Stein fixes

- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
  cookbooks
- Update documentation
- Cleanup line wraps
- Enable sensitive resources for the template[/etc/ironic/ironic.conf] to
  resources improve security.
- Update delivery configuration to exclude integration cookbooks
- Fix ChefSpec output.
- Add missing ChefSpec tests
- Switch package installations to send packages as arrays instead of individual
  package resources. This generally speeds up chef runs.
- Cleanup array syntax using %w() instead of []

Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706151
Depends-On: https://review.opendev.org/706157
Depends-On: https://review.opendev.org/708059
Change-Id: Icf11e0e66e1d9d34c4b8142e2a6a14d2da666390

.delivery/project.toml

@@ -1 +1,9 @@
-remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml"
+[local_phases]
+unit = 'rspec spec/'
+lint = 'cookstyle --display-cop-names --extra-details'
+syntax = "berks install -e integration"
+provision = "echo skipping"
+deploy = "echo skipping"
+smoke = "echo skipping"
+functional = "echo skipping"
+cleanup = "echo skipping"

Berksfile

@@ -2,21 +2,21 @@ source 'https://supermarket.chef.io'
 
 solver :ruby, :required
 
-%w(
-  client
-  -common
-  -dns
-  -identity
-  -image
-  -integration-test
-  -network
-  -ops-database
-  -ops-messaging
-).each do |cookbook|
+[
+  %w(client dep),
+  %w(-common dep),
+  %w(-dns integration),
+  %w(-identity dep),
+  %w(-image dep),
+  %w(-integration-test integration),
+  %w(-network dep),
+  %w(-ops-database integration),
+  %w(-ops-messaging integration),
+].each do |cookbook, group|
   if Dir.exist?("../cookbook-openstack#{cookbook}")
-    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}"
+    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}", group: group
   else
-    cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}"
+    cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}", group: group
   end
 end
 

README.rst

@@ -20,9 +20,9 @@ https://docs.openstack.org/ironic/latest/
 Requirements
 ============
 
-- Chef 14 or higher
-- ChefDK 3.2.30 for testing (also includes Berkshelf for cookbook
-  dependency resolution)
+- Chef 15 or higher
+- Chef Workstation 0.15.18 for testing (also includes Berkshelf for
+  cookbook dependency resolution)
 
 Platform
 ========
@@ -37,10 +37,10 @@ Cookbooks
 The following cookbooks are dependencies:
 
 - 'apache2', '~> 8.0'
-- 'openstack-common', '>= 18.0.0'
-- 'openstack-identity', '>= 18.0.0'
-- 'openstack-image', '>= 18.0.0'
-- 'openstack-network', '>= 18.0.0'
+- 'openstack-common', '>= 19.0.0'
+- 'openstack-identity', '>= 19.0.0'
+- 'openstack-image', '>= 19.0.0'
+- 'openstack-network', '>= 19.0.0'
 
 Attributes
 ==========
@@ -103,7 +103,7 @@ License and Author
 +-----------------+---------------------------------------------------+
 | **Copyright**   | Copyright (c) 2019, x-ion GmbH                    |
 +-----------------+---------------------------------------------------+
-| **Copyright**   | Copyright (c) 2019, Oregon State University       |
+| **Copyright**   | Copyright (c) 2019-2020, Oregon State University  |
 +-----------------+---------------------------------------------------+
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may

