Move the keymgr_XXX parameters from cinder::api to init

The Key Manager is used by several cinder services, and not just cinder-api. For example, the cinder-backup and cinder-volume services use the Key Manager to clone encryption keys. Moving the Key Manager parameters from cinder::api to init ensures the settings are always configured, even when the cinder-api service isn't included in the deployment. Closes-Bug: #1886081 Change-Id: Ie3c95da2c0dab83e3c4b7e10f8a3531301692da5
2020-07-02 10:16:49 -07:00 · 2020-07-02 10:16:49 -07:00 · 970fa8d7a1
parent 4f41338ab4
commit 970fa8d7a1
5 changed files with 86 additions and 51 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -4,16 +4,6 @@
 #
 # === Parameters
 #
-# [*keymgr_encryption_api_url*]
-#   (optional) Key Manager service URL
-#   Example of valid value: https://localhost:9311/v1
-#   Defaults to $::os_service_default
-#
-# [*keymgr_encryption_auth_url*]
-#   (optional) Auth URL for keymgr authentication. Should be in format
-#   http://auth_url:5000/v3
-#   Defaults to $::os_service_default.
-#
 # [*service_workers*]
 #   (optional) Number of cinder-api workers
 #   Defaults to $::os_workers
@ -114,12 +104,22 @@
 #   will also need to be changed to match.
 #   Defaults to $::os_service_default
 #
+# DEPRECATED PARAMETERS
+#
+# [*keymgr_encryption_api_url*]
+#   (optional) Key Manager service URL
+#   Example of valid value: https://localhost:9311/v1
+#   Defaults to undef
+#
+# [*keymgr_encryption_auth_url*]
+#   (optional) Auth URL for keymgr authentication. Should be in format
+#   http://auth_url:5000/v3
+#   Defaults to undef
+#
 # [*keymgr_backend*]
 #   (optional) Key Manager service class.
 #   Example of valid value: barbican
-#   Defaults to $::os_service_default
-#
-# DEPRECATED PARAMETERS
+#   Defaults to undef
 #
 # [*os_region_name*]
 #   (optional) Some operations require cinder to make API requests
@ -128,8 +128,6 @@
 #   Defaults to undef
 #
 class cinder::api (
-  $keymgr_encryption_api_url      = $::os_service_default,
-  $keymgr_encryption_auth_url     = $::os_service_default,
  $service_workers                = $::os_workers,
  $package_ensure                 = 'present',
  $bind_host                      = '0.0.0.0',
@ -153,8 +151,10 @@ class cinder::api (
  $ca_file                        = $::os_service_default,
  $auth_strategy                  = 'keystone',
  $osapi_volume_listen_port       = $::os_service_default,
-  $keymgr_backend                 = $::os_service_default,
  # DEPRECATED PARAMETERS
+  $keymgr_backend                 = undef,
+  $keymgr_encryption_api_url      = undef,
+  $keymgr_encryption_auth_url     = undef,
  $os_region_name                 = undef
 ) inherits cinder::params {

@ -162,6 +162,12 @@ class cinder::api (
  include cinder::params
  include cinder::policy

+  ['keymgr_backend', 'keymgr_encryption_api_url', 'keymgr_encryption_auth_url'].each |String $keymgr_var| {
+    if getvar("${keymgr_var}") != undef {
+      warning("cinder::api::${keymgr_var} is deprecated, use cinder::${keymgr_var} instead.")
+    }
+  }
+
  if $os_region_name != undef {
    warning('cinder::api::os_region_name is deprecated and has no effect. \
 Use cinder::nova::region_name instead')
@ -243,12 +249,6 @@ running as a standalone service, or httpd for being run by a httpd server")
    max_request_body_size        => $max_request_body_size,
  }

-  cinder_config {
-    'key_manager/backend':        value => $keymgr_backend;
-    'barbican/barbican_endpoint': value => $keymgr_encryption_api_url;
-    'barbican/auth_endpoint':     value => $keymgr_encryption_auth_url;
-  }
-
  if $auth_strategy == 'keystone' {
    include cinder::keystone::authtoken
  }
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -182,6 +182,21 @@
 #   (Optional) Password for message broker authentication
 #   Defaults to $::os_service_default.
 #
+# [*keymgr_backend*]
+#   (Optional) Key Manager service class.
+#   Example of valid value: barbican
+#   Defaults to $::os_service_default.
+#
+# [*keymgr_encryption_api_url*]
+#   (Optional) Key Manager service URL
+#   Example of valid value: https://localhost:9311/v1
+#   Defaults to $::os_service_default.
+#
+# [*keymgr_encryption_auth_url*]
+#   (Optional) Auth URL for keymgr authentication. Should be in format
+#   http://auth_url:5000/v3
+#   Defaults to $::os_service_default.
+#
 # [*database_connection*]
 #    Url used to connect to database.
 #    (Optional) Defaults to undef.
@ -309,6 +324,9 @@ class cinder (
  $amqp_sasl_config_name              = $::os_service_default,
  $amqp_username                      = $::os_service_default,
  $amqp_password                      = $::os_service_default,
+  $keymgr_backend                     = $::os_service_default,
+  $keymgr_encryption_api_url          = $::os_service_default,
+  $keymgr_encryption_auth_url         = $::os_service_default,
  $package_ensure                     = 'present',
  $api_paste_config                   = '/etc/cinder/api-paste.ini',
  $storage_availability_zone          = 'nova',
@ -399,6 +417,13 @@ class cinder (
    $default_availability_zone_real = $default_availability_zone
  }

