Commit Graph

830 Commits

Author SHA1 Message Date
Zuul aacacdc154 Merge "Allow omitting admin/internal endpoint" 2024-03-18 16:19:17 +00:00
Takashi Kajinami 274ecb90d4 Allow omitting admin/internal endpoint
Keystone v3 API does not require that all the three endpoint types are
given and allows using only specific endpoint types (e.g. only public, or
public and internal). This allows users to omit specific endpoint types
by setting endpoint url options to ''.

Change-Id: Ifef2070ad25cadf961466ca9f384965d03c08f81
2024-03-18 16:18:14 +09:00
Takashi Kajinami da2bc869a3 Expose rabbit_transient_quorum_queue
Depends-on: https://review.opendev.org/911021
Change-Id: Ibe989d7a9bb10d6dff72b001c0e689bb029960b5
2024-03-14 09:34:06 +09:00
Zuul 50b5260cc6 Merge "openidc: Support more redis cache options" 2024-03-08 15:03:28 +00:00
Zuul fc0d8d4afb Merge "Fix broken rendering of OIDC Options" 2024-03-08 15:03:26 +00:00
Takashi Kajinami 3e8788c94e cache: Support new redis options
The oslo.cache 3.7.0 release introduced some options for redis backend
and redis sentinel backend. This introduces support for these parameters.

Depends-on: https://review.opendev.org/910629
Change-Id: Ie5e6e7b8dfa0753ccca1094f06a745fdb0acb5bc
2024-03-07 22:53:04 +09:00
Takashi Kajinami 6469c223f8 openidc: Support more redis cache options
Change-Id: I70cc5c2d0ecf10b4aa4e07e4af91609d1ad7cee3
2024-03-05 17:55:46 +09:00
Takashi Kajinami 30f50ce8fd Fix broken rendering of OIDC Options
... and also fix a typo in redis password option.

Closes-Bug: #2054308
Change-Id: I41d3efd265305e80c453e7f042797881319c5047
2024-03-05 17:54:15 +09:00
Zuul 26d0bf2218 Merge "Refactor resource dependencies" 2024-03-04 16:27:14 +00:00
Takashi Kajinami 9fb48f7526 Refactor resource dependencies
This refactors resource dependencies to improve the following points.

 - Avoid unnecessary dependencies across services. For example aodh
   service does not require cinder db.

 - Restart keystone on change in uwsgi only when a standalone service
   is used. uwsgi config is not used when keystone is run by apache.

Change-Id: Ic4f43215ea90c6b71fe4225e2dfa6a6a3abf6869
2024-03-01 10:29:13 +09:00
Takashi Kajinami 76422b5a30 cache: Support options for SASL mechanism in memcached
Depends-on: https://review.opendev.org/910122
Change-Id: Icdee612d5680ff4f0c1f04d236809a423e2817c2
2024-02-29 23:56:48 +09:00
Zuul ea0074dc78 Merge "service_identity: Allow omitting internal/admin endpoints" 2024-02-26 16:54:22 +00:00
Takashi Kajinami 2cc59127e4 service_identity: Allow omitting internal/admin endpoints
Keystone v3 API no longer requires all the three endpoint types are
created and some deployments may use only public endpoints (or public
and internal endpoints).

This loosens the validation to allow such deployment architecture.

Change-Id: I3873352dd3ea8556fbaa4ce3c558a912cc5f52e7
2024-02-26 20:15:56 +09:00
Takashi Kajinami 5886b4fe23 healthcheck: Expose ignore_proxied_requests parameter
Depends-on: https://review.opendev.org/909807
Change-Id: I36065f01f7e945596b5d23cd8078381c0dccedf3
2024-02-26 01:21:58 +09:00
Zuul f83e6bc6d2 Merge "keystone_endpoint: Fix id generate with only partial types" 2024-02-22 15:27:23 +00:00
Takashi Kajinami 96cb8d7744 keystone_endpoint: Fix id generate with only partial types
This fixes how the id property is generated in case some endpoint types
do not exist, which is allowed in Keystone v3 API.

Closes-Bug: #1713814
Change-Id: I2bbc831a78595e2f7cf3fc5d7d601281665fcc05
2024-02-20 17:37:52 +09:00
Zuul 9fa166a3cc Merge "Drop redundant default of send_service_user_token" 2024-01-23 16:32:41 +00:00
Takashi Kajinami 4261de3feb Drop redundant default of send_service_user_token
The option defaults to False, so we don't need the explicit default and
can replace it by os_service_default fact.

