openstack/puppet-keystone
Code Issues Proposed changes
b8b8dfeb78
puppet-keystone/spec/classes/keystone_init_spec.rb

873 lines
32 KiB
Ruby
Raw Normal View History

saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
require 'spec_helper'
describe 'keystone' do
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
let :global_facts do
{
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'some.host.tld'
}
end
set osfamily
2012-10-14 14:16:47 -07:00
let :facts do
$::os_service_default in db and logging Switch to $::os_service_default all params in logging and db. Changes: logging.pp, db.pp and tests. Related-bug: #1515273 Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb
2015-11-21 03:24:54 +00:00
@default_facts.merge(global_facts.merge({
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
:osfamily => 'Debian',
:operatingsystem => 'Debian',
Add admin_workers and public_workers configuration options Juno Keystone adds admin_workers and public_workers configuration options to control the number of admin and public wsgi worker processes. This patch adds support for setting those options. Change-Id: I16d08321aedb7bac502052e1e1fc7fd9728e2168
2015-01-23 11:29:22 -07:00
:operatingsystemrelease => '7.0',
Install python3-keystoneclient in Fedora or RedHat > 7 Fedora repo [1] has python3 packages, start consuming those. [1] http://trunk.rdoproject.org/fedora/puppet-passed-ci/ Change-Id: Id15a40384286a825f65658bdb1ad924a917d9031
2018-10-26 12:08:28 +05:30
:os => { :name => 'Debian', :family => 'Debian', :release => { :major => '7', :minor => '0' } },
$::os_service_default in db and logging Switch to $::os_service_default all params in logging and db. Changes: logging.pp, db.pp and tests. Related-bug: #1515273 Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb
2015-11-21 03:24:54 +00:00
}))
set osfamily
2012-10-14 14:16:47 -07:00
end
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
default_params = {
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'package_ensure' => 'present',
'client_package_ensure' => 'present',
'public_bind_host' => '0.0.0.0',
'public_port' => '5000',
'catalog_type' => 'sql',
'catalog_driver' => false,
Make fernet the default token provider Fernet tokens have been the default provider for keystone for some time and we deprecated them in Newton. This change switches to use fernet tokens as the default for the keystone class. Change-Id: I15504f694c0ce5d35907585a8d5d61893cfe95ee
2016-10-20 13:06:12 -06:00
'token_provider' => 'fernet',
Add password hash algorithm and rounds config Adds the password_hash_algorithm and password_hash_rounds configuration options. These can be used to configure the password hash algorithm and the amount of rounds on the hash that keystone should do. Change-Id: I5160e59522b5cf96eb80f83ab7f2ca593b64fe54
2018-09-13 11:23:40 +02:00
'password_hash_algorithm' => '<SERVICE DEFAULT>',
'password_hash_rounds' => '<SERVICE DEFAULT>',
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'revoke_driver' => 'sql',
'revoke_by_id' => true,
'enable_ssl' => false,
'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem',
'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem',
'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
'enabled' => true,
'manage_service' => true,
Deprecate rabbitmq connection parameters The rabbitmq connection parameters have been deprecated in favor of the transport_url setting. Change-Id: I196e089f7081f59360680a8921cde2c84acf0c0e Related-Bug: #1625198
2016-11-08 12:57:39 -07:00
'default_transport_url' => '<SERVICE DEFAULT>',
Add notification transport_url to support dual oslo_messaging backends Change-Id: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
2017-01-23 14:52:16 -05:00
'notification_transport_url' => '<SERVICE DEFAULT>',
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'rabbit_heartbeat_timeout_threshold' => '<SERVICE DEFAULT>',
'rabbit_heartbeat_rate' => '<SERVICE DEFAULT>',
Introduce the new rabbit_heartbeat_in_pthread option oslo.messaging RabbitMQ driver have now a new option that allow user to run the RabbitMQ heartbeat over a native python thread. These change allow user to use this new option. Change-Id: If5cb4855e20fe9553b4a4a0d787918923a4334ba Closes-Bug: #1840868
2019-08-21 14:21:01 +08:00
'rabbit_heartbeat_in_pthread' => '<SERVICE DEFAULT>',
Add oslo_messaging_rabbit/amqp_durable_queues option Add new parameter "amqp_durable_queues", to indicate whether to use durable queues in AMQP Change-Id: Id7d16fa1958404da4d50b8609bd948e50fff0f77 Closes-Bug: #1786029
2018-08-08 20:53:57 +08:00
'amqp_durable_queues' => '<SERVICE DEFAULT>',
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'member_role_id' => '<SERVICE DEFAULT>',
'member_role_name' => '<SERVICE DEFAULT>',
'sync_db' => true,
'purge_config' => false,
'keystone_user' => 'keystone',
'keystone_group' => 'keystone',
Adding a purge_config option for keystone_config Adding a purge_config option for the keystone config. Adding this option for ease of management and readability. If users wish, they can use this to ensure that only the options they are setting make it into the configs. *Fixing merge conflict Change-Id: I30b0d241d0545b86cf15b2d108c3288a1bdd2631
2016-05-13 13:10:59 -06:00
}
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
override_params = {
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'package_ensure' => 'latest',
'client_package_ensure' => 'latest',
'public_bind_host' => '0.0.0.0',
'public_port' => '5001',
'catalog_type' => 'template',
'token_provider' => 'uuid',
Add password hash algorithm and rounds config Adds the password_hash_algorithm and password_hash_rounds configuration options. These can be used to configure the password hash algorithm and the amount of rounds on the hash that keystone should do. Change-Id: I5160e59522b5cf96eb80f83ab7f2ca593b64fe54
2018-09-13 11:23:40 +02:00
'password_hash_algorithm' => 'pbkdf2_sha512',
'password_hash_rounds' => '29000',
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'revoke_driver' => 'kvs',
'revoke_by_id' => false,
Do not set public_bind_host and public_port in eventlet section Remove public_bind_host and public_port configured under eventlet section as they were alrady deprecated. Set public_endpoint from public_bind_host and public_port so that these information can be refered by provider code to get endpoint even if public_endpoint isn't explicitly given. Change-Id: Ic38e41b31155a7d3a4f1f5fc606421dd525c1025
2019-09-12 19:24:02 +09:00
'public_endpoint' => 'https://localhost:5000',
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'enable_ssl' => true,
'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem',
'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem',
'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
'enabled' => false,
'manage_service' => true,
Deprecate rabbitmq connection parameters The rabbitmq connection parameters have been deprecated in favor of the transport_url setting. Change-Id: I196e089f7081f59360680a8921cde2c84acf0c0e Related-Bug: #1625198
2016-11-08 12:57:39 -07:00
'default_transport_url' => 'rabbit://user:pass@host:1234/virt',
Add notification transport_url to support dual oslo_messaging backends Change-Id: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
2017-01-23 14:52:16 -05:00
'notification_transport_url' => 'rabbit://user:pass@host:1234/virt',
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'rabbit_heartbeat_timeout_threshold' => '60',
'rabbit_heartbeat_rate' => '10',
Introduce the new rabbit_heartbeat_in_pthread option oslo.messaging RabbitMQ driver have now a new option that allow user to run the RabbitMQ heartbeat over a native python thread. These change allow user to use this new option. Change-Id: If5cb4855e20fe9553b4a4a0d787918923a4334ba Closes-Bug: #1840868
2019-08-21 14:21:01 +08:00
'rabbit_heartbeat_in_pthread' => true,
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'rabbit_ha_queues' => true,
Add oslo_messaging_rabbit/amqp_durable_queues option Add new parameter "amqp_durable_queues", to indicate whether to use durable queues in AMQP Change-Id: Id7d16fa1958404da4d50b8609bd948e50fff0f77 Closes-Bug: #1786029
2018-08-08 20:53:57 +08:00
'amqp_durable_queues' => true,
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'default_domain' => 'other_domain',
'member_role_id' => '123456789',
'member_role_name' => 'othermember',
'using_domain_config' => false,
'keystone_user' => 'test_user',
'keystone_group' => 'test_group',
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
}
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
httpd_params = {'service_name' => 'httpd'}.merge(default_params)
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
shared_examples 'core keystone examples' do |param_hash|
Put all the logging related parameters to the logging class Currently logging configuration is splitted in two distinct classes, the init.pp and the logging.pp classes. This review aims to centralize all logging related parameters in a single class, the logging.pp one. The impacted parameters are : * use_syslog * use_stderr * log_facility * verbose * debug * log_dir * log_file This change remains backward compatible with what is currently in place. Change-Id: I2ad392f8f12be3f3a7d51916e0645531ed1184a2
2015-09-25 15:18:32 +02:00
it { is_expected.to contain_class('keystone::logging') }
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_class('keystone::params') }
include policy class in api.pp Like we do in other modules, include keystone::policy class in ::keystone so users can define policies without taking care of the class. Change-Id: I69da4d70fd3720a01ce1e166a5725a9c76d4c126
2017-06-15 14:16:13 -04:00
it { is_expected.to contain_class('keystone::policy') }
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_package('keystone').with(
Tag packages with 'openstack' Change-Id: Ic2aee83728c3b0b532f9d7fb5a6b0a70bd3910ef Closes-Bug: #1391209
2015-02-05 20:26:43 -07:00
'ensure' => param_hash['package_ensure'],
Add tag to package and service resources In order to be able to take an action after all the packages of the module have been installed/updated or all the services have been started/restarted, we set a 'keystone-package' and 'keyston-service' tag for each package and service of this module. At the moment, there is a generic openstack tag that is not specific enough if one wants to take action upon a single module change. Use case : If an action needs to be taken after all the packages have been installed or updated : Package <| tag == 'keystone-package' |> -> X Change-Id: I2de6880ba14ccd07b5d4c1928ddcde821bc9625d
2015-07-22 15:10:25 +02:00
'tag' => ['openstack', 'keystone-package'],
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
) }
Move openstackclient install to keystone::client Openstackclient should be installed in the client class, not the main class. It should be possible to use keystone as a client without the main class. For example, it may be necessary to create cinder keystone endpoints on a Cinder node, but not require all of Keystone. Change-Id: Ic9e688d698adffb24f99e9d75a8754391940a7b4 Partial-Bug: #1479317
2015-08-06 17:41:01 +03:00
it { is_expected.to contain_class('keystone::client').with(
Add a package ensure for openstackclient This allows someone to ensure latest or a version for openstackclient. Change-Id: I905f3d03878fda139381e9400f2a9b4c40679ec8
2015-02-17 11:02:50 -07:00
'ensure' => param_hash['client_package_ensure'],
) }
Decouple sync_db from enabled We want db_sync to run even though enabled can be set to False. Change-Id: I6eb3d137173d2542a8083bbca3acf3bee10c5919 Closes-Bug: 1452278
2015-05-06 16:32:05 +02:00
it 'should synchronize the db if $sync_db is true' do
if param_hash['sync_db']
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
is_expected.to contain_exec('keystone-manage db_sync').with(
Allow customization of db sync command line Add $extra_params parameter to keystone::db::sync class to allow end-users to add command line parameters to the db_sync command. Change-Id: I3965a4d0d4974e7ee925c99207d4d6d4510a517f Closes-bug: 1472740
2015-07-08 13:38:00 -06:00
:command => 'keystone-manage db_sync',
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
:user => 'keystone',
:refreshonly => true,
Keystone hooks support This code moves all deps to an external class so that Keystone can be installed with mechanisms besides packages (like venv or docker). This also cleans-up the dependency tree by removing false or confusing dependencies. Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8 Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-02-23 18:31:15 -07:00
:subscribe => ['Anchor[keystone::install::end]',
'Anchor[keystone::config::end]',
'Anchor[keystone::dbsync::begin]'],
:notify => 'Anchor[keystone::dbsync::end]',
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
)
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
end
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
Adding a purge_config option for keystone_config Adding a purge_config option for the keystone config. Adding this option for ease of management and readability. If users wish, they can use this to ensure that only the options they are setting make it into the configs. *Fixing merge conflict Change-Id: I30b0d241d0545b86cf15b2d108c3288a1bdd2631
2016-05-13 13:10:59 -06:00
it 'passes purge to resource' do
is_expected.to contain_resources('keystone_config').with({
:purge => false
})
end
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
it 'should contain correct config' do
[
Support member_role_id and member_role_name config options Change-Id: Id934a56e047baefe6f0c9a26c512f43fbdc793ae
