  1. Nov 16, 2017
  2. Nov 08, 2017
    • Ensure HTTPS configuration completes · 7c065062
      David Ames authored
      There was a race where the https apache2 site,
      openstack_https_frontend.conf, would be rendered in one hook, then
      subsequently the config-changed hook would run and enable that site.
      However, the subsequent config-changed hook would see the template as
      having not changed and therefore it would fail to restart apache2.
      This led to apache2 failing to listen on the correct ports.
      
      This was due to CONFIGS.write_all() being called but a2ensite not
      being called. This change fixes this race and adds a call to
      configure_https() to ensure the configuration completes and apache2
      is restarted.
      
      Change-Id: I229d25c707a0630c9d609fd20a962a0de2e42c77
      Closes-Bug: #1723892
      7c065062
  3. Nov 06, 2017
  4. Nov 01, 2017
    • Make ssl_ca optional if ssl_cert+ssl_key provided · 9a0563bf
      Nobuto Murata authored
      ssl_ca is not necessary when ssl_cert is signed by
      a trusted CA, such as GeoTrust, because a trusted
      cert chain is in the system already. Users can just
      provide ssl_cert and ssl_key to enable SSL endpoint
      in that case.
      
      Closes-Bug: #1711354
      Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf
      9a0563bf
  5. Oct 17, 2017
    • Add memcache backend · 4b00281b
      Liam Young authored
      Install and configure memcached on the keystone units and configure
      keystone to use the cache. This should speed up token access for
      existing tokens.
      
      Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
      Closes-Bug: #1722541
      4b00281b
  6. Oct 11, 2017
    • Do relation consistency sweep on leader change · 9953530f
      Edward Hope-Morley authored
      The current charm design is to perform a sweep of all units
      related on the identity-service interface to ensure that
      they have all the correct setting values applied. If the
      leader unit is deleted and a new one is elected this will
      not happen until some event e.g. config-changed occurs. This
      can result in remote units malfunctioning since they think they
      are not configured. We resolve this by always doing a sweep when
      the leader-elected hook fires.
      
      Also fixes infinite loop edge case when ssl-cert-master switches
      as a result of leader switch.
      
      Also includes cherry-pick of commit:
      - ID: a59de539
      - Title: Fix issue with haproxy not restarted
      
      Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
      Closes-Bug: 1721269
      (cherry picked from commit 68a0c872)
      9953530f
  7. Oct 05, 2017
    • Do relation consistency sweep on leader change · 68a0c872
      Edward Hope-Morley authored
      The current charm design is to perform a sweep of all units
      related on the identity-service interface to ensure that
      they have all the correct setting values applied. If the
      leader unit is deleted and a new one is elected this will
      not happen until some event e.g. config-changed occurs. This
      can result in remote units malfunctioning since they think they
      are not configured. We resolve this by always doing a sweep when
      the leader-elected hook fires.
      
      Also fixes infinite loop edge case when ssl-cert-master switches
      as a result of leader switch.
      
      Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
      Closes-Bug: 1721269
      68a0c872
  8. Oct 04, 2017
    • Mock out calls to service_stop|start · ca2f49f2
      Edward Hope-Morley authored
      Commit 01816c84 forgot to mock out calls to
      service_start() and service_stop() that were
      added to the install hook which causes test runs
      to fail if not run as root.
      
      Change-Id: I07e17242356a80e32c43c289b94c650a299e16b3
      ca2f49f2
  9. Sep 28, 2017
    • Snap install OpenStack in Charms · 8da85834
      David Ames authored
      Install OpenStack using snaps. By setting openstack-origin to
      snap:track/channel or snap:track the charm will use snaps to
      install rather than debs. If channel is left off it defaults to
      stable. For example: snap:ocata/edge will install the edge version of
      Ocata and snap:pike will install the stable version of Pike.
      
      Charm helpers sync for snap related helpers.
      
      Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
      8da85834
  10. Sep 26, 2017
    • Add domain info to relation data · cc54352d
      Xav Paice authored
      When using Keystone v3, the relation data set by
      add_credentials_to_keystone now includes a 'domain'.
      
      Change-Id: I2a4ff4d7c20d4f274479dfe0615dd00940e64d8b
      Closes-Bug: 1719751
      cc54352d
  11. Sep 13, 2017
  12. Sep 07, 2017
    • Ensure os_release is reset during upgrades · 7fb7ff90
      James Page authored
      Reset the os_release cache during the OpenStack upgrade process,
      ensuring that any post dist-upgrade operations are made in the
      context of the new OpenStack release, not the old one.
      
