Formulas testing revision 2019/10

Partial cherry-pick of fixes in c4b6ed93cbcbf8115d1887bd60048524c95f6d20

Related: PROD-32744
Related: PROD-33633
Related: PROD-33634
Related: PROD-33698
Related: PROD-33984

Change-Id: I8bcf38769b69d0677d97f6207a147b6b6786ee4b
diff --git a/tests/integration/pike/single/config_spec.rb b/tests/integration/pike/single/config_spec.rb
new file mode 100644
index 0000000..156f002
--- /dev/null
+++ b/tests/integration/pike/single/config_spec.rb
@@ -0,0 +1,245 @@
+ssl_enabled = attribute("ssl", default: false)
+keystone_default_ssl = {
+  'transport_url' => 'rabbit://openstack:password@',
+  'log_config_append'         => '/etc/keystone/logging.conf',
+  'debug'                     => 'false',
+  'notification_format'       => 'cadf',
+  'admin_token'               => 'RANDOMSTRINGTOKEN',
+  'log_dir'                   => '/var/log/keystone',
+  'secure_proxy_ssl_header'   => 'HTTP_X_FORWARDED_PROTO',
+  'verbose'                   => 'true',
+keystone_default = {
+  'transport_url' => 'rabbit://openstack:password@',
+  'log_config_append'         => '/etc/keystone/logging.conf',
+  'debug'                     => 'false',
+  'notification_format'       => 'cadf',
+  'admin_token'               => 'RANDOMSTRINGTOKEN',
+  'log_dir'                   => '/var/log/keystone',
+  'secure_proxy_ssl_header'   => 'HTTP_X_FORWARDED_PROTO',
+  'verbose'                   => 'true',
+keystone_assignment = {
+  'driver' => 'sql'
+keystone_auth = {
+  'methods' => 'password,token',
+  'oidc'    => 'keystone.auth.plugins.mapped.Mapped',
+  'saml2'   => 'keystone.auth.plugins.mapped.Mapped',
+keystone_catalog = {
+  'template_file' => 'default_catalog.templates',
+  'driver'        => 'sql',
+keystone_credential = {
+  'key_repository' => '/var/lib/keystone/credential-keys'
+keystone_fernet_tokens = {
+  'key_repository'  => '/etc/keystone/fernet-keys/',
+  'max_active_keys' => '3',
+keystone_identity = {
+  'driver'                          => 'sql',
+keystone_token = {
+  'expiration'     => '86400',
+  'provider'       => 'fernet',
+  'caching'        => 'false',
+  'hash_algorithm' => 'sha256',
+  'driver'         => 'keystone.token.persistence.backends.memcache_pool.Token',
+  'revoke_by_id'   => 'False',
+keystone_cache = {
+  'backend'          => 'oslo_cache.memcache_pool',
+  'enabled'          => 'True',
+  'memcache_servers' => '',
+keystone_oslo_messaging_rabbit = {
+  'heartbeat_timeout_threshold' => '0',
+  'heartbeat_rate'              => '2',
+keystone_oslo_messaging_rabbit_ssl = {
+  'rabbit_use_ssl'     => 'true',
+  'kombu_ssl_version'  => 'TLSv1_2',
+  'kombu_ssl_ca_certs' => '/etc/keystone/ssl/mysql/ca-cert.pem',
+keystone_database = {
+  'connection'              => 'mysql+pymysql://keystone:passw0rd@',
+  'max_pool_size'           => '10',
+  'max_retries'             => '-1',
+  'max_overflow'            => '30',
+  'idle_timeout'            => '3600',
+keystone_database_ssl = {
+  'connection'              => 'mysql+pymysql://keystone:passw0rd@',
+  'max_pool_size'           => '10',
+  'max_retries'             => '-1',
+  'max_overflow'            => '30',
+  'idle_timeout'            => '3600',
+keystone_oslo_middleware = {
+  'max_request_body_size'        => '114688',
+  'enable_proxy_headers_parsing' => 'True',
+keystone_cors = {
+  'allowed_origin'    => '',
+  'allow_credentials' => 'True',
+  'expose_headers'    => 'X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token',
+  'max_age'           => '3600',
+  'allow_methods'     => 'GET,PUT,POST,DELETE,PATCH',
+  'allow_headers'     => 'X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name',
+keystone_profiler = {
+  'enabled' => 'True',
+keystone_oidc = {
+  'remote_id_attribute' => 'HTTP_OIDC_ISS'
+keystone_saml2 = {
+  'remote_id_attribute' => 'HTTP_OIDC_ISS'
+keystone_security_compliance = {
+  'disable_user_account_days_inactive' => '90',
+  'lockout_failure_attempts'           => '60',
+  'lockout_duration'                   => '600',
+  'password_expires_days'              => '730',
+  'unique_last_password_count'         => '5',
+  'minimum_password_age'               => '0',
+  'password_regex'                     => '^[a-zA-Z0-9]{32,}$$',
+  'password_regex_description'         => 'Your password could contains capital letters, lowercase letters, digits and have a minimum length of 32 characters',
+  'change_password_upon_first_use'     => 'False',
+keystone_federation = {
+  'cache_group_membership_in_db' => 'True',
+keystone_resource = {
+  'admin_project_domain_name' => 'project',
+  'admin_project_name'        => 'projectname',
+keystone_extra_headers = {
+  'Distribution'          => 'Ubuntu',
+control 'Keystone' do
+  describe parse_config_file('/etc/keystone/keystone.conf') do
+    describe 'Keystone messaging' do
+      if ssl_enabled
+        keystone_oslo_messaging_rabbit.merge!(keystone_oslo_messaging_rabbit_ssl)
+        keystone_default.merge!(keystone_default_ssl)
+        describe 'SSL' do
+          its('DEFAULT') {
+            should include(keystone_default)
+          }
+          its('oslo_messaging_rabbit') {
+            should include(keystone_oslo_messaging_rabbit)
+          }
+        end
+      else
+        describe 'non SSL' do
+          its('DEFAULT') {
+            should include(keystone_default)
+          }
+          its('oslo_messaging_rabbit') {
+            should include(keystone_oslo_messaging_rabbit)
+          }
+        end
+      end
+    end
+    describe 'Keystone database' do
+      if ssl_enabled
+        keystone_database.merge!(keystone_database_ssl)
+        describe 'SSL' do
+          its('database') {
+            should include(keystone_database)
+          }
+        end
+      else
+        describe 'non SSL' do
+          its('database') {
+            should include(keystone_database)
+          }
+        end
+      end
+    end
+    describe 'Keystone config' do
+      its('DEFAULT') {
+        should include(keystone_default)
+      }
+      its('assignment') {
+        should include(keystone_assignment)
+      }
+      its('auth') {
+        should include(keystone_auth)
+      }
+      its('catalog') {
+        should include(keystone_catalog)
+      }
+      its('credential') {
+        should include(keystone_credential)
+      }
+      its('fernet_tokens') {
