Merge "Remove port 35357 deployment"
commit
d60e02998a
|
@ -175,10 +175,10 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
|
|||
if url = get_section('DEFAULT', 'admin_endpoint')
|
||||
endpoint = url.chomp('/')
|
||||
else
|
||||
admin_port = get_section('DEFAULT', 'admin_port') || '5000'
|
||||
public_port = get_section('DEFAULT', 'public_port') || '5000'
|
||||
host = clean_host(get_section('DEFAULT', 'admin_bind_host'))
|
||||
protocol = ssl? ? 'https' : 'http'
|
||||
endpoint = "#{protocol}://#{host}:#{admin_port}"
|
||||
endpoint = "#{protocol}://#{host}:#{public_port}"
|
||||
end
|
||||
end
|
||||
return endpoint
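Review bot: The fallback branch now builds the URL from `public_port`, but it still takes the host from `admin_bind_host`, and the `admin_endpoint` lookup above it is still tried first. A keystone.conf that keeps an `admin_endpoint` on :35357, or an admin-only bind address, would therefore point the provider at a listener this change stops deploying. Consider reading the public settings in this branch, e.g. `host = clean_host(get_section('DEFAULT', 'public_bind_host'))`, or add a comment explaining why the admin values are kept. The page has lost its +/- markers, so the `public_port` lines are taken as the new side; the method starts above the hunk.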
|
||||
|
|
|
@ -17,16 +17,6 @@
|
|||
# The name for your protocol associated with the IdP.
|
||||
# (Required) String value.
|
||||
#
|
||||
# [*admin_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 35357.
|
||||
# (Optional) Defaults to false.
|
||||
#
|
||||
# [*main_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 5000.
|
||||
# (Optional) Defaults to true.
|
||||
#
|
||||
# [*template_order*]
|
||||
# This number indicates the order for the concat::fragment that will apply
|
||||
# the shibboleth configuration to Keystone VirtualHost. The value should
|
||||
|
@ -57,17 +47,27 @@
|
|||
# trusted_dashboards configuration instead of this parameter.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*admin_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 35357.
|
||||
# (Optional) Defaults to undef.
|
||||
#
|
||||
# [*main_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 5000.
|
||||
# (Optional) Defaults to undef.
|
||||
#
|
||||
class keystone::federation::mellon (
|
||||
$methods,
|
||||
$idp_name,
|
||||
$protocol_name,
|
||||
$admin_port = false,
|
||||
$main_port = true,
|
||||
$template_order = 331,
|
||||
$package_ensure = present,
|
||||
$enable_websso = false,
|
||||
# DEPRECATED
|
||||
$trusted_dashboards = undef,
|
||||
$admin_port = undef,
|
||||
$main_port = undef,
|
||||
) {
|
||||
|
||||
include ::apache
|
||||
|
@ -79,6 +79,10 @@ class keystone::federation::mellon (
|
|||
in Stein and will be removed in future releases")
|
||||
}
|
||||
|
||||
if $admin_port or $main_port {
|
||||
warning('keystone::federation::mellon::admin_port and main_port are deprecated and have no effect')
|
||||
}
|
||||
|
||||
# Note: if puppet-apache modify these values, this needs to be updated
|
||||
if $template_order <= 330 or $template_order >= 999 {
|
||||
fail('The template order should be greater than 330 and less than 999.')
|
||||
|
@ -93,14 +97,8 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
|||
fail('Methods should contain saml2 as one of the auth methods.')
|
||||
}
|
||||
|
||||
validate_bool($admin_port)
|
||||
validate_bool($main_port)
|
||||
validate_bool($enable_websso)
|
||||
|
||||
if( !$admin_port and !$main_port){
|
||||
fail('No VirtualHost port to configure, please choose at least one.')
|
||||
}
|
||||
|
||||
keystone_config {
|
||||
'auth/methods': value => join(any2array($methods),',');
|
||||
'auth/saml2': ensure => absent;
|
||||
|
@ -122,20 +120,10 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
|||
tag => 'keystone-support-package',
|
||||
})
|
||||
|
||||
if $admin_port {
|
||||
concat::fragment { 'configure_mellon_on_port_35357':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf",
|
||||
content => template('keystone/mellon.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
}
|
||||
|
||||
if $main_port {
|
||||
concat::fragment { 'configure_mellon_on_port_5000':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf",
|
||||
content => template('keystone/mellon.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
concat::fragment { 'configure_mellon_keystone':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
||||
content => template('keystone/mellon.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
|
||||
}
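Review bot: The relocated doc entries for `admin_port` and `main_port` still say the flags select the Keystone VirtualHost on port 35357 or 5000, while the class body now only warns that they "have no effect". The same applies to the header comments in keystone::federation::openidc and keystone::federation::shibboleth. An operator reading the header could believe federation can still be kept off one listener, when the fragment is now always added to the `keystone_wsgi` vhost. I would reword each entry along the lines of `# (Optional) DEPRECATED, has no effect; the fragment is always added to the keystone_wsgi vhost. Defaults to undef.` The +/- markers are lost on this page, so the blocks with `undef` defaults are assumed to be the new side.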
|
||||
|
|
|
@ -39,16 +39,6 @@
|
|||
# (optional) Value to be used to obtain the entity ID of the Identity
|
||||
# Provider from the environment.
|
||||
#
|
||||
# [*admin_port*]
|
||||
# A boolean value to ensure that you want to configure openidc Federation
|
||||
# using Keystone VirtualHost on port 35357.
|
||||
# (Optional) Defaults to false.
|
||||
#
|
||||
# [*main_port*]
|
||||
# A boolean value to ensure that you want to configure openidc Federation
|
||||
# using Keystone VirtualHost on port 5000.
|
||||
# (Optional) Defaults to true.
|
||||
#
|
||||
# [*template_order*]
|
||||
# This number indicates the order for the concat::fragment that will apply
|
||||
# the shibboleth configuration to Keystone VirtualHost. The value should
|
||||
|
@ -64,11 +54,20 @@
|
|||
# accepts latest or specific versions.
|
||||
# Defaults to present.
|
||||
#
|
||||
# [*keystone_public_url*]
|
||||
# (optional) URL to keystone public endpoint.
|
||||
# [*keystone_url*]
|
||||
# (optional) URL to keystone endpoint.
|
||||
#
|
||||
# [*keystone_admin_url*]
|
||||
# (optional) URL to keystone admin endpoint.
|
||||
# === DEPRECATED
|
||||
#
|
||||
# [*admin_port*]
|
||||
# A boolean value to ensure that you want to configure openidc Federation
|
||||
# using Keystone VirtualHost on port 35357.
|
||||
# (Optional) Defaults to undef.
|
||||
#
|
||||
# [*main_port*]
|
||||
# A boolean value to ensure that you want to configure openidc Federation
|
||||
# using Keystone VirtualHost on port 5000.
|
||||
# (Optional) Defaults to undef.
|
||||
#
|
||||
class keystone::federation::openidc (
|
||||
$methods,
|
||||
|
@ -79,20 +78,30 @@ class keystone::federation::openidc (
|
|||
$openidc_crypto_passphrase = 'openstack',
|
||||
$openidc_response_type = 'id_token',
|
||||
$remote_id_attribute = undef,
|
||||
$admin_port = false,
|
||||
$main_port = true,
|
||||
$template_order = 331,
|
||||
$package_ensure = present,
|
||||
$keystone_public_url = undef,
|
||||
$keystone_admin_url = undef,
|
||||
$keystone_url = undef,
|
||||
# DEPRECATED
|
||||
$admin_port = undef,
|
||||
$main_port = undef,
|
||||
) {
|
||||
|
||||
include ::apache
|
||||
include ::keystone::deps
|
||||
include ::keystone::params
|
||||
|
||||
$_keystone_public_url = pick($keystone_public_url, $::keystone::public_endpoint)
|
||||
$_keystone_admin_url = pick($keystone_admin_url, $::keystone::admin_endpoint)
|
||||
# TODO(tobias-urdin): Make keystone_url required when keystone::public_endpoint is removed.
|
||||
# Dont forget to change the keystone_url_real variable in the templates/openidc.conf.rb file.
|
||||
# The fail statement below can also be removed since keystone_url will be a required parameter.
|
||||
$keystone_url_real = pick($keystone_url, $::keystone::public_endpoint)
|
||||
|
||||
if $keystone_url_real == undef or is_service_default($keystone_url_real) {
|
||||
fail('You must set either keystone_url or keystone::public_endpoint')
|
||||
}
|
||||
|
||||
if $admin_port or $main_port {
|
||||
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
|
||||
}
|
||||
|
||||
# Note: if puppet-apache modify these values, this needs to be updated
|
||||
if $template_order <= 330 or $template_order >= 999 {
|
||||
|
@ -107,16 +116,9 @@ class keystone::federation::openidc (
|
|||
fail('Methods should contain openid as one of the auth methods.')
|
||||
}
|
||||
|
||||
validate_legacy(Boolean, 'validate_bool', $admin_port)
|
||||
validate_legacy(Boolean, 'validate_bool', $main_port)
|
||||
|
||||
if( !$admin_port and !$main_port){
|
||||
fail('No VirtualHost port to configure, please choose at least one.')
|
||||
}
|
||||
|
||||
keystone_config {
|
||||
'auth/methods': value => join(any2array($methods),',');
|
||||
'auth/openid': ensure => absent;
|
||||
'auth/openid': ensure => absent;
|
||||
}
|
||||
|
||||
if $remote_id_attribute {
|
||||
|
@ -130,15 +132,9 @@ class keystone::federation::openidc (
|
|||
tag => 'keystone-support-package',
|
||||
})
|
||||
|
||||
if $admin_port and $_keystone_admin_url {
|
||||
keystone::federation::openidc_httpd_configuration{ 'admin':
|
||||
keystone_endpoint => $_keystone_admin_url,
|
||||
}
|
||||
}
|
||||
|
||||
if $main_port and $_keystone_public_url {
|
||||
keystone::federation::openidc_httpd_configuration{ 'main':
|
||||
keystone_endpoint => $_keystone_public_url,
|
||||
}
|
||||
concat::fragment { 'configure_openidc_keystone':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
||||
content => template('keystone/openidc.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
}
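Review bot: The `$keystone_url_real == undef` half of the new guard looks unreachable. stdlib's `pick()` aborts the catalog itself when every argument is undef or empty, so the explicit `fail('You must set either keystone_url or keystone::public_endpoint')` can only fire for the service-default case. Switching to `$keystone_url_real = pick_default($keystone_url, $::keystone::public_endpoint)` keeps the intended message. Since this value is documented as the keystone endpoint for federation and presumably feeds the openidc.conf.erb template (not shown here), it would also be worth checking that it is an http(s) URL before use. The TODO above refers to `templates/openidc.conf.rb`, which probably should read `openidc.conf.erb`.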
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
# == define: keystone::federation::openidc_httpd_configuration [70/1473]
|
||||
# == define: keystone::federation::openidc_httpd_configuration
|
||||
#
|
||||
# DEPRECATED!
|
||||
#
|
||||
# == Parameters
|
||||
#
|
||||
|
@ -10,9 +12,6 @@
|
|||
define keystone::federation::openidc_httpd_configuration (
|
||||
$keystone_endpoint = undef
|
||||
) {
|
||||
concat::fragment { "configure_openidc_on_${title}":
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
|
||||
content => template('keystone/openidc.conf.erb'),
|
||||
order => $keystone::federation::openidc::template_order,
|
||||
}
|
||||
|
||||
warning('keystone::federation::openidc_httpd_configuration is deprecated')
|
||||
}
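Review bot: The define still accepts `keystone_endpoint` and any title, but its body now appears to be only the deprecation warning, so a manifest that declared it directly to put the openidc configuration on a vhost no longer gets that fragment. The message does not say so, and an operator could read "deprecated" as "still works". I would make the loss of function explicit, e.g. `warning('keystone::federation::openidc_httpd_configuration is deprecated and no longer manages any configuration; use keystone::federation::openidc')`. The `== Parameters` header should likewise note that `keystone_endpoint` is ignored.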
|
||||
|
|
|
@ -2,16 +2,6 @@
|
|||
#
|
||||
# == Parameters
|
||||
#
|
||||
# [*admin_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 35357.
|
||||
# (Optional) Defaults to false.
|
||||
#
|
||||
# [*main_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 5000.
|
||||
# (Optional) Defaults to true.
|
||||
#
|
||||
# [*methods*]
|
||||
# A list of methods used for authentication separated by comma or an array.
|
||||
# The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2'
|
||||
|
@ -47,6 +37,18 @@
|
|||
# require => Anchor['openstack_extras_redhat']
|
||||
# }
|
||||
#
|
||||
# === DEPRECATED
|
||||
#
|
||||
# [*admin_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 35357.
|
||||
# (Optional) Defaults to undef
|
||||
#
|
||||
# [*main_port*]
|
||||
# A boolean value to ensure that you want to configure K2K Federation
|
||||
# using Keystone VirtualHost on port 5000.
|
||||
# (Optional) Defaults to undef
|
||||
#
|
||||
# == Note about Redhat osfamily
|
||||
# According to puppet-apache we need to enable a new repo, but in puppet-openstack
|
||||
# we won't enable any external third party repo.
|
||||
|
@ -55,16 +57,21 @@
|
|||
#
|
||||
class keystone::federation::shibboleth(
|
||||
$methods,
|
||||
$admin_port = false,
|
||||
$main_port = true,
|
||||
$suppress_warning = false,
|
||||
$template_order = 331,
|
||||
$yum_repo_name = 'shibboleth',
|
||||
# DEPRECATED
|
||||
$admin_port = undef,
|
||||
$main_port = undef,
|
||||
) {
|
||||
|
||||
include ::apache
|
||||
include ::keystone::deps
|
||||
|
||||
if $admin_port or $main_port {
|
||||
warning('keystone::federation::shibboleth::admin_port and main_port are deprecated and have no effect')
|
||||
}
|
||||
|
||||
# Note: if puppet-apache modify these values, this needs to be updated
|
||||
if $template_order <= 330 or $template_order >= 999 {
|
||||
fail('The template order should be greater than 330 and less than 999.')
|
||||
|
@ -79,14 +86,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
|
|||
fail('Methods should contain saml2 as one of the auth methods.')
|
||||
}
|
||||
|
||||
validate_bool($admin_port)
|
||||
validate_bool($main_port)
|
||||
validate_bool($suppress_warning)
|
||||
|
||||
if( !$admin_port and !$main_port){
|
||||
fail('No VirtualHost port to configure, please choose at least one.')
|
||||
}
|
||||
|
||||
keystone_config {
|
||||
'auth/methods': value => join(any2array($methods),',');
|
||||
'auth/saml2': ensure => absent;
|
||||
|
@ -103,20 +104,10 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
|
|||
class { '::apache::mod::shib': }
|
||||
}
|
||||
|
||||
if $admin_port {
|
||||
concat::fragment { 'configure_shibboleth_on_port_35357':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf",
|
||||
content => template('keystone/shibboleth.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
}
|
||||
|
||||
if $main_port {
|
||||
concat::fragment { 'configure_shibboleth_on_port_5000':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf",
|
||||
content => template('keystone/shibboleth.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
concat::fragment { 'configure_shibboleth_keystone':
|
||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
||||
content => template('keystone/shibboleth.conf.erb'),
|
||||
order => $template_order,
|
||||
}
|
||||
} elsif $::osfamily == 'Redhat' {
|
||||
if !$suppress_warning {
|
||||
|
|
|
@ -9,12 +9,12 @@ class keystone::params {
|
|||
} else {
|
||||
$pyvers = ''
|
||||
}
|
||||
|
||||
$client_package_name = "python${pyvers}-keystoneclient"
|
||||
$keystone_user = 'keystone'
|
||||
$keystone_group = 'keystone'
|
||||
$keystone_wsgi_admin_script_path = '/usr/bin/keystone-wsgi-admin'
|
||||
$keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public'
|
||||
$group = 'keystone'
|
||||
$group = 'keystone'
|
||||
|
||||
case $::osfamily {
|
||||
'Debian': {
|
||||
$package_name = 'keystone'
|
||||
|
|
|
@ -14,32 +14,16 @@
|
|||
# (Optional) The servername for the virtualhost.
|
||||
# Defaults to $::fqdn
|
||||
#
|
||||
# [*servername_admin*]
|
||||
# (Optional) The servername for the admin virtualhost.
|
||||
# Defaults to $servername
|
||||
#
|
||||
# [*public_port*]
|
||||
# (Optional) The public port.
|
||||
# Defaults to 5000
|
||||
#
|
||||
# [*admin_port*]
|
||||
# (Optional) The admin port.
|
||||
# Defaults to 35357
|
||||
#
|
||||
# [*bind_host*]
|
||||
# (Optional) The host/ip address Apache will listen on.
|
||||
# Defaults to undef (listen on all ip addresses)
|
||||
#
|
||||
# [*admin_bind_host*]
|
||||
# (Optional) The host/ip address Apache will listen on for admin API connections.
|
||||
# Defaults to undef or bind_host if only that setting is used
|
||||
# [*api_port*]
|
||||
# (Optional) The keystone API port.
|
||||
# Defaults to 5000
|
||||
#
|
||||
# [*public_path*]
|
||||
# (Optional) The prefix for the public endpoint.
|
||||
# Defaults to '/'
|
||||
#
|
||||
# [*admin_path*]
|
||||
# (Optional) The prefix for the admin endpoint.
|
||||
# [*path*]
|
||||
# (Optional) The prefix for the API endpoint.
|
||||
# Defaults to '/'
|
||||
#
|
||||
# [*ssl*]
|
||||
|
@ -58,14 +42,6 @@
|
|||
# (Optional) Path to SSL key
|
||||
# Default to apache::vhost 'ssl_*' defaults
|
||||
#
|
||||
# [*ssl_cert_admin*]
|
||||
# (Optional) Path to SSL certificate for the admin endpoint.
|
||||
# Default to apache::vhost 'ssl_*' defaults
|
||||
#
|
||||
# [*ssl_key_admin*]
|
||||
# (Optional) Path to SSL key for the admin endpoint.
|
||||
# Default to apache::vhost 'ssl_*' defaults
|
||||
#
|
||||
# [*ssl_chain*]
|
||||
# (Optional) SSL chain.
|
||||
# Default to apache::vhost 'ssl_*' defaults
|
||||
|
@ -103,34 +79,19 @@
|
|||
# script when the equivalent HTTP request headers are present.
|
||||
# Defaults to 'On'
|
||||
#
|
||||
# [*wsgi_admin_script_source*]
|
||||
# (Optional) Wsgi script source for the admin endpoint. If set to undef
|
||||
# $::keystone::params::keystone_wsgi_admin_script_path is used. This source
|
||||
# is copied to the apache cgi-bin path as keystone-admin.
|
||||
# Defaults to undef
|
||||
# [*wsgi_script_source*]
|
||||
# (Optional) The wsgi script source for the API.
|
||||
# This source is copied to the apache cgi-bin path as keystone-public.
|
||||
# Defaults to '/usr/bin/keystone-wsgi-public'
|
||||
#
|
||||
# [*wsgi_public_script_source*]
|
||||
# (Optional) Wsgi script source for the public endpoint. If set to undef
|
||||
# $::keystone::params::keystone_wsgi_public_script_path is used. This source
|
||||
# is copied to the apache cgi-bin path as keystone-main.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*custom_wsgi_process_options_main*]
|
||||
# [*custom_wsgi_process_options*]
|
||||
# (Optional) gives you the oportunity to add custom process options or to
|
||||
# overwrite the default options for the WSGI main process.
|
||||
# overwrite the default options for the WSGI process.
|
||||
# For example to use a virtual python environment for the WSGI process
|
||||
# you could set it to:
|
||||
# { python-path => '/my/python/virtualenv' }
|
||||
# Defaults to {}
|
||||
#
|
||||
# [*custom_wsgi_process_options_admin*]
|
||||
# (Optional) gives you the oportunity to add custom process options or to
|
||||
# overwrite the default options for the WSGI admin process.
|
||||
# eg. to use a virtual python environment for the WSGI process
|
||||
# you could set it to:
|
||||
# { python-path => '/my/python/virtualenv' }
|
||||
# Defaults to {}
|
||||
#
|
||||
# [*access_log_file*]
|
||||
# (Optional) The log file name for the virtualhost.
|
||||
# Defaults to false
|
||||
|
@ -172,21 +133,77 @@
|
|||
# (Optional) apache::vhost wsgi_chunked_request parameter.
|
||||
# Defaults to undef
|
||||
#
|
||||
## DEPRECATED PARAMS
|
||||
#
|
||||
# [*servername_admin*]
|
||||
# (Optional) The servername for the admin virtualhost.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*public_port*]
|
||||
# (Optional) The public port.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*admin_port*]
|
||||
# (Optional) The admin port.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*admin_bind_host*]
|
||||
# (Optional) The host/ip address Apache will listen on for admin API connections.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*public_path*]
|
||||
# (Optional) The prefix for the public endpoint.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*admin_path*]
|
||||
# (Optional) The prefix for the admin endpoint.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ssl_cert_admin*]
|
||||
# (Optional) Path to SSL certificate for the admin endpoint.
|
||||
# Default to undef
|
||||
#
|
||||
# [*ssl_key_admin*]
|
||||
# (Optional) Path to SSL key for the admin endpoint.
|
||||
# Default to undef
|
||||
#
|
||||
# [*wsgi_admin_script_source*]
|
||||
# (Optional) Wsgi script source for the admin endpoint. If set to undef
|
||||
# $::keystone::params::keystone_wsgi_admin_script_path is used. This source
|
||||
# is copied to the apache cgi-bin path as keystone-admin.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*wsgi_public_script_source*]
|
||||
# (Optional) Wsgi script source for the public endpoint. If set to undef
|
||||
# $::keystone::params::keystone_wsgi_public_script_path is used. This source
|
||||
# is copied to the apache cgi-bin path as keystone-main.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*custom_wsgi_process_options_main*]
|
||||
# (Optional) gives you the oportunity to add custom process options or to
|
||||
# overwrite the default options for the WSGI main process.
|
||||
# For example to use a virtual python environment for the WSGI process
|
||||
# you could set it to:
|
||||
# { python-path => '/my/python/virtualenv' }
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*custom_wsgi_process_options_admin*]
|
||||
# (Optional) gives you the oportunity to add custom process options or to
|
||||
# overwrite the default options for the WSGI admin process.
|
||||
# eg. to use a virtual python environment for the WSGI process
|
||||
# you could set it to:
|
||||
# { python-path => '/my/python/virtualenv' }
|
||||
# Defaults to undef
|
||||
#
|
||||
class keystone::wsgi::apache (
|
||||
$servername = $::fqdn,
|
||||
$servername_admin = undef,
|
||||
$public_port = 5000,
|
||||
$admin_port = 35357,
|
||||
$bind_host = undef,
|
||||
$admin_bind_host = undef,
|
||||
$public_path = '/',
|
||||
$admin_path = '/',
|
||||
$api_port = 5000,
|
||||
$path = '/',
|
||||
$ssl = true,
|
||||
$workers = $::os_workers,
|
||||
$ssl_cert = undef,
|
||||
$ssl_key = undef,
|
||||
$ssl_cert_admin = undef,
|
||||
$ssl_key_admin = undef,
|
||||
$ssl_chain = undef,
|
||||
$ssl_ca = undef,
|
||||
$ssl_crl_path = undef,
|
||||
|
@ -197,8 +214,7 @@ class keystone::wsgi::apache (
|
|||
$wsgi_application_group = '%{GLOBAL}',
|
||||
$wsgi_pass_authorization = 'On',
|
||||
$wsgi_chunked_request = undef,
|
||||
$wsgi_admin_script_source = $::keystone::params::keystone_wsgi_admin_script_path,
|
||||
$wsgi_public_script_source = $::keystone::params::keystone_wsgi_public_script_path,
|
||||
$wsgi_script_source = '/usr/bin/keystone-wsgi-public',
|
||||
$access_log_file = false,
|
||||
$access_log_pipe = false,
|
||||
$access_log_syslog = false,
|
||||
|
@ -208,23 +224,51 @@ class keystone::wsgi::apache (
|
|||
$error_log_syslog = undef,
|
||||
$headers = undef,
|
||||
$vhost_custom_fragment = undef,
|
||||
$custom_wsgi_process_options_main = {},
|
||||
$custom_wsgi_process_options_admin = {},
|
||||
$custom_wsgi_process_options = {},
|
||||
## DEPRECATED PARAMS
|
||||
$servername_admin = undef,
|
||||
$public_port = undef,
|
||||
$admin_port = undef,
|
||||
$admin_bind_host = undef,
|
||||
$public_path = undef,
|
||||
$admin_path = undef,
|
||||
$ssl_cert_admin = undef,
|
||||
$ssl_key_admin = undef,
|
||||
$wsgi_admin_script_source = undef,
|
||||
$wsgi_public_script_source = undef,
|
||||
$custom_wsgi_process_options_main = undef,
|
||||
$custom_wsgi_process_options_admin = undef,
|
||||
) inherits ::keystone::params {
|
||||
|
||||
include ::keystone::deps
|
||||
|
||||
$servername_admin_real = pick_default($servername_admin, $servername)
|
||||
|
||||
if $ssl {
|
||||
# Attempt to use the admin cert/key, else default to the public one.
|
||||
# Since it's possible that no cert/key were given, we allow this to be empty with pick_default
|
||||
$ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert)
|
||||
$ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key)
|
||||
} else {
|
||||
$ssl_cert_admin_real = undef
|
||||
$ssl_key_admin_real = undef
|
||||
# TODO(tobias-urdin): Remove all deprecated parameters and this warnings in Train release.
|
||||
if $servername_admin {
|
||||
warning('keystone::wsgi::apache::servername_admin has no effect, please use servername')
|
||||
}
|
||||
if $public_port or $admin_port {
|
||||
warning('keystone::wsgi::apache::public_port and admin_port has no effect, please use api_port')
|
||||
}
|
||||
if $admin_bind_host {
|
||||
warning('keystone::wsgi::apache::admin_bind_host has no effect, please use bind_host')
|
||||
}
|
||||
if $public_path or $admin_path {
|
||||
warning('keystone::wsgi::apache::public_path and admin_path has no effect, please use path')
|
||||
}
|
||||
if $ssl_cert_admin or $ssl_key_admin {
|
||||
warning('keystone::wsgi::apache::ssl_cert_admin and ssl_key_admin has no effect, please use ssl_cert and ssl_key')
|
||||
}
|
||||
if $wsgi_admin_script_source or $wsgi_public_script_source {
|
||||
warning('keystone::wsgi::apache::wsgi_admin_script_source and wsgi_public_script_source has no effect, please use wsgi_script_source')
|
||||
}
|
||||
if $custom_wsgi_process_options_main or $custom_wsgi_process_options_admin {
|
||||
warning('keystone::wsgi::apache::custom_wsgi_process_options_main and custom_wsgi_process_options_admin has no effect, \
|
||||
please use custom_wsgi_process_options')
|
||||
}
|
||||
|
||||
# TODO(tobias-urdin): This dependency chaining can be moved to keystone::deps
|
||||
# when we have cleaned up some old eventlet code and users are forced to use
|
||||
# apache even though it's pretty much enforced today.
|
||||
|
||||
# The httpd package is untagged, but needs to have ordering enforced,
|
||||
# so handle it here rather than in the deps class.
|
||||
|
@ -246,61 +290,15 @@ class keystone::wsgi::apache (
|
|||
Anchor['keystone::config::end']
|
||||
~> Service['httpd']
|
||||
|
||||
# Ensure there's no trailing '/' except if this is also the only character
|
||||
$public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
|
||||
$admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
|
||||
|
||||
if $public_port == $admin_port and $public_path_real == $admin_path_real {
|
||||
fail('When using the same port for public and admin endpoints, public_path and admin_path should be different.')
|
||||
}
|
||||
|
||||
file { $::keystone::params::keystone_wsgi_script_path:
|
||||
ensure => directory,
|
||||
owner => 'keystone',
|
||||
group => 'keystone',
|
||||
mode => '0755',
|
||||
require => Anchor['keystone::install::end'],
|
||||
}
|
||||
|
||||
if $public_port == $admin_port {
|
||||
$custom_wsgi_script_aliases = { $admin_path_real => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin" }
|
||||
|
||||
# NOTE(tobasco): Create this here since openstacklib::wsgi::apache only handles
|
||||
# the keystone-public file if running public and admin on the same port.
|
||||
file { 'keystone_wsgi_admin':
|
||||
ensure => present,
|
||||
path => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin",
|
||||
owner => 'keystone',
|
||||
group => 'keystone',
|
||||
mode => '0644',
|
||||
source => $wsgi_admin_script_source,
|
||||
require => File[$::keystone::params::keystone_wsgi_script_path],
|
||||
}
|
||||
|
||||
$apache_require = [
|
||||
File['keystone_wsgi_admin'],
|
||||
]
|
||||
} else {
|
||||
$custom_wsgi_script_aliases = undef
|
||||
$apache_require = []
|
||||
}
|
||||
|
||||
if $admin_bind_host {
|
||||
$real_admin_bind_host = $admin_bind_host
|
||||
} else {
|
||||
# backwards compat before we had admin_bind_host
|
||||
$real_admin_bind_host = $bind_host
|
||||
}
|
||||
|
||||
::openstacklib::wsgi::apache { 'keystone_wsgi_main':
|
||||
::openstacklib::wsgi::apache { 'keystone_wsgi':
|
||||
servername => $servername,
|
||||
bind_host => $bind_host,
|
||||
bind_port => $public_port,
|
||||
group => 'keystone',
|
||||
path => $public_path_real,
|
||||
bind_port => $api_port,
|
||||
group => $::keystone::params::keystone_group,
|
||||
path => $path,
|
||||
workers => $workers,
|
||||
threads => $threads,
|
||||
user => 'keystone',
|
||||
user => $::keystone::params::keystone_user,
|
||||
priority => $priority,
|
||||
ssl => $ssl,
|
||||
ssl_cert => $ssl_cert,
|
||||
|
@ -310,18 +308,17 @@ class keystone::wsgi::apache (
|
|||
ssl_crl_path => $ssl_crl_path,
|
||||
ssl_crl => $ssl_crl,
|
||||
ssl_certs_dir => $ssl_certs_dir,
|
||||
wsgi_daemon_process => 'keystone_main',
|
||||
wsgi_process_display_name => 'keystone-main',
|
||||
wsgi_process_group => 'keystone_main',
|
||||
wsgi_daemon_process => 'keystone',
|
||||
wsgi_process_display_name => 'keystone',
|
||||
wsgi_process_group => 'keystone',
|
||||
wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path,
|
||||
wsgi_script_file => 'keystone-public',
|
||||
wsgi_script_source => $wsgi_public_script_source,
|
||||
wsgi_script_file => 'keystone',
|
||||
wsgi_script_source => $wsgi_script_source,
|
||||
wsgi_application_group => $wsgi_application_group,
|
||||
wsgi_pass_authorization => $wsgi_pass_authorization,
|
||||
wsgi_chunked_request => $wsgi_chunked_request,
|
||||
headers => $headers,
|
||||
custom_wsgi_process_options => $custom_wsgi_process_options_main,
|
||||
custom_wsgi_script_aliases => $custom_wsgi_script_aliases,
|
||||
custom_wsgi_process_options => $custom_wsgi_process_options,
|
||||
vhost_custom_fragment => $vhost_custom_fragment,
|
||||
access_log_file => $access_log_file,
|
||||
access_log_pipe => $access_log_pipe,
|
||||
|
@ -330,47 +327,5 @@ class keystone::wsgi::apache (
|
|||
error_log_file => $error_log_file,
|
||||
error_log_pipe => $error_log_pipe,
|
||||
error_log_syslog => $error_log_syslog,
|
||||
require => $apache_require,
|
||||
}
|
||||
|
||||
if $public_port != $admin_port {
|
||||
::openstacklib::wsgi::apache { 'keystone_wsgi_admin':
|
||||
servername => $servername_admin_real,
|
||||
bind_host => $real_admin_bind_host,
|
||||
bind_port => $admin_port,
|
||||
group => 'keystone',
|
||||
path => $admin_path_real,
|
||||
workers => $workers,
|
||||
threads => $threads,
|
||||
user => 'keystone',
|
||||
priority => $priority,
|
||||
ssl => $ssl,
|
||||
ssl_cert => $ssl_cert_admin_real,
|
||||
ssl_key => $ssl_key_admin_real,
|
||||
ssl_chain => $ssl_chain,
|
||||
ssl_ca => $ssl_ca,
|
||||
ssl_crl_path => $ssl_crl_path,
|
||||
ssl_crl => $ssl_crl,
|
||||
ssl_certs_dir => $ssl_certs_dir,
|
||||
wsgi_daemon_process => 'keystone_admin',
|
||||
wsgi_process_display_name => 'keystone-admin',
|
||||
wsgi_process_group => 'keystone_admin',
|
||||
wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path,
|
||||
wsgi_script_file => 'keystone-admin',
|
||||
wsgi_script_source => $wsgi_admin_script_source,
|
||||
wsgi_application_group => $wsgi_application_group,
|
||||
wsgi_pass_authorization => $wsgi_pass_authorization,
|
||||
custom_wsgi_process_options => $custom_wsgi_process_options_admin,
|
||||
vhost_custom_fragment => $vhost_custom_fragment,
|
||||
wsgi_chunked_request => $wsgi_chunked_request,
|
||||
headers => $headers,
|
||||
access_log_file => $access_log_file,
|
||||
access_log_pipe => $access_log_pipe,
|
||||
access_log_syslog => $access_log_syslog,
|
||||
access_log_format => $access_log_format,
|
||||
error_log_file => $error_log_file,
|
||||
error_log_pipe => $error_log_pipe,
|
||||
error_log_syslog => $error_log_syslog,
|
||||
}
|
||||
}
|
||||
}
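Review bot: The deprecation block only warns when `admin_bind_host`, `ssl_cert_admin`/`ssl_key_admin` or `admin_port` are still set, and then ignores them. A deployment that kept the admin listener on an internal address or behind its own certificate ends up serving every API call from the single `keystone_wsgi` vhost on `bind_host`, which is documented as undef (listen on all addresses). For the settings that change exposure I would say so in the message, e.g. `warning('keystone::wsgi::apache::admin_bind_host has no effect; keystone now listens only on bind_host/api_port, review bind_host and firewall rules')`, and repeat it in the upgrade notes. Separately, the last warning continues a single-quoted string with a trailing `\`. Puppet single-quoted strings only escape `\\` and `\'`, so the backslash and line break will most likely end up in the logged text; keep that string on one line.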
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
---
|
||||
prelude: >
|
||||
This release puppet-keystone no longer deploys keystone with separated
|
||||
ports (admin and public as they were called in v2.0). By default keystone
|
||||
will only listen to port 5000, you need to make sure all your services are
|
||||
configured to use the correct port to talk to keystone.
|
||||
features:
|
||||
- |
|
||||
Added new parameter keystone::federation::openidc::keystone_url that can be
|
||||
used to set the keystone url for federation, if not provided it will use
|
||||
keystone::public_endpoint.
|
||||
upgrade:
|
||||
- |
|
||||
Keystone is now deployed with only port 5000, you can change this with
|
||||
keystone::wsgi::apache::api_port, you need to make sure all your services are
|
||||
configured to talk to keystone on this port. If you want to keep backward
|
||||
compatibility with port 35357 you should pass an array to api_port with
|
||||
both port 35357 and 5000.
|
||||
- |
|
||||
The providers has been updated to read DEFAULT/public_port which defaults
|
||||
to 5000 and use that port to talk to Keystone when managing resources.
|
||||
You need to make sure that keystone::public_port and keystone::wsgi::apache::api_port
|
||||
is set to the same value if you are deploying keystone with Apache WSGI.
|
||||
- |
|
||||
keystone::federation::mellon is now added to Keystone WSGI for port 5000 by
|
||||
default and admin_port and main_port parameters does not do anything and is
|
||||
deprecated.
|
||||
- |
|
||||
keystone::federation::shibboleth is now added to Keystone WSGI for port 5000
|
||||
by default and admin_port and main_port parameters does not do anything and is
|
||||
deprecated.
|
||||
- |
|
||||
keystone::federation::openidc is now added to Keystone WSGI for port 5000
|
||||
by default and admin_port and main_port parameters does not do anything and is
|
||||
deprecated.
|
||||
- |
|
||||
keystone::federation::openidc::keystone_url parameter has been added to give the
|
||||
keystone endpoint, if it's not provided keystone::public_endpoint will be used.
|
||||
We recommend that you set this since keystone::public_endpoint might be deprecated
|
||||
in a future release.
|
||||
deprecations:
|
||||
- |
|
||||
As of the removal of port 35357 the following parameters are deprecated
|
||||
in the keystone::wsgi::apache class and has no effect:
|
||||
|
||||
- ``servername_admin`` please use ``servername``
|
||||
- ``public_port`` and ``admin_port`` please use ``api_port``
|
||||
- ``admin_bind_host`` please use ``bind_host``
|
||||
- ``public_path`` and ``admin_path`` please use ``path``
|
||||
- ``ssl_cert_admin`` and ``ssl_key_admin`` please use ``ssl_cert`` and ``ssl_key``
|
||||
- ``wsgi_admin_script_source`` and ``wsgi_public_script_source`` please use ``wsgi_script_source``
|
||||
- ``custom_wsgi_process_options_main`` and ``custom_wsgi_process_options_admin`` please use ``custom_wsgi_process_options``
|
||||
- |
|
||||
keystone::federation::mellon::admin_port and main_port is deprecated and has no effect
|
||||
and will be removed in a future release.
|
||||
- |
|
||||
keystone::federation::shibboleth::admin_port and main_port is deprecated and has no effect
|
||||
and will be removed in a future release.
|
||||
- |
|
||||
keystone::federation::openidc::admin_port and main_port is deprecated and has no effect
|
||||
and will be removed in a future release.
|
||||
- |
|
||||
keystone::federation::openidc_httpd_configuration is deprecated and will be removed in
|
||||
a future release.
|
|
@ -83,10 +83,6 @@ describe 'keystone server running with Apache/WSGI as Identity Provider' do
|
|||
it { is_expected.to be_listening }
|
||||
end
|
||||
|
||||
describe port(35357) do
|
||||
it { is_expected.to be_listening }
|
||||
end
|
||||
|
||||
describe cron do
|
||||
it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
|
||||
end
|
||||
|
|
|
@ -81,10 +81,6 @@ describe 'keystone server running with Apache/WSGI as Service Provider with Shib
|
|||
it { is_expected.to be_listening }
|
||||
end
|
||||
|
||||
describe port(35357) do
|
||||
it { is_expected.to be_listening }
|
||||
end
|
||||
|
||||
describe cron do
|
||||
it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
|
||||
end
|
||||
|
|
|
@ -77,10 +77,6 @@ describe 'keystone server running with Apache/WSGI with resources' do
|
|||
it { is_expected.to be_listening }
|
||||
end
|
||||
|
||||
describe port(35357) do
|
||||
it { is_expected.to be_listening }
|
||||
end
|
||||
|
||||
describe cron do
|
||||
it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
|
||||
end
|
||||
|
|
|
@ -29,12 +29,6 @@ describe 'keystone::federation::mellon' do
|
|||
it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
|
||||
end
|
||||
|
||||
before do
|
||||
params.merge!({:admin_port => false,
|
||||
:main_port => false})
|
||||
it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./
|
||||
end
|
||||
|
||||
before do
|
||||
params.merge!({:template_port => 330})
|
||||
it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./
|
||||
|
@ -53,33 +47,9 @@ describe 'keystone::federation::mellon' do
|
|||
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
|
||||
end
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({
|
||||
# This need to change if priority is changed in keystone::wsgi::apache
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
|
||||
context 'with override default parameters' do
|
||||
before do
|
||||
params.merge!({
|
||||
:admin_port => true })
|
||||
end
|
||||
|
||||
it 'should have basic params for mellon in Keystone configuration' do
|
||||
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
|
||||
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
|
||||
end
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
|
||||
# This need to change if priority is changed in keystone::wsgi::apache
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_35357').with({
|
||||
# This need to change if priority is changed in keystone::wsgi::apache
|
||||
:target => "10-keystone_wsgi_admin.conf",
|
||||
:target => "10-keystone_wsgi.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
|
@ -105,8 +75,8 @@ describe 'keystone::federation::mellon' do
|
|||
is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/')
|
||||
end
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({
|
||||
:target => "10-keystone_wsgi.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
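Review bot: Nothing on the new side of this spec passes the deprecated `admin_port` or `main_port` any more, so the "deprecated and has no effect" behaviour stated in the release note is untested for `keystone::federation::mellon`; the openidc and shibboleth spec sections have the same gap. A small context that merges `:admin_port => true` into `params` and expects `is_expected.to contain_concat__fragment('configure_mellon_keystone')` together with `is_expected.to_not contain_concat__fragment('configure_mellon_on_port_35357')` would pin it. That guards against a fragment still targeting the removed `10-keystone_wsgi_admin.conf`, which would presumably either fail catalog compilation or leave the SAML configuration unattached to the vhost. The describe block starts and ends outside these hunks.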
|
||||
|
|
|
@ -35,12 +35,6 @@ describe 'keystone::federation::openidc' do
|
|||
it_raises 'a Puppet::Error', /Methods should contain openid as one of the auth methods./
|
||||
end
|
||||
|
||||
before do
|
||||
params.merge!(:admin_port => false,
|
||||
:main_port => false)
|
||||
it_raises 'a Puppet:Error', /No VirtualHost port to configure, please choose at least one./
|
||||
end
|
||||
|
||||
before do
|
||||
params.merge!(:template_port => 330)
|
||||
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
|
||||
|
@ -77,31 +71,8 @@ describe 'keystone::federation::openidc' do
|
|||
is_expected.to contain_keystone_config('auth/openid').with_ensure('absent')
|
||||
end
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
|
||||
context 'with override default parameters' do
|
||||
before do
|
||||
params.merge!({
|
||||
:admin_port => true,
|
||||
})
|
||||
end
|
||||
|
||||
it 'should have basic params for openidc in Keystone configuration' do
|
||||
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openid')
|
||||
is_expected.to contain_keystone_config('auth/openid').with_ensure('absent')
|
||||
end
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_openidc_on_admin').with({
|
||||
:target => "10-keystone_wsgi_admin.conf",
|
||||
it { is_expected.to contain_concat__fragment('configure_openidc_keystone').with({
|
||||
:target => "10-keystone_wsgi.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
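Review bot: The release note in this commit announces a new `keystone::federation::openidc::keystone_url` parameter that falls back to `keystone::public_endpoint`, but neither hunk of this spec adds an example for it. I would add one context that sets it, e.g. `params.merge!(:keystone_url => 'https://keystone.example.test:5000')` (constructed value), and checks the content of the `configure_openidc_keystone` fragment for that URL, plus one that leaves it unset to cover the fallback. The value presumably ends up in the OpenID Connect vhost configuration, so a wrong or empty fallback would be an authentication misconfiguration worth catching at catalog level. The describe block starts and ends outside these hunks.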
|
||||
|
|
|
@ -27,12 +27,6 @@ describe 'keystone::federation::shibboleth' do
|
|||
it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
|
||||
end
|
||||
|
||||
context 'no ports' do
|
||||
let (:params) { default_params.merge(:admin_port => false,
|
||||
:main_port => false) }
|
||||
it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./
|
||||
end
|
||||
|
||||
context 'template port too low' do
|
||||
let(:params) { default_params.merge(:template_order => 330) }
|
||||
it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./
|
||||
|
@ -85,30 +79,16 @@ describe 'keystone::federation::shibboleth' do
|
|||
end
|
||||
|
||||
context 'with defaults' do
|
||||
|
||||
let (:params) { default_params }
|
||||
|
||||
it { is_expected.to contain_apache__mod('shib2') }
|
||||
it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
|
||||
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
|
||||
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({
|
||||
:target => "10-keystone_wsgi.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
context 'with overrides' do
|
||||
let (:params) { default_params.merge({
|
||||
:admin_port => true,
|
||||
:template_order => 332
|
||||
}) }
|
||||
|
||||
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
|
||||
it {is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
|
||||
it {
|
||||
is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
|
||||
:target => "10-keystone_wsgi_admin.conf",
|
||||
:order => params[:template_order],
|
||||
})
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
@ -126,45 +106,22 @@ describe 'keystone::federation::shibboleth' do
|
|||
let (:params) { default_params }
|
||||
|
||||
it { is_expected.to contain_apache__mod('shib2') }
|
||||
it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
|
||||
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
|
||||
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({
|
||||
:target => "10-keystone_wsgi.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
context 'with overrides' do
|
||||
let (:params) { default_params.merge({
|
||||
:admin_port => true,
|
||||
:template_order => 332
|
||||
}) }
|
||||
|
||||
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
|
||||
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
|
||||
it {
|
||||
is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
|
||||
:target => "10-keystone_wsgi_admin.conf",
|
||||
:order => params[:template_order],
|
||||
})
|
||||
}
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context 'without repo or package' do
|
||||
context 'with defaults' do
|
||||
let (:params) { default_params }
|
||||
it { is_expected.to_not contain_apache__mod('shib2') }
|
||||
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_5000') }
|
||||
end
|
||||
|
||||
context 'with overrides' do
|
||||
let (:params) { default_params.merge({
|
||||
:admin_port => true,
|
||||
:template_order => 332
|
||||
}) }
|
||||
|
||||
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
|
||||
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
|
||||
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') }
|
||||
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_keystone') }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -174,8 +131,8 @@ describe 'keystone::federation::shibboleth' do
|
|||
let (:params) { default_params }
|
||||
|
||||
it { is_expected.to contain_apache__mod('shib2') }
|
||||
it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({
|
||||
:target => "10-keystone_wsgi.conf",
|
||||
:order => params[:template_order],
|
||||
})}
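Review bot: With the 'with overrides' contexts removed (judging by the line counts of the hunks at -85,30 and -126,45), the examples left on the new side appear to run only with the default `template_order`, so `:order => params[:template_order]` is no longer checked against a non-default value. Keeping one override context reduced to `let (:params) { default_params.merge({ :template_order => 332 }) }` with the `configure_shibboleth_keystone` expectation would retain that coverage without referring to port 35357. The describe block starts and ends outside these hunks.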
|
||||
|
||||
|
|
|
@ -2,87 +2,24 @@ require 'spec_helper'
|
|||
|
||||
describe 'keystone::wsgi::apache' do
|
||||
|
||||
let :global_facts do
|
||||
{
|
||||
:os_workers => 8,
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld'
|
||||
}
|
||||
end
|
||||
|
||||
let :pre_condition do
|
||||
[
|
||||
'class { keystone: admin_token => "dummy", service_name => "httpd", enable_ssl => true }'
|
||||
]
|
||||
"class { '::keystone':
|
||||
admin_token => 'dummy',
|
||||
service_name => 'httpd',
|
||||
enable_ssl => true,
|
||||
}"
|
||||
end
|
||||
|
||||
shared_examples_for 'apache serving keystone with mod_wsgi' do
|
||||
it { is_expected.to contain_service('httpd').with_name(platform_params[:httpd_service_name]) }
|
||||
it { is_expected.to contain_class('keystone::params') }
|
||||
it { is_expected.to contain_class('apache') }
|
||||
it { is_expected.to contain_class('apache::mod::wsgi') }
|
||||
it { is_expected.to contain_class('apache::mod::ssl') }
|
||||
it { is_expected.to contain_class('keystone::db::sync') }
|
||||
shared_examples 'keystone::wsgi::apache' do
|
||||
context 'with default parameters' do
|
||||
it {
|
||||
should contain_class('keystone::params')
|
||||
should contain_class('keystone::deps')
|
||||
}
|
||||
|
||||
describe 'with default parameters' do
|
||||
|
||||
it { is_expected.to contain_file("#{platform_params[:wsgi_script_path]}").with(
|
||||
:ensure => 'directory',
|
||||
:owner => 'keystone',
|
||||
:group => 'keystone',
|
||||
:require => 'Anchor[keystone::install::end]',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_file('keystone_wsgi_admin').with(
|
||||
:ensure => 'file',
|
||||
:path => "#{platform_params[:wsgi_script_path]}/keystone-admin",
|
||||
:source => platform_params[:wsgi_admin_script_source],
|
||||
:owner => 'keystone',
|
||||
:group => 'keystone',
|
||||
:mode => '0644',
|
||||
:require => "File[#{platform_params[:wsgi_script_path]}]",
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_file('keystone_wsgi_main').with(
|
||||
:ensure => 'file',
|
||||
:path => "#{platform_params[:wsgi_script_path]}/keystone-public",
|
||||
:source => platform_params[:wsgi_public_script_source],
|
||||
:owner => 'keystone',
|
||||
:group => 'keystone',
|
||||
:mode => '0644',
|
||||
:require => "File[#{platform_params[:wsgi_script_path]}]",
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:servername => 'some.host.tld',
|
||||
:bind_port => 35357,
|
||||
:group => 'keystone',
|
||||
:workers => facts[:os_workers],
|
||||
:threads => 1,
|
||||
:user => 'keystone',
|
||||
:priority => '10',
|
||||
:ssl => true,
|
||||
:wsgi_daemon_process => 'keystone_main',
|
||||
:wsgi_process_display_name => 'keystone-main',
|
||||
:wsgi_process_group => 'keystone_main',
|
||||
:wsgi_application_group => '%{GLOBAL}',
|
||||
:wsgi_script_dir => platform_params[:wsgi_script_path],
|
||||
:wsgi_script_file => 'keystone-public',
|
||||
:wsgi_pass_authorization => 'On',
|
||||
:headers => nil,
|
||||
:custom_wsgi_process_options => {},
|
||||
:access_log_file => false,
|
||||
:access_log_pipe => false,
|
||||
:access_log_syslog => false,
|
||||
:access_log_format => false,
|
||||
:error_log_file => nil,
|
||||
:error_log_pipe => nil,
|
||||
:error_log_syslog => nil,
|
||||
:require => 'File[keystone_wsgi_main]',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:servername => 'some.host.tld',
|
||||
:bind_host => nil,
|
||||
:bind_port => 5000,
|
||||
:group => 'keystone',
|
||||
:workers => facts[:os_workers],
|
||||
|
@ -90,12 +27,13 @@ describe 'keystone::wsgi::apache' do
|
|||
:user => 'keystone',
|
||||
:priority => '10',
|
||||
:ssl => true,
|
||||
:wsgi_daemon_process => 'keystone_admin',
|
||||
:wsgi_process_display_name => 'keystone-admin',
|
||||
:wsgi_process_group => 'keystone_admin',
|
||||
:wsgi_daemon_process => 'keystone',
|
||||
:wsgi_process_display_name => 'keystone',
|
||||
:wsgi_process_group => 'keystone',
|
||||
:wsgi_application_group => '%{GLOBAL}',
|
||||
:wsgi_script_dir => platform_params[:wsgi_script_path],
|
||||
:wsgi_script_file => 'keystone-admin',
|
||||
:wsgi_script_file => 'keystone',
|
||||
:wsgi_script_source => '/usr/bin/keystone-wsgi-public',
|
||||
:wsgi_pass_authorization => 'On',
|
||||
:headers => nil,
|
||||
:custom_wsgi_process_options => {},
|
||||
|
@ -106,402 +44,170 @@ describe 'keystone::wsgi::apache' do
|
|||
:error_log_file => nil,
|
||||
:error_log_pipe => nil,
|
||||
:error_log_syslog => nil,
|
||||
:require => 'File[keystone_wsgi_admin]',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") }
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using different ports' do
|
||||
context 'when overriding parameters' do
|
||||
let :params do
|
||||
{
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '10.42.51.1',
|
||||
:admin_bind_host => '10.42.51.2',
|
||||
:public_port => 12345,
|
||||
:admin_port => 4142,
|
||||
:ssl => false,
|
||||
:workers => 37,
|
||||
:vhost_custom_fragment => 'LimitRequestFieldSize 81900'
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '127.0.0.1',
|
||||
:api_port => 1234,
|
||||
:path => '/keystone',
|
||||
:ssl => false,
|
||||
:workers => 10,
|
||||
:ssl_cert => 'ssl cert',
|
||||
:ssl_key => 'ssl key',
|
||||
:ssl_chain => 'ssl chain',
|
||||
:ssl_ca => 'ssl ca',
|
||||
:ssl_crl_path => '/etc/ssl',
|
||||
:ssl_crl => 'crl',
|
||||
:ssl_certs_dir => '/etc/ssl/certs',
|
||||
:threads => 10,
|
||||
:priority => '20',
|
||||
:wsgi_application_group => 'group',
|
||||
:wsgi_pass_authorization => 'Off',
|
||||
:wsgi_chunked_request => 'On',
|
||||
:wsgi_script_source => '/path/to/my/script.py',
|
||||
:headers => 'set X-Frame-Options "DENY"',
|
||||
:vhost_custom_fragment => 'custom',
|
||||
:custom_wsgi_process_options => { 'python-path' => '/my/python/virtualenv' },
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '10.42.51.1',
|
||||
:bind_port => 12345,
|
||||
:user => 'keystone',
|
||||
:group => 'keystone',
|
||||
:workers => 37,
|
||||
:threads => 1,
|
||||
:priority => '10',
|
||||
:ssl => false,
|
||||
:wsgi_daemon_process => 'keystone_main',
|
||||
:wsgi_process_display_name => 'keystone-main',
|
||||
:wsgi_process_group => 'keystone_main',
|
||||
:wsgi_application_group => '%{GLOBAL}',
|
||||
:wsgi_script_dir => platform_params[:wsgi_script_path],
|
||||
:wsgi_script_file => 'keystone-public',
|
||||
:wsgi_pass_authorization => 'On',
|
||||
:headers => nil,
|
||||
:custom_wsgi_process_options => {},
|
||||
:vhost_custom_fragment => 'LimitRequestFieldSize 81900',
|
||||
:access_log_file => false,
|
||||
:access_log_pipe => false,
|
||||
:access_log_syslog => false,
|
||||
:access_log_format => false,
|
||||
:error_log_file => nil,
|
||||
:error_log_pipe => nil,
|
||||
:error_log_syslog => nil,
|
||||
:require => 'File[keystone_wsgi_main]',
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:servername => params[:servername],
|
||||
:bind_host => params[:bind_host],
|
||||
:bind_port => params[:api_port],
|
||||
:path => params[:path],
|
||||
:workers => params[:workers],
|
||||
:threads => params[:threads],
|
||||
:priority => params[:priority],
|
||||
:ssl => params[:ssl],
|
||||
:ssl_cert => params[:ssl_cert],
|
||||
:ssl_key => params[:ssl_key],
|
||||
:ssl_chain => params[:ssl_chain],
|
||||
:ssl_ca => params[:ssl_ca],
|
||||
:ssl_crl_path => params[:ssl_crl_path],
|
||||
:ssl_crl => params[:ssl_crl],
|
||||
:ssl_certs_dir => params[:ssl_certs_dir],
|
||||
:wsgi_application_group => params[:wsgi_application_group],
|
||||
:wsgi_pass_authorization => params[:wsgi_pass_authorization],
|
||||
:wsgi_chunked_request => params[:wsgi_chunked_request],
|
||||
:wsgi_script_source => params[:wsgi_script_source],
|
||||
:headers => params[:headers],
|
||||
:vhost_custom_fragment => params[:vhost_custom_fragment],
|
||||
:custom_wsgi_process_options => params[:custom_wsgi_process_options],
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '10.42.51.1',
|
||||
:bind_port => 4142,
|
||||
:group => 'keystone',
|
||||
:workers => 37,
|
||||
:threads => 1,
|
||||
:user => 'keystone',
|
||||
:priority => '10',
|
||||
:ssl => false,
|
||||
:wsgi_daemon_process => 'keystone_admin',
|
||||
:wsgi_process_display_name => 'keystone-admin',
|
||||
:wsgi_process_group => 'keystone_admin',
|
||||
:wsgi_application_group => '%{GLOBAL}',
|
||||
:wsgi_script_dir => platform_params[:wsgi_script_path],
|
||||
:wsgi_script_file => 'keystone-admin',
|
||||
:wsgi_pass_authorization => 'On',
|
||||
:headers => nil,
|
||||
:custom_wsgi_process_options => {},
|
||||
:vhost_custom_fragment => 'LimitRequestFieldSize 81900',
|
||||
:access_log_file => false,
|
||||
:access_log_pipe => false,
|
||||
:access_log_syslog => false,
|
||||
:access_log_format => false,
|
||||
:error_log_file => nil,
|
||||
:error_log_pipe => nil,
|
||||
:error_log_syslog => nil,
|
||||
:require => 'File[keystone_wsgi_admin]',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") }
|
||||
end
|
||||
|
||||
describe 'when admin_bind_host is not set default to bind_host' do
|
||||
context 'with backward compatible ports' do
|
||||
let :params do
|
||||
{
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '10.42.51.1',
|
||||
:public_port => 12345,
|
||||
:admin_port => 4142,
|
||||
:ssl => false,
|
||||
:workers => 37,
|
||||
:vhost_custom_fragment => 'LimitRequestFieldSize 81900'
|
||||
:api_port => [35357, 5000],
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '10.42.51.1',
|
||||
:bind_port => 12345,
|
||||
:ssl => false,
|
||||
:workers => 37,
|
||||
:vhost_custom_fragment => 'LimitRequestFieldSize 81900'
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:servername => 'dummy.host',
|
||||
:bind_host => '10.42.51.1',
|
||||
:bind_port => 4142,
|
||||
:ssl => false,
|
||||
:workers => 37,
|
||||
:vhost_custom_fragment => 'LimitRequestFieldSize 81900'
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") }
|
||||
end
|
||||
|
||||
describe 'when servername_admin is overridden' do
|
||||
let :params do
|
||||
{
|
||||
:servername => 'dummy1.host',
|
||||
:servername_admin => 'dummy2.host',
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:servername => 'dummy1.host',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:servername => 'dummy2.host',
|
||||
)}
|
||||
|
||||
end
|
||||
|
||||
describe 'when wsgi_daemon_process_options are overridden' do
|
||||
let :params do
|
||||
{
|
||||
:custom_wsgi_process_options_main => {
|
||||
python_path => '/my/python/main/path',
|
||||
},
|
||||
:custom_wsgi_process_options_admin => {
|
||||
python_path => '/my/python/admin/path',
|
||||
},
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:custom_wsgi_process_options => { 'python-path' => '/my/python/main/path' },
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:custom_wsgi_process_options => { 'python-path' => '/my/python/admin/path' },
|
||||
)}
|
||||
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using same port' do
|
||||
let :params do
|
||||
{
|
||||
:servername => 'dummy.host',
|
||||
:public_port => 4242,
|
||||
:admin_port => 4242,
|
||||
:public_path => '/main/endpoint/',
|
||||
:admin_path => '/admin/endpoint/',
|
||||
:ssl => true,
|
||||
:workers => 37,
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to_not contain_openstacklib__wsgi__apache('keystone_wsgi_admin') }
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:servername => 'dummy.host',
|
||||
:bind_port => 4242,
|
||||
:user => 'keystone',
|
||||
:group => 'keystone',
|
||||
:workers => 37,
|
||||
:threads => 1,
|
||||
:priority => '10',
|
||||
:ssl => true,
|
||||
:wsgi_daemon_process => 'keystone_main',
|
||||
:wsgi_process_display_name => 'keystone-main',
|
||||
:wsgi_process_group => 'keystone_main',
|
||||
:wsgi_application_group => '%{GLOBAL}',
|
||||
:wsgi_script_dir => platform_params[:wsgi_script_path],
|
||||
:wsgi_script_file => 'keystone-public',
|
||||
:wsgi_pass_authorization => 'On',
|
||||
:headers => nil,
|
||||
:custom_wsgi_process_options => {},
|
||||
:custom_wsgi_script_aliases => { '/admin/endpoint' => "#{platform_parameters[:wsgi_script_path]}/keystone-admin" },
|
||||
:access_log_file => false,
|
||||
:access_log_pipe => false,
|
||||
:access_log_syslog => false,
|
||||
:access_log_format => false,
|
||||
:error_log_file => nil,
|
||||
:error_log_pipe => nil,
|
||||
:error_log_syslog => nil,
|
||||
:require => 'File[keystone_wsgi_main]'
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:bind_port => [35357, 5000],
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using same port and same path' do
|
||||
context 'with custom access logging' do
|
||||
let :params do
|
||||
{
|
||||
:servername => 'dummy.host',
|
||||
:public_port => 4242,
|
||||
:admin_port => 4242,
|
||||
:public_path => '/endpoint/',
|
||||
:admin_path => '/endpoint/',
|
||||
:ssl => true,
|
||||
:workers => 37,
|
||||
}
|
||||
end
|
||||
|
||||
it_raises 'a Puppet::Error', /When using the same port for public and admin endpoints, public_path and admin_path should be different\./
|
||||
end
|
||||
|
||||
describe 'when overriding default apache logging' do
|
||||
let :params do
|
||||
{
|
||||
:servername => 'dummy.host',
|
||||
:access_log_format => 'foo',
|
||||
:access_log_syslog => 'syslog:local0',
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:servername => 'dummy.host',
|
||||
:access_log_format => 'foo',
|
||||
:access_log_syslog => 'syslog:local0',
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using symlink and custom file source' do
|
||||
let :params do
|
||||
{
|
||||
:wsgi_script_source => '/opt/keystone/httpd/keystone.py',
|
||||
:error_log_syslog => 'syslog:local1',
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_file('keystone_wsgi_admin').with(
|
||||
:ensure => 'link',
|
||||
:path => "#{platform_params[:wsgi_script_path]}/keystone-admin",
|
||||
:target => '/opt/keystone/httpd/keystone.py',
|
||||
:owner => 'keystone',
|
||||
:group => 'keystone',
|
||||
:mode => '0644',
|
||||
:require => "File[#{platform_params[:wsgi_script_path]}]",
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_file('keystone_wsgi_main').with(
|
||||
:ensure => 'link',
|
||||
:path => "#{platform_params[:wsgi_script_path]}/keystone-public",
|
||||
:target => '/opt/keystone/httpd/keystone.py',
|
||||
:owner => 'keystone',
|
||||
:group => 'keystone',
|
||||
:mode => '0644',
|
||||
:require => "File[#{platform_params[:wsgi_script_path]}]",
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:access_log_format => params[:access_log_format],
|
||||
:access_log_syslog => params[:access_log_syslog],
|
||||
:error_log_syslog => params[:error_log_syslog],
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when setting ssl cert and key' do
|
||||
context 'with access_log_file' do
|
||||
let :params do
|
||||
{
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
)}
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when setting different ssl cert and key for admin' do
|
||||
let :params do
|
||||
{
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
:ssl_cert_admin => 'some cert admin',
|
||||
:ssl_key_admin => 'some key admin',
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
)}
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:ssl_cert => 'some cert admin',
|
||||
:ssl_key => 'some key admin',
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using wsgi chunked request' do
|
||||
let :params do
|
||||
{
|
||||
:wsgi_chunked_request => 'On'
|
||||
:access_log_file => '/path/to/file',
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:wsgi_chunked_request => 'On'
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:access_log_file => params[:access_log_file],
|
||||
)}
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:wsgi_chunked_request => 'On'
|
||||
)}
|
||||
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using additional headers' do
|
||||
context 'with access_log_pipe' do
|
||||
let :params do
|
||||
{
|
||||
:headers => 'set X-Frame-Options "DENY"'
|
||||
:access_log_pipe => 'pipe',
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
|
||||
:headers => 'set X-Frame-Options "DENY"'
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:access_log_pipe => params[:access_log_pipe],
|
||||
)}
|
||||
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
|
||||
:headers => 'set X-Frame-Options "DENY"'
|
||||
)}
|
||||
|
||||
end
|
||||
|
||||
describe 'when overriding script paths with link' do
|
||||
context 'with error_log_file' do
|
||||
let :params do
|
||||
{
|
||||
:wsgi_file_target => 'link',
|
||||
:wsgi_admin_script_source => '/home/foo/admin-script',
|
||||
:wsgi_public_script_source => '/home/foo/public-script',
|
||||
:error_log_file => '/path/to/file',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should contain correct files' do
|
||||
is_expected.to contain_file('keystone_wsgi_main').with(
|
||||
:path => "#{facts[:wsgi_script_path]}/keystone-public",
|
||||
:target => params[:wsgi_public_script_source]
|
||||
)
|
||||
is_expected.to contain_file('keystone_wsgi_admin').with(
|
||||
:path => "#{facts[:wsgi_script_path]}/keystone-admin",
|
||||
:target => params[:wsgi_admin_script_source]
|
||||
)
|
||||
end
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:error_log_file => params[:error_log_file],
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when overriding script paths with source' do
|
||||
context 'with error_log_pipe' do
|
||||
let :params do
|
||||
{
|
||||
:wsgi_admin_script_source => '/home/foo/admin-script',
|
||||
:wsgi_public_script_source => '/home/foo/public-script',
|
||||
:error_log_pipe => 'pipe',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should contain correct files' do
|
||||
is_expected.to contain_file('keystone_wsgi_main').with(
|
||||
:path => "#{facts[:wsgi_script_path]}/keystone-public",
|
||||
:source => params[:wsgi_public_script_source]
|
||||
)
|
||||
is_expected.to contain_file('keystone_wsgi_admin').with(
|
||||
:path => "#{facts[:wsgi_script_path]}/keystone-admin",
|
||||
:source => params[:wsgi_admin_script_source]
|
||||
)
|
||||
end
|
||||
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
|
||||
:error_log_pipe => params[:error_log_pipe],
|
||||
)}
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
let (:facts) do
|
||||
facts.merge!(OSDefaults.get_facts({}))
|
||||
end
|
||||
|
||||
let(:platform_params) do
|
||||
case facts[:osfamily]
|
||||
when 'Debian'
|
||||
{
|
||||
:httpd_service_name => 'apache2',
|
||||
:httpd_ports_file => '/etc/apache2/ports.conf',
|
||||
:wsgi_script_path => '/usr/lib/cgi-bin/keystone',
|
||||
:wsgi_admin_script_source => '/usr/bin/keystone-wsgi-admin',
|
||||
:wsgi_public_script_source => '/usr/bin/keystone-wsgi-public'
|
||||
}
|
||||
when 'RedHat'
|
||||
{
|
||||
:httpd_service_name => 'httpd',
|
||||
:httpd_ports_file => '/etc/httpd/conf/ports.conf',
|
||||
:wsgi_script_path => '/var/www/cgi-bin/keystone',
|
||||
:wsgi_admin_script_source => '/usr/bin/keystone-wsgi-admin',
|
||||
:wsgi_public_script_source => '/usr/bin/keystone-wsgi-public'
|
||||
}
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge!(OSDefaults.get_facts({
|
||||
:os_workers => 8,
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld',
|
||||
}))
|
||||
end
|
||||
|
||||
let(:platform_params) do
|
||||
case facts[:osfamily]
|
||||
when 'Debian'
|
||||
{
|
||||
:httpd_service_name => 'apache2',
|
||||
:httpd_ports_file => '/etc/apache2/ports.conf',
|
||||
:wsgi_script_path => '/usr/lib/cgi-bin/keystone',
|
||||
}
|
||||
when 'RedHat'
|
||||
{
|
||||
:httpd_service_name => 'httpd',
|
||||
:httpd_ports_file => '/etc/httpd/conf/ports.conf',
|
||||
:wsgi_script_path => '/var/www/cgi-bin/keystone',
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
it_behaves_like 'keystone::wsgi::apache'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -171,7 +171,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use the specified bind_host in the admin endpoint' do
|
||||
mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }}
|
||||
mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
|
@ -179,7 +179,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use localhost in the admin endpoint if bind_host is 0.0.0.0' do
|
||||
mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'admin_port' => '5001' }}
|
||||
mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'public_port' => '5001' }}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
|
@ -187,7 +187,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use [::1] in the admin endpoint if bind_host is ::0' do
|
||||
mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'admin_port' => '5001' }}
|
||||
mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'public_port' => '5001' }}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
|
@ -195,7 +195,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use [2620:52:0:23a9::25] in the admin endpoint if bind_host is 2620:52:0:23a9::25' do
|
||||
mock = {'DEFAULT' => { 'admin_bind_host' => '2620:52:0:23a9::25', 'admin_port' => '5001' }}
|
||||
mock = {'DEFAULT' => { 'admin_bind_host' => '2620:52:0:23a9::25', 'public_port' => '5001' }}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
|
@ -203,7 +203,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use localhost in the admin endpoint if bind_host is unspecified' do
|
||||
mock = {'DEFAULT' => { 'admin_port' => '5001' }}
|
||||
mock = {'DEFAULT' => { 'public_port' => '5001' }}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
|
@ -211,7 +211,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use https if ssl is enabled' do
|
||||
mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }, 'ssl' => {'enable' => 'True'}}
|
||||
mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }, 'ssl' => {'enable' => 'True'}}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
|
@ -219,7 +219,7 @@ id="the_user_id"
|
|||
end
|
||||
|
||||
it 'should use http if ssl is disabled' do
|
||||
mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }, 'ssl' => {'enable' => 'False'}}
|
||||
mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }, 'ssl' => {'enable' => 'False'}}
|
||||
File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true)
|
||||
Puppet::Util::IniConfig::File.expects(:new).returns(mock)
|
||||
mock.expects(:read).with('/etc/keystone/keystone.conf')
|
||||
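Review bot: Every updated mock in this file (the hunks at 171 through 219) still sets `admin_bind_host` and now pairs it with `public_port`, so the specs pin an endpoint built from the admin bind address and the public port. If the admin and public bind hosts can differ on a node, that endpoint may name an address where the public port is not listening; confirm the mix is intended, or take the host from the public bind setting as well. None of the visible cases omits `public_port`, so the provider's fallback port is untested here; a case with `mock = {'DEFAULT' => { 'admin_bind_host' => '192.168.56.210' }}` would cover it. The example names still say "admin endpoint" and could be reworded to match. The `it` bodies continue outside each hunk, so the assertions themselves are not visible.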
|
|
|
@ -16,8 +16,8 @@
|
|||
|
||||
# The following directives are necessary to support websso from Horizon
|
||||
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
|
||||
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
|
||||
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso/openid"
|
||||
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
|
||||
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/websso/openid"
|
||||
|
||||
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
|
||||
AuthType "openid-connect"
|
||||
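Review bot: `@keystone_url_real` is interpolated straight into both `OIDCRedirectURI` lines, and nothing in this hunk shows it being normalised. A value ending in `/` would render `//v3/auth/...`, which presumably no longer matches the `LocationMatch` below or the redirect URI registered with the identity provider. The variable is computed outside the hunk, so a comment above the directives would help: `# keystone_url_real: externally reachable Keystone base URL, no trailing slash; must equal the redirect URI registered with the OpenID provider`. Separately, two `OIDCRedirectURI` directives are emitted in the same scope, and as far as I know mod_auth_openidc keeps a single value, so it is worth confirming which of the two takes effect.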
|
|