This commit adds Keystone audit middleware API logging to the Cinder
charm in versions Yoga and newer to allow users to configure their
environment for CADF compliance. This feature can be enabled/disabled
and is set to 'disabled' by default to avoid bloat in log files.
The logging output is configured to /var/log/apache2/cinder_error.log.
This commit builds on previous discussions: https://github.com/juju/charm-helpers/pull/808.
Closes-Bug: 1856555
Change-Id: Ia7dbd6af2305e92eaa9a65890644c4a324ab2c65
(cherry picked from commit e25b5d38fbb0692e5fab6e7f562c974316d61abe)
Bug LP 1863232 introduced a new Apache configuration option called
WSGISocketRotation which allows users to disable wsgi socket
rotation. This patch makes this configurable with a new
wsgi-socket-rotation config option that defaults to the Apache
default and can optionally be set to False.
[2023.1] Ensure get_requests_for_local_unit doesn't fail on incomplete relation
This is a rebuild/make sync for charms to pickup the fix in charmhelpers to fix
any inadvertant accesses of ['ca'] in the relation data before it is available
from vault in the certificates relation. Fix in charmhelpers is in [1].
Sync from charm-helpers to update [service_user] config to use the
service domain.
The keystone charm currently creates two service users, one for the
service domain (for v3 authentication), and the other for the default
domain (for v2 authentication). The [service_user] config needs to
use the service domain.
Render [service_user] only for identity-service relation
The service token section [service_user] is not required when
cinder-volume is deployed as a separate service. In other words
it is not required for the identity-credentials relation.
The [service_user] section is nearly the same as the
[keystone_authtoken] section, and the keystone_authtoken data
is only produced for the IdentityServiceContext, therefore this
change will not render [service_user] for the
IdentityCredentialsContext.
Closes-Bug: #2024676
Change-Id: Iaecae3c22db1f4f2309f73f8c6836e6c072b848b
(cherry picked from commit ebbedcbf58660ce13823152d6943fee036af7e11)
Sync to the latest revision available in the stable/antelope branch, among the
most relevant patches are:
837a8b58 Support legacy cert requests (#799)
580c7764 Update Makefile to be consistent with CI (#777) (#795)
a2468260 Run CI on stable branches (#786) (#787)
ed014373 Update method for checking endpoint protocol (#769) (#775)
This patch configures Cinder to send a service token along with the
received user token on requests to other services. This can allow those
other services to accept the request even if the user token has been
invalidated since received by Cinder. Also with this patch Cinder will
accept request from other services with invalid user tokens but valid
service tokens. Service tokens exist since Openstack Queens.