diff --git a/.delivery/project.toml b/.delivery/project.toml
deleted file mode 100644
index 4066e55..0000000
--- a/.delivery/project.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[local_phases]
-unit = 'rspec spec/'
-lint = 'cookstyle --display-cop-names --extra-details'
-syntax = "berks install -e integration"
-provision = "echo skipping"
-deploy = "echo skipping"
-smoke = "echo skipping"
-functional = "echo skipping"
-cleanup = "echo skipping"
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 5a29577..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,9 +0,0 @@
-.bundle/
-berks-cookbooks/
-.kitchen/
-.vagrant/
-.coverage/
-*.swp
-Berksfile.lock
-Gemfile.lock
-Vagrantfile
diff --git a/.rubocop.yml b/.rubocop.yml
deleted file mode 100644
index 389f270..0000000
--- a/.rubocop.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-Chef/Modernize/FoodcriticComments:
- Enabled: true
-Chef/Style/CopyrightCommentFormat:
- Enabled: true
diff --git a/.zuul.yaml b/.zuul.yaml
deleted file mode 100644
index f578684..0000000
--- a/.zuul.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-- project:
- templates:
- - openstack-chef-jobs
diff --git a/Berksfile b/Berksfile
deleted file mode 100644
index 98e72f9..0000000
--- a/Berksfile
+++ /dev/null
@@ -1,22 +0,0 @@
-source 'https://supermarket.chef.io'
-
-solver :ruby, :required
-
-metadata
-
-[
- %w(client dep),
- %w(-common dep),
- %w(-dns integration),
- %w(-image integration),
- %w(-integration-test integration),
- %w(-network integration),
- %w(-ops-database integration),
- %w(-ops-messaging integration),
-].each do |cookbook, group|
- if Dir.exist?("../cookbook-openstack#{cookbook}")
- cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}", group: group
- else
- cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}", group: group
- end
-end
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
deleted file mode 100644
index bb03231..0000000
--- a/CONTRIBUTING.md
+++ /dev/null
@@ -1,36 +0,0 @@ -Contributing -============ - -How To Get Started ------------------- - -If you would like to contribute to the development of OpenStack Chef Cookbooks, -you must follow the steps in this page: - - http://docs.openstack.org/infra/manual/developers.html - -Gerrit Workflow ---------------- - -Once those steps have been completed, changes to OpenStack -should be submitted for review via the Gerrit tool, following -the workflow documented at: - - http://docs.openstack.org/infra/manual/developers.html#development-workflow - -Pull requests submitted through GitHub will be ignored. - -Bugs ----- - -Bugs should be filed on Launchpad, not GitHub: - - https://bugs.launchpad.net/openstack-chef - -Contacts --------- - -Mailing list: groups.google.com/group/opscode-chef-openstack -IRC: #openstack-chef is our channel on irc.oftc.net -Wiki: https://wiki.openstack.org/wiki/Chef/GettingStarted and https://docs.getchef.com/openstack.html -Twitter: @chefopenstack diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 68c771a..0000000 --- a/LICENSE +++ /dev/null 
@@ -1,176 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - 
diff --git a/README.rst b/README.rst index 4367a41..4ee2c5f 100644 --- a/README.rst +++ b/README.rst 
@@ -1,169 +1,10 @@ -OpenStack Chef Cookbook - identity -================================== +This project is no longer maintained. -.. image:: https://governance.openstack.org/badges/cookbook-openstack-identity.svg - :target: https://governance.openstack.org/reference/tags/index.html +The contents of this repository are still available in the Git +source code management system. To see the contents of this +repository before it reached its end of life, please check out the +previous commit with "git checkout HEAD^1". -Description -=========== - -This cookbook installs the OpenStack Identity Service **Keystone** as -part of the OpenStack reference deployment Chef for OpenStack. The -`OpenStack chef-repo`_ contains documentation for using this cookbook in -the context of a full OpenStack deployment. Keystone is installed from -packages, creating the default user, tenant, and roles. It also -registers the identity service and identity endpoint. - -.. _OpenStack chef-repo: https://opendev.org/openstack/openstack-chef - -https://docs.openstack.org/keystone/latest/ - -Requirements -============ - -- Chef 16 or higher -- Chef Workstation 21.10.640 for testing (also includes Berkshelf for - cookbook dependency resolution) - -Platform -======== - -- ubuntu -- redhat -- centos - -Cookbooks -========= - -The following cookbooks are dependencies: - -- 'apache2', '~> 8.6' -- 'openstack-common', '>= 20.0.0' -- 'openstackclient' - -Attributes -========== - -Please see the extensive inline documentation in ``attributes/*.rb`` for -descriptions of all the settable attributes for this cookbook. - -Note that all attributes are in the ``default['openstack']`` "namespace" - -The usage of attributes to generate the ``keystone.conf`` is described -in the openstack-common cookbook. 
- -Recipes -======= - -openstack-identity::cloud_config --------------------------------- - -- Manage the cloud config file located at ``/root/clouds.yaml`` - -openstack-identity::_credential_tokens --------------------------------------- - -- Helper recipe to manage credential keys. - -If you prefer, you can manually create the keys by doing the following: - -.. code-block:: console - - $ keystone-manage credential_setup \ - --keystone-user keystone --keystone-group keystone - -This should create a directory ``/etc/keystone/credential-keys`` with -the keys residing in it. - -openstack-identity::_fernet_tokens ----------------------------------- - -- Helper recipe to manage fernet tokens - -openstack-identity::openrc --------------------------- - -- Creates a fully usable openrc file to export the needed environment - variables to use the openstack client. - -openstack-identity::registration --------------------------------- - -- Registers the initial keystone endpoint as well as users, tenants and - roles needed for the initial configuration utilizing the custom - resource provided in the openstackclient cookbook. The recipe is - documented in detail with inline comments inside the recipe. - -openstack-identity::server-apache ---------------------------------- - -- Installs and configures the OpenStack Identity Service running inside - of an apache webserver. The recipe is documented in detail with inline - comments inside the recipe. 
- -License and Author -================== - -+------------+-------------------------------------------------+ -| **Author** | Justin Shepherd (justin.shepherd@rackspace.com) | -+------------+-------------------------------------------------+ -| **Author** | Jason Cannavale (jason.cannavale@rackspace.com) | -+------------+-------------------------------------------------+ -| **Author** | Ron Pedde (ron.pedde@rackspace.com) | -+------------+-------------------------------------------------+ -| **Author** | Joseph Breu (joseph.breu@rackspace.com) | -+------------+-------------------------------------------------+ -| **Author** | William Kelly (william.kelly@rackspace.com) | -+------------+-------------------------------------------------+ -| **Author** | Darren Birkett (darren.birkett@rackspace.co.uk) | -+------------+-------------------------------------------------+ -| **Author** | Evan Callicoat (evan.callicoat@rackspace.com) | -+------------+-------------------------------------------------+ -| **Author** | Matt Ray (matt@opscode.com) | -+------------+-------------------------------------------------+ -| **Author** | Jay Pipes (jaypipes@att.com) | -+------------+-------------------------------------------------+ -| **Author** | John Dewey (jdewey@att.com) | -+------------+-------------------------------------------------+ -| **Author** | Sean Gallagher (sean.gallagher@att.com) | -+------------+-------------------------------------------------+ -| **Author** | Ionut Artarisi (iartarisi@suse.cz) | -+------------+-------------------------------------------------+ -| **Author** | Chen Zhiwei (zhiwchen@cn.ibm.com) | -+------------+-------------------------------------------------+ -| **Author** | Eric Zhou (zyouzhou@cn.ibm.com) | -+------------+-------------------------------------------------+ -| **Author** | Jan Klare (j.klare@cloudbau.de) | -+------------+-------------------------------------------------+ -| **Author** | Christoph Albers (c.albers@x-ion.de) | 
-+------------+-------------------------------------------------+ -| **Author** | Lance Albertson (lance@osuosl.org) | -+------------+-------------------------------------------------+ - -+---------------+----------------------------------------------+ -| **Copyright** | Copyright 2012, Rackspace US, Inc. | -+---------------+----------------------------------------------+ -| **Copyright** | Copyright 2012-2013, Opscode, Inc. | -+---------------+----------------------------------------------+ -| **Copyright** | Copyright 2012-2013, AT&T Services, Inc. | -+---------------+----------------------------------------------+ -| **Copyright** | Copyright 2013-2014, SUSE Linux | -+---------------+----------------------------------------------+ -| **Copyright** | GmbH Copyright 2013-2014, IBM, Corp. | -+---------------+----------------------------------------------+ -| **Copyright** | Copyright 2016-2021, Oregon State University | -+---------------+----------------------------------------------+ - -Licensed under the Apache License, Version 2.0 (the "License"); you may -not use this file except in compliance with the License. You may obtain -a copy of the License at - -:: - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. +For any further questions, please email +openstack-discuss@lists.openstack.org or join #openstack-dev on +OFTC. diff --git a/Rakefile b/Rakefile deleted file mode 100644 index 6ec521b..0000000 --- a/Rakefile +++ /dev/null 
@@ -1,39 +0,0 @@
-task default: ['test']
-
-task test: [:syntax, :lint, :unit]
-
-desc 'Vendor the cookbooks in the Berksfile'
-task :berks_prep do
- sh %(chef exec berks vendor)
-end
-
-desc 'Run FoodCritic (syntax) tests'
-task :syntax do
- sh %(chef exec foodcritic --exclude spec -f any .)