attributes/default.rb

@@ -1,9 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Attributes:: default
 #
-# Copyright 2015, IBM, Corp
+# Copyright:: 2015, IBM, Corp
+# Copyright:: 2019-2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -104,19 +105,25 @@ default['openstack']['bare_metal']['ssl']['ciphers'] = ''
 case node['platform_family']
 when 'fedora', 'rhel'
   default['openstack']['bare_metal']['platform'] = {
-    'ironic_api_packages' => ['openstack-ironic-api', 'mod_wsgi'],
+    'ironic_api_packages' => %w(openstack-ironic-api mod_wsgi),
     'ironic_api_service' => 'openstack-ironic-api',
-    'ironic_conductor_packages' => ['openstack-ironic-conductor', 'ipmitool'],
+    'ironic_conductor_packages' => %w(openstack-ironic-conductor ipmitool),
     'ironic_conductor_service' => 'openstack-ironic-conductor',
-    'ironic_common_packages' => ['openstack-ironic-common', 'python-ironicclient'],
+    'ironic_common_packages' => %w(openstack-ironic-common python-ironicclient),
   }
 when 'debian'
   default['openstack']['bare_metal']['platform'] = {
     'ironic_api_packages' => ['ironic-api'],
     'ironic_api_service' => 'ironic-api',
-    'ironic_conductor_packages' => ['ironic-conductor', 'ipmitool'],
+    'ironic_conductor_packages' => %w(ironic-conductor ipmitool),
     'ironic_conductor_service' => 'ironic-conductor',
-    'ironic_common_packages' => ['python3-ironic', 'python3-ironic-lib', 'python3-ironicclient', 'ironic-common'],
+    'ironic_common_packages' =>
+      %w(
+        python3-ironic
+        python3-ironic-lib
+        python3-ironicclient
+        ironic-common
+      ),
   }
 end
 

metadata.rb

@@ -1,25 +1,19 @@
-name 'openstack-bare-metal'
-maintainer 'openstack-chef'
-maintainer_email 'openstack-discuss@lists.openstack.org'
-license 'Apache-2.0'
-description 'Installs/Configures OpenStack Bare Metal service Ironic'
-version '18.0.0'
-issues_url 'https://launchpad.net/openstack-chef'
-source_url 'https://opendev.org/openstack/cookbook-openstack-bare-metal'
-chef_version '>= 14.0'
-
-recipe 'openstack-bare-metal::api', 'Installs the ironic-api, sets up the ironic database'
-recipe 'openstack-bare-metal::conductor', 'Installs the ironic-conductor service'
-recipe 'openstack-bare-metal::default', 'Temp workaround to create ironic db with user'
-recipe 'openstack-bare-metal::identity_registration', 'Registers ironic service/user/endpoints in keystone'
-recipe 'openstack-bare-metal::ironic-common', 'Defines the common pieces of repeated code from the other recipes'
+name              'openstack-bare-metal'
+maintainer        'openstack-chef'
+maintainer_email  'openstack-discuss@lists.openstack.org'
+license           'Apache-2.0'
+description       'Installs/Configures OpenStack Bare Metal service Ironic'
+version           '19.0.0'
+issues_url        'https://launchpad.net/openstack-chef'
+source_url        'https://opendev.org/openstack/cookbook-openstack-bare-metal'
+chef_version      '>= 15.0'
 
 %w(ubuntu redhat centos).each do |os|
   supports os
 end
 
 depends 'apache2', '~> 8.0'
-depends 'openstack-common', '>= 18.0.0'
-depends 'openstack-identity', '>= 18.0.0'
-depends 'openstack-image', '>= 18.0.0'
-depends 'openstack-network', '>= 18.0.0'
+depends 'openstack-common', '>= 19.0.0'
+depends 'openstack-identity', '>= 19.0.0'
+depends 'openstack-image', '>= 19.0.0'
+depends 'openstack-network', '>= 19.0.0'

recipes/api.rb

@@ -1,9 +1,10 @@
 # Encoding: utf-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Recipe:: api
 #
-# Copyright 2015, IBM Corp.
+# Copyright:: 2015, IBM Corp.
+# Copyright:: 2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,10 +28,8 @@ include_recipe 'openstack-bare-metal::ironic-common'
 
 platform_options = node['openstack']['bare_metal']['platform']
 
-platform_options['ironic_api_packages'].each do |pkg|
-  package pkg do
-    action :upgrade
-  end
+package platform_options['ironic_api_packages'] do
+  action :upgrade
 end
 
 service 'ironic-api' do

recipes/conductor.rb

@@ -1,9 +1,10 @@
 # Encoding: utf-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Recipe:: conductor
 #
-# Copyright 2015, IBM Corp.
+# Copyright:: 2015, IBM Corp.
+# Copyright:: 2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,12 +27,9 @@ include_recipe 'openstack-bare-metal::ironic-common'
 
 platform_options = node['openstack']['bare_metal']['platform']
 
