483 Commits

Author SHA1 Message Date
Ghanshyam Mann 44d13c8c64 Retire openstack-chef: remove repo content
OpenStack-chef project is retiring
- https://review.opendev.org/c/openstack/governance/+/905279

This commit removes the content of this project repo

Depends-On: https://review.opendev.org/c/openstack/project-config/+/909134
Change-Id: Ida0639315944c8c7852ec37fb10f133e8ab9c455
2024-02-17 20:50:52 -08:00
Lance Albertson f052ede42b CentOS 8 support
- Update package names
- Migrate to using apache2_mod_wsgi resource and require apache2 ~> 8.6
- Update ChefSpec

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-database/+/815139
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-messaging/+/815137
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-integration-test/+/815171
Change-Id: Ib21c5b2dbd13aa57de926e71db62d042374cabd4
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-22 16:31:00 -07:00
Lance Albertson e76dcb39e1 Chef 17 support
- Require Chef >= 16.0
- Remove bind from Berksfile
- Update copyright years

Depends-On: https://review.opendev.org/c/openstack/cookbook-openstackclient/+/813953
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-database/+/814032
Depends-On: https://review.opendev.org/c/openstack/cookbook-openstack-ops-messaging/+/814035
Change-Id: I5d4f38f56e5a411b83b02d2fd9fff2e013947d71
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-10-14 11:57:40 -07:00
Marek Szuba f70a3454c5 Make the name of default Keystone site for Apache2 a platform option
Since at least Debian 9 (Stretch) the name of the relevant site has been
'wsgi-keystone' rather than 'keystone'. Then again, as of 21.04 Ubuntu
continues to use the old site name.

The relevant attribute is also set for RHEL so that recipe validation
doesn't fail due to missing resource name, even though the resource in
question is currently guarded by 'if platform_family?("debian")'.

Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: I34b342d0b51cd5e11b1e5de95578ac47939895f9
2021-07-20 22:14:24 +00:00
Karim El Aammari c5211ab38f Possibility to set SSLCARevocationPath for keystone as chef default attribute "ca_revocation_path"
Also set SSLCARevocationCheck alongside SSLCARevocationPath, all one
gets by setting only the latter is warnings in Apache logs.

Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck

Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
2021-07-20 13:26:02 +01:00
Ghanshyam Mann 114b459cad Moving IRC network reference to OFTC
Also pull bind cookbook from git to fix version pinning issues.

Change-Id: I9bd4f54d9d10e9f3aba98a297213304507b9967d
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-07-15 11:11:04 -07:00
Lance Albertson 5f40cfe1d8 Update to Chef Workstation 21.2.303
- Cookstyle fixes

Depends-On: https://review.opendev.org/c/openstack/openstack-chef/+/779389
Change-Id: Ib044399cb7fd28cbb874cb08f1a87ca376518e6f
Signed-off-by: Lance Albertson <lance@osuosl.org>
2021-03-08 16:15:20 -08:00
Lance Albertson 9ed88a8ff4 Cookstyle 6.19.5 fixes
Update ChefSpec due to changes made in apache2 cookbook.

Depends-On: https://review.opendev.org/756168
Change-Id: Ie4a830620f217f5879ae4270850214902c202dbf
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-10-05 17:13:24 -07:00
Lance Albertson 9a45f9e60a Chef 16 updates
Depends-On: https://review.opendev.org/740342
Depends-On: https://review.opendev.org/747542
Depends-On: https://review.opendev.org/747554
Depends-On: https://review.opendev.org/747555
Change-Id: I4ad921b46ee476d9e866303e33be7b8803cdff98
Signed-off-by: Lance Albertson <lance@osuosl.org>
2020-08-27 17:20:28 -07:00
Lance Albertson 368296c9e5 Updates for Train
Changed:
- Update release to train
- Update to apache2 ~> 8.1