2016-06-28 16:36:15 +10:00
'member_role_id',
'member_role_name',
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
].each do |config|
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
is_expected.to contain_keystone_config("DEFAULT/#{config}").with_value(param_hash[config])
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
end
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
it 'should contain correct mysql config' do
Fix database test in keystone class test We were checking for the value of a database setting which is now managed via puppet-olso in the keystone init class. We should not be checking the values set by another class in the unit tests. This change updates the unit tests to just make sure we're including the keystone::db class rather than the values configured by it. Change-Id: I0a1b1adec24ba528b623ad0b17e5bba16e0b279a
2019-04-30 08:13:17 -06:00
is_expected.to contain_class('keystone::db')
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config('token/provider').with_value(
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
param_hash['token_provider']
) }
Improve spec test coverage
2012-04-05 16:58:36 -07:00
Enable setting the revoke/token driver. This also sets the default to the non-deprecated back-end for Juno which is 'keystone.contrib.revoke.backends.sql'. Change-Id: I2c92cbd85de58b631a02909c6f5f9b3f1d72fcd6
2015-03-02 09:27:27 -07:00
it 'should contain correct revoke driver' do
Fix rspec 3.x syntax - Convert 'should' keyword to 'is_expected.to' - The old ':should' syntax in rspec 3.x is deprecated in favor of ':expect' syntax. - Operator matchers: '1.should == 1' into 'expect(1).to eq(1)' Change-Id: I84b993065a00f5b5c55bd6834c6d54bc57c249e0 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-07-20 15:57:55 +02:00
is_expected.to contain_keystone_config('revoke/driver').with_value(param_hash['revoke_driver'])
Enable setting the revoke/token driver. This also sets the default to the non-deprecated back-end for Juno which is 'keystone.contrib.revoke.backends.sql'. Change-Id: I2c92cbd85de58b631a02909c6f5f9b3f1d72fcd6
2015-03-02 09:27:27 -07:00
end
Add password hash algorithm and rounds config Adds the password_hash_algorithm and password_hash_rounds configuration options. These can be used to configure the password hash algorithm and the amount of rounds on the hash that keystone should do. Change-Id: I5160e59522b5cf96eb80f83ab7f2ca593b64fe54
2018-09-13 11:23:40 +02:00
it 'should contain password_hash_algorithm' do
is_expected.to contain_keystone_config('identity/password_hash_algorithm').with_value(param_hash['password_hash_algorithm'])
end
it 'should contain password_hash_rounds' do
is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value(param_hash['password_hash_rounds'])
end
Add a new param for fernet tokens config "revoke_id" param was added for fernet tokens configuration. It revokes token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens. Change-Id: I645cd591f1018a9a595d8f738a782f64c0a984a4
2015-10-27 15:48:53 +02:00
it 'should contain default revoke_by_id value ' do
is_expected.to contain_keystone_config('token/revoke_by_id').with_value(param_hash['revoke_by_id'])
end
Deprecate options related to eventlet server The usage of eventlet server in keystone was already depreacted, so we should deprecate parameters related to the feature. Notes: - public_bind_host and public_port still remain as valid parameters, to wait until users migrate to public_endpoint, which should be used instead. - admin_endpoint does not affect keystone configuration, but it is not yet deprecated as it is still used when validate_service is True. Change-Id: Ibc8023caf8ad4ee16ebc08a943bdcc9f188c73c1
2019-08-22 17:03:14 +09:00
it 'should ensure proper setting of public_endpoint' do
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
if param_hash['public_endpoint']
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint'])
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
else
Unset public_endpoint by default When public_endpoint is set but different urls are used for endpoints (especially for admin endpoint and public endpoint), it can cause problem with self-url detection in keystone because it always assumes that the url should be directed to that public_endpoint even when a request comes from admin endpoint. This patch makes public_endpoint unset by default to avoid issues in the deployment where admin endpoint and public endpoint are still separated. Related-bug: #1889017 Change-Id: Ia43e9dcd8085bbb0954b64873504398a85771032
2020-07-22 15:16:15 +09:00
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('<SERVICE DEFAULT>')
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
end
Deprecate rabbitmq connection parameters The rabbitmq connection parameters have been deprecated in favor of the transport_url setting. Change-Id: I196e089f7081f59360680a8921cde2c84acf0c0e Related-Bug: #1625198
2016-11-08 12:57:39 -07:00
it 'should contain correct default transport url' do
is_expected.to contain_keystone_config('DEFAULT/transport_url').with_value(params['default_transport_url'])
end
Add support for RabbitMQ connection heartbeat Kilo oslo.messaging added heartbeating support for RabbitMQ connections. This patch adds support for this in Puppet modules by managing the oslo_messaging_rabbit/heartbeat_timeout_threshold and oslo_messaging_rabbit/heartbeat_rate settings. Also, update all rabbit-related parameters to move to the oslo_messaging_rabbit section in keystone.conf, from the DEFAULT section. Change-Id: I4d78a3c67396744fe1f643b857d889cb0ee0ca49 Closes-bug: 1467667
2015-06-22 15:41:02 -06:00
it 'should contain correct rabbit heartbeat configuration' do
is_expected.to contain_keystone_config('oslo_messaging_rabbit/heartbeat_timeout_threshold').with_value(param_hash['rabbit_heartbeat_timeout_threshold'])
is_expected.to contain_keystone_config('oslo_messaging_rabbit/heartbeat_rate').with_value(param_hash['rabbit_heartbeat_rate'])
Introduce the new rabbit_heartbeat_in_pthread option oslo.messaging RabbitMQ driver have now a new option that allow user to run the RabbitMQ heartbeat over a native python thread. These change allow user to use this new option. Change-Id: If5cb4855e20fe9553b4a4a0d787918923a4334ba Closes-Bug: #1840868
2019-08-21 14:21:01 +08:00
is_expected.to contain_keystone_config('oslo_messaging_rabbit/heartbeat_in_pthread').with_value(param_hash['rabbit_heartbeat_in_pthread'])
Add oslo_messaging_rabbit/amqp_durable_queues option Add new parameter "amqp_durable_queues", to indicate whether to use durable queues in AMQP Change-Id: Id7d16fa1958404da4d50b8609bd948e50fff0f77 Closes-Bug: #1786029
2018-08-08 20:53:57 +08:00
is_expected.to contain_keystone_config('oslo_messaging_rabbit/amqp_durable_queues').with_value(param_hash['amqp_durable_queues'])
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
Add max_token_size optional parameter This adds a param to set the max_token_size in keystone.conf. The setting allows larger tokens (i.e. PKI and large catalog) to work, in line with other projects that have increased the default from 8k to 16k max. The default setting in Keystone is 8k, the default in this change is undef, which removes the config item from keystone.conf. Change-Id: I1e73cf274c26d1368973207a5823ca7a6197612b
2014-11-24 11:37:52 +13:00
it 'should remove max_token_size param by default' do
Switch Keystone to $::os_service_default This patch switches Keystone params, which have absent ensure, to $::os_service_default fact Change-Id: Ibe91ac643d620543c6f7205a8a1944a56431bf43
2015-11-27 20:29:05 +00:00
is_expected.to contain_keystone_config('DEFAULT/max_token_size').with_value('<SERVICE DEFAULT>')
Add max_token_size optional parameter This adds a param to set the max_token_size in keystone.conf. The setting allows larger tokens (i.e. PKI and large catalog) to work, in line with other projects that have increased the default from 8k to 16k max. The default setting in Keystone is 8k, the default in this change is undef, which removes the config item from keystone.conf. Change-Id: I1e73cf274c26d1368973207a5823ca7a6197612b
2014-11-24 11:37:52 +13:00
end
Add admin_workers and public_workers configuration options Juno Keystone adds admin_workers and public_workers configuration options to control the number of admin and public wsgi worker processes. This patch adds support for setting those options. Change-Id: I16d08321aedb7bac502052e1e1fc7fd9728e2168
2015-01-23 11:29:22 -07:00
Fixed issue with rabbit_ha_queues parameter We need to configure rabbit_ha_queues = True only if we have more than 1 RabbitMQ host. In we have one RabbitMQ host we need to set rabbit_ha_queues = False. We also need to use one pattern for configuration of this parameter for different OpenStack components. Change-Id: I6f25905b000494264cacbd13ba74daba538c6cf7 Closes-Bug: #1470054
2015-06-30 14:30:02 +03:00
it 'should ensure rabbit_ha_queues' do
if param_hash['rabbit_ha_queues']
is_expected.to contain_keystone_config('oslo_messaging_rabbit/rabbit_ha_queues').with_value(param_hash['rabbit_ha_queues'])
else
Set oslo options in keystone module through puppet-oslo Key moments: * use oslo::{db,log,cache,policy}, oslo::messaging::{default,notifications,rabbit} * update top-file docs * add new parameters provided by oslo * update tests accordingly * add oslo dependency to "metadata.json" * add release notes Change-Id: I6840b7b9a0cd4832794b1b2a017fc241759aab66
2016-04-06 18:30:13 +03:00
is_expected.to contain_keystone_config('oslo_messaging_rabbit/rabbit_ha_queues').with_value('<SERVICE DEFAULT>')
Fixed issue with rabbit_ha_queues parameter We need to configure rabbit_ha_queues = True only if we have more than 1 RabbitMQ host. In we have one RabbitMQ host we need to set rabbit_ha_queues = False. We also need to use one pattern for configuration of this parameter for different OpenStack components. Change-Id: I6f25905b000494264cacbd13ba74daba538c6cf7 Closes-Bug: #1470054
2015-06-30 14:30:02 +03:00
end
end
support for keystone v3 api - keystone and keystone::roles::admin This patch implements these parts of the blueprint: 1) Allows user to specify the default domain If the user specifies a domain other than 'Default', class keystone will create that domain, and write the id of the domain to the [identity] default_domain_id parameter in keystone.conf, using the keystone_domain { is_default => true } resource. 2) Allows user to specify a separate service domain for service accounts One of the use cases for v3 is the ability to have the service account keystone_user resources (e.g. glance, cinder, etc.) to be in a separate domain from the regular user accounts. keystone::roles::admin allows to specify this domain. Implements: blueprint api-v3-support Change-Id: I3c69ee343e4335f4ce86cd72d6a9e664f7abcf25
2015-04-17 15:21:41 -06:00
if param_hash['default_domain']
it { is_expected.to contain_keystone_domain(param_hash['default_domain']).with(:is_default => true) }
v3: make sure default domain is created before any other resource When using Keystone v3 and domains, we need to make sure the default domain (if its name if not 'Default') is created before any other domain scoped resource. By creating a new anchor, we can add the requirement in Keystone types that need this dependency. If the default domain name is not modified, the Anchor won't be in the catalog but it's not an issue when using 'autorequire' in Puppet types. This patch also change the default domains in acceptance tests, so we can actually test the feature and make sure resources are created after having the default domain created. Change-Id: I2870eaa98f816c92df901ed2fa92e8db89b67656 Closes-bug: #1478037
2015-07-24 14:24:37 -04:00
it { is_expected.to contain_anchor('default_domain_created') }
support for keystone v3 api - keystone and keystone::roles::admin This patch implements these parts of the blueprint: 1) Allows user to specify the default domain If the user specifies a domain other than 'Default', class keystone will create that domain, and write the id of the domain to the [identity] default_domain_id parameter in keystone.conf, using the keystone_domain { is_default => true } resource. 2) Allows user to specify a separate service domain for service accounts One of the use cases for v3 is the ability to have the service account keystone_user resources (e.g. glance, cinder, etc.) to be in a separate domain from the regular user accounts. keystone::roles::admin allows to specify this domain. Implements: blueprint api-v3-support Change-Id: I3c69ee343e4335f4ce86cd72d6a9e664f7abcf25
2015-04-17 15:21:41 -06:00
end
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
[default_params, override_params].each do |param_hash|
describe "when #{param_hash == default_params ? "using default" : "specifying"} class parameters for service" do
let :params do
param_hash
end
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
it_behaves_like 'core keystone examples', param_hash
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_service('keystone').with(
Add manage_service feature puppet-keystone lacks of disabling service managing. This patch adds $manage_service parameter to relevant class. Change-Id: I80a55857442c6cd32387481fbe68b54f52e827a1 Closes-bug: #1359823
2014-08-25 14:52:37 +02:00
'ensure' => (param_hash['manage_service'] && param_hash['enabled']) ? 'running' : 'stopped',
Added enabled parameter to keystone class This commit adds an enabled parameter to the keystone class. This parameter can be used to disable the keystone service and ensure that the database schemas are not created/migrated. This feature has been added for HA support.
