
* added recipe for fernet_tokens (recipes/_fernet_tokens.rb)
* moved pki setup to separate recipe (recipes/_pki_tokens.rb)
* included fernet or pki tokens recipe based on auth strategy attribute
* adapted spec accordingly and added specs for fernet_tokens
Change-Id: I37af3e8e5d4b93e0de7f4ef2d999a05573eefc26
* endpoint type (admin, internal, public) and service (identity, network etc.)
was switched during refactoring, this patch reverts this unintended switching
Change-Id: Ia5bddfc5e2fd77cd6e9e855c680b079f78fc1c3f
Depends-On: Iec485deaf415e4187a323435cce2b6bbadfc5d42
* added new logic into templates/default/keystone.conf.erb
* refactored attributes throughout all recipes that were connected to
the attributes used for the keystone.conf.erb template to adapt the new
template attribute syntax
* moved all attributes from attributes/default.rb that were used in
keystone_conf.erb to attributes/keystone_conf.rb
* removed all attributes from default.rb and keystone.conf.erb which are set
as default in attributes, openstack doc and used to render the template
* finished split between public, internal and admin endpoints
* refactored endpoint and bind_service logic to fit the new common cookbook
* adapted specs
* added endpoint and bind_service attributes (moved from common)
* removed keystone eventlet configuration (removed in mitaka)
* moved templated service catalog to its own section
* removed deprecated recipe for keystone server deployment without apache (also
removed corresponding specs)
* moved recipe openrc (and template + specs) from common here, to remove inverse dependency in common
cookbook
* adapted the specs (unit tests) to work again
* removed qpid as a messaging option (can be included in a wrapper)
* deleted default attributes from keystone.conf.rb originated in
openstack-common
* removed suse as supported platform
* included current master of apache2 cookbook to utilize new listen logic
* removed rubocop exceptions in recipes and libraries and regenerated the
.rubocop_todo.yaml containing all remaining exceptions
Change-Id: I3262b2e6f792f37c32a446e6567790b82bdd4613
Implements: blueprint cookbook-refactoring
Depends-On: I0547182085eed91d05384fdd7734408a839a9a2c
The current hack just does an apache reload, but a full
restart is required on centos.
Change-Id: I1deb415bc6f8d035775c9bd723ae8b2207c333e6
Closes-Bug: #1512480