* Update cookbook-openstack-identity from branch 'master'
to f70a3454c5e6a4826245be68450c017e01767ab7
- Make the name of default Keystone site for Apache2 a platform option
Since at least Debian 9 (Stretch) the name of the relevant site has been
'wsgi-keystone' rather than 'keystone'. Then again, as of 21.04 Ubuntu
continues to use the old site name.
The relevant attribute is also set for RHEL so that recipe validation
doesn't fail due to missing resource name, even though the resource in
question is currently guarded by 'if platform_family?("debian")'.
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: I34b342d0b51cd5e11b1e5de95578ac47939895f9
* Update cookbook-openstack-identity from branch 'master'
to c5211ab38f015315d3297d0664d8ad8058a36548
- Possibility to set SSLCARevocationPath for keystone as chef default attribute "ca_revocation_path"
Also set SSLCARevocationCheck alongside SSLCARevocationPath; all one
gets by setting only the latter is warnings in Apache logs.
Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck
Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
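
The directive interaction described in the commit above, as an added example that is not part of the cookbook or the commit: a small Ruby audit that classifies each VirtualHost by how its CRL settings behave. The helper name, the sample vhosts, and the simplified global-to-vhost inheritance are assumptions made for illustration.

```ruby
# Added example; crl_posture and SAMPLE_CONF are hypothetical names.
# Constructed sample vhosts, not taken from the cookbook's template.
SAMPLE_CONF = <<~CONF
  <VirtualHost 10.0.0.5:5000>
    SSLCARevocationPath /etc/ssl/crl
  </VirtualHost>
  <VirtualHost 10.0.0.5:5001>
    SSLCARevocationPath /etc/ssl/crl
    SSLCARevocationCheck chain
  </VirtualHost>
  <VirtualHost 10.0.0.5:5002>
    SSLCARevocationPath /etc/ssl/crl
    SSLCARevocationCheck leaf no_crl_for_cert_ok
  </VirtualHost>
CONF

# Returns { vhost address => posture symbol } for Apache configuration text.
# Assumption: a vhost inherits server-level CRL directives it does not set.
def crl_posture(conf)
  scopes = Hash.new { |h, k| h[k] = { source: false, check: nil } }
  scope = :global
  conf.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\A<VirtualHost\s+([^>]+)>/i
      scope = Regexp.last_match(1).strip
      scopes[scope] # register the vhost even if it sets no CRL directive
    when %r{\A</VirtualHost>}i
      scope = :global
    when /\ASSLCARevocation(?:Path|File)\s+\S/i
      scopes[scope][:source] = true
    when /\ASSLCARevocationCheck\s+(.+)/i
      scopes[scope][:check] = Regexp.last_match(1).downcase.split
    end
  end
  global = scopes.delete(:global) || { source: false, check: nil }
  scopes.transform_values do |s|
    source = s[:source] || global[:source]
    mode, *flags = s[:check] || global[:check] || ['none'] # mod_ssl default: none
    if mode == 'none' then source ? :crl_source_ignored : :no_revocation_check
    elsif flags.include?('no_crl_for_cert_ok') then :passes_when_crl_missing
    else :fails_when_crl_missing # chain/leaf default since Apache 2.3.15
    end
  end
end

p crl_posture(SAMPLE_CONF) if $PROGRAM_NAME == __FILE__
```

A `:crl_source_ignored` result is the path-only case the commit message mentions; `:fails_when_crl_missing` means a CRL must be deployed and kept current for every issuing CA before the check is enabled.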
* Update cookbook-openstack-identity from branch 'master'
to 114b459cadb24c870cbcc8e8ffcf590083a32ebd
- Moving IRC network reference to OFTC
Also pull bind cookbook from git to fix version pinning issues.
Change-Id: I9bd4f54d9d10e9f3aba98a297213304507b9967d
Signed-off-by: Lance Albertson <lance@osuosl.org>
* Update cookbook-openstack-identity from branch 'master'
- Update to apache2 ~> 8.0 cookbook
This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.
- Install mod_wsgi as a package on RHEL since there is no built-in
resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is taken care of
by Chef now automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI
Depends-On: https://review.opendev.org/702772
Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
* Update cookbook-openstack-identity from branch 'master'
- Upgrade python2-urllib3 on CentOS
I've run into this issue on systems that already have python2-urllib3
installed, but it's older than what gets installed from the RDO
repository and breaks the db sync for keystone. By adding it here, that
will ensure it's always upgraded before we try running db sync.
Change-Id: If876315001c8136fad654d7408ec9f656ef48775
* Update cookbook-openstack-identity from branch 'master'
- Improve ChefSpec test speed by enabling caching
This updates all references of let(:chef_run) to cached(:chef_run) to
speed up tests. By doing this, we have to create a new cached(:chef_run)
block whenever we need to adjust node attributes for testing.
In addition:
- Add missing ChefSpec tests for cloud_config and _credential_tokens
recipes
Change-Id: I9f3b86de8f7aa97a5954b2e0f564452e1897a6e3
* Update cookbook-openstack-identity from branch 'master'
- Updates for rocky
- Replace git.openstack.org with opendev.org
- Update some documentation
- Move README.md to README.rst for better rendering
- Drop obsolete bootstrap.sh script
- Drop obsolete default recipe
Change-Id: I7894951c9ac0bbd00007da5face15e9418880bc4
* Update cookbook-openstack-identity from branch 'master'
- Use python3 packages on Ubuntu
Python2.7 is going EOL soon, let us deploy python3 for Rocky from the
start, so we avoid having to switch later.
Also update Berksfile to allow dependency testing and require chef >= 14 now.
Change-Id: Id4c06c8fc136ae3cde97e751373049db989de21e
* Update cookbook-openstack-identity from branch 'master'
- Merge "Add a cloud_config recipe"
- Add a cloud_config recipe
Using a cloud config file when accessing a cloud is the modern variant
of setting lots of environment variables, so we add a new recipe that
produces a cloud config matching what we are deploying.
Clean up the old openrc template a bit.
Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
* Update cookbook-openstack-identity from branch 'master'
- Properly notify apache restarts on keystone configuration updates
This uses edit_resource to add a notification in the identity apache
configuration when it gets updated. This is a workaround due to the fact
we are using a version of the apache2 cookbook that is still using
definitions and cannot add notifications with definitions.
This is intended to ensure we only restart apache when the configuration
is updated. Otherwise, the old behaviour was to restart apache on every
run which is problematic in production environments. I have been using
this in our production wrapper cookbook for the past year or so without
any issue.
This will be removed in the Stein release when we migrate to the newer
apache2 cookbook which uses proper resources.
Change-Id: I13de063d1e7ffd356d754eb0f2d8286a3c694836
Signed-off-by: Lance Albertson <lance@osuosl.org>
* Update cookbook-openstack-identity from branch 'master'
- Merge "Fixes to support fog-openstack-1.x"
- Fixes to support fog-openstack-1.x
fog-openstack-1.x already appends "auth/tokens" so we no longer need to
do that. In addition, comment out endpoint type until this PR [1] gets
merged and released.
[1] https://github.com/fog/fog-openstack/pull/494
Depends-On: https://review.opendev.org/666176
Change-Id: I2a73e87648bff58180c6ee2355a733a8e030fa4b
Signed-off-by: Lance Albertson <lance@osuosl.org>
* Update cookbook-openstack-identity from branch 'master'
- Disable UCA keystone apache2 site early
If the chef-client fails between keystone package installation and the
disabling of the default keystone config file from UCA package, then
apache2 may end up with conflicting site configurations trying to bind
to the same port.
backport: stable/queens
Change-Id: Ib52a4d5195f9ef8d7caa8478c8293fe894624ee5
* Update cookbook-openstack-identity from branch 'master'
- Add endpoint_type attribute defaulting to internalURL
This is in preparation of dropping the admin endpoint, we need this
attribute in place first so we can reference it in other cookbooks.
Change-Id: Idee227f26fcc74412873c5afd02dfcce32145ea7
* Update cookbook-openstack-identity from branch 'master'
- Drop support for a templated catalog
This was only half-working anyway since we moved to keystone V3, so we
should just drop it. If someone wants to configure their deployment with
it, they can easily set up a wrapper for it.
Change-Id: Ifdf96502d18895e3b79dfa235fd102b42a0f4bc3
* Update cookbook-openstack-identity from branch 'master'
- Stop overriding auth methods
Setting the keystone option [auth]/methods by default blocks additions
like application_credential that was newly added to Keystone in Queens.
Let's stick to Keystone's defaults instead, deployments can override
these settings if they need to.
Also drop some even older version of these attributes that haven't been
used at all anymore for some time.
Change-Id: I10b31efe1e94fc69cda65e2f7fb7a669afb166ba