Add a new parameter to enable/disable bootstrap

This change introduces a new parameter to enable/disable bootstrap
command by the keystone::bootstrap command. This parameter is useful
expecially in the deployment with multiple controller nodes, and we
can run bootstrap command on only one of the controller nodes while
we generate puppet.conf on all controller nodes, so that we can use
openstack providers in all controller nodes.

Change-Id: If049e33fefc2681d2f4340f5910402b07e6e286f

manifests/bootstrap.pp

@@ -56,6 +56,10 @@
 #   (Optional) Which interface endpoint should be used.
 #    Defaults to 'public'
 #
+# [*bootstrap*]
+#   (Optional) Whether to run keystone-manage bootstrap command.
+#   Defaults to true
+#
 class keystone::bootstrap (
   $password,
   $username             = 'admin',
@@ -69,6 +73,7 @@ class keystone::bootstrap (
   $internal_url         = undef,
   $region               = 'RegionOne',
   $interface            = 'public',
+  $bootstrap            = true,
 ) inherits keystone::params {
 
   include keystone::deps
@@ -84,71 +89,73 @@ class keystone::bootstrap (
     $keystone_user = $::keystone::params::keystone_user
   }
 
-  # The initial bootstrap that creates all resources required but
-  # only subscribes to notifies from the keystone::dbsync::end anchor
-  # which means this is not guaranteed to execute on each run.
-  exec { 'keystone bootstrap':
-    command     => 'keystone-manage bootstrap',
-    environment => [
-      "OS_BOOTSTRAP_USERNAME=${username}",
-      "OS_BOOTSTRAP_PASSWORD=${password}",
-      "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
-      "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
-      "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
-      "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
-      "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
-      "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
-      "OS_BOOTSTRAP_REGION_ID=${region}",
-    ],
-    user        => $keystone_user,
-    path        => '/usr/bin',
-    refreshonly => true,
-    subscribe   => Anchor['keystone::dbsync::end'],
-    notify      => Anchor['keystone::service::begin'],
-    tag         => 'keystone-bootstrap',
+  if $bootstrap {
+    # The initial bootstrap that creates all resources required but
+    # only subscribes to notifies from the keystone::dbsync::end anchor
+    # which means this is not guaranteed to execute on each run.
+    exec { 'keystone bootstrap':
+      command     => 'keystone-manage bootstrap',
+      environment => [
+        "OS_BOOTSTRAP_USERNAME=${username}",
+        "OS_BOOTSTRAP_PASSWORD=${password}",
+        "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
+        "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
+        "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
+        "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
+        "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
+        "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
+        "OS_BOOTSTRAP_REGION_ID=${region}",
+      ],
+      user        => $keystone_user,
+      path        => '/usr/bin',
+      refreshonly => true,
+      subscribe   => Anchor['keystone::dbsync::end'],
+      notify      => Anchor['keystone::service::begin'],
+      tag         => 'keystone-bootstrap',
+    }
+
+    # Since the bootstrap is not guaranteed to execute on each run we
+    # use the below resources to make sure the current resources are
+    # correct so if some value was updated we set that.
+
+    ensure_resource('keystone_role', $role_name, {
+      'ensure' => 'present',
+    })
+
+    ensure_resource('keystone_user', $username, {
+      'ensure'   => 'present',
+      'enabled'  => true,
+      'email'    => $email,
+      'password' => $password,
+    })
+
+    ensure_resource('keystone_tenant', $service_project_name, {
+      'ensure'  => 'present',
+      'enabled' => true,
+    })
+
+    ensure_resource('keystone_tenant', $project_name, {
+      'ensure'  => 'present',
+      'enabled' => true,
+    })
+
+    ensure_resource('keystone_user_role', "${username}@${project_name}", {
+      'ensure' => 'present',
+      'roles'  => $role_name,
+    })
+
+    ensure_resource('keystone_service', "${service_name}::identity", {
+      'ensure' => 'present',
+    })
+
+    ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
+      'ensure'       => 'present',
+      'public_url'   => $public_url,
+      'admin_url'    => $admin_url,
+      'internal_url' => $internal_url_real,
+    })
   }
 
-  # Since the bootstrap is not guaranteed to execute on each run we
-  # use the below resources to make sure the current resources are
-  # correct so if some value was updated we set that.
-
-  ensure_resource('keystone_role', $role_name, {
-    'ensure' => 'present',
-  })
-
-  ensure_resource('keystone_user', $username, {
-    'ensure'   => 'present',
-    'enabled'  => true,
-    'email'    => $email,
-    'password' => $password,
-  })
-
-  ensure_resource('keystone_tenant', $service_project_name, {
-    'ensure'  => 'present',
-    'enabled' => true,
-  })
-
-  ensure_resource('keystone_tenant', $project_name, {
-    'ensure'  => 'present',
-    'enabled' => true,
-  })
-
-  ensure_resource('keystone_user_role', "${username}@${project_name}", {
-    'ensure' => 'present',
-    'roles'  => $role_name,
-  })
-
-  ensure_resource('keystone_service', "${service_name}::identity", {
-    'ensure' => 'present',
-  })
-
-  ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
-    'ensure'       => 'present',
-    'public_url'   => $public_url,
-    'admin_url'    => $admin_url,
-    'internal_url' => $internal_url_real,
-  })
-
   # The below creates and populates the /etc/keystone/puppet.conf file that contains
   # the credentials that can be loaded by providers. Ensure it has the proper owner,
   # group and mode so that it cannot be read by anything other than root.

releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The new ``keystone::bootstrap::bootstrap`` parameter has been added, to
+    disable ``keystone-manage bootstrap`` command. This is useful to generate
+    ``/etc/keystone/puppet.conf`` on multiple nodes while running bootstrap
+    command on a single node.

spec/classes/keystone_bootstrap_spec.rb

@@ -179,6 +179,46 @@ describe 'keystone::bootstrap' do
       )}
     end
 
+    context 'with bootstrap disabled' do
+      let :params do
+        {
+          :bootstrap => false,
+          :password  => 'secret'
+        }
+      end
+
+      it { is_expected.to contain_class('keystone::deps') }
+
+      it { is_expected.to_not contain_exec('keystone bootstrap') }
+
+      it { is_expected.to_not contain_keystone_role('admin') }
+      it { is_expected.to_not contain_keystone_user('admin') }
+      it { is_expected.to_not contain_keystone_tenant('services') }
+      it { is_expected.to_not contain_keystone_tenant('admin') }
+      it { is_expected.to_not contain_keystone_user_role('admin@admin') }
+      it { is_expected.to_not contain_keystone_service('keystone::identity') }
+      it { is_expected.to_not contain_keystone_endpoint('RegionOne/keystone::identity') }
+
+      it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
+        :ensure => 'present',
+        :replace => false,
+        :content => '',
+        :owner   => 'root',
+        :group   => 'root',
+        :mode    => '0600',
+        :require => 'Anchor[keystone::install::end]',
+      )}
+
+      it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+        :username     => 'admin',
+        :password     => 'secret',
+        :auth_url     => 'http://127.0.0.1:5000',
+        :project_name => 'admin',
+        :region_name  => 'RegionOne',
+        :interface    => 'public',
+      )}
+    end
+
     context 'when setting keystone_user param in keystone' do
       let :params do
         {