Remove deprecated bootstrap code

Removes all the deprecated code related to
the old admin token and bootstrap usage in
favor of the new keystone::bootstrap class.

Change-Id: Ic339b88708eb98a067530b9741301c3f2dafddd5
Tobias Urdin 2020-06-18 16:32:12 +02:00
parent 9ebf00d435
commit e421e3ad9c
10 changed files with 41 additions and 366 deletions


@ -57,8 +57,7 @@
# Defaults to 'public'
#
class keystone::bootstrap (
# TODO(tobias-urdin): Make the password required when compat is removed.
$password = undef,
$password,
$username = 'admin',
$email = 'admin@localhost',
$project_name = 'admin',
@ -74,134 +73,9 @@ class keystone::bootstrap (
include ::keystone::deps
# TODO(tobias-urdin): Remove compat layer.
if $password == undef {
if defined('$::keystone::admin_password') and $::keystone::admin_password != undef {
$password_real = $::keystone::admin_password
warning('Using deprecated keystone::admin_password as admin password')
# Check if we differ from the roles admin pw
if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != $password_real {
warning('The keystone::admin_password and keystone::roles::admin::password differs and will cause a flip-flopping\
behaviour and authentication issues for the admin user.')
}
} elsif defined('$::keystone::admin_token') and $::keystone::admin_token != undef {
$password_real = $::keystone::admin_token
warning('Using deprecated keystone::admin_token as admin password')
# Check if we differ from the roles admin pw
if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != $password_real {
warning('The keystone::admin_token and keystone::roles::admin::password differs and will cause a flip-flopping\
behaviour and authentication issues for the admin user.')
}
} else {
# Check the keystone::roles::admin class as well.
if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != undef {
$password_real = $::keystone::roles::admin::password
warning('Using deprecated keystone::roles::admin::password as admin password')
} else {
fail('keystone::bootstrap::password is undef, could not resolve a password')
}
}
} else {
$password_real = $password
}
if defined('$::keystone::endpoint::public_url') and $::keystone::endpoint::public_url != undef {
$public_url_real = $::keystone::endpoint::public_url
$using_deprecated_public_url = true
warning('Using deprecated keystone::endpoint::public_url, please update to using keystone::bootstrap')
} else {
$public_url_real = $public_url
$using_deprecated_public_url = false
}
if defined('$::keystone::endpoint::internal_url') and $::keystone::endpoint::internal_url != undef {
$internal_url_final = $::keystone::endpoint::internal_url
$using_deprecated_internal_url = true
warning('Using deprecated keystone::endpoint::internal_url, please update to using keystone::bootstrap')
} else {
$internal_url_final = $internal_url
$using_deprecated_internal_url = false
}
if defined('$::keystone::endpoint::admin_url') and $::keystone::endpoint::admin_url != undef {
$admin_url_real = $::keystone::endpoint::admin_url
warning('Using deprecated keystone::endpoint::admin_url, please update to using keystone::bootstrap')
} else {
$admin_url_real = $admin_url
}
if defined('$::keystone::endpoint::region') and $::keystone::endpoint::region != undef {
$region_real = $::keystone::endpoint::region
warning('Using deprecated keystone::endpoint::region, please update to using keystone::bootstrap')
} else {
$region_real = $region
}
if !$using_deprecated_internal_url and $internal_url == undef and $using_deprecated_public_url {
warning('Using deprecated keystone::endpoint::public_url for keystone::bootstrap::internal_url')
}
if defined('$::keystone::roles::admin::admin') and $::keystone::roles::admin::admin != undef {
$username_real = $::keystone::roles::admin::admin
if $username_real != $username and $username == 'admin' {
warning('Using keystone::roles::admin::admin as username, the keystone::bootstrap::username default is different\
dont forget to set that later')
}
} else {
$username_real = $username
}
if defined('$::keystone::roles::admin::email') and $::keystone::roles::admin::email != undef {
$email_real = $::keystone::roles::admin::email
if $email_real != $email and $email == 'admin@localhost' {
warning('Using keystone::roles::admin::email as email, the keystone::bootstrap::email default is different\
dont forget to set that later')
}
} else {
$email_real = $email
}
if defined('$::keystone::roles::admin::admin_roles') and $::keystone::roles::admin::admin_roles != undef {
$role_name_real = $::keystone::roles::admin::admin_roles
warning("Using keystone::roles::admin::admin_roles with value ${role_name_real} note that the\
keystone::bootstrap when used will only set a single role, by default the 'admin' role.")
warning('Will use the first value in admin_roles for bootstrap and all (if multiple) for all other resources!')
if is_array($role_name_real) {
$bootstrap_role_name = $role_name_real[0]
} else {
$bootstrap_role_name = $role_name_real
}
} else {
$role_name_real = [$role_name]
$bootstrap_role_name = $role_name
}
if defined('$::keystone::roles::admin::admin_tenant') {
$admin_tenant = $::keystone::roles::admin::admin_tenant
if ($admin_tenant == undef or $admin_tenant == 'openstack') {
# Try to keep the backward compatible creation of the openstack project.
# We still create the 'admin' project with the bootstrap process below.
# This is a best effort, we still ignore the description and default domain.
ensure_resource('keystone_tenant', 'openstack', {
'ensure' => 'present',
'enabled' => true,
})
ensure_resource('keystone_user_role', "${username_real}@openstack", {
'ensure' => 'present',
'roles' => $role_name_real,
})
# Use the default value so we create the "admin" project
$project_name_real = $project_name
} else {
warning('Using keystone::roles::admin::admin_tenant as project name for admin')
$project_name_real = $admin_tenant
}
} else {
$project_name_real = $project_name
}
if defined('$::keystone::roles::admin::service_tenant') and $::keystone::roles::admin::service_tenant != undef {
warning('Using keystone::roles::admin::service_tenant as service project name')
$service_project_name_real = $::keystone::roles::admin::service_tenant
} else {
$service_project_name_real = $service_project_name
}
# Compat code ends here.
$internal_url_real = $internal_url_final ? {
undef => $public_url_real,
default => $internal_url_final
$internal_url_real = $internal_url ? {
undef => $public_url,
default => $internal_url
}
if defined('$::keystone::keystone_user') {
@ -216,15 +90,15 @@ class keystone::bootstrap (
exec { 'keystone bootstrap':
command => 'keystone-manage bootstrap',
environment => [
"OS_BOOTSTRAP_USERNAME=${username_real}",
"OS_BOOTSTRAP_PASSWORD=${password_real}",
"OS_BOOTSTRAP_PROJECT_NAME=${project_name_real}",
"OS_BOOTSTRAP_ROLE_NAME=${bootstrap_role_name}",
"OS_BOOTSTRAP_USERNAME=${username}",
"OS_BOOTSTRAP_PASSWORD=${password}",
"OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
"OS_BOOTSTRAP_ROLE_NAME=${role_name}",
"OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
"OS_BOOTSTRAP_ADMIN_URL=${admin_url_real}",
"OS_BOOTSTRAP_PUBLIC_URL=${public_url_real}",
"OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
"OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
"OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
"OS_BOOTSTRAP_REGION_ID=${region_real}",
"OS_BOOTSTRAP_REGION_ID=${region}",
],
user => $keystone_user,
path => '/usr/bin',
@ -238,40 +112,40 @@ class keystone::bootstrap (
# use the below resources to make sure the current resources are
# correct so if some value was updated we set that.
ensure_resource('keystone_role', $role_name_real, {
ensure_resource('keystone_role', $role_name, {
'ensure' => 'present',
})
ensure_resource('keystone_user', $username_real, {
ensure_resource('keystone_user', $username, {
'ensure' => 'present',
'enabled' => true,
'email' => $email_real,
'password' => $password_real,
'email' => $email,
'password' => $password,
})
ensure_resource('keystone_tenant', $service_project_name_real, {
ensure_resource('keystone_tenant', $service_project_name, {
'ensure' => 'present',
'enabled' => true,
})
ensure_resource('keystone_tenant', $project_name_real, {
ensure_resource('keystone_tenant', $project_name, {
'ensure' => 'present',
'enabled' => true,
})
ensure_resource('keystone_user_role', "${username_real}@${project_name_real}", {
ensure_resource('keystone_user_role', "${username}@${project_name}", {
'ensure' => 'present',
'roles' => $role_name_real,
'roles' => $role_name,
})
ensure_resource('keystone_service', "${service_name}::identity", {
'ensure' => 'present',
})
ensure_resource('keystone_endpoint', "${region_real}/${service_name}::identity", {
ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
'ensure' => 'present',
'public_url' => $public_url_real,
'admin_url' => $admin_url_real,
'public_url' => $public_url,
'admin_url' => $admin_url,
'internal_url' => $internal_url_real,
})
@ -289,19 +163,19 @@ class keystone::bootstrap (
}
if $interface == 'admin' {
$auth_url_real = $admin_url_real
$auth_url_real = $admin_url
} elsif $interface == 'internal' {
$auth_url_real = $internal_url_real
} else {
$auth_url_real = $public_url_real
$auth_url_real = $public_url
}
keystone::resource::authtoken { 'keystone_puppet_config':
username => $username_real,
password => $password_real,
username => $username,
password => $password,
auth_url => $auth_url_real,
project_name => $project_name_real,
region_name => $region_real,
project_name => $project_name,
region_name => $region,
interface => $interface,
}
}
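Review bot: The now-required `$password` in the class header (first hunk) is declared without a data type, so an empty string or a non-string value still compiles and is passed unchanged into `"OS_BOOTSTRAP_PASSWORD=${password}"`, the `keystone_user` resource and `keystone::resource::authtoken`. Declaring it as `String[1] $password,` would reject an empty admin password at catalog compilation instead of bootstrapping with it. The secret is also interpolated as plain text into the exec's `environment` array, so it is part of the compiled catalog; accepting a `Sensitive` value would be worth a follow-up, though whether the resources used here handle one is not visible in these hunks. The class body and its parameter documentation extend outside the shown hunks, and the `[*password*]` entry there should state that the parameter is required.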


@ -1,74 +0,0 @@
# == Class: keystone::endpoint
#
# DEPRECATED!
#
# Creates the auth endpoints for keystone
#
# === Parameters
#
# [*public_url*]
# (optional) Public url for keystone endpoint.
# Defaults to undef
# This url should *not* contain any version or trailing '/'.
#
# [*internal_url*]
# (optional) Internal url for keystone endpoint.
# Defaults to undef
# This url should *not* contain any version or trailing '/'.
#
# [*admin_url*]
# (optional) Admin url for keystone endpoint.
# Defaults to undef
# This url should *not* contain any version or trailing '/'.
#
# [*region*]
# (optional) Region for endpoint.
# Defaults to undef
#
# [*user_domain*]
# (Optional) Domain for $auth_name
# Defaults to undef (use the keystone server default domain)
#
# [*project_domain*]
# (Optional) Domain for $tenant (project)
# Defaults to undef (use the keystone server default domain)
#
# [*default_domain*]
# (Optional) Domain for $auth_name and $tenant (project)
# If keystone_user_domain is not specified, use $keystone_default_domain
# If keystone_project_domain is not specified, use $keystone_default_domain
# Defaults to undef
#
# [*version*]
# (optional) API version for endpoint.
# Defaults to undef.
#
# === Examples
#
# class { 'keystone::endpoint':
# public_url => 'https://154.10.10.23:5000',
# internal_url => 'https://11.0.1.7:5000',
# admin_url => 'https://10.0.1.7:5000',
# }
#
class keystone::endpoint (
$public_url = undef,
$internal_url = undef,
$admin_url = undef,
$region = undef,
$user_domain = undef,
$project_domain = undef,
$default_domain = undef,
$version = undef,
) {
warning('The keystone::endpoint class has been replaced with keystone::bootstrap class\
will try to use the backward compatible approach')
if !defined('$::keystone::roles::admin::admin_tenant') {
fail('You are using the backward compatible approach instead of keystone::bootstrap\
you need to ensure that keystone::roles::admin is defined BEFORE keystone::endpoint in your manifest')
}
include keystone::bootstrap
}


@ -456,23 +456,6 @@
# (Optional) The url to validate keystone against
# Defaults to undef
#
# [*admin_token*]
# Admin token that can be used to authenticate as a keystone
# admin. This is not the password for the admin user
# in the Keystone database. This is a token that bypasses authentication.
# Defaults to undef
#
# [*admin_password*]
# Keystone password for the admin user. This is not the admin_token.
# This is the password that the admin user signs into keystone with.
# Defaults to undef
#
# [*enable_bootstrap*]
# (Optional) Enable keystone bootstrapping.
# This option to true will automatically bootstrap the default domain
# user by running 'keystone-manage bootstrap'.
# Defaults to undef
#
# [*database_min_pool_size*]
# (Optional) Minimum number of SQL connections to keep open in a pool.
# Defaults to: undef
@ -652,9 +635,6 @@ class keystone(
$validate_insecure = undef,
$validate_auth_url = undef,
$validate_cacert = undef,
$admin_token = undef,
$admin_password = undef,
$enable_bootstrap = undef,
$database_min_pool_size = undef,
$cache_backend = undef,
$cache_backend_argument = undef,
@ -775,11 +755,6 @@ class keystone(
purge => $purge_config,
}
# TODO(tobias-urdin): Remove this when admin_token is removed.
keystone_config {
'DEFAULT/admin_token': ensure => 'absent', secret => true;
}
keystone_config {
'DEFAULT/member_role_id': value => $member_role_id;
'DEFAULT/member_role_name': value => $member_role_name;


@ -1,102 +0,0 @@
# == Class: keystone::roles::admin
#
# DEPRECATED!
#
# This class implements some reasonable admin defaults for keystone.
#
# It creates the following keystone objects:
# * service tenant (tenant used by all service users)
# * "admin" tenant (defaults to "openstack")
# * admin user (that defaults to the "admin" tenant)
# * admin role
# * adds admin role to admin user on the "admin" tenant
#
# === Parameters:
#
# [*password*]
# The admin password. Required. In a later release
# this will default to $keystone::admin_password.
# Defaults to undef
#
# [*email*]
# The email address for the admin. Optional.
# Defaults to undef
#
# [*admin_roles*]
# The list of the roles with admin privileges. Optional.
# Defaults to undef
#
# [*admin_tenant*]
# The name of the tenant to be used for admin privileges. Optional.
# Defaults to openstack.
#
# [*service_tenant*]
# The name of service keystone tenant. Optional.
# Defaults to undef
#
# [*admin*]
# Admin user. Optional.
# Defaults to undef
#
# [*admin_tenant_desc*]
# Optional. Description for admin tenant,
# Defaults to undef
#
# [*service_tenant_desc*]
# Optional. Description for admin tenant,
# Defaults to undef
#
# [*configure_user*]
# Optional. Should the admin user be created?
# Defaults to undef
#
# [*configure_user_role*]
# Optional. Should the admin role be configured for the admin user?
# Defaults to undef
#
# [*admin_user_domain*]
# Optional. Domain of the admin user
# Defaults to undef (undef will resolve to class keystone $default_domain)
#
# [*target_admin_domain*]
# Optional. Domain where the admin user will have the $admin_role
# Defaults to undef (undef will not associate the $admin_role to any
# domain, only project)
#
# [*admin_project_domain*]
# Optional. Domain of the admin tenant
# Defaults to undef (undef will resolve to class keystone $default_domain)
#
# [*service_project_domain*]
# Optional. Domain for $service_tenant
# Defaults to undef (undef will resolve to class keystone $default_domain)
#
# == Dependencies
# == Examples
# == Authors
#
# Dan Bode dan@puppetlabs.com
#
# == Copyright
#
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class keystone::roles::admin(
$password = undef,
$email = undef,
$admin = undef,
$admin_tenant = 'openstack',
$admin_roles = undef,
$service_tenant = undef,
$admin_tenant_desc = undef,
$service_tenant_desc = undef,
$configure_user = undef,
$configure_user_role = undef,
$admin_user_domain = undef,
$admin_project_domain = undef,
$service_project_domain = undef,
$target_admin_domain = undef,
) {
warning('The keystone::roles::admin class has been replaced with keystone::bootstrap class')
}


@ -0,0 +1,11 @@
---
upgrade:
- |
The classes keystone::endpoint and keystone::roles::admin is removed, use
the new keystone::bootstrap class directly.
- |
The password parameter in keystone::bootstrap is required and does not
default to undef.
- |
The deprecated parameters admin_token, admin_password and enable_bootstrap
in the keystone class is removed.


@ -4,7 +4,6 @@ describe 'keystone::federation::identity_provider' do
let :pre_condition do
"class { 'keystone':
admin_token => 'dummy',
service_name => 'httpd',
enable_ssl=> true }"
end
@ -37,7 +36,6 @@ describe 'keystone::federation::identity_provider' do
context 'keystone not running under apache' do
let :pre_condition do
"class { 'keystone':
admin_token => 'dummy',
service_name => 'keystone',
enable_ssl=> true }"
end


@ -8,9 +8,7 @@ describe 'keystone::federation::openidc' do
let(:pre_condition) do
<<-EOS
class { 'keystone':
admin_token => 'service_token',
}
class { 'keystone': }
include keystone::wsgi::apache
EOS


@ -4,10 +4,7 @@ describe 'keystone::federation' do
let(:pre_condition) do
<<-EOS
class { 'keystone':
admin_token => 'service_token',
admin_password => 'special_password',
}
class { 'keystone': }
EOS
end


@ -4,7 +4,6 @@ describe 'keystone::wsgi::apache' do
let :pre_condition do
"class { 'keystone':
admin_token => 'dummy',
service_name => 'httpd',
enable_ssl => true,
}"


@ -26,7 +26,6 @@ def setup_provider_tests
def self.reset
@public_endpoint = nil
@tenant_hash = nil
@admin_token = nil
@keystone_file = nil
Puppet::Provider::Keystone.class_variable_set('@@default_domain_id', nil)
@domain_hash = nil