2012-06-18 10:46:01 -07:00
'enable' => param_hash['enabled'],
Use boolean instead of string Change-Id: I9d9c3bc1b7ff88f59f7946fa17c6ae0dba0ba9e1
2013-05-09 23:17:08 -04:00
'hasstatus' => true,
Add tag to package and service resources In order to be able to take an action after all the packages of the module have been installed/updated or all the services have been started/restarted, we set a 'keystone-package' and 'keyston-service' tag for each package and service of this module. At the moment, there is a generic openstack tag that is not specific enough if one wants to take action upon a single module change. Use case : If an action needs to be taken after all the packages have been installed or updated : Package <| tag == 'keystone-package' |> -> X Change-Id: I2de6880ba14ccd07b5d4c1928ddcde821bc9625d
2015-07-22 15:10:25 +02:00
'hasrestart' => true,
'tag' => 'keystone-service',
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
) }
Keystone hooks support This code moves all deps to an external class so that Keystone can be installed with mechanisms besides packages (like venv or docker). This also cleans-up the dependency tree by removing false or confusing dependencies. Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8 Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-02-23 18:31:15 -07:00
it { is_expected.to contain_anchor('keystone::service::end') }
Use an Anchor when service is managed Today, Keystone resources (domains, tenants, etc) are created only if 'keystone' service is started. When running Keystone in WSGI, the autorequire is broken for those resources. Adding 'httpd' in autorequire is not enough because it could fail to orchestration issues if running another httpd resource (Horizon) that depends on having Keystone started. This patch is about to create an Anchor (keystone_started) in keystone::service that require Service['keystone'] resource to be created. In resource types, change the autorequire to depend on the new Anchor. With that patch, we are sure Keystone resources won't be created before service is actually managed (running or stopped) and other resources (Horizon, using httpd server) can also depend on this Anchor if needed. Change-Id: Ie72b65b6be224cadc8730e050bec38d2face5dfd Closes-bug: #1474059
2015-07-13 15:09:12 -04:00
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
end
explicitly set token_format the default setting for token_format in grizzly changes from UUID to PKI. This adds explicit configuration to ensure that it is set as UUID to ease the process of upgrades and allow the same puppet code to work with both versions.
2013-03-13 09:18:36 -07:00
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
shared_examples "when using default class parameters for httpd on Debian" do
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
let :params do
httpd_params
end
Adds Support for Managing the Token Driver Backend Previously the keystone class did not manage the token driver. High-Availability deployments of Keystone must use the SQL driver so that all Keystone instances can access the same token from a SQL database cluster. The patch adds the token_driver parameter that is used to manage the selection of the token driver backend in keystone.conf. The parameter defaults to 'keystone.token.backends.kvs.Token' for backwards compatibility and to use the KVS backend driver. Change-Id: I4879052b7e44272c176814d048f916cb77d33581
2013-08-13 19:14:27 +00:00
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
let :pre_condition do
Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
2019-12-08 23:09:22 +01:00
'include keystone::wsgi::apache'
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
end
Don't set keystone endpoint by default In the current version of the keystone::init class, the default values for keystone endpoint URLs are unversioned, which can lead to problems connecting to the endpoint. This patch reverts to the old behavior of not setting them at all by default, and includes sample values with versioned URL's both in the header and tests so that users know to use versioned URL's if they choose to override the defaults. It also updates the documentation in the header accordingly and tidies it up a bit. Change-Id: Ib14edf152c1d208418f101ed48cdc38b18f840a2 Closes-Bug: #1287520
2014-03-03 23:37:36 -05:00
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
it_behaves_like 'core keystone examples', httpd_params
Use secret parameter for rabbit_password Rabbit_password configuration was not using secret parameter so it was visible on the logs. Change-Id: Idad892f0c461fce53eaa81ec8a7f3cfe871a9d00 Closes-Bug: 1328448
2014-06-11 13:26:52 +02:00
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
it do
expect {
Fix rspec 3.x syntax - Convert 'should' keyword to 'is_expected.to' - The old ':should' syntax in rspec 3.x is deprecated in favor of ':expect' syntax. - Operator matchers: '1.should == 1' into 'expect(1).to eq(1)' Change-Id: I84b993065a00f5b5c55bd6834c6d54bc57c249e0 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-07-20 15:57:55 +02:00
is_expected.to contain_service(platform_parameters[:service_name]).with('ensure' => 'running')
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
}.to raise_error(RSpec::Expectations::ExpectationNotMetError, /expected that the catalogue would contain Service\[#{platform_parameters[:service_name]}\]/)
explicitly set token_format the default setting for token_format in grizzly changes from UUID to PKI. This adds explicit configuration to ensure that it is set as UUID to ease the process of upgrades and allow the same puppet code to work with both versions.
2013-03-13 09:18:36 -07:00
end
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
Add keystone::disable_admin_token_auth class The keystone documentation highly recommends disabling the admin_token authentication after the initial bootstrap because it exposes a major attack vector. This patch adds a new class, keystone::disable_admin_token_auth, which uses ini_subsetting to remove the admin_token_auth keyword from the pipeline lists. After the first puppet run, users who use this class with the default values will need to provide some other way for puppet to authenticate to keystone. The keystone providers can all read from /root/openrc or from OS_* environment variables. The openstack_extras::auth_file class can be used to create the openrc file. This class must be declared after the main keystone class because it uses the restart_keystone exec from the main class. This patch moves this exec out of the $default_domain conditional so that it is available to reference from the keystone::pipeline class. This is safe to do because it is a refreshonly exec, so even though it is unconditionally declared, it will only be activated if the default domain resource activates it, or the keystone::disable_admin_token_auth class activates it, or both. It will only restart keystone once no matter how many times it is activated. Change-Id: If8a7e1639189f46e16fc996fd7919eb784d24971 Depends-On: Idc3b938e37b792636ec7c2702bf8429467b78d66
2015-12-10 22:46:17 -08:00
it { is_expected.to contain_exec('restart_keystone').with(
'command' => "service #{platform_parameters[:httpd_service_name]} restart",
) }
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
end
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
shared_examples "when using default class parameters for httpd on RedHat" do
stop managing eventlet service on RedHat RedHat packaging dropped the eventlet service (openstack-keystone) so we no longer need to manage it (we used to stop the service before starting httpd to make sure apache can start without binding issue). So we still maintain the service stop for Debian & Ubuntu, since they sitll provide the scripts. Once they'll drop it, we'll drop the Service resource and deprecate keystone::service class that will be useless. Change-Id: Iecef6f2829ef4bf9162e77ef024d53eedf485726
2016-05-12 16:48:01 -04:00
let :params do
httpd_params
end
let :pre_condition do
Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
2019-12-08 23:09:22 +01:00
'include keystone::wsgi::apache'
stop managing eventlet service on RedHat RedHat packaging dropped the eventlet service (openstack-keystone) so we no longer need to manage it (we used to stop the service before starting httpd to make sure apache can start without binding issue). So we still maintain the service stop for Debian & Ubuntu, since they sitll provide the scripts. Once they'll drop it, we'll drop the Service resource and deprecate keystone::service class that will be useless. Change-Id: Iecef6f2829ef4bf9162e77ef024d53eedf485726
2016-05-12 16:48:01 -04:00
end
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
it_behaves_like 'core keystone examples', httpd_params
stop managing eventlet service on RedHat RedHat packaging dropped the eventlet service (openstack-keystone) so we no longer need to manage it (we used to stop the service before starting httpd to make sure apache can start without binding issue). So we still maintain the service stop for Debian & Ubuntu, since they sitll provide the scripts. Once they'll drop it, we'll drop the Service resource and deprecate keystone::service class that will be useless. Change-Id: Iecef6f2829ef4bf9162e77ef024d53eedf485726
2016-05-12 16:48:01 -04:00
it do
expect {
is_expected.to contain_service(platform_parameters[:service_name]).with('ensure' => 'running')
}.to raise_error(RSpec::Expectations::ExpectationNotMetError, /expected that the catalogue would contain Service\[#{platform_parameters[:service_name]}\]/)
end
it { is_expected.to contain_service('httpd').with_before(/Anchor\[keystone::service::end\]/) }
it { is_expected.to contain_exec('restart_keystone').with(
'command' => "service #{platform_parameters[:httpd_service_name]} restart",
) }
end
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
describe 'when using invalid service name for keystone' do
let (:params) { {'service_name' => 'foo'}.merge(default_params) }
it_raises 'a Puppet::Error', /Invalid service_name/
explicitly set token_format the default setting for token_format in grizzly changes from UUID to PKI. This adds explicit configuration to ensure that it is set as UUID to ease the process of upgrades and allow the same puppet code to work with both versions.