-end
-
-desc 'Run RuboCop (lint) tests'
-task :lint do
- sh %(chef exec cookstyle)
-end
-
-desc 'Run RSpec (unit) tests'
-task unit: :berks_prep do
- sh %(chef exec rspec --format documentation)
-end
-
-desc 'Remove the berks-cookbooks directory and the Berksfile.lock'
-task :clean do
- rm_rf [
- 'berks-cookbooks',
- 'Berksfile.lock',
- ]
-end
-
-desc 'All-in-One Neutron build Infra using Common task'
-task :integration do
- # Use the common integration task
- sh %(wget -nv -t 3 -O Rakefile-Common https://opendev.org/openstack/cookbook-openstack-common/raw/branch/master/Rakefile)
- load './Rakefile-Common'
- Rake::Task['common_integration'].invoke
-end
diff --git a/TESTING.md b/TESTING.md
deleted file mode 100644
index 1dd45c5..0000000
--- a/TESTING.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Testing the Cookbook # - -This cookbook uses [chefdk](https://downloads.chef.io/chef-dk/) and [berkshelf](http://berkshelf.com/) to isolate dependencies. Make sure you have chefdk and the header files for `gecode` installed before continuing. Make sure that you're using gecode version 3. More info [here](https://github.com/opscode/dep-selector-libgecode/tree/0bad63fea305ede624c58506423ced697dd2545e#using-a-system-gecode-instead). For more detailed information on what needs to be installed, you can have a quick look into the bootstrap.sh file in this repository, which does install all the needed things to get going on ubuntu trusty. The tests defined in the Rakefile include lint, style and unit. For integration testing please refere to the [openstack-chef-repo](https://github.com/openstack/openstack-chef-repo). - -We have three test suites which you can run either, individually (there are three rake tasks): - - $ chef exec rake lint - $ chef exec rake style - $ chef exec rake unit - -or altogether: - - $ chef exec rake - -The `rake` tasks will take care of installing the needed cookbooks with `berkshelf`. - -## Rubocop ## - -[Rubocop](https://github.com/bbatsov/rubocop) is a static Ruby code analyzer, based on the community [Ruby style guide](https://github.com/bbatsov/ruby-style-guide). We are attempting to adhere to this where applicable, slowly cleaning up the cookbooks until we can turn on Rubocop for gating the commits. - -## Foodcritic ## - -[Foodcritic](http://acrmp.github.io/foodcritic/) is a lint tool for Chef cookbooks. We ignore the following rules: - -* [FC003](http://acrmp.github.io/foodcritic/#FC003) These cookbooks are not intended for Chef Solo. -* [FC023](http://acrmp.github.io/foodcritic/#FC023) Prefer conditional attributes. - -## Chefspec - -[ChefSpec](https://github.com/sethvargo/chefspec) is a unit testing framework for testing Chef cookbooks. 
ChefSpec makes it easy to write examples and get fast feedback on cookbook changes without the need for virtual machines or cloud servers. diff --git a/attributes/default.rb b/attributes/default.rb deleted file mode 100644 index efcbdb9..0000000 --- a/attributes/default.rb +++ /dev/null 
@@ -1,214 +0,0 @@
-#
-# Cookbook:: openstack-identity
-# Recipe:: default
-#
-# Copyright:: 2012-2021, AT&T Services, Inc.
-# Copyright:: 2013-2021, Chef Software, Inc.
-# Copyright:: 2013-2021, IBM Corp.
-# Copyright:: 2017-2021, x-ion GmbH
-# Copyright:: 2018-2021, Workday, Inc.
-# Copyright:: 2019-2021, x-ion GmbH
-# Copyright:: 2016-2021, Oregon State University
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Set to some text value if you want templated config files
-# to contain a custom banner at the top of the written file
-default['openstack']['identity']['custom_template_banner'] = '
-# This file is automatically generated by Chef
-# Any changes will be overwritten
-'
-
-%w(internal public).each do |ep_type|
- # host for openstack internal/public identity endpoint
- default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
- # scheme for openstack internal/public identity endpoint
- default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
- # port for openstack internal/public identity endpoint
- default['openstack']['endpoints'][ep_type]['identity']['port'] = 5000
- # path for openstack internal/public identity endpoint
- default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
-end
-
-# address for openstack identity service main endpoint to bind to
-default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
-# port for openstack identity service main endpoint to bind to
-default['openstack']['bind_service']['public']['identity']['port'] = 5000
-
-# identity service token backend for user and service tokens
-default['openstack']['identity']['token']['backend'] = 'sql'
-
-# Specify a location to retrieve keystone-paste.ini from
-# which can either be a remote url using http:// or a
-# local path to a file using file:// which would generally
-# be a distribution file - if this option is left nil then
-# the templated version distributed with this cookbook
-# will be used (keystone-paste.ini.erb)
-default['openstack']['identity']['pastefile_url'] = nil
-
-# This specifies the pipeline of the keystone V3 API,
-# all Identity V3 API requests will be processed by the order of the pipeline.
-# this value will be used in the templated version of keystone-paste.ini
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'
-
-# region to be used for endpoint registration
-default['openstack']['identity']['region'] = node['openstack']['region']
-
-# enable or disable the usage of syslog
-default['openstack']['identity']['syslog']['use'] = false
-# syslog log facility to log to in case syslog is used
-default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2'
-# syslog config facility in case syslog is used
-default['openstack']['identity']['syslog']['config_facility'] = 'local2'
-
-# endpoint type to be used for creating resources
-default['openstack']['identity']['endpoint_type'] = 'internalURL'
-# user to be created and used for identity service
-default['openstack']['identity']['admin_user'] = 'admin'
-# project to be created and used for identity service
-default['openstack']['identity']['admin_project'] = 'admin'
-# domain to be created and used for identity service project
-default['openstack']['identity']['admin_project_domain'] = 'default'
-# role to be created and used for identity service
-default['openstack']['identity']['admin_role'] = 'admin'
-# domain to be created and used for identity service user
-default['openstack']['identity']['admin_domain_name'] = 'default'
-
-# specify whether to enable SSL for Keystone API endpoint
-default['openstack']['identity']['ssl']['enabled'] = false
-# specify server whether to enforce client certificate requirement
-default['openstack']['identity']['ssl']['cert_required'] = false
-# SSL certificate, keyfile and CA certficate file locations
-default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
-# Protocol for SSL (Apache)
-default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
-# Which ciphers to use with the SSL/TLS protocol (Apache)
-# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
-default['openstack']['identity']['ssl']['ciphers'] = nil
-# path of the cert file for SSL.
-default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
-# path of the keyfile for SSL.
-default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
-default['openstack']['identity']['ssl']['chainfile'] = nil
-# path of the CA cert file for SSL.
-default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
-# path of the CA cert files for SSL (Apache)
-default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
-# (optional) path to certificate-revocation lists (Apache)
-default['openstack']['identity']['ssl']['ca_revocation_path'] = nil
-
-# Fernet keys to read from databags/vaults. This should be changed in the
-# environment when rotating keys (with the defaults below, the items
-# 'fernet_key0' and 'fernet_key1' will be read from the databag/vault
-# 'keystone).
-# For more information please read:
-# https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html
-default['openstack']['identity']['fernet']['keys'] = [0, 1]
-default['openstack']['identity']['conf']['fernet_tokens']['key_repository'] =
- '/etc/keystone/fernet-tokens'
-
-# Credential keys to read from databags/vaults. This should be changed in the
-# environment when rotating keys (with the defaults below, the items
-# 'credential_key0' and 'credential_key1' will be read from the databag/vault
-# 'keystone).
