diff --git a/src/README.md b/src/README.md index 4ec4fcd..181b70d 100644 --- a/src/README.md +++ b/src/README.md @@ -4,22 +4,17 @@ This subordinate charm provides a way to authenticate in Openstack for a specific domain with a Kerberos ticket. This provides an additional security layer. An external Kerberos server is necessary. -The following documentation is useful to understand better the charm -implementation: - -* https://www.objectif-libre.com/fr/blog/2018/02/26/kerberos-authentication-for-keystone/ -* https://jaosorior.dev/2018/keberos-for-keystone-with-mod_auth_gssapi/ +This kerberos subordinate charm is supported on Ubuntu Bionic (18.04 LTS) with +the Openstack versions Queens and later. # Usage -Use this charm with the Keystone and Keystone-LDAP charms: +Use this charm with the Keystone charm: juju deploy keystone - juju deploy keystone-ldap juju deploy openstack-dashboard juju deploy keystone-kerberos - juju add-relation keystone keystone-ldap juju add-relation keystone openstack-dashboard juju add-relation keystone keystone-kerberos @@ -47,8 +42,7 @@ In a bundle: To authenticate against Keystone and Kerberos from a host, the following librairies need to be installed : -- sudo apt install krb5-user gcc python-dev libkrb5-dev python-pip -- pip install keystoneauth1[kerberos] +- sudo apt install krb5-user python3-openstackclient python3-requests-kerberos # Configuration diff --git a/src/metadata.yaml b/src/metadata.yaml index 5a6adc2..05a32b3 100644 --- a/src/metadata.yaml +++ b/src/metadata.yaml @@ -11,7 +11,7 @@ tags: - ldap series: - bionic - - eoan + - focal subordinate: true provides: keystone-fid-service-provider: diff --git a/src/test-requirements.txt b/src/test-requirements.txt index f62563a..d3c9be8 100644 --- a/src/test-requirements.txt +++ b/src/test-requirements.txt 
@@ -5,4 +5,4 @@
 #
 # Functional Test Requirements (let Zaza's dependencies solve all dependencies here!)
 git+https://github.com/openstack-charmers/zaza.git#egg=zaza
-git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.openstack
\ No newline at end of file
+git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.openstack
diff --git a/src/tests/bundles/bionic-queens.yaml b/src/tests/bundles/bionic-queens.yaml
new file mode 100644
index 0000000..573f70e
--- /dev/null
+++ b/src/tests/bundles/bionic-queens.yaml
@@ -0,0 +1,47 @@
+series: bionic
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ '2':
+ '3':
+relations:
+- - keystone:shared-db
+ - mysql:shared-db
+- - keystone
+ - keystone-kerberos
+applications:
+ mysql:
+ charm: cs:~openstack-charmers-next/percona-cluster
+ num_units: 1
+ to:
+ - '0'
+ keystone:
+ charm: cs:~openstack-charmers-next/keystone
+ num_units: 1
+ options:
+ token-provider: 'fernet'
+ token-expiration: 60
+ to:
+ - '1'
+ keystone-kerberos:
+ charm: ../../../keystone-kerberos
+ options:
+ kerberos-realm: 'TESTUBUNTU.COM'
+ kerberos-server: 'kerberos.testubuntu.com'
+ kerberos-domain: 'k8s'
+ resource:
+ keystone_keytab: keystone.keytab
+
+ kerberos-server:
+ charm: cs:~openstack-charmers-next/kerberos-test-fixture
+ num_units: 1
+ to:
+ - '2'
+ ubuntu-test-host:
+ charm: cs:ubuntu
+ num_units: 1
+ to:
+ - '3'
diff --git a/src/tests/bundles/bionic-rocky.yaml b/src/tests/bundles/bionic-rocky.yaml
new file mode 100644
index 0000000..573f70e
--- /dev/null
+++ b/src/tests/bundles/bionic-rocky.yaml
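Review bot: The keystone application in the bionic-queens bundle sets no `openstack-origin`, and the bionic-queens, bionic-rocky, bionic-stein, bionic-train and bionic-ussuri bundles are all added with the same blob id 573f70e, so they are byte-identical. Each would presumably deploy whatever bionic's default archive ships rather than the release in its file name, so the gate exercises the Kerberos login path on one release several times while the README states support for Queens and later. Each non-queens bundle should select its release under keystone's `options:`, e.g. `openstack-origin: cloud:bionic-rocky`, with the matching `source:` on mysql if that charm needs it.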
@@ -0,0 +1,47 @@
+series: bionic
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ '2':
+ '3':
+relations:
+- - keystone:shared-db
+ - mysql:shared-db
+- - keystone
+ - keystone-kerberos
+applications:
+ mysql:
+ charm: cs:~openstack-charmers-next/percona-cluster
+ num_units: 1
+ to:
+ - '0'
+ keystone:
+ charm: cs:~openstack-charmers-next/keystone
+ num_units: 1
+ options:
+ token-provider: 'fernet'
+ token-expiration: 60
+ to:
+ - '1'
+ keystone-kerberos:
+ charm: ../../../keystone-kerberos
+ options:
+ kerberos-realm: 'TESTUBUNTU.COM'
+ kerberos-server: 'kerberos.testubuntu.com'
+ kerberos-domain: 'k8s'
+ resource:
+ keystone_keytab: keystone.keytab
+
+ kerberos-server:
+ charm: cs:~openstack-charmers-next/kerberos-test-fixture
+ num_units: 1
+ to:
+ - '2'
+ ubuntu-test-host:
+ charm: cs:ubuntu
+ num_units: 1
+ to:
+ - '3'
diff --git a/src/tests/bundles/bionic-stein.yaml b/src/tests/bundles/bionic-stein.yaml
new file mode 100644
index 0000000..573f70e
--- /dev/null
+++ b/src/tests/bundles/bionic-stein.yaml
@@ -0,0 +1,47 @@
+series: bionic
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ '2':
+ '3':
+relations:
+- - keystone:shared-db
+ - mysql:shared-db
+- - keystone
+ - keystone-kerberos
+applications:
+ mysql:
+ charm: cs:~openstack-charmers-next/percona-cluster
+ num_units: 1
+ to:
+ - '0'
+ keystone:
+ charm: cs:~openstack-charmers-next/keystone
+ num_units: 1
+ options:
+ token-provider: 'fernet'
+ token-expiration: 60
+ to:
+ - '1'
+ keystone-kerberos:
+ charm: ../../../keystone-kerberos
+ options:
+ kerberos-realm: 'TESTUBUNTU.COM'
+ kerberos-server: 'kerberos.testubuntu.com'
+ kerberos-domain: 'k8s'
+ resource:
+ keystone_keytab: keystone.keytab
+
+ kerberos-server:
+ charm: cs:~openstack-charmers-next/kerberos-test-fixture
+ num_units: 1
+ to:
+ - '2'
+ ubuntu-test-host:
+ charm: cs:ubuntu
+ num_units: 1
+ to:
+ - '3'
diff --git a/src/tests/bundles/bionic-train.yaml b/src/tests/bundles/bionic-train.yaml
new file mode 100644
index 0000000..573f70e
--- /dev/null
+++ b/src/tests/bundles/bionic-train.yaml
@@ -0,0 +1,47 @@
+series: bionic
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ '2':
+ '3':
+relations:
+- - keystone:shared-db
+ - mysql:shared-db
+- - keystone
+ - keystone-kerberos
+applications:
+ mysql:
+ charm: cs:~openstack-charmers-next/percona-cluster
+ num_units: 1
+ to:
+ - '0'
+ keystone:
+ charm: cs:~openstack-charmers-next/keystone
+ num_units: 1
+ options:
+ token-provider: 'fernet'
+ token-expiration: 60
+ to:
+ - '1'
+ keystone-kerberos:
+ charm: ../../../keystone-kerberos
+ options:
+ kerberos-realm: 'TESTUBUNTU.COM'
+ kerberos-server: 'kerberos.testubuntu.com'
+ kerberos-domain: 'k8s'
+ resource:
+ keystone_keytab: keystone.keytab
+
+ kerberos-server:
+ charm: cs:~openstack-charmers-next/kerberos-test-fixture
+ num_units: 1
+ to:
+ - '2'
+ ubuntu-test-host:
+ charm: cs:ubuntu
+ num_units: 1
+ to:
+ - '3'
diff --git a/src/tests/bundles/bionic-ussuri.yaml b/src/tests/bundles/bionic-ussuri.yaml
new file mode 100644
index 0000000..573f70e
--- /dev/null
+++ b/src/tests/bundles/bionic-ussuri.yaml
@@ -0,0 +1,47 @@
+series: bionic
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ '2':
+ '3':
+relations:
+- - keystone:shared-db
+ - mysql:shared-db
+- - keystone
+ - keystone-kerberos
+applications:
+ mysql:
+ charm: cs:~openstack-charmers-next/percona-cluster
+ num_units: 1
+ to:
+ - '0'
+ keystone:
+ charm: cs:~openstack-charmers-next/keystone
+ num_units: 1
+ options:
+ token-provider: 'fernet'
+ token-expiration: 60
+ to:
+ - '1'
+ keystone-kerberos:
+ charm: ../../../keystone-kerberos
+ options:
+ kerberos-realm: 'TESTUBUNTU.COM'
+ kerberos-server: 'kerberos.testubuntu.com'
+ kerberos-domain: 'k8s'
+ resource:
+ keystone_keytab: keystone.keytab
+
+ kerberos-server:
+ charm: cs:~openstack-charmers-next/kerberos-test-fixture
+ num_units: 1
+ to:
+ - '2'
+ ubuntu-test-host:
+ charm: cs:ubuntu
+ num_units: 1
+ to:
+ - '3'
diff --git a/src/tests/bundles/focal-ussuri.yaml b/src/tests/bundles/focal-ussuri.yaml
new file mode 100644
index 0000000..fe77e17
--- /dev/null
+++ b/src/tests/bundles/focal-ussuri.yaml
@@ -0,0 +1,47 @@
+series: focal
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ '2':
+ '3':
+relations:
+- - keystone:shared-db
+ - mysql:shared-db
+- - keystone
+ - keystone-kerberos
+applications:
+ mysql:
+ charm: cs:~openstack-charmers-next/percona-cluster
+ num_units: 1
+ to:
+ - '0'
+ keystone:
+ charm: cs:~openstack-charmers-next/keystone
+ num_units: 1
+ options:
+ token-provider: 'fernet'
+ token-expiration: 60
+ to:
+ - '1'
+ keystone-kerberos:
+ charm: ../../../keystone-kerberos
+ options:
+ kerberos-realm: 'TESTUBUNTU.COM'
+ kerberos-server: 'kerberos.testubuntu.com'
+ kerberos-domain: 'k8s'
+ resource:
+ keystone_keytab: keystone.keytab
+
+ kerberos-server:
+ charm: cs:~openstack-charmers-next/kerberos-test-fixture
+ num_units: 1
+ to:
+ - '2'
+ ubuntu-test-host:
+ charm: cs:ubuntu
+ num_units: 1
+ to:
+ - '3'
diff --git a/src/tests/tests.yaml b/src/tests/tests.yaml
new file mode 100644
index 0000000..57a0760
--- /dev/null
+++ b/src/tests/tests.yaml
@@ -0,0 +1,22 @@
+charm_name: keystone-kerberos
+smoke_bundles:
+ - bionic-train
+gate_bundles:
+ - bionic-queens
+ - bionic-rocky
+ - bionic-stein
+ - bionic-train
+dev_bundles:
+ - bionic-ussuri
+ - focal-ussuri
+configure:
+ - zaza.openstack.charm_tests.kerberos.setup.run_all_configuration_steps
+tests:
+ - zaza.openstack.charm_tests.kerberos.tests.CharmKeystoneKerberosTest
+tests_options:
+ force_deploy:
+ - focal-ussuri
+target_deploy_status:
+ keystone-kerberos:
+ workload-status: blocked
+ workload-status-message: "Kerberos configuration incomplete"
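Review bot: In the keystone-kerberos stanza of the focal-ussuri bundle the keytab is declared with `resource:`, whereas the Juju bundle format documents the per-application key as `resources:`. If the singular form is ignored rather than rejected, no keytab is attached at deploy time here or in the five bionic bundles, which carry the same stanza. Use `resources:` with `keystone_keytab: keystone.keytab` if the bundle is meant to attach it, or drop the stanza if the configure step does. A keytab holds the service principal's long-term key, so whichever path supplies it should use a throwaway generated by the test fixture rather than a file kept in the tree.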
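Review bot: The `target_deploy_status` block in tests.yaml accepts `blocked` with "Kerberos configuration incomplete" as the settled state for keystone-kerberos, but nothing in the file says why a blocked charm counts as a successful deploy. A comment above the stanza would make the intent checkable, for example `# keytab is attached by the configure step, so the charm stays blocked until then` (assuming that is the reason). The `force_deploy` entry for focal-ussuri would benefit from a similar one-line comment naming which charm in that bundle does not yet declare focal support.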