2013-03-13 09:18:36 -07:00
end
Add ability to disable pki_setup The enable_pki_setup parameter adds the ability to disable pki_setup, allowing the user to manage the signing certificate himself. Change-Id: Icb84e01adecdd3287ceb22defb9882f03ae8d96f Closes-bug: #1278546
2014-02-10 14:26:27 -05:00
Add manage_service feature puppet-keystone lacks of disabling service managing. This patch adds $manage_service parameter to relevant class. Change-Id: I80a55857442c6cd32387481fbe68b54f52e827a1 Closes-bug: #1359823
2014-08-25 14:52:37 +02:00
describe 'with disabled service managing' do
let :params do
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-11-02 12:32:24 +01:00
{ :manage_service => false,
Add manage_service feature puppet-keystone lacks of disabling service managing. This patch adds $manage_service parameter to relevant class. Change-Id: I80a55857442c6cd32387481fbe68b54f52e827a1 Closes-bug: #1359823
2014-08-25 14:52:37 +02:00
:enabled => false }
end
it { is_expected.to contain_service('keystone').with(
'ensure' => nil,
'enable' => false,
'hasstatus' => true,
'hasrestart' => true
) }
Keystone hooks support This code moves all deps to an external class so that Keystone can be installed with mechanisms besides packages (like venv or docker). This also cleans-up the dependency tree by removing false or confusing dependencies. Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8 Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-02-23 18:31:15 -07:00
it { is_expected.to contain_anchor('keystone::service::end') }
Add manage_service feature puppet-keystone lacks of disabling service managing. This patch adds $manage_service parameter to relevant class. Change-Id: I80a55857442c6cd32387481fbe68b54f52e827a1 Closes-bug: #1359823
2014-08-25 14:52:37 +02:00
end
Revert "Remove PKI signing related parameters" This reverts commit c479c0eb8621b101effd808b66daf938389fbe73. Technically this functionality is still needed if you are using PKI for the revocation lists. The PKI token support has been removed in Icf1ebced44a675c88fb66a6c0431208ff5181574 but the PKI setup is still valid if using PKI for revocation lists (see ceph rgw) Change-Id: Ib6ac9d1d0c4f17ae657254a8847862572ba09839
2017-01-20 16:09:47 +00:00
describe 'when configuring signing token provider' do
describe 'when configuring as UUID' do
let :params do
{
'token_provider' => 'keystone.token.providers.uuid.Provider'
}
end
end
describe 'with invalid catalog_type' do
let :params do
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-11-02 12:32:24 +01:00
{ :catalog_type => 'invalid' }
Revert "Remove PKI signing related parameters" This reverts commit c479c0eb8621b101effd808b66daf938389fbe73. Technically this functionality is still needed if you are using PKI for the revocation lists. The PKI token support has been removed in Icf1ebced44a675c88fb66a6c0431208ff5181574 but the PKI setup is still valid if using PKI for revocation lists (see ceph rgw) Change-Id: Ib6ac9d1d0c4f17ae657254a8847862572ba09839
2017-01-20 16:09:47 +00:00
end
Use validate_legacy This changes all the puppet 3 validate_* functions to use the validate_legacy function. The validate_legacy function has been available since about three years but require Puppet >= 4.4.0 and since there is Puppet 4.10.12 as latest we should assume people are running a fairly new Puppet 4 version. This is the first step to then remove all validate function calls and use proper types for parameter as described in spec [1]. [1] https://review.openstack.org/#/c/568929/ Depends-On: https://review.openstack.org/#/c/639215/ Change-Id: Idd720f18893bea0ec1d26859e0a6907a5daa8980
2019-02-23 12:32:35 +01:00
it { should raise_error(Puppet::Error) }
Revert "Remove PKI signing related parameters" This reverts commit c479c0eb8621b101effd808b66daf938389fbe73. Technically this functionality is still needed if you are using PKI for the revocation lists. The PKI token support has been removed in Icf1ebced44a675c88fb66a6c0431208ff5181574 but the PKI setup is still valid if using PKI for revocation lists (see ceph rgw) Change-Id: Ib6ac9d1d0c4f17ae657254a8847862572ba09839
2017-01-20 16:09:47 +00:00
end
describe 'when configuring catalog driver' do
let :params do
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-11-02 12:32:24 +01:00
{ :catalog_driver => 'alien' }
Revert "Remove PKI signing related parameters" This reverts commit c479c0eb8621b101effd808b66daf938389fbe73. Technically this functionality is still needed if you are using PKI for the revocation lists. The PKI token support has been removed in Icf1ebced44a675c88fb66a6c0431208ff5181574 but the PKI setup is still valid if using PKI for revocation lists (see ceph rgw) Change-Id: Ib6ac9d1d0c4f17ae657254a8847862572ba09839
2017-01-20 16:09:47 +00:00
end
it { is_expected.to contain_keystone_config('catalog/driver').with_value(params[:catalog_driver]) }
end
end
Creating token_expiration parameter Sets keystone token lifetime (default 86400 seconds). Change-Id: I9f8df93049865a9d67941e5e7d45b89d2aa5131b
2013-12-10 10:12:43 -06:00
describe 'when configuring token expiration' do
let :params do
{
'token_expiration' => '42',
}
end
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config("token/expiration").with_value('42') }
Creating token_expiration parameter Sets keystone token lifetime (default 86400 seconds). Change-Id: I9f8df93049865a9d67941e5e7d45b89d2aa5131b
2013-12-10 10:12:43 -06:00
end
describe 'when not configuring token expiration' do
let :params do
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-11-02 12:32:24 +01:00
{}
Creating token_expiration parameter Sets keystone token lifetime (default 86400 seconds). Change-Id: I9f8df93049865a9d67941e5e7d45b89d2aa5131b
2013-12-10 10:12:43 -06:00
end
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config("token/expiration").with_value('3600') }
Creating token_expiration parameter Sets keystone token lifetime (default 86400 seconds). Change-Id: I9f8df93049865a9d67941e5e7d45b89d2aa5131b
2013-12-10 10:12:43 -06:00
end
Create a sync_db boolean for Keystone. Other components offer the option to decide whether or not to run the db sync command. Keystone was missing this feature. This commit add this feature for Keystone. Change-Id: Ic21be35eba2aa310b1234c83912f36ed2411d206
2015-04-07 14:51:00 +02:00
describe 'when sync_db is set to false' do
let :params do
{
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-11-02 12:32:24 +01:00
'sync_db' => false,
Create a sync_db boolean for Keystone. Other components offer the option to decide whether or not to run the db sync command. Keystone was missing this feature. This commit add this feature for Keystone. Change-Id: Ic21be35eba2aa310b1234c83912f36ed2411d206
2015-04-07 14:51:00 +02:00
}
end
it { is_expected.not_to contain_exec('keystone-manage db_sync') }
end
Add support to enable ssl keystone config Currently there is no easy way to pass in enable ssl and set the ssl options in keystone config. This should expose the options to be set as part of the ssl config in keystone. Change-Id: Idb63406a90d8b1072e6781f820e62633aeb3bac7
2014-02-11 10:11:43 -05:00
describe 'when enabling SSL' do
let :params do
{
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
'enable_ssl' => true,
Add support to enable ssl keystone config Currently there is no easy way to pass in enable ssl and set the ssl options in keystone config. This should expose the options to be set as part of the ssl config in keystone. Change-Id: Idb63406a90d8b1072e6781f820e62633aeb3bac7
2014-02-11 10:11:43 -05:00
}
end
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)}
it {is_expected.to contain_keystone_config('ssl/certfile').with_value('/etc/keystone/ssl/certs/keystone.pem')}
it {is_expected.to contain_keystone_config('ssl/keyfile').with_value('/etc/keystone/ssl/private/keystonekey.pem')}
it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
Add support to enable ssl keystone config Currently there is no easy way to pass in enable ssl and set the ssl options in keystone config. This should expose the options to be set as part of the ssl config in keystone. Change-Id: Idb63406a90d8b1072e6781f820e62633aeb3bac7
2014-02-11 10:11:43 -05:00
end
Do not set public_bind_host and public_port in eventlet section Remove public_bind_host and public_port configured under eventlet section as they were alrady deprecated. Set public_endpoint from public_bind_host and public_port so that these information can be refered by provider code to get endpoint even if public_endpoint isn't explicitly given. Change-Id: Ic38e41b31155a7d3a4f1f5fc606421dd525c1025
2019-09-12 19:24:02 +09:00
Add support to enable ssl keystone config Currently there is no easy way to pass in enable ssl and set the ssl options in keystone config. This should expose the options to be set as part of the ssl config in keystone. Change-Id: Idb63406a90d8b1072e6781f820e62633aeb3bac7
2014-02-11 10:11:43 -05:00
describe 'when disabling SSL' do
let :params do
{
Add keystone::bootstrap class This class combines the keystone-manage bootstrap command from init, the keystone::endpoint functionality that manages the keystone endpoints and the keystone::roles::admin class that manages users and projects. This is one of the steps to make sure we only have a single point of entry for bootstrapping (keystone-manage bootstrap) and then only managing resources after that. This is especially required since we are getting rid of the admin token and cannot manage resources before keystone-manage bootstrap has created the user, project, service and endpoints for us. These resources should always be in the default domain and deployments should manage domain specific configuration themselves using the provider resources. This class uses the default values from the keystone-manage bootstrap command. In the past puppet-keystone has always created a openstack project that is assumed as a admin project even though the bootstrap command creates the admin project. Since this uses the default values from the bootstrap command we should move away from having an openstack project, if we need that in testing it should be created there and not in the default deployment. Depends-On: https://review.opendev.org/#/c/698528/ Change-Id: I683fcdd743bddf6d4e989dd7e7c553db745934db
2019-11-02 12:32:24 +01:00
'enable_ssl'=> false,
Add support to enable ssl keystone config Currently there is no easy way to pass in enable ssl and set the ssl options in keystone config. This should expose the options to be set as part of the ssl config in keystone. Change-Id: Idb63406a90d8b1072e6781f820e62633aeb3bac7
2014-02-11 10:11:43 -05:00
}
end
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it {is_expected.to contain_keystone_config('ssl/enable').with_value(false)}
Add support to enable ssl keystone config Currently there is no easy way to pass in enable ssl and set the ssl options in keystone config. This should expose the options to be set as part of the ssl config in keystone. Change-Id: Idb63406a90d8b1072e6781f820e62633aeb3bac7
2014-02-11 10:11:43 -05:00
end
Do not set public_bind_host and public_port in eventlet section Remove public_bind_host and public_port configured under eventlet section as they were alrady deprecated. Set public_endpoint from public_bind_host and public_port so that these information can be refered by provider code to get endpoint even if public_endpoint isn't explicitly given. Change-Id: Ic38e41b31155a7d3a4f1f5fc606421dd525c1025
2019-09-12 19:24:02 +09:00
Add notification related params This patch is aim to add notification and rabbit related params in keystone class to manage configuration of notification options in keystone. Closes-bug: #1280071 Change-Id: I8a999a85666c905571f5d8d2b9262e03d38adff0
2014-02-12 15:25:21 +08:00
describe 'not setting notification settings by default' do
let :params do
default_params
end
Add notification transport_url to support dual oslo_messaging backends Change-Id: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40
2017-01-23 14:52:16 -05:00
it { is_expected.to contain_keystone_config('oslo_messaging_notifications/transport_url').with_value('<SERVICE DEFAULT>') }
Set oslo options in keystone module through puppet-oslo Key moments: * use oslo::{db,log,cache,policy}, oslo::messaging::{default,notifications,rabbit} * update top-file docs * add new parameters provided by oslo * update tests accordingly * add oslo dependency to "metadata.json" * add release notes Change-Id: I6840b7b9a0cd4832794b1b2a017fc241759aab66
2016-04-06 18:30:13 +03:00
it { is_expected.to contain_keystone_config('oslo_messaging_notifications/driver').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_keystone_config('oslo_messaging_notifications/topics').with_value('<SERVICE DEFAULT>') }
Switch Keystone to $::os_service_default This patch switches Keystone params, which have absent ensure, to $::os_service_default fact Change-Id: Ibe91ac643d620543c6f7205a8a1944a56431bf43
2015-11-27 20:29:05 +00:00
it { is_expected.to contain_keystone_config('DEFAULT/notification_format').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_keystone_config('DEFAULT/control_exchange').with_value('<SERVICE DEFAULT>') }
