Split keystone endpoint creation into respective tasks

- Refactor ceilometer auth.pp. It's a part of
  https://review.openstack.org/#/c/201565/ though it's required by
  endpoint task separation
- Moved keystone endpoint creations to separate tasks with initial noop
  tests

Misc:
- Created Unified structure in creation tasks. They are separated as
  <task>/db.pp and <task>/keystone.pp
- Removed firewall.pp.dist.
- Removed database requirement in ceilometer/tasks.yaml
- Fixed notification in heat.pp
- many linting fixes

Partial blueprint: detach-components-from-controllers

Co-Authored-By: Bartłomiej Piotrowski <bpiotrowski@mirantis.com>
Co-Authored-By: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
Co-Authored-By: Alex Schultz <aschultz@mirantis.com>
Co-Authored-By: Matthew Mosesohn <mmosesohn@mirantis.com>

Change-Id: I61376f2bbeade23ae1d49a82f4e908be28144e78

deployment/puppet/openstack/manifests/firewall.pp.dist

@@ -1,159 +0,0 @@
-
-class openstack::firewall (
-	$ssh_port = 22,
-	$http_port = 80,
-	$https_port = 443,
-	$mysql_port = 3306,
-	$mysql_backend_port = 3307,
-    $mysql_gcomm_port = 4567,
-        $galera_ist_port = 4568,
-	$keystone_public_port =  5000,
-	$swift_proxy_port =  8080,
-	$swift_object_port =  6000,
-	$swift_container_port =  6001,
-	$swift_account_port =  6002,
-  $keystone_admin_port = 35357,
-	$glance_api_port = 9292,
-	$glance_reg_port = 9191,
-	$glance_nova_api_ec2_port = 8773,
-	$nova_api_compute_port =   8774,
-	$nova_api_metadata_port =  8775,
-	$nova_api_volume_port =  8776,
-	$nova_vncproxy_port =  6080,
-	$erlang_epmd_port  =   4369,
-	$erlang_rabbitmq_port =  5672,
-    $erlang_inet_dist_port = 41055,
-	$memcached_port =  11211,
-  $rsync_port = 873,
-  $iscsi_port = 3260,
-) {
-exec { 'persist-firewall':
-  command     => $operatingsystem ? {
-      'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
-      /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
- },
-#  refreshonly => true,
-}
-
-Firewall {
-  notify  => Exec['persist-firewall'],
-  proto => 'all',
-#  before  => Class['my_fw::post'],
-#  require => Class['my_fw::pre'],
-}
-Firewallchain {
-  notify  => Exec['persist-firewall'],
-}
-
-# Purge unmanaged firewall resources
-#
-# This will clear any existing rules, and make sure that only rules
-# defined in puppet exist on the machine
-resources { "firewall":
-  purge => true
-}
-
-    require("::openstack::firewall::novachains")
-    
-  firewall { '000 accept all icmp':
-    proto   => 'icmp',
-    action  => 'accept',
-  }->
-  firewall { '001 accept all to lo interface':
-    proto   => 'all',
-    iniface => 'lo',
-    action  => 'accept',
-  }->
-  firewall { '002 accept related established rules':
-    proto   => 'all',
-    state   => ['RELATED', 'ESTABLISHED'],
-    action  => 'accept',
-  }->
-    firewall { '003 keepalived multicast':
-    destination => '224.0.0.18/32',
-    pkttype   => 'multicast',
-    action  => 'accept',
-    chain => 'INPUT'
-  }->
-  firewall {'99 nova-api-input':
-  chain => "INPUT",
-  table => 'filter',
-  jump => 'nova-api-INPUT'
-  }->
-  firewall {'98 nova-filter-top-forward':
-  chain => "FORWARD",
-  table => 'filter',
-  jump => 'nova-filter-top'
-  }->
-  firewall {'99 nova-api-forward':
-  chain => "FORWARD",
-  table => 'filter',
-  jump => 'nova-api-FORWARD'
-  }->
-  firewall {'98 nova-api-filter-top-output':
-  chain => "OUTPUT",
-  table => 'filter',
-  jump => 'nova-filter-top'
-  }->
-  firewall {'99 nova-api-output':
-  chain => "OUTPUT",
-  table => 'filter',
-  jump => 'nova-api-OUTPUT'
-  }->
-
-  firewall {'99 nova-api-prerouting':
-  chain => "PREROUTING",
-  table => 'nat',
-  jump => 'nova-api-PREROUTING'
-  }->
-
-  firewall {'98 nova-api-postrouting':
-  chain => "POSTROUTING",
-  table => 'nat',
-  jump => 'nova-api-POSTROUTING'
-  }->
-
-  firewall {'99 nova-api-postrouting-bottom':
-  chain => "POSTROUTING",
-  table => 'nat',
-  jump => 'nova-api-postrouting-bottom'
-  }->
-
-  firewall {'99 nova-api-output-nat':
-  chain => "OUTPUT",
-  table => 'nat',
-  jump => 'nova-api-OUTPUT'
-  }->
-  
-  openstack::firewall::allow {[
-		$ssh_port,
-		$http_port,
-		$https_port,
-		$mysql_port,
-		$mysql_backend_port,
-		$galera_ist_port,
-        $mysql_gcomm_port,
-		$keystone_public_port,
-		$keystone_admin_port, 
-		$glance_api_port,
-		$glance_reg_port,
-		$glance_nova_api_ec2_port,
-		$nova_api_compute_port,
-		$nova_api_metadata_port,
-		$nova_api_volume_port,
-		$nova_vncproxy_port,
-		$erlang_epmd_port,
-		$erlang_rabbitmq_port,
-		$erlang_inet_dist_port,
-		$memcached_port,
-    $rsync_port,
-	$swift_proxy_port,
-	$swift_object_port,
-	$swift_container_port,
-	$swift_account_port,
-  $iscsi_port,
-      ]: }
-
-
-}
-

