It was kept for backword compatibility but now returns the same value
as `is_service_enabled tls_proxy`[1].
[1] f3b2f4c85307b14f115a020f5eaf6c92026b55b4
Change-Id: I245b0ba9a81c934c808c0043a010f1ef82eee703
The Magnum service allow enables policies (RBAC) new defaults and scope by
default. The Default value of config options ``[oslo_policy] enforce_scope``
and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both to
``False``, but will change to ``True`` in following cycles.
To enable them then modify the below config options value in
``magnum.conf`` file::
[oslo_policy]
enforce_new_defaults=True
enforce_scope=True
reference tc goal for more detail:
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Related blueprint secure-rbac
Change-Id: I249942a355577c4f1ef51b3988f0cc4979959d0b
This patch brings Magnum in line with other services
by using uwsgi for the api service and replaces the use
of a custom api port with /container-infra.
- Switch to using uwsgi for functional tests.
- Use /container-infra instead of a custom api port.
Change-Id: Iab5b23b3874a46ccb5c942e64dc167258712bd31
The token end-point --os-url argument was removed in openstackclient
with I1b9fbb96e447889a41b705324725a2ffc8ecfd9f.
The plugin should be running as admin, I think we can remove all the
authentication arguments and just let it do it's thing.
Change-Id: I9b1dbc541c9fd6c0e3a894dd3a5dd9f2011f1e2a
Fedora Atomic 27 has end of life for a while, it's time to replace it
with Fedora Atomic 29 now.
Task: 36356
Story: 2006441
Change-Id: Iab131745854b0b908be17bd17c7510cd54dde1f5
With the new config option `keystone_auth_default_policy`, cloud admin
can set a default keystone auth policy for k8s cluster when the
keystone auth is enabled. As a result, user can use their current
keystone user to access k8s cluster as long as they're assigned
correct roles, and they will get the pre-defined permissions
set by the cloud provider.
The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth which is getting more useful now. For example,
in v1 it doesn't support a policy for user to access resources from
all namespaces but kube-system, but v2 can do that.
NOTE: Now we're using openstackmagnum dockerhub repo until CPO
team fixing their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
The admin_* variables are a relic of the Keystone V2 api and
should no longer be used at all.
It's important to keep the devstack config clean, as it is often
used as a reference for configuring services.
* Removed deprecated admin_user, admin_password and admin_tenant.
Story: 2004272
Task: 27821
Change-Id: I132e670f446e5172dc4f1847be7779645060ca4d
Switch to systemd logging to take advantage of some of the newer
logging features.
Story: 2004272
Task: 27820
Change-Id: I475bf26e24b3a725f68c7da355807374bf1e189b
We do currently not support www_authentication_uri at all, which
is the new standard, as auth_uri has long been deprecated.
* Make sure we support both auth_uri and www_authenticate_uri.
* Switched to www_authenticate_uri for devstack.
* Fixed a bug where a bad exception would be thrown if auth_uri
was not set.
Story: 2004271
Task: 27819
Change-Id: Ibc932d35f3d6ba2ac7ffb6193aa37bd4a3d4422e
We are currently hitting this error with the gate.
> NOT_ALLOWED - access to vhost 'None' refused for user 'stackrabbit'
This patch fixes this by using the inbuilt devstack construct
to create an appropriate transport_url.
Change-Id: I9aae96094b7bd8bc148ae3e42c118ba160eff8ae
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.
Closes-Bug: #1659545
Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
Added configuration parameter, send_cluster_metrics, to magnum.conf
with default value of True. If set to True, periodic tasks will pull
COE data and send to ceilometer. This parameter can be set to False to
disable periodic collection of data to avoid unnecessary load from the
cluster.
Closes-Bug: #1668330
Related-Bug: #1746510
Change-Id: I9945293e7b2b52731f6e220d0925c1f6ad097caa
Until [1] is in kubernetes we need to redirect from /v2 to
/identity/v2 for the cloud provider to work.
[1] https://github.com/gophercloud/gophercloud/pull/423
Change-Id: I5206e75e9528ceb8428c70df67e6ba26d01c4772
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.
Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.
Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2
Add doc in troubleshooting-guide.
Add release notes.
Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
Fix wrongly used start_tls_proxy function and correctly set api port
when tls-proxy is enabled.
Also remove start_tls_proxy for ec2 which is not required.
Co-Authored-By: yatin <ykarel@redhat.com>
Change-Id: I71b85b5cb018dd790e13aaa1eeefcbb8ac0b3b85
Closes-Bug: #1727613
This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
* add docker_volume_type for the cinder volumes which are
used for docker storage.
