Commit Graph

342 Commits

Author SHA1 Message Date
Zuul ae431710e0 Merge "Adds service_user_id into relation data" 2024-01-15 18:48:09 +00:00
Erlon R. Cruz 86a323abfe Adds service_user_id into relation data
This is necessary to avoid collisions between
same usernames used service users.

Depends-on: I4fbfa8fba84b11c4e30e4db9a0c358db1e8c94f1
Closes-Bug: #2030755
Change-Id: I500fd131cbd6cd5c2b38fdbe81b8b48e50a3e3f7
2023-10-24 16:11:37 -03:00
Alex Kavanagh 85571b5837 Improve platform mocking
Patch out charmhelpers.osplatform.get_platform() and
charmhelpers.core.host.lsb_release() globally in the unit tests to
insulate the unit tests from the platform that the unit tests are being
run on.

Change-Id: I4fbfa8fba84b11c4e30e4db9a0c358db1e8c94f1
2023-10-24 18:40:05 +01:00
Corey Bryant ac87b4bce5 Add package-upgrade action
The package-upgrade action performs package upgrades for the current
OpenStack release.

The code path used is similar to the openstack-upgrade action, with the
difference being that package-upgrade will not execute if an openstack
upgrade is available (based on the openstack-origin setting).

This change includes a charm-helpers sync.

Change-Id: Ifd99ea307a6e4d1d034d7c1e494e2cd8abd894e9
2023-06-02 11:23:25 +01:00
Zuul 0f974bb539 Merge "Add service user password rotation actions" 2023-02-28 18:40:15 +00:00
Alex Kavanagh 2271a961b7 Add service user password rotation actions
This patch adds two actions:

 1. An action to list the service usernames that can be rotated.
 2. An action to rotate a service username that is on the list of
    usernames that can be rotated.

Change-Id: I3a8a6af7ec8b0ea32da04eff34fafd32f43cee0e
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1005
2023-02-24 18:57:02 +00:00
Gabriel Cocenza 04480c4ff4 Add support for HAProxy L7 checks
This change add several configuration options to enable HTTP checks
to the HAProxy configuration, instead of the default TCP connection
checks (which continue to be the default)

Closes-Bug: #1880610
Change-Id: I50a9442ae66da71793a5e9904d23c26d1fbbdf42
2023-02-17 20:45:04 +00:00
Jorge Merlino 55bd702224 Add admin-role parameter value to identity relation
This parameter is added to the relation in order to configure service
tokens on related services. The role of the service user is required for
service token validation.

Closes-Bug: #1992840
Change-Id: Id7e84d38a9f774179808137548307c9174a87f87
2022-10-13 16:26:08 -03:00
Zuul 9b2f7e545d Merge "Refactor admin password related actions code for better maintenance" 2022-05-16 10:24:44 +00:00
Edward Hope-Morley 08960ba9b7 Set service_type on identity relation
Also applies osci.yaml fix for Jammy.

Change-Id: I4cf5d8c0855bb9a3cd6068335fe8100366c0a66d
Related-Bug: #1965967
2022-03-29 14:21:51 +01:00
Tianqi c3587026cc Refactor admin password related actions code for better maintenance
Moved rotate-admin-password action to admin-password.py and made
changes to the unit test accordingly. Putting admin password
related actions together will reduce confusion and improve
maintainability

Change-Id: I27f8d3a279833dde5f6021e9d78a5ab2f05445b2
2022-03-28 18:21:31 -04:00
Pedro Castillo ae178d7471 Add rotate-admin-password action
This action allows the user to easily rotate the admin user's
password by replacing it with a randomly generated one.

Change-Id: I6ce69be15b11b00f804d3143d835ec3ce6515865
Related-Bug: #1927280
Func-Test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/720
2022-03-21 19:55:34 +00:00
Tianqi 4949830cea Add get-admin-password action with unit test
Implemented a new action to provide users the possibility of
retrieving Keystone service's admin password via juju action.
The result of this action is equivalent to running
“juju run --unit {keystone unit} leader-get admin_passwd”.

