The existing pause/resume functionality is enhanced with
changed charm-helpers support to check that the services
really are stopped and that paused units really stay
paused. The restart_on_change decorator is gated
such that if the unit is 'paused' then the service
is not accidentally started.
Change-Id: Ie0c5e0249bde0839345ad66f7400522754aa91ca

This change enables the Keystone v3 api. It can be toggled on and off via the
preferred-api-version option.
When services join the identity-service relation they will be presented with a
new parameter api_version which is the maximum api version the keystone charm
supports and matches what was set via preferred-api-version.
If preferred-api-version is set to 3 then the charm will render a new
policy.json which adds support for domains etc when keystone is checking
authorisation. The new policy.json requires an admin domain to be created and
specifies that a user is classed as an admin of the whole cloud if they have
the admin role against that admin domain.
The admin domain, called admin_domain, is created by the charm. The name of
this domain is currently not user configurable. The role that enables a user to
be classed as an admin is specified by the old charm option admin-role. The
charm grants admin-role to the admin-user against the admin_domain.
Switching a deployed cloud from preferred-api-version 2 to
preferred-api-version 3 is supported. Switching from preferred-api-version 3 to
preferred-api-version 2 should work from the charm point of view but may cause
problems if there are duplicate users between domains or may have unintended
consequences like escalating the privilege of some users so is not recommended.
Change-Id: I8eec2a90e0acbf56ee72cb5036a0a21f4a77a2c3

Implemented new is_paused() and assess_status() functions, and changed
the pause and resume actions to use them. Changed existing and added new
tests to verify functionality.

Adds in the config option for overriding public endpoint addresses
and introduces a unit test to ensure that the override for the
public address is functioning correctly.
Closes-Bug: #1398182

A previous commit had removed auth_host and service_host from
the peer relation due to races with resolve_address(). If
we do not place this data on the peer relation we actually
break endpoints that use openstack.context.IdentityServiceContext
which expects *any* keystone relation unit to be able to provide
a complete set of valid settings...which are propagated by the
peer relation and re-propagated to the keystone relations.

Fixes disable ssl. Allows disable of use-https and https-service-endpoints.
Use '__null__' value to flush out peer relation settings that need to be unset
when forwarded to other relations. This will fix ssl disable by ensuring that
peer settings are correctly forwarded to endpoint relations.
Closes-Bug: 1427906
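
The '__null__' approach described in the last commit message, sketched as an added example (not code from the charm or charm-helpers). Relations are modelled as plain dicts, and the function names and setting keys (`ssl_cert`, `auth_host`) are constructed for illustration; the assumption is that without a sentinel, a cleared setting simply disappears from the peer data.

```python
NULL_SENTINEL = "__null__"  # sentinel value named in the commit message


def peer_publish(peer_db, updates):
    """Write settings to the peer relation (hypothetical helper).

    A setting that must be unset is stored as the sentinel instead of being
    dropped, so other units can tell "cleared" apart from "never published".
    """
    for key, value in updates.items():
        peer_db[key] = NULL_SENTINEL if value is None else value
    return peer_db


def forward_to_endpoint(peer_db, endpoint_db, keys):
    """Forward peer settings to an endpoint relation, honouring the sentinel."""
    for key in keys:
        if key not in peer_db:
            continue  # never published on the peer relation: leave untouched
        if peer_db[key] == NULL_SENTINEL:
            endpoint_db.pop(key, None)  # flush the stale value downstream
        else:
            endpoint_db[key] = peer_db[key]
    return endpoint_db


def naive_forward(peer_db, endpoint_db, keys):
    """Forwarding without a sentinel: a cleared key is indistinguishable
    from a missing one, so the old endpoint value survives."""
    for key in keys:
        if key in peer_db:
            endpoint_db[key] = peer_db[key]
    return endpoint_db


if __name__ == "__main__":
    keys = ["ssl_cert", "auth_host"]
    # Constructed endpoint state left over from when SSL was enabled.
    stale = {"ssl_cert": "PEM-DATA", "auth_host": "10.0.0.9"}

    # SSL disabled, no sentinel: ssl_cert lingers on the endpoint relation.
    print(naive_forward({"auth_host": "10.0.0.10"}, dict(stale), keys))

    # SSL disabled, sentinel published: ssl_cert is removed downstream.
    peer = peer_publish({}, {"ssl_cert": None, "auth_host": "10.0.0.10"})
    print(forward_to_endpoint(peer, dict(stale), keys))
```
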