Commit Graph

103 Commits

Author SHA1 Message Date
Rodrigo Barbieri 0967f6ec4e Add cache_time for identity
This patch adds a config option to allow
configuring the cache_time for identity elements.

It is also including a complementary fix for
change I49e46e010c543f831959581b2122f59068f2c07b
that missed adjusting the correct template, and
used the wrong comparison "is not None".

Closes-bug: #2054418
Related-bug: #1771114
Change-Id: I57d376eb6c1f0f38cdd028aacf397aaf7f3a1cda
2024-03-19 16:40:19 -03:00
zhhuabj b4ee292bb6 Support disabling apache wsgi socket rotation
Bug LP 1863232 introduced a new Apache configuration option called
WSGISocketRotation which allows users to disable wsgi socket
rotation. This patch makes this configurable with a new
wsgi-socket-rotation config option that defaults to the Apache
default and can optionally be set to False.

Closes-Bug: #2021550
Change-Id: Ia5852c3ebe84bd0355670f262cbe5e1cd433a08d
2023-09-04 18:33:51 +08:00
Corey Bryant 16b009d743 Add 2023.2 Bobcat support
* sync charm-helpers to classic charms
* change openstack-origin/source default to bobcat
* add mantic to metadata series
* align testing with bobcat
* add new bobcat bundles
* add bobcat bundles to tests.yaml
* add bobcat tests to osci.yaml
* update build-on and run-on bases
* drop kinetic
* update charmcraft_channel to 2.x/stable

Change-Id: I6893deebdd105fb794dc06907b9366354d3e4ce0
2023-08-02 14:18:10 -04:00
Edward Hope-Morley 0cb787bb9d Make role-cache-expiration configurable
We use a default expiration_time (dogpile-expiration-time)
of 600s which means that role assignments will take up to
this amount of time before all caches are updated to
reflect changes. This may not be suitable for some clouds
that make frequent changes to role assignments and lowering
the global value is not recommended so this overrides the
[role] cache_time to a more appropriate value and also
makes it configurable. We leave default value as None so
that the global value is still inherited but this at least
allows it to be customised.

Change-Id: I49e46e010c543f831959581b2122f59068f2c07b
Closes-Bug: #1771114
2023-06-09 16:29:59 +01:00
Corey Bryant 645ee87686 Add Antelope support
* sync charm-helpers to classic charms
* change openstack-origin/source default to antelope
* align testing with antelope
* add new antelope bundles
* add antelope bundles to tests.yaml
* add antelope tests to osci.yaml and .zuul.yaml
* update build-on and run-on bases

Change-Id: Iae257f880194aebfd8ba3002b7cf74a84fcfb9c9
2023-03-07 19:07:12 +00:00
Arif Ali b5c4eb2eae Add auth_ttl into keystone.conf
There is a requirement for some end users where we need to specify
auth_ttl to a higher level. This should help with these users

Change-Id: Ifd515d7c103a6b24c4f5da500442406f04fb372f
2023-01-19 08:09:53 +00:00
Corey Bryant 29d03fc673 Add Kinetic and Zed support
* sync charm-helpers to classic charms
* change openstack-origin/source default to zed
* align testing with zed
* add new zed bundles
* add zed bundles to tests.yaml
* add zed tests to osci.yaml and .zuul.yaml
* update build-on and run-on bases
* add bindep.txt for py310
* sync tox.ini and requirements.txt for ruamel
* use charmcraft_channel 2.0/stable
* drop reactive plugin overrides
* move interface/layer env vars to charmcraft.yaml

Change-Id: Idf4a6cd1e0888576f890b00aa5b343936900d6dd
2022-08-26 18:40:36 +00:00
Hemanth Nakkina f5d9b9ed40 New option default_authorization_ttl
Add new option default_authorization_ttl used for
federation to set validity of group memberships
coming from a mapping.

Closes-Bug: #1970388
Change-Id: I4a8dbc501e14d1201ceed27077554924c56e3abd
2022-05-16 12:05:15 +05:30
Alex Kavanagh 7508c6104e Updates to enable jammy and finalise charmcraft builds
- Add 22.04 to charmcraft.yaml
- Update metadata to include jammy
- Remove impish from metadata
- Update osci.yaml to include py3.10 default job
- Modify tox.ini to remove py35,py36,py37 tox target and add py310
  target.
- ensure that the openstack-origin is yoga

Change-Id: I82a3ae55422e0871bddf37debf1089c9a9a3e843
2022-04-05 15:11:41 +01:00
Corey Bryant 152e5b6cfe Support configurable dogpile cache expiration
The [cache]/expiration_time currently caches items for the default
of 600s and is not configurable via the charm. This change adds a
dogpile-cache-expiration config option that will default to 600s
so as not to cause any behavior changes by default.