Add rpc_response_timeout option Add rpc_response_timeout to configure seconds time for waiting for a response from a call. Change-Id: Ibb64a1d6faeeb0bc74426e70dbfdf726313d36f7
2017-03-01 10:12:09 +08:00
it { is_expected.to contain_keystone_config('DEFAULT/rpc_response_timeout').with_value('<SERVICE DEFAULT>') }
Add notification related params This patch is aim to add notification and rabbit related params in keystone class to manage configuration of notification options in keystone. Closes-bug: #1280071 Change-Id: I8a999a85666c905571f5d8d2b9262e03d38adff0
2014-02-12 15:25:21 +08:00
end
SSL for communication between keystone and rabbitmq Currently, Keystone can not be configured via Puppet to communicate with rabbitmq using SSL. Most other puppet component already have this feature. This commit enable this feature for Keystone. Change-Id: Idd207a58a71c001e581d17c5b97965189e20869f
2014-06-10 12:36:43 -04:00
describe 'with RabbitMQ communication SSLed' do
let :params do
default_params.merge!({
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
:kombu_ssl_certfile => '/path/to/ssl/cert/file',
:kombu_ssl_keyfile => '/path/to/ssl/keyfile',
Switch to TLSv1 as SSLv3 is considered insecure and is disabled by default Rabbitmq won't talk to us anymore if we try to use SSLv3 as it disabled support for SSLv3. Openstack components use python's openssl implementation which does not support TLSv1.1 and TLSv1.2 yet so we just switch to TLSv1. Support for newer TLS should come with python 2.7.9+ Closes-Bug: #1409667 Change-Id: I852cf4d68de6d6b40056b9928971e63fc1b76a3b
2015-01-02 20:48:44 +01:00
:kombu_ssl_version => 'TLSv1'
SSL for communication between keystone and rabbitmq Currently, Keystone can not be configured via Puppet to communicate with rabbitmq using SSL. Most other puppet component already have this feature. This commit enable this feature for Keystone. Change-Id: Idd207a58a71c001e581d17c5b97965189e20869f
2014-06-10 12:36:43 -04:00
})
end
rabbitmq SSL: check puppet resource instead of actual config The configuration is done via the oslo::messaging::rabbit resource from puppet-oslo. We should be checking for the resource that we're using instead of the underlying configuration file. Change-Id: I7d69466479cc689d251665ff4a9affcd6503379a
2017-03-10 13:47:48 +02:00
it { is_expected.to contain_oslo__messaging__rabbit('keystone_config').with(
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
:kombu_ssl_certfile => '/path/to/ssl/cert/file',
:kombu_ssl_keyfile => '/path/to/ssl/keyfile',
:kombu_ssl_version => 'TLSv1'
)}
SSL for communication between keystone and rabbitmq Currently, Keystone can not be configured via Puppet to communicate with rabbitmq using SSL. Most other puppet component already have this feature. This commit enable this feature for Keystone. Change-Id: Idd207a58a71c001e581d17c5b97965189e20869f
2014-06-10 12:36:43 -04:00
end
describe 'with RabbitMQ communication not SSLed' do
let :params do
default_params.merge!({
Switch Keystone to $::os_service_default This patch switches Keystone params, which have absent ensure, to $::os_service_default fact Change-Id: Ibe91ac643d620543c6f7205a8a1944a56431bf43
2015-11-27 20:29:05 +00:00
:rabbit_use_ssl => '<SERVICE DEFAULT>',
:kombu_ssl_ca_certs => '<SERVICE DEFAULT>',
:kombu_ssl_certfile => '<SERVICE DEFAULT>',
:kombu_ssl_keyfile => '<SERVICE DEFAULT>',
:kombu_ssl_version => '<SERVICE DEFAULT>'
SSL for communication between keystone and rabbitmq Currently, Keystone can not be configured via Puppet to communicate with rabbitmq using SSL. Most other puppet component already have this feature. This commit enable this feature for Keystone. Change-Id: Idd207a58a71c001e581d17c5b97965189e20869f
2014-06-10 12:36:43 -04:00
})
end
rabbitmq SSL: check puppet resource instead of actual config The configuration is done via the oslo::messaging::rabbit resource from puppet-oslo. We should be checking for the resource that we're using instead of the underlying configuration file. Change-Id: I7d69466479cc689d251665ff4a9affcd6503379a
2017-03-10 13:47:48 +02:00
it { is_expected.to contain_oslo__messaging__rabbit('keystone_config').with(
:rabbit_use_ssl => '<SERVICE DEFAULT>',
:kombu_ssl_ca_certs => '<SERVICE DEFAULT>',
:kombu_ssl_certfile => '<SERVICE DEFAULT>',
:kombu_ssl_keyfile => '<SERVICE DEFAULT>',
:kombu_ssl_version => '<SERVICE DEFAULT>'
)}
SSL for communication between keystone and rabbitmq Currently, Keystone can not be configured via Puppet to communicate with rabbitmq using SSL. Most other puppet component already have this feature. This commit enable this feature for Keystone. Change-Id: Idd207a58a71c001e581d17c5b97965189e20869f
2014-06-10 12:36:43 -04:00
end
Add max_token_size optional parameter This adds a param to set the max_token_size in keystone.conf. The setting allows larger tokens (i.e. PKI and large catalog) to work, in line with other projects that have increased the default from 8k to 16k max. The default setting in Keystone is 8k, the default in this change is undef, which removes the config item from keystone.conf. Change-Id: I1e73cf274c26d1368973207a5823ca7a6197612b
2014-11-24 11:37:52 +13:00
describe 'when configuring max_token_size' do
let :params do
default_params.merge({:max_token_size => '16384' })
end
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config('DEFAULT/max_token_size').with_value(params[:max_token_size]) }
Add max_token_size optional parameter This adds a param to set the max_token_size in keystone.conf. The setting allows larger tokens (i.e. PKI and large catalog) to work, in line with other projects that have increased the default from 8k to 16k max. The default setting in Keystone is 8k, the default in this change is undef, which removes the config item from keystone.conf. Change-Id: I1e73cf274c26d1368973207a5823ca7a6197612b
2014-11-24 11:37:52 +13:00
end
Add notification related params This patch is aim to add notification and rabbit related params in keystone class to manage configuration of notification options in keystone. Closes-bug: #1280071 Change-Id: I8a999a85666c905571f5d8d2b9262e03d38adff0
2014-02-12 15:25:21 +08:00
describe 'setting notification settings' do
let :params do
default_params.merge({
Add rpc_response_timeout option Add rpc_response_timeout to configure seconds time for waiting for a response from a call. Change-Id: Ibb64a1d6faeeb0bc74426e70dbfdf726313d36f7
2017-03-01 10:12:09 +08:00
:notification_driver => ['keystone.openstack.common.notifier.rpc_notifier'],
:notification_topics => ['notifications'],
:notification_format => 'cadf',
:control_exchange => 'keystone',
:rpc_response_timeout => '120'
Add notification related params This patch is aim to add notification and rabbit related params in keystone class to manage configuration of notification options in keystone. Closes-bug: #1280071 Change-Id: I8a999a85666c905571f5d8d2b9262e03d38adff0
2014-02-12 15:25:21 +08:00
})
end
Fix broken unit tests because of list in notification drivers Because the value for oslo_messaging_notifications/driver is now a list[1], we should expect that a list is set when multiple drivers are given. [1] c7b0cc82fac79b47c3dd9a625cbd5a1eb192ed00 Change-Id: I7f8c3c9ab72e7962e96464842b45f5b7946ea439
2020-04-26 23:11:53 +09:00
it { is_expected.to contain_keystone_config('oslo_messaging_notifications/driver').with_value(['keystone.openstack.common.notifier.rpc_notifier']) }
Set oslo options in keystone module through puppet-oslo Key moments: * use oslo::{db,log,cache,policy}, oslo::messaging::{default,notifications,rabbit} * update top-file docs * add new parameters provided by oslo * update tests accordingly * add oslo dependency to "metadata.json" * add release notes Change-Id: I6840b7b9a0cd4832794b1b2a017fc241759aab66
2016-04-06 18:30:13 +03:00
it { is_expected.to contain_keystone_config('oslo_messaging_notifications/topics').with_value('notifications') }
Support notification_format Add support for the notification_format option Change-Id: I2a66ee24aa05d686adcd396aceb75ba838c2eb55
2015-04-16 09:18:42 -06:00
it { is_expected.to contain_keystone_config('DEFAULT/notification_format').with_value('cadf') }
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config('DEFAULT/control_exchange').with_value('keystone') }
Add rpc_response_timeout option Add rpc_response_timeout to configure seconds time for waiting for a response from a call. Change-Id: Ibb64a1d6faeeb0bc74426e70dbfdf726313d36f7
2017-03-01 10:12:09 +08:00
it { is_expected.to contain_keystone_config('DEFAULT/rpc_response_timeout').with_value('120') }
Add notification related params This patch is aim to add notification and rabbit related params in keystone class to manage configuration of notification options in keystone. Closes-bug: #1280071 Change-Id: I8a999a85666c905571f5d8d2b9262e03d38adff0
2014-02-12 15:25:21 +08:00
end
Add some kombu options Add kombu_reconnect_delay, kombu_failover_strategy and kombu_compression for keystone. Change-Id: I9b8991e56ccc0d215273372350a8db98ed0f2f22
2016-05-11 20:03:52 +03:00
describe 'setting kombu settings' do
let :params do
default_params.merge({
:kombu_reconnect_delay => '1.0',
:kombu_compression => 'gzip',
})
end
it { is_expected.to contain_keystone_config('oslo_messaging_rabbit/kombu_reconnect_delay').with_value('1.0') }
it { is_expected.to contain_keystone_config('oslo_messaging_rabbit/kombu_compression').with_value('gzip') }
it { is_expected.to contain_keystone_config('oslo_messaging_rabbit/kombu_failover_strategy').with_value('<SERVICE DEFAULT>') }
end
Add option to enable Keystone's SSL middleware Keystone is now using the HTTPProxyToWSGI middleware from oslo.middlware in its default api-paste configuration [1]. This commit gives us the ability to enable/disable that middlware. [1] Iad628a863e55cbf20c89ef23ebc7527ba8e1a835 Change-Id: I0fec98a6e1d9c8be4d8b8df382b78ba2815790f9
2016-07-13 10:50:20 +03:00
describe 'setting enable_proxy_headers_parsing' do
let :params do
default_params.merge({:enable_proxy_headers_parsing => true })
end
oslo middleware: check puppet resource instead of actual config in spec Change-Id: I7ec115a55fdc19e16dfb02e570725899e2852ca7
2018-03-21 11:24:02 +08:00
it { is_expected.to contain_oslo__middleware('keystone_config').with(
:enable_proxy_headers_parsing => true,
)}
Add option to enable Keystone's SSL middleware Keystone is now using the HTTPProxyToWSGI middleware from oslo.middlware in its default api-paste configuration [1]. This commit gives us the ability to enable/disable that middlware. [1] Iad628a863e55cbf20c89ef23ebc7527ba8e1a835 Change-Id: I0fec98a6e1d9c8be4d8b8df382b78ba2815790f9
2016-07-13 10:50:20 +03:00
end
Manage oslo_middleware/max_request_body_size So that we can increase it from the default 114688 Useful in case for example the OS-Federation mapping is too large. If this limit is breached keystone will return a 413 Entity Too Large and not log anything to keystone.log. Closes-Bug: #1835161 Change-Id: If9fc5c0bb5d6216b8656ee1673e1812c543de305 Signed-off-by: Johan Guldmyr <johan.guldmyr@csc.fi>
2019-07-03 09:52:44 +03:00
describe 'setting max_request_body_size' do
let :params do
default_params.merge({:max_request_body_size => '1146880' })
end
oslo middleware: check puppet resource instead of actual config in spec Change-Id: Ib1d2378a2d0b0c54fec50bd50190dac20bbd8f42
2019-07-04 13:35:31 +08:00
it { is_expected.to contain_oslo__middleware('keystone_config').with(
:max_request_body_size => '1146880',
)}
Manage oslo_middleware/max_request_body_size So that we can increase it from the default 114688 Useful in case for example the OS-Federation mapping is too large. If this limit is breached keystone will return a 413 Entity Too Large and not log anything to keystone.log. Closes-Bug: #1835161 Change-Id: If9fc5c0bb5d6216b8656ee1673e1812c543de305 Signed-off-by: Johan Guldmyr <johan.guldmyr@csc.fi>
2019-07-03 09:52:44 +03:00
end
Add policy driver option for keystone This option is entrypoint for the policy backend driver in the keystone.policy namespace. Adding below parameter: policy/driver Change-Id: Ie1b957f18517591a7ecd4635f907d6f56750beb7
2015-11-02 18:49:28 +02:00
describe 'setting sql policy driver' do
let :params do
default_params.merge({:policy_driver => 'sql' })
end
it { is_expected.to contain_keystone_config('policy/driver').with_value('sql') }
end
add template_file parameter to specify catalog this lets you set the catalog to use when catalog_type is set to 'template'. Also added some tests according to catalog settings. Change-Id: I48c3b903ceafe94f2ec31b49d617e5a9951de7f9
2014-03-27 12:49:41 +01:00
describe 'setting sql (default) catalog' do
let :params do
default_params
end
use stevedore names when possible and cleanup ldap testing Instead of using long backend/drivers name, use short name and stevedore will load plugins for us. It will prevent this kind of message in logs: Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore: No 'keystone.catalog' driver found, Also cleanup unit and functional tests that were setting wrong credential & assignment drivers. Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09
2016-02-26 10:03:15 -05:00
