From ace7aeb3b71b39a59f92fbc9e7f676a70c9a797a Mon Sep 17 00:00:00 2001 
From: Tobias Urdin Date: Wed, 21 Nov 2018 15:17:08 +0100 Subject: [PATCH] Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51 --- lib/puppet/provider/keystone.rb | 4 +- manifests/federation/mellon.pp | 52 +- manifests/federation/openidc.pp | 72 ++- .../federation/openidc_httpd_configuration.pp | 11 +- manifests/federation/shibboleth.pp | 55 +- manifests/params.pp | 6 +- manifests/wsgi/apache.pp | 299 +++++----- .../remove-port-35357-ba49d2cf102f8c38.yaml | 64 +++ ...stone_federation_identity_provider_spec.rb | 4 - .../keystone_federation_shibboleth_spec.rb | 4 - spec/acceptance/keystone_wsgi_apache_spec.rb | 4 - .../keystone_federation_mellon_spec.rb | 38 +- .../keystone_federation_openidc_spec.rb | 33 +- .../keystone_federation_shibboleth_spec.rb | 65 +-- spec/classes/keystone_wsgi_apache_spec.rb | 532 ++++-------------- spec/unit/provider/keystone_spec.rb | 14 +- templates/openidc.conf.erb | 4 +- 17 files changed, 423 insertions(+), 838 deletions(-) create mode 100644 releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml 
diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb
index 52c4c780f..385d7662f 100644
--- a/lib/puppet/provider/keystone.rb
+++ b/lib/puppet/provider/keystone.rb
@@ -175,10 +175,10 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
 if url = get_section('DEFAULT', 'admin_endpoint')
 endpoint = url.chomp('/')
 else
- admin_port = get_section('DEFAULT', 'admin_port') || '5000'
+ public_port = get_section('DEFAULT', 'public_port') || '5000'
 host = clean_host(get_section('DEFAULT', 'admin_bind_host'))
 protocol = ssl? ? 'https' : 'http'
- endpoint = "#{protocol}://#{host}:#{admin_port}"
+ endpoint = "#{protocol}://#{host}:#{public_port}"
 end
 end
 return endpoint
diff --git a/manifests/federation/mellon.pp b/manifests/federation/mellon.pp
index f6dce51c4..54dadfec0 100644
--- a/manifests/federation/mellon.pp
+++ b/manifests/federation/mellon.pp
@@ -17,16 +17,6 @@
 # The name for your protocol associated with the IdP.
 # (Required) String value.
 #
-# [*admin_port*]
-# A boolean value to ensure that you want to configure K2K Federation
-# using Keystone VirtualHost on port 35357.
-# (Optional) Defaults to false.
-#
-# [*main_port*]
-# A boolean value to ensure that you want to configure K2K Federation
-# using Keystone VirtualHost on port 5000.
-# (Optional) Defaults to true.
-#
 # [*template_order*]
 # This number indicates the order for the concat::fragment that will apply
 # the shibboleth configuration to Keystone VirtualHost. The value should
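Review bot: The two changed lines now pair `public_port` with the unchanged `host = clean_host(get_section('DEFAULT', 'admin_bind_host'))`, so a deployment that binds the admin API to a management-only address (the usual reason to set `admin_bind_host`) ends up with a provider endpoint of `<admin_bind_host>:5000`, a host/port combination this patch no longer serves. The `DEFAULT/admin_endpoint` branch just above still wins when set, so only the fallback path is affected. If keystone.conf in the supported releases still carries `public_bind_host`, reading it here (`host = clean_host(get_section('DEFAULT', 'public_bind_host'))`) keeps host and port consistent; otherwise the release note should state that `admin_bind_host` is still consulted for the fallback endpoint. The enclosing method starts before this hunk.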
@@ -57,17 +47,27 @@ # trusted_dashboards configuration instead of this parameter. # Defaults to undef # +# [*admin_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 35357. +# (Optional) Defaults to undef. +# +# [*main_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 5000. +# (Optional) Defaults to undef. +# class keystone::federation::mellon ( $methods, $idp_name, $protocol_name, - $admin_port = false, - $main_port = true, $template_order = 331, $package_ensure = present, $enable_websso = false, # DEPRECATED $trusted_dashboards = undef, + $admin_port = undef, + $main_port = undef, ) { include ::apache @@ -79,6 +79,10 @@ class keystone::federation::mellon ( in Stein and will be removed in future releases") } + if $admin_port or $main_port { + warning('keystone::federation::mellon::admin_port and main_port are deprecated and have no effect') + } + # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { fail('The template order should be greater than 330 and less than 999.') @@ -93,14 +97,8 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even fail('Methods should contain saml2 as one of the auth methods.') } - validate_bool($admin_port) - validate_bool($main_port) validate_bool($enable_websso) - if( !$admin_port and !$main_port){ - fail('No VirtualHost port to configure, please choose at least one.') - } - keystone_config { 'auth/methods': value => join(any2array($methods),','); 'auth/saml2': ensure => absent; 
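Review bot: The new deprecation guard `if $admin_port or $main_port {` tests truthiness, so a caller that explicitly passes the old disabling value (`main_port => false` or `admin_port => false`, which used to select a single vhost) gets no warning at all even though the value is now ignored; `if $admin_port != undef or $main_port != undef {` warns on any explicit use. The relocated parameter docs also lack the `# === DEPRECATED` heading that openidc.pp and shibboleth.pp gain in this same patch, and the parameter list lacks the matching `# DEPRECATED` marker before `$admin_port = undef,`; adding both keeps the three federation classes consistent. Removing `validate_bool` for the two parameters is fine since they are no longer acted on.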
@@ -122,20 +120,10 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even tag => 'keystone-support-package', }) - if $admin_port { - concat::fragment { 'configure_mellon_on_port_35357': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf", - content => template('keystone/mellon.conf.erb'), - order => $template_order, - } - } - - if $main_port { - concat::fragment { 'configure_mellon_on_port_5000': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf", - content => template('keystone/mellon.conf.erb'), - order => $template_order, - } + concat::fragment { 'configure_mellon_keystone': + target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", + content => template('keystone/mellon.conf.erb'), + order => $template_order, } } diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp index 35a0da02c..ed7efc047 100644 --- a/manifests/federation/openidc.pp +++ b/manifests/federation/openidc.pp @@ -39,16 +39,6 @@ # (optional) Value to be used to obtain the entity ID of the Identity # Provider from the environment. # -# [*admin_port*] -# A boolean value to ensure that you want to configure openidc Federation -# using Keystone VirtualHost on port 35357. -# (Optional) Defaults to false. -# -# [*main_port*] -# A boolean value to ensure that you want to configure openidc Federation -# using Keystone VirtualHost on port 5000. -# (Optional) Defaults to true. -# # [*template_order*] # This number indicates the order for the concat::fragment that will apply # the shibboleth configuration to Keystone VirtualHost. The value should 
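Review bot: The concat fragment title changes from `configure_mellon_on_port_5000` to `configure_mellon_keystone` (and its target from `…-keystone_wsgi_main.conf` to `…-keystone_wsgi.conf`), which breaks any profile that ordered against `Concat::Fragment['configure_mellon_on_port_5000']`, and neither the release note nor the deprecation list mentions the rename. Either keep the old title or add a line to the upgrade section of the release note naming the new fragment titles for mellon, shibboleth and openidc. The class still reads `$keystone::wsgi::apache::priority` without declaring that class, which is pre-existing but now the only way the target name is derived.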
@@ -64,11 +54,20 @@ # accepts latest or specific versions. # Defaults to present. # -# [*keystone_public_url*] -# (optional) URL to keystone public endpoint. +# [*keystone_url*] +# (optional) URL to keystone endpoint. # -# [*keystone_admin_url*] -# (optional) URL to keystone admin endpoint. +# === DEPRECATED +# +# [*admin_port*] +# A boolean value to ensure that you want to configure openidc Federation +# using Keystone VirtualHost on port 35357. +# (Optional) Defaults to undef. +# +# [*main_port*] +# A boolean value to ensure that you want to configure openidc Federation +# using Keystone VirtualHost on port 5000. +# (Optional) Defaults to undef. # class keystone::federation::openidc ( $methods, 
@@ -79,20 +78,30 @@ class keystone::federation::openidc ( $openidc_crypto_passphrase = 'openstack', $openidc_response_type = 'id_token', $remote_id_attribute = undef, - $admin_port = false, - $main_port = true, $template_order = 331, $package_ensure = present, - $keystone_public_url = undef, - $keystone_admin_url = undef, + $keystone_url = undef, + # DEPRECATED + $admin_port = undef, + $main_port = undef, ) { include ::apache include ::keystone::deps include ::keystone::params - $_keystone_public_url = pick($keystone_public_url, $::keystone::public_endpoint) - $_keystone_admin_url = pick($keystone_admin_url, $::keystone::admin_endpoint) + # TODO(tobias-urdin): Make keystone_url required when keystone::public_endpoint is removed. + # Dont forget to change the keystone_url_real variable in the templates/openidc.conf.rb file. + # The fail statement below can also be removed since keystone_url will be a required parameter. + $keystone_url_real = pick($keystone_url, $::keystone::public_endpoint) + + if $keystone_url_real == undef or is_service_default($keystone_url_real) { + fail('You must set either keystone_url or keystone::public_endpoint') + } + + if $admin_port or $main_port { + warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect') + } # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { @@ -107,16 +116,9 @@ class keystone::federation::openidc ( fail('Methods should contain openid as one of the auth methods.') } - validate_legacy(Boolean, 'validate_bool', $admin_port) - validate_legacy(Boolean, 'validate_bool', $main_port) - - if( !$admin_port and !$main_port){ - fail('No VirtualHost port to configure, please choose at least one.') - } - keystone_config { 'auth/methods': value => join(any2array($methods),','); - 'auth/openid': ensure => absent; + 'auth/openid': ensure => absent; } if $remote_id_attribute { 
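Review bot: The `$keystone_url_real == undef` half of the new check is unreachable, because stdlib's `pick()` on the preceding line raises its own generic "must receive at least one non empty value" error when both `$keystone_url` and `$::keystone::public_endpoint` are undef, so operators never see the intended `fail('You must set either keystone_url or keystone::public_endpoint')` message. Using `$keystone_url_real = pick_default($keystone_url, $::keystone::public_endpoint)` lets the custom message fire; the `is_service_default` half remains useful for the `<SERVICE DEFAULT>` case. The TODO comment also points at `templates/openidc.conf.rb`, while the diffstat shows the template is `templates/openidc.conf.erb`. This relies on stdlib's documented `pick` behaviour, so confirm against the stdlib version the module pins.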
@@ -130,15 +132,9 @@ class keystone::federation::openidc ( tag => 'keystone-support-package', }) - if $admin_port and $_keystone_admin_url { - keystone::federation::openidc_httpd_configuration{ 'admin': - keystone_endpoint => $_keystone_admin_url, - } - } - - if $main_port and $_keystone_public_url { - keystone::federation::openidc_httpd_configuration{ 'main': - keystone_endpoint => $_keystone_public_url, - } + concat::fragment { 'configure_openidc_keystone': + target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", + content => template('keystone/openidc.conf.erb'), + order => $template_order, } } diff --git a/manifests/federation/openidc_httpd_configuration.pp b/manifests/federation/openidc_httpd_configuration.pp index eaea7c69d..efb03305a 100644 --- a/manifests/federation/openidc_httpd_configuration.pp +++ b/manifests/federation/openidc_httpd_configuration.pp @@ -1,4 +1,6 @@ -# == define: keystone::federation::openidc_httpd_configuration [70/1473] +# == define: keystone::federation::openidc_httpd_configuration +# +# DEPRECATED! # # == Parameters # @@ -10,9 +12,6 @@ define keystone::federation::openidc_httpd_configuration ( $keystone_endpoint = undef ) { - concat::fragment { "configure_openidc_on_${title}": - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf", - content => template('keystone/openidc.conf.erb'), - order => $keystone::federation::openidc::template_order, - } + + warning('keystone::federation::openidc_httpd_configuration is deprecated') } diff --git a/manifests/federation/shibboleth.pp b/manifests/federation/shibboleth.pp index 7658d1331..6c9deab29 100644 --- a/manifests/federation/shibboleth.pp +++ b/manifests/federation/shibboleth.pp 
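Review bot: The deprecated `keystone::federation::openidc_httpd_configuration` define keeps its `$keystone_endpoint` parameter but now does nothing with it, and the warning it emits does not say that the resource is a no-op or what replaced it, so an operator who still declares `openidc_httpd_configuration { 'main': keystone_endpoint => … }` could reasonably believe their endpoint is still being applied. Make that explicit: `warning('keystone::federation::openidc_httpd_configuration is deprecated and has no effect; the fragment is now managed by keystone::federation::openidc (set keystone_url there)')`, and expand the `# DEPRECATED!` header with the same pointer. The `$keystone_endpoint` parameter can stay for interface compatibility but should be documented as ignored.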
@@ -2,16 +2,6 @@ # # == Parameters # -# [*admin_port*] -# A boolean value to ensure that you want to configure K2K Federation -# using Keystone VirtualHost on port 35357. -# (Optional) Defaults to false. -# -# [*main_port*] -# A boolean value to ensure that you want to configure K2K Federation -# using Keystone VirtualHost on port 5000. -# (Optional) Defaults to true. -# # [*methods*] # A list of methods used for authentication separated by comma or an array. # The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2' @@ -47,6 +37,18 @@ # require => Anchor['openstack_extras_redhat'] # } # +# === DEPRECATED +# +# [*admin_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 35357. +# (Optional) Defaults to undef +# +# [*main_port*] +# A boolean value to ensure that you want to configure K2K Federation +# using Keystone VirtualHost on port 5000. +# (Optional) Defaults to undef +# # == Note about Redhat osfamily # According to puppet-apache we need to enable a new repo, but in puppet-openstack # we won't enable any external third party repo. @@ -55,16 +57,21 @@ # class keystone::federation::shibboleth( $methods, - $admin_port = false, - $main_port = true, $suppress_warning = false, $template_order = 331, $yum_repo_name = 'shibboleth', + # DEPRECATED + $admin_port = undef, + $main_port = undef, ) { include ::apache include ::keystone::deps + if $admin_port or $main_port { + warning('keystone::federation::shibboleth::admin_port and main_port are deprecated and have no effect') + } + # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { fail('The template order should be greater than 330 and less than 999.') 
@@ -79,14 +86,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e fail('Methods should contain saml2 as one of the auth methods.') } - validate_bool($admin_port) - validate_bool($main_port) validate_bool($suppress_warning) - if( !$admin_port and !$main_port){ - fail('No VirtualHost port to configure, please choose at least one.') - } - keystone_config { 'auth/methods': value => join(any2array($methods),','); 'auth/saml2': ensure => absent; @@ -103,20 +104,10 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e class { '::apache::mod::shib': } } - if $admin_port { - concat::fragment { 'configure_shibboleth_on_port_35357': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_admin.conf", - content => template('keystone/shibboleth.conf.erb'), - order => $template_order, - } - } - - if $main_port { - concat::fragment { 'configure_shibboleth_on_port_5000': - target => "${keystone::wsgi::apache::priority}-keystone_wsgi_main.conf", - content => template('keystone/shibboleth.conf.erb'), - order => $template_order, - } + concat::fragment { 'configure_shibboleth_keystone': + target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", + content => template('keystone/shibboleth.conf.erb'), + order => $template_order, } } elsif $::osfamily == 'Redhat' { if !$suppress_warning { diff --git a/manifests/params.pp b/manifests/params.pp index f61c79aa9..25a17dea5 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -9,12 +9,12 @@ class keystone::params { } else { $pyvers = '' } + $client_package_name = "python${pyvers}-keystoneclient" $keystone_user = 'keystone' $keystone_group = 'keystone' - $keystone_wsgi_admin_script_path = '/usr/bin/keystone-wsgi-admin' - $keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public' - $group = 'keystone' + $group = 'keystone' + case $::osfamily { 'Debian': { $package_name = 'keystone' 
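Review bot: params.pp deletes `$keystone_wsgi_admin_script_path` and `$keystone_wsgi_public_script_path` outright, with no deprecation period, while apache.pp in this same patch hard-codes `'/usr/bin/keystone-wsgi-public'` as the `wsgi_script_source` default; the path now lives in the class instead of params, and any out-of-tree manifest that read `$::keystone::params::keystone_wsgi_public_script_path` fails to compile. Keeping `$keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public'` in params.pp and defaulting `wsgi_script_source` to it preserves both the single source of truth and the public variable. The shibboleth hunk mirrors the mellon change (single `configure_shibboleth_keystone` fragment) and raises nothing new on its own.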
diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index a78598343..149725571 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp @@ -14,32 +14,16 @@ # (Optional) The servername for the virtualhost. # Defaults to $::fqdn # -# [*servername_admin*] -# (Optional) The servername for the admin virtualhost. -# Defaults to $servername -# -# [*public_port*] -# (Optional) The public port. -# Defaults to 5000 -# -# [*admin_port*] -# (Optional) The admin port. -# Defaults to 35357 -# # [*bind_host*] # (Optional) The host/ip address Apache will listen on. # Defaults to undef (listen on all ip addresses) # -# [*admin_bind_host*] -# (Optional) The host/ip address Apache will listen on for admin API connections. -# Defaults to undef or bind_host if only that setting is used +# [*api_port*] +# (Optional) The keystone API port. +# Defaults to 5000 # -# [*public_path*] -# (Optional) The prefix for the public endpoint. -# Defaults to '/' -# -# [*admin_path*] -# (Optional) The prefix for the admin endpoint. +# [*path*] +# (Optional) The prefix for the API endpoint. # Defaults to '/' # # [*ssl*] @@ -58,14 +42,6 @@ # (Optional) Path to SSL key # Default to apache::vhost 'ssl_*' defaults # -# [*ssl_cert_admin*] -# (Optional) Path to SSL certificate for the admin endpoint. -# Default to apache::vhost 'ssl_*' defaults -# -# [*ssl_key_admin*] -# (Optional) Path to SSL key for the admin endpoint. -# Default to apache::vhost 'ssl_*' defaults -# # [*ssl_chain*] # (Optional) SSL chain. # Default to apache::vhost 'ssl_*' defaults 
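Review bot: The new `[*api_port*]` doc says only "The keystone API port. Defaults to 5000", but the release note in this patch tells operators to pass an array such as `[35357, 5000]` to keep the legacy port; if `openstacklib::wsgi::apache` accepts an array for `bind_port` (not visible here), the parameter doc should say so, and if it does not, the release note is wrong. Either way the doc should add a one-line caution that listing 35357 keeps the legacy admin port exposed and should be a temporary migration step, e.g. `#   (Optional) The keystone API port. An array may be given to listen on several ports (e.g. [35357, 5000] during migration); prefer a single port once clients are updated.`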
@@ -103,34 +79,19 @@ # script when the equivalent HTTP request headers are present. # Defaults to 'On' # -# [*wsgi_admin_script_source*] -# (Optional) Wsgi script source for the admin endpoint. If set to undef -# $::keystone::params::keystone_wsgi_admin_script_path is used. This source -# is copied to the apache cgi-bin path as keystone-admin. -# Defaults to undef +# [*wsgi_script_source*] +# (Optional) The wsgi script source for the API. +# This source is copied to the apache cgi-bin path as keystone-public. +# Defaults to '/usr/bin/keystone-wsgi-public' # -# [*wsgi_public_script_source*] -# (Optional) Wsgi script source for the public endpoint. If set to undef -# $::keystone::params::keystone_wsgi_public_script_path is used. This source -# is copied to the apache cgi-bin path as keystone-main. -# Defaults to undef -# -# [*custom_wsgi_process_options_main*] +# [*custom_wsgi_process_options*] # (Optional) gives you the oportunity to add custom process options or to -# overwrite the default options for the WSGI main process. +# overwrite the default options for the WSGI process. # For example to use a virtual python environment for the WSGI process # you could set it to: # { python-path => '/my/python/virtualenv' } # Defaults to {} # -# [*custom_wsgi_process_options_admin*] -# (Optional) gives you the oportunity to add custom process options or to -# overwrite the default options for the WSGI admin process. -# eg. to use a virtual python environment for the WSGI process -# you could set it to: -# { python-path => '/my/python/virtualenv' } -# Defaults to {} -# # [*access_log_file*] # (Optional) The log file name for the virtualhost. # Defaults to false 
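Review bot: The new `[*wsgi_script_source*]` doc states "This source is copied to the apache cgi-bin path as keystone-public", but the `openstacklib::wsgi::apache` declaration later in this patch sets `wsgi_script_file => 'keystone'`, so the installed script name is `keystone`, not `keystone-public`. Change the sentence to `#   This source is copied to the apache cgi-bin path as keystone.` so operators looking for the file (or writing SELinux/AppArmor rules for it) find the right name.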
@@ -172,21 +133,77 @@ # (Optional) apache::vhost wsgi_chunked_request parameter. # Defaults to undef # +## DEPRECATED PARAMS +# +# [*servername_admin*] +# (Optional) The servername for the admin virtualhost. +# Defaults to undef +# +# [*public_port*] +# (Optional) The public port. +# Defaults to undef +# +# [*admin_port*] +# (Optional) The admin port. +# Defaults to undef +# +# [*admin_bind_host*] +# (Optional) The host/ip address Apache will listen on for admin API connections. +# Defaults to undef +# +# [*public_path*] +# (Optional) The prefix for the public endpoint. +# Defaults to undef +# +# [*admin_path*] +# (Optional) The prefix for the admin endpoint. +# Defaults to undef +# +# [*ssl_cert_admin*] +# (Optional) Path to SSL certificate for the admin endpoint. +# Default to undef +# +# [*ssl_key_admin*] +# (Optional) Path to SSL key for the admin endpoint. +# Default to undef +# +# [*wsgi_admin_script_source*] +# (Optional) Wsgi script source for the admin endpoint. If set to undef +# $::keystone::params::keystone_wsgi_admin_script_path is used. This source +# is copied to the apache cgi-bin path as keystone-admin. +# Defaults to undef +# +# [*wsgi_public_script_source*] +# (Optional) Wsgi script source for the public endpoint. If set to undef +# $::keystone::params::keystone_wsgi_public_script_path is used. This source +# is copied to the apache cgi-bin path as keystone-main. +# Defaults to undef +# +# [*custom_wsgi_process_options_main*] +# (Optional) gives you the oportunity to add custom process options or to +# overwrite the default options for the WSGI main process. +# For example to use a virtual python environment for the WSGI process +# you could set it to: +# { python-path => '/my/python/virtualenv' } +# Defaults to undef +# +# [*custom_wsgi_process_options_admin*] +# (Optional) gives you the oportunity to add custom process options or to +# overwrite the default options for the WSGI admin process. +# eg. 
to use a virtual python environment for the WSGI process +# you could set it to: +# { python-path => '/my/python/virtualenv' } +# Defaults to undef +# class keystone::wsgi::apache ( $servername = $::fqdn, - $servername_admin = undef, - $public_port = 5000, - $admin_port = 35357, $bind_host = undef, - $admin_bind_host = undef, - $public_path = '/', - $admin_path = '/', + $api_port = 5000, + $path = '/', $ssl = true, $workers = $::os_workers, $ssl_cert = undef, $ssl_key = undef, - $ssl_cert_admin = undef, - $ssl_key_admin = undef, $ssl_chain = undef, $ssl_ca = undef, $ssl_crl_path = undef, @@ -197,8 +214,7 @@ class keystone::wsgi::apache ( $wsgi_application_group = '%{GLOBAL}', $wsgi_pass_authorization = 'On', $wsgi_chunked_request = undef, - $wsgi_admin_script_source = $::keystone::params::keystone_wsgi_admin_script_path, - $wsgi_public_script_source = $::keystone::params::keystone_wsgi_public_script_path, + $wsgi_script_source = '/usr/bin/keystone-wsgi-public', $access_log_file = false, $access_log_pipe = false, $access_log_syslog = false, 
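Review bot: The deprecated-parameter docs for `wsgi_admin_script_source` and `wsgi_public_script_source` still say that when undef `$::keystone::params::keystone_wsgi_admin_script_path` / `..._public_script_path` "is used" and that the file is copied as `keystone-admin` / `keystone-main`, but this patch removes both params variables and the class now ignores these parameters entirely. Replace each with a statement of the actual behaviour, e.g. `#   (Optional) Deprecated and ignored; use wsgi_script_source instead.`, so the deprecated section does not describe code that no longer exists. The same applies to the `custom_wsgi_process_options_main`/`_admin` entries, which still describe separate main/admin processes.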
@@ -208,23 +224,51 @@ class keystone::wsgi::apache ( $error_log_syslog = undef, $headers = undef, $vhost_custom_fragment = undef, - $custom_wsgi_process_options_main = {}, - $custom_wsgi_process_options_admin = {}, + $custom_wsgi_process_options = {}, + ## DEPRECATED PARAMS + $servername_admin = undef, + $public_port = undef, + $admin_port = undef, + $admin_bind_host = undef, + $public_path = undef, + $admin_path = undef, + $ssl_cert_admin = undef, + $ssl_key_admin = undef, + $wsgi_admin_script_source = undef, + $wsgi_public_script_source = undef, + $custom_wsgi_process_options_main = undef, + $custom_wsgi_process_options_admin = undef, ) inherits ::keystone::params { include ::keystone::deps - $servername_admin_real = pick_default($servername_admin, $servername) - - if $ssl { - # Attempt to use the admin cert/key, else default to the public one. - # Since it's possible that no cert/key were given, we allow this to be empty with pick_default - $ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert) - $ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key) - } else { - $ssl_cert_admin_real = undef - $ssl_key_admin_real = undef + # TODO(tobias-urdin): Remove all deprecated parameters and this warnings in Train release. 
+ if $servername_admin { + warning('keystone::wsgi::apache::servername_admin has no effect, please use servername') } + if $public_port or $admin_port { + warning('keystone::wsgi::apache::public_port and admin_port has no effect, please use api_port') + } + if $admin_bind_host { + warning('keystone::wsgi::apache::admin_bind_host has no effect, please use bind_host') + } + if $public_path or $admin_path { + warning('keystone::wsgi::apache::public_path and admin_path has no effect, please use path') + } + if $ssl_cert_admin or $ssl_key_admin { + warning('keystone::wsgi::apache::ssl_cert_admin and ssl_key_admin has no effect, please use ssl_cert and ssl_key') + } + if $wsgi_admin_script_source or $wsgi_public_script_source { + warning('keystone::wsgi::apache::wsgi_admin_script_source and wsgi_public_script_source has no effect, please use wsgi_script_source') + } + if $custom_wsgi_process_options_main or $custom_wsgi_process_options_admin { + warning('keystone::wsgi::apache::custom_wsgi_process_options_main and custom_wsgi_process_options_admin has no effect, \ +please use custom_wsgi_process_options') + } + + # TODO(tobias-urdin): This dependency chaining can be moved to keystone::deps + # when we have cleaned up some old eventlet code and users are forced to use + # apache even though it's pretty much enforced today. # The httpd package is untagged, but needs to have ordering enforced, # so handle it here rather than in the deps class. 
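Review bot: The `custom_wsgi_process_options_main` warning breaks its single-quoted string with a trailing `\` before `please use custom_wsgi_process_options`, but Puppet single-quoted strings only treat `\\` and `\'` as escapes, so the backslash and the line break become part of the emitted message rather than a continuation. Put the text on one line, `warning('keystone::wsgi::apache::custom_wsgi_process_options_main and custom_wsgi_process_options_admin has no effect, please use custom_wsgi_process_options')`, or concatenate two literals. A smaller wart: the old default for those two parameters was `{}`, which is truthy in Puppet, so a caller that explicitly passed the old default now gets a spurious warning; `!= undef` comparisons would avoid that.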
@@ -246,61 +290,15 @@ class keystone::wsgi::apache ( Anchor['keystone::config::end'] ~> Service['httpd'] - # Ensure there's no trailing '/' except if this is also the only character - $public_path_real = regsubst($public_path, '(^/.*)/$', '\1') - $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1') - - if $public_port == $admin_port and $public_path_real == $admin_path_real { - fail('When using the same port for public and admin endpoints, public_path and admin_path should be different.') - } - - file { $::keystone::params::keystone_wsgi_script_path: - ensure => directory, - owner => 'keystone', - group => 'keystone', - mode => '0755', - require => Anchor['keystone::install::end'], - } - - if $public_port == $admin_port { - $custom_wsgi_script_aliases = { $admin_path_real => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin" } - - # NOTE(tobasco): Create this here since openstacklib::wsgi::apache only handles - # the keystone-public file if running public and admin on the same port. 
- file { 'keystone_wsgi_admin': - ensure => present, - path => "${::keystone::params::keystone_wsgi_script_path}/keystone-admin", - owner => 'keystone', - group => 'keystone', - mode => '0644', - source => $wsgi_admin_script_source, - require => File[$::keystone::params::keystone_wsgi_script_path], - } - - $apache_require = [ - File['keystone_wsgi_admin'], - ] - } else { - $custom_wsgi_script_aliases = undef - $apache_require = [] - } - - if $admin_bind_host { - $real_admin_bind_host = $admin_bind_host - } else { - # backwards compat before we had admin_bind_host - $real_admin_bind_host = $bind_host - } - - ::openstacklib::wsgi::apache { 'keystone_wsgi_main': + ::openstacklib::wsgi::apache { 'keystone_wsgi': servername => $servername, bind_host => $bind_host, - bind_port => $public_port, - group => 'keystone', - path => $public_path_real, + bind_port => $api_port, + group => $::keystone::params::keystone_group, + path => $path, workers => $workers, threads => $threads, - user => 'keystone', + user => $::keystone::params::keystone_user, priority => $priority, ssl => $ssl, ssl_cert => $ssl_cert, 
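Review bot: The trailing-slash normalisation `regsubst($public_path, '(^/.*)/$', '\1')` is removed along with the admin vhost, so `path => $path` now forwards a user-supplied `'/keystone/'` verbatim to `openstacklib::wsgi::apache`, where the old code deliberately stripped it; keep `$path_real = regsubst($path, '(^/.*)/$', '\1')` and pass `path => $path_real` so existing values keep producing the same WSGIScriptAlias. The `file { $::keystone::params::keystone_wsgi_script_path: ensure => directory, owner => 'keystone', … }` resource is also dropped; unless `openstacklib::wsgi::apache` manages `wsgi_script_dir` itself (not visible here) the script copy into that directory fails on a fresh host, and the explicit keystone-owned `0755` directory was the thing that kept the WSGI script out of a root-owned, world-writable location. The hunk ends inside the `openstacklib::wsgi::apache` declaration, which continues past it.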
@@ -310,18 +308,17 @@ class keystone::wsgi::apache ( ssl_crl_path => $ssl_crl_path, ssl_crl => $ssl_crl, ssl_certs_dir => $ssl_certs_dir, - wsgi_daemon_process => 'keystone_main', - wsgi_process_display_name => 'keystone-main', - wsgi_process_group => 'keystone_main', + wsgi_daemon_process => 'keystone', + wsgi_process_display_name => 'keystone', + wsgi_process_group => 'keystone', wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path, - wsgi_script_file => 'keystone-public', - wsgi_script_source => $wsgi_public_script_source, + wsgi_script_file => 'keystone', + wsgi_script_source => $wsgi_script_source, wsgi_application_group => $wsgi_application_group, wsgi_pass_authorization => $wsgi_pass_authorization, wsgi_chunked_request => $wsgi_chunked_request, headers => $headers, - custom_wsgi_process_options => $custom_wsgi_process_options_main, - custom_wsgi_script_aliases => $custom_wsgi_script_aliases, + custom_wsgi_process_options => $custom_wsgi_process_options, vhost_custom_fragment => $vhost_custom_fragment, access_log_file => $access_log_file, access_log_pipe => $access_log_pipe, 
@@ -330,47 +327,5 @@ class keystone::wsgi::apache ( error_log_file => $error_log_file, error_log_pipe => $error_log_pipe, error_log_syslog => $error_log_syslog, - require => $apache_require, - } - - if $public_port != $admin_port { - ::openstacklib::wsgi::apache { 'keystone_wsgi_admin': - servername => $servername_admin_real, - bind_host => $real_admin_bind_host, - bind_port => $admin_port, - group => 'keystone', - path => $admin_path_real, - workers => $workers, - threads => $threads, - user => 'keystone', - priority => $priority, - ssl => $ssl, - ssl_cert => $ssl_cert_admin_real, - ssl_key => $ssl_key_admin_real, - ssl_chain => $ssl_chain, - ssl_ca => $ssl_ca, - ssl_crl_path => $ssl_crl_path, - ssl_crl => $ssl_crl, - ssl_certs_dir => $ssl_certs_dir, - wsgi_daemon_process => 'keystone_admin', - wsgi_process_display_name => 'keystone-admin', - wsgi_process_group => 'keystone_admin', - wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path, - wsgi_script_file => 'keystone-admin', - wsgi_script_source => $wsgi_admin_script_source, - wsgi_application_group => $wsgi_application_group, - wsgi_pass_authorization => $wsgi_pass_authorization, - custom_wsgi_process_options => $custom_wsgi_process_options_admin, - vhost_custom_fragment => $vhost_custom_fragment, - wsgi_chunked_request => $wsgi_chunked_request, - headers => $headers, - access_log_file => $access_log_file, - access_log_pipe => $access_log_pipe, - access_log_syslog => $access_log_syslog, - access_log_format => $access_log_format, - error_log_file => $error_log_file, - error_log_pipe => $error_log_pipe, - error_log_syslog => $error_log_syslog, - } } } diff --git a/releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml b/releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml new file mode 100644 index 000000000..77329853b --- /dev/null +++ b/releasenotes/notes/remove-port-35357-ba49d2cf102f8c38.yaml 
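Review bot: Deleting the `keystone_wsgi_admin` resource (and renaming `keystone_wsgi_main` to `keystone_wsgi`) does not remove the `10-keystone_wsgi_admin.conf` and `10-keystone_wsgi_main.conf` vhosts that earlier runs of this module wrote, so on an in-place upgrade Apache keeps serving 35357 from the stale admin vhost and gets a second vhost on 5000 competing with the new `10-keystone_wsgi.conf`, unless `apache::purge_configs` is enabled. Since the point of the patch is that 35357 stops being served, add explicit cleanup of both old vhost titles (or at least a `file { …: ensure => absent }` for the two old config files and the old `keystone-public`/`keystone-admin` scripts) or state the `purge_configs` requirement in the release note. Whether `openstacklib::wsgi::apache` offers an `ensure => absent` passthrough for this is not visible here.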
@@ -0,0 +1,64 @@ +--- +prelude: > + This release puppet-keystone no longer deploys keystone with separated + ports (admin and public as they were called in v2.0). By default keystone + will only listen to port 5000, you need to make sure all your services are + configured to use the correct port to talk to keystone. +features: + - | + Added new parameter keystone::federation::openidc::keystone_url that can be + used to set the keystone url for federation, if not provided it will use + keystone::public_endpoint. +upgrade: + - | + Keystone is now deployed with only port 5000, you can change this with + keystone::wsgi::apache::api_port, you need to make sure all your services are + configured to talk to keystone on this port. If you want to keep backward + compatibility with port 35357 you should pass an array to api_port with + both port 35357 and 5000. + - | + The providers has been updated to read DEFAULT/public_port which defaults + to 5000 and use that port to talk to Keystone when managing resources. + You need to make sure that keystone::public_port and keystone::wsgi::apache::api_port + is set to the same value if you are deploying keystone with Apache WSGI. + - | + keystone::federation::mellon is now added to Keystone WSGI for port 5000 by + default and admin_port and main_port parameters does not do anything and is + deprecated. + - | + keystone::federation::shibboleth is now added to Keystone WSGI for port 5000 + by default and admin_port and main_port parameters does not do anything and is + deprecated. + - | + keystone::federation::openidc is now added to Keystone WSGI for port 5000 + by default and admin_port and main_port parameters does not do anything and is + deprecated. + - | + keystone::federation::openidc::keystone_url parameter has been added to give the + keystone endpoint, if it's not provided keystone::public_endpoint will be used. + We recommend that you set this since keystone::public_endpoint might be deprecated + in a future release. 
+deprecations: + - | + As of the removal of port 35357 the following parameters are deprecated + in the keystone::wsgi::apache class and has no effect: + + - ``servername_admin`` please use ``servername`` + - ``public_port`` and ``admin_port`` please use ``api_port`` + - ``admin_bind_host`` please use ``bind_host`` + - ``public_path`` and ``admin_path`` please use ``path`` + - ``ssl_cert_admin`` and ``ssl_key_admin`` please use ``ssl_cert`` and ``ssl_key`` + - ``wsgi_admin_script_source`` and ``wsgi_public_script_source`` please use ``wsgi_script_source`` + - ``custom_wsgi_process_options_main`` and ``custom_wsgi_process_options_admin`` please use ``custom_wsgi_process_options`` + - | + keystone::federation::mellon::admin_port and main_port is deprecated and has no effect + and will be removed in a future release. + - | + keystone::federation::shibboleth::admin_port and main_port is deprecated and has no effect + and will be removed in a future release. + - | + keystone::federation::openidc::admin_port and main_port is deprecated and has no effect + and will be removed in a future release. + - | + keystone::federation::openidc_httpd_configuration is deprecated and will be removed in + a future release. diff --git a/spec/acceptance/keystone_federation_identity_provider_spec.rb b/spec/acceptance/keystone_federation_identity_provider_spec.rb index c2936770e..e2ff358a5 100644 --- a/spec/acceptance/keystone_federation_identity_provider_spec.rb +++ b/spec/acceptance/keystone_federation_identity_provider_spec.rb @@ -83,10 +83,6 @@ describe 'keystone server running with Apache/WSGI as Identity Provider' do it { is_expected.to be_listening } end - describe port(35357) do - it { is_expected.to be_listening } - end - describe cron do it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') } end 
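Review bot: Dropping the `describe port(35357)` expectation only stops checking the legacy port; nothing in the acceptance run now asserts that 35357 is closed, which is exactly the property this change is meant to deliver. Replace it with a negative expectation, `describe port(35357) do it { is_expected.not_to be_listening } end`, so a stale vhost left behind by an upgrade, or a future regression, fails the run rather than passing silently. The same replacement applies to the shibboleth and wsgi_apache acceptance specs touched later in this patch.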
diff --git a/spec/acceptance/keystone_federation_shibboleth_spec.rb b/spec/acceptance/keystone_federation_shibboleth_spec.rb index 05f9fa50a..bc0bba00f 100644 --- a/spec/acceptance/keystone_federation_shibboleth_spec.rb +++ b/spec/acceptance/keystone_federation_shibboleth_spec.rb @@ -81,10 +81,6 @@ describe 'keystone server running with Apache/WSGI as Service Provider with Shib it { is_expected.to be_listening } end - describe port(35357) do - it { is_expected.to be_listening } - end - describe cron do it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') } end diff --git a/spec/acceptance/keystone_wsgi_apache_spec.rb b/spec/acceptance/keystone_wsgi_apache_spec.rb index 007f9afb4..d85c1037e 100644 --- a/spec/acceptance/keystone_wsgi_apache_spec.rb +++ b/spec/acceptance/keystone_wsgi_apache_spec.rb @@ -77,10 +77,6 @@ describe 'keystone server running with Apache/WSGI with resources' do it { is_expected.to be_listening } end - describe port(35357) do - it { is_expected.to be_listening } - end - describe cron do it { is_expected.to have_entry('1 * * * * keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1').with_user('keystone') } end diff --git a/spec/classes/keystone_federation_mellon_spec.rb b/spec/classes/keystone_federation_mellon_spec.rb index 4b8050cb5..7e814fcfd 100644 --- a/spec/classes/keystone_federation_mellon_spec.rb +++ b/spec/classes/keystone_federation_mellon_spec.rb @@ -29,12 +29,6 @@ describe 'keystone::federation::mellon' do it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./ end - before do - params.merge!({:admin_port => false, - :main_port => false}) - it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./ - end - before do params.merge!({:template_port => 330}) it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./ 
@@ -53,33 +47,9 @@ describe 'keystone::federation::mellon' do is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') end - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ + it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({ # This need to change if priority is changed in keystone::wsgi::apache - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - end - - context 'with override default parameters' do - before do - params.merge!({ - :admin_port => true }) - end - - it 'should have basic params for mellon in Keystone configuration' do - is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') - is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') - end - - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ - # This need to change if priority is changed in keystone::wsgi::apache - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_35357').with({ - # This need to change if priority is changed in keystone::wsgi::apache - :target => "10-keystone_wsgi_admin.conf", + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end @@ -105,8 +75,8 @@ describe 'keystone::federation::mellon' do is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/') end - it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end 
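Review bot: With the override context deleted, nothing in this spec exercises the `admin_port`/`main_port` parameters that the release note keeps as deprecated no-ops, so a regression that makes them fail again (the old `No VirtualHost port to configure` path) would go unnoticed. A small context that sets `:admin_port => true, :main_port => false` and still expects the single `configure_mellon_keystone` fragment on `10-keystone_wsgi.conf` would pin that contract; the openidc hunk (@@ -77,31) and the shibboleth hunks (@@ -85,30 and @@ -126,45) drop their equivalent contexts in the same way. The enclosing context block starts before this hunk.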
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb index 47e1d7cae..fc2b904e6 100644 --- a/spec/classes/keystone_federation_openidc_spec.rb +++ b/spec/classes/keystone_federation_openidc_spec.rb @@ -35,12 +35,6 @@ describe 'keystone::federation::openidc' do it_raises 'a Puppet::Error', /Methods should contain openid as one of the auth methods./ end - before do - params.merge!(:admin_port => false, - :main_port => false) - it_raises 'a Puppet:Error', /No VirtualHost port to configure, please choose at least one./ - end - before do params.merge!(:template_port => 330) it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./ @@ -77,31 +71,8 @@ describe 'keystone::federation::openidc' do is_expected.to contain_keystone_config('auth/openid').with_ensure('absent') end - it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({ - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - end - - context 'with override default parameters' do - before do - params.merge!({ - :admin_port => true, - }) - end - - it 'should have basic params for openidc in Keystone configuration' do - is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openid') - is_expected.to contain_keystone_config('auth/openid').with_ensure('absent') - end - - it { is_expected.to contain_concat__fragment('configure_openidc_on_main').with({ - :target => "10-keystone_wsgi_main.conf", - :order => params[:template_order], - })} - - it { is_expected.to contain_concat__fragment('configure_openidc_on_admin').with({ - :target => "10-keystone_wsgi_admin.conf", + it { is_expected.to contain_concat__fragment('configure_openidc_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end 
diff --git a/spec/classes/keystone_federation_shibboleth_spec.rb b/spec/classes/keystone_federation_shibboleth_spec.rb index 9dcfa36fc..aee1da6d3 100644 --- a/spec/classes/keystone_federation_shibboleth_spec.rb +++ b/spec/classes/keystone_federation_shibboleth_spec.rb @@ -27,12 +27,6 @@ describe 'keystone::federation::shibboleth' do it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./ end - context 'no ports' do - let (:params) { default_params.merge(:admin_port => false, - :main_port => false) } - it_raises 'a Puppet::Error', /No VirtualHost port to configure, please choose at least one./ - end - context 'template port too low' do let(:params) { default_params.merge(:template_order => 330) } it_raises 'a Puppet::Error', /The template order should be greater than 330 and less than 999./ 
@@ -85,30 +79,16 @@ describe 'keystone::federation::shibboleth' do end context 'with defaults' do - let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } - it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } + it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } + it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end - context 'with overrides' do - let (:params) { default_params.merge({ - :admin_port => true, - :template_order => 332 - }) } - - it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } - it {is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } - it { - is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({ - :target => "10-keystone_wsgi_admin.conf", - :order => params[:template_order], - }) - } - end end 
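Review bot: The 'with defaults' context here loses its `let (:params) { default_params }` while its fragment assertion still reads `params[:template_order]`, so unless a `let(:params)` is defined in an enclosing block above the hunk this example will fail on an undefined `params`. The sibling 'with defaults' contexts in the next hunks (@@ -126,45 and @@ -174,8) keep the `let`, so the three should agree; restore `let (:params) { default_params }` as the first line of the context. The enclosing describe block starts before this hunk.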
@@ -126,45 +106,22 @@ describe 'keystone::federation::shibboleth' do let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } - it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } + it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } + it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} end - context 'with overrides' do - let (:params) { default_params.merge({ - :admin_port => true, - :template_order => 332 - }) } - - it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } - it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } - it { - is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({ - :target => "10-keystone_wsgi_admin.conf", - :order => params[:template_order], - }) - } - end - end context 'without repo or package' do context 'with defaults' do let (:params) { default_params } it { is_expected.to_not contain_apache__mod('shib2') } - it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_5000') } - end - - context 'with overrides' do - let (:params) { default_params.merge({ - :admin_port => true, - :template_order => 332 - }) } - it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') } - it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') } + it { is_expected.to_not contain_concat__fragment('configure_shibboleth_keystone') } end end end 
@@ -174,8 +131,8 @@ describe 'keystone::federation::shibboleth' do let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } - it { is_expected.to contain_concat__fragment('configure_shibboleth_on_port_5000').with({ - :target => "10-keystone_wsgi_main.conf", + it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ + :target => "10-keystone_wsgi.conf", :order => params[:template_order], })} diff --git a/spec/classes/keystone_wsgi_apache_spec.rb b/spec/classes/keystone_wsgi_apache_spec.rb index 84ee98054..647e6b81e 100644 --- a/spec/classes/keystone_wsgi_apache_spec.rb +++ b/spec/classes/keystone_wsgi_apache_spec.rb 
@@ -2,87 +2,24 @@ require 'spec_helper' describe 'keystone::wsgi::apache' do - let :global_facts do - { - :os_workers => 8, - :concat_basedir => '/var/lib/puppet/concat', - :fqdn => 'some.host.tld' - } - end - let :pre_condition do - [ - 'class { keystone: admin_token => "dummy", service_name => "httpd", enable_ssl => true }' - ] + "class { '::keystone': + admin_token => 'dummy', + service_name => 'httpd', + enable_ssl => true, + }" end - shared_examples_for 'apache serving keystone with mod_wsgi' do - it { is_expected.to contain_service('httpd').with_name(platform_params[:httpd_service_name]) } - it { is_expected.to contain_class('keystone::params') } - it { is_expected.to contain_class('apache') } - it { is_expected.to contain_class('apache::mod::wsgi') } - it { is_expected.to contain_class('apache::mod::ssl') } - it { is_expected.to contain_class('keystone::db::sync') } + shared_examples 'keystone::wsgi::apache' do + context 'with default parameters' do + it { + should contain_class('keystone::params') + should contain_class('keystone::deps') + } - describe 'with default parameters' do - - it { is_expected.to contain_file("#{platform_params[:wsgi_script_path]}").with( - :ensure => 'directory', - :owner => 'keystone', - :group => 'keystone', - :require => 'Anchor[keystone::install::end]', - )} - - it { is_expected.to contain_file('keystone_wsgi_admin').with( - :ensure => 'file', - :path => "#{platform_params[:wsgi_script_path]}/keystone-admin", - :source => platform_params[:wsgi_admin_script_source], - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => "File[#{platform_params[:wsgi_script_path]}]", - )} - - it { is_expected.to contain_file('keystone_wsgi_main').with( - :ensure => 'file', - :path => "#{platform_params[:wsgi_script_path]}/keystone-public", - :source => platform_params[:wsgi_public_script_source], - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => 
"File[#{platform_params[:wsgi_script_path]}]", - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'some.host.tld', - :bind_port => 35357, - :group => 'keystone', - :workers => facts[:os_workers], - :threads => 1, - :user => 'keystone', - :priority => '10', - :ssl => true, - :wsgi_daemon_process => 'keystone_main', - :wsgi_process_display_name => 'keystone-main', - :wsgi_process_group => 'keystone_main', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-public', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_main]', - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( :servername => 'some.host.tld', + :bind_host => nil, :bind_port => 5000, :group => 'keystone', :workers => facts[:os_workers], @@ -90,12 +27,13 @@ describe 'keystone::wsgi::apache' do :user => 'keystone', :priority => '10', :ssl => true, - :wsgi_daemon_process => 'keystone_admin', - :wsgi_process_display_name => 'keystone-admin', - :wsgi_process_group => 'keystone_admin', + :wsgi_daemon_process => 'keystone', + :wsgi_process_display_name => 'keystone', + :wsgi_process_group => 'keystone', :wsgi_application_group => '%{GLOBAL}', :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-admin', + :wsgi_script_file => 'keystone', + :wsgi_script_source => '/usr/bin/keystone-wsgi-public', :wsgi_pass_authorization => 'On', :headers => nil, :custom_wsgi_process_options => {}, 
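Review bot: The rewritten default-parameter context asserts only the two keystone classes and the `openstacklib::wsgi::apache` resource; the deleted checks that the `httpd` service carries the platform service name and that `apache`, `apache::mod::wsgi`, `apache::mod::ssl` and `keystone::db::sync` are declared have no replacement, even though `platform_params[:httpd_service_name]` is still built for that purpose later in the file. Consider keeping `should contain_service('httpd').with_name(platform_params[:httpd_service_name])` and `should contain_class('apache::mod::ssl')` in the first `it` block; the `enable_ssl => true` pre_condition makes the ssl module expectation meaningful. The shared_examples block continues past this hunk.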
@@ -106,402 +44,170 @@ describe 'keystone::wsgi::apache' do :error_log_file => nil, :error_log_pipe => nil, :error_log_syslog => nil, - :require => 'File[keystone_wsgi_admin]', )} - - it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") } end - describe 'when overriding parameters using different ports' do + context 'when overriding parameters' do let :params do { - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :admin_bind_host => '10.42.51.2', - :public_port => 12345, - :admin_port => 4142, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' + :servername => 'dummy.host', + :bind_host => '127.0.0.1', + :api_port => 1234, + :path => '/keystone', + :ssl => false, + :workers => 10, + :ssl_cert => 'ssl cert', + :ssl_key => 'ssl key', + :ssl_chain => 'ssl chain', + :ssl_ca => 'ssl ca', + :ssl_crl_path => '/etc/ssl', + :ssl_crl => 'crl', + :ssl_certs_dir => '/etc/ssl/certs', + :threads => 10, + :priority => '20', + :wsgi_application_group => 'group', + :wsgi_pass_authorization => 'Off', + :wsgi_chunked_request => 'On', + :wsgi_script_source => '/path/to/my/script.py', + :headers => 'set X-Frame-Options "DENY"', + :vhost_custom_fragment => 'custom', + :custom_wsgi_process_options => { 'python-path' => '/my/python/virtualenv' }, } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 12345, - :user => 'keystone', - :group => 'keystone', - :workers => 37, - :threads => 1, - :priority => '10', - :ssl => false, - :wsgi_daemon_process => 'keystone_main', - :wsgi_process_display_name => 'keystone-main', - :wsgi_process_group => 'keystone_main', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-public', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - 
:vhost_custom_fragment => 'LimitRequestFieldSize 81900', - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_main]', + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :servername => params[:servername], + :bind_host => params[:bind_host], + :bind_port => params[:api_port], + :path => params[:path], + :workers => params[:workers], + :threads => params[:threads], + :priority => params[:priority], + :ssl => params[:ssl], + :ssl_cert => params[:ssl_cert], + :ssl_key => params[:ssl_key], + :ssl_chain => params[:ssl_chain], + :ssl_ca => params[:ssl_ca], + :ssl_crl_path => params[:ssl_crl_path], + :ssl_crl => params[:ssl_crl], + :ssl_certs_dir => params[:ssl_certs_dir], + :wsgi_application_group => params[:wsgi_application_group], + :wsgi_pass_authorization => params[:wsgi_pass_authorization], + :wsgi_chunked_request => params[:wsgi_chunked_request], + :wsgi_script_source => params[:wsgi_script_source], + :headers => params[:headers], + :vhost_custom_fragment => params[:vhost_custom_fragment], + :custom_wsgi_process_options => params[:custom_wsgi_process_options], )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 4142, - :group => 'keystone', - :workers => 37, - :threads => 1, - :user => 'keystone', - :priority => '10', - :ssl => false, - :wsgi_daemon_process => 'keystone_admin', - :wsgi_process_display_name => 'keystone-admin', - :wsgi_process_group => 'keystone_admin', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-admin', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - :vhost_custom_fragment => 'LimitRequestFieldSize 
81900', - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_admin]', - )} - - it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") } end - describe 'when admin_bind_host is not set default to bind_host' do + context 'with backward compatible ports' do let :params do { - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :public_port => 12345, - :admin_port => 4142, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' + :api_port => [35357, 5000], } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 12345, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :servername => 'dummy.host', - :bind_host => '10.42.51.1', - :bind_port => 4142, - :ssl => false, - :workers => 37, - :vhost_custom_fragment => 'LimitRequestFieldSize 81900' - )} - - it { is_expected.to contain_concat("#{platform_params[:httpd_ports_file]}") } - end - - describe 'when servername_admin is overridden' do - let :params do - { - :servername => 'dummy1.host', - :servername_admin => 'dummy2.host', - } - end - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy1.host', - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :servername => 'dummy2.host', - )} - - end - - describe 'when wsgi_daemon_process_options are overridden' do - let :params do - { - :custom_wsgi_process_options_main => { - python_path => '/my/python/main/path', - }, - :custom_wsgi_process_options_admin => { - python_path => 
'/my/python/admin/path', - }, - } - end - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :custom_wsgi_process_options => { 'python-path' => '/my/python/main/path' }, - )} - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :custom_wsgi_process_options => { 'python-path' => '/my/python/admin/path' }, - )} - - end - - describe 'when overriding parameters using same port' do - let :params do - { - :servername => 'dummy.host', - :public_port => 4242, - :admin_port => 4242, - :public_path => '/main/endpoint/', - :admin_path => '/admin/endpoint/', - :ssl => true, - :workers => 37, - } - end - - it { is_expected.to_not contain_openstacklib__wsgi__apache('keystone_wsgi_admin') } - - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :bind_port => 4242, - :user => 'keystone', - :group => 'keystone', - :workers => 37, - :threads => 1, - :priority => '10', - :ssl => true, - :wsgi_daemon_process => 'keystone_main', - :wsgi_process_display_name => 'keystone-main', - :wsgi_process_group => 'keystone_main', - :wsgi_application_group => '%{GLOBAL}', - :wsgi_script_dir => platform_params[:wsgi_script_path], - :wsgi_script_file => 'keystone-public', - :wsgi_pass_authorization => 'On', - :headers => nil, - :custom_wsgi_process_options => {}, - :custom_wsgi_script_aliases => { '/admin/endpoint' => "#{platform_parameters[:wsgi_script_path]}/keystone-admin" }, - :access_log_file => false, - :access_log_pipe => false, - :access_log_syslog => false, - :access_log_format => false, - :error_log_file => nil, - :error_log_pipe => nil, - :error_log_syslog => nil, - :require => 'File[keystone_wsgi_main]' + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :bind_port => [35357, 5000], )} end - describe 'when overriding parameters using same port and same path' do + context 'with custom access logging' do let :params do { - 
:servername => 'dummy.host', - :public_port => 4242, - :admin_port => 4242, - :public_path => '/endpoint/', - :admin_path => '/endpoint/', - :ssl => true, - :workers => 37, - } - end - - it_raises 'a Puppet::Error', /When using the same port for public and admin endpoints, public_path and admin_path should be different\./ - end - - describe 'when overriding default apache logging' do - let :params do - { - :servername => 'dummy.host', :access_log_format => 'foo', :access_log_syslog => 'syslog:local0', - } - end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :servername => 'dummy.host', - :access_log_format => 'foo', - :access_log_syslog => 'syslog:local0', - )} - end - - describe 'when overriding parameters using symlink and custom file source' do - let :params do - { - :wsgi_script_source => '/opt/keystone/httpd/keystone.py', + :error_log_syslog => 'syslog:local1', } end - it { is_expected.to contain_file('keystone_wsgi_admin').with( - :ensure => 'link', - :path => "#{platform_params[:wsgi_script_path]}/keystone-admin", - :target => '/opt/keystone/httpd/keystone.py', - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => "File[#{platform_params[:wsgi_script_path]}]", - )} - - it { is_expected.to contain_file('keystone_wsgi_main').with( - :ensure => 'link', - :path => "#{platform_params[:wsgi_script_path]}/keystone-public", - :target => '/opt/keystone/httpd/keystone.py', - :owner => 'keystone', - :group => 'keystone', - :mode => '0644', - :require => "File[#{platform_params[:wsgi_script_path]}]", + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :access_log_format => params[:access_log_format], + :access_log_syslog => params[:access_log_syslog], + :error_log_syslog => params[:error_log_syslog], )} end - describe 'when setting ssl cert and key' do + context 'with access_log_file' do let :params do { - :ssl_cert => 'some cert', - :ssl_key => 'some key', - } - end - it { 
is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :ssl_cert => 'some cert', - :ssl_key => 'some key', - )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :ssl_cert => 'some cert', - :ssl_key => 'some key', - )} - end - - describe 'when setting different ssl cert and key for admin' do - let :params do - { - :ssl_cert => 'some cert', - :ssl_key => 'some key', - :ssl_cert_admin => 'some cert admin', - :ssl_key_admin => 'some key admin', - } - end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :ssl_cert => 'some cert', - :ssl_key => 'some key', - )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :ssl_cert => 'some cert admin', - :ssl_key => 'some key admin', - )} - end - - describe 'when overriding parameters using wsgi chunked request' do - let :params do - { - :wsgi_chunked_request => 'On' + :access_log_file => '/path/to/file', } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :wsgi_chunked_request => 'On' + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :access_log_file => params[:access_log_file], )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :wsgi_chunked_request => 'On' - )} - end - describe 'when overriding parameters using additional headers' do + context 'with access_log_pipe' do let :params do { - :headers => 'set X-Frame-Options "DENY"' + :access_log_pipe => 'pipe', } end - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_main').with( - :headers => 'set X-Frame-Options "DENY"' + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :access_log_pipe => params[:access_log_pipe], )} - it { is_expected.to contain_openstacklib__wsgi__apache('keystone_wsgi_admin').with( - :headers => 'set X-Frame-Options "DENY"' - )} - end - describe 'when overriding script paths 
with link' do + context 'with error_log_file' do let :params do { - :wsgi_file_target => 'link', - :wsgi_admin_script_source => '/home/foo/admin-script', - :wsgi_public_script_source => '/home/foo/public-script', + :error_log_file => '/path/to/file', } end - it 'should contain correct files' do - is_expected.to contain_file('keystone_wsgi_main').with( - :path => "#{facts[:wsgi_script_path]}/keystone-public", - :target => params[:wsgi_public_script_source] - ) - is_expected.to contain_file('keystone_wsgi_admin').with( - :path => "#{facts[:wsgi_script_path]}/keystone-admin", - :target => params[:wsgi_admin_script_source] - ) - end + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :error_log_file => params[:error_log_file], + )} end - describe 'when overriding script paths with source' do + context 'with error_log_pipe' do let :params do { - :wsgi_admin_script_source => '/home/foo/admin-script', - :wsgi_public_script_source => '/home/foo/public-script', + :error_log_pipe => 'pipe', } end - it 'should contain correct files' do - is_expected.to contain_file('keystone_wsgi_main').with( - :path => "#{facts[:wsgi_script_path]}/keystone-public", - :source => params[:wsgi_public_script_source] - ) - is_expected.to contain_file('keystone_wsgi_admin').with( - :path => "#{facts[:wsgi_script_path]}/keystone-admin", - :source => params[:wsgi_admin_script_source] - ) - end + it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with( + :error_log_pipe => params[:error_log_pipe], + )} end end on_supported_os({ + :supported_os => OSDefaults.get_supported_os }).each do |os,facts| - let (:facts) do - facts.merge!(OSDefaults.get_facts({})) - end - - let(:platform_params) do - case facts[:osfamily] - when 'Debian' - { - :httpd_service_name => 'apache2', - :httpd_ports_file => '/etc/apache2/ports.conf', - :wsgi_script_path => '/usr/lib/cgi-bin/keystone', - :wsgi_admin_script_source => '/usr/bin/keystone-wsgi-admin', - :wsgi_public_script_source => 
'/usr/bin/keystone-wsgi-public' - } - when 'RedHat' - { - :httpd_service_name => 'httpd', - :httpd_ports_file => '/etc/httpd/conf/ports.conf', - :wsgi_script_path => '/var/www/cgi-bin/keystone', - :wsgi_admin_script_source => '/usr/bin/keystone-wsgi-admin', - :wsgi_public_script_source => '/usr/bin/keystone-wsgi-public' - } + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts({ + :os_workers => 8, + :concat_basedir => '/var/lib/puppet/concat', + :fqdn => 'some.host.tld', + })) end + + let(:platform_params) do + case facts[:osfamily] + when 'Debian' + { + :httpd_service_name => 'apache2', + :httpd_ports_file => '/etc/apache2/ports.conf', + :wsgi_script_path => '/usr/lib/cgi-bin/keystone', + } + when 'RedHat' + { + :httpd_service_name => 'httpd', + :httpd_ports_file => '/etc/httpd/conf/ports.conf', + :wsgi_script_path => '/var/www/cgi-bin/keystone', + } + end + end + + it_behaves_like 'keystone::wsgi::apache' end end end diff --git a/spec/unit/provider/keystone_spec.rb b/spec/unit/provider/keystone_spec.rb index 6eb95c445..2da45288e 100644 --- a/spec/unit/provider/keystone_spec.rb +++ b/spec/unit/provider/keystone_spec.rb @@ -171,7 +171,7 @@ id="the_user_id" end it 'should use the specified bind_host in the admin endpoint' do - mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }} + mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') 
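Review bot: After this hunk `platform_params` still defines `:httpd_service_name` and `:httpd_ports_file` for both os families, but no example in the new spec reads either key, because the `contain_concat("#{platform_params[:httpd_ports_file]}")` assertions went away with the old contexts. Either drop the two keys or restore `it { should contain_concat(platform_params[:httpd_ports_file]) }` in the default-parameter context so the ports file is still verified. The 'with backward compatible ports' context only checks that `:bind_port => [35357, 5000]` is passed through; given the release note says 35357 is being retired, either an assertion on the deprecation behaviour of the array form or a comment stating that it intentionally stays silent would document the intended contract.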
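Review bot: The mocks in this hunk and the six that follow (@@ -179 through @@ -219) now pair `admin_bind_host` with `public_port`, while the example descriptions still describe the 'admin endpoint'. If lib/puppet/provider/keystone.rb (changed in this commit, not in this chunk) now builds the endpoint from `public_port`, presumably the host should come from `public_bind_host` as well and the descriptions should say 'endpoint' rather than 'admin endpoint'. If the provider deliberately keeps reading `admin_bind_host`, a comment above the first mock, `# provider still reads admin_bind_host; only the port option was renamed`, would stop the next reader from "fixing" it.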
@@ -179,7 +179,7 @@ id="the_user_id" end it 'should use localhost in the admin endpoint if bind_host is 0.0.0.0' do - mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -187,7 +187,7 @@ id="the_user_id" end it 'should use [::1] in the admin endpoint if bind_host is ::0' do - mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -195,7 +195,7 @@ id="the_user_id" end it 'should use [2620:52:0:23a9::25] in the admin endpoint if bind_host is 2620:52:0:23a9::25' do - mock = {'DEFAULT' => { 'admin_bind_host' => '2620:52:0:23a9::25', 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'admin_bind_host' => '2620:52:0:23a9::25', 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -203,7 +203,7 @@ id="the_user_id" end it 'should use localhost in the admin endpoint if bind_host is unspecified' do - mock = {'DEFAULT' => { 'admin_port' => '5001' }} + mock = {'DEFAULT' => { 'public_port' => '5001' }} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') 
@@ -211,7 +211,7 @@ id="the_user_id" end it 'should use https if ssl is enabled' do - mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }, 'ssl' => {'enable' => 'True'}} + mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }, 'ssl' => {'enable' => 'True'}} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') @@ -219,7 +219,7 @@ id="the_user_id" end it 'should use http if ssl is disabled' do - mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '5001' }, 'ssl' => {'enable' => 'False'}} + mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'public_port' => '5001' }, 'ssl' => {'enable' => 'False'}} File.expects(:exists?).with("/etc/keystone/keystone.conf").returns(true) Puppet::Util::IniConfig::File.expects(:new).returns(mock) mock.expects(:read).with('/etc/keystone/keystone.conf') diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb index c30cea158..6272e7899 100644 --- a/templates/openidc.conf.erb +++ b/templates/openidc.conf.erb @@ -16,8 +16,8 @@ # The following directives are necessary to support websso from Horizon # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) - OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" - OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso/openid" + OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" + OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/websso/openid" AuthType "openid-connect"
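Review bot: Both `OIDCRedirectURI` lines now read `@keystone_url_real`, an instance variable that must be set by the openidc class (manifests/federation/openidc.pp is part of this commit but outside this chunk); if the template is rendered without it the URIs collapse to a bare path. Because the redirect URI is what the OpenID Connect provider validates, a short comment above the directives, `# keystone_url_real must be the externally reachable Keystone URL registered with the provider`, would make that dependency explicit.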