Remove port 35357 deployment

The legacy admin and public ports for Keystone has since the
release of the v3 API not been required as keystone moved all
actions to the same API. [1]

This patch removes the deployment of port 35357 and remodels
puppet-keystone and more specifically the keystone::wsgi::apache
class to only deploy keystone on port 5000.

This has already been changed in the installation guides [2]
and is the recommended way to deploy keystone.

We have already prepared all our modules default values to use
port 5000 instead of 35357 a while ago and we also in the Rocky
release informed our users with a release note that this would
be performed [3]

[1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py
[2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html
[3] https://review.openstack.org/#/c/586791/

Closes-Bug: 1804426
Depends-On: https://review.openstack.org/#/c/627793/
Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
changes/57/619257/17
Tobias Urdin 4 years ago
parent dc71b969a3
commit ace7aeb3b7
  1. 4
      lib/puppet/provider/keystone.rb
  2. 52
      manifests/federation/mellon.pp
  3. 72
      manifests/federation/openidc.pp
  4. 11
      manifests/federation/openidc_httpd_configuration.pp
  5. 55
      manifests/federation/shibboleth.pp
  6. 6
      manifests/params.pp
  7. 299
      manifests/wsgi/apache.pp
  8. 64
      releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml
  9. 4
      spec/acceptance/keystone_federation_identity_provider_spec.rb
  10. 4
      spec/acceptance/keystone_federation_shibboleth_spec.rb
  11. 4
      spec/acceptance/keystone_wsgi_apache_spec.rb
  12. 38
      spec/classes/keystone_federation_mellon_spec.rb
  13. 33
      spec/classes/keystone_federation_openidc_spec.rb
  14. 65
      spec/classes/keystone_federation_shibboleth_spec.rb
  15. 546
      spec/classes/keystone_wsgi_apache_spec.rb
  16. 14
      spec/unit/provider/keystone_spec.rb
  17. 4
      templates/openidc.conf.erb

@ -175,10 +175,10 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
if url = get_section('DEFAULT', 'admin_endpoint')
endpoint = url.chomp('/')
else
admin_port = get_section('DEFAULT', 'admin_port') || '5000'
public_port = get_section('DEFAULT', 'public_port') || '5000'
host = clean_host(get_section('DEFAULT', 'admin_bind_host'))
protocol = ssl? ? 'https' : 'http'
endpoint = "#{protocol}://#{host}:#{admin_port}"
endpoint = "#{protocol}://#{host}:#{public_port}"
end
end
return endpoint
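Review bot: The endpoint string is now built from DEFAULT/public_port, but the host on the line above it is still read from DEFAULT/admin_bind_host, so a deployment that binds the admin and public listeners to different addresses would get the public port paired with the admin address. If the module still writes DEFAULT/public_bind_host, read that next to the new `public_port = get_section('DEFAULT', 'public_port') || '5000'` line; otherwise record the asymmetry where it is made, e.g. `# host still comes from admin_bind_host; public_bind_host is deliberately not consulted`. The method this hunk belongs to starts before the hunk, so I cannot see whether a caller already handles that case.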

@ -17,16 +17,6 @@
# The name for your protocol associated with the IdP.
# (Required) String value.
#
# [*admin_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to false.
#
# [*main_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to true.
#
# [*template_order*]
# This number indicates the order for the concat::fragment that will apply
# the shibboleth configuration to Keystone VirtualHost. The value should
@ -57,17 +47,27 @@
# trusted_dashboards configuration instead of this parameter.
# Defaults to undef
#
# [*admin_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to undef.
#
# [*main_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to undef.
#
class keystone::federation::mellon (
$methods,
$idp_name,
$protocol_name,
$admin_port = false,
$main_port = true,
$template_order = 331,
$package_ensure = present,
$enable_websso = false,
# DEPRECATED
$trusted_dashboards = undef,
$admin_port = undef,
$main_port = undef,
) {
include ::apache
@ -79,6 +79,10 @@ class keystone::federation::mellon (
in Stein and will be removed in future releases")
}
if $admin_port or $main_port {
warning('keystone::federation::mellon::admin_port and main_port are deprecated and have no effect')
}
# Note: if puppet-apache modify these values, this needs to be updated
if $template_order <= 330 or $template_order >= 999 {
fail('The template order should be greater than 330 and less than 999.')
@ -93,14 +97,8 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
fail('Methods should contain saml2 as one of the auth methods.')
}
validate_bool($admin_port)
validate_bool($main_port)
validate_bool($enable_websso)
if( !$admin_port and !$main_port){
fail('No VirtualHost port to configure, please choose at least one.')
}
keystone_config {
'auth/methods': value => join(any2array($methods),',');
'auth/saml2': ensure => absent;
@ -122,20 +120,10 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
tag => 'keystone-support-package',
})
if $admin_port {
concat::fragment { 'configure_mellon_on_port_35357':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf",
content => template('keystone/mellon.conf.erb'),
order => $template_order,
}
}
if $main_port {
concat::fragment { 'configure_mellon_on_port_5000':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf",
content => template('keystone/mellon.conf.erb'),
order => $template_order,
}
concat::fragment { 'configure_mellon_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
content => template('keystone/mellon.conf.erb'),
order => $template_order,
}
}
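Review bot: The new fragment's `target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf"` silently encodes the title of the `openstacklib::wsgi::apache { 'keystone_wsgi': ... }` resource declared in keystone::wsgi::apache, and nothing here records that coupling, so a rename there would surface only as a missing concat target at catalog compile time. Add a comment above the fragment such as `# Target must match the openstacklib::wsgi::apache title ('keystone_wsgi') declared in keystone::wsgi::apache.` The same applies to the `configure_shibboleth_keystone` fragment in manifests/federation/shibboleth.pp and the `configure_openidc_keystone` fragment in manifests/federation/openidc.pp. The class body continues outside this hunk.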

@ -39,16 +39,6 @@
# (optional) Value to be used to obtain the entity ID of the Identity
# Provider from the environment.
#
# [*admin_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to false.
#
# [*main_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to true.
#
# [*template_order*]
# This number indicates the order for the concat::fragment that will apply
# the shibboleth configuration to Keystone VirtualHost. The value should
@ -64,11 +54,20 @@
# accepts latest or specific versions.
# Defaults to present.
#
# [*keystone_public_url*]
# (optional) URL to keystone public endpoint.
# [*keystone_url*]
# (optional) URL to keystone endpoint.
#
# [*keystone_admin_url*]
# (optional) URL to keystone admin endpoint.
# === DEPRECATED
#
# [*admin_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to undef.
#
# [*main_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to undef.
#
class keystone::federation::openidc (
$methods,
@ -79,20 +78,30 @@ class keystone::federation::openidc (
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$remote_id_attribute = undef,
$admin_port = false,
$main_port = true,
$template_order = 331,
$package_ensure = present,
$keystone_public_url = undef,
$keystone_admin_url = undef,
$keystone_url = undef,
# DEPRECATED
$admin_port = undef,
$main_port = undef,
) {
include ::apache
include ::keystone::deps
include ::keystone::params
$_keystone_public_url = pick($keystone_public_url, $::keystone::public_endpoint)
$_keystone_admin_url = pick($keystone_admin_url, $::keystone::admin_endpoint)
# TODO(tobias-urdin): Make keystone_url required when keystone::public_endpoint is removed.
# Dont forget to change the keystone_url_real variable in the templates/openidc.conf.rb file.
# The fail statement below can also be removed since keystone_url will be a required parameter.
$keystone_url_real = pick($keystone_url, $::keystone::public_endpoint)
if $keystone_url_real == undef or is_service_default($keystone_url_real) {
fail('You must set either keystone_url or keystone::public_endpoint')
}
if $admin_port or $main_port {
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
}
# Note: if puppet-apache modify these values, this needs to be updated
if $template_order <= 330 or $template_order >= 999 {
@ -107,16 +116,9 @@ class keystone::federation::openidc (
fail('Methods should contain openid as one of the auth methods.')
}
validate_legacy(Boolean, 'validate_bool', $admin_port)
validate_legacy(Boolean, 'validate_bool', $main_port)
if( !$admin_port and !$main_port){
fail('No VirtualHost port to configure, please choose at least one.')
}
keystone_config {
'auth/methods': value => join(any2array($methods),',');
'auth/openid': ensure => absent;
'auth/openid': ensure => absent;
}
if $remote_id_attribute {
@ -130,15 +132,9 @@ class keystone::federation::openidc (
tag => 'keystone-support-package',
})
if $admin_port and $_keystone_admin_url {
keystone::federation::openidc_httpd_configuration{ 'admin':
keystone_endpoint => $_keystone_admin_url,
}
}
if $main_port and $_keystone_public_url {
keystone::federation::openidc_httpd_configuration{ 'main':
keystone_endpoint => $_keystone_public_url,
}
concat::fragment { 'configure_openidc_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
content => template('keystone/openidc.conf.erb'),
order => $template_order,
}
}
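Review bot: The `fail('You must set either keystone_url or keystone::public_endpoint')` branch looks unreachable for the all-undef case, because stdlib's `pick()` on the line above raises its own "must receive at least one non empty value" error when every argument is empty, so a user who sets neither parameter gets the generic pick() message instead of the intended one. Using `$keystone_url_real = pick_default($keystone_url, $::keystone::public_endpoint)` returns undef and lets the explicit `== undef` check fire; the `is_service_default()` half of the condition is unaffected. The TODO comment above also refers to `templates/openidc.conf.rb`, while the file this change touches is `templates/openidc.conf.erb`. The class keystone::federation::openidc continues outside this hunk.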

@ -1,4 +1,6 @@
# == define: keystone::federation::openidc_httpd_configuration [70/1473]
# == define: keystone::federation::openidc_httpd_configuration
#
# DEPRECATED!
#
# == Parameters
#
@ -10,9 +12,6 @@
define keystone::federation::openidc_httpd_configuration (
$keystone_endpoint = undef
) {
concat::fragment { "configure_openidc_on_${title}":
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
content => template('keystone/openidc.conf.erb'),
order => $keystone::federation::openidc::template_order,
}
warning('keystone::federation::openidc_httpd_configuration is deprecated')
}
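Review bot: The new `# DEPRECATED!` header on this define names no replacement and no removal timeline, so a reader of the manifest cannot tell whether to stop calling it or what to call instead; the release note in this change already says it "will be removed in a future release" and that keystone::federation::openidc now adds the fragment itself, and that belongs here, e.g. `# DEPRECATED! keystone::federation::openidc now adds the openidc fragment itself; this define will be removed in a future release.` The `warning(...)` string could carry the same pointer so the log line is actionable. If the concat::fragment lines are still present on the new side, note also that their target of `keystone_wsgi_${title}.conf` no longer matches any vhost declared by keystone::wsgi::apache in this change, which only declares `keystone_wsgi`, so a leftover caller would, as far as I can tell, hit a missing concat target rather than just the warning.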

@ -2,16 +2,6 @@
#
# == Parameters
#
# [*admin_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to false.
#
# [*main_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to true.
#
# [*methods*]
# A list of methods used for authentication separated by comma or an array.
# The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2'
@ -47,6 +37,18 @@
# require => Anchor['openstack_extras_redhat']
# }
#
# === DEPRECATED
#
# [*admin_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to undef
#
# [*main_port*]
# A boolean value to ensure that you want to configure K2K Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to undef
#
# == Note about Redhat osfamily
# According to puppet-apache we need to enable a new repo, but in puppet-openstack
# we won't enable any external third party repo.
@ -55,16 +57,21 @@
#
class keystone::federation::shibboleth(
$methods,
$admin_port = false,
$main_port = true,
$suppress_warning = false,
$template_order = 331,
$yum_repo_name = 'shibboleth',
# DEPRECATED
$admin_port = undef,
$main_port = undef,
) {
include ::apache
include ::keystone::deps
if $admin_port or $main_port {
warning('keystone::federation::shibboleth::admin_port and main_port are deprecated and have no effect')
}
# Note: if puppet-apache modify these values, this needs to be updated
if $template_order <= 330 or $template_order >= 999 {
fail('The template order should be greater than 330 and less than 999.')
@ -79,14 +86,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
fail('Methods should contain saml2 as one of the auth methods.')
}
validate_bool($admin_port)
validate_bool($main_port)
validate_bool($suppress_warning)
if( !$admin_port and !$main_port){
fail('No VirtualHost port to configure, please choose at least one.')
}
keystone_config {
'auth/methods': value => join(any2array($methods),',');
'auth/saml2': ensure => absent;
@ -103,20 +104,10 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
class { '::apache::mod::shib': }
}
if $admin_port {
concat::fragment { 'configure_shibboleth_on_port_35357':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf",
content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
}
}
if $main_port {
concat::fragment { 'configure_shibboleth_on_port_5000':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf",
content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
}
concat::fragment { 'configure_shibboleth_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
}
} elsif $::osfamily == 'Redhat' {
if !$suppress_warning {

@ -9,12 +9,12 @@ class keystone::params {
} else {
$pyvers = ''
}
$client_package_name = "python${pyvers}-keystoneclient"
$keystone_user = 'keystone'
$keystone_group = 'keystone'
$keystone_wsgi_admin_script_path = '/usr/bin/keystone-wsgi-admin'
$keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public'
$group = 'keystone'
$group = 'keystone'
case $::osfamily {
'Debian': {
$package_name = 'keystone'

@ -14,32 +14,16 @@
# (Optional) The servername for the virtualhost.
# Defaults to $::fqdn
#
# [*servername_admin*]
# (Optional) The servername for the admin virtualhost.
# Defaults to $servername
#
# [*public_port*]
# (Optional) The public port.
# Defaults to 5000
#
# [*admin_port*]
# (Optional) The admin port.
# Defaults to 35357
#
# [*bind_host*]
# (Optional) The host/ip address Apache will listen on.
# Defaults to undef (listen on all ip addresses)
#
# [*admin_bind_host*]
# (Optional) The host/ip address Apache will listen on for admin API connections.
# Defaults to undef or bind_host if only that setting is used
# [*api_port*]
# (Optional) The keystone API port.
# Defaults to 5000
#
# [*public_path*]
# (Optional) The prefix for the public endpoint.
# Defaults to '/'
#
# [*admin_path*]
# (Optional) The prefix for the admin endpoint.
# [*path*]
# (Optional) The prefix for the API endpoint.
# Defaults to '/'
#
# [*ssl*]
@ -58,14 +42,6 @@
# (Optional) Path to SSL key
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_cert_admin*]
# (Optional) Path to SSL certificate for the admin endpoint.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_key_admin*]
# (Optional) Path to SSL key for the admin endpoint.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_chain*]
# (Optional) SSL chain.
# Default to apache::vhost 'ssl_*' defaults
@ -103,34 +79,19 @@
# script when the equivalent HTTP request headers are present.
# Defaults to 'On'
#
# [*wsgi_admin_script_source*]
# (Optional) Wsgi script source for the admin endpoint. If set to undef
# $::keystone::params::keystone_wsgi_admin_script_path is used. This source
# is copied to the apache cgi-bin path as keystone-admin.
# Defaults to undef
# [*wsgi_script_source*]
# (Optional) The wsgi script source for the API.
# This source is copied to the apache cgi-bin path as keystone-public.
# Defaults to '/usr/bin/keystone-wsgi-public'
#
# [*wsgi_public_script_source*]
# (Optional) Wsgi script source for the public endpoint. If set to undef
# $::keystone::params::keystone_wsgi_public_script_path is used. This source
# is copied to the apache cgi-bin path as keystone-main.
# Defaults to undef
#
# [*custom_wsgi_process_options_main*]
# [*custom_wsgi_process_options*]
# (Optional) gives you the oportunity to add custom process options or to
# overwrite the default options for the WSGI main process.
# overwrite the default options for the WSGI process.
# For example to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to {}
#
# [*custom_wsgi_process_options_admin*]
# (Optional) gives you the oportunity to add custom process options or to
# overwrite the default options for the WSGI admin process.
# eg. to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to {}
#
# [*access_log_file*]
# (Optional) The log file name for the virtualhost.
# Defaults to false
@ -172,21 +133,77 @@
# (Optional) apache::vhost wsgi_chunked_request parameter.
# Defaults to undef
#
## DEPRECATED PARAMS
#
# [*servername_admin*]
# (Optional) The servername for the admin virtualhost.
# Defaults to undef
#
# [*public_port*]
# (Optional) The public port.
# Defaults to undef
#
# [*admin_port*]
# (Optional) The admin port.
# Defaults to undef
#
# [*admin_bind_host*]
# (Optional) The host/ip address Apache will listen on for admin API connections.
# Defaults to undef
#
# [*public_path*]
# (Optional) The prefix for the public endpoint.
# Defaults to undef
#
# [*admin_path*]
# (Optional) The prefix for the admin endpoint.
# Defaults to undef
#
# [*ssl_cert_admin*]
# (Optional) Path to SSL certificate for the admin endpoint.
# Default to undef
#
# [*ssl_key_admin*]
# (Optional) Path to SSL key for the admin endpoint.
# Default to undef
#
# [*wsgi_admin_script_source*]
# (Optional) Wsgi script source for the admin endpoint. If set to undef
# $::keystone::params::keystone_wsgi_admin_script_path is used. This source
# is copied to the apache cgi-bin path as keystone-admin.
# Defaults to undef
#
# [*wsgi_public_script_source*]
# (Optional) Wsgi script source for the public endpoint. If set to undef
# $::keystone::params::keystone_wsgi_public_script_path is used. This source
# is copied to the apache cgi-bin path as keystone-main.
# Defaults to undef
#
# [*custom_wsgi_process_options_main*]
# (Optional) gives you the oportunity to add custom process options or to
# overwrite the default options for the WSGI main process.
# For example to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to undef
#
# [*custom_wsgi_process_options_admin*]
# (Optional) gives you the oportunity to add custom process options or to
# overwrite the default options for the WSGI admin process.
# eg. to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to undef
#
class keystone::wsgi::apache (
$servername = $::fqdn,
$servername_admin = undef,
$public_port = 5000,
$admin_port = 35357,
$bind_host = undef,
$admin_bind_host = undef,
$public_path = '/',
$admin_path = '/',
$api_port = 5000,
$path = '/',
$ssl = true,
$workers = $::os_workers,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_cert_admin = undef,
$ssl_key_admin = undef,
$ssl_chain = undef,
$ssl_ca = undef,
$ssl_crl_path = undef,
@ -197,8 +214,7 @@ class keystone::wsgi::apache (
$wsgi_application_group = '%{GLOBAL}',
$wsgi_pass_authorization = 'On',
$wsgi_chunked_request = undef,
$wsgi_admin_script_source = $::keystone::params::keystone_wsgi_admin_script_path,
$wsgi_public_script_source = $::keystone::params::keystone_wsgi_public_script_path,
$wsgi_script_source = '/usr/bin/keystone-wsgi-public',
$access_log_file = false,
$access_log_pipe = false,
$access_log_syslog = false,
@ -208,23 +224,51 @@ class keystone::wsgi::apache (
$error_log_syslog = undef,
$headers = undef,
$vhost_custom_fragment = undef,
$custom_wsgi_process_options_main = {},
$custom_wsgi_process_options_admin = {},
$custom_wsgi_process_options = {},
## DEPRECATED PARAMS
$servername_admin = undef,
$public_port = undef,
$admin_port = undef,
$admin_bind_host = undef,
$public_path = undef,
$admin_path = undef,
$ssl_cert_admin = undef,
$ssl_key_admin = undef,
$wsgi_admin_script_source = undef,
$wsgi_public_script_source = undef,
$custom_wsgi_process_options_main = undef,
$custom_wsgi_process_options_admin = undef,
) inherits ::keystone::params {
include ::keystone::deps
$servername_admin_real = pick_default($servername_admin, $servername)
if $ssl {
# Attempt to use the admin cert/key, else default to the public one.
# Since it's possible that no cert/key were given, we allow this to be empty with pick_default
$ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert)
$ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key)
} else {
$ssl_cert_admin_real = undef
$ssl_key_admin_real = undef
# TODO(tobias-urdin): Remove all deprecated parameters and this warnings in Train release.
if $servername_admin {
warning('keystone::wsgi::apache::servername_admin has no effect, please use servername')
}
if $public_port or $admin_port {
warning('keystone::wsgi::apache::public_port and admin_port has no effect, please use api_port')
}
if $admin_bind_host {
warning('keystone::wsgi::apache::admin_bind_host has no effect, please use bind_host')
}
if $public_path or $admin_path {
warning('keystone::wsgi::apache::public_path and admin_path has no effect, please use path')
}
if $ssl_cert_admin or $ssl_key_admin {
warning('keystone::wsgi::apache::ssl_cert_admin and ssl_key_admin has no effect, please use ssl_cert and ssl_key')
}
if $wsgi_admin_script_source or $wsgi_public_script_source {
warning('keystone::wsgi::apache::wsgi_admin_script_source and wsgi_public_script_source has no effect, please use wsgi_script_source')
}
if $custom_wsgi_process_options_main or $custom_wsgi_process_options_admin {
warning('keystone::wsgi::apache::custom_wsgi_process_options_main and custom_wsgi_process_options_admin has no effect, \
please use custom_wsgi_process_options')
}
# TODO(tobias-urdin): This dependency chaining can be moved to keystone::deps
# when we have cleaned up some old eventlet code and users are forced to use
# apache even though it's pretty much enforced today.
# The httpd package is untagged, but needs to have ordering enforced,
# so handle it here rather than in the deps class.
@ -246,61 +290,15 @@ class keystone::wsgi::apache (
Anchor['keystone::config::end']
~> Service['httpd']
# Ensure there's no trailing '/' except if this is also the only character
$public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
$admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
if $public_port == $admin_port and $public_path_real == $admin_path_real {
fail('When using the same port for public and admin endpoints, public_path and admin_path should be different.')
}
file { $::keystone::params::keystone_wsgi_script_path:
ensure => directory,
owner => 'keystone',
group => 'keystone',
mode => '0755',
require => Anchor['keystone::install::end'],
}
if $public_port == $admin_port {
$custom_wsgi_script_aliases = { $admin_path_real => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin" }
# NOTE(tobasco): Create this here since openstacklib::wsgi::apache only handles
# the keystone-public file if running public and admin on the same port.
file { 'keystone_wsgi_admin':
ensure => present,
path => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin",
owner => 'keystone',
group => 'keystone',
mode => '0644',
source => $wsgi_admin_script_source,
require => File[$::keystone::params::keystone_wsgi_script_path],
}
$apache_require = [
File['keystone_wsgi_admin'],
]
} else {
$custom_wsgi_script_aliases = undef
$apache_require = []
}
if $admin_bind_host {
$real_admin_bind_host = $admin_bind_host
} else {
# backwards compat before we had admin_bind_host
$real_admin_bind_host = $bind_host
}
::openstacklib::wsgi::apache { 'keystone_wsgi_main':
::openstacklib::wsgi::apache { 'keystone_wsgi':
servername => $servername,
bind_host => $bind_host,
bind_port => $public_port,
group => 'keystone',
path => $public_path_real,
bind_port => $api_port,
group => $::keystone::params::keystone_group,
path => $path,
workers => $workers,
threads => $threads,
user => 'keystone',
user => $::keystone::params::keystone_user,
priority => $priority,
ssl => $ssl,
ssl_cert => $ssl_cert,
@ -310,18 +308,17 @@ class keystone::wsgi::apache (
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
wsgi_daemon_process => 'keystone_main',
wsgi_process_display_name => 'keystone-main',
wsgi_process_group => 'keystone_main',
wsgi_daemon_process => 'keystone',
wsgi_process_display_name => 'keystone',
wsgi_process_group => 'keystone',
wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path,
wsgi_script_file => 'keystone-public',
wsgi_script_source => $wsgi_public_script_source,
wsgi_script_file => 'keystone',
wsgi_script_source => $wsgi_script_source,
wsgi_application_group => $wsgi_application_group,
wsgi_pass_authorization => $wsgi_pass_authorization,
wsgi_chunked_request => $wsgi_chunked_request,
headers => $headers,
custom_wsgi_process_options => $custom_wsgi_process_options_main,
custom_wsgi_script_aliases => $custom_wsgi_script_aliases,
custom_wsgi_process_options => $custom_wsgi_process_options,
vhost_custom_fragment => $vhost_custom_fragment,
access_log_file => $access_log_file,
access_log_pipe => $access_log_pipe,
@ -330,47 +327,5 @@ class keystone::wsgi::apache (
error_log_file => $error_log_file,
error_log_pipe => $error_log_pipe,
error_log_syslog => $error_log_syslog,
require => $apache_require,
}
if $public_port != $admin_port {
::openstacklib::wsgi::apache { 'keystone_wsgi_admin':
servername => $servername_admin_real,
bind_host => $real_admin_bind_host,
bind_port => $admin_port,
group => 'keystone',
path => $admin_path_real,
workers => $workers,
threads => $threads,
user => 'keystone',
priority => $priority,
ssl => $ssl,
ssl_cert => $ssl_cert_admin_real,
ssl_key => $ssl_key_admin_real,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
wsgi_daemon_process => 'keystone_admin',
wsgi_process_display_name => 'keystone-admin',
wsgi_process_group => 'keystone_admin',
wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path,
wsgi_script_file => 'keystone-admin',
wsgi_script_source => $wsgi_admin_script_source,
wsgi_application_group => $wsgi_application_group,
wsgi_pass_authorization => $wsgi_pass_authorization,
custom_wsgi_process_options => $custom_wsgi_process_options_admin,
vhost_custom_fragment => $vhost_custom_fragment,
wsgi_chunked_request => $wsgi_chunked_request,
headers => $headers,
access_log_file => $access_log_file,
access_log_pipe => $access_log_pipe,
access_log_syslog => $access_log_syslog,
access_log_format => $access_log_format,
error_log_file => $error_log_file,
error_log_pipe => $error_log_pipe,
error_log_syslog => $error_log_syslog,
}
}
}
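Review bot: The trailing-slash normalisation the old code applied to the endpoint path (`regsubst($public_path, '(^/.*)/$', '\1')` under the "Ensure there's no trailing '/'" comment) has no counterpart for the new `$path` parameter: `path => $path,` in the `openstacklib::wsgi::apache { 'keystone_wsgi': ... }` resource passes the caller's value through unchanged, so `path => '/identity/'` would now reach the vhost with its trailing slash, unless the regsubst was moved into the lines between the two preceding hunks that this page does not show. Keep the old comment and add `$path_real = regsubst($path, '(^/.*)/$', '\1')` before the resource, then use `path => $path_real,`. Separately, the release note says api_port may be given an array containing 35357 and 5000 for compatibility, but the `[*api_port*]` doc only says "The keystone API port. Defaults to 5000"; if arrays are really accepted by bind_port, say so, e.g. `# (Optional) The keystone API port, or an array of ports to listen on.` Several of the new warning strings use "has no effect" for two subjects (e.g. `public_port and admin_port has no effect`) and should read "have no effect".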

@ -0,0 +1,64 @@
---
prelude: >
This release puppet-keystone no longer deploys keystone with separated
ports (admin and public as they were called in v2.0). By default keystone
will only listen to port 5000, you need to make sure all your services are
configured to use the correct port to talk to keystone.
features:
- |
Added new parameter keystone::federation::openidc::keystone_url that can be
used to set the keystone url for federation, if not provided it will use
keystone::public_endpoint.
upgrade:
- |
Keystone is now deployed with only port 5000, you can change this with
keystone::wsgi::apache::api_port, you need to make sure all your services are
configured to talk to keystone on this port. If you want to keep backward
compatibility with port 35357 you should pass an array to api_port with
both port 35357 and 5000.
- |
The providers has been updated to read DEFAULT/public_port which defaults
to 5000 and use that port to talk to Keystone when managing resources.
You need to make sure that keystone::public_port and keystone::wsgi::apache::api_port
is set to the same value if you are deploying keystone with Apache WSGI.
- |
keystone::federation::mellon is now added to Keystone WSGI for port 5000 by
default and admin_port and main_port parameters does not do anything and is
deprecated.
- |
keystone::federation::shibboleth is now added to Keystone WSGI for port 5000
by default and admin_port and main_port parameters does not do anything and is
deprecated.
- |
keystone::federation::openidc is now added to Keystone WSGI for port 5000
by default and admin_port and main_port parameters does not do anything and is
deprecated.
- |
keystone::federation::openidc::keystone_url parameter has been added to give the
keystone endpoint, if it's not provided keystone::public_endpoint will be used.
We recommend that you set this since keystone::public_endpoint might be deprecated
in a future release.
deprecations:
- |
As of the removal of port 35357 the following parameters are deprecated
in the keystone::wsgi::apache class and has no effect:
- ``servername_admin`` please use ``servername``
- ``public_port`` and ``admin_port`` please use ``api_port``
- ``admin_bind_host`` please use ``bind_host``
- ``public_path`` and ``admin_path`` please use ``path``
- ``ssl_cert_admin`` and ``ssl_key_admin`` please use ``ssl_cert`` and ``ssl_key``
- ``wsgi_admin_script_source`` and ``wsgi_public_script_source`` please use ``wsgi_script_source``
- ``custom_wsgi_process_options_main`` and ``custom_wsgi_process_options_admin`` please use ``custom_wsgi_process_options``
- |
keystone::federation::mellon::admin_port and main_port is deprecated and has no effect
and will be removed in a future release.
- |
keystone::federation::shibboleth::admin_port and main_port is deprecated and has no effect
and will be removed in a future release.
- |
keystone::federation::openidc::admin_port and main_port is deprecated and has no effect
and will be removed in a future release.
- |
keystone::federation::openidc_httpd_configuration is deprecated and will be removed in
a future release.

@ -83,10 +83,6 @@ describe 'keystone server running with Apache/WSGI as Identity Provider' do
it { is_expected.to be_listening }
end
describe port(35357) do
it { is_expected.to be_listening }
end
describe cron do
it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
end

@ -81,10 +81,6 @@ describe 'keystone server running with Apache/WSGI as Service Provider with Shib
it { is_expected.to be_listening }
end
describe port(35357) do
it { is_expected.to be_listening }
end
describe cron do
it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
end

@ -77,10 +77,6 @@ describe 'keystone server running with Apache/WSGI with resources' do
it { is_expected.to be_listening }
end
describe port(35357) do
it { is_expected.to be_listening }
end
describe cron do
it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') }
end

@ -29,12 +29,6 @@ describe 'keystone::federation::mellon' do
it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
end
before do
params.merge!({:admin_port => false,
:main_port => false})
it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./
end
before do
params.merge!({:template_port => 330})
it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./
@ -53,33 +47,9 @@ describe 'keystone::federation::mellon' do
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
end
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
# This need to change if priority is changed in keystone::wsgi::apache
:target => "10-keystone_wsgi_main.conf",
:order => params[:template_order],
})}
end
context 'with override default parameters' do
before do
params.merge!({
:admin_port => true })
end
it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
end
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
# This need to change if priority is changed in keystone::wsgi::apache
:target => "10-keystone_wsgi_main.conf",
:order => params[:template_order],
})}
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_35357').with({
it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({
# This need to change if priority is changed in keystone::wsgi::apache
:target => "10-keystone_wsgi_admin.conf",
:target => "10-keystone_wsgi.conf",
:order => params[:template_order],
})}
end
@ -105,8 +75,8 @@ describe 'keystone::federation::mellon' do
is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/')
end
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
:target => "10-keystone_wsgi_main.conf",
it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({
:target => "10-keystone_wsgi.conf",
:order => params[:template_order],
})}
end
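Review bot: The rewritten mellon contexts only assert that `configure_mellon_keystone` targets `10-keystone_wsgi.conf`; nothing pins that the admin-side fragment is actually gone, so a manifest that still emitted `configure_mellon_on_port_35357` into `10-keystone_wsgi_admin.conf` would pass this spec unchanged. Adding `it { is_expected.to_not contain_concat__fragment('configure_mellon_on_port_35357') }` next to the new assertion (the shibboleth spec already uses the `to_not` form for the package-less case) makes the removal of the second listener a tested property rather than an assumption. The same gap exists in the openidc section, where `configure_openidc_on_admin` disappears without a negative counterpart. Whether `admin_port`/`main_port` were removed outright or kept as deprecated no-ops is not visible from these spec hunks; the context exercising them is deleted rather than replaced, so the behaviour for callers still passing them is unasserted either way.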

@ -35,12 +35,6 @@ describe 'keystone::federation::openidc' do
it_raises 'a Puppet::Error', /Methods should contain openid as one of the auth methods./
end
before do
params.merge!(:admin_port => false,
:main_port => false)
it_raises 'a Puppet:Error', /No VirtualHost port to configure, please choose at least one./
end
before do
params.merge!(:template_port => 330)
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
@ -77,31 +71,8 @@ describe 'keystone::federation::openidc' do
is_expected.to contain_keystone_config('auth/openid').with_ensure('absent')
end
it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({
:target => "10-keystone_wsgi_main.conf",
:order => params[:template_order],
})}
end
context 'with override default parameters' do
before do
params.merge!({
:admin_port => true,
})
end
it 'should have basic params for openidc in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openid')
is_expected.to contain_keystone_config('auth/openid').with_ensure('absent')
end
it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({
:target => "10-keystone_wsgi_main.conf",
:order => params[:template_order],
})}
it { is_expected.to contain_concat__fragment('configure_openidc_on_admin').with({
:target => "10-keystone_wsgi_admin.conf",
it { is_expected.to contain_concat__fragment('configure_openidc_keystone').with({
:target => "10-keystone_wsgi.conf",
:order => params[:template_order],
})}
end

@ -27,12 +27,6 @@ describe 'keystone::federation::shibboleth' do
it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
end
context 'no ports' do
let (:params) { default_params.merge(:admin_port => false,
:main_port => false) }
it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./
end
context 'template port too low' do
let(:params) { default_params.merge(:template_order => 330) }
it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./
@ -85,30 +79,16 @@ describe 'keystone::federation::shibboleth' do
end
context 'with defaults' do
let (:params) { default_params }
it { is_expected.to contain_apache__mod('shib2') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({
:target => "10-keystone_wsgi_main.conf",
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({
:target => "10-keystone_wsgi.conf",
:order => params[:template_order],
})}
end
context 'with overrides' do
let (:params) { default_params.merge({
:admin_port => true,
:template_order => 332
}) }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it {is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it {
is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
:target => "10-keystone_wsgi_admin.conf",
:order => params[:template_order],
})
}
end
end
@ -126,45 +106,22 @@ describe 'keystone::federation::shibboleth' do
let (:params) { default_params }
it { is_expected.to contain_apache__mod('shib2') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({
:target => "10-keystone_wsgi_main.conf",
:order => params[:template_order],
})}
end
context 'with overrides' do
let (:params) { default_params.merge({
:admin_port => true,
:template_order => 332
}) }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it {
is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
:target => "10-keystone_wsgi_admin.conf",
:order => params[:template_order],
})
}
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({
:target => "10-keystone_wsgi.conf",
:order => params[:template_order],
})}
end
end
context 'without repo or package' do
context 'with defaults' do
let (:params) { default_params }
it { is_expected.to_not contain_apache__mod('shib2') }
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_5000') }
end
context 'with overrides' do
let (:params) { default_params.merge({
:admin_port => true,
:template_order => 332
}) }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') }
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_keystone') }
end
end
end
@ -174,8 +131,8 @@ describe 'keystone::federation::shibboleth' do
let (:params) { default_params }
it { is_expected.to contain_apache__mod('shib2') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({
:target => "10-keystone_wsgi_main.conf",
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({
:target => "10-keystone_wsgi.conf",
:order => params[:template_order],
})}
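Review bot: In the first shibboleth hunk (`@ -85,30 +79,16`) the `with overrides` context keeps `:template_order => 332` and the keystone_config assertions but loses its fragment assertion: the `configure_shibboleth_on_port_35357` block is removed and, as far as visible, nothing replaces it in that context, so the non-default `template_order` is no longer checked against `:order` there (the `with defaults` assertion only ever sees the default value). The later hunk (`@ -126,45 +106,22`) does add `configure_shibboleth_keystone` inside its overrides context; mirroring that here with `it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with(:target => "10-keystone_wsgi.conf", :order => params[:template_order]) }` restores coverage of the override. The enclosing describe blocks start and end outside these hunks.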

@ -2,87 +2,24 @@ require 'spec_helper'
describe 'keystone::wsgi::apache' do
let :global_facts do
{
:os_workers => 8,
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'some.host.tld'
}
end
let :pre_condition do
[
'class { keystone: admin_token => "dummy", service_name => "httpd", enable_ssl => true }'
]
"class { '::keystone':
admin_token => 'dummy',
service_name => 'httpd',
enable_ssl => true,
}"
end
shared_examples_for 'apache serving keystone with mod_wsgi' do
it { is_expected.to contain_service('httpd').with_name(platform_params[:httpd_service_name]) }
it { is_expected.to contain_class('keystone::params') }
it { is_expected.to contain_class('apache') }
it { is_expected.to contain_class('apache::mod::wsgi') }
it { is_expected.to contain_class('apache::mod::ssl') }
it { is_expected.to contain_class('keystone::db::sync') }
describe 'with default parameters' do
it { is_expected.to contain_file("#{platform_params[:wsgi_script_path]}").with(
:ensure => 'directory',
:owner => 'keystone',
:group => 'keystone',
:require => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('keystone_wsgi_admin').with(
:ensure => 'file',
:path => "#{platform_params[:wsgi_script_path]}/keystone-admin",
:source => platform_params[:wsgi_admin_script_source],
:owner => 'keystone',
:group => 'keystone',
:mode => '0644',
:require => "File[#{platform_params[:wsgi_script_path]}]",
)}
it { is_expected.to contain_file('keystone_wsgi_main').with(
:ensure => 'file',
:path => "#{platform_params[:wsgi_script_path]}/keystone-public",
:source => platform_params[:wsgi_public_script_source],
:owner => 'keystone',
:group => 'keystone',
:mode => '0644',
:require => "File[#{platform_params[:wsgi_script_path]}]",
)}
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
:servername => 'some.host.tld',
:bind_port => 35357,
:group => 'keystone',
:workers => facts[:os_workers],
:threads => 1,
:user => 'keystone',
:priority => '10',
:ssl => true,
:wsgi_daemon_process => 'keystone_main',
:wsgi_process_display_name => 'keystone-main',
:wsgi_process_group => 'keystone_main',
:wsgi_application_group => '%{GLOBAL}',
:wsgi_script_dir => platform_params[:wsgi_script_path],
:wsgi_script_file => 'keystone-public',
:wsgi_pass_authorization => 'On',
:headers => nil,
:custom_wsgi_process_options => {},
:access_log_file => false,
:access_log_pipe => false,
:access_log_syslog => false,
:access_log_format => false,
:error_log_file => nil,
:error_log_pipe => nil,
:error_log_syslog => nil,
:require => 'File[keystone_wsgi_main]',
)}
shared_examples 'keystone::wsgi::apache' do
context 'with default parameters' do
it {
should contain_class('keystone::params')
should contain_class('keystone::deps')
}
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
:servername => 'some.host.tld',
:bind_host => nil,
:bind_port => 5000,
:group => 'keystone',
:workers => facts[:os_workers],
@ -90,12 +27,13 @@ describe 'keystone::wsgi::apache' do
:user => 'keystone',
:priority => '10',
:ssl => true,
:wsgi_daemon_process => 'keystone_admin',
:wsgi_process_display_name => 'keystone-admin',
:wsgi_process_group => 'keystone_admin',
:wsgi_daemon_process => 'keystone',
:wsgi_process_display_name => 'keystone',
:wsgi_process_group => 'keystone',
:wsgi_application_group => '%{GLOBAL}',
:wsgi_script_dir => platform_params[:wsgi_script_path],
:wsgi_script_file => 'keystone-admin',
:wsgi_script_file => 'keystone',
:wsgi_script_source => '/usr/bin/keystone-wsgi-public',
:wsgi_pass_authorization => 'On',
:headers => nil,
:custom_wsgi_process_options => {},
@ -106,402 +44,170 @@ describe 'keystone::wsgi::apache' do
:error_log_file => nil,
:error_log_pipe => nil,
:error_log_syslog => nil,
:require => 'File[keystone_wsgi_admin]',
)}
it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") }
end
describe 'when overriding parameters using different ports' do
context 'when overriding parameters' do
let :params do
{
:servername => 'dummy.host',
:bind_host => '10.42.51.1',
:admin_bind_host => '10.42.51.2',
:public_port => 12345,
:admin_port => 4142,
:ssl => false,
:workers => 37,
:vhost_custom_fragment => 'LimitRequestFieldSize 81900'
}
end
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with(
:servername => 'dummy.host',
:bind_host => '10.42.51.1',
:bind_port => 12345,
:user => 'keystone',
:group => 'keystone',
:workers => 37,
:threads => 1,
:priority => '10',
:ssl => false,
:wsgi_daemon_process => 'keystone_main',
:wsgi_process_display_name => 'keystone-main',
:wsgi_process_group => 'keystone_main',
:wsgi_application_group => '%{GLOBAL}',
:wsgi_script_dir => platform_params[:wsgi_script_path],
:wsgi_script_file => 'keystone-public',
:wsgi_pass_authorization => 'On',
:headers => nil,
:custom_wsgi_process_options => {},
:vhost_custom_fragment => 'LimitRequestFieldSize 81900',
:access_log_file => false,
:access_log_pipe => false,
:access_log_syslog => false,
:access_log_format => false,
:error_log_file => nil,
:error_log_pipe => nil,
:error_log_syslog => nil,
:require => 'File[keystone_wsgi_main]',
)}
it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with(
:servername => 'dummy.host',
:bind_host => '10.42.51.1',
:bind_port => 4142,
:group => 'keystone',
:workers => 37,
:threads => 1,
:user => 'keystone',
:priority => '10',
:ssl => false,
:wsgi_daemon_process => 'keystone_admin',
:wsgi_process_display_name => 'keystone-admin',
:wsgi_process_group => 'keystone_admin',
:wsgi_application_group => '%{GLOBAL}',
:wsgi_script_dir => platform_params[:wsgi_script_path],
:wsgi_script_file => 'keystone-admin',
:wsgi_pass_authorization => 'On',
:headers => nil,
:custom_wsgi_process_options => {},
:vhost_custom_fragment => 'LimitRequestFieldSize 81900',
:access_log_file => false,
:access_log_pipe => false,
:access_log_syslog => false,
:access_log_format => false,
:error_log_file => nil,
:error_log_pipe => nil,
:error_log_syslog => nil,
:require => 'File[keystone_wsgi_admin]',
)}
it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") }
end
describe 'when admin_bind_host is not set default to bind_host' do
:servername => 'dummy.host',
:bind_host => '127.0.0.1',
:api_port => 1234,
:path => '/keystone',
:ssl => false,
:workers => 10,
:ssl_cert => 'ssl cert',
:ssl_key => 'ssl key',
:ssl_chain => 'ssl chain',
:ssl_ca => 'ssl ca',
:ssl_crl_path => '/etc/ssl',
:ssl_crl => 'crl',
:ssl_certs_dir => '/etc/ssl/certs',
:threads => 10,
:priority => '20',
:wsgi_application_group => 'group',
:wsgi_pass_authorization => 'Off',
:wsgi_chunked_request => 'On',
:wsgi_script_source => '/path/to/my/script.py',
:headers => 'set X-Frame-Options "DENY"',
:vhost_custom_fragment => 'custom',
:custom_wsgi_process_options => { 'python-path' => '/my/python/virtualenv' },
}
end
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
:servername => params[:servername],
:bind_host => params[:bind_host],
:bind_port => params[:api_port],
:path => params[:path],
:workers => params[:workers],
:threads => params[:threads],
:priority => params[:priority],
:ssl => params[:ssl],
:ssl_cert => params[:ssl_cert],
:ssl_key => params[:ssl_key],
:ssl_chain => params[:ssl_chain],
:ssl_ca => params[:ssl_ca],
:ssl_crl_path => params[:ssl_crl_path],
:ssl_crl => params[:ssl_crl],
:ssl_certs_dir => params[:ssl_certs_dir],
:wsgi_application_group => params[:wsgi_application_group],
:wsgi_pass_authorization => params[:wsgi_pass_authorization],
:wsgi_chunked_request => params[:wsgi_chunked_request],
:wsgi_script_source => params[:wsgi_script_source],
:headers => params[:headers],
:vhost_custom_fragment => params[:vhost_custom_fragment],
:custom_wsgi_process_options => params[:custom_wsgi_process_options],