Use puppetlabs-apache to load auth modules.

... so that we don't have to maintain the required logics to enable
the module in our modules.

Related-Bug: #2006924
Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7

manifests/federation/mellon.pp

@@ -27,28 +27,36 @@
 #  The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
 #  (Optional) Defaults to 331.
 #
+# [*enable_websso*]
+#   (optional) Whether or not to enable Web Single Sign-On (SSO)
+#   Defaults to false
+#
+# DEPRECATED PARAMETERS
+#
 # [*package_ensure*]
 #   (optional) Desired ensure state of packages.
 #   accepts latest or specific versions.
 #   Defaults to present.
 #
-# [*enable_websso*]
-#   (optional) Whether or not to enable Web Single Sign-On (SSO)
-#   Defaults to false
-#
 class keystone::federation::mellon (
   $methods,
   $idp_name,
   $protocol_name,
   $template_order = 331,
-  $package_ensure = present,
   $enable_websso  = false,
+  # DEPRECATED PARAMETERS
+  $package_ensure = undef,
 ) {
 
   include apache
+  include apache::mod::auth_mellon
   include keystone::deps
   include keystone::params
 
+  if $package_ensure != undef {
+    warning('The package_ensure parameter is deprecated and has no effect.')
+  }
+
   # Note: if puppet-apache modify these values, this needs to be updated
   if $template_order <= 330 or $template_order >= 999 {
     fail('The template order should be greater than 330 and less than 999.')
@@ -76,11 +84,6 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
     }
   }
 
-  ensure_packages([$::keystone::params::mellon_package_name], {
-    ensure => $package_ensure,
-    tag    => 'keystone-support-package',
-  })
-
   concat::fragment { 'configure_mellon_keystone':
     target  => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
     content => template('keystone/mellon.conf.erb'),

manifests/federation/openidc.pp

@@ -128,10 +128,12 @@
 #  The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
 #  (Optional) Defaults to 331.
 #
+# DEPRECATED PARAMETERS
+#
 # [*package_ensure*]
 #  (Optional) Desired ensure state of packages.
 #  accepts latest or specific versions.
-#  Defaults to present.
+#  Defaults to undef,
 #
 class keystone::federation::openidc (
   $keystone_url,
@@ -160,16 +162,20 @@ class keystone::federation::openidc (
   $redis_password                 = undef,
   $remote_id_attribute            = undef,
   $template_order                 = 331,
-  $package_ensure                 = present,
+  # DEPRECATED PARAMETERS
+  $package_ensure                 = undef,
 ) {
 
   include apache
-  include apache::mod::authn_core
+  include apache::mod::auth_openidc
-  include apache::mod::authz_user
 
   include keystone::deps
   include keystone::params
 
+  if $package_ensure != undef {
+    warning('The package_ensure parameter is deprecated and has no effect.')
+  }
+
   if !($openidc_verify_method in ['introspection', 'jwks']) {
     fail('Unsupported token verification method.' +
         '  Must be one of "introspection" or "jwks"')
@@ -229,11 +235,6 @@ class keystone::federation::openidc (
     }
   }
 
-  ensure_packages([$::keystone::params::openidc_package_name], {
-    ensure => $package_ensure,
-    tag    => 'keystone-support-package',
-  })
-
   concat::fragment { 'configure_openidc_keystone':
     target  => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
     content => template('keystone/openidc.conf.erb'),

manifests/params.pp

@@ -20,8 +20,6 @@ class keystone::params {
       $python_memcache_package_name = 'python3-memcache'
       $python_ldappool_package_name = 'python3-ldappool'
       $python_pysaml2_package_name  = 'python3-pysaml2'
-      $mellon_package_name          = 'libapache2-mod-auth-mellon'
-      $openidc_package_name         = 'libapache2-mod-auth-openidc'
     }
     'RedHat': {
       $package_name                 = 'openstack-keystone'
@@ -30,8 +28,6 @@ class keystone::params {
       $python_memcache_package_name = 'python3-memcached'
       $python_ldappool_package_name = 'python3-ldappool'
       $python_pysaml2_package_name  = 'python3-pysaml2'
-      $mellon_package_name          = 'mod_auth_mellon'
-      $openidc_package_name         = 'mod_auth_openidc'
     }
     default: {
       fail("Unsupported osfamily ${::osfamily}")

metadata.json

@@ -3,7 +3,7 @@
     "dependencies": [
         {
             "name": "puppetlabs/apache",
-            "version_requirement": ">=5.0.0 <9.0.0"
+            "version_requirement": ">=5.5.0 <9.0.0"
         },
         {
             "name": "puppetlabs/concat",

releasenotes/notes/use-puppetlabs-apache-to-load-auth-modules-175642ed1b2b0df8.yaml

@@ -0,0 +1,8 @@
+---
+deprecations:
+  - |
+    The following parameters have been deprecated and have no effect. Now
+    the module packages are managed using puppetlabs-apache module.
+
+    - ``keystone::federation::openidc::package_ensure``
+    - ``keystone::federation::mellon::package_ensure``

spec/classes/keystone_federation_mellon_spec.rb

@@ -42,6 +42,10 @@ describe 'keystone::federation::mellon' do
 
   shared_examples 'Federation Mellon' do
     context 'with only required parameters' do
+      it 'should enable auth_mellon module' do
+        is_expected.to contain_class('apache::mod::auth_mellon')
+      end
+
       it 'should have basic params for mellon in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
         is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
@@ -88,13 +92,6 @@ describe 'keystone::federation::mellon' do
       end
 
       it_behaves_like 'Federation Mellon'
-
-      case [:osfamily]
-      when 'Debian'
-        it { is_expected.to contain_package('libapache2-mod-auth-mellon') }
-      when 'RedHat'
-        it { is_expected.to contain_package('mod_auth_mellon') }
-      end
     end
   end
 end

spec/classes/keystone_federation_openidc_spec.rb

@@ -58,22 +58,7 @@ describe 'keystone::federation::openidc' do
       facts.merge!(OSDefaults.get_facts({}))
     end
 
-    let(:platform_parameters) do
+    it { is_expected.to contain_class('apache::mod::auth_openidc') }
-      case facts[:osfamily]
-      when 'Debian'
-        {
-          :openidc_package_name => 'libapache2-mod-auth-openidc',
-        }
-      when 'RedHat'
-        {
-          :openidc_package_name => 'mod_auth_openidc',
-        }
-      end
-    end
-
-    it { is_expected.to contain_package(platform_parameters[:openidc_package_name]) }
-    it { is_expected.to contain_class('apache::mod::authn_core') }
-    it { is_expected.to contain_class('apache::mod::authz_user') }
 
     context 'with only required parameters' do
       it 'should have basic params for openidc in Keystone configuration' do

templates/openidc.conf.erb

@@ -1,4 +1,3 @@
-  LoadModule auth_openidc_module modules/mod_auth_openidc.so
   OIDCClaimPrefix "OIDC-"
   OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
   OIDCScope "openid email profile"