puppet-keystone/spec/acceptance/default_domain_spec.rb

require 'spec_helper_acceptance'

describe 'basic keystone server with changed domain id' do
  after(:context) do
    clean_up_manifest = <<-EOM
      class { '::keystone':
            verbose             => true,
            debug               => true,
            database_connection => 'mysql+pymysql://keystone:keystone@127.0.0.1/keystone',
            admin_token         => 'admin_token',
            enabled             => true,
      }

      keystone_config { 'identity/default_domain_id': ensure => absent}
    EOM
    apply_manifest(clean_up_manifest, :catch_failures => true)
  end

  context 'new domain id' do
    let(:pp) do
      <<-EOM
      Exec { logoutput => 'on_failure' }

      # make sure apache is stopped before keystone eventlet
      # in case of wsgi was run before
      class { '::apache':
        service_ensure => 'stopped',
      }
      Service['httpd'] -> Service['keystone']

      # Common resources
      case $::osfamily {
        'Debian': {
          include ::apt
          class { '::openstack_extras::repo::debian::ubuntu':
            release         => 'liberty',
            repo            => 'proposed',
            package_require => true,
          }
        }
        'RedHat': {
          class { '::openstack_extras::repo::redhat::redhat':
            manage_rdo => false,
            repo_hash => {
              'openstack-common-testing' => {
                'baseurl'  => 'http://cbs.centos.org/repos/cloud7-openstack-common-testing/x86_64/os/',
                'descr'    => 'openstack-common-testing',
                'gpgcheck' => 'no',
              },
              'openstack-liberty-testing' => {
                'baseurl'  => 'http://cbs.centos.org/repos/cloud7-openstack-liberty-testing/x86_64/os/',
                'descr'    => 'openstack-liberty-testing',
                'gpgcheck' => 'no',
              },
              'openstack-liberty-trunk' => {
                'baseurl'  => 'http://trunk.rdoproject.org/centos7-liberty/current-passed-ci/',
                'descr'    => 'openstack-liberty-trunk',
                'gpgcheck' => 'no',
              },
            },
          }
          package { 'openstack-selinux': ensure => 'latest' }
        }
        default: {
          fail("Unsupported osfamily (${::osfamily})")
        }
      }

      class { '::mysql::server': }

      # Keystone resources
      class { '::keystone::client': }
      class { '::keystone::cron::token_flush': }
      class { '::keystone::db::mysql':
        password => 'keystone',
      }
      class { '::keystone':
        verbose             => true,
        debug               => true,
        database_connection => 'mysql+pymysql://keystone:keystone@127.0.0.1/keystone',
        admin_token         => 'admin_token',
        enabled             => true,
        default_domain      => 'my_default_domain'
      }
      keystone_tenant { 'project_in_my_default_domain':
        ensure      => present,
        enabled     => true,
        description => 'Project in another default domain',
      }
      keystone_user { 'user_in_my_default_domain':
        ensure      => present,
        enabled     => true,
        email       => 'test@example.tld',
        password    => 'a_big_secret',
      }
      keystone_user_role { 'user_in_my_default_domain@project_in_my_default_domain':
        ensure         => present,
        roles          => ['admin'],
      }
      keystone_domain { 'other_domain': ensure => present }
      keystone_user { 'user_in_my_default_domain::other_domain':
          ensure      => present,
          enabled     => true,
          email       => 'test@example.tld',
          password    => 'a_big_secret',
      }
      keystone_tenant { 'project_in_my_default_domain::other_domain':
          ensure      => present,
          enabled     => true,
          description => 'Project in other domain',
       }
      keystone_user_role { 'user_in_my_default_domain@::other_domain':
        ensure         => present,
        user_domain    => 'other_domain',
        roles          => ['admin'],
      }
      EOM
    end