Closes-Bug: #1899117
Change-Id: I639b2b77d5db69744897b6798613a797d05fe23b
Co-authored-by: Chris MacNaughton <chris.macnaughton@canonical.com>
2021-04-07 09:05:09 +02:00
Nobuto Murata 3643aa963c Update worker-multiplier config description
Based on the change in charm-helpers:
https://github.com/juju/charm-helpers/pull/553

Related-Bug: #1843011
Change-Id: Ie43e23d9f70cd03a7dc96471874bbbc96b1f7bbb
2021-03-30 11:11:47 +09:00
Peter Matulis f111b5bdaf Review README
General review.

Apply README template.

Minor correction in config.yaml

Change-Id: Ib5fe0f25b9f02a0f808b0441d6c2e0f4ea217167
2020-11-25 11:54:13 -05:00
Liam Young 57b9d62aaf Make catalog-cache-expiration configurable
Expose catalog-cache-expiration which can be used to specify how
long catalogue entries will be cached for. In addition inform
charms that receive notifications of endpoint changes what this
setting is.

Change-Id: I3ce72efc5bd96c987748f66a275f92941daa8fe5
2020-09-29 15:59:38 +00:00
Frode Nordahl 0a02c30fe5 Replace use of admin_token with Keystone bootstrap
Stop the use of the admin_token and use the bootstrap process
to initialize Keystone instead.  Fortunately the implementation
of the bootstrap process is both idempotent when it needs to be
and it can be safely called on an existing deployment.

Subsequently we can migrate by just removing the admin_token
from the configuration and create new credentials for use by
the charm with a call to ``keystone-manage bootstrap``.

Remove configuration templates for versions prior to Mitaka, by
doing this we need to move any configuration initially defined
prior to Mitaka forward to the ``templates/mitaka`` folder.

A side effect of this migration is that newly bootstrapped
deployments will get their ``default`` domain created with a
literal ID of ``default``.  Prior to this change third party
software making assumptions about that being the case may have
had issues.

Closes-Bug: #1859844
Closes-Bug: #1837113
Related-Bug: #1774733
Closes-Bug: #1648719
Closes-Bug: #1578678
Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/191
Change-Id: I23940720c24527ee34149f035c3bdf9ff54812c9
2020-03-13 09:52:10 +01:00
Alex Kavanagh e83cb05bf8 Implement Security Compliance option for password
This feature adds a "password-security-compliance" option to the
charm to enable setting of keys in the "[security_compliance]" section
of the keystone.conf file.  This section was added in the Newton
release, and so this feature supports this from the Newton release.

It also protects the service accounts from two of the PCI-DSS options
by setting the user options 'ignore_password_expiry' and
'ignore_change_password_upon_first_use' to True to prevent the cloud
from being broken.

Change-Id: If7c54fae73188284bd9b03a53626cdf52158b994
Closes-Bug: #1776688
2020-02-05 18:10:12 +00:00
Alex Kavanagh 186769cc05 Policyd override implementation
This patchset implements policy overrides for keystone.  It uses the
code in charmhelpers.

Closed-Bug: #1741723
Change-Id: I187f4493392178d87ef7dbd67de841bbeae0c65d
2019-10-07 20:31:02 +01:00
Zuul e472adaf2f Merge "Cleanup `README.md`, `config.yaml` and `templates/`" 2018-08-17 06:16:41 +00:00
Alex Kavanagh b813360bf6 Keystone Fernet Token implementation
This patchset adds more Fernet token implementation:

1. Adds a cron job to rotate / sync keys to other units.
2. Adds additional tests around gating on config.
3. Adds rotation / syncing with more robust key handling.

Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-14 08:35:43 +02:00
Frode Nordahl 1985c16033 Cleanup `README.md`, `config.yaml` and `templates/`
Remove configuration options which no longer have effect
(the supporting code has been removed).

Update and fix formatting of `README.md`.

Remove templates for no longer supported OpenStack releases.

Change-Id: Ibbda87738d98f6ad97da212ad1b56be88b33e9a3
2018-08-02 13:50:29 +02:00
Frode Nordahl 1e991dc28b Add initial support for Fernet tokens
Starting OpenStack Rocky the currently used `uuid` token format
is no longer supported and we need to change to use `fernet` tokens.

This change provides basic functionality to initialize fernet token
repository and distribute keys to non-leader units.

A configuration option is also added allowing change of token format
in a controlled manner prior to upgrading to OpenStack Rocky.

Further work is required to implement key rotation, actions etc. and
these topics will be addressed in separate commits.

The commit also fixes an instance of missing release check for writing
of `policy.json`, and a few places where writing of `policy.json`
previously was omitted.