+        should include(keystone_fernet_tokens)
+      }
+      its('identity') {
+        should include(keystone_identity)
+      }
+      its('token') {
+        should include(keystone_token)
+      }
+      its('cors') {
+        should include(keystone_cors)
+      }
+      its('oidc') {
+        should include(keystone_oidc)
+      }
+      its('saml2') {
+        should include(keystone_saml2)
+      }
+      its('security_compliance') {
+        should include(keystone_security_compliance)
+      }
+      its('federation') {
+        should include(keystone_federation)
+      }
+      its('resource') {
+        should include(keystone_resource)
+      }
+      its('extra_headers') {
+        should include(keystone_extra_headers)
+      }
+    end
+  end
diff --git a/tests/integration/queens/single/config_spec.rb b/tests/integration/queens/single/config_spec.rb
new file mode 100644
index 0000000..f82b08e
--- /dev/null
+++ b/tests/integration/queens/single/config_spec.rb
@@ -0,0 +1,300 @@
+ssl_enabled = attribute('ssl', default: false)
+keystone_default_ssl = {
+  'conn_pool_min_size'           => '2',
+  'conn_pool_ttl'                => '1200',
+  'control_exchange'             => 'openstack',
+  'debug'                        => 'True',
+  'executor_thread_pool_size'    => '64',
+  'log_config_append'            => '/etc/keystone/logging.conf',
+  'log_dir'                      => 'logdir',
+  'log_file'                     => 'logfile.log',
+  'notification_format'          => 'cadf',
+  'rpc_ack_timeout_base'         => '15',
+  'rpc_ack_timeout_multiplier'   => '2',
+  'rpc_conn_pool_size'           => '30',
+  'rpc_message_ttl'              => '300',
+  'rpc_poll_timeout'             => '1',
+  'rpc_response_timeout'         => '60',
+  'rpc_retry_attempts'           => '3',
+  'rpc_thread_pool_size'         => '100',
+  'rpc_use_acks'                 => 'False',
+  'syslog_log_facility'          => 'LOG_USER',
+  'transport_url'                => 'rabbit://openstack:password@',
+  'use_syslog'                   => 'True',
+keystone_default = {
+  'conn_pool_min_size'           => '2',
+  'conn_pool_ttl'                => '1200',
+  'control_exchange'             => 'openstack',
+  'debug'                        => 'True',
+  'executor_thread_pool_size'    => '64',
+  'log_config_append'            => '/etc/keystone/logging.conf',
+  'log_dir'                      => 'logdir',
+  'log_file'                     => 'logfile.log',
+  'notification_format'          => 'cadf',
+  'rpc_ack_timeout_base'         => '15',
+  'rpc_ack_timeout_multiplier'   => '2',
+  'rpc_conn_pool_size'           => '30',
+  'rpc_message_ttl'              => '300',
+  'rpc_poll_timeout'             => '1',
+  'rpc_response_timeout'         => '60',
+  'rpc_retry_attempts'           => '3',
+  'rpc_thread_pool_size'         => '100',
+  'rpc_use_acks'                 => 'False',
+  'syslog_log_facility'          => 'LOG_USER',
+  'transport_url'                => 'rabbit://openstack:password@',
+  'use_syslog'                   => 'True',
+keystone_assignment = {
+  'driver' => 'sql'
+keystone_auth = {
+  'methods' => 'password,token',
+  'oidc'    => 'keystone.auth.plugins.mapped.Mapped',
+  'saml2'   => 'keystone.auth.plugins.mapped.Mapped',
+keystone_catalog = {
+  'template_file' => 'default_catalog.templates',
+  'driver'        => 'sql',
+keystone_credential = {
+  'key_repository' => '/var/lib/keystone/credential-keys'
+keystone_fernet_tokens = {
+  'key_repository'  => '/etc/keystone/fernet-keys/',
+  'max_active_keys' => '3',
+keystone_identity = {
+  'driver'                          => 'sql',
+keystone_token = {
+  'expiration'     => '86400',
+  'provider'       => 'fernet',
+  'caching'        => 'false',
+  'hash_algorithm' => 'sha256',
+keystone_cache = {
+  'backend'                      => 'oslo_cache.memcache_pool',
+  'enabled'                      => 'True',
+keystone_oslo_messaging_rabbit = {
+  'heartbeat_rate'                       => '2',
+keystone_oslo_messaging_rabbit_ssl = {
+  'channel_max'                          => '2',
+  'connection_factory'                   => 'single',
+  'default_notification_exchange'        => 'exchange',
+  'default_notification_retry_attempts'  => '1',
+  'default_rpc_exchange'                 => 'rpc_exchange',
+  'default_rpc_retry_attempts'           => '10',
+  'default_serializer_type'              => 'json',
+  'frame_max'                            => '2',
+  'heartbeat_interval'                   => '3',
+  'heartbeat_rate'                       => '2',
+  'heartbeat_timeout_threshold'          => '60',
+  'host_connection_reconnect_delay'      => '10',
+  'notification_listener_prefetch_count' => '100',
+  'notification_persistence'             => 'False',
+  'notification_retry_delay'             => '10',
+  'pool_max_overflow'                    => '0',
+  'pool_max_size'                        => '30',
+  'pool_recycle'                         => '600',
+  'pool_stale'                           => '60',
+  'pool_timeout'                         => '30',
+  'rabbit_ha_queues'                     => 'True',
+  'rabbit_interval_max'                  => '30',
+  'rabbit_qos_prefetch_count'            => '64',
+  'rabbit_retry_backoff'                 => '2',
+  'rabbit_retry_interval'                => '1',
+  'rabbit_transient_queues_ttl'          => '1800',
+  'rpc_listener_prefetch_count'          => '100',
+  'rpc_queue_expiration'                 => '60',
+  'rpc_reply_exchange'                   => 'rpc_reply_exchange',
+  'rpc_reply_listener_prefetch_count'    => '100',
+  'rpc_reply_retry_attempts'             => '10',
+  'rpc_reply_retry_delay'                => '10',
+  'rpc_retry_delay'                      => '10',
+  'socket_timeout'                       => '10',
+  'ssl'                                  => 'true',
+  'ssl_ca_file'                          => '/etc/keystone/ssl/mysql/ca-cert.pem',
+  'ssl_version'                          => 'TLSv1_2',
+  'tcp_user_timeout'                     => '10',
+keystone_database = {
+  'connection'              => 'mysql+pymysql://keystone:passw0rd@',
+  'max_overflow'            => '30',
+  'max_pool_size'           => '10',
+  'max_retries'             => '-1',
+keystone_database_ssl = {
+  'connection'              => 'mysql+pymysql://keystone:passw0rd@',
