Replace legacy facts and use fact hash

... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: Ie757167eedce6fa1c99d08f96be1173871f21817

examples/apache_dropin.pp

@@ -34,8 +34,8 @@ class { 'keystone':
 }
 class { 'keystone::bootstrap':
   password   => 'ChangeMe',
-  public_url => "https://${::fqdn}:5000",
+  public_url => "https://${facts['networking']['fqdn']}:5000",
-  admin_url  => "https://${::fqdn}:5000",
+  admin_url  => "https://${facts['networking']['fqdn']}:5000",
 }
 
 keystone_config { 'ssl/enable': value => true }

examples/apache_with_paths.pp

@@ -35,8 +35,8 @@ class { 'keystone':
 }
 class { 'keystone::bootstrap':
   password   => 'ChangeMe',
-  public_url => "https://${::fqdn}:443/v3",
+  public_url => "https://${facts['networking']['fqdn']}:443/v3",
-  admin_url  => "https://${::fqdn}:443/v3",
+  admin_url  => "https://${facts['networking']['fqdn']}:443/v3",
 }
 
 keystone_config { 'ssl/enable': ensure  => absent }

examples/k2k_sp_shib.pp

@@ -53,8 +53,8 @@ class { 'keystone':
 
 class { 'keystone::bootstrap':
   password   => 'ChangeMe',
-  public_url => "https://${::fqdn}:5000",
+  public_url => "https://${facts['networking']['fqdn']}:5000",
-  admin_url  => "https://${::fqdn}:5000",
+  admin_url  => "https://${facts['networking']['fqdn']}:5000",
 }
 
 keystone_config { 'ssl/enable': value => true }

manifests/cache.pp

@@ -8,99 +8,99 @@
 #   the cache region. This should not need to be changed unless there
 #   is another dogpile.cache region with the same configuration name.
 #   (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*expiration_time*]
 #   (Optional) Default TTL, in seconds, for any cached item in the
 #   dogpile.cache region. This applies to any cached method that
 #   doesn't have an explicit cache expiration time defined for it.
 #   (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*backend*]
 #   (Optional) Dogpile.cache backend module. It is recommended that
 #   Memcache with pooling (oslo_cache.memcache_pool) or Redis
 #   (dogpile.cache.redis) be used in production deployments. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*backend_argument*]
 #   (Optional) Arguments supplied to the backend module. Specify this option
 #   once per argument to be passed to the dogpile.cache backend.
 #   Example format: "<argname>:<value>". (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*proxies*]
 #   (Optional) Proxy classes to import that will affect the way the
 #   dogpile.cache backend functions. See the dogpile.cache documentation on
 #   changing-backend-behavior. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*enabled*]
 #   (Optional) Global toggle for caching. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*debug_cache_backend*]
 #   (Optional) Extra debugging from the cache backend (cache keys,
 #   get/set/delete/etc calls). This is only really useful if you need
 #   to see the specific cache-backend get/set/delete calls with the keys/values.
 #   Typically this should be left set to false. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*memcache_servers*]
 #   (Optional) Memcache servers in the format of "host:port".
 #   (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
 #   (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*memcache_dead_retry*]
 #   (Optional) Number of seconds memcached server is considered dead before
 #   it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool
 #   backends only). (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*memcache_socket_timeout*]
 #   (Optional) Timeout in seconds for every call to a server.
 #   (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
 #   (floating point value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*enable_socket_keepalive*]
 #   (Optional) Global toggle for the socket keepalive of dogpile's
 #   pymemcache backend
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*socket_keepalive_idle*]
 #   (Optional) The time (in seconds) the connection needs to remain idle
 #   before TCP starts sending keepalive probes. Should be a positive integer
 #   most greater than zero.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*socket_keepalive_interval*]
 #   (Optional) The time (in seconds) between individual keepalive probes.
 #   Should be a positive integer most greater than zero.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*socket_keepalive_count*]
 #   (Optional) The maximum number of keepalive probes TCP should send before
 #   dropping the connection. Should be a positive integer most greater than
 #   zero.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*memcache_pool_maxsize*]
 #   (Optional) Max total number of open connections to every memcached server.
 #   (oslo_cache.memcache_pool backend only). (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*memcache_pool_unused_timeout*]
 #   (Optional) Number of seconds a connection to memcached is held unused
 #   in the pool before it is closed. (oslo_cache.memcache_pool backend only)
 #   (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*memcache_pool_connection_get_timeout*]
 #   (Optional) Number of seconds that an operation will wait to get a memcache
 #   client connection. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*manage_backend_package*]
 #   (Optional) Whether to install the backend package for the cache.
@@ -109,18 +109,18 @@
 # [*token_caching*]
 #   (Optional) Toggle for token system caching. This has no effect unless
 #   cache_backend, cache_enabled and cache_memcache_servers is set.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*tls_enabled*]
 #   (Optional) Global toggle for TLS usage when communicating with
 #   the caching servers.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*tls_cafile*]
 #   (Optional) Path to a file of concatenated CA certificates in PEM
 #   format necessary to establish the caching server's authenticity.
 #   If tls_enabled is False, this option is ignored.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*tls_certfile*]
 #   (Optional) Path to a single file in PEM format containing the
@@ -128,84 +128,84 @@
 #   needed to establish the certificate's authenticity. This file
 #   is only required when client side authentication is necessary.
 #   If tls_enabled is False, this option is ignored.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*tls_keyfile*]
 #   (Optional) Path to a single file containing the client's private
 #   key in. Otherwise the private key will be taken from the file
 #   specified in tls_certfile. If tls_enabled is False, this option
 #   is ignored.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*tls_allowed_ciphers*]
 #   (Optional) Set the available ciphers for sockets created with
 #   the TLS context. It should be a string in the OpenSSL cipher
 #   list format. If not specified, all OpenSSL enabled ciphers will
 #   be available.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*enable_retry_client*]
 #   (Optional) Enable retry client mechanisms to handle failure.
 #   Those mechanisms can be used to wrap all kind of pymemcache
 #   clients. The wrapper allows you to define how many attempts
 #   to make and how long to wait between attempts.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*retry_attempts*]
 #   (Optional) Number of times to attempt an action before failing.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*retry_delay*]
 #   (Optional) Number of seconds to sleep between each attempt.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*hashclient_retry_attempts*]
 #   (Optional) Amount of times a client should be tried
 #   before it is marked dead and removed from the pool in
 #   the HashClient's internal mechanisms.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*hashclient_retry_delay*]
 #   (Optional) Time in seconds that should pass between
 #   retry attempts in the HashClient's internal mechanisms.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*dead_timeout*]
 #   (Optional) Time in seconds before attempting to add a node
 #   back in the pool in the HashClient's internal mechanisms.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 class keystone::cache(
-  $config_prefix                        = $::os_service_default,
+  $config_prefix                        = $facts['os_service_default'],
-  $expiration_time                      = $::os_service_default,
+  $expiration_time                      = $facts['os_service_default'],
-  $backend                              = $::os_service_default,
+  $backend                              = $facts['os_service_default'],
-  $backend_argument                     = $::os_service_default,
+  $backend_argument                     = $facts['os_service_default'],
-  $proxies                              = $::os_service_default,
+  $proxies                              = $facts['os_service_default'],
-  $enabled                              = $::os_service_default,
+  $enabled                              = $facts['os_service_default'],
-  $debug_cache_backend                  = $::os_service_default,
+  $debug_cache_backend                  = $facts['os_service_default'],
-  $memcache_servers                     = $::os_service_default,
+  $memcache_servers                     = $facts['os_service_default'],
-  $memcache_dead_retry                  = $::os_service_default,
+  $memcache_dead_retry                  = $facts['os_service_default'],
-  $memcache_socket_timeout              = $::os_service_default,
+  $memcache_socket_timeout              = $facts['os_service_default'],
-  $enable_socket_keepalive              = $::os_service_default,
+  $enable_socket_keepalive              = $facts['os_service_default'],
-  $socket_keepalive_idle                = $::os_service_default,
+  $socket_keepalive_idle                = $facts['os_service_default'],
-  $socket_keepalive_interval            = $::os_service_default,
+  $socket_keepalive_interval            = $facts['os_service_default'],
-  $socket_keepalive_count               = $::os_service_default,
+  $socket_keepalive_count               = $facts['os_service_default'],
-  $memcache_pool_maxsize                = $::os_service_default,
+  $memcache_pool_maxsize                = $facts['os_service_default'],
-  $memcache_pool_unused_timeout         = $::os_service_default,
+  $memcache_pool_unused_timeout         = $facts['os_service_default'],
-  $memcache_pool_connection_get_timeout = $::os_service_default,
+  $memcache_pool_connection_get_timeout = $facts['os_service_default'],
   $manage_backend_package               = true,
-  $token_caching                        = $::os_service_default,
+  $token_caching                        = $facts['os_service_default'],
-  $tls_enabled                          = $::os_service_default,
+  $tls_enabled                          = $facts['os_service_default'],
-  $tls_cafile                           = $::os_service_default,
+  $tls_cafile                           = $facts['os_service_default'],
-  $tls_certfile                         = $::os_service_default,
+  $tls_certfile                         = $facts['os_service_default'],
-  $tls_keyfile                          = $::os_service_default,
+  $tls_keyfile                          = $facts['os_service_default'],
-  $tls_allowed_ciphers                  = $::os_service_default,
+  $tls_allowed_ciphers                  = $facts['os_service_default'],
-  $enable_retry_client                  = $::os_service_default,
+  $enable_retry_client                  = $facts['os_service_default'],
-  $retry_attempts                       = $::os_service_default,
+  $retry_attempts                       = $facts['os_service_default'],
-  $retry_delay                          = $::os_service_default,
+  $retry_delay                          = $facts['os_service_default'],
-  $hashclient_retry_attempts            = $::os_service_default,
+  $hashclient_retry_attempts            = $facts['os_service_default'],
-  $hashclient_retry_delay               = $::os_service_default,
+  $hashclient_retry_delay               = $facts['os_service_default'],
-  $dead_timeout                         = $::os_service_default,
+  $dead_timeout                         = $facts['os_service_default'],
 ){
 
   include keystone::deps

manifests/cors.pp

@@ -8,41 +8,41 @@
 #   (Optional) Indicate whether this resource may be shared with the domain
 #   received in the requests "origin" header.
 #   (string value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*allow_credentials*]
 #   (Optional) Indicate that the actual request can include user credentials.
 #   (boolean value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*expose_headers*]
 #   (Optional) Indicate which headers are safe to expose to the API.
 #   (list value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*max_age*]
 #   (Optional) Maximum cache age of CORS preflight requests.
 #   (integer value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*allow_methods*]
 #   (Optional) Indicate which methods can be used during the actual request.
 #   (list value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*allow_headers*]
 #   (Optional) Indicate which header field names may be used during the actual
 #   request.
 #   (list value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 class keystone::cors (
-  $allowed_origin    = $::os_service_default,
+  $allowed_origin    = $facts['os_service_default'],
-  $allow_credentials = $::os_service_default,
+  $allow_credentials = $facts['os_service_default'],
-  $expose_headers    = $::os_service_default,
+  $expose_headers    = $facts['os_service_default'],
-  $max_age           = $::os_service_default,
+  $max_age           = $facts['os_service_default'],
-  $allow_methods     = $::os_service_default,
+  $allow_methods     = $facts['os_service_default'],
-  $allow_headers     = $::os_service_default,
+  $allow_headers     = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/db.pp

