diff --git a/lib/puppet/type/keystone_domain.rb b/lib/puppet/type/keystone_domain.rb index 5f449daee..b23e4e613 100644 --- a/lib/puppet/type/keystone_domain.rb +++ b/lib/puppet/type/keystone_domain.rb @@ -47,6 +47,6 @@ Puppet::Type.newtype(:keystone_domain) do # we should not do anything until the keystone service is started autorequire(:anchor) do - ['keystone_started'] + ['keystone::service::end'] end end diff --git a/lib/puppet/type/keystone_endpoint.rb b/lib/puppet/type/keystone_endpoint.rb index e7d8ee309..8566c3254 100644 --- a/lib/puppet/type/keystone_endpoint.rb +++ b/lib/puppet/type/keystone_endpoint.rb @@ -41,7 +41,7 @@ Puppet::Type.newtype(:keystone_endpoint) do # we should not do anything until the keystone service is started autorequire(:anchor) do - ['keystone_started'] + ['keystone::service::end'] end autorequire(:keystone_service) do diff --git a/lib/puppet/type/keystone_identity_provider.rb b/lib/puppet/type/keystone_identity_provider.rb index 9fd26d76f..0da5b8cbc 100644 --- a/lib/puppet/type/keystone_identity_provider.rb +++ b/lib/puppet/type/keystone_identity_provider.rb @@ -93,6 +93,6 @@ Puppet::Type.newtype(:keystone_identity_provider) do end autorequire(:anchor) do - ['keystone_started'] + ['keystone::service::end'] end end diff --git a/lib/puppet/type/keystone_role.rb b/lib/puppet/type/keystone_role.rb index 15ec26a5c..c4e50bbe3 100644 --- a/lib/puppet/type/keystone_role.rb +++ b/lib/puppet/type/keystone_role.rb @@ -23,6 +23,6 @@ Puppet::Type.newtype(:keystone_role) do # we should not do anything until the keystone service is started autorequire(:anchor) do - ['keystone_started'] + ['keystone::service::end'] end end diff --git a/lib/puppet/type/keystone_service.rb b/lib/puppet/type/keystone_service.rb index f9ac00f41..5cc53239c 100644 --- a/lib/puppet/type/keystone_service.rb +++ b/lib/puppet/type/keystone_service.rb 
@@ -35,7 +35,7 @@ Puppet::Type.newtype(:keystone_service) do # If there is no keystone config, authentication credentials # need to come from another source. autorequire(:anchor) do - ['keystone_started'] + ['keystone::service::end'] end def self.title_patterns diff --git a/lib/puppet/type/keystone_tenant.rb b/lib/puppet/type/keystone_tenant.rb index 1a9f6cfc0..03bef5b69 100644 --- a/lib/puppet/type/keystone_tenant.rb +++ b/lib/puppet/type/keystone_tenant.rb @@ -60,7 +60,7 @@ Puppet::Type.newtype(:keystone_tenant) do # If there is no keystone config, authentication credentials # need to come from another source. autorequire(:anchor) do - ['keystone_started', 'default_domain_created'] + ['keystone::service::end', 'default_domain_created'] end def self.title_patterns diff --git a/lib/puppet/type/keystone_user.rb b/lib/puppet/type/keystone_user.rb index 7de58b96d..7d1bec2e5 100644 --- a/lib/puppet/type/keystone_user.rb +++ b/lib/puppet/type/keystone_user.rb @@ -80,7 +80,7 @@ Puppet::Type.newtype(:keystone_user) do # we should not do anything until the keystone service is started autorequire(:anchor) do - ['keystone_started', 'default_domain_created'] + ['keystone::service::end', 'default_domain_created'] end def self.title_patterns diff --git a/lib/puppet/type/keystone_user_role.rb b/lib/puppet/type/keystone_user_role.rb index 3a442cd9f..a18aa16b9 100644 --- a/lib/puppet/type/keystone_user_role.rb +++ b/lib/puppet/type/keystone_user_role.rb @@ -104,7 +104,7 @@ Puppet::Type.newtype(:keystone_user_role) do # we should not do anything until the keystone service is started autorequire(:anchor) do - ['keystone_started'] + ['keystone::service::end'] end def self.title_patterns diff --git a/manifests/client.pp b/manifests/client.pp index bd89cb304..056eb1de9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -17,6 +17,8 @@ class keystone::client ( $ensure = 'present' ) inherits keystone::params { + include ::keystone::deps + package { 'python-keystoneclient': ensure => $ensure, name => $client_package_name, diff --git a/manifests/config.pp b/manifests/config.pp index 5d0c30fea..63871c154 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -28,6 +28,8 @@ class keystone::config ( $keystone_paste_ini = {}, ) { + include ::keystone::deps + validate_hash($keystone_config) validate_hash($keystone_paste_ini) diff --git a/manifests/cron/token_flush.pp b/manifests/cron/token_flush.pp index 565e0c0e9..c987e1289 100644 --- a/manifests/cron/token_flush.pp +++ b/manifests/cron/token_flush.pp @@ -65,6 +65,8 @@ class keystone::cron::token_flush ( $user = 'keystone', ) { + include ::keystone::deps + if $maxdelay == 0 { $sleep = '' } else { diff --git a/manifests/db.pp b/manifests/db.pp index 9305c58dc..b331cbcb4 100644 --- a/manifests/db.pp +++ b/manifests/db.pp @@ -43,6 +43,7 @@ class keystone::db ( $database_max_overflow = $::os_service_default, ) { + include ::keystone::deps include ::keystone::params # NOTE(spredzy): In order to keep backward compatibility we rely on the pick function @@ -84,7 +85,7 @@ class keystone::db ( package {'keystone-backend-package': ensure => present, name => $backend_package, - tag => 'openstack', + tag => ['openstack', 'keystone-package'], } } diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp index 075bb395e..2e0e882d8 100644 --- a/manifests/db/mysql.pp +++ b/manifests/db/mysql.pp @@ -58,6 +58,8 @@ class keystone::db::mysql( $allowed_hosts = undef ) { + include ::keystone::deps + validate_string($password) ::openstacklib::db::mysql { 'keystone': @@ -70,5 +72,7 @@ class keystone::db::mysql( allowed_hosts => $allowed_hosts, } - ::Openstacklib::Db::Mysql['keystone'] ~> Exec<| title == 'keystone-manage db_sync' |> + Anchor['keystone::db::begin'] + ~> Class['keystone::db::mysql'] + ~> Anchor['keystone::db::end'] } 
diff --git a/manifests/db/postgresql.pp b/manifests/db/postgresql.pp index 4bf5a6a75..b05fb124a 100644 --- a/manifests/db/postgresql.pp +++ b/manifests/db/postgresql.pp @@ -42,7 +42,7 @@ class keystone::db::postgresql( $privileges = 'ALL', ) { - Class['keystone::db::postgresql'] -> Service<| title == 'keystone' |> + include ::keystone::deps ::openstacklib::db::postgresql { 'keystone': password_hash => postgresql_password($user, $password), @@ -52,6 +52,7 @@ class keystone::db::postgresql( privileges => $privileges, } - ::Openstacklib::Db::Postgresql['keystone'] ~> Exec<| title == 'keystone-manage db_sync' |> - + Anchor['keystone::db::begin'] + ~> Class['keystone::db::postgresql'] + ~> Anchor['keystone::db::end'] } diff --git a/manifests/db/sync.pp b/manifests/db/sync.pp index 48128eb48..fd966568d 100644 --- a/manifests/db/sync.pp +++ b/manifests/db/sync.pp @@ -11,15 +11,22 @@ # Defaults to '' # class keystone::db::sync( - $extra_params = undef, + $extra_params = undef, ) { + + include ::keystone::deps + exec { 'keystone-manage db_sync': command => "keystone-manage ${extra_params} db_sync", path => '/usr/bin', user => 'keystone', refreshonly => true, - subscribe => [Package['keystone'], Keystone_config['database/connection']], + subscribe => [ + Anchor['keystone::install::end'], + Anchor['keystone::config::end'], + Anchor['keystone::dbsync::begin'] + ], + notify => Anchor['keystone::dbsync::end'], + tag => 'keystone-exec', } - - Exec['keystone-manage db_sync'] ~> Service<| title == 'keystone' |> } diff --git a/manifests/deps.pp b/manifests/deps.pp new file mode 100644 index 000000000..27a16a2ec --- /dev/null +++ b/manifests/deps.pp 
@@ -0,0 +1,74 @@
+# == Class: keystone::deps
+#
+# keystone anchors and dependency management
+#
+class keystone::deps {
+ # Setup anchors for install, config and service phases of the module. These
+ # anchors allow external modules to hook the begin and end of any of these
+ # phases. Package or service management can also be replaced by ensuring the
+ # package is absent or turning off service management and having the
+ # replacement depend on the appropriate anchors. When applicable, end tags
+ # should be notified so that subscribers can determine if installation,
+ # config or service state changed and act on that if needed.
+ anchor { 'keystone::install::begin': }
+ -> Package<| tag == 'keystone-package'|>
+ ~> anchor { 'keystone::install::end': }
+ -> anchor { 'keystone::config::begin': }
+ -> Keystone_config<||>
+ ~> anchor { 'keystone::config::end': }
+ -> anchor { 'keystone::db::begin': }
+ -> anchor { 'keystone::db::end': }
+ ~> anchor { 'keystone::dbsync::begin': }
+ -> anchor { 'keystone::dbsync::end': }
+ ~> anchor { 'keystone::service::begin': }
+ ~> Service<| tag == 'keystone-service' |>
+ ~> anchor { 'keystone::service::end': }
+
+ # paste-api.ini config should occur in the config block also.
+ Anchor['keystone::config::begin']
+ -> Keystone_paste_ini<||>
+ ~> Anchor['keystone::config::end']
+
+ # policy config should occur in the config block also.
+ Anchor['keystone::config::begin']
+ -> Openstacklib::Policy::Base<||>
+ ~> Anchor['keystone::config::end']
+
+ # Support packages need to be installed in the install phase, but we don't
+ # put them in the chain above because we don't want any false dependencies
+ # between packages with the keystone-package tag and the keystone-support-package
+ # tag. Note: the package resources here will have a 'before' relationshop on
+ # the keystone::install::end anchor. 
The line between keystone-support-package and + # keystone-package should be whether or not keystone services would need to be + # restarted if the package state was changed. + Anchor['keystone::install::begin'] + -> Package<| tag == 'keystone-support-package'|> + -> Anchor['keystone::install::end'] + + # We need openstackclient before marking service end so that keystone + # will have clients available to create resources. This tag handles the + # openstackclient but indirectly since the client is not available in + # all catalogs that don't need the client class (like many spec tests) + Package<| tag == 'openstack'|> + ~> Anchor['keystone::service::end'] + + # The following resources need to be provisioned after the service is up. + Anchor['keystone::service::end'] + -> Keystone_domain<||> + Anchor['keystone::service::end'] + -> Keystone_endpoint<||> + Anchor['keystone::service::end'] + -> Keystone_role<||> + Anchor['keystone::service::end'] + -> Keystone_service<||> + Anchor['keystone::service::end'] + -> Keystone_tenant<||> + Anchor['keystone::service::end'] + -> Keystone_user<||> + Anchor['keystone::service::end'] + -> Keystone_user_role<||> + + # Installation or config changes will always restart services. + Anchor['keystone::install::end'] ~> Anchor['keystone::service::begin'] + Anchor['keystone::config::end'] ~> Anchor['keystone::service::begin'] +} diff --git a/manifests/endpoint.pp b/manifests/endpoint.pp index b4808e5b9..3407cd919 100644 --- a/manifests/endpoint.pp +++ b/manifests/endpoint.pp @@ -62,6 +62,8 @@ class keystone::endpoint ( $version = 'unset', # defaults to 'v2.0' if unset by user ) { + include ::keystone::deps + if $version == 'unset' { # $version will be set to empty '' once tempest & all openstack clients # actually support versionless endpoints. diff --git a/manifests/federation/identity_provider.pp b/manifests/federation/identity_provider.pp index 62ef7d986..5a92c8316 100644 --- a/manifests/federation/identity_provider.pp 
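Review bot: No compatibility alias is left for the old `keystone_started` anchor, which this commit removes from init.pp and from every type's autorequire, so an external manifest that still references `Anchor['keystone_started']` will presumably fail to compile after upgrading. A transitional `anchor { 'keystone_started': require => Anchor['keystone::service::end'] }` in `keystone::deps` would keep those references working for a release; otherwise the removal should be called out in the release notes. Separately, `Package<| tag == 'openstack'|> ~> Anchor['keystone::service::end']` matches every package carrying that tag in the catalog, not only the client, so ordering and refreshes from unrelated modules flow into this anchor; the comment above it should state that scope explicitly.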
+++ b/manifests/federation/identity_provider.pp @@ -63,6 +63,11 @@ # (Optional) User with access to keystone files. (string value) # Defaults to 'keystone'. # +# [*package_ensure*] +# (optional) Desired ensure state of packages. +# accepts latest or specific versions. +# Defaults to present. +# # == Dependencies # == Examples # == Authors @@ -89,7 +94,10 @@ class keystone::federation::identity_provider( $idp_contact_email = undef, $idp_contact_telephone = undef, $idp_contact_type = undef, + $package_ensure = present, ) { + + include ::keystone::deps include ::keystone::params if $::keystone::service_name != 'httpd' { @@ -97,7 +105,8 @@ class keystone::federation::identity_provider( } ensure_packages(['xmlsec1','python-pysaml2'], { - ensure => present + ensure => $package_ensure, + tag => 'keystone-support-package', }) keystone_config { @@ -125,12 +134,13 @@ class keystone::federation::identity_provider( } exec {'saml_idp_metadata': - path => '/usr/bin', - user => "${user}", - command => "keystone-manage saml_idp_metadata > ${idp_metadata_path}", - creates => $idp_metadata_path, - notify => Service[$::keystone::params::service_name], - subscribe => Package['keystone'], + path => '/usr/bin', + user => "${user}", + command => "keystone-manage saml_idp_metadata > ${idp_metadata_path}", + creates => $idp_metadata_path, + subscribe => Anchor['keystone::config::end'], + notify => Anchor['keystone::service::end'], + tag => 'keystone-exec', } file { $idp_metadata_path: @@ -139,6 +149,4 @@ class keystone::federation::identity_provider( owner => "${user}", } - Keystone_config<||> -> Exec<| title == 'saml_idp_metadata'|> - } diff --git a/manifests/federation/mellon.pp b/manifests/federation/mellon.pp index 0de7e2274..ee51bb65f 100644 --- a/manifests/federation/mellon.pp +++ b/manifests/federation/mellon.pp 
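Review bot: In the `saml_idp_metadata` exec, `notify => Anchor['keystone::service::end']` sends the refresh past the service instead of to it, so generating the IdP metadata no longer restarts keystone the way the removed `notify => Service[...]` did, and nothing orders the exec before the service resource. The pki_setup and fernet_setup execs in init.pp in this same diff use `notify => Anchor['keystone::service::begin']`; using that target here would put the metadata file in place before the service phase and keep the restart. If skipping the restart is intended, a comment on the exec should say so.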
@@ -41,6 +41,11 @@ # The value 999 corresponds to the order for concat::fragment "${name}-file_footer". # (Optional) Defaults to 331. # +# [*package_ensure*] +# (optional) Desired ensure state of packages. +# accepts latest or specific versions. +# Defaults to present. +# class keystone::federation::mellon ( $methods, $idp_name, @@ -49,9 +54,11 @@ class keystone::federation::mellon ( $main_port = true, $module_plugin = 'keystone.auth.plugins.mapped.Mapped', $template_order = 331, + $package_ensure = present, ) { include ::apache + include ::keystone::deps include ::keystone::params # Note: if puppet-apache modify these values, this needs to be updated @@ -84,7 +91,8 @@ class keystone::federation::mellon ( } ensure_packages([$::keystone::params::mellon_package_name], { - ensure => present + ensure => $package_ensure, + tag => 'keystone-support-package', }) if $admin_port { diff --git a/manifests/federation/shibboleth.pp b/manifests/federation/shibboleth.pp index f26e40180..ab57216bd 100644 --- a/manifests/federation/shibboleth.pp +++ b/manifests/federation/shibboleth.pp @@ -69,6 +69,7 @@ class keystone::federation::shibboleth( ) { include ::apache + include ::keystone::deps # Note: if puppet-apache modify these values, this needs to be updated if $template_order <= 330 or $template_order >= 999 { diff --git a/manifests/init.pp b/manifests/init.pp index ad5d52fde..f1852b436 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -625,6 +625,7 @@ class keystone( $public_workers = max($::processorcount, 2), ) inherits keystone::params { + include ::keystone::deps include ::keystone::logging if ! $catalog_driver { 
@@ -651,12 +652,6 @@ class keystone( } } - Keystone_config<||> ~> Service[$service_name] - Keystone_config<||> ~> Exec<| title == 'keystone-manage bootstrap'|> - Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|> - Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|> - Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|> - include ::keystone::db include ::keystone::params @@ -692,6 +687,7 @@ class keystone( package { 'python-memcache': ensure => present, name => $::keystone::params::python_memcache_package_name, + tag => ['openstack', 'keystone-package'], } } @@ -725,7 +721,7 @@ class keystone( } if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) { - Service<| title == 'memcached' |> -> Service['keystone'] + Service<| title == 'memcached' |> -> Anchor['keystone::service::begin'] } # TODO(aschultz): remove in N cycle @@ -801,8 +797,9 @@ class keystone( path => '/usr/bin', refreshonly => true, creates => $signing_keyfile, - notify => Service[$service_name], - subscribe => Package['keystone'], + notify => Anchor['keystone::service::begin'], + subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']], + tag => 'keystone-exec', } } @@ -909,14 +906,15 @@ class keystone( validate => false, } $service_name_real = $::apache::params::service_name - Service['keystone'] -> Service[$service_name_real] + # leave this here because Ubuntu packages will start Keystone and we need it stopped + # before apache can run + Service['keystone'] -> Service[$service_name_real] } else { fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server') } if $sync_db { include ::keystone::db::sync - Class['::keystone::db::sync'] ~> Service[$service_name] } # Fernet tokens support 
@@ -927,8 +925,9 @@ class keystone( path => '/usr/bin', refreshonly => true, creates => "${fernet_key_repository}/0", - notify => Service[$service_name], - subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']], + notify => Anchor['keystone::service::begin'], + subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']], + tag => 'keystone-exec', } } @@ -979,13 +978,16 @@ class keystone( } if $enable_bootstrap { + # this requires the database to be up and running and configured + # and is only run once, so we don't need to notify the service exec { 'keystone-manage bootstrap': command => "keystone-manage bootstrap --bootstrap-password ${admin_token}", path => '/usr/bin', refreshonly => true, + notify => Anchor['keystone::service::begin'], + subscribe => Anchor['keystone::dbsync::end'], + tag => 'keystone-exec', } - Exec<| title == 'keystone-manage db_sync'|> ~> Exec<| title == 'keystone-manage bootstrap'|> - Exec['keystone-manage bootstrap'] ~> Service<| title == 'keystone' |> } if $using_domain_config { @@ -1002,7 +1004,7 @@ class keystone( group => 'keystone', mode => '0750', notify => Service[$service_name], - require => Package['keystone'], + require => Anchor['keystone::install::end'], } } # Here we want the creation to fail if the user has created those @@ -1019,7 +1021,4 @@ class keystone( {'value' => $domain_config_directory} ) } - anchor { 'keystone_started': - require => Service[$service_name] - } } diff --git a/manifests/ldap.pp b/manifests/ldap.pp index 18b90b1bf..a57c3f04a 100644 --- a/manifests/ldap.pp +++ b/manifests/ldap.pp @@ -356,6 +356,11 @@ # End user auth connection lifetime in seconds. (integer value) # Defaults to '60' # +# [*package_ensure*] +# (optional) Desired ensure state of packages. +# accepts latest or specific versions. +# Defaults to present. +# # === DEPRECATED group/name # # == Dependencies 
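Review bot: The comment added above `keystone-manage bootstrap` says the service does not need to be notified, yet the exec gains `notify => Anchor['keystone::service::begin']`, which does refresh the service chain. One of the two should change: drop the notify, or reword the comment to something like `# must finish before the service phase begins; refreshed by dbsync::end`. The "only run once" wording also looks inaccurate, since the exec is `refreshonly` with `subscribe => Anchor['keystone::dbsync::end']` and has no `creates` or `unless` guard, so it presumably reruns, with `${admin_token}` on its command line, each time db_sync is refreshed. The enclosing `if $enable_bootstrap` block is fully inside the hunk, but the class body is not.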
@@ -450,12 +455,14 @@ class keystone::ldap( $use_auth_pool = false, $auth_pool_size = 100, $auth_pool_connection_lifetime = 60, + $package_ensure = present, ) { + include ::keystone::deps + $ldap_packages = ['python-ldap', 'python-ldappool'] - package { $ldap_packages: - ensure => present, - } + ensure_resource('package', $ldap_packages, { ensure => $package_ensure, + tag => 'keystone-package' }) if ($tls_cacertdir != undef) { file { $tls_cacertdir: diff --git a/manifests/ldap_backend.pp b/manifests/ldap_backend.pp index 3da0292a3..b2ee10581 100644 --- a/manifests/ldap_backend.pp +++ b/manifests/ldap_backend.pp @@ -359,6 +359,11 @@ # End user auth connection lifetime in seconds. (integer value) # Defaults to '60' # +# [*package_ensure*] +# (optional) Desired ensure state of packages. +# accepts latest or specific versions. +# Defaults to present. +# # === DEPRECATED group/name # # == Dependencies @@ -444,8 +449,11 @@ define keystone::ldap_backend( $use_auth_pool = false, $auth_pool_size = 100, $auth_pool_connection_lifetime = 60, + $package_ensure = present, ) { + include ::keystone::deps + $domain_enabled = getparam(Keystone_config['identity/domain_specific_drivers_enabled'], 'value') $domain_dir_enabled = getparam(Keystone_config['identity/domain_config_dir'], 'value') $err_msg = "You should add \"using_domain_config => true\" parameter to your Keystone class, got \"${domain_enabled}\" for identity/domain_specific_drivers_enabled and \"${domain_dir_enabled}\" for identity/domain_config_dir" @@ -468,8 +476,8 @@ define keystone::ldap_backend( $ldap_packages = ['python-ldap', 'python-ldappool'] ensure_resource('package', $ldap_packages, { - ensure => present, - require => Package['keystone'], + ensure => $package_ensure, + tag => ['openstack', 'keystone-package'], }) if ($tls_cacertdir != undef) { diff --git a/manifests/logging.pp b/manifests/logging.pp index 1ad08a920..37320a23b 100644 --- a/manifests/logging.pp +++ b/manifests/logging.pp 
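Review bot: `keystone::ldap` declares the LDAP packages with `tag => 'keystone-package'`, while `keystone::ldap_backend` (the last hunk of manifests/ldap_backend.pp below) passes `tag => ['openstack', 'keystone-package']` for the same titles. `ensure_resource` only de-duplicates when the parameter hashes match, so a catalog that contains both will likely fail with a duplicate declaration for `python-ldap`. Passing the same hash in both places, `{ ensure => $package_ensure, tag => ['openstack', 'keystone-package'] }`, avoids that; the two `package_ensure` parameters also have to agree for the same reason, which the new parameter documentation should mention.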
@@ -118,6 +118,8 @@ class keystone::logging( $log_date_format = $::os_service_default, ) { + include ::keystone::deps + # NOTE(spredzy): In order to keep backward compatibility we rely on the pick function # to use keystone:: first then keystone::logging::. $use_syslog_real = pick($::keystone::use_syslog,$use_syslog) diff --git a/manifests/policy.pp b/manifests/policy.pp index 13be064b0..65e2f301d 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -28,6 +28,8 @@ class keystone::policy ( $policy_path = '/etc/keystone/policy.json', ) { + include ::keystone::deps + validate_hash($policies) Openstacklib::Policy::Base { diff --git a/manifests/resource/authtoken.pp b/manifests/resource/authtoken.pp index 5165abb3a..a67be9541 100644 --- a/manifests/resource/authtoken.pp +++ b/manifests/resource/authtoken.pp @@ -160,6 +160,8 @@ define keystone::resource::authtoken( $insecure = false, ) { + include ::keystone::deps + if !$project_name and !$project_id and !$domain_name and !$domain_id { fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)') } diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp index 2298201b0..821cdda2a 100644 --- a/manifests/resource/service_identity.pp +++ b/manifests/resource/service_identity.pp @@ -125,6 +125,9 @@ define keystone::resource::service_identity( $project_domain = undef, $default_domain = undef, ) { + + include ::keystone::deps + if $service_name == undef { $service_name_real = $auth_name } else { diff --git a/manifests/roles/admin.pp b/manifests/roles/admin.pp index 7afe373bc..e632b07d7 100644 --- a/manifests/roles/admin.pp +++ b/manifests/roles/admin.pp 
@@ -87,6 +87,8 @@ class keystone::roles::admin( $service_project_domain = undef, ) { + include ::keystone::deps + $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain])) keystone_domain { $domains: ensure => present, @@ -99,12 +101,14 @@ class keystone::roles::admin( description => $service_tenant_desc, domain => $service_project_domain, } + keystone_tenant { $admin_tenant: ensure => present, enabled => true, description => $admin_tenant_desc, domain => $admin_project_domain, } + keystone_role { 'admin': ensure => present, } diff --git a/manifests/service.pp b/manifests/service.pp index abf1d5e29..974baeec0 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -78,6 +78,8 @@ class keystone::service( $insecure = false, $cacert = undef, ) { + + include ::keystone::deps include ::keystone::params service { 'keystone': @@ -112,13 +114,8 @@ class keystone::service( subscribe => Service['keystone'], refreshonly => true, tries => $retries, - try_sleep => $delay + try_sleep => $delay, + notify => Anchor['keystone::service::end'], } - - Exec['validate_keystone_connection'] -> Keystone_user<||> - Exec['validate_keystone_connection'] -> Keystone_role<||> - Exec['validate_keystone_connection'] -> Keystone_tenant<||> - Exec['validate_keystone_connection'] -> Keystone_service<||> - Exec['validate_keystone_connection'] -> Keystone_endpoint<||> } } diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index 5a3abef59..54d0a3a85 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp @@ -172,6 +172,7 @@ class keystone::wsgi::apache ( $vhost_custom_fragment = undef, ) { + include ::keystone::deps include ::keystone::params include ::apache include ::apache::mod::wsgi 
@@ -179,15 +180,25 @@ class keystone::wsgi::apache ( include ::apache::mod::ssl } - Package['keystone'] -> Package['httpd'] - Package['keystone'] ~> Service['httpd'] - Keystone_config <| |> ~> Service['httpd'] - Service['httpd'] -> Keystone_endpoint <| |> - Service['httpd'] -> Keystone_role <| |> - Service['httpd'] -> Keystone_service <| |> - Service['httpd'] -> Keystone_tenant <| |> - Service['httpd'] -> Keystone_user <| |> - Service['httpd'] -> Keystone_user_role <| |> + # The httpd package is untagged, but needs to have ordering enforced, + # so handle it here rather than in the deps class. + Anchor['keystone::install::begin'] + -> Package['httpd'] + -> Anchor['keystone::install::end'] + + # Configure apache during the config phase + Anchor['keystone::config::begin'] + -> Apache::Vhost<||> + ~> Anchor['keystone::config::end'] + + # Start the service during the service phase + Anchor['keystone::service::begin'] + -> Service['httpd'] + -> Anchor['keystone::service::end'] + + # Notify the service when config changes + Anchor['keystone::config::end'] + ~> Service['httpd'] ## Sanitize parameters @@ -204,7 +215,7 @@ class keystone::wsgi::apache ( ensure => directory, owner => 'keystone', group => 'keystone', - require => Package['httpd'], + require => Anchor['keystone::install::end'], } $wsgi_files = { @@ -221,7 +232,7 @@ class keystone::wsgi::apache ( 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']], + 'require' => File[$::keystone::params::keystone_wsgi_script_path], } $wsgi_script_source_real = $wsgi_script_source ? { diff --git a/spec/classes/keystone_db_spec.rb b/spec/classes/keystone_db_spec.rb index 83e3ce895..2bcfb9e18 100644 --- a/spec/classes/keystone_db_spec.rb +++ b/spec/classes/keystone_db_spec.rb 
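Review bot: `Anchor['keystone::config::begin'] -> Apache::Vhost<||> ~> Anchor['keystone::config::end']` collects every vhost in the catalog, not only keystone's, so on a shared Apache host a change to an unrelated vhost refreshes `keystone::config::end` and, through it, the db_sync exec and the service chain that subscribe to that anchor. Narrowing the collector to the keystone vhosts would limit that, for example `Apache::Vhost<| title == 'keystone_wsgi_main' or title == 'keystone_wsgi_admin' |>`; those titles are inferred from the spec file in this diff and should be checked against the manifest. The class body continues outside the hunk.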
@@ -92,7 +92,7 @@ describe 'keystone::db' do is_expected.to contain_package('keystone-backend-package').with( :ensure => 'present', :name => 'python-pymysql', - :tag => 'openstack' + :tag => ['openstack', 'keystone-package'] ) end end diff --git a/spec/classes/keystone_db_sync_spec.rb b/spec/classes/keystone_db_sync_spec.rb index c5f82a00c..ccc0af3bf 100644 --- a/spec/classes/keystone_db_sync_spec.rb +++ b/spec/classes/keystone_db_sync_spec.rb @@ -6,9 +6,11 @@ describe 'keystone::db::sync' do it { is_expected.to contain_exec('keystone-manage db_sync').with( :command => 'keystone-manage db_sync', - :user => 'keystone', :refreshonly => true, - :subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], + :subscribe => ['Anchor[keystone::install::end]', + 'Anchor[keystone::config::end]', + 'Anchor[keystone::dbsync::begin]'], + :notify => 'Anchor[keystone::dbsync::end]', ) } end @@ -23,9 +25,11 @@ describe 'keystone::db::sync' do it { is_expected.to contain_exec('keystone-manage db_sync').with( :command => 'keystone-manage --config-file /etc/keystone/keystone.conf db_sync', - :user => 'keystone', :refreshonly => true, - :subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], + :subscribe => ['Anchor[keystone::install::end]', + 'Anchor[keystone::config::end]', + 'Anchor[keystone::dbsync::begin]'], + :notify => 'Anchor[keystone::dbsync::end]', ) } end diff --git a/spec/classes/keystone_deps_spec.rb b/spec/classes/keystone_deps_spec.rb new file mode 100644 index 000000000..354981c3d --- /dev/null +++ b/spec/classes/keystone_deps_spec.rb 
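Review bot: Both `keystone::db::sync` examples drop the `:user => 'keystone'` expectation, although manifests/db/sync.pp in this diff still sets `user => 'keystone'` on the exec, so the spec no longer catches a regression that would run `keystone-manage db_sync` as root. Keep `:user => 'keystone',` in both `with(...)` hashes; the second hunk, for the `--config-file` case, has the same removal. The newly added `tag => 'keystone-exec'` is not asserted either and could be covered with `:tag => 'keystone-exec',`.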
@@ -0,0 +1,17 @@ +require 'spec_helper' + +describe 'keystone::deps' do + + it 'set up the anchors' do + is_expected.to contain_anchor('keystone::install::begin') + is_expected.to contain_anchor('keystone::install::end') + is_expected.to contain_anchor('keystone::config::begin') + is_expected.to contain_anchor('keystone::config::end') + is_expected.to contain_anchor('keystone::db::begin') + is_expected.to contain_anchor('keystone::db::end') + is_expected.to contain_anchor('keystone::dbsync::begin') + is_expected.to contain_anchor('keystone::dbsync::end') + is_expected.to contain_anchor('keystone::service::begin') + is_expected.to contain_anchor('keystone::service::end') + end +end diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb index 3961f01e9..a83440c5e 100644 --- a/spec/classes/keystone_spec.rb +++ b/spec/classes/keystone_spec.rb @@ -133,7 +133,10 @@ describe 'keystone' do :command => 'keystone-manage db_sync', :user => 'keystone', :refreshonly => true, - :subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], + :subscribe => ['Anchor[keystone::install::end]', + 'Anchor[keystone::config::end]', + 'Anchor[keystone::dbsync::begin]'], + :notify => 'Anchor[keystone::dbsync::end]', ) end end @@ -262,7 +265,7 @@ describe 'keystone' do 'tag' => 'keystone-service', ) } - it { is_expected.to contain_anchor('keystone_started') } + it { is_expected.to contain_anchor('keystone::service::end') } end end @@ -273,7 +276,7 @@ describe 'keystone' do end let :pre_condition do - 'include ::apache' + 'include ::keystone::wsgi::apache' end it_configures 'core keystone examples', httpd_params 
@@ -290,7 +293,7 @@ describe 'keystone' do 'enable' => false, 'validate' => false )} - it { is_expected.to contain_service('keystone').with_before(/Service\[#{platform_parameters[:httpd_service_name]}\]/) } + it { is_expected.to contain_service('httpd').with_before(/Anchor\[keystone::service::end\]/) } it { is_expected.to contain_exec('restart_keystone').with( 'command' => "service #{platform_parameters[:httpd_service_name]} restart", ) } @@ -315,7 +318,7 @@ describe 'keystone' do 'hasstatus' => true, 'hasrestart' => true ) } - it { is_expected.to contain_anchor('keystone_started') } + it { is_expected.to contain_anchor('keystone::service::end') } end describe 'when configuring signing token provider' do diff --git a/spec/classes/keystone_wsgi_apache_spec.rb b/spec/classes/keystone_wsgi_apache_spec.rb index e78d59b36..dcaf81410 100644 --- a/spec/classes/keystone_wsgi_apache_spec.rb +++ b/spec/classes/keystone_wsgi_apache_spec.rb @@ -29,7 +29,7 @@ describe 'keystone::wsgi::apache' do 'ensure' => 'directory', 'owner' => 'keystone', 'group' => 'keystone', - 'require' => 'Package[httpd]' + 'require' => 'Anchor[keystone::install::end]', )} it { is_expected.to contain_file('keystone_wsgi_admin').with( @@ -39,7 +39,7 @@ describe 'keystone::wsgi::apache' do 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] + 'require' => "File[#{platform_parameters[:wsgi_script_path]}]", )} it { is_expected.to contain_file('keystone_wsgi_main').with( @@ -49,7 +49,7 @@ describe 'keystone::wsgi::apache' do 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] + 'require' => "File[#{platform_parameters[:wsgi_script_path]}]", )} it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with( 
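Review bot: The replaced expectation stops checking that `Service['keystone']` comes before the httpd service, but manifests/init.pp in this diff keeps `Service['keystone'] -> Service[$service_name_real]` and adds a comment saying it is needed because Ubuntu packages start keystone. The new `contain_service('httpd')` check should be added next to the old one rather than replace it, i.e. keep `it { is_expected.to contain_service('keystone').with_before(/Service\[#{platform_parameters[:httpd_service_name]}\]/) }`. The surrounding describe block starts outside the hunk.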
@@ -282,7 +282,7 @@ describe 'keystone::wsgi::apache' do 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] + 'require' => "File[#{platform_parameters[:wsgi_script_path]}]", )} it { is_expected.to contain_file('keystone_wsgi_main').with( @@ -292,7 +292,7 @@ describe 'keystone::wsgi::apache' do 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] + 'require' => "File[#{platform_parameters[:wsgi_script_path]}]", )} end