+  'max_overflow'            => '30',
+  'max_pool_size'           => '10',
+  'max_retries'             => '-1',
+  'connection_recycle_time' => '280',
+keystone_oslo_middleware = {
+  'max_request_body_size'        => '114688',
+  'enable_proxy_headers_parsing' => 'True',
+keystone_cors = {
+  'allowed_origin'    => '',
+  'allow_credentials' => 'True',
+  'expose_headers'    => 'X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token',
+  'max_age'           => '3600',
+  'allow_methods'     => 'GET,PUT,POST,DELETE,PATCH',
+  'allow_headers'     => 'X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name',
+keystone_oidc = {
+  'remote_id_attribute' => 'HTTP_OIDC_ISS'
+keystone_saml2 = {
+  'remote_id_attribute' => 'HTTP_OIDC_ISS'
+keystone_security_compliance = {
+  'disable_user_account_days_inactive' => '90',
+  'lockout_failure_attempts'           => '60',
+  'lockout_duration'                   => '600',
+  'password_expires_days'              => '730',
+  'unique_last_password_count'         => '5',
+  'minimum_password_age'               => '0',
+  'password_regex'                     => '^[a-zA-Z0-9]{32,}$$',
+  'password_regex_description'         => 'Your password could contains capital letters, lowercase letters, digits and have a minimum length of 32 characters',
+  'change_password_upon_first_use'     => 'False',
+keystone_federation = {
+  'cache_group_membership_in_db' => 'True',
+keystone_resource = {
+  'admin_project_domain_name' => 'project',
+  'admin_project_name'        => 'projectname',
+keystone_oslo_middleware = {
+  'max_request_body_size'  => '114688',
+control 'Keystone' do
+  describe parse_config_file('/etc/keystone/keystone.conf') do
+    describe 'Keystone messaging' do
+      if ssl_enabled
+        keystone_oslo_messaging_rabbit.merge!(keystone_oslo_messaging_rabbit_ssl)
+        keystone_default.merge!(keystone_default_ssl)
+        describe 'SSL' do
+          its('DEFAULT') {
+            should include(keystone_default)
+          }
+          its('oslo_messaging_rabbit') {
+            should include(keystone_oslo_messaging_rabbit)
+          }
+        end
+      else
+        describe 'non SSL' do
+          its('DEFAULT') {
+            should include(keystone_default)
+          }
+          its('oslo_messaging_rabbit') {
+            should include(keystone_oslo_messaging_rabbit)
+          }
+        end
+      end
+    end
+    describe 'Keystone database' do
+      if ssl_enabled
+        keystone_database.merge!(keystone_database_ssl)
+        describe 'SSL' do
+          its('database') {
+            should include(keystone_database)
+          }
+        end
+      else
+        describe 'non SSL' do
+          its('database') {
+            should include(keystone_database)
+          }
+        end
+      end
+    end
+    describe 'Keystone config' do
+      its('DEFAULT') {
+        should include(keystone_default)
+      }
+      its('assignment') {
+        should include(keystone_assignment)
+      }
+      its('auth') {
+        should include(keystone_auth)
+      }
+      its('catalog') {
+        should include(keystone_catalog)
+      }
+      its('credential') {
+        should include(keystone_credential)
+      }
+      its('fernet_tokens') {
+        should include(keystone_fernet_tokens)
+      }
+      its('identity') {
+        should include(keystone_identity)
+      }
+      its('token') {
+        should include(keystone_token)
+      }
+      its('cors') {
+        should include(keystone_cors)
+      }
+      its('oidc') {
+        should include(keystone_oidc)
+      }
+      its('saml2') {
+        should include(keystone_saml2)
+      }
+      its('security_compliance') {
+        should include(keystone_security_compliance)
+      }
+      its('federation') {
+        should include(keystone_federation)
+      }
+      its('resource') {
+        should include(keystone_resource)
+      }
+      its('oslo_middleware') {
+        should include(keystone_oslo_middleware)
+      }
+      its('cache') {
+        should include(keystone_cache)
+      }
+    end
+  end
diff --git a/tests/pillar/apache_wsgi.sls b/tests/pillar/apache_wsgi.sls
deleted file mode 100644
index 880b53d..0000000
--- a/tests/pillar/apache_wsgi.sls
+++ /dev/null
@@ -1,192 +0,0 @@
-# Server state
-  server:
-    enabled: true
-    version: liberty
-    service_name: apache2
-    service_token: RANDOMSTRINGTOKEN
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: passw0rd
-    admin_email: root@localhost
-    enable_proxy_headers_parsing: True
-    bind:
-      address:
-      private_address:
-      private_port: 35357
-      public_address:
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host: localhost
-      name: keystone
-      password: passw0rd
-      user: keystone
-    tokens:
-      engine: cache
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-    notification: false
-    notification_format: cadf
-    logging:
-      log_appender: false
-      log_handlers:
-        watchedfile:
-          enabled: true
-        fluentd:
-          enabled: false
-        ossyslog:
-          enabled: false
-    #message_queue:
-      #engine: rabbitmq
-      #host:
-      #port: 5672
-      #user: openstack
-      #password: password
-      #virtual_host: '/openstack'
-      #ha_queues: true
-# Client state
-  client:
-    enabled: false
-    server:
-      identity:
-        admin:
-          host: localhost
-          port: 35357
-          token: RANDOMSTRINGTOKEN
-        roles:
-        - admin
-        - Member
-        project:
-          service:
-            description: "OpenStack Service tenant"
-          admin:
-            description: "OpenStack Admin tenant"
-            user:
-              admin:
-                is_admin: true
-                password: passw0rd
-                email: admin@localhost
-        service:
-          keystone3:
-            type: identity
-            description: OpenStack Identity Service v3
-            endpoints:
-            - region: RegionOne
-              public_address: keystone
-              public_protocol: http
-              public_port: 5000
-              public_path: '/v3'
-              internal_address: keystone
-              internal_port: 5000
-              internal_path: '/v3'
