From: Jackie Huang
Date: Wed, 2 Jun 2021 07:15:39 +0000 (+0800)
Subject: puppet-keystone: update for stx 5.0
X-Git-Tag: f-release~102
X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F74%2F8174%2F1;p=pti%2Frtp.git

puppet-keystone: update for stx 5.0

* inherit stx-metadata to help apply patches from stx 'integ' repo
* remove the local copy of stx patches
Issue-ID: INF-215
Signed-off-by: Jackie Huang
Change-Id: I327b5f67337d090a2290070d5c1b3fcc826823be
---
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch
deleted file mode 100644
index 69858ac..0000000
--- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch
+++ /dev/null
@@ -1,440 +0,0 @@ -From 2c51d6f4ccf4a473089c08857262e769f7a8fc3a Mon Sep 17 00:00:00 2001 -From: Al Bailey -Date: Thu, 7 Mar 2019 13:43:40 -0600 -Subject: [PATCH 1/4] WRS: Patch1: - 0001-pike-rebase-squash-titanium-patches.patch - ---- - lib/puppet/provider/keystone.rb | 79 ++++++++++++++++++++++- - manifests/db/sync.pp | 3 + - manifests/init.pp | 76 +++++++++++++++++----- - manifests/ldap.pp | 7 ++ - manifests/logging.pp | 2 +- - manifests/resource/service_identity.pp | 7 ++ - manifests/security_compliance.pp | 45 +++++++++++++ - spec/classes/keystone_security_compliance_spec.rb | 19 ++++++ - 8 files changed, 220 insertions(+), 18 deletions(-) - create mode 100644 manifests/security_compliance.pp - create mode 100644 spec/classes/keystone_security_compliance_spec.rb - -diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb -index 3841418..0857ac1 100644 ---- a/lib/puppet/provider/keystone.rb -+++ b/lib/puppet/provider/keystone.rb -@@ -3,6 +3,7 @@ require 'puppet/provider/openstack' - require 'puppet/provider/openstack/auth' - require 'puppet/provider/openstack/credentials' - require File.join(File.dirname(__FILE__), '..','..', 'puppet/provider/keystone/util') -+require 'hiera_puppet' - - class Puppet::Provider::Keystone < Puppet::Provider::Openstack - -@@ -230,12 +231,88 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack - end - end - -+ ### WRS Modifications (Start) ### -+ -+ def self.hiera_lookup(key) -+ HieraPuppet.lookup(key, :undef, self, nil, :priority) -+ end -+ -+ def self.initial_config_primary? -+ return true if ENV['INITIAL_CONFIG_PRIMARY'] == "true" -+ end -+ -+ -+ def self.upgrading? 
-+ return true if hiera_lookup('platform::params::controller_upgrade') == true -+ end -+ - def self.request(service, action, properties=nil, options={}) - super - rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error -- request_by_service_token(service, action, error, properties, options=options) -+ if initial_config_primary? -+ # admin user account might not have been created -+ request_by_service_token(service, action, error, properties) -+ else -+ if upgrading? -+ # when running the Keystone manifest during an upgrade -+ # (on controller-1), we need to use an AUTH token and -+ # a bypass URL since using the default AUTL URL will -+ # send the Request to the service catalog URL (internalURL), -+ # running on the non-upgraded controller-0 which cannot -+ # service this request -+ request_by_upgrading_token(service, action, error, properties) -+ else -+ request_by_admin_credential(service, action, error, properties) -+ end -+ end - end - -+ def self.request_by_admin_credential(service, action, error, properties=nil) -+ properties ||= [] -+ @credentials.username = hiera_lookup('platform::client::params::admin_username') -+ @credentials.password = hiera_lookup('keystone::admin_password') -+ @credentials.project_name = 'admin' -+ @credentials.auth_url = service_url -+ @credentials.identity_api_version = @credentials.version -+ if @credentials.version == '3' -+ @credentials.user_domain_name = hiera_lookup('platform::client::params::admin_user_domain') -+ @credentials.project_domain_name = hiera_lookup('platform::client::params::admin_project_domain') -+ end -+ raise error unless @credentials.set? 
-+ Puppet::Provider::Openstack.request(service, action, properties, @credentials) -+ end -+ -+ def self.get_upgrade_token -+ upgrade_token_file = hiera_lookup('openstack::keystone::upgrade::upgrade_token_file') -+ # the upgrade token file may get refreshed by the same Puppet event -+ # that triggered this call, and therefore may not be available -+ # immediately. Try for timeout before quitting with error -+ timeout = 10 # 10 seconds -+ 1.upto(timeout) do |iter| -+ if File.exists?(upgrade_token_file) -+ upgrade_token = File.read(upgrade_token_file).strip -+ notice("Found #{upgrade_token_file} token file and upgrade token #{upgrade_token}.") -+ return upgrade_token -+ else -+ Puppet.debug("#{upgrade_token_file} not found. Retrying for #{iter} more seconds.") -+ sleep(1) -+ end -+ end -+ raise(Puppet::ExecutionFailure, "Can't retrieve #{upgrade_token_file} in #{timeout}s retry attempts.") -+ end -+ -+ -+ def self.request_by_upgrading_token(service, action, error, properties=nil, options={}) -+ properties ||= [] -+ @credentials.token = get_upgrade_token -+ @credentials.url = hiera_lookup('openstack::keystone::upgrade::url') -+ raise error unless @credentials.service_token_set? -+ Puppet::Provider::Openstack.request(service, action, properties, @credentials, options) -+ end -+ -+ ### WRS Additions (End) ### -+ -+ - def self.request_by_service_token(service, action, error, properties=nil, options={}) - properties ||= [] - @credentials.token = admin_token -diff --git a/manifests/db/sync.pp b/manifests/db/sync.pp -index cee869b..cea217c 100644 ---- a/manifests/db/sync.pp -+++ b/manifests/db/sync.pp -@@ -36,5 +36,8 @@ class keystone::db::sync( - ], - notify => Anchor['keystone::dbsync::end'], - tag => 'keystone-exec', -+ # Only do the db sync if both controllers are running the same software -+ # version. Avoids impacting mate controller during an upgrade. 
-+ onlyif => "test $::controller_sw_versions_match = true", - } - } -diff --git a/manifests/init.pp b/manifests/init.pp -index 2adc685..4d79d30 100644 ---- a/manifests/init.pp -+++ b/manifests/init.pp -@@ -28,6 +28,15 @@ - # The admin_token has been deprecated by the Keystone service and this - # will be deprecated in a future changeset. Required. - # -+# [*upgrade_token_cmd*] -+# (optional) WRS - if we are in an upgrade scenario, an upgrade token -+# will be required to bypass authentication. -+# Defaults to undef -+# -+# [*upgrade_token_file*] -+# (optional) WRS - the file where the upgrade token will be stowed -+# Defaults to undef -+# - # [*admin_password*] - # Keystone password for the admin user. This is not the admin_token. - # This is the password that the admin user signs into keystone with. -@@ -663,6 +672,8 @@ - # - class keystone( - $admin_token, -+ $upgrade_token_cmd = undef, -+ $upgrade_token_file = undef, - $admin_password = undef, - $package_ensure = 'present', - $client_package_ensure = 'present', -@@ -857,10 +868,13 @@ admin_token will be removed in a later release") - - keystone_config { - 'DEFAULT/admin_token': value => $admin_token, secret => true; -+ # WRS: the following options are deprecated for removal -+ # however public_bind_host and admin_bind_host are still required as long as -+ # keystone is running under eventlet - 'DEFAULT/public_bind_host': value => $public_bind_host; - 'DEFAULT/admin_bind_host': value => $admin_bind_host; -- 'DEFAULT/public_port': value => $public_port; -- 'DEFAULT/admin_port': value => $admin_port; -+ #'DEFAULT/public_port': value => $public_port; -+ #'DEFAULT/admin_port': value => $admin_port; - 'DEFAULT/member_role_id': value => $member_role_id; - 'DEFAULT/member_role_name': value => $member_role_name; - 'paste_deploy/config_file': value => $paste_config; -@@ -897,18 +911,21 @@ admin_token will be removed in a later release") - # ssl config - if ($enable_ssl) { - keystone_config { -- 'ssl/enable': value => 
true; -+ # WRS ssl/enable is deprecated for removal -+ #'ssl/enable': value => true; - 'ssl/certfile': value => $ssl_certfile; - 'ssl/keyfile': value => $ssl_keyfile; - 'ssl/ca_certs': value => $ssl_ca_certs; - 'ssl/ca_key': value => $ssl_ca_key; - 'ssl/cert_subject': value => $ssl_cert_subject; - } -- } else { -- keystone_config { -- 'ssl/enable': value => false; -- } - } -+ # WRS ssl/enable is deprecated for removal -+ # else { -+ # keystone_config { -+ # 'ssl/enable': value => false; -+ # } -+ #} - - if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) { - Service<| title == 'memcached' |> -> Anchor['keystone::service::begin'] -@@ -1016,14 +1033,15 @@ Fernet or UUID tokens are recommended.") - Fernet or UUID tokens are recommended.") - } - -- keystone_config { -- 'signing/certfile': value => $signing_certfile; -- 'signing/keyfile': value => $signing_keyfile; -- 'signing/ca_certs': value => $signing_ca_certs; -- 'signing/ca_key': value => $signing_ca_key; -- 'signing/cert_subject': value => $signing_cert_subject; -- 'signing/key_size': value => $signing_key_size; -- } -+ # WRS: the following signing options are deprecated for removal -+ #keystone_config { -+ # 'signing/certfile': value => $signing_certfile; -+ # 'signing/keyfile': value => $signing_keyfile; -+ # 'signing/ca_certs': value => $signing_ca_certs; -+ # 'signing/ca_key': value => $signing_ca_key; -+ # 'signing/cert_subject': value => $signing_cert_subject; -+ # 'signing/key_size': value => $signing_key_size; -+ #} - - # Only do pki_setup if we were asked to do so. 
This is needed - # regardless of the token provider since token revocation lists -@@ -1089,6 +1107,9 @@ Fernet or UUID tokens are recommended.") - heartbeat_rate => $rabbit_heartbeat_rate, - } - -+ # WRS: The following options are deprecated for removal -+ # however they are still required as long as keystone -+ # is running under eventlet - keystone_config { - 'eventlet_server/admin_workers': value => $admin_workers; - 'eventlet_server/public_workers': value => $public_workers; -@@ -1135,7 +1156,8 @@ Fernet or UUID tokens are recommended.") - validate => false, - } - } -- warning("Keystone under Eventlet has been deprecated during the Kilo cycle. \ -+ # Drop this to info. -+ info("Keystone under Eventlet has been deprecated during the Kilo cycle. \ - Support for deploying under eventlet will be dropped as of the M-release of OpenStack.") - } elsif $service_name == 'httpd' { - include ::apache::params -@@ -1280,6 +1302,27 @@ running as a standalone service, or httpd for being run by a httpd server") - } - } - -+ # WRS: Now that the keystone service has started, -+ # check if we are in an Upgrade scenario, and generate -+ # an upgrade token which will be used to bypass Keystone -+ # authentication (specifically the service catalog) for -+ # all operations during upgrades. 
-+ # This operation is similar to the keystone bootstrap -+ # operation (above) which would generate an admin -+ # token, and therefore also requires the database to -+ # be up and running and configured and is only run once, -+ # so we don't need to notify the service -+ if $upgrade_token_cmd and $upgrade_token_file { -+ exec { 'upgrade token issue': -+ command => "${upgrade_token_cmd} > ${upgrade_token_file}", -+ path => '/usr/bin', -+ creates => $upgrade_token_file, -+ subscribe => Service[$service_name], -+ notify => Anchor['keystone::service::end'], -+ tag => 'keystone-exec', -+ } -+ } -+ - if $using_domain_config { - validate_absolute_path($domain_config_directory) - # Better than ensure resource. We don't want to conflict with any -@@ -1311,4 +1354,5 @@ running as a standalone service, or httpd for being run by a httpd server") - {'value' => $domain_config_directory} - ) - } -+ - } -diff --git a/manifests/ldap.pp b/manifests/ldap.pp -index 11620bf..728ca40 100644 ---- a/manifests/ldap.pp -+++ b/manifests/ldap.pp -@@ -4,6 +4,11 @@ - # - # === parameters: - # -+# [*debug_level*] -+# LDAP debugging level for LDAP calls; a value of zero("0") disables -+# debugging. (integer value) -+# Defaults to 'undef' -+# - # [*url*] - # URL for connecting to the LDAP server. (string value) - # Defaults to 'undef' -@@ -384,6 +389,7 @@ - # Copyright 2012 Puppetlabs Inc, unless otherwise noted. 
- # - class keystone::ldap( -+ $debug_level = undef, - $url = undef, - $user = undef, - $password = undef, -@@ -494,6 +500,7 @@ class keystone::ldap( - } - - keystone_config { -+ 'ldap/debug_level': value => $debug_level; - 'ldap/url': value => $url; - 'ldap/user': value => $user; - 'ldap/password': value => $password, secret => true; -diff --git a/manifests/logging.pp b/manifests/logging.pp -index e737c4f..3d8df63 100644 ---- a/manifests/logging.pp -+++ b/manifests/logging.pp -@@ -110,7 +110,7 @@ class keystone::logging( - $log_file = $::os_service_default, - $debug = $::os_service_default, - $logging_context_format_string = $::os_service_default, -- $logging_default_format_string = $::os_service_default, -+ $logging_default_format_string = 'keystone:log %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s', - $logging_debug_format_suffix = $::os_service_default, - $logging_exception_prefix = $::os_service_default, - $logging_user_identity_format = $::os_service_default, -diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp -index 09e7d94..243c9ec 100644 ---- a/manifests/resource/service_identity.pp -+++ b/manifests/resource/service_identity.pp -@@ -187,6 +187,8 @@ define keystone::resource::service_identity( - if $service_type { - ensure_resource('keystone_service', "${service_name_real}::${service_type}", { - 'ensure' => $ensure, -+ 'name' => $service_name_real, -+ 'type' => $service_type, - 'description' => $service_description, - }) - } else { -@@ -199,6 +201,9 @@ define keystone::resource::service_identity( - if $public_url and $admin_url and $internal_url { - ensure_resource('keystone_endpoint', "${region}/${service_name_real}::${service_type}", { - 'ensure' => $ensure, -+ 'name' => $service_name_real, -+ 'type' => $service_type, -+ 'region' => $region, - 'public_url' => $public_url, - 'admin_url' => $admin_url, - 'internal_url' => $internal_url, -@@ -210,6 +215,8 @@ define 
keystone::resource::service_identity( - if $public_url and $admin_url and $internal_url { - ensure_resource('keystone_endpoint', "${region}/${service_name_real}", { - 'ensure' => $ensure, -+ 'name' => $service_name_real, -+ 'region' => $region, - 'public_url' => $public_url, - 'admin_url' => $admin_url, - 'internal_url' => $internal_url, -diff --git a/manifests/security_compliance.pp b/manifests/security_compliance.pp -new file mode 100644 -index 0000000..64830ec ---- /dev/null -+++ b/manifests/security_compliance.pp -@@ -0,0 +1,45 @@ -+# == class: keystone::security_compliance -+# -+# Implements security compliance configuration for keystone. -+# -+# === parameters: -+# -+# [*unique_last_password_count*] -+# This controls the number of previous user password iterations -+# to keep in history, in order to enforce that newly created passwords -+# are unique. Setting the value to 1 (the default) disables this feature. -+# (integer value) -+# Defaults to 'undef' -+# -+# [*password_regex*] -+# The regular expression used to validate password strength -+# requirements. By default, the regular expression will match -+# any password. (string value) -+# Defaults to 'undef' -+# -+# [*password_regex_description*] -+# If a password fails to match the regular expression (*password_regex*), -+# the contents of this configuration will be returned to users to explain -+# why their requested password was insufficient. (string value) -+# Defaults to 'undef' -+# -+# === DEPRECATED group/name -+# -+# == Copyright -+# -+# Copyright 2017 Wind River Systems, unless otherwise noted. 
-+# -+class keystone::security_compliance( -+ $unique_last_password_count = undef, -+ $password_regex = undef, -+ $password_regex_description = undef, -+) { -+ -+ include ::keystone::deps -+ -+ keystone_config { -+ 'security_compliance/unique_last_password_count': value => $unique_last_password_count; -+ 'security_compliance/password_regex': value => $password_regex; -+ 'security_compliance/password_regex_description': value => $password_regex_description; -+ } -+} -diff --git a/spec/classes/keystone_security_compliance_spec.rb b/spec/classes/keystone_security_compliance_spec.rb -new file mode 100644 -index 0000000..d0d4724 ---- /dev/null -+++ b/spec/classes/keystone_security_compliance_spec.rb -@@ -0,0 +1,19 @@ -+require 'spec_helper' -+ -+describe 'keystone::security_compliance' do -+ describe 'with basic params' do -+ let :params do -+ { -+ :unique_last_password_count => 2, -+ :password_regex => '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$', -+ :password_regex_description => 'password must be at least 7 characters long and contain 1 digit', -+ } -+ end -+ it 'should have basic params' do -+ # basic params -+ is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('2') -+ is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') -+ is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('password must be at least 7 characters long and contain 1 digit') -+ end -+ end -+end --- -1.8.3.1 - diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0002-remove-the-Keystone-admin-app.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0002-remove-the-Keystone-admin-app.patch deleted file mode 100644 index 7499a8c..0000000 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0002-remove-the-Keystone-admin-app.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 0fb9013aa056db642457e93a20499fd9b46ba436 Mon Sep 17 00:00:00 2001 -From: Kam Nasim -Date: Mon, 22 Jan 2018 11:18:08 -0500 -Subject: [PATCH] CGTS-8701: Remove the Keystone-admin app - -Following the Pike rebase, no services are using Identity V2 and -therefore we can shut off the Keystone admin port / app, as in Identity -V3 the public endpoint and admin endpoints both offer identical services ---- - lib/puppet/provider/keystone.rb | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb -index 8eb171d..3c310dc 100644 ---- a/lib/puppet/provider/keystone.rb -+++ b/lib/puppet/provider/keystone.rb -@@ -171,12 +171,16 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack - end - - def self.get_admin_endpoint -+ # NOTE (knasim-wrs): As of the Pike rebase, the public port(5000) -+ # provides the same functionality as the admin port(35357). We -+ # shall therefore not deploy the keystone-admin app and return -+ # the public port - endpoint = nil - if keystone_file - if url = get_section('DEFAULT', 'admin_endpoint') - endpoint = url.chomp('/') - else -- admin_port = get_section('DEFAULT', 'admin_port') || '35357' -+ admin_port = get_section('DEFAULT', 'public_port') || '5000' - host = clean_host(get_section('DEFAULT', 'admin_bind_host')) - protocol = ssl? ? 'https' : 'http' - endpoint = "#{protocol}://#{host}:#{admin_port}" --- -1.8.3.1 - diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0003-remove-eventlet_bindhost-from-Keystoneconf.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0003-remove-eventlet_bindhost-from-Keystoneconf.patch deleted file mode 100644 index 905118c..0000000 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0003-remove-eventlet_bindhost-from-Keystoneconf.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -commit bb91ab26622a5ec695c6564af5a9e5e54fdc903c -Author: Shoaib Nasir -Date: Thu Feb 15 15:04:55 2018 -0500 - - WRS: Patch3: 0003-remove-eventlet_bindhost-from-Keystoneconf.patch - -diff --git a/manifests/init.pp b/manifests/init.pp -index 4d79d30..d64638c 100644 ---- a/manifests/init.pp -+++ b/manifests/init.pp -@@ -871,8 +871,9 @@ admin_token will be removed in a later release") - # WRS: the following options are deprecated for removal - # however public_bind_host and admin_bind_host are still required as long as - # keystone is running under eventlet -- 'DEFAULT/public_bind_host': value => $public_bind_host; -- 'DEFAULT/admin_bind_host': value => $admin_bind_host; -+ # WRS: bind_host options removed from keystone.conf [DEFAULT] -+ #'DEFAULT/public_bind_host': value => $public_bind_host; -+ #'DEFAULT/admin_bind_host': value => $admin_bind_host; - #'DEFAULT/public_port': value => $public_port; - #'DEFAULT/admin_port': value => $admin_port; - 'DEFAULT/member_role_id': value => $member_role_id; -@@ -1110,10 +1111,12 @@ Fernet or UUID tokens are recommended.") - # WRS: The following options are deprecated for removal - # however they are still required as long as keystone - # is running under eventlet -- keystone_config { -- 'eventlet_server/admin_workers': value => $admin_workers; -- 'eventlet_server/public_workers': value => $public_workers; -- } -+ # WRS(snasir): Removing these options from keystone.conf -+ # since they are now populated in keystone-api.conf -+ #keystone_config { -+ # 'eventlet_server/admin_workers': value => $admin_workers; -+ # 'eventlet_server/public_workers': value => $public_workers; -+ #} - - if $manage_service { - if $enabled { 
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0004-escape-special-characters-in-bootstrap.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0004-escape-special-characters-in-bootstrap.patch deleted file mode 100644 index edb5243..0000000 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0004-escape-special-characters-in-bootstrap.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 70d22113cc8d58b6546cb4917c27f9aae51787c5 Mon Sep 17 00:00:00 2001 -From: Kam Nasim -Date: Mon, 2 Apr 2018 16:13:31 -0400 -Subject: [PATCH] CGTS-9320: config_controller fails when admin pw containing $ - -Escape special characters when executing the keystone-manage bootstrap -command since the keystone CLI argparse will parse "Madawa$ka1" as -"Madawa" which will cause the Keystone ADMIN acct to be created with an -incorrect password. Puppet will detect this and attempt to course -correct by sending an UPDATE User request to Keystone, which does set -the right password but causes other failures in config_controller ---- - manifests/init.pp | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/manifests/init.pp b/manifests/init.pp -index d64638c..89af303 100644 ---- a/manifests/init.pp -+++ b/manifests/init.pp -@@ -1292,10 +1292,15 @@ running as a standalone service, or httpd for being run by a httpd server") - } - - if $enable_bootstrap { -+ #(NOTE: knasim-wrs): escape special characters in the password otherwise the -+ # keyword-manage bootstrap CLI may parse the password incorrectly, causing -+ # the admin account to be created with an incorrect password -+ $admin_password_escaped = shell_escape($admin_password_real) -+ - # this requires the database to be up and running and configured - # and is only run once, so we don't need to notify the service - exec { 'keystone-manage bootstrap': -- command => "keystone-manage bootstrap --bootstrap-password ${admin_password_real}", -+ command => "keystone-manage bootstrap --bootstrap-password ${admin_password_escaped}", - user => $keystone_user, - path => '/usr/bin', - refreshonly => true, --- -1.8.3.1 - 
diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0005-Add-support-for-fernet-receipts.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0005-Add-support-for-fernet-receipts.patch deleted file mode 100644 index 5ba045d..0000000 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0005-Add-support-for-fernet-receipts.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 65de0c6615e2e94a4fd234fc1826e3eb403bb575 Mon Sep 17 00:00:00 2001 -From: Tyler Smith -Date: Wed, 10 Apr 2019 15:37:25 -0400 -Subject: [PATCH 1/1] Add support for fernet receipts - ---- - manifests/init.pp | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/manifests/init.pp b/manifests/init.pp -index 89af303..a6d5cc3 100644 ---- a/manifests/init.pp -+++ b/manifests/init.pp -@@ -1247,18 +1247,21 @@ running as a standalone service, or httpd for being run by a httpd server") - - if $fernet_key_repository { - keystone_config { -- 'fernet_tokens/key_repository': value => $fernet_key_repository; -+ 'fernet_tokens/key_repository': value => $fernet_key_repository; -+ 'fernet_receipts/key_repository': value => $fernet_key_repository; - } - } else { - keystone_config { -- 'fernet_tokens/key_repository': ensure => absent; -+ 'fernet_tokens/key_repository': ensure => absent; -+ 'fernet_receipts/key_repository': ensure => absent; - } - } - - keystone_config { -- 'token/revoke_by_id': value => $revoke_by_id; -- 'fernet_tokens/max_active_keys': value => $fernet_max_active_keys; -- 'credential/key_repository': value => $credential_key_repository; -+ 'token/revoke_by_id': value => $revoke_by_id; -+ 'fernet_tokens/max_active_keys': value => $fernet_max_active_keys; -+ 'fernet_receipts/max_active_keys': value => $fernet_max_active_keys; -+ 'credential/key_repository': value => $credential_key_repository; - } - - # Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed. --- -1.8.3.1 - diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0006-workaround-Adjust-keystone-naming-to-poky.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0006-workaround-Adjust-keystone-naming-to-poky.patch deleted file mode 100644 index 13d05c6..0000000 
--- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0006-workaround-Adjust-keystone-naming-to-poky.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 5b6e47a7b1eb8c286e7c40479ba19131a2f696d7 Mon Sep 17 00:00:00 2001 -From: "Sar Ashki, Babak" -Date: Thu, 26 Dec 2019 12:00:31 -0800 -Subject: [PATCH] workaround: Adjust keystone naming to poky - -Issue 43: -In the puppet apply, openstack-keystone is used as the keystone package -name, but in yocto, the package name is 'keystone'. ---- - manifests/params.pp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/manifests/params.pp b/manifests/params.pp -index 0d61acfb..b2bc44b1 100644 ---- a/manifests/params.pp -+++ b/manifests/params.pp -@@ -18,7 +18,7 @@ class keystone::params { - $openidc_package_name = 'libapache2-mod-auth-openidc' - } - 'RedHat': { -- $package_name = 'openstack-keystone' -+ $package_name = 'keystone' - $service_name = 'openstack-keystone' - $keystone_wsgi_script_path = '/var/www/cgi-bin/keystone' - $python_memcache_package_name = 'python-memcached' --- -2.23.0 - diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0008-params.pp-fix-the-service-name-of-openstack-keystone.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-params.pp-fix-the-service-name.patch similarity index 94% rename from meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0008-params.pp-fix-the-service-name-of-openstack-keystone.patch rename to meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-params.pp-fix-the-service-name.patch index da652f2..3fb0325 100644 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0008-params.pp-fix-the-service-name-of-openstack-keystone.patch +++ b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-params.pp-fix-the-service-name.patch @@ -3,6 +3,8 @@ 
From: Jackie Huang Date: Wed, 11 Mar 2020 11:12:34 +0800 Subject: [PATCH] params.pp: fix the service name of openstack-keystone +Upstream-Status: Inappropriate [poky-stx specific] + Signed-off-by: Jackie Huang --- manifests/params.pp | 2 +- diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0007-puppet-keystone-specify-full-path-to-openrc.patch b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-specify-full-path-to-openrc.patch similarity index 96% rename from meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0007-puppet-keystone-specify-full-path-to-openrc.patch rename to meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-specify-full-path-to-openrc.patch index d61c158..3073a33 100644 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/0007-puppet-keystone-specify-full-path-to-openrc.patch +++ b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/files/puppet-keystone/puppet-keystone-specify-full-path-to-openrc.patch @@ -4,6 +4,9 @@ Date: Wed, 8 Jan 2020 15:54:44 -0800 Subject: [PATCH] puppet-keystone: specify full path to openrc issue 48: keystone endpoints cannot be populated properly + +Upstream-Status: Inappropriate [poky-stx specific] + --- manifests/deps.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/puppet-keystone_git.bbappend b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/puppet-keystone_git.bbappend index 09fe50c..b24014f 100644 --- a/meta-starlingx/meta-stx-cloud/recipes-support/puppet/puppet-keystone_git.bbappend +++ b/meta-starlingx/meta-stx-cloud/recipes-support/puppet/puppet-keystone_git.bbappend 
@@ -1,13 +1,21 @@
+inherit stx-metadata
+
+STX_REPO = "integ"
+STX_SUBPATH = "config/puppet-modules/openstack/${BP}/centos"
+
+SRC_URI_STX += " \
+ file://patches/0001-pike-rebase-squash-titanium-patches.patch \
+ file://patches/0002-remove-the-Keystone-admin-app.patch \
+ file://patches/0003-remove-eventlet_bindhost-from-Keystoneconf.patch \
+ file://patches/0004-escape-special-characters-in-bootstrap.patch \
+ file://patches/0005-Add-support-for-fernet-receipts.patch \
+ file://patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch \
+ file://patches/0007-update-for-openstackclient-Train-upgrade.patch \
+ "
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
 SRC_URI += " \
- file://${PN}/0001-pike-rebase-squash-titanium-patches.patch \
- file://${PN}/0002-remove-the-Keystone-admin-app.patch \
- file://${PN}/0003-remove-eventlet_bindhost-from-Keystoneconf.patch \
- file://${PN}/0004-escape-special-characters-in-bootstrap.patch \
- file://${PN}/0005-Add-support-for-fernet-receipts.patch \
- file://${PN}/0007-puppet-keystone-specify-full-path-to-openrc.patch \
- file://${PN}/0008-params.pp-fix-the-service-name-of-openstack-keystone.patch \
+ file://${BPN}/puppet-keystone-specify-full-path-to-openrc.patch \
+ file://${BPN}/puppet-keystone-params.pp-fix-the-service-name.patch \
 "
 
 do_install_append () {
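Review bot: `FILESEXTRAPATHS_prepend := "${THISDIR}/files:"` is removed while `SRC_URI` still lists `file://${BPN}/puppet-keystone-specify-full-path-to-openrc.patch` and `file://${BPN}/puppet-keystone-params.pp-fix-the-service-name.patch`, which the rename headers above place under this layer's `files/puppet-keystone/` directory; unless the inherited `stx-metadata` class re-adds `${THISDIR}/files` to the file search path, bitbake will not locate those two patches. If the class does provide it, a comment such as `# FILESEXTRAPATHS is extended by the inherited stx-metadata class` above `SRC_URI` would make that dependency explicit. The seven patches in `SRC_URI_STX`, including `0004-escape-special-characters-in-bootstrap.patch` whose local copy this commit deletes, are now fetched from the external `integ` repo, so the patch content applied to the keystone module is only as pinned as the `integ` revision the class resolves; consider recording the expected revision next to `STX_REPO`, e.g. `# patches come from stx integ at the revision pinned by stx-metadata`. The `do_install_append` body continues past the end of the hunk.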