Add hooks for external install & svc management

This adds defined anchor points for external modules to hook into the
software install, config and service dependency chain.  This allows
external modules to manage software installation (virtualenv,
containers, etc) and service management (pacemaker) without needing rely
on resources that may change or be renamed.

Change-Id: If0175f5719ec72871febcec04785d63f56fd3d2b

manifests/api.pp

@@ -279,6 +279,7 @@ class barbican::api (
 ) inherits barbican::params {
 
 
+  include ::barbican::deps
   include ::barbican::db
   include ::barbican::api::logging
   include ::barbican::client
@@ -302,8 +303,8 @@ deprecated. Please use barbican::default_transport_url instead.")
     mode    => '0770',
     owner   => 'root',
     group   => 'barbican',
-    require => Package['barbican-api'],
-    notify  => Service[$service_name],
+    require => Anchor['barbican::install::end'],
+    notify  => Anchor['barbican::service::end'],
   }
 
   package { 'barbican-api':
@@ -312,12 +313,6 @@ deprecated. Please use barbican::default_transport_url instead.")
     tag    => ['openstack', 'barbican-package'],
   }
 
-  Package['barbican-api']                ~> Service[$service_name]
-  Barbican_config<||>                    ~> Service[$service_name]
-  Barbican_api_paste_ini<||>             ~> Service[$service_name]
-  Package<| tag == 'barbican-package' |> -> Barbican_config<||>
-  Package<| tag == 'barbican-package' |> -> Barbican_api_paste_ini<||>
-
   # basic service config
   if $host_href == undef {
     $host_href_real = "http://${::fqdn}:${bind_port}"
@@ -461,9 +456,9 @@ deprecated. Please use barbican::default_transport_url instead.")
       path  => '/etc/barbican/gunicorn-config.py',
       line  => "bind = '${bind_host}:${bind_port}'",
       match => '.*bind = .*',
+      tag   => 'modify-bind-port',
     }
 
-    Package<| tag == 'barbican-package' |> -> File_line['Modify bind_port in gunicorn-config.py'] ~> Service[$service_name]
   } elsif $service_name == 'httpd' {
     include ::apache::params
     # Debian/Ubuntu do not have a barbican-api and this will error out on them.

manifests/api/logging.pp

@@ -113,6 +113,8 @@ class barbican::api::logging(
   $log_date_format               = $::os_service_default,
 ) {
 
+  include ::barbican::deps
+
   oslo::log { 'barbican_config':
     debug                         => $debug,
     use_syslog                    => $use_syslog,

manifests/client.pp

@@ -12,6 +12,7 @@ class barbican::client (
   $ensure = 'present',
 ) {
 
+  include ::barbican::deps
   include ::barbican::params
 
   package { 'python-barbicanclient':

manifests/config.pp

@@ -30,6 +30,9 @@ class barbican::config (
   $api_config = {},
   $api_paste_ini_config = {},
 ) {
+
+  include ::barbican::deps
+
   validate_hash($api_config)
   validate_hash($api_paste_ini_config)
 

manifests/db.pp

@@ -60,6 +60,8 @@ class barbican::db (
   $database_db_max_retries = $::os_service_default,
 ) {
 
+  include ::barbican::deps
+
   validate_re($database_connection,
     '^(sqlite|mysql(\+pymysql)?|postgresql):\/\/(\S+:\S+@\S+\/\S+)?')
 

manifests/db/mysql.pp

@@ -53,6 +53,8 @@ class barbican::db::mysql(
   $allowed_hosts = undef
 ) {
 
+  include ::barbican::deps
+
   validate_string($password)
 
   ::openstacklib::db::mysql { 'barbican':
@@ -65,5 +67,7 @@ class barbican::db::mysql(
     allowed_hosts => $allowed_hosts,
   }
 
-  ::Openstacklib::Db::Mysql['barbican'] ~> Exec<| title == 'barbican-db-manage' |>
+  Anchor['barbican::db::begin']
+  ~> Class['barbican::db::mysql']
+  ~> Anchor['barbican::db::end']
 }

manifests/db/postgresql.pp

@@ -40,7 +40,7 @@ class barbican::db::postgresql(
   $privileges = 'ALL',
 ) {
 
-  Class['barbican::db::postgresql'] -> Service<| title == 'barbican' |>
+  include ::barbican::deps
 