Closes-Bug: #1858657
Change-Id: I231c4b73016f7e7b4ba7f06219dd8e212402a339
2022-03-04 21:51:03 +00:00
Liam Young 6f4894ea13 Related charm specify roles to be granted to admin
A charm joined to keystone via the identity-service relation can
now specify additional roles that can be granted to admin. This
is done by setting the relation data key `add_role_to_admin` the
value is a comma seperated list of roles that should be granted
to admin.

Change-Id: I7ecac3d64eece1845dc963886e09cc2be149ae03
2022-02-25 13:19:40 +00:00
Hervé Beraud 9a5bf82fae Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.

Note that https://github.com/openstack/charms.openstack is used during tests
and he need `mock`, unfortunatelly it doesn't declare `mock` in its
requirements so it retrieve mock from other charm project (cross dependency).
So we depend on charms.openstack first and when
Ib1ed5b598a52375e29e247db9ab4786df5b6d142 will be merged then CI
will pass without errors.

Drop Python 3.5 testing.

Rework some unit tests that use unittest.mock features not introduced
until Python 3.7.

Depends-On: Ib1ed5b598a52375e29e247db9ab4786df5b6d142
Change-Id: I029c77ed697620725dc040d1849a691eb10c9351
2021-12-14 13:33:00 +00:00
Zuul 1a3523c7d8 Merge "Spelling fixes found (mostly) by Codespell." 2021-11-24 11:41:42 +00:00
James Troup 817b97871e Spelling fixes found (mostly) by Codespell.
Change-Id: I2803dc7efc8c357ca48a5284a3c95793363e0263
2021-11-23 19:33:04 +00:00
Chris MacNaughton 9b8b81a0bc Use the application data bag to set id and id_service notifications
When purely using relation-set from a leader, updates after
the leader has changed can lead to old data being persisted
on a relation in addition to newer data being set by the new
leader. When this happens, there can be issues with services
using old data to talk to other related services.

This change introduces the use of the application data bag
to ensure that all units related to keystone get the same
data from the leader, regardless of leadership changes.
While this change enables the application data bag for these
relations, it still sends the per-unit relation data as well
to maintain backwards compatibility. Charms that consume the
identity-service and identity-notification relations will
need an update to use the application data bag to complete
this change.

Partial-Bug: #1902264
Change-Id: Iadd795fec605e7704e5a6673906452279bbecb34
2021-09-01 11:47:47 +00:00
Frode Nordahl 3143cb6638 Revert "Enable health check httpchk options in haproxy."
This reverts commit 579daa6820.

Reason for revert: This change breaks Keystone with TLS enabled

Change-Id: I20d3a476ef6f9ae1ae0bd4a5254e57f27a4d5917
2021-08-16 07:19:31 +00:00
John P Lettman 579daa6820 Enable health check httpchk options in haproxy.
Adds backend options for 'admin-port' and 'public-port' in
HAProxyContext. HAProxy will now expect 200-300 statuses and the string
"stable".

test_haproxy_context_service_enabled updated to reflect expected ctxt.

Closes-Bug: #1933233
Change-Id: I88cef4539f5d7dc70f6fbaacfb2ff768e958d346
2021-08-04 13:46:11 -04:00
Billy Olsen 7f0317313f Strip whitespace from admin passwords
While admin passwords are discouraged, they are used by some users
and using a file to import into the config option may include new
line characters. Strip the white space from the admin password to
prevent confusion for users.

Change-Id: I986b10e960153daed9d0d0cbf81d9c9e918a2150
Closes-Bug: #1895004
2021-04-03 09:54:06 -07:00
Frode Nordahl e9fc1de43b
Process subordinate releases packages map
For principal - subordinate plugin type relations where the
principal Python payload imports code from packages managed by a
subordinate, upgrades can be problematic.

This change will allow a subordinate charm that have opted into the
feature to inform its principal about all implemented release -
packages combinations ahead of time. With this information in place
the principal can do the upgrade in one operation without risk of
charm relation RPC type processing at a critical moment.

Also sync c-h.

Closes-Bug: #1806111
Change-Id: I95567d5d047eb64842436e671b74a633e6f509f4
2021-03-24 14:49:31 +01:00
Seyeong Kim 1e6d8e004b Exposing internal url over the relation.
There are scenarios where a keystone's consumer might want to talk to
keystone over the internal url, exposing this information over the
relation would allow services like openstack-dashboard to implement
a configuration option equivalent to `use-internal-endpoint` provided
by nova-cloud-controller.

