Commit Graph

97 Commits

Author SHA1 Message Date
Zuul b6edfda344 Merge "Drop all remaining logics for certificate resources" 2024-03-08 16:18:59 +00:00
Douglas Mendizábal 8f92d6f508 Update devstack plugin for Secure RBAC
This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.

The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.

Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
2024-03-01 14:09:27 -05:00
Takashi Kajinami 9833751613 Drop all remaining logics for certificate resources
Since we removed certificate order, we no longer have to maintain
these logics.

This also removes the release note for deprecation of symantec
certificate plugin, which was added during this cycle, because
the plugin is also being removed by this change.

Change-Id: I8e901024677e889d05ad8653389fb46487bc7745
2024-02-27 23:33:47 +09:00
Zuul 90a1d5cc55 Merge "Add tempest to devstack how-to" 2023-10-14 20:52:15 +00:00
Tobias Urdin 100c8d078a Bump Hashicorp Vault version to 1.13.2
We are currently testing with a very old version
and we should try with a newer one.

Change-Id: I8f6a1d80734c782f2da08a0b196342fe05fdbd3d
2023-05-29 15:05:39 +02:00
Douglas Mendizábal a54f18af5f Add tempest to devstack how-to
Depends-On: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
Change-Id: I6fa1ec351a6b7ee22df213bb2c2a62bead7a055d
2023-05-25 14:04:17 +00:00
Douglas Mendizábal 33d42acb04 Update devstack plugin installation doc
This patch updates the installation doc for the devstack plugin.  It
also removes the Vagrant option as it has not been maintained in quite
some time.

Change-Id: I97fc2fac0cb29b1059b668bbe817a2778a8a4a70
2022-09-23 15:56:47 +00:00
Alan Bishop b8b83a16fa devstack: make create_barbican_accounts idempotent
Make devstack's create_barbican_accounts function idempotent by
using get_or_create_XXX functions to configure resources (users,
roles, endpoints, etc.).

This avoids problems in situations such [1], where the cinder service
needs the "creator" role. Cinder ends up creating the role first,
which would cause create_barbican_accounts to subsequently fail if
barbican assumes that it will create the role.

[1] Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d

Change-Id: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
2022-08-11 09:43:59 -07:00
Zuul 4c479ebb50 Merge "Drop configure_keystone_authtoken_middleware function" 2020-08-25 14:26:48 +00:00
Jens Harbott 4b52ae7e54 devstack: Honor SERVICE_PROTOCOL for endpoints
When the tls-proxy service is enabled, all endpoints should be accessed
via https.

Change-Id: Ia96ab003d1651170f11ede1d9cbc3579639565b3
2020-08-10 08:26:08 +02:00
Jens Harbott 6b568e3c2d Drop configure_keystone_authtoken_middleware function
The configure_auth_token_middleware function has been deprecated for some time,
see [0], replace it with configure_keystone_authtoken_middleware.

There no longer is a need for an AUTH_CACHE_DIR since keystone removed PKI
support.

[0] Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610

Change-Id: I1507cb04e812cd94c77828fe53c22200aed045b4
2020-08-07 09:09:45 +00:00
Douglas Mendizábal b8266ef402 Use Zuulv3 devstack jobs
This patch updates the gate jobs to stop using legacy
jobs and use the new Zuul v3 jobs instead.

The tempest tests will be re-enabled in a future patch.

Depends-On: I5d2bda5e653ee5d7c17cb7697247802916bdc5f7
Change-Id: Id91f44e8053cf4f40224959021d43736d5525107
2020-04-27 16:41:20 -05:00
Lingxian Kong ce0ab70429 Improve devstack script for vault plugin
- Clean up vault related things before starting new screen session
- Add the clean up functions in the cleanup stage

Change-Id: I6e291a975755491927a971b7c3bf97e5dabafa05
2019-12-14 22:48:43 +13:00
Luigi Toscano 646a0360b9 Fix the barbicanclient installation not from source
- follow the standard installation pattern for barbicanclient:
  only clones if it is installed from source. This way it is
  possible to install and test barbicanclient from pip
  by default, additional jobs can simply add it
  to required-projects;
- define the repository metadata using the GIT* arrays.
  They are also defined by stackrc, but they should be probably
  removed from there;
- remove the useless call of configure_barbicanclient (the same
  steps are already performed by install_barbicanclient).
  Going forward, configure_barbicanclient can be removed

Change-Id: Iea1cd3f82c3b38f03f91b0191846e1ddbbfb1d6c
2019-10-22 18:12:27 +02:00
Brian Haley 2a6fc155d2 Start using the f29 nodeset
The dogtag pki python module has been moved to Python 3 in
Fedora 29.  This patch also fixes a few Python 3
compatibility issues in the DogTag backend plugin.