deployment/puppet/openstack/manifests/heat.pp

@@ -120,50 +120,6 @@ class openstack::heat (
     action => 'accept',
   }
 
-  if ($keystone_auth){
-    # Auth
-    class { 'heat::keystone::auth' :
-      password                       => $keystone_password,
-      auth_name                      => $keystone_user,
-      public_address                 => $external_ip,
-      admin_address                  => $keystone_host,
-      internal_address               => $keystone_host,
-      port                           => '8004',
-      version                        => 'v1',
-      region                         => $region,
-      tenant                         => $keystone_tenant,
-      email                          => "${keystone_user}@localhost",
-      public_protocol                => $public_ssl ? {
-        true    => 'https',
-        default => 'http',
-      },
-      admin_protocol                 => 'http',
-      internal_protocol              => 'http',
-      configure_endpoint             => true,
-      trusts_delegated_roles         => $trusts_delegated_roles,
-    }
-    #todo(bogdando) clarify this new to fuel heat auth cfn patterns
-    class { 'heat::keystone::auth_cfn' :
-      password                       => $keystone_password,
-      auth_name                      => "${keystone_user}-cfn",
-      service_type                   => 'cloudformation',
-      public_address                 => $external_ip,
-      admin_address                  => $keystone_host,
-      internal_address               => $keystone_host,
-      port                           => '8000',
-      version                        => 'v1',
-      region                         => $region,
-      tenant                         => $keystone_tenant,
-      email                          => "${keystone_user}-cfn@localhost",
-      public_protocol                => $public_ssl ? {
-        true    => 'https',
-        default => 'http',
-      },
-      admin_protocol                 => 'http',
-      internal_protocol              => 'http',
-      configure_endpoint             => true,
-    }
-  }
   # Common configuration, logging and RPC
   class { '::heat':
     auth_uri              => $auth_uri,

deployment/puppet/openstack/manifests/keystone.pp

@@ -8,8 +8,6 @@
 # [db_host] Host where DB resides. Required.
 # [keystone_db_password] Password for keystone DB. Required.
 # [keystone_admin_token]. Auth token for keystone admin. Required.
-# [glance_user_password] Auth password for glance user. Required.
-# [nova_user_password] Auth password for nova user. Required.
 # [public_address] Public address where keystone can be accessed. Required.
 # [db_type] Type of DB used. Currently only supports mysql. Optional. Defaults to  'mysql'
 # [keystone_db_user] Name of keystone db user. Optional. Defaults to  'keystone'
@@ -21,8 +19,6 @@
 # [admin_bind_host] Address that keystone binds to. Optional. Defaults to  '0.0.0.0'
 # [internal_address] Internal address for keystone. Optional. Defaults to  $public_address
 # [admin_address] Keystone admin address. Optional. Defaults to  $internal_address
-# [glance] Set up glance endpoints and auth. Optional. Defaults to  true
-# [nova] Set up nova endpoints and auth. Optional. Defaults to  true
 # [enabled] If the service is active (true) or passive (false).
 #   Optional. Defaults to  true
 # [use_syslog] Rather or not service should log to syslog. Optional. Default to false.
@@ -48,11 +44,6 @@ class openstack::keystone (
   $db_host,
   $db_password,
   $admin_token,
-  $glance_user_password,
-  $nova_user_password,
-  $cinder_user_password,
-  $ceilometer_user_password,
-  $neutron_user_password,
   $public_address,
   $public_ssl                  = false,
   $public_hostname             = false,
@@ -68,26 +59,6 @@ class openstack::keystone (
   $memcache_servers            = false,
   $memcache_server_port        = false,
   $memcache_pool_maxsize       = false,
-  $glance_public_address       = false,
-  $glance_internal_address     = false,
-  $glance_admin_address        = false,
-  $nova_public_address         = false,
-  $nova_internal_address       = false,
-  $nova_admin_address          = false,
-  $cinder_public_address       = false,
-  $cinder_internal_address     = false,
-  $cinder_admin_address        = false,
-  $neutron_public_address      = false,
-  $neutron_internal_address    = false,
-  $neutron_admin_address       = false,
-  $ceilometer_public_address   = false,
-  $ceilometer_internal_address = false,
-  $ceilometer_admin_address    = false,
-  $glance                      = true,
-  $nova                        = true,
-  $cinder                      = true,
-  $ceilometer                  = true,
-  $neutron                     = true,
   $enabled                     = true,
   $package_ensure              = present,
   $use_syslog                  = false,
@@ -115,92 +86,18 @@ class openstack::keystone (
 
   # I have to do all of this crazy munging b/c parameters are not
   # set procedurally in Pupet
-  if($internal_address) {
+  if $internal_address {
     $internal_real = $internal_address
   } else {
     $internal_real = $public_address
   }
-  if($admin_address) {
+  if $admin_address {
     $admin_real = $admin_address
   } else {
     $admin_real = $internal_real
   }
-  if($glance_public_address) {
+
-    $glance_public_real = $glance_public_address
+  if $ceilometer {
-  } else {
-    $glance_public_real = $public_address
-  }
-  if($glance_internal_address) {
-    $glance_internal_real = $glance_internal_address
-  } else {
-    $glance_internal_real = $internal_real
-  }
-  if($glance_admin_address) {
-    $glance_admin_real = $glance_admin_address
-  } else {
-    $glance_admin_real = $admin_real
-  }
-  if($nova_public_address) {
-    $nova_public_real = $nova_public_address
-  } else {
-    $nova_public_real = $public_address
-  }
-  if($nova_internal_address) {
-    $nova_internal_real = $nova_internal_address
-  } else {
-    $nova_internal_real = $internal_real
-  }
-  if($nova_admin_address) {
-    $nova_admin_real = $nova_admin_address
-  } else {
-    $nova_admin_real = $admin_real
-  }
-  if($cinder_public_address) {
-    $cinder_public_real = $cinder_public_address
-  } else {
-    $cinder_public_real = $public_address
-  }
-  if($cinder_internal_address) {
-    $cinder_internal_real = $cinder_internal_address
-  } else {
-    $cinder_internal_real = $internal_real
-  }
-  if($cinder_admin_address) {
-    $cinder_admin_real = $cinder_admin_address
-  } else {
-    $cinder_admin_real = $admin_real
-  }
-  if($neutron_public_address) {
-    $neutron_public_real = $neutron_public_address
-  } else {
-    $neutron_public_real = $public_address
-  }
-  if($neutron_internal_address) {
-    $neutron_internal_real = $neutron_internal_address
-  } else {
-    $neutron_internal_real = $internal_real
-  }
-  if($neutron_admin_address) {
-    $neutron_admin_real = $neutron_admin_address
-  } else {
-    $neutron_admin_real = $admin_real
-  }
-  if($ceilometer_public_address) {
-    $ceilometer_public_real = $ceilometer_public_address
-  } else {
-    $ceilometer_public_real = $public_address
-  }
-  if($ceilometer_internal_address) {
-    $ceilometer_internal_real = $ceilometer_internal_address
-  } else {
-    $ceilometer_internal_real = $internal_real
-  }
-  if($ceilometer_admin_address) {
-    $ceilometer_admin_real = $ceilometer_admin_address
-  } else {
-    $ceilometer_admin_real = $admin_real
-  }
-  if($ceilometer) {
     $notification_driver = 'messaging'
     $notification_topics = 'notifications'
   } else {
@@ -209,7 +106,7 @@ class openstack::keystone (
   }
 
   if $memcache_servers {
-    $memcache_servers_real = suffix($memcache_servers, inline_template(":<%= @memcache_server_port %>"))
+    $memcache_servers_real = suffix($memcache_servers, inline_template(':<%= @memcache_server_port %>'))
     $token_driver = 'keystone.token.persistence.backends.memcache_pool.Token'
   } else {
     $memcache_servers_real = false
@@ -219,10 +116,11 @@ class openstack::keystone (
   if $public_ssl {
     $public_endpoint = $public_hostname ? {
       false => false,
-      default => "https://$public_hostname:5000",
+      default => "https://${public_hostname}:5000",
     }
   }
 