    describe 'puppet apply' do
      it 'should work with no errors and catch deprecation warning' do
        apply_manifest(pp, :catch_failures => true) do |result|
          expect(result.stderr)
            .to include_regexp([/Keystone_tenant\[project_in_my_default_domain\]\/domain: Support for a resource without.*. Currently using 'my_default_domain' as default domain/,
                                /Keystone_user\[user_in_my_default_domain\]\/domain/,
                                /Keystone_user_role\[user_in_my_default_domain@project_in_my_default_domain\]\/user_domain/,
                                /Keystone_user_role\[user_in_my_default_domain@project_in_my_default_domain\]\/project_domain/])
        end
      end
      it 'should be idempotent' do
        apply_manifest(pp, :catch_changes => true) do |result|
          expect(result.stderr)
            .to include_regexp(/Warning: \/Keystone_tenant.*Currently using 'my_default_domain'/)
        end
      end
    end
    describe 'puppet resources are successful created' do
      it 'for tenant' do
        shell('puppet resource keystone_tenant') do |result|
          expect(result.stdout)
            .to include_regexp([/keystone_tenant { 'project_in_my_default_domain::my_default_domain':/,
                                /keystone_tenant { 'project_in_my_default_domain::other_domain':/])
        end
      end
      it 'for user' do
        shell('puppet resource keystone_user') do |result|
          expect(result.stdout)
            .to include_regexp([/keystone_user { 'user_in_my_default_domain::my_default_domain':/,
                                /keystone_user { 'user_in_my_default_domain::other_domain':/])
        end
      end
      it 'for role' do
        shell('puppet resource keystone_user_role') do |result|
          expect(result.stdout)
            .to include_regexp([/keystone_user_role { 'user_in_my_default_domain::my_default_domain@project_in_my_default_domain::my_default_domain':/,
                                /keystone_user_role { 'user_in_my_default_domain::other_domain@::other_domain':/])
        end
      end
    end
  end
end
Add composite namevar for tenant, user, user_role. There are two sides on this patch, the user facing one, and the developer's one. It gives more flexibility for the interface used by the user for the Keystone_tenant, Keystone_user and Keystone_user_roles resources. For instance to specify a user and give the admin role, currently you have to: keystone_user { 'new_admin::admin_domain': ensure => present, enabled => true, tenant => 'openstackv3::admin_domain', email => 'test@example.tld', password => 'a_big_secret', } keystone_user_role { 'new_admin::admin_domain@openstackv3::admin_domain': ensure => present, roles => ['admin'], } Now you can specify it like this: keystone_user { 'new_admin': ensure => present, enabled => true, domain => 'admin_domain', tenant => 'openstackv3::admin_domain', email => 'test@example.tld', password => 'a_big_secret', } keystone_user_role { 'new_admin@openstackv3': ensure => present, user_domain => 'admin_domain', project_domain => 'admin_domain', roles => ['admin'], } For the developer this simplify the code. Puppet is using composite namevar to make all the resources unique. So guessing what pattern is used in the title is no longer required. For instance this : keystone_tenant { 'project_one': ensure => present } keystone_tenant { 'meaningless': name => 'project_one', domain => 'Default', ensure => present } is detected as the same tenant by puppet. The same is true for dependencies. This is working correctly: keystone_tenant { 'meaningless': name => 'project_one', domain => 'domain_one', ensure => present } file {'/tmp/needed': ensure => present, require => Keystone_tenant['project_one::domain_one'] } In autorequire term in type definition, you just have to pass the fully qualified name (with the domain suffix for user and tenant) of the resource and puppet will do the matching, whatever the original title is. See the examples in user and tenant in keystone_user_role type. Change-Id: I4deb27dc6f71fb7a7ec6a9c72bd0e1412c2e9a30 2015-09-23 20:17:31 +02:00			`require 'spec_helper_acceptance'`

			`describe 'basic keystone server with changed domain id' do`
			`after(:context) do`
			`clean_up_manifest = <<-EOM`
			`class { '::keystone':`
			`verbose => true,`
			`debug => true,`
Support of PyMySQL driver for MySQL backend Add ability to use python-pymysql library as backend for MySQL connections. Switch acceptance tests on pyMySQL usage. Docs: https://wiki.openstack.org/wiki/PyMySQL_evaluation Change-Id: I52447482f15a1c075566c7596ce7c5465446fb5a 2015-11-05 18:58:51 +03:00			`database_connection => 'mysql+pymysql://keystone:keystone@127.0.0.1/keystone',`
Add composite namevar for tenant, user, user_role. There are two sides on this patch, the user facing one, and the developer's one. It gives more flexibility for the interface used by the user for the Keystone_tenant, Keystone_user and Keystone_user_roles resources. For instance to specify a user and give the admin role, currently you have to: keystone_user { 'new_admin::admin_domain': ensure => present, enabled => true, tenant => 'openstackv3::admin_domain', email => 'test@example.tld', password => 'a_big_secret', } keystone_user_role { 'new_admin::admin_domain@openstackv3::admin_domain': ensure => present, roles => ['admin'], } Now you can specify it like this: keystone_user { 'new_admin': ensure => present, enabled => true, domain => 'admin_domain', tenant => 'openstackv3::admin_domain', email => 'test@example.tld', password => 'a_big_secret', } keystone_user_role { 'new_admin@openstackv3': ensure => present, user_domain => 'admin_domain', project_domain => 'admin_domain', roles => ['admin'], } For the developer this simplify the code. Puppet is using composite namevar to make all the resources unique. So guessing what pattern is used in the title is no longer required. For instance this : keystone_tenant { 'project_one': ensure => present } keystone_tenant { 'meaningless': name => 'project_one', domain => 'Default', ensure => present } is detected as the same tenant by puppet. The same is true for dependencies. This is working correctly: keystone_tenant { 'meaningless': name => 'project_one', domain => 'domain_one', ensure => present } file {'/tmp/needed': ensure => present, require => Keystone_tenant['project_one::domain_one'] } In autorequire term in type definition, you just have to pass the fully qualified name (with the domain suffix for user and tenant) of the resource and puppet will do the matching, whatever the original title is. See the examples in user and tenant in keystone_user_role type. Change-Id: I4deb27dc6f71fb7a7ec6a9c72bd0e1412c2e9a30 2015-09-23 20:17:31 +02:00			`admin_token => 'admin_token',`
			`enabled => true,`
			`}`

