Fix hardcoded protocols for identity_uri endpoints

Fix hardcoded protocols for: ceph-osd, radosgw, ironic-compute, neutron metadata, sahara Related blueprint: selective-ssl Change-Id: I61df0040de7cf911bd85aba30b4807cec0975161 Closes-Bug: #1533819
2016-01-14 15:37:45 +02:00 · 2016-01-14 15:37:45 +02:00 · 3f97fc1dfa
commit 3f97fc1dfa
parent c9d5314333
10 changed files with 60 additions and 25 deletions
--- a/deployment/puppet/osnailyfacter/modular/ceph/ceph-osd.pp
+++ b/deployment/puppet/osnailyfacter/modular/ceph/ceph-osd.pp
@ -25,6 +25,10 @@ prepare_network_config($network_scheme)
 $ceph_cluster_network      = get_network_role_property('ceph/replication', 'network')
 $ceph_public_network       = get_network_role_property('ceph/public', 'network')
 $ceph_tuning_settings      = hiera('ceph_tuning_settings', {})
+$ssl_hash                  = hiera_hash('use_ssl', {})
+$admin_auth_protocol       = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
+$admin_auth_address        = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
+$admin_identity_url        = "${admin_auth_protocol}://${admin_auth_address}:35357"

 class {'ceph':
  primary_mon              => $primary_mon,
@ -35,7 +39,7 @@ class {'ceph':
  osd_pool_default_pg_num  => $storage_hash['pg_num'],
  osd_pool_default_pgp_num => $storage_hash['pg_num'],
  use_rgw                  => $storage_hash['objects_ceph'],
-  rgw_keystone_url         => "${service_endpoint}:35357",
+  rgw_keystone_url         => $admin_identity_url,
  glance_backend           => $glance_backend,
  rgw_pub_ip               => $public_vip,
  rgw_adm_ip               => $management_vip,
--- a/deployment/puppet/osnailyfacter/modular/ceph/radosgw.pp
+++ b/deployment/puppet/osnailyfacter/modular/ceph/radosgw.pp
@ -11,6 +11,9 @@ $radosgw_large_pool_name = ".rgw"
 $mon_address_map  = get_node_to_ipaddr_map_by_network_role(hiera_hash('ceph_monitor_nodes'), 'ceph/public')
 $external_lb      = hiera('external_lb', false)
 $ssl_hash         = hiera_hash('use_ssl', {})
+$admin_identity_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
+$admin_identity_address  = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
+$admin_identity_url      = "${admin_identity_protocol}://${admin_identity_address}:35357"

 if ($storage_hash['volumes_ceph'] or
  $storage_hash['images_ceph'] or
@ -54,9 +57,6 @@ if $use_ceph and $storage_hash['objects_ceph'] {
    $internal_auth_protocol  = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'protocol', 'http')
    $internal_auth_address   = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'hostname', [$service_endpoint, $management_vip])
    $internal_auth_url       = "${internal_auth_protocol}://${internal_auth_address}:5000"
-    $admin_identity_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
-    $admin_identity_address  = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
-    $admin_identity_url      = "${admin_identity_protocol}://${admin_identity_address}:35357"
  }

  haproxy_backend_status { 'keystone-admin' :
@ -109,7 +109,7 @@ if $use_ceph and $storage_hash['objects_ceph'] {
    #rgw Keystone settings
    rgw_use_pki                      => false,
    rgw_use_keystone                 => true,
-    rgw_keystone_url                 => "${service_endpoint}:35357",
+    rgw_keystone_url                 => $admin_identity_url,
    rgw_keystone_admin_token         => $keystone_hash['admin_token'],
    rgw_keystone_token_cache_size    => '10',
    rgw_keystone_accepted_roles      => '_member_, Member, admin, swiftoperator',
--- a/deployment/puppet/osnailyfacter/modular/ironic/ironic-compute.pp
+++ b/deployment/puppet/osnailyfacter/modular/ironic/ironic-compute.pp
@ -40,6 +40,12 @@ $memcached_port                 = hiera('memcache_server_port', '11211')
 $memcached_addresses            = suffix($memcached_servers, ":${memcached_port}")
 $notify_on_state_change         = 'vm_and_task_state'

+$ssl_hash                       = hiera_hash('use_ssl', {})
+$admin_identity_protocol        = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
+$admin_identity_address         = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
+$admin_identity_uri             = "${admin_identity_protocol}://${admin_identity_address}:35357"
+
+
 ####### Disable upstart startup on install #######
 tweaks::ubuntu_service_override { 'nova-compute':
  package_name => "nova-compute",
@ -83,7 +89,7 @@ class { '::nova::compute':


 class { 'nova::compute::ironic':
-  admin_url         => "http://${service_endpoint}:35357/v2.0",
+  admin_url         => "${admin_identity_uri}/v2.0",
  admin_user        => $ironic_user,
  admin_tenant_name => $ironic_tenant,
  admin_passwd      => $ironic_user_password,
@ -93,7 +99,7 @@ class { 'nova::compute::ironic':
 class { 'nova::network::neutron':
  neutron_admin_password => $neutron_config['keystone']['admin_password'],
  neutron_url            => "http://${neutron_endpoint}:9696",
-  neutron_admin_auth_url => "http://${service_endpoint}:35357/v2.0",
+  neutron_admin_auth_url => "${admin_identity_uri}/v2.0",
 }

 cs_resource { "p_nova_compute_ironic":
--- a/deployment/puppet/osnailyfacter/modular/openstack-network/agents/metadata.pp
+++ b/deployment/puppet/osnailyfacter/modular/openstack-network/agents/metadata.pp
@ -17,8 +17,12 @@ if $use_neutron and ($controller or ($dvr and $compute)) {

