1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
|
require 'spec_helper_acceptance'
describe 'keystone server running with Apache/WSGI with resources' do
context 'default parameters' do
it 'should work with no errors' do
pp= <<-EOS
include openstack_integration
include openstack_integration::repos
include openstack_integration::apache
include openstack_integration::mysql
include openstack_integration::memcached
include openstack_integration::keystone
keystone::resource::service_identity { 'ci':
service_type => 'ci',
service_description => 'ci service',
service_name => 'ci',
password => 'secret',
public_url => 'http://127.0.0.1:1234',
admin_url => 'http://127.0.0.1:1234',
internal_url => 'http://127.0.0.1:1234',
}
# v3 admin
keystone_domain { 'admin_domain':
ensure => present,
enabled => true,
description => 'Domain for admin v3 users',
}
keystone_domain { 'service_domain':
ensure => present,
enabled => true,
description => 'Domain for admin v3 users',
}
keystone_tenant { 'servicesv3::service_domain':
ensure => present,
enabled => true,
description => 'Tenant for the openstack services',
}
keystone_tenant { 'openstackv3::admin_domain':
ensure => present,
enabled => true,
description => 'admin tenant',
}
keystone_user { 'adminv3::admin_domain':
ensure => present,
enabled => true,
email => 'test@example.tld',
password => 'a_big_secret',
}
keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':
ensure => present,
roles => ['admin'],
}
keystone_user { 'user_with_description':
ensure => present,
enabled => true,
description => 'my super description',
email => 'me@example.tld',
password => 'super_secret',
}
# service user exists only in the service_domain - must
# use v3 api
keystone::resource::service_identity { 'civ3':
service_type => 'civ3',
service_description => 'civ3 service',
service_name => 'civ3',
password => 'secret',
tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3',
admin_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain',
project_domain => 'service_domain',
}
keystone::resource::service_identity { 'civ3alt::service_domain':
service_type => 'civ3alt',
service_description => 'civ3alt service',
service_name => 'civ3alt',
password => 'secret',
tenant => 'servicesv3::service_domain',
public_url => 'http://127.0.0.1:1234/v3',
admin_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
}
keystone::resource::service_identity { 'civ3public':
service_type => 'civ3public',
service_description => 'civ3public service',
service_name => 'civ3public',
password => 'secret',
tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain',
project_domain => 'service_domain',
}
keystone::resource::service_identity { 'civ3noadmin':
service_type => 'civ3noadmin',
service_description => 'civ3noadmin service',
service_name => 'civ3noadmin',
password => 'secret',
tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain',
project_domain => 'service_domain',
}
EOS
# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe port(5000) do
it { is_expected.to be_listening }
end
shared_examples_for 'keystone user/tenant/service/role/endpoint resources using v3 API' do |auth_creds|
it 'should find ci user' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 user list --long") do |r|
expect(r.stdout).to match(/ci/)
expect(r.stdout).to match(/user\_with\_description/)
expect(r.stdout).to match(/my\ super\ description/)
expect(r.stderr).to be_empty
end
end
it 'should find services tenant' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 project list") do |r|
expect(r.stdout).to match(/services/)
expect(r.stderr).to be_empty
end
end
it 'should find ci service' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 service list") do |r|
expect(r.stdout).to match(/ci/)
expect(r.stderr).to be_empty
end
end
it 'should find admin role' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 role assignment list --names") do |r|
expect(r.stdout).to match(/admin/)
expect(r.stderr).to be_empty
end
end
it 'should find ci endpoints' do
command("openstack #{auth_creds} --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 endpoint list") do |r|
expect(r.stdout).to match(/1234/)
expect(r.stderr).to be_empty
end
end
end
describe 'with v2 admin with v3 credentials' do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username admin --os-password a_big_secret --os-project-name openstack --os-user-domain-name Default --os-project-domain-name Default'
end
describe "with v2 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username ci --os-password secret --os-project-name services --os-user-domain-name Default --os-project-domain-name Default'
end
describe 'with v3 admin with v3 credentials' do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username adminv3 --os-password a_big_secret --os-project-name openstackv3' \
' --os-user-domain-name admin_domain --os-project-domain-name admin_domain'
end
describe "with v3 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username civ3 --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
end
describe "with v3 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username civ3alt --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
end
end
describe 'composite namevar quick test' do
context 'similar resources different naming' do
let(:pp) do
<<-EOM
keystone_tenant { 'openstackv3':
ensure => present,
enabled => true,
description => 'admin tenant',
domain => 'admin_domain'
}
keystone_user { 'adminv3::useless_when_the_domain_is_set':
ensure => present,
enabled => true,
email => 'test@example.tld',
password => 'a_big_secret',
domain => 'admin_domain'
}
keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':
ensure => present,
roles => ['admin'],
}
EOM
end
it 'should not do any modification' do
apply_manifest(pp, :catch_changes => true)
end
end
end
