Update to apache2 ~> 8.0 cookbook
This brings us up to date with the latest apache2 cookbook which included a major refactor in 6.0.0 removing all of the definitions and recipes in favor of proper resources. Instead of using the apache2_default_site resource, directly use a template and then enable the config file using the apache2_site resource. This gives us the most flexibility. - Install mod_wsgi as a package on RHEL since there is no built-in resource for it. - Don't set SELinux to permissive on RHEL (I tested this works properly with it set to enforcing). - Remove hack for restarting apache. - Convert web_app to template and subscribe to restarting apache. - Remove resources to restore SELinux contexts since this is taken care of by Chef now automatically. - Remove unused references to log_debug in wsgi template - Add missing WSGISocketPrefix to wsgi template - Additional tests for keystone.conf and identity.conf - Remove unused ldap section tests as we no longer have attributes for it - Include additional cookbooks in Berksfile required for CI Depends-On: https://review.opendev.org/702772 Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
This commit is contained in:
parent
21255e36b4
commit
453ab3bb95
13
Berksfile
13
Berksfile
|
@ -1,8 +1,19 @@
|
|||
source 'https://supermarket.chef.io'
|
||||
|
||||
solver :ruby, :required
|
||||
|
||||
metadata
|
||||
|
||||
%w(-common client).each do |cookbook|
|
||||
%w(
|
||||
client
|
||||
-common
|
||||
-dns
|
||||
-image
|
||||
-integration-test
|
||||
-network
|
||||
-ops-database
|
||||
-ops-messaging
|
||||
).each do |cookbook|
|
||||
if Dir.exist?("../cookbook-openstack#{cookbook}")
|
||||
cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}"
|
||||
else
|
||||
|
|
|
@ -37,7 +37,7 @@ Cookbooks
|
|||
|
||||
The following cookbooks are dependencies:
|
||||
|
||||
- 'apache2', '~> 5.0.1'
|
||||
- 'apache2', '~> 8.0'
|
||||
- 'openstack-common', '>= 18.0.0'
|
||||
- 'openstackclient'
|
||||
|
||||
|
|
|
@ -141,7 +141,17 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
|
|||
# platform specific package and service name options
|
||||
default['openstack']['identity']['platform'] = {
|
||||
'memcache_python_packages' => ['python-memcached'],
|
||||
'keystone_packages' => ['openstack-keystone', 'openstack-selinux', 'python2-urllib3'],
|
||||
# TODO(ramereth): python2-urllib3 is here to workaround an issue if
|
||||
# it's already been installed from the base repository which is
|
||||
# incompatible with what's shipped with RDO. This should be removed
|
||||
# once fixed upstream.
|
||||
'keystone_packages' =>
|
||||
%w(
|
||||
mod_wsgi
|
||||
openstack-keystone
|
||||
openstack-selinux
|
||||
python2-urllib3
|
||||
),
|
||||
'keystone_service' => 'openstack-keystone',
|
||||
'keystone_process_name' => 'keystone-all',
|
||||
'package_options' => '',
|
||||
|
@ -150,7 +160,12 @@ when 'debian'
|
|||
# platform specific package and service name options
|
||||
default['openstack']['identity']['platform'] = {
|
||||
'memcache_python_packages' => ['python3-memcache'],
|
||||
'keystone_packages' => ['libapache2-mod-wsgi-py3', 'python3-keystone', 'keystone'],
|
||||
'keystone_packages' =>
|
||||
%w(
|
||||
keystone
|
||||
libapache2-mod-wsgi-py3
|
||||
python3-keystone
|
||||
),
|
||||
'keystone_service' => 'keystone',
|
||||
'keystone_process_name' => 'keystone-all',
|
||||
'package_overrides' => '',
|
||||
|
|
|
@ -16,9 +16,9 @@ recipe 'server-apache', 'Installs and configures the OpenStack Identity Service
|
|||
supports os
|
||||
end
|
||||
|
||||
depends 'openstack-common', '>= 18.0.0'
|
||||
depends 'apache2', '~> 8.0'
|
||||
depends 'openstackclient'
|
||||
depends 'apache2', '5.0.1'
|
||||
depends 'openstack-common', '>= 18.0.0'
|
||||
|
||||
issues_url 'https://launchpad.net/openstack-chef'
|
||||
source_url 'https://opendev.org/openstack/cookbook-openstack-identity'
|
||||
|
|
|
@ -26,25 +26,7 @@ require 'uri'
|
|||
# load the methods defined in cookbook-openstack-common libraries
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
end
|
||||
|
||||
# Workaround lifted from openstack-dashboard::apache2-server to install apache2
|
||||
# on a RHEL-ish machine with SELinux set to enforcing.
|
||||
#
|
||||
# TODO(sc): once apache2 is in a place to allow for subscribes to web_app,
|
||||
# this workaround should go away
|
||||
#
|
||||
execute 'set-selinux-permissive' do
|
||||
command '/sbin/setenforce Permissive'
|
||||
action :run
|
||||
|
||||
only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
|
||||
end
|
||||
|
||||
# Clear lock file when notified
|
||||
execute 'Clear Keystone apache restart' do
|
||||
command "rm -f #{Chef::Config[:file_cache_path]}/keystone-apache-restarted"
|
||||
action :nothing
|
||||
include Apache2::Cookbook::Helpers
|
||||
end
|
||||
|
||||
# include the logging recipe from openstack-common if syslog usage is enbaled
|
||||
|
@ -110,8 +92,8 @@ service 'keystone' do
|
|||
end
|
||||
|
||||
# disable default keystone config file from UCA package
|
||||
apache_site 'keystone' do
|
||||
enable false
|
||||
apache2_site 'keystone' do
|
||||
action :disable
|
||||
only_if { platform_family?('debian') }
|
||||
end
|
||||
|
||||
|
@ -198,7 +180,7 @@ template '/etc/keystone/keystone.conf' do
|
|||
variables(
|
||||
service_config: keystone_conf_options
|
||||
)
|
||||
notifies :run, 'execute[Clear Keystone apache restart]', :immediately
|
||||
notifies :restart, 'service[apache2]'
|
||||
end
|
||||
|
||||
# delete all secrets saved in the attribute
|
||||
|
@ -232,81 +214,48 @@ end
|
|||
|
||||
#### Start of Apache specific work
|
||||
|
||||
# configure attributes for apache2 cookbook to align with openstack settings
|
||||
apache_listen = Array(node['apache']['listen']) # include already defined listen attributes
|
||||
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
|
||||
# a different address syntax. *:80 vs 0.0.0.0:80
|
||||
apache_listen -= ['*:80']
|
||||
apache_listen += ["#{bind_address}:#{bind_service['port']}"]
|
||||
node.normal['apache']['listen'] = apache_listen.uniq
|
||||
|
||||
# include the apache2 default recipe and the recipes for mod_wsgi
|
||||
include_recipe 'apache2'
|
||||
# TODO(jh): hardcoded to include py2 mod-wsgi package
|
||||
# include_recipe 'apache2::mod_wsgi'
|
||||
case node['platform_family']
|
||||
when 'debian'
|
||||
apache_module 'wsgi'
|
||||
when 'rhel', 'fedora', 'arch', 'amazon'
|
||||
include_recipe 'apache2::mod_wsgi'
|
||||
# service['apache2'] is defined in the apache2_default_install resource
|
||||
# but other resources are currently unable to reference it. To work
|
||||
# around this issue, define the following helper in your cookbook:
|
||||
service 'apache2' do
|
||||
extend Apache2::Cookbook::Helpers
|
||||
service_name lazy { apache_platform_service_name }
|
||||
supports restart: true, status: true, reload: true
|
||||
action :nothing
|
||||
end
|
||||
|
||||
# include the apache2 mod_ssl recipe if ssl is enabled for identity
|
||||
include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled']
|
||||
apache2_install 'openstack' do
|
||||
listen "#{bind_address}:#{bind_service['port']}"
|
||||
end
|
||||
|
||||
apache2_module 'wsgi'
|
||||
apache2_module 'ssl' if node['openstack']['identity']['ssl']['enabled']
|
||||
|
||||
# create the keystone apache directory
|
||||
keystone_apache_dir = "#{node['apache']['docroot_dir']}/keystone"
|
||||
keystone_apache_dir = "#{default_docroot_dir}/keystone"
|
||||
directory keystone_apache_dir do
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode 0o0755
|
||||
end
|
||||
|
||||
# create the keystone apache config using the web_app resource from the apache2
|
||||
# cookbook
|
||||
web_app 'identity' do
|
||||
template 'wsgi-keystone.conf.erb'
|
||||
server_host bind_address
|
||||
server_port bind_service['port']
|
||||
server_entry '/usr/bin/keystone-wsgi-public'
|
||||
server_alias 'identity'
|
||||
server_suffix app
|
||||
log_dir node['apache']['log_dir']
|
||||
log_debug node['openstack']['identity']['debug']
|
||||
user keystone_user
|
||||
group keystone_group
|
||||
use_ssl node['openstack']['identity']['ssl']['enabled']
|
||||
cert_file node['openstack']['identity']['ssl']['certfile']
|
||||
chain_file node['openstack']['identity']['ssl']['chainfile']
|
||||
key_file node['openstack']['identity']['ssl']['keyfile']
|
||||
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
|
||||
cert_required node['openstack']['identity']['ssl']['cert_required']
|
||||
protocol node['openstack']['identity']['ssl']['protocol']
|
||||
ciphers node['openstack']['identity']['ssl']['ciphers']
|
||||
# create the keystone apache config using template
|
||||
template "#{apache_dir}/sites-available/identity.conf" do
|
||||
extend Apache2::Cookbook::Helpers
|
||||
source 'wsgi-keystone.conf.erb'
|
||||
variables(
|
||||
server_host: bind_address,
|
||||
server_port: bind_service['port'],
|
||||
server_entry: '/usr/bin/keystone-wsgi-public',
|
||||
server_alias: 'identity',
|
||||
log_dir: default_log_dir,
|
||||
run_dir: lock_dir,
|
||||
user: keystone_user,
|
||||
group: keystone_group
|
||||
)
|
||||
notifies :restart, 'service[apache2]'
|
||||
end
|
||||
|
||||
# Hack until Apache cookbook has lwrp's for proper use of notify restart
|
||||
# apache2 after keystone if completely configured. Whenever a keystone
|
||||
# config is updated, have it notify the resource which clears the lock
|
||||
# so the service can be restarted.
|
||||
# TODO(ramereth): This should be removed once this cookbook is updated
|
||||
# to use the newer apache2 cookbook which uses proper resources.
|
||||
edit_resource(:template, "#{node['apache']['dir']}/sites-available/identity.conf") do
|
||||
notifies :run, 'execute[Clear Keystone apache restart]', :immediately
|
||||
end
|
||||
|
||||
# Only restart Keystone apache during the initial install. This causes
|
||||
# monitoring and service issues while the service is restarted so we
|
||||
# should minimize the amount of times we restart apache.
|
||||
execute 'Keystone apache restart' do
|
||||
command "touch #{Chef::Config[:file_cache_path]}/keystone-apache-restarted"
|
||||
creates "#{Chef::Config[:file_cache_path]}/keystone-apache-restarted"
|
||||
notifies :run, 'execute[restore-selinux-context]', :immediately
|
||||
apache2_site 'identity' do
|
||||
notifies :restart, 'service[apache2]', :immediately
|
||||
end
|
||||
|
||||
execute 'restore-selinux-context' do
|
||||
command 'restorecon -Rv /etc/httpd /etc/pki || :'
|
||||
action :nothing
|
||||
only_if { platform_family?('rhel') }
|
||||
end
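Review bot: On a first converge apache is restarted twice: `apache2_site 'identity'` restarts `service[apache2]` immediately, and the delayed `:restart` notifications from the keystone.conf and identity.conf templates fire again at the end of the run, which is exactly the double-restart the removed lock-file hack existed to avoid. Making the site notification delayed as well, `notifies :restart, 'service[apache2]'`, coalesces all three into one restart on first run, and on later runs the site is already enabled so only template changes trigger it; if the immediate restart is intentional (so later resources in the same run can reach keystone), a comment saying so would stop the next reader from re-adding the coalescing. The comment above `service 'apache2'` still names `apache2_default_install` while the code calls `apache2_install`, and reads like a pasted doc excerpt ("define the following helper in your cookbook"); `# apache2_install declares service[apache2] internally where our templates cannot notify it, so redeclare it here with action :nothing` states the local reason. The `template` block also sets no explicit `owner`/`group`/`mode` for the vhost file, which the old `web_app` expectation pinned as root/root/0644; since the rendered file only carries paths and no secrets that is acceptable, but making it explicit keeps the permissions independent of the umask Chef runs under.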
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
# encoding: UTF-8
|
||||
#
|
||||
|
||||
require_relative 'spec_helper'
|
||||
|
||||
describe 'openstack-identity::server-apache' do
|
||||
describe 'redhat' do
|
||||
let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) }
|
||||
let(:node) { runner.node }
|
||||
cached(:chef_run) do
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
|
||||
include_context 'identity_stubs'
|
||||
|
||||
it 'upgrades memcache python packages' do
|
||||
expect(chef_run).to upgrade_package('identity cookbook package python-memcached')
|
||||
end
|
||||
|
||||
it 'upgrades keystone packages' do
|
||||
expect(chef_run).to upgrade_package('identity cookbook package openstack-keystone')
|
||||
expect(chef_run).to upgrade_package('identity cookbook package openstack-selinux')
|
||||
expect(chef_run).to upgrade_package('identity cookbook package mod_wsgi')
|
||||
end
|
||||
end
|
||||
end
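Review bot: The `upgrades keystone packages` example checks three of the four packages the RHEL attribute list now carries; `python2-urllib3` is missing, so `expect(chef_run).to upgrade_package('identity cookbook package python2-urllib3')` would make the spec match the attribute and catch its removal when the upstream workaround is retired. Nothing in this file exercises the RHEL side of the identity.conf template or the `wsgi` module, so a change in the apache2 helper values on RHEL (`apache_dir`, `default_log_dir`, `lock_dir`, which presumably differ from the Debian values asserted in the other spec) would go unnoticed; one `create_template` expectation with the RHEL `sites-available` path plus `enable_apache2_module('wsgi')` would cover it. The exact RHEL path is not visible here and should be taken from the helper rather than guessed.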
|
|
@ -49,6 +49,10 @@ describe 'openstack-identity::server-apache' do
|
|||
expect(chef_run).to upgrade_package('identity cookbook package keystone')
|
||||
end
|
||||
|
||||
it do
|
||||
expect(chef_run).to disable_apache2_site('keystone')
|
||||
end
|
||||
|
||||
it 'bootstrap with keystone-manage' do
|
||||
expect(chef_run).to run_execute('bootstrap_keystone').with(command: "keystone-manage bootstrap \\
|
||||
--bootstrap-password #{password} \\
|
||||
|
@ -127,19 +131,22 @@ describe 'openstack-identity::server-apache' do
|
|||
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit = /)
|
||||
end
|
||||
|
||||
it 'has default transport_url/AMQP options set' do
|
||||
[%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$}].each do |line|
|
||||
expect(chef_run).to render_file(path).with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
describe '[DEFAULT] section' do
|
||||
[
|
||||
%r{^log_dir = /var/log/keystone$},
|
||||
%r{^public_endpoint = http://127.0.0.1:5000/$},
|
||||
%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$},
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', line)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'syslog configuration' do
|
||||
log_file = %r{^log_dir = /var/log/keystone$}
|
||||
log_conf = %r{^log_config_append = /\w+}
|
||||
|
||||
it 'renders log_file correctly' do
|
||||
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_file)
|
||||
it do
|
||||
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_conf)
|
||||
end
|
||||
|
||||
|
@ -148,19 +155,12 @@ describe 'openstack-identity::server-apache' do
|
|||
node.override['openstack']['identity']['syslog']['use'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'renders log_config correctly' do
|
||||
it do
|
||||
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_conf)
|
||||
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_file)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
it 'has correct endpoints' do
|
||||
# values correspond to node attrs set in chef_run above
|
||||
pub = line_regexp('public_endpoint = http://127.0.0.1:5000/')
|
||||
|
||||
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', pub)
|
||||
end
|
||||
end
|
||||
|
||||
describe '[memcache] section' do
|
||||
|
@ -180,8 +180,7 @@ describe 'openstack-identity::server-apache' do
|
|||
hosts = ['host1:111', 'host2:222']
|
||||
r = line_regexp("servers = #{hosts.join(',')}")
|
||||
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers)
|
||||
.and_return(hosts)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers).and_return(hosts)
|
||||
expect(chef_run).to render_config_file(path).with_section_content('memcache', r)
|
||||
end
|
||||
end
|
||||
|
@ -189,52 +188,46 @@ describe 'openstack-identity::server-apache' do
|
|||
|
||||
describe '[sql] section' do
|
||||
it 'has a connection' do
|
||||
r = /^connection = \w+/
|
||||
r = %r{^connection = mysql\+pymysql://keystone:@127.0.0.1:3306/keystone\?charset=utf8$}
|
||||
expect(chef_run).to render_config_file(path).with_section_content('database', r)
|
||||
end
|
||||
end
|
||||
|
||||
describe '[ldap] section' do
|
||||
describe 'optional nil attributes' do
|
||||
optional_attrs = %w(group_tree_dn group_filter user_filter
|
||||
user_tree_dn user_enabled_emulation_dn
|
||||
group_attribute_ignore role_attribute_ignore
|
||||
role_tree_dn role_filter project_tree_dn
|
||||
project_enabled_emulation_dn project_filter
|
||||
project_attribute_ignore)
|
||||
|
||||
it 'does not configure attributes' do
|
||||
optional_attrs.each do |a|
|
||||
r = /^#{Regexp.quote(a)} = $/
|
||||
expect(chef_run).not_to render_config_file(path).with_section_content('ldap', r)
|
||||
end
|
||||
end
|
||||
|
||||
context 'ssl settings' do
|
||||
context 'when use_tls disabled' do
|
||||
it 'does not set tls_ options if use_tls is disabled' do
|
||||
[/^tls_cacertfile = /, /^tls_cacertdir = /, /^tls_req_cert = /].each do |setting|
|
||||
expect(chef_run).not_to render_config_file(path).with_section_content('ldap', setting)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '[assignment] section' do
|
||||
it 'configures driver' do
|
||||
r = line_regexp('driver = sql')
|
||||
r = /^driver = sql$/
|
||||
expect(chef_run).to render_config_file(path).with_section_content('assignment', r)
|
||||
end
|
||||
end
|
||||
|
||||
describe '[policy] section' do
|
||||
it 'configures driver' do
|
||||
r = line_regexp('driver = sql')
|
||||
r = /^driver = sql$/
|
||||
expect(chef_run).to render_config_file(path).with_section_content('policy', r)
|
||||
end
|
||||
end
|
||||
describe '[fernet_tokens] section' do
|
||||
it do
|
||||
r = %r{^key_repository = /etc/keystone/fernet-tokens$}
|
||||
expect(chef_run).to render_config_file(path).with_section_content('fernet_tokens', r)
|
||||
end
|
||||
end
|
||||
describe '[credential] section' do
|
||||
it do
|
||||
r = %r{^key_repository = /etc/keystone/credential-tokens$}
|
||||
expect(chef_run).to render_config_file(path).with_section_content('credential', r)
|
||||
end
|
||||
end
|
||||
describe '[cache] section' do
|
||||
[
|
||||
/^enabled = true$/,
|
||||
/^backend = oslo_cache.memcache_pool$/,
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).to render_config_file(path).with_section_content('cache', line)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'db_sync' do
|
||||
|
@ -314,25 +307,34 @@ describe 'openstack-identity::server-apache' do
|
|||
end
|
||||
|
||||
describe 'apache setup' do
|
||||
it 'set apache addresses and ports' do
|
||||
expect(chef_run.node['apache']['listen']).to eq(%w(127.0.0.1:5000))
|
||||
it do
|
||||
expect(chef_run.template('/etc/keystone/keystone.conf')).to notify('service[apache2]').to(:restart)
|
||||
end
|
||||
|
||||
describe 'apache recipes' do
|
||||
it 'include apache recipes' do
|
||||
expect(chef_run).to include_recipe('apache2')
|
||||
expect(chef_run).not_to include_recipe('apache2::mod_wsgi')
|
||||
expect(chef_run).not_to include_recipe('apache2::mod_ssl')
|
||||
end
|
||||
it do
|
||||
expect(chef_run.template('/etc/apache2/sites-available/identity.conf')).to \
|
||||
notify('service[apache2]').to(:restart)
|
||||
end
|
||||
|
||||
context 'ssl enabled' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'include apache recipes' do
|
||||
expect(chef_run).to include_recipe('apache2::mod_ssl')
|
||||
end
|
||||
it do
|
||||
expect(chef_run).to install_apache2_install('openstack').with(listen: '127.0.0.1:5000')
|
||||
end
|
||||
|
||||
it do
|
||||
expect(chef_run).to enable_apache2_module('wsgi')
|
||||
end
|
||||
|
||||
it do
|
||||
expect(chef_run).to_not enable_apache2_module('ssl')
|
||||
end
|
||||
|
||||
context 'ssl enabled' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it do
|
||||
expect(chef_run).to enable_apache2_module('ssl')
|
||||
end
|
||||
end
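Review bot: The rewritten apache setup examples cover the install, module and template resources, but nothing here asserts that `apache2_site 'identity'` is enabled or that it restarts apache immediately, which is the contract the deleted `describe 'restart apache'` block used to pin; unless a hunk outside this view covers it, `it { expect(chef_run).to enable_apache2_site('identity') }` and `it { expect(chef_run.apache2_site('identity')).to notify('service[apache2]').to(:restart).immediately }` would keep the restart behavior under test (the custom-resource accessor should resolve the same way `chef_run.template(...)` does). The unnamed `it do` examples for the template notifications make a failure report read only the matcher text; a short description on the site and restart examples helps triage. The enclosing `describe 'apache setup'` block continues outside the hunk.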
|
||||
|
||||
|
@ -341,9 +343,17 @@ describe 'openstack-identity::server-apache' do
|
|||
|
||||
it 'creates identity.conf' do
|
||||
expect(chef_run).to create_template(file).with(
|
||||
user: 'root',
|
||||
group: 'root',
|
||||
mode: '0644'
|
||||
source: 'wsgi-keystone.conf.erb',
|
||||
variables: {
|
||||
group: 'keystone',
|
||||
log_dir: '/var/log/apache2',
|
||||
run_dir: '/var/lock/apache2',
|
||||
server_alias: 'identity',
|
||||
server_entry: '/usr/bin/keystone-wsgi-public',
|
||||
server_host: '127.0.0.1',
|
||||
server_port: 5000,
|
||||
user: 'keystone',
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
|
@ -351,25 +361,45 @@ describe 'openstack-identity::server-apache' do
|
|||
expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf')
|
||||
end
|
||||
|
||||
[
|
||||
/^<VirtualHost 127.0.0.1:5000>$/,
|
||||
/WSGIDaemonProcess identity processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}$/,
|
||||
/WSGIProcessGroup identity$/,
|
||||
%r{WSGIScriptAlias / /usr/bin/keystone-wsgi-public$},
|
||||
%r{ErrorLog /var/log/apache2/identity.log$},
|
||||
%r{CustomLog /var/log/apache2/identity_access.log combined$},
|
||||
%r{WSGISocketPrefix /var/lock/apache2$},
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
|
||||
context 'custom_template_banner' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'configures identity.conf lines' do
|
||||
[/^custom_template_banner_value$/,
|
||||
/user=keystone/,
|
||||
/group=keystone/,
|
||||
%r{^ ErrorLog /var/log/apache2/identity.log$},
|
||||
%r{^ CustomLog /var/log/apache2/identity_access.log combined$}].each do |line|
|
||||
[
|
||||
/^custom_template_banner_value$/,
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not configure identity.conf triggered common lines' do
|
||||
[/^ LogLevel/,
|
||||
/^ SSL/].each do |line|
|
||||
[
|
||||
/SSLEngine On$/,
|
||||
/SSLCertificateFile/,
|
||||
/SSLCertificateKeyFile/,
|
||||
/SSLCACertificatePath/,
|
||||
/SSLCertificateChainFile/,
|
||||
/SSLProtocol/,
|
||||
/SSLCipherSuite/,
|
||||
/SSLVerifyClient/,
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
|
@ -380,99 +410,46 @@ describe 'openstack-identity::server-apache' do
|
|||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'configures identity.conf common ssl lines' do
|
||||
[/^ SSLEngine On$/,
|
||||
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
|
||||
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
|
||||
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
|
||||
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
|
||||
[
|
||||
/SSLEngine On$/,
|
||||
%r{SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
|
||||
%r{SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
|
||||
%r{SSLCACertificatePath /etc/keystone/ssl/certs/$},
|
||||
/SSLProtocol All -SSLv2 -SSLv3$/,
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
it 'does not configure identity.conf common ssl lines' do
|
||||
[/^ SSLCertificateChainFile/,
|
||||
/^ SSLCipherSuite/,
|
||||
/^ SSLVerifyClient require/].each do |line|
|
||||
[
|
||||
/SSLCertificateChainFile/,
|
||||
/SSLCipherSuite/,
|
||||
/SSLVerifyClient require/,
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
context 'chainfile' do
|
||||
context 'Enable chainfile, ciphers & cert_required' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'configures identity.conf chainfile when set' do
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
|
||||
end
|
||||
end
|
||||
context 'ciphers' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'configures identity.conf ciphers when set' do
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLCipherSuite ciphers_value$/)
|
||||
end
|
||||
end
|
||||
context 'cert_required' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
node.override['openstack']['identity']['ssl']['cert_required'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
it 'configures identity.conf cert_required set' do
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLVerifyClient require$/)
|
||||
[
|
||||
%r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$},
|
||||
/SSLCipherSuite ciphers_value$/,
|
||||
/SSLVerifyClient require$/,
|
||||
].each do |line|
|
||||
it do
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'identity.conf' do
|
||||
let(:file) { '/etc/apache2/sites-available/identity.conf' }
|
||||
it 'configures required lines' do
|
||||
[/^<VirtualHost 127.0.0.1:5000>$/,
|
||||
/^ WSGIDaemonProcess identity/,
|
||||
/^ WSGIProcessGroup identity$/,
|
||||
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line|
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'restart apache' do
|
||||
it do
|
||||
expect(chef_run).to nothing_execute('Clear Keystone apache restart')
|
||||
.with(
|
||||
command: 'rm -f /var/chef/cache/keystone-apache-restarted'
|
||||
)
|
||||
end
|
||||
%w(
|
||||
/etc/keystone/keystone.conf
|
||||
/etc/apache2/sites-available/identity.conf
|
||||
).each do |f|
|
||||
it "#{f} notifies execute[Clear Keystone apache restart]" do
|
||||
expect(chef_run.template(f)).to notify('execute[Clear Keystone apache restart]').to(:run).immediately
|
||||
end
|
||||
end
|
||||
it do
|
||||
expect(chef_run).to run_execute('Keystone apache restart')
|
||||
.with(
|
||||
command: 'touch /var/chef/cache/keystone-apache-restarted',
|
||||
creates: '/var/chef/cache/keystone-apache-restarted'
|
||||
)
|
||||
end
|
||||
it do
|
||||
expect(chef_run.execute('Keystone apache restart')).to notify('execute[restore-selinux-context]').to(:run).immediately
|
||||
end
|
||||
it do
|
||||
expect(chef_run.execute('Keystone apache restart')).to notify('service[apache2]').to(:restart).immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,37 +1,36 @@
|
|||
<%= node['openstack']['identity']['custom_template_banner'] %>
|
||||
|
||||
<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
|
||||
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
|
||||
<VirtualHost <%= @server_host %>:<%= @server_port %>>
|
||||
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @user %> group=<%= @group %> display-name=%{GROUP}
|
||||
WSGIProcessGroup identity
|
||||
WSGIScriptAlias / <%= @params[:server_entry] %>
|
||||
WSGIScriptAlias / <%= @server_entry %>
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
ErrorLog <%= @params[:log_dir] %>/identity.log
|
||||
CustomLog <%= @params[:log_dir] %>/identity_access.log combined
|
||||
<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
|
||||
LogLevel debug
|
||||
<% end -%>
|
||||
ErrorLog <%= @log_dir %>/identity.log
|
||||
CustomLog <%= @log_dir %>/identity_access.log combined
|
||||
|
||||
<Directory /usr/bin>
|
||||
Require all granted
|
||||
</Directory>
|
||||
<% if node['openstack']['identity']['ssl']['enabled'] -%>
|
||||
|
||||
<% if @params[:use_ssl] -%>
|
||||
SSLEngine On
|
||||
SSLCertificateFile <%= @params[:cert_file] %>
|
||||
SSLCertificateKeyFile <%= @params[:key_file] %>
|
||||
SSLCACertificatePath <%= @params[:ca_certs_path] %>
|
||||
<% if @params[:chain_file] %>
|
||||
SSLCertificateChainFile <%= @params[:chain_file] %>
|
||||
SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %>
|
||||
SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %>
|
||||
SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %>
|
||||
<% if node['openstack']['identity']['ssl']['chainfile'] %>
|
||||
SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %>
|
||||
<% end -%>
|
||||
SSLProtocol <%= @params[:protocol] %>
|
||||
<% if @params[:ciphers] -%>
|
||||
SSLCipherSuite <%= @params[:ciphers] %>
|
||||
SSLProtocol <%= node['openstack']['identity']['ssl']['protocol'] %>
|
||||
<% if node['openstack']['identity']['ssl']['ciphers'] -%>
|
||||
SSLCipherSuite <%= node['openstack']['identity']['ssl']['ciphers'] %>
|
||||
<% end -%>
|
||||
<% if @params[:cert_required] -%>
|
||||
<% if node['openstack']['identity']['ssl']['cert_required'] -%>
|
||||
SSLVerifyClient require
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
</VirtualHost>
|
||||
|
||||
WSGISocketPrefix <%= @run_dir %>
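Review bot: The template now takes half of its inputs through `variables` (`@server_host`, `@log_dir`, `@run_dir`, `@user`, ...) and reads every SSL setting straight from `node[...]`, so the `variables:` hash asserted in the spec no longer describes the template's full contract and the file cannot be rendered without a node; passing `ssl: node['openstack']['identity']['ssl']` (or the individual keys) through `variables` keeps one style and keeps the template testable on its own. The chainfile conditional `<% if node['openstack']['identity']['ssl']['chainfile'] %>` is the only `<% if %>` in the file without the trailing `-%>`, so it leaves a stray blank line in the rendered vhost; `<% if node['openstack']['identity']['ssl']['chainfile'] -%>` matches the others. `SSLProtocol` is rendered verbatim from the attribute, whose default per the spec expectation is `All -SSLv2 -SSLv3`, which still admits TLS 1.0 and 1.1; that default lives in the attributes file rather than this hunk, but tightening it (e.g. `All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`) is worth a follow-up now that the directive is wired through here.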
|
||||
|
|