Commit Graph

89 Commits

Author SHA1 Message Date
Ghanshyam Mann 44d13c8c64 Retire openstack-chef: remove repo content
OpenStack-chef project is retiring
- https://review.opendev.org/c/openstack/governance/+/905279

This commit removes the content of this project repo.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/909134
Change-Id: Ida0639315944c8c7852ec37fb10f133e8ab9c455
2024-02-17 20:50:52 -08:00
Karim El Aammari c5211ab38f Possibility to set SSLCARevocationPath for keystone as chef default attribute "ca_revocation_path"
Also set SSLCARevocationCheck alongside SSLCARevocationPath; all one
gets by setting only the latter is warnings in Apache logs.

Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck

Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
2021-07-20 13:26:02 +01:00
Lance Albertson 453ab3bb95 Update to apache2 ~> 8.0 cookbook
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.

- Install mod_wsgi as a package on RHEL since there is no built-in
  resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
  with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is taken care of
  by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI

Depends-On: https://review.opendev.org/702772

Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
2020-01-30 09:28:25 -08:00
Lance Albertson 3d3d0b2f9c Improve ChefSpec test speed by enabling caching
This updates all references of let(:chef_run) to cached(:chef_run) to
speed up tests. By doing this, we have to create a new cached(:chef_run)
block whenever we need to adjust node attributes for testing.

In addition:

- Add missing ChefSpec tests for cloud_config and _credential_tokens
  recipes

Change-Id: I9f3b86de8f7aa97a5954b2e0f564452e1897a6e3
2019-12-17 18:59:42 -08:00
Jens Harbott f2902385ef Add a cloud_config recipe
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.

Clean up the old openrc template a bit.

Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
2019-08-30 14:29:33 +00:00
Jens Harbott 284d54be79 Drop admin endpoints
The admin endpoints offer no special functionality, users may talk to
the public endpoints instead. The only historic use case has been the
keystone v2 admin endpoint, but with keystone v3 API, even that is no
longer needed, except that its use is hardcoded in keystonemiddleware.
So we prepare everything for completely getting rid of the admin
Identity endpoint, but still create it during bootstrap.

Also drop explicitly creating resources that are created during keystone
bootstrap anyway.

[0]
https://opendev.org/openstack/openstack-chef-specs/src/branch/master/specs/ocata/all/drop-admin-endpoints.rst

Depends-On: https://review.openstack.org/652052
Depends-On: https://review.openstack.org/652064
Depends-On: https://review.openstack.org/652098
Depends-On: https://review.openstack.org/652589
Change-Id: Iddfae1c2cb29217cd9aae89d56bc65fa935fcd28
2019-04-18 11:06:34 +00:00
Jens Harbott 4313c5711f Drop support for a templated catalog
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.

Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
2019-04-04 12:49:31 +00:00
Jens Harbott e30e2cf418 Fixup keystone endpoint handling
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.

At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.

[0] I01d44e48053cad7aeb92636f4b41649204006c93

Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
2018-07-16 12:24:46 -07:00
Samuel Cassiba 7657e34eda Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
2018-06-28 16:24:31 -07:00
Samuel Cassiba aff741a327 Rename keystone-main service
* rename keystone-main to keystone-public to better align with Keystone
  conventions[0]

[0] https://review.openstack.org/194442

Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
2018-03-23 06:51:19 -07:00
Samuel Cassiba 8a967c291a Keystone config updates for Ocata, style and lint fixes
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability

Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
2017-08-02 02:17:27 -04:00
Jens Rosenboom f8b8302aae Fixup Identity service deployment for Ocata
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata

Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
2017-03-10 10:47:31 +00:00
Jens Rosenboom 1bb86dd4ce Fix wsgi app creation
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.

So we switch to using the variant provided by upstream instead.

Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
2017-02-21 11:55:45 +01:00
Christoph Albers 4dcd956337 use_cookbook-openstackclient/identity_v3
- Removed v2 support
- Workover Endpoint creation
  Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
  providers/register.rb
  spec/register_spec.rb
  resources/register.rb
  libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
  ubuntu auto-enables it
- bumped ubuntu version to 16.04

Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
2016-09-29 17:52:30 +02:00
Lance Albertson 0751804867 Include option to set SSLCertificateChainFile
Some cert providers require a chain cert file, so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.

Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
2016-08-13 12:36:11 -07:00
Jan Klare a3f18966ea refactoring final step
* added new logic into templates/default/keystone.conf.erb
* refactored attributes throughout all recipes that were connected to
  the attributes used for the keystone.conf.erb template to adapt the new
  template attribute syntax
* moved all attributes from attributes/default.rb that were used in
  keystone_conf.erb to attributes/keystone_conf.rb
* removed all attributes from default.rb and keystone.conf.erb which are set
  as default in attributes, openstack doc and used to render the template
* finished split between public, internal and admin endpoints
* refactored endpoint and bind_service logic to fit the new common cookbook
* adapted specs
* added endpoint and bind_service attributes (moved from common)
* removed keystone eventlet configuration (removed in mitaka)
* moved templated service catalog to its own section
* removed deprecated recipe for keystone server deployment without apache (also
  removed corresponding specs)
* moved recipe openrc (and template + specs) from common here, to remove inverse dependency in common
  cookbook
* adapted the specs (unit tests) to work again
* removed qpid as a messaging option (can be included in a wrapper)
* deleted default attributes from keystone.conf.rb originated in
  openstack-common
* removed suse as supported platform
* included current master of apache2 cookbook to utilize new listen logic
* removed rubocop exceptions in recipes and libraries and regenerated the
  .rubocop_todo.yaml containing all remaining exceptions

Change-Id: I3262b2e6f792f37c32a446e6567790b82bdd4613
Implements: blueprint cookbook-refactoring
Depends-On: I0547182085eed91d05384fdd7734408a839a9a2c
2016-02-08 10:17:20 +01:00
Mark Vanderwiel f178a00b84 Sync keystone paste.ini with liberty changes
Change-Id: I6bddae9fc83a5fc133e43a27e96e1a7110c94cfb
Partial-Bug: #1501064
2015-09-29 16:48:11 -05:00
wenchma 9cb5f85141 Add the authorization configuration options
Add the following two configuration options:

  * external = keystone.auth.plugins.external.DefaultDomain
  * methods = external, password, token, oauth1

Change-Id: I7e9b195bd0d87824771deb23b42608ba3ec58610
Closes-bug: #1482460
2015-08-11 11:09:14 +08:00
Imtiaz Chowdhury b117e31b60 Add LDAP connection pool settings
This commit adds LDAP connection pool configuration settings currently
missing from keystone.conf template.

Change-Id: If76f71564e055608342352ddb80fbba8d078d61d
Closes-bug: #1480577
2015-08-01 12:05:17 -07:00
wenchma 3d4707453c Add identity_mapping section configurations
Add three configurations in identity_mapping group to support
keystone multi-domain.

Change-Id: I9fa68baba9144b8270f49e0c66ba283736640d08
Closes-bug: #1473897
2015-07-15 10:09:03 +08:00
Mark Vanderwiel 8bf715d8d8 Allow keystone under apache
Keystone is recommended to run under apache and the service side
is already deprecated and will be removed in the M release.
This patch adds a new recipe, server-apache, to allow keystone
under apache.

I intentionally just copied the existing server recipe and spec to
create the new ones and I figure those will just be removed in
the M release anyway, no need for "common" type code here.

The majority of the recipe code is exactly the same, just the
last lines, "Start of Apache..." have been added.

This should also work with the existing dashboard cookbook with the
one exception that the apache 3.1 cookbook is needed.  There's already
a patch out for that.

I don't plan on changing the default kilo role to use this, that will
be done once we branch for liberty.

Change-Id: I1641e1e5c6bf56d0765ef6e54ae32848431f6d6e
Implements: blueprint keystone-apache
2015-06-23 09:10:02 -05:00
Mark Vanderwiel 808e27fff5 Allow rabbit mq kombu ssl configuration
Add the rest of the kombu ssl configuration options.

Change-Id: Ifba96ecd08de5b18b1e365f6f5c25677a9008af2
Partial-Bug: 1464706
2015-06-16 10:28:03 -05:00
Mark Vanderwiel ccac1491cf Allow oslo rabbit heartbeat configuration
In order to allow components to better handle and respond to mq failures,
oslo has some heartbeat options that are useful.

Change-Id: Ied6ad4af67f8915e91c7515f43121da9ee294456
Partial-Bug: #1462438
2015-06-15 03:07:02 +00:00
wenchma 141b2738b4 Add rabbitmq max_retries and retry_interval attributes in keystone conf
Oslo.messaging uses rabbit_max_retries and rabbit_retry_interval to
define the number of reconnection attempts and the interval between them
when it cannot connect to the rabbitmq server.

Change-Id: I54236d1d0243e73eb27dd8984cfb86f8bbf7a271
Closes-bug: #1439968
2015-06-12 14:38:35 +08:00
Mark Vanderwiel 7efb488a86 Fix for rabbit mq support
Add logic for kombu_ssl_version and HA rabbit mq keys.

