Merge "Make replacing fernet keys if they already exist configurable"

manifests/init.pp

@@ -438,6 +438,11 @@
 #   Otherwise Puppet will manage keys with File resource.
 #   Defaults to false
 #
+# [*fernet_replace_keys*]
+#   (Optional) Whether or not to replace the fernet keys if they are already in
+#   the filesystem
+#   Defaults to true
+#
 # [*enable_credential_setup*]
 #   (Optional) Setup keystone for credentials.
 #   In a cluster environment where multiple Keystone nodes are running, you might
@@ -737,6 +742,7 @@ class keystone(
   $fernet_key_repository                = '/etc/keystone/fernet-keys',
   $fernet_max_active_keys               = $::os_service_default,
   $fernet_keys                          = false,
+  $fernet_replace_keys                  = true,
   $enable_credential_setup              = false,
   $credential_key_repository            = '/etc/keystone/credential-keys',
   $credential_keys                      = false,
@@ -1159,6 +1165,7 @@ running as a standalone service, or httpd for being run by a httpd server")
           'owner'     => $keystone_user,
           'group'     => $keystone_group,
           'mode'      => '0600',
+          'replace'   => $fernet_replace_keys,
           'subscribe' => 'Anchor[keystone::install::end]',
         }
       )

releasenotes/notes/make-replacing-fernet-keys-configurable-4e8f342f4a8ec67a.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - The parameter 'fernet_replace_keys' was added; this tells the manifest to
+    not replace the fernet keys if they have been added already. This is useful
+    in cases where rotation happens outside of puppet, and running puppet again
+    would replace the keys and result in an invalid setup.

spec/classes/keystone_init_spec.rb

@@ -1082,15 +1082,48 @@ describe 'keystone' do
     it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
       'content'   => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
       'owner'     => 'keystone',
-      'owner'     => 'keystone',
       'mode'      => '0600',
+      'replace'   => true,
       'subscribe' => 'Anchor[keystone::install::end]',
     )}
     it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
       'content'   => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
       'owner'     => 'keystone',
+      'mode'      => '0600',
+      'replace'   => true,
+      'subscribe' => 'Anchor[keystone::install::end]',
+    )}
+  end
+
+  describe 'when not replacing fernet_keys and setting fernet_keys parameter' do
+    let :params do
+      default_params.merge({
+        'enable_fernet_setup' => true,
+        'fernet_keys' => {
+          '/etc/keystone/fernet-keys/0' => {
+            'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
+          },
+          '/etc/keystone/fernet-keys/1' => {
+            'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
+          },
+        },
+        'fernet_replace_keys' => false,
+      })
+    end
+
+    it { is_expected.to_not contain_exec('keystone-manage fernet_setup') }
+    it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
+      'content'   => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
       'owner'     => 'keystone',
       'mode'      => '0600',
+      'replace'   => false,
+      'subscribe' => 'Anchor[keystone::install::end]',
+    )}
+    it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
+      'content'   => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
+      'owner'     => 'keystone',
+      'mode'      => '0600',
+      'replace'   => false,
       'subscribe' => 'Anchor[keystone::install::end]',
     )}
   end