404 Commits

Author SHA1 Message Date
Zuul
bd522d07ea Merge "Improve Apache PID check on service restart" 2018-11-08 17:17:09 +00:00
Liam Young
8bdb5d5f76 Fix call to os.execl
It looks like os.execl does not support an empty second argument
under py3. This change fixes the call for py3.

Change-Id: Iffcd2c68b03013384ad3f1d2b5e8805b84b3972a
Closes-Bug: 1802274
2018-11-08 13:36:05 +00:00
Liam Young
32e4d822c1 Only check for one unit for container scoped rels.
When checking goal state, only look for one unit to be available
when examining container scoped relations as a principal unit only
ever has a relation with a single unit of a given subordinate
application.

Change-Id: I02f34358060c98c0702d3d7b58d52427c2a0445a
Closes-Bug: #1801754
2018-11-05 18:36:06 +00:00
Zuul
d3aa1dc449 Merge "Gate initial update of relations on having reached expected scale" 2018-10-17 06:18:48 +00:00
Andrey Grebennikov
f0ee669279 Improve Apache PID check on service restart
In case there are containers with Apache running on the same
host, the charm will only watch PIDs within the same namespace.

Change-Id: I9cdd7d5b1f53fce748e7fafab538676e4e55dd54
Closes-Bug: #1795918
2018-10-11 12:53:49 -05:00
Corey Bryant
9cb5636eba py3: Switch to using Python 3 for rocky or later
Switch package install to Python 3 for OpenStack Rocky or later.

When upgrading, remove any python-* packages that were explicitly
installed and then autoremove --purge any dependencies that are
no longer required.

Also drop the python2 shebang from hooks/manager.py in favor of
specifying the interpreter on the subprocess call. The python
interpreter version must match the python version of the OpenStack
payload due to the keystoneclient library imports.

Depends-On: I18996e15d2d08b1dacf0533132eae880cbb9aa32
Change-Id: If973ebc2be3b32ee3ff2122b5874dad96cda9fec
2018-10-10 09:20:51 -04:00
Frode Nordahl
1c1c41c7f1
Add `octavia` service
Change-Id: Ia4beebac21aebf88287f92527b091655a1bd05b8
2018-10-08 14:51:19 +02:00
Frode Nordahl
a449a53885
Gate initial update of relations on having reached expected scale
At present the Keystone charm frequently initiates updates to its
relations before it has reached a stable state.

Make use of information from ``juju goal-state`` to predict scale and gate
initial update of relations on having reached expected scale.

Depends-On: https://github.com/juju/charm-helpers/pull/226
Change-Id: I96d4aff7c4ec9fb9ea160c7e294581bab3103df8
2018-10-04 10:15:42 +02:00
Wouter van Bommel
78f2e5e049 Assign username from config if none is given
When hooks/keystone_utils.py:get_admin_passwd is called without the user
parameter, the parameter should default to config('admin-user')

Also changed the log, to use the parameter for consistency with facts.

Don't assume 'admin' is always the username for admin, when setting the
admin password.

Added unittests to check the various options, either specifying the
username via function arguments, or use setting from
config('admin-user').

Change-Id: I02726c07ee4ed1e78ea1bfaa93adc2564a1a8236
Closes-Bug: 1794893
2018-10-02 16:02:01 +02:00
Alex Kavanagh
59561fdda0 Convert the charm to Python 3 only
Major changes:

 * decoupling the hooks/manager.py file from the charm.  It is now a
   script that is called from hooks/keystone_utils.py as it has to use
   the same Python version/libraries as the installed keystone payload
   software.  keystone_utils.py and manager.py communicate via a Unix
   Domain Socket using json, encoded to base64.
 * As Python3 requires absolute imports, the charmhelpers symlink has
   been removed from hooks, and the hooks and charmhelpers symlinks have
   been removed from the actions directory.  Instead, the path is
   adjusted so that the modules can be found.

Change-Id: I18996e15d2d08b1dacf0533132eae880cbb9aa32
2018-09-21 09:09:47 +00:00
Abhijeet Patra
4183055aa3 Adding Trilio DataMover service to keystone
Change-Id: Ibc631327bf636b66c6a66c8bd21dcffb37c342a9
2018-09-10 10:01:33 -04:00
Alex Kavanagh
60fd4de2b3 Fix fernet token test/rotate to use UTC only
The test/code was using localtime; this changes it to UTC so that DST
changes don't affect rotations.