Fixed:
- Cookstyle
- ChefSpec

Removed:
- Unused .rubocop.yml

Change-Id: I2dc8c767ac4f6bb0635ffa4a64d6e8e47fc29093
Depends-On: https://review.opendev.org/731850
Depends-On: https://review.opendev.org/731851
Depends-On: https://review.opendev.org/731855
Depends-On: https://review.opendev.org/731858
2020-06-09 09:58:00 -07:00
Lance Albertson c49dedfbcd Stein fixes
- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
  cookbooks
- Update documentation
- Enable sensitive resources for template[/etc/keystone/keystone.conf]
  and execute[bootstrap_keystone] to improve security.
- Update delivery configuration to exclude integration cookbooks

[1] https://docs.openstack.org/keystone/stein/install/keystone-install-rdo.html#install-and-configure-components

Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706140
Depends-On: https://review.opendev.org/706147
Depends-On: https://review.opendev.org/706158
Change-Id: I6c5005b23ee209650911146e373c4cf082cbee9e
2020-03-23 09:58:16 -07:00
Lance Albertson 453ab3bb95 Update to apache2 ~> 8.0 cookbook
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.

- Install mod_wsgi as a package on RHEL since there is no built-in
  resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
  with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is taken care of
  by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI

Depends-On: https://review.opendev.org/702772

Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
2020-01-30 09:28:25 -08:00
Lance Albertson 21255e36b4 Upgrade python2-urllib3 on CentOS
I've run into this issue on systems that already have python2-urllib3
installed, but it's older than what gets installed from the RDO
repository and breaks the db sync for keystone. By adding it here, that
will ensure it's always upgraded before we try running db sync.

Change-Id: If876315001c8136fad654d7408ec9f656ef48775
2020-01-22 16:05:30 -08:00
Lance Albertson e6d377db3e Use Ubuntu 18.04 for ChefSpec tests
Change-Id: Icabebd997591b7208c92aa0a01f066d87c0f1b84
2020-01-06 11:44:50 -08:00
Lance Albertson 3d3d0b2f9c Improve ChefSpec test speed by enabling caching
This updates all references of let(:chef_run) to cached(:chef_run) to
speed up tests. By doing this, we have to create a new cached(:chef_run)
block whenever we need to adjust node attributes for testing.

In addition:

- Add missing ChefSpec tests for cloud_config and _credential_tokens
  recipes

Change-Id: I9f3b86de8f7aa97a5954b2e0f564452e1897a6e3
2019-12-17 18:59:42 -08:00
Lance Albertson b571b3c444 Updates for rocky
- Replace git.openstack.org with opendev.org
- Update some documentation
- Move README.md to README.rst for better rendering
- Drop obsolete bootstrap.sh script
- Drop obsolete default recipe

Change-Id: I7894951c9ac0bbd00007da5face15e9418880bc4
2019-12-06 11:19:50 -08:00
Jens Harbott 87d4d2ed40 Use python3 packages on Ubuntu
Python2.7 is going EOL soon, let us deploy python3 for Rocky from the
start, so we avoid having to switch later.

Also update Berksfile to allow dependency testing and require chef >= 14 now.

Change-Id: Id4c06c8fc136ae3cde97e751373049db989de21e
2019-11-26 10:46:40 +00:00
inspurericzhang 65e61a916d Replace git.openstack.org with opendev.org
Change-Id: Ib8f7bf2608b06178388b91fc7b90460896bce416
2019-11-19 17:47:15 +08:00
Zuul 1649fd8426 Merge "Add a cloud_config recipe" 2019-09-10 09:43:02 +00:00
Jens Harbott f2902385ef Add a cloud_config recipe
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.

Clean up the old openrc template a bit.

Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
2019-08-30 14:29:33 +00:00
Lance Albertson 5c2bfb4990 Properly notify apache restarts on keystone configuration updates
This uses edit_resource to add a notification in the identity apache
configuration when it gets updated. This is a workaround due to the fact
we are using a version of the apache2 cookbook that is still using
definitions and cannot add notifications with definitions.

This is intended to ensure we only restart apache when the configuration
is updated. Otherwise, the old behaviour was to restart apache on every
run which is problematic in production environments. I have been using
this in our production wrapper cookbook for the past year or so without
any issue.

This will be removed in the Stein release when we migrate to the newer
apache2 cookbook which uses proper resources.