-              admin_address: keystone
-              admin_port: 35357
-              admin_path: '/v3'
-          keystone:
-            type: identity
-            description: OpenStack Identity Service
-            endpoints:
-            - region: RegionOne
-              public_address: keystone
-              public_protocol: http
-              public_port: 5000
-              public_path: '/v2.0'
-              internal_address: keystone
-              internal_port: 5000
-              internal_path: '/v2.0'
-              admin_address: keystone
-              admin_port: 35357
-              admin_path: '/v2.0'
-          #keystone3:
-            #name: keystone3
-            #type: identity
-            #description: OpenStack Identity Service v3
-            #endpoints:
-            #- region: RegionTwo
-              #public_address: keystone
-              #public_protocol: http
-              #public_port: 5000
-              #public_path: '/v3'
-              #internal_address: keystone
-              #internal_port: 5000
-              #internal_path: '/v3'
-              #admin_address: keystone
-              #admin_port: 35357
-              #admin_path: '/v3'
-          #keystone:
-            #name: keystone
-            #type: identity
-            #description: OpenStack Identity Service
-            #endpoints:
-            #- region: RegionTwo
-              #public_address: keystone
-              #public_protocol: http
-              #public_port: 5000
-              #public_path: '/v2.0'
-              #internal_address: keystone
-              #internal_port: 5000
-              #internal_path: '/v2.0'
-              #admin_address: keystone
-              #admin_port: 35357
-              #admin_path: '/v2.0'
-# CI related dependencies
-  server:
-    enabled: true
-    default_mpm: event
-    mpm:
-      prefork:
-        enabled: true
-        servers:
-          start: 5
-          spare:
-            min: 2
-            max: 10
-        max_requests: 0
-        max_clients: 20
-        limit: 20
-    site:
-      keystone:
-        enabled: true
-        type: keystone
-        name: wsgi
-        host:
-          name: localhost
-    pkgs:
-      - apache2
-    modules:
-      - wsgi
-  client:
-    enabled: true
-    version: '5.7'
-    admin:
-      host: localhost
-      port: 3306
-      user: admin
-      password: password
-      encoding: utf8
-  server:
-    enabled: true
-    version: "5.7"
-    force_encoding: utf8
-    bind:
-      address:
-      port: 3306
-      protocol: tcp
-    database:
-      keystone:
-        encoding: utf8
-        users:
-        - host: '%'
-          name: keystone
-          password: passw0rd
-          rights: all
-        - host:
-          name: keystone
-          password: passw0rd
-          rights: all
diff --git a/tests/pillar/client_resources_v3.sls b/tests/pillar/client_resources_v3.sls
deleted file mode 100644
index f68ef70..0000000
--- a/tests/pillar/client_resources_v3.sls
+++ /dev/null
@@ -1,145 +0,0 @@
-  - single
-  client:
-    resources:
-      v3:
-        enabled: true
-        cloud_name: 'admin_identity'
-        domains:
-          'Default':
-            enabled: True
-            status: present
-            projects:
-              service:
-                status: present
-                description: "OpenStack Service tenant"
-              admin:
-                status: absent
-                description: "OpenStack Admin tenant"
-          'User_domain':
-            enabled: True
-            status: absent
-            projects:
-              user_domain_service:
-                status: present
-                description: "OpenStack Service tenant"
-              user_domain_admin:
-                status: absent
-                description: "OpenStack Admin tenant"
-          'User_domain_0':
-            enabled: True
-            status: absent
-            force_delete: True
-            projects:
-              user_domain_0_service:
-                status: present
-                description: "OpenStack Service tenant"
-              user_domain_0_admin:
-                status: absent
-                description: "OpenStack Admin tenant"
-          'User_domain_1':
-            enabled: False
-            status: absent
-            projects:
-              user_domain_1_service:
-                status: present
-                description: "OpenStack Service tenant"
-              user_domain_1_admin:
-                status: absent
-                description: "OpenStack Admin tenant"
-        roles:
-          service_admin:
-            name: admin
-            enabled: true
-            status: present
-          global_Member:
-            name: Member
-            enabled: true
-            status: absent
-          global_Member_0:
-            name: Member
-            enabled: False
-            status: absent
-        users:
-          admin:
-            enabled: true
-            status: present
-            password: passw0rd
-            email: root@localhost
-            roles:
-              service_admin:
-                status: assigned
-                name: admin
-                project_id: admin
-          user:
-            enabled: true
-            status: absent
-            password: passw0rd
-            email: root@localhost
-            roles:
-              global_Member:
-                status: unassigned
-                name: user
-                project_id: user
-          user0:
-            enabled: False
-            status: absent
-            password: passw0rd
-            email: root@localhost
-            roles:
-              global_Member:
-                status: unassigned
-                name: user
-                project_id: user
-        services:
-          keystone:
-            enabled: True
-            status: present
-            type: 'identity'
-            description: "OpenStack Identity Service"
-            endpoints:
-              keystone_public:
-                status: present
-                interface: 'public'
-                url:
-                region: RegionOne
-              keystone_internal:
-                status: absent
-                interface: 'internal'
-                url:
-                region: RegionOne