+  if $enabled {
     class { '::keystone':
       verbose               => $verbose,
       debug                 => $debug,
@@ -231,7 +129,6 @@ class openstack::keystone (
       enabled               => $enabled,
       database_connection   => $database_connection,
       public_bind_host      => $public_bind_host,
-    public_endpoint       => $public_endpoint,
       admin_bind_host       => $admin_bind_host,
       package_ensure        => $package_ensure,
       use_syslog            => $use_syslog,
@@ -250,19 +147,6 @@ class openstack::keystone (
       revoke_driver         => $revoke_driver,
     }
 
-  if $::operatingsystem == 'Ubuntu' {
-   if $service_provider == 'pacemaker' {
-      tweaks::ubuntu_service_override { 'keystone':
-        package_name => 'keystone',
-      }
-      exec { 'remove-keystone-bootblockr':
-        command => 'rm -rf /etc/init/keystone.override',
-        path    => ['/bin', '/usr/bin'],
-        require => Package['keystone']
-      }
-    }
-  }
-
     if $memcache_servers {
       Service<| title == 'memcached' |> -> Service<| title == 'keystone'|>
       keystone_config {
@@ -292,131 +176,45 @@ class openstack::keystone (
       'DATABASE/max_pool_size':                          value => $max_pool_size;
       'DATABASE/max_retries':                            value => $max_retries;
       'DATABASE/max_overflow':                           value => $max_overflow;
-    'identity/driver':                                 value =>"keystone.identity.backends.sql.Identity";
+      'identity/driver':                                 value =>'keystone.identity.backends.sql.Identity';
-    'policy/driver':                                   value =>"keystone.policy.backends.sql.Policy";
+      'policy/driver':                                   value =>'keystone.policy.backends.sql.Policy';
-    'ec2/driver':                                      value =>"keystone.contrib.ec2.backends.sql.Ec2";
+      'ec2/driver':                                      value =>'keystone.contrib.ec2.backends.sql.Ec2';
-    'filter:debug/paste.filter_factory':               value =>"keystone.common.wsgi:Debug.factory";
+      'filter:debug/paste.filter_factory':               value =>'keystone.common.wsgi:Debug.factory';
-    'filter:token_auth/paste.filter_factory':          value =>"keystone.middleware:TokenAuthMiddleware.factory";
+      'filter:token_auth/paste.filter_factory':          value =>'keystone.middleware:TokenAuthMiddleware.factory';
-    'filter:admin_token_auth/paste.filter_factory':    value =>"keystone.middleware:AdminTokenAuthMiddleware.factory";
+      'filter:admin_token_auth/paste.filter_factory':    value =>'keystone.middleware:AdminTokenAuthMiddleware.factory';
-    'filter:xml_body/paste.filter_factory':            value =>"keystone.middleware:XmlBodyMiddleware.factory";
+      'filter:xml_body/paste.filter_factory':            value =>'keystone.middleware:XmlBodyMiddleware.factory';
-    'filter:json_body/paste.filter_factory':           value =>"keystone.middleware:JsonBodyMiddleware.factory";
+      'filter:json_body/paste.filter_factory':           value =>'keystone.middleware:JsonBodyMiddleware.factory';
-    'filter:user_crud_extension/paste.filter_factory': value =>"keystone.contrib.user_crud:CrudExtension.factory";
+      'filter:user_crud_extension/paste.filter_factory': value =>'keystone.contrib.user_crud:CrudExtension.factory';
-    'filter:crud_extension/paste.filter_factory':      value =>"keystone.contrib.admin_crud:CrudExtension.factory";
+      'filter:crud_extension/paste.filter_factory':      value =>'keystone.contrib.admin_crud:CrudExtension.factory';
-    'filter:ec2_extension/paste.filter_factory':       value =>"keystone.contrib.ec2:Ec2Extension.factory";
+      'filter:ec2_extension/paste.filter_factory':       value =>'keystone.contrib.ec2:Ec2Extension.factory';
-    'filter:s3_extension/paste.filter_factory':        value =>"keystone.contrib.s3:S3Extension.factory";
+      'filter:s3_extension/paste.filter_factory':        value =>'keystone.contrib.s3:S3Extension.factory';
-    'filter:url_normalize/paste.filter_factory':       value =>"keystone.middleware:NormalizingFilter.factory";
+      'filter:url_normalize/paste.filter_factory':       value =>'keystone.middleware:NormalizingFilter.factory';
-    'filter:stats_monitoring/paste.filter_factory':    value =>"keystone.contrib.stats:StatsMiddleware.factory";
+      'filter:stats_monitoring/paste.filter_factory':    value =>'keystone.contrib.stats:StatsMiddleware.factory';
-    'filter:stats_reporting/paste.filter_factory':     value =>"keystone.contrib.stats:StatsExtension.factory";
+      'filter:stats_reporting/paste.filter_factory':     value =>'keystone.contrib.stats:StatsExtension.factory';
-    'app:public_service/paste.app_factory':            value =>"keystone.service:public_app_factory";
+      'app:public_service/paste.app_factory':            value =>'keystone.service:public_app_factory';
-    'app:admin_service/paste.app_factory':             value =>"keystone.service:admin_app_factory";
+      'app:admin_service/paste.app_factory':             value =>'keystone.service:admin_app_factory';
-    'pipeline:public_api/pipeline':                    value =>"stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service";
+      'pipeline:public_api/pipeline':                    value =>'stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service';
-    'pipeline:admin_api/pipeline':                     value =>"stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service";
+      'pipeline:admin_api/pipeline':                     value =>'stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service';
-    'app:public_version_service/paste.app_factory':    value =>"keystone.service:public_version_app_factory";
+      'app:public_version_service/paste.app_factory':    value =>'keystone.service:public_version_app_factory';
-    'app:admin_version_service/paste.app_factory':     value =>"keystone.service:admin_version_app_factory";
+      'app:admin_version_service/paste.app_factory':     value =>'keystone.service:admin_version_app_factory';
-    'pipeline:public_version_api/pipeline':            value =>"stats_monitoring url_normalize xml_body public_version_service";
+      'pipeline:public_version_api/pipeline':            value =>'stats_monitoring url_normalize xml_body public_version_service';
-    'pipeline:admin_version_api/pipeline':             value =>"stats_monitoring url_normalize xml_body admin_version_service";
+      'pipeline:admin_version_api/pipeline':             value =>'stats_monitoring url_normalize xml_body admin_version_service';
-    'composite:main/use':                              value =>"egg:Paste#urlmap";
+      'composite:main/use':                              value =>'egg:Paste#urlmap';
-    'composite:main//v2.0':                            value =>"public_api";
+      'composite:main//v2.0':                            value =>'public_api';
-    'composite:main//':                                value =>"public_version_api";
+      'composite:main//':                                value =>'public_version_api';
-    'composite:admin/use':                             value =>"egg:Paste#urlmap";
+      'composite:admin/use':                             value =>'egg:Paste#urlmap';
-    'composite:admin//v2.0':                           value =>"admin_api";
+      'composite:admin//v2.0':                           value =>'admin_api';
-    'composite:admin//':                               value =>"admin_version_api";
+      'composite:admin//':                               value =>'admin_version_api';
     }
 
