- Nov 16, 2017
David Ames authored
Make default func27-smoke xenial-pike Charm-helpers sync Change-Id: I289d38e4170d204fbf9b0281b28be28c9e847e65
-
- Nov 08, 2017
David Ames authored
There was a race where the https apache2 site, openstack_https_frontend.conf, would be rendered in one hook, then subsequently the config-changed hook would run and enable that site. However, the subsequent config-changed hook would see the template as having not changed and therefore it would fail to restart apache2. This led to apache2 failing to listen on the correct ports. This was due to CONFIGS.write_all() being called but a2ensite not being called. This change fixes this race and adds a call to configure_https() to ensure the configuration completes and apache2 is restarted. Change-Id: I229d25c707a0630c9d609fd20a962a0de2e42c77 Closes-Bug: #1723892
-
- Nov 06, 2017
Alex Barchiesi authored
-
- Nov 01, 2017
Nobuto Murata authored
ssl_ca is not necessary when ssl_cert is signed by a trusted CA, such as GeoTrust, because a trusted cert chain is in the system already. Users can just provide ssl_cert and ssl_key to enable SSL endpoint in that case. Closes-Bug: #1711354 Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf
-
- Oct 17, 2017
Liam Young authored
Install and configure memcached on the keystone units and configure keystone to use the cache. This should speed up token access for existing tokens. Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a Closes-Bug: #1722541
-
- Oct 11, 2017
Edward Hope-Morley authored
The current charm design is to perform a sweep of all units related on the identity-service interface to ensure that they have all the correct setting values applied. If the leader unit is deleted and a new one is elected this will not happen until some event e.g. config-changed occurs. This can result in remote units malfunctioning since they think they are not configured. We resolve this by always doing a sweep when the leader-elected hook fires. Also fixes infinite loop edge case when ssl-cert-master switches as a result of leader switch. Also includes cherry-pick of commit: - ID: a59de539 - Title: Fix issue with haproxy not restarted Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e Closes-Bug: 1721269 (cherry picked from commit 68a0c872)
-
- Oct 05, 2017
Edward Hope-Morley authored
The current charm design is to perform a sweep of all units related on the identity-service interface to ensure that they have all the correct setting values applied. If the leader unit is deleted and a new one is elected this will not happen until some event e.g. config-changed occurs. This can result in remote units malfunctioning since they think they are not configured. We resolve this by always doing a sweep when the leader-elected hook fires. Also fixes infinite loop edge case when ssl-cert-master switches as a result of leader switch. Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e Closes-Bug: 1721269
-
- Oct 04, 2017
Edward Hope-Morley authored
Commit 01816c84 forgot to mock out calls to service_start() and service_stop() that were added to the install hook which causes test runs to fail if not run as root. Change-Id: I07e17242356a80e32c43c289b94c650a299e16b3
-
- Sep 28, 2017
David Ames authored
Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers. Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
-
- Sep 26, 2017
Xav Paice authored
When using Keystone v3, the relation data set by add_credentials_to_keystone now includes a 'domain'. Change-Id: I2a4ff4d7c20d4f274479dfe0615dd00940e64d8b Closes-Bug: 1719751
-
- Sep 13, 2017
melissaml authored
According to http://docs.python.org/2/library/unittest.html assert(Not)Equals is a deprecated alias of assert(Not)Equal. Change-Id: I90c835b3c7cdae6dceb5da061e5ed42bcfd77f4b Closes-Bug: #1329757
-
- Sep 07, 2017
James Page authored
Reset the os_release cache during the OpenStack upgrade process, ensuring that any post dist-upgrade operations are made in the context of the new OpenStack release, not the old one. Change-Id: I3d3584dd8e97f85e16c38e1143f627b03fa63bd0 Closes-Bug: 1715624
-
- Aug 18, 2017
Alex Kavanagh authored
The code relies on an undocumented (and probably unstable) feature of CPython to close a file when the reference is GCed. However, it's pretty poor practice to do so, so this patchset replaces them with "with ..." statements to ensure that the files are closed when no longer being used. Change-Id: I6f24bc042a820ddd0147247267ee159753cfc1fb
-
- Aug 11, 2017
David Ames authored
Enable dual stack IPv4 and IPv6 VIPs on the same interface. HAProxy always listens on both IPv4 and IPv6 allowing connectivity on either protocol. Update edge cases for is_ssl_cert_master for Bug #1709356. Update amulet tests for keystoneauth1 tests. charm-helpers sync for HAProxy template changes. Closes-Bug: #1709356 Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1
-
- Aug 10, 2017
Alberto Colla authored
-
- May 12, 2017
James Page authored
Resync charmhelpers for pike version support. Add pike tests but leave disabled until all charms support pike. Add support for volumev3 service type for Cinder. Skip execution of PKI setup for >= pike as it's been dropped from keystone. Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d
-
- May 04, 2017
