74799f9e34
There are two sides on this patch, the user facing one, and the
developer's one.
It gives more flexibility for the interface used by the user for the
Keystone_tenant, Keystone_user and Keystone_user_roles resources. For
instance to specify a user and give the admin role, currently you have
to:
keystone_user { 'new_admin::admin_domain':
ensure => present,
enabled => true,
tenant => 'openstackv3::admin_domain',
email => 'test@example.tld',
password => 'a_big_secret',
}
keystone_user_role { 'new_admin::admin_domain@openstackv3::admin_domain':
ensure => present,
roles => ['admin'],
}
Now you can specify it like this:
keystone_user { 'new_admin':
ensure => present,
enabled => true,
domain => 'admin_domain',
tenant => 'openstackv3::admin_domain',
email => 'test@example.tld',
password => 'a_big_secret',
}
keystone_user_role { 'new_admin@openstackv3':
ensure => present,
user_domain => 'admin_domain',
project_domain => 'admin_domain',
roles => ['admin'],
}
For the developer this simplify the code. Puppet is using composite
namevar to make all the resources unique. So guessing what pattern is
used in the title is no longer required. For instance this :
keystone_tenant { 'project_one': ensure => present }
keystone_tenant { 'meaningless': name => 'project_one', domain => 'Default', ensure => present }
is detected as the same tenant by puppet.
The same is true for dependencies. This is working correctly:
keystone_tenant { 'meaningless': name => 'project_one', domain => 'domain_one', ensure => present }
file {'/tmp/needed': ensure => present, require => Keystone_tenant['project_one::domain_one'] }
In autorequire term in type definition, you just have to pass the fully
qualified name (with the domain suffix for user and tenant) of the
resource and puppet will do the matching, whatever the original title
is. See the examples in user and tenant in keystone_user_role type.
Change-Id: I4deb27dc6f71fb7a7ec6a9c72bd0e1412c2e9a30
|
||
|---|---|---|
| examples | ||
| ext | ||
| lib | ||
| manifests | ||
| spec | ||
| tests | ||
| .gitignore | ||
| .gitreview | ||
| .sync.yml | ||
| CHANGELOG.md | ||
| Gemfile | ||
| LICENSE | ||
| metadata.json | ||
| Rakefile | ||
| README.md | ||
keystone
6.1.0 - 2015.1 - Kilo
Table of Contents
- Overview - What is the keystone module?
- Module Description - What does the module do?
- Setup - The basics of getting started with keystone
- Implementation - An under-the-hood peek at what the module is doing
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Contributors - Those with commits
Overview
The keystone module is a part of OpenStack, an effort by the Openstack infrastructure team to provide continuous integration testing and code review for Openstack and Openstack community projects as part of the core software. The module its self is used to flexibly configure and manage the identify service for Openstack.
Module Description
The keystone module is a thorough attempt to make Puppet capable of managing the entirety of keystone. This includes manifests to provision region specific endpoint and database connections. Types are shipped as part of the keystone module to assist in manipulation of configuration files.
This module is tested in combination with other modules needed to build and leverage an entire Openstack software stack. These modules can be found, all pulled together in the openstack module.
Setup
What the keystone module affects
- keystone, the identify service for Openstack.
Installing keystone
example% puppet module install openstack/keystone
Beginning with keystone
To utilize the keystone module's functionality you will need to declare multiple resources. The following is a modified excerpt from the openstack module. This is not an exhaustive list of all the components needed, we recommend you consult and understand the openstack module and the core openstack documentation.
Define a keystone node
class { 'keystone':
verbose => True,
catalog_type => 'sql',
admin_token => 'random_uuid',
database_connection => 'mysql://keystone_admin:super_secret_db_password@openstack-controller.example.com/keystone',
}
# Adds the admin credential to keystone.
class { 'keystone::roles::admin':
email => 'admin@example.com',
password => 'super_secret',
}
# Installs the service user endpoint.
class { 'keystone::endpoint':
public_url => 'http://10.16.0.101:5000/v2.0',
admin_url => 'http://10.16.1.101:35357/v2.0',
internal_url => 'http://10.16.2.101:5000/v2.0',
region => 'example-1',
}
Leveraging the Native Types
Keystone ships with a collection of native types that can be used to interact with the data stored in keystone. The following, related to user management could live throughout your Puppet code base. They even support puppet's ability to introspect the current environment much the same as puppet resource user, puppet resouce keystone_tenant will print out all the currently stored tenants and their parameters.
keystone_tenant { 'openstack':
ensure => present,
enabled => True,
}
keystone_user { 'openstack':
ensure => present,
enabled => True,
}
keystone_role { 'admin':
ensure => present,
}
keystone_user_role { 'admin@openstack':
roles => ['admin', 'superawesomedude'],
ensure => present
}
These two will seldom be used outside openstack related classes, like nova or cinder. These are modified examples form Class['nova::keystone::auth'].
# Setup the nova keystone service
keystone_service { 'nova':
ensure => present,
type => 'compute',
description => 'Openstack Compute Service',
}
# Setup nova keystone endpoint
keystone_endpoint { 'example-1-west/nova':
ensure => present,
public_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
admin_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
internal_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
}
Setting up a database for keystone
A keystone database can be configured separately from the keystone services.
If one needs to actually install a fresh database they have the choice of mysql or postgres. Use the mysql::server or postgreql::server classes to do this setup then the Class['keystone::db::mysql'] or Class['keystone::db::postgresql'] for adding the needed databases and users that will be needed by keystone.
- For mysql
class { 'mysql::server': }
class { 'keystone::db::mysql':
password => 'super_secret_db_password',
allowed_hosts => '%',
}
- For postgresql
class { 'postgresql::server': }
class { 'keystone::db::postgresql': password => 'super_secret_db_password', }
Implementation
keystone
keystone is a combination of Puppet manifest and ruby code to delivery configuration and extra functionality through types and providers.
Types
keystone_config
The keystone_config provider is a children of the ini_setting provider. It allows one to write an entry in the /etc/keystone/keystone.conf file.
keystone_config { 'DEFAULT/verbose' :
value => true,
}
This will write verbose=true in the [DEFAULT] section.
name
Section/setting name to manage from keystone.conf
value
The value of the setting to be defined.
secret
Whether to hide the value from Puppet logs. Defaults to false.
ensure_absent_val
If value is equal to ensure_absent_val then the resource will behave as if ensure => absent was specified. Defaults to <SERVICE DEFAULT>
Limitations
- All the keystone types use the CLI tools and so need to be ran on the keystone node.
Upgrade warning
- If you've setup Openstack using previous versions of this module you need to be aware that it used UUID as the dedault to the token_format parameter but now defaults to PKI. If you're using this module to manage a Grizzly Openstack deployment that was set up using a development release of the modules or are attempting an upgrade from Folsom then you'll need to make sure you set the token_format to UUID at classification time.
Beaker-Rspec
This module has beaker-rspec tests
To run:
shell bundle install bundle exec rspec spec/acceptance
Development
Developer documentation for the entire puppet-openstack project.