-# For more information please read:
-# https://docs.openstack.org/keystone/queens/admin/identity-credential-encryption.html
-default['openstack']['identity']['credential']['keys'] = [0, 1]
-default['openstack']['identity']['conf']['credential']['key_repository'] =
- '/etc/keystone/credential-tokens'
-
-# configuration directory for keystone domain specific options
-default['openstack']['identity']['domain_config_dir'] = '/etc/keystone/domains'
-
-# keystone service user name
-default['openstack']['identity']['user'] = 'keystone'
-# keystone service user group
-default['openstack']['identity']['group'] = 'keystone'
-
-# platform defaults
-case node['platform_family']
-when 'rhel'
- # platform specific package and service name options
- case node['platform_version'].to_i
- when 8
- default['openstack']['identity']['platform'] = {
- 'memcache_python_packages' => ['python3-memcached'],
- # TODO(ramereth): python3-urllib3 is here to workaround an issue if
- # it's already been installed from the base repository which is
- # incompatible with what's shipped with RDO. This should be removed
- # once fixed upstream.
- 'keystone_packages' =>
- %w(
- openstack-keystone
- openstack-selinux
- python3-urllib3
- ),
- 'keystone_apache2_site' => 'keystone', # currently unused on RHEL
- 'keystone_service' => 'openstack-keystone',
- 'keystone_process_name' => 'keystone-all',
- 'package_options' => '',
- }
- when 7
- default['openstack']['identity']['platform'] = {
- 'memcache_python_packages' => ['python-memcached'],
- # TODO(ramereth): python2-urllib3 is here to workaround an issue if
- # it's already been installed from the base repository which is
- # incompatible with what's shipped with RDO. This should be removed
- # once fixed upstream.
- 'keystone_packages' =>
- %w(
- openstack-keystone
- openstack-selinux
- python2-urllib3
- ),
- 'keystone_apache2_site' => 'keystone', # currently unused on RHEL
- 'keystone_service' => 'openstack-keystone',
- 'keystone_process_name' => 'keystone-all',
- 'package_options' => '',
- }
- end
-when 'debian'
- # platform specific package and service name options
- default['openstack']['identity']['platform'] = {
- 'memcache_python_packages' => ['python3-memcache'],
- 'keystone_packages' =>
- %w(
- keystone
- python3-keystone
- ),
- 'keystone_apache2_site' => platform?('ubuntu') ? 'keystone' : 'wsgi-keystone',
- 'keystone_service' => 'keystone',
- 'keystone_process_name' => 'keystone-all',
- 'package_overrides' => '',
- }
-end
-
-# array of bare options for openrc (e.g. 'option=value')
-default['openstack']['misc_openrc'] = nil
-
-%w(openrc cloud_config).each do |file_type|
- default['openstack']['identity'][file_type]['path'] = '/root'
- default['openstack']['identity'][file_type]['path_mode'] = '0700'
- default['openstack']['identity'][file_type]['file_mode'] = '0600'
- default['openstack']['identity'][file_type]['user'] = 'root'
- default['openstack']['identity'][file_type]['group'] = 'root'
-end
-
-# openrc file name
-default['openstack']['identity']['openrc']['file'] = 'openrc'
-# cloud_config file name
-default['openstack']['identity']['cloud_config']['file'] = 'clouds.yaml'
-# cloud_config cloud name
-default['openstack']['identity']['cloud_config']['cloud_name'] = 'default'
diff --git a/attributes/keystone_conf.rb b/attributes/keystone_conf.rb
deleted file mode 100644
index ac85014..0000000
--- a/attributes/keystone_conf.rb
+++ /dev/null
@@ -1,27 +0,0 @@ -# options to add to the keystone.conf as secrets (will not be saved in node -# attribute) -default['openstack']['identity']['conf_secrets'] = {} -default['openstack']['identity']['conf'].tap do |conf| - # [DEFAULT] - if node['openstack']['identity']['syslog']['use'] - # [DEFAULT] option in keystone.conf to read additional logging.conf - conf['DEFAULT']['log_config_append'] = '/etc/openstack/logging.conf' - else - # [DEFAULT] option in keystone.conf to set keystone log dir - conf['DEFAULT']['log_dir'] = '/var/log/keystone' - end - if node['openstack']['identity']['notification_driver'] == 'messaging' - # [DEFAULT] option in keystone.conf to define mq notification topics - conf['DEFAULT']['notification_topics'] = 'notifications' - end - - # [assignment] option in keystone.conf to set driver - conf['assignment']['driver'] = 'sql' - - # [cache] option in keystone.conf to set oslo backend - conf['cache']['enabled'] = true - conf['cache']['backend'] = 'oslo_cache.memcache_pool' - - # [policy] option in keystone.conf to set policy backend driver - conf['policy']['driver'] = 'sql' -end diff --git a/metadata.rb b/metadata.rb deleted file mode 100644 index 34e9e76..0000000 --- a/metadata.rb +++ /dev/null @@ -1,18 +0,0 @@ -name 'openstack-identity' -maintainer 'openstack-chef' -maintainer_email 'openstack-discuss@lists.openstack.org' -license 'Apache-2.0' -description 'The OpenStack Identity service Keystone.' -version '20.0.0' - -%w(ubuntu redhat centos).each do |os| - supports os -end - -depends 'apache2', '~> 8.6' -depends 'openstackclient' -depends 'openstack-common', '>= 20.0.0' - -issues_url 'https://launchpad.net/openstack-chef' -source_url 'https://opendev.org/openstack/cookbook-openstack-identity' -chef_version '>= 16.0' diff --git a/recipes/_credential_tokens.rb b/recipes/_credential_tokens.rb deleted file mode 100644 index 8cebbac..0000000 --- a/recipes/_credential_tokens.rb +++ /dev/null 
@@ -1,47 +0,0 @@ -# -# Cookbook:: openstack-identity -# Recipe:: _credential_tokens -# -# Copyright:: 2020-2021, Oregon State University -# -# Licensed under the Apache License, Version 2.0 (the 'License'); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an 'AS IS' BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This recipe is automatically included in openstack-identity::service-apache. -# It will add the needed configuration options to the keystone.conf and create -# the needed credential keys from predefined secrets (e.g. encrypted data -# bags or vaults). - -class ::Chef::Recipe - include ::Openstack -end - -key_repository = node['openstack']['identity']['conf']['credential']['key_repository'] -keystone_user = node['openstack']['identity']['user'] -keystone_group = node['openstack']['identity']['group'] - -directory key_repository do - owner keystone_user - group keystone_group - mode '700' -end - -node['openstack']['identity']['credential']['keys'].each do |key_index| - key = secret(node['openstack']['secret']['secrets_data_bag'], "credential_key#{key_index}") - file File.join(key_repository, key_index.to_s) do - content key - owner keystone_user - group keystone_group - mode '400' - sensitive true - end -end diff --git a/recipes/_fernet_tokens.rb b/recipes/_fernet_tokens.rb deleted file mode 100644 index 9215cc4..0000000 --- a/recipes/_fernet_tokens.rb +++ /dev/null 
@@ -1,51 +0,0 @@ -# -# Cookbook:: openstack-identity -# Recipe:: _fernet_tokens -# -# Copyright:: 2020-2021, Oregon State University -# -# Licensed under the Apache License, Version 2.0 (the 'License'); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an 'AS IS' BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This recipe is automatically included in openstack-identity::service-apache. -# It will add the needed configuration options to the keystone.conf and create -# the needed fernet keys from predefined secrets (e.g. encrypted data bags or vaults). - -class ::Chef::Recipe - include ::Openstack -end - -key_repository = node['openstack']['identity']['conf']['fernet_tokens']['key_repository'] -keystone_user = node['openstack']['identity']['user'] -keystone_group = node['openstack']['identity']['group'] - -directory key_repository do - owner keystone_user - group keystone_group - mode '700' -end - -node['openstack']['identity']['fernet']['keys'].each do |key_index| - key = secret(node['openstack']['secret']['secrets_data_bag'], "fernet_key#{key_index}") - file File.join(key_repository, key_index.to_s) do - content key - owner keystone_user - group keystone_group - mode '400' - sensitive true - end -end - -execute 'keystone-manage fernet_setup' do - command "keystone-manage fernet_setup --keystone-user #{keystone_user} --keystone-group #{keystone_group}" - creates '/etc/keystone/fernet-keys' -end diff --git a/recipes/cloud_config.rb b/recipes/cloud_config.rb deleted file mode 100644 index fcfeb86..0000000 --- a/recipes/cloud_config.rb +++ /dev/null 
