diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb index 52c4c780f..385d7662f 100644 --- a/lib/puppet/provider/keystone.rb +++ b/lib/puppet/provider/keystone.rb @@ -175,10 +175,10 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack if url = get_section('DEFAULT', 'admin_endpoint') endpoint = url.chomp('/') else - admin_port = get_section('DEFAULT', 'admin_port') || '5000' + public_port = get_section('DEFAULT', 'public_port') || '5000' host = clean_host(get_section('DEFAULT', 'admin_bind_host')) protocol = ssl? ? 'https' : 'http' - endpoint = "#{protocol}://#{host}:#{admin_port}" + endpoint = "#{protocol}://#{host}:#{public_port}" end end return endpoint diff --git a/manifests/federation/mellon.pp b/manifests/federation/mellon.pp index f6dce51c4..54dadfec0 100644 --- a/manifests/federation/mellon.pp +++ b/manifests/federation/mellon.pp @@ -17,16 +17,6 @@ # The name for your protocol associated with the IdP. # (Required) String value. # -# [*admin_port*] -# A boolean value to ensure that you want to configure K2K Federation -# using Keystone VirtualHost on port 35357. -# (Optional) Defaults to false. -# -# [*main_port*] -# A boolean value to ensure that you want to configure K2K Federation -# using Keystone VirtualHost on port 5000. -# (Optional) Defaults to true. -# # [*template_order*] # This number indicates the order for the concat::fragment that will apply # the shibboleth configuration to Keystone VirtualHost. The value should 
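Review bot: The rebuilt endpoint now mixes the two listener configurations: the port comes from `DEFAULT/public_port` but the host still comes from `DEFAULT/admin_bind_host`, which this same commit deprecates in `keystone::wsgi::apache` in favour of `bind_host`, so a deployment that had bound the admin API to an internal address ends up with a URL pointing at a host that no longer listens. Prefer the public bind host and keep the admin one only as a fallback, e.g. `host = clean_host(get_section('DEFAULT', 'public_bind_host') || get_section('DEFAULT', 'admin_bind_host'))`, assuming the module writes `public_bind_host` alongside `public_port` (not visible here). It would also be worth consulting `DEFAULT/public_endpoint` before synthesising a URL, if the lines above this hunk do not already do so, since that is the value operators are now told to set. The enclosing method starts before this hunk.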
@@ -57,17 +47,27 @@ # trusted_dashboards configuration instead of this parameter. # Defaults to undef # +# [*admin_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 35357. +# (Optional) Defaults to undef. +# +# [*main_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 5000. +# (Optional) Defaults to undef. +# class keystone::federation::mellon ( $methods, $idp_name, $protocol_name, - $admin_port = false, - $main_port = true, $template_order = 331, $package_ensure = present, $enable_websso = false, # DEPRECATED $trusted_dashboards = undef, + $admin_port = undef, + $main_port = undef, ) { include ::apache @@ -79,6 +79,10 @@ class keystone::federation::mellon ( in Stein and will be removed in future releases") } + if $admin_port or $main_port { + warning('keystone::federation::mellon::admin_port and main_port are deprecated and have no effect') + } + # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { fail('The template order should be greater than 330 and less than 999.') @@ -93,14 +97,8 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even fail('Methods should contain saml2 as one of the auth methods.') } - validate_bool($admin_port) - validate_bool($main_port) validate_bool($enable_websso) - if( !$admin_port and !$main_port){ - fail('No VirtualHost port to configure, please choose at least one.') - } - keystone_config { 'auth/methods': value => join(any2array($methods),','); 'auth/saml2': ensure => absent; 
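Review bot: The deprecation guard `if $admin_port or $main_port` only fires for truthy values, so the one combination whose meaning actually changed is silent: `main_port => false` with `admin_port => true` used to put the Mellon SAML configuration only on the 35357 listener, and now lands it on the public vhost with no warning at all (and `admin_port => false, main_port => false`, which used to `fail`, now compiles quietly). Test for the parameter having been set rather than for truthiness, `if $admin_port != undef or $main_port != undef {`, so every caller still passing either parameter is told it has no effect. The message could also say where the configuration now goes, e.g. `'... are deprecated and have no effect; mellon is always configured on the keystone_wsgi vhost'`.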
@@ -122,20 +120,10 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even tag => 'keystone-support-package', }) - if $admin_port { - concat::fragment { 'configure_mellon_on_port_35357': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf", - content => template('keystone/mellon.conf.erb'), - order => $template_order, - } - } - - if $main_port { - concat::fragment { 'configure_mellon_on_port_5000': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf", - content => template('keystone/mellon.conf.erb'), - order => $template_order, - } + concat::fragment { 'configure_mellon_keystone': + target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", + content => template('keystone/mellon.conf.erb'), + order => $template_order, } } diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp index 35a0da02c..ed7efc047 100644 --- a/manifests/federation/openidc.pp +++ b/manifests/federation/openidc.pp @@ -39,16 +39,6 @@ # (optional) Value to be used to obtain the entity ID of the Identity # Provider from the environment. # -# [*admin_port*] -# A boolean value to ensure that you want to configure openidc Federation -# using Keystone VirtualHost on port 35357. -# (Optional) Defaults to false. -# -# [*main_port*] -# A boolean value to ensure that you want to configure openidc Federation -# using Keystone VirtualHost on port 5000. -# (Optional) Defaults to true. -# # [*template_order*] # This number indicates the order for the concat::fragment that will apply # the shibboleth configuration to Keystone VirtualHost. The value should 
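Review bot: Renaming the fragment from `configure_mellon_on_port_5000` to `configure_mellon_keystone` is a silent interface break for any profile that orders against `Concat::Fragment['configure_mellon_on_port_5000']`, and the release note does not mention it; either keep the old title or list the rename under `upgrade`. A one-line comment above the resource would also help the next reader: `# The 35357 vhost is gone, so the SP config is attached to the single keystone_wsgi vhost.` The enclosing class continues outside this hunk.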
@@ -64,11 +54,20 @@ # accepts latest or specific versions. # Defaults to present. # -# [*keystone_public_url*] -# (optional) URL to keystone public endpoint. +# [*keystone_url*] +# (optional) URL to keystone endpoint. # -# [*keystone_admin_url*] -# (optional) URL to keystone admin endpoint. +# === DEPRECATED +# +# [*admin_port*] +# A boolean value to ensure that you want to configure openidc Federation +# using Keystone VirtualHost on port 35357. +# (Optional) Defaults to undef. +# +# [*main_port*] +# A boolean value to ensure that you want to configure openidc Federation +# using Keystone VirtualHost on port 5000. +# (Optional) Defaults to undef. # class keystone::federation::openidc ( $methods, 
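Review bot: `keystone_public_url` and `keystone_admin_url` are removed outright rather than deprecated, unlike every other parameter touched by this commit, so existing manifests passing them now fail with an unknown-parameter error and the release note does not list the removal. Consider keeping `$keystone_public_url = undef` as a deprecated alias that feeds the new url selection and warns when set. The new parameter doc is also thinner than the behaviour; suggested text: `# (optional) URL to the keystone endpoint used in the OIDC httpd configuration. Falls back to keystone::public_endpoint; catalog compilation fails if neither is set.`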
@@ -79,20 +78,30 @@ class keystone::federation::openidc ( $openidc_crypto_passphrase = 'openstack', $openidc_response_type = 'id_token', $remote_id_attribute = undef, - $admin_port = false, - $main_port = true, $template_order = 331, $package_ensure = present, - $keystone_public_url = undef, - $keystone_admin_url = undef, + $keystone_url = undef, + # DEPRECATED + $admin_port = undef, + $main_port = undef, ) { include ::apache include ::keystone::deps include ::keystone::params - $_keystone_public_url = pick($keystone_public_url, $::keystone::public_endpoint) - $_keystone_admin_url = pick($keystone_admin_url, $::keystone::admin_endpoint) + # TODO(tobias-urdin): Make keystone_url required when keystone::public_endpoint is removed. + # Dont forget to change the keystone_url_real variable in the templates/openidc.conf.rb file. + # The fail statement below can also be removed since keystone_url will be a required parameter. + $keystone_url_real = pick($keystone_url, $::keystone::public_endpoint) + + if $keystone_url_real == undef or is_service_default($keystone_url_real) { + fail('You must set either keystone_url or keystone::public_endpoint') + } + + if $admin_port or $main_port { + warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect') + } # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { @@ -107,16 +116,9 @@ class keystone::federation::openidc ( fail('Methods should contain openid as one of the auth methods.') } - validate_legacy(Boolean, 'validate_bool', $admin_port) - validate_legacy(Boolean, 'validate_bool', $main_port) - - if( !$admin_port and !$main_port){ - fail('No VirtualHost port to configure, please choose at least one.') - } - keystone_config { 'auth/methods': value => join(any2array($methods),','); - 'auth/openid': ensure => absent; + 'auth/openid': ensure => absent; } if $remote_id_attribute { 
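Review bot: The `$keystone_url_real == undef` branch is unreachable: stdlib's `pick()` raises its own "must receive at least one non empty value" error when every argument is undef or empty, so an operator who sets neither `keystone_url` nor `keystone::public_endpoint` never sees the message written here. Use `$keystone_url_real = pick_default($keystone_url, $::keystone::public_endpoint)` (already used elsewhere in this module) so the explicit `fail` actually runs; the `is_service_default` half of the check is fine. Reading `$::keystone::public_endpoint` also assumes class `keystone` has been evaluated before this one, while only `include ::keystone::deps` is visible — worth confirming. Not introduced here but visible in context: `$openidc_crypto_passphrase = 'openstack'` is a shared, guessable default for the mod_auth_openidc state/session secret and deserves a follow-up to make it required.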
@@ -130,15 +132,9 @@ class keystone::federation::openidc ( tag => 'keystone-support-package', }) - if $admin_port and $_keystone_admin_url { - keystone::federation::openidc_httpd_configuration{ 'admin': - keystone_endpoint => $_keystone_admin_url, - } - } - - if $main_port and $_keystone_public_url { - keystone::federation::openidc_httpd_configuration{ 'main': - keystone_endpoint => $_keystone_public_url, - } + concat::fragment { 'configure_openidc_keystone': + target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", + content => template('keystone/openidc.conf.erb'), + order => $template_order, } } diff --git a/manifests/federation/openidc_httpd_configuration.pp b/manifests/federation/openidc_httpd_configuration.pp index eaea7c69d..efb03305a 100644 --- a/manifests/federation/openidc_httpd_configuration.pp +++ b/manifests/federation/openidc_httpd_configuration.pp @@ -1,4 +1,6 @@ -# == define: keystone::federation::openidc_httpd_configuration [70/1473] +# == define: keystone::federation::openidc_httpd_configuration +# +# DEPRECATED! # # == Parameters # @@ -10,9 +12,6 @@ define keystone::federation::openidc_httpd_configuration ( $keystone_endpoint = undef ) { - concat::fragment { "configure_openidc_on_${title}": - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf", - content => template('keystone/openidc.conf.erb'), - order => $keystone::federation::openidc::template_order, - } + + warning('keystone::federation::openidc_httpd_configuration is deprecated') } diff --git a/manifests/federation/shibboleth.pp b/manifests/federation/shibboleth.pp index 7658d1331..6c9deab29 100644 --- a/manifests/federation/shibboleth.pp +++ b/manifests/federation/shibboleth.pp 
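Review bot: `keystone::federation::openidc_httpd_configuration` is reduced to a warning but keeps its `$keystone_endpoint` parameter, so a manifest that declared the define directly still compiles, warns once, and leaves the vhost without any OIDC configuration. If the define is kept for compatibility the message should name the replacement: `warning('keystone::federation::openidc_httpd_configuration is deprecated and no longer manages any httpd configuration, use keystone::federation::openidc instead')`. The class-level fragment in the first hunk renders `openidc.conf.erb` without the `keystone_endpoint` the define used to pass; the template change that switches it to `keystone_url_real` (mentioned in the TODO) is not part of this diff, so the two should land together.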
@@ -2,16 +2,6 @@ # # == Parameters # -# [*admin_port*] -# A boolean value to ensure that you want to configure K2K Federation -# using Keystone VirtualHost on port 35357. -# (Optional) Defaults to false. -# -# [*main_port*] -# A boolean value to ensure that you want to configure K2K Federation -# using Keystone VirtualHost on port 5000. -# (Optional) Defaults to true. -# # [*methods*] # A list of methods used for authentication separated by comma or an array. # The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2' @@ -47,6 +37,18 @@ # require => Anchor['openstack_extras_redhat'] # } # +# === DEPRECATED +# +# [*admin_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 35357. +# (Optional) Defaults to undef +# +# [*main_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 5000. +# (Optional) Defaults to undef +# # == Note about Redhat osfamily # According to puppet-apache we need to enable a new repo, but in puppet-openstack # we won't enable any external third party repo. @@ -55,16 +57,21 @@ # class keystone::federation::shibboleth( $methods, - $admin_port = false, - $main_port = true, $suppress_warning = false, $template_order = 331, $yum_repo_name = 'shibboleth', + # DEPRECATED + $admin_port = undef, + $main_port = undef, ) { include ::apache include ::keystone::deps + if $admin_port or $main_port { + warning('keystone::federation::shibboleth::admin_port and main_port are deprecated and have no effect') + } + # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { fail('The template order should be greater than 330 and less than 999.') 
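Review bot: The warning in `keystone::federation::shibboleth` is keyed on truthiness, so a caller passing `main_port => false` (previously the way to keep the Shibboleth SP off the public port and only on 35357) gets no warning while the SP configuration silently moves onto the public vhost. Compare against undef instead: `if $admin_port != undef or $main_port != undef {`. The `=== DEPRECATED` doc section is good; mirroring the same heading in `mellon.pp`, which this commit leaves without one, would keep the three federation classes consistent.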
@@ -79,14 +86,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e fail('Methods should contain saml2 as one of the auth methods.') } - validate_bool($admin_port) - validate_bool($main_port) validate_bool($suppress_warning) - if( !$admin_port and !$main_port){ - fail('No VirtualHost port to configure, please choose at least one.') - } - keystone_config { 'auth/methods': value => join(any2array($methods),','); 'auth/saml2': ensure => absent; @@ -103,20 +104,10 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e class { '::apache::mod::shib': } } - if $admin_port { - concat::fragment { 'configure_shibboleth_on_port_35357': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf", - content => template('keystone/shibboleth.conf.erb'), - order => $template_order, - } - } - - if $main_port { - concat::fragment { 'configure_shibboleth_on_port_5000': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf", - content => template('keystone/shibboleth.conf.erb'), - order => $template_order, - } + concat::fragment { 'configure_shibboleth_keystone': + target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", + content => template('keystone/shibboleth.conf.erb'), + order => $template_order, } } elsif $::osfamily == 'Redhat' { if !$suppress_warning { diff --git a/manifests/params.pp b/manifests/params.pp index f61c79aa9..25a17dea5 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -9,12 +9,12 @@ class keystone::params { } else { $pyvers = '' } + $client_package_name = "python${pyvers}-keystoneclient" $keystone_user = 'keystone' $keystone_group = 'keystone' - $keystone_wsgi_admin_script_path = '/usr/bin/keystone-wsgi-admin' - $keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public' - $group = 'keystone' + $group = 'keystone' + case $::osfamily { 'Debian': { $package_name = 'keystone' 
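Review bot: Dropping `$keystone_wsgi_admin_script_path` and `$keystone_wsgi_public_script_path` from `keystone::params` is an unannounced removal of values that other code may still reference — the deprecated-parameter docs added to `keystone::wsgi::apache` in this very commit still say `$::keystone::params::keystone_wsgi_admin_script_path is used`. Either keep the two variables (they are cheap) or fix the references and note the removal; the module otherwise follows a deprecate-then-remove policy. Minor: `$group = 'keystone'` now sits next to an identical `$keystone_group` and the two could be collapsed.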
diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index a78598343..149725571 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp @@ -14,32 +14,16 @@ # (Optional) The servername for the virtualhost. # Defaults to $::fqdn # -# [*servername_admin*] -# (Optional) The servername for the admin virtualhost. -# Defaults to $servername -# -# [*public_port*] -# (Optional) The public port. -# Defaults to 5000 -# -# [*admin_port*] -# (Optional) The admin port. -# Defaults to 35357 -# # [*bind_host*] # (Optional) The host/ip address Apache will listen on. # Defaults to undef (listen on all ip addresses) # -# [*admin_bind_host*] -# (Optional) The host/ip address Apache will listen on for admin API connections. -# Defaults to undef or bind_host if only that setting is used +# [*api_port*] +# (Optional) The keystone API port. +# Defaults to 5000 # -# [*public_path*] -# (Optional) The prefix for the public endpoint. -# Defaults to '/' -# -# [*admin_path*] -# (Optional) The prefix for the admin endpoint. +# [*path*] +# (Optional) The prefix for the API endpoint. # Defaults to '/' # # [*ssl*] @@ -58,14 +42,6 @@ # (Optional) Path to SSL key # Default to apache::vhost 'ssl_*' defaults # -# [*ssl_cert_admin*] -# (Optional) Path to SSL certificate for the admin endpoint. -# Default to apache::vhost 'ssl_*' defaults -# -# [*ssl_key_admin*] -# (Optional) Path to SSL key for the admin endpoint. -# Default to apache::vhost 'ssl_*' defaults -# # [*ssl_chain*] # (Optional) SSL chain. # Default to apache::vhost 'ssl_*' defaults 
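Review bot: The `api_port` documentation says only "Defaults to 5000", while the release note tells operators to pass an array such as `[35357, 5000]` to keep the legacy admin port; if `openstacklib::wsgi::apache` really accepts an array for `bind_port` (not shown here) document it, otherwise the release note is wrong. Suggested wording: `# (Optional) Port, or array of ports, the keystone API listens on. Pass [35357, 5000] to keep the removed admin port reachable during a migration.` The `path` doc could likewise note that, unlike the old `public_path`, the value is passed to the vhost as given.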
@@ -103,34 +79,19 @@ # script when the equivalent HTTP request headers are present. # Defaults to 'On' # -# [*wsgi_admin_script_source*] -# (Optional) Wsgi script source for the admin endpoint. If set to undef -# $::keystone::params::keystone_wsgi_admin_script_path is used. This source -# is copied to the apache cgi-bin path as keystone-admin. -# Defaults to undef +# [*wsgi_script_source*] +# (Optional) The wsgi script source for the API. +# This source is copied to the apache cgi-bin path as keystone-public. +# Defaults to '/usr/bin/keystone-wsgi-public' # -# [*wsgi_public_script_source*] -# (Optional) Wsgi script source for the public endpoint. If set to undef -# $::keystone::params::keystone_wsgi_public_script_path is used. This source -# is copied to the apache cgi-bin path as keystone-main. -# Defaults to undef -# -# [*custom_wsgi_process_options_main*] +# [*custom_wsgi_process_options*] # (Optional) gives you the oportunity to add custom process options or to -# overwrite the default options for the WSGI main process. +# overwrite the default options for the WSGI process. # For example to use a virtual python environment for the WSGI process # you could set it to: # { python-path => '/my/python/virtualenv' } # Defaults to {} # -# [*custom_wsgi_process_options_admin*] -# (Optional) gives you the oportunity to add custom process options or to -# overwrite the default options for the WSGI admin process. -# eg. to use a virtual python environment for the WSGI process -# you could set it to: -# { python-path => '/my/python/virtualenv' } -# Defaults to {} -# # [*access_log_file*] # (Optional) The log file name for the virtualhost. # Defaults to false 
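Review bot: The new `wsgi_script_source` doc says the script is copied "as keystone-public", but the vhost later in this patch sets `wsgi_script_file => 'keystone'`, so the sentence is stale on arrival. Change it to `# This source is copied to the apache cgi-bin path as keystone.` and, while here, `oportunity` → `opportunity` in the `custom_wsgi_process_options` text.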
@@ -172,21 +133,77 @@ # (Optional) apache::vhost wsgi_chunked_request parameter. # Defaults to undef # +## DEPRECATED PARAMS +# +# [*servername_admin*] +# (Optional) The servername for the admin virtualhost. +# Defaults to undef +# +# [*public_port*] +# (Optional) The public port. +# Defaults to undef +# +# [*admin_port*] +# (Optional) The admin port. +# Defaults to undef +# +# [*admin_bind_host*] +# (Optional) The host/ip address Apache will listen on for admin API connections. +# Defaults to undef +# +# [*public_path*] +# (Optional) The prefix for the public endpoint. +# Defaults to undef +# +# [*admin_path*] +# (Optional) The prefix for the admin endpoint. +# Defaults to undef +# +# [*ssl_cert_admin*] +# (Optional) Path to SSL certificate for the admin endpoint. +# Default to undef +# +# [*ssl_key_admin*] +# (Optional) Path to SSL key for the admin endpoint. +# Default to undef +# +# [*wsgi_admin_script_source*] +# (Optional) Wsgi script source for the admin endpoint. If set to undef +# $::keystone::params::keystone_wsgi_admin_script_path is used. This source +# is copied to the apache cgi-bin path as keystone-admin. +# Defaults to undef +# +# [*wsgi_public_script_source*] +# (Optional) Wsgi script source for the public endpoint. If set to undef +# $::keystone::params::keystone_wsgi_public_script_path is used. This source +# is copied to the apache cgi-bin path as keystone-main. +# Defaults to undef +# +# [*custom_wsgi_process_options_main*] +# (Optional) gives you the oportunity to add custom process options or to +# overwrite the default options for the WSGI main process. +# For example to use a virtual python environment for the WSGI process +# you could set it to: +# { python-path => '/my/python/virtualenv' } +# Defaults to undef +# +# [*custom_wsgi_process_options_admin*] +# (Optional) gives you the oportunity to add custom process options or to +# overwrite the default options for the WSGI admin process. +# eg. 
to use a virtual python environment for the WSGI process +# you could set it to: +# { python-path => '/my/python/virtualenv' } +# Defaults to undef +# class keystone::wsgi::apache ( $servername = $::fqdn, - $servername_admin = undef, - $public_port = 5000, - $admin_port = 35357, $bind_host = undef, - $admin_bind_host = undef, - $public_path = '/', - $admin_path = '/', + $api_port = 5000, + $path = '/', $ssl = true, $workers = $::os_workers, $ssl_cert = undef, $ssl_key = undef, - $ssl_cert_admin = undef, - $ssl_key_admin = undef, $ssl_chain = undef, $ssl_ca = undef, $ssl_crl_path = undef, @@ -197,8 +214,7 @@ class keystone::wsgi::apache ( $wsgi_application_group = '%{GLOBAL}', $wsgi_pass_authorization = 'On', $wsgi_chunked_request = undef, - $wsgi_admin_script_source = $::keystone::params::keystone_wsgi_admin_script_path, - $wsgi_public_script_source = $::keystone::params::keystone_wsgi_public_script_path, + $wsgi_script_source = '/usr/bin/keystone-wsgi-public', $access_log_file = false, $access_log_pipe = false, $access_log_syslog = false, 
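Review bot: The deprecated-parameter docs are copied from the old text and now describe behaviour that no longer exists: `wsgi_admin_script_source` and `wsgi_public_script_source` still say `$::keystone::params::keystone_wsgi_admin_script_path is used` and "copied ... as keystone-admin", although those params variables are deleted in this same commit and the parameters have no effect. Replace those paragraphs with a one-liner each, e.g. `# (Optional) Deprecated, has no effect. Use wsgi_script_source.`, and use the `# === DEPRECATED` heading the federation classes use instead of `## DEPRECATED PARAMS`. The parameter list runs past the end of this hunk.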
@@ -208,23 +224,51 @@ class keystone::wsgi::apache ( $error_log_syslog = undef, $headers = undef, $vhost_custom_fragment = undef, - $custom_wsgi_process_options_main = {}, - $custom_wsgi_process_options_admin = {}, + $custom_wsgi_process_options = {}, + ## DEPRECATED PARAMS + $servername_admin = undef, + $public_port = undef, + $admin_port = undef, + $admin_bind_host = undef, + $public_path = undef, + $admin_path = undef, + $ssl_cert_admin = undef, + $ssl_key_admin = undef, + $wsgi_admin_script_source = undef, + $wsgi_public_script_source = undef, + $custom_wsgi_process_options_main = undef, + $custom_wsgi_process_options_admin = undef, ) inherits ::keystone::params { include ::keystone::deps - $servername_admin_real = pick_default($servername_admin, $servername) - - if $ssl { - # Attempt to use the admin cert/key, else default to the public one. - # Since it's possible that no cert/key were given, we allow this to be empty with pick_default - $ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert) - $ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key) - } else { - $ssl_cert_admin_real = undef - $ssl_key_admin_real = undef + # TODO(tobias-urdin): Remove all deprecated parameters and this warnings in Train release. 
+ if $servername_admin { + warning('keystone::wsgi::apache::servername_admin has no effect, please use servername') } + if $public_port or $admin_port { + warning('keystone::wsgi::apache::public_port and admin_port has no effect, please use api_port') + } + if $admin_bind_host { + warning('keystone::wsgi::apache::admin_bind_host has no effect, please use bind_host') + } + if $public_path or $admin_path { + warning('keystone::wsgi::apache::public_path and admin_path has no effect, please use path') + } + if $ssl_cert_admin or $ssl_key_admin { + warning('keystone::wsgi::apache::ssl_cert_admin and ssl_key_admin has no effect, please use ssl_cert and ssl_key') + } + if $wsgi_admin_script_source or $wsgi_public_script_source { + warning('keystone::wsgi::apache::wsgi_admin_script_source and wsgi_public_script_source has no effect, please use wsgi_script_source') + } + if $custom_wsgi_process_options_main or $custom_wsgi_process_options_admin { + warning('keystone::wsgi::apache::custom_wsgi_process_options_main and custom_wsgi_process_options_admin has no effect, \ +please use custom_wsgi_process_options') + } + + # TODO(tobias-urdin): This dependency chaining can be moved to keystone::deps + # when we have cleaned up some old eventlet code and users are forced to use + # apache even though it's pretty much enforced today. # The httpd package is untagged, but needs to have ordering enforced, # so handle it here rather than in the deps class. 
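Review bot: The last warning's message is broken: inside a Puppet single-quoted string a backslash before a newline is not a continuation (only `\\` and `\'` are escapes), so the emitted text contains a literal backslash followed by a line break. Keep the message on one line, accepting the puppet-lint line-length warning or splitting it into two `warning()` calls; each message should also read "have no effect" since it names two parameters. Consider pointing `admin_port` users at the documented migration path, e.g. `warning('keystone::wsgi::apache::public_port and admin_port have no effect, use api_port (an array keeps 35357 listening)')`. The class body continues beyond this hunk.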
@@ -246,61 +290,15 @@ class keystone::wsgi::apache ( Anchor['keystone::config::end'] ~> Service['httpd'] - # Ensure there's no trailing '/' except if this is also the only character - $public_path_real = regsubst($public_path, '(^/.*)/$', '\1') - $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1') - - if $public_port == $admin_port and $public_path_real == $admin_path_real { - fail('When using the same port for public and admin endpoints, public_path and admin_path should be different.') - } - - file { $::keystone::params::keystone_wsgi_script_path: - ensure => directory, - owner => 'keystone', - group => 'keystone', - mode => '0755', - require => Anchor['keystone::install::end'], - } - - if $public_port == $admin_port { - $custom_wsgi_script_aliases = { $admin_path_real => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin" } - - # NOTE(tobasco): Create this here since openstacklib::wsgi::apache only handles - # the keystone-public file if running public and admin on the same port. 
- file { 'keystone_wsgi_admin': - ensure => present, - path => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin", - owner => 'keystone', - group => 'keystone', - mode => '0644', - source => $wsgi_admin_script_source, - require => File[$::keystone::params::keystone_wsgi_script_path], - } - - $apache_require = [ - File['keystone_wsgi_admin'], - ] - } else { - $custom_wsgi_script_aliases = undef - $apache_require = [] - } - - if $admin_bind_host { - $real_admin_bind_host = $admin_bind_host - } else { - # backwards compat before we had admin_bind_host - $real_admin_bind_host = $bind_host - } - - ::openstacklib::wsgi::apache { 'keystone_wsgi_main': + ::openstacklib::wsgi::apache { 'keystone_wsgi': servername => $servername, bind_host => $bind_host, - bind_port => $public_port, - group => 'keystone', - path => $public_path_real, + bind_port => $api_port, + group => $::keystone::params::keystone_group, + path => $path, workers => $workers, threads => $threads, - user => 'keystone', + user => $::keystone::params::keystone_user, priority => $priority, ssl => $ssl, ssl_cert => $ssl_cert, 
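Review bot: The trailing-slash normalisation that `public_path`/`admin_path` received (`regsubst($public_path, '(^/.*)/$', '\1')`) was dropped together with the same-port check, so `path => '/identity/'` is now handed to the vhost verbatim and yields a different `WSGIScriptAlias` than before. Restore it for the new parameter: `$path_real = regsubst($path, '(^/.*)/$', '\1')` and `path => $path_real,`. The explicit `file { $::keystone::params::keystone_wsgi_script_path: ensure => directory, mode => '0755' }` is also gone; unless `openstacklib::wsgi::apache` creates `wsgi_script_dir` itself (not visible here) the script copy will fail on a fresh host. The `::openstacklib::wsgi::apache` declaration continues into the next hunk.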
@@ -310,18 +308,17 @@ class keystone::wsgi::apache ( ssl_crl_path => $ssl_crl_path, ssl_crl => $ssl_crl, ssl_certs_dir => $ssl_certs_dir, - wsgi_daemon_process => 'keystone_main', - wsgi_process_display_name => 'keystone-main', - wsgi_process_group => 'keystone_main', + wsgi_daemon_process => 'keystone', + wsgi_process_display_name => 'keystone', + wsgi_process_group => 'keystone', wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path, - wsgi_script_file => 'keystone-public', - wsgi_script_source => $wsgi_public_script_source, + wsgi_script_file => 'keystone', + wsgi_script_source => $wsgi_script_source, wsgi_application_group => $wsgi_application_group, wsgi_pass_authorization => $wsgi_pass_authorization, wsgi_chunked_request => $wsgi_chunked_request, headers => $headers, - custom_wsgi_process_options => $custom_wsgi_process_options_main, - custom_wsgi_script_aliases => $custom_wsgi_script_aliases, + custom_wsgi_process_options => $custom_wsgi_process_options, vhost_custom_fragment => $vhost_custom_fragment, access_log_file => $access_log_file, access_log_pipe => $access_log_pipe, 
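Review bot: Renaming the vhost to `keystone_wsgi` and the daemon process to `keystone` means the previously managed `NN-keystone_wsgi_main.conf` and `NN-keystone_wsgi_admin.conf` vhost files and the `keystone-main`/`keystone-admin` script copies become unmanaged rather than removed. With puppetlabs-apache's default purging the stale vhosts disappear, but on a deployment that set `purge_configs => false` the old admin vhost keeps listening on 35357 with the old WSGI script, plus a second vhost definition competing for port 5000 — an unmanaged listener the release note promises is gone. Add explicit `ensure => absent` resources for the two old vhost files (and the old script files) for at least one release, and cover it in the upgrade note. Also `wsgi_script_file => 'keystone'` contradicts the parameter doc, which says `keystone-public`.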
@@ -330,47 +327,5 @@ class keystone::wsgi::apache ( error_log_file => $error_log_file, error_log_pipe => $error_log_pipe, error_log_syslog => $error_log_syslog, - require => $apache_require, - } - - if $public_port != $admin_port { - ::openstacklib::wsgi::apache { 'keystone_wsgi_admin': - servername => $servername_admin_real, - bind_host => $real_admin_bind_host, - bind_port => $admin_port, - group => 'keystone', - path => $admin_path_real, - workers => $workers, - threads => $threads, - user => 'keystone', - priority => $priority, - ssl => $ssl, - ssl_cert => $ssl_cert_admin_real, - ssl_key => $ssl_key_admin_real, - ssl_chain => $ssl_chain, - ssl_ca => $ssl_ca, - ssl_crl_path => $ssl_crl_path, - ssl_crl => $ssl_crl, - ssl_certs_dir => $ssl_certs_dir, - wsgi_daemon_process => 'keystone_admin', - wsgi_process_display_name => 'keystone-admin', - wsgi_process_group => 'keystone_admin', - wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path, - wsgi_script_file => 'keystone-admin', - wsgi_script_source => $wsgi_admin_script_source, - wsgi_application_group => $wsgi_application_group, - wsgi_pass_authorization => $wsgi_pass_authorization, - custom_wsgi_process_options => $custom_wsgi_process_options_admin, - vhost_custom_fragment => $vhost_custom_fragment, - wsgi_chunked_request => $wsgi_chunked_request, - headers => $headers, - access_log_file => $access_log_file, - access_log_pipe => $access_log_pipe, - access_log_syslog => $access_log_syslog, - access_log_format => $access_log_format, - error_log_file => $error_log_file, - error_log_pipe => $error_log_pipe, - error_log_syslog => $error_log_syslog, - } } } diff --git a/releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml b/releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml new file mode 100644 index 000000000..77329853b --- /dev/null +++ b/releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml 
@@ -0,0 +1,64 @@ +--- +prelude: > + This release puppet-keystone no longer deploys keystone with separated + ports (admin and public as they were called in v2.0). By default keystone + will only listen to port 5000, you need to make sure all your services are + configured to use the correct port to talk to keystone. +features: + - | + Added new parameter keystone::federation::openidc::keystone_url that can be + used to set the keystone url for federation, if not provided it will use + keystone::public_endpoint. +upgrade: + - | + Keystone is now deployed with only port 5000, you can change this with + keystone::wsgi::apache::api_port, you need to make sure all your services are + configured to talk to keystone on this port. If you want to keep backward + compatibility with port 35357 you should pass an array to api_port with + both port 35357 and 5000. + - | + The providers has been updated to read DEFAULT/public_port which defaults + to 5000 and use that port to talk to Keystone when managing resources. + You need to make sure that keystone::public_port and keystone::wsgi::apache::api_port + is set to the same value if you are deploying keystone with Apache WSGI. + - | + keystone::federation::mellon is now added to Keystone WSGI for port 5000 by + default and admin_port and main_port parameters does not do anything and is + deprecated. + - | + keystone::federation::shibboleth is now added to Keystone WSGI for port 5000 + by default and admin_port and main_port parameters does not do anything and is + deprecated. + - | + keystone::federation::openidc is now added to Keystone WSGI for port 5000 + by default and admin_port and main_port parameters does not do anything and is + deprecated. + - | + keystone::federation::openidc::keystone_url parameter has been added to give the + keystone endpoint, if it's not provided keystone::public_endpoint will be used. + We recommend that you set this since keystone::public_endpoint might be deprecated + in a future release. 
+deprecations: + - | + As of the removal of port 35357 the following parameters are deprecated + in the keystone::wsgi::apache class and has no effect: + + - ``servername_admin`` please use ``servername`` + - ``public_port`` and ``admin_port`` please use ``api_port`` + - ``admin_bind_host`` please use ``bind_host`` + - ``public_path`` and ``admin_path`` please use ``path`` + - ``ssl_cert_admin`` and ``ssl_key_admin`` please use ``ssl_cert`` and ``ssl_key`` + - ``wsgi_admin_script_source`` and ``wsgi_public_script_source`` please use ``wsgi_script_source`` + - ``custom_wsgi_process_options_main`` and ``custom_wsgi_process_options_admin`` please use ``custom_wsgi_process_options`` + - | + keystone::federation::mellon::admin_port and main_port is deprecated and has no effect + and will be removed in a future release. + - | + keystone::federation::shibboleth::admin_port and main_port is deprecated and has no effect + and will be removed in a future release. + - | + keystone::federation::openidc::admin_port and main_port is deprecated and has no effect + and will be removed in a future release. + - | + keystone::federation::openidc_httpd_configuration is deprecated and will be removed in + a future release. diff --git a/spec/acceptance/keystone_federation_identity_provider_spec.rb b/spec/acceptance/keystone_federation_identity_provider_spec.rb index c2936770e..e2ff358a5 100644 --- a/spec/acceptance/keystone_federation_identity_provider_spec.rb +++ b/spec/acceptance/keystone_federation_identity_provider_spec.rb @@ -83,10 +83,6 @@ describe 'keystone server running with Apache/WSGI as Identity Provider' do it { is_expected.to be_listening } end - describe port(35357) do - it { is_expected.to be_listening } - end - describe cron do it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') } end 
diff --git a/spec/acceptance/keystone_federation_shibboleth_spec.rb b/spec/acceptance/keystone_federation_shibboleth_spec.rb index 05f9fa50a..bc0bba00f 100644 --- a/spec/acceptance/keystone_federation_shibboleth_spec.rb +++ b/spec/acceptance/keystone_federation_shibboleth_spec.rb @@ -81,10 +81,6 @@ describe 'keystone server running with Apache/WSGI as Service Provider with Shib it { is_expected.to be_listening } end - describe port(35357) do - it { is_expected.to be_listening } - end - describe cron do it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') } end diff --git a/spec/acceptance/keystone_wsgi_apache_spec.rb b/spec/acceptance/keystone_wsgi_apache_spec.rb index 007f9afb4..d85c1037e 100644 --- a/spec/acceptance/keystone_wsgi_apache_spec.rb +++ b/spec/acceptance/keystone_wsgi_apache_spec.rb @@ -77,10 +77,6 @@ describe 'keystone server running with Apache/WSGI with resources' do it { is_expected.to be_listening } end - describe port(35357) do - it { is_expected.to be_listening } - end - describe cron do it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') } end diff --git a/spec/classes/keystone_federation_mellon_spec.rb b/spec/classes/keystone_federation_mellon_spec.rb index 4b8050cb5..7e814fcfd 100644 --- a/spec/classes/keystone_federation_mellon_spec.rb +++ b/spec/classes/keystone_federation_mellon_spec.rb @@ -29,12 +29,6 @@ describe 'keystone::federation::mellon' do it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./ end - before do - params.merge!({:admin_port => false, - :main_port => false}) - it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./ - end - before do params.merge!({:template_port => 330}) it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./ 
@@ -53,33 +47,9 @@ describe 'keystone::federation::mellon' do is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') end - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ + it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({ # This need to change if priority is changed in keystone::wsgi::apache - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - end - - context 'with override default parameters' do - before do - params.merge!({ - :admin_port => true }) - end - - it 'should have basic params for mellon in Keystone configuration' do - is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') - is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') - end - - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ - # This need to change if priority is changed in keystone::wsgi::apache - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_35357').with({ - # This need to change if priority is changed in keystone::wsgi::apache - :target => "10-keystone_wsgi_admin.conf", + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end @@ -105,8 +75,8 @@ describe 'keystone::federation::mellon' do is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/') end - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end 
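Review bot: With the `with override default parameters` context deleted, no example in this spec compiles the class with `admin_port` or `main_port` set, so the path where those parameters are kept as deprecated no-ops (as the rest of this change suggests) is not exercised at all. I would add a context that passes `params.merge!({ :admin_port => true, :main_port => true })` in a `before` block and keeps the same expectation, `contain_concat__fragment('configure_mellon_keystone').with(:target => "10-keystone_wsgi.conf", :order => params[:template_order])`, so a regression that either fails on the legacy parameters or reintroduces the per-port fragments is caught. The enclosing `describe` starts and ends outside this hunk.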
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb index 47e1d7cae..fc2b904e6 100644 --- a/spec/classes/keystone_federation_openidc_spec.rb +++ b/spec/classes/keystone_federation_openidc_spec.rb @@ -35,12 +35,6 @@ describe 'keystone::federation::openidc' do it_raises 'a Puppet::Error', /Methods should contain openid as one of the auth methods./ end - before do - params.merge!(:admin_port => false, - :main_port => false) - it_raises 'a Puppet:Error', /No VirtualHost port to configure, please choose at least one./ - end - before do params.merge!(:template_port => 330) it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./ @@ -77,31 +71,8 @@ describe 'keystone::federation::openidc' do is_expected.to contain_keystone_config('auth/openid').with_ensure('absent') end - it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({ - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - end - - context 'with override default parameters' do - before do - params.merge!({ - :admin_port => true, - }) - end - - it 'should have basic params for openidc in Keystone configuration' do - is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openid') - is_expected.to contain_keystone_config('auth/openid').with_ensure('absent') - end - - it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({ - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - - it { is_expected.to contain_concat__fragment('configure_openidc_on_admin').with({ - :target => "10-keystone_wsgi_admin.conf", + it { is_expected.to contain_concat__fragment('configure_openidc_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end 
diff --git a/spec/classes/keystone_federation_shibboleth_spec.rb b/spec/classes/keystone_federation_shibboleth_spec.rb index 9dcfa36fc..aee1da6d3 100644 --- a/spec/classes/keystone_federation_shibboleth_spec.rb +++ b/spec/classes/keystone_federation_shibboleth_spec.rb @@ -27,12 +27,6 @@ describe 'keystone::federation::shibboleth' do it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./ end - context 'no ports' do - let (:params) { default_params.merge(:admin_port => false, - :main_port => false) } - it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./ - end - context 'template port too low' do let(:params) { default_params.merge(:template_order => 330) } it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./ 
@@ -85,30 +79,16 @@ describe 'keystone::federation::shibboleth' do end context 'with defaults' do - let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } - it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } + it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } + it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end - context 'with overrides' do - let (:params) { default_params.merge({ - :admin_port => true, - :template_order => 332 - }) } - - it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } - it {is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } - it { - is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({ - :target => "10-keystone_wsgi_admin.conf", - :order => params[:template_order], - }) - } - end end 
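Review bot: The `with defaults` context at the top of this hunk loses its `let (:params) { default_params }` while the new `it` blocks still read `params[:template_order]`; unless a `let(:params)` exists in an enclosing scope outside this hunk, the `configure_shibboleth_keystone` expectation fails on an undefined `params` rather than on class behaviour. The parallel `with defaults` context in the following hunk keeps `let (:params) { default_params }`, so the two contexts are inconsistent either way. I would restore the single line `let (:params) { default_params }` here. The enclosing `context` and `describe` start and end outside this hunk.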
@@ -126,45 +106,22 @@ describe 'keystone::federation::shibboleth' do let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } - it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } + it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } + it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end - context 'with overrides' do - let (:params) { default_params.merge({ - :admin_port => true, - :template_order => 332 - }) } - - it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } - it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } - it { - is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({ - :target => "10-keystone_wsgi_admin.conf", - :order => params[:template_order], - }) - } - end - end context 'without repo or package' do context 'with defaults' do let (:params) { default_params } it { is_expected.to_not contain_apache__mod('shib2') } - it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_5000') } - end - - context 'with overrides' do - let (:params) { default_params.merge({ - :admin_port => true, - :template_order => 332 - }) } - it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } - it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') } + it { is_expected.to_not contain_concat__fragment('configure_shibboleth_keystone') } end end end 
@@ -174,8 +131,8 @@ describe 'keystone::federation::shibboleth' do let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } - it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} diff --git a/spec/classes/keystone_wsgi_apache_spec.rb b/spec/classes/keystone_wsgi_apache_spec.rb index 84ee98054..647e6b81e 100644 --- a/spec/classes/keystone_wsgi_apache_spec.rb +++ b/spec/classes/keystone_wsgi_apache_spec.rb 
@@ -2,87 +2,24 @@ require 'spec_helper' describe 'keystone::wsgi::apache' do - let :global_facts do - { - :os_workers => 8, - :concat_basedir => '/var/lib/puppet/concat', - :fqdn => 'some.host.tld' - } - end - let :pre_condition do - [ - 'class { keystone: admin_token => "dummy", service_name => "httpd", enable_ssl => true }' - ] + "class { '::keystone': + admin_token => 'dummy', + service_name => 'httpd', + enable_ssl => true, + }" end - shared_examples_for 'apache serving keystone with mod_wsgi' do - it { is_expected.to contain_service('httpd').with_name(platform_params[:httpd_service_name]) } - it { is_expected.to contain_class('keystone::params') } - it { is_expected.to contain_class('apache') } - it { is_expected.to contain_class('apache::mod::wsgi') } - it { is_expected.to contain_class('apache::mod::ssl') } - it { is_expected.to contain_class('keystone::db::sync') } + shared_examples 'keystone::wsgi::apache' do + context 'with default parameters' do + it { + should contain_class('keystone::params') + should contain_class('keystone::deps') + } - describe 'with default parameters' do - - it { is_expected.to contain_file("#{platform_params[:wsgi_script_path]}").with( - :ensure => 'directory', - :owner => 'keystone', - :group => 'keystone', - :require => 'Anchor[keystone::install::end]', - )} - - it { is_expected.to contain_file('keystone_wsgi_admin').with( - :ensure => 'file', - :path => "#{platform_params[:wsgi_script_path]}/keystone-admin", - :source => platform_params[:wsgi_admin_script_source], - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => "File[#{platform_params[:wsgi_script_path]}]", - )} - - it { is_expected.to contain_file('keystone_wsgi_main').with( - :ensure => 'file', - :path => "#{platform_params[:wsgi_script_path]}/keystone-public", - :source => platform_params[:wsgi_public_script_source], - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => 
"File[#{platform_params[:wsgi_script_path]}]", - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'some.host.tld', - :bind_port => 35357, - :group => 'keystone', - :workers => facts[:os_workers], - :threads => 1, - :user => 'keystone', - :priority => '10', - :ssl => true, - :wsgi_daemon_process => 'keystone_main', - :wsgi_process_display_name => 'keystone-main', - :wsgi_process_group => 'keystone_main', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-public', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_main]', - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( :servername => 'some.host.tld', + :bind_host => nil, :bind_port => 5000, :group => 'keystone', :workers => facts[:os_workers], @@ -90,12 +27,13 @@ describe 'keystone::wsgi::apache' do :user => 'keystone', :priority => '10', :ssl => true, - :wsgi_daemon_process => 'keystone_admin', - :wsgi_process_display_name => 'keystone-admin', - :wsgi_process_group => 'keystone_admin', + :wsgi_daemon_process => 'keystone', + :wsgi_process_display_name => 'keystone', + :wsgi_process_group => 'keystone', :wsgi_application_group => '%{GLOBAL}', :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-admin', + :wsgi_script_file => 'keystone', + :wsgi_script_source => '/usr/bin/keystone-wsgi-public', :wsgi_pass_authorization => 'On', :headers => nil, :custom_wsgi_process_options => {}, 
@@ -106,402 +44,170 @@ describe 'keystone::wsgi::apache' do :error_log_file => nil, :error_log_pipe => nil, :error_log_syslog => nil, - :require => 'File[keystone_wsgi_admin]', )} - - it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") } end - describe 'when overriding parameters using different ports' do + context 'when overriding parameters' do let :params do { - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :admin_bind_host => '10.42.51.2', - :public_port => 12345, - :admin_port => 4142, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' + :servername => 'dummy.host', + :bind_host => '127.0.0.1', + :api_port => 1234, + :path => '/keystone', + :ssl => false, + :workers => 10, + :ssl_cert => 'ssl cert', + :ssl_key => 'ssl key', + :ssl_chain => 'ssl chain', + :ssl_ca => 'ssl ca', + :ssl_crl_path => '/etc/ssl', + :ssl_crl => 'crl', + :ssl_certs_dir => '/etc/ssl/certs', + :threads => 10, + :priority => '20', + :wsgi_application_group => 'group', + :wsgi_pass_authorization => 'Off', + :wsgi_chunked_request => 'On', + :wsgi_script_source => '/path/to/my/script.py', + :headers => 'set X-Frame-Options "DENY"', + :vhost_custom_fragment => 'custom', + :custom_wsgi_process_options => { 'python-path' => '/my/python/virtualenv' }, } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 12345, - :user => 'keystone', - :group => 'keystone', - :workers => 37, - :threads => 1, - :priority => '10', - :ssl => false, - :wsgi_daemon_process => 'keystone_main', - :wsgi_process_display_name => 'keystone-main', - :wsgi_process_group => 'keystone_main', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-public', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - 
:vhost_custom_fragment => 'LimitRequestFieldSize 81900', - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_main]', + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :servername => params[:servername], + :bind_host => params[:bind_host], + :bind_port => params[:api_port], + :path => params[:path], + :workers => params[:workers], + :threads => params[:threads], + :priority => params[:priority], + :ssl => params[:ssl], + :ssl_cert => params[:ssl_cert], + :ssl_key => params[:ssl_key], + :ssl_chain => params[:ssl_chain], + :ssl_ca => params[:ssl_ca], + :ssl_crl_path => params[:ssl_crl_path], + :ssl_crl => params[:ssl_crl], + :ssl_certs_dir => params[:ssl_certs_dir], + :wsgi_application_group => params[:wsgi_application_group], + :wsgi_pass_authorization => params[:wsgi_pass_authorization], + :wsgi_chunked_request => params[:wsgi_chunked_request], + :wsgi_script_source => params[:wsgi_script_source], + :headers => params[:headers], + :vhost_custom_fragment => params[:vhost_custom_fragment], + :custom_wsgi_process_options => params[:custom_wsgi_process_options], )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 4142, - :group => 'keystone', - :workers => 37, - :threads => 1, - :user => 'keystone', - :priority => '10', - :ssl => false, - :wsgi_daemon_process => 'keystone_admin', - :wsgi_process_display_name => 'keystone-admin', - :wsgi_process_group => 'keystone_admin', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-admin', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - :vhost_custom_fragment => 'LimitRequestFieldSize 
81900', - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_admin]', - )} - - it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") } end - describe 'when admin_bind_host is not set default to bind_host' do + context 'with backward compatible ports' do let :params do { - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :public_port => 12345, - :admin_port => 4142, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' + :api_port => [35357, 5000], } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 12345, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 4142, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' - )} - - it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") } - end - - describe 'when servername_admin is overridden' do - let :params do - { - :servername => 'dummy1.host', - :servername_admin => 'dummy2.host', - } - end - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy1.host', - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :servername => 'dummy2.host', - )} - - end - - describe 'when wsgi_daemon_process_options are overridden' do - let :params do - { - :custom_wsgi_process_options_main => { - python_path => '/my/python/main/path', - }, - :custom_wsgi_process_options_admin => { - python_path => 
'/my/python/admin/path', - }, - } - end - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :custom_wsgi_process_options => { 'python-path' => '/my/python/main/path' }, - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :custom_wsgi_process_options => { 'python-path' => '/my/python/admin/path' }, - )} - - end - - describe 'when overriding parameters using same port' do - let :params do - { - :servername => 'dummy.host', - :public_port => 4242, - :admin_port => 4242, - :public_path => '/main/endpoint/', - :admin_path => '/admin/endpoint/', - :ssl => true, - :workers => 37, - } - end - - it { is_expected.to_not contain_openstacklib__wsgi__apache('keystone_wsgi_admin') } - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :bind_port => 4242, - :user => 'keystone', - :group => 'keystone', - :workers => 37, - :threads => 1, - :priority => '10', - :ssl => true, - :wsgi_daemon_process => 'keystone_main', - :wsgi_process_display_name => 'keystone-main', - :wsgi_process_group => 'keystone_main', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-public', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - :custom_wsgi_script_aliases => { '/admin/endpoint' => "#{platform_parameters[:wsgi_script_path]}/keystone-admin" }, - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_main]' + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :bind_port => [35357, 5000], )} end - describe 'when overriding parameters using same port and same path' do + context 'with custom access logging' do let :params do { - 
:servername => 'dummy.host', - :public_port => 4242, - :admin_port => 4242, - :public_path => '/endpoint/', - :admin_path => '/endpoint/', - :ssl => true, - :workers => 37, - } - end - - it_raises 'a Puppet::Error', /When using the same port for public and admin endpoints, public_path and admin_path should be different\./ - end - - describe 'when overriding default apache logging' do - let :params do - { - :servername => 'dummy.host', :access_log_format => 'foo', :access_log_syslog => 'syslog:local0', - } - end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :access_log_format => 'foo', - :access_log_syslog => 'syslog:local0', - )} - end - - describe 'when overriding parameters using symlink and custom file source' do - let :params do - { - :wsgi_script_source => '/opt/keystone/httpd/keystone.py', + :error_log_syslog => 'syslog:local1', } end - it { is_expected.to contain_file('keystone_wsgi_admin').with( - :ensure => 'link', - :path => "#{platform_params[:wsgi_script_path]}/keystone-admin", - :target => '/opt/keystone/httpd/keystone.py', - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => "File[#{platform_params[:wsgi_script_path]}]", - )} - - it { is_expected.to contain_file('keystone_wsgi_main').with( - :ensure => 'link', - :path => "#{platform_params[:wsgi_script_path]}/keystone-public", - :target => '/opt/keystone/httpd/keystone.py', - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => "File[#{platform_params[:wsgi_script_path]}]", + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :access_log_format => params[:access_log_format], + :access_log_syslog => params[:access_log_syslog], + :error_log_syslog => params[:error_log_syslog], )} end - describe 'when setting ssl cert and key' do + context 'with access_log_file' do let :params do { - :ssl_cert => 'some cert', - :ssl_key => 'some key', - } - end - it { 
is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :ssl_cert => 'some cert', - :ssl_key => 'some key', - )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :ssl_cert => 'some cert', - :ssl_key => 'some key', - )} - end - - describe 'when setting different ssl cert and key for admin' do - let :params do - { - :ssl_cert => 'some cert', - :ssl_key => 'some key', - :ssl_cert_admin => 'some cert admin', - :ssl_key_admin => 'some key admin', - } - end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :ssl_cert => 'some cert', - :ssl_key => 'some key', - )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :ssl_cert => 'some cert admin', - :ssl_key => 'some key admin', - )} - end - - describe 'when overriding parameters using wsgi chunked request' do - let :params do - { - :wsgi_chunked_request => 'On' + :access_log_file => '/path/to/file', } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :wsgi_chunked_request => 'On' + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :access_log_file => params[:access_log_file], )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :wsgi_chunked_request => 'On' - )} - end - describe 'when overriding parameters using additional headers' do + context 'with access_log_pipe' do let :params do { - :headers => 'set X-Frame-Options "DENY"' + :access_log_pipe => 'pipe', } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :headers => 'set X-Frame-Options "DENY"' + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :access_log_pipe => params[:access_log_pipe], )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :headers => 'set X-Frame-Options "DENY"' - )} - end - describe 'when overriding script paths 
with link' do + context 'with error_log_file' do let :params do { - :wsgi_file_target => 'link', - :wsgi_admin_script_source => '/home/foo/admin-script', - :wsgi_public_script_source => '/home/foo/public-script', + :error_log_file => '/path/to/file', } end - it 'should contain correct files' do - is_expected.to contain_file('keystone_wsgi_main').with( - :path => "#{facts[:wsgi_script_path]}/keystone-public", - :target => params[:wsgi_public_script_source] - ) - is_expected.to contain_file('keystone_wsgi_admin').with( - :path => "#{facts[:wsgi_script_path]}/keystone-admin", - :target => params[:wsgi_admin_script_source] - ) - end + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :error_log_file => params[:error_log_file], + )} end - describe 'when overriding script paths with source' do + context 'with error_log_pipe' do let :params do { - :wsgi_admin_script_source => '/home/foo/admin-script', - :wsgi_public_script_source => '/home/foo/public-script', + :error_log_pipe => 'pipe', } end - it 'should contain correct files' do - is_expected.to contain_file('keystone_wsgi_main').with( - :path => "#{facts[:wsgi_script_path]}/keystone-public", - :source => params[:wsgi_public_script_source] - ) - is_expected.to contain_file('keystone_wsgi_admin').with( - :path => "#{facts[:wsgi_script_path]}/keystone-admin", - :source => params[:wsgi_admin_script_source] - ) - end + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :error_log_pipe => params[:error_log_pipe], + )} end end on_supported_os({ + :supported_os => OSDefaults.get_supported_os }).each do |os,facts| - let (:facts) do - facts.merge!(OSDefaults.get_facts({})) - end - - let(:platform_params) do - case facts[:osfamily] - when 'Debian' - { - :httpd_service_name => 'apache2', - :httpd_ports_file => '/etc/apache2/ports.conf', - :wsgi_script_path => '/usr/lib/cgi-bin/keystone', - :wsgi_admin_script_source => '/usr/bin/keystone-wsgi-admin', - :wsgi_public_script_source => 
'/usr/bin/keystone-wsgi-public' - } - when 'RedHat' - { - :httpd_service_name => 'httpd', - :httpd_ports_file => '/etc/httpd/conf/ports.conf', - :wsgi_script_path => '/var/www/cgi-bin/keystone', - :wsgi_admin_script_source => '/usr/bin/keystone-wsgi-admin', - :wsgi_public_script_source => '/usr/bin/keystone-wsgi-public' - } + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts({ + :os_workers => 8, + :concat_basedir => '/var/lib/puppet/concat', + :fqdn => 'some.host.tld', + })) end + + let(:platform_params) do + case facts[:osfamily] + when 'Debian' + { + :httpd_service_name => 'apache2', + :httpd_ports_file => '/etc/apache2/ports.conf', + :wsgi_script_path => '/usr/lib/cgi-bin/keystone', + } + when 'RedHat' + { + :httpd_service_name => 'httpd', + :httpd_ports_file => '/etc/httpd/conf/ports.conf', + :wsgi_script_path => '/var/www/cgi-bin/keystone', + } + end + end + + it_behaves_like 'keystone::wsgi::apache' end end end diff --git a/spec/unit/provider/keystone_spec.rb b/spec/unit/provider/keystone_spec.rb index 6eb95c445..2da45288e 100644 --- a/spec/unit/provider/keystone_spec.rb +++ b/spec/unit/provider/keystone_spec.rb @@ -171,7 +171,7 @@ id="the_user_id" end it 'should use the specified bind_host in the admin endpoint' do - mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }} + mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') 
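Review bot: The `with backward compatible ports` context asserts only `:bind_port => [35357, 5000]` and does not record that, in the single-vhost class, both ports are now served by one vhost with the same `bind_host`, `ssl` settings and WSGI script. The deleted examples in this hunk show that the admin listener could previously be bound to a separate `admin_bind_host`, so an operator who relied on 35357 being reachable only on an internal address may, after switching to `api_port => [35357, 5000]`, expose it wherever the public listener binds; that is inferred from the removed parameters, not verified against the class. I would add a comment above the context, `# Transitional only: both ports share one vhost (same bind_host, ssl and wsgi_script_source); keep 35357 only while clients still hard-code it`, and extend the expectation with `:bind_host => nil` so the shared binding is pinned the way the default-parameters example already pins it. The `shared_examples` block containing this context starts outside the hunk.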
@@ -179,7 +179,7 @@ id="the_user_id" end it 'should use localhost in the admin endpoint if bind_host is 0.0.0.0' do - mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -187,7 +187,7 @@ id="the_user_id" end it 'should use [::1] in the admin endpoint if bind_host is ::0' do - mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -195,7 +195,7 @@ id="the_user_id" end it 'should use [2620:52:0:23a9::25] in the admin endpoint if bind_host is 2620:52:0:23a9::25' do - mock = {'DEFAULT' => { 'admin_bind_host' => '2620:52:0:23a9::25', 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'admin_bind_host' => '2620:52:0:23a9::25', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -203,7 +203,7 @@ id="the_user_id" end it 'should use localhost in the admin endpoint if bind_host is unspecified' do - mock = {'DEFAULT' => { 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') 
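Review bot: Every fixture in these hunks sets `public_port` explicitly, so the case that matters most after this change — no port key at all in `[DEFAULT]`, where the provider presumably falls back to its built-in default — has no example, and the `bind_host is unspecified` case still sets `'public_port' => '5001'` instead of exercising that fallback. I would add one example with `mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210'}}` and assert the computed endpoint ends in `:5000`. The example names still say "admin endpoint" while the fixture now combines `admin_bind_host` with `public_port`; if current keystone releases no longer write these legacy `[DEFAULT]` port and bind options, the fallback is what production deployments will actually hit, which is why that test is worth having. The `describe` block containing these examples starts and ends outside the hunks.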
@@ -211,7 +211,7 @@ id="the_user_id" end it 'should use https if ssl is enabled' do - mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }, 'ssl' => {'enable' => 'True'}} + mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }, 'ssl' => {'enable' => 'True'}} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -219,7 +219,7 @@ id="the_user_id" end it 'should use http if ssl is disabled' do - mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }, 'ssl' => {'enable' => 'False'}} + mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }, 'ssl' => {'enable' => 'False'}} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb index c30cea158..6272e7899 100644 --- a/templates/openidc.conf.erb +++ b/templates/openidc.conf.erb @@ -16,8 +16,8 @@ # The following directives are necessary to support websso from Horizon # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) - OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" - OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso/openid" + OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" + OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/websso/openid" AuthType "openid-connect"