Unfortunately, there is a bug in the dogtag pki module
that must be fixed before the gate will pass. [1]

This patch temporarily makes the DogTag gate non-voting
to unblock the gate while we wait for a fix from the
DogTag maintainers.

[1] https://pagure.io/dogtagpki/issue/3108

Depends-on: https://review.opendev.org/#/c/662529/
Change-Id: Iaa7a535c410c726fa8e7346c2ef775fbaf58eb61
2019-09-18 12:15:53 -05:00
zhulingjie 2b99217219 Replace git.openstack.org URLs with opendev.org URLs
Change-Id: If528c06d9d5ff84d9d7df8ce946a46012d148417
2019-05-23 12:50:09 +08:00
Le Hou 28405cb046 Update to opendev
Change-Id: I0d079752c19cba21be6f02caa1aed9b917999495
2019-04-23 15:35:42 +08:00
Zuul 9499e27c22 Merge "Add venv support to the devstack plugin" 2019-03-07 07:40:59 +00:00
ghanshyam b4fe45496c Set Tempest's service_availability setting for Barbican
Tempest's service_available config option includes all the service
availability which is further used by tests to take decision of skip
or run the test.

For example, [service_available].barbican is true then, barbican test will run
or if [service_available].barbican is false then, all barbican related tests either
in barbican tempest plugin or any other plugins[1] will be skipped.

So it is important that when barbican is installed via devstack plugin then,
it set the service_available.barbican value to True in tempest conf.

This commit add the setting of barbican service[2] on barbican devstack plugin.

Related-Bug: #1743688
Related-Bug: #1817154

[1] 0a0f9b342a/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py (L53)
[2] 123dd7d416/barbican_tempest_plugin/config.py (L18)

Change-Id: I7fd60d48802cc5e9071c39eaeb83351bec36cc41
2019-02-26 12:04:43 +00:00
Adam Harwell 31bc8d0596 Add venv support to the devstack plugin
Change-Id: Ie550297be682b2cfe7c1b2dd4a37b8d855394709
2019-02-21 15:10:16 -08:00
Tim Burke 5ca3ca0240 Workaround for failing gates
Work with 389-ds-base-1.4.0.20.  Following
https://pagure.io/389-ds-base/c/4fd73c5 `dscreate fromfile`
got renamed to `dscreate from-file`.

Save dogtag server files for future debug.

Removed pip install of dogtag-pki which installed old Dogtag client code.

Temporarily skipping paging tests and making grenade non-voting.

Change-Id: I4bbc3d39c8d4a3591374e5c4a733a987f001a896
2019-01-14 17:55:36 -06:00
Miriam Yumi 947aa6e1de Fix tempest_roles for devstack plugin
Currently the devstack plugin sets creator role for tempest user, but it may
conflict with other roles already set to that configuration key. This patch
adds the creator role to the list of roles instead of replacing its value.

Change-Id: I8bdfc31bb2baeabe1d599ea6e9be3c473531f8b6
2018-09-21 15:05:31 -03:00
Ade Lee 9298413ab1 Revise diretory server install commands
The Dogtag gate is broken because the directory server install
commands have changed.  Fix gate script to use the newer commands.

Change-Id: I546c324ddfb9d156f38a963d6d47b9562e1caed6
2018-08-22 14:54:04 -04:00
Lingxian Kong 960371a83b Use absolute path for vault root token file in devstack
I met with the following error when I was installing lastest version
devstack for Barbican:

+++ /opt/stack/barbican/devstack/lib/barbican:configure_vault_plugin:613 :   cat vault_root_token_id
cat: vault_root_token_id: No such file or directory

Change-Id: Iaf81c6bf8ac42048b138360151f7df8fe70bc0cd
2018-08-14 19:55:31 +12:00
Paul Belanger 1705cbdd95 Switch to fedora-latest for testing
This bumps testing on fedora to 28, it also allows openstack-infra in
the future to make changes to fedora much easier.

Also, Dogtag now pulls in python3-requests, so no need to remove the
pip installed python2-requests, which is needed by keystone-manage.

