32 Commits

Author SHA1 Message Date
Takashi Kajinami
5df142a1a9 Use relative name for class inclusion
This patch replaces the remaining usage of absolute name in 'require',
and makes all class inclusion depend on relative name.

Change-Id: Id4e75f6fcff47170ea624c1b5943086ceac5a678
2020-07-09 15:53:14 +09:00
Takashi Kajinami
78fca7cade Use common auth parameters for novajoin auth
- Deprecate service_username and service_password so that we can use
  more simple parameter names like username.
- Deprecate user_domain_id because we use user_domain_name generally.
- Change the default value of project_domain_name because Default
  instead of default is now used generally for default domain name.

Change-Id: I69565d6888d778a109b0e39108d660a871a8202d
2020-04-20 00:04:10 +09:00
Takashi Kajinami
5a01b0b4dc Strictly test nova::params::novajoin_package_name
This is a follow-up of 0aac4291bda4b4d46f2a03a3beac730cfb78cd9e, and
makes sure we test whether nova::params::nova_join_package_name is
undef, to avoid unexpected matching with false for example.

Change-Id: Ic3cebbaf73adbfb30b88a93c0bc4dbc516ba3664
2020-04-03 09:19:51 +09:00
Takashi Kajinami
0aac4291bd Select correct novajoin package in CentOS8/Fedora
In CentOS8 and Fedora, python3-novajoin should be used instead of
pythonn-novajoin.

Change-Id: Ief89725c730a8e1e6b8a4d8552cc080be63ce59e
2020-04-02 09:30:42 +09:00
Tobias Urdin
7deecfbdf2 Convert all class usage to relative names
Change-Id: Ibe5a433cb67c38c0c9b05a50bffa2eda7391f241
2019-12-08 23:13:08 +01:00
Steve Baker
adc83318c9 New class nova::metadata::novajoin::policy
This allows novajoin policy overrides to be written to
/etc/novajoin/policy.json, just as nova::policy does for
/etc/nova/policy.json.

Change-Id: I8b2b60164314ce92b0df1a648f1356290576047a
Blueprint: nova-less-deploy
2019-09-30 23:31:52 +00:00
ZhongShengping
13b4ac6418 Remove deprecated pki related options
The deprecated pki related options check_revocations_for_cached and
hash_algorithms have been removed.

Change-Id: Ia0324cac87fbaf64ca5b1ec2b0dfa60b655569b4
2019-08-15 20:27:51 +00:00
Tobias Urdin
215624858a Consistent project name
Change-Id: Ib007f1f647c80e79fee2b01bbf6c3dd66e4d1139
2019-05-25 01:21:55 +02:00
Tobias Urdin
54f25f2abf Deprecate PKI parameters in novajoin
In nova::metadata::novajoin::authtoken there are also
PKI parameters that need to be deprecated or else
rspec testing fails since it's removed in puppet-oslo.

Change-Id: I489f10502ccaec40e72d08f5449965ad68b673aa
2018-12-18 00:19:52 +01:00
Tobias Urdin
64f5875a97 Remove auth_uri
Change-Id: I3c488705668f8d29663cdd901a068c345da19c68
2018-12-02 02:50:26 +01:00
Tobias Urdin
f2ab2d4783 Convert some spec testing to rspec-puppet-facts
Still some to do but these are causing issues right now.

Change-Id: I667be66f75069d078ea8c6cd8ca34add2297d335
2018-11-01 18:35:06 +01:00
zhulingjie
8b5f5dfb4e Replace port 35357 with 5000
Now that the v2.0 API has been removed, we don't have a reason to
include deployment instructions for two separate applications on
different ports.

Change-Id: Ib78b6826d1a98baeebf7455a3778555973e789bc
2018-05-29 10:15:46 -04:00
Tobias Urdin
c3e5c7480f Remove deprecated parameters and classes
Remove all the deprecated parameters and classes
which have been deprecated for one cycle or more.

Change-Id: I2624b92871f4cba5a7361a5d006d985946493e83
2018-05-19 23:19:10 +02:00
zhubingbing
0486a25b1d neat: missing : in $::os_service_default
Change-Id: Ib3f4bdba0a7363e70c74305dfcdda68f907f6a70
2018-05-11 14:02:40 +08:00
Zuul
e6a762a213 Merge "Deprecate auth_uri option" 2018-05-02 19:31:15 +00:00
Juan Antonio Osorio Robles
150bff424f Fix novajoin FreeIPA server parameter
We need the FreeIPA server hostname in order to request the kerberos
keytab for the novajoin process. For the containerized case, we
assume that the node is enrolled to FreeIPA before puppet is run.
This, however, is not the case for the baremetal case, since puppet
calls the FreeIPA enrollment. Thus, we need to handle this case.

