This will also give us more insights into the leader-set failure
happening in the linked bug.
Also updated project files from latest release-tools templates.
Also blacklisted libjuju 2.8.3 which causes spurious
JujuAPIError's.
Change-Id: I51b890098df6d918c1d84adba272559ef45411bb
Partial-Bug: #1890256
This patch eliminates almost all the manager.py calls when
updating/checking the endpoints from the relation(s) with other charms.
Change-Id: Ibb7999239ec9927e76052b7e45c4545127b5919a
Closes-Bug: #1890602
If a client requests a role then inform them what role was
actually created or already existed.
If a client requests the creation of a role and that role already
exists with a different mix of upper and lower case then the new
role is not created. This is because keystone purports to be case
insensative. However the client may not be case insesative (horizon)
and may assume that the role was created. This change replies to
the client with a new key 'created_roles'. This tells the client
what the case sensative name actually is.
Change-Id: Idc0865a688886a2066dfcdbd15e30118ae5c5bb8
Closes-Bug: #1890437
Fallback to v2 API behaviour for processing endpoints for older
OpenStack releases where the v2 API is still the default.
Change-Id: Ieb9afed0a6442fac48f8e1ccc0f5c34626a3be18
Closes-Bug: 1889180
Depending on the order of hook execution its possible for a charm
requesting notification of endpoint changes via the subscribe_ep_change
relation key will only get a partial set of information based on
services which are registered after their service is registered.
If this situation happens and a subscribed to service already exists
in the endpoint catalog add these to the JSON dict of information
passed to the requesting charm.
Change-Id: Ibac7ea6de013674b570c3de205d95c0a9d1cd8ae
Closes-Bug: 1887394
Sharing the admin password with peers over the 'cluster' relation
was needed in case the leader would die and the next leader would
then need that information. This was implemented years ago when
the leader DB didn't exist.
This led to a race condition described in the mentioned bug and
can now be safely removed.
Validated by deploying several keystone and glance units, then
removing the keystone leader, then adding a glance unit and
checking that this new unit gets its service credentials.
Also added useful traces, made linter happy and increased fernet
token expiration to avoid spurious test failures.
Closes-Bug: #1818113
Change-Id: I004903e50f51e190467d71691982de26518d7149
The checks that keystone was performing before emitting identity
data were applicable to any Openstack api charm so the check
definitions have been moved to charmhelpers so other charms can
use them. The checks as they were are encapsulated in
`check_api_unit_ready` *1
Bug 1818113 was caused by keystone emitting identity data
as soon as the leader was ready but ignoring the state of the
peer units. This is now covered by a new check
`check_api_application_ready` which performs all the local
unit checks and then checks that all peers have reported
as ready too.
In addition `check_api_unit_ready` is now used when
setting the units workload status and `check_api_application_ready`
is used when setting the application workload status.
*1 https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/utils.py#L2289
*2 https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/utils.py#L2330
Change-Id: I99830ab2c2482e8beef174424820907ce96fd5d7
Closes-Bug: #1818113
Stop the use of the admin_token and use the bootstrap process
to initialize Keystone instead. Fortunately the implementation
of the bootstrap process is both idempotent when it needs to be
and it can be safely called on an existing deployment.
Subsequently we can migrate by just removing the admin_token
from the configuration and create new credentials for use by
the charm with a call to ``keystone-manage bootstrap``.
Remove configuration templates for versions prior to Mitaka, by
doing this we need to move any configuration initially defined
prior to Miataka forward to the ``templates/mitaka`` folder.
A side effect of this migration is that newly bootstrapped
deployments will get their ``default`` domain created with a
literal ID of ``default``. Prior to this change third party
software making assumptions about that being the case may have
had issues.
Closes-Bug: #1859844
Closes-Bug: #1837113
Related-Bug: #1774733
Closes-Bug: #1648719
Closes-Bug: #1578678
Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/191
Change-Id: I23940720c24527ee34149f035c3bdf9ff54812c9
For keystone v3 deployments, provide the admin user and project ID
over identity-service relations.
This may be used by consuming services to build trust between the
service account and the cloud admin account.
Change-Id: I6166793a497a283e743210d067eb44c14071e61e
When a remote service requests notification about changes to
endpoints, provide the full detail on each endpoint rather than
just a checksum of the internal/admin/public URL's.
This allows consuming services which require explicit configuration
of service endpoint URL's to configure everything via their
relation to keystone rather than directly relating to all required
services.
