- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
cookbooks
- Update documentation
- Cleanup line wraps
- Enable sensitive resources for the template[/etc/heat/heat.conf] to
resources improve security.
- Update delivery configuration to exclude integration cookbooks
- Fix ChefSpec output.
- Add missing ChefSpec tests
- Switch package installations to send packages as arrays instead of individual
package resources. This generally speeds up chef runs.
- Cleanup array syntax using %w() instead of []
Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706151
Depends-On: https://review.opendev.org/706157
Depends-On: https://review.opendev.org/708059
Depends-On: https://review.opendev.org/713285
Change-Id: Ifb3a9de9eecc370e46f43a73ed77008a7b21594b
I noticed this was missing during some upgrade testing when I noticed the heat
services didn't start back up after shutting them down for the upgrade and
running chef. I'm not sure why this was set to enable only.
Change-Id: I8048270047767bda7414b2baee176f7bc9ab7a8b
Signed-off-by: Lance Albertson <lance@osuosl.org>
This provides a collection of fixes required to converge properly:
- fog-openstack-1.x already appends "auth/tokens" so we no longer need
to do that
- Remove references to deprecated
node['openstack']['api']['auth']['version'] attribute
- Remove creation of admin deprecated endpoints
- Add python-heat to common packages on Debian system so that the
heat-manage binary is available
- Remove and refactor use of deprecated identity_uri_transform function
Change-Id: Idfd9aed09ccd5c3871cac71dbe0b51c921f1ec0e
Signed-off-by: Lance Albertson <lance@osuosl.org>
Starting with Queens, upstream has moved the Orchestration (heat)
dashboard from the main dashboard package into a separate package.
backport: queens
Change-Id: Ifb2018623bd4df250c2d3d8c5a7473f6cff94fe8
This patch grants heat_domain_admin the admin role in the heat domain
(rather then in the service project).
We use :grant_domain instead of :grant_role, because we are setting a
role in a domain, not in a project.
Note that for the user to actually exist in the heat domain, a
sufficiently recent openstackclient cookbook is required -- otherwise
the domain_name attribute is ignored during user creation.
Also, we remove the user_name attribute (gets ignored by resource
action).
Change-Id: I747e2dedbc517cc3deb2675590fb982459c560a0
This patch removes the openstack_user resource with :grant_domain
action. A user is always created within a specific domain; such a
membership cannot be tacked on later. This resource gave the heat user
the role intended for its project for the domain (i.e., for the Default
domain instead of for the service project).
We add the domain_name attribute that creates the heat user in the
desired domain. Note that this change needs a sufficiently recent
openstackclient cookbook -- otherwise the domain_name attribute is
ignored (which does not matter as long as the heat user is to be created
in the Default domain).
Change-Id: Ifa3d344a3d9094dd1272b126a4dc9ab951c00972
This patch removes the role_name when using openstack_user's :create
action (it gets ignored by the target method).
Note that the spec test would still pass if only the line in
identity_registration.rb (but not the test) were changed, because the
code that actually does grant the role to the resource is executed right
after user creation and before any tests check the resource for the
existence of the role_name attribute. In other words: if the argument
were required in a call but only supplied in another call, the spec
tests would not catch it. Something to watch out for.
Change-Id: Ic45dd42453d9f8ae2a8c4d04f830cff67740cac6
This patch removes duplicate resources from identity_registration.
Identical definitions can be found in the same file.
Change-Id: Ibabac07a86154829a1eb2a5deccc70bf50030c45
- currently non-admin user aren't able to create stacks with i.e.
Resource OS::Heat::SoftwareDeployment
- added heat domain
heat domain_admin
heat_stack_owner and user role
- added missing configuration options
- fixed some smaller ruby /cookstyle offenses
Change-Id: I6ae544dcc6260050304e66e227383e0e944a6bb6
- Switched default linter to cookstyle
- Renamed rake tasks to better conform with Chef conventions
- Normalized template banner
Change-Id: Icc3eca4b2d17a6d1ef66c1c7e75513de0ee3cac9
- Now use cookbook-openstackclient to create endpoints role service and
user
- added domain creation and access granting
- added values to work with identity_v3
- rewrote specs to work again
- updated readme
Change-Id: If5c3758c786b2d11cec6d64dc57530367acd2976
Depends-On: I0f8955f05de9b33711c54b9a198f45018cceb8e1
In contrast to other identity URIs, the auth_uri in the client_keystone
section of heat.conf must be the unversioned identity endpoint,
otherwise most resources will not work.