@@ -7,7 +7,7 @@
 # [*database_db_max_retries*]
 #   Maximum retries in case of connection error or deadlock error before
 #   error is raised. Set to -1 to specify an infinite retry count.
-#   (Optional) Defaults to $::os_service_default
+#   (Optional) Defaults to $facts['os_service_default']
 #
 # [*database_connection*]
 #   Url used to connect to database.
@@ -15,44 +15,44 @@
 #
 # [*database_connection_recycle_time*]
 #   Timeout when db connections should be reaped.
-#   (Optional) Defaults to $::os_service_default
+#   (Optional) Defaults to $facts['os_service_default']
 #
 # [*database_max_retries*]
 #   Maximum number of database connection retries during startup.
 #   Setting -1 implies an infinite retry count.
-#   (Optional) Defaults to $::os_service_default
+#   (Optional) Defaults to $facts['os_service_default']
 #
 # [*database_retry_interval*]
 #   Interval between retries of opening a database connection.
-#   (Optional) Defaults to $::os_service_default
+#   (Optional) Defaults to $facts['os_service_default']
 #
 # [*database_max_pool_size*]
 #   Maximum number of SQL connections to keep open in a pool.
-#   (Optional) Defaults to $::os_service_default
+#   (Optional) Defaults to $facts['os_service_default']
 #
 # [*database_max_overflow*]
 #   If set, use this value for max_overflow with sqlalchemy.
-#   (Optional) Defaults to $::os_service_default
+#   (Optional) Defaults to $facts['os_service_default']
 #
 # [*database_pool_timeout*]
 #   (Optional) If set, use this value for pool_timeout with SQLAlchemy.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*mysql_enable_ndb*]
 #   (Optional) If True, transparently enables support for handling MySQL
 #   Cluster (NDB).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 class keystone::db (
-  $database_db_max_retries          = $::os_service_default,
+  $database_db_max_retries          = $facts['os_service_default'],
   $database_connection              = 'sqlite:////var/lib/keystone/keystone.sqlite',
-  $database_connection_recycle_time = $::os_service_default,
+  $database_connection_recycle_time = $facts['os_service_default'],
-  $database_max_pool_size           = $::os_service_default,
+  $database_max_pool_size           = $facts['os_service_default'],
-  $database_max_retries             = $::os_service_default,
+  $database_max_retries             = $facts['os_service_default'],
-  $database_retry_interval          = $::os_service_default,
+  $database_retry_interval          = $facts['os_service_default'],
-  $database_max_overflow            = $::os_service_default,
+  $database_max_overflow            = $facts['os_service_default'],
-  $database_pool_timeout            = $::os_service_default,
+  $database_pool_timeout            = $facts['os_service_default'],
-  $mysql_enable_ndb                 = $::os_service_default,
+  $mysql_enable_ndb                 = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/federation.pp

@@ -7,16 +7,16 @@
 #   This setting ensures that keystone only sends token data back to trusted
 #   servers. This is performed as a precaution, specifically to prevent man-in-
 #   the-middle (MITM) attacks.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*remote_id_attribute*]
 #   (Optional) Value to be used to obtain the entity ID of the Identity
 #   Provider from the environment.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 class keystone::federation (
-  $trusted_dashboards  = $::os_service_default,
+  $trusted_dashboards  = $facts['os_service_default'],
-  $remote_id_attribute = $::os_service_default,
+  $remote_id_attribute = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/federation/identity_provider.pp

@@ -85,15 +85,15 @@ class keystone::federation::identity_provider(
   $certfile                      = $::keystone::ssl_ca_certs,
   $keyfile                       = $::keystone::ssl_ca_key,
   $user                          = $::keystone::params::user,
-  $idp_organization_name         = $::os_service_default,
+  $idp_organization_name         = $facts['os_service_default'],
-  $idp_organization_display_name = $::os_service_default,
+  $idp_organization_display_name = $facts['os_service_default'],
-  $idp_organization_url          = $::os_service_default,
+  $idp_organization_url          = $facts['os_service_default'],
-  $idp_contact_company           = $::os_service_default,
+  $idp_contact_company           = $facts['os_service_default'],
-  $idp_contact_name              = $::os_service_default,
+  $idp_contact_name              = $facts['os_service_default'],
-  $idp_contact_surname           = $::os_service_default,
+  $idp_contact_surname           = $facts['os_service_default'],
-  $idp_contact_email             = $::os_service_default,
+  $idp_contact_email             = $facts['os_service_default'],
-  $idp_contact_telephone         = $::os_service_default,
+  $idp_contact_telephone         = $facts['os_service_default'],
-  $idp_contact_type              = $::os_service_default,
+  $idp_contact_type              = $facts['os_service_default'],
   $package_ensure                = present,
 ) inherits keystone::params {
 

manifests/federation/shibboleth.pp

@@ -74,8 +74,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
     'auth/saml2':   ensure => absent;
   }
 
-  if $::osfamily == 'Debian' or ($::osfamily == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {
+  if $facts['os']['family'] == 'Debian' or ($facts['os']['family'] == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {
-    if $::osfamily == 'RedHat' {
+    if $facts['os']['family'] == 'RedHat' {
       warning('The platform is not officially supported, use at your own risk.  Check manifest documentation for more.')
       apache::mod { 'shib2':
         id   => 'mod_shib',
@@ -90,7 +90,7 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
       content => template('keystone/shibboleth.conf.erb'),
       order   => $template_order,
     }
-  } elsif $::osfamily == 'Redhat' {
+  } elsif $facts['os']['family'] == 'Redhat' {
     if !$suppress_warning {
       warning( 'Can not configure Shibboleth in Apache on RedHat OS.Read the Note on this federation/shibboleth.pp' )
     }

manifests/healthcheck.pp

@@ -6,28 +6,28 @@
 #
 # [*detailed*]
 #   (Optional) Show more detailed information as part of the response.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*backends*]
 #   (Optional) Additional backends that can perform health checks and report
 #   that information back as part of a request.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*disable_by_file_path*]
 #   (Optional) Check the presence of a file to determine if an application
 #   is running on a port.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*disable_by_file_paths*]
 #   (Optional) Check the presence of a file to determine if an application
 #   is running on a port. Expects a "port:path" list of strings.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 class keystone::healthcheck (
-  $detailed              = $::os_service_default,
+  $detailed              = $facts['os_service_default'],
-  $backends              = $::os_service_default,
+  $backends              = $facts['os_service_default'],
-  $disable_by_file_path  = $::os_service_default,
+  $disable_by_file_path  = $facts['os_service_default'],
-  $disable_by_file_paths = $::os_service_default,
+  $disable_by_file_paths = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/init.pp