      Change-Id: I3d3584dd8e97f85e16c38e1143f627b03fa63bd0
      Closes-Bug: 1715624
      7fb7ff90
  13. Aug 18, 2017
    • Fix dangling file open() commands with no corresponding close · b3a6fdf5
      Alex Kavanagh authored
      The code relies on an undocumented (and probably unstable) feature
      of CPython to close a file when the reference is GCed.  However,
      it's pretty poor practice to do so, so this patchset replaces them
      with "with ..." statements to ensure that the files are closed
      when no longer being used.
      
      Change-Id: I6f24bc042a820ddd0147247267ee159753cfc1fb
      b3a6fdf5
  14. Aug 11, 2017
    • Dual Stack VIPs · 1328ce58
      David Ames authored
      Enable dual stack IPv4 and IPv6 VIPs on the same interface.
      HAProxy always listens on both IPv4 and IPv6 allowing connectivity
      on either protocol.
      
      Update edge cases for is_ssl_cert_master for Bug #1709356.
      
      Update amulet tests for keystoneauth1 tests.
      
      charm-helpers sync for HAProxy template changes.
      
      Closes-Bug: #1709356
      
      Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1
      1328ce58
  15. Aug 10, 2017
  16. May 12, 2017
    • Updates for pike b1 · d36af554
      James Page authored
      Resync charmhelpers for pike version support.
      
      Add pike tests but leave disabled until all charms support pike.
      
      Add support for volumev3 service type for Cinder.
      
      Skip execution of PKI setup for >= pike as it's been dropped from
      keystone.
      
      Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d
      d36af554
  17. May 04, 2017
    • Network space aware address for cluster relation · d62a2e75
      David Ames authored
      Use the get_relation_ip function for selecting addresses for the
      cluster relationship. Including overrides for the admin, internal,
      and public config settings or extra bindings.
      
      Change-Id: I6d92523be1707549751d7153cd395f7bae217952
      Partial-Bug: #1687439
      d62a2e75
  18. Apr 27, 2017
  19. Apr 26, 2017
    • Avoid shared-db change when using access-network · d1685a73
      David Ames authored
      When the percona-cluster charm sets an access-network but the default
      unit-get address is not on that network extra shared-db relations get
      executed. This is specifically a problem when running upgrades and
      trying to avoid API downtime.
      
      The root cause is that the access-network is not checked until the
      SharedDBContext is consulted. But then db_joined function will
      change it back to the wrong ip on subsequent runs.
      
      This change adds a check for access-network on the relation during
      the db_joined function and pushes IP selection off to
      get_relation_ip.
      
      Charm helpers sync to pull in changes to get_relation_ip.
      
      Change-Id: If1246bbe68d231df0aefea45598dc8c7cd904b87
      Partial-bug: #1677647
      d1685a73
    • Cap workers in containers, fix admin/public skew · 21a4e5be
      James Page authored
      Resync charm-helpers to pickup the latest code for calculation
      of worker process configuration, creating better default
      worker configuration when deploying in LXD containers.
      
      Switch the skew between public and admin processes to favour
      public 0.75/0.25 as the public API endpoints of a service will
      typically get a larger number of hits.
      
      Fixup unit test for minor behavioural change in charm-helpers.
      
      Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c
      Closes-Bug: 1665270
      Closes-Bug: 1686049
      21a4e5be
  20. Apr 06, 2017
    • Ensure cluster settings updated if config changes · 7188af87
      Edward Hope-Morley authored
      This ensures that if the config changes and for example
      os-admin-network is set/changed then that info will be
      propagated to the cluster relation as required by things
      like HAProxyContext to properly configure backends.
      
      Change-Id: Ia820b7dc86ba081b6737007f63e5c1a7789fba0c
      Closes-Bug: 1641870
      7188af87
  21. Feb 16, 2017
    • Do not run client relation until clustered if HA · b14c107d
      David Ames authored
      Check if VIP or dns-ha is set to determine if the unit expects to be
      in HA. This is less racy than just checking for the ha relation.
      Wait until clustered to run the client relation hooks.
      
      This fixes bugs where client charms receive the private-address
      rather than the VIP on initial client relations.
      
      Charmhelper sync.
      