Change-Id: If73a7b674536df33c32507977941be784f82e8f4
Closes-Bug: #1761786
2018-04-09 16:26:31 +03:00
ZhongShengping
20d93c4148 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: I0dd36ef1f1f5dcdc57413736ecb8f2555712c36d
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
2018-04-05 10:50:06 +08:00
Juan Antonio Osorio Robles
277c4c9fdf novajoin: Optionally configure kerberos
This enables the puppet module to optionally create a minimal kerberos
configuration. This is especially useful when running novajoin inside a
container, since when running with SELinux enabled, we sometimes cannot
load the kerberos configuration from the host due to some includes
pointing to /var/lib.

Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
2018-03-13 20:31:41 +02:00
Jenkins
c7ddfe7bf4 Merge "Configure *_domain_name to Default by default" 2017-10-07 21:54:33 +00:00
Emilien Macchi
4c8a34e6ba Configure *_domain_name to Default by default
Keystone v2.0 API was removed so we have no choice but configuring
user_domain_name and project_domain_name otherwise it falls back to
Keystone v2.0 and it fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.

Change-Id: I372928fca38664ac0638212386d1d7c7cb7666c8
2017-10-07 00:53:54 +00:00
zhangyangyang
1d4911be48 Remove revocation_cache_time parameter
revocation_cache_time parameter is deprecated,
has no effect and will be removed in the future.

Change-Id: I279c2fbba52be1e3860544f8b8b3738bddf5e72d
2017-10-06 13:26:58 +08:00
ZhongShengping
a10a509179 Deprecate revocation_cache_time option
The revocation_cache_time is deprecated for removal because PKI
token format is no longer supported.
Update warning message and add a release note.

Change-Id: I3c031b1fb99f493c7c116c75014503915670a81c
Closes-Bug: #1717144
2017-09-14 11:47:41 +08:00
Juan Antonio Osorio Robles
0a71535c4e Ensure novajoin's log directory ownership is correct
From ocata to pike, the log ownership changed. So here we make sure that
it changes on update via puppet.

Change-Id: I767b53801bc40a22a403c3e89498c3aa099bc162
Closes-Bug: #1714991
2017-09-05 09:58:09 +03:00
ZhongShengping
08661e0fef Fix resources for latest puppet
Running the unit tests under the latest puppet fails because of
undefined resources. This change updates the references to use
collectors if they are optional or change the definitions in the files
for resources that are defined in the existing class.

Change-Id: I5506a563c459baf9d34246a1d517e07a82e0f36b
Closes-Bug: #1702964
2017-08-03 10:05:39 +08:00
Juan Antonio Osorio Robles
db49f73ef9 Use novajoin-specific user and directory
This uses novajoin's user and directory for the novajoin service instead
of relying on the nova service user and /etc/nova. It also removes some
nova-specific parameters related to auth, to replace them with more
generic names.

Change-Id: I5e02164854542ad08b1b517f52334187913ee4e8
2017-05-23 18:03:53 +03:00
Juan Antonio Osorio Robles
3601c5f59e Refresh novajoin services on novajoin_config changes
It was previously refreshing nova-api and not the novajoin services.

Change-Id: I92bd66cbd2bcaade9b8818533432a279f2c97830
2017-04-03 09:34:28 +00:00
Juan Antonio Osorio Robles
bb6c415893 Add auth/authtoken manifests for novajoin
novajoin has usually just used the nova user for running and even file
permissions; however, as nova now supports passing the keystone token
for the vendordata plugin, and as novajoin should support being run in a
node (or container) where nova is not available, it makes sense to start
having its own user for this vendordata plugin service.

Thus, this commit adds that.

Change-Id: I190a84a5aaf1fcc301f0605931b24d5de6999a8b
2017-03-22 09:36:03 +02:00
Juan Antonio Osorio Robles
07e878479f Make novajoin bind address configurable
They used to be hardcoded to only use the defaults that come with the
service's configuration. This should make them configurable.

Change-Id: If8e240f175f4ce67469bf26ae10c53df5bd16359
2017-01-30 17:20:35 +00:00
Ade Lee
861cf4fd57 Set correct ownership for nova keytab
Nova user's keytab is now owned by root, making it impossible
for the nova user to read when contacting IPA through novajoin.

Change-Id: I3ee7cb9b396301ec8714a3cf0c8ab169750c1857
2017-01-18 18:09:25 -05:00
Ade Lee
aa493b34c8 Enable IPA client install
The puppet-ipaclient package is available in delorean.
Therefore, we can enable the requires directive that will
perform the ipa-client-install.

Depends-On: I8e9bd4ed859cc438a309d9a00dd278c65dbb822d
Change-Id: I6732af38d0f815d29cf4fa65149a54c8fb2c6527
2017-01-11 15:37:46 -05:00
Ade Lee
d662695456 Allow transport_url to be configured for novajoin
Change-Id: I7b0d31c6de59bbad56c3731a2cabbc64c19b4956
2017-01-09 17:08:32 -05:00
Ade Lee
57e3f661ff Add novajoin class
In this commit, we add the puppet module for a new
nova metadata micro-service (novajoin) that allows nova
instances to be registered to a FreeIPA server as IPA clients.

Implements: blueprint novajoin
Change-Id: I5ffa45bdc400e123079c79e15776ebacdcb24de9
2017-01-06 12:12:16 -05:00