... because it was deprecated a few cycles ago[1].
This also removes the hard-coded default of [catalog] driver because
the value currently hard-coded is the same as the service default.
[1] cd9f931c45
Change-Id: Ifeadb331d118e2c6e61048b6ace6d6b3d8afcf3e
The python-keystoneclient package removed the CLI long ago so installing
the package is now useless. It provides only library implementations
and should be installed by package dependencies.
Change-Id: I46b09092847eeb821f97172e1a912ad8a1b8a2e3
This change fixes the missing logic to ensure the standalone keystone
service is stopped when httpd + mod_wsgi is used to run the keystone
service.
Change-Id: I3ae6b9192c3c3d15fbf25be5d276efbcf2e9639b
By default, the file resource shows differences when the file changes.
This change disables that for the key files so that key contents are
not displayed in output.
Closes-Bug: #1979672
Change-Id: Ic0398cfbb14782ce16710a838e5428be50f2a0b3
... because these were already removed from Keystone during Newton
cycle[1].
Note some parameters like [ssl] enabled were earlier migrated to
the [eventlet_server_ssl] section[2] but later removed during Newton by
a different patch[3].
[1] 20b851b240bc74694737a9a2e8f58816882b59ae
[2] 2ed506995850ff5b60cac0be858d65375d15bf4b
[3] ac039414ce997cfcafa09efa9e089e09c3058b70
Closes-Bug: #1967717
Change-Id: I74fe1bce563ff084ebe43425c3f6ffe51b321014
... because the parameter is almost a duplicate of catalog_driver which
more "natively" corresponds to the keystone parameter.
Change-Id: Id80495a191e3cd05507f732335b33b9a493c6d10
... instead of the service command which is deprecated. The systemctl
command is now hard-coded because all OS versions we currently support
now use the systemd provider to manage services.
Change-Id: I6a15b93c3fe07ed2d9c05490a490ab4a20e4727f
Closes-Bug: #1957023
Credential setup should have been enabled by default when
the credential feature in keystone became available in UCA but we
missed updating the parameter default.
This change updates the parameter because the credential parameter is
available in UCA as well.
Change-Id: I56bcc20d69110f25645c13230036341a9c5c519b
... because these parameters were already removed from keystone by [1].
[1] c838d93c35fdacae5f5bd77a55c62978b8a0b138
Change-Id: Ib7642c957d51c59606ba033b86a6f989c034459e
When public_endpoint is set but different urls are used for endpoints
(especially for admin endpoint and public endpoint), it can cause
problems with self-url detection in keystone because it always assumes
that the url should be directed to that public_endpoint even when
a request comes from admin endpoint.
This patch makes public_endpoint unset by default to avoid issues in
the deployment where admin endpoint and public endpoint are still
separated.
Related-bug: #1889017
Change-Id: Ia43e9dcd8085bbb0954b64873504398a85771032
The bootstrap command will fail if the fernet keys
have not been created/generated or it will fail.
See this output [1].
[1] http://paste.openstack.org/show/794949/
Change-Id: I560438a9bd402feba425656ba5213a087ab9e663
Because the value for oslo_messaging_notifications/driver is now
a list[1], we should expect that a list is set when multiple drivers
are given.
[1] c7b0cc82fac79b47c3dd9a625cbd5a1eb192ed00
Change-Id: I7f8c3c9ab72e7962e96464842b45f5b7946ea439
Add the new class keystone::cache to manage all configurations for
cache, so that we can reduce the complexity of init.pp .
Change-Id: I0062829d05697ad2159e21458dfb8826853693e1
This converts some more testing to rspec-puppet-facts
so there are only these three missing now until done:
* keystone_init_spec.rb
* keystone_federation_identity_provider_spec.rb
* keystone_ldap_spec.rb
Also does cleanup of some formatting for documentation
and testing specs.
Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
This class combines the keystone-manage bootstrap command
from init, the keystone::endpoint functionality that manages
the keystone endpoints and the keystone::roles::admin class
that manages users and projects.
This is one of the steps to make sure we only have a single
point of entry for bootstrapping (keystone-manage bootstrap)
and then only managing resources after that.