   ::openstacklib::db::postgresql { 'barbican':
     password_hash => postgresql_password($user, $password),
@@ -50,6 +50,8 @@ class barbican::db::postgresql(
     privileges    => $privileges,
   }
 
-  ::Openstacklib::Db::Postgresql['barbican'] ~> Exec<| title == 'barbican-db-manage' |>
+  Anchor['barbican::db::begin']
+  ~> Class['barbican::db::postgresql']
+  ~> Anchor['barbican::db::end']
 
 }

manifests/db/sync.pp

@@ -11,6 +11,9 @@
 class barbican::db::sync(
   $extra_params  = undef,
 ) {
+
+  include ::barbican::deps
+
   exec { 'barbican-db-manage':
     command     => "barbican-manage db upgrade ${extra_params}",
     path        => ['/bin', '/usr/bin', ],
@@ -18,11 +21,12 @@ class barbican::db::sync(
     refreshonly => true,
     try_sleep   => 5,
     tries       => 10,
+    subscribe   => [
+      Anchor['barbican::install::end'],
+      Anchor['barbican::config::end'],
+      Anchor['barbican::dbsync::begin']
+    ],
+    notify      => Anchor['barbican::dbsync::end'],
   }
 
-  Barbican_config <| title == 'database/connection' |> ~> Exec['barbican-db-manage']
-  Barbican_config <| title == 'DEFAULT/sql_connection' |> ~> Exec['barbican-db-manage']
-  Package <| tag == 'barbican-package' |> ~> Exec['barbican-db-manage']
-  Package <| tag == 'openstack' |> -> Exec['barbican-db-manage']
-  Exec['barbican-db-manage'] ~> Service<| title == 'barbican-api' |>
 }

manifests/deps.pp

@@ -0,0 +1,40 @@
+# == Class: barbican::deps
+#
+#  Barbican anchors and dependency management
+#
+class barbican::deps {
+  # Setup anchors for install, config and service phases of the module.  These
+  # anchors allow external modules to hook the begin and end of any of these
+  # phases.  Package or service management can also be replaced by ensuring the
+  # package is absent or turning off service management and having the
+  # replacement depend on the appropriate anchors.  When applicable, end tags
+  # should be notified so that subscribers can determine if installation,
+  # config or service state changed and act on that if needed.
+  anchor { 'barbican::install::begin': }
+  -> Package<| tag == 'barbican-package'|>
+  ~> anchor { 'barbican::install::end': }
+  -> anchor { 'barbican::config::begin': }
+  -> Barbican_config<||>
+  ~> anchor { 'barbican::config::end': }
+  -> anchor { 'barbican::db::begin': }
+  -> anchor { 'barbican::db::end': }
+  ~> anchor { 'barbican::dbsync::begin': }
+  -> anchor { 'barbican::dbsync::end': }
+  ~> anchor { 'barbican::service::begin': }
+  ~> Service<| tag == 'barbican-service' |>
+  ~> anchor { 'barbican::service::end': }
+
+  # policy config should occur in the config block also.
+  Anchor['barbican::config::begin']
+  -> Openstacklib::Policy::Base<||>
+  ~> Anchor['barbican::config::end']
+
+  # Ensure files are modified in the config block
+  Anchor['barbican::config::begin']
+  -> File_line<| tag == 'modify-bind-port' |>
+  ~> Anchor['barbican::config::end']
+
+  # Installation or config changes will always restart services.
+  Anchor['barbican::install::end'] ~> Anchor['barbican::service::begin']
+  Anchor['barbican::config::end']  ~> Anchor['barbican::service::begin']
+}

manifests/keystone/auth.pp

@@ -65,10 +65,12 @@ class barbican::keystone::auth (
   $admin_url           = 'http://127.0.0.1:9311',
 ) {
 
+  include ::barbican::deps
+
   if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-api' |>
+    Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['barbican::service::end']
   }
-  Keystone_endpoint["${region}/${service_name}::${service_type}"]  ~> Service <| name == 'barbican-api' |>
+  Keystone_endpoint["${region}/${service_name}::${service_type}"]  ~> Anchor['barbican::service::end']
 
   keystone::resource::service_identity { 'barbican':
     configure_user      => $configure_user,

manifests/keystone/authtoken.pp

@@ -223,6 +223,8 @@ class barbican::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
 ) {
 