  $auth_region             = hiera('region', 'RegionOne')
  $service_endpoint        = hiera('service_endpoint')
+  $management_vip          = hiera('management_vip')
  $auth_api_version        = 'v2.0'
-  $admin_identity_uri      = "http://${service_endpoint}:35357"
+  $ssl_hash                = hiera_hash('use_ssl', {})
+  $admin_identity_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
+  $admin_identity_address  = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
+  $admin_identity_uri      = "${admin_identity_protocol}://${admin_identity_address}:35357"
  $admin_auth_url          = "${admin_identity_uri}/${auth_api_version}"

  $neutron_config          = hiera_hash('neutron_config')
@ -29,7 +33,6 @@ if $use_neutron and ($controller or ($dvr and $compute)) {

  $shared_secret           = try_get_value($neutron_config, 'metadata/metadata_proxy_shared_secret')

-  $management_vip          = hiera('management_vip')
  $nova_endpoint           = hiera('nova_endpoint', $management_vip)

  class { 'neutron::agents::metadata':
--- a/deployment/puppet/osnailyfacter/modular/sahara/sahara.pp
+++ b/deployment/puppet/osnailyfacter/modular/sahara/sahara.pp
@ -25,6 +25,12 @@ $amqp_port                  = hiera('amqp_port')
 $amqp_hosts                 = hiera('amqp_hosts')
 $external_lb                = hiera('external_lb', false)
 $ssl_hash                   = hiera_hash('use_ssl', {})
+$internal_auth_protocol     = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'protocol', 'http')
+$internal_auth_address      = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'hostname', [$service_endpoint, $management_vip])
+$internal_auth_url          = "${internal_auth_protocol}://${internal_auth_address}:5000"
+$admin_identity_protocol    = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
+$admin_identity_address     = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
+$admin_identity_uri         = "${admin_identity_protocol}://${admin_identity_address}:35357"

 #################################################################

@ -80,8 +86,8 @@ if $sahara_hash['enabled'] {
    database_max_retries   => $max_retries,
    database_idle_timeout  => $idle_timeout,
    sync_db                => $primary_controller,
-    auth_uri               => "http://${service_endpoint}:5000/v2.0/",
-    identity_uri           => "http://${service_endpoint}:35357/",
+    auth_uri               => "${internal_auth_url}/v2.0/",
+    identity_uri           => $admin_identity_uri,
    rpc_backend            => 'rabbit',
    use_neutron            => $use_neutron,
    admin_user             => $sahara_user,
@ -142,14 +148,6 @@ if $sahara_hash['enabled'] {

  if $primary_controller {

-    $internal_auth_protocol  = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'protocol', 'http')
-    $internal_auth_address   = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'hostname', [$service_endpoint, $management_vip])
-    $internal_auth_url       = "${internal_auth_protocol}://${internal_auth_address}:5000"
-
-    $admin_identity_protocol = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
-    $admin_identity_address  = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
-    $admin_identity_url      = "${admin_identity_protocol}://${admin_identity_address}:35357"
-
    haproxy_backend_status { 'keystone-public' :
      name  => 'keystone-1',
      url   => $external_lb ? {
@ -162,7 +160,7 @@ if $sahara_hash['enabled'] {
      name  => 'keystone-2',
      url   => $external_lb ? {
        default => $haproxy_stats_url,
-        true    => $admin_identity_url,
+        true    => $admin_identity_uri,
      },
    }

--- a/tests/noop/spec/hosts/ceph/ceph-osd_spec.rb
+++ b/tests/noop/spec/hosts/ceph/ceph-osd_spec.rb
@ -14,6 +14,12 @@ describe manifest do
    end
    ceph_tuning_settings = Noop.hiera 'ceph_tuning_settings'

+    public_ssl_hash = Noop.hiera('public_ssl')
+    let(:ssl_hash) { Noop.hiera_hash 'use_ssl', {} }
+    let(:admin_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone', 'admin','protocol','http' }
+    let(:admin_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','admin', 'hostname', [Noop.hiera('service_endpoint', Noop.hiera('management_vip'))]}
+    let(:admin_uri) { "#{admin_auth_protocol}://#{admin_auth_address}:35357" }
+
    if (storage_hash['images_ceph'] or storage_hash['objects_ceph'])
      it { should contain_class('ceph').with(
           'mon_hosts'                => ceph_monitor_nodes.keys,
@ -21,7 +27,7 @@ describe manifest do
           'osd_pool_default_pg_num'  => storage_hash['pg_num'],
           'osd_pool_default_pgp_num' => storage_hash['pg_num'],
           'ephemeral_ceph'           => storage_hash['ephemeral_ceph'],
-           'rgw_keystone_url'         => "#{service_endpoint}:35357"
+           'rgw_keystone_url'         => admin_uri,
           )
         }

