1. 14 May, 2018 1 commit
  2. 11 May, 2018 4 commits
    • Merge "Sync charm-helpers" · dc5ccac4
      Zuul authored
    • add support for Federated IDentity (FID) and WebSSO · 6f3751cc
      Dmitrii Shcherbakov authored
      * add support for relating with subordinate charms providing Service
      Provider functionality via apache2 authentication modules;
      * enable additional authentication methods on the keystone side to
      accept parsed assertion data provided via apache2 authentication module
      variables exported to WSGI environment;
      * move https frontend and WSGI API apache config files to keystone
      instead of relying on charm-helpers as modifications are needed there to
      add IncludeOptional directives. openstack_https_frontend.conf is added
      on purpose as ServerName cannot be correctly determined after ProxyPass
      which results in TLS errors during SAML exchange process;
      * add an additional relation to openstack-dashboard to provide URL
      information necessary to trust 'origin' parameter in WebSSO URLs used by
      horizon during the authentication process. Also add a context to render
      the federation section that is used to render this information in
      keystone.conf;
      
      Subordinates can choose to use different apache2 authentication modules.
      If those modules support vhost-level variables then multiple
      subordinates for the same module can be used. For example,
      mod_auth_mellon can be used multiple times in different vhosts to
      protect federated token endpoints related to different identity provider
      and protocol combinations.
      
      Trusted dashboard relation could be used to provide dashboard origin URL
      from a different site via cross-model relations.
      
      NOTE: this functionality will be triggered only on Ocata+ (inclusive)
      
      Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
    • Sync charm-helpers · 0e9020bd
      Felipe Reyes authored
      Retry keystone_wait_for_propagation() on exception.
      
      Closes-Bug: #1668954
      Change-Id: I5e5689dbd5cd974b11e017b6d0f06575cabcceb2
    • cabb2377
  3. 10 May, 2018 3 commits
    • Re sync charm-helpers · 97e21855
      David Ames authored
      There was a mid-air collision with charm helpers syncs. The critical
      piece is the removal of a second stats socket line from the haproxy
      templates which breaks on trusty.
      
      All other amulet tests that include keystone will fail on trusty until
      this is landed.
      
      Change-Id: Ide3b7cbda238b9a7b93f0625c21d43335bc10e81
    • Document archive key usage for openstack-origin · 329c2c88
      Neiloy Mukerjee authored
      An arbitrary repository can currently be specified, but it was not yet
      made clear in the documentation that a corresponding public key for
      accessing this repository could be added. This change specifies that
      under the description for the openstack-origin option. Public key can
      be added by appending to the deb url, so the below example would work:
      juju set openstack-origin nova-compute openstack-origin="deb http://ppa.launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1"
      
      Change-Id: I262a2164d4f7b37b4185bdee650371de7be50a55
      Closes-Bug: 1503440
    • Merge "Enable Bionic as a gate test" · 46981577
      Zuul authored
  4. 09 May, 2018 1 commit
  5. 08 May, 2018 1 commit
  6. 18 Apr, 2018 1 commit
  7. 13 Apr, 2018 2 commits
    • bdcde530
    • Run identity client relations when db is complete · a240c520
      David Ames authored
      When keystone is deployed with multiple units but without hacluster,
      one-off scenarios occur where one non-leader unit will fail to update
      its client relations.
      
      This change runs all identity client relations when the database
      relation is complete thus guaranteeing all keystone units update their
      identity relation data with clients.
      
      Small timing fix to amulet tests.
      
      Closes-Bug: #1761562
      Change-Id: I338e500dbc155b75c75b9261a9b5b471bd73088a
  8. 12 Apr, 2018 1 commit
    • Change permissions on SSL keys to 640 · 6470d6dd
      Alex Kavanagh authored
      This tightens up the security on the SSL keys stored in
      /etc/apache2/ssl/<service> to be no longer world readable.
      
      Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0
      Closes-Bug: #1761305
  9. 11 Apr, 2018 1 commit
    • Charm-helpers sync to fix CA cert comparison · 92f5248a
      David Ames authored
      The comparison of bytes vs string of the CA certificate produces a
      false negative. This leads to rewriting certificates and affecting
      connectivity to services.
      
      Read in the certificate as bytes as well for a bytes vs bytes
      comparison.
      
      Closes-Bug: #1762431
      
      Change-Id: Ic226149cc124ac5b84ab30d95a590f08489c67f2
  10. 05 Apr, 2018 2 commits
    • Remove unnecessary apostrophe · f5eff0e0
      Neiloy Mukerjee authored
      No-impact (besides satisfying my inner grammarian) change to exercise
      gerrit workflow.
      
      Change-Id: I962b9f202d650084d31e8f2258a8f0cdc5a8596a
    • Don't ensure pki permissions for releases <= Pike · a189c3da
      sfeole authored
      OpenStack PKI token support was dropped in the Pike release.
      The following update ensures that PKI token validation is
      only run if the release is supported when the sync leader
      broadcasts any service credentials to its peers.
      
      In this case, if the release is <= pike, then we can sync
      token certs and ensure the pki permissions are valid.
      Otherwise this action will be skipped.
      
      Closes-Bug: 1759403
      Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67
  11. 04 Apr, 2018 1 commit
    • Update amulet tests · 570be19c
      Ryan Beisner authored
      Remove soon-to-be deprecated release combos from amulet tests
      
      Change-Id: I425410a41a86138b9e6d77e9273a2b10d541e8cc
  12. 03 Apr, 2018 1 commit
    • Update tox.ini to stop using unverified package · 0c6bfe96
      Ryan Beisner authored
      As of pip 10.0, --allow-unverified is not permitted.
      