Change-Id: I39b6e3df17e44c801f5f6bb122407623cbf1c937
Add support for registration of the Trilio Workload Manager
service into the keystone service catalog.
Change-Id: If46e007700bfa95585c65364a80710b25d42c562
Services can optionally request notifications of other services endpoint
changes. They do this by sending a space seperated list of service names
that they wish to be notified of down the identity-service relation e.g
subscribe_ep_change="placement neutron"
If the endpoints change for any service in the list then a notification is
sent back with a nonce. e.g. if the neutron ep changes the charm will
recieve a json encoded dict of changes:
'ep_changed': '{"neutron": "1c261658"}'
This removes the need for charms to have two relations for ep notification
changes and allows applications to specify which endpoints they are
interested in.
Closes-Bug: #1862974
Change-Id: I03667af35022c352ea1cf817d97a6a50c2fb5c5d
This feature adds a "password-security-compliance" option to the
charm to enable setting of keys in the "[security_compliance]" section
of the keystone.conf file. This section was added in the Newton
release, and so this feature supports this from the Newton release.
It also protects the service accounts from two of the PCI-DSS options
but setting the user options 'ignore_password_expiry' and
'ignore_change_password_upon_first_use' to True to prevent the cloud
from being broken.
Change-Id: If7c54fae73188284bd9b03a53626cdf52158b994
Closes-Bug: #1776688
Currently, Apache ports.conf file is not being configured by this
charm. This patch changes the ports.conf default file with another one
that does not open port 80 on SSL environments.
Change-Id: I35ba6bb31af6d795d02d90d0d127ac5c6c129d0f
Closes-bug: #1845665
Switch to using get_managed_services_and_ports from charmhelpers.
Charmhelper sync included to bring in required
get_managed_services_and_ports method.
Change-Id: Ib2b1f3dead1dbb613591bdf3903ed56e8c14f45c
When resuming services exclude those managed by hacluster, in
this case haproxy. If pacemaker lacks quorum it may shut haproxy
down which will cause this charm to error.
Change-Id: I9ac10807e853f2e83ea9ea9b780f83a79c17be10
Services that expose multiple endpoints use a prefix in their keys, this
patch refactors that code to put it in their own function to be reused
by the notifications functionality and make it notificate for changes in
those endpoints (e.g. neutron-api and nova-cloud-controller).
Change-Id: Ieecfc4ef7c85c7f716ceef0c2938ae0c7787953d
Closes-Bug: #1856419
Watcher needs to be added to the keystone service catalog for
functionality of the upcoming watcher charms.
Change-Id: Ie800c9030c94ff92f38b3502113e8875a4dcba11
Signed-off-by: Stamatis Katsaounis <skatsaounis@admin.grnet.gr>
Change os.remove to shutil.rmtree to delete unused key directory
even it has subdirectories somehow
Change-Id: I4743b2e9650721966df40a7dd542f85833c4f4c6
Closes-Bug: #1840756
Rather than use hard coded auth methods, use the protocal named passed
over the keystone-fid-service-provider relation.
Also, when using federation do not allow the "external" method as they
are mutually exclusive.
Change-Id: I08f0632630d7f0e8d2d7ddb057e02f9febf9ad6f
Closes-Bug: #1828015
Closes-Bug: #1828018
If the certificates that Apache is using change then Apache needs to
be restarted. This change adds the SSL directory to the restart map
to ensure any certificate changes trigger a restart.
Change-Id: I1fd46865350e6a9cb35f4209fcf8dd201e6f1441
Closes-Bug: 1828530
When running an upgrade of the keystone charm in a large environment,
the upgrade process can take more than 30 minutes.
Prior to this change, the user would only see 'Installing apt packages'
during most of the process.
This change adds status_set and log messages to the upgrade charm hook
so that end users can see what is the status of the upgrade.
Change-Id: I1eade73fad551310ceec0bb8dcbccb777737faeb
Closes-Bug: #1782004
This patch works around a bug during upgrades where (it is believed)
that the manager.py script can hold a 'stale' connection to the apache2
hosted keystone, which then returns a 500 HTTP error when next used.
Change-Id: Id9c9b967742467f30270f52c2a8b6634f6480324
Related-Bug: #1823743
This patch ensures that any running manager.py script is stopped if the
keystone service (either standalone, or run via apache2) is restarted.
The ManagerServer will automatically (re)start the manager.py script
when it is needed.