Closes-bug: #1812361
Change-Id: I129a686ed9d20035894a36500cb64d1798d3f9d2
Co-Authored-By: Felipe Reyes <felipe.reyes@canonical.com>
2021-02-17 13:37:17 -03:00
Alex Kavanagh 31649bee99 Updates for testing period for 20.01 release
Includes updates to charmhelpers/charms.openstack for cert_utils
and unit-get for the install hook error on Juju 2.9

* charm-helpers sync for classic charms
* rebuild for reactive charms
* ensure tox.ini is from release-tools
* ensure requirements.txt files are from release-tools
* On reactive charms:
  - ensure master branch for charms.openstack
  - ensure master branch for charm-helpers

* Fixes to unit tests due to removal of unit_get from context.

Change-Id: I83f12c9e010468be34637056e645f2bfc732f2df
2021-01-18 15:23:07 +00:00
Alex Kavanagh c7e34558c4 Make Fernet key distribution more robust
The related bug indicated that the Fernet keys could get out of sync
between the leader and non-leader units.  This patchset assumes that
hooks fail, or that units are off-line when the rotation occurs.  Thus
it tries hard to ensure that the keys are in sync.  It still uses juju
to 'send' the keys from the leader to the subordinate units, so in that
sense, it is not a fix to the related bug, but it does make it more
robust.

Change-Id: Id40a3ccbe565bd742e3fdbd5190deb6b21204a82
Related-Bug: #1849519
2020-11-17 15:24:49 +00:00
Liam Young 57b9d62aaf Make catalog-cache-expiration configurable
Expose catalog-cache-expiration which can be used to specify how
long catalogue entries will  be cached for. In addiontion inform
charms that receive notifications of endpoint changes what this
setting is.

Change-Id: I3ce72efc5bd96c987748f66a275f92941daa8fe5
2020-09-29 15:59:38 +00:00
Zuul c64776b628 Merge "Do not leak credentials on leader-set failure" 2020-09-14 08:07:36 +00:00
Aurelien Lourot f9aa92c7ce Do not leak credentials on leader-set failure
This will also give us more insights into the leader-set failure
happening in the linked bug.

Also updated project files from latest release-tools templates.

Also blacklisted libjuju 2.8.3 which causes spurious
JujuAPIError's.

Change-Id: I51b890098df6d918c1d84adba272559ef45411bb
Partial-Bug: #1890256
2020-09-11 12:23:12 +02:00
Zuul 4de6a4bf7a Merge "Fix performance issue when updating endpoints" 2020-09-09 09:51:11 +00:00
Alex Kavanagh 13f5ce49fe Fix performance issue when updating endpoints
This patch eliminates almost all the manager.py calls when
updating/checking the endpoints from the relation(s) with other charms.

Change-Id: Ibb7999239ec9927e76052b7e45c4545127b5919a
Closes-Bug: #1890602
2020-09-08 16:31:31 +01:00
Liam Young f72ae6160b Tell clients what roles were created
If a client requests a role then inform them what role was
actually created or already existed.

If a client requests the creation of a role and that role already
exists with a different mix of upper and lower case then the new
role is not created. This is because keystone purports to be case
insensative. However the client may not be case insesative (horizon)
and may assume that the role was created. This change replies to
the client with a new key 'created_roles'. This tells the client
what the case sensative name actually is.

Change-Id: Idc0865a688886a2066dfcdbd15e30118ae5c5bb8
Closes-Bug: #1890437
2020-08-27 13:21:39 +00:00
James Page e02f0590a7 endpoint notification v2 API compatibility
Fallback to v2 API behaviour for processing endpoints for older
OpenStack releases where the v2 API is still the default.

Change-Id: Ieb9afed0a6442fac48f8e1ccc0f5c34626a3be18
Closes-Bug: 1889180
2020-07-28 10:13:55 +01:00
James Page 0a054f17e1 notifications: provide complete set of endpoints
Depending on the order of hook execution its possible for a charm
requesting notification of endpoint changes via the subscribe_ep_change
relation key will only get a partial set of information based on
services which are registered after their service is registered.

