Merge "Update auth parameters to support Keystone v3"

Jenkins 2016-06-23 05:05:18 +00:00 committed by Gerrit Code Review
commit 9b1b605756
6 changed files with 145 additions and 88 deletions


@ -18,6 +18,19 @@
# (optional) Tenant to authenticate with.
# Defaults to 'services'.
#
# [*keystone_project_domain_name*]
# (optional) Project domain name to authenticate with.
# Defaults to 'default'.
#
# [*keystone_user_domain_name*]
# (optional) User domain name to authenticate with.
# Defaults to 'default'.
#
# [*keystone_auth_type*]
# (optional) An authentication type to use with an OpenStack Identity server.
# The value should contain auth plugin name.
# Defaults to 'password'.
#
# [*keystone_password*]
# Password to authenticate with.
# Mandatory.
@ -26,9 +39,9 @@
# (optional) Public Identity API endpoint.
# Defaults to 'false'.
#
# [*keystone_identity_uri*]
# (optional) Complete admin Identity API endpoint.
# Defaults to: false
# [*keystone_auth_url*]
# (optional) URL used by the plugin to know where to authenticate the service user.
# Defaults to $::os_service_default.
#
# [*host*]
# (optional) The aodh api bind address.
@ -54,22 +67,41 @@
# [*sync_db*]
# (optional) Run gnocchi-upgrade db sync on api nodes after installing the package.
# Defaults to false
#
# DEPRECATED PARAMETERS
#
# [*keystone_identity_uri*]
# (optional) DEPRECATED. Complete admin Identity API endpoint.
# Defaults to: undef
#
class aodh::api (
$manage_service = true,
$enabled = true,
$package_ensure = 'present',
$keystone_user = 'aodh',
$keystone_tenant = 'services',
$keystone_password = false,
$keystone_auth_uri = false,
$keystone_identity_uri = false,
$host = '0.0.0.0',
$port = '8042',
$service_name = $::aodh::params::api_service_name,
$sync_db = false,
$manage_service = true,
$enabled = true,
$package_ensure = 'present',
$keystone_user = 'aodh',
$keystone_tenant = 'services',
$keystone_password = false,
$keystone_auth_uri = false,
$keystone_auth_url = $::os_service_default,
$keystone_project_domain_name = 'default',
$keystone_user_domain_name = 'default',
$keystone_auth_type = 'password',
$host = '0.0.0.0',
$port = '8042',
$service_name = $::aodh::params::api_service_name,
$sync_db = false,
# DEPRECATED PARAMETERS
$keystone_identity_uri = undef,
) inherits aodh::params {
if $keystone_identity_uri {
warning('keystone_identity_uri is deprecated, and will be removed in a future release.')
$keystone_auth_url_real = $keystone_identity_uri
} else {
$keystone_auth_url_real = $keystone_auth_url
}
include ::aodh::params
include ::aodh::policy
@ -126,22 +158,16 @@ class aodh::api (
}
aodh_config {
'keystone_authtoken/auth_uri' : value => $keystone_auth_uri;
'keystone_authtoken/admin_tenant_name' : value => $keystone_tenant;
'keystone_authtoken/admin_user' : value => $keystone_user;
'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
'api/host' : value => $host;
'api/port' : value => $port;
}
if $keystone_identity_uri {
aodh_config {
'keystone_authtoken/identity_uri': value => $keystone_identity_uri;
}
} else {
aodh_config {
'keystone_authtoken/identity_uri': ensure => absent;
}
'keystone_authtoken/auth_uri' : value => $keystone_auth_uri;
'keystone_authtoken/auth_url' : value => $keystone_auth_url_real;
'keystone_authtoken/project_name' : value => $keystone_tenant;
'keystone_authtoken/project_domain_name' : value => $keystone_project_domain_name;
'keystone_authtoken/user_domain_name' : value => $keystone_user_domain_name;
'keystone_authtoken/auth_type' : value => $keystone_auth_type;
'keystone_authtoken/username' : value => $keystone_user;
'keystone_authtoken/password' : value => $keystone_password, secret => true;
'api/host' : value => $host;
'api/port' : value => $port;
}
}
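Review bot: The rewritten `aodh_config` block at the end of the class stops managing `keystone_authtoken/admin_user`, `admin_password`, `admin_tenant_name` and `identity_uri` without removing them, so on a node configured before this change the old service password would stay in aodh.conf, even after `keystone_password` is later rotated. The previous code at least set `identity_uri` to `ensure => absent` when the parameter was unset; unless aodh_config resources are purged somewhere outside this view, I would add an entry such as `'keystone_authtoken/admin_password': ensure => absent;` for each retired key. The same applies to the `service_credentials/os_*` keys retired in the aodh::auth section, notably `os_password`. Separately, `keystone_password` still defaults to `false` although it is documented as mandatory, and no check is visible here before it is written to `keystone_authtoken/password`.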


@ -21,17 +21,31 @@
# the keystone tenant name for aodh services
# Optional. Defaults to 'services'
#
# [*project_domain_id*]
# the keystone project domain id for aodh services
# Optional. Defaults to 'default'
#
# [*user_domain_id*]
# the keystone user domain id for aodh services
# Optional. Defaults to 'default'
#
# [*auth_tenant_id*]
# the keystone tenant id for aodh services.
# Optional. Defaults to undef.
# Optional. Defaults to $::os_service_default.
#
# [*auth_type*]
# An authentication type to use with an OpenStack Identity server.
# The value should contain auth plugin name.
# Optional. Defaults to 'password'.
#
# [*auth_cacert*]
# Certificate chain for SSL validation. Optional; Defaults to 'undef'
# Certificate chain for SSL validation.
# Optional. Defaults to $::os_service_default
#
# [*auth_endpoint_type*]
# Type of endpoint in Identity service catalog to use for
# communication with OpenStack services.
# Optional. Defaults to undef.
# Optional. Defaults to $::os_service_default.
#
class aodh::auth (
$auth_password,
@ -39,35 +53,26 @@ class aodh::auth (
$auth_region = 'RegionOne',
$auth_user = 'aodh',
$auth_tenant_name = 'services',
$auth_tenant_id = undef,
$auth_cacert = undef,
$auth_endpoint_type = undef,
$project_domain_id = 'default',
$user_domain_id = 'default',
$auth_type = 'password',
$auth_tenant_id = $::os_service_default,
$auth_cacert = $::os_service_default,
$auth_endpoint_type = $::os_service_default,
) {
if $auth_cacert {
aodh_config { 'service_credentials/os_cacert': value => $auth_cacert }
} else {
aodh_config { 'service_credentials/os_cacert': ensure => absent }
}
aodh_config {
'service_credentials/os_auth_url' : value => $auth_url;
'service_credentials/os_region_name' : value => $auth_region;
'service_credentials/os_username' : value => $auth_user;
'service_credentials/os_password' : value => $auth_password, secret => true;
'service_credentials/os_tenant_name' : value => $auth_tenant_name;
}
if $auth_tenant_id {
aodh_config {
'service_credentials/os_tenant_id' : value => $auth_tenant_id;
}
}
if $auth_endpoint_type {
aodh_config {
'service_credentials/os_endpoint_type' : value => $auth_endpoint_type;
}
'service_credentials/auth_url' : value => $auth_url;
'service_credentials/region_name' : value => $auth_region;
'service_credentials/username' : value => $auth_user;
'service_credentials/password' : value => $auth_password, secret => true;
'service_credentials/project_name' : value => $auth_tenant_name;
'service_credentials/cacert' : value => $auth_cacert;
'service_credentials/tenant_id' : value => $auth_tenant_id;
'service_credentials/endpoint_type' : value => $auth_endpoint_type;
'service_credentials/project_domain_id' : value => $project_domain_id;
'service_credentials/user_domain_id' : value => $user_domain_id;
'service_credentials/auth_type' : value => $auth_type;
}
}
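Review bot: With the `if $auth_cacert` guard removed, `service_credentials/cacert` is written unconditionally, so a caller that still passes a falsy or empty value to mean "no CA bundle" would apparently get that literal written as the CA path instead of the option being left unset. The same holds for `auth_tenant_id` and `auth_endpoint_type`, which lost their guards in the same block. If such callers exist, normalising these values before the `aodh_config` block would avoid a silently broken TLS trust setting; a release-note line saying that only `$::os_service_default` means unset would also help. It is also worth confirming that `tenant_id` is the intended key name next to `project_name`, since the plugin's option name for the ID is not visible here.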


@ -0,0 +1,6 @@
---
features:
- Update service_credentials and keystone_authtoken parameters to support
Keystone v3 and password auth_type.
deprecations:
- Deprecate keystone_identity_uri from aodh::api class.


@ -45,7 +45,7 @@ describe 'basic aodh' do
class { '::aodh::api':
enabled => true,
keystone_password => 'a_big_secret',
keystone_identity_uri => 'http://127.0.0.1:35357/',
keystone_auth_uri => 'http://127.0.0.1:5000',
service_name => 'httpd',
}
include ::apache


@ -8,14 +8,17 @@ describe 'aodh::api' do
end
let :params do
{ :enabled => true,
:manage_service => true,
:keystone_password => 'aodh-passw0rd',
:keystone_tenant => 'services',
:keystone_user => 'aodh',
:package_ensure => 'latest',
:port => '8042',
:host => '0.0.0.0',
{ :enabled => true,
:manage_service => true,
:keystone_password => 'aodh-passw0rd',
:keystone_tenant => 'services',
:keystone_user => 'aodh',
:keystone_project_domain_name => 'default',
:keystone_user_domain_name => 'default',
:keystone_auth_type => 'password',
:package_ensure => 'latest',
:port => '8042',
:host => '0.0.0.0',
}
end
@ -38,10 +41,12 @@ describe 'aodh::api' do
end
it 'configures keystone authentication middleware' do
is_expected.to contain_aodh_config('keystone_authtoken/admin_tenant_name').with_value( params[:keystone_tenant] )
is_expected.to contain_aodh_config('keystone_authtoken/admin_user').with_value( params[:keystone_user] )
is_expected.to contain_aodh_config('keystone_authtoken/admin_password').with_value( params[:keystone_password] )
is_expected.to contain_aodh_config('keystone_authtoken/admin_password').with_value( params[:keystone_password] ).with_secret(true)
is_expected.to contain_aodh_config('keystone_authtoken/project_name').with_value( params[:keystone_tenant] )
is_expected.to contain_aodh_config('keystone_authtoken/username').with_value( params[:keystone_user] )
is_expected.to contain_aodh_config('keystone_authtoken/password').with_value( params[:keystone_password] ).with_secret(true)
is_expected.to contain_aodh_config('keystone_authtoken/project_domain_name').with_value( params[:keystone_project_domain_name] )
is_expected.to contain_aodh_config('keystone_authtoken/user_domain_name').with_value( params[:keystone_user_domain_name] )
is_expected.to contain_aodh_config('keystone_authtoken/auth_type').with_value( params[:keystone_auth_type] )
is_expected.to contain_aodh_config('api/host').with_value( params[:host] )
is_expected.to contain_aodh_config('api/port').with_value( params[:port] )
end
@ -128,16 +133,29 @@ describe 'aodh::api' do
it_raises 'a Puppet::Error', /Invalid service_name/
end
context "with custom keystone identity_uri and auth_uri" do
context "with custom keystone auth_uri" do
before do
params.merge!({
:keystone_identity_uri => 'https://foo.bar:35357/',
:keystone_auth_uri => 'https://foo.bar:5000/v2.0/',
:keystone_auth_uri => 'https://foo.bar:5000',
:keystone_auth_url => 'https://foo.bar:35357',
})
end
it 'configures identity_uri and auth_uri but deprecates old auth settings' do
is_expected.to contain_aodh_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:35357/");
is_expected.to contain_aodh_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000/v2.0/");
it 'configures auth_uri but deprecates old auth settings' do
is_expected.to contain_aodh_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000");
is_expected.to contain_aodh_config('keystone_authtoken/auth_url').with_value("https://foo.bar:35357");
end
end
context "with deprecated keystone auth_uri" do
before do
params.merge!({
:keystone_auth_uri => 'https://foo.bar:5000',
:keystone_identity_uri => 'https://foo.bar:35357/deprecated',
})
end
it 'configures auth_uri but deprecates old auth settings' do
is_expected.to contain_aodh_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000");
is_expected.to contain_aodh_config('keystone_authtoken/auth_url').with_value("https://foo.bar:35357/deprecated");
end
end
end
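Review bot: Neither new context covers the case where both `keystone_identity_uri` and `keystone_auth_url` are set, so the precedence implemented in the class (the deprecated parameter wins) is untested, and there is no expectation for the default `keystone_authtoken/auth_url`. The second context is titled "with deprecated keystone auth_uri" although it exercises `keystone_identity_uri`, and both `it` blocks share the description 'configures auth_uri but deprecates old auth settings'. I would rename the context to `context "with deprecated keystone identity_uri" do` and add a case that merges both parameters and expects `keystone_authtoken/auth_url` to carry the identity_uri value. The enclosing `describe` starts outside this section.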


@ -14,13 +14,15 @@ describe 'aodh::auth' do
shared_examples_for 'aodh-auth' do
it 'configures authentication' do
is_expected.to contain_aodh_config('service_credentials/os_auth_url').with_value('http://localhost:5000/v2.0')
is_expected.to contain_aodh_config('service_credentials/os_region_name').with_value('RegionOne')
is_expected.to contain_aodh_config('service_credentials/os_username').with_value('aodh')
is_expected.to contain_aodh_config('service_credentials/os_password').with_value('password')
is_expected.to contain_aodh_config('service_credentials/os_password').with_value(params[:auth_password]).with_secret(true)
is_expected.to contain_aodh_config('service_credentials/os_tenant_name').with_value('services')
is_expected.to contain_aodh_config('service_credentials/os_cacert').with(:ensure => 'absent')
is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v2.0')
is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne')
is_expected.to contain_aodh_config('service_credentials/project_domain_id').with_value('default')
is_expected.to contain_aodh_config('service_credentials/user_domain_id').with_value('default')
is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password')
is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')
is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true)
is_expected.to contain_aodh_config('service_credentials/project_name').with_value('services')
is_expected.to contain_aodh_config('service_credentials/cacert').with(:value => '<SERVICE DEFAULT>')
end
context 'when overriding parameters' do
@ -30,8 +32,8 @@ describe 'aodh::auth' do
:auth_endpoint_type => 'internalURL',
)
end
it { is_expected.to contain_aodh_config('service_credentials/os_cacert').with_value(params[:auth_cacert]) }
it { is_expected.to contain_aodh_config('service_credentials/os_endpoint_type').with_value(params[:auth_endpoint_type]) }
it { is_expected.to contain_aodh_config('service_credentials/cacert').with_value(params[:auth_cacert]) }
it { is_expected.to contain_aodh_config('service_credentials/endpoint_type').with_value(params[:auth_endpoint_type]) }
end
end
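Review bot: The defaults example still expects `service_credentials/auth_url` to be `http://localhost:5000/v2.0` while also expecting `project_domain_id` and `user_domain_id`. Domain-scoped credentials are a Keystone v3 concept, so the default URL (set in the class, outside these hunks) looks inconsistent with the commit's goal. If the default cannot change in this commit, a comment in the spec saying the v2.0 URL is only the inherited default would help. The example also has no expectation for `service_credentials/tenant_id` or `endpoint_type`, which the class now always writes; `is_expected.to contain_aodh_config('service_credentials/tenant_id').with_value('<SERVICE DEFAULT>')` would pin the new default. The `shared_examples_for` block continues outside this section.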