From a8d9b7214c28fcff20eeff202c4f483d5ef98f35 Mon Sep 17 00:00:00 2001
From: Sergiy Markin
Date: Fri, 28 Apr 2023 18:56:40 +0000
Subject: [PATCH] Armada updates

This PS delivers the following updates:
- fixed sample config and policy files generation process

Change-Id: I6393abc6aac0d79539820dc5768a7094147190a6
---
 etc/armada/armada.conf.sample | 177 ++++++++++++++++++++++++++--------
 etc/armada/policy.yaml.sample | 32 ++++++
 requirements-direct.txt | 2 +
 requirements-frozen.txt | 9 ++
 tox.ini | 2 +
 5 files changed, 182 insertions(+), 40 deletions(-)
 create mode 100644 etc/armada/policy.yaml.sample

diff --git a/etc/armada/armada.conf.sample b/etc/armada/armada.conf.sample
index 362f155e..cbe347c0 100644
--- a/etc/armada/armada.conf.sample
+++ b/etc/armada/armada.conf.sample
@@ -31,6 +31,27 @@
 # includes the name of the key itself. (string value)
 #ssh_key_path = /home/user/.ssh/
 
+# Time in seconds of how long armada will attempt to acquire a lock
+# before an exception is raised (integer value)
+# Minimum value: 0
+#lock_acquire_timeout = 60
+
+# Time in seconds of how long to wait between attempts to acquire a lock
+# (integer value)
+# Minimum value: 0
+#lock_acquire_delay = 5
+
+# Time in seconds of how often armada will update the lock while it is
+# continuing to do work (integer value)
+# Minimum value: 0
+#lock_update_interval = 60
+
+# Time in seconds of how much time needs to pass since the last update
+# of an existing lock before armada forcibly removes it and tries to
+# acquire its own lock (integer value)
+# Minimum value: 0
+#lock_expiration = 600
+
 #
 # From oslo.log
 #
@@ -45,7 +66,7 @@
 # files, see the Python logging module documentation. Note that when logging
 # configuration files are used then all logging configuration is set in the
 # configuration file and other logging configuration options are ignored (for
-# example, logging_context_format_string). (string value)
+# example, log-date-format). (string value)
 # Note: This option can be changed without restarting.
 # Deprecated group/name - [DEFAULT]/log_config
 #log_config_append =
@@ -96,27 +117,63 @@
 # set. (boolean value)
 #use_stderr = false
 
-# Format string to use for log messages with context. (string value)
+# Log output to Windows Event Log. (boolean value)
+#use_eventlog = false
+
+# The amount of time before the log files are rotated. This option is ignored
+# unless log_rotation_type is set to "interval". (integer value)
+#log_rotate_interval = 1
+
+# Rotation interval type. The time of the last file change (or the time when
+# the service was started) is used when scheduling the next rotation. (string
+# value)
+# Possible values:
+# Seconds -
+# Minutes -
+# Hours -
+# Days -
+# Weekday -
+# Midnight -
+#log_rotate_interval_type = days
+
+# Maximum number of rotated log files. (integer value)
+#max_logfile_count = 30
+
+# Log file maximum size in MB. This option is ignored if "log_rotation_type" is
+# not set to "size". (integer value)
+#max_logfile_size_mb = 200
+
+# Log rotation type. (string value)
+# Possible values:
+# interval - Rotate logs at predefined time intervals.
+# size - Rotate logs once they reach a predefined size.
+# none - Do not rotate log files.
+#log_rotation_type = none
+
+# Format string to use for log messages with context. Used by
+# oslo_log.formatters.ContextFormatter (string value)
 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
 
-# Format string to use for log messages when context is undefined. (string
-# value)
+# Format string to use for log messages when context is undefined. Used by
+# oslo_log.formatters.ContextFormatter (string value)
 #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
 
 # Additional data to append to log message when logging level for the message
-# is DEBUG. (string value)
+# is DEBUG. Used by oslo_log.formatters.ContextFormatter (string value)
 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
 
-# Prefix each line of exception output with this format. (string value)
+# Prefix each line of exception output with this format. Used by
+# oslo_log.formatters.ContextFormatter (string value)
 #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
 
 # Defines the format string for %(user_identity)s that is used in
-# logging_context_format_string. (string value)
+# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter
+# (string value)
 #logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
 
 # List of package logging levels in logger=LEVEL pairs. This option is ignored
 # if log_config_append is set. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO
 
 # Enables or disables publication of error events. (boolean value)
 #publish_errors = false
@@ -185,7 +242,10 @@
 # Its value may be silently ignored in the future.
 #path = /healthcheck
 
-# Show more detailed information as part of the response (boolean value)
+# Show more detailed information as part of the response. Security note:
+# Enabling this option may expose sensitive details about the service being
+# monitored. Be sure to verify that it will not violate your security policies.
+# (boolean value)
 #detailed = false
 
 # Additional backends that can perform health checks and report that
@@ -224,6 +284,12 @@
 # Timeout value for http requests (integer value)
 #timeout =
 
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Log requests to multiple loggers. (boolean value)
+#split_loggers = false
+
 # Authentication type to load (string value)
 # Deprecated group/name - [keystone_authtoken]/auth_plugin
 #auth_type =
@@ -234,6 +300,9 @@
 # Authentication URL (string value)
 #auth_url =
 
+# Scope for system operations (string value)
+#system_scope =
+
 # Domain ID to scope to (string value)
 #domain_id =
 
@@ -252,7 +321,7 @@
 # Domain name containing project (string value)
 #project_domain_name =
 
-# Trust ID (string value)
+# ID of the trust to use as a trustee use (string value)
 #trust_id =
 
 # Optional domain ID to use with v3 and v2 parameters. It will be used for both
@@ -288,16 +357,36 @@
 # Complete "public" Identity API endpoint. This endpoint should not be an
 # "admin" endpoint, as it should be accessible by all end users.
 # Unauthenticated clients are redirected to this endpoint to authenticate.
-# Although this endpoint should ideally be unversioned, client support in the
-# wild varies. If you're using a versioned v2 endpoint here, then this should
-# *not* be the same endpoint the service user utilizes for validating tokens,
-# because normal end users may not be able to reach that endpoint. (string
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. (string
 # value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+#www_authenticate_uri =
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release. (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri
+# and will be removed in the S release.
 #auth_uri =
 
-# API version of the admin Identity API endpoint. (string value)
+# API version of the Identity API endpoint. (string value)
 #auth_version =
 
+# Interface to use for the Identity API endpoint. Valid values are "public",
+# "internal" (default) or "admin". (string value)
+#interface = internal
+
 # Do not handle authorization requests within the middleware, but delegate the
 # authorization decision to downstream WSGI components. (boolean value)
 #delay_auth_decision = false
@@ -332,9 +421,6 @@
 # The region in which the identity server can be found. (string value)
 #region_name =
 
-# Directory used to cache files related to PKI tokens. (string value)
-#signing_dir =
-
 # Optionally specify a list of memcached server(s) to use for caching. If left
 # undefined, tokens will instead be cached in-process. (list value)
 # Deprecated group/name - [keystone_authtoken]/memcache_servers
@@ -345,12 +431,6 @@
 # to -1 to disable caching completely. (integer value)
 #token_cache_time = 300
 
-# Determines the frequency at which the list of revoked tokens is retrieved
-# from the Identity service (in seconds). A high number of revocation events
-# combined with a low cache duration may significantly reduce performance. Only
-# valid for PKI tokens. (integer value)
-#revocation_cache_time = 10
-
 # (Optional) If defined, indicate whether token data should be authenticated or
 # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
 # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
@@ -386,9 +466,9 @@
 # client connection from the pool. (integer value)
 #memcache_pool_conn_get_timeout = 10
 
-# (Optional) Use the advanced (eventlet safe) memcached client pool. The
-# advanced pool will only work under python 2.x. (boolean value)
-#memcache_use_advanced_pool = false
+# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
+# value)
+#memcache_use_advanced_pool = true
 
 # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
 # middleware will not ask for service catalog on token validation and will not
@@ -404,19 +484,23 @@
 # (string value)
 #enforce_token_bind = permissive
 
-# If true, the revocation list will be checked for cached tokens. This requires
-# that PKI tokens are configured on the identity server. (boolean value)
-#check_revocations_for_cached = false
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present.
+# For backwards compatibility reasons this currently only affects the
+# allow_expired check. (list value)
+#service_token_roles = service
 
-# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
-# or multiple. The algorithms are those supported by Python standard
-# hashlib.new(). The hashes will be tried in the order given, so put the
-# preferred one first for performance. The result of the first hash will be
-# stored in the cache. This will typically be set to multiple values only while
-# migrating from a less secure algorithm to a more secure one. Once all the old
-# tokens are expired this option should be set to a single value for better
-# performance. (list value)
-#hash_algorithms = md5
+# For backwards compatibility reasons we must let valid service tokens pass
+# that don't pass the service_token_roles check as valid. Setting this true
+# will become the default in a future release and should be enabled if
+# possible. (boolean value)
+#service_token_roles_required = false
+
+# The name or type of the service as it appears in the service catalog. This is
+# used to validate tokens that have restricted access rules. (string value)
+#service_type =
 
 # Authentication type to load (string value)
 # Deprecated group/name - [keystone_authtoken]/auth_plugin
@@ -463,7 +547,20 @@
 # mismatching scope. (boolean value)
 #enforce_scope = false
 
-# The file that defines policies. (string value)
+# This option controls whether or not to use old deprecated defaults when
+# evaluating policies. If ``True``, the old deprecated defaults are not going
+# to be evaluated. This means if any existing token is allowed for old defaults
+# but is disallowed for new defaults, it will be disallowed. It is encouraged
+# to enable this flag along with the ``enforce_scope`` flag so that you can get
+# the benefits of new defaults and ``scope_type`` together. If ``False``, the
+# deprecated policy check string is logically OR'd with the new policy check
+# string, allowing for a graceful upgrade experience between releases with new
+# policies, which is the default behavior. (boolean value)
+#enforce_new_defaults = false
+
+# The relative or absolute path of a file that maps roles to permissions for a
+# given service. Relative paths must be specified in relation to the
+# configuration file setting this option. (string value)
 #policy_file = policy.json
 
 # Default rule. Enforced when a requested rule is not found. (string value)
diff --git a/etc/armada/policy.yaml.sample b/etc/armada/policy.yaml.sample
new file mode 100644
index 00000000..a28f2b24
--- /dev/null
+++ b/etc/armada/policy.yaml.sample
@@ -0,0 +1,32 @@
+#"admin_required": "role:admin or role:admin_ucp"
+
+#"service_or_admin": "rule:admin_required or rule:service_role"
+
+#"service_role": "role:service"
+
+#"admin_viewer": "role:admin_ucp_viewer or rule:service_or_admin"
+
+# Install manifest charts
+# POST /api/v1.0/apply/
+#"armada:create_endpoints": "rule:admin_required"
+
+# Validate manifest
+# POST /api/v1.0/validatedesign/
+#"armada:validate_manifest": "rule:admin_viewer"
+
+# Test release
+# GET /api/v1.0/test/{release}
+#"armada:test_release": "rule:admin_required"
+
+# Test manifest
+# POST /api/v1.0/tests/
+#"armada:test_manifest": "rule:admin_required"
+
+# Get helm releases
+# GET /api/v1.0/releases/
+#"armada:get_release": "rule:admin_viewer"
+
+# Get Tiller status
+# GET /api/v1.0/status/
+#"tiller:get_status": "rule:admin_viewer"
+
diff --git a/requirements-direct.txt b/requirements-direct.txt
index 1d00022f..76682c3f 100644
--- a/requirements-direct.txt
+++ b/requirements-direct.txt
@@ -15,6 +15,8 @@ oslo.config<=8.7.1
 oslo.i18n
 oslo.log<=4.6.0
 oslo.policy<=3.10.1
+oslo.middleware<=4.4.0
+keystonemiddleware<=10.2.0
 oslo.utils<=4.12.3
 prometheus-client==0.8.0
 pylibyaml==0.1.0
diff --git a/requirements-frozen.txt b/requirements-frozen.txt
index 908b2d0c..2abe0edc 100644
--- a/requirements-frozen.txt
+++ b/requirements-frozen.txt
@@ -1,6 +1,7 @@
 alabaster==0.7.13
 attrs==23.1.0
 Babel==2.12.1
+bcrypt==4.0.1
 cachetools==5.3.0
 certifi==2022.12.7
 chardet==3.0.4
@@ -10,6 +11,7 @@ debtcollector==2.5.0
 decorator==5.1.1
 deepdiff==5.8.1
 docutils==0.17
+dogpile.cache==1.2.0
 dulwich==0.21.3
 falcon==3.1.1
 gitdb==4.0.10
@@ -22,6 +24,7 @@ iso8601==1.1.0
 Jinja2==3.0.3
 jsonschema==3.2.0
 keystoneauth1==5.1.1
+keystonemiddleware==10.2.0
 kubernetes==26.1.0
 MarkupSafe==2.0.1
 msgpack==1.0.5
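Review bot: The two lines added to requirements-direct.txt break the file's alphabetical order, landing `oslo.middleware` and `keystonemiddleware` between `oslo.policy` and `oslo.utils`; `keystonemiddleware<=10.2.0` belongs before the `oslo.*` group and `oslo.middleware<=4.4.0` between `oslo.log` and `oslo.policy`. Both carry only an upper bound, like the entries around them, so a fresh resolve may land on any older release while `requirements-frozen.txt` pins them to exactly 4.4.0 and 10.2.0; a lower bound matching the frozen pin would keep the two files in agreement. It is not visible from the diff which code imports these packages — presumably they are needed so the config generator can load the `keystone_authtoken` and `healthcheck` option groups that now appear in the sample — and a one-line comment above them naming that consumer would make the next audit of this file easier.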
@@ -31,10 +34,12 @@ nose==1.3.7
 oauthlib==3.2.2
 ordered-set==4.1.0
 os-service-types==1.7.0
+oslo.cache==3.3.1
 oslo.config==8.7.1
 oslo.context==5.1.1
 oslo.i18n==6.0.0
 oslo.log==4.6.0
+oslo.middleware==4.4.0
 oslo.policy==3.10.1
 oslo.serialization==5.1.1
 oslo.utils==4.12.3
@@ -45,11 +50,13 @@ prometheus-client==0.8.0
 py==1.11.0
 pyasn1==0.5.0
 pyasn1-modules==0.3.0
+pycadf==3.1.1
 Pygments==2.15.1
 pylibyaml==0.1.0
 pyparsing==3.0.9
 pyrsistent==0.19.3
 python-dateutil==2.8.1
+python-keystoneclient==5.1.0
 pytz==2023.3
 PyYAML==5.4.1
 reno==4.0.0
@@ -70,9 +77,11 @@ sphinxcontrib-htmlhelp==2.0.1
 sphinxcontrib-jsmath==1.0.1
 sphinxcontrib-qthelp==1.0.3
 sphinxcontrib-serializinghtml==1.1.5
+statsd==4.0.1
 stevedore==5.0.0
 urllib3==1.25.11
 uWSGI==2.0.21
+WebOb==1.8.7
 websocket-client==1.5.1
 wheel==0.40.0
 wrapt==1.15.0
diff --git a/tox.ini b/tox.ini
index eb910f3b..ca96cd66 100644
--- a/tox.ini
+++ b/tox.ini
@@ -61,10 +61,12 @@ commands =
 
 [testenv:genconfig]
 commands =
+    pip install . --use-pep517
     oslo-config-generator --config-file=etc/armada/config-generator.conf
 
 [testenv:genpolicy]
 commands =
+    pip install . --use-pep517
     oslopolicy-sample-generator --config-file=etc/armada/policy-generator.conf
 
 [testenv:releasenotes]
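Review bot: `pip install . --use-pep517` inside `commands` of `[testenv:genconfig]` and `[testenv:genpolicy]` performs the project install outside tox's own package-install step, so its transitive dependency resolution is not constrained by the env's `deps` or by `requirements-frozen.txt`, and it re-runs on every invocation. The same applies to both hunks in this file. If these envs currently skip the default install (a `skip_install` or `skipsdist` setting, not visible in this hunk), the more predictable fix is to re-enable it for these two envs, e.g. `usedevelop = True`, and pass `--use-pep517` through `install_command` so the generators see the same pinned dependency set as the test envs; if they do not skip it, the added line duplicates work tox already does and can be dropped. A short comment above the line stating why an in-command install is needed would help the next reader either way.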