Also set SSLCARevocationCheck alongside SSLCARevocationPath; all one
gets by setting only the latter is warnings in Apache logs.
Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck
Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
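As an added illustration (not part of this commit or the cookbook), the mod_ssl vhost fragment below shows the weak configuration the message warns about beside the corrected one; the port, paths and CRL directory are placeholders.

```apache
# Weak: a CRL directory is configured but never consulted. mod_ssl only
# logs a warning and a revoked client certificate is still accepted.
<VirtualHost *:5000>
    SSLEngine on
    # placeholder paths
    SSLCertificateFile      /etc/ssl/certs/keystone.pem
    SSLCertificateKeyFile   /etc/ssl/private/keystone.key
    SSLCACertificateFile    /etc/ssl/certs/keystone-ca.pem
    SSLVerifyClient         require
    SSLCARevocationPath     /etc/ssl/crl
</VirtualHost>

# Corrected: SSLCARevocationCheck actually enables the CRL lookup.
# "chain" checks every certificate in the client's chain, "leaf" only the
# client certificate itself. The directory must hold CRLs named by issuer
# hash (as produced by c_rehash), otherwise, with Apache 2.3.15 or newer,
# validation fails because no CRL is found for the issuer; the
# no_crl_for_cert_ok flag (2.4.21 and later) relaxes that to a warning.
<VirtualHost *:5000>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/keystone.pem
    SSLCertificateKeyFile   /etc/ssl/private/keystone.key
    SSLCACertificateFile    /etc/ssl/certs/keystone-ca.pem
    SSLVerifyClient         require
    SSLCARevocationPath     /etc/ssl/crl
    SSLCARevocationCheck    chain
</VirtualHost>
```

Run `apachectl configtest` after the change and confirm that a certificate listed in the CRL is rejected with a handshake failure rather than merely logged.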
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.
- Install mod_wsgi as a package on RHEL since there is no built-in
resource for it.
- Don't set SELinux to permissive on RHEL (I tested that this works properly
with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is taken care of
by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI
Depends-On: https://review.opendev.org/702772
Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
This updates all references of let(:chef_run) to cached(:chef_run) to
speed up tests. By doing this, we have to create a new cached(:chef_run)
block whenever we need to adjust node attributes for testing.
In addition:
- Add missing ChefSpec tests for cloud_config and _credential_tokens
recipes
Change-Id: I9f3b86de8f7aa97a5954b2e0f564452e1897a6e3
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.
Clean up the old openrc template a bit.
Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.
Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.
At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.
[0] I01d44e48053cad7aeb92636f4b41649204006c93
Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.
[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components
Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
* rename keystone-main to keystone-public to better align with Keystone
conventions[0]
[0] https://review.openstack.org/194442
Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
- Keystone config updates for Ocata
- Style and lint fixes to support newer chefdk
- Rewrote metadata.rb for readability
Change-Id: Ie1d5f27a9cf8803044568a31e4dae7654b02c9a1
- Remove recipe for PKI tokens as they have been dropped from keystone
- Use Fernet tokens unconditionally
- Cleanup paste deployment according to keystone changes in Ocata
Change-Id: I28c27caacc09a3e46eca135a6c4f5a841f4715f9
The use of the keystone_wsgi_file that we copy in order to create our
keystone apps is deprecated and the file will be removed for Ocata.
So we switch to using the variant provided by upstream instead.
Change-Id: I8970d4ee9692fd13d52b2304ff3a1ae93b693500
- Removed v2 support
- Reworked endpoint creation
Identity Endpoints now will be bootstrapped
- Removed bootstrap_token
- Added domain_creation
- Edited openrc to work with identity_v3
- changed "tenant"-naming to project
- Removed unused files and functions
providers/register.rb
spec/register_spec.rb
resources/register.rb
libraries/machters.rb
- rewrote specs
- updated readme
- added apache_site disable keystone since
ubuntu auto-enables it
- bumped ubuntu version to 16.04
Change-Id: I0f8955f05de9b33711c54b9a198f45018cceb8e1
Some cert providers require a chain cert file, so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.
Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
* added new logic into templates/default/keystone.conf.erb
* refactored attributes throughout all recipes that were connected to
the attributes used for the keystone.conf.erb template to adapt the new
template attribute syntax
* moved all attributes from attributes/default.rb that were used in
keystone_conf.erb to attributes/keystone_conf.rb
* removed all attributes from default.rb and keystone.conf.erb which are set
as default in attributes, openstack doc and used to render the template
* finished split between public, internal and admin endpoints
* refactored endpoint and bind_service logic to fit the new common cookbook
* adapted specs
* added endpoint and bind_service attributes (moved from common)
* removed keystone eventlet configuration (removed in mitaka)
* moved templated service catalog to its own section
* removed deprecated recipe for keystone server deployment without apache (also
removed corresponding specs)
* moved recipe openrc (and template + specs) from common here, to remove inverse dependency in common
cookbook
* adapted the specs (unit tests) to work again
* removed qpid as a messaging option (can be included in a wrapper)
* deleted default attributes from keystone.conf.rb originated in
openstack-common
* removed suse as supported platform
* included current master of apache2 cookbook to utilize new listen logic
* removed rubocop exceptions in recipes and libraries and regenerated the
.rubocop_todo.yaml containing all remaining exceptions
Change-Id: I3262b2e6f792f37c32a446e6567790b82bdd4613
Implements: blueprint cookbook-refactoring
Depends-On: I0547182085eed91d05384fdd7734408a839a9a2c
This commit adds LDAP connection pool configuration settings currently
missing from keystone.conf template.
Change-Id: If76f71564e055608342352ddb80fbba8d078d61d
Closes-bug: #1480577
Add three configurations in identity_mapping group to support
keystone multi-domain.
Change-Id: I9fa68baba9144b8270f49e0c66ba283736640d08
Closes-bug: #1473897
Keystone is recommended to run under apache and the service side
is already deprecated and will be removed in the M release.
This patch adds a new recipe, server-apache, to allow keystone
under apache.
I intentionally just copied the existing server recipe and spec to
create the new ones and I figure those will just be removed in
the M release anyway, no need for "common" type code here.
The majority of the recipe code is exactly the same, just the
last lines, "Start of Apache..." have been added.
This should also work with the existing dashboard cookbook with the
one exception that the apache 3.1 cookbook is needed. There's already
a patch out for that.
I don't plan on changing the default kilo role to use this, that will
be done once we branch for liberty.
Change-Id: I1641e1e5c6bf56d0765ef6e54ae32848431f6d6e
Implements: blueprint keystone-apache
In order to allow components to better handle and respond to mq failures,
oslo has some heartbeat options that are useful.
Change-Id: Ied6ad4af67f8915e91c7515f43121da9ee294456
Partial-Bug: #1462438
Oslo.messaging uses rabbit_max_retries and rabbit_retry_interval to
define how many times, and at what interval, to reconnect to the RabbitMQ
server when it cannot connect to it.
Change-Id: I54236d1d0243e73eb27dd8984cfb86f8bbf7a271
Closes-bug: #1439968
Currently, one cannot enable SSL for Keystone service endpoint since
the recipes do not allow configuring the SSL specific parameters. To
address this issue, this commit defines some new node attributes for
specifying SSL key, certificate and CA certificate paths. Also, this
commit exposes a few other node attributes giving users more flexibility
in their SSL deployment options.
Closes-Bug #1441385
Change-Id: I2ee71f4f11e0cba619418bd5c356ec490c3be6e4
In some cases, keystone notifications are required. This
adds identity to the list of components that could use messaging.
Another patch to Common must go in before this one.
Change-Id: I0ef0274991510197b28de496f2af53d9e88fa2cd
Partial-Bug: #1439306
Several filters have been added and removed. The pipeline default has also
changed.
Change-Id: Iaa1ed6642d72bc94580ec2a280e8dc8ad1e483c3
Closes-Bug: #1428814
Trying to stay in sync with base, many section changes in kilo.
* Remove all unused key=value, as they make diffing a nightmare
* Put in ALL section headers, makes diff easier each time
* Did NOT change any defaults or logic
* Updated spec to use specific section matching to ensure correctness
To see the diff, just diff template against base sample here:
http://git.openstack.org/cgit/openstack/keystone/plain/etc/keystone.conf.sample
Change-Id: Iec379ddac6749ed9d4aea1a5501f9986845afce1
Closes-Bug: #1433717
Change server recipe and template to allow the pipeline of
public_api, admin_api, api_v3 to be set.
Change-Id: Iab81c5e20aca2e7af2ea27c1c4c8a01dc40240ac
Closes-Bug: #1358142
Change server recipe and template to allow the admin_bind_host
to be set to the identity_admin endpoint defined in Common.
Change-Id: I1043d8e9137ea2a6c8f84ee3a2da4f98e3c82521
Closes-Bug: #1368282
We may want to set hash_algorithm to be 'sha2', so we
should allow hash_algorithm to be configurable.
Change-Id: I9be1afb1df9705f5d96c5c3c1caf4f5e4b563042
Closes-Bug: #1370825
* This change allows further flexibility with
handling keystone-paste.ini
* We now support pulling from a local file
(redhat use case), pulling from a remote file,
and finally template functionality (default)
* We support a misc_paste chef attribute to add
custom lines to the keystone-paste.ini when using
the templated version
Change-Id: I9a9adf3fd63df7a36deea274aac51ecd08335bfa
There are no attributes in this template file, which means it just
overrides the existing keystone-paste.ini, and needs to be updated for
each release.
Additionally, the current template file adds in options that are listed
as deprecated, resulting in warnings in keystone.log. Removing the
template file will mean the packaged keystone-paste.ini is used.
This patch removes the keystone-paste.ini template and adds an attribute
to allow a keystone-paste.ini file to be specified.
Change-Id: Id2e6df82acea480320eaf3d07c0570802e4424ca
Closes-Bug: #1313828
It was not possible to set the RPC connection properties in keystone.
This patch adds attributes for them.
Change-Id: I9f653f924f8f7dcd00d6dd97b655b2b14c9a2620
Closes-Bug: #1310747
To be consistent with recent changes in
commit: d706b87f9d57efff21bbbd3df1800362b55d8e74
Original change was commit: f67346f092945cc8221705be269d8e0003fcb9e5
For endpoints, use endpoint.port for the setting in conf files
instead of directly accessing the common default attributes.
Change-Id: I78dab813928923c9eef15275fbe0c2e2b6dfe776
Allow the bind interface address to take precedence, but default
to binding to the host attribute of the Identity API endpoint.
This brings the identity cookbook into conformance with the
other cookbooks regarding the service interface binding.
Closes-Bug: 1277266
Change-Id: I9634e2a359a6ce52b694859a7e84a57638bad5be
This change uses the [token] provider configuration rather than
the deprecated [signing] token_format to select between PKI and UUID
tokens.
Closes-Bug: #1273946
Change-Id: Ia03c2375326c14d4783df3c0774599c795b25cf2