diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp index 5dd62b7e..04a9ddb2 100644 --- a/manifests/rgw/keystone.pp +++ b/manifests/rgw/keystone.pp @@ -88,8 +88,8 @@ define ceph::rgw::keystone ( exec { "${name}-nssdb-ca": command => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O /tmp/ca -openssl x509 -in /tmp/ca -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\" +wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O - | + openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\" ", unless => "/bin/true # comment to satisfy puppet syntax requirements set -ex @@ -101,8 +101,8 @@ certutil -d ${nss_db_path} -L | grep ^ca exec { "${name}-nssdb-signing": command => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O /tmp/signing -openssl x509 -in /tmp/signing -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\" +wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O - | + openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\" ", unless => "/bin/true # comment to satisfy puppet syntax requirements set -ex diff --git a/spec/acceptance/ceph_rgw_civet_spec.rb b/spec/acceptance/ceph_rgw_civet_spec.rb index eeda9f9b..26676abb 100644 --- a/spec/acceptance/ceph_rgw_civet_spec.rb +++ b/spec/acceptance/ceph_rgw_civet_spec.rb 
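Review bot: Both rewritten pipelines (`-nssdb-ca` in this hunk and `-nssdb-signing` in the next one) still download with `wget --no-check-certificate` and feed the result straight into `certutil -A`, so whatever answers at `${rgw_keystone_url}` is stored with trust flags `TCu,Cu,Tuw` or `P,P,P` without the source being authenticated; removing the `/tmp` files fixes the predictable path but not this. Consider dropping `--no-check-certificate` by default, or comparing the downloaded certificate's fingerprint with a caller-supplied value before the import. With the pipe, `set -e` only sees the exit status of `certutil`, so a failed or truncated download aborts the exec only if `certutil` rejects the input, whereas the standalone `wget` line used to fail on its own. The expected command strings in `spec/defines/ceph_rgw_keystone_spec.rb` pin the same flag and would need the same update. Both `exec` resources continue outside their hunks.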
@@ -29,9 +29,13 @@ describe 'ceph rgw/civetweb' do # passing it directly as unqoted array is not supported everywhere packages = "[ 'python-ceph', 'ceph-common', 'librados2', 'librbd1', 'libcephfs1' ]" + keystone_admin_token = 'keystonetoken' + keystone_password = '123456' + test_user = 'testuser' test_password = '123456' test_email = 'testuser@example.com' + test_tenant = 'openstack' describe 'ceph::rgw::civetweb' do @@ -42,30 +46,30 @@ describe 'ceph rgw/civetweb' do case $::osfamily { 'Debian': { include ::apt - apt::source { 'cloudarchive-juno': + apt::source { 'cloudarchive-kilo': location => 'http://ubuntu-cloud.archive.canonical.com/ubuntu', - release => 'trusty-updates/juno', + release => 'trusty-updates/kilo', repos => 'main', include_src => false, required_packages => 'ubuntu-cloud-keyring', } + package { 'python-tz': + ensure => latest, + } } 'RedHat': { # ceph-radosgw expects open file limit of 32768 file { '/etc/security/limits.d/80-nofile.conf': content => '* hard nofile 32768', } - yumrepo { 'openstack-juno': - descr => 'OpenStack Juno Repository', - #baseurl => 'http://repos.fedorapeople.org/repos/openstack/openstack-juno/epel-7/', + yumrepo { 'openstack-kilo': + descr => 'OpenStack Kilo Repository', baseurl => 'http://repos.fedorapeople.org/repos/openstack/openstack-kilo/el7/', enabled => '1', gpgcheck => '0', - #gpgkey => 'https://raw.githubusercontent.com/redhat-openstack/rdo-release/juno/RPM-GPG-KEY-RDO-Juno', gpgkey => 'https://raw.githubusercontent.com/redhat-openstack/rdo-release/kilo/RPM-GPG-KEY-RDO-Kilo', priority => '15', # prefer over EPEL, but below ceph } - Yumrepo<||> -> Package['python-swiftclient'] } default: { fail ("Unsupported OS family ${::osfamily}") @@ -100,7 +104,7 @@ describe 'ceph rgw/civetweb' do } -> ceph::key { 'client.radosgw.gateway': - user => $apache_user, + user => $user, secret => '#{radosgw_key}', cap_mon => 'allow rwx', cap_osd => 'allow rwx', 
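Review bot: In the `RedHat` branch of hunk `-42,30 +46,30` the renamed `openstack-kilo` yumrepo keeps `gpgcheck => '0'` and a plain-HTTP `baseurl`, although the `gpgkey` line right below it names the RDO Kilo key, so packages from this repo are installed without signature verification. If the repository is signed with that key, change the line to `gpgcheck => '1',`. The same repo definition is added again in the keystone example (hunk `-168,19 +170,170`), where it is ordered before `Package['keystone']`, so the fix applies there as well.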
@@ -149,8 +153,6 @@ describe 'ceph rgw/civetweb' do } apply_manifest(pp, :catch_failures => true) - # Enable as soon as remaining changes are fixed - #apply_manifest(pp, :catch_changes => true) shell servicequery[osfamily] do |r| expect(r.exit_code).to be_zero 
@@ -168,19 +170,170 @@ describe 'ceph rgw/civetweb' do expect(r.exit_code).to be_zero end - #shell "swift -A http://127.0.0.1:7480/auth/1.0 -U #{test_user}:swift -K #{test_password} stat" do |r| - shell "swift -A http://127.0.0.1:80/auth/1.0 -U #{test_user}:swift -K #{test_password} stat" do |r| + shell "curl -i -H 'X-Auth-User: #{test_user}:swift' -H 'X-Auth-Key: #{test_password}' http://127.0.0.1:80/auth/v1.0/" do |r| expect(r.exit_code).to be_zero - expect(r.stdout).to match(/Content-Type: text\/plain; charset=utf-8/) + expect(r.stdout).to match(/HTTP\/1\.1 204 No Content/) expect(r.stdout).not_to match(/401 Unauthorized/) end end + it 'should configure keystone and ceph-rgw' do + pp = <<-EOS + $user = 'root' + class { 'ceph::repo': + release => '#{release}', + fastcgi => false, + } + class { 'ceph': + fsid => '#{fsid}', + mon_host => $::ipaddress, + mon_initial_members => 'a', + osd_pool_default_size => '1', + osd_pool_default_min_size => '1', + } + ceph::rgw { 'radosgw.gateway': + user => $user, + frontend_type => 'civetweb', + rgw_frontends => 'civetweb port=80', + } + + case $::osfamily { + 'Debian': { + #trusty ships with pbr 0.7 + #openstackclient.shell raises an requiring pbr!=0.7,<1.0,>=0.6' + #the latest is 0.10 + package { 'python-pbr': + ensure => 'latest', + } + include ::apt + apt::source { 'cloudarchive-kilo': + location => 'http://ubuntu-cloud.archive.canonical.com/ubuntu', + release => 'trusty-updates/kilo', + repos => 'main', + include => { + 'src' => 'false', + }, + } + package { 'ubuntu-cloud-keyring': + ensure => present, + } + package { 'python-tz': + ensure => latest, + } + Apt::Source['cloudarchive-kilo'] -> Package['ubuntu-cloud-keyring'] + #Package['ubuntu-cloud-keyring'] -> Package['keystone','python-swiftclient'] + #Exec['apt_update'] -> Package['keystone','python-swiftclient'] + #xec['apt_update'] -> Package['keystone'] + } + 'RedHat': { + yumrepo { 'openstack-kilo': + descr => 'OpenStack Kilo Repository', + baseurl => 
'http://repos.fedorapeople.org/repos/openstack/openstack-kilo/el7/', + enabled => '1', + gpgcheck => '0', + gpgkey => 'https://raw.githubusercontent.com/redhat-openstack/rdo-release/kilo/RPM-GPG-KEY-RDO-Kilo', + priority => '15', # prefer over EPEL, but below ceph + } + Yumrepo<||> -> Package['keystone'] + } + } + + class { 'keystone': + verbose => true, + catalog_type => 'sql', + admin_token => '#{keystone_admin_token}', + admin_endpoint => "http://${::ipaddress}:35357", + } + -> + class { 'keystone::roles::admin': + email => 'admin@example.com', + password => '#{keystone_password}', + } + -> + class { 'keystone::endpoint': + public_url => "http://${::ipaddress}:5000", + admin_url => "http://${::ipaddress}:35357", + internal_url => "http://${::ipaddress}:5000", + region => 'example-1', + } + Service['keystone'] -> Ceph::Rgw::Keystone['radosgw.gateway'] + + keystone_service { 'swift': + ensure => present, + type => 'object-store', + description => 'Openstack Object Storage Service', + } + Keystone_service<||> -> Ceph::Rgw::Keystone['radosgw.gateway'] + keystone_endpoint { 'example-1/swift': + ensure => present, + public_url => "http://${::fqdn}:8080/swift/v1", + admin_url => "http://${::fqdn}:8080/swift/v1", + internal_url => "http://${::fqdn}:8080/swift/v1", + } + Keystone_endpoint<||> -> Ceph::Rgw::Keystone['radosgw.gateway'] + + keystone_user { '#{test_user}': + ensure => present, + enabled => true, + email => '#{test_email}', + password => '#{test_password}', + tenant => '#{test_tenant}', + } + Keystone_user<||> -> Ceph::Rgw::Keystone['radosgw.gateway'] + keystone_user_role { 'testuser@openstack': + ensure => present, + roles => ['_member_'], + } + Keystone_user_role<||> -> Ceph::Rgw::Keystone['radosgw.gateway'] + + #wget is used by ceph::rgw::keystone to pull down files + package { 'wget': # required for tests below + ensure => present, + } -> + ceph::rgw::keystone { 'radosgw.gateway': + rgw_keystone_url => "http://${::ipaddress}:5000", + 
rgw_keystone_admin_token => '#{keystone_admin_token}', + rgw_keystone_version => "v2.0", + user => $user, + } + EOS + + osfamily = fact 'osfamily' + + servicequery = { + 'Debian' => 'status radosgw id=radosgw.gateway', + 'RedHat' => 'service ceph-radosgw status id=radosgw.gateway', + } + + apply_manifest(pp, :catch_failures => true) + shell servicequery[osfamily] do |r| + expect(r.exit_code).to be_zero + end + + shell "curl -i -H 'X-Auth-User: #{test_user}:swift' -H 'X-Auth-Key: #{test_password}' http://127.0.0.1:80/auth/v1.0/" do |r| + expect(r.exit_code).to be_zero + expect(r.stdout).to match(/HTTP\/1\.1 204 No Content/) + expect(r.stdout).not_to match(/401 Unauthorized/) + end + + end + it 'should purge everything' do purge = <<-EOS - $radosgw = $::osfamily ? { - 'RedHat' => 'ceph-radosgw', - default => 'radosgw', + case $::osfamily { + 'Debian': { + $radosgw = 'radosgw' + include ::apt + apt::source { 'cloudarchive-kilo': + ensure => absent, + } + } + 'RedHat': { + $radosgw = 'ceph-radosgw' + yumrepo { 'openstack-kilo': + ensure => absent, + } + } } ceph::osd { '/srv/data': ensure => absent, @@ -222,10 +375,7 @@ describe 'ceph rgw/civetweb' do osfamily = fact 'osfamily' - # RGW on CentOS is currently broken, so lets disable tests for now. - #if osfamily != 'RedHat' - apply_manifest(purge, :catch_failures => true) - #end + apply_manifest(purge, :catch_failures => true) end end end diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb index 8c5e27d4..4962a33c 100644 --- a/spec/defines/ceph_rgw_keystone_spec.rb +++ b/spec/defines/ceph_rgw_keystone_spec.rb 
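Review bot: The new example 'should configure keystone and ceph-rgw' (hunk `-168,19 +170,170`) ends with the same `/auth/v1.0/` request using `X-Auth-User`/`X-Auth-Key` as the civetweb example before it. That looks like the gateway's built-in Swift auth rather than Keystone, so it would presumably still return 204 if the NSS import or the Keystone settings were broken. To cover what the example's name says, obtain a token from Keystone for `test_user` in `test_tenant` and present it to the gateway, for example `shell "curl -i -H 'X-Auth-Token: #{token}' http://127.0.0.1:80/swift/v1" do |r|`, keeping the `401 Unauthorized` check. The `keystone_endpoint` URLs in the same manifest use port 8080 while `rgw_frontends` is `civetweb port=80`; it is worth confirming which port is intended.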
@@ -69,16 +69,16 @@ describe 'ceph::rgw::keystone' do it { is_expected.to contain_exec('radosgw.gateway-nssdb-ca').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O /tmp/ca -openssl x509 -in /tmp/ca -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\" +wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - | + openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\" ", 'user' => 'www-data', ) } it { is_expected.to contain_exec('radosgw.gateway-nssdb-signing').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O /tmp/signing -openssl x509 -in /tmp/signing -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\" +wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - | + openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\" ", 'user' => 'www-data', ) } 
@@ -122,16 +122,16 @@ openssl x509 -in /tmp/signing -pubkey | certutil -A -d /var/lib/ceph/nss -n sign it { is_expected.to contain_exec('radosgw.custom-nssdb-ca').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O /tmp/ca -openssl x509 -in /tmp/ca -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\" +wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - | + openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\" ", 'user' => 'www-data', ) } it { is_expected.to contain_exec('radosgw.custom-nssdb-signing').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O /tmp/signing -openssl x509 -in /tmp/signing -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\" +wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - | + openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\" ", 'user' => 'www-data', ) } 
@@ -187,16 +187,16 @@ openssl x509 -in /tmp/signing -pubkey | certutil -A -d /some/path/to/nss -n sign it { is_expected.to contain_exec('radosgw.gateway-nssdb-ca').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O /tmp/ca -openssl x509 -in /tmp/ca -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\" +wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - | + openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\" ", 'user' => 'apache', ) } it { is_expected.to contain_exec('radosgw.gateway-nssdb-signing').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O /tmp/signing -openssl x509 -in /tmp/signing -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\" +wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - | + openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\" ", 'user' => 'apache', ) } 
@@ -240,16 +240,16 @@ openssl x509 -in /tmp/signing -pubkey | certutil -A -d /var/lib/ceph/nss -n sign it { is_expected.to contain_exec('radosgw.custom-nssdb-ca').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O /tmp/ca -openssl x509 -in /tmp/ca -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\" +wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - | + openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\" ", 'user' => 'apache', ) } it { is_expected.to contain_exec('radosgw.custom-nssdb-signing').with( 'command' => "/bin/true # comment to satisfy puppet syntax requirements set -ex -wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O /tmp/signing -openssl x509 -in /tmp/signing -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\" +wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - | + openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\" ", 'user' => 'apache', ) }