From 17675623f357dd52a72a44494a3023d7c361133c Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Tue, 6 Sep 2016 18:13:32 -0400
Subject: [PATCH] Allow to manage credential files contents
Running keystone-manage credential_setup has not been designed for multinode environment. Keystone team suggests to run this command on one node, to export the keys and collect them on every Keystone server. Most of people don't have this mechanism when deploying OpenStack.
This patch aims to allow to use puppet-keystone to manage credential files using Puppet file resource. All credentials would be defined in a hash where file path and content is defined. Here is an example:
credential_keys:
/etc/keystone/credential-keys/0:
content: t-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=
/etc/keystone/credential-keys/1:
content: GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=
To enable this feature, you'll need to set enable_credential_setup to True and configure credential_keys with a valid hash.
Change-Id: Ic335ea201b58c99e9fd8a0a2c0865b461ff8f672
---
manifests/init.pp | 54 ++++++++++++++-----
...one-credential-setup-0971292cf1b0bde7.yaml | 3 ++
spec/classes/keystone_spec.rb | 30 +++++++++++
3 files changed, 74 insertions(+), 13 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index ef3ab0581..314f17164 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -425,9 +425,12 @@
 # Defaults to $::os_service_default
 #
 # [*enable_credential_setup*]
-# (Optional) Setup keystone for credentials. This is typically only
-# run on a single node, then the credentials are replicated to the other nodes
-# in a cluster.
+# (Optional) Setup keystone for credentials.
+# In a cluster environment where multiple Keystone nodes are running, you might
+# need the same keys everywhere; so you'll have to set credential_keys parameter in
+# order to let Puppet manage Keystone keys in a consistent way, otherwise
+# keystone-manage will generate different set of keys on keystone nodes and the
+# service won't work.
 # This feature was added at the end of Newton. The default value is now False
 # by default but will switch to True once UCA will have latest Keystone version.
 # Defaults to False
@@ -437,6 +440,20 @@
 # be set if enable_credential_setup is set to true.
 # Defaults to '/etc/keystone/credential-keys'
 #
+# [*credential_keys*]
+# (Optional) Hash of Keystone credential keys
+# If you enable this parameter, make sure enable_credential_setup is set to True.
+# Example of valid value:
+# credential_keys:
+# /etc/keystone/credential-keys/0:
+# content: t-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=
+# /etc/keystone/credential-keys/1:
+# content: GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=
+# Puppet will create a file per key in $credential_key_repository.
+# Note: defaults to false so keystone-manage credential_setup will be executed.
+# Otherwise Puppet will manage keys with File resource.
+# Defaults to false
+#
 # [*enable_bootstrap*]
 # (Optional) Enable keystone bootstrapping.
 # Per upstream Keystone Mitaka commit 7b7fea7a3fe7677981fbf9bac5121bc15601163
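Review bot: The new `[*credential_keys*]` doc sentence "Puppet will create a file per key in $credential_key_repository" does not match what the implementation does: `create_resources('file', $credential_keys, ...)` uses each hash key verbatim as the absolute file path, and nothing joins it with `$credential_key_repository`. A key placed under another directory would be written there silently and keystone would not find it. Suggest rewording to `# Each hash key is the absolute path of a key file; keep them under $credential_key_repository so keystone can load them.` It would also help to state that the `content` values are the Fernet key material, i.e. secrets that end up in Hiera and the compiled catalog, so operators know to protect that data accordingly.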
@@ -689,6 +706,7 @@ class keystone(
 $fernet_max_active_keys = $::os_service_default,
 $enable_credential_setup = false,
 $credential_key_repository = '/etc/keystone/credential-keys',
+ $credential_keys = false,
 $default_domain = undef,
 $member_role_id = $::os_service_default,
 $member_role_name = $::os_service_default,
@@ -1086,16 +1104,26 @@ class keystone(
 subscribe => Anchor['keystone::install::end'],
 })
- exec { 'keystone-manage credential_setup':
- command => "keystone-manage credential_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
- path => '/usr/bin',
- user => $keystone_user,
- refreshonly => true,
- creates => "${credential_key_repository}/0",
- notify => Anchor['keystone::service::begin'],
- subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
- require => File[$credential_key_repository],
- tag => 'keystone-exec',
+ if $credential_keys {
+ validate_hash($credential_keys)
+ create_resources('file', $credential_keys, {
+ 'owner' => $keystone_user,
+ 'group' => $keystone_group,
+ 'subscribe' => 'Anchor[keystone::install::end]',
+ }
+ )
+ } else {
+ exec { 'keystone-manage credential_setup':
+ command => "keystone-manage credential_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
+ path => '/usr/bin',
+ user => $keystone_user,
+ refreshonly => true,
+ creates => "${credential_key_repository}/0",
+ notify => Anchor['keystone::service::begin'],
+ subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
+ require => File[$credential_key_repository],
+ tag => 'keystone-exec',
+ }
 }
 }
diff --git a/releasenotes/notes/keystone-credential-setup-0971292cf1b0bde7.yaml b/releasenotes/notes/keystone-credential-setup-0971292cf1b0bde7.yaml
index 9edb38b77..65b2ae87d 100644
--- a/releasenotes/notes/keystone-credential-setup-0971292cf1b0bde7.yaml
+++ b/releasenotes/notes/keystone-credential-setup-0971292cf1b0bde7.yaml
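Review bot: The defaults hash passed to `create_resources('file', $credential_keys, {...})` in the second hunk sets owner and group but no `mode`, so the key files are created with Puppet's default (umask-derived, usually world-readable) permissions even though their `content` is the Fernet credential key material; the `keystone-manage` path that this branch replaces left permissions to keystone itself. Add `'mode' => '0600',` to the defaults, and `'show_diff' => false,` so that a changed key's plaintext is not copied into agent reports and logs. The replaced exec also carried `notify => Anchor['keystone::service::begin']`, which the new file resources do not; if keystone only reads the key repository at startup (I have not verified this), a rotated key managed via this hash would not take effect until the next restart, so consider adding the same `notify` to the defaults. The enclosing `if $enable_credential_setup` block starts above this hunk.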
@@ -6,3 +6,6 @@ features:
 management of credential directory, keystone-manage credential_setup
 execution (can be enabled with enable_credential_setup boolean) and the
 configuration of credential/key_repository in keystone.conf.
+ Note, if credential_keys parameter is set to a valid hash, keystone-manage won't
+ be used to generate credential keys but Puppet will manage file resources for each
+ key in the hash. It allows to generate the same keys in multinode environment.
diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb
index 5e8cc11fc..6f96e12e6 100644
--- a/spec/classes/keystone_spec.rb
+++ b/spec/classes/keystone_spec.rb
@@ -947,6 +947,36 @@ describe 'keystone' do
 )
 }
 end
+ describe 'when setting credential_keys parameter' do
+ let :params do
+ default_params.merge({
+ 'enable_credential_setup' => true,
+ 'credential_keys' => {
+ '/etc/keystone/credential-keys/0' => {
+ 'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
+ },
+ '/etc/keystone/credential-keys/1' => {
+ 'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
+ },
+ }
+ })
+ end
+
+ it { is_expected.to_not contain_exec('keystone-manage credential_setup') }
+ it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with(
+ 'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
+ 'owner' => 'keystone',
+ 'owner' => 'keystone',
+ 'subscribe' => 'Anchor[keystone::install::end]',
+ )}
+ it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with(
+ 'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
+ 'owner' => 'keystone',
+ 'owner' => 'keystone',
+ 'subscribe' => 'Anchor[keystone::install::end]',
+ )}
+ end
+
 describe 'when disabling credential_setup' do
 let :params do
 default_params.merge({
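Review bot: Both `contain_file(...).with(...)` expectations in the spec hunk list `'owner' => 'keystone'` twice; Ruby keeps only the last value of a duplicated literal hash key (and warns about it), so the `group` that the manifest sets via `$keystone_group` is never asserted. Change the second occurrence in each block to `'group' => 'keystone',`. If a restrictive `mode` is added to the file defaults in the manifest, these two expectations are also the place to pin it, since the key files hold secret material and a permissions regression would otherwise go unnoticed by the suite.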