-  if ($enabled) {
-    # Setup the admin user
-
-    # Setup the Keystone Identity Endpoint
     class { 'keystone::endpoint':
       public_url   => $public_url,
       admin_url    => $admin_url,
       internal_url => $internal_url,
       region       => $region,
     }
+
     Exec <| title == 'keystone-manage db_sync' |> -> Class['keystone::endpoint']
     Haproxy_backend_status<||> -> Class['keystone::endpoint']
-
-    # Configure Glance endpoint in Keystone
-    if $glance {
-      class { 'glance::keystone::auth':
-        password         => $glance_user_password,
-        public_address   => $glance_public_real,
-        admin_address    => $glance_admin_real,
-        internal_address => $glance_internal_real,
-        region           => $region,
-        public_protocol  => $public_ssl ? {
-          true    => 'https',
-          default => 'http',
-        },
   }
-      Exec <| title == 'keystone-manage db_sync' |> -> Class['glance::keystone::auth']
-      Haproxy_backend_status<||> -> Class['glance::keystone::auth']
-    }
-
-    # Configure Nova endpoint in Keystone
-    if $nova {
-      class { 'nova::keystone::auth':
-        password              => $nova_user_password,
-        public_address        => $nova_public_real,
-        admin_address         => $nova_admin_real,
-        internal_address      => $nova_internal_real,
-        region                => $region,
-        public_protocol       => $public_ssl ? {
-          true    => 'https',
-          default => 'http',
-        },
-        configure_endpoint_v3 => false,
-      }
-      Exec <| title == 'keystone-manage db_sync' |> -> Class['nova::keystone::auth']
-      Haproxy_backend_status<||> -> Class['nova::keystone::auth']
-    }
-
-    # Configure Cinder endpoint in Keystone
-    if $cinder {
-      class { 'cinder::keystone::auth':
-        password         => $cinder_user_password,
-        public_address   => $cinder_public_real,
-        admin_address    => $cinder_admin_real,
-        internal_address => $cinder_internal_real,
-        region           => $region,
-        public_protocol  => $public_ssl ? {
-          true    => 'https',
-          default => 'http',
-        },
-      }
-     Exec <| title == 'keystone-manage db_sync' |> -> Class['cinder::keystone::auth']
-     Haproxy_backend_status<||> -> Class['cinder::keystone::auth']
-    }
-    if $neutron {
-      class { 'neutron::keystone::auth':
-        password         => $neutron_user_password,
-        public_address   => $neutron_public_real,
-        admin_address    => $neutron_admin_real,
-        internal_address => $neutron_internal_real,
-        region           => $region,
-        public_protocol  => $public_ssl ? {
-          true    => 'https',
-          default => 'http',
-        },
-      }
-      Exec <| title == 'keystone-manage db_sync' |> -> Class['neutron::keystone::auth']
-      Haproxy_backend_status<||> -> Class['neutron::keystone::auth']
-    }
-    if $ceilometer {
-      class { 'ceilometer::keystone::auth':
-        password         => $ceilometer_user_password,
-        public_address   => $ceilometer_public_real,
-        admin_address    => $ceilometer_admin_real,
-        internal_address => $ceilometer_internal_real,
-        region           => $region,
-        public_protocol  => $public_ssl ? {
-          true    => 'https',
-          default => 'http',
-        },
-      }
-      Exec <| title == 'keystone-manage db_sync' |> -> Class['ceilometer::keystone::auth']
-      Haproxy_backend_status<||> -> Class['ceilometer::keystone::auth']
-    }
-  }
-
 }

deployment/puppet/osnailyfacter/modular/astute/upload_cirros.rb

@@ -11,7 +11,7 @@ auth_addr = hiera.lookup 'service_endpoint', "#{management_vip}", {}
 tenant_name = glanced['tenant'].nil? ? "services" : glanced['tenant']
 user_name = glanced['user'].nil? ? "glance" : glanced['user']
 endpoint_type = glanced['endpoint_type'].nil? ? "internalURL" : glanced['endpoint_type']
-region_name = hiera.lookup 'region', nil, {}
+region_name = hiera.lookup 'region', 'RegionOne', {}
 
