Commit Graph

58 Commits

Author SHA1 Message Date
Ghanshyam Mann 7696ada9d2 Retire openstack-chef: remove repo content
OpenStack-chef project is retiring
- https://review.opendev.org/c/openstack/governance/+/905279

this commit remove the content of this project repo

Depends-On: https://review.opendev.org/c/openstack/project-config/+/909134
Change-Id: Ifae4bf9ef4e6b4c89571f9fc3c45ef3f5349fb4d
2024-02-17 20:49:42 -08:00
Lance Albertson 2f13299f3e Chef 17 support
- Remove bind from Berksfile
- Update copyright years
- Require Chef >= 16.0

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-identity/+/814051
Change-Id: Ie4c83015a5ea141ea398be77cccf8eacc283d470
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-14 12:50:26 -07:00
Lance Albertson 5178e1c937 Cookstyle 6.19.5 fixes
Depends-On: https://review.opendev.org/756168
Change-Id: Idfa343580b1dce6860d522ca62b63b818353aab8
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-10-05 17:29:04 -07:00
Lance Albertson d6844783ea Chef 16 updates
Depends-On: https://review.opendev.org/747556
Change-Id: Ic4ddb3c0f4b840578ee074c1279330db5822bfa3
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-08-27 17:38:00 -07:00
Lance Albertson 0d15f40999 Stein fixes
- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
  cookbooks
- Update documentation
- Cleanup line wraps
- Enable sensitive resources for the template[/etc/heat/heat.conf] to
  resources improve security.
- Update delivery configuration to exclude integration cookbooks
- Fix ChefSpec output.
- Add missing ChefSpec tests
- Switch package installations to send packages as arrays instead of individual
  package resources. This generally speeds up chef runs.
- Cleanup array syntax using %w() instead of []

Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706151
Depends-On: https://review.opendev.org/706157
Depends-On: https://review.opendev.org/708059
Depends-On: https://review.opendev.org/713285

Change-Id: Ifb3a9de9eecc370e46f43a73ed77008a7b21594b
2020-03-19 11:31:45 -07:00
Lance Albertson d98d4a9757 Start heat services in addition to enabling them
I noticed this was missing during some upgrade testing when I noticed the heat
services didn't start back up after shutting them down for the upgrade and
running chef. I'm not sure why this was set to enable only.

Change-Id: I8048270047767bda7414b2baee176f7bc9ab7a8b
Signed-off-by: Lance Albertson <lance@osuosl.org>
2019-10-12 11:25:35 -07:00
Lance Albertson cd52c71b6c Fixes for fog-openstack, admin endpoint and common pkgs on Debian
This provides a collection of fixes required to converge properly:

- fog-openstack-1.x already appends "auth/tokens" so we no longer need
  to do that
- Remove references to deprecated
  node['openstack']['api']['auth']['version'] attribute
- Remove creation of admin deprecated endpoints
- Add python-heat to common packages on Debian system so that the
  heat-manage binary is available
- Remove and refactor use of deprecated identity_uri_transform function

Change-Id: Idfd9aed09ccd5c3871cac71dbe0b51c921f1ec0e
Signed-off-by: Lance Albertson <lance@osuosl.org>
2019-08-05 14:37:22 -07:00
Roger Luethi dd41637548 Add openstack-orchestration::dashboard recipe
Starting with Queens, upstream has moved the Orchestration (heat)
dashboard from the main dashboard package into a separate package.

backport: queens

Change-Id: Ifb2018623bd4df250c2d3d8c5a7473f6cff94fe8
2018-10-31 08:44:40 +01:00
Samuel Cassiba 0fb71ae5d8 Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Change-Id: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Implements: blueprint simplify-identity-endpoint
2018-06-14 19:16:04 -07:00
Samuel Cassiba 5b2632d052 Remove deprecated cloudwatch recipe
* Queens removed cloudwatch outright[0], which has been deprecated since
  Havana.

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-October/123104.html

Change-Id: I4cd53d7aed179787d192d6342ec44fea9332fb66
2018-03-13 08:52:23 -07:00
Samuel Cassiba 2bcd59a687 orchestration refactor for Pike and Chef 13
- implemented foodcritic and cookstyle corrections
- deprecated node.foo.bar method access for node['foo']['bar'] bracket syntax
- added interface for internal endpoint
- moved dpkg options to common cookbook

Implements blueprint modern-chef

Change-Id: I361aed3d84a6e7225d7d803f1855ce37da568eac
2017-12-10 12:32:19 -08:00
Roger Luethi 37737b68c1 Add comments to identity_registration.rb
Change-Id: Idc55def9c744a9af2780cd99addb7cb66393606e
2017-11-16 02:05:30 +00:00
Roger Luethi dc2d594b05 Grant admin role in heat domain to heat_domain_admin
This patch grants heat_domain_admin the admin role in the heat domain
(rather then in the service project).

