Merge "Update auth parameters to support Keystone v3"
commit
9b1b605756
|
@ -18,6 +18,19 @@
|
|||
# (optional) Tenant to authenticate with.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*keystone_project_domain_name*]
|
||||
# (optional) Project domain name to authenticate with.
|
||||
# Defaults to 'default'.
|
||||
#
|
||||
# [*keystone_user_domain_name*]
|
||||
# (optional) User domain name to authenticate with.
|
||||
# Defaults to 'default'.
|
||||
#
|
||||
# [*keystone_auth_type*]
|
||||
# (optional) An authentication type to use with an OpenStack Identity server.
|
||||
# The value should contain auth plugin name.
|
||||
# Defaults to 'password'.
|
||||
#
|
||||
# [*keystone_password*]
|
||||
# Password to authenticate with.
|
||||
# Mandatory.
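Review bot: The documented default of 'default' for `keystone_project_domain_name` and `keystone_user_domain_name` is a domain name, while Keystone's built-in domain normally has the ID `default` and the name `Default`. Whether the lowercase name resolves depends on how the identity backend compares names, so the docs should say so. Something like `# Defaults to 'default'. Must match the Keystone domain name as stored; the built-in domain is usually named 'Default'.` would do for both parameters. The comment block starts above this hunk, so the class header may already cover this.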
|
||||
|
@ -26,9 +39,9 @@
|
|||
# (optional) Public Identity API endpoint.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
# [*keystone_identity_uri*]
|
||||
# (optional) Complete admin Identity API endpoint.
|
||||
# Defaults to: false
|
||||
# [*keystone_auth_url*]
|
||||
# (optional) URL used by the plugin to know where to authenticate the service user.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*host*]
|
||||
# (optional) The aodh api bind address.
|
||||
|
@ -54,22 +67,41 @@
|
|||
# [*sync_db*]
|
||||
# (optional) Run gnocchi-upgrade db sync on api nodes after installing the package.
|
||||
# Defaults to false
|
||||
#
|
||||
# DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*keystone_identity_uri*]
|
||||
# (optional) DEPRECATED. Complete admin Identity API endpoint.
|
||||
# Defaults to: undef
|
||||
#
|
||||
|
||||
class aodh::api (
|
||||
$manage_service = true,
|
||||
$enabled = true,
|
||||
$package_ensure = 'present',
|
||||
$keystone_user = 'aodh',
|
||||
$keystone_tenant = 'services',
|
||||
$keystone_password = false,
|
||||
$keystone_auth_uri = false,
|
||||
$keystone_identity_uri = false,
|
||||
$host = '0.0.0.0',
|
||||
$port = '8042',
|
||||
$service_name = $::aodh::params::api_service_name,
|
||||
$sync_db = false,
|
||||
$manage_service = true,
|
||||
$enabled = true,
|
||||
$package_ensure = 'present',
|
||||
$keystone_user = 'aodh',
|
||||
$keystone_tenant = 'services',
|
||||
$keystone_password = false,
|
||||
$keystone_auth_uri = false,
|
||||
$keystone_auth_url = $::os_service_default,
|
||||
$keystone_project_domain_name = 'default',
|
||||
$keystone_user_domain_name = 'default',
|
||||
$keystone_auth_type = 'password',
|
||||
$host = '0.0.0.0',
|
||||
$port = '8042',
|
||||
$service_name = $::aodh::params::api_service_name,
|
||||
$sync_db = false,
|
||||
# DEPRECATED PARAMETERS
|
||||
$keystone_identity_uri = undef,
|
||||
) inherits aodh::params {
|
||||
|
||||
if $keystone_identity_uri {
|
||||
warning('keystone_identity_uri is deprecated, and will be removed in a future release.')
|
||||
$keystone_auth_url_real = $keystone_identity_uri
|
||||
} else {
|
||||
$keystone_auth_url_real = $keystone_auth_url
|
||||
}
|
||||
|
||||
include ::aodh::params
|
||||
include ::aodh::policy
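Review bot: When both `keystone_identity_uri` and `keystone_auth_url` are set, the `if $keystone_identity_uri` branch lets the deprecated value win silently. The service then authenticates against an endpoint the operator may believe was replaced. The warning only says the parameter is deprecated; it should also state the precedence, e.g. `warning('keystone_identity_uri is deprecated and overrides keystone_auth_url; set keystone_auth_url instead.')`. Alternatively the class could fail when both are given. The `keystone_auth_url` parameter doc deserves the same sentence.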
|
||||
|
||||
|
@ -126,22 +158,16 @@ class aodh::api (
|
|||
}
|
||||
|
||||
aodh_config {
|
||||
'keystone_authtoken/auth_uri' : value => $keystone_auth_uri;
|
||||
'keystone_authtoken/admin_tenant_name' : value => $keystone_tenant;
|
||||
'keystone_authtoken/admin_user' : value => $keystone_user;
|
||||
'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
|
||||
'api/host' : value => $host;
|
||||
'api/port' : value => $port;
|
||||
}
|
||||
|
||||
if $keystone_identity_uri {
|
||||
aodh_config {
|
||||
'keystone_authtoken/identity_uri': value => $keystone_identity_uri;
|
||||
}
|
||||
} else {
|
||||
aodh_config {
|
||||
'keystone_authtoken/identity_uri': ensure => absent;
|
||||
}
|
||||
'keystone_authtoken/auth_uri' : value => $keystone_auth_uri;
|
||||
'keystone_authtoken/auth_url' : value => $keystone_auth_url_real;
|
||||
'keystone_authtoken/project_name' : value => $keystone_tenant;
|
||||
'keystone_authtoken/project_domain_name' : value => $keystone_project_domain_name;
|
||||
'keystone_authtoken/user_domain_name' : value => $keystone_user_domain_name;
|
||||
'keystone_authtoken/auth_type' : value => $keystone_auth_type;
|
||||
'keystone_authtoken/username' : value => $keystone_user;
|
||||
'keystone_authtoken/password' : value => $keystone_password, secret => true;
|
||||
'api/host' : value => $host;
|
||||
'api/port' : value => $port;
|
||||
}
|
||||
|
||||
}
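Review bot: After this change the old `keystone_authtoken/admin_password`, `admin_user`, `admin_tenant_name` and `identity_uri` keys are no longer managed, as far as the rendered hunk shows, and the former `identity_uri ... ensure => absent` branch is gone too. Unless `aodh_config` resources are purged elsewhere, an upgraded node keeps the previous service password in aodh.conf under the old key, along with a stale identity endpoint. I would mark the retired keys absent in the same `aodh_config` block. The same applies to the `service_credentials/os_password`, `os_username`, `os_tenant_name`, `os_auth_url`, `os_cacert`, `os_tenant_id` and `os_endpoint_type` keys in the `aodh::auth` hunk further down. The class body starts above this hunk.

```puppet
aodh_config {
  # … unchanged: the keystone_authtoken/* and api/* entries written by the new code …
  'keystone_authtoken/identity_uri'      : ensure => absent;
  'keystone_authtoken/admin_tenant_name' : ensure => absent;
  'keystone_authtoken/admin_user'        : ensure => absent;
  'keystone_authtoken/admin_password'    : ensure => absent;
}
```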
|
||||
|
|
|
@ -21,17 +21,31 @@
|
|||
# the keystone tenant name for aodh services
|
||||
# Optional. Defaults to 'services'
|
||||
#
|
||||
# [*project_domain_id*]
|
||||
# the keystone project domain id for aodh services
|
||||
# Optional. Defaults to 'default'
|
||||
#
|
||||
# [*user_domain_id*]
|
||||
# the keystone user domain id for aodh services
|
||||
# Optional. Defaults to 'default'
|
||||
#
|
||||
# [*auth_tenant_id*]
|
||||
# the keystone tenant id for aodh services.
|
||||
# Optional. Defaults to undef.
|
||||
# Optional. Defaults to $::os_service_default.
|
||||
#
|
||||
# [*auth_type*]
|
||||
# An authentication type to use with an OpenStack Identity server.
|
||||
# The value should contain auth plugin name.
|
||||
# Optional. Defaults to 'password'.
|
||||
#
|
||||
# [*auth_cacert*]
|
||||
# Certificate chain for SSL validation. Optional; Defaults to 'undef'
|
||||
# Certificate chain for SSL validation.
|
||||
# Optional. Defaults to $::os_service_default
|
||||
#
|
||||
# [*auth_endpoint_type*]
|
||||
# Type of endpoint in Identity service catalog to use for
|
||||
# communication with OpenStack services.
|
||||
# Optional. Defaults to undef.
|
||||
# Optional. Defaults to $::os_service_default.
|
||||
#
|
||||
class aodh::auth (
|
||||
$auth_password,
|
||||
|
@ -39,35 +53,26 @@ class aodh::auth (
|
|||
$auth_region = 'RegionOne',
|
||||
$auth_user = 'aodh',
|
||||
$auth_tenant_name = 'services',
|
||||
$auth_tenant_id = undef,
|
||||
$auth_cacert = undef,
|
||||
$auth_endpoint_type = undef,
|
||||
$project_domain_id = 'default',
|
||||
$user_domain_id = 'default',
|
||||
$auth_type = 'password',
|
||||
$auth_tenant_id = $::os_service_default,
|
||||
$auth_cacert = $::os_service_default,
|
||||
$auth_endpoint_type = $::os_service_default,
|
||||
) {
|
||||
|
||||
if $auth_cacert {
|
||||
aodh_config { 'service_credentials/os_cacert': value => $auth_cacert }
|
||||
} else {
|
||||
aodh_config { 'service_credentials/os_cacert': ensure => absent }
|
||||
}
|
||||
|
||||
aodh_config {
|
||||
'service_credentials/os_auth_url' : value => $auth_url;
|
||||
'service_credentials/os_region_name' : value => $auth_region;
|
||||
'service_credentials/os_username' : value => $auth_user;
|
||||
'service_credentials/os_password' : value => $auth_password, secret => true;
|
||||
'service_credentials/os_tenant_name' : value => $auth_tenant_name;
|
||||
}
|
||||
|
||||
if $auth_tenant_id {
|
||||
aodh_config {
|
||||
'service_credentials/os_tenant_id' : value => $auth_tenant_id;
|
||||
}
|
||||
}
|
||||
|
||||
if $auth_endpoint_type {
|
||||
aodh_config {
|
||||
'service_credentials/os_endpoint_type' : value => $auth_endpoint_type;
|
||||
}
|
||||
'service_credentials/auth_url' : value => $auth_url;
|
||||
'service_credentials/region_name' : value => $auth_region;
|
||||
'service_credentials/username' : value => $auth_user;
|
||||
'service_credentials/password' : value => $auth_password, secret => true;
|
||||
'service_credentials/project_name' : value => $auth_tenant_name;
|
||||
'service_credentials/cacert' : value => $auth_cacert;
|
||||
'service_credentials/tenant_id' : value => $auth_tenant_id;
|
||||
'service_credentials/endpoint_type' : value => $auth_endpoint_type;
|
||||
'service_credentials/project_domain_id' : value => $project_domain_id;
|
||||
'service_credentials/user_domain_id' : value => $user_domain_id;
|
||||
'service_credentials/auth_type' : value => $auth_type;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- Update service_credentials and keystone_authtoken parameters to support
|
||||
Keystone v3 and password auth_type.
|
||||
deprecations:
|
||||
- Deprecate keystone_identity_uri from aodh::api class.
|
|
@ -45,7 +45,7 @@ describe 'basic aodh' do
|
|||
class { '::aodh::api':
|
||||
enabled => true,
|
||||
keystone_password => 'a_big_secret',
|
||||
keystone_identity_uri => 'http://127.0.0.1:35357/',
|
||||
keystone_auth_uri => 'http://127.0.0.1:5000',
|
||||
service_name => 'httpd',
|
||||
}
|
||||
include ::apache
|
||||
|
|
|
@ -8,14 +8,17 @@ describe 'aodh::api' do
|
|||
end
|
||||
|
||||
let :params do
|
||||
{ :enabled => true,
|
||||
:manage_service => true,
|
||||
:keystone_password => 'aodh-passw0rd',
|
||||
:keystone_tenant => 'services',
|
||||
:keystone_user => 'aodh',
|
||||
:package_ensure => 'latest',
|
||||
:port => '8042',
|
||||
:host => '0.0.0.0',
|
||||
{ :enabled => true,
|
||||
:manage_service => true,
|
||||
:keystone_password => 'aodh-passw0rd',
|
||||
:keystone_tenant => 'services',
|
||||
:keystone_user => 'aodh',
|
||||
:keystone_project_domain_name => 'default',
|
||||
:keystone_user_domain_name => 'default',
|
||||
:keystone_auth_type => 'password',
|
||||
:package_ensure => 'latest',
|
||||
:port => '8042',
|
||||
:host => '0.0.0.0',
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -38,10 +41,12 @@ describe 'aodh::api' do
|
|||
end
|
||||
|
||||
it 'configures keystone authentication middleware' do
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/admin_tenant_name').with_value( params[:keystone_tenant] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/admin_user').with_value( params[:keystone_user] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/admin_password').with_value( params[:keystone_password] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/admin_password').with_value( params[:keystone_password] ).with_secret(true)
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/project_name').with_value( params[:keystone_tenant] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/username').with_value( params[:keystone_user] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/password').with_value( params[:keystone_password] ).with_secret(true)
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/project_domain_name').with_value( params[:keystone_project_domain_name] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/user_domain_name').with_value( params[:keystone_user_domain_name] )
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/auth_type').with_value( params[:keystone_auth_type] )
|
||||
is_expected.to contain_aodh_config('api/host').with_value( params[:host] )
|
||||
is_expected.to contain_aodh_config('api/port').with_value( params[:port] )
|
||||
end
|
||||
|
@ -128,16 +133,29 @@ describe 'aodh::api' do
|
|||
it_raises 'a Puppet::Error', /Invalid service_name/
|
||||
end
|
||||
|
||||
context "with custom keystone identity_uri and auth_uri" do
|
||||
context "with custom keystone auth_uri" do
|
||||
before do
|
||||
params.merge!({
|
||||
:keystone_identity_uri => 'https://foo.bar:35357/',
|
||||
:keystone_auth_uri => 'https://foo.bar:5000/v2.0/',
|
||||
:keystone_auth_uri => 'https://foo.bar:5000',
|
||||
:keystone_auth_url => 'https://foo.bar:35357',
|
||||
})
|
||||
end
|
||||
it 'configures identity_uri and auth_uri but deprecates old auth settings' do
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:35357/");
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000/v2.0/");
|
||||
it 'configures auth_uri but deprecates old auth settings' do
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000");
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/auth_url').with_value("https://foo.bar:35357");
|
||||
end
|
||||
end
|
||||
|
||||
context "with deprecated keystone auth_uri" do
|
||||
before do
|
||||
params.merge!({
|
||||
:keystone_auth_uri => 'https://foo.bar:5000',
|
||||
:keystone_identity_uri => 'https://foo.bar:35357/deprecated',
|
||||
})
|
||||
end
|
||||
it 'configures auth_uri but deprecates old auth settings' do
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000");
|
||||
is_expected.to contain_aodh_config('keystone_authtoken/auth_url').with_value("https://foo.bar:35357/deprecated");
|
||||
end
|
||||
end
|
||||
end
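Review bot: The context titled "with deprecated keystone auth_uri" actually exercises the deprecated `keystone_identity_uri`, and both examples share the description 'configures auth_uri but deprecates old auth settings', so a failure report will not say which path broke. I would rename them, e.g. `context "with deprecated keystone_identity_uri" do` and `it 'uses keystone_identity_uri as keystone_authtoken/auth_url' do`. No example sets `keystone_identity_uri` and `keystone_auth_url` together, so the precedence of the deprecated value is not pinned by a test. The enclosing `describe` block starts outside this hunk.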
|
||||
|
|
|
@ -14,13 +14,15 @@ describe 'aodh::auth' do
|
|||
shared_examples_for 'aodh-auth' do
|
||||
|
||||
it 'configures authentication' do
|
||||
is_expected.to contain_aodh_config('service_credentials/os_auth_url').with_value('http://localhost:5000/v2.0')
|
||||
is_expected.to contain_aodh_config('service_credentials/os_region_name').with_value('RegionOne')
|
||||
is_expected.to contain_aodh_config('service_credentials/os_username').with_value('aodh')
|
||||
is_expected.to contain_aodh_config('service_credentials/os_password').with_value('password')
|
||||
is_expected.to contain_aodh_config('service_credentials/os_password').with_value(params[:auth_password]).with_secret(true)
|
||||
is_expected.to contain_aodh_config('service_credentials/os_tenant_name').with_value('services')
|
||||
is_expected.to contain_aodh_config('service_credentials/os_cacert').with(:ensure => 'absent')
|
||||
is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v2.0')
|
||||
is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne')
|
||||
is_expected.to contain_aodh_config('service_credentials/project_domain_id').with_value('default')
|
||||
is_expected.to contain_aodh_config('service_credentials/user_domain_id').with_value('default')
|
||||
is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password')
|
||||
is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')
|
||||
is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true)
|
||||
is_expected.to contain_aodh_config('service_credentials/project_name').with_value('services')
|
||||
is_expected.to contain_aodh_config('service_credentials/cacert').with(:value => '<SERVICE DEFAULT>')
|
||||
end
|
||||
|
||||
context 'when overriding parameters' do
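Review bot: The example still expects `service_credentials/auth_url` to be 'http://localhost:5000/v2.0' while also asserting `project_domain_id`, `user_domain_id` and `auth_type`. Domain-scoped password auth belongs to the v3 Identity API, so if this value is the class default (the `$auth_url` parameter is not visible in the diff), the defaults look mutually inconsistent. I would either update the default and this expectation to a v3 or unversioned endpoint, or add a comment explaining why the v2.0 URL is kept. There are also no expectations for the default `tenant_id` and `endpoint_type` values, which the class now writes unconditionally.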
|
||||
|
@ -30,8 +32,8 @@ describe 'aodh::auth' do
|
|||
:auth_endpoint_type => 'internalURL',
|
||||
)
|
||||
end
|
||||
it { is_expected.to contain_aodh_config('service_credentials/os_cacert').with_value(params[:auth_cacert]) }
|
||||
it { is_expected.to contain_aodh_config('service_credentials/os_endpoint_type').with_value(params[:auth_endpoint_type]) }
|
||||
it { is_expected.to contain_aodh_config('service_credentials/cacert').with_value(params[:auth_cacert]) }
|
||||
it { is_expected.to contain_aodh_config('service_credentials/endpoint_type').with_value(params[:auth_endpoint_type]) }
|
||||
end
|
||||
|
||||
end
|
||||
|
|