 ENV['OS_TENANT_NAME']="#{tenant_name}"
 ENV['OS_USERNAME']="#{user_name}"

deployment/puppet/osnailyfacter/modular/ceilometer/keystone.pp

@@ -0,0 +1,30 @@
+notice('MODULAR: ceilometer/keystone.pp')
+
+$ceilometer_hash  = hiera_hash('ceilometer', {})
+$public_address   = hiera('public_vip')
+$internal_address = hiera('management_vip', $public_address)
+$region           = pick($ceilometer_hash['region'], 'RegionOne')
+
+$password            = $ceilometer_hash['user_password']
+$auth_name           = pick($ceilometer_hash['auth_name'], 'ceilometer')
+$configure_endpoint  = pick($ceilometer_hash['configure_endpoint'], true)
+$configure_user      = pick($ceilometer_hash['configure_user'], true)
+$configure_user_role = pick($ceilometer_hash['configure_user_role'], true)
+$service_name        = pick($ceilometer_hash['service_name'], 'ceilometer')
+$tenant              = pick($ceilometer_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::ceilometer::keystone::auth':
+  password            => $password,
+  auth_name           => $auth_name,
+  configure_endpoint  => $configure_endpoint,
+  configure_user      => $configure_user,
+  configure_user_role => $configure_user_role,
+  service_name        => $service_name,
+  public_address      => $public_address,
+  admin_address       => $internal_address,
+  internal_address    => $internal_address,
+  region              => $region,
+}

deployment/puppet/osnailyfacter/modular/ceilometer/tasks.yaml

@@ -2,7 +2,7 @@
   type: puppet
   groups: [primary-controller, controller]
   required_for: [openstack-controller, swift]
-  requires: [mongo, primary-mongo, openstack-haproxy, database]
+  requires: [mongo, primary-mongo, openstack-haproxy]
   parameters:
     puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/ceilometer/controller.pp
     puppet_modules: /etc/puppet/modules
@@ -25,3 +25,13 @@
     cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ceilometer/compute_pre.rb
   test_post:
     cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ceilometer/compute_post.rb
+
+- id: ceilometer-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [ceilometer-controller]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/ceilometer/keystone.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/glance/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: glance_db.pp')
+notice('MODULAR: glance/db.pp')
 
 $glance_hash    = hiera_hash('glance', {})
 $mysql_hash     = hiera_hash('mysql', {})

deployment/puppet/osnailyfacter/modular/glance/keystone.pp

@@ -0,0 +1,30 @@
+notice('MODULAR: glance/keystone.pp')
+
+$glance_hash      = hiera_hash('glance', {})
+$public_address   = hiera('public_vip')
+$internal_address = hiera('management_vip', $public_address)
+$region           = pick($glance_hash['region'], 'RegionOne')
+
+$password            = $glance_hash['user_password']
+$auth_name           = pick($glance_hash['auth_name'], 'glance')
+$configure_endpoint  = pick($glance_hash['configure_endpoint'], true)
+$configure_user      = pick($glance_hash['configure_user'], true)
+$configure_user_role = pick($glance_hash['configure_user_role'], true)
+$service_name        = pick($glance_hash['service_name'], 'glance')
+$tenant              = pick($glance_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::glance::keystone::auth':
+  password            => $password,
+  auth_name           => $auth_name,
+  configure_endpoint  => $configure_endpoint,
+  configure_user      => $configure_user,
+  configure_user_role => $configure_user_role,
+  service_name        => $service_name,
+  public_address      => $public_address,
+  admin_address       => $internal_address,
+  internal_address    => $internal_address,
+  region              => $region,
+}

deployment/puppet/osnailyfacter/modular/glance/tasks.yaml

@@ -2,7 +2,7 @@
   type: puppet
   groups: [primary-controller, controller]
   required_for: [openstack-controller]
-  requires: [openstack-haproxy, keystone, database]
+  requires: [openstack-haproxy, database]
   parameters:
     puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/glance/glance.pp
     puppet_modules: /etc/puppet/modules
@@ -18,7 +18,16 @@
   required_for: [glance]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/glance/glance_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/glance/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800
 
+- id: glance-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [glance]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/glance/keystone.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/heat/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: heat_db.pp')
+notice('MODULAR: heat/db.pp')
 
 $heat_hash      = hiera_hash('heat', {})
 $mysql_hash     = hiera_hash('mysql', {})

deployment/puppet/osnailyfacter/modular/heat/heat.pp

@@ -42,15 +42,14 @@ if $::operatingsystem == 'Ubuntu' {
     package_name => 'heat-engine',
   }
 
-  tweaks::ubuntu_service_override['heat-api']            -> Service['heat-api']
+  Tweaks::Ubuntu_service_override['heat-api']            -> Service['heat-api']
-  tweaks::ubuntu_service_override['heat-api-cfn']        -> Service['heat-api-cfn']
+  Tweaks::Ubuntu_service_override['heat-api-cfn']        -> Service['heat-api-cfn']
-  tweaks::ubuntu_service_override['heat-api-cloudwatch'] -> Service['heat-api-cloudwatch']
+  Tweaks::Ubuntu_service_override['heat-api-cloudwatch'] -> Service['heat-api-cloudwatch']
-  tweaks::ubuntu_service_override['heat-engine']         -> Service['heat-engine']
+  Tweaks::Ubuntu_service_override['heat-engine']         -> Service['heat-engine']
 }
 
-class { 'openstack::heat' :
+class { '::openstack::heat' :
   external_ip              => $controller_node_public,
-  keystone_auth            => pick($heat_hash['keystone_auth'], true),
   api_bind_host            => $internal_address,
   api_cfn_bind_host        => $internal_address,
   api_cloudwatch_bind_host => $internal_address,
@@ -86,7 +85,7 @@ class { 'openstack::heat' :
 
 if hiera('heat_ha_engine', true){
   if ($deployment_mode == 'ha') or ($deployment_mode == 'ha_compact') {
-    include heat_ha::engine
+    include ::heat_ha::engine
   }
 }
 

deployment/puppet/osnailyfacter/modular/heat/keystone.pp

@@ -0,0 +1,58 @@
+notice('MODULAR: heat/keystone.pp')
+
+$heat_hash         = hiera_hash('heat', {})
+$public_address    = hiera('public_vip')
+$internal_address  = hiera('management_vip', $public_address)
+$region            = pick($heat_hash['region'], 'RegionOne')
+$public_ssl_hash   = hiera('public_ssl')
+$public_protocol   = $public_ssl_hash['services'] ? {
+  true    => 'https',
+  default => 'http',
+}
+
+$password            = $heat_hash['user_password']
+$auth_name           = pick($heat_hash['auth_name'], 'heat')
+$configure_endpoint  = pick($heat_hash['configure_endpoint'], true)
+$configure_user      = pick($heat_hash['configure_user'], true)
+$configure_user_role = pick($heat_hash['configure_user_role'], true)
+$service_name        = pick($heat_hash['service_name'], 'heat')
+$tenant              = pick($heat_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::heat::keystone::auth' :
+  password               => $password,
+  auth_name              => $auth_name,
+  public_address         => $public_address,
+  admin_address          => $internal_address,
+  internal_address       => $internal_address,
+  port                   => '8004',
+  version                => 'v1',
+  region                 => $region,
+  tenant                 => $keystone_tenant,
+  email                  => "${auth_name}@localhost",
+  public_protocol        => $public_protocol,
+  admin_protocol         => 'http',
+  internal_protocol      => 'http',
+  configure_endpoint     => true,
+  trusts_delegated_roles => $trusts_delegated_roles,
+}
+
+class { '::heat::keystone::auth_cfn' :
+  password           => $password,
+  auth_name          => "${auth_name}-cfn",
+  service_type       => 'cloudformation',
+  public_address     => $public_address,
+  admin_address      => $internal_address,
+  internal_address   => $internal_address,
+  port               => '8000',
+  version            => 'v1',
+  region             => $region,
+  tenant             => $keystone_tenant,
+  email              => "${auth_name}-cfn@localhost",
+  public_protocol    => $public_protocol,
+  admin_protocol     => 'http',
+  internal_protocol  => 'http',
+  configure_endpoint => true,
+}