Change-Id: I13de063d1e7ffd356d754eb0f2d8286a3c694836
Signed-off-by: Lance Albertson <lance@osuosl.org>
2019-07-07 19:10:52 -07:00
Zuul df72871ac8 Merge "Fixes to support fog-openstack-1.x" 2019-07-05 08:37:21 +00:00
Roger Luethi f9a1116736 Disable UCA keystone apache2 site early
If the chef-client fails between keystone package installation and the
disabling of the default keystone config file from UCA package, then
apache2 may end up with conflicting site configurations trying to bind
to the same port.

backport: stable/queens

Change-Id: Ib52a4d5195f9ef8d7caa8478c8293fe894624ee5
2019-07-05 06:39:26 +00:00
Lance Albertson b185a5205d Fixes to support fog-openstack-1.x
fog-openstack-1.x already appends "auth/tokens" so we no longer need to
do that.  In addition, comment out endpoint type until this PR [1] gets
merged and released.

[1] https://github.com/fog/fog-openstack/pull/494

Depends-On: https://review.opendev.org/666176
Change-Id: I2a73e87648bff58180c6ee2355a733a8e030fa4b
Signed-off-by: Lance Albertson <lance@osuosl.org>
2019-07-03 16:03:07 -07:00
Zuul c8a2a909b0 Merge "Drop admin endpoints" 2019-05-06 12:09:04 +00:00
OpenDev Sysadmins 1ad3f2ec04 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:36:39 +00:00
Jens Harbott 284d54be79 Drop admin endpoints
The admin endpoints offer no special functionality, users may talk to
the public endpoints instead. The only historic use case has been the
keystone v2 admin endpoint, but with keystone v3 API, even that is no
longer needed, except that its use is hardcoded in keystonemiddleware.
So we prepare everything for completely getting rid of the admin
Identity endpoint, but still create it during bootstrap.

Also drop explicitly creating resources that are created during keystone
bootstrap anyway.

[0]
https://opendev.org/openstack/openstack-chef-specs/src/branch/master/specs/ocata/all/drop-admin-endpoints.rst

Depends-On: https://review.openstack.org/652052
Depends-On: https://review.openstack.org/652064
Depends-On: https://review.openstack.org/652098
Depends-On: https://review.openstack.org/652589
Change-Id: Iddfae1c2cb29217cd9aae89d56bc65fa935fcd28
2019-04-18 11:06:34 +00:00
Jens Harbott 90fd9ccf59 Add endpoint_type attribute defaulting to internalURL
This is in preparation of dropping the admin endpoint, we need this
attribute in place first so we can reference it in other cookbooks.

Change-Id: Idee227f26fcc74412873c5afd02dfcce32145ea7
2019-04-15 08:17:21 +00:00
Jens Harbott 4313c5711f Drop support for a templated catalog
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.

Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
2019-04-04 12:49:31 +00:00
Jens Harbott af1d3b1485 Stop overriding auth methods
Setting the keystone option [auth]/methods by default blocks additions
like application_credential that was newly added to Keystone in Queens.
Let's stick to Keystone's defaults instead, deployments can override
these settings if they need to.

Also drop some even older versions of these attributes that haven't been
used at all anymore for some time.

Change-Id: I10b31efe1e94fc69cda65e2f7fb7a669afb166ba
2019-03-01 09:15:14 +00:00
Zuul eabbbb9b5c Merge "Pin apache2 cookbook to 5.0.1" 2018-12-11 13:54:50 +00:00
Samuel Cassiba 6f6d02faf1 Pin apache2 cookbook to 5.0.1
This change eliminates a kitchen failure with apache2-5.2.1