@@ -32,15 +32,15 @@
 #
 # [*password_hash_algorithm*]
 #   (Optional) The password hash algorithm to use.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*password_hash_rounds*]
 #   (Optional) The amount of rounds to do on the hash.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*revoke_driver*]
 #   (Optional) Driver for token revocation.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*revoke_by_id*]
 #   (Optional) Revoke token by token identifier.
@@ -62,11 +62,11 @@
 #   (Optional) A URL representing the messaging driver to use and its full
 #   configuration. Transport URLs take the form:
 #     transport://user:pass@host1:port[,hostN:portN]/virtual_host
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*rabbit_ha_queues*]
 #   (Optional) Use HA queues in RabbitMQ.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*rabbit_heartbeat_timeout_threshold*]
 #   (Optional) Number of seconds after which the RabbitMQ broker is considered
@@ -74,14 +74,14 @@
 #   Heartbeating helps to ensure the TCP connection to RabbitMQ isn't silently
 #   closed, resulting in missed or lost messages from the queue.
 #   (Requires kombu >= 3.0.7 and amqp >= 1.4.0)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*rabbit_heartbeat_rate*]
 #   (Optional) How often during the rabbit_heartbeat_timeout_threshold period to
 #   check the heartbeat on RabbitMQ connection.  (i.e. rabbit_heartbeat_rate=2
 #   when rabbit_heartbeat_timeout_threshold=60, the heartbeat will be checked
 #   every 30 seconds.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*rabbit_heartbeat_in_pthread*]
 #   (Optional) EXPERIMENTAL: Run the health check heartbeat thread
@@ -91,86 +91,86 @@
 #   example if the parent process have monkey patched the
 #   stdlib by using eventlet/greenlet then the heartbeat
 #   will be run through a green thread.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*rabbit_use_ssl*]
 #   (Optional) Connect over SSL for RabbitMQ
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_ssl_ca_certs*]
 #   (Optional) SSL certification authority file (valid only if SSL enabled).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_ssl_certfile*]
 #   (Optional) SSL cert file (valid only if SSL enabled).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_ssl_keyfile*]
 #   (Optional) SSL key file (valid only if SSL enabled).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_ssl_version*]
 #   (Optional) SSL version to use (valid only if SSL enabled).
 #   Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
 #   available on some distributions.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_reconnect_delay*]
 #   (Optional) How long to wait before reconnecting in response
 #   to an AMQP consumer cancel notification. (floating point value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_failover_strategy*]
 #   (Optional) Determines how the next RabbitMQ node is chosen in case the one
 #   we are currently connected to becomes unavailable. Takes effect only if
 #   more than one RabbitMQ node is provided in config. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*kombu_compression*]
 #   (Optional) Possible values are: gzip, bz2. If not set compression will not
 #   be used. This option may notbe available in future versions. EXPERIMENTAL.
 #   (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*notification_transport_url*]
 #   (Optional) A URL representing the messaging driver to use for notifications
 #   and its full configuration. Transport URLs take the form:
 #     transport://user:pass@host1:port[,hostN:portN]/virtual_host
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*notification_driver*]
 #   RPC driver. Not enabled by default (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*notification_topics*]
 #   (Optional) AMQP topics to publish to when using the RPC notification driver.
 #   (list value)
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*notification_format*]
 #   (Optional) Define the notification format for identity service events.
 #   Valid values are 'basic' and 'cadf'.
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*notification_opt_out*]
 #   (Optional) Opt out notifications that match the patterns expressed in this
 #   list.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*control_exchange*]
 #   (Optional) AMQP exchange to connect to if using RabbitMQ
 #   (string value)
-#   Default to $::os_service_default
+#   Default to $facts['os_service_default']
 #
 # [*rpc_response_timeout*]
 #   (Optional) Seconds to wait for a response from a call.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*public_endpoint*]
 #   (Optional) The base public endpoint URL for keystone that are
 #   advertised to clients (NOTE: this does NOT affect how
 #   keystone listens for connections) (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*service_name*]
 #   (Optional) Name of the service that will be providing the
@@ -193,7 +193,7 @@
 #
 # [*max_token_size*]
 #   (Optional) maximum allowable Keystone token size
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*sync_db*]
 #   (Optional) Run db sync on the node.
@@ -213,7 +213,7 @@
 #
 # [*fernet_max_active_keys*]
 #   (Optional) Number of maximum active Fernet keys. Integer > 0.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*fernet_keys*]
 #   (Optional) Hash of Keystone fernet keys
@@ -274,7 +274,7 @@
 #
 # [*policy_driver*]
 #   Policy backend driver. (string value)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*using_domain_config*]
 #   (Optional) Eases the use of the keystone_domain_config resource type.
@@ -303,11 +303,11 @@
 #
 # [*enable_proxy_headers_parsing*]
 #   (Optional) Enable oslo middleware to parse proxy headers.
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*max_request_body_size*]
 #   (Optional) Set max request body size
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*purge_config*]
 #   (Optional) Whether to set only the specified config options
@@ -316,7 +316,7 @@
 #
 # [*amqp_durable_queues*]
 #   (Optional) Whether to use durable queues in AMQP.
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # DEPRECATED PARAMETERS
 #
@@ -340,55 +340,55 @@ class keystone(
   $catalog_template_file                = '/etc/keystone/default_catalog.templates',
   $token_provider                       = 'fernet',
   $token_expiration                     = 3600,
-  $password_hash_algorithm              = $::os_service_default,
+  $password_hash_algorithm              = $facts['os_service_default'],
-  $password_hash_rounds                 = $::os_service_default,
+  $password_hash_rounds                 = $facts['os_service_default'],
-  $revoke_driver                        = $::os_service_default,
+  $revoke_driver                        = $facts['os_service_default'],
   $revoke_by_id                         = true,
-  $public_endpoint                      = $::os_service_default,
+  $public_endpoint                      = $facts['os_service_default'],
   $manage_service                       = true,
   $enabled                              = true,
-  $rabbit_heartbeat_timeout_threshold   = $::os_service_default,
+  $rabbit_heartbeat_timeout_threshold   = $facts['os_service_default'],
-  $rabbit_heartbeat_rate                = $::os_service_default,
+  $rabbit_heartbeat_rate                = $facts['os_service_default'],
-  $rabbit_heartbeat_in_pthread          = $::os_service_default,
+  $rabbit_heartbeat_in_pthread          = $facts['os_service_default'],
-  $rabbit_use_ssl                       = $::os_service_default,
+  $rabbit_use_ssl                       = $facts['os_service_default'],
-  $default_transport_url                = $::os_service_default,
+  $default_transport_url                = $facts['os_service_default'],
-  $rabbit_ha_queues                     = $::os_service_default,
+  $rabbit_ha_queues                     = $facts['os_service_default'],
-  $kombu_ssl_ca_certs                   = $::os_service_default,
+  $kombu_ssl_ca_certs                   = $facts['os_service_default'],
-  $kombu_ssl_certfile                   = $::os_service_default,
+  $kombu_ssl_certfile                   = $facts['os_service_default'],
-  $kombu_ssl_keyfile                    = $::os_service_default,
+  $kombu_ssl_keyfile                    = $facts['os_service_default'],
-  $kombu_ssl_version                    = $::os_service_default,
+  $kombu_ssl_version                    = $facts['os_service_default'],
-  $kombu_reconnect_delay                = $::os_service_default,
+  $kombu_reconnect_delay                = $facts['os_service_default'],
-  $kombu_failover_strategy              = $::os_service_default,
+  $kombu_failover_strategy              = $facts['os_service_default'],
-  $kombu_compression                    = $::os_service_default,
+  $kombu_compression                    = $facts['os_service_default'],
-  $notification_transport_url           = $::os_service_default,
+  $notification_transport_url           = $facts['os_service_default'],
-  $notification_driver                  = $::os_service_default,
+  $notification_driver                  = $facts['os_service_default'],
-  $notification_topics                  = $::os_service_default,
+  $notification_topics                  = $facts['os_service_default'],
-  $notification_format                  = $::os_service_default,
+  $notification_format                  = $facts['os_service_default'],
-  $notification_opt_out                 = $::os_service_default,
+  $notification_opt_out                 = $facts['os_service_default'],
-  $control_exchange                     = $::os_service_default,
+  $control_exchange                     = $facts['os_service_default'],
-  $rpc_response_timeout                 = $::os_service_default,
+  $rpc_response_timeout                 = $facts['os_service_default'],
   $service_name                         = $::keystone::params::service_name,
-  $max_token_size                       = $::os_service_default,
+  $max_token_size                       = $facts['os_service_default'],
   $sync_db                              = true,
   $enable_fernet_setup                  = true,
   $fernet_key_repository                = '/etc/keystone/fernet-keys',
-  $fernet_max_active_keys               = $::os_service_default,
+  $fernet_max_active_keys               = $facts['os_service_default'],
   $fernet_keys                          = false,
   $fernet_replace_keys                  = true,
   $enable_credential_setup              = true,
   $credential_key_repository            = '/etc/keystone/credential-keys',
   $credential_keys                      = false,
   $default_domain                       = undef,
-  $policy_driver                        = $::os_service_default,
+  $policy_driver                        = $facts['os_service_default'],
   $using_domain_config                  = false,
   $domain_config_directory              = '/etc/keystone/domains',
   $keystone_user                        = $::keystone::params::user,
   $keystone_group                       = $::keystone::params::group,
   $manage_policyrcd                     = false,
-  $enable_proxy_headers_parsing         = $::os_service_default,
+  $enable_proxy_headers_parsing         = $facts['os_service_default'],
-  $max_request_body_size                = $::os_service_default,
+  $max_request_body_size                = $facts['os_service_default'],
   $purge_config                         = false,
-  $amqp_durable_queues                  = $::os_service_default,
+  $amqp_durable_queues                  = $facts['os_service_default'],
   # DEPRECATED PARAMETERS
   $catalog_type                         = undef,
 ) inherits keystone::params {
@@ -408,7 +408,7 @@ class keystone(
     # openstacklib policy_rcd only affects debian based systems.
     Policy_rcd <| title == 'keystone' |> -> Package['keystone']
     Policy_rcd['apache2'] -> Package['httpd']
-    if ($::operatingsystem == 'Ubuntu') {
+    if ($facts['os']['name'] == 'Ubuntu') {
       $policy_services = 'apache2'
     } else {
       $policy_services = ['keystone', 'apache2']
@@ -526,7 +526,7 @@ class keystone(
 
     case $service_name {
       $::keystone::params::service_name: {
-        if $::operatingsystem != 'Debian' {
+        if $facts['os']['name'] != 'Debian' {
           # TODO(tkajinam): Make this hard-fail
           warning('Keystone under Eventlet is no longer supported by this operating system')
         }
@@ -547,7 +547,7 @@ class keystone(
         $service_name_real = $::apache::params::service_name
         Service <| title == 'httpd' |> { tag +> 'keystone-service' }
 
