Merge "Remove deprecated bootstrap code"

manifests/bootstrap.pp

@@ -57,8 +57,7 @@
 #    Defaults to 'public'
 #
 class keystone::bootstrap (
-  # TODO(tobias-urdin): Make the password required when compat is removed.
-  $password             = undef,
+  $password,
   $username             = 'admin',
   $email                = 'admin@localhost',
   $project_name         = 'admin',
@@ -74,134 +73,9 @@ class keystone::bootstrap (
 
   include ::keystone::deps
 
-  # TODO(tobias-urdin): Remove compat layer.
-  if $password == undef {
-    if defined('$::keystone::admin_password') and $::keystone::admin_password != undef {
-      $password_real = $::keystone::admin_password
-      warning('Using deprecated keystone::admin_password as admin password')
-      # Check if we differ from the roles admin pw
-      if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != $password_real {
-        warning('The keystone::admin_password and keystone::roles::admin::password differs and will cause a flip-flopping\
-          behaviour and authentication issues for the admin user.')
-      }
-    } elsif defined('$::keystone::admin_token') and $::keystone::admin_token != undef {
-      $password_real = $::keystone::admin_token
-      warning('Using deprecated keystone::admin_token as admin password')
-      # Check if we differ from the roles admin pw
-      if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != $password_real {
-        warning('The keystone::admin_token and keystone::roles::admin::password differs and will cause a flip-flopping\
-          behaviour and authentication issues for the admin user.')
-      }
-    } else {
-      # Check the keystone::roles::admin class as well.
-      if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != undef {
-        $password_real = $::keystone::roles::admin::password
-        warning('Using deprecated keystone::roles::admin::password as admin password')
-      } else {
-        fail('keystone::bootstrap::password is undef, could not resolve a password')
-      }
-    }
-  } else {
-    $password_real = $password
-  }
-  if defined('$::keystone::endpoint::public_url') and $::keystone::endpoint::public_url != undef {
-    $public_url_real = $::keystone::endpoint::public_url
-    $using_deprecated_public_url = true
-    warning('Using deprecated keystone::endpoint::public_url, please update to using keystone::bootstrap')
-  } else {
-    $public_url_real = $public_url
-    $using_deprecated_public_url = false
-  }
-  if defined('$::keystone::endpoint::internal_url') and $::keystone::endpoint::internal_url != undef {
-    $internal_url_final = $::keystone::endpoint::internal_url
-    $using_deprecated_internal_url = true
-    warning('Using deprecated keystone::endpoint::internal_url, please update to using keystone::bootstrap')
-  } else {
-    $internal_url_final = $internal_url
-    $using_deprecated_internal_url = false
-  }
-  if defined('$::keystone::endpoint::admin_url') and $::keystone::endpoint::admin_url != undef {
-    $admin_url_real = $::keystone::endpoint::admin_url
-    warning('Using deprecated keystone::endpoint::admin_url, please update to using keystone::bootstrap')
-  } else {
-    $admin_url_real = $admin_url
-  }
-  if defined('$::keystone::endpoint::region') and $::keystone::endpoint::region != undef {
-    $region_real = $::keystone::endpoint::region
-    warning('Using deprecated keystone::endpoint::region, please update to using keystone::bootstrap')
-  } else {
-    $region_real = $region
-  }
-  if !$using_deprecated_internal_url and $internal_url == undef and $using_deprecated_public_url {
-    warning('Using deprecated keystone::endpoint::public_url for keystone::bootstrap::internal_url')
-  }
-  if defined('$::keystone::roles::admin::admin') and $::keystone::roles::admin::admin != undef {
-    $username_real = $::keystone::roles::admin::admin
-    if $username_real != $username and $username == 'admin' {
-      warning('Using keystone::roles::admin::admin as username, the keystone::bootstrap::username default is different\
-        dont forget to set that later')
-    }
-  } else {
-    $username_real = $username
-  }
-  if defined('$::keystone::roles::admin::email') and $::keystone::roles::admin::email != undef {
-    $email_real = $::keystone::roles::admin::email
-    if $email_real != $email and $email == 'admin@localhost' {
-      warning('Using keystone::roles::admin::email as email, the keystone::bootstrap::email default is different\
-        dont forget to set that later')
-    }
-  } else {
-    $email_real = $email
-  }
-  if defined('$::keystone::roles::admin::admin_roles') and $::keystone::roles::admin::admin_roles != undef {
-    $role_name_real = $::keystone::roles::admin::admin_roles
-    warning("Using keystone::roles::admin::admin_roles with value ${role_name_real} note that the\
-      keystone::bootstrap when used will only set a single role, by default the 'admin' role.")
-    warning('Will use the first value in admin_roles for bootstrap and all (if multiple) for all other resources!')
-    if is_array($role_name_real) {
-      $bootstrap_role_name = $role_name_real[0]
-    } else {
-      $bootstrap_role_name = $role_name_real
-    }
-  } else {
-    $role_name_real = [$role_name]
-    $bootstrap_role_name = $role_name
-  }
-  if defined('$::keystone::roles::admin::admin_tenant') {
-    $admin_tenant = $::keystone::roles::admin::admin_tenant
-    if ($admin_tenant == undef or $admin_tenant == 'openstack') {
-      # Try to keep the backward compatible creation of the openstack project.
-      # We still create the 'admin' project with the bootstrap process below.
-      # This is a best effort, we still ignore the description and default domain.
-      ensure_resource('keystone_tenant', 'openstack', {
-        'ensure'  => 'present',
-        'enabled' => true,
-      })
-      ensure_resource('keystone_user_role', "${username_real}@openstack", {
-        'ensure' => 'present',
-        'roles'  => $role_name_real,
-      })
-
-      # Use the default value so we create the "admin" project
-      $project_name_real = $project_name
-    } else {
-      warning('Using keystone::roles::admin::admin_tenant as project name for admin')
-      $project_name_real = $admin_tenant
-    }
-  } else {
-    $project_name_real = $project_name
-  }
-  if defined('$::keystone::roles::admin::service_tenant') and $::keystone::roles::admin::service_tenant != undef {
-    warning('Using keystone::roles::admin::service_tenant as service project name')
-    $service_project_name_real = $::keystone::roles::admin::service_tenant
-  } else {
-    $service_project_name_real = $service_project_name
-  }
-  # Compat code ends here.
-
-  $internal_url_real = $internal_url_final ? {
-    undef   => $public_url_real,
-    default => $internal_url_final
+  $internal_url_real = $internal_url ? {
+    undef   => $public_url,
+    default => $internal_url
   }
 