			`keystone_config { 'identity/default_domain_id': ensure => absent}`
			`EOM`
			`apply_manifest(clean_up_manifest, :catch_failures => true)`
			`end`

			`context 'new domain id' do`
			`let(:pp) do`
			`<<-EOM`
			`Exec { logoutput => 'on_failure' }`

			`# make sure apache is stopped before keystone eventlet`
			`# in case of wsgi was run before`
			`class { '::apache':`
			`service_ensure => 'stopped',`
			`}`
			`Service['httpd'] -> Service['keystone']`

			`# Common resources`
			`case $::osfamily {`
			`'Debian': {`
			`include ::apt`
			`class { '::openstack_extras::repo::debian::ubuntu':`
			`release => 'liberty',`
			`repo => 'proposed',`
			`package_require => true,`
			`}`
			`}`
			`'RedHat': {`
			`class { '::openstack_extras::repo::redhat::redhat':`
			`manage_rdo => false,`
			`repo_hash => {`
			`'openstack-common-testing' => {`
			`'baseurl' => 'http://cbs.centos.org/repos/cloud7-openstack-common-testing/x86_64/os/',`
			`'descr' => 'openstack-common-testing',`
			`'gpgcheck' => 'no',`
			`},`
			`'openstack-liberty-testing' => {`
			`'baseurl' => 'http://cbs.centos.org/repos/cloud7-openstack-liberty-testing/x86_64/os/',`
			`'descr' => 'openstack-liberty-testing',`
			`'gpgcheck' => 'no',`
			`},`
			`'openstack-liberty-trunk' => {`
			`'baseurl' => 'http://trunk.rdoproject.org/centos7-liberty/current-passed-ci/',`
			`'descr' => 'openstack-liberty-trunk',`
			`'gpgcheck' => 'no',`
			`},`
			`},`
			`}`
			`package { 'openstack-selinux': ensure => 'latest' }`
			`}`
			`default: {`
			`fail("Unsupported osfamily (${::osfamily})")`
			`}`
			`}`

