Merge "Add support for test mode to keystone_policy"
diff --git a/README.rst b/README.rst
index a171ab2..4ef4bbe 100644
--- a/README.rst
+++ b/README.rst
@@ -845,6 +845,89 @@
Currently the default fernet rotation driver is a shared filesystem
+Enable x509 and ssl communication between Keystone and Galera cluster.
+---------------------
+By default communication between Keystone and Galera is unsecure.
+
+keystone:
+ server:
+ database:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+keystone:
+ server:
+ database:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
+Upgrades
+========
+
+Each openstack formula provide set of phases (logical bloks) that will help to
+build flexible upgrade orchestration logic for particular components. The list
+of phases and theirs descriptions are listed in table below:
+
++-------------------------------+------------------------------------------------------+
+| State | Description |
++===============================+======================================================+
+| <app>.upgrade.service_running | Ensure that all services for particular application |
+| | are enabled for autostart and running |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.service_stopped | Ensure that all services for particular application |
+| | disabled for autostart and dead |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.pkgs_latest | Ensure that packages used by particular application |
+| | are installed to latest available version. |
+| | This will not upgrade data plane packages like qemu |
+| | and openvswitch as usually minimal required version |
+| | in openstack services is really old. The data plane |
+| | packages should be upgraded separately by `apt-get |
+| | upgrade` or `apt-get dist-upgrade` |
+| | Applying this state will not autostart service. |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.render_config | Ensure configuration is rendered actual version. +
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.pre | We assume this state is applied on all nodes in the |
+| | cloud before running upgrade. |
+| | Only non destructive actions will be applied during |
+| | this phase. Perform service built in service check |
+| | like (keystone-manage doctor and nova-status upgrade)|
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this |
+| | phase resources will be gracefully removed from |
+| | current node if it is allowed. Services for upgraded |
+| | application will be set to admin disabled state to |
+| | make sure node will not participate in resources |
+| | scheduling. For example on gtw nodes this will set |
+| | all agents to admin disable state and will move all |
+| | routers to other agents. |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.upgrade | This state will basically upgrade application on |
+| | particular target. Stop services, render |
+| | configuration, install new packages, run offline |
+| | dbsync (for ctl), start services. Data plane should |
+| | not be affected, only OpenStack python services. |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.upgrade.post | Add services back to scheduling. |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.post | This phase should be launched only when upgrade of |
+| | the cloud is completed. Cleanup temporary files, |
+| | perform other post upgrade tasks. |
++-------------------------------+------------------------------------------------------+
+| <app>.upgrade.verify | Here we will do basic health checks (API CRUD |
+| | operations, verify do not have dead network |
+| | agents/compute services) |
++-------------------------------+------------------------------------------------------+
+
+
Documentation and Bugs
======================
diff --git a/keystone/_ssl/mysql.sls b/keystone/_ssl/mysql.sls
new file mode 100644
index 0000000..215a3da
--- /dev/null
+++ b/keystone/_ssl/mysql.sls
@@ -0,0 +1,77 @@
+{%- from "keystone/map.jinja" import server with context %}
+
+keystone_ssl_mysql:
+ test.show_notification:
+ - text: "Running keystone._ssl.mysql"
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_keystone_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: keystone:server:database:x509:cacert
+ - mode: 444
+ - user: keystone
+ - group: keystone
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_keystone_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: keystone:server:database:x509:cert
+ - mode: 440
+ - user: keystone
+ - group: keystone
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_keystone_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: keystone:server:database:x509:key
+ - mode: 400
+ - user: keystone
+ - group: keystone
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_keystone_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: keystone
+ - group: keystone
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_keystone:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: keystone:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index c0447e4..29f69d9 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -1,6 +1,13 @@
{% from "keystone/map.jinja" import server with context %}
-[DEFAULT]
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