Change-Id: I9888e0b69c3ba2a60e3ac7bb84261ace6688b9e3
* use new logic for heat.conf template
* move all attributes that are used in heat.conf to
attributes/heat_conf.rb
* remove all attributes that are just setting default values
* add new default attributes so that the authorisation setup will be
functional again
* refactored endpoint and bind_service logic to fit the new common
cookbook
* adapt specs accordingly
* removed qpid as a messaging option (can be included in a wrapper)
* removed fedora as supported platform
* removed deprecated Gemfile
* removed logic for setting up a dedicated domain for Heat, should be
done in a wrapper
* update README.md accordingly (still incomplete)
Implements: blueprint cookbook-refactoring
Change-Id: I16a29e28068d106f0edcbe04cb529aabbbed1ac5
Cleaned up all the minor rubocop issues, the ones left relate to
complex logic and what I think is a bug in rubocop for nested
vs compact modules/class definitions.
Change-Id: I75515d7b1faadb6de6377081fc7d5281a4c64c7d
Remove deprecated keys and use identity_uri via the new transform
helper method.
Change-Id: I988a902d42942109047bcc69d4b02ec4ba66ae41
Implements: blueprint identity-uri
Since we have no attribute overrides for api-paste.ini, no
need to have a template resource for it. Until we need to
have some attribute, removing this will take away burden of
keeping in sync with base openstack code.
Change-Id: I4cb0aec2dc39c9b7f4c8096f24acc28399ae95a8
Closes-Bug: #1433152
Now that admin_endpoint, public_endpoint, and internal_endpoint
in the common library are working, these are the changes to use
them in the openstack-orchestration recipes.
Partial-Bug: 1412919
Change-Id: Ib89150c12ea833137b5f96c8ac5443c8aac364b4
Recently commit https://review.openstack.org/#/c/131698/ have
added some security related attributes. Add them into the recipe.
This command could also work under default configurations.
Change-Id: I0aa806874dabe040a395e96ecb2a6f62f658a6ec
To setup heat for template defined users, several identity registration
steps need to happen. The first is creating the role for it.
This can be done with the current identity registration provider.
The next three steps (doc in the code as todo) deal with the domain and
requires keystone v3 (bug-1267137). These are handled by a script shipped
with heat, heat-keystone-setup-domain.
Change-Id: I74154ccae609526ec92b916bac4ff8bc60aed170
Related-Bug: #1369654
To avoid unauthorized users to read secrete information in
heat.conf, heat.conf should be set as 640 instead of 644.
Fix bug 1370870
Change-Id: I02756cea10113ca89ddeaa9232d04c75380756e8
*_python_packages attributes are being moved to -common in order to
remove the duplication from all the cookbooks which are using them
Change-Id: Ia0d26ef915dc27b8654d1ed0dec63b2ecef05743
Implements: blueprint move-python-db-client-attrs-to-common
We need to explicitly run heat-manage with heat user/group.
Running as root may cause files in /var/log/heat/* to be owned by
root, and this will cause heat services from being able to start (due
to being unable to write to files in that directory).
This is a non-issue when you install from packages as the package
post-install typically does a heat-manage with the correct user, and
this ensures logs are created w/ correct ownership.
Change-Id: I6aede4f2b768cb191527ec27b0c8132c0582ebf2
The common recipe has been pulling in the entire
python-keystone package, which is the entire Keystone
set of services. This hasn't been necessary since
some time after Grizzly, when the tokenauth middleware
was moved to the client.
Change-Id: Ifb133d570e2ad94df822aa512edeb37aabdf349b
Related-Bug: #1305318
Sometimes you want the actual endpoint IP to be a load
balanced IP, but the bind IP to be a local IP (different per node).
This change allows that by using attributes from the [orchestration-*-bind]
namespace
Implements blueprint increase-ip-binding-flexibility
Change-Id: I9ea0e1e61c23026bf24926b264e289ff80314ac2
https://review.openstack.org/73108
The original change does not work for the case where the api-cfn recipe
is included from within another recipe.
This revert does not cause any harm, it justs registers
api-cfn with identity unnecessarily.
The real solution is probably a refactoring of the common identity recipe.
Created blueprint identity-registration-cleanup for this future work.
Change-Id: I43646182a7465cdddd55b1f840764ba1b147451e
Closes-Bug: #1309123
Remove the policy.json template, as they contain no templated variables.
This would allow use of the policy.json files provided via the package,
and decrease the need to sync them with upstream
Change-Id: I2e4e3b5ed25b1449678e33dbd4ea45fcb6cac946
Implements: blueprint remove-policy-templates
The new get_secret method allows the 'secrets' databag to be renamed,
just like all other databags.
Change-Id: Ic8be5d19a112d78e22716c0cd571efc7186ac9ce
Related-Bug: #1288784