deployment/puppet/osnailyfacter/modular/heat/tasks.yaml

@@ -18,6 +18,16 @@
   required_for: [heat]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/heat/heat_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/heat/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800
+
+- id: heat-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [heat]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/heat/keystone.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/keystone/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: keystone_db.pp')
+notice('MODULAR: keystone/db.pp')
 
 $node_name = hiera('node_name')
 $network_metadata = hiera_hash('network_metadata', {})

deployment/puppet/osnailyfacter/modular/keystone/keystone.pp

@@ -13,7 +13,7 @@ $use_syslog            = hiera('use_syslog', true)
 $keystone_hash         = hiera_hash('keystone', {})
 $access_hash           = hiera_hash('access',{})
 $management_vip        = hiera('management_vip')
-$database_vip          = hiera('database_vip')
+$database_vip          = hiera('database_vip', $management_vip)
 $public_vip            = hiera('public_vip')
 $glance_hash           = hiera_hash('glance', {})
 $nova_hash             = hiera_hash('nova', {})
@@ -38,11 +38,11 @@ $admin_password = $access_hash['password']
 $region         = hiera('region', 'RegionOne')
 
 $public_ssl_hash = hiera('public_ssl')
-
 $public_address  = $public_ssl_hash['services'] ? {
   true    => $public_ssl_hash['hostname'],
   default => $public_vip,
 }
+
 $admin_address          = $management_vip
 $local_address_for_bind = get_network_role_property('keystone/api', 'ipaddr')
 
@@ -50,7 +50,6 @@ $memcache_server_port  = hiera('memcache_server_port', '11211')
 $memcache_pool_maxsize = '100'
 $memcache_address_map  = get_node_to_ipaddr_map_by_network_role(hiera_hash('memcache_nodes'), 'mgmt/memcache')
 
-
 $public_port     = '5000'
 $admin_port      = '35357'
 $internal_port   = '5000'
@@ -65,13 +64,6 @@ $internal_url = "http://${management_vip}:${internal_port}"
 
 $revoke_driver = 'keystone.contrib.revoke.backends.sql.Revoke'
 
-$glance_user_password     = $glance_hash['user_password']
-$nova_user_password       = $nova_hash['user_password']
-$cinder_user_password     = $cinder_hash['user_password']
-$ceilometer_user_password = $ceilometer_hash['user_password']
-
-$cinder = true
-$ceilometer = $ceilometer_hash['enabled']
 $enabled = true
 $ssl = false
 
@@ -107,16 +99,8 @@ class { 'openstack::keystone':
   public_address           => $public_address,
   public_ssl               => $public_ssl_hash['services'],
   public_hostname          => $public_ssl_hash['hostname'],
-  internal_address         => $management_vip, # send traffic through HAProxy
+  internal_address         => $management_vip,
   admin_address            => $admin_address,
-  glance_user_password     => $glance_user_password,
-  nova_user_password       => $nova_user_password,
-  cinder                   => $cinder,
-  cinder_user_password     => $cinder_user_password,
-  neutron                  => $use_neutron,
-  neutron_user_password    => $neutron_user_password,
-  ceilometer               => $ceilometer,
-  ceilometer_user_password => $ceilometer_user_password,
   public_bind_host         => $local_address_for_bind,
   admin_bind_host          => $local_address_for_bind,
   enabled                  => $enabled,
@@ -217,7 +201,7 @@ Service<| title == 'httpd' |> -> Haproxy_backend_status<||>
 Haproxy_backend_status<||> -> Class['keystone::roles::admin']
 
 ####### Disable upstart startup on install #######
-if($::operatingsystem == 'Ubuntu') {
+if ($::operatingsystem == 'Ubuntu') {
   tweaks::ubuntu_service_override { 'keystone':
     package_name => 'keystone',
   }

deployment/puppet/osnailyfacter/modular/keystone/tasks.yaml

@@ -18,6 +18,6 @@
   required_for: [keystone]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/keystone/keystone_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/keystone/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/murano/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: murano_db.pp')
+notice('MODULAR: murano/db.pp')
 
 $murano_hash    = hiera_hash('murano', {})
 $murano_enabled = pick($murano_hash['enabled'], false)

deployment/puppet/osnailyfacter/modular/murano/tasks.yaml

@@ -18,6 +18,6 @@
   required_for: [murano]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/murano/murano_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/murano/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/openstack-cinder/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: cinder_db.pp')
+notice('MODULAR: cinder/db.pp')
 
 $cinder_hash    = hiera_hash('cinder', {})
 $mysql_hash     = hiera_hash('mysql', {})

deployment/puppet/osnailyfacter/modular/openstack-cinder/keystone.pp

@@ -0,0 +1,30 @@
+notice('MODULAR: cinder/keystone.pp')
+
+$cinder_hash      = hiera_hash('cinder', {})
+$public_address   = hiera('public_vip')
+$internal_address = hiera('internal_address', $public_address)
+$region           = pick($cinder_hash['region'], 'RegionOne')
+
+$password            = $cinder_hash['user_password']
+$auth_name           = pick($cinder_hash['auth_name'], 'cinder')
+$configure_endpoint  = pick($cinder_hash['configure_endpoint'], true)
+$configure_user      = pick($cinder_hash['configure_user'], true)
+$configure_user_role = pick($cinder_hash['configure_user_role'], true)
+$service_name        = pick($cinder_hash['service_name'], 'cinder')
+$tenant              = pick($cinder_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::cinder::keystone::auth':
+  password            => $password,
+  auth_name           => $auth_name,
+  configure_endpoint  => $configure_endpoint,
+  configure_user      => $configure_user,
+  configure_user_role => $configure_user_role,
+  service_name        => $service_name,
+  public_address      => $public_address,
+  admin_address       => $internal_address,
+  internal_address    => $internal_address,
+  region              => $region,
+}

deployment/puppet/osnailyfacter/modular/openstack-cinder/tasks.yaml

@@ -8,12 +8,22 @@
     puppet_modules: /etc/puppet/modules
     timeout: 1200
 
-- id: cinder_db
+- id: cinder-db
   type: puppet
   groups: [primary-controller]
   required_for: [openstack-cinder]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-cinder/cinder_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-cinder/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 1200
+    timeout: 1800
+
+- id: cinder-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [openstack-cinder]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-cinder/keystone.pp
+    puppet_modules: /etc/puppet/modules/
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/openstack-controller/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: nova_db.pp')
+notice('MODULAR: openstack-controller/db.pp')
 