-        if $::operatingsystem == 'Debian' {
+        if $facts['os']['name'] == 'Debian' {
           service { 'keystone':
             ensure => 'stopped',
             name   => $::keystone::params::service_name,

manifests/ldap.pp

@@ -6,60 +6,60 @@
 #
 # [*url*]
 #   URL for connecting to the LDAP server. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user*]
 #   User BindDN to query the LDAP server. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*password*]
 #   Password for the BindDN to query the LDAP server. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*suffix*]
 #   LDAP server suffix (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*query_scope*]
 #   The LDAP scope for queries, this can be either "one"
 #   (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*page_size*]
 #   Maximum results per page; a value of zero ("0") disables paging. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_tree_dn*]
 #   Search base for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_filter*]
 #   LDAP search filter for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_objectclass*]
 #   LDAP objectclass for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_id_attribute*]
 #   LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_name_attribute*]
 #   LDAP attribute mapped to user name. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_description_attribute*]
 #   LDAP attribute mapped to user description. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_mail_attribute*]
 #   LDAP attribute mapped to user email. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_attribute*]
 #   LDAP attribute mapped to user enabled flag. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_mask*]
 #   Bitmask integer to indicate the bit that the enabled value is stored in if
@@ -67,7 +67,7 @@
 #   boolean. A value of "0" indicates the mask is not used. If this is not set
 #   to "0" the typical value is "2". This is typically used when
 #   "user_enabled_attribute = userAccountControl". (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_default*]
 #   Default value to enable users. This should match an appropriate int value
@@ -75,7 +75,7 @@
 #   is enabled or disabled. If this is not set to "True" the typical value is
 #   "512". This is typically used when "user_enabled_attribute =
 #   userAccountControl". (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_invert*]
 #   Invert the meaning of the boolean enabled values. Some LDAP servers use a
@@ -83,30 +83,30 @@
 #   "user_enabled_invert = true" will allow these lock attributes to be used.
 #   This setting will have no effect if "user_enabled_mask" or
 #   "user_enabled_emulation" settings are in use. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_attribute_ignore*]
 #   List of attributes stripped off the user on update. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_default_project_id_attribute*]
 #   LDAP attribute mapped to default_project_id for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_pass_attribute*]
 #   LDAP attribute mapped to password. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_emulation*]
 #   If true, Keystone uses an alternative method to determine if
 #   a user is enabled or not by checking if they are a member of
 #   the "user_enabled_emulation_dn" group. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_emulation_dn*]
 #   DN of the group entry to hold enabled users when using enabled emulation.
 #   (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_additional_attribute_mapping*]
 #   List of additional LDAP attributes used for mapping
@@ -114,119 +114,119 @@
 #   format is <ldap_attr>:<user_attr>, where ldap_attr is the
 #   attribute in the LDAP entry and user_attr is the Identity
 #   API attribute. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_tree_dn*]
 #   Search base for groups. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_filter*]
 #   LDAP search filter for groups. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_objectclass*]
 #   LDAP objectclass for groups. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_id_attribute*]
 #   LDAP attribute mapped to group id. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_name_attribute*]
 #   LDAP attribute mapped to group name. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_member_attribute*]
 #   LDAP attribute mapped to show group membership. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_members_are_ids*]
 #   LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_desc_attribute*]
 #   LDAP attribute mapped to group description. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_attribute_ignore*]
 #   List of attributes stripped off the group on update. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_additional_attribute_mapping*]
 #   Additional attribute mappings for groups. Attribute mapping
 #   format is <ldap_attr>:<user_attr>, where ldap_attr is the
 #   attribute in the LDAP entry and user_attr is the Identity
 #   API attribute. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*chase_referrals*]
 #   Whether or not to chase returned referrals. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_tls*]
 #   Enable TLS for communicating with LDAP servers. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*tls_cacertfile*]
 #   CA certificate file path for communicating with LDAP servers. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*tls_cacertdir*]
 #   CA certificate directory path for communicating with LDAP servers. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*tls_req_cert*]
 #   Valid options for tls_req_cert are demand, never, and allow. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*identity_driver*]
 #   Identity backend driver. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_pool*]
 #   Enable LDAP connection pooling. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_size*]
 #   Connection pool size. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_retry_max*]
 #   Maximum count of reconnect trials. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_retry_delay*]
 #   Time span in seconds to wait between two reconnect trials. (floating point value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_connection_timeout*]
 #   Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_connection_lifetime*]
 #   Connection lifetime in seconds. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_auth_pool*]
 #   Enable LDAP connection pooling for end user authentication.
 #   If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*auth_pool_size*]
 #   End user auth connection pool size. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*auth_pool_connection_lifetime*]
 #   End user auth connection lifetime in seconds. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*credential_driver*]
 #   Credential backend driver. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*assignment_driver*]
 #   Assignment backend driver. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*package_ensure*]
 #   (optional) Desired ensure state of packages.
@@ -248,56 +248,56 @@
 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
 #
 class keystone::ldap(
-  $url                                  = $::os_service_default,
+  $url                                  = $facts['os_service_default'],
-  $user                                 = $::os_service_default,
+  $user                                 = $facts['os_service_default'],
-  $password                             = $::os_service_default,
+  $password                             = $facts['os_service_default'],
-  $suffix                               = $::os_service_default,
+  $suffix                               = $facts['os_service_default'],
-  $query_scope                          = $::os_service_default,
+  $query_scope                          = $facts['os_service_default'],
-  $page_size                            = $::os_service_default,
+  $page_size                            = $facts['os_service_default'],
-  $user_tree_dn                         = $::os_service_default,
+  $user_tree_dn                         = $facts['os_service_default'],
-  $user_filter                          = $::os_service_default,
+  $user_filter                          = $facts['os_service_default'],
-  $user_objectclass                     = $::os_service_default,
+  $user_objectclass                     = $facts['os_service_default'],
-  $user_id_attribute                    = $::os_service_default,
+  $user_id_attribute                    = $facts['os_service_default'],
-  $user_name_attribute                  = $::os_service_default,
+  $user_name_attribute                  = $facts['os_service_default'],
-  $user_description_attribute           = $::os_service_default,
+  $user_description_attribute           = $facts['os_service_default'],
-  $user_mail_attribute                  = $::os_service_default,
+  $user_mail_attribute                  = $facts['os_service_default'],
-  $user_enabled_attribute               = $::os_service_default,
+  $user_enabled_attribute               = $facts['os_service_default'],
-  $user_enabled_mask                    = $::os_service_default,
+  $user_enabled_mask                    = $facts['os_service_default'],
-  $user_enabled_default                 = $::os_service_default,
+  $user_enabled_default                 = $facts['os_service_default'],
-  $user_enabled_invert                  = $::os_service_default,
+  $user_enabled_invert                  = $facts['os_service_default'],
-  $user_attribute_ignore                = $::os_service_default,
+  $user_attribute_ignore                = $facts['os_service_default'],
-  $user_default_project_id_attribute    = $::os_service_default,
+  $user_default_project_id_attribute    = $facts['os_service_default'],
-  $user_pass_attribute                  = $::os_service_default,
+  $user_pass_attribute                  = $facts['os_service_default'],
-  $user_enabled_emulation               = $::os_service_default,
+  $user_enabled_emulation               = $facts['os_service_default'],
-  $user_enabled_emulation_dn            = $::os_service_default,
+  $user_enabled_emulation_dn            = $facts['os_service_default'],
-  $user_additional_attribute_mapping    = $::os_service_default,
+  $user_additional_attribute_mapping    = $facts['os_service_default'],
-  $group_tree_dn                        = $::os_service_default,
+  $group_tree_dn                        = $facts['os_service_default'],
-  $group_filter                         = $::os_service_default,
+  $group_filter                         = $facts['os_service_default'],
-  $group_objectclass                    = $::os_service_default,
+  $group_objectclass                    = $facts['os_service_default'],
-  $group_id_attribute                   = $::os_service_default,
+  $group_id_attribute                   = $facts['os_service_default'],
-  $group_name_attribute                 = $::os_service_default,
+  $group_name_attribute                 = $facts['os_service_default'],
-  $group_member_attribute               = $::os_service_default,
+  $group_member_attribute               = $facts['os_service_default'],
-  $group_members_are_ids                = $::os_service_default,
+  $group_members_are_ids                = $facts['os_service_default'],
-  $group_desc_attribute                 = $::os_service_default,
+  $group_desc_attribute                 = $facts['os_service_default'],
-  $group_attribute_ignore               = $::os_service_default,
+  $group_attribute_ignore               = $facts['os_service_default'],
-  $group_additional_attribute_mapping   = $::os_service_default,
+  $group_additional_attribute_mapping   = $facts['os_service_default'],
-  $chase_referrals                      = $::os_service_default,
+  $chase_referrals                      = $facts['os_service_default'],
-  $use_tls                              = $::os_service_default,
+  $use_tls                              = $facts['os_service_default'],
-  $tls_cacertdir                        = $::os_service_default,
+  $tls_cacertdir                        = $facts['os_service_default'],
-  $tls_cacertfile                       = $::os_service_default,
+  $tls_cacertfile                       = $facts['os_service_default'],
-  $tls_req_cert                         = $::os_service_default,
+  $tls_req_cert                         = $facts['os_service_default'],
-  $identity_driver                      = $::os_service_default,
+  $identity_driver                      = $facts['os_service_default'],
-  $assignment_driver                    = $::os_service_default,
+  $assignment_driver                    = $facts['os_service_default'],
-  $credential_driver                    = $::os_service_default,
+  $credential_driver                    = $facts['os_service_default'],
-  $use_pool                             = $::os_service_default,
+  $use_pool                             = $facts['os_service_default'],
-  $pool_size                            = $::os_service_default,
+  $pool_size                            = $facts['os_service_default'],
-  $pool_retry_max                       = $::os_service_default,
+  $pool_retry_max                       = $facts['os_service_default'],
-  $pool_retry_delay                     = $::os_service_default,
+  $pool_retry_delay                     = $facts['os_service_default'],
-  $pool_connection_timeout              = $::os_service_default,
+  $pool_connection_timeout              = $facts['os_service_default'],
-  $pool_connection_lifetime             = $::os_service_default,
+  $pool_connection_lifetime             = $facts['os_service_default'],
-  $use_auth_pool                        = $::os_service_default,
+  $use_auth_pool                        = $facts['os_service_default'],
-  $auth_pool_size                       = $::os_service_default,
+  $auth_pool_size                       = $facts['os_service_default'],
-  $auth_pool_connection_lifetime        = $::os_service_default,
+  $auth_pool_connection_lifetime        = $facts['os_service_default'],
   $package_ensure                       = present,
   $manage_packages                      = true,
 ) inherits keystone::params {