   if defined('$::keystone::keystone_user') {
@@ -216,15 +90,15 @@ class keystone::bootstrap (
   exec { 'keystone bootstrap':
     command     => 'keystone-manage bootstrap',
     environment => [
-      "OS_BOOTSTRAP_USERNAME=${username_real}",
-      "OS_BOOTSTRAP_PASSWORD=${password_real}",
-      "OS_BOOTSTRAP_PROJECT_NAME=${project_name_real}",
-      "OS_BOOTSTRAP_ROLE_NAME=${bootstrap_role_name}",
+      "OS_BOOTSTRAP_USERNAME=${username}",
+      "OS_BOOTSTRAP_PASSWORD=${password}",
+      "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
+      "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
       "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
-      "OS_BOOTSTRAP_ADMIN_URL=${admin_url_real}",
-      "OS_BOOTSTRAP_PUBLIC_URL=${public_url_real}",
+      "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
+      "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
       "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
-      "OS_BOOTSTRAP_REGION_ID=${region_real}",
+      "OS_BOOTSTRAP_REGION_ID=${region}",
     ],
     user        => $keystone_user,
     path        => '/usr/bin',
@@ -238,40 +112,40 @@ class keystone::bootstrap (
   # use the below resources to make sure the current resources are
   # correct so if some value was updated we set that.
 