#
# From keystone
#
@@ -779,7 +786,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/keystone/server.sls b/keystone/server.sls
index c2a9eba..b28d8a6 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,19 +1,21 @@
{%- from "keystone/map.jinja" import server with context %}
+
{%- if server.enabled %}
include:
-{%- if server.service_name in ['apache2', 'httpd'] %}
-- apache
-{%- endif %}
-- keystone.db.offline_sync
+ {%- if server.service_name in ['apache2', 'httpd'] %}
+ - apache
+ {%- endif %}
+ - keystone.db.offline_sync
+ - keystone._ssl.mysql
keystone_packages:
pkg.installed:
- names: {{ server.pkgs }}
- require_in:
- sls: keystone.db.offline_sync
+ - sls: keystone._ssl.mysql
{%- if server.service_name in ['apache2', 'httpd'] %}
- - require_in:
- pkg: apache_packages
{%- endif %}
@@ -74,7 +76,7 @@
- home: /var/lib/keystone
- uid: 301
- gid: 301
- - shell: /bin/false
+ - shell: /bin/bash
- system: True
- require_in:
- pkg: keystone_packages
@@ -98,6 +100,9 @@
- group: keystone
- require:
- pkg: keystone_packages
+ - sls: keystone._ssl.mysql
+ - require_in:
+ - sls: keystone.db.offline_sync
- watch_in:
- service: {{ keystone_service }}
@@ -124,6 +129,9 @@
- template: jinja
- require:
- pkg: keystone_packages
+ - sls: keystone._ssl.mysql
+ - require_in:
+ - sls: keystone.db.offline_sync
- watch_in:
- service: {{ keystone_service }}
@@ -145,8 +153,11 @@
- defaults:
service_name: keystone
_data: {{ server.logging }}
+ - require_in:
+ - sls: keystone.db.offline_sync
- require:
- pkg: keystone_packages
+ - sls: keystone._ssl.mysql
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
- pkg: keystone_fluentd_logger_package
{%- endif %}
@@ -554,25 +565,6 @@
{%- endfor %}
{%- endif %} {# end noservices #}
-{%- if server.database.get('ssl',{}).get('enabled',False) %}
-mysql_ca_keystone_server:
-{%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: keystone:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
- - require_in:
- - file: /etc/keystone/keystone.conf
-{%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- - require_in:
- - file: /etc/keystone/keystone.conf
-{% endif %}
-{% endif %}
-
-
{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca_keystone_server:
{%- if server.message_queue.ssl.cacert is defined %}
diff --git a/keystone/upgrade/post/init.sls b/keystone/upgrade/post/init.sls
index 1e6fdbf..70f9bf1 100644
--- a/keystone/upgrade/post/init.sls
+++ b/keystone/upgrade/post/init.sls
@@ -1,4 +1,4 @@
-{%- from "keystone/map.jinja" import server with context %}
+{%- from "keystone/map.jinja" import server,client with context %}
keystone_post:
test.show_notification:
@@ -13,3 +13,14 @@
- onlyif: /bin/false
{%- endif %}
{%- endif %}
+
+{%- if client.get('os_client_config', {}).get('enabled') %}
+keystone_delete_os_client_config:
+ module.run:
+ - name: mine.delete
+ - m_fun: keystone_os_client_config
+{%- else %}
+keystone_os_client_config_absent:
+ file.absent:
+ - name: /etc/openstack/clouds.yml
+{%- endif %}
diff --git a/keystone/upgrade/pre/init.sls b/keystone/upgrade/pre/init.sls
index 2ad6ad2..b9c09c3 100644
--- a/keystone/upgrade/pre/init.sls
+++ b/keystone/upgrade/pre/init.sls
@@ -1,12 +1,9 @@
-{%- from "keystone/map.jinja" import server with context %}
+{%- from "keystone/map.jinja" import server,client with context %}
keystone_pre:
test.show_notification:
- text: "Running keystone.upgrade.pre"
-include:
- - keystone.upgrade.verify.api
-
{%- if server.enabled %}
keystone_doctor:
@@ -16,3 +13,25 @@
- onlyif: /bin/false
{%- endif %}
{%- endif %}
+
+{%- if client.get('os_client_config', {}).get('enabled') %}
+keystone_send_os_client_config:
+ module.run:
+ - name: mine.send
+ - func: keystone_os_client_config
+ - kwargs:
+ mine_function: pillar.get
+ - args:
+ - 'keystone:client:os_client_config:cfgs:root:content'
+{%- else %}
+ {%- set os_content = salt['mine.get']('I@keystone:client:os_client_config:enabled:true', 'keystone_os_client_config', 'compound').values()[0] %}
+keystone_os_client_config:
+ file.managed:
+ - name: /etc/openstack/clouds.yml
+ - contents: |
+ {{ os_content |yaml(False)|indent(8) }}
+ - user: 'root'
+ - group: 'root'
+ - makedirs: True
+ - unless: /etc/openstack/clouds.yml
+{%- endif %}
diff --git a/keystone/upgrade/upgrade/post.sls b/keystone/upgrade/upgrade/post.sls
new file mode 100644
index 0000000..84258c7
--- /dev/null
+++ b/keystone/upgrade/upgrade/post.sls
@@ -0,0 +1,3 @@
+keystone_upgrade_uprade_post:
+ test.show_notification:
+ - text: "Running keystone.upgrade.upgrade.post"
diff --git a/keystone/upgrade/upgrade/pre.sls b/keystone/upgrade/upgrade/pre.sls
new file mode 100644
index 0000000..64796cb
--- /dev/null
+++ b/keystone/upgrade/upgrade/pre.sls
@@ -0,0 +1,3 @@
+keystone_upgrade_upgrade_pre:
+ test.show_notification:
+ - text: "Running keystone.upgrade.upgrade.pre"
diff --git a/keystone/upgrade/verify/api.sls b/keystone/upgrade/verify/_api.sls
similarity index 100%
rename from keystone/upgrade/verify/api.sls
rename to keystone/upgrade/verify/_api.sls
diff --git a/keystone/upgrade/verify/init.sls b/keystone/upgrade/verify/init.sls
new file mode 100644
index 0000000..ebdb0b2
--- /dev/null
+++ b/keystone/upgrade/verify/init.sls
@@ -0,0 +1,2 @@
+include:
+ - keystone.upgrade.verify._api