The default of 'domain_config_dir' in keystone is '/etc/keystone/domains'.
This patch adds the missing slash.
Change-Id: I30523ec3fd3144811a76b9078e915eff4ffa2b66
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This patch set fixes an issue with where the keystone chart's
domain-manage job/pod always restart once due to a calculation
logic error.
Change-Id: I801d04559a526d3a7339cd5102f2e738af9f72e0
Signed-off-by: Tin Lam <tin@irrational.io>
In case of keystone-fernet-setup job rerun (delete and create),
fernet tokens are recreated. Which leads to ongoing openstack request
fail.
keystone-manage fernet_setup is idempotent, let's make the
keystone-fernet-setup job idempotent as well.
Change-Id: I62e741fe5192b7a0018bc84ccdac1ea5311a1e03
This patch set is one of many to migrate existing code/script to be
python-3 compatible as python-2 is sunsetting in January of 2020.
Change-Id: I337069203a3273e9aba6a37294ee3c25e5b4870a
Signed-off-by: Tin Lam <tin@irrational.io>
Python 3 renamed ConfigParser module to configparser.
This patch fixes compatibility with Python 3 for the
keystone-credential-cleanup job.
Change-Id: I6e34ba995d7a02f94b12162f0e5f8f326dfa8108
This change adds a conditional to the _fernet_setup to avoid
overwriting credential-keys when keystone-manage credential-setup
is ran and there are already existing credential keys. This will
mitigate issues where encrypted credential blobs in keystone were
becoming un-decryptable when the credential keys were being
overridden or lost upon upgrading.
Change-Id: Iac2b080d5d44bdf07534126419a1d5dd86055d6b
This change creates a pre-delete hook to clean out all entries
in the credential table of the keystone database when the
keystone service is deleted. Note that these are not
the typical username/password.[0]
This fixes the issue of leftover credential blobs being saved
in the database that are unable to be decrypted since the
original encryption keys are removed upon deletion of the
keystone service
[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/credential-encryption.html
Change-Id: I8adf0878af2f3b880e9194a6cb8d97b58d6895a5
With this patch we allow for a more easy way of overriding some
of the values that may be used in other distros while maintainting
the default values if those values are not overriden.
The following values are introduced to be overriden:
conf:
security:
software:
apache2:
conf_dir:
site_dir:
mods_dir:
binary:
start_flags:
a2enmod:
a2dismod:
On which:
* conf_dir: directory where to drop the config files
* site_dir: directory where to drop the enabled virtualhosts
* mods_dir: directory where to drop any mod configuration
* binary: the binary to use for launching apache
* start_flags: any flags that will be passed to the apache binary call
* a2enmod: mods to enable
* a2dismod: mods to disable
* security: security configuration for apache
Notice that if there is no overrides given, it should not affect anything
and the templates will not be changed as the default values are set to what
they used to be as to not disrupt existing deployments.
Change-Id: I7622325cf23e5afb26a5f5e887458fd58af2fab8
fernet-manage:
- filter used to return a list on python2 but on python3 it returns
an iterator which has no len method
- Coherce the keys var into a list so we can run len on it on both
versions
update-endpoint:
- ConfigParser is called configparser on python3
- try/catch and import the proper configparser
Change-Id: I8296074f4d20e47afe0c7aea41bf21999685aecd
This change adds a zuul check job to export any templated python
contained in the helm charts and scan it with bandit for any
potential security flaws.
This also adds two nosec comments on the instances of subprocess
used as they currently do not appear to be malicious, as well
as changing the endpoint_update python code to prevent sql
injection, which satisfies bandit code B608.
Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
This PS disables the v2 keystone API, and finishes the migration to
full v3 support.
Change-Id: I3021ebe0bee668db9f28e7fb18e2d4b26172f209
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds a script to update the keystone catalog endpoints
for keystone itself, as the keystone-bootstrap will not update
these once created.
Change-Id: Ie48c71bbdc9bbd14cebcee46285b3bf51bd28065
Signed-off-by: Pete Birley <pete@port.direct>
This patch set addresses the comments left in [0] by fixing the header
information in the python template file and adding logic to query the
domain specific logic.