-platform_options['ironic_conductor_packages'].each do |pkg|
-  package pkg do
-    action :upgrade
-
-    notifies :restart, 'service[ironic-conductor]', :delayed
-  end
+package platform_options['ironic_conductor_packages'] do
+  action :upgrade
+  notifies :restart, 'service[ironic-conductor]', :delayed
 end
 
 service 'ironic-conductor' do
@@ -39,7 +37,4 @@ service 'ironic-conductor' do
   supports status: true, restart: true
   action [:enable, :start]
   subscribes :restart, 'template[/etc/ironic/ironic.conf]'
-  platform_options['ironic_common_packages'].each do |pkg|
-    subscribes :restart, "package[#{pkg}]", :delayed
-  end
 end

recipes/identity_registration.rb

@@ -1,9 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Recipe:: identity_registration
 #
-# Copyright 2015, IBM, Inc.
+# Copyright:: 2015, IBM, Inc.
+# Copyright:: 2019-2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -48,11 +49,11 @@ service_name = node['openstack']['bare_metal']['service_name']
 service_type = node['openstack']['bare_metal']['service_type']
 
 connection_params = {
-  openstack_auth_url:     auth_url,
-  openstack_username:     admin_user,
-  openstack_api_key:      admin_pass,
+  openstack_auth_url: auth_url,
+  openstack_username: admin_user,
+  openstack_api_key: admin_pass,
   openstack_project_name: admin_project,
-  openstack_domain_name:  admin_domain,
+  openstack_domain_name: admin_domain,
   # openstack_endpoint_type: endpoint_type,
 }
 

recipes/ironic-common.rb

@@ -1,9 +1,10 @@
 # Encoding: utf-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Recipe:: ironic-common
 #
-# Copyright 2015, IBM Corp.
+# Copyright:: 2015, IBM Corp.
+# Copyright:: 2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,17 +29,13 @@ end
 
 platform_options = node['openstack']['bare_metal']['platform']
 
-platform_options['ironic_common_packages'].each do |pkg|
-  package pkg do
-    action :upgrade
-  end
+package platform_options['ironic_common_packages'] do
+  action :upgrade
 end
 
 db_type = node['openstack']['db']['bare_metal']['service_type']
-node['openstack']['db']['python_packages'][db_type].each do |pkg|
-  package pkg do
-    action :upgrade
-  end
+package node['openstack']['db']['python_packages'][db_type] do
+  action :upgrade
 end
 
 db_user = node['openstack']['db']['bare_metal']['username']
@@ -54,7 +51,8 @@ if node['openstack']['endpoints']['db']['enabled_slave']
 end
 
 if node['openstack']['mq']['service_type'] == 'rabbit'
-  node.default['openstack']['bare_metal']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'bare_metal'
+  node.default['openstack']['bare_metal']['conf_secrets']['DEFAULT']['transport_url'] =
+    rabbit_transport_url 'bare_metal'
 end
 
 identity_endpoint = internal_endpoint 'identity'
@@ -73,15 +71,15 @@ ironic_conf_options = merge_config_options 'bare_metal'
 directory '/etc/ironic' do
   owner node['openstack']['bare_metal']['user']
   group node['openstack']['bare_metal']['group']
-  mode 00750
-  action :create
+  mode '750'
 end
 
 template '/etc/ironic/ironic.conf' do
   source 'ironic.conf.erb'
   owner node['openstack']['bare_metal']['user']
   group node['openstack']['bare_metal']['group']
-  mode 00640
+  sensitive true
+  mode '640'
   variables(
     service_config: ironic_conf_options
   )
@@ -101,7 +99,7 @@ if node['openstack']['bare_metal']['use_rootwrap']
     cookbook 'openstack-common'
     owner 'root'
     group 'root'
-    mode 0o0644
+    mode '644'
     variables(
       service_config: node['openstack']['bare_metal']['rootwrap']['conf']
     )