Change-Id: I7635f039848f8c3ab052f339344bb1cb8ea4aecd
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-08-08 17:16:26 -04:00
Lingxian Kong 51ad51477b Fix getting secret for vault plugin
The following related tests in 'barbican-vault-devstack-functional' jenkins
job should pass with this patch:

test_secret_get_nones_payload_with_a_octet_stream
test_secret_create_defaults_valid_types_and_encoding
test_secret_create_with_secret_type

This patch also enables kv version 1 in Vault, otherwise the Vault API
interaction in castellan will fail.

Change-Id: Id3b2503b2adb4f1f5eff55bb22f41d904232c284
Story: 2002976
Task: 22984
2018-07-26 22:34:16 +12:00
Lingxian Kong adf96a06e9 Enable vault devstack functional test by default
Update the vault to latest release(0.10.3).

I can volunteer to be the vault plugin maintainer.
my IRC name: lxkong
my email address: anlin.kong@gmail.com

Change-Id: Iff05d55545da258c40bf101279510d37b6996d45
2018-07-24 10:51:51 +12:00
Zuul 4c057e35eb Merge "Add devstack gate for vault" 2018-06-07 01:00:27 +00:00
Nam Nguyen Hoai ee204e0cd2 Update the version of Ubuntu
In the Vagrantfile, it still using trusty64. It is
too old and it should be updated to Ubuntu16.04

Change-Id: I83477eeb40db5c9da2e9ab9cdfb9b31a176800e9
2018-05-30 10:09:00 +07:00
Ade Lee c0d95d4a5c Add devstack gate for vault
Change-Id: I49a646fff88160bda7177d8992d0bdebe6866904
2018-05-22 23:32:22 -07:00
Zuul ffee588a21 Merge "Set debug mode according to ENABLE_DEBUG_LOG_LEVEL" 2018-04-16 20:06:03 +00:00
Jeremy Liu aff00f016b Configure control_exchange to match keystone
keystone is using 'keystone' as default control_exchange [1], barbican needs
to match the value so it could consume related events notifications.

[1] https://github.com/openstack/keystone/blob/master/keystone/conf/__init__.py#L90

Change-Id: I16c0fb7e79545268b058eb6fd1a006a04e3fb61b
2018-04-13 15:53:28 +08:00
Ade Lee 7061d65ca9 Initialize db for Barbican Keystone listener
Barbican keystone listener needs to have its db initialized.
Also adding barbican-keystone-listener to run in devstack.
Functional tests will be added in a subsequent commit.

Change-Id: Ie80a2e67a4ed4e62326b716b4925b7d4aa39eb77
Closed-Bug: 1750333
2018-04-12 00:05:24 -04:00
Jeremy Liu ac22e24782 Remove unused broker configuration in devstack
Change-Id: I25801c1d84dfe9d92874f45f4ec236506451384c
Closes-bug: #1738376
2018-04-04 11:00:19 +08:00
ghanshyam 70aa7291f5 Remove use of unsupported TEMPEST_SERVICES variable
TEMPEST_SERVICES global variable is not supported
by devstack since long back.
- I380dd20e5ed716a0bdf92aa02c3730359b8136e4
- I9c24705e494689f09a885eb0a640efd50db33fcf

Service availability of tempest known services will be
set by devstack with local check.
- I02be777bf93143d946ccbb8e9eff637bfd1928d4

This commit removes the TEMPEST_SERVICES setting.

Change-Id: I381dbd1c2887189333463eb75363937c7509613c
Related-Bug: #1743688
2018-03-23 04:35:45 +00:00
Kaitlin Farr 2fefb2d447 Update to use new stevedore backend option
Depends-On: I87926d6c95ac82b6f74c263c7441614f80348c1e
Change-Id: Ic31870a1aa458d283dcd6bfc4eeb2ad73832c8fa
2018-03-08 00:28:54 +00:00
Nguyen Hung Phuong 430362261f Set debug mode according to ENABLE_DEBUG_LOG_LEVEL
Change-Id: Ia9ec3f12c347f04fc966eb52454469604c6c4496
2018-02-27 16:53:02 +07:00
Kien Nguyen a29f28245c Fix the grenade-devstack-barbican gate
This patch set is to update the command to
start the barbican-svc service after upgrade.