      Change-Id: I48b15113360ef892e38235ec4518173ec78ad143
      Partial-bug: #1661392
      b14c107d
  22. Feb 15, 2017
    • Cleanup unused apache site configurations · 3cfc297f
      David Ames authored
      When the keystone charm is upgraded the apache mod_wsgi
      configuration file name has changed. With duplicate configuration
      files apache fails to start up. Generalize the function
      disable_unused_apache_sites to handle any sites we may need cleaned
      up now or in the future.
      
      Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8
      Closes-bug: #1665044
      3cfc297f
  23. Feb 01, 2017
    • Add new subordinate relation for domain backends · 27b84f5b
      James Page authored
      Support configuration of domains via subordinate charms that
      implement the new 'keystone-domain-backend' relation type; these
      charms will create domain specific configuration files in
      /etc/keystone/domains, and will notify the keystone charm when
      configuration is complete, and the domain is ready for creation
      in the keystone database.
      
      Subordinate charms can also request a restart of keystone by
      setting or changing the value of the 'restart-nonce' key in the
      relation.
      
      Change-Id: Ia2b171e910d7f3a5e6e09ba5b18dddc0a734e57a
      Partial-Bug: 1645803
      27b84f5b
  24. Jan 18, 2017
    • Use common WSGI code from charm-helpers · b4ccea72
      Corey Bryant authored
      The WSGI template and context code has been moved to charm-helpers.
      This change updates the charm to use the common code from charm-helpers.
      
      Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716
      b4ccea72
  25. Jan 12, 2017
    • Avoid keystone password update if unchanged · f9670295
      Edward Hope-Morley authored
      Avoid calling update_password() if the password has not
      changed since it will actually change the db value
      regardless resulting in a revocation event and all current
      tokens being invalidated.
      
      Change-Id: Icb901b5e87d9cd716fa1a0d146e2252339e5678b
      Closes-Bug: 1648677
      f9670295
    • Revert change of role for v3 service accounts · dd65408d
      Frode Nordahl authored
      More work is needed on policy changes before we can have fine
      grained RBAC for service accounts.
      
      Add service project to cloud_admin rule to maintain service access
      to admin-only calls.
      
      Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
      Closes-Bug: 1655028
      dd65408d
  26. Dec 09, 2016
    • Replace local storage of domain UUIDs with leader storage · 4d2ab666
      Frode Nordahl authored
      Currently the Keystone leader charm creates new domains and stores
      the UUIDs locally on disk. This approach predates charm relation-/
      leader- storage, is error prone, and causes problems in HA setups.
      
      Move to leader storage and remove old interfaces. There is no need
      to migrate the on-disk stored data as it is read from the deployment
      and stored as a part of the upgrade process.
      
      Do not set default values for service_tenant_id, admin_domain_id and
      default_domain_id. This will cause context to be incomplete on peer
      units until the values are actually available.
      
      Change functional tests to run on Keystone cluster to verify contents of
      configuration and operation of services in clustered environment.
      
      Closes-Bug: 1637453
      Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9
      4d2ab666
  27. Dec 07, 2016
  28. Nov 24, 2016
    • Create service credentials in SERVICE_DOMAIN · 5de17709
      Frode Nordahl authored
      Cleanup code that references users, projects or domains without
      necessary scoping or filtering throughout the charm.  Add logging
      of domain name in contexts where this is relevant.
      
      Tighten rule:service_role to require role:service and token scoped
      to project config('service-tenant') created in SERVICE_DOMAIN. This
      ensures that if you have a deployment with end-user access to assign
      roles within their own domains they will not gain privileged access
      simply by assigning the service role to one of their own users.
      
      Allow users authorized by rule:service_role to perform
      identity:list_projects. This is required to allow Ceilometer
      to operate without Admin privileges.
      
      Services are given a user in project config('service-tenant') in
      SERVICE_DOMAIN for v3 authentication / authorization.  As of Mitaka
      Keystone v3 policy the 'service' role is sufficient for services to
      validate tokens.
      
      Services are also given a user in project config('service-tenant') in
      DEFAULT_DOMAIN to support services still configured with v2.0
      authentication / authorization.
      
      This will allow us to transition from v2.0 based authentication /
      authorization and existing services and charms will continue to
      operate as before.  This will also allow the end-user to roll their
      deployment up to api_version 3 and back to api_version 2 as needed.
      
      Services and charms that have made the transition to fully use the
      v3 API for authentication and authorization will gain full access to
      domains and projects across the deployment.  The first charm to make
      use of this is charm-ceilometer.
      