describe 'composite namevar for keystone_service' do
let(:pp) do
<<-EOM
keystone_service { 'service_1::type_1': ensure => present }
keystone_service { 'service_1': type => 'type_2', ensure => present }
EOM
end
it 'should be possible to create two services different only by their type' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
end
describe 'composite namevar for keystone_service and keystone_endpoint' do
let(:pp) do
<<-EOM
keystone_service { 'service_1::type_1': ensure => present }
keystone_service { 'service_1': type => 'type_2', ensure => present }
keystone_endpoint { 'RegionOne/service_1::type_2':
ensure => present,
public_url => 'http://public_service1_type2',
internal_url => 'http://internal_service1_type2',
admin_url => 'http://admin_service1_type2'
}
keystone_endpoint { 'service_1':
ensure => present,
region => 'RegionOne',
type => 'type_1',
public_url => 'http://public_service1_type1/',
internal_url => 'http://internal_service1_type1/',
admin_url => 'http://admin_service1_type1/'
}
EOM
end
it 'should be possible to create two services different only by their type' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe 'puppet service are created' do
it 'for service' do
command('puppet resource keystone_service') do |result|
expect(result.stdout)
.to match(/keystone_service { 'service_1::type_1':/)
expect(result.stdout)
.to match(/keystone_service { 'service_1::type_2':/)
end
end
end
describe 'puppet endpoints are created' do
it 'for service' do
command('puppet resource keystone_endpoint') do |result|
expect(result.stdout)
.to match(/keystone_endpoint { 'RegionOne\/service_1::type_1':/)
expect(result.stdout)
.to match(/keystone_endpoint { 'RegionOne\/service_1::type_2':/)
end
end
end
end
context '#keystone_domain_config' do
# make sure everything is clean before playing the manifest
shared_examples 'clean_domain_configuration', :clean_domain_cfg => true do
before(:context) do
run_shell('rm -rf /etc/keystone/domains')
run_shell('rm -rf /tmp/keystone.*.conf')
end
end
context 'one domain configuration', :clean_domain_cfg => true do
context 'simple use case' do
let(:pp) do
<<-EOM
file { '/etc/keystone/domains': ensure => directory }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe file('/etc/keystone/domains/keystone.services.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/auth.com\/1/ }
end
end
context 'with a non default identity/domain_config_dir' do
let(:pp) do
<<-EOM
keystone_config { 'identity/domain_config_dir': value => '/tmp' }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe file('/tmp/keystone.services.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/auth.com\/1/ }
end
end
end
context 'with a multiple configurations', :clean_domain_cfg => true do
let(:pp) do
<<-EOM
file { '/etc/keystone/domains': ensure => directory }
keystone_config { 'identity/domain_config_dir': value => '/etc/keystone/domains' }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
keystone_domain_config { 'services::http/url':
value => 'http://auth.com/2',
}
keystone_domain_config { 'external::ldap/url':
value => 'http://ext-auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
it 'should list puppet resources' do
command('puppet resource keystone_domain_config') do |r|
expect(r.exit_code).to eq 0
end
end
describe file('/etc/keystone/domains/keystone.external.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/ext-auth.com\/1/ }
end
end
context 'checking that the purge is working' do
let(:pp) do
<<-EOM
resources { 'keystone_domain_config': purge => true }
keystone_domain_config { 'services::ldap/url':
value => 'http://auth.com/1',
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe file('/etc/keystone/domains/keystone.services.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=http:\/\/auth.com\/1/ }
end
end
context '#ldap_backend', :clean_domain_cfg => true do
context 'manifest' do
let(:pp) do
<<-EOM
include openstack_integration::apache
class { 'openstack_integration::keystone':
default_domain => 'default_domain',
using_domain_config => true,
}
keystone_domain { 'domain_1_ldap_backend': ensure => present }
keystone_domain { 'domain_2_ldap_backend': ensure => present }
keystone::ldap_backend { 'domain_1_ldap_backend':
url => 'ldap://foo',
user => 'cn=foo,dc=example,dc=com',
identity_driver => 'ldap',
}
keystone::ldap_backend { 'domain_2_ldap_backend':
url => 'ldap://bar',
user => 'cn=bar,dc=test,dc=com',
identity_driver => 'ldap',
}
EOM
end
it 'should apply the manifest correctly' do
apply_manifest(pp, :accept_all_exit_codes => true)
# Cannot really test it as keystone will try to connect to
# the ldap backend when it restarts. But the ldap server
# which doesn't exit. The next "test" clean everything up
# to have a working keystone again.
# TODO: Should we add a working ldap server ?
end
describe file('/etc/keystone/domains/keystone.domain_1_ldap_backend.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=ldap:\/\/foo\nuser=cn=foo,dc=example,dc=com/ }
end
describe file('/etc/keystone/domains/keystone.domain_2_ldap_backend.conf') do
it { is_expected.to be_file }
it { is_expected.to exist }
its(:content) { should match /\[ldap\]\nurl=ldap:\/\/bar\nuser=cn=bar,dc=test,dc=com/ }
end
end
context 'clean up', :clean_domain_cfg => true do
# we must revert the changes as ldap backend is not fully
# functional and are "domain read only". All subsequent tests
# will fail without this.
let(:pp) do
<<-EOM
keystone_config {
'identity/driver': value => 'sql';
'credential/driver': ensure => absent;
'assignment/driver': ensure => absent;
'identity/domain_specific_drivers_enabled': ensure => absent;
'identity/domain_config_dir': ensure => absent;
}
EOM
end
it 'should apply and be idempotent' do
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
end
end
end
end
|
