openstack/puppet-keystone
Code Issues Proposed changes
2cc59127e4
puppet-keystone/spec/acceptance/10_basic_keystone_spec.rb
Takashi Kajinami 2cc59127e4 service_identity: Allow omitting internal/admin endpoints 
Keystone v3 API no longer requires all the three endpoint types are
created and some deployments may use only public endpoints (or public
and internal endpoints).

This looses the validation to allow such deployment architecture.

Change-Id: I3873352dd3ea8556fbaa4ce3c558a912cc5f52e7
2024-02-26 20:15:56 +09:00

448 lines
17 KiB
Ruby
Raw Blame History

require 'spec_helper_acceptance'
describe 'keystone server running with Apache/WSGI with resources' do
context 'default parameters' do
it 'should work with no errors' do
pp= <<-EOS
include openstack_integration
include openstack_integration::repos
include openstack_integration::apache
include openstack_integration::mysql
include openstack_integration::memcached
include openstack_integration::keystone
keystone::resource::service_identity { 'ci':
service_type => 'ci',
service_description => 'ci service',
service_name => 'ci',
password => 'secret',
public_url => 'http://127.0.0.1:1234',
admin_url => 'http://127.0.0.1:1234',
internal_url => 'http://127.0.0.1:1234',
}
# v3 admin
keystone_domain { 'admin_domain':
ensure => present,
enabled => true,
description => 'Domain for admin v3 users',
}
keystone_domain { 'service_domain':
ensure => present,
enabled => true,
description => 'Domain for admin v3 users',
}
keystone_tenant { 'servicesv3::service_domain':
ensure => present,
enabled => true,
description => 'Tenant for the openstack services',
}
keystone_tenant { 'openstackv3::admin_domain':
ensure => present,
enabled => true,
description => 'admin tenant',
}
keystone_user { 'adminv3::admin_domain':
ensure => present,
enabled => true,
email => 'test@example.tld',
password => 'a_big_secret',
}
keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':
ensure => present,
roles => ['admin'],
}
keystone_user { 'user_with_description':
ensure => present,
enabled => true,
description => 'my super description',
email => 'me@example.tld',
password => 'super_secret',
}
# service user exists only in the service_domain - must
# use v3 api
keystone::resource::service_identity { 'civ3':
service_type => 'civ3',
service_description => 'civ3 service',
service_name => 'civ3',
password => 'secret',
tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3',
admin_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain',
project_domain => 'service_domain',
}
keystone::resource::service_identity { 'civ3alt::service_domain':
service_type => 'civ3alt',
service_description => 'civ3alt service',
service_name => 'civ3alt',
password => 'secret',
tenant => 'servicesv3::service_domain',
public_url => 'http://127.0.0.1:1234/v3',
admin_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
}
keystone::resource::service_identity { 'civ3public':
service_type => 'civ3public',
service_description => 'civ3public service',
service_name => 'civ3public',
password => 'secret',
tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain',
project_domain => 'service_domain',
}
keystone::resource::service_identity { 'civ3noadmin':
service_type => 'civ3noadmin',
service_description => 'civ3noadmin service',
service_name => 'civ3noadmin',
password => 'secret',
tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain',
project_domain => 'service_domain',
}
EOS
# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe port(5000) do
it { is_expected.to be_listening }
end
shared_examples_for 'keystone user/tenant/service/role/endpoint resources using v3 API' do |auth_creds|
it 'should find ci user' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 user list --long") do |r|
expect(r.stdout).to match(/ci/)
expect(r.stdout).to match(/user\_with\_description/)
expect(r.stdout).to match(/my\ super\ description/)
expect(r.stderr).to be_empty
end
end
it 'should find services tenant' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 project list") do |r|
expect(r.stdout).to match(/services/)
expect(r.stderr).to be_empty
end
end
it 'should find ci service' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 service list") do |r|
expect(r.stdout).to match(/ci/)
expect(r.stderr).to be_empty
end
end
it 'should find admin role' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 role assignment list --names") do |r|
expect(r.stdout).to match(/admin/)
expect(r.stderr).to be_empty
end
end
it 'should find ci endpoints' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 endpoint list") do |r|
expect(r.stdout).to match(/1234/)
expect(r.stderr).to be_empty
end
end
end
describe 'with v2 admin with v3 credentials' do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username admin --os-password a_big_secret --os-project-name openstack --os-user-domain-name Default --os-project-domain-name Default'
end
describe "with v2 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username ci --os-password secret --os-project-name services --os-user-domain-name Default --os-project-domain-name Default'
end
describe 'with v3 admin with v3 credentials' do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username adminv3 --os-password a_big_secret --os-project-name openstackv3' \
' --os-user-domain-name admin_domain --os-project-domain-name admin_domain'
end
describe "with v3 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username civ3 --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
end
describe "with v3 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username civ3alt --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
end
end
describe 'composite namevar quick test' do
context 'similar resources different naming' do
let(:pp) do
<<-EOM
keystone_tenant { 'openstackv3':
ensure => present,
enabled => true,
description => 'admin tenant',
domain => 'admin_domain'
}
keystone_user { 'adminv3::useless_when_the_domain_is_set':
