This patch replaces the remaining usage of absolute name in 'require',
and makes all class inclusion depend on relative name.
Change-Id: Id4e75f6fcff47170ea624c1b5943086ceac5a678
- Deprecate service_username and service_password so that we can use
more simple parameter names like username.
- Deprecate user_domain_id because we use user_domain_name generally.
- Change the default value of project_domain_name because Default
instead of default is now used generally for default domain name.
Change-Id: I69565d6888d778a109b0e39108d660a871a8202d
This is a follow-up of 0aac4291bda4b4d46f2a03a3beac730cfb78cd9e, and
makes sure we test whether nova::params::nova_join_package_name is
undef, to avoid unexpected matching with false for example.
Change-Id: Ic3cebbaf73adbfb30b88a93c0bc4dbc516ba3664
This allows novajoin policy overrides to be written to
/etc/novajoin/policy.json, just as nova::policy does for
/etc/nova/policy.json.
Change-Id: I8b2b60164314ce92b0df1a648f1356290576047a
Blueprint: nova-less-deploy
The deprecated PKI-related options check_revocations_for_cached and
hash_algorithms have been removed.
Change-Id: Ia0324cac87fbaf64ca5b1ec2b0dfa60b655569b4
In nova::metadata::novajoin::authtoken there are also
PKI parameters that need to be deprecated, or else
rspec testing fails since they are removed in puppet-oslo.
Change-Id: I489f10502ccaec40e72d08f5449965ad68b673aa
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.
Change-Id: Ib78b6826d1a98baeebf7455a3778555973e789bc
We need the FreeIPA server hostname in order to request the kerberos
keytab for the novajoin process. For the containerized case, we
assume that the node is enrolled to FreeIPA before puppet is run.
This, however, is not the case for the baremetal case, since puppet
calls the FreeIPA enrollment. Thus, we need to handle this case.
Change-Id: If73a7b674536df33c32507977941be784f82e8f4
Closes-Bug: #1761786
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]https://review.openstack.org/#/c/508522/
Change-Id: I0dd36ef1f1f5dcdc57413736ecb8f2555712c36d
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
This enables the puppet module to optionally create a minimal kerberos
configuration. This is especially useful when running novajoin inside a
container, since when running with SELinux enabled, we sometimes cannot
load the kerberos configuration from the host due to some includes
pointing to /var/lib.
Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
Keystone v2.0 API was removed so we have no choice but to configure
user_domain_name and project_domain_name, otherwise it falls back to
Keystone v2.0 and it fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.
Change-Id: I372928fca38664ac0638212386d1d7c7cb7666c8
The revocation_cache_time is deprecated for removal because the PKI
token format is no longer supported.
Update warning message and add a release note.
Change-Id: I3c031b1fb99f493c7c116c75014503915670a81c
Closes-Bug: #1717144
From ocata to pike, the log ownership changed. So here we make sure that
it changes on update via puppet.
Change-Id: I767b53801bc40a22a403c3e89498c3aa099bc162
Closes-Bug: #1714991
Running the unit tests under the latest puppet fails because of
undefined resources. This change updates the references to use
collectors if they are optional or change the definitions in the files
for resources that are defined in the existing class.
Change-Id: I5506a563c459baf9d34246a1d517e07a82e0f36b
Closes-Bug: #1702964
This uses novajoin's user and directory for the novajoin service instead
of relying on the nova service user and /etc/nova. It also removes some
nova-specific parameters related to auth, to replace them with more
generic names.
Change-Id: I5e02164854542ad08b1b517f52334187913ee4e8
novajoin has usually just used the nova user for running and even file
permissions; however, as nova now supports passing the keystone token
for the vendordata plugin, and as novajoin should support being run in a
node (or container) where nova is not available, it makes sense to start
having its own user for this vendordata plugin service.
Thus, this commit adds that.
Change-Id: I190a84a5aaf1fcc301f0605931b24d5de6999a8b
They used to be hardcoded to only use the defaults that come with the
service's configuration. This should make them configurable.
Change-Id: If8e240f175f4ce67469bf26ae10c53df5bd16359
Nova user's keytab is now owned by root, making it impossible
for the nova user to read when contacting IPA through novajoin.
Change-Id: I3ee7cb9b396301ec8714a3cf0c8ab169750c1857
The puppet-ipaclient package is available in delorean.
Therefore, we can enable the requires directive that will
perform the ipa-client-install.
Depends-On: I8e9bd4ed859cc438a309d9a00dd278c65dbb822d
Change-Id: I6732af38d0f815d29cf4fa65149a54c8fb2c6527
In this commit, we add the puppet module for a new
nova metadata micro-service (novajoin) that allows nova
instances to be registered to a FreeIPA server as IPA clients.
Implements: blueprint novajoin
Change-Id: I5ffa45bdc400e123079c79e15776ebacdcb24de9