manifests/ldap_backend.pp

@@ -9,59 +9,59 @@
 #
 # [*url*]
 #   URL for connecting to the LDAP server. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user*]
 #   User BindDN to query the LDAP server. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*password*]
 #   Password for the BindDN to query the LDAP server. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*suffix*]
 #   LDAP server suffix (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*query_scope*]
 #   The LDAP scope for queries, this can be either "one"
 #   (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*page_size*]
 #   Maximum results per page; a value of zero ("0") disables paging. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_tree_dn*]
 #   Search base for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_filter*]
 #   LDAP search filter for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_objectclass*]
 #   LDAP objectclass for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_id_attribute*]
 #   LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_name_attribute*]
 #   LDAP attribute mapped to user name. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_description_attribute*]
 #   LDAP attribute mapped to user description. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_mail_attribute*]
 #   LDAP attribute mapped to user email. (string value)
 #
 # [*user_enabled_attribute*]
 #   LDAP attribute mapped to user enabled flag. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_mask*]
 #   Bitmask integer to indicate the bit that the enabled value is stored in if
@@ -69,7 +69,7 @@
 #   boolean. A value of "0" indicates the mask is not used. If this is not set
 #   to "0" the typical value is "2". This is typically used when
 #   "user_enabled_attribute = userAccountControl". (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_default*]
 #   Default value to enable users. This should match an appropriate int value
@@ -77,7 +77,7 @@
 #   is enabled or disabled. If this is not set to "True" the typical value is
 #   "512". This is typically used when "user_enabled_attribute =
 #   userAccountControl". (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_invert*]
 #   Invert the meaning of the boolean enabled values. Some LDAP servers use a
@@ -85,30 +85,30 @@
 #   "user_enabled_invert = true" will allow these lock attributes to be used.
 #   This setting will have no effect if "user_enabled_mask" or
 #   "user_enabled_emulation" settings are in use. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_attribute_ignore*]
 #   List of attributes stripped off the user on update. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_default_project_id_attribute*]
 #   LDAP attribute mapped to default_project_id for users. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_pass_attribute*]
 #   LDAP attribute mapped to password. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_emulation*]
 #   If true, Keystone uses an alternative method to determine if
 #   a user is enabled or not by checking if they are a member of
 #   the "user_enabled_emulation_dn" group. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_enabled_emulation_dn*]
 #   DN of the group entry to hold enabled users when using enabled emulation.
 #   (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_additional_attribute_mapping*]
 #   List of additional LDAP attributes used for mapping
@@ -116,75 +116,75 @@
 #   format is <ldap_attr>:<user_attr>, where ldap_attr is the
 #   attribute in the LDAP entry and user_attr is the Identity
 #   API attribute. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_tree_dn*]
 #   Search base for groups. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_filter*]
 #   LDAP search filter for groups. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_objectclass*]
 #   LDAP objectclass for groups. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_id_attribute*]
 #   LDAP attribute mapped to group id. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_name_attribute*]
 #   LDAP attribute mapped to group name. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_member_attribute*]
 #   LDAP attribute mapped to show group membership. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_members_are_ids*]
 #   LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_desc_attribute*]
 #   LDAP attribute mapped to group description. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_attribute_ignore*]
 #   List of attributes stripped off the group on update. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_additional_attribute_mapping*]
 #   Additional attribute mappings for groups. Attribute mapping
 #   format is <ldap_attr>:<user_attr>, where ldap_attr is the
 #   attribute in the LDAP entry and user_attr is the Identity
 #   API attribute. (list value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*group_ad_nesting*]
 #   If enabled, group queries will use Active Directory specific
 #   filters for nested groups. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*chase_referrals*]
 #   Whether or not to chase returned referrals. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_tls*]
 #   Enable TLS for communicating with LDAP servers. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*tls_cacertfile*]
 #   CA certificate file path for communicating with LDAP servers. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*tls_cacertdir*]
 #   CA certificate directory path for communicating with LDAP servers. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*tls_req_cert*]
 #   Valid options for tls_req_cert are demand, never, and allow. (string value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*identity_driver*]
 #   Identity backend driver. (string value)
@@ -192,40 +192,40 @@
 #
 # [*use_pool*]
 #   Enable LDAP connection pooling. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_size*]
 #   Connection pool size. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_retry_max*]
 #   Maximum count of reconnect trials. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_retry_delay*]
 #   Time span in seconds to wait between two reconnect trials. (floating point value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_connection_timeout*]
 #   Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*pool_connection_lifetime*]
 #   Connection lifetime in seconds. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_auth_pool*]
 #   Enable LDAP connection pooling for end user authentication.
 #   If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*auth_pool_size*]
 #   End user auth connection pool size. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*auth_pool_connection_lifetime*]
 #   End user auth connection lifetime in seconds. (integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*package_ensure*]
 #   (optional) Desired ensure state of packages.
@@ -245,55 +245,55 @@
 # == Dependencies
 # == Examples
 define keystone::ldap_backend(
-  $url                                  = $::os_service_default,
+  $url                                  = $facts['os_service_default'],
-  $user                                 = $::os_service_default,
+  $user                                 = $facts['os_service_default'],
-  $password                             = $::os_service_default,
+  $password                             = $facts['os_service_default'],
-  $suffix                               = $::os_service_default,
+  $suffix                               = $facts['os_service_default'],
-  $query_scope                          = $::os_service_default,
+  $query_scope                          = $facts['os_service_default'],
-  $page_size                            = $::os_service_default,
+  $page_size                            = $facts['os_service_default'],
-  $user_tree_dn                         = $::os_service_default,
+  $user_tree_dn                         = $facts['os_service_default'],
-  $user_filter                          = $::os_service_default,
+  $user_filter                          = $facts['os_service_default'],
-  $user_objectclass                     = $::os_service_default,
+  $user_objectclass                     = $facts['os_service_default'],
-  $user_id_attribute                    = $::os_service_default,
+  $user_id_attribute                    = $facts['os_service_default'],
-  $user_name_attribute                  = $::os_service_default,
+  $user_name_attribute                  = $facts['os_service_default'],
-  $user_description_attribute           = $::os_service_default,
+  $user_description_attribute           = $facts['os_service_default'],
-  $user_mail_attribute                  = $::os_service_default,
+  $user_mail_attribute                  = $facts['os_service_default'],
-  $user_enabled_attribute               = $::os_service_default,
+  $user_enabled_attribute               = $facts['os_service_default'],
-  $user_enabled_mask                    = $::os_service_default,
+  $user_enabled_mask                    = $facts['os_service_default'],
-  $user_enabled_default                 = $::os_service_default,
+  $user_enabled_default                 = $facts['os_service_default'],
-  $user_enabled_invert                  = $::os_service_default,
+  $user_enabled_invert                  = $facts['os_service_default'],
-  $user_attribute_ignore                = $::os_service_default,
+  $user_attribute_ignore                = $facts['os_service_default'],
-  $user_default_project_id_attribute    = $::os_service_default,
+  $user_default_project_id_attribute    = $facts['os_service_default'],
-  $user_pass_attribute                  = $::os_service_default,
+  $user_pass_attribute                  = $facts['os_service_default'],
-  $user_enabled_emulation               = $::os_service_default,
+  $user_enabled_emulation               = $facts['os_service_default'],
-  $user_enabled_emulation_dn            = $::os_service_default,
+  $user_enabled_emulation_dn            = $facts['os_service_default'],
-  $user_additional_attribute_mapping    = $::os_service_default,
+  $user_additional_attribute_mapping    = $facts['os_service_default'],
-  $group_tree_dn                        = $::os_service_default,
+  $group_tree_dn                        = $facts['os_service_default'],
-  $group_filter                         = $::os_service_default,
+  $group_filter                         = $facts['os_service_default'],
-  $group_objectclass                    = $::os_service_default,
+  $group_objectclass                    = $facts['os_service_default'],
-  $group_id_attribute                   = $::os_service_default,
+  $group_id_attribute                   = $facts['os_service_default'],
-  $group_name_attribute                 = $::os_service_default,
+  $group_name_attribute                 = $facts['os_service_default'],
-  $group_member_attribute               = $::os_service_default,
+  $group_member_attribute               = $facts['os_service_default'],
-  $group_members_are_ids                = $::os_service_default,
+  $group_members_are_ids                = $facts['os_service_default'],
-  $group_desc_attribute                 = $::os_service_default,
+  $group_desc_attribute                 = $facts['os_service_default'],
-  $group_attribute_ignore               = $::os_service_default,
+  $group_attribute_ignore               = $facts['os_service_default'],
-  $group_additional_attribute_mapping   = $::os_service_default,
+  $group_additional_attribute_mapping   = $facts['os_service_default'],
-  $group_ad_nesting                     = $::os_service_default,
+  $group_ad_nesting                     = $facts['os_service_default'],
-  $chase_referrals                      = $::os_service_default,
+  $chase_referrals                      = $facts['os_service_default'],
-  $use_tls                              = $::os_service_default,
+  $use_tls                              = $facts['os_service_default'],
-  $tls_cacertdir                        = $::os_service_default,
+  $tls_cacertdir                        = $facts['os_service_default'],
-  $tls_cacertfile                       = $::os_service_default,
+  $tls_cacertfile                       = $facts['os_service_default'],
-  $tls_req_cert                         = $::os_service_default,
+  $tls_req_cert                         = $facts['os_service_default'],
   $identity_driver                      = 'ldap',
-  $use_pool                             = $::os_service_default,
+  $use_pool                             = $facts['os_service_default'],
-  $pool_size                            = $::os_service_default,
+  $pool_size                            = $facts['os_service_default'],
-  $pool_retry_max                       = $::os_service_default,
+  $pool_retry_max                       = $facts['os_service_default'],
-  $pool_retry_delay                     = $::os_service_default,
+  $pool_retry_delay                     = $facts['os_service_default'],
-  $pool_connection_timeout              = $::os_service_default,
+  $pool_connection_timeout              = $facts['os_service_default'],
-  $pool_connection_lifetime             = $::os_service_default,
+  $pool_connection_lifetime             = $facts['os_service_default'],
-  $use_auth_pool                        = $::os_service_default,
+  $use_auth_pool                        = $facts['os_service_default'],
-  $auth_pool_size                       = $::os_service_default,
+  $auth_pool_size                       = $facts['os_service_default'],
-  $auth_pool_connection_lifetime        = $::os_service_default,
+  $auth_pool_connection_lifetime        = $facts['os_service_default'],
   $package_ensure                       = present,
   $manage_packages                      = true,
   $create_domain_entry                  = false,