If this situation happens and a subscribed to service already exists
in the endpoint catalog add these to the JSON dict of information
passed to the requesting charm.

Change-Id: Ibac7ea6de013674b570c3de205d95c0a9d1cd8ae
Closes-Bug: 1887394
2020-07-17 14:24:56 +01:00
Chris MacNaughton 71b7eedfc5 Ensure that certificates are correctly managed.
When the certificates relation is ready before the
HA relation is clustered, the VIP symlinks will not
be created pointing at the correct certificates. This
change updates the HA handlers to ensure that the
certificate relation is handled after clustering,
if there are any certificate relations.

Change-Id: Idfbdaf7919569983cdf159e44a6dad26eccfd195
Closes-Bug: #1886077
2020-07-09 12:34:25 +00:00
Dmitrii Shcherbakov 4eb640ab56 Return an empty string if relation data is missing
None is returned for a relation data value if a key isn't present -
assuming that it's a string is not correct. This change fixes that by
returning an empty string if protocol-name is not present.

Change-Id: I2bab6a69f9f663edee0738ff35b804d81736cb5c
Closes-Bug: #1882084
2020-06-04 20:33:24 +03:00
Liam Young 53bcfd0a06 Check peers before emitting identity data
The checks that keystone was performing before emitting identity
data were applicable to any Openstack api charm so the check
definitions have been moved to charmhelpers so other charms can
use them. The checks as they were are encapsulated in
`check_api_unit_ready` *1

Bug 1818113 was caused by keystone emitting identity data
as soon as the leader was ready but ignoring the state of the
peer units. This is now covered by a new check
`check_api_application_ready` which performs all the local
unit checks and then checks that all peers have reported
as ready too.

In addition `check_api_unit_ready` is now used when
setting the units workload status and `check_api_application_ready`
is used when setting the application workload status.

*1 https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/utils.py#L2289
*2 https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/utils.py#L2330

Change-Id: I99830ab2c2482e8beef174424820907ce96fd5d7
Closes-Bug: #1818113
2020-04-24 11:25:55 +00:00
Liam Young 9f8f3abc31 Restart apache when keystone policy changes
Keystone does not reliably pick up policy changes (observed on
Queens) unless apache is restarted. This change triggers a restart
when  policy is changed.

Change-Id: Ia29312baa9c1b8113649fc2826f0464588c3ce11
2020-04-22 12:59:00 +00:00
Frode Nordahl 0a02c30fe5
Replace use of admin_token with Keystone bootstrap
Stop the use of the admin_token and use the bootstrap process
to initialize Keystone instead.  Fortunately the implementation
of the bootstrap process is both idempotent when it needs to be
and it can be safely called on an existing deployment.

Subsequently we can migrate by just removing the admin_token
from the configuration and create new credentials for use by
the charm with a call to ``keystone-manage bootstrap``.

Remove configuration templates for versions prior to Mitaka, by
doing this we need to move any configuration initially defined
prior to Miataka forward to the ``templates/mitaka`` folder.

A side effect of this migration is that newly bootstrapped
deployments will get their ``default`` domain created with a
literal ID of ``default``.  Prior to this change third party
software making assumptions about that being the case may have
had issues.

Closes-Bug: #1859844
Closes-Bug: #1837113
Related-Bug: #1774733
Closes-Bug: #1648719
Closes-Bug: #1578678
Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/191
Change-Id: I23940720c24527ee34149f035c3bdf9ff54812c9
2020-03-13 09:52:10 +01:00
Frode Nordahl 3765c0b123
Unpin flake8 and fix lint
Change-Id: Iacae0fc791003d7f1730363f10f509434b0e671f
2020-03-10 13:39:41 +01:00
James Page dc2f5e5259 Provide admin user ID and project ID
For keystone v3 deployments, provide the admin user and project ID
over identity-service relations.

This may be used by consuming services to build trust between the
service account and the cloud admin account.

