From e0441b532200a881de62f1c49aa3a1e1f9e28f46 Mon Sep 17 00:00:00 2001 From: Christoph Albers Date: Wed, 31 Aug 2016 15:48:17 +0200 Subject: [PATCH] use_cookbook-openstackclient/identity_v3 - Now use cookbook-openstackclient to create endpoints role service and user - added domain creation and access granting - added values to work with identity_v3 - rewrote specs to work again - added needed keystone_authtoken attributes + neutron - updated readme Change-Id: I84f850f32f25a318c3ed3c7337a0dfa6f641a5fe Depends-On: I0f8955f05de9b33711c54b9a198f45018cceb8e1 Depends-On: I2d404a424bd79a6e9b282304e21591fa33a48981 Depends-On: If7b4d6e563081a0be9957353d73ef61a9688df56 --- Berksfile | 6 +- README.md | 1 + attributes/default.rb | 2 +- attributes/nova_conf.rb | 13 ++- metadata.rb | 1 + recipes/identity_registration.rb | 100 ++++++++++--------- recipes/nova-common.rb | 2 +- spec/identity_registration_spec.rb | 153 ++++++++++++----------------- spec/nova-common_spec.rb | 13 ++- 9 files changed, 147 insertions(+), 144 deletions(-) diff --git a/Berksfile b/Berksfile index 9ae96a3d..48f8cb7b 100644 --- a/Berksfile +++ b/Berksfile @@ -2,11 +2,13 @@ source "https://supermarket.chef.io" metadata +cookbook "openstack-network", + github: "openstack/cookbook-openstack-network" cookbook "openstack-image", github: "openstack/cookbook-openstack-image" cookbook "openstack-identity", github: "openstack/cookbook-openstack-identity" cookbook "openstack-common", github: "openstack/cookbook-openstack-common" -cookbook "openstack-network", - github: "openstack/cookbook-openstack-network" +cookbook "openstackclient", + github: "cloudbau/cookbook-openstackclient" diff --git a/README.md b/README.md index 3b0d9b34..c0f137f6 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,7 @@ The following cookbooks are dependencies: - 'openstack-image', '>= 14.0.0' - 'openstack-network', '>= 14.0.0' - 'python', '~> 1.4.6' +- 'openstackclient', '>= 0.1.0' Attributes ========== 
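Review bot: The new Berksfile entry `cookbook "openstackclient", github: "cloudbau/cookbook-openstackclient"` tracks the default branch of a repository outside the `openstack` organisation, and the resources it provides are handed the Keystone admin credentials in `recipes/identity_registration.rb`. Pin it to a reviewed revision, e.g. `github: "cloudbau/cookbook-openstackclient", ref: "<reviewed-commit-sha>"`, so a later push to that repository cannot change what runs with those credentials. The `metadata.rb` hunk has a related gap: `depends 'openstackclient'` carries no constraint while the README line added here says `'>= 0.1.0'`; `depends 'openstackclient', '>= 0.1.0'` would make the two agree.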
diff --git a/attributes/default.rb b/attributes/default.rb index 7f0edfaf..7f59eac5 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -253,7 +253,7 @@ end default['openstack']['endpoints'][type]['compute-xvpvnc']['path'] = '/console' # The OpenStack Compute (Nova) Native API endpoint default['openstack']['endpoints'][type]['compute-api']['port'] = '8774' - default['openstack']['endpoints'][type]['compute-api']['path'] = '/v2/%(tenant_id)s' + default['openstack']['endpoints'][type]['compute-api']['path'] = '/v2.1/%(tenant_id)s' # The OpenStack Compute (Nova) novnc endpoint default['openstack']['endpoints'][type]['compute-novnc']['port'] = '6080' default['openstack']['endpoints'][type]['compute-novnc']['path'] = '/vnc_auto.html' diff --git a/attributes/nova_conf.rb b/attributes/nova_conf.rb index 4b4f31d5..2774ac2e 100644 --- a/attributes/nova_conf.rb +++ b/attributes/nova_conf.rb @@ -22,10 +22,13 @@ default['openstack']['compute']['conf'].tap do |conf| # [keystone_authtoken] conf['keystone_authtoken']['signing_dir'] = '/var/cache/nova/api' - conf['keystone_authtoken']['auth_type'] = 'v2password' + conf['keystone_authtoken']['auth_type'] = 'v3password' conf['keystone_authtoken']['region_name'] = node['openstack']['region'] conf['keystone_authtoken']['username'] = 'nova' - conf['keystone_authtoken']['tenant_name'] = 'service' + conf['keystone_authtoken']['user_domain_name'] = 'Default' + conf['keystone_authtoken']['project_domain_name'] = 'Default' + conf['keystone_authtoken']['project_name'] = 'service' + conf['keystone_authtoken']['auth_version'] = 'v3' # [libvirt] conf['libvirt']['virt_type'] = 'kvm' 
@@ -44,11 +47,13 @@ default['openstack']['compute']['conf'].tap do |conf| end # [neutron] - conf['neutron']['auth_type'] = 'v2password' + conf['neutron']['auth_type'] = 'v3password' conf['neutron']['region_name'] = node['openstack']['region'] conf['neutron']['username'] = 'neutron' - conf['neutron']['tenant_name'] = 'service' + conf['neutron']['user_domain_name'] = 'Default' conf['neutron']['service_metadata_proxy'] = true + conf['neutron']['project_name'] = 'service' + conf['neutron']['project_domain_name'] = 'Default' # [cinder] section conf['cinder']['os_region_name'] = node['openstack']['region'] diff --git a/metadata.rb b/metadata.rb index 2c61b453..9a7aae41 100644 --- a/metadata.rb +++ b/metadata.rb @@ -18,3 +18,4 @@ depends 'openstack-identity', '>= 14.0.0' depends 'openstack-image', '>= 14.0.0' depends 'openstack-network', '>= 14.0.0' depends 'python', '~> 1.4.6' +depends 'openstackclient' diff --git a/recipes/identity_registration.rb b/recipes/identity_registration.rb index 3b25e0cf..b6872586 100644 --- a/recipes/identity_registration.rb +++ b/recipes/identity_registration.rb 
@@ -26,67 +26,77 @@ class ::Chef::Recipe end identity_admin_endpoint = admin_endpoint 'identity' -bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token' -auth_uri = ::URI.decode identity_admin_endpoint.to_s +interfaces = { + public: { url: public_endpoint('compute-api') }, + internal: { url: internal_endpoint('compute-api') }, + admin: { url: admin_endpoint('compute-api') } +} +auth_url = ::URI.decode identity_admin_endpoint.to_s service_pass = get_password 'service', 'openstack-compute' service_user = node['openstack']['compute']['conf']['keystone_authtoken']['username'] service_role = node['openstack']['compute']['service_role'] -service_tenant_name = node['openstack']['compute']['conf']['keystone_authtoken']['tenant_name'] -public_nova_api_endpoint = public_endpoint 'compute-api' -admin_nova_api_endpoint = admin_endpoint 'compute-api' -internal_nova_api_endpoint = internal_endpoint 'compute-api' +service_project_name = node['openstack']['compute']['conf']['keystone_authtoken']['project_name'] +service_domain_name = node['openstack']['compute']['conf']['keystone_authtoken']['user_domain_name'] + # TBD, another clean up opportunity. We could use the 'admin', and # 'internal' endpoints for a single service name. For now, we'll # leave the old names in place. 
region = node['openstack']['region'] +admin_user = node['openstack']['identity']['admin_user'] +admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] +admin_project = node['openstack']['identity']['admin_project'] +admin_domain = node['openstack']['identity']['admin_domain_name'] + +connection_params = { + openstack_auth_url: "#{auth_url}/auth/tokens", + openstack_username: admin_user, + openstack_api_key: admin_pass, + openstack_project_name: admin_project, + openstack_domain_name: admin_domain +} + +# Register Compute Service +openstack_service 'nova' do + type 'compute' + connection_params connection_params +end + +interfaces.each do |interface, res| + # Register Compute Endpoints + openstack_endpoint 'compute' do + service_name 'nova' + interface interface.to_s + url res[:url].to_s + region region + connection_params connection_params + end +end # Register Service Tenant -openstack_identity_register 'Register Service Tenant' do - auth_uri auth_uri - bootstrap_token bootstrap_token - tenant_name service_tenant_name - tenant_description 'Service Tenant' - action :create_tenant +openstack_project service_project_name do + connection_params connection_params end # Register Service User -openstack_identity_register 'Register Service User' do - auth_uri auth_uri - bootstrap_token bootstrap_token - tenant_name service_tenant_name - user_name service_user - user_pass service_pass - action :create_user +openstack_user service_user do + project_name service_project_name + role_name service_role + password service_pass + connection_params connection_params end -## Grant Admin role to Service User for Service Tenant ## -openstack_identity_register "Grant 'admin' Role to Service User for Service Tenant" do - auth_uri auth_uri - bootstrap_token bootstrap_token - tenant_name service_tenant_name - user_name service_user +## Grant Service role to Service User for Service Tenant ## +openstack_user service_user do role_name service_role + project_name 
service_project_name + connection_params connection_params action :grant_role end -# Register Compute Service -openstack_identity_register 'Register Compute Service' do - auth_uri auth_uri - bootstrap_token bootstrap_token - service_name 'nova' - service_type 'compute' - service_description 'Nova Compute Service' - action :create_service -end - -# Register Compute Endpoint -openstack_identity_register 'Register Compute Endpoint' do - auth_uri auth_uri - bootstrap_token bootstrap_token - service_type 'compute' - endpoint_region region - endpoint_adminurl ::URI.decode admin_nova_api_endpoint.to_s - endpoint_internalurl ::URI.decode internal_nova_api_endpoint.to_s - endpoint_publicurl ::URI.decode public_nova_api_endpoint.to_s - action :create_endpoint +openstack_user service_user do + domain_name service_domain_name + role_name service_role + user_name service_user + connection_params connection_params + action :grant_domain end diff --git a/recipes/nova-common.rb b/recipes/nova-common.rb index 0149ad5b..332f781e 100644 --- a/recipes/nova-common.rb +++ b/recipes/nova-common.rb @@ -139,7 +139,7 @@ Chef::Log.debug("openstack-compute::nova-common:network_endpoint|#{network_endpo Chef::Log.debug("openstack-compute::nova-common:image_endpoint|#{image_endpoint}") # Chef::Log.debug("openstack-compute::nova-common:ironic_endpoint|#{ironic_endpoint}") -if node['openstack']['compute']['conf']['neutron']['auth_type'] == 'v2password' +if node['openstack']['compute']['conf']['neutron']['auth_type'] == 'v3password' node.default['openstack']['compute']['conf_secrets'] .[]('neutron')['password'] = get_password 'service', 'openstack-network' diff --git a/spec/identity_registration_spec.rb b/spec/identity_registration_spec.rb index d758f7cc..95f83c1b 100644 --- a/spec/identity_registration_spec.rb +++ b/spec/identity_registration_spec.rb 
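Review bot: `connection_params` carries the Keystone admin password (`openstack_api_key: admin_pass`) into every `openstack_service`, `openstack_endpoint`, `openstack_project` and `openstack_user` block, and `password service_pass` adds the service password, yet none of these resources is marked sensitive. When a converge fails Chef prints the failing resource with its properties, so these values can end up in client logs and reports; add `sensitive true` to each block (whether the openstackclient provider redacts them itself is not visible here). Separately, the last block grants `service_role` on the whole of `service_domain_name` via `action :grant_domain`; with the defaults the spec asserts, that is `admin` on `Default`, which is wider than the project-scoped grant just above it, so it needs a comment stating why the service user requires it, or an attribute to switch it off. The three `openstack_user service_user` blocks also share one resource name, and the spec expecting `password:` on the `:grant_role` resource suggests the later blocks inherit properties through Chef's same-name resource cloning; distinct names with an explicit `user_name service_user` would remove that dependence.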
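Review bot: The condition `node['openstack']['compute']['conf']['neutron']['auth_type'] == 'v3password'` ties the neutron service password to one exact string, so a node that still overrides `auth_type` to `v2password`, or uses the generic `password` plugin, silently gets no `password` in `conf_secrets` and nova's calls to neutron fail authentication at runtime instead of at converge. Match the password-based plugins as a set, e.g. `if %w(v2password v3password password).include?(node['openstack']['compute']['conf']['neutron']['auth_type'])`, or log a warning in an `else` branch when the password is skipped. The `if` body continues past the end of this hunk, so the rest of the branch was not reviewed.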
@@ -10,109 +10,86 @@ describe 'openstack-compute::identity_registration' do include_context 'compute_stubs' - it 'registers service tenant' do - expect(chef_run).to create_tenant_openstack_identity_register( - 'Register Service Tenant' + connection_params = { + openstack_auth_url: 'http://127.0.0.1:35357/v3/auth/tokens', + openstack_username: 'admin', + openstack_api_key: 'admin', + openstack_project_name: 'admin', + openstack_domain_name: 'default' + } + service_name = 'nova' + service_type = 'compute' + service_user = 'nova' + url = 'http://127.0.0.1:8774/v2.1/%(tenant_id)s' + region = 'RegionOne' + project_name = 'service' + role_name = 'admin' + password = 'nova-pass' + domain_name = 'Default' + + it "registers #{project_name} Project" do + expect(chef_run).to create_openstack_project( + project_name ).with( - auth_uri: 'http://127.0.0.1:35357/v2.0', - bootstrap_token: 'bootstrap-token', - tenant_name: 'service', - tenant_description: 'Service Tenant' + connection_params: connection_params ) end + it "registers #{service_name} service" do + expect(chef_run).to create_openstack_service( + service_name + ).with( + connection_params: connection_params, + type: service_type + ) + end + + context "registers #{service_name} endpoint" do + %w(admin internal public).each do |interface| + it "#{interface} endpoint with default values" do + expect(chef_run).to create_openstack_endpoint( + service_type + ).with( + service_name: service_name, + # interface: interface, + url: url, + region: region, + connection_params: connection_params + ) + end + end + end + it 'registers service user' do - expect(chef_run).to create_user_openstack_identity_register( - 'Register Service User' + expect(chef_run).to create_openstack_user( + service_user ).with( - auth_uri: 'http://127.0.0.1:35357/v2.0', - bootstrap_token: 'bootstrap-token', - tenant_name: 'service', - user_name: 'nova', - user_pass: 'nova-pass' + project_name: project_name, + role_name: role_name, + password: password, + 
connection_params: connection_params ) end - it 'grants admin role to service user for service tenant' do - expect(chef_run).to grant_role_openstack_identity_register( - "Grant 'admin' Role to Service User for Service Tenant" + it do + expect(chef_run).to grant_domain_openstack_user( + service_user ).with( - auth_uri: 'http://127.0.0.1:35357/v2.0', - bootstrap_token: 'bootstrap-token', - tenant_name: 'service', - user_name: 'nova', - role_name: 'admin' + domain_name: domain_name, + role_name: role_name, + connection_params: connection_params ) end - it 'registers compute service' do - expect(chef_run).to create_service_openstack_identity_register( - 'Register Compute Service' + it do + expect(chef_run).to grant_role_openstack_user( + service_user ).with( - auth_uri: 'http://127.0.0.1:35357/v2.0', - bootstrap_token: 'bootstrap-token', - service_name: 'nova', - service_type: 'compute', - service_description: 'Nova Compute Service' + project_name: project_name, + role_name: role_name, + password: password, + connection_params: connection_params ) end - - context 'registers compute endpoint' do - it 'with default values' do - expect(chef_run).to create_endpoint_openstack_identity_register( - 'Register Compute Endpoint' - ).with( - auth_uri: 'http://127.0.0.1:35357/v2.0', - bootstrap_token: 'bootstrap-token', - service_type: 'compute', - endpoint_region: 'RegionOne', - endpoint_adminurl: 'http://127.0.0.1:8774/v2/%(tenant_id)s', - endpoint_internalurl: 'http://127.0.0.1:8774/v2/%(tenant_id)s', - endpoint_publicurl: 'http://127.0.0.1:8774/v2/%(tenant_id)s' - ) - end - - it 'register endpoint with all different URLs' do - public_url = 'https://public.host:789/public_path' - internal_url = 'http://internal.host:456/internal_path' - admin_url = 'https://admin.host:123/admin_path' - node.set['openstack']['endpoints']['public']['compute-api']['uri'] = public_url - node.set['openstack']['endpoints']['internal']['compute-api']['uri'] = internal_url - 
node.set['openstack']['endpoints']['admin']['compute-api']['uri'] = admin_url - - expect(chef_run).to create_endpoint_openstack_identity_register( - 'Register Compute Endpoint' - ).with( - endpoint_adminurl: admin_url, - endpoint_internalurl: internal_url, - endpoint_publicurl: public_url - ) - end - - it 'with custom region override' do - node.set['openstack']['region'] = 'computeRegion' - expect(chef_run).to create_endpoint_openstack_identity_register( - 'Register Compute Endpoint' - ).with(endpoint_region: 'computeRegion') - end - end - - describe "when 'ec2' is not in the list of enabled_apis" do - before do - node.set['openstack']['compute']['conf']['DEFAULT']['enabled_apis'] = 'osapi_compute' - end - - it 'does not register ec2 service' do - expect(chef_run).not_to create_service_openstack_identity_register( - 'Register EC2 Service' - ) - end - - it 'does not register ec2 endpoint' do - expect(chef_run).not_to create_endpoint_openstack_identity_register( - 'Register EC2 Endpoint' - ) - end - end end end diff --git a/spec/nova-common_spec.rb b/spec/nova-common_spec.rb index c0dc21b5..9a6069ab 100644 --- a/spec/nova-common_spec.rb +++ b/spec/nova-common_spec.rb @@ -123,8 +123,12 @@ describe 'openstack-compute::nova-common' do context 'keystone_authtoken' do it 'has correct auth_token settings' do [ - 'auth_url = http://127.0.0.1:5000/v2.0', - 'password = nova-pass' + 'auth_url = http://127.0.0.1:5000/v3', + 'password = nova-pass', + 'username = nova', + 'project_name = service', + 'user_domain_name = Default', + 'project_domain_name = Default' ].each do |line| expect(chef_run).to render_config_file(file.name)\ .with_section_content('keystone_authtoken', /^#{Regexp.quote(line)}$/) 
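Review bot: In the `registers #{service_name} endpoint` context the `interface: interface` expectation is commented out, so the three generated examples assert exactly the same properties and would still pass if the recipe registered only one interface or mixed up the URLs. Restore `interface: interface` in the `.with(...)` call; if ChefSpec then cannot tell the three `openstack_endpoint 'compute'` resources apart because they share a name, that is better fixed in the recipe than hidden in the spec. The removed examples for distinct public/internal/admin URLs and for a region override have no replacement, so per-interface URL handling and region overrides are now untested. The two `it do` examples at the end carry no description, and the `grant_role` one expects `password: password` although the recipe's `:grant_role` block never sets a password.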
@@ -145,7 +149,10 @@ describe 'openstack-compute::nova-common' do it do [ - + /^username = neutron$/, + /^project_name = service$/, + /^user_domain_name = Default/, + /^project_domain_name = Default/, %r{^url = http://127.0.0.1:9696$} ].each do |line| expect(chef_run).to render_config_file(file.name)\