8 :concat_basedir => '/var/lib/puppet/concat',
9 :fqdn => 'some.host.tld'
15 :osfamily => 'Debian',
16 :operatingsystem => 'Debian',
17 :operatingsystemrelease => '7.0'
# Fixture hash of class parameters with string keys. Presumably this is the
# default_params hash that the examples further down iterate over -- the line
# that opens the literal is not part of this listing, so confirm.
# NOTE(review): 'admin_token' appears twice in this run of entries with the
# same value; if both sit in one hash literal, Ruby keeps the last duplicate
# key and warns, so one entry is redundant.
22 'admin_token' => 'service_token',
23 'package_ensure' => 'present',
# Both API listeners bind to every interface in this fixture. The admin API
# is the one usually restricted by a narrower bind address or a firewall.
24 'public_bind_host' => '0.0.0.0',
25 'admin_bind_host' => '0.0.0.0',
26 'public_port' => '5000',
27 'admin_port' => '35357',
28 'admin_token' => 'service_token',
29 'compute_port' => '8774',
32 'catalog_type' => 'sql',
33 'catalog_driver' => false,
34 'token_provider' => 'keystone.token.providers.uuid.Provider',
35 'token_driver' => 'keystone.token.persistence.backends.sql.Token',
36 'cache_dir' => '/var/cache/keystone',
# TLS on the keystone listeners is switched off in this fixture; the
# certificate and key paths below are plain strings, nothing is read from disk.
37 'enable_ssl' => false,
38 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem',
39 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem',
40 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
41 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
42 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
# A connection URL may embed credentials (the override fixture uses
# 'mysql://a:b@c/d'), which is why the examples assert it is marked secret.
44 'database_connection' => 'sqlite:////var/lib/keystone/keystone.db',
45 'database_idle_timeout' => '200',
46 'enable_pki_setup' => true,
47 'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
48 'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
49 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
50 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
# guest/guest is RabbitMQ's stock account. It is acceptable as a fixture
# value; a broker reachable from other hosts needs its own credentials.
51 'rabbit_host' => 'localhost',
52 'rabbit_password' => 'guest',
53 'rabbit_userid' => 'guest',
57 'package_ensure' => 'latest',
58 'public_bind_host' => '0.0.0.0',
59 'admin_bind_host' => '0.0.0.0',
60 'public_port' => '5001',
61 'admin_port' => '35358',
62 'admin_token' => 'service_token_override',
63 'compute_port' => '8778',
66 'catalog_type' => 'template',
67 'token_provider' => 'keystone.token.providers.uuid.Provider',
68 'token_driver' => 'keystone.token.backends.kvs.Token',
69 'public_endpoint' => 'https://localhost:5000/v2.0/',
70 'admin_endpoint' => 'https://localhost:35357/v2.0/',
72 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem',
73 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem',
74 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
75 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
76 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
78 'database_connection' => 'mysql://a:b@c/d',
79 'database_idle_timeout' => '300',
80 'enable_pki_setup' => true,
81 'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
82 'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
83 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
84 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
85 'rabbit_host' => '127.0.0.1',
86 'rabbit_password' => 'openstack',
87 'rabbit_userid' => 'admin',
90 httpd_params = {'service_name' => 'httpd'}.merge(default_params)
# Shared examples parameterised by a hash of class parameters: each example
# checks that the compiled catalogue contains the resource or keystone_config
# entry matching that hash. The gutter numbers skip, so closing lines
# (`end`, `)}`) and some setup lines are not visible in this listing.
92 shared_examples_for 'core keystone examples' do |param_hash|
93 it { should contain_class('keystone::params') }
95 it { should contain_package('keystone').with(
96 'ensure' => param_hash['package_ensure'],
100 it { should contain_group('keystone').with(
101 'ensure' => 'present',
105 it { should contain_user('keystone').with(
106 'ensure' => 'present',
# Config, log and state directories must be owned by the keystone user/group
# and be created only after the package is installed.
111 it 'should contain the expected directories' do
112 ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone'].each do |d|
113 should contain_file(d).with(
114 'ensure' => 'directory',
115 'owner' => 'keystone',
116 'group' => 'keystone',
118 'require' => 'Package[keystone]'
# db_sync is refresh-only: it is expected to run on a package or
# database/connection change, not on every Puppet run.
123 it 'should only synchronize the db if $enabled is true' do
124 if param_hash['enabled']
125 should contain_exec('keystone-manage db_sync').with(
127 :refreshonly => true,
128 :subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'],
129 :require => 'User[keystone]'
134 it 'should contain correct config' do
144 should contain_keystone_config("DEFAULT/#{config}").with_value(param_hash[config])
# admin_token is keystone's shared bootstrap credential, so besides the value
# the example requires secret => true on the resource (presumably so the
# provider keeps the value out of logs and reports -- confirm in the
# keystone_config type).
148 it 'should contain correct admin_token config' do
149 should contain_keystone_config('DEFAULT/admin_token').with_value(param_hash['admin_token']).with_secret(true)
# The connection URL can carry a database password, hence the same
# secret => true requirement on database/connection.
152 it 'should contain correct mysql config' do
153 should contain_keystone_config('database/idle_timeout').with_value(param_hash['database_idle_timeout'])
154 should contain_keystone_config('database/connection').with_value(param_hash['database_connection']).with_secret(true)
157 it { should contain_keystone_config('token/provider').with_value(
158 param_hash['token_provider']
161 it 'should contain correct token driver' do
162 should contain_keystone_config('token/driver').with_value(param_hash['token_driver'])
# Endpoints are written only when supplied; otherwise the setting must be
# removed (ensure => absent) rather than left at a stale value.
165 it 'should ensure proper setting of admin_endpoint and public_endpoint' do
166 if param_hash['admin_endpoint']
167 should contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint'])
169 should contain_keystone_config('DEFAULT/admin_endpoint').with_ensure('absent')
171 if param_hash['public_endpoint']
172 should contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint'])
174 should contain_keystone_config('DEFAULT/public_endpoint').with_ensure('absent')
# The broker password is the third value required to be flagged secret.
178 it 'should contain correct rabbit_password' do
179 should contain_keystone_config('DEFAULT/rabbit_password').with_value(param_hash['rabbit_password']).with_secret(true)
183 [default_params, override_params].each do |param_hash|
184 describe "when #{param_hash == default_params ? "using default" : "specifying"} class parameters for service" do
190 it_configures 'core keystone examples', param_hash
192 it { should contain_service('keystone').with(
193 'ensure' => param_hash['enabled'] ? 'running' : 'stopped',
194 'enable' => param_hash['enabled'],
202 describe "when using default class parameters for httpd" do
207 let :pre_condition do
211 it_configures 'core keystone examples', httpd_params
215 should contain_service('keystone')
216 }.to raise_error(RSpec::Expectations::ExpectationNotMetError, /expected that the catalogue would contain Service\[keystone\]/)
# The deprecated sql_connection parameter is expected to end up in
# database/connection.
# NOTE(review): unlike the 'should contain correct mysql config' example, this
# assertion does not chain .with_secret(true), so losing the secret flag on
# the deprecated path would go unnoticed even though the fixture URL embeds
# credentials. Consider adding it once confirmed against the manifest.
221 describe 'with deprecated sql_connection parameter' do
223 { :admin_token => 'service_token',
224 :sql_connection => 'mysql://a:b@c/d' }
227 it { should contain_keystone_config('database/connection').with_value(params[:sql_connection]) }
230 describe 'with deprecated idle_timeout parameter' do
232 { :admin_token => 'service_token',
233 :idle_timeout => 365 }
236 it { should contain_keystone_config('database/idle_timeout').with_value(params[:idle_timeout]) }
239 describe 'when configuring signing token provider' do
241 describe 'when configuring as UUID' do
244 'admin_token' => 'service_token',
245 'token_provider' => 'keystone.token.providers.uuid.Provider'
248 it { should contain_exec('keystone-manage pki_setup').with(
249 :creates => '/etc/keystone/ssl/private/signing_key.pem'
251 it { should contain_file('/var/cache/keystone').with_ensure('directory') }
253 describe 'when overriding the cache dir' do
255 params.merge!(:cache_dir => '/var/lib/cache/keystone')
257 it { should contain_file('/var/lib/cache/keystone') }
260 describe 'when disable pki_setup' do
262 params.merge!(:enable_pki_setup => false)
264 it { should_not contain_exec('keystone-manage pki_setup') }
268 describe 'when configuring as PKI' do
271 'admin_token' => 'service_token',
272 'token_provider' => 'keystone.token.providers.pki.Provider'
275 it { should contain_exec('keystone-manage pki_setup').with(
276 :creates => '/etc/keystone/ssl/private/signing_key.pem'
278 it { should contain_file('/var/cache/keystone').with_ensure('directory') }
280 describe 'when overriding the cache dir' do
282 params.merge!(:cache_dir => '/var/lib/cache/keystone')
284 it { should contain_file('/var/lib/cache/keystone') }
287 describe 'when disable pki_setup' do
289 params.merge!(:enable_pki_setup => false)
291 it { should_not contain_exec('keystone-manage pki_setup') }
295 describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
298 'admin_token' => 'service_token',
299 'token_provider' => 'keystone.token.providers.uuid.Provider',
300 'enable_pki_setup' => false,
301 'signing_certfile' => 'signing_certfile',
302 'signing_keyfile' => 'signing_keyfile',
303 'signing_ca_certs' => 'signing_ca_certs',
304 'signing_ca_key' => 'signing_ca_key',
305 'signing_cert_subject' => 'signing_cert_subject',
306 'signing_key_size' => 2048
310 it { should_not contain_exec('keystone-manage pki_setup') }
312 it 'should contain correct PKI certfile config' do
313 should contain_keystone_config('signing/certfile').with_value('signing_certfile')
316 it 'should contain correct PKI keyfile config' do
317 should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
320 it 'should contain correct PKI ca_certs config' do
321 should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
324 it 'should contain correct PKI ca_key config' do
325 should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
328 it 'should contain correct PKI cert_subject config' do
329 should contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
332 it 'should contain correct PKI key_size config' do
333 should contain_keystone_config('signing/key_size').with_value('2048')
337 describe 'when configuring PKI signing cert paths with pki_setup disabled' do
340 'admin_token' => 'service_token',
341 'token_provider' => 'keystone.token.providers.pki.Provider',
342 'enable_pki_setup' => false,
343 'signing_certfile' => 'signing_certfile',
344 'signing_keyfile' => 'signing_keyfile',
345 'signing_ca_certs' => 'signing_ca_certs',
346 'signing_ca_key' => 'signing_ca_key',
347 'signing_cert_subject' => 'signing_cert_subject',
348 'signing_key_size' => 2048
352 it { should_not contain_exec('keystone-manage pki_setup') }
354 it 'should contain correct PKI certfile config' do
355 should contain_keystone_config('signing/certfile').with_value('signing_certfile')
358 it 'should contain correct PKI keyfile config' do
359 should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
362 it 'should contain correct PKI ca_certs config' do
363 should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
366 it 'should contain correct PKI ca_key config' do
367 should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
370 it 'should contain correct PKI cert_subject config' do
371 should contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
374 it 'should contain correct PKI key_size config' do
375 should contain_keystone_config('signing/key_size').with_value('2048')
# An unsupported catalog_type must fail catalogue compilation.
# NOTE(review): the "|" in the expected-message pattern is unescaped, so the
# regexp is an alternation. It is satisfied by any error containing either
# `validate_re(): "invalid" does not match "template` or just `sql"`, which is
# looser than it reads. Writing `template\|sql` would pin the whole message,
# assuming the error text contains the literal `template|sql` -- confirm
# against the validate_re output.
379 describe 'with invalid catalog_type' do
381 { :admin_token => 'service_token',
382 :catalog_type => 'invalid' }
385 it_raises "a Puppet::Error", /validate_re\(\): "invalid" does not match "template|sql"/
388 describe 'when configuring catalog driver' do
390 { :admin_token => 'service_token',
391 :catalog_driver => 'keystone.catalog.backends.alien.AlienCatalog' }
394 it { should contain_keystone_config('catalog/driver').with_value(params[:catalog_driver]) }
397 describe 'when configuring deprecated token_format as UUID with enable_pki_setup' do
400 'admin_token' => 'service_token',
401 'token_format' => 'UUID'
404 it { should contain_exec('keystone-manage pki_setup').with(
405 :creates => '/etc/keystone/ssl/private/signing_key.pem'
407 it { should contain_file('/var/cache/keystone').with_ensure('directory') }
408 describe 'when overriding the cache dir' do
411 'admin_token' => 'service_token',
412 'token_provider' => 'keystone.token.providers.pki.Provider',
413 'cache_dir' => '/var/lib/cache/keystone'
416 it { should contain_file('/var/lib/cache/keystone') }
420 describe 'when configuring deprecated token_format as UUID without enable_pki_setup' do
423 'admin_token' => 'service_token',
424 'token_format' => 'UUID',
425 'enable_pki_setup' => false
428 it { should_not contain_exec('keystone-manage pki_setup') }
429 it { should contain_file('/var/cache/keystone').with_ensure('directory') }
430 describe 'when overriding the cache dir' do
433 'admin_token' => 'service_token',
434 'token_provider' => 'keystone.token.providers.uuid.Provider',
435 'cache_dir' => '/var/lib/cache/keystone'
438 it { should contain_file('/var/lib/cache/keystone') }
442 describe 'when configuring deprecated token_format as PKI with enable_pki_setup' do
445 'admin_token' => 'service_token',
446 'token_format' => 'PKI',
449 it { should contain_exec('keystone-manage pki_setup').with(
450 :creates => '/etc/keystone/ssl/private/signing_key.pem'
452 it { should contain_file('/var/cache/keystone').with_ensure('directory') }
453 describe 'when overriding the cache dir' do
456 'admin_token' => 'service_token',
457 'token_provider' => 'keystone.token.providers.pki.Provider',
458 'cache_dir' => '/var/lib/cache/keystone'
461 it { should contain_file('/var/lib/cache/keystone') }
465 describe 'when configuring deprecated token_format as PKI without enable_pki_setup' do
468 'admin_token' => 'service_token',
469 'token_format' => 'PKI',
470 'enable_pki_setup' => false
473 it { should_not contain_exec('keystone-manage pki_setup') }
474 it { should contain_file('/var/cache/keystone').with_ensure('directory') }
475 describe 'when overriding the cache dir' do
478 'admin_token' => 'service_token',
479 'token_provider' => 'keystone.token.providers.pki.Provider',
480 'cache_dir' => '/var/lib/cache/keystone'
483 it { should contain_file('/var/lib/cache/keystone') }
489 describe 'when configuring token expiration' do
492 'admin_token' => 'service_token',
493 'token_expiration' => '42',
497 it { should contain_keystone_config("token/expiration").with_value('42') }
500 describe 'when not configuring token expiration' do
503 'admin_token' => 'service_token',
507 it { should contain_keystone_config("token/expiration").with_value('3600') }
510 describe 'configure memcache servers if set' do
513 'admin_token' => 'service_token',
514 'memcache_servers' => [ 'SERVER1:11211', 'SERVER2:11211' ],
515 'token_driver' => 'keystone.token.backends.memcache.Token',
516 'cache_backend' => 'dogpile.cache.memcached',
517 'cache_backend_argument' => ['url:SERVER1:12211'],
521 it { should contain_keystone_config("memcache/servers").with_value('SERVER1:11211,SERVER2:11211') }
522 it { should contain_keystone_config('cache/enabled').with_value(true) }
523 it { should contain_keystone_config('token/caching').with_value(true) }
524 it { should contain_keystone_config('cache/backend').with_value('dogpile.cache.memcached') }
525 it { should contain_keystone_config('cache/backend_argument').with_value('url:SERVER1:12211') }
526 it { should contain_package('python-memcache').with(
527 :name => 'python-memcache',
532 describe 'do not configure memcache servers when not set' do
537 it { should contain_keystone_config("cache/enabled").with_ensure('absent') }
538 it { should contain_keystone_config("token/caching").with_ensure('absent') }
539 it { should contain_keystone_config("cache/backend").with_ensure('absent') }
540 it { should contain_keystone_config("cache/backend_argument").with_ensure('absent') }
541 it { should contain_keystone_config("cache/debug_cache_backend").with_ensure('absent') }
542 it { should contain_keystone_config("memcache/servers").with_ensure('absent') }
545 describe 'raise error if memcache_servers is not an array' do
548 'admin_token' => 'service_token',
549 'memcache_servers' => 'ANY_SERVER:11211'
553 it { expect { should contain_class('keystone::params') }.to \
554 raise_error(Puppet::Error, /is not an Array/) }
557 describe 'with syslog disabled by default' do
562 it { should contain_keystone_config('DEFAULT/use_syslog').with_value(false) }
563 it { should_not contain_keystone_config('DEFAULT/syslog_log_facility') }
566 describe 'with syslog enabled' do
568 default_params.merge({
569 :use_syslog => 'true',
573 it { should contain_keystone_config('DEFAULT/use_syslog').with_value(true) }
574 it { should contain_keystone_config('DEFAULT/syslog_log_facility').with_value('LOG_USER') }
577 describe 'with syslog enabled and custom settings' do
579 default_params.merge({
580 :use_syslog => 'true',
581 :log_facility => 'LOG_LOCAL0'
585 it { should contain_keystone_config('DEFAULT/use_syslog').with_value(true) }
586 it { should contain_keystone_config('DEFAULT/syslog_log_facility').with_value('LOG_LOCAL0') }
589 describe 'with log_file disabled by default' do
593 it { should contain_keystone_config('DEFAULT/log_file').with_ensure('absent') }
596 describe 'with log_file and log_dir enabled' do
598 default_params.merge({
599 :log_file => 'keystone.log',
600 :log_dir => '/var/lib/keystone'
603 it { should contain_keystone_config('DEFAULT/log_file').with_value('keystone.log') }
604 it { should contain_keystone_config('DEFAULT/log_dir').with_value('/var/lib/keystone') }
607 describe 'with log_file and log_dir disabled' do
609 default_params.merge({
614 it { should contain_keystone_config('DEFAULT/log_file').with_ensure('absent') }
615 it { should contain_keystone_config('DEFAULT/log_dir').with_ensure('absent') }
618 describe 'when configuring api binding with deprecated parameter' do
620 default_params.merge({
621 :bind_host => '10.0.0.2',
624 it { should contain_keystone_config('DEFAULT/public_bind_host').with_value('10.0.0.2') }
625 it { should contain_keystone_config('DEFAULT/admin_bind_host').with_value('10.0.0.2') }
628 describe 'when enabling SSL' do
631 'admin_token' => 'service_token',
632 'enable_ssl' => true,
633 'public_endpoint' => 'https://localhost:5000/v2.0/',
634 'admin_endpoint' => 'https://localhost:35357/v2.0/',
637 it {should contain_keystone_config('ssl/enable').with_value(true)}
638 it {should contain_keystone_config('ssl/certfile').with_value('/etc/keystone/ssl/certs/keystone.pem')}
639 it {should contain_keystone_config('ssl/keyfile').with_value('/etc/keystone/ssl/private/keystonekey.pem')}
640 it {should contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
641 it {should contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
642 it {should contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
643 it {should contain_keystone_config('DEFAULT/public_endpoint').with_value('https://localhost:5000/v2.0/')}
644 it {should contain_keystone_config('DEFAULT/admin_endpoint').with_value('https://localhost:35357/v2.0/')}
646 describe 'when disabling SSL' do
649 'admin_token' => 'service_token',
650 'enable_ssl' => false,
653 it {should contain_keystone_config('ssl/enable').with_value(false)}
654 it {should contain_keystone_config('DEFAULT/public_endpoint').with_ensure('absent')}
655 it {should contain_keystone_config('DEFAULT/admin_endpoint').with_ensure('absent')}
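# With no notification parameters supplied, none of the three notification
# settings may carry a value.
657 describe 'not setting notification settings by default' do
662 it { should contain_keystone_config('DEFAULT/notification_driver').with_value(nil) }
# The next two assertions were spelled `with_vaule`. rspec-puppet derives the
# parameter name from the method name, so the misspelling checked a
# non-existent "vaule" parameter and could never fail.
663 it { should contain_keystone_config('DEFAULT/notification_topics').with_value(nil) }
664 it { should contain_keystone_config('DEFAULT/control_exchange').with_value(nil) }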
# RabbitMQ-over-TLS parameters are expected to be written to the DEFAULT
# section exactly as given.
667 describe 'with RabbitMQ communication SSLed' do
# NOTE(review): merge! mutates default_params in place, whereas the sibling
# contexts use the non-mutating merge. default_params is also referenced at
# file level, so these keys presumably leak into contexts evaluated later and
# make results order-dependent -- confirm and prefer merge.
669 default_params.merge!({
670 :rabbit_use_ssl => true,
671 :kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
672 :kombu_ssl_certfile => '/path/to/ssl/cert/file',
673 :kombu_ssl_keyfile => '/path/to/ssl/keyfile',
# 'TLSv1' is only a pass-through fixture value here. TLS 1.0 is deprecated
# (RFC 8996); a deployment should set a current protocol version.
674 :kombu_ssl_version => 'TLSv1'
679 should contain_keystone_config('DEFAULT/rabbit_use_ssl').with_value('true')
680 should contain_keystone_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ssl/ca/certs')
681 should contain_keystone_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/ssl/cert/file')
682 should contain_keystone_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/ssl/keyfile')
683 should contain_keystone_config('DEFAULT/kombu_ssl_version').with_value('TLSv1')
# With rabbit_use_ssl false, every kombu_ssl_* setting is expected to be
# absent, including kombu_ssl_version even though 'TLSv1' is still passed in.
687 describe 'with RabbitMQ communication not SSLed' do
# NOTE(review): merge! mutates default_params in place, whereas most other
# contexts use the non-mutating merge. default_params is also referenced at
# file level, so these keys (including the literal string 'undef') presumably
# leak into contexts evaluated later -- confirm and prefer merge.
689 default_params.merge!({
690 :rabbit_use_ssl => false,
691 :kombu_ssl_ca_certs => 'undef',
692 :kombu_ssl_certfile => 'undef',
693 :kombu_ssl_keyfile => 'undef',
694 :kombu_ssl_version => 'TLSv1'
699 should contain_keystone_config('DEFAULT/rabbit_use_ssl').with_value('false')
700 should contain_keystone_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
701 should contain_keystone_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent')
702 should contain_keystone_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent')
703 should contain_keystone_config('DEFAULT/kombu_ssl_version').with_ensure('absent')
707 describe 'setting notification settings' do
709 default_params.merge({
710 :notification_driver => 'keystone.openstack.common.notifier.rpc_notifier',
711 :notification_topics => 'notifications',
712 :control_exchange => 'keystone'
716 it { should contain_keystone_config('DEFAULT/notification_driver').with_value('keystone.openstack.common.notifier.rpc_notifier') }
717 it { should contain_keystone_config('DEFAULT/notification_topics').with_value('notifications') }
718 it { should contain_keystone_config('DEFAULT/control_exchange').with_value('keystone') }
721 describe 'setting sql (default) catalog' do
726 it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.sql.Catalog') }
729 describe 'setting default template catalog' do
732 :admin_token => 'service_token',
733 :catalog_type => 'template'
737 it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.templated.Catalog') }
738 it { should contain_keystone_config('catalog/template_file').with_value('/etc/keystone/default_catalog.templates') }
741 describe 'with overridden validation_auth_url' do
744 :admin_token => 'service_token',
745 :validate_service => true,
746 :validate_auth_url => 'http://some.host:35357/v2.0',
747 :admin_endpoint => 'http://some.host:35357'
751 it { should contain_keystone_config('DEFAULT/admin_endpoint').with_value('http://some.host:35357') }
752 it { should contain_class('keystone::service').with(
754 'admin_endpoint' => 'http://some.host:35357/v2.0'
758 describe 'with service validation' do
761 :admin_token => 'service_token',
762 :validate_service => true,
763 :admin_endpoint => 'http://some.host:35357'
767 it { should contain_class('keystone::service').with(
769 'admin_endpoint' => 'http://some.host:35357'
773 describe 'setting another template catalog' do
776 :admin_token => 'service_token',
777 :catalog_type => 'template',
778 :catalog_template_file => '/some/template_file'
782 it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.templated.Catalog') }
783 it { should contain_keystone_config('catalog/template_file').with_value('/some/template_file') }
786 describe 'setting service_provider' do
789 :osfamily => 'RedHat',
790 :operatingsystemrelease => '6.0'
794 describe 'with default service_provider' do
796 { 'admin_token' => 'service_token' }
799 it { should contain_service('keystone').with(
804 describe 'with overrided service_provider' do
807 'admin_token' => 'service_token',
808 'service_provider' => 'pacemaker'
812 it { should contain_service('keystone').with(
813 :provider => 'pacemaker'