From 7657e34edadfccf0d85081f6507f6591119eec4f Mon Sep 17 00:00:00 2001
From: Samuel Cassiba
Date: Tue, 12 Jun 2018 21:38:44 -0700
Subject: [PATCH] Simplify identity endpoint
Per the Keystone Install Guide[1] the admin endpoint is superseded in favor of a single public endpoint. As a result, the admin endpoint is no longer deployed by default.
[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components
Depends-On: I7e1ee2fa32e5d9b816bd3624524e6680a278ed5d
Depends-On: I833cc80421be375aed202c208cf93a0165761226
Depends-On: Ife7bb6d09eafd137c6858f6ae18d4d34508928a6
Depends-On: Ic70e3adc4615b3a79a49f8cd739d7505efee91ef
Depends-On: Ic2733d94e776eaa50ad8e4a39e6d2a8c18a45d89
Depends-On: Iafb0db54b3589eea0402c0f18687344667d0208a
Depends-On: I70775929dc49ed8c00a23bc7e354ebf9e9feb7f0
Depends-On: I06d0f98e641a041ddc864f524858edc0cffbbbba
Depends-On: Ied0fb46ae8c10273fde31691b910dc2748845faf
Change-Id: I01d44e48053cad7aeb92636f4b41649204006c93
Implements: blueprint simplify-identity-endpoint
---
attributes/default.rb | 12 +-
recipes/openrc.rb | 7 +-
recipes/registration.rb | 20 +--
recipes/server-apache.rb | 92 ++++--------
spec/registration_spec.rb | 60 +-------
spec/server-apache_spec.rb | 171 ++++++++++-------------
spec/spec_helper.rb | 11 +-
templates/default/wsgi-keystone.conf.erb | 8 +-
8 files changed, 129 insertions(+), 252 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 1f339b2..ec84fb2 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -29,11 +29,11 @@ default['openstack']['identity']['custom_template_banner'] = ' ' %w(admin internal public).each do |ep_type| - # host for openstack admin/internal/public identity endpoint + # host for openstack identity endpoint default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1' - # scheme for openstack admin/internal/public identity endpoint + # scheme for openstack identity endpoint default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http' - # path for openstack admin/internal/public identity endpoint + # path for openstack identity endpoint default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3' end @@ -41,17 +41,11 @@ end default['openstack']['endpoints']['public']['identity']['port'] = 5000 # port for openstack internal identity endpoint default['openstack']['endpoints']['internal']['identity']['port'] = 5000 -# port for openstack admin identity endpoint -default['openstack']['endpoints']['admin']['identity']['port'] = 35357 # address for openstack identity service main endpoint to bind to default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1' # port for openstack identity service main endpoint to bind to default['openstack']['bind_service']['public']['identity']['port'] = 5000 -# address for openstack identity service admin endpoint to bind to -default['openstack']['bind_service']['admin']['identity']['host'] = '127.0.0.1' -# port for openstack identity service admin endpoint to bind to -default['openstack']['bind_service']['admin']['identity']['port'] = 35357 # identity service catalog backend for service endpoints default['openstack']['identity']['catalog']['backend'] = 'sql' diff --git a/recipes/openrc.rb b/recipes/openrc.rb index 9c7c8aa..dd05f61 100644 --- a/recipes/openrc.rb +++ b/recipes/openrc.rb 
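Review bot: In attributes/default.rb the `%w(admin internal public).each do |ep_type|` loop of the first hunk still defines host, scheme and path for the `admin` identity endpoint, while the second hunk removes its port and both admin `bind_service` entries, so the admin endpoint is left half-defined. Any cookbook that still calls `admin_endpoint 'identity'` would presumably build a URL from these leftovers without the port it used to get, instead of failing clearly. Either drop `admin` from the loop (`%w(internal public).each do |ep_type|`) or add a comment above it stating that the admin keys are kept only for backward compatibility.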
@@ -29,10 +29,11 @@ project_domain_name = node['openstack']['identity']['admin_project_domain'] ksadmin_user = node['openstack']['identity']['admin_user'] admin_domain_name = node['openstack']['identity']['admin_domain_name'] -auth_api_version = node['openstack']['api']['auth']['version'] +# auth_api_version = node['openstack']['api']['auth']['version'] ksadmin_pass = get_password 'user', ksadmin_user -identity_public_endpoint = public_endpoint 'identity' -auth_url = auth_uri_transform identity_public_endpoint.to_s, auth_api_version + +identity_endpoint = public_endpoint 'identity' +auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version'] directory node['openstack']['openrc']['path'] do owner node['openstack']['openrc']['user'] diff --git a/recipes/registration.rb b/recipes/registration.rb index 9f2aa00..51f17ac 100644 --- a/recipes/registration.rb +++ b/recipes/registration.rb @@ -30,10 +30,8 @@ class ::Chef::Recipe include ::Openstack end -identity_admin_endpoint = admin_endpoint 'identity' -identity_internal_endpoint = internal_endpoint 'identity' -identity_public_endpoint = public_endpoint 'identity' -auth_url = ::URI.decode identity_admin_endpoint.to_s +identity_endpoint = public_endpoint 'identity' +auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version'] # define the credentials to use for the initial admin user admin_project = node['openstack']['identity']['admin_project'] 
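Review bot: The new side of recipes/openrc.rb keeps `# auth_api_version = node['openstack']['api']['auth']['version']` as commented-out code, while the same attribute is now read inline in the `auth_uri_transform` call. A disabled assignment left in place reads like an unfinished edit and invites someone to re-enable it. Delete the line, since the inline attribute lookup already documents where the version comes from.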
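Review bot: `auth_url` in recipes/registration.rb is no longer passed through `::URI.decode`, so an endpoint URI containing percent-escapes now reaches the readiness probe in whatever form `auth_uri_transform` returns. That helper is defined outside this patch, and the spec context that exercised non-default endpoint URIs ('all different values') is deleted by the same commit, so nothing visible here tests a non-default URI any more. Confirm the helper's output for an escaped URI and record the expected form in a short comment above the assignment. Keeping one spec case with a non-default `['endpoints']['public']['identity']['uri']` would cover the regression.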
@@ -50,17 +48,17 @@ connection_params = { openstack_domain_name: admin_domain, } -ruby_block 'wait for identity admin endpoint' do +ruby_block 'wait for identity endpoint' do block do begin Timeout.timeout(60) do until Net::HTTP.get_response(URI(auth_url)).message == 'OK' - Chef::Log.info 'waiting for identity admin endpoint to be up...' + Chef::Log.info 'waiting for identity endpoint to be up...' sleep 1 end end rescue Timeout::Error - raise 'Waited 60 seconds for identity admin endpoint to become ready'\ + raise 'Waited 60 seconds for identity endpoint to become ready'\ ' and will not wait any longer' end end @@ -87,10 +85,6 @@ openstack_role '_member_' do connection_params connection_params end -node.normal['openstack']['identity']['adminURL'] = identity_admin_endpoint.to_s -node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s -node.normal['openstack']['identity']['publicURL'] = identity_public_endpoint.to_s +node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s -Chef::Log.info "Keystone AdminURL: #{identity_admin_endpoint}" -Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}" -Chef::Log.info "Keystone PublicURL: #{identity_public_endpoint}" +Chef::Log.info "Keystone PublicURL: #{identity_endpoint}" diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb index 9ecc172..cb263ee 100644 --- a/recipes/server-apache.rb +++ b/recipes/server-apache.rb @@ -48,9 +48,7 @@ end platform_options = node['openstack']['identity']['platform'] -identity_admin_endpoint = admin_endpoint 'identity' -identity_internal_endpoint = internal_endpoint 'identity' -identity_public_endpoint = public_endpoint 'identity' +identity_endpoint = public_endpoint 'identity' # define the credentials to use for the initial admin user admin_project = node['openstack']['identity']['admin_project'] 
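Review bot: The loop in `ruby_block 'wait for identity endpoint'` rescues only `Timeout::Error`, so a refused connection from `Net::HTTP.get_response` while Apache is still starting is raised out of the block on the first attempt instead of being retried for the 60 seconds the error message promises. The behaviour predates the rename, but the probe now targets the only remaining listener, so it is worth fixing in this change. The rest of the resource lies outside the hunk and may already set `retries`; if it does not, rescue connection errors inside the loop as sketched below.

```ruby
ruby_block 'wait for identity endpoint' do
  block do
    begin
      Timeout.timeout(60) do
        loop do
          begin
            break if Net::HTTP.get_response(URI(auth_url)).message == 'OK'
          rescue SystemCallError, SocketError => e
            # connection refused/reset while the service starts is expected; keep polling
            Chef::Log.info "identity endpoint not reachable yet (#{e.class})"
          end
          Chef::Log.info 'waiting for identity endpoint to be up...'
          sleep 1
        end
      end
    # … unchanged: rescue Timeout::Error and raise the 60-second message …
```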
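Review bot: Dropping the `node.normal['openstack']['identity']['adminURL']` and `['internalURL']` assignments at the end of recipes/registration.rb does not remove the values from nodes that already converged with the old recipe, because normal attributes persist on the node object between runs. Such a node would keep advertising the old admin URL (port 35357 by default) after Apache stops listening there, and anything that reads the attribute would be pointed at a dead port. Consider clearing them explicitly, e.g. `node.rm_normal('openstack', 'identity', 'adminURL')` and the same for `internalURL`, or state in the release notes that both attributes are gone.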
@@ -144,14 +142,8 @@ execute 'credential setup' do end # define the address to bind the keystone apache public service to -public_bind_service = node['openstack']['bind_service']['public']['identity'] -public_bind_address = bind_address public_bind_service -# define the address to bind the keystone apache admin service to -admin_bind_service = node['openstack']['bind_service']['admin']['identity'] -admin_bind_address = bind_address admin_bind_service - -# define the address where the keystone admin endpoint will be reachable -identity_admin_endpoint = admin_endpoint 'identity' +bind_service = node['openstack']['bind_service']['public']['identity'] +bind_address = bind_address bind_service # set the keystone database credentials db_user = node['openstack']['db']['identity']['username'] @@ -164,13 +156,9 @@ node.default['openstack']['identity']['conf_secrets'] memcache_servers = memcached_servers.join ',' # define the address where the keystone public endpoint will be reachable -identity_public_endpoint = public_endpoint 'identity' -ie = identity_public_endpoint +ie = identity_endpoint # define the keystone public endpoint full path -api_public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/" -ae = identity_admin_endpoint -# define the keystone admin endpoint full path -api_admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/" +api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/" # If a keystone-paste.ini is specified use it. # If platform_family is RHEL and we do not specify keystone-paste.ini, @@ -200,8 +188,7 @@ end # set keystone config parameters for admin_token, endpoints and memcache node.default['openstack']['identity']['conf'].tap do |conf| - conf['DEFAULT']['public_endpoint'] = api_public_endpoint - conf['DEFAULT']['admin_endpoint'] = api_admin_endpoint + conf['DEFAULT']['public_endpoint'] = api_endpoint conf['memcache']['servers'] = memcache_servers if memcache_servers end 
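Review bot: `bind_address = bind_address bind_service` in recipes/server-apache.rb assigns a local variable with the same name as the helper it calls. Ruby still treats the right-hand side as a method call because an argument follows, but from this line on a bare `bind_address` refers to the local value, which is easy to trip over in a later edit. A distinct name keeps the intent readable, e.g. `bind_host = bind_address bind_service`, with the `apache_listen` and `server_host` uses in the later hunks renamed to match.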
@@ -246,8 +233,7 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated' # populate the templated catlog # TODO: (jklare) this should be done in a helper method uris = { - 'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'), - 'identity' => identity_public_endpoint.to_s.gsub('%25', '%'), + 'identity' => identity_endpoint.to_s.gsub('%25', '%'), 'image' => image_public_endpoint.to_s.gsub('%25', '%'), 'compute' => compute_public_endpoint.to_s.gsub('%25', '%'), 'ec2' => ec2_public_endpoint.to_s.gsub('%25', '%'), @@ -281,9 +267,9 @@ execute 'bootstrap_keystone' do --bootstrap-role-name #{admin_role} \\ --bootstrap-service-name keystone \\ --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{identity_admin_endpoint} \\ - --bootstrap-public-url #{identity_public_endpoint} \\ - --bootstrap-internal-url #{identity_internal_endpoint}" + --bootstrap-admin-url #{identity_endpoint} \\ + --bootstrap-public-url #{identity_endpoint} \\ + --bootstrap-internal-url #{identity_endpoint}" end #### Start of Apache specific work @@ -293,8 +279,7 @@ apache_listen = Array(node['apache']['listen']) # include already defined listen # Remove the default apache2 cookbook port, as that is also the default for horizon, but with # a different address syntax. *:80 vs 0.0.0.0:80 apache_listen -= ['*:80'] -apache_listen += ["#{public_bind_address}:#{public_bind_service['port']}"] -apache_listen += ["#{admin_bind_address}:#{admin_bind_service['port']}"] +apache_listen += ["#{bind_address}:#{bind_service['port']}"] node.normal['apache']['listen'] = apache_listen.uniq # include the apache2 default recipe and the recipes for mod_wsgi 
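Review bot: `--bootstrap-internal-url #{identity_endpoint}` in the `bootstrap_keystone` command registers the public endpoint as the internal one, although attributes/default.rb still defines `['endpoints']['internal']['identity']` (including its own port) and operators can override it. A deployment that keeps service-to-service traffic on a separate internal address would have that override ignored without any log message, and internal callers would be directed to the public address. If the internal endpoint is meant to stay configurable, keep `--bootstrap-internal-url #{internal_endpoint 'identity'}`; otherwise remove the internal identity attributes too, so the setting cannot be changed to no effect. The `execute` resource starts outside the hunk.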
@@ -311,44 +296,27 @@ directory keystone_apache_dir do mode 0o0755 end -wsgi_apps = { - 'public' => { - server_host: public_bind_address, - server_port: public_bind_service['port'], - server_entry: '/usr/bin/keystone-wsgi-public', - server_alias: 'identity', - }, - 'admin' => { - server_host: admin_bind_address, - server_port: admin_bind_service['port'], - server_entry: '/usr/bin/keystone-wsgi-admin', - server_alias: 'identity_admin', - }, -} - # create the keystone apache config using the web_app resource from the apache2 # cookbook -wsgi_apps.each do |app, opt| - web_app "keystone-#{app}" do - template 'wsgi-keystone.conf.erb' - server_host opt[:server_host] - server_port opt[:server_port] - server_entry opt[:server_entry] - server_alias opt[:server_alias] - server_suffix app - log_dir node['apache']['log_dir'] - log_debug node['openstack']['identity']['debug'] - user keystone_user - group keystone_group - use_ssl node['openstack']['identity']['ssl']['enabled'] - cert_file node['openstack']['identity']['ssl']['certfile'] - chain_file node['openstack']['identity']['ssl']['chainfile'] - key_file node['openstack']['identity']['ssl']['keyfile'] - ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path'] - cert_required node['openstack']['identity']['ssl']['cert_required'] - protocol node['openstack']['identity']['ssl']['protocol'] - ciphers node['openstack']['identity']['ssl']['ciphers'] - end +web_app 'identity' do + template 'wsgi-keystone.conf.erb' + server_host bind_address + server_port bind_service['port'] + server_entry '/usr/bin/keystone-wsgi-public' + server_alias 'identity' + server_suffix app + log_dir node['apache']['log_dir'] + log_debug node['openstack']['identity']['debug'] + user keystone_user + group keystone_group + use_ssl node['openstack']['identity']['ssl']['enabled'] + cert_file node['openstack']['identity']['ssl']['certfile'] + chain_file node['openstack']['identity']['ssl']['chainfile'] + key_file 
node['openstack']['identity']['ssl']['keyfile'] + ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path'] + cert_required node['openstack']['identity']['ssl']['cert_required'] + protocol node['openstack']['identity']['ssl']['protocol'] + ciphers node['openstack']['identity']['ssl']['ciphers'] end # disable default keystone config file from UCA package diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb index 4bc5aca..e3e6359 100644 --- a/spec/registration_spec.rb +++ b/spec/registration_spec.rb @@ -12,7 +12,7 @@ describe 'openstack-identity::registration' do include_context 'identity_stubs' connection_params = { - openstack_auth_url: 'http://127.0.0.1:35357/v3/auth/tokens', + openstack_auth_url: 'http://127.0.0.1:5000/v3/auth/tokens', openstack_username: 'admin', openstack_api_key: 'admin', openstack_project_name: 'admin', @@ -25,7 +25,7 @@ describe 'openstack-identity::registration' do describe 'keystone bootstrap' do context 'default values' do it do - expect(chef_run).to run_ruby_block('wait for identity admin endpoint') + expect(chef_run).to run_ruby_block('wait for identity endpoint') end it "registers #{domain_name} domain" do 
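Review bot: `server_suffix app` in the new `web_app 'identity'` block still references `app`, the block parameter of the `wsgi_apps.each do |app, opt|` loop that this hunk removes. Nothing on the new side defines `app`, so the line either fails when the recipe is compiled or passes an unintended value, depending on how the definition DSL handles the unknown name. The template in this patch no longer reads `@params[:server_suffix]`, so the line can simply be deleted. The spec changes in this commit do not assert on it, which is presumably why it went unnoticed.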
@@ -62,62 +62,6 @@ describe 'openstack-identity::registration' do ) end end - context 'all different values' do - connection_params_other = { - openstack_auth_url: 'https://admin.identity:1234/v3/auth/tokens', - openstack_username: 'identity_admin', - openstack_api_key: 'identity_admin_pass', - openstack_project_name: 'admin_project', - openstack_domain_name: 'identity_domain', - } - before do - node.set['openstack']['endpoints']['admin']['identity']['uri'] = - 'https://admin.identity:1234/v3' - node.set['openstack']['endpoints']['internal']['identity']['uri'] = - 'https://internal.identity:5678/v3' - node.set['openstack']['endpoints']['public']['identity']['uri'] = - 'https://public.identity:9753/v3' - node.set['openstack']['region'] = 'otherRegion' - node.set['openstack']['identity']['admin_project'] = 'admin_project' - node.set['openstack']['identity']['admin_user'] = 'identity_admin' - node.set['openstack']['identity']['admin_role'] = 'identity_role' - node.set['openstack']['identity']['admin_domain_name'] = - 'identity_domain' - end - - it 'registers identity_domain domain' do - expect(chef_run).to create_openstack_domain( - 'identity_domain' - ).with( - connection_params: connection_params_other - ) - end - - it 'grants identity_admin user to identity_domain domain' do - expect(chef_run).to grant_domain_openstack_user( - 'identity_admin' - ).with( - domain_name: 'identity_domain', - role_name: 'identity_role', - connection_params: connection_params_other - ) - end - - it 'create service role' do - expect(chef_run).to create_openstack_role( - 'service' - ).with( - connection_params: connection_params_other - ) - end - it 'create service role' do - expect(chef_run).to create_openstack_role( - '_member_' - ).with( - connection_params: connection_params_other - ) - end - end end end end diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb index f8072a6..fb3ead5 100644 --- a/spec/server-apache_spec.rb +++ b/spec/server-apache_spec.rb 
@@ -20,7 +20,6 @@ describe 'openstack-identity::server-apache' do project_name = 'admin' role_name = 'admin' password = 'admin' - admin_url = 'http://127.0.0.1:35357/v3' public_url = 'http://127.0.0.1:5000/v3' internal_url = 'http://127.0.0.1:5000/v3' @@ -53,7 +52,7 @@ describe 'openstack-identity::server-apache' do --bootstrap-role-name #{role_name} \\ --bootstrap-service-name #{service_name} \\ --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{admin_url} \\ + --bootstrap-admin-url #{public_url} \\ --bootstrap-public-url #{public_url} \\ --bootstrap-internal-url #{internal_url}") end @@ -140,10 +139,8 @@ describe 'openstack-identity::server-apache' do it 'has correct endpoints' do # values correspond to node attrs set in chef_run above pub = line_regexp('public_endpoint = http://127.0.0.1:5000/') - adm = line_regexp('admin_endpoint = http://127.0.0.1:35357/') expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', pub) - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', adm) end end @@ -293,16 +290,11 @@ describe 'openstack-identity::server-apache' do end it 'template api pipeline set correct' do node.set['openstack']['identity']['pipeline']['public_api'] = 'public_service' - node.set['openstack']['identity']['pipeline']['admin_api'] = 'admin_service' node.set['openstack']['identity']['pipeline']['api_v3'] = 'service_v3' expect(chef_run).to render_config_file(path).with_section_content( 'pipeline:public_api', /^pipeline = public_service$/ ) - expect(chef_run).to render_config_file(path).with_section_content( - 'pipeline:admin_api', - /^pipeline = admin_service$/ - ) expect(chef_run).to render_config_file(path).with_section_content( 'pipeline:api_v3', /^pipeline = service_v3$/ 
@@ -335,9 +327,7 @@ describe 'openstack-identity::server-apache' do describe 'apache setup' do it 'set apache addresses and ports' do - expect(chef_run.node['apache']['listen']).to eq( - %w(127.0.0.1:5000 127.0.0.1:35357) - ) + expect(chef_run.node['apache']['listen']).to eq(%w(127.0.0.1:5000)) end describe 'apache recipes' do 
@@ -354,102 +344,85 @@ describe 'openstack-identity::server-apache' do end describe 'apache wsgi' do - ['/etc/apache2/sites-available/keystone-public.conf', - '/etc/apache2/sites-available/keystone-admin.conf'].each do |file| - it "creates #{file}" do - expect(chef_run).to create_template(file).with( - user: 'root', - group: 'root', - mode: '0644' - ) - end + let(:file) { '/etc/apache2/sites-available/identity.conf' } - it 'configures keystone-admin.conf lines' do - node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value' - [/^custom_template_banner_value$/, - /user=keystone/, - /group=keystone/, - %r{^ ErrorLog /var/log/apache2/keystone-admin.log$}, - %r{^ CustomLog /var/log/apache2/keystone-admin_access.log combined$}].each do |line| - expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-admin.conf').with_content(line) + it 'creates identity.conf' do + expect(chef_run).to create_template(file).with( + user: 'root', + group: 'root', + mode: '0644' + ) + end + + it 'does not configure keystone-admin.conf' do + expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf') + end + + it 'configures identity.conf lines' do + node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value' + [/^custom_template_banner_value$/, + /user=keystone/, + /group=keystone/, + %r{^ ErrorLog /var/log/apache2/identity.log$}, + %r{^ CustomLog /var/log/apache2/identity_access.log combined$}].each do |line| + expect(chef_run).to render_file(file).with_content(line) + end + end + + it 'does not configure identity.conf triggered common lines' do + [/^ LogLevel/, + /^ SSL/].each do |line| + expect(chef_run).not_to render_file(file).with_content(line) + end + end + + context 'Enable SSL' do + let(:file) { '/etc/apache2/sites-available/identity.conf' } + before do + node.set['openstack']['identity']['ssl']['enabled'] = true + end + it 'configures identity.conf common ssl lines' do + 
[/^ SSLEngine On$/, + %r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$}, + %r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$}, + %r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$}, + /^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line| + expect(chef_run).to render_file(file).with_content(line) end end - - it 'configures keystone-public.conf lines' do - node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value' - [/^custom_template_banner_value$/, - /user=keystone/, - /group=keystone/, - %r{^ ErrorLog /var/log/apache2/keystone-public.log$}, - %r{^ CustomLog /var/log/apache2/keystone-public_access.log combined$}].each do |line| - expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-public.conf').with_content(line) - end - end - - it "does not configure #{file} triggered common lines" do - [/^ LogLevel/, - /^ SSL/].each do |line| + it 'does not configure identity.conf common ssl lines' do + [/^ SSLCertificateChainFile/, + /^ SSLCipherSuite/, + /^ SSLVerifyClient require/].each do |line| expect(chef_run).not_to render_file(file).with_content(line) end end - - context 'Enable SSL' do - before do - node.set['openstack']['identity']['ssl']['enabled'] = true - end - it "configures #{file} common ssl lines" do - [/^ SSLEngine On$/, - %r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$}, - %r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$}, - %r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$}, - /^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line| - expect(chef_run).to render_file(file).with_content(line) - end - end - it "does not configure #{file} common ssl lines" do - [/^ SSLCertificateChainFile/, - /^ SSLCipherSuite/, - /^ SSLVerifyClient require/].each do |line| - expect(chef_run).not_to render_file(file).with_content(line) - end - end - it "configures #{file} chainfile when set" do - node.set['openstack']['identity']['ssl']['chainfile'] = 
'/etc/keystone/ssl/certs/chainfile.pem' - expect(chef_run).to render_file(file) - .with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$}) - end - it "configures #{file} ciphers when set" do - node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value' - expect(chef_run).to render_file(file) - .with_content(/^ SSLCipherSuite ciphers_value$/) - end - it "configures #{file} cert_required set" do - node.set['openstack']['identity']['ssl']['cert_required'] = true - expect(chef_run).to render_file(file) - .with_content(/^ SSLVerifyClient require$/) - end + it 'configures identity.conf chainfile when set' do + node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem' + expect(chef_run).to render_file(file) + .with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$}) + end + it 'configures identity.conf ciphers when set' do + node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value' + expect(chef_run).to render_file(file) + .with_content(/^ SSLCipherSuite ciphers_value$/) + end + it 'configures identity.conf cert_required set' do + node.set['openstack']['identity']['ssl']['cert_required'] = true + expect(chef_run).to render_file(file) + .with_content(/^ SSLVerifyClient require$/) end end + end - describe 'keystone-public.conf' do - it 'configures required lines' do - [/^$/, - /^ WSGIDaemonProcess keystone-public/, - /^ WSGIProcessGroup keystone-public$/, - %r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line| - expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-public.conf').with_content(line) - end - end - end - - describe 'keystone-admin.conf' do - it 'configures required lines' do - [/^$/, - /^ WSGIDaemonProcess keystone-admin/, - /^ WSGIProcessGroup keystone-admin$/, - %r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-admin$}].each do |line| - expect(chef_run).to 
render_file('/etc/apache2/sites-available/keystone-admin.conf').with_content(line) - end + describe 'identity.conf' do + let(:file) { '/etc/apache2/sites-available/identity.conf' } + it 'configures required lines' do + [/^$/, + /^ WSGIDaemonProcess identity/, + /^ WSGIProcessGroup identity$/, + %r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line| + expect(chef_run).to render_file(file).with_content(line) end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 4424c66..71a3ac3 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -4,16 +4,19 @@ require 'chefspec/berkshelf' ChefSpec::Coverage.start! { add_filter 'openstack-identity' } -LOG_LEVEL = :fatal +RSpec.configure do |config| + config.color = true + config.formatter = :documentation + config.log_level = :fatal +end + REDHAT_OPTS = { platform: 'redhat', - version: '7.3', - log_level: LOG_LEVEL, + version: '7.4', }.freeze UBUNTU_OPTS = { platform: 'ubuntu', version: '16.04', - log_level: LOG_LEVEL, }.freeze # Helper methods diff --git a/templates/default/wsgi-keystone.conf.erb b/templates/default/wsgi-keystone.conf.erb index 363d2d0..6b23d59 100644 --- a/templates/default/wsgi-keystone.conf.erb +++ b/templates/default/wsgi-keystone.conf.erb 
@@ -1,15 +1,15 @@ <%= node['openstack']['identity']['custom_template_banner'] %> :<%= @params[:server_port] %>> - WSGIDaemonProcess keystone-<%= @params[:server_suffix] %> processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP} - WSGIProcessGroup keystone-<%= @params[:server_suffix] %> + WSGIDaemonProcess identity processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP} + WSGIProcessGroup identity WSGIScriptAlias / <%= @params[:server_entry] %> WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" - ErrorLog <%= @params[:log_dir] %>/keystone-<%= @params[:server_suffix] %>.log - CustomLog <%= @params[:log_dir] %>/keystone-<%= @params[:server_suffix] %>_access.log combined + ErrorLog <%= @params[:log_dir] %>/identity.log + CustomLog <%= @params[:log_dir] %>/identity_access.log combined <% if [true, 'true', 'True'].include?(@params[:log_debug]) -%> LogLevel debug <% end -%>
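Review bot: Hard-coding `identity` in the template moves the log files from `keystone-public.log` / `keystone-admin.log` to `identity.log` and `identity_access.log`, and the recipe renames the site from `keystone-public` / `keystone-admin` to `identity`. On a node converged with the previous version the old site files would, as far as this patch shows, stay in place, and log rotation, log shipping or alerting rules keyed on the old file names would stop seeing Keystone authentication traffic. Add a template comment such as `# log files were keystone-public*.log / keystone-admin*.log before the single-endpoint change`, and consider disabling the old `keystone-public` and `keystone-admin` sites in recipes/server-apache.rb.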