keystone: enable fernet across all CI

The UUID tokens are deprecated as of the Pike release and they
will be removed in 2 releases.  The deployment choice should
be Fernet so we should test that extensively.

Change-Id: I7d9f8782afc2cb636e69e8dd1e16c68182c38959

README.md

@@ -43,7 +43,6 @@ scenario](#all-in-one).
 | ssl        |     yes     |      yes    |      yes    |     yes     |     no       |
 | ipv6       |   centos7   |    centos7  |    centos7  |   centos7   |     no       |
 | keystone   |      X      |       X     |       X     |      X      |      X       |
-| tokens     |    uuid     |     uuid    |    fernet   |   fernet    |    uuid      |
 | glance     |     rbd     |     swift   |     file    |  swift+rgw  |    file      |
 | nova       |     rbd     |       X     |       X     |     rbd     |      X       |
 | neutron    |     ovs     |      ovs    | linuxbridge |     ovs     |     ovs      |

fixtures/scenario003.pp

@@ -56,9 +56,7 @@ include ::openstack_integration::cacert
 include ::openstack_integration::memcached
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
-class { '::openstack_integration::keystone':
-  token_provider => 'fernet',
-}
+include ::openstack_integration::keystone
 include ::openstack_integration::glance
 class { '::openstack_integration::neutron':
   driver => 'linuxbridge',

fixtures/scenario004.pp

@@ -42,9 +42,7 @@ include ::openstack_integration::cacert
 include ::openstack_integration::memcached
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
-class { '::openstack_integration::keystone':
-  token_provider => 'fernet',
-}
+include ::openstack_integration::keystone
 class { '::openstack_integration::glance':
   backend => 'swift',
 }

manifests/keystone.pp

@@ -11,10 +11,6 @@
 #   and the associated configuration in keystone.conf is set up right.
 #   Defaults to false
 #
-# [*token_provider*]
-#   (optional) Define the token provider to use.
-#   Default to 'uuid'.
-#
 # [*token_expiration*]
 #   (optional) Define the token expiration to use.
 #   Default to '600'.
@@ -23,7 +19,6 @@
 class openstack_integration::keystone (
   $default_domain      = undef,
   $using_domain_config = false,
-  $token_provider      = 'uuid',
   $token_expiration    = '600',
 ) {
 
@@ -43,18 +38,20 @@ class openstack_integration::keystone (
     Exec['update-ca-certificates'] ~> Service['httpd']
   }
 
-  if $token_provider == 'fernet' {
-    $enable_fernet_setup = true
-    class { '::keystone::cron::fernet_rotate':
-      hour   => '*',
-      minute => '*/5',
-    }
+  # Keystone credential setup is not packaged in UCA yet.
+  # It should be done when Newton is released.
+  if $::osfamily == 'RedHat' {
+    $enable_credential_setup = true
   } else {
-    $enable_fernet_setup = false
+    $enable_credential_setup = false
   }
 
   class { '::keystone::client': }
   class { '::keystone::cron::token_flush': }
+  class { '::keystone::cron::fernet_rotate':
+    hour   => '*',
+    minute => '*/5',
+  }
   class { '::keystone::db::mysql':
     password => 'keystone',
   }
@@ -71,8 +68,7 @@ class openstack_integration::keystone (
     public_bind_host           => $::openstack_integration::config::host,
     admin_bind_host            => $::openstack_integration::config::host,
     manage_policyrcd           => true,
-    token_provider             => $token_provider,
-    enable_fernet_setup        => $enable_fernet_setup,
+    enable_credential_setup    => $enable_credential_setup,
     fernet_max_active_keys     => '4',
     token_expiration           => $token_expiration,
     default_transport_url      => os_transport_url({