      Use of the flag in this repo was previously used to force
      installation of python-apt to accommodate certain unit tests.
      
      The unverified package, python-apt, is no longer necessary
      for test execution.
      
      Related-Bug: #1760720
      
      Change-Id: Ieca3f4978e947ce52d645ddab0f4523c90d03c75
  13. 12 Mar, 2018 1 commit
    • Update SSL/https documentation · 3384ddcb
      Corey Bryant authored
      The README documentation implies that use-https and
      https-service-endpoints are required when enabling SSL/https
      with your own CA, SSL cert, and key. Update the README and
      config.yaml to explain that config options use-https and
      https-service-endpoints should not be set when using ssl_*
      config options.
      
      Change-Id: I2e0140f909ef2c57182895f37cf191b6bc80157b
      Closes-Bug: #1754682
  14. 27 Feb, 2018 1 commit
    • Provide service domain id for v3 deployments · bd299914
      James Page authored
      The glance swift store configuration requires use of the domain
      id for the service domain; update data set for identity-service
      relation to include service_domain_id.
      
      Change-Id: Ie6e2733f34de10a4d34b18dbf1fd9ba623af0e18
      Closes-Bug: 1752027
  15. 23 Feb, 2018 1 commit
  16. 21 Feb, 2018 1 commit
  17. 20 Feb, 2018 1 commit
    • Create Keystone V3 Deployment Class · 7dd36238
      David Ames authored
      For Queens keystone v2 has been dropped. V3 is the only valid API
      version. The charm has already made this change. This change is to
      bring the amulet test up to match by creating a separate class.
      
      Charm-helpers sync
      
      Enlarging the amulet timeout value.
      
      Change-Id: I822624bdf45bfb060dd75ba3b10e71984bc10e48
  18. 08 Feb, 2018 1 commit
  19. 19 Jan, 2018 1 commit
  20. 12 Jan, 2018 2 commits
  21. 03 Jan, 2018 2 commits
  22. 22 Dec, 2017 1 commit
    • Make usernames predictable for multi-endpoints · ee6db34c
      Liam Young authored
      When generating a username associated with multiple charms, the
      username was derived from the keys of an unordered dict making the
      username liable to change. This patch sorts the keys and makes the
      username stable.
      
      Change-Id: I0f857d7c2d5c4abf4843bc3fe1a9848164048fe2
      Closes-Bug: #1739409
  23. 21 Dec, 2017 1 commit
    • Drop postgresql support · 6b5bb0da
      James Page authored
      Remove postgresql DB support; this feature is untested as part
      of the charms, is not in use and was deprecated as part of
      the 1708 charms release.
      
      Change-Id: Ia57a7358fd3567fe0250c45f3e00c07fa83f329c
  24. 18 Dec, 2017 1 commit
    • Add OpenStack Queens support · 1db0949c
      James Page authored
      Keystone@Queens removes support for the v2 API; switch default
      to v3 API from Queens onwards and ensure that charm users can
      only provide 3 via the preferred-api-version for >= Queens.
      
      Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b
  25. 11 Dec, 2017 1 commit
    • Update HAProxy default timeout values · e1ac46f3
      David Ames authored
      The default HAProxy timeout values are fairly strict. On a busy cloud
      it is common to exceed one or more of these timeouts. The only
      indication that HAProxy has exceeded a timeout and dropped the
      connection is errors such as "BadStatusLine" or "EOF." These can be
      very difficult to diagnose when intermittent.
      
      This charm-helpers sync pulls in the change to update the default
      timeout values to more real world settings. These values have been
      extensively tested in ServerStack. Configured values will not be
      overridden.
      
      Partial Bug: #1736171
      
      Change-Id: I973962a5c1538b0d9afbebea8cebf50d938ecfb5
  26. 05 Dec, 2017 1 commit
    • Add Bionic and remove Zesty series and tests · 0f24b1f3
      Ryan Beisner authored
      Bionic, being the next LTS, is important to enable for dev
      and test as early as possible ahead of 18.02.
      
      Zesty goes EOL in Jan 2018. The next stable charms release (18.02)
      will not provide Zesty series support, as it was an interim
      (non-LTS) release.
      
      Change-Id: I02e8eb5c3c2f7fb08a0b6556db12e09b300f3a95
  27. 27 Nov, 2017 1 commit
  28. 16 Nov, 2017 1 commit
  29. 08 Nov, 2017 1 commit
    • Ensure HTTPS configuration completes · 7c065062
      David Ames authored
      There was a race where the https apache2 site,
      openstack_https_frontend.conf, would be rendered in one hook, then
      subsequently the config-changed hook would run and enable that site.
      However, the subsequent config-changed hook would see the template as
      having not changed and therefore it would fail to restart apache2.
      This led to apache2 failing to listen on the correct ports.
      
      This was due to CONFIGS.write_all() being called but a2ensite not
      being called. This change fixes this race and adds a call to
      configure_https() to ensure the configuration completes and apache2
      is restarted.
      
      Change-Id: I229d25c707a0630c9d609fd20a962a0de2e42c77
      Closes-Bug: #1723892
  30. 01 Nov, 2017 1 commit
    • Make ssl_ca optional if ssl_cert+ssl_key provided · 9a0563bf
      Nobuto Murata authored
      ssl_ca is not necessary when ssl_cert is signed by
      a trusted CA, such as GeoTrust, because a trusted
      cert chain is in the system already. Users can just
      provide ssl_cert and ssl_key to enable SSL endpoint
      in that case.
      
      Closes-Bug: #1711354
      Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf
  31. 23 Oct, 2017 1 commit