-  ensure_resource('keystone_role', $role_name_real, {
+  ensure_resource('keystone_role', $role_name, {
     'ensure' => 'present',
   })
 
-  ensure_resource('keystone_user', $username_real, {
+  ensure_resource('keystone_user', $username, {
     'ensure'   => 'present',
     'enabled'  => true,
-    'email'    => $email_real,
-    'password' => $password_real,
+    'email'    => $email,
+    'password' => $password,
   })
 
-  ensure_resource('keystone_tenant', $service_project_name_real, {
+  ensure_resource('keystone_tenant', $service_project_name, {
     'ensure'  => 'present',
     'enabled' => true,
   })
 
-  ensure_resource('keystone_tenant', $project_name_real, {
+  ensure_resource('keystone_tenant', $project_name, {
     'ensure'  => 'present',
     'enabled' => true,
   })
 
-  ensure_resource('keystone_user_role', "${username_real}@${project_name_real}", {
+  ensure_resource('keystone_user_role', "${username}@${project_name}", {
     'ensure' => 'present',
-    'roles'  => $role_name_real,
+    'roles'  => $role_name,
   })
 
   ensure_resource('keystone_service', "${service_name}::identity", {
     'ensure' => 'present',
   })
 
-  ensure_resource('keystone_endpoint', "${region_real}/${service_name}::identity", {
+  ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
     'ensure'       => 'present',
-    'public_url'   => $public_url_real,
-    'admin_url'    => $admin_url_real,
+    'public_url'   => $public_url,
+    'admin_url'    => $admin_url,
     'internal_url' => $internal_url_real,
   })
 
@@ -289,19 +163,19 @@ class keystone::bootstrap (
   }
 
   if $interface == 'admin' {
-    $auth_url_real = $admin_url_real
+    $auth_url_real = $admin_url
   } elsif $interface == 'internal' {
     $auth_url_real = $internal_url_real
   } else {
-    $auth_url_real = $public_url_real
+    $auth_url_real = $public_url
   }
 
   keystone::resource::authtoken { 'keystone_puppet_config':
-    username     => $username_real,
-    password     => $password_real,
+    username     => $username,
+    password     => $password,
     auth_url     => $auth_url_real,
-    project_name => $project_name_real,
-    region_name  => $region_real,
+    project_name => $project_name,
+    region_name  => $region,
     interface    => $interface,
   }
 }

manifests/endpoint.pp

@@ -1,74 +0,0 @@
-# == Class: keystone::endpoint
-#
-# DEPRECATED!
-#
-# Creates the auth endpoints for keystone
-#
-# === Parameters
-#
-# [*public_url*]
-#   (optional) Public url for keystone endpoint.
-#   Defaults to undef
-#   This url should *not* contain any version or trailing '/'.
-#
-# [*internal_url*]
-#   (optional) Internal url for keystone endpoint.
-#   Defaults to undef
-#   This url should *not* contain any version or trailing '/'.
-#
-# [*admin_url*]
-#   (optional) Admin url for keystone endpoint.
-#   Defaults to undef
-#   This url should *not* contain any version or trailing '/'.
-#
-# [*region*]
-#   (optional) Region for endpoint.
-#   Defaults to undef
-#
-# [*user_domain*]
-#   (Optional) Domain for $auth_name
-#   Defaults to undef (use the keystone server default domain)
-#
-# [*project_domain*]
-#   (Optional) Domain for $tenant (project)
-#   Defaults to undef (use the keystone server default domain)
-#
-# [*default_domain*]
-#   (Optional) Domain for $auth_name and $tenant (project)
-#   If keystone_user_domain is not specified, use $keystone_default_domain
-#   If keystone_project_domain is not specified, use $keystone_default_domain
-#   Defaults to undef
-#
-# [*version*]
-#   (optional) API version for endpoint.
-#   Defaults to undef.
-#
-# === Examples
-#
-#  class { 'keystone::endpoint':
-#    public_url   => 'https://154.10.10.23:5000',
-#    internal_url => 'https://11.0.1.7:5000',
-#    admin_url    => 'https://10.0.1.7:5000',
-#  }
-#
-class keystone::endpoint (
-  $public_url        = undef,
-  $internal_url      = undef,
-  $admin_url         = undef,
-  $region            = undef,
-  $user_domain       = undef,
-  $project_domain    = undef,
-  $default_domain    = undef,
-  $version           = undef,
-) {
-
-  warning('The keystone::endpoint class has been replaced with keystone::bootstrap class\
-    will try to use the backward compatible approach')
-
-  if !defined('$::keystone::roles::admin::admin_tenant') {
-    fail('You are using the backward compatible approach instead of keystone::bootstrap\
-      you need to ensure that keystone::roles::admin is defined BEFORE keystone::endpoint in your manifest')
-  }
-
-  include keystone::bootstrap
-}