Change-Id: I6166793a497a283e743210d067eb44c14071e61e
2020-03-05 15:40:04 +00:00
James Page f984c4ec9b endpoint notification: provide full endpoint
When a remote service requests notification about changes to
endpoints, provide the full detail on each endpoint rather than
just a checksum of the internal/admin/public URL's.

This allows consuming services which require explicit configuration
of service endpoint URL's to configure everything via their
relation to keystone rather than directly relating to all required
services.

Change-Id: I39b6e3df17e44c801f5f6bb122407623cbf1c937
2020-03-05 11:21:40 +00:00
Zuul 2b6b708fab Merge "Implement Security Compiance option for password" 2020-02-19 14:50:17 +00:00
Liam Young 068444f466 Send notification on identity-service relation.
Services can optionally request notifications of other services endpoint
changes. They do this by sending a space seperated list of service names
that they wish to be notified of down the identity-service relation e.g

    subscribe_ep_change="placement neutron"

If the endpoints change for any service in the list then a notification is
sent back with a nonce. e.g. if the neutron ep changes the charm will
recieve a json encoded dict of changes:

    'ep_changed': '{"neutron": "1c261658"}'

This removes the need for charms to have two relations for ep notification
changes and allows applications to specify which endpoints they are
interested in.

Closes-Bug: #1862974

Change-Id: I03667af35022c352ea1cf817d97a6a50c2fb5c5d
2020-02-17 10:59:22 +00:00
Alex Kavanagh e83cb05bf8 Implement Security Compiance option for password
This feature adds a "password-security-compliance" option to the
charm to enable setting of keys in the "[security_compliance]" section
of the keystone.conf file.  This section was added in the Newton
release, and so this feature supports this from the Newton release.

It also protects the service accounts from two of the PCI-DSS options
but setting the user options 'ignore_password_expiry' and
'ignore_change_password_upon_first_use' to True to prevent the cloud
from being broken.

Change-Id: If7c54fae73188284bd9b03a53626cdf52158b994
Closes-Bug: #1776688
2020-02-05 18:10:12 +00:00
Liam Young 848ce4b5f4 Do not access DB when it is in maintenance mode.
If the database is in maintenace mode do not attempt to access
it.

Depends-On: I5d8ed7d3935db5568c50f8d585e37a4d0cc6914f
Change-Id: I8cdb42364b7da03129bb8e2debebf6f6947d7ff3
2020-01-30 12:37:36 +00:00
Liam Young fca036ba24 Use get_managed_services_and_ports from ch
Switch to using get_managed_services_and_ports from charmhelpers.

Charmhelper sync included to bring in required
get_managed_services_and_ports method.

Change-Id: Ib2b1f3dead1dbb613591bdf3903ed56e8c14f45c
2020-01-29 08:02:13 +00:00
Liam Young 9192e48568 When resuming exclude haproxy
When resuming services exclude those managed by hacluster, in
this case haproxy. If pacemaker lacks quorum it may shut haproxy
down which will cause this charm to error.

Change-Id: I9ac10807e853f2e83ea9ea9b780f83a79c17be10
2020-01-22 10:23:39 +00:00
Felipe Reyes 0b7ca2624b Notify changes when service key is missing
Services that expose multiple endpoints use a prefix in their keys, this
patch refactors that code to put it in their own function to be reused
by the notifications functionality and make it notificate for changes in
those endpoints (e.g. neutron-api and nova-cloud-controller).

Change-Id: Ieecfc4ef7c85c7f716ceef0c2938ae0c7787953d
Closes-Bug: #1856419
2019-12-19 23:22:27 -03:00
Alex Kavanagh 186769cc05 Policyd override implementation
This patchset implements policy overrides for keystone.  It uses the
code in charmhelpers.

Closed-Bug: #1741723
Change-Id: I187f4493392178d87ef7dbd67de841bbeae0c65d
2019-10-07 20:31:02 +01:00
James Page 15250435f6 Ensure federated identity backend are TLS aware
When the certificates endpoint has completed TLS configuration
via Vault, ensure that any federated identity backends are
updated for the switch to TLS, other the generated SP data
incorrectly used http:// instead of https://

Closes-Bug: 1834442

Change-Id: Ie160095789f5c34bc3509ffce4a7c5c0ec430632
2019-07-03 14:21:28 +01:00