@@ -1,60 +0,0 @@ -# -# Cookbook:: openstack-identity -# recipe:: cloud_config -# -# Copyright:: 2019-2021, x-ion GmbH -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This recipe creates a fully usable cloud config file to be used directly -# by the openstack client or sdk. - -class ::Chef::Recipe - include ::Openstack -end - -ksadmin_project = node['openstack']['identity']['admin_project'] -project_domain_name = node['openstack']['identity']['admin_project_domain'] -ksadmin_user = node['openstack']['identity']['admin_user'] -admin_domain_name = node['openstack']['identity']['admin_domain_name'] - -ksadmin_pass = get_password 'user', ksadmin_user - -identity_endpoint = public_endpoint 'identity' -auth_url = identity_endpoint.to_s - -cloud_config = node['openstack']['identity']['cloud_config'] - -directory cloud_config['path'] do - owner cloud_config['user'] - group cloud_config['group'] - mode cloud_config['path_mode'] - recursive true -end - -template "#{cloud_config['path']}/#{cloud_config['file']}" do - source 'cloud_config.erb' - owner cloud_config['user'] - group cloud_config['group'] - mode cloud_config['file_mode'] - sensitive true - variables( - cloud_name: cloud_config['cloud_name'], - user: ksadmin_user, - user_domain_name: admin_domain_name, - project: ksadmin_project, - project_domain_name: project_domain_name, - password: ksadmin_pass, - identity_endpoint: auth_url - ) -end 
diff --git a/recipes/openrc.rb b/recipes/openrc.rb deleted file mode 100644 index 8b33f67..0000000 --- a/recipes/openrc.rb +++ /dev/null 
@@ -1,59 +0,0 @@ -# -# Cookbook:: openstack-identity -# recipe:: openrc -# -# Copyright:: 2014-2021, IBM Corp. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This recipe create a fully usable openrc file to export the needed environment -# variables to use the openstack client. - -class ::Chef::Recipe - include ::Openstack -end - -ksadmin_project = node['openstack']['identity']['admin_project'] -project_domain_name = node['openstack']['identity']['admin_project_domain'] -ksadmin_user = node['openstack']['identity']['admin_user'] -admin_domain_name = node['openstack']['identity']['admin_domain_name'] - -ksadmin_pass = get_password 'user', ksadmin_user - -identity_endpoint = public_endpoint 'identity' -auth_url = identity_endpoint.to_s - -openrc_config = node['openstack']['identity']['openrc'] - -directory openrc_config['path'] do - owner openrc_config['user'] - group openrc_config['group'] - mode openrc_config['path_mode'] - recursive true -end - -template "#{openrc_config['path']}/#{openrc_config['file']}" do - source 'openrc.erb' - owner openrc_config['user'] - group openrc_config['group'] - mode openrc_config['file_mode'] - sensitive true - variables( - user: ksadmin_user, - user_domain_name: admin_domain_name, - project: ksadmin_project, - project_domain_name: project_domain_name, - password: ksadmin_pass, - identity_endpoint: auth_url - ) -end diff --git a/recipes/registration.rb b/recipes/registration.rb deleted file mode 100644 index ab9cc8e..0000000 
--- a/recipes/registration.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -# -# Cookbook:: openstack-identity -# Recipe:: setup -# -# Copyright:: 2012-2021, Rackspace US, Inc. -# Copyright:: 2012-2021, Chef Software, Inc. -# Copyright:: 2020-2021, Oregon State University -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This recipe registers the initial keystone endpoint as well as users, tenants -# and roles needed for the initial configuration utilizing the LWRP provided -# inside of this cookbook. The recipe is documented in detail with inline -# comments inside the recipe. - -require 'chef/mixin/shell_out' - -class ::Chef::Recipe - include ::Openstack -end - -identity_endpoint = public_endpoint 'identity' -identity_internal_endpoint = internal_endpoint 'identity' -auth_url = identity_internal_endpoint.to_s - -# define the credentials to use for the initial admin user -admin_project = node['openstack']['identity']['admin_project'] -admin_user = node['openstack']['identity']['admin_user'] -admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] -admin_domain = node['openstack']['identity']['admin_domain_name'] - -# endpoint type to use when creating resources -# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for -# Identity operations, so we need to override this after we dropped that one -# TODO(ramereth): commenting this out until -# https://github.com/fog/fog-openstack/pull/494 gets merged and released. 
-# endpoint_type = node['openstack']['identity']['endpoint_type'] - -connection_params = { - openstack_auth_url: auth_url, - openstack_username: admin_user, - openstack_api_key: admin_pass, - openstack_project_name: admin_project, - openstack_domain_id: admin_domain, - # openstack_endpoint_type: endpoint_type, -} - -ruby_block 'wait for identity endpoint' do - block do - begin - Timeout.timeout(60) do - until Net::HTTP.get_response(URI(auth_url)).message == 'OK' - Chef::Log.info 'waiting for identity endpoint to be up...' - sleep 1 - end - end - rescue Timeout::Error - raise 'Waited 60 seconds for identity endpoint to become ready'\ - ' and will not wait any longer' - end - end -end - -# create default service role -openstack_role 'service' do - connection_params connection_params -end - -node.default['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s -node.default['openstack']['identity']['publicURL'] = identity_endpoint.to_s - -Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}" -Chef::Log.info "Keystone PublicURL: #{identity_endpoint}" diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb deleted file mode 100644 index 8be6b2d..0000000 --- a/recipes/server-apache.rb +++ /dev/null 
@@ -1,261 +0,0 @@ -# -# Cookbook:: openstack-identity -# Recipe:: server-apache -# -# Copyright:: 2015-2021, IBM Corp. Inc. -# Copyright:: 2016-2021, Oregon State University -# -# Licensed under the Apache License, Version 2.0 (the 'License'); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an 'AS IS' BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This recipe installs and configures the OpenStack Identity Service running -# inside of an apache webserver. The recipe is documented in detail with inline -# comments inside the recipe. - -# load the methods defined in cookbook-openstack-common libraries -class ::Chef::Recipe - include ::Openstack - include Apache2::Cookbook::Helpers -end - -# include the logging recipe from openstack-common if syslog usage is enbaled -if node['openstack']['identity']['syslog']['use'] - include_recipe 'openstack-common::logging' -end - -platform_options = node['openstack']['identity']['platform'] - -identity_internal_endpoint = internal_endpoint 'identity' -identity_endpoint = public_endpoint 'identity' - -# define the address where the keystone public endpoint will be reachable -ie = identity_endpoint -# define the keystone public endpoint full path -api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/" - -# define the credentials to use for the initial admin user -admin_project = node['openstack']['identity']['admin_project'] -admin_user = node['openstack']['identity']['admin_user'] -admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] -admin_role = node['openstack']['identity']['admin_role'] -region = 
node['openstack']['identity']['region'] -keystone_user = node['openstack']['identity']['user'] -keystone_group = node['openstack']['identity']['group'] - -# install the database python adapter packages for the selected database -# service_type -db_type = node['openstack']['db']['identity']['service_type'] -unless db_type == 'sqlite' - node['openstack']['db']['python_packages'][db_type].each do |pkg| - package "identity cookbook package #{pkg}" do - package_name pkg - options platform_options['package_options'] - action :upgrade - end - end -end - -# install the python memcache adapter packages -platform_options['memcache_python_packages'].each do |pkg| - package "identity cookbook package #{pkg}" do - package_name pkg - options platform_options['package_options'] - action :upgrade - end -end - -# install the keystone packages -platform_options['keystone_packages'].each do |pkg| - package "identity cookbook package #{pkg}" do - package_name pkg - options platform_options['package_options'] - action :upgrade - end -end - -# stop and disable the service keystone itself, since it should be run inside -# of apache -service 'keystone' do - service_name platform_options['keystone_service'] - action [:stop, :disable] -end - -# disable default keystone config file from UCA package -apache2_site platform_options['keystone_apache2_site'] do - action :disable - only_if { platform_family?('debian') } -end - -# create the keystone config directory and set correct permissions -directory '/etc/keystone' do - owner keystone_user - group keystone_group - mode '700' -end - -# create keystone domain config dir if needed -directory node['openstack']['identity']['domain_config_dir'] do - owner keystone_user - group keystone_group - mode '700' - only_if { node['openstack']['identity']['domain_specific_drivers_enabled'] } -end - -# delete the keystone.db sqlite file if another db backend is used -file '/var/lib/keystone/keystone.db' do - action :delete - not_if { 