ensure => present,
enabled => true,
email => 'test@example.tld',
password => 'a_big_secret',
domain => 'admin_domain'
}
keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':
ensure => present,
roles => ['admin'],
}
EOM
end
it 'should not do any modification' do
apply_manifest(pp, :catch_changes => true)
end
end
end
describe 'composite namevar for keystone_service' do
let(:pp) do
<<-EOM
keystone_service { 'service_1::type_1': ensure => present }
keystone_service { 'service_1': type => 'type_2', ensure => present }
EOM
end
it 'should be possible to create two services different only by their type' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
end
describe 'composite namevar for keystone_service and keystone_endpoint' do
let(:pp) do
<<-EOM
keystone_service { 'service_1::type_1': ensure => present }
keystone_service { 'service_1': type => 'type_2', ensure => present }
keystone_endpoint { 'RegionOne/service_1::type_2':
ensure => present,
public_url => 'http://public_service1_type2',
internal_url => 'http://internal_service1_type2',
admin_url => 'http://admin_service1_type2'
}
keystone_endpoint { 'service_1':
ensure => present,
region => 'RegionOne',
type => 'type_1',
public_url => 'http://public_service1_type1/',
internal_url => 'http://internal_service1_type1/',
admin_url => 'http://admin_service1_type1/'
}
EOM
end
it 'should be possible to create two services different only by their type' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe 'puppet service are created' do
it 'for service' do
command('puppet resource keystone_service') do |result|
expect(result.stdout)
.to match(/keystone_service { 'service_1::type_1':/)
expect(result.stdout)
.to match(/keystone_service { 'service_1::type_2':/)
end
end
end
describe 'puppet endpoints are created' do
it 'for service' do
command('puppet resource keystone_endpoint') do |result|
expect(result.stdout)
.to match(/keystone_endpoint { 'RegionOne\/service_1::type_1':/)
expect(result.stdout)
.to match(/keystone_endpoint { 'RegionOne\/service_1::type_2':/)
end
end
end
end
context '#keystone_domain_config' do
# make sure everything is clean before playing the manifest
shared_examples 'clean_domain_configuration', :clean_domain_cfg => true do
before(:context) do
run_shell('rm -rf /etc/keystone/domains')
run_shell('rm -rf /tmp/keystone.*.conf')
end
end
context 'one domain configuration', :clean_domain_cfg => true do
context 'simple use case' do
let(:pp) do
<<-EOM
file { '/etc/keystone/domains': ensure => directory }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe file('/etc/keystone/domains/keystone.services.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/auth.com\/1/ }
end
end
context 'with a non default identity/domain_config_dir' do
let(:pp) do
<<-EOM
keystone_config { 'identity/domain_config_dir': value => '/tmp' }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe file('/tmp/keystone.services.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/auth.com\/1/ }
end
end
end
context 'with a multiple configurations', :clean_domain_cfg => true do
let(:pp) do
<<-EOM
file { '/etc/keystone/domains': ensure => directory }
keystone_config { 'identity/domain_config_dir': value => '/etc/keystone/domains' }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
keystone_domain_config { 'services::http/url':
value => 'http://auth.com/2',
}
keystone_domain_config { 'external::ldap/url':
value => 'http://ext-auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
it 'should list puppet resources' do
command('puppet resource keystone_domain_config') do |r|
expect(r.exit_code).to eq 0
end
end
describe file('/etc/keystone/domains/keystone.external.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/ext-auth.com\/1/ }
end
end
context 'checking that the purge is working' do
let(:pp) do
<<-EOM
resources { 'keystone_domain_config': purge => true }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe file('/etc/keystone/domains/keystone.services.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/auth.com\/1/ }
end
end
context '#ldap_backend', :clean_domain_cfg => true do
context 'manifest' do
let(:pp) do
<<-EOM
include openstack_integration::apache
class { 'openstack_integration::keystone':
default_domain => 'default_domain',
using_domain_config => true,
}
keystone_domain { 'domain_1_ldap_backend': ensure => present }
keystone_domain { 'domain_2_ldap_backend': ensure => present }
keystone::ldap_backend { 'domain_1_ldap_backend':
url => 'ldap://foo',
user => 'cn=foo,dc=example,dc=com',
identity_driver => 'ldap',
}
keystone::ldap_backend { 'domain_2_ldap_backend':
url => 'ldap://bar',
user => 'cn=bar,dc=test,dc=com',
identity_driver => 'ldap',
}
EOM
end
it 'should apply the manifest correctly' do
apply_manifest(pp, :accept_all_exit_codes => true)
# Cannot really test it as keystone will try to connect to
# the ldap backend when it restarts. But the ldap server
# which doesn't exit. The next "test" clean everything up
# to have a working keystone again.
# TODO: Should we add a working ldap server ?
end
describe file('/etc/keystone/domains/keystone.domain_1_ldap_backend.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=ldap:\/\/foo\nuser=cn=foo,dc=example,dc=com/ }
end
describe file('/etc/keystone/domains/keystone.domain_2_ldap_backend.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=ldap:\/\/bar\nuser=cn=bar,dc=test,dc=com/ }
end
end
context 'clean up', :clean_domain_cfg => true do
# we must revert the changes as ldap backend is not fully
# functional and are "domain read only". All subsequent tests
# will fail without this.
let(:pp) do
<<-EOM
keystone_config {
'identity/driver': value => 'sql';
'credential/driver': ensure => absent;
'assignment/driver': ensure => absent;
'identity/domain_specific_drivers_enabled': ensure => absent;
'identity/domain_config_dir': ensure => absent;
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
end
end
end
end
View Git Blame Copy Permalink