it { is_expected.to contain_keystone_config('catalog/driver').with_value('sql') }
add template_file parameter to specify catalog this lets you set the catalog to use when catalog_type is set to 'template'. Also added some tests according to catalog settings. Change-Id: I48c3b903ceafe94f2ec31b49d617e5a9951de7f9
2014-03-27 12:49:41 +01:00
end
describe 'setting default template catalog' do
let :params do
{
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
:catalog_type => 'template'
add template_file parameter to specify catalog this lets you set the catalog to use when catalog_type is set to 'template'. Also added some tests according to catalog settings. Change-Id: I48c3b903ceafe94f2ec31b49d617e5a9951de7f9
2014-03-27 12:49:41 +01:00
}
end
use stevedore names when possible and cleanup ldap testing Instead of using long backend/drivers name, use short name and stevedore will load plugins for us. It will prevent this kind of message in logs: Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore: No 'keystone.catalog' driver found, Also cleanup unit and functional tests that were setting wrong credential & assignment drivers. Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09
2016-02-26 10:03:15 -05:00
it { is_expected.to contain_keystone_config('catalog/driver').with_value('templated') }
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config('catalog/template_file').with_value('/etc/keystone/default_catalog.templates') }
add template_file parameter to specify catalog this lets you set the catalog to use when catalog_type is set to 'template'. Also added some tests according to catalog settings. Change-Id: I48c3b903ceafe94f2ec31b49d617e5a9951de7f9
2014-03-27 12:49:41 +01:00
end
describe 'setting another template catalog' do
let :params do
{
Fix the test file name of init.pp Change-Id: I19e905703605faf191b9beec6250cf9ae50fb902
2016-10-30 00:40:51 +08:00
:catalog_type => 'template',
:catalog_template_file => '/some/template_file'
add template_file parameter to specify catalog this lets you set the catalog to use when catalog_type is set to 'template'. Also added some tests according to catalog settings. Change-Id: I48c3b903ceafe94f2ec31b49d617e5a9951de7f9
2014-03-27 12:49:41 +01:00
}
end
use stevedore names when possible and cleanup ldap testing Instead of using long backend/drivers name, use short name and stevedore will load plugins for us. It will prevent this kind of message in logs: Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore: No 'keystone.catalog' driver found, Also cleanup unit and functional tests that were setting wrong credential & assignment drivers. Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09
2016-02-26 10:03:15 -05:00
it { is_expected.to contain_keystone_config('catalog/driver').with_value('templated') }
spec: updates for rspec-puppet 2.x and rspec 3.x This patch aim to update our specs test in order to work with the rspec-puppet release 2.0.0, in the mean time, we update rspec syntax in order to be prepared for rspec 3.x move. In details: * Use shared_examples "a Puppet::Error" for puppet::error tests * Convert 'should' keyword to 'is_expected.to' (prepare rspec 3.x) * Fix spec tests for rspec-puppet 2.0.0 * Upgrade and pin rspec-puppet from 1.0.1 to 2.0.0 * Clean Gemfile (remove over-specificication of runtime deps of puppetlabs_spec_helper) * Standardize gemfile (add json, webmock) Change-Id: I35a39d4f3919d56c9448f0a0602cfe284ebc2e9c Card: https://trello.com/c/eHXc1Ryd/4-investigate-the-necessary-change-to-be-rspec-puppet-2-0-0-compliant
2015-03-15 16:32:35 +01:00
it { is_expected.to contain_keystone_config('catalog/template_file').with_value('/some/template_file') }
add template_file parameter to specify catalog this lets you set the catalog to use when catalog_type is set to 'template'. Also added some tests according to catalog settings. Change-Id: I48c3b903ceafe94f2ec31b49d617e5a9951de7f9
2014-03-27 12:49:41 +01:00
end
Make service provider as changeble incoming parameter. This change need for using Keystone with alternative service systems. For example -- a corosync/pacemaker clustering solution. or another. Change-Id: I4b7fe3e1a25d1017c53726cf8ce69338d060beb7
2014-04-10 14:34:35 +04:00
Add support for credential_setup Allow and enable by default the setup of Keystone credentials with keystone-manage. It has been a requirement in Keystone upstream so puppet-keystone will support the management of credential directory, keystone-manage credential_setup execution (can be disabled with enable_credential_setup boolean) and the configuration of credential/key_repository in keystone.conf. Note: the feature is now disabled by default because UCA doesn't have latest keystone. Once it has it, the value will be switched to True. Change-Id: I364f65c7009e400f2851e37999e1d8c0b6f5fd5a
2016-09-02 15:18:07 -04:00
describe 'when using credentials' do
describe 'when enabling credential_setup' do
let :params do
default_params.merge({
'enable_credential_setup' => true,
'credential_key_repository' => '/etc/keystone/credential-keys',
})
end
it { is_expected.to contain_file(params['credential_key_repository']).with(
:ensure => 'directory',
:owner => params['keystone_user'],
:group => params['keystone_group'],
set 0600 permissions on fernet keys & folder Fernet keys and the fernet key folder should be managed with permissions 0600 for more security on the keys. Same for the credentials folder and credentials. Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2
2016-10-04 22:29:02 -06:00
'mode' => '0600',
Add support for credential_setup Allow and enable by default the setup of Keystone credentials with keystone-manage. It has been a requirement in Keystone upstream so puppet-keystone will support the management of credential directory, keystone-manage credential_setup execution (can be disabled with enable_credential_setup boolean) and the configuration of credential/key_repository in keystone.conf. Note: the feature is now disabled by default because UCA doesn't have latest keystone. Once it has it, the value will be switched to True. Change-Id: I364f65c7009e400f2851e37999e1d8c0b6f5fd5a
2016-09-02 15:18:07 -04:00
) }
it { is_expected.to contain_exec('keystone-manage credential_setup').with(
:command => "keystone-manage credential_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
:user => params['keystone_user'],
:creates => '/etc/keystone/credential-keys/0',
:require => 'File[/etc/keystone/credential-keys]',
) }
it { is_expected.to contain_keystone_config('credential/key_repository').with_value('/etc/keystone/credential-keys')}
end
describe 'when overriding the credential key directory' do
let :params do
default_params.merge({
'enable_credential_setup' => true,
'credential_key_repository' => '/var/lib/credential-keys',
})
end
it { is_expected.to contain_exec('keystone-manage credential_setup').with(
:creates => '/var/lib/credential-keys/0'
) }
end
describe 'when overriding the keystone group and user' do
let :params do
default_params.merge({
'enable_credential_setup' => true,
'keystone_user' => 'test_user',
'keystone_group' => 'test_group',
})
end
it { is_expected.to contain_exec('keystone-manage credential_setup').with(
:command => "keystone-manage credential_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
:user => params['keystone_user'],
:creates => '/etc/keystone/credential-keys/0',
:require => 'File[/etc/keystone/credential-keys]',
) }
end
Allow to manage credential files contents Running keystone-manage credential_setup has not been designed for multinode environment. Keystone team suggests to run this command on one node, to export the keys and collect them on every Keystone server. Most of people don't have this mechanism when deploying OpenStack. This patch aims to allow to use puppet-keystone to manage credential files using Puppet file resource. All credentials would be defined in a hash where file path and content is defined. Here is an example: credential_keys: /etc/keystone/credential-keys/0: content: t-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI= /etc/keystone/credential-keys/1: content: GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8= To enable this feature, you'll need to set enable_credential_setup to True and configure credential_keys with a valid hash. Change-Id: Ic335ea201b58c99e9fd8a0a2c0865b461ff8f672
2016-09-06 18:13:32 -04:00
describe 'when setting credential_keys parameter' do
let :params do
default_params.merge({
'enable_credential_setup' => true,
'credential_keys' => {
'/etc/keystone/credential-keys/0' => {
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
},
'/etc/keystone/credential-keys/1' => {
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
},
}
})
end
it { is_expected.to_not contain_exec('keystone-manage credential_setup') }
it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
'subscribe' => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
'owner' => 'keystone',
'subscribe' => 'Anchor[keystone::install::end]',
)}
end
Add support for credential_setup Allow and enable by default the setup of Keystone credentials with keystone-manage. It has been a requirement in Keystone upstream so puppet-keystone will support the management of credential directory, keystone-manage credential_setup execution (can be disabled with enable_credential_setup boolean) and the configuration of credential/key_repository in keystone.conf. Note: the feature is now disabled by default because UCA doesn't have latest keystone. Once it has it, the value will be switched to True. Change-Id: I364f65c7009e400f2851e37999e1d8c0b6f5fd5a
2016-09-02 15:18:07 -04:00
describe 'when disabling credential_setup' do
let :params do
default_params.merge({
'enable_credential_setup' => false,
'credential_key_repository' => '/etc/keystone/credential-keys',
})
end
it { is_expected.to_not contain_file(params['credential_key_repository']) }
it { is_expected.to_not contain_exec('keystone-manage credential_setup') }
end
end
Add support for Fernet Tokens This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
2015-05-25 12:47:09 -06:00
describe 'when using fernet tokens' do
describe 'when enabling fernet_setup' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_max_active_keys' => 5,
Add a new param for fernet tokens config "revoke_id" param was added for fernet tokens configuration. It revokes token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens. Change-Id: I645cd591f1018a9a595d8f738a782f64c0a984a4
2015-10-27 15:48:53 +02:00
'revoke_by_id' => false,
Changes around keystone-manage commands * perform all keystone-manage commands only as keystone user * as it possible to override keystone user in init class we should also have an ability to override it in db::sync class * ensure that fernet key directory is created before fernet setup command and it's owned by keystone user Closes-bug: #1604884 Change-Id: Ib90d8e2259b9a650a2edb5f0baf0e68451b9abf6
2016-06-28 00:40:54 +03:00
'fernet_key_repository' => '/etc/keystone/fernet-keys',
Add support for Fernet Tokens This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
2015-05-25 12:47:09 -06:00
})
end
Changes around keystone-manage commands * perform all keystone-manage commands only as keystone user * as it possible to override keystone user in init class we should also have an ability to override it in db::sync class * ensure that fernet key directory is created before fernet setup command and it's owned by keystone user Closes-bug: #1604884 Change-Id: Ib90d8e2259b9a650a2edb5f0baf0e68451b9abf6
2016-06-28 00:40:54 +03:00
it { is_expected.to contain_file(params['fernet_key_repository']).with(
:ensure => 'directory',
:owner => params['keystone_user'],
:group => params['keystone_group'],
set 0600 permissions on fernet keys & folder Fernet keys and the fernet key folder should be managed with permissions 0600 for more security on the keys. Same for the credentials folder and credentials. Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2
2016-10-04 22:29:02 -06:00
:mode => '0600',
Changes around keystone-manage commands * perform all keystone-manage commands only as keystone user * as it possible to override keystone user in init class we should also have an ability to override it in db::sync class * ensure that fernet key directory is created before fernet setup command and it's owned by keystone user Closes-bug: #1604884 Change-Id: Ib90d8e2259b9a650a2edb5f0baf0e68451b9abf6
2016-06-28 00:40:54 +03:00
) }
Add support for Fernet Tokens This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
2015-05-25 12:47:09 -06:00
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
Changes around keystone-manage commands * perform all keystone-manage commands only as keystone user * as it possible to override keystone user in init class we should also have an ability to override it in db::sync class * ensure that fernet key directory is created before fernet setup command and it's owned by keystone user Closes-bug: #1604884 Change-Id: Ib90d8e2259b9a650a2edb5f0baf0e68451b9abf6
2016-06-28 00:40:54 +03:00
:command => "keystone-manage fernet_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