node['openstack']['db']['identity']['service_type'] == 'sqlite' } -end - -# include the recipes to setup tokens -include_recipe 'openstack-identity::_fernet_tokens' -include_recipe 'openstack-identity::_credential_tokens' - -# define the address to bind the keystone apache public service to -bind_service = node['openstack']['bind_service']['public']['identity'] -bind_address = bind_address bind_service - -# set the keystone database credentials -db_user = node['openstack']['db']['identity']['username'] -db_pass = get_password 'db', 'keystone' -node.default['openstack']['identity']['conf_secrets'] -.[]('database')['connection'] = - db_uri('identity', db_user, db_pass) - -# search for memcache servers using the method from cookbook-openstack-common -memcache_servers = memcached_servers.join ',' - -# If a keystone-paste.ini is specified use it. -# TODO(jh): Starting with Rocky keystone-paste.ini is no longer being used -# and this block can be removed -if node['openstack']['identity']['pastefile_url'] - remote_file '/etc/keystone/keystone-paste.ini' do - action :create_if_missing - source node['openstack']['identity']['pastefile_url'] - owner keystone_user - group keystone_group - mode '644' - end -else - template '/etc/keystone/keystone-paste.ini' do - source 'keystone-paste.ini.erb' - owner keystone_user - group keystone_group - mode '644' - end -end - -# set keystone config parameter for rabbitmq if rabbit is the rpc_backend -if node['openstack']['mq']['service_type'] == 'rabbit' - node.default['openstack']['identity']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'identity' -end - -# set keystone config parameters for endpoints, memcache -node.default['openstack']['identity']['conf'].tap do |conf| - conf['DEFAULT']['public_endpoint'] = api_endpoint - conf['memcache']['servers'] = memcache_servers if memcache_servers -end - -# merge all config options and secrets to be used in the keystone.conf.erb -keystone_conf_options = merge_config_options 
'identity' - -# create the keystone.conf from attributes -template '/etc/keystone/keystone.conf' do - source 'openstack-service.conf.erb' - cookbook 'openstack-common' - owner keystone_user - group keystone_group - mode '640' - sensitive true - variables( - service_config: keystone_conf_options - ) - notifies :restart, 'service[apache2]' -end - -# delete all secrets saved in the attribute -# node['openstack']['identity']['conf_secrets'] after creating the keystone.conf -ruby_block "delete all attributes in node['openstack']['identity']['conf_secrets']" do - block do - node.rm(:openstack, :identity, :conf_secrets) - end -end - -# sync db after keystone.conf is generated -execute 'keystone-manage db_sync' do - user 'root' - only_if { node['openstack']['db']['identity']['migrate'] } -end - -# bootstrap keystone after keystone.conf is generated -# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed -execute 'bootstrap_keystone' do - command "keystone-manage bootstrap \\ - --bootstrap-password #{admin_pass} \\ - --bootstrap-username #{admin_user} \\ - --bootstrap-project-name #{admin_project} \\ - --bootstrap-role-name #{admin_role} \\ - --bootstrap-service-name keystone \\ - --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{identity_internal_endpoint} \\ - --bootstrap-public-url #{identity_endpoint} \\ - --bootstrap-internal-url #{identity_internal_endpoint}" - sensitive true -end - -#### Start of Apache specific work - -# service['apache2'] is defined in the apache2_default_install resource -# but other resources are currently unable to reference it. 
To work -# around this issue, define the following helper in your cookbook: -service 'apache2' do - extend Apache2::Cookbook::Helpers - service_name lazy { apache_platform_service_name } - supports restart: true, status: true, reload: true - action :nothing -end - -apache2_install 'openstack' do - listen "#{bind_address}:#{bind_service['port']}" -end - -apache2_mod_wsgi 'openstack' -apache2_module 'ssl' if node['openstack']['identity']['ssl']['enabled'] - -# create the keystone apache directory -keystone_apache_dir = "#{default_docroot_dir}/keystone" -directory keystone_apache_dir do - owner 'root' - group 'root' - mode '755' -end - -# create the keystone apache config using template -template "#{apache_dir}/sites-available/identity.conf" do - extend Apache2::Cookbook::Helpers - source 'wsgi-keystone.conf.erb' - variables( - server_host: bind_address, - server_port: bind_service['port'], - server_entry: '/usr/bin/keystone-wsgi-public', - server_alias: 'identity', - log_dir: default_log_dir, - run_dir: lock_dir, - user: keystone_user, - group: keystone_group - ) - notifies :restart, 'service[apache2]' -end - -apache2_site 'identity' do - notifies :restart, 'service[apache2]', :immediately -end diff --git a/spec/cloud_config_spec.rb b/spec/cloud_config_spec.rb deleted file mode 100644 index de9a84d..0000000 --- a/spec/cloud_config_spec.rb +++ /dev/null 
@@ -1,94 +0,0 @@ -require_relative 'spec_helper' -require 'yaml' - -describe 'openstack-identity::cloud_config' do - describe 'ubuntu' do - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - cached(:chef_run) do - runner.converge(described_recipe) - end - - include_context 'identity_stubs' - - describe '/root/clouds.yaml' do - let(:file) { chef_run.template('/root/clouds.yaml') } - - it 'creates the /root/clouds.yaml file' do - expect(chef_run).to create_directory('/root').with( - owner: 'root', - group: 'root', - mode: '0700', - recursive: true - ) - expect(chef_run).to create_template(file.name).with( - sensitive: true, - user: 'root', - group: 'root', - mode: '0600', - variables: { - cloud_name: 'default', - identity_endpoint: 'http://127.0.0.1:5000/v3', - password: 'admin', - project: 'admin', - project_domain_name: 'default', - user_domain_name: 'default', - user: 'admin', - } - ) - end - - cloud_yaml = { - 'clouds' => { - 'default' => { - 'auth' => { - 'username' => 'admin', - 'user_domain_name' => 'default', - 'password' => 'admin', - 'project_name' => 'admin', - 'project_domain_name' => 'default', - 'auth_url' => 'http://127.0.0.1:5000/v3', - }, - 'identity_api_version' => 3, - 'region_name' => 'RegionOne', - }, - }, - } - - it 'contains auth environment variables' do - expect(chef_run).to render_file(file.name).with_content(YAML.dump(cloud_yaml)) - end - - context 'override auth environment variables' do - cloud_yaml_override = { - 'clouds' => { - 'cloud-config-override' => { - 'auth' => { - 'username' => 'identity_admin', - 'user_domain_name' => 'admin-domain-override', - 'password' => 'identity_admin_pass', - 'project_name' => 'admin-project-name-override', - 'project_domain_name' => 'admin-domain-name-override', - 'auth_url' => 'https://public.identity:1234/', - }, - 'identity_api_version' => 3, - 'region_name' => 'RegionOne', - }, - }, - } - cached(:chef_run) do - 
node.override['openstack']['identity']['cloud_config']['cloud_name'] = 'cloud-config-override' - node.override['openstack']['identity']['admin_user'] = 'identity_admin' - node.override['openstack']['identity']['admin_project_domain'] = 'admin-domain-name-override' - node.override['openstack']['identity']['admin_project'] = 'admin-project-name-override' - node.override['openstack']['identity']['admin_domain_name'] = 'admin-domain-override' - node.override['openstack']['endpoints']['public']['identity']['uri'] = 'https://public.identity:1234/' - runner.converge(described_recipe) - end - it 'contains overridden auth environment variables' do - expect(chef_run).to render_file(file.name).with_content(YAML.dump(cloud_yaml_override)) - end - end - end - end -end diff --git a/spec/credential_tokens_spec.rb b/spec/credential_tokens_spec.rb deleted file mode 100644 index 3a94d16..0000000 --- a/spec/credential_tokens_spec.rb +++ /dev/null @@ -1,29 +0,0 @@ - -require_relative 'spec_helper' - -describe 'openstack-identity::_credential_tokens' do - describe 'ubuntu' do - include_context 'identity_stubs' - - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - cached(:chef_run) { runner.converge(described_recipe) } - - it do - expect(chef_run).to create_directory('/etc/keystone/credential-tokens') - .with(owner: 'keystone', user: 'keystone', mode: '700') - end - - [0, 1].each do |key_index| - it do - expect(chef_run).to create_file("/etc/keystone/credential-tokens/#{key_index}") - .with( - content: "thisiscredentialkey#{key_index}", - owner: 'keystone', - group: 'keystone', - mode: '400' - ) - end - end - end -end diff --git a/spec/fernet_tokens_spec.rb b/spec/fernet_tokens_spec.rb deleted file mode 100644 index d6024aa..0000000 --- a/spec/fernet_tokens_spec.rb +++ /dev/null 