 $nova_hash      = hiera_hash('nova', {})
 $mysql_hash     = hiera_hash('mysql', {})

deployment/puppet/osnailyfacter/modular/openstack-controller/keystone.pp

@@ -0,0 +1,30 @@
+notice('MODULAR: openstack-controller/keystone.pp')
+
+$nova_hash        = hiera_hash('nova', {})
+$public_address   = hiera('public_vip')
+$internal_address = hiera('internal_address', $public_address)
+$region           = pick($nova_hash['region'], 'RegionOne')
+
+$password            = $nova_hash['user_password']
+$auth_name           = pick($nova_hash['auth_name'], 'nova')
+$configure_endpoint  = pick($nova_hash['configure_endpoint'], true)
+$configure_user      = pick($nova_hash['configure_user'], true)
+$configure_user_role = pick($nova_hash['configure_user_role'], true)
+$service_name        = pick($nova_hash['service_name'], 'nova')
+$tenant              = pick($nova_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::nova::keystone::auth':
+  password            => $password,
+  auth_name           => $auth_name,
+  configure_endpoint  => $configure_endpoint,
+  configure_user      => $configure_user,
+  configure_user_role => $configure_user_role,
+  service_name        => $service_name,
+  public_address      => $public_address,
+  admin_address       => $internal_address,
+  internal_address    => $internal_address,
+  region              => $region,
+}

deployment/puppet/osnailyfacter/modular/openstack-controller/tasks.yaml

@@ -14,6 +14,16 @@
   required_for: [openstack-controller]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-controller/nova_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-controller/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800
+
+- id: nova-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [openstack-controller]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-controller/keystone.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/openstack-network/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: neutron_db.pp')
+notice('MODULAR: openstack-network/db.pp')
 
 $use_neutron    = hiera('use_neutron', false)
 $neutron_hash   = hiera_hash('quantum_settings', {})

deployment/puppet/osnailyfacter/modular/openstack-network/keystone.pp

@@ -0,0 +1,30 @@
+notice('MODULAR: openstack-network/keystone.pp')
+
+$neutron_hash     = hiera_hash('quantum_settings', {})
+$public_address   = hiera('public_vip')
+$internal_address = hiera('management_vip', $public_address)
+$region           = pick($neutron_hash['region'], 'RegionOne')
+
+$password            = $neutron_hash['keystone']['admin_password']
+$auth_name           = pick($neutron_hash['auth_name'], 'neutron')
+$configure_endpoint  = pick($neutron_hash['configure_endpoint'], true)
+$configure_user      = pick($neutron_hash['configure_user'], true)
+$configure_user_role = pick($neutron_hash['configure_user_role'], true)
+$service_name        = pick($neutron_hash['service_name'], 'neutron')
+$tenant              = pick($neutron_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::neutron::keystone::auth':
+  password            => $password,
+  auth_name           => $auth_name,
+  configure_endpoint  => $configure_endpoint,
+  configure_user      => $configure_user,
+  configure_user_role => $configure_user_role,
+  service_name        => $service_name,
+  public_address      => $public_address,
+  admin_address       => $internal_address,
+  internal_address    => $internal_address,
+  region              => $region,
+}

deployment/puppet/osnailyfacter/modular/openstack-network/tasks.yaml

@@ -32,6 +32,16 @@
   required_for: [openstack-network]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-network/neutron_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-network/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800
+
+- id: neutron-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [openstack-network]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-network/keystone.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/sahara/db.pp

@@ -1,4 +1,4 @@
-notice('MODULAR: sahara_db.pp')
+notice('MODULAR: sahara/db.pp')
 
 $sahara_hash    = hiera_hash('sahara', {})
 $sahara_enabled = pick($sahara_hash['enabled'], false)

deployment/puppet/osnailyfacter/modular/sahara/tasks.yaml

@@ -18,6 +18,6 @@
   required_for: [sahara]
   requires: [database]
   parameters:
-    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/sahara/sahara_db.pp
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/sahara/db.pp
     puppet_modules: /etc/puppet/modules
-    timeout: 3600
+    timeout: 1800

deployment/puppet/osnailyfacter/modular/swift/keystone.pp

@@ -0,0 +1,32 @@
+notice('MODULAR: swift/keystone.pp')
+
+$swift_hash       = hiera_hash('swift', {})
+$public_address   = hiera('public_vip')
+$internal_address = hiera('management_vip', $public_address)
+$region           = pick($swift_hash['region'], 'RegionOne')
+$public_ssl_hash  = hiera('public_ssl')
+$public_protocol  = $public_ssl_hash['services'] ? {
+  true    => 'https',
+  default => 'http',
+}
+
+$password            = $swift_hash['user_password']
+$auth_name           = pick($swift_hash['auth_name'], 'swift')
+$configure_endpoint  = pick($swift_hash['configure_endpoint'], true)
+$service_name        = pick($swift_hash['service_name'], 'swift')
+$tenant              = pick($swift_hash['tenant'], 'services')
+
+validate_string($public_address)
+validate_string($password)
+
+class { '::swift::keystone::auth':
+  password           => $password,
+  auth_name          => $auth_name,
+  configure_endpoint => $configure_endpoint,
+  service_name       => $service_name,
+  public_address     => $public_address,
+  public_protocol    => $public_protocol,
+  admin_address      => $internal_address,
+  internal_address   => $internal_address,
+  region             => $region,
+}

deployment/puppet/osnailyfacter/modular/swift/swift.pp

@@ -31,7 +31,6 @@ $keystone_password       = pick($swift_hash['user_password'], 'passsword')
 $keystone_tenant         = pick($swift_hash['tenant'], 'services')
 $keystone_protocol       = pick($swift_hash['auth_protocol'], 'http')
 $region                  = hiera('region', 'RegionOne')
-$public_ssl_hash         = hiera('public_ssl')
 
