Create a separate class to manage the trustee options

This change introduces the new heat::trustee class to manage
the parameters in the [trustee] options. These options have been set
according to authtoken parameters but it makes maintenance complicated
and the logic doesn't work properly when noauth is used.

This change also removes the [trustee] project_domain_name parameter
because the parameter has never been used actually.

Change-Id: I694a8ea771cc4d4dcfbf8384ece2be10d83ab3f0

manifests/init.pp

@@ -452,22 +452,18 @@ Use heat::engine::max_stacks_per_tenant instead.')
     password              => $amqp_password,
   }
 
-  $www_authenticate_uri = $::heat::keystone::authtoken::www_authenticate_uri
+  if !defined(Class[heat::trustee]) {
-  $auth_url = $::heat::keystone::authtoken::auth_url
+    warning('The heat:trustee class will be required to set trustee opiton in a future release')
-  $keystone_username = $::heat::keystone::authtoken::username
+    include heat::trustee
-  $keystone_password = $::heat::keystone::authtoken::password
+  }
-  $keystone_project_domain_name = $::heat::keystone::authtoken::project_domain_name
+  # TODO(tkajinam): Remove this when we remove the above logic
-  $keystone_user_domain_name = $::heat::keystone::authtoken::user_domain_name
+  heat_config {
+    'trustee/project_domain_name': ensure => absent;
+  }
 
   heat_config {
-    'trustee/auth_type':           value => 'password';
+    'clients_heat/url':      value => $heat_clients_url;
-    'trustee/auth_url':            value => $auth_url;
+    'clients/endpoint_type': value => $heat_clients_endpoint_type;
-    'trustee/username':            value => $keystone_username;
-    'trustee/password':            value => $keystone_password, secret => true;
-    'trustee/project_domain_name': value => $keystone_project_domain_name;
-    'trustee/user_domain_name':    value => $keystone_user_domain_name;
-    'clients_heat/url':            value => $heat_clients_url;
-    'clients/endpoint_type':       value => $heat_clients_endpoint_type;
   }
 
   if (!is_service_default($enable_stack_adopt)) {

manifests/trustee.pp

@@ -0,0 +1,66 @@
+# Class heat::trustee
+#
+#  heat trustee configuration
+#
+# == Parameters
+#
+# [*password*]
+#   (optional) Password for connecting to Cinder services in
+#   admin context through the OpenStack Identity service.
+#   Defaults to $::os_service_default
+#
+# [*auth_type*]
+#   (optional) Name of the auth type to load (string value)
+#   Defaults to 'password'
+#
+# [*auth_url*]
+#   (optional) Points to the OpenStack Identity server IP and port.
+#   This is the Identity (keystone) admin API server IP and port value,
+#   and not the Identity service API IP and port.
+#   Defaults to 'http://127.0.0.1:5000/'
+#
+# [*username*]
+#   (optional) Username for connecting to Cinder services in admin context
+#   through the OpenStack Identity service.
+#   Defaults to 'heat'
+#
+# [*user_domain_name*]
+#   (optional) User Domain name for connecting to Cinder services in
+#   admin context through the OpenStack Identity service.
+#   Defaults to 'Default'
+#
+class heat::trustee (
+  $password         = undef,
+  $auth_type        = undef,
+  $auth_url         = undef,
+  $username         = undef,
+  $user_domain_name = undef,
+) {
+
+  include heat::deps
+
+  if defined(Class[heat::keystone::authtoken]) {
+    # TODO(tkajinam): The following logic was added to keep compatibility with
+    # the old version which determines the trustee parameters based on
+    # authtoken parameters. This should be removed after Y release.
+    $password_real         = pick($password, $::heat::keystone::authtoken::password)
+    $auth_type_real        = pick($auth_type, $::heat::keystone::authtoken::auth_type)
+    $auth_url_real         = pick($auth_url, $::heat::keystone::authtoken::auth_url)
+    $username_real         = pick($username, $::heat::keystone::authtoken::username)
+    $user_domain_name_real = pick($user_domain_name, $::heat::keystone::authtoken::user_domain_name)
+  } else {
+    $password_real         = pick($password, $::os_service_default)
+    $auth_type_real        = pick($auth_type, 'password')
+    $auth_url_real         = pick($auth_url, 'http://127.0.0.1:5000/')
+    $username_real         = pick($username, 'heat')
+    $user_domain_name_real = pick($user_domain_name, 'Default')
+  }
+
+  heat_config {
+    'trustee/password':         value => $password_real, secret => true;
+    'trustee/auth_type':        value => $auth_type_real;
+    'trustee/auth_url':         value => $auth_url_real;
+    'trustee/username':         value => $username_real;
+    'trustee/user_domain_name': value => $user_domain_name_real;
+  }
+}

releasenotes/notes/trustee-opts-947b2ad84a44701f.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    The new ``heat::trustee`` class has been added. This class supports
+    parameters define in the ``trustee`` section.
+
+deprecations:
+  - |
+    The ``heat::trustee`` class should be included to manage ``trustee``
+    option. This class is included by the ``heat`` class and the parameters are
+    defined automatically based on the ``heat::keystone::authtoken`` class to
+    keep compatibility but this behavior will be removed in a future release.