			`class { '::mysql::server': }`

			`# Keystone resources`
			`class { '::keystone::client': }`
			`class { '::keystone::cron::token_flush': }`
			`class { '::keystone::db::mysql':`
			`password => 'keystone',`
			`}`
			`class { '::keystone':`
			`verbose => true,`
			`debug => true,`
Support of PyMySQL driver for MySQL backend Add ability to use python-pymysql library as backend for MySQL connections. Switch acceptance tests on pyMySQL usage. Docs: https://wiki.openstack.org/wiki/PyMySQL_evaluation Change-Id: I52447482f15a1c075566c7596ce7c5465446fb5a 2015-11-05 18:58:51 +03:00			`database_connection => 'mysql+pymysql://keystone:keystone@127.0.0.1/keystone',`
Add composite namevar for tenant, user, user_role. There are two sides on this patch, the user facing one, and the developer's one. It gives more flexibility for the interface used by the user for the Keystone_tenant, Keystone_user and Keystone_user_roles resources. For instance to specify a user and give the admin role, currently you have to: keystone_user { 'new_admin::admin_domain': ensure => present, enabled => true, tenant => 'openstackv3::admin_domain', email => 'test@example.tld', password => 'a_big_secret', } keystone_user_role { 'new_admin::admin_domain@openstackv3::admin_domain': ensure => present, roles => ['admin'], } Now you can specify it like this: keystone_user { 'new_admin': ensure => present, enabled => true, domain => 'admin_domain', tenant => 'openstackv3::admin_domain', email => 'test@example.tld', password => 'a_big_secret', } keystone_user_role { 'new_admin@openstackv3': ensure => present, user_domain => 'admin_domain', project_domain => 'admin_domain', roles => ['admin'], } For the developer this simplify the code. Puppet is using composite namevar to make all the resources unique. So guessing what pattern is used in the title is no longer required. For instance this : keystone_tenant { 'project_one': ensure => present } keystone_tenant { 'meaningless': name => 'project_one', domain => 'Default', ensure => present } is detected as the same tenant by puppet. The same is true for dependencies. This is working correctly: keystone_tenant { 'meaningless': name => 'project_one', domain => 'domain_one', ensure => present } file {'/tmp/needed': ensure => present, require => Keystone_tenant['project_one::domain_one'] } In autorequire term in type definition, you just have to pass the fully qualified name (with the domain suffix for user and tenant) of the resource and puppet will do the matching, whatever the original title is. See the examples in user and tenant in keystone_user_role type. Change-Id: I4deb27dc6f71fb7a7ec6a9c72bd0e1412c2e9a30 2015-09-23 20:17:31 +02:00			`admin_token => 'admin_token',`
			`enabled => true,`
			`default_domain => 'my_default_domain'`
			`}`
			`keystone_tenant { 'project_in_my_default_domain':`
			`ensure => present,`
			`enabled => true,`
			`description => 'Project in another default domain',`
			`}`
			`keystone_user { 'user_in_my_default_domain':`
			`ensure => present,`
			`enabled => true,`
			`email => 'test@example.tld',`
			`password => 'a_big_secret',`
			`}`
			`keystone_user_role { 'user_in_my_default_domain@project_in_my_default_domain':`
			`ensure => present,`
			`roles => ['admin'],`
			`}`
			`keystone_domain { 'other_domain': ensure => present }`
			`keystone_user { 'user_in_my_default_domain::other_domain':`
			`ensure => present,`
			`enabled => true,`
			`email => 'test@example.tld',`
			`password => 'a_big_secret',`
			`}`
			`keystone_tenant { 'project_in_my_default_domain::other_domain':`
			`ensure => present,`
			`enabled => true,`
			`description => 'Project in other domain',`
			`}`
			`keystone_user_role { 'user_in_my_default_domain@::other_domain':`
			`ensure => present,`
			`user_domain => 'other_domain',`
			`roles => ['admin'],`
			`}`
			`EOM`
			`end`

			`describe 'puppet apply' do`
			`it 'should work with no errors and catch deprecation warning' do`
			`apply_manifest(pp, :catch_failures => true) do \|result\|`
			`expect(result.stderr)`
			`.to include_regexp([/Keystone_tenant\[project_in_my_default_domain\]\/domain: Support for a resource without.*. Currently using 'my_default_domain' as default domain/,`
			`/Keystone_user\[user_in_my_default_domain\]\/domain/,`
			`/Keystone_user_role\[user_in_my_default_domain@project_in_my_default_domain\]\/user_domain/,`
			`/Keystone_user_role\[user_in_my_default_domain@project_in_my_default_domain\]\/project_domain/])`
			`end`
			`end`
			`it 'should be idempotent' do`
			`apply_manifest(pp, :catch_changes => true) do \|result\|`
			`expect(result.stderr)`
			`.to include_regexp(/Warning: \/Keystone_tenant.*Currently using 'my_default_domain'/)`
			`end`
			`end`
			`end`
			`describe 'puppet resources are successful created' do`
			`it 'for tenant' do`
			`shell('puppet resource keystone_tenant') do \|result\|`
			`expect(result.stdout)`
			`.to include_regexp([/keystone_tenant { 'project_in_my_default_domain::my_default_domain':/,`
			`/keystone_tenant { 'project_in_my_default_domain::other_domain':/])`
			`end`
			`end`
			`it 'for user' do`
			`shell('puppet resource keystone_user') do \|result\|`
			`expect(result.stdout)`
			`.to include_regexp([/keystone_user { 'user_in_my_default_domain::my_default_domain':/,`
			`/keystone_user { 'user_in_my_default_domain::other_domain':/])`
			`end`
			`end`
			`it 'for role' do`
			`shell('puppet resource keystone_user_role') do \|result\|`
			`expect(result.stdout)`
			`.to include_regexp([/keystone_user_role { 'user_in_my_default_domain::my_default_domain@project_in_my_default_domain::my_default_domain':/,`
			`/keystone_user_role { 'user_in_my_default_domain::other_domain@::other_domain':/])`
			`end`
			`end`
			`end`
			`end`
			`end`