David Ames authored
Use the get_relation_ip function for selecting addresses for the cluster relationship. Including overrides for the admin, internal, and public config settings or extra bindings. Change-Id: I6d92523be1707549751d7153cd395f7bae217952 Partial-Bug: #1687439
-
- Apr 27, 2017
Alex Kavanagh authored
- sync charmhelpers with fix-alpha helpers - fix up code where the alpha comparisons are done - fix tests which assumed mocks would just work on os_release() Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e Related-Bug: #1659575
-
- Apr 26, 2017
David Ames authored
When the percona-cluster charm sets an access-network but the default unit-get address is not on that network extra shared-db relations get executed. This is specifically a problem when running upgrades and trying to avoid API downtime. The root cause is that the access-network is not checked until the SharedDBContext is consulted. But then db_joined function will change it back to the wrong ip on subsequent runs. This change adds a check for access-network on the relation during the db_joined function and pushes IP selection off to get_relation_ip. Charm helpers sync to pull in changes to get_relation_ip. Change-Id: If1246bbe68d231df0aefea45598dc8c7cd904b87 Partial-bug: #1677647
-
James Page authored
Resync charm-helpers to pickup the latest code for calculation of worker process configuration, creating better default worker configuration when deploying in LXD containers. Switch the skew between public and admin processes to favour public 0.75/0.25 as the public API endpoints of a service will typically get a larger number of hits. Fixup unit test for minor behavioural change in charm-helpers. Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c Closes-Bug: 1665270 Closes-Bug: 1686049
-
- Apr 06, 2017
Edward Hope-Morley authored
This ensures that if the config changes and for example os-admin-network is set/changed then that info will be propagated to the cluster relation as required by things like HAProxyContext to properly configure backends. Change-Id: Ia820b7dc86ba081b6737007f63e5c1a7789fba0c Closes-Bug: 1641870
-
- Feb 16, 2017
David Ames authored
Check if VIP or dns-ha is set to determine if the unit expects to be in HA. This is less racy than just checking for the ha relation. Wait until clustered to run the client relation hooks. This fixes bugs where client charms receive the private-address rather than the VIP on initial client relations. Charmhelper sync. Change-Id: I48b15113360ef892e38235ec4518173ec78ad143 Partial-bug: #1661392
-
- Feb 15, 2017
David Ames authored
When the keystone charm is upgraded the apache mod_wsgi configuration file name has changed. With duplicate configuration files apache fails to start up. Generalize the function disable_unused_apache_sites to handle any sites we may need cleaned up now or in the future. Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8 Closes-bug: #1665044
-
- Feb 01, 2017
James Page authored
Support configuration of domains via subordinate charms that implement the new 'keystone-domain-backend' relation type; these charms will create domain specific configuration files in /etc/keystone/domains, and will notify the keystone charm when configuration is complete, and the domain is ready for creation in the keystone database. Subordinate charms can also request a restart of keystone by setting or changing the value of the 'restart-nonce' key in the relation. Change-Id: Ia2b171e910d7f3a5e6e09ba5b18dddc0a734e57a Partial-Bug: 1645803
-
- Jan 18, 2017
Corey Bryant authored
The WSGI template and context code has been moved to charm-helpers. This change updates the charm to use the common code from charm-helpers. Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716
-
- Jan 12, 2017
Edward Hope-Morley authored
Avoid calling update_password() if the password has not changed since it will actually change the db value regardless resulting in a revocation event and all current tokens being invalidated. Change-Id: Icb901b5e87d9cd716fa1a0d146e2252339e5678b Closes-Bug: 1648677
-
Frode Nordahl authored
More work is needed on policy changes before we can have fine grained RBAC for service accounts. Add service project to cloud_admin rule to maintain service access to admin-only calls. Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123 Closes-Bug: 1655028
-
- Dec 09, 2016
Frode Nordahl authored
Currently the Keystone leader charm creates new domains and stores the UUIDs locally on disk. This approach predates charm relation-/ leader- storage, is error prone, and causes problems in HA setups. Move to leader storage and remove old interfaces. There is no need to migrate the on-disk stored data as it is read from the deployment and stored as a part of the upgrade process. Do not set default values for service_tenant_id, admin_domain_id and default_domain_id. This will cause context to be incomplete on peer units until the values are actually available. Change functional tests to run on Keystone cluster to verify contents of configuration and operation of services in clustered environment. Closes-Bug: 1637453 Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9
-
- Dec 07, 2016
Frode Nordahl authored
Current version of function does not scope its search for users to a domain. Change-Id: I435b7edf61adbe7196b00b2e58b08d5c4de7ed5c Closes-Bug: 1644606