:user => params['keystone_user'],
:creates => '/etc/keystone/fernet-keys/0',
:require => 'File[/etc/keystone/fernet-keys]',
Add support for Fernet Tokens This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
2015-05-25 12:47:09 -06:00
) }
it { is_expected.to contain_keystone_config('fernet_tokens/max_active_keys').with_value(5)}
Add a new param for fernet tokens config "revoke_id" param was added for fernet tokens configuration. It revokes token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens. Change-Id: I645cd591f1018a9a595d8f738a782f64c0a984a4
2015-10-27 15:48:53 +02:00
it { is_expected.to contain_keystone_config('token/revoke_by_id').with_value(false)}
Add support for Fernet Tokens This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
2015-05-25 12:47:09 -06:00
end
describe 'when overriding the fernet key directory' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_key_repository' => '/var/lib/fernet-keys',
})
end
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
:creates => '/var/lib/fernet-keys/0'
) }
end
Changes around keystone-manage commands * perform all keystone-manage commands only as keystone user * as it possible to override keystone user in init class we should also have an ability to override it in db::sync class * ensure that fernet key directory is created before fernet setup command and it's owned by keystone user Closes-bug: #1604884 Change-Id: Ib90d8e2259b9a650a2edb5f0baf0e68451b9abf6
2016-06-28 00:40:54 +03:00
describe 'when overriding the keystone group and user' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_key_repository' => '/etc/keystone/fernet-keys',
'keystone_user' => 'test_user',
'keystone_group' => 'test_group',
})
end
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
:command => "keystone-manage fernet_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
:user => params['keystone_user'],
:creates => '/etc/keystone/fernet-keys/0',
:require => 'File[/etc/keystone/fernet-keys]',
) }
end
Add support for Fernet Tokens This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
2015-05-25 12:47:09 -06:00
end
Allow the management of the Fernet Keys When keystone uses Fernet tokens in a multi node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off server, and managed in a central data store. This change follows the pattern set for credentials key management. Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
2016-09-15 22:54:16 -04:00
describe 'when setting fernet_keys parameter' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_keys' => {
'/etc/keystone/fernet-keys/0' => {
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
},
'/etc/keystone/fernet-keys/1' => {
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
},
}
})
end
it { is_expected.to_not contain_exec('keystone-manage fernet_setup') }
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
set 0600 permissions on fernet keys & folder Fernet keys and the fernet key folder should be managed with permissions 0600 for more security on the keys. Same for the credentials folder and credentials. Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2
2016-10-04 22:29:02 -06:00
'mode' => '0600',
Make replacing fernet keys if they already exist configurable When setting up fernet keys, the file resource will replace the contents of the keys (if they exist already) by default. This is not necessarily what all deployments want, since some might do the key-rotation out of band. So this makes the replacing of these keys configurable, so it won't affect already existing deployments if the keys were already set, rotation happened at some point and one runs puppet again. Change-Id: I8a56d1154dae1c7c53e3b9a997505156859b2826
2017-03-15 15:54:50 +02:00
'replace' => true,
Allow the management of the Fernet Keys When keystone uses Fernet tokens in a multi node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off server, and managed in a central data store. This change follows the pattern set for credentials key management. Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
2016-09-15 22:54:16 -04:00
'subscribe' => 'Anchor[keystone::install::end]',
Ensure fernet keys are created before bootstrap The bootstrap command will fail if the fernet keys has not been created/generated or it will fail. See [1] this output. [1] http://paste.openstack.org/show/794949/ Change-Id: I560438a9bd402feba425656ba5213a087ab9e663
2020-06-18 16:15:07 +02:00
'tag' => 'keystone-fernet-key',
Allow the management of the Fernet Keys When keystone uses Fernet tokens in a multi node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off server, and managed in a central data store. This change follows the pattern set for credentials key management. Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
2016-09-15 22:54:16 -04:00
)}
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
'owner' => 'keystone',
Make replacing fernet keys if they already exist configurable When setting up fernet keys, the file resource will replace the contents of the keys (if they exist already) by default. This is not necessarily what all deployments want, since some might do the key-rotation out of band. So this makes the replacing of these keys configurable, so it won't affect already existing deployments if the keys were already set, rotation happened at some point and one runs puppet again. Change-Id: I8a56d1154dae1c7c53e3b9a997505156859b2826
2017-03-15 15:54:50 +02:00
'mode' => '0600',
'replace' => true,
'subscribe' => 'Anchor[keystone::install::end]',
Ensure fernet keys are created before bootstrap The bootstrap command will fail if the fernet keys has not been created/generated or it will fail. See [1] this output. [1] http://paste.openstack.org/show/794949/ Change-Id: I560438a9bd402feba425656ba5213a087ab9e663
2020-06-18 16:15:07 +02:00
'tag' => 'keystone-fernet-key',
Make replacing fernet keys if they already exist configurable When setting up fernet keys, the file resource will replace the contents of the keys (if they exist already) by default. This is not necessarily what all deployments want, since some might do the key-rotation out of band. So this makes the replacing of these keys configurable, so it won't affect already existing deployments if the keys were already set, rotation happened at some point and one runs puppet again. Change-Id: I8a56d1154dae1c7c53e3b9a997505156859b2826
2017-03-15 15:54:50 +02:00
)}
end
describe 'when not replacing fernet_keys and setting fernet_keys parameter' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_keys' => {
'/etc/keystone/fernet-keys/0' => {
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
},
'/etc/keystone/fernet-keys/1' => {
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
},
},
'fernet_replace_keys' => false,
})
end
it { is_expected.to_not contain_exec('keystone-manage fernet_setup') }
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
'owner' => 'keystone',
'mode' => '0600',
'replace' => false,
'subscribe' => 'Anchor[keystone::install::end]',
)}
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
Allow the management of the Fernet Keys When keystone uses Fernet tokens in a multi node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off server, and managed in a central data store. This change follows the pattern set for credentials key management. Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
2016-09-15 22:54:16 -04:00
'owner' => 'keystone',
set 0600 permissions on fernet keys & folder Fernet keys and the fernet key folder should be managed with permissions 0600 for more security on the keys. Same for the credentials folder and credentials. Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2
2016-10-04 22:29:02 -06:00
'mode' => '0600',
Make replacing fernet keys if they already exist configurable When setting up fernet keys, the file resource will replace the contents of the keys (if they exist already) by default. This is not necessarily what all deployments want, since some might do the key-rotation out of band. So this makes the replacing of these keys configurable, so it won't affect already existing deployments if the keys were already set, rotation happened at some point and one runs puppet again. Change-Id: I8a56d1154dae1c7c53e3b9a997505156859b2826
2017-03-15 15:54:50 +02:00
'replace' => false,
Allow the management of the Fernet Keys When keystone uses Fernet tokens in a multi node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off server, and managed in a central data store. This change follows the pattern set for credentials key management. Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
2016-09-15 22:54:16 -04:00
'subscribe' => 'Anchor[keystone::install::end]',
)}
end
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
shared_examples "when configuring default domain" do
WSGI: use real service name in restart_keystone Exec Before, when running the Exec which restart Keystone service, we used $service_name but this is wrong because service_name can be keystone, openstack-keystone or httpd. On Ubuntu/Debian, Apache service name is not httpd but apache2. So the service could never be restarted if we were 1/ running Ubuntu/Debian 2/ changing the default domain name. This patch looks up in puppetlabs-apache the real Apache service name when $service_name is httpd (if WSGI is enabled and eventlet disabled). That way, we are sure the service name that will be used will the right one. Also add some unit tests that validate this change. Change-Id: I85226d862b63e227867ed43bc35d7fefc9e424cd Closes-bug: #1479783
2015-07-30 10:16:30 -04:00
describe 'with default domain and eventlet service is managed and enabled' do
support for keystone v3 api - keystone and keystone::roles::admin This patch implements these parts of the blueprint: 1) Allows user to specify the default domain If the user specifies a domain other than 'Default', class keystone will create that domain, and write the id of the domain to the [identity] default_domain_id parameter in keystone.conf, using the keystone_domain { is_default => true } resource. 2) Allows user to specify a separate service domain for service accounts One of the use cases for v3 is the ability to have the service account keystone_user resources (e.g. glance, cinder, etc.) to be in a separate domain from the regular user accounts. keystone::roles::admin allows to specify this domain. Implements: blueprint api-v3-support Change-Id: I3c69ee343e4335f4ce86cd72d6a9e664f7abcf25
2015-04-17 15:21:41 -06:00
let :params do
default_params.merge({
'default_domain'=> 'test',
})
end
WSGI: use real service name in restart_keystone Exec Before, when running the Exec which restart Keystone service, we used $service_name but this is wrong because service_name can be keystone, openstack-keystone or httpd. On Ubuntu/Debian, Apache service name is not httpd but apache2. So the service could never be restarted if we were 1/ running Ubuntu/Debian 2/ changing the default domain name. This patch looks up in puppetlabs-apache the real Apache service name when $service_name is httpd (if WSGI is enabled and eventlet disabled). That way, we are sure the service name that will be used will the right one. Also add some unit tests that validate this change. Change-Id: I85226d862b63e227867ed43bc35d7fefc9e424cd Closes-bug: #1479783
2015-07-30 10:16:30 -04:00
it { is_expected.to contain_exec('restart_keystone').with(
'command' => "service #{platform_parameters[:service_name]} restart",
) }
it { is_expected.to contain_anchor('default_domain_created') }
end
describe 'with default domain and wsgi service is managed and enabled' do
let :pre_condition do
Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
2019-12-08 23:09:22 +01:00
'include apache'
WSGI: use real service name in restart_keystone Exec Before, when running the Exec which restart Keystone service, we used $service_name but this is wrong because service_name can be keystone, openstack-keystone or httpd. On Ubuntu/Debian, Apache service name is not httpd but apache2. So the service could never be restarted if we were 1/ running Ubuntu/Debian 2/ changing the default domain name. This patch looks up in puppetlabs-apache the real Apache service name when $service_name is httpd (if WSGI is enabled and eventlet disabled). That way, we are sure the service name that will be used will the right one. Also add some unit tests that validate this change. Change-Id: I85226d862b63e227867ed43bc35d7fefc9e424cd Closes-bug: #1479783
2015-07-30 10:16:30 -04:00
end
let :params do
default_params.merge({
'default_domain'=> 'test',
'service_name' => 'httpd',
})
end
v3: make sure default domain is created before any other resource When using Keystone v3 and domains, we need to make sure the default domain (if its name if not 'Default') is created before any other domain scoped resource. By creating a new anchor, we can add the requirement in Keystone types that need this dependency. If the default domain name is not modified, the Anchor won't be in the catalog but it's not an issue when using 'autorequire' in Puppet types. This patch also change the default domains in acceptance tests, so we can actually test the feature and make sure resources are created after having the default domain created. Change-Id: I2870eaa98f816c92df901ed2fa92e8db89b67656 Closes-bug: #1478037
