From 6dc69ab67f9b72ab5c7653f9f268ab1e0a7a83e7 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 23 Jan 2021 10:34:52 +0900 Subject: [PATCH] Create independent classes for key managers This change introduces the new independent classes to manage options for key managers, which are implemented in the castellan library. Depends-on: https://review.opendev.org/772676 Change-Id: I5fc9b4e2db56daf998294245465e8c5fcbd8a061 --- manifests/init.pp | 59 ++++++++++-------- manifests/key_manager.pp | 22 +++++++ manifests/key_manager/barbican.pp | 60 +++++++++++++++++++ .../notes/keymgr-opts-a22700480639d3db.yaml | 21 +++++++ spec/classes/cinder_init_spec.rb | 3 - .../cinder_key_manager_barbican_spec.rb | 57 ++++++++++++++++++ spec/classes/cinder_key_manager_spec.rb | 39 ++++++++++++ 7 files changed, 233 insertions(+), 28 deletions(-) create mode 100644 manifests/key_manager.pp create mode 100644 manifests/key_manager/barbican.pp create mode 100644 releasenotes/notes/keymgr-opts-a22700480639d3db.yaml create mode 100644 spec/classes/cinder_key_manager_barbican_spec.rb create mode 100644 spec/classes/cinder_key_manager_spec.rb diff --git a/manifests/init.pp b/manifests/init.pp index 3e333b4e..0a0bbc5c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -178,21 +178,6 @@ # (Optional) Password for message broker authentication # Defaults to $::os_service_default. # -# [*keymgr_backend*] -# (Optional) Key Manager service class. -# Example of valid value: barbican -# Defaults to $::os_service_default. -# -# [*keymgr_encryption_api_url*] -# (Optional) Key Manager service URL -# Example of valid value: https://localhost:9311/v1 -# Defaults to $::os_service_default. -# -# [*keymgr_encryption_auth_url*] -# (Optional) Auth URL for keymgr authentication. Should be in format -# http://auth_url:5000/v3 -# Defaults to $::os_service_default. -# # [*storage_availability_zone*] # (optional) Availability zone of the node. # Defaults to 'nova' 
@@ -241,10 +226,6 @@ # in the cinder config. # Defaults to false. # -# [*backend_host*] -# (optional) Backend override of host value. -# Defaults to undef. -# # [*enable_force_upload*] # (optional) Enables the Force option on upload_to_image. This # enables running upload_volume on in-use volumes for backends that @@ -286,6 +267,25 @@ # (Optional) Accept clients using either SSL or plain TCP # Defaults to undef. # +# [*backend_host*] +# (optional) Backend override of host value. +# Defaults to undef. +# +# [*keymgr_backend*] +# (Optional) Key Manager service class. +# Example of valid value: barbican +# Defaults to undef. +# +# [*keymgr_encryption_api_url*] +# (Optional) Key Manager service URL +# Example of valid value: https://localhost:9311/v1 +# Defaults to undef. +# +# [*keymgr_encryption_auth_url*] +# (Optional) Auth URL for keymgr authentication. Should be in format +# http://auth_url:5000/v3 +# Defaults to undef. +# class cinder ( $default_transport_url = $::os_service_default, $rpc_response_timeout = $::os_service_default, @@ -323,9 +323,6 @@ class cinder ( $amqp_sasl_config_name = $::os_service_default, $amqp_username = $::os_service_default, $amqp_password = $::os_service_default, - $keymgr_backend = $::os_service_default, - $keymgr_encryption_api_url = $::os_service_default, - $keymgr_encryption_auth_url = $::os_service_default, $package_ensure = 'present', $api_paste_config = '/etc/cinder/api-paste.ini', $storage_availability_zone = 'nova', @@ -348,6 +345,9 @@ class cinder ( $database_max_overflow = undef, $amqp_allow_insecure_clients = undef, $backend_host = undef, + $keymgr_backend = undef, + $keymgr_encryption_api_url = undef, + $keymgr_encryption_auth_url = undef, ) inherits cinder::params { include cinder::deps 
@@ -462,9 +462,6 @@ removed in a future realse. Use cinder::db::database_max_overflow instead') 'DEFAULT/host': value => $host; 'DEFAULT/enable_new_services': value => $enable_new_services; 'DEFAULT/enable_force_upload': value => $enable_force_upload; - 'key_manager/backend': value => $keymgr_backend; - 'barbican/barbican_endpoint': value => $keymgr_encryption_api_url; - 'barbican/auth_endpoint': value => $keymgr_encryption_auth_url; } if $backend_host != undef { @@ -480,6 +477,18 @@ Use the cinder::backends::backend_host parameter instead') 'DEFAULT/enable_v3_api': value => $enable_v3_api; } + if $keymgr_backend != undef { + warning('The keymgr_backend parameter is deprecated. Use the cinder::key_manager class') + include cinder::key_manager + } + + ['keymgr_encryption_api_url', 'keymgr_encryption_auth_url'].each |String $barbican_opt| { + if getvar("${barbican_opt}") != undef { + warning("The ${barbican_opt} parameter is deprecated. Use the cinder::key_manager::barbican class") + } + include cinder::key_manager::barbican + } + oslo::concurrency { 'cinder_config': lock_path => $lock_path } diff --git a/manifests/key_manager.pp b/manifests/key_manager.pp new file mode 100644 index 00000000..4dd21c64 --- /dev/null +++ b/manifests/key_manager.pp @@ -0,0 +1,22 @@ +# == Class: cinder::key_manager +# +# Setup and configure Key Manager options +# +# === Parameters +# +# [*backend*] +# (Optional) Specify the key manager implementation. +# Defaults to $::os_service_default +# +class cinder::key_manager ( + $backend = $::os_service_default, +) { + + include cinder::deps + + $backend_real = pick($cinder::keymgr_backend, $backend) + + oslo::key_manager { 'cinder_config': + backend => $backend_real, + } +} diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp new file mode 100644 index 00000000..9463f9f4 --- /dev/null +++ b/manifests/key_manager/barbican.pp 
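Review bot: In the `@@ -480,6 +477,18 @@` hunk, `include cinder::key_manager::barbican` sits inside the `each` block but outside the `if`, so the barbican class is declared on every catalog (once per loop pass) even when neither deprecated parameter is set. `cinder::key_manager`, by contrast, is declared only when `keymgr_backend` is set, so after this change `key_manager/backend` is no longer managed by default while the `barbican/*` options still are. Because `cinder` now always declares the barbican class, a later resource-like `class { 'cinder::key_manager::barbican': ... }` would probably fail as a duplicate declaration, which is exactly what the deprecation warning tells users to write. If the unconditional include is not intended, hoist it out of the loop and guard it: `if $keymgr_encryption_api_url != undef or $keymgr_encryption_auth_url != undef { include cinder::key_manager::barbican }`. If it is intended, add a comment saying so and handle `cinder::key_manager` the same way.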
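Review bot: In manifests/key_manager.pp, `$backend_real = pick($cinder::keymgr_backend, $backend)` reads a variable of the `cinder` class, but the new class only includes `cinder::deps` and does not document that `cinder` must be evaluated first. Declared on its own or before `cinder`, the lookup hits a class that is not yet evaluated, which is presumably an error or a silent undef depending on the strict-variables setting. The same pattern appears in manifests/key_manager/barbican.pp with the two `pick($cinder::keymgr_encryption_*_url, ...)` lines. `pick` also lets the deprecated value silently win over an explicitly passed `backend`, which decides which key manager the service talks to. I would state both facts in the class header, for example `# NOTE: the cinder class must be declared before this class; a deprecated cinder::keymgr_backend value takes precedence over backend.`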
@@ -0,0 +1,60 @@
+# == Class: cinder::key_manager::barbican
+#
+# Setup and configure Barbican Key Manager options
+#
+# === Parameters
+#
+# [*barbican_endpoint*]
+# (Optional) Use this endpoint to connect to Barbican.
+# Defaults to $::os_service_default
+#
+# [*barbican_api_version*]
+# (Optional) Version of the Barbican API.
+# Defaults to $::os_service_default
+#
+# [*auth_endpoint*]
+# (Optional) Use this endpoint to connect to Keystone.
+# Defaults to $::os_service_default
+#
+# [*retry_delay*]
+# (Optional) Number of seconds to wait before retrying poll for key creation
+# completion.
+# Defaults to $::os_service_default
+#
+# [*number_of_retries*]
+# (Optional) Number of times to retry poll fo key creation completion.
+# Defaults to $::os_service_default
+#
+# [*barbican_endpoint_type*]
+# (Optional) Specifies the type of endpoint.
+# Defaults to $::os_service_default
+#
+# [*barbican_region_name*]
+# (Optional) Specifies the region of the chosen endpoint.
+# Defaults to $::os_service_default
+#
+class cinder::key_manager::barbican (
+ $barbican_endpoint = $::os_service_default,
+ $barbican_api_version = $::os_service_default,
+ $auth_endpoint = $::os_service_default,
+ $retry_delay = $::os_service_default,
+ $number_of_retries = $::os_service_default,
+ $barbican_endpoint_type = $::os_service_default,
+ $barbican_region_name = $::os_service_default,
+) {
+
+ include cinder::deps
+
+ $barbican_endpoint_real = pick($cinder::keymgr_encryption_api_url, $barbican_endpoint)
+ $auth_endpoint_real = pick($cinder::keymgr_encryption_auth_url, $auth_endpoint)
+
+ oslo::key_manager::barbican { 'cinder_config':
+ barbican_endpoint => $barbican_endpoint_real,
+ barbican_api_version => $barbican_api_version,
+ auth_endpoint => $auth_endpoint_real,
+ retry_delay => $retry_delay,
+ number_of_retries => $number_of_retries,
+ barbican_endpoint_type => $barbican_endpoint_type,
+ barbican_region_name => $barbican_region_name,
+ }
+}
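Review bot: The parameter docs for `barbican_endpoint` and `auth_endpoint` drop the example URLs that the old `keymgr_encryption_*` docs carried and say nothing about the expected scheme, although these endpoints carry key material and Keystone credentials. I would restore an example and name the scheme, e.g. `#   (Optional) Use this endpoint to connect to Barbican, for example https://localhost:9311/. Should be an https URL.`, with the same wording for `auth_endpoint` (the old doc gave the format `http://auth_url:5000/v3`). The class exposes no TLS verification setting; whether `oslo::key_manager::barbican` offers one is not visible in this patch, so it may be worth checking. The `number_of_retries` doc also has a typo: `poll fo key creation` should read `poll for key creation`.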
diff --git a/releasenotes/notes/keymgr-opts-a22700480639d3db.yaml b/releasenotes/notes/keymgr-opts-a22700480639d3db.yaml new file mode 100644 index 00000000..f433929b --- /dev/null +++ b/releasenotes/notes/keymgr-opts-a22700480639d3db.yaml @@ -0,0 +1,21 @@ +--- +features: + - | + The new ``cinder::key_manager`` class has been added. This class manages + basic options of key managers. + + - | + The new ``cinder::key_manager::barbican`` class has been added. This class + manages options of BarbicanKeyManager. + +deprecations: + - | + The ``cinder::api::keymgr_backend`` parameter has been deprecated. Use + the ``cinder::key_manager`` class. + + - | + The following parameters of the ``cinder`` class have been deprecated in + favor of the new ``cinder::key_manager::barbican`` class. + + - ``keymgr_encryption_api_url`` + - ``keymgr_encryption_auth_url`` diff --git a/spec/classes/cinder_init_spec.rb b/spec/classes/cinder_init_spec.rb index 6102b152..ae794a5d 100644 --- a/spec/classes/cinder_init_spec.rb +++ b/spec/classes/cinder_init_spec.rb @@ -46,9 +46,6 @@ describe 'cinder' do is_expected.to contain_cinder_config('DEFAULT/host').with_value('') is_expected.to contain_cinder_config('DEFAULT/enable_new_services').with_value('') is_expected.to contain_cinder_config('oslo_concurrency/lock_path').with(:value => '/var/lock/cinder') - is_expected.to contain_cinder_config('key_manager/backend').with_value('') - is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('') - is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('') # backend_host should not be written to DEFAULT section is_expected.not_to contain_cinder_config('DEFAULT/backend_host') diff --git a/spec/classes/cinder_key_manager_barbican_spec.rb b/spec/classes/cinder_key_manager_barbican_spec.rb new file mode 100644 index 00000000..83781618 --- /dev/null +++ b/spec/classes/cinder_key_manager_barbican_spec.rb 
@@ -0,0 +1,57 @@
+require 'spec_helper'
+
+describe 'cinder::key_manager::barbican' do
+ shared_examples 'cinder::key_manager::barbican' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
+ :barbican_endpoint => '',
+ :barbican_api_version => '',
+ :auth_endpoint => '',
+ :retry_delay => '',
+ :number_of_retries => '',
+ :barbican_endpoint_type => '',
+ :barbican_region_name => '',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'cinder::key_manager::barbican'
+ end
+ end
+end
diff --git a/spec/classes/cinder_key_manager_spec.rb b/spec/classes/cinder_key_manager_spec.rb
new file mode 100644
index 00000000..de80bafc
--- /dev/null
+++ b/spec/classes/cinder_key_manager_spec.rb
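Review bot: Neither new spec covers the deprecated-parameter path, so nothing checks that a value set through `cinder::keymgr_encryption_api_url` or `cinder::keymgr_encryption_auth_url` actually reaches `oslo::key_manager::barbican` via the `pick()` lines. The same gap exists in spec/classes/cinder_key_manager_spec.rb for `cinder::keymgr_backend`, and the commit removes the three matching assertions from cinder_init_spec.rb without replacing them. Since these options decide which key manager endpoint the service trusts, I would add a context per spec that declares `cinder` through `pre_condition` and asserts the override. The sketch below uses constructed URLs and assumes the `cinder` class needs no further mandatory parameters.

```ruby
  shared_examples 'cinder::key_manager::barbican' do
    # … unchanged: 'with default parameters' and 'with specified parameters' contexts …

    context 'with deprecated parameters of the cinder class' do
      let :pre_condition do
        "class { 'cinder':
           keymgr_encryption_api_url  => 'https://localhost:9311/v1',
           keymgr_encryption_auth_url => 'https://localhost:5000/v3',
         }"
      end

      it {
        is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
          :barbican_endpoint => 'https://localhost:9311/v1',
          :auth_endpoint     => 'https://localhost:5000/v3',
        )
      }
    end
```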
@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'cinder::key_manager' do
+ shared_examples 'cinder::key_manager' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager('cinder_config').with(
+ :backend => ''
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :backend => 'barbican'
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager('cinder_config').with(
+ :backend => 'barbican'
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'cinder::key_manager'
+ end
+ end
+end