We are amped to announce the release of:

puppet-keystone 9.0.0: Puppet module for OpenStack Keystone

This release is part of the newton release series.

For more details, please see below.

9.0.0
^^^^^

This is the first Mitaka release for puppet-keystone module.

Support for multi-domain has been added. You can configure LDAP identity
drivers along with the sql, and have multi-domain working.

New Features
************

* Add keystone::disable_admin_token_auth class. Allows disabling
  admin_token (highly recommended by the Keystone team) after an initial
  bootstrap.

* Federation support for Mellon.

* Run keystone-manage bootstrap. Per upstream Keystone Mitaka commit
  7b7fea7a3fe7677981fbf9bac5121bc15601163, keystone no longer creates the
  default domain during the db_sync. This feature enables by default the
  usage of keystone-manage bootstrap.

* Moves all dependencies to an external class. This allows keystone to be
  installed and managed via external mechanisms like venvs or docker.

* Resource keystone_identity_provider for Keystone, used for Identity
  Federation. The remote-id parameter is missing from the openstack client
  Kilo release on most distributions, so this provider will work starting
  with Liberty.

* Add the ability to manage LDAP support packages or not. In some
  instances you may not want this module installing the LDAP support
  packages even if you are using LDAP with keystone. The default behavior
  will be no change from before.

* Add keystone domain specific configuration. Adds a provider able to
  configure multiple domains and two parameters in keystone class to set
  up a working multi-domain configuration.

* Support for multiple LDAP backends. It enables users to inject multiple
  LDAP backend configurations into keystone.

* Add policy driver option for Keystone. This option allows configuring
  the policy backend driver in the keystone.policy namespace. New
  parameter is policy/driver, using Keystone default value.
* Provides bool to determine if policy-rc.d should be managed for
  keystone eventlet service.

* The module no longer manages POSIX users/groups, file and directory,
  that are already managed by packaging.

* Support for multi-domain.

* Remove prefetch in keystone_user/keystone_user_role.

* Switch to puppet-oslo resource usage (instead of manual configuration
  file editing).

Known Issues
************

* Keystone eventlet service is auto-started on Debian-based systems on
  package install.

Upgrade Notes
*************

* Usage of $::os_service_default function in init, db and logging
  classes. It will make sure that some Keystone parameters are using
  OpenStack default values.

* The prefetch and associated instances class function removal could
  impact users that somehow use the command *puppet resource
  keystone_user* or *puppet resource keystone_user_role* in production.
  Those commands won't work anymore. Directly use the associated
  *openstack* commands to get the same effect.

Deprecation Notes
*****************

* Deprecate PKI signing related parameters.

* Remove deprecated tenant LDAP parameters.

* The single wsgi script for both the keystone admin and public endpoints
  has been deprecated upstream. As such, our support of a single wsgi
  script for keystone is also deprecated.

* keystone::python class is deprecated, please use keystone::client.

* Remove unused and broken keystone::dev::install class.

* service_provider parameter is deprecated, does nothing and will be
  removed in a future release. The parameter has no effect. The Service
  provider will be found by Puppet itself. If you really need to override
  this value, please use a Puppet resource collector, using
  keystone-service resource tag.

* verbose option is now deprecated for removal, the parameter has no
  effect.

Bug Fixes
*********

* Fixes bug 1533913 so admin user role is applied in admin_project_domain
  and admin_user_domain.

* Fixes bug 1535939 so endpoint provider takes regions into account.
* Fixes bug 1522541 so when /root/openrc is present and has a v2
  auth_url, the Keystone_user resource will not fail to check
  credentials.

* Hash domains by name. Improves performance of providers when managing a
  lot of resources in the same domain (users and projects).

* Sanitize providers for IPv6 by making sure the IP has brackets when
  needed.

* Fixes bug 1563261 so when using LDAP backend, identity_driver,
  credential_driver and assignment_driver parameters will be configured
  in the Domain section, with other LDAP parameters.

* Fixes bug 1554555 so openstack cli provider needs to pass domain in v3
  calls.

* Fixes bug 1485508 so when domain_specific_drivers_enabled=True
  keystone_user provider fails.

Other Notes
***********

* Drop all Qpid support, it was removed from Oslo in Mitaka.

* Add support for the newer admin and public wsgi scripts for keystone.
  Also added is the ability to provide a custom script for each of these.
  By default, the module will leverage scripts provided by the keystone
  package.

Changes in puppet-keystone 8.0.0b1..9.0.0
-----------------------------------------

c9d6777 Cleanup README
0cab2c7 Change wiki to docs
b9412d9 Prepare 9.0.0 release
255725d Revert "Deprecate use_syslog"
a1a3205 Add oslo::db to dependency chain
b057920 Add oslo::cache to dependency chain
9aab781 reno: show mitaka release notes
eb12a28 Deprecate use_syslog
0dc65b8 Use ensure_packages instead of package
092d303 Adapt keystone tests for a new concat version
e812075 Update keystone wsgi scripts
617fa98 Deprecate PKI signing related parameter
8b7b81b Add other-requirements.txt for bindep
e5824b0 Adding a purge_config option for keystone_config
6f9d029 Fixed require statements for puppet 4
dbde71b Deprecate verbose option in logging
8832518 Add unit test for keystone::config
cb1ed62 stop managing eventlet service on RedHat
be3cae0 Add some kombu options
13c27ec Fix markdown format typo
15890b4 Add support for db_max_retries param
f8ea995 Test multiple operating systems for keystone::db::postgresql
1bb09e8 metadata.json: fix oslo module name
a90175e Prevent keystone eventlet from starting
a5dbb53 Deprecate service_provider
ff3c84d Add Unit Tests for keystone_config type
fef6467 Add missing bit to the user prefetch removal.
46ced68 Totally drop Qpid support
64100bb Remove user/role prefetch to support multi-domain.
030820a Set oslo options in keystone module through puppet-oslo
96ba3fa Make the SSL apache module happens at correct time
055aab7 Add release note for https://review.openstack.org/298672
37b684d Gemfile: rely on puppet-openstack_spec_helper for dependencies
8594336 domain backend drivers set in domain config
04d4969 Ensure endpoints created before admin_token_auth
170c85d Fix for pki_setup
90b2be3 Release 8.0.0
c11b324 Add the ability to control LDAP package mgmt
ec8e045 Ensure keystone service is created before openrc
abca05e Release notes for Keystone external deps
71c6bac Remove matcher definition.
a5da52e Keystone hooks support
fd328e0 CHANGELOG: update for 8.0.0
515c3a4 Prepare release notes for Mitaka 8.0.0
3640727 Missing dependency for domain config.
66d83a4 admin role: make sure openrc is created after
cd4f7d8 Fix issue with fernet_setup exec
6fbae75 Improve keystone::wsgi spec for testing headers parameter
b8ae179 Make apache::vhost::headers configuration possible

Diffstat (except docs and test files)
-------------------------------------

CHANGELOG.md | 11 +
Gemfile | 24 +-
README.md | 15 +-
examples/apache_dropin.pp | 1 -
examples/apache_with_paths.pp | 1 -
examples/k2k_sp_shib.pp | 1 -
examples/ldap_backend.pp | 1 -
examples/v3_basic.pp | 1 -
examples/v3_domain_configuration.pp | 1 -
lib/puppet/provider/keystone.rb | 24 +-
lib/puppet/provider/keystone_domain/openstack.rb | 2 +-
lib/puppet/provider/keystone_endpoint/openstack.rb | 2 +-
.../keystone_identity_provider/openstack.rb | 2 +-
lib/puppet/provider/keystone_role/openstack.rb | 2 +-
lib/puppet/provider/keystone_service/openstack.rb | 2 +-
lib/puppet/provider/keystone_tenant/openstack.rb | 2 +-
lib/puppet/provider/keystone_user/openstack.rb | 59 +--
.../provider/keystone_user_role/openstack.rb | 108 +---
lib/puppet/type/keystone_domain.rb | 2 +-
lib/puppet/type/keystone_endpoint.rb | 2 +-
lib/puppet/type/keystone_identity_provider.rb | 2 +-
lib/puppet/type/keystone_role.rb | 2 +-
lib/puppet/type/keystone_service.rb | 2 +-
lib/puppet/type/keystone_tenant.rb | 2 +-
lib/puppet/type/keystone_user.rb | 2 +-
lib/puppet/type/keystone_user_role.rb | 2 +-
manifests/client.pp | 2 +
manifests/config.pp | 2 +
manifests/cron/token_flush.pp | 2 +
manifests/db.pp | 55 +-
manifests/db/mysql.pp | 6 +-
manifests/db/postgresql.pp | 7 +-
manifests/db/sync.pp | 15 +-
manifests/deps.pp | 82 +++
manifests/disable_admin_token_auth.pp | 3 +
manifests/endpoint.pp | 3 +
manifests/federation/identity_provider.pp | 26 +-
manifests/federation/mellon.pp | 10 +-
manifests/federation/shibboleth.pp | 1 +
manifests/init.pp | 587 ++++++++++++---------
manifests/ldap.pp | 21 +-
manifests/ldap_backend.pp | 37 +-
manifests/logging.pp | 79 +--
manifests/params.pp | 23 +-
manifests/policy.pp | 4 +-
manifests/resource/authtoken.pp | 2 +
manifests/resource/service_identity.pp | 3 +
manifests/roles/admin.pp | 5 +
manifests/service.pp | 17 +-
manifests/wsgi/apache.pp | 168 +++---
metadata.json | 5 +-
other-requirements.txt | 0
.../deprecate_pki_signing-ae35fe25182735ab.yaml | 3 +
.../notes/deprecated_ldap-02957eb56827ead5.yaml | 3 +
.../disable_admin_token_auth-b82d0aca80d1f091.yaml | 6 +
releasenotes/notes/drop_qpid-50eb89c1bec84504.yaml | 3 +
.../federation_with_mellon-2f8229c1464b2e0e.yaml | 3 +
releasenotes/notes/fix_admin-fee6e76089c07a42.yaml | 5 +
.../fix_endpoint_region-0fa0d89061ebaf12.yaml | 5 +
.../notes/fix_openrc_v2-64049769daf57b65.yaml | 6 +
.../notes/hash_domains-d6a867466bcf324b.yaml | 4 +
.../notes/ipv6_provider-796b60badd356e59.yaml | 3 +
.../keystone-wsgi-scripts-0d772d1f9f2d6c57.yaml | 11 +
.../notes/keystone_bootstrap-4bf00198001d3350.yaml | 6 +
.../keystone_hooks_support-2c9e8b09bdbd1b5b.yaml | 5 +
...eystone_identity_provider-9b6f6b3ad70c60f3.yaml | 6 +
.../keystone_python_depr-80fa804d9cd242c5.yaml | 3 +
.../ldap_backend_domain-37839afb8b1d26e4.yaml | 6 +
.../manage_ldap_packages-3b739e338f3e59c2.yaml | 7 +
releasenotes/notes/mitaka-dece9d43a565e6cb.yaml | 3 +
...ulti_domain_configuration-32dc8cbef450f1d6.yaml | 5 +
.../notes/multi_ldap-975858a46dd622a6.yaml | 5 +
.../notes/os_service_default-9caeeb340d4bb303.yaml | 5 +
.../notes/policy_driver-c991dd693d2336fc.yaml | 6 +
...cy_rc_d_keystone_eventlet-2dc65eb3d27f8969.yaml | 7 +
.../remove_unused_class-0615d6744896ad97.yaml | 3 +
...vice_provider_deprecation-50421064c823f3ee.yaml | 6 +
.../stop_posix_and_files-930ee921d0ebead2.yaml | 4 +
.../support_multi_domain-bd04f18aa7913eaa.yaml | 21 +
.../notes/switch_to_oslo-b7caf6d5906e29dc.yaml | 4 +
releasenotes/notes/use-reno-1caaec4ba5aa4285.yaml | 2 -
.../verbose-deprecation-38d9b7667fcf381d.yaml | 4 +
releasenotes/source/conf.py | 4 +-
releasenotes/source/index.rst | 19 +-
releasenotes/source/mitaka.rst | 6 +
spec/acceptance/default_domain_spec.rb | 20 +-
spec/classes/keystone_client_spec.rb | 4 +
spec/classes/keystone_config_spec.rb | 48 ++
spec/classes/keystone_db_postgresql_spec.rb | 48 +-
spec/classes/keystone_db_spec.rb | 11 +-
spec/classes/keystone_db_sync_spec.rb | 12 +-
spec/classes/keystone_deps_spec.rb | 17 +
spec/classes/keystone_ldap_spec.rb | 8 +
spec/classes/keystone_logging_spec.rb | 8 +-
spec/classes/keystone_policy_spec.rb | 1 +
spec/classes/keystone_service_spec.rb | 4 +
spec/classes/keystone_spec.rb | 143 ++---
spec/classes/keystone_wsgi_apache_spec.rb | 106 ++--
spec/defines/keystone_ldap_backend_spec.rb | 2 +-
spec/spec_helper.rb | 2 +
spec/spec_helper_acceptance.rb | 2 -
.../matchers/have_array_of_instances_hash.rb | 17 -
spec/support/matchers/include_regexp.rb | 20 -
spec/unit/provider/keystone_user/openstack_spec.rb | 88 +--
.../provider/keystone_user_role/openstack_spec.rb | 36 --
spec/unit/type/keystone_config_spec.rb | 45 ++
107 files changed, 1312 insertions(+), 962 deletions(-)

Requirements updates
--------------------

diff --git a/other-requirements.txt b/other-requirements.txt new file mode 100644 index 0000000..e69de29
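
Review bot: other-requirements.txt is created empty (new file mode 100644, index 0000000..e69de29, and 0 lines in the diffstat), so the bindep file named in commit 8b7b81b lists no system packages yet. Either list the binary packages the module's test jobs need, or add a comment line in the file saying it is intentionally empty, so the placeholder is not read as an incomplete change.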