... because the parameter is almost a duplicate of catalog_driver which
more "natively" corresponds to the keystone parameter.
Change-Id: Id80495a191e3cd05507f732335b33b9a493c6d10
This class combines the keystone-manage bootstrap command
from init, the keystone::endpoint functionality that manages
the keystone endpoints and the keystone::roles::admin class
that manages users and projects.
This is one of the steps to make sure we only have a single
point of entry for bootstrapping (keystone-manage bootstrap)
and then only managing resources after that.
This is especially required since we are getting rid of the
admin token and cannot manage resources before keystone-manage
bootstrap has created the user, project, service and endpoints
for us.
These resources should always be in the default domain and
deployments should manage domain specific configuration themselves
using the provider resources.
This class uses the default values from the keystone-manage
bootstrap command.
In the past puppet-keystone has always created an openstack project
that is assumed as an admin project even though the bootstrap command
creates the admin project. Since this uses the default values from
the bootstrap command we should move away from having an openstack
project, if we need that in testing it should be created there and
not in the default deployment.
Depends-On: https://review.opendev.org/#/c/698528/
Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
Use git.openstack.org instead of github.com since git.openstack.org is
the reference for OpenStack
Change-Id: Iec779dd118c8303b5e7d366a56d754074348b364
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: Ifb06f5f66db45312c87b07aa77195c77d9a2668c
In puppet you need to use 'true' not 'True'. In newer versions of puppet
this actually causes failures. So this change fixes the documentation to
use the correct form of true.
Change-Id: Id777c8528f2056725be58f7b0438fe6deedc7e21
Option "verbose" from group "DEFAULT" is deprecated for removal.
The parameter has no effect.
- Deprecated verbose for logging and init
- Remove verbose in examples and README
- Remove verbose from tests.
If this option is not set explicitly, there is no such warning.
Change-Id: I2f554c07f71458894aaa5d8079285ac92d0f04a3
The keystone documentation highly recommends disabling the admin_token
authentication after the initial bootstrap because it exposes a major
attack vector. This patch adds a new class,
keystone::disable_admin_token_auth, which uses ini_subsetting to remove
the admin_token_auth keyword from the pipeline lists.
After the first puppet run, users who use this class with the default
values will need to provide some other way for puppet to authenticate
to keystone. The keystone providers can all read from /root/openrc or
from OS_* environment variables. The openstack_extras::auth_file class
can be used to create the openrc file.
This class must be declared after the main keystone class because it
uses the restart_keystone exec from the main class. This patch moves
this exec out of the $default_domain conditional so that it is
available to reference from the keystone::pipeline class. This is safe
to do because it is a refreshonly exec, so even though it is
unconditionally declared, it will only be activated if the default
domain resource activates it, or the keystone::disable_admin_token_auth
class activates it, or both. It will only restart keystone once no
matter how many times it is activated.
Change-Id: If8a7e1639189f46e16fc996fd7919eb784d24971
Depends-On: Idc3b938e37b792636ec7c2702bf8429467b78d66
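
A check for the condition the commit above addresses, as an added example that is not part of the commit or of puppet-keystone: it reports which paste-deploy pipelines still list admin_token_auth and removes it as a whole token from pipeline lists only. The sample file, its section names and the other filter names are constructed for illustration.

```python
import configparser

FILTER = "admin_token_auth"

# Constructed sample in paste-deploy format. Section names and every filter
# name except admin_token_auth are assumptions made for this illustration.
SAMPLE_PASTE_INI = """\
[pipeline:public_api]
pipeline = sizelimit token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit token_auth admin_token_auth json_body service_v3
"""


def pipelines_with_filter(text, name=FILTER):
    """Return {section: position} for each pipeline that still lists `name`."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    hits = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue
        stages = parser.get(section, "pipeline", fallback="").split()
        if name in stages:  # whole-token match, not a substring match
            hits[section] = stages.index(name)
    return hits


def strip_filter(text, name=FILTER):
    """Drop `name` from single-line pipeline lists; other lines are untouched."""
    out, in_pipeline = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_pipeline = stripped.startswith("[pipeline:")
        elif in_pipeline and stripped.split("=")[0].strip() == "pipeline":
            key, _, value = line.partition("=")
            kept = [stage for stage in value.split() if stage != name]
            line = f"{key.rstrip()} = {' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, pos in pipelines_with_filter(SAMPLE_PASTE_INI).items():
        print(f"{section}: {FILTER} still enabled at position {pos}")
```
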
The README references to the retired puppet-openstack module
should be removed, as they link to the empty github page.
This patch also cleans up a few other parts of the README,
such as adding a link to the keystone wiki and removing
'%example' from the installation command to match the
other projects.
Change-Id: Ie74ca8a1914cbb2d3de199001b33ced181501a45
Closes-bug: #1518589
This enables keystone_endpoint to specify the type of the service
matched. This way one can match services which are different only by
type and not only by name, like services nova/compute and nova/computev3
for instance. It does so by fetching the _id_ of the service when it
has the type information instead of just using the name.
This should be required, and deprecation has been added, as the current
code works only because of a convention.
Change-Id: I9ea20fbad274d583485bc09a52b9df8000eb1af5
Closes-Bug: #1506996
After the move to composite namevar a problem could occur if another
module was using indirection to find resource by name.
If the manifest didn't have any
keystone_user/keystone_tenant/keystone_user_role definition, then, the
'Default' domain would be appended to the name.
This patch fixes that by simplifying the rule for calculating the default
domain.
It now strictly follows what is described there https://review.openstack.org/#/c/219127/
Change-Id: Ic2efb51fe76d055307c8c27fa79015764417160b
Closes-Bug: #1517187
With the creation of the new openstack_config provider, some processing
that was done in keystone_config has been centralized in
openstack_config.
Impacted methods are :
* section
* setting
* separator
Also, this commit adds the fact that, when passing a specific string
(ensure_absent_val) the provider will behave as if ensure => absent was
specified. '<SERVICE DEFAULT>' is the default value for
ensure_absent_val.
The use case is the following:

    keystone_config { 'DEFAULT/foo' : value => 'bar' } # will work as usual
    keystone_config { 'DEFAULT/foo' : value => '<SERVICE DEFAULT>' } # will mean absent

That means that all the current:

    if $myvar {
      keystone_config { 'DEFAULT/foo' : value => $myvar }
    } else {
      keystone_config { 'DEFAULT/foo' : ensure => absent }
    }

can be removed in favor of:

    keystone_config { 'DEFAULT/foo' : value => $myvar }

If for any reason '<SERVICE DEFAULT>' turns out to be a valid value for
a specific parameter, one could bypass that by doing the following:

    keystone_config { 'DEFAULT/foo' : value => '<SERVICE DEFAULT>',
                      ensure_absent_val => 'foo' }

Change-Id: I7c880518f0323e44e7c72f0ff5548482a0b1413c
Depends-On: I0eeebde3aac2662cc7e69bfad7f8d2481463a218
The actual README.md file contains two invalid urls:
1- Section Module Description, wrong url in openstack module
2- Section Setup/Beginning with keystone, wrong url in first openstack module
Change-Id: Ica703f33eba159472dca2aecb0f8b486aa2b5233
This patch splits out release notes into a separate dedicated file for
consistency with the puppetlabs puppet modules. Additionally, this
patch improves the release notes by:
- Fixing the tense to be consistent with commit message standards ("Add
new feature" instead of "Added new feature" or "Adds new feature")
- Breaking up changes into categories to make it easier for operators
to know what happened in the change: backwards-incompatible changes,
features, bugfixes, and maintenance commits
- Linewrapping to 80 chars
- Adding release dates, formatted according to ISO-8601
- Removed bugfixes notes related to added features in that release
Change-Id: If4a566c1638e4fbeec9129f3b340706ad132b9c0
The *_address parameters were removed in 29b687 so the
keystone::endpoint example in the README is now invalid. This patch
updates it to use equivalent URL parameters.
Change-Id: I5d1a7aa52848a0eda0b3be90f50b2e2bc74e2481
Changes in this release:
* Updated token driver, logging, and ldap config parameters for Juno
* Changed admin_roles parameter to accept an array in order to configure multiple admin roles
* Installs python-ldappool package for ldap
* Added new parameters to keystone class to configure pki signing
* Changed keystone class to inherit from keystone::params
* Changed pki_setup to run regardless of token provider
* Made UUID the default token provider
* Made keystone_user_role idempotent
* Added parameters to control whether to configure users
* Stopped managing _member_ role since it is created automatically
* Stopped overriding token_flush log file
* Changed the usage of admin_endpoint to not include the API version
* Allowed keystone_user_role to accept email as username
* Added ability to set up keystone using Apache mod_wsgi
* Migrated the keystone::db::mysql class to use openstacklib::db::mysql and deprecated the mysql_module parameter
* Installs python-memcache when using token driver memcache
* Enabled setting cert and key paths for PKI token signing
* Added parameters for SSL communication between keystone and rabbitmq
* Added parameter ignore_default_tenant to keystone::role::admin
* Added parameter service_provider to keystone class
* Added parameters for service validation to keystone class
Change-Id: Ib280f684c8babf40df51d62bb21497c88ba3fd29
Before this update the Modulefile was not following semver in
relation to stable/havana, and the README files were not in sync.
This update introduces proper semver and consistency.
Keystone in fixtures tracks master. Fix modulefile to match
this dependency and be consistent with Horizon dependency
Change-Id: I622ef84b5c50abd1da96a75e9935265cd947ca6a