puppet-keystone: update for stx 5.0 74/8174/1
authorJackie Huang <jackie.huang@windriver.com>
Wed, 2 Jun 2021 07:15:39 +0000 (15:15 +0800)
committerJackie Huang <jackie.huang@windriver.com>
Fri, 6 May 2022 08:47:27 +0000 (16:47 +0800)
* inherit stx-metadata to help apply patches
  from stx 'integ' repo

* remove the local copy of stx patches

Issue-ID: INF-215

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Change-Id: I327b5f67337d090a2290070d5c1b3fcc826823be

meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch [deleted file]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0002-remove-the-Keystone-admin-app.patch [deleted file]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0003-remove-eventlet_bindhost-from-Keystoneconf.patch [deleted file]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0004-escape-special-characters-in-bootstrap.patch [deleted file]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0005-Add-support-for-fernet-receipts.patch [deleted file]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0006-workaround-Adjust-keystone-naming-to-poky.patch [deleted file]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-params.pp-fix-the-service-name.patch [moved from meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0008-params.pp-fix-the-service-name-of-openstack-keystone.patch with 94% similarity]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-specify-full-path-to-openrc.patch [moved from meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0007-puppet-keystone-specify-full-path-to-openrc.patch with 96% similarity]
meta-starlingx/meta-stx-cloud/recipes-support/puppet/puppet-keystone_git.bbappend

diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch
deleted file mode 100644 (file)
index 69858ac..0000000
+++ /dev/null
@@ -1,440 +0,0 @@
-From 2c51d6f4ccf4a473089c08857262e769f7a8fc3a Mon Sep 17 00:00:00 2001
-From: Al Bailey <Al.Bailey@windriver.com>
-Date: Thu, 7 Mar 2019 13:43:40 -0600
-Subject: [PATCH 1/4] WRS: Patch1:
- 0001-pike-rebase-squash-titanium-patches.patch
-
----
- lib/puppet/provider/keystone.rb                   | 79 ++++++++++++++++++++++-
- manifests/db/sync.pp                              |  3 +
- manifests/init.pp                                 | 76 +++++++++++++++++-----
- manifests/ldap.pp                                 |  7 ++
- manifests/logging.pp                              |  2 +-
- manifests/resource/service_identity.pp            |  7 ++
- manifests/security_compliance.pp                  | 45 +++++++++++++
- spec/classes/keystone_security_compliance_spec.rb | 19 ++++++
- 8 files changed, 220 insertions(+), 18 deletions(-)
- create mode 100644 manifests/security_compliance.pp
- create mode 100644 spec/classes/keystone_security_compliance_spec.rb
-
-diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb
-index 3841418..0857ac1 100644
---- a/lib/puppet/provider/keystone.rb
-+++ b/lib/puppet/provider/keystone.rb
-@@ -3,6 +3,7 @@ require 'puppet/provider/openstack'
- require 'puppet/provider/openstack/auth'
- require 'puppet/provider/openstack/credentials'
- require File.join(File.dirname(__FILE__), '..','..', 'puppet/provider/keystone/util')
-+require 'hiera_puppet'
- class Puppet::Provider::Keystone < Puppet::Provider::Openstack
-@@ -230,12 +231,88 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
-     end
-   end
-+  ### WRS Modifications (Start) ###
-+
-+  def self.hiera_lookup(key)
-+    HieraPuppet.lookup(key, :undef, self, nil, :priority)
-+  end
-+
-+  def self.initial_config_primary?
-+    return true if ENV['INITIAL_CONFIG_PRIMARY'] == "true"
-+  end
-+
-+
-+  def self.upgrading?
-+    return true if hiera_lookup('platform::params::controller_upgrade') == true 
-+  end
-+
-   def self.request(service, action, properties=nil, options={})
-     super
-   rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
--    request_by_service_token(service, action, error, properties, options=options)
-+    if initial_config_primary?
-+      # admin user account might not have been created
-+      request_by_service_token(service, action, error, properties)
-+    else
-+      if upgrading?
-+        # when running the Keystone manifest during an upgrade
-+        # (on controller-1), we need to use an AUTH token and
-+        # a bypass URL since using the default AUTL URL will
-+        # send the Request to the service catalog URL (internalURL),
-+        # running on the non-upgraded controller-0 which cannot
-+        # service this request
-+        request_by_upgrading_token(service, action, error, properties)
-+      else
-+        request_by_admin_credential(service, action, error, properties)
-+      end
-+    end
-   end
-+  def self.request_by_admin_credential(service, action, error, properties=nil)
-+    properties ||= []
-+    @credentials.username = hiera_lookup('platform::client::params::admin_username')
-+    @credentials.password = hiera_lookup('keystone::admin_password')
-+    @credentials.project_name = 'admin'
-+    @credentials.auth_url = service_url
-+    @credentials.identity_api_version = @credentials.version
-+    if @credentials.version == '3'
-+      @credentials.user_domain_name = hiera_lookup('platform::client::params::admin_user_domain')
-+      @credentials.project_domain_name = hiera_lookup('platform::client::params::admin_project_domain')
-+    end
-+    raise error unless @credentials.set?
-+    Puppet::Provider::Openstack.request(service, action, properties, @credentials)
-+  end
-+
-+  def self.get_upgrade_token
-+    upgrade_token_file = hiera_lookup('openstack::keystone::upgrade::upgrade_token_file')
-+    # the upgrade token file may get refreshed by the same Puppet event
-+    # that triggered this call, and therefore may not be available 
-+    # immediately. Try for timeout before quitting with error
-+    timeout = 10 # 10 seconds
-+    1.upto(timeout) do |iter|
-+      if File.exists?(upgrade_token_file)
-+        upgrade_token = File.read(upgrade_token_file).strip
-+        notice("Found #{upgrade_token_file} token file and upgrade token #{upgrade_token}.")
-+        return upgrade_token
-+      else
-+        Puppet.debug("#{upgrade_token_file} not found. Retrying for #{iter} more seconds.")
-+        sleep(1)
-+      end
-+    end
-+    raise(Puppet::ExecutionFailure, "Can't retrieve #{upgrade_token_file} in #{timeout}s retry attempts.")
-+  end
-+
-+
-+  def self.request_by_upgrading_token(service, action, error, properties=nil, options={})
-+    properties ||= []
-+    @credentials.token = get_upgrade_token
-+    @credentials.url   = hiera_lookup('openstack::keystone::upgrade::url')
-+    raise error unless @credentials.service_token_set?
-+    Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
-+  end
-+
-+  ### WRS Additions (End) ###
-+
-+
-   def self.request_by_service_token(service, action, error, properties=nil, options={})
-     properties ||= []
-     @credentials.token = admin_token
-diff --git a/manifests/db/sync.pp b/manifests/db/sync.pp
-index cee869b..cea217c 100644
---- a/manifests/db/sync.pp
-+++ b/manifests/db/sync.pp
-@@ -36,5 +36,8 @@ class keystone::db::sync(
-     ],
-     notify      => Anchor['keystone::dbsync::end'],
-     tag         => 'keystone-exec',
-+    # Only do the db sync if both controllers are running the same software
-+    # version. Avoids impacting mate controller during an upgrade.
-+    onlyif      => "test $::controller_sw_versions_match = true",
-   }
- }
-diff --git a/manifests/init.pp b/manifests/init.pp
-index 2adc685..4d79d30 100644
---- a/manifests/init.pp
-+++ b/manifests/init.pp
-@@ -28,6 +28,15 @@
- #   The admin_token has been deprecated by the Keystone service and this
- #   will be deprecated in a future changeset. Required.
- #
-+# [*upgrade_token_cmd*]
-+#   (optional) WRS - if we are in an upgrade scenario, an upgrade token
-+#   will be required to bypass authentication.
-+#   Defaults to undef
-+# 
-+# [*upgrade_token_file*]
-+#   (optional) WRS - the file where the upgrade token will be stowed
-+#   Defaults to undef
-+#
- # [*admin_password*]
- #   Keystone password for the admin user. This is not the admin_token.
- #   This is the password that the admin user signs into keystone with.
-@@ -663,6 +672,8 @@
- #
- class keystone(
-   $admin_token,
-+  $upgrade_token_cmd                    = undef,
-+  $upgrade_token_file                   = undef,
-   $admin_password                       = undef,
-   $package_ensure                       = 'present',
-   $client_package_ensure                = 'present',
-@@ -857,10 +868,13 @@ admin_token will be removed in a later release")
-   keystone_config {
-     'DEFAULT/admin_token':      value => $admin_token, secret => true;
-+    # WRS: the following options are deprecated for removal
-+    # however public_bind_host and admin_bind_host are still required as long as
-+    # keystone is running under eventlet
-     'DEFAULT/public_bind_host': value => $public_bind_host;
-     'DEFAULT/admin_bind_host':  value => $admin_bind_host;
--    'DEFAULT/public_port':      value => $public_port;
--    'DEFAULT/admin_port':       value => $admin_port;
-+    #'DEFAULT/public_port':      value => $public_port;
-+    #'DEFAULT/admin_port':       value => $admin_port;
-     'DEFAULT/member_role_id':   value => $member_role_id;
-     'DEFAULT/member_role_name': value => $member_role_name;
-     'paste_deploy/config_file': value => $paste_config;
-@@ -897,18 +911,21 @@ admin_token will be removed in a later release")
-   # ssl config
-   if ($enable_ssl) {
-     keystone_config {
--      'ssl/enable':              value  => true;
-+      # WRS ssl/enable is deprecated for removal
-+      #'ssl/enable':              value  => true;
-       'ssl/certfile':            value  => $ssl_certfile;
-       'ssl/keyfile':             value  => $ssl_keyfile;
-       'ssl/ca_certs':            value  => $ssl_ca_certs;
-       'ssl/ca_key':              value  => $ssl_ca_key;
-       'ssl/cert_subject':        value  => $ssl_cert_subject;
-     }
--  } else {
--    keystone_config {
--      'ssl/enable':              value  => false;
--    }
-   }
-+  # WRS ssl/enable is deprecated for removal
-+  # else {
-+  #  keystone_config {
-+  #    'ssl/enable':              value  => false;
-+  #  }
-+  #}
-   if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) {
-     Service<| title == 'memcached' |> -> Anchor['keystone::service::begin']
-@@ -1016,14 +1033,15 @@ Fernet or UUID tokens are recommended.")
- Fernet or UUID tokens are recommended.")
-   }
--  keystone_config {
--    'signing/certfile':     value => $signing_certfile;
--    'signing/keyfile':      value => $signing_keyfile;
--    'signing/ca_certs':     value => $signing_ca_certs;
--    'signing/ca_key':       value => $signing_ca_key;
--    'signing/cert_subject': value => $signing_cert_subject;
--    'signing/key_size':     value => $signing_key_size;
--  }
-+  # WRS: the following signing options are deprecated for removal
-+  #keystone_config {
-+  #  'signing/certfile':     value => $signing_certfile;
-+  #  'signing/keyfile':      value => $signing_keyfile;
-+  #  'signing/ca_certs':     value => $signing_ca_certs;
-+  #  'signing/ca_key':       value => $signing_ca_key;
-+  #  'signing/cert_subject': value => $signing_cert_subject;
-+  #  'signing/key_size':     value => $signing_key_size;
-+  #}
-   # Only do pki_setup if we were asked to do so.  This is needed
-   # regardless of the token provider since token revocation lists
-@@ -1089,6 +1107,9 @@ Fernet or UUID tokens are recommended.")
-     heartbeat_rate              => $rabbit_heartbeat_rate,
-   }
-+  # WRS: The following options are deprecated for removal
-+  # however they are still required as long as keystone
-+  # is running under eventlet
-   keystone_config {
-     'eventlet_server/admin_workers':  value => $admin_workers;
-     'eventlet_server/public_workers': value => $public_workers;
-@@ -1135,7 +1156,8 @@ Fernet or UUID tokens are recommended.")
-         validate     => false,
-       }
-     }
--    warning("Keystone under Eventlet has been deprecated during the Kilo cycle. \
-+    # Drop this to info.
-+    info("Keystone under Eventlet has been deprecated during the Kilo cycle. \
- Support for deploying under eventlet will be dropped as of the M-release of OpenStack.")
-   } elsif $service_name == 'httpd' {
-     include ::apache::params
-@@ -1280,6 +1302,27 @@ running as a standalone service, or httpd for being run by a httpd server")
-     }
-   }
-+  # WRS: Now that the keystone service has started,
-+  # check if we are in an Upgrade scenario, and generate
-+  # an upgrade token which will be used to bypass Keystone
-+  # authentication (specifically the service catalog) for
-+  # all operations during upgrades.
-+  # This operation is similar to the keystone bootstrap
-+  # operation (above) which would generate an admin
-+  # token, and therefore also requires the database to
-+  # be up and running and configured and is only run once,
-+  # so we don't need to notify the service
-+  if $upgrade_token_cmd and $upgrade_token_file {
-+    exec { 'upgrade token issue':
-+      command     => "${upgrade_token_cmd} > ${upgrade_token_file}",
-+      path        => '/usr/bin',
-+      creates     => $upgrade_token_file,
-+      subscribe   => Service[$service_name],
-+      notify      => Anchor['keystone::service::end'],
-+      tag         => 'keystone-exec',
-+    }
-+  }
-+
-   if $using_domain_config {
-     validate_absolute_path($domain_config_directory)
-     # Better than ensure resource.  We don't want to conflict with any
-@@ -1311,4 +1354,5 @@ running as a standalone service, or httpd for being run by a httpd server")
-       {'value' => $domain_config_directory}
-     )
-   }
-+
- }
-diff --git a/manifests/ldap.pp b/manifests/ldap.pp
-index 11620bf..728ca40 100644
---- a/manifests/ldap.pp
-+++ b/manifests/ldap.pp
-@@ -4,6 +4,11 @@
- #
- # === parameters:
- #
-+# [*debug_level*]
-+#   LDAP debugging level for LDAP calls; a value of zero("0") disables
-+#   debugging. (integer value)
-+#  Defaults to 'undef'
-+#
- # [*url*]
- #   URL for connecting to the LDAP server. (string value)
- #   Defaults to 'undef'
-@@ -384,6 +389,7 @@
- # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
- #
- class keystone::ldap(
-+  $debug_level                          = undef,
-   $url                                  = undef,
-   $user                                 = undef,
-   $password                             = undef,
-@@ -494,6 +500,7 @@ class keystone::ldap(
-   }
-   keystone_config {
-+    'ldap/debug_level':                          value => $debug_level; 
-     'ldap/url':                                  value => $url;
-     'ldap/user':                                 value => $user;
-     'ldap/password':                             value => $password, secret => true;
-diff --git a/manifests/logging.pp b/manifests/logging.pp
-index e737c4f..3d8df63 100644
---- a/manifests/logging.pp
-+++ b/manifests/logging.pp
-@@ -110,7 +110,7 @@ class keystone::logging(
-   $log_file                      = $::os_service_default,
-   $debug                         = $::os_service_default,
-   $logging_context_format_string = $::os_service_default,
--  $logging_default_format_string = $::os_service_default,
-+  $logging_default_format_string = 'keystone:log %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s',
-   $logging_debug_format_suffix   = $::os_service_default,
-   $logging_exception_prefix      = $::os_service_default,
-   $logging_user_identity_format  = $::os_service_default,
-diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp
-index 09e7d94..243c9ec 100644
---- a/manifests/resource/service_identity.pp
-+++ b/manifests/resource/service_identity.pp
-@@ -187,6 +187,8 @@ define keystone::resource::service_identity(
-     if $service_type {
-       ensure_resource('keystone_service', "${service_name_real}::${service_type}", {
-         'ensure'      => $ensure,
-+        'name'        => $service_name_real,
-+        'type'        => $service_type,
-         'description' => $service_description,
-       })
-     } else {
-@@ -199,6 +201,9 @@ define keystone::resource::service_identity(
-       if $public_url and $admin_url and $internal_url {
-         ensure_resource('keystone_endpoint', "${region}/${service_name_real}::${service_type}", {
-           'ensure'       => $ensure,
-+          'name'         => $service_name_real,
-+          'type'         => $service_type,
-+          'region'       => $region,
-           'public_url'   => $public_url,
-           'admin_url'    => $admin_url,
-           'internal_url' => $internal_url,
-@@ -210,6 +215,8 @@ define keystone::resource::service_identity(
-       if $public_url and $admin_url and $internal_url {
-         ensure_resource('keystone_endpoint', "${region}/${service_name_real}", {
-           'ensure'       => $ensure,
-+          'name'         => $service_name_real,
-+          'region'       => $region,
-           'public_url'   => $public_url,
-           'admin_url'    => $admin_url,
-           'internal_url' => $internal_url,
-diff --git a/manifests/security_compliance.pp b/manifests/security_compliance.pp
-new file mode 100644
-index 0000000..64830ec
---- /dev/null
-+++ b/manifests/security_compliance.pp
-@@ -0,0 +1,45 @@
-+# == class: keystone::security_compliance
-+#
-+# Implements security compliance configuration for keystone.
-+#
-+# === parameters:
-+#
-+# [*unique_last_password_count*]
-+#   This controls the number of previous user password iterations
-+#   to keep in history, in order to enforce that newly created passwords
-+#   are unique. Setting the value to 1 (the default) disables this feature.
-+#   (integer value)
-+#   Defaults to 'undef'
-+#
-+# [*password_regex*]
-+#   The regular expression used to validate password strength 
-+#   requirements. By default, the regular expression will match
-+#   any password. (string value)
-+#   Defaults to 'undef'
-+#
-+# [*password_regex_description*]
-+#   If a password fails to match the regular expression (*password_regex*),
-+#   the contents of this configuration will be returned to users to explain
-+#   why their requested password was insufficient. (string value)
-+#   Defaults to 'undef'
-+#
-+# === DEPRECATED group/name
-+#
-+# == Copyright
-+#
-+# Copyright 2017 Wind River Systems, unless otherwise noted.
-+#
-+class keystone::security_compliance(
-+  $unique_last_password_count          = undef,
-+  $password_regex                      = undef,
-+  $password_regex_description          = undef,
-+) {
-+  
-+  include ::keystone::deps
-+
-+  keystone_config {
-+    'security_compliance/unique_last_password_count':  value => $unique_last_password_count;
-+    'security_compliance/password_regex':              value => $password_regex;
-+    'security_compliance/password_regex_description':  value => $password_regex_description;
-+  } 
-+}
-diff --git a/spec/classes/keystone_security_compliance_spec.rb b/spec/classes/keystone_security_compliance_spec.rb
-new file mode 100644
-index 0000000..d0d4724
---- /dev/null
-+++ b/spec/classes/keystone_security_compliance_spec.rb
-@@ -0,0 +1,19 @@
-+require 'spec_helper'
-+
-+describe 'keystone::security_compliance' do
-+  describe 'with basic params' do
-+    let :params do
-+      {
-+        :unique_last_password_count => 2,
-+        :password_regex => '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$',
-+        :password_regex_description => 'password must be at least 7 characters long and contain 1 digit',
-+      }
-+    end
-+    it 'should have basic params' do
-+      # basic params
-+      is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('2')
-+      is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')
-+      is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('password must be at least 7 characters long and contain 1 digit')
-+    end
-+  end
-+end
--- 
-1.8.3.1
-
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0002-remove-the-Keystone-admin-app.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0002-remove-the-Keystone-admin-app.patch
deleted file mode 100644 (file)
index 7499a8c..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0fb9013aa056db642457e93a20499fd9b46ba436 Mon Sep 17 00:00:00 2001
-From: Kam Nasim <kam.nasim@windriver.com>
-Date: Mon, 22 Jan 2018 11:18:08 -0500
-Subject: [PATCH] CGTS-8701: Remove the Keystone-admin app
-
-Following the Pike rebase, no services are using Identity V2 and
-therefore we can shut off the Keystone admin port / app, as in Identity
-V3 the public endpoint and admin endpoints both offer identical services
----
- lib/puppet/provider/keystone.rb | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb
-index 8eb171d..3c310dc 100644
---- a/lib/puppet/provider/keystone.rb
-+++ b/lib/puppet/provider/keystone.rb
-@@ -171,12 +171,16 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
-   end
-   def self.get_admin_endpoint
-+    # NOTE (knasim-wrs): As of the Pike rebase, the public port(5000)
-+    # provides the same functionality as the admin port(35357). We
-+    # shall therefore not deploy the keystone-admin app and return
-+    # the public port
-     endpoint = nil
-     if keystone_file
-       if url = get_section('DEFAULT', 'admin_endpoint')
-         endpoint = url.chomp('/')
-       else
--        admin_port = get_section('DEFAULT', 'admin_port') || '35357'
-+        admin_port = get_section('DEFAULT', 'public_port') || '5000'
-         host = clean_host(get_section('DEFAULT', 'admin_bind_host'))
-         protocol = ssl? ? 'https' : 'http'
-         endpoint = "#{protocol}://#{host}:#{admin_port}"
--- 
-1.8.3.1
-
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0003-remove-eventlet_bindhost-from-Keystoneconf.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0003-remove-eventlet_bindhost-from-Keystoneconf.patch
deleted file mode 100644 (file)
index 905118c..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-commit bb91ab26622a5ec695c6564af5a9e5e54fdc903c
-Author: Shoaib Nasir <shoaib.nasir@windriver.com>
-Date:   Thu Feb 15 15:04:55 2018 -0500
-
-    WRS: Patch3: 0003-remove-eventlet_bindhost-from-Keystoneconf.patch
-
-diff --git a/manifests/init.pp b/manifests/init.pp
-index 4d79d30..d64638c 100644
---- a/manifests/init.pp
-+++ b/manifests/init.pp
-@@ -871,8 +871,9 @@ admin_token will be removed in a later release")
-     # WRS: the following options are deprecated for removal
-     # however public_bind_host and admin_bind_host are still required as long as
-     # keystone is running under eventlet
--    'DEFAULT/public_bind_host': value => $public_bind_host;
--    'DEFAULT/admin_bind_host':  value => $admin_bind_host;
-+    # WRS: bind_host options removed from keystone.conf [DEFAULT]
-+    #'DEFAULT/public_bind_host': value => $public_bind_host;
-+    #'DEFAULT/admin_bind_host':  value => $admin_bind_host;
-     #'DEFAULT/public_port':      value => $public_port;
-     #'DEFAULT/admin_port':       value => $admin_port;
-     'DEFAULT/member_role_id':   value => $member_role_id;
-@@ -1110,10 +1111,12 @@ Fernet or UUID tokens are recommended.")
-   # WRS: The following options are deprecated for removal
-   # however they are still required as long as keystone
-   # is running under eventlet
--  keystone_config {
--    'eventlet_server/admin_workers':  value => $admin_workers;
--    'eventlet_server/public_workers': value => $public_workers;
--  }
-+  # WRS(snasir): Removing these options from keystone.conf 
-+  # since they are now populated in keystone-api.conf
-+  #keystone_config {
-+  #  'eventlet_server/admin_workers':  value => $admin_workers;
-+  #  'eventlet_server/public_workers': value => $public_workers;
-+  #}
-   if $manage_service {
-     if $enabled {
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0004-escape-special-characters-in-bootstrap.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0004-escape-special-characters-in-bootstrap.patch
deleted file mode 100644 (file)
index edb5243..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From 70d22113cc8d58b6546cb4917c27f9aae51787c5 Mon Sep 17 00:00:00 2001
-From: Kam Nasim <kam.nasim@windriver.com>
-Date: Mon, 2 Apr 2018 16:13:31 -0400
-Subject: [PATCH] CGTS-9320: config_controller fails when admin pw containing $
-
-Escape special characters when executing the keystone-manage bootstrap
-command since the keystone CLI argparse will parse "Madawa$ka1" as
-"Madawa" which will cause the Keystone ADMIN acct to be created with an
-incorrect password. Puppet will detect this and attempt to course
-correct by sending an UPDATE User request to Keystone, which does set
-the right password but causes other failures in config_controller
----
- manifests/init.pp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/manifests/init.pp b/manifests/init.pp
-index d64638c..89af303 100644
---- a/manifests/init.pp
-+++ b/manifests/init.pp
-@@ -1292,10 +1292,15 @@ running as a standalone service, or httpd for being run by a httpd server")
-   }
-   if $enable_bootstrap {
-+    #(NOTE: knasim-wrs): escape special characters in the password otherwise the
-+    # keyword-manage bootstrap CLI may parse the password incorrectly, causing
-+    # the admin account to be created with an incorrect password
-+    $admin_password_escaped = shell_escape($admin_password_real)
-+
-     # this requires the database to be up and running and configured
-     # and is only run once, so we don't need to notify the service
-     exec { 'keystone-manage bootstrap':
--      command     => "keystone-manage bootstrap --bootstrap-password ${admin_password_real}",
-+      command     => "keystone-manage bootstrap --bootstrap-password ${admin_password_escaped}",
-       user        => $keystone_user,
-       path        => '/usr/bin',
-       refreshonly => true,
--- 
-1.8.3.1
-
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0005-Add-support-for-fernet-receipts.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0005-Add-support-for-fernet-receipts.patch
deleted file mode 100644 (file)
index 5ba045d..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-From 65de0c6615e2e94a4fd234fc1826e3eb403bb575 Mon Sep 17 00:00:00 2001
-From: Tyler Smith <tyler.smith@windriver.com>
-Date: Wed, 10 Apr 2019 15:37:25 -0400
-Subject: [PATCH 1/1] Add support for fernet receipts
-
----
- manifests/init.pp | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/manifests/init.pp b/manifests/init.pp
-index 89af303..a6d5cc3 100644
---- a/manifests/init.pp
-+++ b/manifests/init.pp
-@@ -1247,18 +1247,21 @@ running as a standalone service, or httpd for being run by a httpd server")
-   if $fernet_key_repository {
-     keystone_config {
--      'fernet_tokens/key_repository': value => $fernet_key_repository;
-+      'fernet_tokens/key_repository':   value => $fernet_key_repository;
-+      'fernet_receipts/key_repository': value => $fernet_key_repository;
-     }
-   } else {
-     keystone_config {
--      'fernet_tokens/key_repository': ensure => absent;
-+      'fernet_tokens/key_repository':   ensure => absent;
-+      'fernet_receipts/key_repository': ensure => absent;
-     }
-   }
-   keystone_config {
--    'token/revoke_by_id':            value => $revoke_by_id;
--    'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
--    'credential/key_repository':     value => $credential_key_repository;
-+    'token/revoke_by_id':              value => $revoke_by_id;
-+    'fernet_tokens/max_active_keys':   value => $fernet_max_active_keys;
-+    'fernet_receipts/max_active_keys': value => $fernet_max_active_keys;
-+    'credential/key_repository':       value => $credential_key_repository;
-   }
-   # Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed.
--- 
-1.8.3.1
-
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0006-workaround-Adjust-keystone-naming-to-poky.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0006-workaround-Adjust-keystone-naming-to-poky.patch
deleted file mode 100644 (file)
index 13d05c6..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-From 5b6e47a7b1eb8c286e7c40479ba19131a2f696d7 Mon Sep 17 00:00:00 2001
-From: "Sar Ashki, Babak" <Babak.SarAshki@windriver.com>
-Date: Thu, 26 Dec 2019 12:00:31 -0800
-Subject: [PATCH] workaround: Adjust keystone naming to poky
-
-Issue 43:
-In the puppet apply, openstack-keystone is used as the keystone package
-name, but in yocto, the package name is 'keystone'.
----
- manifests/params.pp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/manifests/params.pp b/manifests/params.pp
-index 0d61acfb..b2bc44b1 100644
---- a/manifests/params.pp
-+++ b/manifests/params.pp
-@@ -18,7 +18,7 @@ class keystone::params {
-       $openidc_package_name         = 'libapache2-mod-auth-openidc'
-     }
-     'RedHat': {
--      $package_name                 = 'openstack-keystone'
-+      $package_name                 = 'keystone'
-       $service_name                 = 'openstack-keystone'
-       $keystone_wsgi_script_path    = '/var/www/cgi-bin/keystone'
-       $python_memcache_package_name = 'python-memcached'
--- 
-2.23.0
-
index 09fe50c..b24014f 100644 (file)
@@ -1,13 +1,21 @@
+inherit stx-metadata
+
+STX_REPO = "integ"
+STX_SUBPATH = "config/puppet-modules/openstack/${BP}/centos"
+
+SRC_URI_STX += " \
+       file://patches/0001-pike-rebase-squash-titanium-patches.patch \
+       file://patches/0002-remove-the-Keystone-admin-app.patch \
+       file://patches/0003-remove-eventlet_bindhost-from-Keystoneconf.patch \
+       file://patches/0004-escape-special-characters-in-bootstrap.patch \
+       file://patches/0005-Add-support-for-fernet-receipts.patch \
+       file://patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch \
+       file://patches/0007-update-for-openstackclient-Train-upgrade.patch \
+       "
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += " \
-       file://${PN}/0001-pike-rebase-squash-titanium-patches.patch \
-       file://${PN}/0002-remove-the-Keystone-admin-app.patch \
-       file://${PN}/0003-remove-eventlet_bindhost-from-Keystoneconf.patch \
-       file://${PN}/0004-escape-special-characters-in-bootstrap.patch \
-       file://${PN}/0005-Add-support-for-fernet-receipts.patch \
-       file://${PN}/0007-puppet-keystone-specify-full-path-to-openrc.patch \
-       file://${PN}/0008-params.pp-fix-the-service-name-of-openstack-keystone.patch \
+       file://${BPN}/puppet-keystone-specify-full-path-to-openrc.patch \
+       file://${BPN}/puppet-keystone-params.pp-fix-the-service-name.patch \
        "
 
 do_install_append () {
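Review bot: The two patches still listed under `SRC_URI +=` at the bottom of the hunk (`file://${BPN}/puppet-keystone-specify-full-path-to-openrc.patch` and `file://${BPN}/puppet-keystone-params.pp-fix-the-service-name.patch`) may no longer be found by the fetcher, because the hunk drops `FILESEXTRAPATHS_prepend := "${THISDIR}/files:"` while the files stay under this layer's `files/puppet-keystone/` directory (see the "moved from" entries in the file list); unless `stx-metadata.bbclass` adds that directory to the search path, which this page does not show, keep the line `FILESEXTRAPATHS_prepend := "${THISDIR}/files:"` ahead of `SRC_URI += " \`. The new `SRC_URI_STX` list is also not a one-to-one move of the old local list: it adds `0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch` and `0007-update-for-openstackclient-Train-upgrade.patch`, which the previous bbappend never applied, so "remove the local copy of stx patches" understates the change and the description should state that these two are now applied. Because the patch content now comes from the `integ` repository at whatever revision `stx-metadata` resolves rather than from files tracked in this tree, the applied set is only as reproducible as that pin; noting the integ revision in the description would make later audits of what was applied (for example the `0004` escaping of the bootstrap password) straightforward. How the `SRC_URI_STX` patches are ordered relative to the two `SRC_URI` ones depends on how the class merges the variables, which is not visible here, so checking the merged `SRC_URI` with `bitbake -e` before merging is worthwhile.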