We use :grant_domain instead of :grant_role, because we are setting a
role in a domain, not in a project.

Note that for the user to actually exist in the heat domain, a
sufficiently recent openstackclient cookbook is required -- otherwise
the domain_name attribute is ignored during user creation.

Also, we remove the user_name attribute (gets ignored by resource
action).

Change-Id: I747e2dedbc517cc3deb2675590fb982459c560a0
2017-11-15 21:36:05 +00:00
Roger Luethi 00341ef50a Remove domain role from heat service user
This patch removes the openstack_user resource with :grant_domain
action. A user is always created within a specific domain; such a
membership cannot be tacked on later. This resource gave the heat user
the role intended for its project for the domain (i.e., for the Default
domain instead of for the service project).

We add the domain_name attribute that creates the heat user in the
desired domain. Note that this change needs a sufficiently recent
openstackclient cookbook -- otherwise the domain_name attribute is
ignored (which does not matter as long as the heat user is to be created
in the Default domain).

Change-Id: Ifa3d344a3d9094dd1272b126a4dc9ab951c00972
2017-11-13 15:07:33 +00:00
Roger Luethi 48fdd181f9 Remove superfluous role_name arguments
This patch removes the role_name when using openstack_user's :create
action (it gets ignored by the target method).

Note that the spec test would still pass if only the line in
identity_registration.rb (but not the test) were changed, because the
code that actually does grant the role to the resource is executed right
after user creation and before any tests check the resource for the
existence of the role_name attribute. In other words: if the argument
were required in a call but only supplied in another call, the spec
tests would not catch it. Something to watch out for.

Change-Id: Ic45dd42453d9f8ae2a8c4d04f830cff67740cac6
2017-11-13 09:34:17 +01:00
Roger Luethi 306f79c0b8 Remove duplicate resources
This patch removes duplicate resources from identity_registration.
Identical definitions can be found in the same file.

Change-Id: Ibabac07a86154829a1eb2a5deccc70bf50030c45
2017-10-30 13:47:16 +01:00
Christoph Albers cb26f25be4 Heat Fixes
- currently non-admin user aren't able to create stacks with i.e.
  Resource OS::Heat::SoftwareDeployment
- added heat domain
        heat domain_admin
        heat_stack_owner and user role
- added missing configuration options
- fixed some smaller ruby /cookstyle offenses
Change-Id: I6ae544dcc6260050304e66e227383e0e944a6bb6
2017-10-06 10:21:54 +02:00
Samuel Cassiba 032dd3c51a Initial orchestration Pike updates
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Normalized template banner

Change-Id: Icc3eca4b2d17a6d1ef66c1c7e75513de0ee3cac9
2017-08-25 10:08:57 -04:00
Samuel Cassiba df79bb4fe9 Reordered metadata.rb for readability, satisfy foodcritic/rubocop
Change-Id: Ib1a753696982f2e3cce133bd6bd56c4c8fa25bc5
2017-08-17 18:00:09 -04:00
Christoph Albers e00cf744d2 RPC_backend / transport_url workover
- removed deprecated rabbitmq attributes
- added rabbit_transport_url

Change-Id: Id1fa34e55c556ffae2a6200bb7138f11808a3abf
2016-12-20 11:45:40 +00:00
Samuel Cassiba b547aaa80c Deprecated python-heatclient
- deleted client.rb
- deprecated python-heatclient references

Implements blueprint newton-xenial

Change-Id: I54d8190f77b7731dfb518871f080f62718cedc47
2016-12-14 20:06:29 -08:00
Christoph Albers f2c3db560e use_cookbook-openstackclient/identity_v3
- Now use cookbook-openstackclient to create endpoints role service and
  user
- added domain creation and access granting
- added values to work with identity_v3
- rewrote specs to work again
- updated readme

Change-Id: If5c3758c786b2d11cec6d64dc57530367acd2976
Depends-On: I0f8955f05de9b33711c54b9a198f45018cceb8e1
2016-09-30 11:59:53 +02:00
Jens Rosenboom 4e99faff68 Fix auth_uri in client_keystone section
In contrast to other identity URIs, the auth_uri in the client_keystone
section of heat.conf must be the unversioned identity endpoint,
otherwise most resources will not work.