manifests/logging.pp

@@ -6,72 +6,72 @@
 #
 # [*debug*]
 #   (Optional) Should the daemons log debug messages
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_syslog*]
 #   (Optional) Use syslog for logging.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_journal*]
 #   (Optional) Use journal for logging.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_json*]
 #   (Optional) Use JSON format for logging.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*use_stderr*]
 #   (Optional) Use stderr for logging
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*log_facility*]
 #   (Optional) Syslog facility to receive log lines.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*log_dir*]
 #   (Optional) Directory where logs should be stored.
-#   If set to $::os_service_default, it will not log to any directory.
+#   If set to $facts['os_service_default'], it will not log to any directory.
 #   Defaults to '/var/log/keystone'
 #
 # [*log_file*]
 #   (Optional) File where logs should be stored.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*logging_context_format_string*]
 #   (Optional) Format string to use for log messages with context.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
 #             [%(request_id)s %(user_identity)s] %(instance)s%(message)s'
 #
 # [*logging_default_format_string*]
 #   (Optional) Format string to use for log messages without context.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
 #             [-] %(instance)s%(message)s'
 #
 # [*logging_debug_format_suffix*]
 #   (Optional) Formatted data to append to log format when level is DEBUG.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: '%(funcName)s %(pathname)s:%(lineno)d'
 #
 # [*logging_exception_prefix*]
 #   (Optional) Prefix each line of exception output with this format.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s'
 #
 # [*logging_user_identity_format*]
 #   (Optional) Defines the format string for %(user_identity)s that is used in logging_context_format_string.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: '%(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s'
 #
 # [*log_config_append*]
 #   (Optional) The name of an additional logging configuration file.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   See https://docs.python.org/2/howto/logging.html
 #
 # [*default_log_levels*]
 #   (Optional) Hash of logger (keys) and level (values) pairs.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example:
 #     { 'amqp'  => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
 #          'sqlalchemy' => 'WARN', 'suds' => 'INFO',
@@ -83,55 +83,55 @@
 #
 # [*publish_errors*]
 #   (Optional) Publish error events (boolean value).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*fatal_deprecations*]
 #   (Optional) Make deprecations fatal (boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*instance_format*]
 #   (Optional) If an instance is passed with the log message, format it
 #              like this (string value).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: '[instance: %(uuid)s] '
 #
 # [*instance_uuid_format*]
 #   (Optional) If an instance UUID is passed with the log message, format
 #              it like this (string value).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: instance_uuid_format='[instance: %(uuid)s] '
 #
 # [*log_date_format*]
 #   (Optional) Format string for %%(asctime)s in log records.
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #   Example: 'Y-%m-%d %H:%M:%S'
 #
 # [*watch_log_file*]
 #   (Optional) Uses logging handler designed to watch file system (boolean value).
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 class keystone::logging(
-  $use_syslog                    = $::os_service_default,
+  $use_syslog                    = $facts['os_service_default'],
-  $use_journal                   = $::os_service_default,
+  $use_journal                   = $facts['os_service_default'],
-  $use_json                      = $::os_service_default,
+  $use_json                      = $facts['os_service_default'],
-  $use_stderr                    = $::os_service_default,
+  $use_stderr                    = $facts['os_service_default'],
-  $log_facility                  = $::os_service_default,
+  $log_facility                  = $facts['os_service_default'],
   $log_dir                       = '/var/log/keystone',
-  $log_file                      = $::os_service_default,
+  $log_file                      = $facts['os_service_default'],
-  $debug                         = $::os_service_default,
+  $debug                         = $facts['os_service_default'],
-  $logging_context_format_string = $::os_service_default,
+  $logging_context_format_string = $facts['os_service_default'],
-  $logging_default_format_string = $::os_service_default,
+  $logging_default_format_string = $facts['os_service_default'],
-  $logging_debug_format_suffix   = $::os_service_default,
+  $logging_debug_format_suffix   = $facts['os_service_default'],
-  $logging_exception_prefix      = $::os_service_default,
+  $logging_exception_prefix      = $facts['os_service_default'],
-  $logging_user_identity_format  = $::os_service_default,
+  $logging_user_identity_format  = $facts['os_service_default'],
-  $log_config_append             = $::os_service_default,
+  $log_config_append             = $facts['os_service_default'],
-  $default_log_levels            = $::os_service_default,
+  $default_log_levels            = $facts['os_service_default'],
-  $publish_errors                = $::os_service_default,
+  $publish_errors                = $facts['os_service_default'],
-  $fatal_deprecations            = $::os_service_default,
+  $fatal_deprecations            = $facts['os_service_default'],
-  $instance_format               = $::os_service_default,
+  $instance_format               = $facts['os_service_default'],
-  $instance_uuid_format          = $::os_service_default,
+  $instance_uuid_format          = $facts['os_service_default'],
-  $log_date_format               = $::os_service_default,
+  $log_date_format               = $facts['os_service_default'],
-  $watch_log_file                = $::os_service_default,
+  $watch_log_file                = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/messaging/amqp.pp

@@ -6,40 +6,40 @@
 #
 # [*amqp_pre_settled*]
 #   (Optional) Send messages of this type pre-settled
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*amqp_idle_timeout*]
 #   (Optional) Timeout for inactive connections
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*amqp_ssl_ca_file*]
 #   (Optional) CA certificate PEM file to verify server certificate
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*amqp_ssl_cert_file*]
 #   (Optional) Identifying certificate PEM file to present to clients
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*amqp_ssl_key_file*]
 #   (Optional) Private key PEM file used to sign cert_file certificate
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*amqp_ssl_key_password*]
 #   (Optional) Password for decrypting ssl_key_file (if encrypted)
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*amqp_sasl_mechanisms*]
 #   (Optional) Space separated list of acceptable SASL mechanisms
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 class keystone::messaging::amqp(
-  $amqp_pre_settled                     = $::os_service_default,
+  $amqp_pre_settled                     = $facts['os_service_default'],
-  $amqp_idle_timeout                    = $::os_service_default,
+  $amqp_idle_timeout                    = $facts['os_service_default'],
-  $amqp_ssl_ca_file                     = $::os_service_default,
+  $amqp_ssl_ca_file                     = $facts['os_service_default'],
-  $amqp_ssl_cert_file                   = $::os_service_default,
+  $amqp_ssl_cert_file                   = $facts['os_service_default'],
-  $amqp_ssl_key_file                    = $::os_service_default,
+  $amqp_ssl_key_file                    = $facts['os_service_default'],
-  $amqp_ssl_key_password                = $::os_service_default,
+  $amqp_ssl_key_password                = $facts['os_service_default'],
-  $amqp_sasl_mechanisms                 = $::os_service_default,
+  $amqp_sasl_mechanisms                 = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/params.pp

@@ -12,7 +12,7 @@ class keystone::params {
   $keystone_user       = $user
   $keystone_group      = $group
 
-  case $::osfamily {
+  case $facts['os']['family'] {
     'Debian': {
       $package_name                 = 'keystone'
       $service_name                 = 'keystone'
@@ -30,7 +30,7 @@ class keystone::params {
       $python_pysaml2_package_name  = 'python3-pysaml2'
     }
     default: {
-      fail("Unsupported osfamily ${::osfamily}")
+      fail("Unsupported osfamily: ${facts['os']['family']}")
     }
   }
 }

manifests/policy.pp

@@ -6,12 +6,12 @@
 #
 # [*enforce_scope*]
 #  (Optional) Whether or not to enforce scope when evaluating policies.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*enforce_new_defaults*]
 #  (Optional) Whether or not to use old deprecated defaults when evaluating
 #  policies.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*policies*]
 #   (Optional) Set of policies to configure for keystone
@@ -34,11 +34,11 @@
 #
 # [*policy_default_rule*]
 #   (Optional) Default rule. Enforced when a requested rule is not found.
-#   Defaults to $::os_service_default.
+#   Defaults to $facts['os_service_default'].
 #
 # [*policy_dirs*]
 #   (Optional) Path to the keystone policy folder
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*purge_config*]
 #   (optional) Whether to set only the specified policy rules in the policy
@@ -46,12 +46,12 @@
 #    Defaults to false.
 #
 class keystone::policy (
-  $enforce_scope        = $::os_service_default,
+  $enforce_scope        = $facts['os_service_default'],
-  $enforce_new_defaults = $::os_service_default,
+  $enforce_new_defaults = $facts['os_service_default'],
   $policies             = {},
   $policy_path          = '/etc/keystone/policy.yaml',
-  $policy_default_rule  = $::os_service_default,
+  $policy_default_rule  = $facts['os_service_default'],
-  $policy_dirs          = $::os_service_default,
+  $policy_dirs          = $facts['os_service_default'],
   $purge_config         = false,
 ) {
 