-          keystone_0:
-            enabled: True
-            status: absent
-            type: 'identity'
-            description: "OpenStack Identity Service"
-            endpoints:
-              keystone_0_public:
-                status: present
-                interface: 'public'
-                url:
-                region: RegionOne
-              keystone_0_internal:
-                status: absent
-                interface: 'internal'
-                url:
-                region: RegionOne
-          keystone_1:
-            enabled: False
-            status: absent
-            type: 'identity'
-            description: "OpenStack Identity Service"
-            endpoints:
-              keystone_1_public:
-                status: present
-                interface: 'public'
-                url:
-                region: RegionOne
-              keystone_1_internal:
-                status: absent
-                interface: 'internal'
-                url:
-                region: RegionOne
diff --git a/tests/pillar/repo_mcp_openstack_pike.sls b/tests/pillar/repo_mcp_openstack_pike.sls
new file mode 100644
index 0000000..fe6af3c
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_pike.sls
@@ -0,0 +1,12 @@
+  system:
+    enabled: true
+    repo:
+      mirantis_openstack_repo:
+        source: "deb{{ grains.get('oscodename') }} {{ grains.get('oscodename') }} main"
+        architectures: amd64
+        key_url: "{{ grains.get('oscodename') }}/archive-pike.key"
+        pin:
+        - pin: 'release l=pike'
+          priority: 1050
+          package: '*'
\ No newline at end of file
diff --git a/tests/pillar/repo_mcp_openstack_queens.sls b/tests/pillar/repo_mcp_openstack_queens.sls
new file mode 100644
index 0000000..ebe1964
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_queens.sls
@@ -0,0 +1,12 @@
+  system:
+    enabled: true
+    repo:
+      mirantis_openstack_repo:
+        source: "deb{{ grains.get('oscodename') }} {{ grains.get('oscodename') }} main"
+        architectures: amd64
+        key_url: "{{ grains.get('oscodename') }}/archive-queens.key"
+        pin:
+        - pin: 'release l=queens'
+          priority: 1050
+          package: '*'
\ No newline at end of file
diff --git a/tests/pillar/repo_mos9.sls b/tests/pillar/repo_mos9.sls
deleted file mode 100644
index 64d75b8..0000000
--- a/tests/pillar/repo_mos9.sls
+++ /dev/null
@@ -1,8 +0,0 @@
-  system:
-    enabled: true
-    repo:
-      mirantis_openstack:
-        source: "deb [arch=amd64] mos9.0 main restricted"
-        architectures: amd64
-        key_url: ""
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 7227af7..ba1ef77 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -3,12 +3,56 @@
     enabled: true
     version: liberty
+    service_name: apache2
     service_token: RANDOMSTRINGTOKEN
     service_tenant: service
+    admin_project:
+      name: projectname
+      domain: project
     admin_tenant: admin
     admin_name: admin
     admin_password: passw0rd
     admin_email: root@localhost
+    enable_proxy_headers_parsing: True
+    cors:
+      allowed_origin: ''
+      allow_credentials: True
+      expose_headers: 'X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token'
+      allow_headers: 'X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name'
+      max_age: 3600
+      allow_methods: 'GET,PUT,POST,DELETE,PATCH'
+    auth_methods:
+    - password
+    - token
+    federation:
+      oidc:
+        remote_id_attribute: HTTP_OIDC_ISS
+        remote_id_attribute_value: remote_id_attribute_value
+        oidc_claim_prefix: oidc_claim_prefix
+        oidc_client_id: oidc_client_id
+        oidc_client_secret: oidc_client_secret
+        oidc_crypto_passphrase: oidc_crypto_passphrase
+        oidc_redirect_uri: oidc_redirect_uri
+        oidc_provider_metadata_url: oidc_provider_metadata_url
+        oidc_response_type: oidc_response_type
+        oidc_scope: oidc_scope
+        oidc_ssl_validate_server: oidc_ssl_validate_server
+        oidc_oauth_ssl_validate_server: oidc_oauth_ssl_validate_server
+        oidc_oauth_introspection_endpoint: oidc_oauth_introspection_endpoint
+        oidc_oauth_introspection_token_param_name: oidc_oauth_introspection_token_param_name
+        oidc_oauth_remote_user_claim: oidc_oauth_remote_user_claim
+        oidc_oauth_verify_jwks_uri: oidc_oauth_verify_jwks_uri
+        odic_token_iat_slack: odic_token_iat_slack
+        oidc_provider_issuer: oidc_provider_issuer
+        oidc_provider_authorization_endpoint: oidc_provider_authorization_endpoint
+        oidc_provider_token_endpoint: oidc_provider_token_endpoint
+        oidc_provider_token_endpoint_auth: oidc_provider_token_endpoint_auth
+        oidc_provider_user_info_endpoint: oidc_provider_user_info_endpoint
+        oidc_provider_jwks_uri: oidc_provider_jwks_uri
+        protocol: oidc
+      saml2:
+        remote_id_attribute: HTTP_OIDC_ISS
+        protocol: saml2
@@ -18,16 +62,16 @@
     region: RegionOne
       engine: mysql
-      host: localhost
+      host:
       name: keystone
       password: passw0rd
       user: keystone
-      engine: cache
+      engine: fernet
       expiration: 86400
       location: /etc/keystone/fernet-keys/
       allow_expired_window: 86400
-    notification: false
+    notification: true
     notification_format: cadf
       disable_user_account_days_inactive: 90
@@ -41,7 +85,12 @@
         Your password could contains capital letters, lowercase letters, digits and have a minimum length of 32 characters
       change_password_upon_first_use: False
-      log_appender: false
+      debug: true
+      log_file: 'logfile.log'
+      log_dir: logdir
+      use_syslog: true
+      syslog_log_facility: LOG_USER
+      log_appender: true
           enabled: true
@@ -52,18 +101,139 @@
         cache_group_membership_in_db: true
-    #message_queue:
-      #engine: rabbitmq
-      #host:
-      #port: 5672
-      #user: openstack
-      #password: password
-      #virtual_host: '/openstack'
-      #ha_queues: true
+    message_queue:
+      engine: rabbitmq
+      host:
+      port: 5672
+      user: openstack
+      password: password
+      virtual_host: '/openstack'
+      ha_queues: true
+      rabbit_ha_queues: true
+      rpc_conn_pool_size: 30
+      conn_pool_min_size: 2
+      conn_pool_ttl: 1200
