Getting Started with Puppet for Keystone

TripleO uses Puppet to manage the resources in a deployment, and Puppet ships a command line tool, puppet resource, for inspecting and changing those resources directly.

On my deployed Overcloud, I have:

ls /etc/puppet/modules/keystone/lib/puppet/provider
keystone         keystone_domain_config      keystone_paste_ini  keystone_service  keystone_user_role
keystone_config  keystone_endpoint           keystone.rb         keystone_tenant
keystone_domain  keystone_identity_provider  keystone_role       keystone_user

So I can use the puppet CLI to query the state of my system or to make changes.

To look at the config:

sudo puppet resource keystone_config
keystone_config { 'DEFAULT/admin_bind_host':
  ensure => 'present',
  value  => '10.149.2.13',
}
keystone_config { 'DEFAULT/admin_port':
  ensure => 'present',
  value  => '35357',
}
keystone_config { 'DEFAULT/admin_token':
  ensure => 'present',
  value  => 'vtNheM6drk4mgKgbAtWQPrYJe',
}
keystone_config { 'DEFAULT/log_dir':
  ensure => 'present',
  value  => '/var/log/keystone',
}
...

OK, Admin Token is gross.

$ sudo puppet resource keystone_config DEFAULT/admin_token
keystone_config { 'DEFAULT/admin_token':
  ensure => 'present',
  value  => 'vtNheM6drk4mgKgbAtWQPrYJe',
}

Let’s get rid of that:

sudo puppet resource keystone_config DEFAULT/admin_token ensure=absent
Notice: /Keystone_config[DEFAULT/admin_token]/ensure: removed
keystone_config { 'DEFAULT/admin_token':
  ensure => 'absent',
}

Let’s add a user:

$ sudo puppet resource keystone_users
Error: Could not run: Could not find type keystone_users
[heat-admin@overcloud-controller-0 ~]$ 

Uh oh…what did I do?

[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_config DEFAULT/admin_token ensure=present value=vtNheM6drk4mgKgbAtWQPrYJe
Notice: /Keystone_config[DEFAULT/admin_token]/ensure: created
keystone_config { 'DEFAULT/admin_token':
  ensure => 'present',
  value  => 'vtNheM6drk4mgKgbAtWQPrYJe',
}
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_user
keystone_user { 'admin':
  ensure  => 'present',
  email   => 'admin@example.com',
  enabled => 'true',
  id      => '7cbc569993ae41e7b2736ed2aa727644',
}
...

So it looks like the Puppet Keystone providers use the admin token to authenticate the operations they run against Keystone.

But I really want to get rid of that admin token…

Back on the undercloud, I have created a Keystone V3 RC file. I’m going to copy that to /root/openrc on the overcloud controller, which is where the providers look for credentials when no admin token is configured.

[stack@undercloud ~]$ scp overcloudrc.v3 heat-admin@10.149.2.13:
[stack@undercloud ~]$ ssh heat-admin@10.149.2.13
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_config DEFAULT/admin_token ensure=absent
keystone_config { 'DEFAULT/admin_token':
  ensure => 'absent',
}
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_user
Error: Could not run: Insufficient credentials to authenticate
[heat-admin@overcloud-controller-0 ~]$ sudo cp  overcloudrc.v3 /root/openrc
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_user
keystone_user { 'admin':
  ensure  => 'present',
  email   => 'admin@example.com',
  enabled => 'true',
  id      => '7cbc569993ae41e7b2736ed2aa727644',
}
...

Now let’s add a user:

$ sudo puppet resource keystone_user ayoung ensure=present email=ayoung@redhat.com enabled=true password=FreeIPA4All
Notice: /Keystone_user[ayoung]/ensure: created
keystone_user { 'ayoung':
  ensure  => 'present',
  email   => 'ayoung@redhat.com',
  enabled => 'false',
}
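Since the point of the exercise above is that the admin token is gone and the providers now authenticate from /root/openrc, here is a small audit script (added here, not part of the original post or of the puppet-keystone module) that checks a controller for both conditions. It assumes the config lives at /etc/keystone/keystone.conf and the RC file at /root/openrc; both are parameters so it can also run against copies.

```shell
#!/bin/sh
# Added example, not from the original post or the puppet-keystone module:
# audit a controller for a lingering DEFAULT/admin_token and check that the
# credential file the Puppet providers fall back to is root-only.
# Assumed default paths: /etc/keystone/keystone.conf and /root/openrc.

# Return 0 when [DEFAULT] admin_token is set (non-empty, not commented out) in $1.
admin_token_present() {
  awk '
    /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[DEFAULT\]/) }
    in_default && /^[ \t]*admin_token[ \t]*=[ \t]*[^ \t]/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Return 0 when $1 exists and only its owner has any access (mode 600 or stricter).
openrc_is_private() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  # Any group/other bit means the admin password in the RC file is exposed.
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report both checks for one node; returns 0 only when the node is clean.
audit_keystone_node() {
  conf=${1:-/etc/keystone/keystone.conf}
  rc=${2:-/root/openrc}
  status=0
  if admin_token_present "$conf"; then
    echo "WARN: $conf still sets DEFAULT/admin_token; remove it with"
    echo "      sudo puppet resource keystone_config DEFAULT/admin_token ensure=absent"
    status=1
  else
    echo "OK:   no admin_token in $conf"
  fi
  if openrc_is_private "$rc"; then
    echo "OK:   $rc is present and owner-only"
  else
    echo "WARN: $rc is missing or readable by group/other; providers will fail or the admin password leaks"
    status=1
  fi
  return "$status"
}
```

Run it as root on the controller with no arguments to check the live paths; a non-zero exit means at least one of the two conditions is not met.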

Big shout-out to Emilien Macchi, who is the Master of Keystone Puppets and taught me about the openrc file.
