This patch changes to use barbican plugin for devstack.
Change-Id: I7d2620888bef3ae6bcc34c333ef3a935245195cf
Partial-Implements: blueprint barbican-support
Update the doc to mention it clearly that DB Migration
does not work for SQLite Backend.
Change-Id: I7d2682f6b4af37fb0cc2d640b02fd598baf42625
Closes-Bug: #1487257
Nova uses a map of hashes for important parts of versioned objects. It
keeps a static mapping of previous objects, and generates a map of the
current objects. If these differ, a test fails, enforcing that the hash
of the object needs to be updated. Along with this, it usually means
that the version of the object itself needs to be updated because the
RPC contract of that object is now broken.
oslo_versionedobjects contains a fixture for helping generate and test
these hashes, so this fixture is used to test Magnum's object hashes.
Change-Id: I586f73570dc7b65c83b216d09d11e8dba3c63b2c
Closes-Bug: #1491855
This patch will proxy values to swarm-agent
services which would otherwise give an error
if you are not under proxy.
Change-Id: I63a0340a6806794e6f22a761cc1510697b3011bb
Closes-Bug: #1493952
Documentation for the o.vo fixture for checking object versions is being
added in Ie21746f6c2bab447a187b0b7507acdcea3d88c14.
This adds more documentation for how Magnum uses o.vo, and also how the
tests work for checking the object version.
(Related change: I586f73570dc7b65c83b216d09d11e8dba3c63b2c)
Change-Id: Ic490671b9e529bc2aed4ae385cd73dcb78fed397
Related-Bug: #1491855
In commit 6a264b6f, we involved template_def as a member of HeatPoller,
so this helper function _update_stack_outputs will be useless since
we don't need to call get_template_definition again.
Besides, adjust the testcases.
Closes-Bug: #1493192
Change-Id: Ie2ff8bf6f7e29092b8b11f663b70fe1cc4e93814
If you're going to install software using pip, then it means you're
willing to use pip to install software. If you are willing to do that,
then installing the latest pip via pip is completely reasonable. The
distro pip will often be too old or broken to work properly.
Closes-Bug: #1481085
Change-Id: If161c04aac30f489162cd72a329f71ddbe5635d6
Delete python bytecode before every test run.
Because python creates pyc files during tox runs, certain
changes in the tree, like deletes of files, or switching
branches, can create spurious errors.
Closes-Bug: #1368661
Change-Id: I7e563875848acc7ec767f97b31fc8a95b23ee880
The Certificate controller has 2 operations:

1. POST

Generate X509 certificate using bay's CA cert.
Below is an example of Certificate POST API request using magnum command:

Example Request:
    curl -X POST -H 'Content-Type: application/json' \
         -d '{"bay_uuid": "<bay_uuid>", "csr": "<csr>"}' \
         http://localhost:9511/v1/certificates

This creates an X509 certificate signed by the given bay's CA and returns
it. No database information is stored in Magnum against it. For each POST
request, a new certificate is generated.

Example Response:
    {"bay_uuid": "<bay_uuid>", "csr": "<csr>",
     "pem": "<pem encoded certificate>"}

2. GET

Fetches the CA cert associated with a bay. Below is an example of CA GET
API request using magnum command:

Example Request:
    curl -X GET http://localhost:9511/v1/certificates/<bay_uuid>

This fetches stored CA cert for the given Bay, which can be used to validate
any client and node certificates signed by the Bay's CA. The value for each
is fetched from Barbican or Magnum db based on the different configuration
for storage of certificates.

Example Response:
    {"bay_uuid": "<bay_uuid>", "pem": "<pem encoded certificate>"}

Co-Authored-By: Andrew Melton <andrew.melton@rackspace.com>
Change-Id: I4b72cc1e1bddc7a7c7eeb0ab22d3769a666ccb2b
Partially-Implements: bp secure-kubernetes
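
Added example, not part of the commit message above or of Magnum's code: the client side of the two Certificate operations, showing how the CSR is produced and JSON-encoded for the POST body and what to check on the returned "pem" against the CA from GET. A throwaway local CA stands in for the bay's CA so the script runs offline; the function names, subject names and UUID are constructed, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example. The throwaway local CA stands in for a bay's CA; all names
# and paths are constructed and everything runs offline.
WORK=$(mktemp -d)

# Generate key + CSR; only the CSR is sent, the private key stays local.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-user" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Build the POST body for bay UUID $1. PEM is multi-line, so each newline
# is written as the two characters \n to keep the JSON string valid.
post_body() {
    csr=$(awk '{printf "%s\\n", $0}' "$WORK/client.csr")
    printf '{"bay_uuid": "%s", "csr": "%s"}' "$1" "$csr"
}

# Stand-ins for the server side: create a CA named $1, sign the CSR with it.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
sign_csr() {
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/client.pem" 2>/dev/null
}

# Checks on the returned "pem" using CA file $1 (the GET response's "pem"):
# it must chain to that CA and must certify the key we generated.
check_cert() {
    openssl verify -CAfile "$1" "$WORK/client.pem" >/dev/null 2>&1 || return 1
    want=$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null)
    got=$(openssl x509 -in "$WORK/client.pem" -noout -pubkey 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

make_csr && make_ca bay-ca && sign_csr bay-ca
post_body "00000000-0000-0000-0000-000000000000"; echo
check_cert "$WORK/bay-ca.pem" && echo "certificate chains to bay CA"
```
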
Bay needs two certificates for CA and magnum conductor to support TLS
between Kubernetes API server and Magnum. This patch generates these
certs while creating bay.
Change-Id: Ide13a0a5dbb43f2acc085283859edf6373106d7f
Partial-Implements: blueprint magnum-as-a-ca
Magnum should manage x509 objects,
* To generate CA key and cert for each bay
* To generate client key for magnum-conductor
* To sign a public key for kube-apiserver
* To sign a public key for end user
This patch adds these abilities to Magnum.
Change-Id: Ib5d7180a230dad635b3b570122c5af88cd1ac7a7
Partial-Implements: blueprint magnum-as-a-ca
To implement TLS support, we should store CA and client cert for each
bay. This patch adds common library to store cert to Barbican.
Magnum uses service admin privilege to store the cert, this means that
end user can't retrieve CA cert and private key from Barbican
directly.
This patch is copied from neutron-lbaas project.
* I435189b2637e32803a13ebd4951e61fac4ab234d
Change-Id: I519228d9749ad610db3e0c698caa1144813f9d52
Partial-Implements: blueprint magnum-as-a-ca
In magnum.common.clients, barbican client uses
`keystone()._client` directly, but `keystone().client`
is better, because keystone()._client is None if it
is not loaded.
This fixes it.
Closes-Bug: #1491257
Change-Id: I3771ebef9c2a1d3756ea4ed2f964751d1c2da43f
get_discovery_url should never return an empty
URL. Added check and exception for this situation.
Co-Authored-By: Vilobh Meshram <vilobhmm@yahoo-inc.com>
DocImpact
Closes-Bug: #1491178
Change-Id: I2d5b3996c0ee53f40399ca3fd0d6b987daa26f79
By default the key to get node count is "number_of_minions"
which is not true for baymodels other than kubernetes
and it raises "KeyError" so that status of bay will not
be updated.
Closes-Bug: #1489725
Change-Id: I9f6a8ebbc26f501d54ef97937329845a12002d6c
Currently, external-network-id can accept network name,
so we can set external-network name to baymodel.
Previously, change `I0d2be33723817c604c6cab704d2efcbd1e4cc79f`
already removed the same for the kubernetes baymodel.
This patch removes it from the mesos/swarm baymodel.
Change-Id: Ia9276c75932483b244efe4c8f2eef5c9684128e8
Closes-Bug: #1491273
We don't have unit test for genconfig, so sometimes this feature
is broken because of missing options or moving options.
This patch adds checking test for config parameters.
Change-Id: I67a44ef02704f66740a6bda2b6502b6b1636a08b
Closes-Bug: #1490825
`tox -egenconfig` doesn't work, because
`magnum.db.sqlalchemy.models.sql_opts` is moved to
`magnum.db.sql_opts`.
This fixes it.
Change-Id: Ia617ee0ceae5bff7d745a9b48bfcdf9dfc00e336
Closes-Bug: #1490817
Before, the etcd cluster size was hard-coded to 1, since HA mode
hadn't been implemented at that time. Now, we fix it. The etcd
cluster size is set to the number of master nodes.
Change-Id: I198ca604401bc805f31e8187f5245177761edf56
Closes-Bug: #1491602
It seems the jenkins default image API version is 2, and the image v2
version does not support using a name for image-show. I tried latest
devstack, it calls v2 API. So in jenkins jobs let's use v1 version now.
In addition, specify the mountpoint parameter on VolumeAttachment
resource. Heat used to allow this parameter to be missing but that is
not the case anymore.
Change-Id: I1ae1eb20b9552444f0242a72e958c139209bf1f6
Closes-Bug: #1491314
This patch will replace use of manager with
master in nova instances because we will
support more masters in the future and the word
master is appropriate for nova instances.
Change-Id: I543010796f0cac9bcfed8387656d801aea9dc13a
Implements: blueprint manager-to-master
The link given for the Docker API returns an error as it
is an old version. So I removed the version extension
and also named it as "Docker Remote API"
Change-Id: If3d6ce2c74455a2d8c2c9fff51af1f5cbe330e76
Closes-Bug: #1488708
We decided to use barbican to store certs, and uuid of certs are
stored to bay. But Barbican doesn't return uuid, it returns URI. So
we should modify db table to store uri.
Change-Id: I5c6baf43b35df9a1134fce4fbc581d7642fa8e84
Closes-Bug: #1489707
Partial-Implements: blueprint magnum-as-a-ca