manifests/resource/authtoken.pp

@@ -52,63 +52,63 @@
 #
 # [*project_name*]
 #   (Optional) Service project name
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*user_domain_name*]
 #   (Optional) Name of domain for $username
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*project_domain_name*]
 #   (Optional) Name of domain for $project_name
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*system_scope*]
 #   (Optional) Scope for system operations
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
 #  caution.
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*auth_section*]
 #  (Optional) Config Section from which to load plugin specific options
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*auth_type*]
 #  (Optional) Authentication type to load
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*www_authenticate_uri*]
 #  (Optional) Complete public Identity API endpoint.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*auth_version*]
 #  (Optional) API version of the admin Identity API endpoint.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*cache*]
 #  (Optional) Env key for the swift cache.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*cafile*]
 #  (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
 #  connections.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*certfile*]
 #  (Optional) Required if identity server requires client certificate
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*collect_timing*]
 #  (Optional) If true, collect per-method timing information for each API call.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*delay_auth_decision*]
 #  (Optional) Do not handle authorization requests within the middleware, but
 #  delegate the authorization decision to downstream WSGI components. Boolean value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*enforce_token_bind*]
 #  (Optional) Used to control the use and type of token binding. Can be set
@@ -118,56 +118,56 @@
 #  type is unknown the token will be rejected. "required" any form of token
 #  binding is needed to be allowed. Finally the name of a binding method that
 #  must be present in tokens. String value.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*http_connect_timeout*]
 #  (Optional) Request timeout value for communicating with Identity API server.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*http_request_max_retries*]
 #  (Optional) How many times are we trying to reconnect when communicating
 #  with Identity API Server. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*include_service_catalog*]
 #  (Optional) Indicate whether to set the X-Service-Catalog header. If False,
 #  middleware will not ask for service catalog on token validation and will not
 #  set the X-Service-Catalog header. Boolean value.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*keyfile*]
 #  (Optional) Required if identity server requires client certificate
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_pool_conn_get_timeout*]
 #  (Optional) Number of seconds that an operation will wait to get a memcached
 #  client connection from the pool. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_pool_dead_retry*]
 #  (Optional) Number of seconds memcached server is considered dead before it
 #  is tried again. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_pool_maxsize*]
 #  (Optional) Maximum total number of open connections to every memcached
 #  server. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_pool_socket_timeout*]
 #  (Optional) Number of seconds a connection to memcached is held unused in the
 #  pool before it is closed. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_pool_unused_timeout*]
 #  (Optional) Number of seconds a connection to memcached is held unused in the
 #  pool before it is closed. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_secret_key*]
 #  (Optional, mandatory if memcache_security_strategy is defined) This string
 #  is used for key derivation.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_security_strategy*]
 #  (Optional) If defined, indicate whether token data should be authenticated or
@@ -175,27 +175,27 @@
 #  in the cache. If ENCRYPT, token data is encrypted and authenticated in the
 #  cache. If the value is not one of these options or empty, auth_token will
 #  raise an exception on initialization.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcache_use_advanced_pool*]
 #  (Optional)  Use the advanced (eventlet safe) memcached client pool. The
 #  advanced pool will only work under python 2.x Boolean value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*memcached_servers*]
 #  (Optional) Optionally specify a list of memcached server(s) to use for
 #  caching. If left undefined, tokens will instead be cached in-process.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*region_name*]
 #  (Optional) The region in which the identity server can be found.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*token_cache_time*]
 #  (Optional) In order to prevent excessive effort spent validating tokens,
 #  the middleware caches previously-seen tokens for a configurable duration
 #  (in seconds). Set to -1 to disable caching completely. Integer value
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*manage_memcache_package*]
 #  (Optional) Whether to install the python-memcache package.
@@ -209,63 +209,63 @@
 #  here are applied as an ANY check so any role in this list
 #  must be present. For backwards compatibility reasons this
 #  currently only affects the allow_expired check. (list value)
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*service_token_roles_required*]
 #  (optional) backwards compatibility to ensure that the service tokens are
 #  compared against a list of possible roles for validity
 #  true/false
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*service_type*]
 #  (Optional) The name or type of the service as it appears in the service
 #  catalog. This is used to validate tokens that have restricted access rules.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*interface*]
 #  (Optional) Interface to use for the Identity API endpoint. Valid values are
 #  "public", "internal" or "admin".
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 define keystone::resource::authtoken(
   $username,
   $password,
   $auth_url,
-  $project_name                   = $::os_service_default,
+  $project_name                   = $facts['os_service_default'],
-  $user_domain_name               = $::os_service_default,
+  $user_domain_name               = $facts['os_service_default'],
-  $project_domain_name            = $::os_service_default,
+  $project_domain_name            = $facts['os_service_default'],
-  $system_scope                   = $::os_service_default,
+  $system_scope                   = $facts['os_service_default'],
-  $insecure                       = $::os_service_default,
+  $insecure                       = $facts['os_service_default'],
-  $auth_section                   = $::os_service_default,
+  $auth_section                   = $facts['os_service_default'],
-  $auth_type                      = $::os_service_default,
+  $auth_type                      = $facts['os_service_default'],
-  $www_authenticate_uri           = $::os_service_default,
+  $www_authenticate_uri           = $facts['os_service_default'],
-  $auth_version                   = $::os_service_default,
+  $auth_version                   = $facts['os_service_default'],
-  $cache                          = $::os_service_default,
+  $cache                          = $facts['os_service_default'],
-  $cafile                         = $::os_service_default,
+  $cafile                         = $facts['os_service_default'],
-  $certfile                       = $::os_service_default,
+  $certfile                       = $facts['os_service_default'],
-  $collect_timing                 = $::os_service_default,
+  $collect_timing                 = $facts['os_service_default'],
-  $delay_auth_decision            = $::os_service_default,
+  $delay_auth_decision            = $facts['os_service_default'],
-  $enforce_token_bind             = $::os_service_default,
+  $enforce_token_bind             = $facts['os_service_default'],
-  $http_connect_timeout           = $::os_service_default,
+  $http_connect_timeout           = $facts['os_service_default'],
-  $http_request_max_retries       = $::os_service_default,
+  $http_request_max_retries       = $facts['os_service_default'],
-  $include_service_catalog        = $::os_service_default,
+  $include_service_catalog        = $facts['os_service_default'],
-  $keyfile                        = $::os_service_default,
+  $keyfile                        = $facts['os_service_default'],
-  $memcache_pool_conn_get_timeout = $::os_service_default,
+  $memcache_pool_conn_get_timeout = $facts['os_service_default'],
-  $memcache_pool_dead_retry       = $::os_service_default,
+  $memcache_pool_dead_retry       = $facts['os_service_default'],
-  $memcache_pool_maxsize          = $::os_service_default,
+  $memcache_pool_maxsize          = $facts['os_service_default'],
-  $memcache_pool_socket_timeout   = $::os_service_default,
+  $memcache_pool_socket_timeout   = $facts['os_service_default'],
-  $memcache_pool_unused_timeout   = $::os_service_default,
+  $memcache_pool_unused_timeout   = $facts['os_service_default'],
-  $memcache_secret_key            = $::os_service_default,
+  $memcache_secret_key            = $facts['os_service_default'],
-  $memcache_security_strategy     = $::os_service_default,
+  $memcache_security_strategy     = $facts['os_service_default'],
-  $memcache_use_advanced_pool     = $::os_service_default,
+  $memcache_use_advanced_pool     = $facts['os_service_default'],
-  $memcached_servers              = $::os_service_default,
+  $memcached_servers              = $facts['os_service_default'],
-  $region_name                    = $::os_service_default,
+  $region_name                    = $facts['os_service_default'],
-  $token_cache_time               = $::os_service_default,
+  $token_cache_time               = $facts['os_service_default'],
   $manage_memcache_package        = false,
-  $service_token_roles            = $::os_service_default,
+  $service_token_roles            = $facts['os_service_default'],
-  $service_token_roles_required   = $::os_service_default,
+  $service_token_roles_required   = $facts['os_service_default'],
-  $service_type                   = $::os_service_default,
+  $service_type                   = $facts['os_service_default'],
-  $interface                      = $::os_service_default,
+  $interface                      = $facts['os_service_default'],
 ) {
 
   include keystone::params
@@ -308,7 +308,7 @@ define keystone::resource::authtoken(
       })
     }
   } else {
-    $memcached_servers_real = $::os_service_default
+    $memcached_servers_real = $facts['os_service_default']
   }
 
   if is_service_default($system_scope) {
@@ -317,8 +317,8 @@ define keystone::resource::authtoken(
   } else {
     # When system scope is used, project parameters should be removed otherwise
     # project scope is used.
-    $project_name_real        = $::os_service_default
+    $project_name_real        = $facts['os_service_default']
-    $project_domain_name_real = $::os_service_default
+    $project_domain_name_real = $facts['os_service_default']
   }
 
   $keystonemiddleware_options = {

manifests/resource/service_user.pp

@@ -23,15 +23,15 @@
 #
 # [*project_name*]
 #  (Optional) Service project name
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*user_domain_name*]
 #  (Optional) Name of domain for $username
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*project_domain_name*]
 #  (Optional) Name of domain for $project_name
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*send_service_user_token*]
 #  (Optional) The service uses service token feature when this is set as true
@@ -39,55 +39,55 @@
 #
 # [*system_scope*]
 #   (Optional) Scope for system operations
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
 #  caution.
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*auth_type*]
 #  (Optional) Authentication type to load
-#  Defaults to $::os_service_default
+#  Defaults to $facts['os_service_default']
 #
 # [*auth_version*]
 #  (Optional) API version of the admin Identity API endpoint.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*cafile*]
 #  (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
 #  connections.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*certfile*]
 #  (Optional) Required if identity server requires client certificate
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*keyfile*]
 #  (Optional) Required if identity server requires client certificate
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 # [*region_name*]
 #  (Optional) The region in which the identity server can be found.
-#  Defaults to $::os_service_default.
+#  Defaults to $facts['os_service_default'].
 #
 define keystone::resource::service_user(
   $username,
   $password,
   $auth_url,
-  $project_name            = $::os_service_default,
+  $project_name            = $facts['os_service_default'],
-  $user_domain_name        = $::os_service_default,
+  $user_domain_name        = $facts['os_service_default'],
-  $project_domain_name     = $::os_service_default,
+  $project_domain_name     = $facts['os_service_default'],
-  $system_scope            = $::os_service_default,
+  $system_scope            = $facts['os_service_default'],
   $send_service_user_token = false,
-  $insecure                = $::os_service_default,
+  $insecure                = $facts['os_service_default'],
-  $auth_type               = $::os_service_default,
+  $auth_type               = $facts['os_service_default'],
-  $auth_version            = $::os_service_default,
+  $auth_version            = $facts['os_service_default'],
-  $cafile                  = $::os_service_default,
+  $cafile                  = $facts['os_service_default'],
-  $certfile                = $::os_service_default,
+  $certfile                = $facts['os_service_default'],
-  $keyfile                 = $::os_service_default,
+  $keyfile                 = $facts['os_service_default'],
-  $region_name             = $::os_service_default,
+  $region_name             = $facts['os_service_default'],
 ) {
 
   include keystone::params
@@ -99,8 +99,8 @@ define keystone::resource::service_user(
   } else {
     # When system scope is used, project parameters should be removed otherwise
     # project scope is used.
-    $project_name_real        = $::os_service_default
+    $project_name_real        = $facts['os_service_default']
-    $project_domain_name_real = $::os_service_default
+    $project_domain_name_real = $facts['os_service_default']
   }
 
