CONFIG_PARAM= not handled well by hiera

tl;dr - CONFIG_PARAM= in an ans.txt file is not handled well or consistently. This has not caused problems for anyone but me (the keystone ldap commit) by a combination of hacking around bogus behavior, and dumb luck.

The problem is this: If you have an ans.txt file with

CONFIG_PARAM=

That is, there is only a newline after the = - an empty value, this is read into packstack by ConfigParser and turned into this config element:

config['CONFIG_PARAM'] = ''

That is, the config parameter is present, and has the value of the empty string. Note that in python, '' != None.

When this gets converted to yaml, it comes out like this:

CONFIG_PARAM: ''

When this gets used in puppet by hiera, it comes out like this:

$value = hiera('CONFIG_PARAM')

$value is '' - note that in puppet '' != undef, so this will not trigger default class parameter evaluation (bad).

So, why is this a problem for me, and not anyone else? Good question. I worked with Ivan last night who found the following in his defaults.yaml in testing:

$ grep "['][']" /var/tmp/packstack/20141204-000528-OE65bD/hieradata/defaults.yaml
CONFIG_AMQP_NSS_CERTDB_PW: ''
CONFIG_AMQP_SSL_CERT_FILE: ''
CONFIG_AMQP_SSL_KEY_FILE: ''
CONFIG_DEFAULT_PASSWORD: ''
CONFIG_NEUTRON_ML2_VXLAN_GROUP: ''
CONFIG_NEUTRON_OVS_BRIDGE_IFACES: ''
CONFIG_NEUTRON_OVS_TUNNEL_IF: ''
CONFIG_NTP_SERVERS: ''
CONFIG_PROVISION_TEMPEST_USER: ''
CONFIG_REPO: ''
CONFIG_RH_USER: ''
CONFIG_SATELLITE_URL: ''
CONFIG_SWIFT_STORAGES: ''
EXCLUDE_SERVERS: ''

I went through every single one of these parameters to find out how they are used with hiera in puppet.

CONFIG_AMQP_NSS_CERTDB_PW
CONFIG_AMQP_SSL_CERT_FILE
CONFIG_AMQP_SSL_KEY_FILE

These are only used if CONFIG_AMQP_ENABLE_SSL is set to a value that evaluates to true in puppet, which means it is probably not tested or used very often, which is why no one seems to have a problem. The code assumes that if they are not set, they should be set to undef. Since '' != undef, empty strings will be used for these values, which means the cert db for amqp will have no password == unencrypted. This is bad.

CONFIG_DEFAULT_PASSWORD - not used directly in puppet template code

CONFIG_NEUTRON_ML2_VXLAN_GROUP - the puppet code explicitly hacks around the bogus '' definition:

if hiera('CONFIG_NEUTRON_ML2_VXLAN_GROUP') == '' {
  $vxlan_group_value = undef
} else {
  $vxlan_group_value = hiera('CONFIG_NEUTRON_ML2_VXLAN_GROUP')
}

CONFIG_NEUTRON_OVS_BRIDGE_IFACES - not used

CONFIG_NEUTRON_OVS_TUNNEL_IF - handled in puppet by a hack similar to CONFIG_NEUTRON_ML2_VXLAN_GROUP

CONFIG_NTP_SERVERS - used like this:
$cfg_ntp_servers = hiera('CONFIG_NTP_SERVERS')
exec { 'ntpdate':
  command => "/usr/sbin/ntpdate ${cfg_ntp_servers}",
  tries => 3,
}

This is equivalent to calling ntpdate with no arguments. I'm not sure what happens in this case.

CONFIG_PROVISION_TEMPEST_USER - explicitly tested for a value of '' meaning not set

CONFIG_REPO
CONFIG_RH_USER
CONFIG_SATELLITE_URL
CONFIG_SWIFT_STORAGES
EXCLUDE_SERVERS

None of these are used directly in puppet code.