From b8515bc3e48166025c12aab91318ec12f18fac0d Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 20 Oct 2020 20:30:47 +0900
Subject: [PATCH] Add a new parameter to enable/disable bootstrap This change introduces a new parameter to enable/disable bootstrap command by the keystone::bootstrap command. This parameter is useful expecially in the deployment with multiple controller nodes, and we can run bootstrap command on only one of the controller nodes while we generate puppet.conf on all controller nodes, so that we can use openstack providers in all controller nodes.
Change-Id: If049e33fefc2681d2f4340f5910402b07e6e286f
---
 manifests/bootstrap.pp | 133 +++++++++---------
 ...stone-bootstrap-flag-9eac9280f6f6d7ed.yaml | 7 +
 spec/classes/keystone_bootstrap_spec.rb | 40 ++++++
 3 files changed, 117 insertions(+), 63 deletions(-)
 create mode 100644 releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
diff --git a/manifests/bootstrap.pp b/manifests/bootstrap.pp
index d8db3348b..0a0857087 100644
--- a/manifests/bootstrap.pp
+++ b/manifests/bootstrap.pp
@@ -56,6 +56,10 @@
 # (Optional) Which interface endpoint should be used.
 # Defaults to 'public'
 #
+# [*bootstrap*]
+# (Optional) Whether to run keystone-manage bootstrap command.
+# Defaults to true
+#
 class keystone::bootstrap (
 $password,
 $username = 'admin',
@@ -69,6 +73,7 @@ class keystone::bootstrap (
 $internal_url = undef,
 $region = 'RegionOne',
 $interface = 'public',
+ $bootstrap = true,
 ) inherits keystone::params {
 include keystone::deps
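Review bot: The `[*bootstrap*]` description understates what the flag controls. In the third hunk the `if $bootstrap {` block wraps not only the `keystone bootstrap` exec but also the `ensure_resource` calls for the role, user, projects, user role, service and endpoint. An operator reading only this header would not expect those resources to drop out of the catalog when the flag is false. I would word it as `# (Optional) Whether to run keystone-manage bootstrap and manage the bootstrap role, user, projects, service and endpoint on this node.`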
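Review bot: `$bootstrap = true,` is declared without a data type, so the `if $bootstrap` test added in the next hunk accepts any value. In Puppet 4 and later every string is truthy, so a Hiera or ENC value of `'false'` would leave bootstrap enabled on a node where the operator meant to turn it off. Declaring it as `Boolean $bootstrap = true,` rejects such input at compile time. The other parameters visible here are untyped too, so this may need to follow whatever validation convention the module uses. The parameter list starts above the hunk.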
@@ -84,71 +89,73 @@ class keystone::bootstrap (
 $keystone_user = $::keystone::params::keystone_user
 }
- # The initial bootstrap that creates all resources required but
- # only subscribes to notifies from the keystone::dbsync::end anchor
- # which means this is not guaranteed to execute on each run.
- exec { 'keystone bootstrap':
- command => 'keystone-manage bootstrap',
- environment => [
- "OS_BOOTSTRAP_USERNAME=${username}",
- "OS_BOOTSTRAP_PASSWORD=${password}",
- "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
- "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
- "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
- "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
- "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
- "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
- "OS_BOOTSTRAP_REGION_ID=${region}",
- ],
- user => $keystone_user,
- path => '/usr/bin',
- refreshonly => true,
- subscribe => Anchor['keystone::dbsync::end'],
- notify => Anchor['keystone::service::begin'],
- tag => 'keystone-bootstrap',
+ if $bootstrap {
+ # The initial bootstrap that creates all resources required but
+ # only subscribes to notifies from the keystone::dbsync::end anchor
+ # which means this is not guaranteed to execute on each run.
+ exec { 'keystone bootstrap':
+ command => 'keystone-manage bootstrap',
+ environment => [
+ "OS_BOOTSTRAP_USERNAME=${username}",
+ "OS_BOOTSTRAP_PASSWORD=${password}",
+ "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
+ "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
+ "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
+ "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
+ "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
+ "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
+ "OS_BOOTSTRAP_REGION_ID=${region}",
+ ],
+ user => $keystone_user,
+ path => '/usr/bin',
+ refreshonly => true,
+ subscribe => Anchor['keystone::dbsync::end'],
+ notify => Anchor['keystone::service::begin'],
+ tag => 'keystone-bootstrap',
+ }
+
+ # Since the bootstrap is not guaranteed to execute on each run we
+ # use the below resources to make sure the current resources are
+ # correct so if some value was updated we set that.
+
+ ensure_resource('keystone_role', $role_name, {
+ 'ensure' => 'present',
+ })
+
+ ensure_resource('keystone_user', $username, {
+ 'ensure' => 'present',
+ 'enabled' => true,
+ 'email' => $email,
+ 'password' => $password,
+ })
+
+ ensure_resource('keystone_tenant', $service_project_name, {
+ 'ensure' => 'present',
+ 'enabled' => true,
+ })
+
+ ensure_resource('keystone_tenant', $project_name, {
+ 'ensure' => 'present',
+ 'enabled' => true,
+ })
+
+ ensure_resource('keystone_user_role', "${username}@${project_name}", {
+ 'ensure' => 'present',
+ 'roles' => $role_name,
+ })
+
+ ensure_resource('keystone_service', "${service_name}::identity", {
+ 'ensure' => 'present',
+ })
+
+ ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
+ 'ensure' => 'present',
+ 'public_url' => $public_url,
+ 'admin_url' => $admin_url,
+ 'internal_url' => $internal_url_real,
+ })
 }
- # Since the bootstrap is not guaranteed to execute on each run we
- # use the below resources to make sure the current resources are
- # correct so if some value was updated we set that.
-
- ensure_resource('keystone_role', $role_name, {
- 'ensure' => 'present',
- })
-
- ensure_resource('keystone_user', $username, {
- 'ensure' => 'present',
- 'enabled' => true,
- 'email' => $email,
- 'password' => $password,
- })
-
- ensure_resource('keystone_tenant', $service_project_name, {
- 'ensure' => 'present',
- 'enabled' => true,
- })
-
- ensure_resource('keystone_tenant', $project_name, {
- 'ensure' => 'present',
- 'enabled' => true,
- })
-
- ensure_resource('keystone_user_role', "${username}@${project_name}", {
- 'ensure' => 'present',
- 'roles' => $role_name,
- })
-
- ensure_resource('keystone_service', "${service_name}::identity", {
- 'ensure' => 'present',
- })
-
- ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
- 'ensure' => 'present',
- 'public_url' => $public_url,
- 'admin_url' => $admin_url,
- 'internal_url' => $internal_url_real,
- })
-
 # The below creates and populates the /etc/keystone/puppet.conf file that contains
 # the credentials that can be loaded by providers. Ensure it has the proper owner,
 # group and mode so that it cannot be read by anything other than root.
diff --git a/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml b/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
new file mode 100644
index 000000000..045fbc54a
--- /dev/null
+++ b/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ The new ``keystone::bootstrap::bootstrap`` parameter has been added, to
+ disable ``keystone-manage bootstrap`` command. This is useful to generate
+ ``/etc/keystone/puppet.conf`` on multiple nodes while running bootstrap
+ command on a single node.
diff --git a/spec/classes/keystone_bootstrap_spec.rb b/spec/classes/keystone_bootstrap_spec.rb
index 1ee578169..b0a1e2dc5 100644
--- a/spec/classes/keystone_bootstrap_spec.rb
+++ b/spec/classes/keystone_bootstrap_spec.rb
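Review bot: With `bootstrap => false` the `keystone_user` resource that enforces `'password' => $password` is no longer declared, yet the puppet.conf section after the block still hands the same `$password` to the providers (the new spec context shows the authtoken resource staying in the catalog). On such a node nothing in this class reconciles that stored credential with the account, so a value that differs from the one applied on the bootstrapping node would presumably surface only as provider authentication failures. I would add a comment above `if $bootstrap {`, for example `# When false this node only writes puppet.conf; $password must match the value applied on the node that runs bootstrap.` The class body begins before this hunk and continues after it.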
@@ -179,6 +179,46 @@ describe 'keystone::bootstrap' do
 )}
 end
+ context 'with bootstrap disabled' do
+ let :params do
+ {
+ :bootstrap => false,
+ :password => 'secret'
+ }
+ end
+
+ it { is_expected.to contain_class('keystone::deps') }
+
+ it { is_expected.to_not contain_exec('keystone bootstrap') }
+
+ it { is_expected.to_not contain_keystone_role('admin') }
+ it { is_expected.to_not contain_keystone_user('admin') }
+ it { is_expected.to_not contain_keystone_tenant('services') }
+ it { is_expected.to_not contain_keystone_tenant('admin') }
+ it { is_expected.to_not contain_keystone_user_role('admin@admin') }
+ it { is_expected.to_not contain_keystone_service('keystone::identity') }
+ it { is_expected.to_not contain_keystone_endpoint('RegionOne/keystone::identity') }
+
+ it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
+ :ensure => 'present',
+ :replace => false,
+ :content => '',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :require => 'Anchor[keystone::install::end]',
+ )}
+
+ it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+ :username => 'admin',
+ :password => 'secret',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'admin',
+ :region_name => 'RegionOne',
+ :interface => 'public',
+ )}
+ end
+
 context 'when setting keystone_user param in keystone' do
 let :params do
 {
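Review bot: The negative expectations in the new context are pinned to the default titles (`'admin'`, `'services'`, `'RegionOne/keystone::identity'`), so they would still pass if a resource of the same type were declared under a different title. rspec-puppet's count matchers state the intent more directly, e.g. `it { is_expected.to have_keystone_user_resource_count(0) }` and likewise for the other types, provided nothing else in the catalog declares them. The enclosing `describe` block starts and ends outside the hunk.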