diff --git a/CHANGELOG.md b/CHANGELOG.md
index e005a42..047e4a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ This file is used to list changes made in each version of the openstack-metering
 * Sync conf files with Juno
 * Set os_region_name properly
 * Upgrading berkshelf from 2.0.18 to 3.1.5
+* Allow cafile, os_cacert, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and has
+h_algorithms to be configurable
 ## 10.0.0
 * Upgrading to Juno
diff --git a/README.md b/README.md
index 398d533..a2e9557 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,15 @@ Attributes
 ==========
 * `openstack['telemetry']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
-* `openstack['telemetry']['sample_source'] - The source name of emitted samples, default value is openstack.
+* `openstack['telemetry']['sample_source']` - The source name of emitted samples, default value is openstack.
+* `openstack['telemetry']['api']['auth']['memcached_servers']` - A list of memcached server(s) to use for caching
+* `openstack['telemetry']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
+* `openstack['telemetry']['api']['auth']['memcache_secret_key']` - This string is used for key derivation
+* `openstack['telemetry']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens
+* `openstack['telemetry']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections
+* `openstack['telemetry']['api']['auth']['insecure']` - Set whether to verify HTTPS connections
+* `openstack['telemetry']['service-credentials']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections (for service polling authentication)
+* `openstack['telemetry']['service-credentials']['insecure']` - Set whether to verify HTTPS connections (for service polling authentication)
 The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
diff --git a/attributes/default.rb b/attributes/default.rb
index f5ac22f..74bf4bf 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -34,6 +34,24 @@ default['openstack']['telemetry']['api']['auth']['cache_dir'] = '/var/cache/ceil
 default['openstack']['telemetry']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
+# A list of memcached server(s) to use for caching
+default['openstack']['telemetry']['api']['auth']['memcached_servers'] = nil
+
+# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
+default['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] = nil
+
+# This string is used for key derivation
+default['openstack']['telemetry']['api']['auth']['memcache_secret_key'] = nil
+
+# Hash algorithms to use for hashing PKI tokens
+default['openstack']['telemetry']['api']['auth']['hash_algorithms'] = 'md5'
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections
+default['openstack']['telemetry']['api']['auth']['cafile'] = nil
+
+# Verify HTTPS connections
+default['openstack']['telemetry']['api']['auth']['insecure'] = false
+
 default['openstack']['telemetry']['user'] = 'ceilometer'
 default['openstack']['telemetry']['group'] = 'ceilometer'
@@ -42,6 +60,12 @@ default['openstack']['telemetry']['service_user'] = 'ceilometer'
 default['openstack']['telemetry']['service_tenant_name'] = 'service'
 default['openstack']['telemetry']['service_role'] = 'admin'
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections (for service polling authentication)
+default['openstack']['telemetry']['service-credentials']['cafile'] = nil
+
+# Verify HTTPS connections (for service polling authentication)
+default['openstack']['telemetry']['service-credentials']['insecure'] = false
+
 default['openstack']['telemetry']['sample_source'] = 'openstack'
 case node['openstack']['compute']['driver']
diff --git a/spec/common_spec.rb b/spec/common_spec.rb
index 2e47dd6..65541ec 100644
--- a/spec/common_spec.rb
+++ b/spec/common_spec.rb
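Review bot: The comment `# Verify HTTPS connections` above `default['openstack']['telemetry']['api']['auth']['insecure'] = false` in the first hunk of attributes/default.rb reads as if `true` switches verification on, while the option works the other way round: setting `insecure` to `true` turns certificate verification off. I would word it as `# Set to true to skip TLS certificate verification (keep false outside test environments)`. The same wording is used for `['service-credentials']['insecure']` in the second hunk of this file, in the two README entries, and in the comments above both `insecure =` lines added to templates/default/ceilometer.conf.erb, so they should be changed together.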
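Review bot: The key `['service-credentials']` introduced in the second hunk of attributes/default.rb is the only hyphenated attribute name in view; its neighbours use underscores (`service_user`, `service_tenant_name`, `sample_source`), and the section it feeds in the template is `[service_credentials]`. Naming it `default['openstack']['telemetry']['service_credentials']['cafile']` (and likewise for `insecure`) would make it harder for a wrapper cookbook to set the underscore form by mistake and silently keep the defaults, which for `cafile` means the intended CA is never applied. The template and spec references would need the same rename.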
@@ -132,6 +132,50 @@ describe 'openstack-telemetry::common' do end end + context 'service_credentials attributes with default values' do + it 'sets cafile' do + expect(chef_run).not_to render_file(file.name).with_content(/^os_cacert = $/) + end + + it 'sets insecure' do + expect(chef_run).to render_file(file.name).with_content(/^insecure = false$/) + end + end + + context 'service_credentials attributes' do + it 'sets cafile' do + node.set['openstack']['telemetry']['service-credentials']['cafile'] = 'dir/to/path' + expect(chef_run).to render_file(file.name).with_content(%r{^os_cacert = dir/to/path$}) + end + + it 'sets insecure' do + node.set['openstack']['telemetry']['service-credentials']['insecure'] = true + expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/) + end + end + + context 'keystone authtoken attributes with default values' do + it 'sets memcached server(s)' do + expect(chef_run).not_to render_file(file.name).with_content(/^memcached_servers = $/) + end + + it 'sets memcache security strategy' do + expect(chef_run).not_to render_file(file.name).with_content(/^memcache_security_strategy = $/) + end + + it 'sets memcache secret key' do + expect(chef_run).not_to render_file(file.name).with_content(/^memcache_secret_key = $/) + end + + it 'sets cafile' do + expect(chef_run).not_to render_file(file.name).with_content(/^cafile = $/) + end + + it 'sets token hash algorithms' do + expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = md5$/) + end + end + context 'has keystone authtoken configuration' do it 'has auth_uri' do expect(chef_run).to render_file(file.name).with_content( 
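Review bot: The `insecure` expectations in this spec hunk cannot tell the two config sections apart: the template now renders an `insecure = …` line both in the `[service_credentials]` section and in what appears to be the keystone authtoken section, and `/^insecure = true$/` or `/^insecure = false$/` matches either of them. If the template read the wrong attribute for one section, `'sets insecure'` would still pass, which matters because this flag controls certificate verification. Anchoring the match to its section, for example `with_content(/^\[service_credentials\][^\[]*^insecure = true$/)`, would pin each attribute to the section it is meant for; the same applies to `'sets insecure'` in the following spec hunk. The enclosing `describe` block starts and ends outside the hunk.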
@@ -177,6 +221,36 @@ describe 'openstack-telemetry::common' do
 expect(chef_run).to render_file(file.name).with_content(
 /^#{Regexp.quote('signing_dir = /var/cache/ceilometer/api')}$/)
 end
+
+ it 'sets memcached server(s)' do
+ node.set['openstack']['telemetry']['api']['auth']['memcached_servers'] = 'localhost:11211'
+ expect(chef_run).to render_file(file.name).with_content(/^memcached_servers = localhost:11211$/)
+ end
+
+ it 'sets memcache security strategy' do
+ node.set['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] = 'MAC'
+ expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy = MAC$/)
+ end
+
+ it 'sets memcache secret key' do
+ node.set['openstack']['telemetry']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
+ expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key = 0123456789ABCDEF$/)
+ end
+
+ it 'sets cafile' do
+ node.set['openstack']['telemetry']['api']['auth']['cafile'] = 'dir/to/path'
+ expect(chef_run).to render_file(file.name).with_content(%r{^cafile = dir/to/path$})
+ end
+
+ it 'sets insecure' do
+ node.set['openstack']['telemetry']['api']['auth']['insecure'] = true
+ expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
+ end
+
+ it 'sets token hash algorithm' do
+ node.set['openstack']['telemetry']['api']['auth']['hash_algorithms'] = 'sha2'
+ expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = sha2$/)
+ end
 end
 it 'has metering secret' do
diff --git a/templates/default/ceilometer.conf.erb b/templates/default/ceilometer.conf.erb
index 13748e9..420f134 100644
--- a/templates/default/ceilometer.conf.erb
+++ b/templates/default/ceilometer.conf.erb
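Review bot: The value `'sha2'` in `'sets token hash algorithm'` (second spec hunk) is, as far as I know, not an algorithm name the auth middleware can use, assuming the option takes Python hashlib names. The test only checks that the string is copied into the file, so it passes, but specs are often read as usage examples. Setting `['hash_algorithms'] = 'sha256'` and matching `/^hash_algorithms = sha256$/` keeps the test equivalent while showing a working value, which is worth having since the default stays `md5`. The enclosing `context` block starts outside the hunk.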
@@ -74,6 +74,32 @@ admin_user = <%= @service_user %>
 admin_password = <%= @service_pass %>
 signing_dir = <%= node["openstack"]["telemetry"]["api"]["auth"]["cache_dir"] %>
+# A list of memcached server(s) to use for caching.
+<% if node['openstack']['telemetry']['api']['auth']['memcached_servers'] %>
+memcached_servers = <%= node['openstack']['telemetry']['api']['auth']['memcached_servers'] %>
+<% end %>
+
+# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
+<% if node['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] %>
+memcache_security_strategy = <%= node['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] %>
+<% end %>
+
+# This string is used for key derivation.
+<% if node['openstack']['telemetry']['api']['auth']['memcache_secret_key'] %>
+memcache_secret_key = <%= node['openstack']['telemetry']['api']['auth']['memcache_secret_key'] %>
+<% end %>
+
+# Hash algorithms to use for hashing PKI tokens.
+hash_algorithms = <%= node['openstack']['telemetry']['api']['auth']['hash_algorithms'] %>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+<% if node['openstack']['telemetry']['api']['auth']['cafile'] %>
+cafile = <%= node['openstack']['telemetry']['api']['auth']['cafile'] %>
+<% end %>
+
+# Verify HTTPS connections. (boolean value)
+insecure = <%= node['openstack']['telemetry']['api']['auth']['insecure'] %>
+
 [publisher_rpc]
 metering_secret = <%= @metering_secret %>
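Review bot: `memcache_secret_key` is rendered straight from a node attribute, unlike the other secrets in this template: `admin_password` and `metering_secret` come from the template variables `@service_pass` and `@metering_secret`. Node attributes are saved with the node object on the Chef server and are readable by anything that can read node data, so the key protecting cached token data would sit there in clear text. I would pass it in from the recipe instead, e.g. `memcache_secret_key = <%= @memcache_secret_key %>`, populated the same way as `@metering_secret`; the recipe is not part of this diff, so how that variable is filled needs checking there. The guards also allow `memcache_security_strategy` to be rendered without a key, and the middleware is documented as requiring the key whenever a strategy is set, so one condition covering both lines would be safer.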
@@ -91,3 +117,11 @@ wsdl_location = <%= node['openstack']['compute']['vmware']['wsdl_location'] %>
 [service_credentials]
 os_region_name = <%= node['openstack']['telemetry']['region'] %>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections. (for service polling authentication)
+<% if node['openstack']['telemetry']['service-credentials']['cafile'] %>
+os_cacert = <%= node['openstack']['telemetry']['service-credentials']['cafile'] %>
+<% end %>
+
+# Verify HTTPS connections. (boolean value, for service polling authentication)
+insecure = <%= node['openstack']['telemetry']['service-credentials']['insecure'] %>