Retire openstack-chef: remove repo content

OpenStack-chef project is retiring
- https://review.opendev.org/c/openstack/governance/+/905279

This commit removes the content of this project repo.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/909134
Change-Id: Ida0639315944c8c7852ec37fb10f133e8ab9c455
Ghanshyam Mann 2024-02-15 14:17:05 -08:00
parent f052ede42b
commit 44d13c8c64
31 changed files with 8 additions and 2329 deletions

@ -1,9 +0,0 @@
[local_phases]
unit = 'rspec spec/'
lint = 'cookstyle --display-cop-names --extra-details'
syntax = "berks install -e integration"
provision = "echo skipping"
deploy = "echo skipping"
smoke = "echo skipping"
functional = "echo skipping"
cleanup = "echo skipping"

.gitignore

@ -1,9 +0,0 @@
.bundle/
berks-cookbooks/
.kitchen/
.vagrant/
.coverage/
*.swp
Berksfile.lock
Gemfile.lock
Vagrantfile

@ -1,4 +0,0 @@
Chef/Modernize/FoodcriticComments:
Enabled: true
Chef/Style/CopyrightCommentFormat:
Enabled: true

@ -1,3 +0,0 @@
- project:
templates:
- openstack-chef-jobs

@ -1,22 +0,0 @@
source 'https://supermarket.chef.io'
solver :ruby, :required
metadata
[
%w(client dep),
%w(-common dep),
%w(-dns integration),
%w(-image integration),
%w(-integration-test integration),
%w(-network integration),
%w(-ops-database integration),
%w(-ops-messaging integration),
].each do |cookbook, group|
if Dir.exist?("../cookbook-openstack#{cookbook}")
cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}", group: group
else
cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}", group: group
end
end
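Review bot: The `git:` fallback in the `else` branch of this removed Berksfile pulls each sibling cookbook from opendev.org with no `ref:`, `branch:` or `tag:`, and `Berksfile.lock` is listed in the deleted .gitignore, so nothing visible here records which revisions were last resolved together. If the sibling cookbook-openstack-* repositories are retired the same way, an unpinned fetch will return an emptied tree. Consider recording the last known-good revisions in the commit message or the retirement README for anyone who restores the parent commit.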

@ -1,36 +0,0 @@
Contributing
============
How To Get Started
------------------
If you would like to contribute to the development of OpenStack Chef Cookbooks,
you must follow the steps in this page:
http://docs.openstack.org/infra/manual/developers.html
Gerrit Workflow
---------------
Once those steps have been completed, changes to OpenStack
should be submitted for review via the Gerrit tool, following
the workflow documented at:
http://docs.openstack.org/infra/manual/developers.html#development-workflow
Pull requests submitted through GitHub will be ignored.
Bugs
----
Bugs should be filed on Launchpad, not GitHub:
https://bugs.launchpad.net/openstack-chef
Contacts
--------
Mailing list: groups.google.com/group/opscode-chef-openstack
IRC: #openstack-chef is our channel on irc.oftc.net
Wiki: https://wiki.openstack.org/wiki/Chef/GettingStarted and https://docs.getchef.com/openstack.html
Twitter: @chefopenstack

LICENSE

@ -1,176 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

@ -1,169 +1,10 @@
OpenStack Chef Cookbook - identity
==================================
This project is no longer maintained.
.. image:: https://governance.openstack.org/badges/cookbook-openstack-identity.svg
:target: https://governance.openstack.org/reference/tags/index.html
The contents of this repository are still available in the Git
source code management system. To see the contents of this
repository before it reached its end of life, please check out the
previous commit with "git checkout HEAD^1".
Description
===========
This cookbook installs the OpenStack Identity Service **Keystone** as
part of the OpenStack reference deployment Chef for OpenStack. The
`OpenStack chef-repo`_ contains documentation for using this cookbook in
the context of a full OpenStack deployment. Keystone is installed from
packages, creating the default user, tenant, and roles. It also
registers the identity service and identity endpoint.
.. _OpenStack chef-repo: https://opendev.org/openstack/openstack-chef
https://docs.openstack.org/keystone/latest/
Requirements
============
- Chef 16 or higher
- Chef Workstation 21.10.640 for testing (also includes Berkshelf for
cookbook dependency resolution)
Platform
========
- ubuntu
- redhat
- centos
Cookbooks
=========
The following cookbooks are dependencies:
- 'apache2', '~> 8.6'
- 'openstack-common', '>= 20.0.0'
- 'openstackclient'
Attributes
==========
Please see the extensive inline documentation in ``attributes/*.rb`` for
descriptions of all the settable attributes for this cookbook.
Note that all attributes are in the ``default['openstack']`` "namespace"
The usage of attributes to generate the ``keystone.conf`` is described
in the openstack-common cookbook.
Recipes
=======
openstack-identity::cloud_config
--------------------------------
- Manage the cloud config file located at ``/root/clouds.yaml``
openstack-identity::_credential_tokens
--------------------------------------
- Helper recipe to manage credential keys.
If you prefer, you can manually create the keys by doing the following:
.. code-block:: console
$ keystone-manage credential_setup \
--keystone-user keystone --keystone-group keystone
This should create a directory ``/etc/keystone/credential-keys`` with
the keys residing in it.
openstack-identity::_fernet_tokens
----------------------------------
- Helper recipe to manage fernet tokens
openstack-identity::openrc
--------------------------
- Creates a fully usable openrc file to export the needed environment
variables to use the openstack client.
openstack-identity::registration
--------------------------------
- Registers the initial keystone endpoint as well as users, tenants and
roles needed for the initial configuration utilizing the custom
resource provided in the openstackclient cookbook. The recipe is
documented in detail with inline comments inside the recipe.
openstack-identity::server-apache
---------------------------------
- Installs and configures the OpenStack Identity Service running inside
of an apache webserver. The recipe is documented in detail with inline
comments inside the recipe.
License and Author
==================
+------------+-------------------------------------------------+
| **Author** | Justin Shepherd (justin.shepherd@rackspace.com) |
+------------+-------------------------------------------------+
| **Author** | Jason Cannavale (jason.cannavale@rackspace.com) |
+------------+-------------------------------------------------+
| **Author** | Ron Pedde (ron.pedde@rackspace.com) |
+------------+-------------------------------------------------+
| **Author** | Joseph Breu (joseph.breu@rackspace.com) |
+------------+-------------------------------------------------+
| **Author** | William Kelly (william.kelly@rackspace.com) |
+------------+-------------------------------------------------+
| **Author** | Darren Birkett (darren.birkett@rackspace.co.uk) |
+------------+-------------------------------------------------+
| **Author** | Evan Callicoat (evan.callicoat@rackspace.com) |
+------------+-------------------------------------------------+
| **Author** | Matt Ray (matt@opscode.com) |
+------------+-------------------------------------------------+
| **Author** | Jay Pipes (jaypipes@att.com) |
+------------+-------------------------------------------------+
| **Author** | John Dewey (jdewey@att.com) |
+------------+-------------------------------------------------+
| **Author** | Sean Gallagher (sean.gallagher@att.com) |
+------------+-------------------------------------------------+
| **Author** | Ionut Artarisi (iartarisi@suse.cz) |
+------------+-------------------------------------------------+
| **Author** | Chen Zhiwei (zhiwchen@cn.ibm.com) |
+------------+-------------------------------------------------+
| **Author** | Eric Zhou (zyouzhou@cn.ibm.com) |
+------------+-------------------------------------------------+
| **Author** | Jan Klare (j.klare@cloudbau.de) |
+------------+-------------------------------------------------+
| **Author** | Christoph Albers (c.albers@x-ion.de) |
+------------+-------------------------------------------------+
| **Author** | Lance Albertson (lance@osuosl.org) |
+------------+-------------------------------------------------+
+---------------+----------------------------------------------+
| **Copyright** | Copyright 2012, Rackspace US, Inc. |
+---------------+----------------------------------------------+
| **Copyright** | Copyright 2012-2013, Opscode, Inc. |
+---------------+----------------------------------------------+
| **Copyright** | Copyright 2012-2013, AT&T Services, Inc. |
+---------------+----------------------------------------------+
| **Copyright** | Copyright 2013-2014, SUSE Linux |
+---------------+----------------------------------------------+
| **Copyright** | GmbH Copyright 2013-2014, IBM, Corp. |
+---------------+----------------------------------------------+
| **Copyright** | Copyright 2016-2021, Oregon State University |
+---------------+----------------------------------------------+
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
::
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
For any further questions, please email
openstack-discuss@lists.openstack.org or join #openstack-dev on
OFTC.
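Review bot: In the replacement README text, "git checkout HEAD^1" only reaches the last populated tree while this retirement commit is the branch tip; any later commit on the branch makes the instruction point at an empty repository. Suggest naming the parent commit explicitly (f052ede42b on this page) alongside the relative reference. It would also help consumers who still pin openstack-identity 20.0.0 if the text said outright that the cookbook no longer receives fixes, security fixes included.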

@ -1,39 +0,0 @@
task default: ['test']
task test: [:syntax, :lint, :unit]
desc 'Vendor the cookbooks in the Berksfile'
task :berks_prep do
sh %(chef exec berks vendor)
end
desc 'Run FoodCritic (syntax) tests'
task :syntax do
sh %(chef exec foodcritic --exclude spec -f any .)
end
desc 'Run RuboCop (lint) tests'
task :lint do
sh %(chef exec cookstyle)
end
desc 'Run RSpec (unit) tests'
task unit: :berks_prep do
sh %(chef exec rspec --format documentation)
end
desc 'Remove the berks-cookbooks directory and the Berksfile.lock'
task :clean do
rm_rf [
'berks-cookbooks',
'Berksfile.lock',
]
end
desc 'All-in-One Neutron build Infra using Common task'
task :integration do
# Use the common integration task
sh %(wget -nv -t 3 -O Rakefile-Common https://opendev.org/openstack/cookbook-openstack-common/raw/branch/master/Rakefile)
load './Rakefile-Common'
Rake::Task['common_integration'].invoke
end
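Review bot: The `integration` task removed at the end of this Rakefile fetched Rakefile-Common from `raw/branch/master` with wget and passed it straight to `load`, so whatever that branch held at run time executed inside the rake process with no pinned revision and no checksum. Removing it is fine, but because the new README directs readers back to the parent commit, it is worth stating there that restoring the tree restores this unpinned fetch, and that the file should be vendored or pinned to a commit before the task is run again.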

@ -1,30 +0,0 @@
# Testing the Cookbook #
This cookbook uses [chefdk](https://downloads.chef.io/chef-dk/) and [berkshelf](http://berkshelf.com/) to isolate dependencies. Make sure you have chefdk and the header files for `gecode` installed before continuing. Make sure that you're using gecode version 3. More info [here](https://github.com/opscode/dep-selector-libgecode/tree/0bad63fea305ede624c58506423ced697dd2545e#using-a-system-gecode-instead). For more detailed information on what needs to be installed, you can have a quick look into the bootstrap.sh file in this repository, which does install all the needed things to get going on ubuntu trusty. The tests defined in the Rakefile include lint, style and unit. For integration testing please refere to the [openstack-chef-repo](https://github.com/openstack/openstack-chef-repo).
We have three test suites which you can run either, individually (there are three rake tasks):
$ chef exec rake lint
$ chef exec rake style
$ chef exec rake unit
or altogether:
$ chef exec rake
The `rake` tasks will take care of installing the needed cookbooks with `berkshelf`.
## Rubocop ##
[Rubocop](https://github.com/bbatsov/rubocop) is a static Ruby code analyzer, based on the community [Ruby style guide](https://github.com/bbatsov/ruby-style-guide). We are attempting to adhere to this where applicable, slowly cleaning up the cookbooks until we can turn on Rubocop for gating the commits.
## Foodcritic ##
[Foodcritic](http://acrmp.github.io/foodcritic/) is a lint tool for Chef cookbooks. We ignore the following rules:
* [FC003](http://acrmp.github.io/foodcritic/#FC003) These cookbooks are not intended for Chef Solo.
* [FC023](http://acrmp.github.io/foodcritic/#FC023) Prefer conditional attributes.
## Chefspec
[ChefSpec](https://github.com/sethvargo/chefspec) is a unit testing framework for testing Chef cookbooks. ChefSpec makes it easy to write examples and get fast feedback on cookbook changes without the need for virtual machines or cloud servers.

@ -1,214 +0,0 @@
#
# Cookbook:: openstack-identity
# Recipe:: default
#
# Copyright:: 2012-2021, AT&T Services, Inc.
# Copyright:: 2013-2021, Chef Software, Inc.
# Copyright:: 2013-2021, IBM Corp.
# Copyright:: 2017-2021, x-ion GmbH
# Copyright:: 2018-2021, Workday, Inc.
# Copyright:: 2019-2021, x-ion GmbH
# Copyright:: 2016-2021, Oregon State University
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default['openstack']['identity']['custom_template_banner'] = '
# This file is automatically generated by Chef
# Any changes will be overwritten
'
%w(internal public).each do |ep_type|
# host for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
# scheme for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
# port for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['port'] = 5000
# path for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
end
# address for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
# port for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['port'] = 5000
# identity service token backend for user and service tokens
default['openstack']['identity']['token']['backend'] = 'sql'
# Specify a location to retrieve keystone-paste.ini from
# which can either be a remote url using http:// or a
# local path to a file using file:// which would generally
# be a distribution file - if this option is left nil then
# the templated version distributed with this cookbook
# will be used (keystone-paste.ini.erb)
default['openstack']['identity']['pastefile_url'] = nil
# This specifies the pipeline of the keystone V3 API,
# all Identity V3 API requests will be processed by the order of the pipeline.
# this value will be used in the templated version of keystone-paste.ini
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'
# region to be used for endpoint registration
default['openstack']['identity']['region'] = node['openstack']['region']
# enable or disable the usage of syslog
default['openstack']['identity']['syslog']['use'] = false
# syslog log facility to log to in case syslog is used
default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2'
# syslog config facility in case syslog is used
default['openstack']['identity']['syslog']['config_facility'] = 'local2'
# endpoint type to be used for creating resources
default['openstack']['identity']['endpoint_type'] = 'internalURL'
# user to be created and used for identity service
default['openstack']['identity']['admin_user'] = 'admin'
# project to be created and used for identity service
default['openstack']['identity']['admin_project'] = 'admin'
# domain to be created and used for identity service project
default['openstack']['identity']['admin_project_domain'] = 'default'
# role to be created and used for identity service
default['openstack']['identity']['admin_role'] = 'admin'
# domain to be created and used for identity service user
default['openstack']['identity']['admin_domain_name'] = 'default'
# specify whether to enable SSL for Keystone API endpoint
default['openstack']['identity']['ssl']['enabled'] = false
# specify server whether to enforce client certificate requirement
default['openstack']['identity']['ssl']['cert_required'] = false
# SSL certificate, keyfile and CA certficate file locations
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
# Protocol for SSL (Apache)
default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
# Which ciphers to use with the SSL/TLS protocol (Apache)
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
default['openstack']['identity']['ssl']['ciphers'] = nil
# path of the cert file for SSL.
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
# path of the keyfile for SSL.
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
default['openstack']['identity']['ssl']['chainfile'] = nil
# path of the CA cert file for SSL.
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
# path of the CA cert files for SSL (Apache)
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
# (optional) path to certificate-revocation lists (Apache)
default['openstack']['identity']['ssl']['ca_revocation_path'] = nil
# Fernet keys to read from databags/vaults. This should be changed in the
# environment when rotating keys (with the defaults below, the items
# 'fernet_key0' and 'fernet_key1' will be read from the databag/vault
# 'keystone).
# For more information please read:
# https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html
default['openstack']['identity']['fernet']['keys'] = [0, 1]
default['openstack']['identity']['conf']['fernet_tokens']['key_repository'] =
'/etc/keystone/fernet-tokens'
# Credential keys to read from databags/vaults. This should be changed in the
# environment when rotating keys (with the defaults below, the items
# 'credential_key0' and 'credential_key1' will be read from the databag/vault
# 'keystone).
# For more information please read:
# https://docs.openstack.org/keystone/queens/admin/identity-credential-encryption.html
default['openstack']['identity']['credential']['keys'] = [0, 1]
default['openstack']['identity']['conf']['credential']['key_repository'] =
'/etc/keystone/credential-tokens'
# configuration directory for keystone domain specific options
default['openstack']['identity']['domain_config_dir'] = '/etc/keystone/domains'
# keystone service user name
default['openstack']['identity']['user'] = 'keystone'
# keystone service user group
default['openstack']['identity']['group'] = 'keystone'
# platform defaults
case node['platform_family']
when 'rhel'
# platform specific package and service name options
case node['platform_version'].to_i
when 8
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python3-memcached'],
# TODO(ramereth): python3-urllib3 is here to workaround an issue if
# it's already been installed from the base repository which is
# incompatible with what's shipped with RDO. This should be removed
# once fixed upstream.
'keystone_packages' =>
%w(
openstack-keystone
openstack-selinux
python3-urllib3
),
'keystone_apache2_site' => 'keystone', # currently unused on RHEL
'keystone_service' => 'openstack-keystone',
'keystone_process_name' => 'keystone-all',
'package_options' => '',
}
when 7
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python-memcached'],
# TODO(ramereth): python2-urllib3 is here to workaround an issue if
# it's already been installed from the base repository which is
# incompatible with what's shipped with RDO. This should be removed
# once fixed upstream.
'keystone_packages' =>
%w(
openstack-keystone
openstack-selinux
python2-urllib3
),
'keystone_apache2_site' => 'keystone', # currently unused on RHEL
'keystone_service' => 'openstack-keystone',
'keystone_process_name' => 'keystone-all',
'package_options' => '',
}
end
when 'debian'
# platform specific package and service name options
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python3-memcache'],
'keystone_packages' =>
%w(
keystone
python3-keystone
),
'keystone_apache2_site' => platform?('ubuntu') ? 'keystone' : 'wsgi-keystone',
'keystone_service' => 'keystone',
'keystone_process_name' => 'keystone-all',
'package_overrides' => '',
}
end
# array of bare options for openrc (e.g. 'option=value')
default['openstack']['misc_openrc'] = nil
%w(openrc cloud_config).each do |file_type|
default['openstack']['identity'][file_type]['path'] = '/root'
default['openstack']['identity'][file_type]['path_mode'] = '0700'
default['openstack']['identity'][file_type]['file_mode'] = '0600'
default['openstack']['identity'][file_type]['user'] = 'root'
default['openstack']['identity'][file_type]['group'] = 'root'
end
# openrc file name
default['openstack']['identity']['openrc']['file'] = 'openrc'
# cloud_config file name
default['openstack']['identity']['cloud_config']['file'] = 'clouds.yaml'
# cloud_config cloud name
default['openstack']['identity']['cloud_config']['cloud_name'] = 'default'
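Review bot: The endpoint and SSL defaults deleted in this file leave Keystone on plain HTTP (`['identity']['scheme'] = 'http'`, `['ssl']['enabled'] = false`), and the `['ssl']['protocol']` value 'All -SSLv2 -SSLv3' still admits TLS 1.0 and 1.1 once SSL is switched on. Since the retirement README points readers at the previous commit, suggest a sentence there saying these attribute defaults are frozen as of that commit and that the scheme, protocol and cipher settings need to be overridden by anyone who deploys from it.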

@ -1,27 +0,0 @@
# options to add to the keystone.conf as secrets (will not be saved in node
# attribute)
default['openstack']['identity']['conf_secrets'] = {}
default['openstack']['identity']['conf'].tap do |conf|
# [DEFAULT]
if node['openstack']['identity']['syslog']['use']
# [DEFAULT] option in keystone.conf to read additional logging.conf
conf['DEFAULT']['log_config_append'] = '/etc/openstack/logging.conf'
else
# [DEFAULT] option in keystone.conf to set keystone log dir
conf['DEFAULT']['log_dir'] = '/var/log/keystone'
end
if node['openstack']['identity']['notification_driver'] == 'messaging'
# [DEFAULT] option in keystone.conf to define mq notification topics
conf['DEFAULT']['notification_topics'] = 'notifications'
end
# [assignment] option in keystone.conf to set driver
conf['assignment']['driver'] = 'sql'
# [cache] option in keystone.conf to set oslo backend
conf['cache']['enabled'] = true
conf['cache']['backend'] = 'oslo_cache.memcache_pool'
# [policy] option in keystone.conf to set policy backend driver
conf['policy']['driver'] = 'sql'
end

View File

@ -1,18 +0,0 @@
name 'openstack-identity'
maintainer 'openstack-chef'
maintainer_email 'openstack-discuss@lists.openstack.org'
license 'Apache-2.0'
description 'The OpenStack Identity service Keystone.'
version '20.0.0'
%w(ubuntu redhat centos).each do |os|
supports os
end
depends 'apache2', '~> 8.6'
depends 'openstackclient'
depends 'openstack-common', '>= 20.0.0'
issues_url 'https://launchpad.net/openstack-chef'
source_url 'https://opendev.org/openstack/cookbook-openstack-identity'
chef_version '>= 16.0'
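
Review bot: depends 'openstackclient' carries no version constraint, unlike apache2 ('~> 8.6') and openstack-common ('>= 20.0.0'), so dependency resolution can pull any published version of that cookbook. Pin it to a tested range.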

View File

@ -1,47 +0,0 @@
#
# Cookbook:: openstack-identity
# Recipe:: _credential_tokens
#
# Copyright:: 2020-2021, Oregon State University
#
# Licensed under the Apache License, Version 2.0 (the 'License');
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an 'AS IS' BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe is automatically included in openstack-identity::service-apache.
# It will add the needed configuration options to the keystone.conf and create
# the needed credential keys from predefined secrets (e.g. encrypted data
# bags or vaults).
class ::Chef::Recipe
include ::Openstack
end
key_repository = node['openstack']['identity']['conf']['credential']['key_repository']
keystone_user = node['openstack']['identity']['user']
keystone_group = node['openstack']['identity']['group']
directory key_repository do
owner keystone_user
group keystone_group
mode '700'
end
node['openstack']['identity']['credential']['keys'].each do |key_index|
key = secret(node['openstack']['secret']['secrets_data_bag'], "credential_key#{key_index}")
file File.join(key_repository, key_index.to_s) do
content key
owner keystone_user
group keystone_group
mode '400'
sensitive true
end
end
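
Review bot: the header comment says this recipe is included by openstack-identity::service-apache, but the include_recipe call sits in the recipe named server-apache elsewhere in this change. Correct the name, and document the data bag item naming (credential_key followed by the index) that the secret lookup depends on, since the recipe gives a reader no other pointer to it.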

View File

@ -1,51 +0,0 @@
#
# Cookbook:: openstack-identity
# Recipe:: _fernet_tokens
#
# Copyright:: 2020-2021, Oregon State University
#
# Licensed under the Apache License, Version 2.0 (the 'License');
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an 'AS IS' BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe is automatically included in openstack-identity::service-apache.
# It will add the needed configuration options to the keystone.conf and create
# the needed fernet keys from predefined secrets (e.g. encrypted data bags or vaults).
class ::Chef::Recipe
include ::Openstack
end
key_repository = node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
keystone_user = node['openstack']['identity']['user']
keystone_group = node['openstack']['identity']['group']
directory key_repository do
owner keystone_user
group keystone_group
mode '700'
end
node['openstack']['identity']['fernet']['keys'].each do |key_index|
key = secret(node['openstack']['secret']['secrets_data_bag'], "fernet_key#{key_index}")
file File.join(key_repository, key_index.to_s) do
content key
owner keystone_user
group keystone_group
mode '400'
sensitive true
end
end
execute 'keystone-manage fernet_setup' do
command "keystone-manage fernet_setup --keystone-user #{keystone_user} --keystone-group #{keystone_group}"
creates '/etc/keystone/fernet-keys'
end
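
Review bot: the creates guard on the final execute is hard-coded to /etc/keystone/fernet-keys, while the key files above are written under key_repository, which the server-apache spec in this change shows as /etc/keystone/fernet-tokens. If the guard path never exists, keystone-manage fernet_setup runs on every converge against a repository whose keys were just laid down from the data bag; point the guard at a path inside key_repository so the two stay in step.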

View File

@ -1,60 +0,0 @@
#
# Cookbook:: openstack-identity
# recipe:: cloud_config
#
# Copyright:: 2019-2021, x-ion GmbH
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe creates a fully usable cloud config file to be used directly
# by the openstack client or sdk.
class ::Chef::Recipe
include ::Openstack
end
ksadmin_project = node['openstack']['identity']['admin_project']
project_domain_name = node['openstack']['identity']['admin_project_domain']
ksadmin_user = node['openstack']['identity']['admin_user']
admin_domain_name = node['openstack']['identity']['admin_domain_name']
ksadmin_pass = get_password 'user', ksadmin_user
identity_endpoint = public_endpoint 'identity'
auth_url = identity_endpoint.to_s
cloud_config = node['openstack']['identity']['cloud_config']
directory cloud_config['path'] do
owner cloud_config['user']
group cloud_config['group']
mode cloud_config['path_mode']
recursive true
end
template "#{cloud_config['path']}/#{cloud_config['file']}" do
source 'cloud_config.erb'
owner cloud_config['user']
group cloud_config['group']
mode cloud_config['file_mode']
sensitive true
variables(
cloud_name: cloud_config['cloud_name'],
user: ksadmin_user,
user_domain_name: admin_domain_name,
project: ksadmin_project,
project_domain_name: project_domain_name,
password: ksadmin_pass,
identity_endpoint: auth_url
)
end

View File

@ -1,59 +0,0 @@
#
# Cookbook:: openstack-identity
# recipe:: openrc
#
# Copyright:: 2014-2021, IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe create a fully usable openrc file to export the needed environment
# variables to use the openstack client.
class ::Chef::Recipe
include ::Openstack
end
ksadmin_project = node['openstack']['identity']['admin_project']
project_domain_name = node['openstack']['identity']['admin_project_domain']
ksadmin_user = node['openstack']['identity']['admin_user']
admin_domain_name = node['openstack']['identity']['admin_domain_name']
ksadmin_pass = get_password 'user', ksadmin_user
identity_endpoint = public_endpoint 'identity'
auth_url = identity_endpoint.to_s
openrc_config = node['openstack']['identity']['openrc']
directory openrc_config['path'] do
owner openrc_config['user']
group openrc_config['group']
mode openrc_config['path_mode']
recursive true
end
template "#{openrc_config['path']}/#{openrc_config['file']}" do
source 'openrc.erb'
owner openrc_config['user']
group openrc_config['group']
mode openrc_config['file_mode']
sensitive true
variables(
user: ksadmin_user,
user_domain_name: admin_domain_name,
project: ksadmin_project,
project_domain_name: project_domain_name,
password: ksadmin_pass,
identity_endpoint: auth_url
)
end

View File

@ -1,83 +0,0 @@
#
# Cookbook:: openstack-identity
# Recipe:: setup
#
# Copyright:: 2012-2021, Rackspace US, Inc.
# Copyright:: 2012-2021, Chef Software, Inc.
# Copyright:: 2020-2021, Oregon State University
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe registers the initial keystone endpoint as well as users, tenants
# and roles needed for the initial configuration utilizing the LWRP provided
# inside of this cookbook. The recipe is documented in detail with inline
# comments inside the recipe.
require 'chef/mixin/shell_out'
class ::Chef::Recipe
include ::Openstack
end
identity_endpoint = public_endpoint 'identity'
identity_internal_endpoint = internal_endpoint 'identity'
auth_url = identity_internal_endpoint.to_s
# define the credentials to use for the initial admin user
admin_project = node['openstack']['identity']['admin_project']
admin_user = node['openstack']['identity']['admin_user']
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
admin_domain = node['openstack']['identity']['admin_domain_name']
# endpoint type to use when creating resources
# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for
# Identity operations, so we need to override this after we dropped that one
# TODO(ramereth): commenting this out until
# https://github.com/fog/fog-openstack/pull/494 gets merged and released.
# endpoint_type = node['openstack']['identity']['endpoint_type']
connection_params = {
openstack_auth_url: auth_url,
openstack_username: admin_user,
openstack_api_key: admin_pass,
openstack_project_name: admin_project,
openstack_domain_id: admin_domain,
# openstack_endpoint_type: endpoint_type,
}
ruby_block 'wait for identity endpoint' do
block do
begin
Timeout.timeout(60) do
until Net::HTTP.get_response(URI(auth_url)).message == 'OK'
Chef::Log.info 'waiting for identity endpoint to be up...'
sleep 1
end
end
rescue Timeout::Error
raise 'Waited 60 seconds for identity endpoint to become ready'\
' and will not wait any longer'
end
end
end
# create default service role
openstack_role 'service' do
connection_params connection_params
end
node.default['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
node.default['openstack']['identity']['publicURL'] = identity_endpoint.to_s
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
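
Review bot: in the 'wait for identity endpoint' block, Net::HTTP.get_response raises (for example Errno::ECONNREFUSED) while the endpoint is still down, and only Timeout::Error is rescued, so the run fails on the first refused connection instead of retrying for 60 seconds. Rescue connection errors inside the until loop and treat them as "not ready". The file also requires chef/mixin/shell_out, which nothing here uses, but not net/http or timeout, which it does use.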

View File

@ -1,261 +0,0 @@
#
# Cookbook:: openstack-identity
# Recipe:: server-apache
#
# Copyright:: 2015-2021, IBM Corp. Inc.
# Copyright:: 2016-2021, Oregon State University
#
# Licensed under the Apache License, Version 2.0 (the 'License');
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an 'AS IS' BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe installs and configures the OpenStack Identity Service running
# inside of an apache webserver. The recipe is documented in detail with inline
# comments inside the recipe.
# load the methods defined in cookbook-openstack-common libraries
class ::Chef::Recipe
include ::Openstack
include Apache2::Cookbook::Helpers
end
# include the logging recipe from openstack-common if syslog usage is enbaled
if node['openstack']['identity']['syslog']['use']
include_recipe 'openstack-common::logging'
end
platform_options = node['openstack']['identity']['platform']
identity_internal_endpoint = internal_endpoint 'identity'
identity_endpoint = public_endpoint 'identity'
# define the address where the keystone public endpoint will be reachable
ie = identity_endpoint
# define the keystone public endpoint full path
api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
# define the credentials to use for the initial admin user
admin_project = node['openstack']['identity']['admin_project']
admin_user = node['openstack']['identity']['admin_user']
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
admin_role = node['openstack']['identity']['admin_role']
region = node['openstack']['identity']['region']
keystone_user = node['openstack']['identity']['user']
keystone_group = node['openstack']['identity']['group']
# install the database python adapter packages for the selected database
# service_type
db_type = node['openstack']['db']['identity']['service_type']
unless db_type == 'sqlite'
node['openstack']['db']['python_packages'][db_type].each do |pkg|
package "identity cookbook package #{pkg}" do
package_name pkg
options platform_options['package_options']
action :upgrade
end
end
end
# install the python memcache adapter packages
platform_options['memcache_python_packages'].each do |pkg|
package "identity cookbook package #{pkg}" do
package_name pkg
options platform_options['package_options']
action :upgrade
end
end
# install the keystone packages
platform_options['keystone_packages'].each do |pkg|
package "identity cookbook package #{pkg}" do
package_name pkg
options platform_options['package_options']
action :upgrade
end
end
# stop and disable the service keystone itself, since it should be run inside
# of apache
service 'keystone' do
service_name platform_options['keystone_service']
action [:stop, :disable]
end
# disable default keystone config file from UCA package
apache2_site platform_options['keystone_apache2_site'] do
action :disable
only_if { platform_family?('debian') }
end
# create the keystone config directory and set correct permissions
directory '/etc/keystone' do
owner keystone_user
group keystone_group
mode '700'
end
# create keystone domain config dir if needed
directory node['openstack']['identity']['domain_config_dir'] do
owner keystone_user
group keystone_group
mode '700'
only_if { node['openstack']['identity']['domain_specific_drivers_enabled'] }
end
# delete the keystone.db sqlite file if another db backend is used
file '/var/lib/keystone/keystone.db' do
action :delete
not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
end
# include the recipes to setup tokens
include_recipe 'openstack-identity::_fernet_tokens'
include_recipe 'openstack-identity::_credential_tokens'
# define the address to bind the keystone apache public service to
bind_service = node['openstack']['bind_service']['public']['identity']
bind_address = bind_address bind_service
# set the keystone database credentials
db_user = node['openstack']['db']['identity']['username']
db_pass = get_password 'db', 'keystone'
node.default['openstack']['identity']['conf_secrets']
.[]('database')['connection'] =
db_uri('identity', db_user, db_pass)
# search for memcache servers using the method from cookbook-openstack-common
memcache_servers = memcached_servers.join ','
# If a keystone-paste.ini is specified use it.
# TODO(jh): Starting with Rocky keystone-paste.ini is no longer being used
# and this block can be removed
if node['openstack']['identity']['pastefile_url']
remote_file '/etc/keystone/keystone-paste.ini' do
action :create_if_missing
source node['openstack']['identity']['pastefile_url']
owner keystone_user
group keystone_group
mode '644'
end
else
template '/etc/keystone/keystone-paste.ini' do
source 'keystone-paste.ini.erb'
owner keystone_user
group keystone_group
mode '644'
end
end
# set keystone config parameter for rabbitmq if rabbit is the rpc_backend
if node['openstack']['mq']['service_type'] == 'rabbit'
node.default['openstack']['identity']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'identity'
end
# set keystone config parameters for endpoints, memcache
node.default['openstack']['identity']['conf'].tap do |conf|
conf['DEFAULT']['public_endpoint'] = api_endpoint
conf['memcache']['servers'] = memcache_servers if memcache_servers
end
# merge all config options and secrets to be used in the keystone.conf.erb
keystone_conf_options = merge_config_options 'identity'
# create the keystone.conf from attributes
template '/etc/keystone/keystone.conf' do
source 'openstack-service.conf.erb'
cookbook 'openstack-common'
owner keystone_user
group keystone_group
mode '640'
sensitive true
variables(
service_config: keystone_conf_options
)
notifies :restart, 'service[apache2]'
end
# delete all secrets saved in the attribute
# node['openstack']['identity']['conf_secrets'] after creating the keystone.conf
ruby_block "delete all attributes in node['openstack']['identity']['conf_secrets']" do
block do
node.rm(:openstack, :identity, :conf_secrets)
end
end
# sync db after keystone.conf is generated
execute 'keystone-manage db_sync' do
user 'root'
only_if { node['openstack']['db']['identity']['migrate'] }
end
# bootstrap keystone after keystone.conf is generated
# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed
execute 'bootstrap_keystone' do
command "keystone-manage bootstrap \\
--bootstrap-password #{admin_pass} \\
--bootstrap-username #{admin_user} \\
--bootstrap-project-name #{admin_project} \\
--bootstrap-role-name #{admin_role} \\
--bootstrap-service-name keystone \\
--bootstrap-region-id #{region} \\
--bootstrap-admin-url #{identity_internal_endpoint} \\
--bootstrap-public-url #{identity_endpoint} \\
--bootstrap-internal-url #{identity_internal_endpoint}"
sensitive true
end
#### Start of Apache specific work
# service['apache2'] is defined in the apache2_default_install resource
# but other resources are currently unable to reference it. To work
# around this issue, define the following helper in your cookbook:
service 'apache2' do
extend Apache2::Cookbook::Helpers
service_name lazy { apache_platform_service_name }
supports restart: true, status: true, reload: true
action :nothing
end
apache2_install 'openstack' do
listen "#{bind_address}:#{bind_service['port']}"
end
apache2_mod_wsgi 'openstack'
apache2_module 'ssl' if node['openstack']['identity']['ssl']['enabled']
# create the keystone apache directory
keystone_apache_dir = "#{default_docroot_dir}/keystone"
directory keystone_apache_dir do
owner 'root'
group 'root'
mode '755'
end
# create the keystone apache config using template
template "#{apache_dir}/sites-available/identity.conf" do
extend Apache2::Cookbook::Helpers
source 'wsgi-keystone.conf.erb'
variables(
server_host: bind_address,
server_port: bind_service['port'],
server_entry: '/usr/bin/keystone-wsgi-public',
server_alias: 'identity',
log_dir: default_log_dir,
run_dir: lock_dir,
user: keystone_user,
group: keystone_group
)
notifies :restart, 'service[apache2]'
end
apache2_site 'identity' do
notifies :restart, 'service[apache2]', :immediately
end
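
Review bot: bootstrap_keystone interpolates #{admin_pass} into the command string, so the admin password lands on the keystone-manage argument list, where other local users can read it from the process table, and it passes through a shell where quotes or metacharacters in the password break or alter the command. sensitive true only keeps it out of Chef's own output. Supply it through the execute resource's environment property as OS_BOOTSTRAP_PASSWORD, which keystone-manage bootstrap reads, and drop --bootstrap-password. Separately, the remote_file for keystone-paste.ini fetches pastefile_url with no checksum; add one so a changed or tampered file is rejected.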

View File

@ -1,94 +0,0 @@
require_relative 'spec_helper'
require 'yaml'
describe 'openstack-identity::cloud_config' do
describe 'ubuntu' do
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:node) { runner.node }
cached(:chef_run) do
runner.converge(described_recipe)
end
include_context 'identity_stubs'
describe '/root/clouds.yaml' do
let(:file) { chef_run.template('/root/clouds.yaml') }
it 'creates the /root/clouds.yaml file' do
expect(chef_run).to create_directory('/root').with(
owner: 'root',
group: 'root',
mode: '0700',
recursive: true
)
expect(chef_run).to create_template(file.name).with(
sensitive: true,
user: 'root',
group: 'root',
mode: '0600',
variables: {
cloud_name: 'default',
identity_endpoint: 'http://127.0.0.1:5000/v3',
password: 'admin',
project: 'admin',
project_domain_name: 'default',
user_domain_name: 'default',
user: 'admin',
}
)
end
cloud_yaml = {
'clouds' => {
'default' => {
'auth' => {
'username' => 'admin',
'user_domain_name' => 'default',
'password' => 'admin',
'project_name' => 'admin',
'project_domain_name' => 'default',
'auth_url' => 'http://127.0.0.1:5000/v3',
},
'identity_api_version' => 3,
'region_name' => 'RegionOne',
},
},
}
it 'contains auth environment variables' do
expect(chef_run).to render_file(file.name).with_content(YAML.dump(cloud_yaml))
end
context 'override auth environment variables' do
cloud_yaml_override = {
'clouds' => {
'cloud-config-override' => {
'auth' => {
'username' => 'identity_admin',
'user_domain_name' => 'admin-domain-override',
'password' => 'identity_admin_pass',
'project_name' => 'admin-project-name-override',
'project_domain_name' => 'admin-domain-name-override',
'auth_url' => 'https://public.identity:1234/',
},
'identity_api_version' => 3,
'region_name' => 'RegionOne',
},
},
}
cached(:chef_run) do
node.override['openstack']['identity']['cloud_config']['cloud_name'] = 'cloud-config-override'
node.override['openstack']['identity']['admin_user'] = 'identity_admin'
node.override['openstack']['identity']['admin_project_domain'] = 'admin-domain-name-override'
node.override['openstack']['identity']['admin_project'] = 'admin-project-name-override'
node.override['openstack']['identity']['admin_domain_name'] = 'admin-domain-override'
node.override['openstack']['endpoints']['public']['identity']['uri'] = 'https://public.identity:1234/'
runner.converge(described_recipe)
end
it 'contains overridden auth environment variables' do
expect(chef_run).to render_file(file.name).with_content(YAML.dump(cloud_yaml_override))
end
end
end
end
end

View File

@ -1,29 +0,0 @@
require_relative 'spec_helper'
describe 'openstack-identity::_credential_tokens' do
describe 'ubuntu' do
include_context 'identity_stubs'
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:node) { runner.node }
cached(:chef_run) { runner.converge(described_recipe) }
it do
expect(chef_run).to create_directory('/etc/keystone/credential-tokens')
.with(owner: 'keystone', user: 'keystone', mode: '700')
end
[0, 1].each do |key_index|
it do
expect(chef_run).to create_file("/etc/keystone/credential-tokens/#{key_index}")
.with(
content: "thisiscredentialkey#{key_index}",
owner: 'keystone',
group: 'keystone',
mode: '400'
)
end
end
end
end
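
Review bot: the directory expectation uses .with(owner: 'keystone', user: 'keystone', mode: '700'); user and owner name the same property on Chef file-type resources, so ownership is asserted twice and group never is. Replace user: with group: 'keystone' to match what the recipe sets. The file expectations could also assert sensitive: true, since the content is key material.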

View File

@ -1,34 +0,0 @@
require_relative 'spec_helper'
describe 'openstack-identity::_fernet_tokens' do
describe 'ubuntu' do
include_context 'identity_stubs'
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:node) { runner.node }
cached(:chef_run) { runner.converge(described_recipe) }
it do
expect(chef_run).to create_directory('/etc/keystone/fernet-tokens')
.with(owner: 'keystone', user: 'keystone', mode: '700')
end
[0, 1].each do |key_index|
it do
expect(chef_run).to create_file("/etc/keystone/fernet-tokens/#{key_index}")
.with(
content: "thisisfernetkey#{key_index}",
owner: 'keystone',
group: 'keystone',
mode: '400'
)
end
end
it do
expect(chef_run).to run_execute('keystone-manage fernet_setup').with(
command: 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'
)
end
end
end
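
Review bot: the run_execute expectation for keystone-manage fernet_setup checks only command, so the creates guard that decides whether the command runs at all is untested. Add creates to the .with(...) arguments, and in the directory expectation swap the duplicated user: for group: so group ownership of the key repository is covered.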

View File

@ -1,82 +0,0 @@
require_relative 'spec_helper'
describe 'openstack-identity::openrc' do
describe 'ubuntu' do
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:node) { runner.node }
cached(:chef_run) do
runner.converge(described_recipe)
end
include_context 'identity_stubs'
describe '/root/openrc' do
let(:file) { chef_run.template('/root/openrc') }
it 'creates the /root/openrc file' do
expect(chef_run).to create_directory('/root').with(
owner: 'root',
group: 'root',
mode: '0700',
recursive: true
)
expect(chef_run).to create_template(file.name).with(
sensitive: true,
user: 'root',
group: 'root',
mode: '0600'
)
end
it 'contains auth environment variables' do
[
/^export OS_USERNAME=admin$/,
/^export OS_USER_DOMAIN_NAME=default$/,
/^export OS_PASSWORD=admin$/,
/^export OS_PROJECT_NAME=admin$/,
/^export OS_PROJECT_DOMAIN_NAME=default$/,
/^export OS_IDENTITY_API_VERSION=3$/,
%r{^export OS_AUTH_URL=http://127.0.0.1:5000/v3$},
/^export OS_REGION_NAME=RegionOne$/,
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
end
end
context 'misc_openrc array' do
cached(:chef_run) do
node.override['openstack']['misc_openrc'] = ['export MISC1=OPTION1', 'export MISC2=OPTION2']
runner.converge(described_recipe)
end
it 'templates misc_openrc array correctly' do
expect(chef_run).to render_file(file.name).with_content(
/^export MISC1=OPTION1$/
)
expect(chef_run).to render_file(file.name).with_content(
/^export MISC2=OPTION2$/
)
end
end
context 'override auth environment variables' do
cached(:chef_run) do
node.override['openstack']['identity']['admin_project'] = 'admin-project-name-override'
node.override['openstack']['identity']['admin_user'] = 'identity_admin'
node.override['openstack']['identity']['admin_domain_id'] = 'admin-domain-override'
node.override['openstack']['endpoints']['public']['identity']['uri'] = 'https://public.identity:1234/'
runner.converge(described_recipe)
end
it 'contains overridden auth environment variables' do
[
/^export OS_USERNAME=identity_admin$/,
/^export OS_PROJECT_NAME=admin-project-name-override$/,
/^export OS_PASSWORD=identity_admin_pass$/,
%r{^export OS_AUTH_URL=https://public.identity:1234/$},
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
end
end
end
end
end
end
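
Review bot: the 'override auth environment variables' context sets admin_domain_id, but the openrc recipe reads admin_domain_name and admin_project_domain, and the expected lines contain no OS_USER_DOMAIN_NAME or OS_PROJECT_DOMAIN_NAME pattern, so the domain override is neither applied nor checked. Override the attributes the recipe actually reads and assert the resulting export lines, as the cloud_config spec does for its YAML.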

View File

@ -1,37 +0,0 @@
require_relative 'spec_helper'
describe 'openstack-identity::registration' do
describe 'ubuntu' do
let(:node) { runner.node }
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
cached(:chef_run) { runner.converge(described_recipe) }
include_context 'identity_stubs'
connection_params = {
openstack_auth_url: 'http://127.0.0.1:5000/v3',
openstack_username: 'admin',
openstack_api_key: 'admin',
openstack_project_name: 'admin',
openstack_domain_id: 'default',
# openstack_endpoint_type: 'internalURL',
}
describe 'keystone bootstrap' do
context 'default values' do
it do
expect(chef_run).to run_ruby_block('wait for identity endpoint')
end
it 'create service role' do
expect(chef_run).to create_openstack_role(
'service'
).with(
connection_params: connection_params
)
end
end
end
end
end
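
Review bot: this spec describes openstack-identity::registration, while the recipe that defines the 'wait for identity endpoint' ruby_block and the service role carries 'Recipe:: setup' in its header comment; align the two names. The expectation also only checks that the ruby_block is run, leaving the timeout path of the wait loop without a test.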

View File

@ -1,35 +0,0 @@
require_relative 'spec_helper'
describe 'openstack-identity::server-apache' do
ALL_RHEL.each do |p|
context "redhat #{p[:version]}" do
let(:runner) { ChefSpec::SoloRunner.new(p) }
let(:node) { runner.node }
cached(:chef_run) do
runner.converge(described_recipe)
end
include_context 'identity_stubs'
it 'upgrades keystone packages' do
expect(chef_run).to upgrade_package('identity cookbook package openstack-keystone')
expect(chef_run).to upgrade_package('identity cookbook package openstack-selinux')
end
case p
when REDHAT_7
it 'upgrades python packages' do
expect(chef_run).to upgrade_package('identity cookbook package python-memcached')
expect(chef_run).to upgrade_package('identity cookbook package python2-urllib3')
end
when REDHAT_8
it 'upgrades python packages' do
expect(chef_run).to upgrade_package('identity cookbook package python3-memcached')
expect(chef_run).to upgrade_package('identity cookbook package python3-urllib3')
end
end
end
end
end

View File

@ -1,464 +0,0 @@
require_relative 'spec_helper'
describe 'openstack-identity::server-apache' do
describe 'ubuntu' do
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:node) { runner.node }
cached(:chef_run) do
runner.converge(described_recipe)
end
include Helpers
include_context 'identity_stubs'
service_name = 'keystone'
service_user = 'admin'
region = 'RegionOne'
project_name = 'admin'
role_name = 'admin'
password = 'admin'
public_url = 'http://127.0.0.1:5000/v3'
context 'syslog true' do
cached(:chef_run) do
node.override['openstack']['identity']['syslog']['use'] = true
runner.converge(described_recipe)
end
it 'runs logging recipe if node attributes say to' do
expect(chef_run).to include_recipe('openstack-common::logging')
end
end
it 'does not run logging recipe' do
expect(chef_run).not_to include_recipe('openstack-common::logging')
end
it 'upgrades mysql python packages' do
expect(chef_run).to upgrade_package('identity cookbook package python3-mysqldb')
end
it 'upgrades memcache python packages' do
expect(chef_run).to upgrade_package('identity cookbook package python3-memcache')
end
it 'upgrades keystone packages' do
expect(chef_run).to upgrade_package('identity cookbook package python3-keystone')
expect(chef_run).to upgrade_package('identity cookbook package keystone')
end
it do
expect(chef_run).to disable_apache2_site('keystone')
end
it 'bootstrap with keystone-manage' do
expect(chef_run).to run_execute('bootstrap_keystone').with(
command: "keystone-manage bootstrap \\
--bootstrap-password #{password} \\
--bootstrap-username #{service_user} \\
--bootstrap-project-name #{project_name} \\
--bootstrap-role-name #{role_name} \\
--bootstrap-service-name #{service_name} \\
--bootstrap-region-id #{region} \\
--bootstrap-admin-url #{public_url} \\
--bootstrap-public-url #{public_url} \\
--bootstrap-internal-url #{public_url}",
sensitive: true
)
end
describe '/etc/keystone' do
let(:dir) { chef_run.directory('/etc/keystone') }
it 'creates directory /etc/keystone' do
expect(chef_run).to create_directory(dir.name).with(
user: 'keystone',
group: 'keystone',
mode: '700'
)
end
end
describe '/etc/keystone/domains' do
let(:dir) { '/etc/keystone/domains' }
it 'does not create /etc/keystone/domains by default' do
expect(chef_run).not_to create_directory(dir)
end
context 'domain_specific_drivers_enabled true' do
cached(:chef_run) do
node.override['openstack']['identity']['domain_specific_drivers_enabled'] = true
runner.converge(described_recipe)
end
it 'creates /etc/keystone/domains when domain_specific_drivers_enabled enabled' do
expect(chef_run).to create_directory(dir).with(
user: 'keystone',
group: 'keystone',
mode: '700'
)
end
end
end
it 'deletes keystone.db' do
expect(chef_run).to delete_file('/var/lib/keystone/keystone.db')
end
context 'service_type sqlite' do
cached(:chef_run) do
node.override['openstack']['db']['identity']['service_type'] = 'sqlite'
runner.converge(described_recipe)
end
it 'does not delete keystone.db when configured to use sqlite' do
expect(chef_run).not_to delete_file('/var/lib/keystone/keystone.db')
end
end
describe 'keystone.conf' do
let(:path) { '/etc/keystone/keystone.conf' }
let(:resource) { chef_run.template(path) }
describe 'file properties' do
it 'creates /etc/keystone/keystone.conf' do
expect(chef_run).to create_template(resource.name).with(
user: 'keystone',
group: 'keystone',
mode: '640',
sensitive: true
)
end
end
it 'has no list_limits by default' do
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit = /)
end
describe '[DEFAULT] section' do
[
%r{^log_dir = /var/log/keystone$},
%r{^public_endpoint = http://127.0.0.1:5000/$},
%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$},
].each do |line|
it do
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', line)
end
end
describe 'syslog configuration' do
log_file = %r{^log_dir = /var/log/keystone$}
log_conf = %r{^log_config_append = /\w+}
it do
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_conf)
end
context 'syslog true' do
cached(:chef_run) do
node.override['openstack']['identity']['syslog']['use'] = true
runner.converge(described_recipe)
end
it do
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_conf)
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_file)
end
end
end
end
describe '[memcache] section' do
it 'has no servers by default' do
# `Openstack#memcached_servers' is stubbed in spec_helper.rb to
# return an empty array, so we expect an empty `servers' list.
r = line_regexp('servers = ')
expect(chef_run).to render_config_file(path).with_section_content('memcache', r)
end
context 'hostnames are configured' do
cached(:chef_run) do
runner.converge(described_recipe)
end
it 'has servers when hostnames are configured' do
# Re-stub `Openstack#memcached_servers' here
hosts = ['host1:111', 'host2:222']
r = line_regexp("servers = #{hosts.join(',')}")
allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers).and_return(hosts)
expect(chef_run).to render_config_file(path).with_section_content('memcache', r)
end
end
end
describe '[sql] section' do
it 'has a connection' do
r = %r{^connection = mysql\+pymysql://keystone:@127.0.0.1:3306/keystone\?charset=utf8$}
expect(chef_run).to render_config_file(path).with_section_content('database', r)
end
end
describe '[assignment] section' do
it 'configures driver' do
r = /^driver = sql$/
expect(chef_run).to render_config_file(path).with_section_content('assignment', r)
end
end
describe '[policy] section' do
it 'configures driver' do
r = /^driver = sql$/
expect(chef_run).to render_config_file(path).with_section_content('policy', r)
end
end
describe '[fernet_tokens] section' do
it 'key_repository = /etc/keystone/fernet-tokens' do
r = %r{^key_repository = /etc/keystone/fernet-tokens$}
expect(chef_run).to render_config_file(path).with_section_content('fernet_tokens', r)
end
end
describe '[credential] section' do
it 'key_repository = /etc/keystone/credential-tokens' do
r = %r{^key_repository = /etc/keystone/credential-tokens$}
expect(chef_run).to render_config_file(path).with_section_content('credential', r)
end
end
describe '[cache] section' do
[
/^enabled = true$/,
/^backend = oslo_cache.memcache_pool$/,
].each do |line|
it do
expect(chef_run).to render_config_file(path).with_section_content('cache', line)
end
end
end
end
describe 'db_sync' do
let(:cmd) { 'keystone-manage db_sync' }
it 'runs migrations' do
expect(chef_run).to run_execute(cmd).with(
user: 'root'
)
end
context 'migrate false' do
cached(:chef_run) do
node.override['openstack']['db']['identity']['migrate'] = false
runner.converge(described_recipe)
end
it 'does not run migrations' do
expect(chef_run).not_to run_execute(cmd).with(
user: 'root'
)
end
end
end
describe 'keystone-paste.ini as template' do
let(:path) { '/etc/keystone/keystone-paste.ini' }
it 'has default api pipeline values' do
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:api_v3',
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
)
end
context 'api_v3 service_v3' do
cached(:chef_run) do
node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
runner.converge(described_recipe)
end
it 'template api pipeline set correct' do
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:api_v3',
/^pipeline = service_v3$/
)
end
end
context 'misc_paste set' do
cached(:chef_run) do
node.override['openstack']['identity']['misc_paste'] = ['MISC1 = OPTION1', 'MISC2 = OPTION2']
runner.converge(described_recipe)
end
it 'template misc_paste array correctly' do
expect(chef_run).to render_file(path).with_content(
/^MISC1 = OPTION1$/
)
expect(chef_run).to render_file(path).with_content(
/^MISC2 = OPTION2$/
)
end
end
end
context 'keystone-paste.ini as remote file' do
cached(:chef_run) do
node.override['openstack']['identity']['pastefile_url'] = 'http://server/mykeystone-paste.ini'
runner.converge(described_recipe)
end
let(:remote_paste) { chef_run.remote_file('/etc/keystone/keystone-paste.ini') }
it 'uses a remote file if pastefile_url is specified' do
expect(chef_run).to create_remote_file_if_missing('/etc/keystone/keystone-paste.ini').with(
source: 'http://server/mykeystone-paste.ini',
user: 'keystone',
group: 'keystone',
mode: '644'
)
end
end
describe 'apache setup' do
it do
expect(chef_run.template('/etc/keystone/keystone.conf')).to notify('service[apache2]').to(:restart)
end
it do
expect(chef_run.template('/etc/apache2/sites-available/identity.conf')).to \
notify('service[apache2]').to(:restart)
end
it do
expect(chef_run).to install_apache2_install('openstack').with(listen: %w(127.0.0.1:5000))
end
it do
expect(chef_run).to create_apache2_mod_wsgi('openstack')
end
it do
expect(chef_run).to_not enable_apache2_module('ssl')
end
context 'ssl enabled' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
runner.converge(described_recipe)
end
it do
expect(chef_run).to enable_apache2_module('ssl')
end
end
describe 'apache wsgi' do
let(:file) { '/etc/apache2/sites-available/identity.conf' }
it 'creates identity.conf' do
expect(chef_run).to create_template(file).with(
source: 'wsgi-keystone.conf.erb',
variables: {
group: 'keystone',
log_dir: '/var/log/apache2',
run_dir: '/var/lock',
server_alias: 'identity',
server_entry: '/usr/bin/keystone-wsgi-public',
server_host: '127.0.0.1',
server_port: 5000,
user: 'keystone',
}
)
end
it 'does not configure keystone-admin.conf' do
expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf')
end
[
/^<VirtualHost 127.0.0.1:5000>$/,
/WSGIDaemonProcess identity processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}$/,
/WSGIProcessGroup identity$/,
%r{WSGIScriptAlias / /usr/bin/keystone-wsgi-public$},
%r{ErrorLog /var/log/apache2/identity.log$},
%r{CustomLog /var/log/apache2/identity_access.log combined$},
%r{WSGISocketPrefix /var/lock$},
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
context 'custom_template_banner' do
cached(:chef_run) do
node.override['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
runner.converge(described_recipe)
end
[
/^custom_template_banner_value$/,
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
end
[
/SSLEngine On$/,
/SSLCertificateFile/,
/SSLCertificateKeyFile/,
/SSLCACertificatePath/,
/SSLCARevocationPath/,
/SSLCARevocationCheck/,
/SSLCertificateChainFile/,
/SSLProtocol/,
/SSLCipherSuite/,
/SSLVerifyClient/,
].each do |line|
it do
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable SSL' do
let(:file) { '/etc/apache2/sites-available/identity.conf' }
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
runner.converge(described_recipe)
end
[
/SSLEngine On$/,
%r{SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
%r{SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
%r{SSLCACertificatePath /etc/keystone/ssl/certs/$},
/SSLProtocol All -SSLv2 -SSLv3$/,
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
[
/SSLCARevocationPath/,
/SSLCARevocationCheck/,
/SSLCertificateChainFile/,
/SSLCipherSuite/,
/SSLVerifyClient require/,
].each do |line|
it do
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable ca_revocation_path, chainfile, ciphers & cert_required' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
node.override['openstack']['identity']['ssl']['ca_revocation_path'] = '/etc/keystone/ssl/crl.d'
node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
node.override['openstack']['identity']['ssl']['cert_required'] = true
runner.converge(described_recipe)
end
[
%r{SSLCARevocationPath /etc/keystone/ssl/crl.d$},
/SSLCARevocationCheck chain$/,
%r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$},
/SSLCipherSuite ciphers_value$/,
/SSLVerifyClient require$/,
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
end
end
end
end
end
end
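Review bot: In the 'Enable SSL' context the expected default is `SSLProtocol All -SSLv2 -SSLv3`, which still leaves TLS 1.0 and 1.1 enabled wherever the OpenSSL build supports them, and `SSLCipherSuite` is asserted absent unless `ciphers` is set. Nothing here blocks the removal, but anyone still converging from an older ref should set `node['openstack']['identity']['ssl']['protocol']` and `['ciphers']` explicitly rather than rely on these defaults. The 'keystone-paste.ini as remote file' context has a related gap: the expected `source` is plain `http://` fetched with `create_remote_file_if_missing`, and no checksum is asserted, so the pipeline definition is neither integrity-checked nor refreshed once it is on disk.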

View File

@ -1,96 +0,0 @@
require 'chefspec'
require 'chefspec/berkshelf'
RSpec.configure do |config|
config.color = true
config.formatter = :documentation
config.log_level = :warn
config.file_cache_path = '/var/chef/cache'
end
REDHAT_7 = {
platform: 'redhat',
version: '7',
}.freeze
REDHAT_8 = {
platform: 'redhat',
version: '8',
}.freeze
ALL_RHEL = [
REDHAT_7,
REDHAT_8,
].freeze
UBUNTU_OPTS = {
platform: 'ubuntu',
version: '18.04',
}.freeze
# Helper methods
module Helpers
# Create an anchored regex to exactly match the entire line
# (name borrowed from grep --line-regexp)
#
# @param [String] str The whole line to match
# @return [Regexp] The anchored/escaped regular expression
def line_regexp(str)
/^#{Regexp.quote(str)}$/
end
end
shared_context 'identity_stubs' do
before do
allow_any_instance_of(Chef::Recipe).to receive(:rabbit_servers)
.and_return('rabbit_servers_value')
allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers)
.and_return([])
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('db', anything)
.and_return('')
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', anything)
.and_return('')
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'guest')
.and_return('guest')
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'user1')
.and_return('secret1')
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'identity_admin')
.and_return('identity_admin_pass')
stub_command('/usr/sbin/apache2 -t')
allow_any_instance_of(Chef::Recipe).to receive(:search_for)
.with('os-identity').and_return(
[{
'openstack' => {
'identity' => {
'admin_tenant_name' => 'admin',
'admin_user' => 'admin',
},
},
}]
)
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'admin')
.and_return('admin')
allow_any_instance_of(Chef::Recipe).to receive(:secret)
.with('secrets', 'credential_key0')
.and_return('thisiscredentialkey0')
allow_any_instance_of(Chef::Recipe).to receive(:secret)
.with('secrets', 'credential_key1')
.and_return('thisiscredentialkey1')
allow_any_instance_of(Chef::Recipe).to receive(:secret)
.with('secrets', 'fernet_key0')
.and_return('thisisfernetkey0')
allow_any_instance_of(Chef::Recipe).to receive(:secret)
.with('secrets', 'fernet_key1')
.and_return('thisisfernetkey1')
allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url)
.with('identity')
.and_return('rabbit://openstack:mypass@127.0.0.1:5672')
stub_command("[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]").and_return(true)
end
end
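Review bot: The `get_password` stubs for `('db', anything)` and `('user', anything)` return `''`, which is why the keystone.conf expectation matches `keystone:@127.0.0.1:3306` and no spec ever renders a non-empty database password. If this helper is reused from an older ref, have the `db` stub return a value containing URL-reserved characters such as `@` or `/`, so the connection-string test shows whether the recipe escapes the password before building the URL.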

View File

@ -1,12 +0,0 @@
---
clouds:
<%= @cloud_name %>:
auth:
username: <%= @user %>
user_domain_name: <%= @user_domain_name %>
password: <%= @password %>
project_name: <%= @project %>
project_domain_name: <%= @project_domain_name %>
auth_url: <%= @identity_endpoint %>
identity_api_version: 3
region_name: <%= node['openstack']['region'] %>
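Review bot: `password: <%= @password %>` (and the other `auth` values) are interpolated into YAML unquoted, so a password that contains `: `, ` #`, or starts with a character such as `*`, `&`, `!` or `{` either fails to parse or is silently read as a different value. Emitting each scalar through `to_json`, for example `password: <%= @password.to_json %>`, keeps the file valid for any input. The rendered file holds a plaintext credential, so the resource that writes it should also be `sensitive` with a restrictive mode; that part is not visible in this hunk.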

View File

@ -1,73 +0,0 @@
<%= node['openstack']['identity']['custom_template_banner'] %>
# Keystone PasteDeploy configuration file.
[filter:debug]
use = egg:oslo.middleware#debug
[filter:request_id]
use = egg:oslo.middleware#request_id
[filter:build_auth_context]
use = egg:keystone#build_auth_context
[filter:token_auth]
use = egg:keystone#token_auth
[filter:json_body]
use = egg:keystone#json_body
[filter:cors]
use = egg:oslo.middleware#cors
oslo_config_project = keystone
[filter:http_proxy_to_wsgi]
use = egg:oslo.middleware#http_proxy_to_wsgi
[filter:healthcheck]
use = egg:oslo.middleware#healthcheck
[filter:ec2_extension]
use = egg:keystone#ec2_extension
[filter:ec2_extension_v3]
use = egg:keystone#ec2_extension_v3
[filter:s3_extension]
use = egg:keystone#s3_extension
[filter:url_normalize]
use = egg:keystone#url_normalize
[filter:sizelimit]
use = egg:oslo.middleware#sizelimit
[filter:osprofiler]
use = egg:osprofiler#osprofiler
[app:public_service]
use = egg:keystone#public_service
[app:service_v3]
use = egg:keystone#service_v3
[pipeline:api_v3]
pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %>
[app:public_version_service]
use = egg:keystone#public_version_service
[pipeline:public_version_api]
pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
[composite:main]
use = egg:Paste#urlmap
/v3 = api_v3
/ = public_version_api
<% if node['openstack']['identity']['misc_paste'] %>
<% node['openstack']['identity']['misc_paste'].each do |m| %>
<%= m %>
<% end %>
<% end %>
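Review bot: The `misc_paste` loop at the end emits each entry verbatim directly after `/ = public_version_api`, so unless the first entry is itself a section header, entries such as the spec's `MISC1 = OPTION1` land inside `[composite:main]` and are handed to the urlmap factory as extra keys. Documenting that the array must start with a `[section]` line, or rendering the entries under an explicit section, would avoid that. Note also that `pipeline = <%=node[...]['api_v3'] %>` takes the whole filter chain from one attribute with no check that `token_auth` and `build_auth_context` are still present.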

View File

@ -1,18 +0,0 @@
<%= node['openstack']['identity']['custom_template_banner'] %>
# COMMON OPENSTACK ENVS
export OS_USERNAME=<%= @user %>
export OS_USER_DOMAIN_NAME=<%= @user_domain_name %>
export OS_PASSWORD=<%= @password %>
export OS_PROJECT_NAME=<%= @project %>
export OS_PROJECT_DOMAIN_NAME=<%= @project_domain_name %>
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=<%= @identity_endpoint %>
export OS_REGION_NAME=<%= node['openstack']['region'] %>
<% if node['openstack']['misc_openrc'] %>
# Misc options
<% node['openstack']['misc_openrc'].each do |m| %>
<%= m %>
<% end %>
<% end %>
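Review bot: `export OS_PASSWORD=<%= @password %>` is written unquoted into a file that is meant to be sourced, so a password containing whitespace, `$`, backticks, `;` or `&` is word-split or evaluated by the shell instead of being assigned literally. Rendering the value through `Shellwords.escape` (or single-quoting it with embedded quotes escaped) fixes this, and the same applies to the other `@`-variables and to the `misc_openrc` entries, which are emitted as raw shell lines.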

View File

@ -1,40 +0,0 @@
<%= node['openstack']['identity']['custom_template_banner'] %>
<VirtualHost <%= @server_host %>:<%= @server_port %>>
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @user %> group=<%= @group %> display-name=%{GROUP}
WSGIProcessGroup identity
WSGIScriptAlias / <%= @server_entry %>
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog <%= @log_dir %>/identity.log
CustomLog <%= @log_dir %>/identity_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
<% if node['openstack']['identity']['ssl']['enabled'] -%>
SSLEngine On
SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %>
SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %>
SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %>
<% if node['openstack']['identity']['ssl']['ca_revocation_path'] %>
SSLCARevocationPath <%= node['openstack']['identity']['ssl']['ca_revocation_path'] %>
SSLCARevocationCheck chain
<% end -%>
<% if node['openstack']['identity']['ssl']['chainfile'] %>
SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %>
<% end -%>
SSLProtocol <%= node['openstack']['identity']['ssl']['protocol'] %>
<% if node['openstack']['identity']['ssl']['ciphers'] -%>
SSLCipherSuite <%= node['openstack']['identity']['ssl']['ciphers'] %>
<% end -%>
<% if node['openstack']['identity']['ssl']['cert_required'] -%>
SSLVerifyClient require
<% end -%>
<% end -%>
</VirtualHost>
WSGISocketPrefix <%= @run_dir %>
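Review bot: `<Directory /usr/bin>` with `Require all granted` grants access to the whole directory when only the WSGI entry point needs it; wrapping the grant in `<Files keystone-wsgi-public>` inside that block narrows it to the one script. In the SSL branch, `SSLCipherSuite` is emitted only when `ciphers` is set and `SSLVerifyClient require` only when `cert_required` is set, so with defaults the vhost falls back to the server-wide cipher list and does no client-certificate checking; a comment in the template stating that this is intentional would help anyone reading an older ref.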