+      rpc_poll_timeout: 1
+      rpc_thread_pool_size: 100
+      rpc_message_ttl: 300
+      rpc_use_acks: false
+      rpc_ack_timeout_base: 15
+      rpc_ack_timeout_multiplier: 2
+      rpc_retry_attempts: 3
+      executor_thread_pool_size: 64
+      rpc_response_timeout: 60
+      control_exchange: openstack
+      ssl:
+        version: TLSv1_2
+        cacert_file: ssl_ca_certs
+      x509:
+        key_file: kombu_ssl_keyfile
+        cert_file: kombu_ssl_certfile
+      rabbit_retry_interval: 1
+      rabbit_retry_backoff: 2
+      rabbit_interval_max: 30
+      rabbit_transient_queues_ttl: 1800
+      heartbeat_timeout_threshold: 60
+      heartbeat_rate: 2
+      channel_max: 2
+      frame_max: 2
+      heartbeat_interval: 3
+      socket_timeout: 10
+      tcp_user_timeout: 10
+      host_connection_reconnect_delay: 10
+      connection_factory: single
+      pool_max_size: 30
+      pool_max_overflow: 0
+      pool_timeout: 30
+      pool_recycle: 600
+      pool_stale: 60
+      default_serializer_type: json
+      notification_persistence: false
+      default_notification_exchange: exchange
+      notification_listener_prefetch_count: 100
+      default_notification_retry_attempts: 1
+      notification_retry_delay: 10
+      rpc_queue_expiration: 60
+      default_rpc_exchange: rpc_exchange
+      rpc_reply_exchange: rpc_reply_exchange
+      rpc_listener_prefetch_count: 100
+      rpc_reply_listener_prefetch_count: 100
+      rpc_reply_retry_attempts: 10
+      rpc_reply_retry_delay: 10
+      default_rpc_retry_attempts: 10
+      rpc_retry_delay: 10
+      rabbit_qos_prefetch_count: 64
+    healthcheck:
+      path: '/healthcheck'
+    max_request_body_size: 114688
+    profiler:
+      enabled: True
+    cache:
+      enabled: True
+      host:
+      port: 11211
+    policy:
+      policy_file: 'policy.json'
+    domain:
+      testing:
+        description: "Test domain"
+        backend: ldap
+        identity:
+          backend: ldap
+          driver: ldap
+        assignment:
+          backend: sql
+          driver: keystone.assignment.backends.sql.Assignment
+        ldap:
+          group_mapping: False
+          url: "ldaps://"
+          suffix: "dc=cloud,dc=domain,dc=com"
+          uid: keystone
+          password: password
+          query_scope: "sub"
+          bind_user: "CN=lab,CN=users,${keystone:server:domain:testing:ldap:suffix}"
+          filter:
+            user: "(memberOf=CN=Grp-atm-admins,CN=Users,${keystone:server:domain:testing:ldap:suffix})"
+          user_tree_dn: "CN=users,${keystone:server:domain:testing:ldap:suffix}"
+          user_id_attribute: "sAMAccountName"
+          user_name_attribute: "sAMAccountName"
+          user_pass_attribute: ""
+          user_enabled_default: 512
+          user_enabled_mask: 2
+          user_enabled_attribute: "userAccountControl"
+          user_attribute_ignore: "password,tenant_id,tenants"
 # Client state
     enabled: false
+    os_client_config:
+      enabled: true
+      cfgs:
+        root:
+          content:
+            clouds:
+              admin_identity:
+                region_name: RegionOne
+                identity_api_version: '3'
+                interface: 'internal'
+                auth:
+                  username: 'admin'
+                  password: passw0rd
+                  user_domain_name: 'Default'
+                  project_name: 'admin'
+                  project_domain_name: 'Default'
+                  auth_url: ''
+      admin_identity:
+        admin:
+          user: admin
+          password: passw0rd
+          project: admin
+          host: localhost
+          port: 5000
+          region_name: RegionOne
+          use_keystoneauth: true
+          protocol: http
           host: localhost
@@ -113,23 +283,32 @@
               admin_address: keystone
               admin_port: 35357
               admin_path: '/v2.0'
-          # TODO: enable once salt keystone module/states are fixed
-          #keystoneR2:
-            #service: keystone
-            #type: identity
-            #description: OpenStack Identity Service
-            #endpoints:
-            #- region: RegionTwo
-              #public_address: keystone
-              #public_protocol: http
-              #public_port: 5000
-              #public_path: '/v2.0'
-              #internal_address: keystone
-              #internal_port: 5000
-              #internal_path: '/v2.0'
-              #admin_address: keystone
-              #admin_port: 35357
-              #admin_path: '/v2.0'
+  server:
+    enabled: true
+    default_mpm: event
+    mpm:
+      prefork:
+        enabled: true
+        servers:
+          start: 5
+          spare:
+            min: 2
+            max: 10
+        max_requests: 0
+        max_clients: 20
+        limit: 20
+    site:
+      keystone:
+        enabled: true
+        type: keystone
+        name: wsgi
+        host:
+          name: localhost
+    pkgs:
+      - apache2
+    modules:
+      - wsgi
 # CI related dependencies
diff --git a/tests/pillar/single_domain.sls b/tests/pillar/single_domain.sls
deleted file mode 100644
index ec86a26..0000000
--- a/tests/pillar/single_domain.sls
+++ /dev/null
@@ -1,85 +0,0 @@
-# Server state
-  server:
-    enabled: true
-    version: liberty
-    service_token: RANDOMSTRINGTOKEN
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: passw0rd
-    admin_email: root@localhost
-    bind:
-      address:
-      private_address:
-      private_port: 35357
-      public_address:
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host: localhost
-      name: keystone
-      password: passw0rd
-      user: keystone
-    tokens:
-      engine: cache
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-    notification: false
-    notification_format: cadf
-    logging:
-      log_appender: false
-      log_handlers:
-        watchedfile:
-          enabled: true
-        fluentd:
-          enabled: false
-        ossyslog:
-          enabled: false
-    domain:
-      testing:
-        description: "Test domain"
-        backend: ldap
-        identity:
-          backend: ldap
-          driver: ldap
-        assignment:
-          backend: sql
-          driver: keystone.assignment.backends.sql.Assignment
-        ldap:
-          url: "ldaps://"