   $service_user_options = {

manifests/security_compliance.pp

@@ -8,65 +8,65 @@
 # [*change_password_upon_first_use*]
 #   (Optional) Enabling this option requires users to change their password
 #   when the user is created, or upon administrative reset. (Boolean value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*disable_user_account_days_inactive*]
 #   (Optional) The maximum number of days a user can go without authenticating 
 #   before being considered "inactive" and automatically disabled (locked).
 #   (Integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*lockout_duration*]
 #   (Optional) The number of seconds a user account will be locked when the
 #   maximum number of failed authentication attempts (as specified by
 #   `[security_compliance] lockout_failure_attempts`) is exceeded.
 #   (Integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*lockout_failure_attempts*]
 #   (Optional) The maximum number of times that a user can fail to authenticate 
 #   before the user account is locked for the number of seconds specified by
 #   `[security_compliance] lockout_duration`. (Integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*minimum_password_age*]
 #   (Optional) The number of days that a password must be used before the user
 #   can change it. This prevents users from changing their passwords immediately
 #   in order to wipe out their password history and reuse an old password.
 #   (Integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*password_expires_days*]
 #   (Optional) The number of days for which a password will be considered valid 
 #   before requiring it to be changed. (Integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*password_regex*]
 #   (Optional) The regular expression used to validate password strength requirements.
 #   By default, the regular expression will match any password. (String value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*password_regex_description*]
 #   (Optional) Describe your password regular expression here in language for humans.
 #   (String value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 # [*unique_last_password_count*]
 #   (Optional) This controls the number of previous user password iterations to keep
 #   in history, in order to enforce that newly created passwords are unique.
 #   (Integer value)
-#   Defaults to $::os_service_default
+#   Defaults to $facts['os_service_default']
 #
 class keystone::security_compliance(
-  $change_password_upon_first_use     = $::os_service_default,
+  $change_password_upon_first_use     = $facts['os_service_default'],
-  $disable_user_account_days_inactive = $::os_service_default,
+  $disable_user_account_days_inactive = $facts['os_service_default'],
-  $lockout_duration                   = $::os_service_default,
+  $lockout_duration                   = $facts['os_service_default'],
-  $lockout_failure_attempts           = $::os_service_default,
+  $lockout_failure_attempts           = $facts['os_service_default'],
-  $minimum_password_age               = $::os_service_default,
+  $minimum_password_age               = $facts['os_service_default'],
-  $password_expires_days              = $::os_service_default,
+  $password_expires_days              = $facts['os_service_default'],
-  $password_regex                     = $::os_service_default,
+  $password_regex                     = $facts['os_service_default'],
-  $password_regex_description         = $::os_service_default,
+  $password_regex_description         = $facts['os_service_default'],
-  $unique_last_password_count         = $::os_service_default,
+  $unique_last_password_count         = $facts['os_service_default'],
 ) {
 
   include keystone::deps

manifests/wsgi/apache.pp

@@ -12,7 +12,7 @@
 #
 # [*servername*]
 #   (Optional) The servername for the virtualhost.
-#   Defaults to $::fqdn
+#   Defaults to $facts['networking']['fqdn']
 #
 # [*bind_host*]
 #   (Optional) The host/ip address Apache will listen on.
@@ -32,7 +32,7 @@
 #
 # [*workers*]
 #   (Optional) Number of WSGI workers to spawn.
-#   Defaults to $::os_workers_keystone
+#   Defaults to $facts['os_workers_keystone']
 #
 # [*ssl_cert*]
 #   (Optional) Path to SSL certificate
@@ -142,12 +142,12 @@
 #   Defaults to undef
 #
 class keystone::wsgi::apache (
-  $servername                        = $::fqdn,
+  $servername                        = $facts['networking']['fqdn'],
   $bind_host                         = undef,
   $port                              = 5000,
   $path                              = '/',
   $ssl                               = false,
-  $workers                           = $::os_workers_keystone,
+  $workers                           = $facts['os_workers_keystone'],
   $ssl_cert                          = undef,
   $ssl_key                           = undef,
   $ssl_chain                         = undef,
@@ -227,7 +227,7 @@ class keystone::wsgi::apache (
   # The file should be created after the apache class is invoked, otherwise
   # the file is deleted because of its default behavior which removes all files
   # in sites-available/sites-enabled.
-  if ($::operatingsystem == 'Ubuntu') {
+  if ($facts['os']['name'] == 'Ubuntu') {
     ensure_resource('file', '/etc/apache2/sites-available/keystone.conf', {
       'ensure'  => 'file',
       'content' => '',

manifests/wsgi/uwsgi.pp

@@ -11,7 +11,7 @@
 #
 # [*processes*]
 #   (Optional) Number of processes.
-#   Defaults to $::os_workers.
+#   Defaults to $facts['os_workers'].
 #
 # [*threads*]
 #   (Optional) Number of threads.
@@ -22,14 +22,14 @@
 #   Defaults to 100
 #
 class keystone::wsgi::uwsgi (
-  $processes         = $::os_workers,
+  $processes         = $facts['os_workers'],
   $threads           = 32,
   $listen_queue_size = 100,
 ){
 
   include keystone::deps
 
-  if $::operatingsystem != 'Debian'{
+  if $facts['os']['name'] != 'Debian'{
     warning('This class is only valid for Debian, as other operating systems are not using uwsgi by default.')
   }
 

spec/classes/keystone_client_spec.rb

@@ -42,7 +42,7 @@ describe 'keystone::client' do
       end
 
       let (:platform_params) do
-        case facts[:osfamily]
+        case facts[:os]['family']
         when 'Debian'
           { :client_package_name => 'python3-keystoneclient' }
         when 'RedHat'

spec/classes/keystone_federation_identity_provider_spec.rb

@@ -119,7 +119,7 @@ describe 'keystone::federation::identity_provider' do
       end
 
       let (:platform_params) do
-        if facts[:osfamily] == 'RedHat'
+        if facts[:os]['family'] == 'RedHat'
           keystone_service = 'openstack-keystone'
           python_pysaml2_package_name = 'python3-pysaml2'
         else

spec/classes/keystone_federation_mellon_spec.rb

@@ -86,9 +86,7 @@ describe 'keystone::federation::mellon' do
   }).each do |os,facts|
     context "on #{os}" do
       let (:facts) do
-        facts.merge(OSDefaults.get_facts({
+        facts.merge(OSDefaults.get_facts())
-          :concat_basedir => '/var/lib/puppet/concat'
-        }))
       end
 
       it_behaves_like 'Federation Mellon'

spec/classes/keystone_federation_shibboleth_spec.rb

@@ -143,14 +143,12 @@ describe 'keystone::federation::shibboleth' do
   }).each do |os,facts|
     context "on #{os}" do
       let (:facts) do
-        facts.merge(OSDefaults.get_facts({
+        facts.merge(OSDefaults.get_facts())
-          :concat_basedir => '/var/lib/puppet/concat'
-        }))
       end
 
       it_behaves_like 'keystone::federation::shibboleth'
       it_behaves_like 'keystone::federation::shibboleth with invalid parameters'
-      it_behaves_like "keystone::federation::shibboleth on #{facts[:osfamily]}"
+      it_behaves_like "keystone::federation::shibboleth on #{facts[:os]['family']}"
     end
   end
 end

spec/classes/keystone_init_spec.rb

@@ -177,7 +177,7 @@ describe 'keystone' do
       end
 
       it do
-        if facts[:operatingsystem] == 'Debian'
+        if facts[:os]['name'] == 'Debian'
           is_expected.to contain_service('keystone').with(
             :ensure => 'stopped',
             :name   => platform_params[:service_name],
@@ -620,14 +620,11 @@ describe 'keystone' do
   }).each do |os,facts|
     context "on #{os}" do
       let (:facts) do
-        facts.merge!(OSDefaults.get_facts({
+        facts.merge!(OSDefaults.get_facts())
-          :concat_basedir => '/var/lib/puppet/concat',
-          :fqdn           => 'some.host.tld',
-        }))
       end
 
       let(:platform_params) do
-        case facts[:osfamily]
+        case facts[:os]['family']
         when 'Debian'
           { :package_name       => 'keystone',
             :service_name       => 'keystone',

spec/classes/keystone_ldap_spec.rb

@@ -236,7 +236,7 @@ describe 'keystone::ldap' do
       end
 
       let (:platform_params) do
-        case facts[:osfamily]
+        case facts[:os]['family']
         when 'Debian'
           { :python_ldappool_package_name => 'python3-ldappool' }
         when 'RedHat'

spec/classes/keystone_wsgi_apache_spec.rb

@@ -16,7 +16,7 @@ describe 'keystone::wsgi::apache' do
       }
 
       it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
-        :servername                  => 'some.host.tld',
+        :servername                  => 'foo.example.com',
         :bind_host                   => nil,
         :bind_port                   => 5000,
         :group                       => 'keystone',
@@ -195,13 +195,11 @@ describe 'keystone::wsgi::apache' do
       let (:facts) do
         facts.merge!(OSDefaults.get_facts({
           :os_workers_keystone => 8,
-          :concat_basedir      => '/var/lib/puppet/concat',
-          :fqdn                => 'some.host.tld',
         }))
       end
 
       let(:platform_params) do
-        case facts[:osfamily]
+        case facts[:os]['family']
         when 'Debian'
           {
             :wsgi_script_path => '/usr/lib/cgi-bin/keystone',
@@ -214,7 +212,7 @@ describe 'keystone::wsgi::apache' do
       end
 
       it_behaves_like 'keystone::wsgi::apache'
-      if facts[:operatingsystem] == 'Ubuntu'
+      if facts[:os]['name'] == 'Ubuntu'
         it_behaves_like 'keystone::wsgi::apache on Ubuntu'
       end
     end

spec/defines/keystone_ldap_backend_spec.rb

@@ -216,7 +216,7 @@ describe 'keystone::ldap_backend' do
       end
 
       let (:platform_params) do
-        case facts[:osfamily]
+        case facts[:os]['family']
         when 'Debian'
           { :python_ldappool_package_name => 'python3-ldappool' }
         when 'RedHat'

spec/defines/keystone_resource_authtoken_spec.rb

@@ -273,7 +273,7 @@ describe 'keystone::resource::authtoken' do
       end
 
       let(:platform_params) do
-        case facts[:osfamily]
+        case facts[:os]['family']
         when 'Debian'
           memcache_package_name = 'python3-memcache'
         when 'RedHat'