Commit Graph

120 Commits

Author SHA1 Message Date
Ghanshyam Mann e06f50cb06 Retire Tripleo: remove repo content
TripleO project is retiring
- https://review.opendev.org/c/openstack/governance/+/905145

this commit removes the content of this project repo

Change-Id: I73df79a8698625815ea4e3099904da448a49887e
2024-02-24 11:42:30 -08:00
Zuul d649079ee7 Merge "Disable keystone domain creation by keystone::ldap_backend" 2022-10-26 18:24:42 +00:00
Rajesh Tailor c4890a2b00 Fix typos in parameter descriptions, comments and tests
Change-Id: I75b17e41aff3a63b618b6cada01f225f93a4ff4f
2022-09-17 11:34:15 +05:30
Cédric Jeanneret 0592be3ad6 Allow disabling puppet tasks to configure apache/vhost
The new parameter allows toggling the apache configuration management.
This will be useful once we get [1] so that we can migrate services to
the new configuration management one by one.

[1] https://review.opendev.org/c/openstack/tripleo-ansible/+/853481

Change-Id: Id1ddbae4946e5c428d0f21ef89e20a11665a370e
2022-09-05 15:14:01 +02:00
Takashi Kajinami 491d9b422f Disable keystone domain creation by keystone::ldap_backend
Change-Id: Id299aef6eb7209ea6a9c8897c0d8312603c479bd
2022-06-10 16:43:23 +09:00
Takashi Kajinami 7e6dd3050d Keystone: Replace hiera by lookup
The hiera function is deprecated and does not work with the latest
hieradata version 5. It should be replaced by the new lookup
function[1].

[1] https://puppet.com/docs/puppet/7/hiera_automatic.html

With the lookup function, we can define value type and merge behavior,
but these are kept default at this moment to limit scope of this change
to just simple replacement. Adding value type might be useful to make
sure the value is in expected type (especially when a boolean value is
expected), but we will revisit that later.

example:
lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>])

Change-Id: I48b647bf5c908c93bf1e297cf4a108050cbc2c81
2022-04-27 10:32:16 +09:00
Takashi Kajinami c127941d8f Format [oslo_cache] memcache_server when IPv6 is used
When Memcached uses an IPv6 network, python-memcached requires that each
server name is formatted as described in the following example.
 inet6:[<host>]:<port>

This change ensures the format is properly applied according to
the IP protocol version and cache backend used.

Note that the parameter in keystone was not properly formatted even
when IPs are used to set the parameter. This change fixes that and
ensures the parameter is properly configured.

Also, this change fixes the timing to apply any2array. The function
should be applied before we check the first memcache server by [0],
otherwise the logic to detect IPv6 address does not work as intended.

Closes-Bug: #1964824
Change-Id: I22f8fc7f59b4eeac10c3a274c36daeaa1861fd69
2022-03-15 12:15:41 +00:00
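The server-formatting rule described in the commit message above, as an added example (not code from puppet-tripleo or its tests): an IPv6 literal is rendered as `inet6:[<host>]:<port>` for python-memcached, and the input is normalised to a list before anything looks at its first element. The function names, the `INET6_PREFIX_BACKENDS` table (the commit only names python-memcached; which other backends need the prefix is an assumption here), the plain `[<host>]:<port>` form used for other backends, and the sample addresses are all assumptions made for this example.

```python
import ipaddress
from typing import Iterable, List, Union

# Backends that go through python-memcached and therefore need the
# "inet6:[<host>]:<port>" form. Assumption of this example: the commit
# only names python-memcached, not a full backend list.
INET6_PREFIX_BACKENDS = ("dogpile.cache.memcached",)


def any2array(value: Union[None, str, Iterable[str]]) -> List[str]:
    """Puppet any2array lookalike: undef -> [], scalar -> [scalar], list -> list.

    Hieradata often carries a single server as a plain string, so this must
    run before anything indexes the list.
    """
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def is_ipv6(host: str) -> bool:
    """True for an IPv6 literal; False for IPv4 literals and hostnames/FQDNs."""
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False


def format_memcache_server(host: str, port: int, backend: str) -> str:
    """Render one <host>:<port> entry in the syntax the backend's client expects."""
    if not is_ipv6(host):
        return f"{host}:{port}"
    if backend in INET6_PREFIX_BACKENDS:
        return f"inet6:[{host}]:{port}"
    # Other backends get the ordinary bracketed form (assumption of this example).
    return f"[{host}]:{port}"


def memcache_servers(servers, port: int = 11211,
                     backend: str = "dogpile.cache.memcached") -> str:
    """Build the comma-separated value for [cache]/memcache_servers.

    The list normalisation happens before the IPv6 check. Indexing
    servers[0] on a plain string would inspect its first character, so the
    IPv6 detection would silently fail; that is the ordering problem the
    commit message describes.
    """
    hosts = any2array(servers)
    return ",".join(format_memcache_server(h, port, backend) for h in hosts)


if __name__ == "__main__":
    # Constructed sample inputs; not taken from a real deployment.
    print(memcache_servers("fd00:1::10"))
    print(memcache_servers(["fd00:1::10", "fd00:1::11"], 11211,
                           "dogpile.cache.pymemcache"))
    print(memcache_servers(["172.16.2.10", "ctrl-0.internalapi.example"], 11212))
```

A single string, a list, and an undefined value all pass through `any2array` first, so a one-node hieradata entry such as `memcached_node_ips: "fd00:1::10"` is handled the same way as a multi-node list; hostnames and IPv4 literals are left unbracketed.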
Takashi Kajinami 42a8771fcf Remove unused parameters
These parameters were used before we introduced tripleo-ansible roles
to manage keystone resources.

Change-Id: Ib23ceb4c15cc4f430bfd037f72c119c50fce7203
2022-03-03 22:11:52 +09:00
Takashi Kajinami 7b3a8cd891 Include db classes explicitly
Since database parameters in the base classes were deprecated, it is
likely that db classes are no longer included automatically in a future
release. Let's ensure that the db classes are included so that
database parameters are always set.

Change-Id: I2a28cd1b7a92776b711eb784db3c4a486dcf6a85
2021-07-26 10:13:30 +09:00
Zuul a14513292f Merge "Set memcached server list from memcached_node_names" 2021-07-20 16:39:12 +00:00
Grzegorz Grasza 49921d57f5 Set memcached server list from memcached_node_names
This follows other clustered services (like RabbitMQ) and
uses *_node_names (which contain FQDNs), instead of *_node_ips.

Certificate for Memcached TLS is also created using FQDN.
Because of this, validation failed when using pymemcache.
This patch fixes this issue.

Closes-Bug: #1929574
Change-Id: I9d0ddcc88098a5b891829192f1ce656842d0aa15
2021-07-13 11:31:34 +09:00
Takashi Kajinami 46024cd5bf haproxy: Use healthcheck middleware to monitor service availability
This change makes haproxy monitor service availability by sending
an HTTP request that is answered by the healthcheck middleware, to ensure
that the backend api can respond to requests.

Change-Id: Idbfe6a8e110ec24d9fe64e43d82772bb05fa00ba
2021-06-03 00:58:07 +09:00
Takashi Kajinami 91629ff680 Remove parameters to manage keystone resources and volume type
These parameters are always set to False since we implemented
management of keystone resources and default volume type in tht.

Change-Id: Ib53c6c10ba737b0504f30e7260cace6d18c2f033
2021-01-14 08:09:42 +09:00
Grzegorz Grasza f460e659ba Add ability to specify memcached port
The port defaults to hiera('memcached_authtoken_port', 11211)
for authtoken middleware and hiera('memcached_port', 11211)
for other uses. Different ports might be set for security
and performance tuning.

Change-Id: I567d6b2cd66d5eb98971cd54987c1fbea3c1da78
2021-01-05 16:32:30 +01:00
Tobias Urdin e644fef49c Use keystone::cache
This patch includes and starts using the
keystone::cache class explicitly.

The other parameters will be removed in [1].

[1] https://review.opendev.org/#/c/746643/

Change-Id: I6c0e8d33538edc1d521e38f028ff2772614feb99
2020-08-18 13:18:46 +02:00
Zuul 17354e25af Merge "Remove support for token_flush cron job" 2020-07-21 02:52:48 +00:00
Zuul 207c5ef9c5 Merge "Add support for trust_flush cron job in keystone" 2020-07-21 02:52:47 +00:00
Takashi Kajinami a37229ff98 Remove support for token_flush cron job
The token_flush cron job is no longer required, because now tripleo uses
fernet tokens, which are not persisted in the database.

Change-Id: I8ad037cf59a5216c0d799be8bd499b7fb2d811c9
2020-07-06 09:34:37 +09:00
Takashi Kajinami 4e8a393330 Add support for trust_flush cron job in keystone
This patch introduces a cron job configuration to purge expired or
soft-deleted trusts from the keystone database.

Depends-on: https://review.opendev.org/#/c/739378/
Change-Id: Ic140f8466e5f561b2936e7e4b29fdd8393cea01c
2020-07-06 09:34:04 +09:00
Takashi Kajinami 344c4b5c4f Remove deprecated keystone::enable_bootstrap
This patch removes usage of the keystone::enable_bootstrap parameter,
because it has been deprecated[1] and has no effect now.

Note that we currently implement bootstrap process in t-h-t, thus
we don't need to include keystone::bootstrap in puppet-tripleo.

[1] bc1ff1d7cb01ac02790c3302a3da6e994598d9f6

Change-Id: I9e29f774afe26c56f0091aa28ef5517f26fe1e4b
2020-06-29 15:36:20 +09:00
Takashi Kajinami e2ea1206c8 Accept missing memcached_node_ips
Currently when Memcached is disabled in the deployment, puppet-tripleo
fails because some manifests expect that memcached_node_ips is defined
in hieradata.

This patch ensures that we define the default value ([]) for
memcached_node_ips, so that puppet-tripleo doesn't fail even if
the parameter doesn't appear in hieradata.

Change-Id: I6d3e32f7f8f0751bdfbd0b6f2e79c5d85e1af284
2020-05-02 15:51:17 +00:00
Takashi Kajinami b7ec567884 Do not set cache parameter for openidc
... because now the parameter is defined in tht.

Depends-on: https://review.opendev.org/#/c/724870/
Change-Id: I19dc7e041a3c5afff348e897150c61f1c0d70969
2020-05-02 00:24:45 +09:00
Alexey Stupnikov da9b1a3ecb Hardcode openidc_cache_type parameter for keystone federation with OpenIdc
By default OpenIdc uses shared memory caching mode, which will
not work for multiple controller nodes. puppet-tripleo is already
configured to calculate memcached servers for OpenIdc, but for
some reason doesn't set "openidc_cache_type" to "memcache", so
shm is used.

There are a number of options available for "openidc_cache_type",
but memcache is the only one that will currently work for multiple
controllers:

- shm and file are stored locally on every node;
- redis requires mod_auth_openidc to be compiled with redis
  support, but it is not generally the case.

To avoid providing the illusion of freedom of choice, it would
be right to hardcode this in puppet-tripleo.

Closes-Bug: #1873239
rhbz: #1824506

Change-Id: I7cbc462b2ff99b7b0d3ff58fda1b52ccf85fc86d
2020-04-16 12:26:42 +02:00
Alex Schultz a566d6b9b8 Add check for bootstrap_node for downcase
Downcase in puppet 6.14 throws an error if the input to it is Undef. We
can avoid this by checking for a value before trying to downcase.

See context https://review.rdoproject.org/r/#/c/26297/

Change-Id: Ib2e97060523a4198a14949a15c9171b56928699c
2020-04-07 14:51:41 -06:00
Takashi Kajinami c570d18f93 Automatically set memcache_servers for keystone cache
... so that operators can enable keystone caching with memcache
easily.

Change-Id: Ie1ff8e774e3a2115ca7b19a2183c43d3c15849d6
2020-04-04 09:49:51 +09:00
Emilien Macchi c914a4edb3 keystone: remove the keystone resource management
It's now done by Ansible, we don't need this code anymore.

Depends-On: I96a3351fca26cd8bb122a86cb4c3a58d5f88573e
Change-Id: I3fa4448fc81935d4df61f873a73d3fffc6f9e3bb
2020-01-07 23:39:57 +00:00
Tobias Urdin 1523a4b804 Convert all class usage to relative names
Change-Id: Ib2ed745b682cf12f9469a5a64451adcabec400af
2019-12-08 23:23:25 +01:00
Emilien Macchi 03eedf0bff keystone: add a new parameter 'keystone_resources_managed'
keystone_resources_managed, defaulting to
hiera('keystone_resources_managed', true) for backward compatibility,
allows disabling Puppet management of the keystone resources, like
endpoints, roles, services, projects and users, and using Ansible instead.

Change-Id: If4b275d3caf6098e7774d938ab89333396fbc15d
2019-12-06 18:30:23 +00:00
Zuul 5f1b0010f4 Merge "Revert "Add support to configure token caching in keystone"" 2019-10-16 05:42:02 +00:00
yatin 63dd90aacc Revert "Add support to configure token caching in keystone"
Changing cache/enabled=False by default has dropped performance.
keystone local cache also got disabled with this.

This reverts commit 469d432195.
Depends-On: https://review.opendev.org/#/c/688770/
Closes-Bug: #1847585
Change-Id: I2af70755746f3fc3eb10eba2188ad2772704d988
2019-10-15 17:53:40 +00:00
Zuul 06e901c215 Merge "Remove Tacker service" 2019-10-10 22:59:40 +00:00
Takashi Kajinami 469d432195 Add support to configure token caching in keystone
Add support to configure token caching in keystone[1] using
memcached, so that we can improve the performance of token
validation.

[1] https://docs.openstack.org/keystone/latest/admin/configuration.html#caching-layer

Change-Id: I351eb64ff1df652b0a284d8cd3d835cec58a310f
2019-09-21 09:24:38 +09:00
Takashi Kajinami f907b0ec26 Disable keystone token_flush by default
We don't need the token_flush job for keystone now as we use fernet
tokens, which do not need to be persisted in the database.

Change-Id: I164b42d292481530b024ed9f329dd9bfa11aceaf
2019-09-19 08:31:23 +09:00
Alex Schultz 4fa490f03f Remove Tacker service
Cleaning up the puppet tacker code since we're removing the service
definitions.

Change-Id: Iee2e75c1afd836b08132823ffe26cccdd6ef0002
Depends-On: https://review.opendev.org/#/c/682463/
Related-Bug: #1714270
2019-09-16 13:13:34 -06:00
Harry Rybacki 970462b562 Ensure Barbican required roles are created by Keystone
Presently there are several roles: audit, observer, and key-manager:
service-admin that are used in Barbican policy but not generated
by Keystone during a TripleO Deployment.

This change updates Keystone's manifest to include creation of these
missing roles when the Barbican API is included as part of a
deployment.

Change-Id: I6d5d0a37abeb54600bb70e22fabde9479320ab81
2019-08-15 17:52:26 +00:00
Nathan Kinder d585e8a17d Don't require memcached_node_ips when deploying keystone
The keystone module always expects memcached_node_ips to be defined
in hieradata, the value of which is used to configure mod_auth_openidc
when OpenID Connect is enabled for federation.  In some cases, such as
when using a trimmed down custom Controller role for development purposes,
memcached may not even be deployed.  This will result in memcached_node_ips
not being set, which causes a deployment failure.

This patch defaults memcached_ips to an empty list, which allows a
deployment of keystone to succeed even when memcached is not being
deployed.

Change-Id: If44b6d11f8c41c96bd823c3e38bacdc08034986d
2019-06-03 15:27:55 +02:00
Alex Schultz 710c617367 Remove deprecated admin ssl options
The ssl_cert_admin and ssl_key_admin are being removed from
puppet-keystone so we need to stop using them in puppet-tripleo.

Change-Id: Ibe97accb22820d02abfa076515967336da4c8800
Needed-By: https://review.opendev.org/#/c/658382/
2019-05-16 08:07:23 -06:00
Zuul 2b448c10b3 Merge "nova: Remove profile::base::nova::placement" 2019-04-27 01:22:22 +00:00
Zuul e0677e0b1a Merge "Use validate_legacy" 2019-04-26 03:21:54 +00:00
Lee Yarwood 953b4c3633 nova: Remove profile::base::nova::placement
Depends-On: https://review.openstack.org/#/c/635141/
Change-Id: I523dcbe4559fce067d815a3972df3a909ed87b2e
2019-04-23 13:58:33 +00:00
Lee Yarwood 3af5c2f267 placement: Initial extraction of the Placement service from Nova
This initial change duplicates the existing Nova Placement parameters
and classes with extracted versions to avoid disrupting CI during the
switch.

Change-Id: Ieb5b6586bfcdcf4fe5aef7338ee17f7c9e55b607
2019-03-27 13:10:06 +01:00
Zuul c9d107c368 Merge "pass list of memcache servers to keystone::federation::openidc" 2019-03-19 20:38:05 +00:00
Emilien Macchi 00818969cf Remove Congress
Depends-On: Idca6b12f1c0ca3bc15bedf6469d4063a4dac31fa
Change-Id: I2489581b040f4798aad752b50cfd1a53b4c3d4fd
2019-03-13 23:59:06 +00:00
Tobias Urdin a07db29002 Use validate_legacy
This changes all the puppet 3 validate_* functions
to use the validate_legacy function.

The validate_legacy function has been available for
about three years but requires Puppet >= 4.4.0 and since
the latest Puppet 4 release is 4.10.12 we should assume people
are running a fairly new Puppet 4 version.

This is the first step to then remove all validate function
calls and use proper types for parameter as described in spec [1].

[1] https://review.openstack.org/#/c/568929/

Change-Id: Iee8c082b5e4dcb7b035faa56a2182718947ad495
2019-02-25 22:51:07 +01:00
Juan Antonio Osorio Robles dfd408a73d Create barbican's creator role by default
Barbican has a very specific set of keystone roles that it uses in order
to properly enforce RBAC. One of them (and the most important) is the
creator role. Which you'll assign to your users in order to allow them
to create and retrieve secrets (the other role that can do this is
admin... but we don't want to rely on this).

For usability, let's create this role automatically as part of the
TripleO installation.

Closes-Bug: #1812209
Change-Id: I9d5f912684a0987a6bdf244321215bd5595a0fa0
2019-01-17 17:38:41 +02:00
Lars Kellogg-Stedman a2efd3cbd1 pass list of memcache servers to keystone::federation::openidc
Change-Id: I58e364a3a6c0ebc7bc57ff5821ccdb882324ff81
Depends-on: I9ff976854b93cdf9ca3175d1fd39c2b268b9f7fa
2018-12-18 17:09:14 -05:00
Alex Schultz 3ec92d3efc Add explicit logging class inclusion
These have been dropped from some of the puppet classes by default. We
still need to include them so our debug logging works.

Change-Id: I4e65219d9669fdd16b2663b7239354330ffbae38
2018-12-17 14:49:44 -07:00
Lars Kellogg-Stedman 4413b2c3e2 Enable support for openidc federation in keystone
This enables the support for OpenIDC federation in
keystone::federation::openidc.

Change-Id: Id2ef3558a359883bf3182f50d6a082b1789a900a
2018-12-09 10:27:13 -05:00
Sofer Athlan-Guyot 00524bfb7f Make sure that the _member_ role is assigned to admin.
When we switch to not using instack_undercloud, we missed the role
assignment that was done in there.

By simply adding it to the puppet role we get it back.

Change-Id: I074d2878ee9cfc6061d68ecd989832c636c065ec
Closes-Bug: #1799177
2018-11-05 20:39:42 +00:00
Steven Hardy 9cde9139c4 Replace bootstrap_nodeid with SERVICE_short_bootstrap_node_name
This solves the problem that bootstrap_nodeid, which is set to the
first node in each role via t-h-t, can potentially match more than
one node - e.g. in the event that a service is deployed such that it
spans more than one role.

The SERVICE_short_bootstrap_node_name is automatically generated
based on the composable service template service_name, and this
considers all roles where the service is enabled, e.g. it should
only evaluate true once regardless of the roles where the service
is enabled.

Change-Id: I48ec4549552910f3cb8db960b0ff10a6c61b4bb9
Partial-Bug: #1792613
2018-10-12 10:14:48 +00:00