--- a/tests/noop/spec/hosts/ceph/radosgw_spec.rb
+++ b/tests/noop/spec/hosts/ceph/radosgw_spec.rb
@ -68,6 +68,7 @@ describe manifest do
      it 'should configure s3 keystone authentication for RadosGW' do
        should contain_class('ceph::radosgw').with(
          :rgw_use_keystone => true,
+          :rgw_keystone_url => admin_url,
        )
        should contain_ceph_conf("client.#{rgw_id}/rgw_s3_auth_use_keystone").with(
          :value => rgw_s3_auth_use_keystone,
--- a/tests/noop/spec/hosts/ironic/ironic-compute_spec.rb
+++ b/tests/noop/spec/hosts/ironic/ironic-compute_spec.rb
@ -28,11 +28,19 @@ describe manifest do
      end
    end

+    public_ssl_hash = Noop.hiera('public_ssl')
+    let(:ssl_hash) { Noop.hiera_hash 'use_ssl', {} }
+    let(:admin_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone', 'admin','protocol','http' }
+    let(:admin_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','admin', 'hostname', [Noop.hiera('service_endpoint', Noop.hiera('management_vip'))]}
+    let(:admin_uri) { "#{admin_auth_protocol}://#{admin_auth_address}:35357" }
+
    if ironic_enabled
      it 'nova config should have correct ironic settings' do
        should contain_nova_config('ironic/admin_password').with(:value => ironic_user_password)
        should contain_nova_config('DEFAULT/compute_driver').with(:value => 'ironic.IronicDriver')
        should contain_nova_config('DEFAULT/compute_manager').with(:value => 'ironic.nova.compute.manager.ClusteredComputeManager')
+        should contain_nova_config('ironic/admin_url').with(:value => "#{admin_uri}/v2.0")
+        should contain_nova_config('neutron/admin_auth_url')..with(:value => "#{admin_uri}/v2.0")
      end

      it 'nova config should have reserved_host_memory_mb set to 0' do
--- a/tests/noop/spec/hosts/openstack-network/agents/metadata_spec.rb
+++ b/tests/noop/spec/hosts/openstack-network/agents/metadata_spec.rb
@ -33,8 +33,10 @@ describe manifest do
      auth_region        = Noop.hiera('region', 'RegionOne')
      service_endpoint   = Noop.hiera('service_endpoint')
      auth_api_version   = 'v2.0'
-      admin_identity_uri = "http://#{service_endpoint}:35357"
-      admin_auth_url     = "#{admin_identity_uri}/#{auth_api_version}"
+      let(:ssl_hash) { Noop.hiera_hash 'use_ssl', {} }
+      let(:admin_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone', 'admin','protocol','http' }
+      let(:admin_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','admin', 'hostname', [Noop.hiera('service_endpoint', Noop.hiera('management_vip'))]}
+      let(:admin_auth_url) { "#{admin_auth_protocol}://#{admin_auth_address}:35357/#{auth_api_version}" }

      if neutron_compute_roles.include?(Noop.hiera('role'))
        context 'neutron-metadata-agent on compute' do
--- a/tests/noop/spec/hosts/sahara/sahara_spec.rb
+++ b/tests/noop/spec/hosts/sahara/sahara_spec.rb
@ -68,6 +68,13 @@ describe manifest do
      "#{sahara_protocol}://#{sahara_address}:#{api_bind_port}"
    }

+    let(:admin_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone', 'admin','protocol','http' }
+    let(:admin_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','admin', 'hostname', [Noop.hiera('service_endpoint', Noop.hiera('management_vip'))]}
+    let(:admin_uri) { "#{admin_auth_protocol}://#{admin_auth_address}:35357" }
+    let(:internal_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','internal','protocol','http' }
+    let(:internal_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','internal','hostname',[Noop.hiera('service_endpoint', ''), Noop.hiera('management_vip')] }
+    let(:auth_url) { "#{internal_auth_protocol}://#{internal_auth_address}:5000/v2.0/" }
+
    ############################################################################

    enable = Noop.hiera_structure('sahara/enabled')
@ -91,8 +98,8 @@ describe manifest do
        sql_connection = "mysql://#{db_user}:#{db_password}@#{db_host}/#{db_name}?read_timeout=#{read_timeout}"

        should contain_class('sahara').with(
-                   'auth_uri'               => "http://#{service_endpoint}:5000/v2.0/",
-                   'identity_uri'           => "http://#{service_endpoint}:35357/",
+                   'auth_uri'               => auth_url,
+                   'identity_uri'           => admin_uri,
                   'plugins'                => sahara_plugins,
                   'rpc_backend'            => 'rabbit',
                   'use_neutron'            => use_neutron,