Change-Id: I1d0ff22a5f091b02f5700412745572c246103e9e
2018-07-25 15:23:47 +02:00
Zuul 1741c597bc Merge "add instructions to config on how to retrieve an auto-generated pw" 2018-05-16 06:47:05 +00:00
Frode Nordahl a66dfe1186 Add deprecation notices for old SSL options in config.yaml...
Specifically for... `enable-pki`, `https-service-endpoints` and
`use-https`.

Change-Id: Ica2dfc39dc550b1aa43e178ae29fb333eeaca572
2018-05-14 14:31:34 +02:00
Neiloy Mukerjee 329c2c880e Document archive key usage for openstack-origin
An arbitrary repository can currently be specified, but it was not yet
made clear in the documentation that a corresponding public key for
accessing this repository could be added. This change specifies that
under the description for the openstack-origin option. Public key can
be added by appending to the deb url, so the below example would work:
juju set openstack-origin nova-compute openstack-origin="deb http://ppa.launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1"

Change-Id: I262a2164d4f7b37b4185bdee650371de7be50a55
Closes-Bug: 1503440
2018-05-10 15:21:54 +00:00
Vern Hart 9073c5e3d7 add instructions to config on how to retrieve an auto-generated pw
Change-Id: I606fc94f1c113d6429016ea9450aeb4bc103a313
Signed-off-by: Vern Hart <v-openstack@vern.com>
2018-05-03 12:22:59 +00:00
Corey Bryant 3384ddcb87 Update SSL/https documentation
The README documentation implies that use-https and
https-service-endpoints are required when enabling SSL/https
with your own CA, SSL cert, and key. Update the README and
config.yaml to explain that config options use-https and
https-service-endpoints should not be set when using ssl_*
config options.

Change-Id: I2e0140f909ef2c57182895f37cf191b6bc80157b
Closes-Bug: #1754682
2018-03-12 14:21:04 -04:00
Zuul 2ba8a56a59 Merge "Remove deploy from source support" 2018-01-12 14:42:43 +00:00
James Page e8f1fdd8a1 Remove deploy from source support
Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a
2018-01-12 10:42:25 +00:00
James Page 1db0949c25 Add OpenStack Queens support
Keystone@Queens removes support for the v2 API; switch default
to v3 API from Queens onwards and ensure that charm users can
only provide 3 as via the preferred-api-version for >= Queens.

Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b
2017-12-18 10:23:53 +00:00
David Ames e1ac46f342 Update HAProxy default timeout values
The default HAProxy timeout values are fairly strict. On a busy cloud
it is common to exceed one or more of these timeouts. The only
indication that HAProxy has exceeded a timeout and dropped the
connection is errors such as "BadStatusLine" or "EOF." These can be
very difficult to diagnose when intermittent.

This charm-helpers sync pulls in the change to update the default
timeout values to more real world settings. These values have been
extensively tested in ServerStack. Configured values will not be
overridden.

Partial Bug: #1736171

Change-Id: I973962a5c1538b0d9afbebea8cebf50d938ecfb5
2017-12-11 11:37:02 -08:00
Shane Peters cebfa7f74d Cleanup config.yaml
Change-Id: I62d6452cf1372afeb99a1e1d9fb8d90adaf8909d
2017-06-14 11:10:11 +01:00
James Page 21a4e5beb1 Cap workers in containers, fix admin/public skew
Resync charm-helpers to pickup the latest code for calculation
of worker process configuration, creating better default
worker configuration when deploying in LXD containers.

Switch the skew between public and admin processes to favour
public 0.75/0.25 as the public API endpoints of a service will
typically get a larger number of hits.

Fixup unit test for minor behavioural change in charm-helpers.

Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c
Closes-Bug: 1665270
Closes-Bug: 1686049
2017-04-26 11:43:14 +01:00
Edward Hope-Morley afd9e8badb Fix https config descriptions
Also fix and improve the README on https in the keystone charm.

Change-Id: I42e12d8d0c159e9f2d66523b17d144c1e912e676
Closes-Bug: 1647193
2017-02-13 11:23:52 +00:00
Ryan Beisner 6cd819aa3c Update amulet test definitions for Newton
- Remove Precise-Icehouse Amulet test definitions if they exist.

- Add Xenial-Newton Amulet test definitions.

- Add Yakkety-Newton Amulet test definitions.

- Use the percona-cluster charm in tests instead of the mysql charm.

Change-Id: Ia4c324b6fedec1dc607062a89eea7595d43c0060
2016-10-10 20:54:17 -05:00
Jenkins 9f77f74a97 Merge "Change worker-multiplier to float" 2016-07-14 09:37:22 +00:00
Corey Bryant 33953f67a6 Enable API to run under apache2 when deployed from source.
The keystone charm runs the keystone API under apache2 for liberty
and above. This patch enables the keystone API to run under apache2
when deployed from source for liberty and above.