manifests/init.pp

@@ -456,23 +456,6 @@
 #   (Optional) The url to validate keystone against
 #   Defaults to undef
 #
-# [*admin_token*]
-#   Admin token that can be used to authenticate as a keystone
-#   admin. This is not the password for the admin user
-#   in the Keystone database. This is a token that bypasses authentication.
-#   Defaults to undef
-#
-# [*admin_password*]
-#   Keystone password for the admin user. This is not the admin_token.
-#   This is the password that the admin user signs into keystone with.
-#   Defaults to undef
-#
-# [*enable_bootstrap*]
-#   (Optional) Enable keystone bootstrapping.
-#   This option to true will automatically bootstrap the default domain
-#   user by running 'keystone-manage bootstrap'.
-#   Defaults to undef
-#
 # [*database_min_pool_size*]
 #   (Optional) Minimum number of SQL connections to keep open in a pool.
 #   Defaults to: undef
@@ -652,9 +635,6 @@ class keystone(
   $validate_insecure                    = undef,
   $validate_auth_url                    = undef,
   $validate_cacert                      = undef,
-  $admin_token                          = undef,
-  $admin_password                       = undef,
-  $enable_bootstrap                     = undef,
   $database_min_pool_size               = undef,
   $cache_backend                        = undef,
   $cache_backend_argument               = undef,
@@ -775,11 +755,6 @@ class keystone(
     purge  => $purge_config,
   }
 
-  # TODO(tobias-urdin): Remove this when admin_token is removed.
-  keystone_config {
-    'DEFAULT/admin_token': ensure => 'absent', secret => true;
-  }
-
   keystone_config {
     'DEFAULT/member_role_id':   value => $member_role_id;
     'DEFAULT/member_role_name': value => $member_role_name;