spec/api-rhel_spec.rb

@@ -11,8 +11,7 @@ describe 'openstack-bare-metal::api' do
     include_context 'bare-metal-stubs'
 
     it do
-      expect(chef_run).to upgrade_package('openstack-ironic-api')
-      expect(chef_run).to upgrade_package('mod_wsgi')
+      expect(chef_run).to upgrade_package %w(openstack-ironic-api mod_wsgi)
     end
 
     it do

spec/api_spec.rb

@@ -1,9 +1,9 @@
 # Encoding: utf-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Spec:: api_spec
 #
-# Copyright 2015, IBM Corp.
+# Copyright:: 2015, IBM Corp.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

spec/conductor-rhel_spec.rb

@@ -0,0 +1,15 @@
+require_relative 'spec_helper'
+
+describe 'openstack-bare-metal::conductor' do
+  describe 'redhat' do
+    let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) }
+    let(:node) { runner.node }
+    cached(:chef_run) { runner.converge(described_recipe) }
+
+    include_context 'bare-metal-stubs'
+
+    it do
+      expect(chef_run).to upgrade_package %w(openstack-ironic-conductor ipmitool)
+    end
+  end
+end

spec/conductor_spec.rb

@@ -1,9 +1,9 @@
 # Encoding: utf-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Spec:: conductor_spec
 #
-# Copyright 2015, IBM Corp.
+# Copyright:: 2015, IBM Corp.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -32,14 +32,12 @@ describe 'openstack-bare-metal::conductor' do
       expect(chef_run).to include_recipe('openstack-bare-metal::ironic-common')
     end
 
-    it 'upgrades ironic conductor packages' do
-      %w(ironic-conductor ipmitool).each do |pkg|
-        expect(chef_run).to upgrade_package(pkg)
-      end
+    it do
+      expect(chef_run).to upgrade_package %w(ironic-conductor ipmitool)
     end
 
     describe 'ironic-conductor packages' do
-      let(:package) { chef_run.package('ironic-conductor') }
+      let(:package) { chef_run.package(%w(ironic-conductor ipmitool)) }
 
       it 'sends a notification to the service' do
         expect(package).to notify('service[ironic-conductor]').to(:restart).delayed
@@ -56,10 +54,6 @@ describe 'openstack-bare-metal::conductor' do
       it 'subscribes to the template creation' do
         expect(service).to subscribe_to('template[/etc/ironic/ironic.conf]')
       end
-
-      it 'subscribes to the common packages' do
-        expect(service).to subscribe_to('package[python3-ironicclient]').delayed
-      end
     end
   end
 end

spec/ironic-common-rhel_spec.rb

@@ -0,0 +1,15 @@
+require_relative 'spec_helper'
+
+describe 'openstack-bare-metal::ironic-common' do
+  describe 'redhat' do
+    let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) }
+    let(:node) { runner.node }
+    cached(:chef_run) { runner.converge(described_recipe) }
+
+    include_context 'bare-metal-stubs'
+
+    it do
+      expect(chef_run).to upgrade_package %w(openstack-ironic-common python-ironicclient)
+    end
+  end
+end

spec/ironic-common_spec.rb

@@ -1,9 +1,9 @@
 # Encoding: utf-8
 #
-# Cookbook Name:: openstack-bare-metal
+# Cookbook:: openstack-bare-metal
 # Spec:: ironic_common_spec
 #
-# Copyright 2015, IBM Corp.
+# Copyright:: 2015, IBM Corp.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,11 +28,8 @@ describe 'openstack-bare-metal::ironic-common' do
 
     include_context 'bare-metal-stubs'
 