@@ -1,34 +0,0 @@ - -require_relative 'spec_helper' - -describe 'openstack-identity::_fernet_tokens' do - describe 'ubuntu' do - include_context 'identity_stubs' - - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - cached(:chef_run) { runner.converge(described_recipe) } - - it do - expect(chef_run).to create_directory('/etc/keystone/fernet-tokens') - .with(owner: 'keystone', user: 'keystone', mode: '700') - end - - [0, 1].each do |key_index| - it do - expect(chef_run).to create_file("/etc/keystone/fernet-tokens/#{key_index}") - .with( - content: "thisisfernetkey#{key_index}", - owner: 'keystone', - group: 'keystone', - mode: '400' - ) - end - end - it do - expect(chef_run).to run_execute('keystone-manage fernet_setup').with( - command: 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' - ) - end - end -end diff --git a/spec/openrc_spec.rb b/spec/openrc_spec.rb deleted file mode 100644 index c6c36b9..0000000 --- a/spec/openrc_spec.rb +++ /dev/null 
@@ -1,82 +0,0 @@ -require_relative 'spec_helper' - -describe 'openstack-identity::openrc' do - describe 'ubuntu' do - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - cached(:chef_run) do - runner.converge(described_recipe) - end - - include_context 'identity_stubs' - - describe '/root/openrc' do - let(:file) { chef_run.template('/root/openrc') } - - it 'creates the /root/openrc file' do - expect(chef_run).to create_directory('/root').with( - owner: 'root', - group: 'root', - mode: '0700', - recursive: true - ) - expect(chef_run).to create_template(file.name).with( - sensitive: true, - user: 'root', - group: 'root', - mode: '0600' - ) - end - - it 'contains auth environment variables' do - [ - /^export OS_USERNAME=admin$/, - /^export OS_USER_DOMAIN_NAME=default$/, - /^export OS_PASSWORD=admin$/, - /^export OS_PROJECT_NAME=admin$/, - /^export OS_PROJECT_DOMAIN_NAME=default$/, - /^export OS_IDENTITY_API_VERSION=3$/, - %r{^export OS_AUTH_URL=http://127.0.0.1:5000/v3$}, - /^export OS_REGION_NAME=RegionOne$/, - ].each do |line| - expect(chef_run).to render_file(file.name).with_content(line) - end - end - - context 'misc_openrc array' do - cached(:chef_run) do - node.override['openstack']['misc_openrc'] = ['export MISC1=OPTION1', 'export MISC2=OPTION2'] - runner.converge(described_recipe) - end - it 'templates misc_openrc array correctly' do - expect(chef_run).to render_file(file.name).with_content( - /^export MISC1=OPTION1$/ - ) - expect(chef_run).to render_file(file.name).with_content( - /^export MISC2=OPTION2$/ - ) - end - end - - context 'override auth environment variables' do - cached(:chef_run) do - node.override['openstack']['identity']['admin_project'] = 'admin-project-name-override' - node.override['openstack']['identity']['admin_user'] = 'identity_admin' - node.override['openstack']['identity']['admin_domain_id'] = 'admin-domain-override' - node.override['openstack']['endpoints']['public']['identity']['uri'] = 
'https://public.identity:1234/' - runner.converge(described_recipe) - end - it 'contains overridden auth environment variables' do - [ - /^export OS_USERNAME=identity_admin$/, - /^export OS_PROJECT_NAME=admin-project-name-override$/, - /^export OS_PASSWORD=identity_admin_pass$/, - %r{^export OS_AUTH_URL=https://public.identity:1234/$}, - ].each do |line| - expect(chef_run).to render_file(file.name).with_content(line) - end - end - end - end - end -end diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb deleted file mode 100644 index 66806d8..0000000 --- a/spec/registration_spec.rb +++ /dev/null @@ -1,37 +0,0 @@ - -require_relative 'spec_helper' - -describe 'openstack-identity::registration' do - describe 'ubuntu' do - let(:node) { runner.node } - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - cached(:chef_run) { runner.converge(described_recipe) } - - include_context 'identity_stubs' - - connection_params = { - openstack_auth_url: 'http://127.0.0.1:5000/v3', - openstack_username: 'admin', - openstack_api_key: 'admin', - openstack_project_name: 'admin', - openstack_domain_id: 'default', - # openstack_endpoint_type: 'internalURL', - } - - describe 'keystone bootstrap' do - context 'default values' do - it do - expect(chef_run).to run_ruby_block('wait for identity endpoint') - end - - it 'create service role' do - expect(chef_run).to create_openstack_role( - 'service' - ).with( - connection_params: connection_params - ) - end - end - end - end -end diff --git a/spec/server-apache-redhat_spec.rb b/spec/server-apache-redhat_spec.rb deleted file mode 100644 index e452c03..0000000 --- a/spec/server-apache-redhat_spec.rb +++ /dev/null 
@@ -1,35 +0,0 @@ - -require_relative 'spec_helper' - -describe 'openstack-identity::server-apache' do - ALL_RHEL.each do |p| - context "redhat #{p[:version]}" do - let(:runner) { ChefSpec::SoloRunner.new(p) } - let(:node) { runner.node } - cached(:chef_run) do - runner.converge(described_recipe) - end - - include_context 'identity_stubs' - - it 'upgrades keystone packages' do - expect(chef_run).to upgrade_package('identity cookbook package openstack-keystone') - expect(chef_run).to upgrade_package('identity cookbook package openstack-selinux') - end - - case p - when REDHAT_7 - it 'upgrades python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python-memcached') - expect(chef_run).to upgrade_package('identity cookbook package python2-urllib3') - end - - when REDHAT_8 - it 'upgrades python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python3-memcached') - expect(chef_run).to upgrade_package('identity cookbook package python3-urllib3') - end - end - end - end -end diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb deleted file mode 100644 index d383df1..0000000 --- a/spec/server-apache_spec.rb +++ /dev/null 
@@ -1,464 +0,0 @@ - -require_relative 'spec_helper' - -describe 'openstack-identity::server-apache' do - describe 'ubuntu' do - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - cached(:chef_run) do - runner.converge(described_recipe) - end - - include Helpers - include_context 'identity_stubs' - - service_name = 'keystone' - service_user = 'admin' - region = 'RegionOne' - project_name = 'admin' - role_name = 'admin' - password = 'admin' - public_url = 'http://127.0.0.1:5000/v3' - - context 'syslog true' do - cached(:chef_run) do - node.override['openstack']['identity']['syslog']['use'] = true - runner.converge(described_recipe) - end - it 'runs logging recipe if node attributes say to' do - expect(chef_run).to include_recipe('openstack-common::logging') - end - end - - it 'does not run logging recipe' do - expect(chef_run).not_to include_recipe('openstack-common::logging') - end - - it 'upgrades mysql python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python3-mysqldb') - end - - it 'upgrades memcache python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python3-memcache') - end - - it 'upgrades keystone packages' do - expect(chef_run).to upgrade_package('identity cookbook package python3-keystone') - expect(chef_run).to upgrade_package('identity cookbook package keystone') - end - - it do - expect(chef_run).to disable_apache2_site('keystone') - end - - it 'bootstrap with keystone-manage' do - expect(chef_run).to run_execute('bootstrap_keystone').with( - command: "keystone-manage bootstrap \\ - --bootstrap-password #{password} \\ - --bootstrap-username #{service_user} \\ - --bootstrap-project-name #{project_name} \\ - --bootstrap-role-name #{role_name} \\ - --bootstrap-service-name #{service_name} \\ - --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{public_url} \\ - --bootstrap-public-url #{public_url} \\ - --bootstrap-internal-url #{public_url}", - 
sensitive: true - ) - end - - describe '/etc/keystone' do - let(:dir) { chef_run.directory('/etc/keystone') } - - it 'creates directory /etc/keystone' do - expect(chef_run).to create_directory(dir.name).with( - user: 'keystone', - group: 'keystone', - mode: '700' - ) - end - end - - describe '/etc/keystone/domains' do - let(:dir) { '/etc/keystone/domains' } - - it 'does not create /etc/keystone/domains by default' do - expect(chef_run).not_to create_directory(dir) - end - - context 'domain_specific_drivers_enabled true' do - cached(:chef_run) do - node.override['openstack']['identity']['domain_specific_drivers_enabled'] = true - runner.converge(described_recipe) - end - it 'creates /etc/keystone/domains when domain_specific_drivers_enabled enabled' do - expect(chef_run).to create_directory(dir).with( - user: 'keystone', - group: 'keystone', - mode: '700' - ) - end - end - end - - it 'deletes keystone.db' do - expect(chef_run).to delete_file('/var/lib/keystone/keystone.db') - end - - context 'service_type sqlite' do - cached(:chef_run) do - node.override['openstack']['db']['identity']['service_type'] = 'sqlite' - runner.converge(described_recipe) - end - it 'does not delete keystone.db when configured to use sqlite' do - expect(chef_run).not_to delete_file('/var/lib/keystone/keystone.db') - end - end - - describe 'keystone.conf' do - let(:path) { '/etc/keystone/keystone.conf' } - let(:resource) { chef_run.template(path) } - describe 'file properties' do - it 'creates /etc/keystone/keystone.conf' do - expect(chef_run).to create_template(resource.name).with( - user: 'keystone', - group: 'keystone', - mode: '640', - sensitive: true - ) - end - end - - it 'has no list_limits by default' do - expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit = /) - end - - describe '[DEFAULT] section' do - [ - %r{^log_dir = /var/log/keystone$}, - %r{^public_endpoint = http://127.0.0.1:5000/$}, - %r{^transport_url = 