Change-Id: I9888e0b69c3ba2a60e3ac7bb84261ace6688b9e3
2016-05-02 10:53:36 +02:00
Jan Klare f950ab4b40 update the README after refactoring and align it with other cookbooks
* also removed the empty default recipe

Change-Id: Iff2c536d595f90f932129ab8a2faad17ae41415b
2016-04-26 15:41:26 -05:00
Jens Rosenboom 5d70ac53fa Refactor using new style
* use new logic for heat.conf template
* move all attributes that are used in heat.conf to
  attributes/heat_conf.rb
* remove all attributes that are just setting default values
* add new default attributes so that the authorisation setup will be
  functional again
* refactored endpoint and bind_service logic to fit the new common
  cookbook
* adapt specs accordingly
* removed qpid as a messaging option (can be included in a wrapper)
* removed fedora as supported platform
* removed deprecated Gemfile
* removed logic for setting up a dedicated domain for Heat, should be
  done in a wrapper
* update README.md accordingly (still incomplete)

Implements: blueprint cookbook-refactoring
Change-Id: I16a29e28068d106f0edcbe04cb529aabbbed1ac5
2016-03-08 12:27:39 +01:00
Ethan Lynn 0170665c67 Make auth_uri attribute for ec2authtoken section
Make auth_uri attribute for ec2authtoken section

Closes-Bug: #1480818
Change-Id: I6b3018317e6c4890d193aee6f6b5e101d901e687
2015-08-04 12:57:02 +08:00
Mark Vanderwiel b5fac0e02b Replace deprecated get_secret
Use get_password 'token' instead.

Change-Id: I8a6a22751cfd3f262d44adaa7eb33ae0bcf9cffd
Partial-Bug: #1467662
2015-06-22 15:53:14 -05:00
Mark Vanderwiel 2a0e5aadb0 Allow auth_encryption_key to be configured
Change-Id: Ia3b00d0e93df7297a1391d9954048de146d03306
Closes-Bug: #1465926
2015-06-18 10:48:42 -05:00
Mark Vanderwiel e5627ca58b Cleanup minor rubocop offenses
Cleaned up all the minor rubocop issues, the ones left relate to
complex logic and what I think is a bug in rubocop for nested
vs compact modules/class definitions.

Change-Id: I75515d7b1faadb6de6377081fc7d5281a4c64c7d
2015-05-29 12:11:46 -05:00
Mark Vanderwiel 32fdf00cf1 Use identity_uri_transform for identiry_uri support
Remove deprecated keys and use identity_uri via the new transform
helper method.

Change-Id: I988a902d42942109047bcc69d4b02ec4ba66ae41
Implements: blueprint identity-uri
2015-04-07 06:12:57 +00:00
Jenkins 01e030abaa Merge "Use new "service" role instead of "admin"" 2015-04-06 15:25:26 +00:00
Mark Vanderwiel c8f98f0655 Use new "service" role instead of "admin"
Partial-Bug: #1436050

Change-Id: Ib2d20e95ad44a61f6d68ecd0726b9f29cc0bc595
2015-03-25 08:13:07 -05:00
Mark Vanderwiel ebd8c3a994 Remove api-paste.ini as it provided by package
Since we have no attribute overrides for api-paste.ini, no
need to have a template resource for it.  Until we need to
have some attribute, removing this will take away burden of
keeping in sync with base openstack code.

Change-Id: I4cb0aec2dc39c9b7f4c8096f24acc28399ae95a8
Closes-Bug: #1433152
2015-03-17 10:42:01 -05:00
Ken Thomas 89dd7aebdf Use identity-internal instead of public endpoint
The discussion on using identity-internval vs the public
identity-api endpoint can be found here:
https://groups.google.com/forum/#!topic/opscode-chef-openstack/an9rydsrC0k

Change-Id: Ibb937fa81aeaeba403775e78b76bdac348e05127
Partial-Bug: 1412919
2015-02-03 21:03:46 +00:00
Ken Thomas aab5d086d8 Use new common specific_endpoint routines
Now that admin_endpoint, public_endpoint, and internal_endpoint
in the common library are working, these are the changes to use
them in the openstack-orchestration recipes.

Partial-Bug: 1412919

Change-Id: Ib89150c12ea833137b5f96c8ac5443c8aac364b4
2015-02-02 14:28:18 +00:00
ZHU ZHU 866b5da6bd Add security arguments for command heat-keystone-setup-domain in the recipe
Recently commit https://review.openstack.org/#/c/131698/ have
added some security related attributes. Add them into the recipe.

This command could also work under default configurations.

Change-Id: I0aa806874dabe040a395e96ecb2a6f62f658a6ec
2014-11-12 03:04:45 -06:00
Mark Vanderwiel 0474c549e2 Create role and domain setup for heat template defined users
To setup heat for template defined users, several identity registration
steps need to happen.  The first is creating the role for it.
This can be done with the current identity registration provider.
The next three steps (doc in the code as todo) deal with the domain and
requires keystone v3 (bug-1267137). These are handled by a script shipped
with heat, heat-keystone-setup-domain.