 # Use Swift if it isn't replaced by vCenter, Ceph for BOTH images and objects
 if !($storage_hash['images_ceph'] and $storage_hash['objects_ceph']) and !$storage_hash['images_vcenter'] {
@@ -64,7 +63,7 @@ if !($storage_hash['images_ceph'] and $storage_hash['objects_ceph']) and !$stora
     }
   }
 
-  if ($deploy_swift_proxy){
+  if $deploy_swift_proxy {
     $resize_value = pick($swift_hash['resize_value'], 2)
     $ring_part_power = calc_ring_part_power($swift_nodes,$resize_value)
     $sto_net = get_network_role_property('swift/replication', 'network')
@@ -98,19 +97,6 @@ if !($storage_hash['images_ceph'] and $storage_hash['objects_ceph']) and !$stora
       con_timeout => 5
     }
 
-    if ($create_keystone_auth){
-      class { 'swift::keystone::auth':
-        password         => $swift_hash['user_password'],
-        public_address   => $public_vip,
-        region           => $region,
-        public_protocol  => $public_ssl_hash['services'] ? {
-          true    => 'https',
-          default => 'http',
-        },
-        internal_address => $management_vip,
-        admin_address    => $management_vip,
-      }
-    }
   }
 }
 

deployment/puppet/osnailyfacter/modular/swift/tasks.yaml

@@ -25,3 +25,13 @@
     cmd: ruby /etc/puppet/modules/osnailyfacter/modular/swift/swift_post.rb
   test_post:
     cmd: ruby /etc/puppet/modules/osnailyfacter/modular/swift/rebalance_cronjob_post.rb
+
+- id: swift-keystone
+  type: puppet
+  groups: [primary-controller]
+  required_for: [swift]
+  requires: [keystone]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/swift/keystone.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 1800

tests/noop/spec/hosts/ceilometer/keystone_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'ceilometer/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for ceilometer auth' do
+      contain_class('ceilometer::keystone::auth')
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/glance/db_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'glance/glance_db.pp'
+manifest = 'glance/db.pp'
 
 describe manifest do
   shared_examples 'catalog' do
@@ -25,4 +25,3 @@ describe manifest do
   end
   test_ubuntu_and_centos manifest
 end
-

tests/noop/spec/hosts/glance/keystone_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'glance/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for glance auth' do
+      contain_class('glance::keystone::auth')
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/heat/db_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'heat/db.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    heat_db_user = 'heat'
+    heat_db_dbname = 'heat'
+    heat_db_password = Noop.hiera_structure 'heat/db_password'
+    allowed_hosts = [Noop.hostname,'localhost','127.0.0.1','%']
+
+    it 'should declare heat::db::mysql class with user,password,dbname' do
+      should contain_class('heat::db::mysql').with(
+        'user' => heat_db_user,
+        'password' => heat_db_password,
+        'dbname' => heat_db_dbname,
+        'allowed_hosts' => allowed_hosts,
+      )
+    end
+    allowed_hosts.each do |host|
+      it "should define openstacklib::db::mysql::host_access for #{heat_db_dbname} DB for #{host}" do
+        should contain_openstacklib__db__mysql__host_access("#{heat_db_dbname}_#{host}")
+      end
+    end
+  end
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/heat/heat_db_spec.rb

@@ -1,17 +0,0 @@
-require 'spec_helper'
-require 'shared-examples'
-manifest = 'heat/heat_db.pp'
-
-describe manifest do
-  shared_examples 'catalog' do
-
-    it 'should contain openstack::heat class with db_allowed_hosts parameter' do
-      hostname = Noop.hostname
-      db_allowed_hosts = [ hostname, 'localhost', '127.0.0.1', '%' ]
-      should contain_class('heat::db::mysql').with('allowed_hosts' => db_allowed_hosts)
-    end
-
-  end # end of shared_examples
-  test_ubuntu_and_centos manifest
-end
-

tests/noop/spec/hosts/heat/heat_spec.rb

@@ -7,10 +7,7 @@ describe manifest do
 
     use_syslog = Noop.hiera 'use_syslog'
 
-    it 'should set empty trusts_delegated_roles for heat authentication and engine' do
+    it 'should set empty trusts_delegated_roles for heat engine' do
-      should contain_class('heat::keystone::auth').with(
-        'trusts_delegated_roles' => [],
-      )
       should contain_class('heat::engine').with(
         'trusts_delegated_roles' => [],
       )

tests/noop/spec/hosts/heat/keystone_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'heat/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for heat auth' do
+      contain_class('heat::keystone::auth').with(
+        'trusts_delegated_roles' => [],
+      )
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/keystone/db_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'keystone/keystone_db.pp'
+manifest = 'keystone/db.pp'
+
 describe manifest do
   shared_examples 'catalog' do
     keystone_db_user = 'keystone'

tests/noop/spec/hosts/murano/db_spec.rb

@@ -1,8 +1,9 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'murano/murano_db.pp'
+manifest = 'murano/db.pp'
 
 describe manifest do
+
   test_ubuntu_and_centos manifest
 end
 

tests/noop/spec/hosts/openstack-cinder/db_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'openstack-cinder/cinder_db.pp'
+manifest = 'openstack-cinder/db.pp'
 
 describe manifest do
   shared_examples 'catalog' do

tests/noop/spec/hosts/openstack-cinder/keystone_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'openstack-cinder/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for cinder auth' do
+      contain_class('cinder::keystone::auth')
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/openstack-controller/db_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'openstack-controller/nova_db.pp'
+manifest = 'openstack-controller/db.pp'
 
 describe manifest do
   shared_examples 'catalog' do

tests/noop/spec/hosts/openstack-controller/keystone_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'openstack-controller/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for nova auth' do
+      contain_class('nova::keystone::auth')
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/openstack-network/db_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'openstack-network/neutron_db.pp'
+manifest = 'openstack-network/db.pp'
 
 describe manifest do
   #TODO: uncomment in neutron module adaptation patch

tests/noop/spec/hosts/openstack-network/keystone_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'openstack-network/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for neutron auth' do
+      contain_class('neutron::keystone::auth')
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end

tests/noop/spec/hosts/sahara/db_spec.rb

@@ -1,8 +1,7 @@
 require 'spec_helper'
 require 'shared-examples'
-manifest = 'sahara/sahara_db.pp'
+manifest = 'sahara/db.pp'
 
 describe manifest do
   test_ubuntu_and_centos manifest
 end
-

tests/noop/spec/hosts/swift/keystone_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'swift/keystone.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+    it 'should set empty trusts_delegated_roles for swift auth' do
+      contain_class('swift::keystone::auth')
+    end
+  end
+
+  test_ubuntu_and_centos manifest
+end