+  # NOTE(abishop): Remove the picks when cinder::api::keymgr_* are removed.
+  $keymgr_backend_real = pick($cinder::api::keymgr_backend, $keymgr_backend)
+  $keymgr_encryption_api_url_real = pick($cinder::api::keymgr_encryption_api_url,
+                                          $keymgr_encryption_api_url)
+  $keymgr_encryption_auth_url_real = pick($cinder::api::keymgr_encryption_auth_url,
+                                          $keymgr_encryption_auth_url)
+
  cinder_config {
    'DEFAULT/report_interval':                  value => $report_interval;
    'DEFAULT/service_down_time':                value => $service_down_time;
@ -409,6 +434,9 @@ class cinder (
    'DEFAULT/image_conversion_dir':             value => $image_conversion_dir;
    'DEFAULT/host':                             value => $host;
    'DEFAULT/enable_new_services':              value => $enable_new_services;
+    'key_manager/backend':                      value => $keymgr_backend_real;
+    'barbican/barbican_endpoint':               value => $keymgr_encryption_api_url_real;
+    'barbican/auth_endpoint':                   value => $keymgr_encryption_auth_url_real;

    # NOTE(abishop): $backend_host is not written here because it is not a valid
    # DEFAULT option. It is only recognized in the backend sections. Instead,
--- a/releasenotes/notes/move-keymgr-params-to-init-a745c0eed3062392.yaml
+++ b/releasenotes/notes/move-keymgr-params-to-init-a745c0eed3062392.yaml
@ -0,0 +1,18 @@
+---
+deprecations:
+  - |
+    Cinder's Key Manager parameters have moved from cinder::api to
+    the cinder class. The following parameters are deprecated:
+    * cinder::api::keymgr_backend
+    * cinder::api::keymgr_encryption_api_url
+    * cinder::api::keymgr_encryption_auth_url
+    They are replaced by the following new parameters:
+    * cinder::keymgr_backend
+    * cinder::keymgr_encryption_api_url
+    * cinder::keymgr_encryption_auth_url
+fixes:
+  - |
+    Cinder's Key Manager parameters are no longer associated with just the
+    cinder-api service. The parameters are always configured so that the
+    cinder-volume and cinder-backup services can also access the Key Manager.
+    Fixes `bug 1886081 <https://bugs.launchpad.net/puppet-cinder/+bug/1886081>`
--- a/spec/classes/cinder_api_spec.rb
+++ b/spec/classes/cinder_api_spec.rb
@ -31,9 +31,6 @@ describe 'cinder::api' do
        is_expected.to contain_cinder_config('DEFAULT/osapi_volume_base_URL').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_cinder_config('DEFAULT/osapi_max_limit').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_cinder_config('DEFAULT/auth_strategy').with_value('keystone')
-        is_expected.to contain_cinder_config('key_manager/backend').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_cinder_config('DEFAULT/osapi_volume_listen_port').with('value' => '<SERVICE DEFAULT>')

        is_expected.to contain_oslo__middleware('cinder_config').with(
@ -120,16 +117,6 @@ describe 'cinder::api' do
      )}
    end

-    context 'with encryption_auth_url' do
-      let :params do
-        req_params.merge({ :keymgr_encryption_auth_url => 'http://localhost:5000/v3' })
-      end
-
-      it { is_expected.to contain_cinder_config('barbican/auth_endpoint').with(
-        :value => 'http://localhost:5000/v3'
-      )}
-    end
-
    context 'while validating the service with default command' do
      let :params do
        req_params.merge({
@ -227,22 +214,6 @@ describe 'cinder::api' do

      it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
    end
-
-    context 'with barbican parameters' do
-      let :params do
-        req_params.merge!({
-          :keymgr_backend             => 'barbican',
-          :keymgr_encryption_api_url  => 'https://localhost:9311/v1',
-          :keymgr_encryption_auth_url => 'https://localhost:5000/v3',
-        })
-      end
-      it 'should set keymgr parameters' do
-        is_expected.to contain_cinder_config('key_manager/backend').with_value('barbican')
-        is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
-        is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
-      end
-    end
-
  end

  on_supported_os({
--- a/spec/classes/cinder_init_spec.rb
+++ b/spec/classes/cinder_init_spec.rb
@ -48,6 +48,9 @@ describe 'cinder' do
        is_expected.to contain_cinder_config('DEFAULT/host').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_cinder_config('DEFAULT/enable_new_services').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_cinder_config('oslo_concurrency/lock_path').with(:value => '/var/lock/cinder')
+        is_expected.to contain_cinder_config('key_manager/backend').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>')

        # backend_host should not be written to DEFAULT section
        is_expected.not_to contain_cinder_config('DEFAULT/backend_host')
@ -274,6 +277,21 @@ describe 'cinder' do
        :topics        => params[:notification_topics],
      )}
    end
+
+    context 'with keymgr parameters' do
+      let :params do
+        req_params.merge!({
+          :keymgr_backend             => 'barbican',
+          :keymgr_encryption_api_url  => 'https://localhost:9311/v1',
+          :keymgr_encryption_auth_url => 'https://localhost:5000/v3',
+        })
+      end
+      it 'should set keymgr parameters' do
+        is_expected.to contain_cinder_config('key_manager/backend').with_value('barbican')
+        is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
+        is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
+      end
+    end
  end

  on_supported_os({