      Closes-Bug: 1636098
      Change-Id: If1518029c43476a5e14bf94596197eabe663499c
      5de17709
  29. Sep 27, 2016
    • Add default_domain_id for Keystone v3 deploys · ccf15398
      Liam Young authored
      The default_domain_id is used to specify a domain when the client
      hasn't explicitly set one. It defaults to 'default' which is fine
      for liberty and previous because the id of the default domain is,
      oddly, 'default' rather than a uuid. On Mitaka and higher it is
      a uuid so when keystone assumes the default domain's id is 'default'
      it fails.
      
      Change-Id: Iaa5e6a07a229815cf2281858cb68a4e120aa2af3
      Closes-Bug: 1626889
      ccf15398
  30. Sep 20, 2016
    • Add support for application version · 22c10316
      James Page authored
      Juju 2.0 provides support for display of the version of
      an application deployed by a charm in juju status.
      
      Insert the os_application_version_set function into the
      existing assess_status function - this gets called after
      all hook executions, and periodically after that, so any
      changes in package versions due to normal system updates
      will also be reflected in the status output.
      
      This review also includes a resync of charm-helpers to
      pickup hookenv and contrib.openstack support for this
      feature.
      
      Change-Id: I5734e87d39e62c1fb791b0b79ff216e30a784d1f
      22c10316
  31. Jul 13, 2016
  32. Jul 03, 2016
    • Re-license charm as Apache-2.0 · d1fd1326
      James Page authored
      All contributors to this charm have agreed to the switch
      from GPL v3 to Apache 2.0; switch to Apache-2.0 license
      as agreed so we can move forward with official project status.
      
      Change-Id: Iaee75f59fe51f01da18aa2703a46c3885ade73c0
      d1fd1326
  33. Jun 28, 2016
    • Add admin domain id to identity relation · 3c1bcdce
      Liam Young authored
      Add the admin domain id (not name) to the data passed to clients
      down the identity-service relation. Some clients (eg Horizon) require
      the admin domain id for local configuration.
      
      Change-Id: Idfbd09fa62e628958139f77b9d06f602783e3619
      Partial-Bug: 1595685
      3c1bcdce
  34. Jun 23, 2016
    • DNS HA · b032915c
      David Ames authored
      Implement DNS high availability. Pass the correct information to
      hacluster to register a DNS entry with MAAS 2.0 or greater rather
      than using a virtual IP.
      
      Charm-helpers sync to bring in DNS HA helpers
      
      Change-Id: I62bb49fbaebdd3c787f96f4b6ad107f8e3e368a7
      b032915c
  35. Jun 15, 2016
    • Fix for multiple status-set - related to bug 1588462 · 61047ac0
      Alex Kavanagh authored
      This change fixes the obvious race for a status_set() between
      check_optional_interfaces() and assess_status() as the latter calls the former
      which calls status_set(), returns the status, which is then potentially set
      again by the assess_status() function.  This cleans up the code so that only a
      single status_set() is performed when calling assess_status().
      
      Change-Id: I928f60967e4a7588df2b25136525391c283cda14
      Related-Bug:#1588462
      61047ac0
  36. Jun 08, 2016
    • Ensure package provided apache conf is disabled · 49d2599c
      James Page authored
      The newton packages for keystone ship an apache2 site named
      keystone, which conflicts with the charm provided wsgi-keystone
      site.
      
      Ensure that the packaging provided configuration is disabled,
      both on initial install and on upgrade from Mitaka->Newton.
      
      Change-Id: I5f6c67057a32d46529510ba6e4c0f5514f1a2d9e
      49d2599c
  37. May 25, 2016
    • Ensure service port is opened for access. · e40f8ea5
      Andrey Pavlov authored
      In the case where the keystone service is exposed, Juju needs
      to know which ports should be opened. Ensure that the service
      port is opened so that remote access can be made in providers
      that implement machine fire-walling such as ec2.
      
      Change-Id: I15a1e613f6b049e7c7e2c89d5bb94bdfb5da39ac
      Closes-Bug: #1585109
      e40f8ea5
  38. May 09, 2016
    • Ensure we can recover from error during db init · 216a5c9e
      Edward Hope-Morley authored
      Currently if a failure occurs during the shared-db
      hook initialisation sequence after db is inited but
      before admin creds have been setup, there is no way
      to re-run ensure_admin_credentials. This patch
      resolves that issue.
      
      Change-Id: Iad80a0eeae6f94dc89ff994f8e5794c60c272e16
      Closes-Bug: 1578351
      216a5c9e