Change-Id: I1c8247c08103833a842c422e19b5cd121515c054
2018-08-22 15:20:17 +01:00
Frode Nordahl
93db018485 Do not rotate keys when lead unit is paused
Closes-Bug: #1787719
Change-Id: I0557803e90d8ec52271f01e5e7276d2db8338ce2
2018-08-20 15:15:44 +00:00
Alex Kavanagh
b813360bf6 Keystone Fernet Token implementation
This patchset adds more Fernet token implementation:

1. Adds a cron job to rotate / sync keys to other units.
2. Adds additional tests around gating on config.
3. Adds rotation / syncing with more robust key handling.

Change-Id: Ied021ad83c241f241dbb5f9acdede9045e43a8a3
2018-08-14 08:35:43 +02:00
Frode Nordahl
3f58b2861b
Use leader storage for passwords
There are no relation-level concerns for these values.

Any pre-existing deployments with recent charms (as in released
2015 or later) will have already migrated the peer storage to
leader storage, so this change can build on that work directly.

Ref: https://github.com/juju/charm-helpers/blame/master/charmhelpers/contrib/peerstorage/__init__.py

Change-Id: I85d1746bdf3e9d3e1ff514e6dd2b4c565dee4dfc
Closes-Bug: #1783943
2018-07-27 14:15:26 +02:00
Frode Nordahl
a4c39edc24
Use leader storage for db-initialised flag
There are no relation-level concerns for this flag.

Any pre-existing deployments with recent charms (as in released
2015 or later) will have already migrated the peer storage to
leader storage, so this change can build on that work directly.

Ref: https://github.com/juju/charm-helpers/blame/master/charmhelpers/contrib/peerstorage/__init__.py

Change-Id: Ia7362d257428b102c452d0e91bcf9b3378a1e6e9
Closes-bug: #1783747
2018-07-26 14:42:21 +02:00
Frode Nordahl
1e991dc28b
Add initial support for Fernet tokens
Starting OpenStack Rocky the currently used `uuid` token format
is no longer supported and we need to change to use `fernet` tokens.

This change provides basic functionality to initialize fernet token
repository and distribute keys to non-leader units.

A configuration option is also added allowing change of token format
in a controlled manner prior to upgrading to OpenStack Rocky.

Further work is required to implement key rotation, actions etc. and
these topics will be addressed in separate commits.

The commit also fixes an instance of missing release check for writing
of `policy.json`, and a few places where writing of `policy.json`
previously was omitted.

Change-Id: I1d0ff22a5f091b02f5700412745572c246103e9e
2018-07-25 15:23:47 +02:00
Frode Nordahl
17b24e7fde
Remove support for PKI tokens and legacy charm managed certificates
These features are disabled by default, and a majority of our
users provide certificates through configuration.

At present the cluster relation carries information required
for these features even when they are not enabled. This makes
processing of cluster relation changes unnecessarily heavy
and vulnerable to bugs.

Notice of deprecation and removal in next release was given
as part of the 18.05 release notes.

Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986
Closes-Bug: #1755897
Related-Bug: #1744990
2018-06-12 17:23:38 +02:00
Dmitrii Shcherbakov
6f3751cc96 add support for Federated IDentity (FID) and WebSSO
* add support for relating with subordinate charms providing Service
Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to
accept parsed assertion data provided via apache2 authentication module
variables exported to WSGI environment;
* move https frontend and WSGI API apache config files to keystone
instead of relying on charm-helpers as modifications are needed there to
add IncludeOptional directives. openstack_https_frontend.conf is added
on purpose as ServerName cannot be correctly determined after ProxyPass
which results in TLS errors during SAML exchange process;
* add an additional relation to openstack-dashboard to provide URL
information necessary to trust 'origin' parameter in WebSSO URLs used by
horizon during the authentication process. Also add a context to render
the federation section that is used to render this information in
keystone.conf;

Subordinates can choose to use different apache2 authentication modules.
If those modules support vhost-level variables then multiple
subordinates for the same module can be used. For example,
mod_auth_mellon can be used multiple times in different vhosts to
protect federated token endpoints related to different identity provider
and protocol combinations.

Trusted dashboard relation could be used to provide dashboard origin URL
from a different site via cross-model relations.

NOTE: this functionality will be triggered only on Ocata+ (inclusive)

Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
2018-05-11 21:09:47 +03:00
sfeole
a189c3da80 Don't ensure pki permissions for releases <= Pike
Openstack PKI token support was dropped in the Pike release.
The following update ensures that PKI token validation is
only run if the release is supported when the sync leader
broadcasts any service credentials to its peers.

