OpenStack Keystone Puppet Module
Emilien Macchi def536208d Manage Keystone_endpoint and Keystone_service without warnings by default
A recent change [1] made Keystone_endpoint matching service by name/type.
This change added a warning if endpoints were not created with a default
service.
The way this new feature was added is problematic because we had
warnings by default, since all Puppet modules use this define, so it
introduced a poor user experience.

This patch makes sure a service type is configured with the new way in
the keystone::resource::service_identity function, when creating
endpoint.
For backward compatibility, when no service type is specified, we have now a
conditional that sends a warning if no service type is set but still
create the endpoints.
For the service management, it adds the service type with the new way,
so we don't have any warning by default.

So from this patch, we don't have this kind of warning by default:
/Keystone_endpoint[RegionOne/keystone]/type: Support for a endpoint
without the type set is deprecated in Liberty. It will be dropped in
Mitaka

[1] http://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=0a4e06abb0f5b3f324464ff5219d2885816311ce

Closes-Bug: #1528308
Change-Id: I6e411d8f81c7ae5c768d85a236c0942d265c74dd
(cherry picked from commit 6e811badf0)
2015-12-22 17:22:23 +00:00
examples Merge "Support for Keystone as Service Provider" 2015-11-24 14:34:30 +00:00
ext support for keystone v3 api - examples 2015-07-09 16:36:30 +00:00
lib Merge "Keystone_endpoint match service by name/type." 2015-11-24 15:29:02 +00:00
manifests Manage Keystone_endpoint and Keystone_service without warnings by default 2015-12-22 17:22:23 +00:00
spec Manage Keystone_endpoint and Keystone_service without warnings by default 2015-12-22 17:22:23 +00:00
templates Support for Keystone as Service Provider 2015-11-24 11:48:26 +00:00
tests Add Puppet 4.x lint checks 2015-03-16 09:16:00 +01:00
.gitignore Try to use zuul-cloner to prepare fixtures 2015-10-08 15:01:39 -07:00
.gitreview Update .gitreview file for project rename 2015-06-12 23:12:30 +00:00
.sync.yml Initial msync run for all Puppet OpenStack modules 2015-08-06 20:47:48 +02:00
CHANGELOG.md release: prepare 7.0.0 (liberty) 2015-11-24 16:22:23 +00:00
Gemfile Try to use zuul-cloner to prepare fixtures 2015-10-08 15:01:39 -07:00
LICENSE Synchronize LICENSE file with OpenStack projects 2015-04-20 09:27:46 -04:00
README.md release: prepare 7.0.0 (liberty) 2015-11-24 16:22:23 +00:00
Rakefile release: prepare 7.0.0 (liberty) 2015-11-24 16:22:23 +00:00
metadata.json release: prepare 7.0.0 (liberty) 2015-11-24 16:22:23 +00:00

README.md

keystone

7.0.0 - 2015.2 - Liberty

Table of Contents

  1. Overview - What is the keystone module?
  2. Module Description - What does the module do?
  3. Setup - The basics of getting started with keystone
  4. Implementation - An under-the-hood peek at what the module is doing
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module
  7. Contributors - Those with commits

Overview

The keystone module is a part of OpenStack, an effort by the OpenStack infrastructure team to provide continuous integration testing and code review for OpenStack and OpenStack community projects as part of the core software. The module itself is used to flexibly configure and manage the identity service for OpenStack.

Module Description

The keystone module is a thorough attempt to make Puppet capable of managing the entirety of keystone. This includes manifests to provision region specific endpoint and database connections. Types are shipped as part of the keystone module to assist in manipulation of configuration files.

This module is tested in combination with other modules needed to build and leverage an entire Openstack software stack. These modules can be found, all pulled together in the openstack module.

Setup

What the keystone module affects

  • keystone, the identity service for OpenStack.

Installing keystone

example% puppet module install openstack/keystone

Beginning with keystone

To utilize the keystone module's functionality you will need to declare multiple resources. The following is a modified excerpt from the openstack module. This is not an exhaustive list of all the components needed; we recommend you consult and understand the openstack module and the core OpenStack documentation.

Define a keystone node

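class { 'keystone':
  # Puppet booleans are lowercase.
  verbose             => true,
  catalog_type        => 'sql',
  # 'random_uuid' and the database password below are placeholders; use your own secret values.
  admin_token         => 'random_uuid',
  database_connection => 'mysql://keystone_admin:super_secret_db_password@openstack-controller.example.com/keystone',
}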

# Adds the admin credential to keystone.
class { 'keystone::roles::admin':
  email        => 'admin@example.com',
  password     => 'super_secret',
}

# Installs the service user endpoint.
class { 'keystone::endpoint':
  public_url   => 'http://10.16.0.101:5000/v2.0',
  admin_url    => 'http://10.16.1.101:35357/v2.0',
  internal_url => 'http://10.16.2.101:5000/v2.0',
  region       => 'example-1',
}

Leveraging the Native Types

Keystone ships with a collection of native types that can be used to interact with the data stored in keystone. The following, related to user management, could live throughout your Puppet code base. They even support Puppet's ability to introspect the current environment: much the same as puppet resource user, puppet resource keystone_tenant will print out all the currently stored tenants and their parameters.

keystone_tenant { 'openstack':
  ensure  => present,
  enabled => true,
}
keystone_user { 'openstack':
  ensure  => present,
  enabled => true,
}
keystone_role { 'admin':
  ensure => present,
}
keystone_user_role { 'admin@openstack':
  ensure => present,
  roles  => ['admin', 'superawesomedude'],
}

These two will seldom be used outside OpenStack-related classes, like nova or cinder. These are modified examples from Class['nova::keystone::auth'].

# Setup the nova keystone service
keystone_service { 'nova':
  ensure      => present,
  type        => 'compute',
  description => 'Openstack Compute Service',
}

Services can also be written with the type as a suffix:

# The text after '::' in the title is the service type, here 'compute'.
keystone_service { 'nova::compute':
  ensure      => present,
  description => 'Openstack Compute Service',
}


# Setup nova keystone endpoint
keystone_endpoint { 'example-1-west/nova':
   ensure       => present,
   type         => 'compute',
   public_url   => "http://127.0.0.1:8774/v2/%(tenant_id)s",
   admin_url    => "http://127.0.0.1:8774/v2/%(tenant_id)s",
   internal_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
}

Endpoints can also be written with the type as a suffix:

keystone_endpoint { 'example-1-west/nova::compute':
   ensure       => present,
   public_url   => "http://127.0.0.1:8774/v2/%(tenant_id)s",
   admin_url    => "http://127.0.0.1:8774/v2/%(tenant_id)s",
   internal_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
}

Defining an endpoint without the type is supported in the Liberty release for backward compatibility, but will be dropped in Mitaka, because omitting the type can lead to corruption of the endpoint database. See this bug: https://bugs.launchpad.net/puppet-keystone/+bug/1506996
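A way to find declarations that still omit the type before the Mitaka cut-off, as an added example that is not part of puppet-keystone. It is a text heuristic, not a Puppet parser; the function name and the sample manifest are constructed for illustration.

```ruby
# Added example: flag keystone_endpoint / keystone_service declarations that
# set no type, neither as a "::type" title suffix nor as a "type =>" attribute.
# Heuristic only: assumes attribute values contain no "}" other than "${...}".
DECL_RE = /\b(keystone_endpoint|keystone_service)\s*\{\s*(['"])(.+?)\2\s*:([^}]*)\}/m

def untyped_keystone_resources(manifest)
  # Drop whole-line comments and "${...}" interpolations so a commented-out
  # "type =>" or a stray "}" cannot confuse the match.
  text = manifest.gsub(/^\s*#.*$/, '').gsub(/\$\{[^}]*\}/, 'VAR')
  text.scan(DECL_RE).each_with_object([]) do |(kind, _quote, title, body), missing|
    typed_by_title = title.match?(/\A.+::[^:]+\z/)
    typed_by_attr  = body.match?(/(?:\A|[,\n])\s*type\s*=>/)
    missing << "#{kind}[#{title}]" unless typed_by_title || typed_by_attr
  end
end

# Constructed sample manifest mixing the styles shown in this README.
SAMPLE_MANIFEST = <<~'PP'
  keystone_service { 'nova':
    ensure => present,
    type   => 'compute',
  }
  keystone_service { 'glance::image': ensure => present }
  keystone_endpoint { 'example-1-west/nova::compute':
    ensure     => present,
    public_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
  }
  # keystone_endpoint { 'commented/out': ensure => present }
  keystone_endpoint { 'example-1-west/cinder':
    ensure     => present,
    public_url => "http://${api_host}:8776/v1",
  }
PP

untyped_keystone_resources(SAMPLE_MANIFEST).each do |res|
  puts "no service type set: #{res}"
end
```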

Setting up a database for keystone

A keystone database can be configured separately from the keystone services.

If you need to install a fresh database, you can choose MySQL or PostgreSQL. Use the mysql::server or postgresql::server class for that setup, then Class['keystone::db::mysql'] or Class['keystone::db::postgresql'] to add the databases and users that keystone needs.

  • For mysql
class { 'mysql::server': }

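class { 'keystone::db::mysql':
  password      => 'super_secret_db_password',
  # '%' lets the keystone database user connect from any host; narrow it to the hosts that run keystone where you can.
  allowed_hosts => '%',
}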
  • For postgresql
class { 'postgresql::server': }

class { 'keystone::db::postgresql': password => 'super_secret_db_password', }

About Keystone V3 syntax in keystone_user/keystone_tenant/keystone_user_role

A complete description of the syntax available for those resources is in examples/user_project_user_role_composite_namevar.pp

About Keystone V3 and default domain

For users

With Keystone V3, domains made their appearance. For backward compatibility a default domain is defined in the keystone.conf file. All the V2 resources are then assigned to this default domain. By default, the default domain id is default, and it is associated with the name Default.

What it means is that this user:

keystone_user { 'my_non_full_qualified_user':
  ensure => present
}

will be assigned to the Default domain.

The same is true for keystone_tenant and keystone_user_role:

keystone_tenant { 'project_one':
  ensure => present
}

keystone_user_role { 'user_one@project_one':
  ensure => present,
  roles  => ['admin']
}

will be assigned to the Default domain.

Now, you can change the default domain if you want. But then the puppet resource you defined will have to be fully qualified.

So, for instance, if you change the default domain to be my_new_default, then you'll have to do:

keystone_user { 'full_qualified_user::my_new_default':
  ensure => present
}
keystone_tenant { 'project_one::my_new_default':
  ensure => present
}

keystone_user_role { 'user_one::my_new_default@project_one::my_new_default':
  ensure => present,
  roles  => ['admin']
}

as the module will always assign a resource without domain to the Default domain.

A deprecation warning will be visible in the log when you have changed the default domain id and used a non-fully-qualified name for your resource.

In Mitaka, a deprecation warning will be displayed all the time if you use a non-fully-qualified resource.

After Mitaka all the resources will have to be fully qualified.

For developers

Other modules can try to find user/tenant resources using Puppet's indirection. The rules for the names of the resources are:

  1. fully qualified if domain is not 'Default';
  2. short form if domain is 'Default'

This is for backward compatibility.

Note that, as stated above, the 'Default' domain is hardcoded. It is not related to the real default domain which can be set to something else. But then again, you will have to set the fully qualified name.

You can check spec/acceptance/default_domain_spec.rb for an example of the behavior described here.
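The naming rules above, written out as an added example that is not code from the module. The function names are hypothetical, and the parsing is simplified: it assumes names contain neither '@' nor '::' themselves.

```ruby
# Added example: how a title maps to a domain under the rules described above.
DEFAULT_DOMAIN = 'Default' # the hardcoded name, not the configured default

# Split "name::domain" into [name, domain]; unqualified names land in Default.
def split_domain(name)
  base, sep, domain = name.rpartition('::')
  sep.empty? ? [name, DEFAULT_DOMAIN] : [base, domain]
end

# Name another module would use to look the resource up:
# short form in 'Default', fully qualified everywhere else.
def canonical_name(name)
  base, domain = split_domain(name)
  domain == DEFAULT_DOMAIN ? base : "#{base}::#{domain}"
end

# Parse a keystone_user_role title: user[::domain]@project[::domain].
def parse_user_role(title)
  user, project = title.split('@', 2)
  if user.nil? || user.empty? || project.nil? || project.empty?
    raise ArgumentError, "expected user@project, got #{title.inspect}"
  end
  u_name, u_dom = split_domain(user)
  p_name, p_dom = split_domain(project)
  { user: u_name, user_domain: u_dom, project: p_name, project_domain: p_dom }
end

# Titles that would be assigned to 'Default' although the operator has
# configured another default domain (the case that logs the deprecation).
def unqualified_titles(titles, configured_default)
  return [] if configured_default == DEFAULT_DOMAIN
  titles.reject { |t| t.split('@').all? { |part| part.include?('::') } }
end

# Constructed sample titles in the shapes used in this README.
SAMPLE_TITLES = [
  'full_qualified_user::my_new_default',
  'project_one',
  'user_one::my_new_default@project_one'
].freeze

unqualified_titles(SAMPLE_TITLES, 'my_new_default').each do |t|
  puts "not fully qualified, goes to #{DEFAULT_DOMAIN}: #{t}"
end
```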

Implementation

keystone

keystone is a combination of Puppet manifests and Ruby code that delivers configuration and extra functionality through types and providers.

Types

keystone_config

The keystone_config provider is a child of the ini_setting provider. It allows one to write an entry in the /etc/keystone/keystone.conf file.

keystone_config { 'DEFAULT/verbose' :
  value => true,
}

This will write verbose=true in the [DEFAULT] section.

name

Section/setting name to manage from keystone.conf

value

The value of the setting to be defined.

secret

Whether to hide the value from Puppet logs. Defaults to false.

ensure_absent_val

If value is equal to ensure_absent_val then the resource will behave as if ensure => absent was specified. Defaults to <SERVICE DEFAULT>

Limitations

  • All the keystone types use the CLI tools and so need to be run on the keystone node.

Upgrade warning

  • If you've set up OpenStack using previous versions of this module you need to be aware that it used UUID as the default for the token_format parameter but now defaults to PKI. If you're using this module to manage a Grizzly OpenStack deployment that was set up using a development release of the modules, or are attempting an upgrade from Folsom, then you'll need to make sure you set the token_format to UUID at classification time.

Beaker-Rspec

This module has beaker-rspec tests

To run:

bundle install
bundle exec rspec spec/acceptance

Development

Developer documentation for the entire puppet-openstack project.

Contributors