-
- Nov 24, 2016
Frode Nordahl authored
Cleanup code that references users, projects or domains without necessary scoping or filtering throughout the charm. Add logging of domain name in contexts where this is relevant. Tighten rule:service_role to require role:service and token scoped to project config('service-tenant') created in SERVICE_DOMAIN. This ensures that if you have a deployment with end-user access to assign roles within their own domains they will not gain privileged access simply by assigning the service role to one of their own users. Allow users authorized by rule:service_role to perform identity:list_projects. This is required to allow Ceilometer to operate without Admin privileges. Services are given a user in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka Keystone v3 policy the 'service' role is sufficient for services to validate tokens. Services are also given a user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization. This will allow us to transition from v2.0 based authentication / authorization and existing services and charms will continue to operate as before. This will also allow the end-user to roll their deployment up to api_version 3 and back to api_version 2 as needed. Services and charms that have made the transition to fully use the v3 API for authentication and authorization will gain full access to domains and projects across the deployment. The first charm to make use of this is charm-ceilometer. Closes-Bug: 1636098 Change-Id: If1518029c43476a5e14bf94596197eabe663499c
-
- Sep 27, 2016
Liam Young authored
The default_domain_id is used to specify a domain when the client hasn't explicitly set one. It defaults to 'default' which is fine for liberty and previous because the id of the default domain is, oddly, 'default' rather than a uuid. On Mitaka and higher it is a uuid so when keystone assumes the default domain's id is 'default' it fails. Change-Id: Iaa5e6a07a229815cf2281858cb68a4e120aa2af3 Closes-Bug: 1626889
-
- Sep 20, 2016
James Page authored
Juju 2.0 provides support for display of the version of an application deployed by a charm in juju status. Insert the os_application_version_set function into the existing assess_status function - this gets called after all hook executions, and periodically after that, so any changes in package versions due to normal system updates will also be reflected in the status output. This review also includes a resync of charm-helpers to pickup hookenv and contrib.openstack support for this feature. Change-Id: I5734e87d39e62c1fb791b0b79ff216e30a784d1f
-
- Jul 13, 2016
Corey Bryant authored
The keystone charm runs the keystone API under apache2 for liberty and above. This patch enables the keystone API to run under apache2 when deployed from source for liberty and above. Change-Id: I5eccf38aad9668248f4f94523d61f7bd40ed5c30
-
- Jul 03, 2016
James Page authored
All contributors to this charm have agreed to the switch from GPL v3 to Apache 2.0; switch to Apache-2.0 license as agreed so we can move forward with official project status. Change-Id: Iaee75f59fe51f01da18aa2703a46c3885ade73c0
-
- Jun 28, 2016
Liam Young authored
Add the admin domain id (not name) to the data passed to clients down the identity-service relation. Some clients (eg Horizon) require the admin domain id for local configuration. Change-Id: Idfbd09fa62e628958139f77b9d06f602783e3619 Partial-Bug: 1595685
-
- Jun 23, 2016
David Ames authored
Implement DNS high availability. Pass the correct information to hacluster to register a DNS entry with MAAS 2.0 or greater rather than using a virtual IP. Charm-helpers sync to bring in DNS HA helpers Change-Id: I62bb49fbaebdd3c787f96f4b6ad107f8e3e368a7
-
- Jun 15, 2016
Alex Kavanagh authored
This change fixes the obvious race for a status_set() between check_optional_interfaces() and assess_status() as the latter calls the former which calls status_set(), returns the status, which is then potentially set again by the assess_status() function. This cleans up the code so that only a single status_set() is performed when calling assess_status(). Change-Id: I928f60967e4a7588df2b25136525391c283cda14 Related-Bug:#1588462
-
- Jun 08, 2016
James Page authored
The newton packages for keystone ship an apache2 site named keystone, which conflicts with the charm provided wsgi-keystone site. Ensure that the packaging provided configuration is disabled, both on initial install and on upgrade from Mitaka->Newton. Change-Id: I5f6c67057a32d46529510ba6e4c0f5514f1a2d9e
-
- May 25, 2016
Andrey Pavlov authored
In the case where the keystone service is exposed, Juju needs to know which ports should be opened. Ensure that the service port is opened so that remote access can be made in providers that implement machine fire-walling such as ec2. Change-Id: I15a1e613f6b049e7c7e2c89d5bb94bdfb5da39ac Closes-Bug: #1585109
-
- May 09, 2016
Edward Hope-Morley authored
Currently if a failure occurs during the shared-db hook initialisation sequence after db is inited but before admin creds have been setup, there is no way to re-run ensure_admin_credentials. This patch resolves that issue. Change-Id: Iad80a0eeae6f94dc89ff994f8e5794c60c272e16 Closes-Bug: 1578351
-