spec/classes/heat_init_spec.rb

@@ -91,10 +91,6 @@ describe 'heat' do
       is_expected.to contain_heat_config('DEFAULT/max_json_body_size').with_value('<SERVICE DEFAULT>')
     end
 
-    it 'configures project_domain_*' do
-      is_expected.to contain_heat_config('trustee/project_domain_name').with_value( 'Default' )
-    end
-
     it 'configures user_domain_*' do
       is_expected.to contain_heat_config('trustee/user_domain_name').with_value( 'Default' )
     end
@@ -317,12 +313,10 @@ describe 'heat' do
   shared_examples_for "with custom keystone project_domain_* and user_domain_*" do
     before do
       params.merge!({
-        :keystone_project_domain_name => 'domain1',
+        :keystone_user_domain_name => 'domain1',
-        :keystone_user_domain_name    => 'domain1',
       })
     end
     it 'configures project_domain_* and user_domain_*' do
-      is_expected.to contain_heat_config('trustee/project_domain_name').with_value("domain1");
       is_expected.to contain_heat_config('trustee/user_domain_name').with_value("domain1");
     end
   end

spec/classes/heat_trustree_spec.rb

@@ -0,0 +1,96 @@
+require 'spec_helper'
+
+describe 'heat::trustee' do
+
+  shared_examples_for 'heat::trustee' do
+
+    context 'with defaults' do
+      let :params do
+        {}
+      end
+      it 'configures trustee options' do
+        is_expected.to contain_heat_config('trustee/password').with_value('<SERVICE DEFAULT>').with_secret(true)
+        is_expected.to contain_heat_config('trustee/auth_url').with_value('http://127.0.0.1:5000/')
+        is_expected.to contain_heat_config('trustee/auth_type').with_value('password')
+        is_expected.to contain_heat_config('trustee/username').with_value('heat')
+        is_expected.to contain_heat_config('trustee/user_domain_name').with_value('Default')
+      end
+    end
+
+    context 'with parameters overridden' do
+      let :params do
+        {
+          :password         => 'heat_password',
+          :auth_type        => 'v3password',
+          :auth_url         => 'https://localhost:13000/',
+          :username         => 'alt_heat',
+          :user_domain_name => 'MyDomain',
+        }
+      end
+      it 'configures trustee options' do
+        is_expected.to contain_heat_config('trustee/password').with_value('heat_password').with_secret(true)
+        is_expected.to contain_heat_config('trustee/auth_url').with_value('https://localhost:13000/')
+        is_expected.to contain_heat_config('trustee/auth_type').with_value('v3password')
+        is_expected.to contain_heat_config('trustee/username').with_value('alt_heat')
+        is_expected.to contain_heat_config('trustee/user_domain_name').with_value('MyDomain')
+      end
+    end
+
+    context 'with authtoken defaults' do
+      let :pre_condition do
+        "class { 'heat::keystone::authtoken':
+           password => 'heat_password',
+         }"
+      end
+
+      let :params do
+        {}
+      end
+
+      it 'configures trustee options' do
+        is_expected.to contain_heat_config('trustee/password').with_value('heat_password').with_secret(true)
+        is_expected.to contain_heat_config('trustee/auth_url').with_value('http://127.0.0.1:5000/')
+        is_expected.to contain_heat_config('trustee/auth_type').with_value('password')
+        is_expected.to contain_heat_config('trustee/username').with_value('heat')
+        is_expected.to contain_heat_config('trustee/user_domain_name').with_value('Default')
+      end
+    end
+
+    context 'with authtoken parameters' do
+      let :pre_condition do
+        "class { 'heat::keystone::authtoken':
+           password         => 'heat_password',
+           auth_type        => 'v3password',
+           auth_url         => 'https://localhost:13000/',
+           username         => 'alt_heat',
+           user_domain_name => 'MyDomain',
+         }"
+      end
+
+      let :params do
+        {}
+      end
+
+      it 'configures trustee options' do
+        is_expected.to contain_heat_config('trustee/password').with_value('heat_password').with_secret(true)
+        is_expected.to contain_heat_config('trustee/auth_url').with_value('https://localhost:13000/')
+        is_expected.to contain_heat_config('trustee/auth_type').with_value('v3password')
+        is_expected.to contain_heat_config('trustee/username').with_value('alt_heat')
+        is_expected.to contain_heat_config('trustee/user_domain_name').with_value('MyDomain')
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os   => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_configures 'heat::trustee'
+    end
+  end
+
+end