Change-Id: I4e3dff340cce73b2de7d697f3685d602defb5179
Related-Bug: #1823743
The manager.py helper is launched with either py2 or py3 depending on
the version of the payload. However, it was using openstack-origin
rather than actually picking up the actual version of the installed
software. This patch ensures that the manager.py is run with the
python version of the installed payload, which resolves a bug when
upgrading to rocky (which is the py2 to py3 transition of the payload).
Also fixes an os.execl() bug which changed behaviour from python2 to
python3.
Change-Id: I17255b84ca067886f866a5f8311dcab57fba6f14
Closes-bug: #1818988
Some projects, like masakari, require the project and user domain
id when authenticating with keystone. This change adds the domain
information to the relation information.
Given the user and projects can be in different domains expose
the domain names and ids as individual config options.
Change-Id: I228ddfbef23ab77885b093c8d5f359eec13d210c
Masakari for instance HA needs to be added to the keystone service
catalog for functionality of the upcoming masakari charms
Change-Id: Ic48767df7dc0408679c7dd9a6d7547b744778894
This patch creates a new middleware context to retrieve data
from subordinate charm and update the kesytone configuration file.
It also allows integration with keystone-middleware interface:
https://github.com/openstack-charmers/interface-keystone-middleware
This patch uses the subordinate configuration approach
to retrieve data from the subordinate charm.
Every changes required for paste.ini file will be handled by
the subordinate charm. The latter should deal with keystone upgrades.
Closes-Bug: #1808597
Change-Id: I4897011fbc791abc97e34e75826579820e80a4f1
On charm upgrade the charm may switch to py3 packages. If so, ensure
the old py2 packages are purged after any new packages have been
installed. If packages where removed during the upgrade, then
restart all services to pickup any py2->py3 switches.
Change-Id: I8a17f679e85448680ab0b1f5ae362ef7a65b035c
Closes-Bug: 1803451
It looks like os.execl does not support an empty second argument
under py3. This change fixes the call for py3.
Change-Id: Iffcd2c68b03013384ad3f1d2b5e8805b84b3972a
Closes-Bug: 1802274
When checking goal state, only look for one unit to be available
when examining container scoped relations as a principle unit only
ever has a relation with a single unit of a given subordinate
application.
Change-Id: I02f34358060c98c0702d3d7b58d52427c2a0445a
Closes-Bug: #1801754
In case there are containers with Apache running on the same
host, the charm will only watch PIDs within the same namespace.
Change-Id: I9cdd7d5b1f53fce748e7fafab538676e4e55dd54
Closes-Bug: #1795918
Switch package install to Python 3 for OpenStack Rocky or later.
When upgrading, remove any python-* packages that were explicitly
installated and then autoremove --purge any dependencies that are
no longer required.
Also drop the python2 shebang from hooks/manager.py in favor of
specifying the interpreter on the subprocess call. The python
interpreter version must match the python version of the OpenStack
payload due to the keystoneclient library imports.
Depends-On: I18996e15d2d08b1dacf0533132eae880cbb9aa32
Change-Id: If973ebc2be3b32ee3ff2122b5874dad96cda9fec
At present the Keystone charm frequently initiates updates to its
relations before it has reached a stable state.
Make use information from ``juju goal-state`` to predict scale and gate
initial update of relations on having reached expected scale.
Depends-On: https://github.com/juju/charm-helpers/pull/226
Change-Id: I96d4aff7c4ec9fb9ea160c7e294581bab3103df8
When hooks/keystone_utils.py:get_admin_passwd is called without the user
parameter, the parameter should default to config('admin-user')
Also changed the log, to use the parameter for consistency with facts.
Don't assume 'admin' is always the username for admin, when setting the
admin password.
Added unittests to check the various options, either specifying the
username via function arguments, or use setting from
config('admin-user').
Change-Id: I02726c07ee4ed1e78ea1bfaa93adc2564a1a8236
Closes-Bug: 1794893
Major changes:
* decoupling the hooks/manager.py file from the charm. It is now a
script that is called from hooks/keystone_utils.py as it has to use
the same Python version/libraries as the installed keystone payload
software. keystone_utils.py and manager.py communicate via a Unix
Domain Socket using json, encoded to base64.
* As Python3 requires absolute imports, the charmhelpers symlink has
been removed from hooks, and the hooks and charmhelpers symlinks have
been removed from the actions directory. Instead, the path is
adjusted so that the modules can be found.
Change-Id: I18996e15d2d08b1dacf0533132eae880cbb9aa32
The test/code was using localtime; this changes it to UTC so that DST
changes don't affect rotations.
Change-Id: I1c8247c08103833a842c422e19b5cd121515c054
