[new][puppet] puppet-keystone 10.0.0 release (ocata)
We are psyched to announce the release of:

puppet-keystone 10.0.0: Puppet module for OpenStack Keystone

This release is part of the ocata release series.

Download the package from:

    https://tarballs.openstack.org/puppet-keystone/

For more details, please see below.

10.0.0
^^^^^^

New Features
************

* keystone-manage can be used to set up Keystone Fernet Keys. Disabled by
  default as long as the proper version of keystone is not in UCA.
  Upstream Keystone is moving to Fernet token support as the default
  provider. With recent issues with PKI, Fernet is the only viable token
  format for multisite. Note, if the fernet_keys parameter is set to a
  valid hash, keystone-manage won't be used to generate credential keys;
  instead, Puppet will manage file resources for each key in the hash.
  This ensures that the keys are synchronized in a multinode environment.

Known Issues
************

* The Python memcache package is installed when memcache servers are
  specified. This solves the issue where a dependency on the package was
  missed for components using memcache.

Deprecation Notes
*****************

* user_allow_* options for ldap are deprecated in Keystone. Setting these
  will now have no effect and these will be removed as parameters in a
  future release.

* keystone::rabbit_host, keystone::rabbit_hosts,
  keystone::rabbit_password, keystone::rabbit_port,
  keystone::rabbit_userid and keystone::rabbit_virtual_host are
  deprecated. keystone::default_transport_url should be used instead.

Security Issues
***************

* Make the fernet key directory, fernet keys, credential folder, and
  credentials have mode 0600. This ensures that only the keystone user
  can read the keys.

Bug Fixes
*********

* Fixed documentation for log_dir parameter

Other Notes
***********

* Parameters that control the number of spawned child processes for
  distributing processing have had their default value changed from
  ::processorcount to ::os_workers.

* The verbose option was marked to be removed in Ocata; in Newton the
  option was deprecated.

Changes in puppet-keystone 9.4.0..10.0.0
----------------------------------------

d131cdc Prepare 10.0.0 release
0f8ef09 Deprecate rabbitmq connection parameters
92696d8 Fix puppet version for requirements in metadata
dfd9690 Revert "Make fernet the default token provider"
ef836e2 Make fernet the default token provider
4b7c000 Fix the test file name of init.pp
eb8acb8 Remove verbose
5ceee03 set 0600 permissions on fernet keys & folder
60a1147 Fix documentation for log_dir parameter
ed61f3f Change worker defaults to ::os_workers
714d8ef Enable release notes translation
eb7a9fa user_allow_* options for ldap are deprecated
348a7bf Fix boolean typo in documentation
c97d3a4 Changed the home-page to point Openstack Puppet Homepage
78ab9aa Move rspec-puppet-facts to spec helper
057b176 Install python memcache package
28c0429 Added retries for db_sync
cf5a131 Allow the management of the Fernet Keys
2704d1f Update reno for stable/newton
d5a1b27 Resolve OpenID Connect Integration issues

Diffstat (except docs and test files)
-------------------------------------

 README.md | 4 +-
 manifests/db/sync.pp | 2 +
 manifests/federation/openidc.pp | 6 +
 .../federation/openidc_httpd_configuration.pp | 1 -
 manifests/init.pp | 141 ++-
 manifests/ldap.pp | 39 +-
 manifests/logging.pp | 15 +-
 manifests/resource/authtoken.pp | 12 +
 manifests/wsgi/apache.pp | 4 +-
 metadata.json | 10 +-
 ...uthtoken_memcache_package-3b459c97a205cdf1.yaml | 3 +
 ...te-user_allow_ldap-params-0b8b6d2a53d7d818.yaml | 5 +
 ...fix_log_dir_documentation-0ecb8eb4c98c5cbf.yaml | 3 +
 .../keystone-fernet-setup-227ef6d380519cce.yaml | 12 +
 ..._workers_for_worker_count-50c1f496bf4dc954.yaml | 5 +
 ...issions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml | 5 +
 ...ection-params-deprecation-c6e990b4f788505d.yaml | 6 +
 .../notes/remove_verbose-6cbdd66294362090.yaml | 4 +
 releasenotes/source/conf.py | 7 +-
 releasenotes/source/index.rst | 3 +-
 releasenotes/source/newton.rst | 6 +
 setup.cfg | 2 +-
 spec/classes/keystone_db_postgresql_spec.rb | 2 +-
 spec/classes/keystone_init_spec.rb | 1228 ++++++++++++++++++++
 spec/classes/keystone_ldap_spec.rb | 6 -
 spec/classes/keystone_roles_admin_spec.rb | 2 +-
 spec/classes/keystone_spec.rb | 1190 -------------------
 spec/classes/keystone_wsgi_apache_spec.rb | 2 +-
 spec/defines/keystone_resource_authtoken_spec.rb | 5 +
 spec/spec_helper.rb | 10 +-
 templates/openidc.conf.erb | 15 +-
 31 files changed, 1445 insertions(+), 1310 deletions(-)