Merge "Drop admin endpoints"
commit
c8a2a909b0
|
@ -8,6 +8,7 @@
|
|||
# Copyright 2013, IBM Corp.
|
||||
# Copyright 2017, x-ion GmbH
|
||||
# Copyright 2018, Workday, Inc.
|
||||
# Copyright 2019, x-ion GmbH
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -55,19 +56,7 @@ default['openstack']['identity']['token']['backend'] = 'sql'
|
|||
# will be used (keystone-paste.ini.erb)
|
||||
default['openstack']['identity']['pastefile_url'] = nil
|
||||
|
||||
# This specify the pipeline of the keystone public API,
|
||||
# all Identity public API requests will be processed by the order of the pipeline.
|
||||
# this value will be used in the templated version of keystone-paste.ini
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
|
||||
# This specify the pipeline of the keystone admin API,
|
||||
# all Identity admin API requests will be processed by the order of the pipeline.
|
||||
# this value will be used in the templated version of keystone-paste.ini
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
|
||||
# This specify the pipeline of the keystone V3 API,
|
||||
# This specifies the pipeline of the keystone V3 API,
|
||||
# all Identity V3 API requests will be processed by the order of the pipeline.
|
||||
# this value will be used in the templated version of keystone-paste.ini
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
|
|
|
@ -38,15 +38,20 @@ auth_url = ::URI.decode identity_internal_endpoint.to_s
|
|||
admin_project = node['openstack']['identity']['admin_project']
|
||||
admin_user = node['openstack']['identity']['admin_user']
|
||||
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
|
||||
admin_role = node['openstack']['identity']['admin_role']
|
||||
admin_domain = node['openstack']['identity']['admin_domain_name']
|
||||
|
||||
# endpoint type to use when creating resources
|
||||
# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for
|
||||
# Identity operations, so we need to override this after we dropped that one
|
||||
endpoint_type = node['openstack']['identity']['endpoint_type']
|
||||
|
||||
connection_params = {
|
||||
openstack_auth_url: "#{auth_url}/auth/tokens",
|
||||
openstack_username: admin_user,
|
||||
openstack_api_key: admin_pass,
|
||||
openstack_project_name: admin_project,
|
||||
openstack_domain_id: admin_domain,
|
||||
openstack_auth_url: "#{auth_url}/auth/tokens",
|
||||
openstack_username: admin_user,
|
||||
openstack_api_key: admin_pass,
|
||||
openstack_project_name: admin_project,
|
||||
openstack_domain_id: admin_domain,
|
||||
openstack_endpoint_type: endpoint_type,
|
||||
}
|
||||
|
||||
ruby_block 'wait for identity endpoint' do
|
||||
|
@ -65,31 +70,13 @@ ruby_block 'wait for identity endpoint' do
|
|||
end
|
||||
end
|
||||
|
||||
openstack_domain 'identity' do
|
||||
connection_params connection_params
|
||||
end
|
||||
|
||||
openstack_user admin_user do
|
||||
domain_name admin_domain
|
||||
role_name admin_role
|
||||
connection_params connection_params
|
||||
action :grant_domain
|
||||
end
|
||||
|
||||
# create default service role
|
||||
openstack_role 'service' do
|
||||
connection_params connection_params
|
||||
end
|
||||
|
||||
# create default role for horizon dashboard login
|
||||
openstack_role '_member_' do
|
||||
connection_params connection_params
|
||||
end
|
||||
|
||||
node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s
|
||||
node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
|
||||
node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
|
||||
|
||||
Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}"
|
||||
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
|
||||
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
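Review bot: The `node.normal['openstack']['identity']['adminURL']` assignment appears to be dropped here, but normal attributes are saved with the node, so nodes converged before this change keep the old `adminURL` value and anything still reading it gets a stale endpoint. Consider clearing it explicitly next to the remaining assignments, e.g. `node.rm_normal('openstack', 'identity', 'adminURL')`. The new `endpoint_type` in `connection_params` is read straight from `node['openstack']['identity']['endpoint_type']`; the added NOTE explains why it is needed, and it would help to also state which value is expected there (the spec uses `'internalURL'`).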
|
||||
|
|
|
@ -170,7 +170,6 @@ end
|
|||
# set keystone config parameters for endpoints, memcache
|
||||
node.default['openstack']['identity']['conf'].tap do |conf|
|
||||
conf['DEFAULT']['public_endpoint'] = api_endpoint
|
||||
conf['DEFAULT']['admin_endpoint'] = api_endpoint
|
||||
conf['memcache']['servers'] = memcache_servers if memcache_servers
|
||||
end
|
||||
|
||||
|
@ -204,6 +203,7 @@ execute 'keystone-manage db_sync' do
|
|||
end
|
||||
|
||||
# bootstrap keystone after keystone.conf is generated
|
||||
# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed
|
||||
execute 'bootstrap_keystone' do
|
||||
command "keystone-manage bootstrap \\
|
||||
--bootstrap-password #{admin_pass} \\
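Review bot: The bootstrap command still interpolates `#{admin_pass}` into the shell string after `--bootstrap-password`, so the admin password is visible in the process list while the command runs and can appear in Chef output when the resource fails; a password containing shell metacharacters would also be reinterpreted by the shell. keystone-manage bootstrap also accepts the password through `OS_BOOTSTRAP_PASSWORD`, so the resource could pass it with `environment 'OS_BOOTSTRAP_PASSWORD' => admin_pass` and set `sensitive true`. The body of `execute 'bootstrap_keystone'` continues past the end of this hunk, so `sensitive` may already be set there.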
|
||||
|
|
|
@ -17,11 +17,8 @@ describe 'openstack-identity::registration' do
|
|||
openstack_api_key: 'admin',
|
||||
openstack_project_name: 'admin',
|
||||
openstack_domain_id: 'default',
|
||||
openstack_endpoint_type: 'internalURL',
|
||||
}
|
||||
service_user = 'admin'
|
||||
role_name = 'admin'
|
||||
admin_domain_name = 'default'
|
||||
domain_name = 'identity'
|
||||
|
||||
describe 'keystone bootstrap' do
|
||||
context 'default values' do
|
||||
|
@ -29,24 +26,6 @@ describe 'openstack-identity::registration' do
|
|||
expect(chef_run).to run_ruby_block('wait for identity endpoint')
|
||||
end
|
||||
|
||||
it "registers #{domain_name} domain" do
|
||||
expect(chef_run).to create_openstack_domain(
|
||||
domain_name
|
||||
).with(
|
||||
connection_params: connection_params
|
||||
)
|
||||
end
|
||||
|
||||
it "grants #{service_user} user to #{domain_name} domain" do
|
||||
expect(chef_run).to grant_domain_openstack_user(
|
||||
service_user
|
||||
).with(
|
||||
domain_name: admin_domain_name,
|
||||
role_name: role_name,
|
||||
connection_params: connection_params
|
||||
)
|
||||
end
|
||||
|
||||
it 'create service role' do
|
||||
expect(chef_run).to create_openstack_role(
|
||||
'service'
|
||||
|
@ -54,14 +33,6 @@ describe 'openstack-identity::registration' do
|
|||
connection_params: connection_params
|
||||
)
|
||||
end
|
||||
|
||||
it 'create service role' do
|
||||
expect(chef_run).to create_openstack_role(
|
||||
'_member_'
|
||||
).with(
|
||||
connection_params: connection_params
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -20,9 +20,7 @@ describe 'openstack-identity::server-apache' do
|
|||
project_name = 'admin'
|
||||
role_name = 'admin'
|
||||
password = 'admin'
|
||||
admin_url = 'http://127.0.0.1:5000/v3'
|
||||
public_url = 'http://127.0.0.1:5000/v3'
|
||||
internal_url = 'http://127.0.0.1:5000/v3'
|
||||
|
||||
it 'runs logging recipe if node attributes say to' do
|
||||
node.override['openstack']['identity']['syslog']['use'] = true
|
||||
|
@ -53,9 +51,9 @@ describe 'openstack-identity::server-apache' do
|
|||
--bootstrap-role-name #{role_name} \\
|
||||
--bootstrap-service-name #{service_name} \\
|
||||
--bootstrap-region-id #{region} \\
|
||||
--bootstrap-admin-url #{admin_url} \\
|
||||
--bootstrap-admin-url #{public_url} \\
|
||||
--bootstrap-public-url #{public_url} \\
|
||||
--bootstrap-internal-url #{internal_url}")
|
||||
--bootstrap-internal-url #{public_url}")
|
||||
end
|
||||
|
||||
describe '/etc/keystone' do
|
||||
|
@ -241,26 +239,13 @@ describe 'openstack-identity::server-apache' do
|
|||
let(:path) { '/etc/keystone/keystone-paste.ini' }
|
||||
|
||||
it 'has default api pipeline values' do
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:public_api',
|
||||
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
|
||||
)
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:admin_api',
|
||||
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
|
||||
)
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:api_v3',
|
||||
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
|
||||
)
|
||||
end
|
||||
it 'template api pipeline set correct' do
|
||||
node.override['openstack']['identity']['pipeline']['public_api'] = 'public_service'
|
||||
node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:public_api',
|
||||
/^pipeline = public_service$/
|
||||
)
|
||||
expect(chef_run).to render_config_file(path).with_section_content(
|
||||
'pipeline:api_v3',
|
||||
/^pipeline = service_v3$/
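Review bot: The pipeline examples now assert only the sections that are still rendered, so nothing would fail if the admin sections reappeared in keystone-paste.ini, for instance from a stale template. A negative expectation in `it 'has default api pipeline values'` would pin the removal, e.g. `expect(chef_run).not_to render_file(path).with_content(/^\[pipeline:admin_api\]/)` and the same for `/^\[composite:admin\]/`. The example `it 'template api pipeline set correct'` runs past the end of this hunk.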
|
||||
|
|
|
@ -51,42 +51,20 @@ use = egg:keystone#public_service
|
|||
[app:service_v3]
|
||||
use = egg:keystone#service_v3
|
||||
|
||||
[app:admin_service]
|
||||
use = egg:keystone#admin_service
|
||||
|
||||
[pipeline:public_api]
|
||||
pipeline = <%=node['openstack']['identity']['pipeline']['public_api'] %>
|
||||
|
||||
[pipeline:admin_api]
|
||||
pipeline = <%=node['openstack']['identity']['pipeline']['admin_api'] %>
|
||||
|
||||
[pipeline:api_v3]
|
||||
pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %>
|
||||
|
||||
[app:public_version_service]
|
||||
use = egg:keystone#public_version_service
|
||||
|
||||
[app:admin_version_service]
|
||||
use = egg:keystone#admin_version_service
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/v3 = api_v3
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/v3 = api_v3
|
||||
/ = admin_version_api
|
||||
|
||||
<% if node['openstack']['identity']['misc_paste'] %>
|
||||
<% node['openstack']['identity']['misc_paste'].each do |m| %>
|
||||
<%= m %>
|
||||
|
|