diff --git a/recipes/ironic-common.rb b/recipes/ironic-common.rb
index a028dd9..bd71d58 100644
--- a/recipes/ironic-common.rb
+++ b/recipes/ironic-common.rb
@@ -68,6 +68,7 @@ identity_admin_endpoint = admin_endpoint 'identity-admin'
 service_pass = get_password 'service', 'openstack-bare-metal'
 auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['bare-metal']['api']['auth']['version'])
+identity_uri = identity_uri_transform(identity_admin_endpoint)
 template '/etc/ironic/ironic.conf' do
 source 'ironic.conf.erb'
@@ -83,7 +84,7 @@ template '/etc/ironic/ironic.conf' do
 glance_host: image_endpoint.host,
 glance_port: image_endpoint.port,
 auth_uri: auth_uri,
- identity_admin_endpoint: identity_admin_endpoint,
+ identity_uri: identity_uri,
 service_pass: service_pass
 )
 end
diff --git a/spec/ironic-common_spec.rb b/spec/ironic-common_spec.rb
index 95fdb4c..10efe2b 100644
--- a/spec/ironic-common_spec.rb
+++ b/spec/ironic-common_spec.rb
@@ -76,7 +76,13 @@ describe 'openstack-bare-metal::ironic-common' do
 it 'sets the default auth attributes' do
 [
 /^insecure=false$/,
- %r(^signing_dir=/var/cache/ironic/api$)
+ %r(^signing_dir=/var/cache/ironic/api$),
+ %r(^auth_uri=http://127.0.0.1:5000/v2.0$),
+ %r(^identity_uri=http://127.0.0.1:35357/$),
+ /^auth_version=v2.0$/,
+ /^admin_user=ironic$/,
+ /^admin_password=service_pass$/,
+ /^admin_tenant_name=service$/
 ].each do |line|
 expect(chef_run).to render_config_file(file.name).with_section_content('keystone_authtoken', line)
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index a8843bd..9305d7c 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
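Review bot: The `template '/etc/ironic/ironic.conf'` resource passes `service_pass: service_pass` into a file that this commit's spec shows rendering as `admin_password=...`, and nothing visible in either recipe hunk marks the resource as sensitive. The resource body between the two hunks is not shown, so this may already be handled; if it is not, add `sensitive true` to the resource and confirm its owner and mode keep the file unreadable to other local users, so the rendered password stays out of Chef's diff and log output. A one-line comment above `identity_uri = identity_uri_transform(identity_admin_endpoint)` saying that it yields the unversioned admin root, while `auth_uri` stays versioned, would also explain why the two values are built differently.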
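Review bot: The patterns added to 'sets the default auth attributes' leave `.` unescaped, so `%r(^auth_uri=http://127.0.0.1:5000/v2.0$)` accepts any character where a dot is expected and the assertion is looser than it reads. Escape the literal dots, for example `%r(^auth_uri=http://127\.0\.0\.1:5000/v2\.0$)`, `%r(^identity_uri=http://127\.0\.0\.1:35357/$)` and `/^auth_version=v2\.0$/`. These lines pin the rendered authentication endpoints, so an exact match is worth the extra backslashes.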
@@ -25,13 +25,13 @@ shared_context 'bare-metal-stubs' do
 before do
 allow_any_instance_of(Chef::Recipe).to receive(:get_password)
 .with('service', anything)
- .and_return('')
+ .and_return('service_pass')
 allow_any_instance_of(Chef::Recipe).to receive(:get_password)
 .with('db', anything)
- .and_return('')
+ .and_return('db_pass')
 allow_any_instance_of(Chef::Recipe).to receive(:get_password)
 .with('user', anything)
- .and_return('')
+ .and_return('user_pass')
 allow_any_instance_of(Chef::Recipe).to receive(:get_secret)
 .with('openstack_identity_bootstrap_token')
 .and_return('bootstrap-token')
diff --git a/templates/default/ironic.conf.erb b/templates/default/ironic.conf.erb
index 5b3131d..98164df 100644
--- a/templates/default/ironic.conf.erb
+++ b/templates/default/ironic.conf.erb
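Review bot: The `get_password` stub for `'service'` still matches `anything` as its second argument, so the spec passes even if the recipe were to request another service's password. The recipe in this commit calls `get_password 'service', 'openstack-bare-metal'`, so the stub can pin it: `.with('service', 'openstack-bare-metal')`. Other recipes sharing this context may pass different names, so check that before tightening. The `before do` block continues past the end of this hunk.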
@@ -933,38 +933,27 @@ glance_protocol=<%= @glance_scheme %>
 # Options defined in keystonemiddleware.auth_token
 #
-# Host providing the admin Identity API endpoint (string
-# value)
-auth_host=<%= @identity_admin_endpoint.host %>
-
-# Port of the admin Identity API endpoint (integer value)
-auth_port=<%= @identity_admin_endpoint.port %>
-
-# Protocol of the admin Identity API endpoint(http or https)
-# (string value)
-auth_protocol=<%= @identity_admin_endpoint.scheme %>
-
 # Complete public Identity API endpoint. (string value)
 auth_uri=<%= @auth_uri %>
 # Complete admin Identity API endpoint. This should specify
-# the unversioned root endpoint e.g. https://localhost:3537/
+# the unversioned root endpoint e.g. https://localhost:35357/
 # (string value)
-identity_uri=<%= @identity_admin_endpoint.scheme %>://<%= @identity_admin_endpoint.host %>:<%= @identity_admin_endpoint.port %>
+identity_uri=<%= @identity_uri %>
 # API version of the admin Identity API endpoint. (string
 # value)
 auth_version=<%= node['openstack']['bare-metal']['api']['auth']['version'] %>
 # Keystone account username (string value)
-admin_user = <%= node['openstack']['bare-metal']['service_user'] %>
+admin_user=<%= node['openstack']['bare-metal']['service_user'] %>
 # Keystone account password (string value)
-admin_password = <%= @service_pass %>
+admin_password=<%= @service_pass %>
 # Keystone service account tenant name to validate user tokens
 # (string value)
-admin_tenant_name = <%= node['openstack']['bare-metal']['service_tenant_name'] %>
+admin_tenant_name=<%= node['openstack']['bare-metal']['service_tenant_name'] %>
 # Do not handle authorization requests within the middleware,
 # but delegate the authorization decision to downstream WSGI
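Review bot: `identity_uri=<%= @identity_uri %>` takes its scheme entirely from the endpoint attribute, and the spec in this commit pins the default to `http://127.0.0.1:35357/`. The auth_token middleware authenticates to this endpoint with `admin_user`/`admin_password`, so a deployment that points it at a non-loopback host over plain http would presumably send the service credentials in clear text. The option comment already shows an https example; consider adding a line such as `# Use https for any non-loopback endpoint; the admin credentials below are sent to it.` so the requirement is explicit in the rendered file.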