Change-Id: Iba52032d02c70258f79f0aae84a5b6059a0c1281
2024-01-23 14:38:22 +09:00
Zuul 68ae4c5e3d Merge "healthcheck: Expose allowed_source_ranges" 2024-01-18 16:48:30 +00:00
Takashi Kajinami b370f83843 healthcheck: Expose allowed_source_ranges
... which was added to puppet-oslo recently.

Depends-on: https://review.opendev.org/905557
Change-Id: I7a239c556c9e5615ed7668ae2d5ad6c0bf73b624
2024-01-17 15:23:54 +09:00
Takashi Kajinami 30e759b35e Support [cache] memcache_pool_flush_on_reconnect
Depends-on: https://review.opendev.org/902861
Change-Id: Ib488afff91a994791b911d7c2cf79cad9aa99d85
2023-12-14 17:54:57 +09:00
Zuul 63e48863a6 Merge "Stop calling 'reset' function in test cleanup" 2023-11-17 15:29:35 +00:00
Takashi Kajinami f7f12f6abe Stop calling 'reset' function in test cleanup
... because the function is not implemented.

Change-Id: Ia0a7b4fd9bad43b45f329f40d3c5cdb969f86f61
2023-11-16 16:05:33 +09:00
Zuul 9836fa69f0 Merge "Add resource to manage implied roles" 2023-11-08 03:43:42 +00:00
Takashi Kajinami 01ffd0e4c3 Add resource to manage implied roles
Keystone supports implied roles, and some of the default roles imply
different roles. (e.g. admin implies manager)

This introduces a resource type to manage implied roles, and also
ensures the implied roles are created in bootstrap.

Depends-on: https://review.opendev.org/900138
Change-Id: I36ef3ddfcb2f60bdca8674ea8055b6f57a149512
2023-11-06 14:38:08 +09:00
Takashi Kajinami 80a1953d7d Use openstack cli to resolve project/user id
The openstack command can resolve project id or user id from name and
domain name/id given. We can use that feature instead of maintaining
our own logic.

Change-Id: I3d4fbb082cf228ef4a75c0761fb21fdebf664cf4
2023-11-06 01:37:17 +09:00
Takashi Kajinami 1e03ec19f8 Remove usage of deleted manifest_dir
Recent update in rspec-puppet removed some of the config interfaces for
old puppet versions[1]. This drops usage of these interfaces to resolve
the following error in unit tests.

```
An error occurred while loading ./spec/unit/provider/manila_spec.rb.
Failure/Error: c.manifest_dir = File.join(fixture_path, 'manifests')

NoMethodError:
  undefined method `manifest_dir='...
```

This also removes explicit setting of mock module. The definition is
no longer required since we bumped puppetlabs_spec_helper to v5.0.0.

[1] 316d95923c

Change-Id: I2e0ef1f97ba69df80e255be6a7718fd7dafc7e71
2023-10-11 12:01:32 +09:00
Takashi Kajinami 7f4b153200 Revert "spec: Enable webmock connect to IPv4 link-local"
This reverts commit e485f3956f.

Reason for revert:
This module does not use compile method in unit tests.

Change-Id: Icea1d0482a98fcc54c023b6eb7116ae4612617b4
2023-10-02 23:15:01 +09:00
Takashi Kajinami 7a84c30fd1 RabbitMQ: Add support for quorum queue options
Depends-on: https://review.opendev.org/894866
Change-Id: Ia52ed95999a66efdf3eaa0f645d93595392426ac
2023-09-15 11:25:30 +09:00
Takashi Kajinami d1989af67d Ensure [mapped] remote_id_attribute is purged
... otherwise the option can be left even after websso is disabled.

Change-Id: I53afdc8ba16596c80cd6dcd25a1a531fe45ae03d
2023-08-15 17:14:12 +09:00
Takashi Kajinami 581f52dfc0 Ensure [openid] remote_id_attribute is purged
... so that an old value is not left.

Change-Id: Ife69c518416f523e2d8b8c07455e1f1d9d65defc
2023-08-15 15:27:36 +09:00
Takashi Kajinami bd55eb81ba Remove cleanup of module plugin options
These cleanups were added by [1] a while ago so we can assume the old
option has been purged during upgrade.

[1] 73f863e21c

Change-Id: I3b278c7969ca1764aeb4d0e0271d742ed3fea3b2
2023-08-15 15:24:42 +09:00
Takashi Kajinami 5256e19c38 Deploy memcached in acceptance tests
... so that we can enable caching using memcached.

Change-Id: Ic1d095cc9e2363ade62afc3ed6546ff5b8559539
2023-08-03 22:57:43 +09:00
Takashi Kajinami 7e8c3de8ed service_identity: Fix incomplete usage of domain parameters
This fixes the ignored project_domain parameter, and also ensures
the user_domain parameter is used when creating a role assignment.