[0]https://review.openstack.org/#/c/559191/
Change-Id: I656d7ac8158f9b40246ac739e4dc4fc88e1e43da
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set provides PATCH capability for ldap-backed domain config,
and prevents silent failure if the configuration contains erroneous
setting. This also moves from loading .conf files into DB directly,
and uses the API endpoints.
Change-Id: I17a19046fa96e0f3e8fb029c156ba79c924a0097
Signed-off-by: Tin Lam <tin@irrational.io>
This PS removes the licence header from rendered output from tiller,
significantly reducing the configmap size of charts deployed to the
cluster.
Change-Id: I5d1b246f2068f3b83bf59ba79fe8b88bbc9a6161
Keystone is using keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job setting key repository up and rotate job for those keys. All is
based on implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
This PS moves keystone credentials to the endpoints section within
the values.yaml, and also adds a 'secrets' key, allowing standardiation
of secrets and credential management across OpenStack-Helm.
Change-Id: I86a21e625afd822379ac11351603b2c606a3769f
This PS helps improve the Image agnosticism of the Keystone chart.
This is achieved by removing the presumed locations of the Keystone
WSGI scripts, enabling support for images that either do not use a venv
or the same venv location that Kolla uses.
Change-Id: Id04f5e485d6a421b6ac7464cbb14f0e3819b778d
This PS add Barbican support, and moves all potentially container
specific logic into the service start script from the api manifests.
Also fixes a permissions issue with the nova-api, which incorrectly
had the NET_ADMIN capability.
Change-Id: I18fc1ea5d7aa70ea7dabb829361a3da57e905100
This PS updates the way helm-toolkit functions are named to
reference the full path they are loacted at. This should make
development and debugging easier. Addtionally unused functions
have been pruned as well.
Change-Id: I03c553f1d01bccc70c86768b416b147c90d9b2f0
This commit introduces several new paradigms:
* .Values driven mounts in service containers as well as jobs.
These can be overriden at runtime by manipulating .Values.mounts.*
* Authenticated Endpoint Resolution methods in helm-toolkit
to allow the database and rabbit type endpoints to be moved
under the endpoints section. Now endpoint lookup functions exist
for openstack endpoints as well as infrastructure elements such as
the database, rabbitmq, and memcache.
* Importing of upstream "out of the box" policy.json
and keystone-paste.ini files for better or worse.
* A rendering of the keystone.conf oslo generated config
using a new helm based Values generator. This provides "known"
paths to all configuration elements in the form of
"<section>.<oslo_namespace>.<element>" so that any of these can
be targeted for override via --set or values.yaml files loaded at
run time.
* Support for appending arbitrary string data to the policy.json,
keystone-paste.ini, or keystone.conf files via --set conf.keystone.append="#
some comment", or --set conf.policy.append="\"identity:list_projects\":
\"role:fake\""
* Support for complete verbatim overrides of these three
files via --set conf.keystone.override="full file contents",
or --set conf.policy.override="full file contents" for example
* Rename common chart to helm-toolkit
* Update useage of helpers to include reference to chart they come from.
* Update helm-toolkit function naming
Also catches several functions missed in previous PS
* Update remaining requirements.yaml to use helm-toolbox
* Dep Check container fix for common -> helm-toolbox renaming
This PS loads all the required keystone configuration files into a container for an apache based deployment.
It allows OpenStack-Helm to be image agnosic, meaning operators can use any Apache based Keystone image they want.
This introduces changes across several charts, for consistent
endpoint lookup routines. Today, only the internal endpoints
are defined (and copied to admin and public). This can later
be expanded to handle unique public and admin endpoints.
This ensures the catalog is populated with consistent URLs
for all services.
* start.sh was added back, which had requiring sourcing
* the naming convention for charts is finalized with this example
landing on configmap-*.yaml to satisfy those of us with OCD
* imagePullPolicies added for init-containers, required by
helm 2.1.0 which does not supply them by default