+  include ::barbican::deps
+
   if is_service_default($password) {
     fail('Please set password for barbican service user')
   }

manifests/keystone/notification.pp

@@ -32,6 +32,8 @@ class barbican::keystone::notification (
   $keystone_notification_thread_pool_size = $::os_service_default,
 ) {
 
+  include ::barbican::deps
+
   barbican_config {
     'keystone_notifications/enable':           value => $enable_keystone_notification;
     'keystone_notifications/control_exchange': value => $keystone_notification_control_exchange;

manifests/plugins/dogtag.pp

@@ -52,6 +52,7 @@ class barbican::plugins::dogtag (
   $dogtag_plugin_plugin_working_dir = $::os_service_default,
 ) {
 
+  include ::barbican::deps
   include ::barbican::params
 
   if $dogtag_plugin_nss_password == undef {
@@ -75,5 +76,4 @@ class barbican::plugins::dogtag (
     'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir;
   }
 
-  Package['dogtag-client'] -> Barbican_config<||>
 }

manifests/plugins/kmip.pp

@@ -44,6 +44,8 @@ class barbican::plugins::kmip (
   $kmip_plugin_ca_certs = undef,
 ) {
 
+  include ::barbican::deps
+
   if $kmip_plugin_host == undef {
     fail('kmip_plugin_host must be defined')
   }

manifests/plugins/p11_crypto.pp

@@ -42,6 +42,8 @@ class barbican::plugins::p11_crypto (
   $p11_crypto_plugin_slot_id      = undef,
 ) {
 
+  include ::barbican::deps
+
   if $p11_crypto_plugin_login == undef {
       fail('p11_crypto_plugin_login must be defined')
   }

manifests/plugins/simple_crypto.pp

@@ -12,6 +12,8 @@ class barbican::plugins::simple_crypto (
   $simple_crypto_plugin_kek = $::os_service_default,
 ) {
 
+  include ::barbican::deps
+
   barbican_config {
     'simple_crypto_plugin/kek':  value => $simple_crypto_plugin_kek;
   }

manifests/policy.pp

@@ -28,6 +28,8 @@ class barbican::policy (
   $policy_path = '/etc/barbican/policy.json',
 ) {
 
+  include ::barbican::deps
+
   validate_hash($policies)
 
   Openstacklib::Policy::Base {

manifests/quota.pp

@@ -32,6 +32,8 @@ class barbican::quota (
   $quota_cas         = $::os_service_default,
 ) {
 
+  include ::barbican::deps
+
   barbican_config {
     'quotas/quota_secrets':      value => $quota_secrets;
     'quotas/quota_orders':       value => $quota_orders;

manifests/wsgi/apache.pp

@@ -105,6 +105,7 @@ class barbican::wsgi::apache (
   $priority      = '10',
 ) {
 
+  include ::barbican::deps
   include ::barbican::params
   include ::apache
   include ::apache::mod::wsgi

releasenotes/notes/external_install_mgmt_hook-8715781a2fe9134f.yaml

@@ -0,0 +1,10 @@
+---
+prelude: >
+    Add hooks for external install & svc management.
+features:
+  - This adds defined anchor points for external modules to
+    hook into the software install, config and service dependency
+    chain. This allows external modules to manage software
+    installation (virtualenv, containers, etc) and service management
+    (pacemaker) without needing rely on resources that may change or
+    be renamed.

spec/classes/barbican_api_spec.rb

@@ -123,8 +123,9 @@ describe 'barbican::api' do
           "http://${::fqdn}:$param_hash[:bind_port]"
         end
 
-        it { is_expected.to contain_class 'barbican::api::logging' }
-        it { is_expected.to contain_class 'barbican::db' }
+        it { is_expected.to contain_class('barbican::deps') }
+        it { is_expected.to contain_class('barbican::api::logging') }
+        it { is_expected.to contain_class('barbican::db') }
 
         it { is_expected.to contain_package('barbican-api').with(
             :tag => ['openstack', 'barbican-package'],

spec/classes/barbican_wsgi_apache_spec.rb

@@ -23,6 +23,7 @@ describe 'barbican::wsgi::apache' do
 
   shared_examples_for 'apache serving barbican with mod_wsgi' do
     it { is_expected.to contain_service('httpd').with_name(platform_parameters[:httpd_service_name]) }
+    it { is_expected.to contain_class('barbican::deps') }
     it { is_expected.to contain_class('barbican::params') }
     it { is_expected.to contain_class('apache') }
     it { is_expected.to contain_class('apache::mod::wsgi') }