rabbit://openstack:mypass@127.0.0.1:5672$}, - ].each do |line| - it do - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', line) - end - end - - describe 'syslog configuration' do - log_file = %r{^log_dir = /var/log/keystone$} - log_conf = %r{^log_config_append = /\w+} - - it do - expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_conf) - end - - context 'syslog true' do - cached(:chef_run) do - node.override['openstack']['identity']['syslog']['use'] = true - runner.converge(described_recipe) - end - it do - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_conf) - expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_file) - end - end - end - end - - describe '[memcache] section' do - it 'has no servers by default' do - # `Openstack#memcached_servers' is stubbed in spec_helper.rb to - # return an empty array, so we expect an empty `servers' list. - r = line_regexp('servers = ') - expect(chef_run).to render_config_file(path).with_section_content('memcache', r) - end - - context 'hostnames are configured' do - cached(:chef_run) do - runner.converge(described_recipe) - end - it 'has servers when hostnames are configured' do - # Re-stub `Openstack#memcached_servers' here - hosts = ['host1:111', 'host2:222'] - r = line_regexp("servers = #{hosts.join(',')}") - - allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers).and_return(hosts) - expect(chef_run).to render_config_file(path).with_section_content('memcache', r) - end - end - end - - describe '[sql] section' do - it 'has a connection' do - r = %r{^connection = mysql\+pymysql://keystone:@127.0.0.1:3306/keystone\?charset=utf8$} - expect(chef_run).to render_config_file(path).with_section_content('database', r) - end - end - - describe '[assignment] section' do - it 'configures driver' do - r = /^driver = sql$/ - expect(chef_run).to 
render_config_file(path).with_section_content('assignment', r) - end - end - - describe '[policy] section' do - it 'configures driver' do - r = /^driver = sql$/ - expect(chef_run).to render_config_file(path).with_section_content('policy', r) - end - end - describe '[fernet_tokens] section' do - it 'key_repository = /etc/keystone/fernet-tokens' do - r = %r{^key_repository = /etc/keystone/fernet-tokens$} - expect(chef_run).to render_config_file(path).with_section_content('fernet_tokens', r) - end - end - describe '[credential] section' do - it 'key_repository = /etc/keystone/credential-tokens' do - r = %r{^key_repository = /etc/keystone/credential-tokens$} - expect(chef_run).to render_config_file(path).with_section_content('credential', r) - end - end - describe '[cache] section' do - [ - /^enabled = true$/, - /^backend = oslo_cache.memcache_pool$/, - ].each do |line| - it do - expect(chef_run).to render_config_file(path).with_section_content('cache', line) - end - end - end - end - - describe 'db_sync' do - let(:cmd) { 'keystone-manage db_sync' } - - it 'runs migrations' do - expect(chef_run).to run_execute(cmd).with( - user: 'root' - ) - end - - context 'migrate false' do - cached(:chef_run) do - node.override['openstack']['db']['identity']['migrate'] = false - runner.converge(described_recipe) - end - it 'does not run migrations' do - expect(chef_run).not_to run_execute(cmd).with( - user: 'root' - ) - end - end - end - - describe 'keystone-paste.ini as template' do - let(:path) { '/etc/keystone/keystone-paste.ini' } - - it 'has default api pipeline values' do - expect(chef_run).to render_config_file(path).with_section_content( - 'pipeline:api_v3', - /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/ - ) - end - context 'api_v3 service_v3' do - cached(:chef_run) do - node.override['openstack']['identity']['pipeline']['api_v3'] = 
'service_v3' - runner.converge(described_recipe) - end - it 'template api pipeline set correct' do - expect(chef_run).to render_config_file(path).with_section_content( - 'pipeline:api_v3', - /^pipeline = service_v3$/ - ) - end - end - context 'misc_paste set' do - cached(:chef_run) do - node.override['openstack']['identity']['misc_paste'] = ['MISC1 = OPTION1', 'MISC2 = OPTION2'] - runner.converge(described_recipe) - end - it 'template misc_paste array correctly' do - expect(chef_run).to render_file(path).with_content( - /^MISC1 = OPTION1$/ - ) - expect(chef_run).to render_file(path).with_content( - /^MISC2 = OPTION2$/ - ) - end - end - end - - context 'keystone-paste.ini as remote file' do - cached(:chef_run) do - node.override['openstack']['identity']['pastefile_url'] = 'http://server/mykeystone-paste.ini' - runner.converge(described_recipe) - end - let(:remote_paste) { chef_run.remote_file('/etc/keystone/keystone-paste.ini') } - - it 'uses a remote file if pastefile_url is specified' do - expect(chef_run).to create_remote_file_if_missing('/etc/keystone/keystone-paste.ini').with( - source: 'http://server/mykeystone-paste.ini', - user: 'keystone', - group: 'keystone', - mode: '644' - ) - end - end - - describe 'apache setup' do - it do - expect(chef_run.template('/etc/keystone/keystone.conf')).to notify('service[apache2]').to(:restart) - end - - it do - expect(chef_run.template('/etc/apache2/sites-available/identity.conf')).to \ - notify('service[apache2]').to(:restart) - end - - it do - expect(chef_run).to install_apache2_install('openstack').with(listen: %w(127.0.0.1:5000)) - end - - it do - expect(chef_run).to create_apache2_mod_wsgi('openstack') - end - - it do - expect(chef_run).to_not enable_apache2_module('ssl') - end - - context 'ssl enabled' do - cached(:chef_run) do - node.override['openstack']['identity']['ssl']['enabled'] = true - runner.converge(described_recipe) - end - it do - expect(chef_run).to enable_apache2_module('ssl') - end - end - - describe 
'apache wsgi' do - let(:file) { '/etc/apache2/sites-available/identity.conf' } - - it 'creates identity.conf' do - expect(chef_run).to create_template(file).with( - source: 'wsgi-keystone.conf.erb', - variables: { - group: 'keystone', - log_dir: '/var/log/apache2', - run_dir: '/var/lock', - server_alias: 'identity', - server_entry: '/usr/bin/keystone-wsgi-public', - server_host: '127.0.0.1', - server_port: 5000, - user: 'keystone', - } - ) - end - - it 'does not configure keystone-admin.conf' do - expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf') - end - - [ - /^$/, - /WSGIDaemonProcess identity processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}$/, - /WSGIProcessGroup identity$/, - %r{WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}, - %r{ErrorLog /var/log/apache2/identity.log$}, - %r{CustomLog /var/log/apache2/identity_access.log combined$}, - %r{WSGISocketPrefix /var/lock$}, - ].each do |line| - it do - expect(chef_run).to render_file(file).with_content(line) - end - end - - context 'custom_template_banner' do - cached(:chef_run) do - node.override['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value' - runner.converge(described_recipe) - end - [ - /^custom_template_banner_value$/, - ].each do |line| - it do - expect(chef_run).to render_file(file).with_content(line) - end - end - end - - [ - /SSLEngine On$/, - /SSLCertificateFile/, - /SSLCertificateKeyFile/, - /SSLCACertificatePath/, - /SSLCARevocationPath/, - /SSLCARevocationCheck/, - /SSLCertificateChainFile/, - /SSLProtocol/, - /SSLCipherSuite/, - /SSLVerifyClient/, - ].each do |line| - it do - expect(chef_run).not_to render_file(file).with_content(line) - end - end - - context 'Enable SSL' do - let(:file) { '/etc/apache2/sites-available/identity.conf' } - cached(:chef_run) do - node.override['openstack']['identity']['ssl']['enabled'] = true - runner.converge(described_recipe) - end - [ - /SSLEngine On$/, - 
