Move the keymgr_XXX parameters from cinder::api to init
The Key Manager is used by several cinder services, and not just cinder-api. For example, the cinder-backup and cinder-volume services use the Key Manager to clone encryption keys. Moving the Key Manager parameters from cinder::api to init ensures the settings are always configured, even when the cinder-api service isn't included in the deployment. Closes-Bug: #1886081 Change-Id: Ie3c95da2c0dab83e3c4b7e10f8a3531301692da5
@@ -4,16 +4,6 @@
|
|||||||
#
|
#
|
||||||
# === Parameters
|
# === Parameters
|
||||||
#
|
#
|
||||||
# [*keymgr_encryption_api_url*]
|
|
||||||
# (optional) Key Manager service URL
|
|
||||||
# Example of valid value: https://localhost:9311/v1
|
|
||||||
# Defaults to $::os_service_default
|
|
||||||
#
|
|
||||||
# [*keymgr_encryption_auth_url*]
|
|
||||||
# (optional) Auth URL for keymgr authentication. Should be in format
|
|
||||||
# http://auth_url:5000/v3
|
|
||||||
# Defaults to $::os_service_default.
|
|
||||||
#
|
|
||||||
# [*service_workers*]
|
# [*service_workers*]
|
||||||
# (optional) Number of cinder-api workers
|
# (optional) Number of cinder-api workers
|
||||||
# Defaults to $::os_workers
|
# Defaults to $::os_workers
|
||||||
@@ -114,12 +104,22 @@
|
|||||||
# will also need to be changed to match.
|
# will also need to be changed to match.
|
||||||
# Defaults to $::os_service_default
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
|
# DEPRECATED PARAMETERS
|
||||||
|
#
|
||||||
|
# [*keymgr_encryption_api_url*]
|
||||||
|
# (optional) Key Manager service URL
|
||||||
|
# Example of valid value: https://localhost:9311/v1
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*keymgr_encryption_auth_url*]
|
||||||
|
# (optional) Auth URL for keymgr authentication. Should be in format
|
||||||
|
# http://auth_url:5000/v3
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
# [*keymgr_backend*]
|
# [*keymgr_backend*]
|
||||||
# (optional) Key Manager service class.
|
# (optional) Key Manager service class.
|
||||||
# Example of valid value: barbican
|
# Example of valid value: barbican
|
||||||
# Defaults to $::os_service_default
|
# Defaults to undef
|
||||||
#
|
|
||||||
# DEPRECATED PARAMETERS
|
|
||||||
#
|
#
|
||||||
# [*os_region_name*]
|
# [*os_region_name*]
|
||||||
# (optional) Some operations require cinder to make API requests
|
# (optional) Some operations require cinder to make API requests
|
||||||
@@ -128,8 +128,6 @@
|
|||||||
# Defaults to undef
|
# Defaults to undef
|
||||||
#
|
#
|
||||||
class cinder::api (
|
class cinder::api (
|
||||||
$keymgr_encryption_api_url = $::os_service_default,
|
|
||||||
$keymgr_encryption_auth_url = $::os_service_default,
|
|
||||||
$service_workers = $::os_workers,
|
$service_workers = $::os_workers,
|
||||||
$package_ensure = 'present',
|
$package_ensure = 'present',
|
||||||
$bind_host = '0.0.0.0',
|
$bind_host = '0.0.0.0',
|
||||||
@@ -153,8 +151,10 @@ class cinder::api (
|
|||||||
$ca_file = $::os_service_default,
|
$ca_file = $::os_service_default,
|
||||||
$auth_strategy = 'keystone',
|
$auth_strategy = 'keystone',
|
||||||
$osapi_volume_listen_port = $::os_service_default,
|
$osapi_volume_listen_port = $::os_service_default,
|
||||||
$keymgr_backend = $::os_service_default,
|
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
|
$keymgr_backend = undef,
|
||||||
|
$keymgr_encryption_api_url = undef,
|
||||||
|
$keymgr_encryption_auth_url = undef,
|
||||||
$os_region_name = undef
|
$os_region_name = undef
|
||||||
) inherits cinder::params {
|
) inherits cinder::params {
|
||||||
|
|
||||||
@@ -162,6 +162,12 @@ class cinder::api (
|
|||||||
include cinder::params
|
include cinder::params
|
||||||
include cinder::policy
|
include cinder::policy
|
||||||
|
|
||||||
|
['keymgr_backend', 'keymgr_encryption_api_url', 'keymgr_encryption_auth_url'].each |String $keymgr_var| {
|
||||||
|
if getvar("${keymgr_var}") != undef {
|
||||||
|
warning("cinder::api::${keymgr_var} is deprecated, use cinder::${keymgr_var} instead.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if $os_region_name != undef {
|
if $os_region_name != undef {
|
||||||
warning('cinder::api::os_region_name is deprecated and has no effect. \
|
warning('cinder::api::os_region_name is deprecated and has no effect. \
|
||||||
Use cinder::nova::region_name instead')
|
Use cinder::nova::region_name instead')
|
||||||
@@ -243,12 +249,6 @@ running as a standalone service, or httpd for being run by a httpd server")
|
|||||||
max_request_body_size => $max_request_body_size,
|
max_request_body_size => $max_request_body_size,
|
||||||
}
|
}
|
||||||
|
|
||||||
cinder_config {
|
|
||||||
'key_manager/backend': value => $keymgr_backend;
|
|
||||||
'barbican/barbican_endpoint': value => $keymgr_encryption_api_url;
|
|
||||||
'barbican/auth_endpoint': value => $keymgr_encryption_auth_url;
|
|
||||||
}
|
|
||||||
|
|
||||||
if $auth_strategy == 'keystone' {
|
if $auth_strategy == 'keystone' {
|
||||||
include cinder::keystone::authtoken
|
include cinder::keystone::authtoken
|
||||||
}
|
}
|
||||||
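Review bot: The documented example for `keymgr_encryption_auth_url` is still a plaintext URL, `http://auth_url:5000/v3`, in the DEPRECATED PARAMETERS block of the `@@ -114,12 +104,22 @@` hunk, and the same text is repeated in the new cinder class documentation (`@@ -182,6 +182,21 @@`). This is the endpoint cinder authenticates against for Key Manager access, and both the `keymgr_encryption_api_url` example and the specs in this commit use https. I would write the example as `#   https://auth_url:5000/v3` in both places, so operators do not copy a cleartext auth endpoint into a deployment that handles volume encryption keys.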
|
|||||||
@@ -182,6 +182,21 @@
|
|||||||
# (Optional) Password for message broker authentication
|
# (Optional) Password for message broker authentication
|
||||||
# Defaults to $::os_service_default.
|
# Defaults to $::os_service_default.
|
||||||
#
|
#
|
||||||
|
# [*keymgr_backend*]
|
||||||
|
# (Optional) Key Manager service class.
|
||||||
|
# Example of valid value: barbican
|
||||||
|
# Defaults to $::os_service_default.
|
||||||
|
#
|
||||||
|
# [*keymgr_encryption_api_url*]
|
||||||
|
# (Optional) Key Manager service URL
|
||||||
|
# Example of valid value: https://localhost:9311/v1
|
||||||
|
# Defaults to $::os_service_default.
|
||||||
|
#
|
||||||
|
# [*keymgr_encryption_auth_url*]
|
||||||
|
# (Optional) Auth URL for keymgr authentication. Should be in format
|
||||||
|
# http://auth_url:5000/v3
|
||||||
|
# Defaults to $::os_service_default.
|
||||||
|
#
|
||||||
# [*database_connection*]
|
# [*database_connection*]
|
||||||
# Url used to connect to database.
|
# Url used to connect to database.
|
||||||
# (Optional) Defaults to undef.
|
# (Optional) Defaults to undef.
|
||||||
@@ -309,6 +324,9 @@ class cinder (
|
|||||||
$amqp_sasl_config_name = $::os_service_default,
|
$amqp_sasl_config_name = $::os_service_default,
|
||||||
$amqp_username = $::os_service_default,
|
$amqp_username = $::os_service_default,
|
||||||
$amqp_password = $::os_service_default,
|
$amqp_password = $::os_service_default,
|
||||||
|
$keymgr_backend = $::os_service_default,
|
||||||
|
$keymgr_encryption_api_url = $::os_service_default,
|
||||||
|
$keymgr_encryption_auth_url = $::os_service_default,
|
||||||
$package_ensure = 'present',
|
$package_ensure = 'present',
|
||||||
$api_paste_config = '/etc/cinder/api-paste.ini',
|
$api_paste_config = '/etc/cinder/api-paste.ini',
|
||||||
$storage_availability_zone = 'nova',
|
$storage_availability_zone = 'nova',
|
||||||
@@ -399,6 +417,13 @@ class cinder (
|
|||||||
$default_availability_zone_real = $default_availability_zone
|
$default_availability_zone_real = $default_availability_zone
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# NOTE(abishop): Remove the picks when cinder::api::keymgr_* are removed.
|
||||||
|
$keymgr_backend_real = pick($cinder::api::keymgr_backend, $keymgr_backend)
|
||||||
|
$keymgr_encryption_api_url_real = pick($cinder::api::keymgr_encryption_api_url,
|
||||||
|
$keymgr_encryption_api_url)
|
||||||
|
$keymgr_encryption_auth_url_real = pick($cinder::api::keymgr_encryption_auth_url,
|
||||||
|
$keymgr_encryption_auth_url)
|
||||||
|
|
||||||
cinder_config {
|
cinder_config {
|
||||||
'DEFAULT/report_interval': value => $report_interval;
|
'DEFAULT/report_interval': value => $report_interval;
|
||||||
'DEFAULT/service_down_time': value => $service_down_time;
|
'DEFAULT/service_down_time': value => $service_down_time;
|
||||||
@@ -409,6 +434,9 @@ class cinder (
|
|||||||
'DEFAULT/image_conversion_dir': value => $image_conversion_dir;
|
'DEFAULT/image_conversion_dir': value => $image_conversion_dir;
|
||||||
'DEFAULT/host': value => $host;
|
'DEFAULT/host': value => $host;
|
||||||
'DEFAULT/enable_new_services': value => $enable_new_services;
|
'DEFAULT/enable_new_services': value => $enable_new_services;
|
||||||
|
'key_manager/backend': value => $keymgr_backend_real;
|
||||||
|
'barbican/barbican_endpoint': value => $keymgr_encryption_api_url_real;
|
||||||
|
'barbican/auth_endpoint': value => $keymgr_encryption_auth_url_real;
|
||||||
|
|
||||||
# NOTE(abishop): $backend_host is not written here because it is not a valid
|
# NOTE(abishop): $backend_host is not written here because it is not a valid
|
||||||
# DEFAULT option. It is only recognized in the backend sections. Instead,
|
# DEFAULT option. It is only recognized in the backend sections. Instead,
|
||||||
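Review bot: The three `pick($cinder::api::keymgr_*, ...)` calls in the `@@ -399,6 +417,13 @@` hunk read variables from a class that, per the commit message, may not be in the catalog at all, and that may not have been evaluated yet when the cinder class body runs. In both cases Puppet resolves the reference to undef, or fails the compile when strict_variables is enabled. A deployment still passing `cinder::api::keymgr_backend => 'barbican'` could therefore end up with `key_manager/backend` left at the service default without an error; whether that happens depends on declaration order that is not visible in this hunk. Since this setting selects the Key Manager backend used for volume encryption keys, I would state the ordering assumption next to the existing NOTE, for example `# The deprecated cinder::api::keymgr_* values are only honoured if cinder::api is evaluated before this class.`, and confirm the behaviour under strict_variables. The class body starts and ends outside the hunk.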
|
|||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
Cinder's Key Manager parameters have moved from cinder::api to
|
||||||
|
the cinder class. The following parameters are deprecated:
|
||||||
|
* cinder::api::keymgr_backend
|
||||||
|
* cinder::api::keymgr_encryption_api_url
|
||||||
|
* cinder::api::keymgr_encryption_auth_url
|
||||||
|
They are replaced by the following new parameters:
|
||||||
|
* cinder::keymgr_backend
|
||||||
|
* cinder::keymgr_encryption_api_url
|
||||||
|
* cinder::keymgr_encryption_auth_url
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Cinder's Key Manager parameters are no longer associated with just the
|
||||||
|
cinder-api service. The parameters are always configured so that the
|
||||||
|
cinder-volume and cinder-backup services can also access the Key Manager.
|
||||||
|
Fixes `bug 1886081 <https://bugs.launchpad.net/puppet-cinder/+bug/1886081>`
|
||||||
@@ -31,9 +31,6 @@ describe 'cinder::api' do
|
|||||||
is_expected.to contain_cinder_config('DEFAULT/osapi_volume_base_URL').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/osapi_volume_base_URL').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('DEFAULT/osapi_max_limit').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/osapi_max_limit').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('DEFAULT/auth_strategy').with_value('keystone')
|
is_expected.to contain_cinder_config('DEFAULT/auth_strategy').with_value('keystone')
|
||||||
is_expected.to contain_cinder_config('key_manager/backend').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_cinder_config('DEFAULT/osapi_volume_listen_port').with('value' => '<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/osapi_volume_listen_port').with('value' => '<SERVICE DEFAULT>')
|
||||||
|
|
||||||
is_expected.to contain_oslo__middleware('cinder_config').with(
|
is_expected.to contain_oslo__middleware('cinder_config').with(
|
||||||
@@ -120,16 +117,6 @@ describe 'cinder::api' do
|
|||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with encryption_auth_url' do
|
|
||||||
let :params do
|
|
||||||
req_params.merge({ :keymgr_encryption_auth_url => 'http://localhost:5000/v3' })
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to contain_cinder_config('barbican/auth_endpoint').with(
|
|
||||||
:value => 'http://localhost:5000/v3'
|
|
||||||
)}
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'while validating the service with default command' do
|
context 'while validating the service with default command' do
|
||||||
let :params do
|
let :params do
|
||||||
req_params.merge({
|
req_params.merge({
|
||||||
@@ -227,22 +214,6 @@ describe 'cinder::api' do
|
|||||||
|
|
||||||
it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
|
it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with barbican parameters' do
|
|
||||||
let :params do
|
|
||||||
req_params.merge!({
|
|
||||||
:keymgr_backend => 'barbican',
|
|
||||||
:keymgr_encryption_api_url => 'https://localhost:9311/v1',
|
|
||||||
:keymgr_encryption_auth_url => 'https://localhost:5000/v3',
|
|
||||||
})
|
|
||||||
end
|
|
||||||
it 'should set keymgr parameters' do
|
|
||||||
is_expected.to contain_cinder_config('key_manager/backend').with_value('barbican')
|
|
||||||
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
|
|
||||||
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
on_supported_os({
|
on_supported_os({
|
||||||
|
|||||||
@@ -48,6 +48,9 @@ describe 'cinder' do
|
|||||||
is_expected.to contain_cinder_config('DEFAULT/host').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/host').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('DEFAULT/enable_new_services').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/enable_new_services').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('oslo_concurrency/lock_path').with(:value => '/var/lock/cinder')
|
is_expected.to contain_cinder_config('oslo_concurrency/lock_path').with(:value => '/var/lock/cinder')
|
||||||
|
is_expected.to contain_cinder_config('key_manager/backend').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>')
|
||||||
|
|
||||||
# backend_host should not be written to DEFAULT section
|
# backend_host should not be written to DEFAULT section
|
||||||
is_expected.not_to contain_cinder_config('DEFAULT/backend_host')
|
is_expected.not_to contain_cinder_config('DEFAULT/backend_host')
|
||||||
@@ -274,6 +277,21 @@ describe 'cinder' do
|
|||||||
:topics => params[:notification_topics],
|
:topics => params[:notification_topics],
|
||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with keymgr parameters' do
|
||||||
|
let :params do
|
||||||
|
req_params.merge!({
|
||||||
|
:keymgr_backend => 'barbican',
|
||||||
|
:keymgr_encryption_api_url => 'https://localhost:9311/v1',
|
||||||
|
:keymgr_encryption_auth_url => 'https://localhost:5000/v3',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
it 'should set keymgr parameters' do
|
||||||
|
is_expected.to contain_cinder_config('key_manager/backend').with_value('barbican')
|
||||||
|
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
|
||||||
|
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
on_supported_os({
|
on_supported_os({
|
||||||
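Review bot: The added 'with keymgr parameters' context in the `@@ -274,6 +277,21 @@` hunk only sets the new `cinder::keymgr_*` parameters, so nothing in the specs exercises the `pick()` fallback from the deprecated `cinder::api::keymgr_*` parameters. The contexts that set those parameters on cinder::api were removed from the cinder::api spec in this same commit. A context that declares cinder::api with `keymgr_backend => 'barbican'` (for instance through `pre_condition`) and expects `contain_cinder_config('key_manager/backend').with_value('barbican')` would show that existing deployments keep their Key Manager backend during the deprecation period. The required parameters of cinder::api are not visible here, so the exact declaration needs to follow the cinder::api spec's `req_params`.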
|
|||||||