This is especially required since we are getting rid of the
admin token and cannot manage resources before keystone-manage
bootstrap has created the user, project, service and endpoints
for us.
These resources should always be in the default domain and
deployments should manage domain specific configuration themselves
using the provider resources.
This class uses the default values from the keystone-manage
bootstrap command.
In the past puppet-keystone has always created an openstack project
that is assumed as an admin project even though the bootstrap command
creates the admin project. Since this uses the default values from
the bootstrap command we should move away from having an openstack
project, if we need that in testing it should be created there and
not in the default deployment.
Depends-On: https://review.opendev.org/#/c/698528/
Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
This patch removes the validation in the keystone::service
class. This functionality should be replaced by using
something like the healthcheck module [1].
In the future somebody might want to implement a
keystone_validator provider that does a proper keystone
check but the http_conn_validator should be sufficient enough.
[1] https://github.com/voxpupuli/puppet-healthcheck
Change-Id: Ia20cf42ec23cdbfa1a499b3c5fcece1e5bbb8c22
Remove public_bind_host and public_port configured under eventlet
section as they were already deprecated.
Set public_endpoint from public_bind_host and public_port so that
this information can be referred to by provider code to get endpoint
even if public_endpoint isn't explicitly given.
Change-Id: Ic38e41b31155a7d3a4f1f5fc606421dd525c1025
The usage of eventlet server in keystone was already deprecated,
so we should deprecate parameters related to the feature.
Notes:
- public_bind_host and public_port still remain as valid parameters,
to wait until users migrate to public_endpoint, which should be
used instead.
- admin_endpoint does not affect keystone configuration, but it is
not yet deprecated as it is still used when validate_service is True.
Change-Id: Ibc8023caf8ad4ee16ebc08a943bdcc9f188c73c1
This patch migrates configuration options related to eventlet server
from DEFAULT section to eventlet_server, as the ones in DEFAULT
section were deprecated[1].
[1] I6dd718c4d54056d0e29978f393ec45f7291f802d
Change-Id: I1a726c706f509f2a2be68098cda8431cddc0fe92
oslo.messaging RabbitMQ driver now has a new option that allows users to
run the RabbitMQ heartbeat over a native python thread.
This change allows users to use this new option.
Change-Id: If5cb4855e20fe9553b4a4a0d787918923a4334ba
Closes-Bug: #1840868
So that we can increase it from the default 114688
Useful in case for example the OS-Federation mapping is too large.
If this limit is breached keystone will return a 413 Entity Too Large
and not log anything to keystone.log.
Closes-Bug: #1835161
Change-Id: If9fc5c0bb5d6216b8656ee1673e1812c543de305
Signed-off-by: Johan Guldmyr <johan.guldmyr@csc.fi>
We were checking for the value of a database setting which is now
managed via puppet-oslo in the keystone init class. We should not be
checking the values set by another class in the unit tests. This change
updates the unit tests to just make sure we're including the
keystone::db class rather than the values configured by it.
Change-Id: I0a1b1adec24ba528b623ad0b17e5bba16e0b279a
This changes all the puppet 3 validate_* functions
to use the validate_legacy function.
The validate_legacy function has been available for
about three years but requires Puppet >= 4.4.0 and since
there is Puppet 4.10.12 as latest we should assume people
are running a fairly new Puppet 4 version.
This is the first step to then remove all validate function
calls and use proper types for parameter as described in spec [1].
[1] https://review.openstack.org/#/c/568929/
Depends-On: https://review.openstack.org/#/c/639215/
Change-Id: Idd720f18893bea0ec1d26859e0a6907a5daa8980
This config option in Keystone was deprecated for
removal since the Pike release and was removed in
the Rocky release.
We used this value to determine if the appropriate
memcache package was required which is causing issues
when puppet-oslo with manage_memcache_package is set to true
(default value is true).
This deprecates this parameter and removes the memcache
package installation logic which is superseded by the
oslo::cache class since Rocky release.
Depends-On: https://review.openstack.org/#/c/632962/
Change-Id: I95a5982097529f119d99f0e7c77ac53d62da5733