-          suffix: "dc=cloud,dc=domain,dc=com"
-          uid: keystone
-          password: password
-# CI related dependencies
-  client:
-    enabled: true
-    version: '5.7'
-    admin:
-      host: localhost
-      port: 3306
-      user: admin
-      password: password
-      encoding: utf8
-  server:
-    enabled: true
-    version: "5.7"
-    force_encoding: utf8
-    bind:
-      address:
-      port: 3306
-      protocol: tcp
-    database:
-      keystone:
-        encoding: utf8
-        users:
-        - host: '%'
-          name: keystone
-          password: passw0rd
-          rights: all
-        - host:
-          name: keystone
-          password: passw0rd
-          rights: all
diff --git a/tests/pillar/single_fernet.sls b/tests/pillar/single_fernet.sls
deleted file mode 100644
index d87b63c..0000000
--- a/tests/pillar/single_fernet.sls
+++ /dev/null
@@ -1,70 +0,0 @@
-  server:
-    enabled: true
-    version: liberty
-    service_token: token
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: passw0rd
-    admin_email: root@localhost
-    bind:
-      address:
-      private_address:
-      private_port: 35357
-      public_address:
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host: localhost
-      name: keystone
-      password: passw0rd
-      user: keystone
-    tokens:
-      engine: fernet
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-      max_active_keys: 4
-    notification: false
-    notification_format: cadf
-    logging:
-      log_appender: false
-      log_handlers:
-        watchedfile:
-          enabled: true
-        fluentd:
-          enabled: false
-        ossyslog:
-          enabled: false
-# CI related dependencies
-  client:
-    enabled: false
-    version: '5.7'
-    admin:
-      host: localhost
-      port: 3306
-      user: admin
-      password: password
-      encoding: utf8
-  server:
-    enabled: true
-    version: "5.7"
-    force_encoding: utf8
-    bind:
-      address:
-      port: 3306
-      protocol: tcp
-    database:
-      keystone:
-        encoding: utf8
-        users:
-        - host: '%'
-          name: keystone
-          password: passw0rd
-          rights: all
-        - host:
-          name: keystone
-          password: passw0rd
-          rights: all
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
deleted file mode 100644
index 8e42d8e..0000000
--- a/tests/pillar/ssl.sls
+++ /dev/null
@@ -1,62 +0,0 @@
-# Test case with enabled SSL of the following communication paths:
-# - messaging (rabbitmq)
-  server:
-    enabled: true
-    version: liberty
-    service_token: token
-    service_tenant: service
-    admin_tenant: admin
-    admin_name: admin
-    admin_password: passw0rd
-    admin_email: root@localhost
-    bind:
-      address:
-      private_address:
-      private_port: 35357
-      public_address:
-      public_port: 5000
-    region: RegionOne
-    database:
-      engine: mysql
-      host:
-      name: keystone
-      password: passw0rd
-      user: keystone
-      ssl:
-        enabled: True
-    tokens:
-      engine: cache
-      expiration: 86400
-      location: /etc/keystone/fernet-keys/
-    notification: true
-    notification_format: cadf
-    logging:
-      log_appender: false
-      log_handlers:
-        watchedfile:
-          enabled: true
-        fluentd:
-          enabled: false
-        ossyslog:
-          enabled: false
-    message_queue:
-      engine: rabbitmq
-      host:
-      port: 5671
-      user: openstack
-      password: passw0rd
-      virtual_host: '/openstack'
-      ha_queues: true
-      ssl:
-        enabled: True
-    cache:
-      engine: memcached
-      members:
-      - host:
-        port: 11211
-      - host:
-        port: 11211
-      - host:
-        port: 11211
diff --git a/tests/ b/tests/
index 9761585..4665d34 100755
--- a/tests/
+++ b/tests/
@@ -1,5 +1,15 @@
 #!/usr/bin/env bash
+# Script source:
+# Script requirments:
+#apt-get install -y python-yaml virtualenv git
 set -e
 [ -n "$DEBUG" ] && set -x
@@ -14,32 +24,40 @@
 SALT_OPTS="${SALT_OPTS} --retcode-passthrough --local -c ${SALT_CONFIG_DIR} --log-file=/dev/null"
 if [ "x${SALT_VERSION}" != "x" ]; then
 ## Functions
 log_info() {
-    echo "[INFO] $*"
+    echo -e "[INFO] $*"
 log_err() {
-    echo "[ERROR] $*" >&2
+    echo -e "[ERROR] $*" >&2
 setup_virtualenv() {
     log_info "Setting up Python virtualenv"
+    dependency_check virtualenv
     virtualenv $VENV_DIR
     source ${VENV_DIR}/bin/activate
     python -m pip install salt${PIP_SALT_VERSION}
+    if [[ -f ${CURDIR}/test-requirements.txt ]]; then
+       python -m pip install -r ${CURDIR}/test-requirements.txt
+    fi
 setup_mock_bin() {
@@ -59,12 +77,19 @@
         state_name=$(basename ${pillar%.sls})
         echo -e "  ${state_name}:\n    - ${state_name}" >> ${SALT_PILLAR_DIR}/top.sls
+    for pillar in $(find $PILLARDIR  -mindepth 2 -type f -iname *.sls); do
+        state_name=$(basename "${pillar%*.sls}")
+        os_release=$(echo $pillar | rev | cut -d'/' -f2 | rev)
+        grep ${FORMULA_NAME}: ${pillar} &>/dev/null || continue
+        echo -e "  ${os_release}_${state_name}:\n    - ${os_release}.${state_name}" >> ${SALT_PILLAR_DIR}/top.sls
+    done
 setup_salt() {
     [ ! -d ${SALT_FILE_DIR} ] && mkdir -p ${SALT_FILE_DIR}
     [ ! -d ${SALT_CONFIG_DIR} ] && mkdir -p ${SALT_CONFIG_DIR}
     [ ! -d ${SALT_CACHE_DIR} ] && mkdir -p ${SALT_CACHE_DIR}
+    [ ! -d ${SALT_CACHE_EXTMODS_DIR} ] && mkdir -p ${SALT_CACHE_EXTMODS_DIR}
     echo "base:" > ${SALT_FILE_DIR}/top.sls
     for pillar in ${PILLARDIR}/*.sls; do
@@ -72,10 +97,17 @@
         state_name=$(basename ${pillar%.sls})
         echo -e "  ${state_name}:\n    - ${FORMULA_NAME}" >> ${SALT_FILE_DIR}/top.sls
+    for pillar in $(find $PILLARDIR  -mindepth 2 -type f -iname *.sls); do
+        state_name=$(basename "${pillar%*.sls}")
+        os_release=$(echo $pillar | rev | cut -d'/' -f2 | rev)
+        grep ${FORMULA_NAME}: ${pillar} &>/dev/null || continue
+        echo -e "  ${os_release}_${state_name}:\n    - ${FORMULA_NAME}" >> ${SALT_FILE_DIR}/top.sls
+    done
     cat << EOF > ${SALT_CONFIG_DIR}/minion
 file_client: local
 cachedir: ${SALT_CACHE_DIR}
+extension_modules:  ${SALT_CACHE_EXTMODS_DIR}
 verify_env: False
 minion_id_caching: False
@@ -83,7 +115,6 @@
   - ${CURDIR}/..