Co-Authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>

Change-Id: I237ef2df09b9fd60bc8b6eeca9ee36ce79052530
2018-02-23 13:07:47 +07:00
Jeremy Liu 73420137a6 Use default policy in code
Delete policy.json from repo since we can use policies registered
in code.

We can also change default policy rules through below steps:

  - generate policy.yaml and copy to /etc/barbican
  - configure `policy_file=policy.yaml` in `oslo_policy` section
  - uncomment rules in policy.yaml and make changes as we desire
  - restart barbican api service
  - test whether new rules take effect on corresponding API

Change-Id: Ia64eac1eb4e30457b323c6ab99d26d3d40c28060
2018-02-09 08:16:43 +00:00
Zuul a06ca26ae6 Merge "Update the documentation link for doc migration" 2017-11-14 07:51:12 +00:00
chenxing 2a58454289 Update the documentation link for doc migration
These links need to be updated due to the doc migration. Current
links are no longer effective.

Change-Id: I218995d5c8cde34286e2133a53bd7d19ae46c75d
2017-10-11 18:11:17 +08:00
Jenkins d2ab56c61c Merge "Revert "Revert "Use devstack functions for deploying barbican-svc""" 2017-10-07 19:10:33 +00:00
Kaitlin Farr cc5858c9ae Use Castellan's backend option instead of api_class
This is a mostely complete solution.  Ideally we could use the stevedore
entry point name 'barbican' instead of the full class name for cinder, but
I87926d6c95ac82b6f74c263c7441614f80348c1e needs to merge first.

Change-Id: I32ed528f585e790bc771473504ab7e4bfeb63de9
2017-09-26 12:42:06 -04:00
Dave McCowan 4ad06c1182 Add flag to allow devstack to run on f26 in gate
In Barbican stable branches, we run a gate job on Fedora 26.
devstack needs FORCE=yes flag to run on f26 for Pike and
earlier releases.

Change-Id: I9de812991c4476af4010cd6ecebb8e3c912abf52
2017-09-13 16:54:43 -06:00
Jeremy Liu bed85c63e1 Revert "Revert "Use devstack functions for deploying barbican-svc""
This reverts commit 3c6df48cbc.

Change-Id: If31494ccbce3aeddff0de6a28651a70a3e33dc65
Depends-On: Id7230198583355a83b1ee4acef3da7cde7118794
2017-09-04 08:42:19 +00:00
Kaitlin Farr 3c6df48cbc Revert "Use devstack functions for deploying barbican-svc"
Castellan unintentionally can't handle a barbican URL that has a path in
addition to the hostname, such as http://ip-address/key-manager, unless
it is followed by a forward slash (http://ip-address/key-manager/ ).  We
should either revert this change before rc1 or merge
https://review.openstack.org/#/c/491942/, make a new release of
Castellan, and beg for a change in upper-constraints for castellan to
handle the new release.

This reverts commit 508a34e23c.

Change-Id: Iceb3a5fa890d64468cd6e7f5dec297d11a274d20
2017-08-08 22:39:11 +00:00
Matthew Treinish 508a34e23c Use devstack functions for deploying barbican-svc
This commit switches barbican to use the devstack common functions for
deploying a wsgi app under uwsgi and apache. This will make the barbican
deployment consistent with the other services.

Change-Id: I8429e9a8f0db98c5f5a345190be71cae862af845
2017-08-01 17:02:55 +00:00
Nam Nguyen Hoai be955bbf27 Using openstack command
This patch updated some points that it will use
openstack command instead of barbican command.

Change-Id: I164f57eae4cc5df18bfe5a95465a617870924759
Closes-Bug: #1697333
2017-06-29 11:21:44 +07:00
Hieu LE f6489d8355 Fix grenade test related to encrypt volume/image
DevStack Ocata version and master use different default images
(Ocata:uec and master:qcow2), this will lead to tempest encrypt test
failure in grenade gate.

This patch hard-code default images in base version and will be
removed if devstack master and ocata patches are proposed.

Change-Id: I997c759fc026366fe48de9ac7e8c58941622c9cd
Co-Authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
2017-06-09 14:04:53 +07:00
Kaitlin Farr eb18c70d3b DevStack plugin set tempest options in test-config section
TEMPEST_CONFIG options should be set in the test-config section,
otherwise they get overridden.

Also adds the creator role to the tempest user.

Change-Id: I6816c1b699e140600e5bb47a251cd0788125f8d0
2017-05-23 13:14:20 -04:00