%r{SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$}, - %r{SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$}, - %r{SSLCACertificatePath /etc/keystone/ssl/certs/$}, - /SSLProtocol All -SSLv2 -SSLv3$/, - ].each do |line| - it do - expect(chef_run).to render_file(file).with_content(line) - end - end - [ - /SSLCARevocationPath/, - /SSLCARevocationCheck/, - /SSLCertificateChainFile/, - /SSLCipherSuite/, - /SSLVerifyClient require/, - ].each do |line| - it do - expect(chef_run).not_to render_file(file).with_content(line) - end - end - context 'Enable ca_revocation_path, chainfile, ciphers & cert_required' do - cached(:chef_run) do - node.override['openstack']['identity']['ssl']['enabled'] = true - node.override['openstack']['identity']['ssl']['ca_revocation_path'] = '/etc/keystone/ssl/crl.d' - node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem' - node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value' - node.override['openstack']['identity']['ssl']['cert_required'] = true - runner.converge(described_recipe) - end - [ - %r{SSLCARevocationPath /etc/keystone/ssl/crl.d$}, - /SSLCARevocationCheck chain$/, - %r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$}, - /SSLCipherSuite ciphers_value$/, - /SSLVerifyClient require$/, - ].each do |line| - it do - expect(chef_run).to render_file(file).with_content(line) - end - end - end - end - end - end - end -end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb deleted file mode 100644 index ec22953..0000000 --- a/spec/spec_helper.rb +++ /dev/null 
@@ -1,96 +0,0 @@ -require 'chefspec' -require 'chefspec/berkshelf' - -RSpec.configure do |config| - config.color = true - config.formatter = :documentation - config.log_level = :warn - config.file_cache_path = '/var/chef/cache' -end - -REDHAT_7 = { - platform: 'redhat', - version: '7', -}.freeze - -REDHAT_8 = { - platform: 'redhat', - version: '8', -}.freeze - -ALL_RHEL = [ - REDHAT_7, - REDHAT_8, -].freeze - -UBUNTU_OPTS = { - platform: 'ubuntu', - version: '18.04', -}.freeze - -# Helper methods -module Helpers - # Create an anchored regex to exactly match the entire line - # (name borrowed from grep --line-regexp) - # - # @param [String] str The whole line to match - # @return [Regexp] The anchored/escaped regular expression - def line_regexp(str) - /^#{Regexp.quote(str)}$/ - end -end - -shared_context 'identity_stubs' do - before do - allow_any_instance_of(Chef::Recipe).to receive(:rabbit_servers) - .and_return('rabbit_servers_value') - allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers) - .and_return([]) - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('db', anything) - .and_return('') - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('user', anything) - .and_return('') - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('user', 'guest') - .and_return('guest') - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('user', 'user1') - .and_return('secret1') - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('user', 'identity_admin') - .and_return('identity_admin_pass') - stub_command('/usr/sbin/apache2 -t') - allow_any_instance_of(Chef::Recipe).to receive(:search_for) - .with('os-identity').and_return( - [{ - 'openstack' => { - 'identity' => { - 'admin_tenant_name' => 'admin', - 'admin_user' => 'admin', - }, - }, - }] - ) - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('user', 'admin') - .and_return('admin') - 
allow_any_instance_of(Chef::Recipe).to receive(:secret) - .with('secrets', 'credential_key0') - .and_return('thisiscredentialkey0') - allow_any_instance_of(Chef::Recipe).to receive(:secret) - .with('secrets', 'credential_key1') - .and_return('thisiscredentialkey1') - allow_any_instance_of(Chef::Recipe).to receive(:secret) - .with('secrets', 'fernet_key0') - .and_return('thisisfernetkey0') - allow_any_instance_of(Chef::Recipe).to receive(:secret) - .with('secrets', 'fernet_key1') - .and_return('thisisfernetkey1') - allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url) - .with('identity') - .and_return('rabbit://openstack:mypass@127.0.0.1:5672') - stub_command("[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]").and_return(true) - end -end diff --git a/templates/default/cloud_config.erb b/templates/default/cloud_config.erb deleted file mode 100644 index d144882..0000000 --- a/templates/default/cloud_config.erb +++ /dev/null @@ -1,12 +0,0 @@ ---- -clouds: - <%= @cloud_name %>: - auth: - username: <%= @user %> - user_domain_name: <%= @user_domain_name %> - password: <%= @password %> - project_name: <%= @project %> - project_domain_name: <%= @project_domain_name %> - auth_url: <%= @identity_endpoint %> - identity_api_version: 3 - region_name: <%= node['openstack']['region'] %> diff --git a/templates/default/keystone-paste.ini.erb b/templates/default/keystone-paste.ini.erb deleted file mode 100644 index 9a36edb..0000000 --- a/templates/default/keystone-paste.ini.erb +++ /dev/null 
@@ -1,73 +0,0 @@ -<%= node['openstack']['identity']['custom_template_banner'] %> - -# Keystone PasteDeploy configuration file. - -[filter:debug] -use = egg:oslo.middleware#debug - -[filter:request_id] -use = egg:oslo.middleware#request_id - -[filter:build_auth_context] -use = egg:keystone#build_auth_context - -[filter:token_auth] -use = egg:keystone#token_auth - -[filter:json_body] -use = egg:keystone#json_body - -[filter:cors] -use = egg:oslo.middleware#cors -oslo_config_project = keystone - -[filter:http_proxy_to_wsgi] -use = egg:oslo.middleware#http_proxy_to_wsgi - -[filter:healthcheck] -use = egg:oslo.middleware#healthcheck - -[filter:ec2_extension] -use = egg:keystone#ec2_extension - -[filter:ec2_extension_v3] -use = egg:keystone#ec2_extension_v3 - -[filter:s3_extension] -use = egg:keystone#s3_extension - -[filter:url_normalize] -use = egg:keystone#url_normalize - -[filter:sizelimit] -use = egg:oslo.middleware#sizelimit - -[filter:osprofiler] -use = egg:osprofiler#osprofiler - -[app:public_service] -use = egg:keystone#public_service - -[app:service_v3] -use = egg:keystone#service_v3 - -[pipeline:api_v3] -pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %> - -[app:public_version_service] -use = egg:keystone#public_version_service - -[pipeline:public_version_api] -pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service - -[composite:main] -use = egg:Paste#urlmap -/v3 = api_v3 -/ = public_version_api - -<% if node['openstack']['identity']['misc_paste'] %> -<% node['openstack']['identity']['misc_paste'].each do |m| %> -<%= m %> -<% end %> -<% end %> - diff --git a/templates/default/openrc.erb b/templates/default/openrc.erb deleted file mode 100644 index d54cb82..0000000 --- a/templates/default/openrc.erb +++ /dev/null 
@@ -1,18 +0,0 @@ -<%= node['openstack']['identity']['custom_template_banner'] %> - -# COMMON OPENSTACK ENVS -export OS_USERNAME=<%= @user %> -export OS_USER_DOMAIN_NAME=<%= @user_domain_name %> -export OS_PASSWORD=<%= @password %> -export OS_PROJECT_NAME=<%= @project %> -export OS_PROJECT_DOMAIN_NAME=<%= @project_domain_name %> -export OS_IDENTITY_API_VERSION=3 -export OS_AUTH_URL=<%= @identity_endpoint %> -export OS_REGION_NAME=<%= node['openstack']['region'] %> - -<% if node['openstack']['misc_openrc'] %> -# Misc options -<% node['openstack']['misc_openrc'].each do |m| %> -<%= m %> -<% end %> -<% end %> diff --git a/templates/default/wsgi-keystone.conf.erb b/templates/default/wsgi-keystone.conf.erb deleted file mode 100644 index d29f2ca..0000000 --- a/templates/default/wsgi-keystone.conf.erb +++ /dev/null 
@@ -1,40 +0,0 @@ -<%= node['openstack']['identity']['custom_template_banner'] %> - -:<%= @server_port %>> - WSGIDaemonProcess identity processes=5 threads=1 user=<%= @user %> group=<%= @group %> display-name=%{GROUP} - WSGIProcessGroup identity - WSGIScriptAlias / <%= @server_entry %> - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - - ErrorLogFormat "%{cu}t %M" - ErrorLog <%= @log_dir %>/identity.log - CustomLog <%= @log_dir %>/identity_access.log combined - - - Require all granted - - <% if node['openstack']['identity']['ssl']['enabled'] -%> - - SSLEngine On - SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %> - SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %> - SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %> - <% if node['openstack']['identity']['ssl']['ca_revocation_path'] %> - SSLCARevocationPath <%= node['openstack']['identity']['ssl']['ca_revocation_path'] %> - SSLCARevocationCheck chain - <% end -%> - <% if node['openstack']['identity']['ssl']['chainfile'] %> - SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %> - <% end -%> - SSLProtocol <%= node['openstack']['identity']['ssl']['protocol'] %> - <% if node['openstack']['identity']['ssl']['ciphers'] -%> - SSLCipherSuite <%= node['openstack']['identity']['ssl']['ciphers'] %> - <% end -%> - <% if node['openstack']['identity']['ssl']['cert_required'] -%> - SSLVerifyClient require - <% end -%> - <% end -%> - - -WSGISocketPrefix <%= @run_dir %>