2015-07-24 14:24:37 -04:00
it { is_expected.to contain_anchor('default_domain_created') }
support for keystone v3 api - keystone and keystone::roles::admin This patch implements these parts of the blueprint: 1) Allows user to specify the default domain If the user specifies a domain other than 'Default', class keystone will create that domain, and write the id of the domain to the [identity] default_domain_id parameter in keystone.conf, using the keystone_domain { is_default => true } resource. 2) Allows user to specify a separate service domain for service accounts One of the use cases for v3 is the ability to have the service account keystone_user resources (e.g. glance, cinder, etc.) to be in a separate domain from the regular user accounts. keystone::roles::admin allows to specify this domain. Implements: blueprint api-v3-support Change-Id: I3c69ee343e4335f4ce86cd72d6a9e664f7abcf25
2015-04-17 15:21:41 -06:00
end
describe 'with default domain and service is not managed' do
let :params do
default_params.merge({
'default_domain' => 'test',
'manage_service' => false,
})
end
it { is_expected.to_not contain_exec('restart_keystone') }
v3: make sure default domain is created before any other resource When using Keystone v3 and domains, we need to make sure the default domain (if its name if not 'Default') is created before any other domain scoped resource. By creating a new anchor, we can add the requirement in Keystone types that need this dependency. If the default domain name is not modified, the Anchor won't be in the catalog but it's not an issue when using 'autorequire' in Puppet types. This patch also change the default domains in acceptance tests, so we can actually test the feature and make sure resources are created after having the default domain created. Change-Id: I2870eaa98f816c92df901ed2fa92e8db89b67656 Closes-bug: #1478037
2015-07-24 14:24:37 -04:00
it { is_expected.to contain_anchor('default_domain_created') }
support for keystone v3 api - keystone and keystone::roles::admin This patch implements these parts of the blueprint: 1) Allows user to specify the default domain If the user specifies a domain other than 'Default', class keystone will create that domain, and write the id of the domain to the [identity] default_domain_id parameter in keystone.conf, using the keystone_domain { is_default => true } resource. 2) Allows user to specify a separate service domain for service accounts One of the use cases for v3 is the ability to have the service account keystone_user resources (e.g. glance, cinder, etc.) to be in a separate domain from the regular user accounts. keystone::roles::admin allows to specify this domain. Implements: blueprint api-v3-support Change-Id: I3c69ee343e4335f4ce86cd72d6a9e664f7abcf25
2015-04-17 15:21:41 -06:00
end
end
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
context 'on RedHat platforms' do
let :facts do
$::os_service_default in db and logging Switch to $::os_service_default all params in logging and db. Changes: logging.pp, db.pp and tests. Related-bug: #1515273 Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb
2015-11-21 03:24:54 +00:00
@default_facts.merge(global_facts.merge({
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
:osfamily => 'RedHat',
Fix apache tests We recently updated the apache module which added a requirement on the $::operatingsystem fact. We were not always passing this in, so to fix the error we need to provide this fact. Change-Id: Ic803c9ec9feacaa774f705d978bb4d738961d605
2016-12-22 08:09:28 -07:00
:operatingsystem => 'RedHat',
Install python3-keystoneclient in Fedora or RedHat > 7 Fedora repo [1] has python3 packages, start consuming those. [1] http://trunk.rdoproject.org/fedora/puppet-passed-ci/ Change-Id: Id15a40384286a825f65658bdb1ad924a917d9031
2018-10-26 12:08:28 +05:30
:operatingsystemrelease => '7.0',
:os => { :name => 'RedHat', :family => 'RedHat', :release => { :major => '7', :minor => '0' } },
$::os_service_default in db and logging Switch to $::os_service_default all params in logging and db. Changes: logging.pp, db.pp and tests. Related-bug: #1515273 Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb
2015-11-21 03:24:54 +00:00
}))
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
end
let :platform_parameters do
{
WSGI: use real service name in restart_keystone Exec Before, when running the Exec which restart Keystone service, we used $service_name but this is wrong because service_name can be keystone, openstack-keystone or httpd. On Ubuntu/Debian, Apache service name is not httpd but apache2. So the service could never be restarted if we were 1/ running Ubuntu/Debian 2/ changing the default domain name. This patch looks up in puppetlabs-apache the real Apache service name when $service_name is httpd (if WSGI is enabled and eventlet disabled). That way, we are sure the service name that will be used will the right one. Also add some unit tests that validate this change. Change-Id: I85226d862b63e227867ed43bc35d7fefc9e424cd Closes-bug: #1479783
2015-07-30 10:16:30 -04:00
:service_name => 'openstack-keystone',
:httpd_service_name => 'httpd',
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
}
end
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
it_behaves_like 'when using default class parameters for httpd on RedHat'
it_behaves_like 'when configuring default domain'
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
end
context 'on Debian platforms' do
let :facts do
$::os_service_default in db and logging Switch to $::os_service_default all params in logging and db. Changes: logging.pp, db.pp and tests. Related-bug: #1515273 Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb
2015-11-21 03:24:54 +00:00
@default_facts.merge(global_facts.merge({
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
:osfamily => 'Debian',
:operatingsystem => 'Debian',
Install python3-keystoneclient in Fedora or RedHat > 7 Fedora repo [1] has python3 packages, start consuming those. [1] http://trunk.rdoproject.org/fedora/puppet-passed-ci/ Change-Id: Id15a40384286a825f65658bdb1ad924a917d9031
2018-10-26 12:08:28 +05:30
:operatingsystemrelease => '7.0',
:os => { :name => 'Debian', :family => 'Debian', :release => { :major => '7', :minor => '0' } },
$::os_service_default in db and logging Switch to $::os_service_default all params in logging and db. Changes: logging.pp, db.pp and tests. Related-bug: #1515273 Change-Id: Ib84dceafb032747adc1d8b6e56bd01e89aa802cb
2015-11-21 03:24:54 +00:00
}))
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
end
let :platform_parameters do
{
WSGI: use real service name in restart_keystone Exec Before, when running the Exec which restart Keystone service, we used $service_name but this is wrong because service_name can be keystone, openstack-keystone or httpd. On Ubuntu/Debian, Apache service name is not httpd but apache2. So the service could never be restarted if we were 1/ running Ubuntu/Debian 2/ changing the default domain name. This patch looks up in puppetlabs-apache the real Apache service name when $service_name is httpd (if WSGI is enabled and eventlet disabled). That way, we are sure the service name that will be used will the right one. Also add some unit tests that validate this change. Change-Id: I85226d862b63e227867ed43bc35d7fefc9e424cd Closes-bug: #1479783
2015-07-30 10:16:30 -04:00
:service_name => 'keystone',
:httpd_service_name => 'apache2',
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
}
end
Convert to rspec-puppet-facts and cleanup docs/testing This converts some more testing to rspec-puppet-facts so there is only these three missing now until done: * keystone_init_spec.rb * keystone_federation_identity_provider_spec.rb * keystone_ldap_spec.rb Also does cleanup of some formatting for documentation and testing specs. Change-Id: Ifd74aa8cedf630d98f9e12ab276300409a68eecd
2020-02-03 23:17:58 +01:00
it_behaves_like 'when using default class parameters for httpd on Debian'
it_behaves_like 'when configuring default domain'
Fix service keystone conflict when running in apache service keystone is started after the package is installed. When running keystone inside apache, we must ensure service keystone is neither running nor start at boot. This fixes error of apache during start: 'Address already in use: make_sock: could not bind to address host:35357' also add test for redhat platform when httpd is in use. Change-Id: Ie761450ea05a0c92e595b12d1c7ced9481eb967c
2014-10-13 13:27:32 +02:00
end
Add a new param for fernet tokens config "revoke_id" param was added for fernet tokens configuration. It revokes token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens. Change-Id: I645cd591f1018a9a595d8f738a782f64c0a984a4
2015-10-27 15:48:53 +02:00
Add keystone domain specific configuration. Implements blueprint keystone-domain-configuration Adds a provider able to configure multiple domains and two parameters in keystone class to setup a working multi-domains configuration. The keystone_config type has been refactored into a mixin to be shared by keystone_config and keystone_domain_config. The provider, even though it is inheriting from openstack_config (and not keystone_config because it hard code the path), has required more new code. The problem is that we have several configuration files to work with (one per domain) which is unusual. The self.prefetch method is required to check the current catalog. If it's changing the Keystone_config[identity/domain_config_dir] we take it directly into account without the need for another run. Keystone_config[identity/domain_config_dir] configuration and the associated directory are autorequired. Change-Id: I5e4b298460ee592640af59ac9dcbefa3daf98098
2015-09-01 16:06:39 +02:00
describe "when configuring using_domain_config" do
describe 'with default config' do
let :params do
default_params
end
it { is_expected.to_not contain_file('/etc/keystone/domains') }
end
describe 'when using domain config' do
let :params do
default_params.merge({
'using_domain_config'=> true,
})
end
it { is_expected.to contain_file('/etc/keystone/domains').with(
'ensure' => "directory",
) }
it { is_expected
.to contain_keystone_config('identity/domain_specific_drivers_enabled')
.with('value' => true,
) }
it { is_expected
.to contain_keystone_config('identity/domain_config_dir')
.with('value' => '/etc/keystone/domains',
) }
end
describe 'when using domain config and a wrong directory' do
let :params do
default_params.merge({
'using_domain_config'=> true,
'domain_config_directory' => 'this/is/not/an/absolute/path'
})
end
Use validate_legacy This changes all the puppet 3 validate_* functions to use the validate_legacy function. The validate_legacy function has been available since about three years but require Puppet >= 4.4.0 and since there is Puppet 4.10.12 as latest we should assume people are running a fairly new Puppet 4 version. This is the first step to then remove all validate function calls and use proper types for parameter as described in spec [1]. [1] https://review.openstack.org/#/c/568929/ Depends-On: https://review.openstack.org/#/c/639215/ Change-Id: Idd720f18893bea0ec1d26859e0a6907a5daa8980
2019-02-23 12:32:35 +01:00
it { should raise_error(Puppet::Error) }
Add keystone domain specific configuration. Implements blueprint keystone-domain-configuration Adds a provider able to configure multiple domains and two parameters in keystone class to setup a working multi-domains configuration. The keystone_config type has been refactored into a mixin to be shared by keystone_config and keystone_domain_config. The provider, even though it is inheriting from openstack_config (and not keystone_config because it hard code the path), has required more new code. The problem is that we have several configuration files to work with (one per domain) which is unusual. The self.prefetch method is required to check the current catalog. If it's changing the Keystone_config[identity/domain_config_dir] we take it directly into account without the need for another run. Keystone_config[identity/domain_config_dir] configuration and the associated directory are autorequired. Change-Id: I5e4b298460ee592640af59ac9dcbefa3daf98098
2015-09-01 16:06:39 +02:00
end
describe 'when setting domain directory and not using domain config' do
let :params do
default_params.merge({
'using_domain_config'=> false,
'domain_config_directory' => '/this/is/an/absolute/path'
})
end
it 'should raise an error' do
expect { should contain_file('/etc/keystone/domains') }
.to raise_error(Puppet::Error, %r(You must activate domain))
end
end
describe 'when setting domain directory and using domain config' do
let :params do
default_params.merge({
'using_domain_config'=> true,
'domain_config_directory' => '/this/is/an/absolute/path'
})
end
it { is_expected.to contain_file('/this/is/an/absolute/path').with(
'ensure' => "directory",
) }
end
end
saving my work (not even the initial commit)
2012-01-02 15:39:23 -08:00
end
Copy Permalink