manifests/roles/admin.pp

@@ -1,102 +0,0 @@
-# == Class: keystone::roles::admin
-#
-# DEPRECATED!
-#
-# This class implements some reasonable admin defaults for keystone.
-#
-# It creates the following keystone objects:
-#   * service tenant (tenant used by all service users)
-#   * "admin" tenant (defaults to "openstack")
-#   * admin user (that defaults to the "admin" tenant)
-#   * admin role
-#   * adds admin role to admin user on the "admin" tenant
-#
-# === Parameters:
-#
-# [*password*]
-#   The admin password. Required. In a later release
-#   this will default to $keystone::admin_password.
-#   Defaults to undef
-#
-# [*email*]
-#   The email address for the admin. Optional.
-#   Defaults to undef
-#
-# [*admin_roles*]
-#   The list of the roles with admin privileges. Optional.
-#   Defaults to undef
-#
-# [*admin_tenant*]
-#   The name of the tenant to be used for admin privileges. Optional.
-#   Defaults to openstack.
-#
-# [*service_tenant*]
-#   The name of service keystone tenant. Optional.
-#   Defaults to undef
-#
-# [*admin*]
-#   Admin user. Optional.
-#   Defaults to undef
-#
-# [*admin_tenant_desc*]
-#   Optional. Description for admin tenant,
-#   Defaults to undef
-#
-# [*service_tenant_desc*]
-#   Optional. Description for admin tenant,
-#   Defaults to undef
-#
-# [*configure_user*]
-#   Optional. Should the admin user be created?
-#   Defaults to undef
-#
-# [*configure_user_role*]
-#   Optional. Should the admin role be configured for the admin user?
-#   Defaults to undef
-#
-# [*admin_user_domain*]
-#   Optional.  Domain of the admin user
-#   Defaults to undef (undef will resolve to class keystone $default_domain)
-#
-# [*target_admin_domain*]
-#   Optional.  Domain where the admin user will have the $admin_role
-#   Defaults to undef (undef will not associate the $admin_role to any
-#   domain, only project)
-#
-# [*admin_project_domain*]
-#   Optional.  Domain of the admin tenant
-#   Defaults to undef (undef will resolve to class keystone $default_domain)
-#
-# [*service_project_domain*]
-#   Optional.  Domain for $service_tenant
-#   Defaults to undef (undef will resolve to class keystone $default_domain)
-#
-# == Dependencies
-# == Examples
-# == Authors
-#
-#   Dan Bode dan@puppetlabs.com
-#
-# == Copyright
-#
-# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
-#
-class keystone::roles::admin(
-  $password               = undef,
-  $email                  = undef,
-  $admin                  = undef,
-  $admin_tenant           = 'openstack',
-  $admin_roles            = undef,
-  $service_tenant         = undef,
-  $admin_tenant_desc      = undef,
-  $service_tenant_desc    = undef,
-  $configure_user         = undef,
-  $configure_user_role    = undef,
-  $admin_user_domain      = undef,
-  $admin_project_domain   = undef,
-  $service_project_domain = undef,
-  $target_admin_domain    = undef,
-) {
-
-  warning('The keystone::roles::admin class has been replaced with keystone::bootstrap class')
-}

releasenotes/notes/remove-deprecated-bootstrap-2b81ba7a7b0b4d5d.yaml

@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The classes keystone::endpoint and keystone::roles::admin is removed, use
+    the new keystone::bootstrap class directly.
+  - |
+    The password parameter in keystone::bootstrap is required and does not
+    default to undef.
+  - |
+    The deprecated parameters admin_token, admin_password and enable_bootstrap
+    in the keystone class is removed.

spec/classes/keystone_federation_identity_provider_spec.rb

@@ -4,7 +4,6 @@ describe 'keystone::federation::identity_provider' do
 
   let :pre_condition do
         "class { 'keystone':
-          admin_token => 'dummy',
           service_name => 'httpd',
           enable_ssl=> true }"
   end
@@ -37,7 +36,6 @@ describe 'keystone::federation::identity_provider' do
     context 'keystone not running under apache' do
       let :pre_condition do
         "class { 'keystone':
-          admin_token => 'dummy',
           service_name => 'keystone',
           enable_ssl=> true }"
       end

spec/classes/keystone_federation_openidc_spec.rb

@@ -8,9 +8,7 @@ describe 'keystone::federation::openidc' do
 
   let(:pre_condition) do
     <<-EOS
-    class { 'keystone':
-      admin_token => 'service_token',
-    }
+    class { 'keystone': }
 
     include keystone::wsgi::apache
     EOS

spec/classes/keystone_federation_spec.rb

@@ -4,10 +4,7 @@ describe 'keystone::federation' do
 
   let(:pre_condition) do
     <<-EOS
-    class { 'keystone':
-      admin_token => 'service_token',
-      admin_password => 'special_password',
-    }
+    class { 'keystone': }
     EOS
   end
 

spec/classes/keystone_wsgi_apache_spec.rb

@@ -4,7 +4,6 @@ describe 'keystone::wsgi::apache' do
 
   let :pre_condition do
     "class { 'keystone':
-       admin_token  => 'dummy',
        service_name => 'httpd',
        enable_ssl   => true,
      }"

spec/spec_helper.rb

@@ -26,7 +26,6 @@ def setup_provider_tests
     def self.reset
       @public_endpoint = nil
       @tenant_hash    = nil
-      @admin_token    = nil
       @keystone_file  = nil
       Puppet::Provider::Keystone.class_variable_set('@@default_domain_id', nil)
       @domain_hash = nil