-    it 'upgrades ironic common packages' do
-      expect(chef_run).to upgrade_package('ironic-common')
-      expect(chef_run).to upgrade_package('python3-ironic')
-      expect(chef_run).to upgrade_package('python3-ironic-lib')
-      expect(chef_run).to upgrade_package('python3-ironicclient')
+    it do
+      expect(chef_run).to upgrade_package %w(python3-ironic python3-ironic-lib python3-ironicclient ironic-common)
     end
 
     describe '/etc/ironic' do
@@ -42,7 +39,7 @@ describe 'openstack-bare-metal::ironic-common' do
         expect(chef_run).to create_directory(dir.name).with(
           user: 'ironic',
           group: 'ironic',
-          mode: 0o0750
+          mode: '750'
         )
       end
     end
@@ -58,41 +55,43 @@ describe 'openstack-bare-metal::ironic-common' do
 
       it 'should create the ironic.conf template' do
         expect(chef_run).to create_template(file.name).with(
+          source: 'ironic.conf.erb',
           user: 'ironic',
           group: 'ironic',
-          mode: 0o0640
+          mode: '640',
+          sensitive: true
         )
       end
 
-      [
-        /^auth_strategy = keystone$/,
-        /^control_exchange = ironic$/,
-        /^glance_api_version = 2$/,
-        %r{^state_path = /var/lib/ironic$},
-        %r{^transport_url = rabbit://guest:mypass@127.0.0.1:5672$},
-      ].each do |line|
-        it do
+      it '[DEFAULT]' do
+        [
+          /^auth_strategy = keystone$/,
+          /^control_exchange = ironic$/,
+          /^glance_api_version = 2$/,
+          %r{^state_path = /var/lib/ironic$},
+          %r{^transport_url = rabbit://guest:mypass@127.0.0.1:5672$},
+        ].each do |line|
           expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', line)
         end
       end
-      [
-        /^auth_type = password$/,
-        /^region_name = RegionOne$/,
-        /^username = ironic$/,
-        /^project_name = service$/,
-        /^user_domain_name = Default$/,
-        /^project_domain_name = Default$/,
-        %r{^auth_url = http://127.0.0.1:5000/v3$},
-        /^password = ironic_pass$/,
-      ].each do |line|
-        it do
+      it '[keystone_authtoken]' do
+        [
+          /^auth_type = password$/,
+          /^region_name = RegionOne$/,
+          /^username = ironic$/,
+          /^project_name = service$/,
+          /^user_domain_name = Default$/,
+          /^project_domain_name = Default$/,
+          %r{^auth_url = http://127.0.0.1:5000/v3$},
+          /^password = ironic_pass$/,
+        ].each do |line|
           expect(chef_run).to render_config_file(file.name).with_section_content('keystone_authtoken', line)
         end
       end
-      [
-        %r{^lock_path = /var/lib/cinder/tmp$},
-      ].each do |line|
-        it do
+      it '[oslo_concurrency]' do
+        [
+          %r{^lock_path = /var/lib/cinder/tmp$},
+        ].each do |line|
           expect(chef_run).to render_config_file(file.name).with_section_content('oslo_concurrency', line)
         end
       end
@@ -128,7 +127,7 @@ describe 'openstack-bare-metal::ironic-common' do
         expect(chef_run).to create_template(file.name).with(
           user: 'root',
           group: 'root',
-          mode: 0o644
+          mode: '644'
         )
       end
 
@@ -141,7 +140,7 @@ describe 'openstack-bare-metal::ironic-common' do
             /^syslog_log_facility = syslog$/,
             /^syslog_log_level = ERROR$/,
           ].each do |line|
-            expect(chef_run).to render_config_file(file.name).with_content(line)
+            expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', line)
           end
         end
       end

spec/spec_helper.rb

@@ -109,7 +109,7 @@ shared_examples 'expects to create ironic directories' do
     expect(chef_run).to create_directory('/etc/ironic').with(
       owner: 'ironic',
       group: 'ironic',
-      mode: 0o750
+      mode: '750'
     )
   end
 end
@@ -122,7 +122,7 @@ shared_examples 'expects to create ironic conf' do
       expect(chef_run).to create_template(file.name).with(
         owner: 'ironic',
         group: 'ironic',
-        mode: 0o640
+        mode: '640'
       )
     end