In this case, if the release is <= pike, then we can sync
token certs and ensure the pki permissions are valid.
Otherwise this action will be skipped.

Closes-Bug: 1759403
Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67
2018-04-05 08:57:15 -04:00
James Page
bd29991439 Provide service domain id for v3 deployments
The glance swift store configuration requires use of the domain
id for the service domain; update data set for identity-service
relation to include service_domain_id.

Change-Id: Ie6e2733f34de10a4d34b18dbf1fd9ba623af0e18
Closes-Bug: 1752027
2018-02-27 12:46:01 +00:00
Zuul
2ba8a56a59 Merge "Remove deploy from source support" 2018-01-12 14:42:43 +00:00
James Page
e8f1fdd8a1 Remove deploy from source support
Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a
2018-01-12 10:42:25 +00:00
Zuul
1b1134ce1b Merge "Make usernames predictable for multi-endpoints" 2018-01-03 10:37:27 +00:00
Zuul
30f637bc55 Merge "Add OpenStack Queens support" 2018-01-03 10:34:15 +00:00
Liam Young
ee6db34c16 Make usernames predictable for multi-endpoints
When generating a username associated with multiple charms, the
username was derived from the keys of an unordered dict making the
username liable to change. This patch sorts the keys and makes the
username stable.

Change-Id: I0f857d7c2d5c4abf4843bc3fe1a9848164048fe2
Closes-Bug: #1739409
2017-12-22 10:05:55 +00:00
James Page
6b5bb0da1e Drop postgresql support
Remove postgresql DB support. This feature is untested as part
of the charms, is not in use and was deprecated as part of
the 1708 charms release.

Change-Id: Ia57a7358fd3567fe0250c45f3e00c07fa83f329c
2017-12-21 12:02:35 +00:00
James Page
1db0949c25 Add OpenStack Queens support
Keystone@Queens removes support for the v2 API; switch default
to v3 API from Queens onwards and ensure that charm users can
only provide 3 via the preferred-api-version for >= Queens.

Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b
2017-12-18 10:23:53 +00:00
Liam Young
4b00281bb4 Add memcache backend
Install and configure memcached on the keystone units and configure
keystone to use the cache. This should speed up token access for
existing tokens.

Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541
2017-10-17 11:10:48 +00:00
Zuul
effe368622 Merge "Add domain info to relation data" 2017-10-17 08:27:37 +00:00
Edward Hope-Morley
68a0c87235 Do relation consistency sweep on leader change
The current charm design is to perform a sweep of all units
related on the identity-service interface to ensure that
they have all the correct setting values applied. If the
leader unit is deleted and a new one is elected this will
not happen until some event e.g. config-changed occurs. This
can result in remote units malfunctioning since they think they
are not configured. We resolve this by always doing a sweep when
the leader-elected hook fires.

Also fixes infinite loop edge case when ssl-cert-master switches
as a result of leader switch.

Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
Closes-Bug: 1721269
2017-10-05 18:11:54 +01:00
David Ames
8da85834c2 Snap install OpenStack in Charms
Install OpenStack using snaps. By setting openstack-origin to
snap:track/channel or snap:track the charm will use snaps to
install rather than debs. If channel is left off it defaults to
stable. For example: snap:ocata/edge will install the edge version of
Ocata and snap:pike will install the stable version of Pike.

Charm helpers sync for snap related helpers.

Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
2017-09-28 17:34:11 +00:00
Xav Paice
cc54352d7a Add domain info to relation data
When using Keystone v3, the relation data set by
add_credentials_to_keystone now includes a 'domain'.

Change-Id: I2a4ff4d7c20d4f274479dfe0615dd00940e64d8b
Closes-Bug: 1719751
2017-09-27 12:30:12 +13:00
James Page
7fb7ff9063 Ensure os_release is reset during upgrades
Reset the os_release cache during the OpenStack upgrade process,
ensuring that any post dist-upgrade operations are made in the
context of the new OpenStack release, not the old one.

Change-Id: I3d3584dd8e97f85e16c38e1143f627b03fa63bd0
Closes-Bug: 1715624
2017-09-07 17:10:15 +01:00
Jenkins
b1527da9ee Merge "Dual Stack VIPs" 2017-08-11 23:47:42 +00:00
David Ames
1328ce5880 Dual Stack VIPs
Enable dual stack IPv4 and IPv6 VIPs on the same interface.
HAProxy always listens on both IPv4 and IPv6 allowing connectivity
on either protocol.