Closes-Bug: #2029035
Change-Id: I2a2d9c648fff1b940952700b492af6a09974ee5c
2023-07-31 00:43:52 +09:00
Zuul 835dcc82a4 Merge "Remove support for creating endpoints without service type" 2023-07-17 06:55:44 +00:00
Zuul 3be4016460 Merge "Add per module policy service refresh" 2023-07-12 09:27:40 +00:00
Takashi Kajinami 42add12c9e Remove support for creating endpoints without service type
Creating endpoint without service type was deprecated multiple cycles
ago. This removes the logic to support that old usage.

Change-Id: Ifaebb3658254bb91130807153624480df78443aa
2023-06-26 09:50:16 +09:00
Takashi Kajinami f3326f5508 replace validate_legacy with proper data types
The validate_legacy function is marked for deprecation in
v9.0.0 from puppetlabs-stdlib.

This also adds validations about the parameters used for file resources
and ensures the given values are absolute paths.

Depends-on: https://review.opendev.org/885996
Change-Id: Ic49abcccffab5a3504e3a3060c0fac7a01bef69b
2023-06-26 09:44:39 +09:00
Tobias Urdin 9fee3031a3 Add per module policy service refresh
Updating the policies for this project should only
refresh the services that read it.

Change-Id: I80117d1c7ab1bd9642a6c3d416c6683ae024894a
2023-06-26 00:05:05 +02:00
Takashi Kajinami b50bfe61d0 Remove deprecated catalog_type parameter
... because it was deprecated a few cycles ago[1].

This also removes the hard-coded default of [catalog] driver because
the value currently hard-coded is the same as the service default.

[1] cd9f931c45

Change-Id: Ifeadb331d118e2c6e61048b6ace6d6b3d8afcf3e
2023-06-20 15:54:32 +09:00
Takashi Kajinami f271472b48 Deprecate client class
The python-keystoneclient package removed CLI long ago so installing
the package is now useless. It provides only library implementations
and should be installed by package dependencies.

Change-Id: I46b09092847eeb821f97172e1a912ad8a1b8a2e3
2023-05-30 01:02:18 +00:00
Zuul 4fcb7548aa Merge "Ensure options for domain specific drivers are purged by default" 2023-05-18 07:12:21 +00:00
Zuul 54160148bb Merge "Simplify validations of domain specific backends" 2023-05-17 16:06:00 +00:00
Takashi Kajinami c39fca315c Ensure options for domain specific drivers are purged by default
... to avoid leaving these options unmaintained.

Change-Id: Ib00e93663c2fd90bf5befbd71ad896343652f027
2023-05-17 12:30:36 +09:00
Takashi Kajinami c478a37776 Simplify validations of domain specific backends
Currently we assert raw resources but this is redundant because these
resources are created by the keystone class. We can assert the required
definition at the class interface layer.

Also creation of domain config directory is duplicated and can be
handled in a single place.

Change-Id: I1c3c977dd4ac7439eec8e7278b857d606f1a25f3
2023-05-17 12:26:18 +09:00
Takashi Kajinami 3c86a14ddb Remove redundant installation of python3-pysaml2
The python3-pysaml2 package is required by the python3-keystone package
so we don't have to install it explicitly.

Change-Id: I1ed978e55774637abcddaec91f36c6b5d3c473eb
2023-05-15 19:32:20 +09:00
Takashi Kajinami eab0404ff3 Expose executor_thread_pool_size
This option has been supported by puppet-oslo but has not been
configurable.

Change-Id: Iadb2308d8a7f6c32e01395ca17861b172217f3d6
2023-03-13 11:47:42 +09:00
Takashi Kajinami 486d7f1435 Replace legacy facts and use fact hash
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: Ie757167eedce6fa1c99d08f96be1173871f21817
2023-03-02 12:24:38 +09:00
Takashi Kajinami fe95db4cb0 Use puppetlabs-apache to load auth modules.
... so that we don't have to maintain the required logic to enable
the module in our modules.

Related-Bug: #2006924
Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7
2023-02-13 16:55:39 +09:00
Takashi Kajinami 6c52159c7b OIDC: Make sure the dependent auth modules are loaded
The following two modules are required to use auth_openidc.
 - authn_core
 - authz_user

This ensures these modules are loaded.

Closes-Bug: #2006924
Change-Id: I13c36b10d80e9518d1d4af44c0b8a69fcfe911d3
2023-02-10 16:17:50 +00:00