-  - /usr/share/salt-formulas/env
@@ -93,13 +124,14 @@
 fetch_dependency() {
+    # example: fetch_dependency "linux:"
     dep_name="$(echo $1|cut -d : -f 1)"
     dep_source="$(echo $1|cut -d : -f 2-)"
     dep_root="${DEPSDIR}/$(basename $dep_source .git)"
-    [ -d /usr/share/salt-formulas/env/${dep_name} ] && log_info "Dependency $dep_name already present in system-wide salt env" && return 0
-    [ -d $dep_root ] && log_info "Dependency $dep_name already fetched" && return 0
+    dependency_check git
+    [ -d $dep_root ] && { log_info "Dependency $dep_name already fetched"; return 0; }
     log_info "Fetching dependency $dep_name"
     [ ! -d ${DEPSDIR} ] && mkdir -p ${DEPSDIR}
@@ -109,6 +141,19 @@
     METADATA="${dep_metadata}" install_dependencies
+    # Link modules *.py files to temporary salt-root
+    local SALT_ROOT=${1:-$SALT_FILE_DIR}
+    local SALT_ENV=${2:-$DEPSDIR}
+    mkdir -p "${SALT_ROOT}/_modules/"
+    # from git, development versions
+    find ${SALT_ENV} -maxdepth 3 -mindepth 3 -path '*_modules*' -iname "*.py" -type f -print0 | while read -d $'\0' file; do
+      ln -fs $(readlink -e ${file}) "$SALT_ROOT"/_modules/$(basename ${file}) ;
+    done
+    salt_run saltutil.sync_all
 install_dependencies() {
     grep -E "^dependencies:" ${METADATA} >/dev/null || return 0
     (python - | while read dep; do fetch_dependency "$dep"; done) << EOF
@@ -129,13 +174,30 @@
 prepare() {
-    [ -d ${BUILDDIR} ] && mkdir -p ${BUILDDIR}
+    if [[ -f ${BUILDDIR}/.prepare_done ]]; then
+      log_info "${BUILDDIR}/.prepare_done exist, not rebuilding BUILDDIR"
+      return
+    fi
+    [[ -d ${BUILDDIR} ]] && mkdir -p ${BUILDDIR}
-    which salt-call || setup_virtualenv
+    [[ ! -f "${VENV_DIR}/bin/activate" ]] && setup_virtualenv
+    link_modules
+    touch ${BUILDDIR}/.prepare_done
+lint_releasenotes() {
+    [[ ! -f "${VENV_DIR}/bin/activate" ]] && setup_virtualenv
+    source ${VENV_DIR}/bin/activate
+    reno lint ${CURDIR}/../
+lint() {
+#    lint_releasenotes
+    log_err "TODO: lint_releasenotes"
 run() {
@@ -152,7 +214,7 @@
             meta_name=$(basename ${meta})
             echo "Checking meta ${meta_name} ..."
             salt_run --out=quiet --id=${state_name} cp.get_template ${meta} ${SALT_CACHE_DIR}/${meta_name} \
-              || (log_err "Failed to render meta ${meta} using pillar ${FORMULA_NAME}.${state_name}"; exit 1)
+              || { log_err "Failed to render meta ${meta} using pillar ${FORMULA_NAME}.${state_name}"; exit 1; }
             cat ${SALT_CACHE_DIR}/${meta_name}
@@ -161,10 +223,52 @@
 real_run() {
     for pillar in ${PILLARDIR}/*.sls; do
         state_name=$(basename ${pillar%.sls})
-        salt_run --id=${state_name} state.sls ${FORMULA_NAME} || (log_err "Execution of ${FORMULA_NAME}.${state_name} failed"; exit 1)
+        salt_run --id=${state_name} state.sls ${FORMULA_NAME} || { log_err "Execution of ${FORMULA_NAME}.${state_name} failed"; exit 1; }
+  # Run modelschema.model_validate validation.
+  # TEST iterateble, run for `each formula ROLE against each ROLE_PILLARNAME`
+  # Pillars should be named in conviend ROLE_XXX.sls or ROLE.sls
+  # Example:
+  # client.sls  client_auth.sls  server.sls  server_auth.sls
+  if [ -d ${SCHEMARDIR} ]; then
+    # model validator require py modules
+    fetch_dependency "salt:"
+    link_modules
+    salt_run saltutil.clear_cache; salt_run saltutil.refresh_pillar; salt_run saltutil.sync_all;
+    for role in $(find $SCHEMARDIR/* -maxdepth 0 -type f -iname *.yaml); do
+      role_name=$(basename "${role%*.yaml}")
+      for pillar in $(ls pillar/${role_name}*.sls | grep -v ${IGNORE_MODELVALIDATE_MASK} ); do
+        pillar_name=$(basename "${pillar%*.sls}")
+        local _message="FORMULA:${FORMULA_NAME} ROLE:${role_name} against PILLAR:${pillar_name}"
+        log_info "model_validate ${_message}"
+        # Rendered Example:
+        # python $(which salt-call) --local -c /test1/maas/tests/build/salt --id=maas_cluster modelschema.model_validate maas cluster
+        salt_run -m ${DEPSDIR}/salt-formula-salt --id=${pillar_name} modelschema.model_validate ${FORMULA_NAME} ${role_name} || { log_err "Execution of model_validate ${_message} failed"; exit 1 ; }
+      done
+    done
+    for schema in $(find $SCHEMARDIR -mindepth 2 -type f -iname *.yaml); do
+        role_name=$(basename "${schema%*.yaml}")
+        os_release=$(echo $schema | rev | cut -d'/' -f2 | rev)
+        local _message="FORMULA:${FORMULA_NAME} ROLE:${role_name} against PILLAR:${role_name}"
+        log_info "model_validate ${_message}"
+        salt_run -m ${DEPSDIR}/salt-formula-salt --id=${os_release}_${role_name} modelschema.model_validate ${FORMULA_NAME} ${role_name} ${os_release} || { log_err "Execution of model_validate ${_message} failed"; exit 1 ; }
+    done
+  else
+    log_info "${SCHEMARDIR} not found!";
+  fi
+dependency_check() {
+    which $DEPENDENCY_COMMAND > /dev/null || ( log_err "Command \"$DEPENDENCY_COMMAND\" can not be found in default path."; exit 1; )
+  done
 _atexit() {
     trap true INT TERM EXIT
@@ -178,6 +282,10 @@
 ## Main
+log_info "Running version: ${__ScriptVersion}"
+log_info "Command line: '${__ScriptFullName} ${__ScriptArgs}'"
 trap _atexit INT TERM EXIT
 case $1 in
@@ -187,14 +295,23 @@
+    lint)
+        lint
+        ;;
+    model-validate)
+       prepare
+       run_model_validate
+        ;;
+#        lint
+        run_model_validate
diff --git a/tests/test-requirements.txt b/tests/test-requirements.txt
new file mode 100644
index 0000000..a0f561a
--- /dev/null
+++ b/tests/test-requirements.txt
@@ -0,0 +1,2 @@