Switch to fernet tokens by default

In the upcoming puppet keystone release, the default is being switched
to fernet. This change updates packstack to properly handle the fernet
provider configuration for keystone and makes it the new default.
Since the upstream will be enabling the fernet token setup by default,
packstack needs to properly turn off the fernet setup when using uuid.

Change-Id: Id9f6d54e7e5190c3a01f60c511d8a470436bff7d

README.md

@@ -187,7 +187,7 @@ This is the current matrix of available tests:
 
 |     -      | scenario001 | scenario002 | scenario003 |
 |:----------:|:-----------:|:-----------:|:------------:
-| keystone   |      X      |      X      |      X      |
+| keystone   |   FERNET    |    UUID     |    FERNET   |
 | glance     |    file     |    swift    |     file    |
 | nova       |      X      |      X      |      X      |
 | neutron    |      X      |      X      |      X      |

docs/packstack.rst

@@ -335,7 +335,7 @@ Keystone Config parameters
     Identity service API version string. ['v2.0', 'v3']
 
 **CONFIG_KEYSTONE_TOKEN_FORMAT**
-    Identity service token format (UUID or PKI). The recommended format for new deployments is UUID. ['UUID', 'PKI']
+    Identity service token format (UUID, PKI or FERNET). The recommended format for new deployments is FERNET. ['UUID', 'PKI', 'FERNET']
 
 **CONFIG_KEYSTONE_IDENTITY_BACKEND**
     Type of Identity service backend (sql or ldap). ['sql', 'ldap']

packstack/plugins/keystone_100.py

@@ -151,13 +151,13 @@ def initConfig(controller):
 
             {"CMD_OPTION": "keystone-token-format",
              "PROMPT": "Enter the Keystone token format.",
-             "OPTION_LIST": ['UUID', 'PKI'],
+             "OPTION_LIST": ['UUID', 'PKI', 'FERNET'],
              "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'UUID',
+             "DEFAULT_VALUE": 'FERNET',
              "MASK_INPUT": False,
              "LOOSE_VALIDATION": False,
              "CONF_NAME": 'CONFIG_KEYSTONE_TOKEN_FORMAT',
-             "USE_DEFAULT": True,
+             "USE_DEFAULT": False,
              "NEED_CONFIRM": False,
              "CONDITION": False},
 

packstack/puppet/modules/packstack/manifests/keystone.pp

@@ -6,6 +6,11 @@ class packstack::keystone ()
     $keystone_cfg_ks_db_pw = hiera('CONFIG_KEYSTONE_DB_PW')
     $keystone_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
     $keystone_token_provider_str = downcase(hiera('CONFIG_KEYSTONE_TOKEN_FORMAT'))
+    if $keystone_token_provider_str == 'fernet' {
+      $enable_fernet_setup = true
+    } else {
+      $enable_fernet_setup = false
+    }
     $keystone_url = regsubst(regsubst(hiera('CONFIG_KEYSTONE_PUBLIC_URL'),'/v2.0',''),'/v3','')
     $keystone_admin_url = hiera('CONFIG_KEYSTONE_ADMIN_URL')
 
@@ -33,6 +38,7 @@ class packstack::keystone ()
       admin_token         => hiera('CONFIG_KEYSTONE_ADMIN_TOKEN'),
       database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone",
       token_provider      => "keystone.token.providers.${keystone_token_provider_str}.Provider",
+      enable_fernet_setup => $enable_fernet_setup,
       debug               => hiera('CONFIG_DEBUG_MODE'),
       service_name        => 'httpd',
       enable_ssl          => $keystone_use_ssl,

tests/scenario002.sh

@@ -31,6 +31,7 @@ $SUDO packstack ${ADDITIONAL_ARGS} \
           --os-neutron-lbaas-install=y \
           --os-sahara-install=y \
           --os-trove-install=y \
+          --keystone-token-format=UUID \
           --provision-uec-kernel-url="/tmp/cirros/cirros-0.3.4-x86_64-vmlinuz" \
           --provision-uec-ramdisk-url="/tmp/cirros/cirros-0.3.4-x86_64-initrd" \
           --provision-uec-disk-url="/tmp/cirros/cirros-0.3.4-x86_64-disk.img" \