Change-Id: Ie33642f520ca0d9f13dad8522d5f8af215badd6d
Related-Bug: #1439306
2015-04-24 03:25:36 +00:00
Imtiaz Chowdhury b677c725a5 Make SSL settings configurable for Keystone
Currently, one cannot enable SSL for Keystone service endpoint since
the recipes do not allow configuring the SSL specific parameters. To
address this issue, this commit defines some new node attributes for
specifying SSL key, certificate and CA certificate paths. Also, this
commit exposes few other node attributes giving users more flexibility
in their SSL deployment options.

Closes-Bug: #1441385

Change-Id: I2ee71f4f11e0cba619418bd5c356ec490c3be6e4
2015-04-23 05:29:03 +00:00
Mark Vanderwiel 34480278c1 Allow mq setup for keystone
In some cases, keystone notifications are required. This
adds identity to the list of components that could use messaging.

Another patch to Common must go in before this one.

Change-Id: I0ef0274991510197b28de496f2af53d9e88fa2cd
Partial-Bug: #1439306
2015-04-20 08:06:51 +00:00
Mark Vanderwiel ac22c9bfcc keystone paste ini default changed for kilo
Several filters have been added and removed. The pipeline default has also
changed.

Change-Id: Iaa1ed6642d72bc94580ec2a280e8dc8ad1e483c3
Closes-Bug: #1428814
2015-04-07 03:52:10 +00:00
Mark Vanderwiel 2f54d6f77c Sync with new kilo sections
Trying to stay in sync with base, many section changes in kilo.

* Remove all unused key=value, as they make diffs a nightmare
* Put in ALL section headers, makes diff easier each time
* Did NOT change any defaults or logic
* Updated spec to use specific section matching to ensure correctness

To see the diff, just diff template against base sample here:
http://git.openstack.org/cgit/openstack/keystone/plain/etc/keystone.conf.sample

Change-Id: Iec379ddac6749ed9d4aea1a5501f9986845afce1
Closes-Bug: #1433717
2015-04-02 15:22:28 +00:00
Mark Vanderwiel fd36e4de0d Cleanup deprecated token backend value
Change-Id: I47609be2e70fb83469546567ed48ab26bbdcce5d
Closes-Bug: #1386248
2014-10-30 09:52:47 -05:00
Yi Cong Lu e0934e9769 Allow API pipeline to be settable in keystone-paste.ini
Change server recipe and template to allow the pipeline of
public_api, admin_api, api_v3 to be set.

Change-Id: Iab81c5e20aca2e7af2ea27c1c4c8a01dc40240ac
Closes-Bug: #1358142
2014-10-17 14:02:48 +08:00
Mark Vanderwiel 00ddcaf587 Allow attributes for domain specific drivers
Change-Id: I5c000d4a752d3076d39e2d0cdde9f46a881ae2bd
Closes-Bug: #1374587
2014-10-09 12:55:12 -05:00
Mark Vanderwiel b026b86506 Add saml attribute section
Add new saml section to keystone.conf for
federation support.

Change-Id: Ic9bf5385ef679b072adf94d52f99106d81ed3f90
Closes-Bug: #1374620
2014-09-30 16:35:37 -05:00
Mark Vanderwiel 0ab0cd3def Allow admin_bind_host to be settable in the keystone.conf
Change server recipe and template to allow the admin_bind_host
to be set to the identity_admin endpoint defined in Common.

Change-Id: I1043d8e9137ea2a6c8f84ee3a2da4f98e3c82521
Closes-Bug: #1368282
2014-09-23 11:24:10 -05:00
chenxiao 067b79fcf8 Allow hash_algorithm to be configurable
We may want to set hash_algorithm to be 'sha2', so we
should allow hash_algorithm to be configurable.

Change-Id: I9be1afb1df9705f5d96c5c3c1caf4f5e4b563042
Closes-Bug: #1370825
2014-09-19 11:42:07 +08:00
Mark Vanderwiel bc8e6a9250 Allow list_limit to be configured
Add list_limit for default, assignment, catalog, identity and policy
sections.