Change-Id: Ida4e1c4a166a0baac4937e088b42f22a8ab524ab
2018-12-10 21:14:33 -08:00
ZhijunWei 87747401c2 Change openstack-dev to openstack-discuss
Change-Id: I11d837c702f2122570f568d47f64696977bb8547
2018-12-04 23:21:03 -05:00
melissaml d139297cf9 Update the URL in README.md
Change-Id: Ie3c70574ccd44d39e72ea59098741b77ed7cb08c
2018-09-23 17:26:51 +08:00
Samuel Cassiba 05a1bee419 Rename openstack-chef-repo references to openstack-chef
Change-Id: Ie1ba251712f38ffc6539d3d00c4a6806f75538ce
2018-08-06 21:49:43 -07:00
Samuel Cassiba 3410066ae1 starting rocky development patch
Depends-On: Ia24eef700ab6c7fe359a17070981dc93e0300a18
Depends-On: I75d827d383f701da8650cd0e9d1f2501e22cf6a2
Change-Id: Id835cbf8fc8cf2dc32a3ecdfffb17b01547fb0db
2018-08-03 06:40:56 -07:00
Jens Harbott e30e2cf418 Fixup keystone endpoint handling
Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.

At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.

[0] I01d44e48053cad7aeb92636f4b41649204006c93

Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
2018-07-16 12:24:46 -07:00
Zuul 41b3463312 Merge "Simplify identity endpoint" 2018-07-03 06:31:58 +00:00
Samuel Cassiba 7657e34eda Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
2018-06-28 16:24:31 -07:00
Jens Harbott 7d8b8b5c27 Fix token handling for keystone
In order to avoid errors when deploying multiple controller nodes, we
need to deploy credential-tokens from data bags just like we already do
for fernet-tokens. Otherwise each controller would use a different set
of tokens generated locally.

Drop the corresponding calls to keystone-manage, as they are a) not
idempotent and b) generate files that are never used anyway.

Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
2018-06-28 12:58:39 +00:00
Jens Harbott 7e9d7c9966 Use variables keystone_user and keystone_group
We define these variables from the corresponding node attributes, use
them instead of accessing the node attributes afterwards.

Change-Id: I1215d24f341e0ae37b7e0be978578aa2985e4af1
2018-06-28 12:58:03 +00:00
Samuel Cassiba df5472c9c8 Add delivery config
Change-Id: Ia10c3c30f4c4e024f64b9a08f8b0d5213e3f5302
Implements: blueprint deprecate-rakefiles
2018-04-11 22:24:47 -07:00
Samuel Cassiba aff741a327 Rename keystone-main service
* rename keystone-main to keystone-public to better align with Keystone
  conventions[0]

[0] https://review.openstack.org/194442

Change-Id: I98a5d41b4de3a3d7ef680d00ac898c93c5bc2a41
2018-03-23 06:51:19 -07:00
Samuel Cassiba a781e6c11f starting queens development patch and use git.openstack.org
* use git.openstack.org instead of github for berks dependency
resolution

Change-Id: Icddbddfae5ec075c9c113287135a02bad48144e7
2018-03-06 13:01:59 +01:00
Zuul 4c607a3fb2 Merge "Zuul: Remove project name" 2018-02-14 18:51:42 +00:00
Samuel Cassiba 23884c6b52 Removed deprecated postgres test
Change-Id: I07fb6f7f668a4ea0c04a149c8f8cb94e739468d8
Implements: blueprint modern-chef
2018-02-07 07:42:12 -08:00
James E. Blair db5eb09a26 Zuul: Remove project name
Zuul no longer requires the project-name for in-repo configuration.
Omitting it makes forking or renaming projects easier.

Change-Id: I680e12ba32a72d56536de04f542900dface4aeda
2018-02-05 13:58:26 -08:00
Zuul d407581474 Merge "identity refactor for Pike and Chef 13" 2017-12-22 21:35:55 +00:00
Samuel Cassiba 8ba453b9f5 identity refactor for Pike and Chef 13
- implemented foodcritic and cookstyle corrections
- deprecated node.foo.bar method access for node['foo']['bar'] bracket syntax
- moved apt package_overrides to common cookbook

Implements blueprint modern-chef

Change-Id: I9ab420186b2f93cfc7fcc7be7c406a3176a991e1
2017-12-10 20:04:21 -08:00
Zuul b13ee78385 Merge "Add native zuul v3 jobs defined in openstack-chef-repo" 2017-11-30 16:58:21 +00:00