Change-Id: I5eccf38aad9668248f4f94523d61f7bd40ed5c30
2016-07-13 19:25:35 +00:00
Billy Olsen 4ab385f62f Change worker-multiplier to float
Change the worker-multiplier to a floating point config option type
instead of integer. This allows users to specify workers to be less
than the number of CPUs, which is useful in deployments with multiple
services deployed into containers on top of bare metal.

The fix is to simply change the config option type and to sync in
the necessary update from lp:charm-helpers.

Partial-Bug: #1602444

Change-Id: I534165aa2fc45a28f6b3f3bb2f708789daf5ba8c
Signed-off-by: Billy Olsen <billy.olsen@gmail.com>
2016-07-12 16:39:56 -07:00
David Ames b032915cb1 DNS HA
Implement DNS high availability. Pass the correct information to
hacluster to register a DNS entry with MAAS 2.0 or greater rather
than using a virtual IP.

Charm-helpers sync to bring in DNS HA helpers

Change-Id: I62bb49fbaebdd3c787f96f4b6ad107f8e3e368a7
2016-06-23 09:15:49 +01:00
Corey Bryant df578e943b Add defaults for openstack-origin-git config option
openstack-origin-git currently only supports YAML that specifies
the git repositories to deploy from.

This adds support for default openstack-origin-git values. The
default values supported are: icehouse, kilo, liberty, mitaka,
and master.  For example: openstack-origin-git=master.

Change-Id: I03839dc0abfb7465578cbb4eedfdab5043d053e6
2016-06-16 14:30:18 +00:00
Billy Olsen ec9f5ddfeb Add hardening support
Add charmhelpers.contrib.hardening and calls to install,
config-changed, upgrade-charm and update-status hooks. Also
add new config option to allow one or more hardening
modules to be applied at runtime.

Change-Id: I5f85699adcb5c37ffcda971a3ed5f1f965fd7fb6
2016-03-24 13:17:48 +00:00
Liam Young c283a1c922 Enable Keystone v3 API
This change enables the Keystone v3 api. It can be toggled on and off via the
preferred-api-version option.

When services join the identity-service relation they will be presented with a
new parameter api_version which is the maximum api version the keystone charm
supports and matches what was set via preferred-api-version.

If preferred-api-version is set to 3 then the charm will render a new
policy.json which adds support for domains etc when keystone is checking
authorisation. The new policy.json requires an admin domain to be created and
specifies that a user is classed as an admin of the whole cloud if they have
the admin role against that admin domain.

The admin domain, called admin_domain, is created by the charm. The name of
this domain is currently not user configurable. The role that enables a user to
be classed as an admin is specified by the old charm option admin-role. The
charm grants admin-role to the admin-user against the admin_domain.

Switching a deployed cloud from preferred-api-version 2 to
preferred-api-version 3 is supported. Switching from preferred-api-version 3 to
preferred-api-version 2 should work from the charm point of view but may cause
problems if there are duplicate users between domains or may have unintended
consequences like escalating the privilege of some users so is not recommended.

Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3
2016-03-09 11:05:33 +00:00
James Page d80c7fefb0 change string debug and verbose to boolean 2016-02-18 09:59:57 +00:00
David Ames 5844751e01 Fix lp:1522130 Add sane haproxy timeout defaults and make them configurable. 2015-12-03 14:47:11 -08:00
Seyeong Kim 4f82079aa9 change string debug and verbose to boolean
LP#1398783
2015-10-21 23:54:06 +00:00
Corey Bryant 80dccdd02b Action-managed upgrade support. 2015-10-07 12:20:36 -04:00
Corey Bryant 8e740785a9 Fix lint error in config.yaml 2015-07-17 01:29:31 +00:00
Edward Hope-Morley db4d39dc52 [trivial] Cleanup config.yaml
Partially-Closes-Bug: 1473426
2015-07-10 15:14:30 +01:00
Corey Bryant c9393bb3c3 [billy-olsen,r=corey.bryant] Provide support for user-specified public endpoint hostname. 2015-06-10 16:44:02 -04:00
Billy Olsen 05a260d573 Change config option to os-public-hostname 2015-06-03 11:24:05 -07:00
Billy Olsen 4766a0acc3 [wolsen,r=] Add support for overriding public endpoint addresses.
Adds in the config option for overriding public endpoint addresses
and introduces a unit tests to ensure that the override for the
public address is functioning correctly.

Closes-Bug: #1398182
2015-06-02 14:30:32 -07:00
Corey Bryant 4d99449780 Merge next branch 2015-04-01 15:15:49 +00:00