Change-Id: I817827510984d0d46cc83045d91ce93154e6dbad
Closes-Bug: #1354490
2014-08-28 10:28:16 -05:00
Mark Vanderwiel e0800c226e Allow admin and public workers to be configured
* Add 2 new attributes for admin_workers and public_workers
* Add specs

Change-Id: I408463a16782dafc53bead2526c74d59ea4aea40
Closes-Bug: #1353569
2014-08-26 16:55:29 -05:00
Mark Vanderwiel ca7a24b695 Update keystone conf files for Juno
* Update paste.ini
* Update keystone.conf
  - Add in description comments
  - Add project_ for deprecated ldap tenant_
  - Remove unused user and group _domain_id_attributes
* Update specs as needed

Change-Id: Ifbd5fac220fff7723b3de349ca57cd96a4b6910a
Closes-bug: #1351459
2014-08-26 09:44:45 -05:00
Alan Meadows 00354fe02a Additional options for keystone-paste.ini
* This change allows further flexibility with handling keystone-paste.ini
* We now support pulling from a local file (redhat use case), pulling from
  a remote file, and finally template functionality (default)
* We support a misc_paste chef attribute to add custom lines to the
  keystone-paste.ini when using the templated version

Change-Id: I9a9adf3fd63df7a36deea274aac51ecd08335bfa
2014-06-30 11:54:30 -07:00
Kieren Hynd c6c0a77223 Add TLS options for [ldap] to keystone.conf
Change-Id: I27d27042ca96860e8f04c0f51639aa4e435007b3
Closes-Bug: 1322146
2014-05-28 16:51:11 +01:00
Kieren Hynd 5b90c702eb Configurable assignment driver
Allow the [assignment] backend to be switched (eg; to LDAP) for
http://docs.openstack.org/developer/keystone/configuration.html#read-only-ldap

Change-Id: I9e4d5a4f4538025c55ebd7db39a78c5135af48e1
Closes-Bug: #1318992
2014-05-15 10:32:37 +01:00
Mark Vanderwiel f9aaa9aab6 Allow misc options for keystone.conf
Add support like already exists for openrc and nova.conf.
Add tests.

Change-Id: Ife666ca0fec484deb379d034b4dc1bea8fc1f985
Closes-Bug: #1318822
2014-05-13 10:02:41 -05:00
Andy McCrae 5c264be5c0 Only manage the keystone-paste.ini if specified
There are no attributes in this template file, which means it just
overrides the existing keystone-paste.ini, and needs to be updated for
each release.

Additionally, the current template file adds in options that are listed
as deprecated, resulting in warnings in keystone.log. Removing the
template file will mean the packaged keystone-paste.ini is used.

This patch removes the keystone-paste.ini template and adds an attribute
to allow a keystone-paste.ini file to be specified.

Change-Id: Id2e6df82acea480320eaf3d07c0570802e4424ca
Closes-Bug: #1313828
2014-05-06 10:18:51 +01:00
Luis A. Garcia faf956ba2c Add basic rpc connection properties
It was not possible to set the RPC connection properties in keystone.
This patch adds attributes for them.

Change-Id: I9f653f924f8f7dcd00d6dd97b655b2b14c9a2620
Closes-Bug: #1310747
2014-04-21 14:16:39 -07:00
Mark Vanderwiel bad7236565 Use endpoint for setting compute and ec2 port
To be consistent with recent changes in
commit: d706b87f9d57efff21bbbd3df1800362b55d8e74
Original change was commit: f67346f092945cc8221705be269d8e0003fcb9e5

For endpoints, use the endpoint.port for setting the port in conf files
instead of directly accessing the common default attributes.

Change-Id: I78dab813928923c9eef15275fbe0c2e2b6dfe776
2014-03-25 10:27:03 -05:00
Mark Vanderwiel 8f9e0fb8e1 Remove dup identity port attributes
The service and admin ports are now defined in common.

Change-Id: I37ab6b26c4765c9c0b75d3bbc6fc38d36580dbb6
Closes-Bug: 1281108
2014-03-24 11:10:23 -05:00
ericzhou 289266f171 Move paste deploy configuration to keystone-paste.ini.
Change-Id: I56156eef348d1a31b3dd7b765a9b5bb37e26b305
Closes-Bug: #1289133
2014-03-11 20:38:35 +08:00
Matt Odden e94c69b56c Change bind address to use Identity endpoint host
Allow the bind interface address to take precedence, but default
to binding to the host attribute of the Identity API endpoint.
This brings the identity cookbook into conformance with the
other cookbooks regarding the service interface binding.

Closes-Bug: 1277266

Change-Id: I9634e2a359a6ce52b694859a7e84a57638bad5be
2014-02-18 17:26:54 +00:00
Hugh Saunders 1cf0440d63 Add attribute for token expiration time.
Change-Id: I113be79142cf288badd60194d717b14cabcba736
2014-02-17 14:15:41 +00:00
Matt Thompson e1a8f62618 Update keystone.conf to use new provider config
This change uses the [token] provider configuration rather than
the deprecated [signing] token_format to select between PKI and UUID
tokens.

Closes-Bug: #1273946
Change-Id: Ia03c2375326c14d4783df3c0774599c795b25cf2
2014-02-01 00:39:48 +08:00