Add a new parameter to enable/disable bootstrap

This change introduces a new parameter to enable/disable bootstrap command by the keystone::bootstrap command. This parameter is useful expecially in the deployment with multiple controller nodes, and we can run bootstrap command on only one of the controller nodes while we generate puppet.conf on all controller nodes, so that we can use openstack providers in all controller nodes. Change-Id: If049e33fefc2681d2f4340f5910402b07e6e286f
2020-10-20 20:30:47 +09:00 · 2020-10-20 20:30:47 +09:00 · b8515bc3e4
commit b8515bc3e4
parent e361dcbd5f
3 changed files with 117 additions and 63 deletions
--- a/manifests/bootstrap.pp
+++ b/manifests/bootstrap.pp
@ -56,6 +56,10 @@
 #   (Optional) Which interface endpoint should be used.
 #    Defaults to 'public'
 #
 # [*bootstrap*]
 #   (Optional) Whether to run keystone-manage bootstrap command.
 #   Defaults to true
 #
 class keystone::bootstrap (
  $password,
  $username             = 'admin',
@ -69,6 +73,7 @@ class keystone::bootstrap (
  $internal_url         = undef,
  $region               = 'RegionOne',
  $interface            = 'public',
  $bootstrap            = true,
 ) inherits keystone::params {
  include keystone::deps
@ -84,71 +89,73 @@ class keystone::bootstrap (
    $keystone_user = $::keystone::params::keystone_user
  }
-  # The initial bootstrap that creates all resources required but
+  if $bootstrap {
-  # only subscribes to notifies from the keystone::dbsync::end anchor
+    # The initial bootstrap that creates all resources required but
-  # which means this is not guaranteed to execute on each run.
+    # only subscribes to notifies from the keystone::dbsync::end anchor
-  exec { 'keystone bootstrap':
+    # which means this is not guaranteed to execute on each run.
-    command     => 'keystone-manage bootstrap',
+    exec { 'keystone bootstrap':
-    environment => [
+      command     => 'keystone-manage bootstrap',
-      "OS_BOOTSTRAP_USERNAME=${username}",
+      environment => [
-      "OS_BOOTSTRAP_PASSWORD=${password}",
+        "OS_BOOTSTRAP_USERNAME=${username}",
-      "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
+        "OS_BOOTSTRAP_PASSWORD=${password}",
-      "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
+        "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
-      "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
+        "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
-      "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
+        "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
-      "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
+        "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
-      "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
+        "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
-      "OS_BOOTSTRAP_REGION_ID=${region}",
+        "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
-    ],
+        "OS_BOOTSTRAP_REGION_ID=${region}",
-    user        => $keystone_user,
+      ],
-    path        => '/usr/bin',
+      user        => $keystone_user,
-    refreshonly => true,
+      path        => '/usr/bin',
-    subscribe   => Anchor['keystone::dbsync::end'],
+      refreshonly => true,
-    notify      => Anchor['keystone::service::begin'],
+      subscribe   => Anchor['keystone::dbsync::end'],
-    tag         => 'keystone-bootstrap',
+      notify      => Anchor['keystone::service::begin'],
      tag         => 'keystone-bootstrap',
    }
    # Since the bootstrap is not guaranteed to execute on each run we
    # use the below resources to make sure the current resources are
    # correct so if some value was updated we set that.
    ensure_resource('keystone_role', $role_name, {
      'ensure' => 'present',
    })
    ensure_resource('keystone_user', $username, {
      'ensure'   => 'present',
      'enabled'  => true,
      'email'    => $email,
      'password' => $password,
    })
    ensure_resource('keystone_tenant', $service_project_name, {
      'ensure'  => 'present',
      'enabled' => true,
    })
    ensure_resource('keystone_tenant', $project_name, {
      'ensure'  => 'present',
      'enabled' => true,
    })
    ensure_resource('keystone_user_role', "${username}@${project_name}", {
      'ensure' => 'present',
      'roles'  => $role_name,
    })
    ensure_resource('keystone_service', "${service_name}::identity", {
      'ensure' => 'present',
    })
    ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
      'ensure'       => 'present',
      'public_url'   => $public_url,
      'admin_url'    => $admin_url,
      'internal_url' => $internal_url_real,
    })
  }
  # Since the bootstrap is not guaranteed to execute on each run we
  # use the below resources to make sure the current resources are
  # correct so if some value was updated we set that.
  ensure_resource('keystone_role', $role_name, {
    'ensure' => 'present',
  })
  ensure_resource('keystone_user', $username, {
    'ensure'   => 'present',
    'enabled'  => true,
    'email'    => $email,
    'password' => $password,
  })
  ensure_resource('keystone_tenant', $service_project_name, {
    'ensure'  => 'present',
    'enabled' => true,
  })
  ensure_resource('keystone_tenant', $project_name, {
    'ensure'  => 'present',
    'enabled' => true,
  })
  ensure_resource('keystone_user_role', "${username}@${project_name}", {
    'ensure' => 'present',
    'roles'  => $role_name,
  })
  ensure_resource('keystone_service', "${service_name}::identity", {
    'ensure' => 'present',
  })
  ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
    'ensure'       => 'present',
    'public_url'   => $public_url,
    'admin_url'    => $admin_url,
    'internal_url' => $internal_url_real,
  })
  # The below creates and populates the /etc/keystone/puppet.conf file that contains
  # the credentials that can be loaded by providers. Ensure it has the proper owner,
  # group and mode so that it cannot be read by anything other than root.
--- a/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
+++ b/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
@ -0,0 +1,7 @@
 ---
 features:
  - |
    The new ``keystone::bootstrap::bootstrap`` parameter has been added, to
    disable ``keystone-manage bootstrap`` command. This is useful to generate
    ``/etc/keystone/puppet.conf`` on multiple nodes while running bootstrap
    command on a single node.
--- a/spec/classes/keystone_bootstrap_spec.rb
+++ b/spec/classes/keystone_bootstrap_spec.rb
@ -179,6 +179,46 @@ describe 'keystone::bootstrap' do
      )}
    end
    context 'with bootstrap disabled' do
      let :params do
        {
          :bootstrap => false,
          :password  => 'secret'
        }
      end
      it { is_expected.to contain_class('keystone::deps') }
      it { is_expected.to_not contain_exec('keystone bootstrap') }
      it { is_expected.to_not contain_keystone_role('admin') }
      it { is_expected.to_not contain_keystone_user('admin') }
      it { is_expected.to_not contain_keystone_tenant('services') }
      it { is_expected.to_not contain_keystone_tenant('admin') }
      it { is_expected.to_not contain_keystone_user_role('admin@admin') }
      it { is_expected.to_not contain_keystone_service('keystone::identity') }
      it { is_expected.to_not contain_keystone_endpoint('RegionOne/keystone::identity') }
      it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
        :ensure => 'present',
        :replace => false,
        :content => '',
        :owner   => 'root',
        :group   => 'root',
        :mode    => '0600',
        :require => 'Anchor[keystone::install::end]',
      )}
      it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
        :username     => 'admin',
        :password     => 'secret',
        :auth_url     => 'http://127.0.0.1:5000',
        :project_name => 'admin',
        :region_name  => 'RegionOne',
        :interface    => 'public',
      )}
    end
    context 'when setting keystone_user param in keystone' do
      let :params do
        {