Change-Id: I74154ccae609526ec92b916bac4ff8bc60aed170
Related-Bug: #1369654
2014-10-09 14:55:54 -05:00
Mark Vanderwiel 20c63bb66b Add attributes for role and domain info
Change-Id: I439a5f77325833e3e4e23778d453af4542fe64ef
Closes-bug: #1369654
2014-09-26 15:31:16 -05:00
leileiz eea627edda Update heat.conf permission
To avoid unauthorized users to read secrete information in
heat.conf, heat.conf should be set as 640 instead of 644.

Fix bug 1370870
Change-Id: I02756cea10113ca89ddeaa9232d04c75380756e8
2014-09-18 02:51:22 -04:00
Ionuț Arțăriși 744c309388 use new python_packages attributes from -common
*_python_packages attributes are being moved to -common in order to
remove the duplication from all the cookbooks which are using them

Change-Id: Ia0d26ef915dc27b8654d1ed0dec63b2ecef05743
Implements: blueprint move-python-db-client-attrs-to-common
2014-07-02 16:17:39 +02:00
Jenkins e67e8ad3dd Merge "Fix to configure separate endpoint and bind addresses" 2014-05-13 16:02:59 +00:00
Matt Thompson 3f57f8811c Run heat-manage as correct user/group
We need to explicitly run heat-manage with heat user/group.
Running as root may cause files in /var/log/heat/* to be owned by
root, and this will cause heat services from being able to start (due
to being unable to write to files in that directory).
This is a non-issue when you install from packages as the package
post-install typically does a heat-manage with the correct user, and
this ensures logs are created w/ correct ownership.

Change-Id: I6aede4f2b768cb191527ec27b0c8132c0582ebf2
2014-05-09 15:17:27 +01:00
Mark Vanderwiel 2524e4a8c1 Fix to configure separate endpoint and bind addresses
Allow separate endpoint and bind addresses for orchestration.
Update tests.

Change-Id: I216e7973b8114e85928cd69db326e2b52784a7c3
Closes-Bug: #1317646
2014-05-08 15:45:19 -05:00
Mark Vanderwiel c8fa8e1e6b Heat services need keystoneclient not keystone
The common recipe has been pulling in the entire
python-keystone package, which is the entire Keystone
set of services. This hasn't been necessary since
some time after Grizzly, when the tokenauth middleware
was moved to the client.

Change-Id: Ifb133d570e2ad94df822aa512edeb37aabdf349b
Related-Bug: #1305318
2014-05-02 11:11:22 -05:00
Jenkins 79015202cc Merge "Revert bug fix 1279577" 2014-04-29 14:02:19 +00:00
Darren Birkett 2863e67667 Allow binding locally to different IP than endpoint IP
Sometimes you want the actual endpoint IP to be a load
balanced IP, but the bind IP to be a local IP (different per node).

This change allows that by using attributes from the [orchestration-*-bind]
namespace

Implements blueprint increase-ip-binding-flexibility

Change-Id: I9ea0e1e61c23026bf24926b264e289ff80314ac2
2014-04-25 12:42:01 +01:00
Mark Vanderwiel 63914207bf Revert bug fix 1279577
https://review.openstack.org/73108
The original change does not work for the case where the api-cfn recipe
is included from within another recipe.
This revert does not cause any harm, it justs registers
api-cfn with identity unnecessarily.
The real solution is probably a refactoring of the common identity recipe.
Created blueprint identity-registration-cleanup for this future work.

Change-Id: I43646182a7465cdddd55b1f840764ba1b147451e
Closes-Bug: #1309123
2014-04-24 13:04:44 -05:00
Mark Vanderwiel 3839660292 Remove policy json file
Remove the policy.json template, as they contain no templated variables.
This would allow use of the policy.json files provided via the package,
and decrease the need to sync them with upstream

Change-Id: I2e4e3b5ed25b1449678e33dbd4ea45fcb6cac946
Implements: blueprint remove-policy-templates
2014-04-17 11:18:56 -05:00
Luis A. Garcia 646a833740 Use get_secret instead of secret
The new get_secret method allows the 'secrets' databag to be renamed,
just like all other databags.

Change-Id: Ic8be5d19a112d78e22716c0cd571efc7186ac9ce
Related-Bug: #1288784
2014-04-02 08:32:44 -07:00
ericzhou a2933a98f9 Use the library method auth_uri_transform.
Change-Id: I260ac1603a77ffe0390a5bd40aa98491f7e94f41
Imlements: blueprint move-keystone-authtoken-move-auth-uri-logic
2014-03-14 23:56:24 +08:00