The puppet-postgresql module does not support CentOS 9 yet and requires
some version parameters to be run on CentOS 9. This change disables
unit tests requiring that module, until the module supports CentOS 9.
Change-Id: I175dfd157fb3be842a3c1ed38cf3325ec9283f69
This change introduces the capability to load clouds.yaml file in
the base Puppet::Provider::Openstack::Auth module, so that each
provider can look up credentials from clouds.yaml instead of rc file.
When SRBAC is enforced, services require appropriate scope for each
operation and this makes it difficult to use rc files which can store
only one credential per file. Usage of clouds.yaml allows us to store
multiple credentials in a single file and switch scopes according to
the API request used.
The new implementation loads the clouds.yaml file for admin user, which
is created by puppet-keystone. It also allows overriding the credential
by a user-created clouds.file.
We expect clouds.yaml file is created under /etc/openstack, which is
the location openstackclient searches to look up clouds.yaml. To avoid
unexpected conjunction with existing files, the files used by puppet
are located in an independent 'puppet' directory at this moment.
Change-Id: I7587f6e0c2486cbfaf2cbafeb64e9db56a817106
Recent openstack cli supports loading user credentials from clouds.yaml
instead of passing each parameter by environment variables or command
options.
This allows us to manage user credentials more flexibly. The biggest
benefit of the clouds.yaml file is that it supports managing multiple
credentials in a single file. When SRBAC is enforced, each API request
should be made with the proper scope credential, and we need to switch
credentials for different scopes (project, domain and system) accordingly.
Usage of clouds.yaml helps this use case hugely because it allows us to
store credentials for each scope in a single file and switch them by
the single OS_CLOUD environment variable (or the --os-cloud option).
Change-Id: Ie8246aa18d90ba506fe708be13c9a5afa3e5d2fd
This change introduces the new parameter to override
the apache::vhost::request_headers parameter, which is used to define
RequestHeader statements in vhost configuration.
Change-Id: I360b18acdf974bf3cdc9f8e817b66cd85f116afd
This change introduces the base implementation to use system scope
credential or domain scope credential to request OpenStack API in each
provider implementation.
Change-Id: If3781cd2ed828126ef1388553f4b85eed78196e7
There are cases when a command times out or when it fails
that we and Puppet [1] will output the raw command that
was executed.
For a user create command that output contains the
--password argument passed down to openstack CLI which
causes sensitive passwords to be leaked into log files
of the system executing Puppet, these can then be shipped
off from the system into a remote syslog and still be in
plain text.
This tries to use Ruby gsub with a regular expression
matching the two cases and instead output [redacted secret]
the same way we do with config provider.
[1] https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/execution.rb#L286
Change-Id: I4cad8f88fc7b67bb7aa4330832fc47bac41ae9df
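One way to do the redaction this commit message describes, as an added example that is not the module's own code. The option list, the regular expression and the helper names `redact_command`, `redact_argv` and `failure_message` are assumptions; only the `[redacted secret]` marker and the `--password` argument come from the message above.

```ruby
# Added example: scrub secret-bearing CLI arguments before a command line is
# placed in an error message or log entry. Names below are hypothetical.
REDACTED = '[redacted secret]'.freeze

# Options whose value must never be logged (assumed list; extend as needed).
SECRET_OPTIONS = %w[--password --os-password].freeze

# Matches "--password VALUE" and "--password=VALUE", where VALUE is a
# single-quoted string, a double-quoted string, or a bare token.
SECRET_PATTERN = /
  (?<![\w-])                                                  # not mid-word
  (#{SECRET_OPTIONS.map { |o| Regexp.escape(o) }.join('|')})  # option name
  (\s+|=)                                                     # separator
  (?:'[^']*'|"[^"]*"|\S+)                                     # the value
/x.freeze

# Exact redaction when the command is still an argv array: no quoting
# ambiguity, the element after a secret option is always replaced.
def redact_argv(argv)
  hide_next = false
  argv.map do |arg|
    if hide_next
      hide_next = false
      REDACTED
    elsif SECRET_OPTIONS.include?(arg)
      hide_next = true
      arg
    elsif (opt = SECRET_OPTIONS.find { |o| arg.start_with?("#{o}=") })
      "#{opt}=#{REDACTED}"
    else
      arg
    end
  end
end

# Accepts an argv array or an already-joined command string.
def redact_command(command)
  return redact_argv(command).join(' ') if command.is_a?(Array)
  command.to_s.gsub(SECRET_PATTERN) { "#{$1}#{$2}#{REDACTED}" }
end

# Build the text for a timeout or failure report from the scrubbed command.
def failure_message(command, reason)
  "Command: '#{redact_command(command)}' #{reason}"
end
```

Prefer the argv path where the array is still available: the string path cannot recover a value that contains escaped quotes, so part of it could survive the substitution.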
Since puppetlabs-stdlib 8.0.0, ensure_packages automatically translates
'ensure => present' to 'ensure => installed' and that translation
breaks existing assertions in unit tests.
Change-Id: I35500af08e39725bab61be036f780c74e38313b9
Currently the unset method only clears attributes defined in the base
Credential class and ones specific to CredentialV3 are left set.
This change ensures the method clears all attributes.
Closes-Bug: #1942145
Change-Id: I4bddbf9bb3c6251aa8b68a8bc2ef8799f3c8065e
openstacklib::policy has never been used in any other modules because
it was implemented as a class not reusable for each service.
This change re-implements openstacklib::policy as a defined resource
type so that we can use this implementation from each puppet module.
The openstacklib::policy resource type provides the purge_config
parameter. When this parameter is set to true, a policy file is cleared
during configuration process. This allows users to remove any existing
rules before applying their own (no) rules.
Change-Id: I9bb486c9191c50c11717dcb9c6af00d17c3aa8f5
The iscsid service is used in several components like nova, cinder,
glance and so on to connect to iscsi devices. This change introduces
the new class to manage basic configuration of the iscsid service.
Co-authored-by: Alfredo Moralejo <amoralej@redhat.com>
Change-Id: I3fc6d1192632cc1458d00900508d548f522e9cdb
This change defines manifest_dir and module_path explicitly in unit
tests so that modules installed under fixtures directory are properly
loaded.
Closes-Bug: #1930403
Change-Id: Id2e226593fa9005e8c051bb714e4c341114f640f
Fedora support is never tested, and has been unmaintained for a while.
Because we don't expect any actual user using OpenStack on Fedora, this
change drops support for Fedora directly.
Change-Id: I63c96cd92bad210c0a9527c59f8e1347967172a3
We have replaced policy.yaml with policy.json following the community
goal[1], but it might be possible that users are not aware of that
migration and still expect json files.
This change ensures that users are not expecting json file based on
the given file path.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: Ie2e5a6798e8603585c20b947eb91bbad5453934b
This change fixes support for policy.yaml, which was broken because
of the following problems.
- The default content was still formatted in json
- Augeas doesn't support flat yaml contents required
Change-Id: Ie308a481eb70d5f930633b18d8044f9542a142af
This patch adds a 'file_format' field to the policies definition to
allow overriding the default file format which is currently json.
Change-Id: Iec610053a9250cb78c2a17bfc2c197bf55d9df86
Related-Bug: #1885602
because apache::vhost::wsgi_daemon_process_options has been deprecated
in puppetlabs-apache[1].
[1] 0d5e0bef88
Change-Id: I0a233190d2a1c9d96128d99e1ac1a612161a7446
Currently openstacklib only accepts password_hash instead of password
for db credentials, thus we should implement hashing process in each
module, including puppet-mysql and puppet-postgresql.
This patch migrates that hash generation to puppet-openstacklib, so
that all logic related to db is gathered in one module.
In addition, because postgresql_password function was deprecated in
favor of postgresql::postgresql_password in puppet-postgresql
6.5.0[1], this patch also deals with that deprecation.
[1] 700d2c5bb5
Change-Id: I898d31e88188bfd3476412a37f48fc918122a98a
MySQL users can be configured to require a specific authentication
method when connecting to the MySQL server, e.g. GSSAPI, SHA-256
or ed25519.
Expose a new attribute $plugin, that is passed to puppetlabs-mysql
when creating/updating a user in the MySQL database.
Change-Id: I1c7b40d110190eba861ed466d2644c2f1abbf7b0
Related-Bug: #1866093
Since we have merged 2 keystone services(public and admin) into one,
we need to double keystone workers so that we have the same number of
workers, which is necessary to avoid performance degradation.
This patch introduced new facter, os_workers_keystone, which returns
2 x os_workers.
Change-Id: I737fb14739a69ac12c39c7faf6dd2be1f772daa6
By default, puppetlabs-apache module enables Indexes option, which can
lead to data/structure leak.
The following patch disables that option on a global base, since we
shouldn't need such a feature.
Closes-Bug: #1854442
Change-Id: Icba53f4e32237556608f4cb6dcd9da1a71705c19
This should prevent slow loading on the first request, especially
annoying when this first request is done by a healthcheck launched by an
inflight validation.
This patch is a reaction to the whole issue raised by the new nova
inflight validations[1], followed by some discussions in order to get a
faster application loading.
[1] https://review.opendev.org/#/q/status:merged+project:openstack/tripleo-heat-templates+branch:master+topic:bug/1842687
Related-Bug: #1843555
Change-Id: I27e37e30823c4312d9d7a93f18fe0f930ce70c49
python-openstackclient has removed the --os-url option in [1]. This
commit is part of the upcoming 4.0.0 release.
The openstack provider relies on that for Keystone initial configuration,
so we need to fix this or puppet-keystone will be broken.
[1] - https://review.opendev.org/677795
Change-Id: I50830450efe7a13be801a31f4ef0333684c7837b
Extend the unit tests of the inet6_prefix() function to
test input including the prefix ('inet6:[2001::01]:80').
Change-Id: I68ead773868bd418f10a480f2b7b7fc08084374e
Utility to handle prefixing IPv6 address with `inet6:`.
This is useful for services relying on python-memcached
which require the inet6:[<ip_address>]:<port> format.
Change-Id: Ibd280929f62bae61f34b2984af7710fbd422264b
And change the upper constraint to be the latest
8.0.0 release. See all other patches on this topic.
Change-Id: I30f0367c9eeafe7e8b45c348c3df5630f29fa6a2
Adds simple spec test for multiple ports in
the bind_port. The change in puppet-keystone
will need to support multiple ports so we
ensure nobody breaks this.
Change-Id: Ie2ab4641b0829b872fee0dea3aab236455eb3266
When the system-wide umask setting is more restrictive than the
default setting, the wsgi script directory permissions may not allow
the apache process to access them, resulting in errors.
A similar fix was applied to Keystone some time ago, see [1].
[1] - 4f15fb64b1
Change-Id: Ie9769657dc530bc895a3119b3e458864a8b5f293