Remove deprecated keystone::federation::openidc params

These params have been deprecated. Also removes the keystone_url
fallback behavior: it no longer falls back on
keystone::public_endpoint.

Change-Id: I52b4c2a2911007b516a6ea20229a3579bc9dd945
Tobias Urdin 2019-05-10 17:11:07 +02:00
parent a4ff243d8a
commit b081ee8e25
4 changed files with 19 additions and 40 deletions


@ -2,6 +2,9 @@
# #
# == Parameters # == Parameters
# #
# [*keystone_url*]
# (Required) URL to keystone endpoint.
#
# [*methods*] # [*methods*]
# A list of methods used for authentication separated by comma or an array. # A list of methods used for authentication separated by comma or an array.
# The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2', # The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2',
@ -89,26 +92,12 @@
# (Optional) Defaults to 331. # (Optional) Defaults to 331.
# #
# [*package_ensure*] # [*package_ensure*]
# (Optional) Desired ensure state of packages. # (Optional) Desired ensure state of packages.
# accepts latest or specific versions. # accepts latest or specific versions.
# Defaults to present. # Defaults to present.
#
# [*keystone_url*]
# (optional) URL to keystone endpoint.
#
# === DEPRECATED
#
# [*admin_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 35357.
# (Optional) Defaults to undef.
#
# [*main_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 5000.
# (Optional) Defaults to undef.
# #
class keystone::federation::openidc ( class keystone::federation::openidc (
$keystone_url,
$methods, $methods,
$idp_name, $idp_name,
$openidc_provider_metadata_url, $openidc_provider_metadata_url,
@ -129,29 +118,12 @@ class keystone::federation::openidc (
$remote_id_attribute = undef, $remote_id_attribute = undef,
$template_order = 331, $template_order = 331,
$package_ensure = present, $package_ensure = present,
$keystone_url = undef,
# DEPRECATED
$admin_port = undef,
$main_port = undef,
) { ) {
include ::apache include ::apache
include ::keystone::deps include ::keystone::deps
include ::keystone::params include ::keystone::params
# TODO(tobias-urdin): Make keystone_url required when keystone::public_endpoint is removed.
# Dont forget to change the keystone_url_real variable in the templates/openidc.conf.rb file.
# The fail statement below can also be removed since keystone_url will be a required parameter.
$keystone_url_real = pick($keystone_url, $::keystone::public_endpoint)
if $keystone_url_real == undef or is_service_default($keystone_url_real) {
fail('You must set either keystone_url or keystone::public_endpoint')
}
if $admin_port or $main_port {
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
}
if $openidc_enable_oauth and !$openidc_introspection_endpoint { if $openidc_enable_oauth and !$openidc_introspection_endpoint {
fail('You must set openidc_introspection_endpoint when enabling oauth support') fail('You must set openidc_introspection_endpoint when enabling oauth support')
} }
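Review bot: `$keystone_url` is now required but untyped, and with the `is_service_default` guard removed nothing rejects a service-default placeholder, an empty string or a value with a trailing slash before it is interpolated into both `OIDCRedirectURI` lines of the openidc template (the `@keystone_url` lines in the last file section). A redirect URI that does not exactly match the one registered with the identity provider breaks the websso flow, and a plain-http value would presumably carry the authorization response in cleartext. Consider typing the parameter, e.g. `Stdlib::HTTPUrl $keystone_url,` if the module's stdlib version provides that type, or keeping a guard such as `if is_service_default($keystone_url) { fail('keystone_url must be set to a URL') }`. The class body continues outside the hunk.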


@ -0,0 +1,8 @@
---
upgrade:
- |
The deprecated parameters main_port and admin_port in keystone::federation::openidc
is now removed.
- |
The keystone::federation::openidc::keystone_url parameter is now mandatory and does
not fallback on the keystone::public_endpoint value.


@ -10,8 +10,6 @@ describe 'keystone::federation::openidc' do
<<-EOS <<-EOS
class { 'keystone': class { 'keystone':
admin_token => 'service_token', admin_token => 'service_token',
public_endpoint => 'http://os.example.com:5000',
admin_endpoint => 'http://os.example.com:35357',
} }
include keystone::wsgi::apache include keystone::wsgi::apache
@ -19,7 +17,8 @@ describe 'keystone::federation::openidc' do
end end
let :params do let :params do
{ :methods => 'password, token, openid', { :keystone_url => 'http://localhost:5000',
:methods => 'password, token, openid',
:idp_name => 'myidp', :idp_name => 'myidp',
:openidc_provider_metadata_url => 'https://accounts.google.com/.well-known/openid-configuration', :openidc_provider_metadata_url => 'https://accounts.google.com/.well-known/openid-configuration',
:openidc_client_id => 'openid_client_id', :openidc_client_id => 'openid_client_id',
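Review bot: Nothing in the visible hunks exercises the new contract that `keystone_url` is mandatory; the params hash only gains a value so the existing examples keep compiling. If the rest of the spec (outside these hunks) has no such case, add a context that omits `:keystone_url` and expects a compile failure, e.g. `it { is_expected.to compile.and_raise_error(/keystone_url/) }`. An example asserting that the rendered vhost fragment contains the redirect URI built from `http://localhost:5000` would also pin the template's rename from `@keystone_url_real` to `@keystone_url`. The `let :params` hash continues outside the hunk.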


@ -34,8 +34,8 @@
# The following directives are necessary to support websso from Horizon # The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/websso/openid" OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/websso/openid"
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid"> <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect" AuthType "openid-connect"