* add default_docker_volume_type configuration option
Related-Bug: #1678153
Change-Id: Ie18096acf24873ef91a904df4f1a84694a2bb644
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in mose deployment.
A new variable in trust section: trustee_keystone_interface which
default to public is introduced.
Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
Post [1] we cannot use auth_uri/auth_url containing :5000, :35357.
Update keystone auth_uri and auth_url in magnum.conf to connect
with keystone using /identity/v3 and /identity_admin/v3.
[1] https://review.openstack.org/#/c/456344/
Change-Id: I5d69e7454cf8a5e8c92ff23b6c932184d82e8a98
devstack: Allow access to ports 80 and 443
So far, we were allowing access to port 5000 for keystone.
When devstack siwtched to uwsgi we couldn't access keystone
anymore.
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Change-Id: I4d3d482889fd9f6119ceec81757abac9d1251a97
With this patch we will use glance v2 api's for interacting
with glance.
[1] I7f962a07317cdad917ee896d79e49ee18938d074
Closes-Bug: 1672535
Change-Id: Iedc25b55ad2751e14d3794b1cb80f724f1a735c4
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitely enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
Copy magnum.bash_completion script to /etc/bash_completion.d
so that users/developers can take advantage of auto completion
of magnum commands.
Change-Id: I8d0ba953e7eb963be1d9e459c4015e882231e2c8
Closes-Bug: #1657004
Patch: https://review.openstack.org/#/c/352806 has
set host=None and we don't change this parameter
neither in devstack installation nor in manual installation.
With this patch value of [DEFAULT]/host is set to
hostname of the host on which magnum is setup.
Also, updated manual installation step to set [DEFAULT]/host
to hostname.
Depends-on: I51feb6ccdc0fab91a591568866e6801f2bbb319b
Change-Id: Id43bfcc792b28c98c9bf1d888dd7ddcc167e8ea5
Closes-Bug: #1630190
"rabbit_userid", "rabbit_password", "rabbit_host" are deprecated for removal.
This patch changes these options to "transport_url" in DEFAULT group.
Change-Id: I0c33a1f84103d07e371e11229276c8cecdc485c4
Related-Bug: #1451226
Now that heat is available as a devstack plugin, we should
use it. In-tree devstack code for heat is planned to be
removed soon[1].
And also, this patch remove `update_heat_policy` function
in devstack plugin. Because fetching global stack list is
already option to use in Magnum.
[1] https://review.openstack.org/#/c/317618/
Change-Id: Iab675da5ea8d02b3f7e71f6169c81724a0066858
Co-Authored-By: OTSUKA, Yuanying <yuanying@fraction.jp>
Rule "context_is_admin" is defined in heat for admin role
and heat uses this rule to authorize admin operations.
Since default admin context can be updated by heat, we
should use the rule: context_is_admin.
In newton, heat updated the admin context to admin role
with admin tenant in following patch:-
https://review.openstack.org/#/c/316627/
Change-Id: Iea6f3a6124e0c4d29801641aff51e385f0399488
Closes-Bug: #1499302
To setup magnum easier, name based configuration is important.
This patch makes config file support trustee_domain_name and
trustee_domain_admin_name in trust section.
If name and id of trustee domain are provided by user, both
values are passed through into keystone.
Closes-Bug: #1581372
Change-Id: Ia691aca7c29a471f6ba36a1a371ec1edf830b365
After this patch [1], Magnum is no longer the "Container Service", it
became the "Container Infrastructure Management Service". This commit
updates the service name and description accordingly:
* Change service name from "container" to "container-infra"
* Update service description to reflect its mission
[1] https://review.openstack.org/#/c/311476/
Depends-On: I55205ff2b304678d2b53bbd4d66403078c6baac8
Closes-Bug: #1584251
Change-Id: I5c271bf3fc4d6ccecaf2918aca28ce946bcc6b22
* Add a CoreOS test class TestCoreosKubernetesAPIs
* Add a CoreOS test environment in tox.ini
* Create a base class BaseK8sTest and move OS-agnostic k8s testing
code to that class.
* Increase the disk size from 8G to 10G for m1.magnum and s1.magnum,
since CoreOS image requires more disk space to boot.
* Set os-distro property for CoreOS image.
Partial-Bug: #1546101
Change-Id: Ie56a9442ecebe05f39c7669bc950f5a6ca11df33
"m-api" is already used by Manila so switch to "magnum-api"
and "magnum-cond" for devstack.
Change-Id: I0f5e57dd263164652813088fe624f62cda664727
Closes-Bug: #1569879