Update edge cases for is_ssl_cert_master for Bug #1709356.

Update amulet tests for keystoneauth1 tests.

charm-helpers sync for HAProxy template changes.

Closes-Bug: #1709356

Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1
2017-08-10 18:41:53 -07:00
Dmitrii Shcherbakov
e3fd7b2087 Add panko service to the supported services
Add Panko service to the supported services to support Panko charm
deployment.

Change-Id: Ief1829768bfd9db20923d5684ce621095832e3db
2017-08-01 19:32:20 +03:00
James Page
1b395d09b2 Add gnocchi service to supported types
Add gnocchi service to catalog of supported service types
to support gnocchi charm deployment.

Change-Id: I9946374ed42eeb3b580d4b66fc00d16b72da12eb
2017-07-06 11:11:00 +01:00
James Page
d36af55484 Updates for pike b1
Resync charmhelpers for pike version support.

Add pike tests but leave disabled until all charms support pike.

Add support for volumev3 service type for Cinder.

Skip execution of PKI setup for >= pike as it's been dropped from
keystone.

Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d
2017-05-12 07:42:58 +02:00
Alex Kavanagh
b8b5acd44d Fix alphanumeric comparisons for openstack and ubuntu releases
- sync charmhelpers with fix-alpha helpers
- fix up code where the alpha comparisons are done
- fix tests which assumed mocks would just work on os_release()

Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e
Related-Bug: #1659575
2017-04-27 10:02:28 +01:00
Dmitrii Shcherbakov
e674c9f129 keystone: Add Contrail endpoints to keystone_utils.py
This is needed for Contrail 3.2

Change-Id: Id27d3b21a31a03d285d33986e8653fbd772d1e39
2017-04-13 20:34:15 +03:00
Edward Hope-Morley
b0b273c675 Fix premature identity-relation poll breakage
It is possible for the keystone charm to poll identity-relation
before their remote unit has set values. This patch fixes a
corner case that causes a hook exception under this
circumstance.

Change-Id: I3339870b87adcd712a341ae5074b4af1e924f64a
Closes-Bug: 1674786
2017-03-22 15:33:37 +00:00
David Ames
3cfc297f44 Cleanup unused apache site configurations
When the keystone charm is upgraded the apache mod_wsgi
configuration file name has changed. With duplicate configuration
files apache fails to start up. Generalize the function
disable_unused_apache_sites to handle any sites we may need cleaned
up now or in the future.

Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8
Closes-bug: #1665044
2017-02-15 14:07:25 -08:00
Corey Bryant
6ae00abe26 Add nova-placement to valid services
Change-Id: I9f4952e222138bcb5f23c0c40cfce5deb07bf61a
2017-02-08 22:47:41 +00:00
Dmitrii Shcherbakov
920796050d keystone_utils: add zaqar to valid_services
The lack of zaqar in the valid_services dict leads to an error if
it tries to establish a relationship with keystone.

Change-Id: I8dcf14c103bf4d8a70d2f580e7743f3374f4327b
2017-02-01 14:18:07 +03:00
James Page
795ebdeb19 Enable domain specific drivers
Enable support for domain specific drivers, managed via
configuration files (instead of directly using the API and
database).

Using multiple domains means that calls to users.list must
be scoped to a specific domain; ensure that v3 calls to this
method are appropriately scoped.

Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
Partial-Bug: 1645803
2017-01-30 09:53:37 +00:00
zhangyanxian
1ae8143502 Fix typo in keystone_utils.py
TrivialFix

Change-Id: I377cf8f07e5acf9247182924519f9e3b16aa33d7
2017-01-20 06:02:21 +00:00
Corey Bryant
b4ccea72a0 Use common WSGI code from charm-helpers
The WSGI template and context code has been moved to charm-helpers.
This change updates the charm to use the common code from charm-helpers.

Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716
2017-01-18 14:33:38 -05:00
Jenkins
f59fb19eab Merge "Update identity-admin relation to support v3" 2017-01-17 15:55:37 +00:00
Liam Young
9fd19ae2c3 Update identity-admin relation to support v3
Update the identity admin relation to support passing the api-version
keystone is using and the extra credential information needed for
authenticating a v3 client.

Change-Id: Ied2d8641096fa5ccf90878d8d7fca81835d844c3
2017-01-16 14:11:26 +00:00