From bc7651fa5f7d622616c8634a55c9339306583c23 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 23 Jan 2021 11:29:22 +0900 Subject: [PATCH] Create independent classes for key managers This change introduces the new independent classes to manage options for key managers, which are implemented in the castellan library. Depends-on: https://review.opendev.org/772676 Change-Id: Id54b87472ae67a9005276e52de9dd68172e22eff --- manifests/api.pp | 50 +++++++++------- manifests/key_manager.pp | 22 +++++++ manifests/key_manager/barbican.pp | 60 +++++++++++++++++++ .../key_manager-opts-ddaa497089657955.yaml | 21 +++++++ .../glance_key_manager_barbican_spec.rb | 57 ++++++++++++++++++ spec/classes/glance_key_manager_spec.rb | 39 ++++++++++++ 6 files changed, 226 insertions(+), 23 deletions(-) create mode 100644 manifests/key_manager.pp create mode 100644 manifests/key_manager/barbican.pp create mode 100644 releasenotes/notes/key_manager-opts-ddaa497089657955.yaml create mode 100644 spec/classes/glance_key_manager_barbican_spec.rb create mode 100644 spec/classes/glance_key_manager_spec.rb diff --git a/manifests/api.pp b/manifests/api.pp index 8d376dbb..5107440f 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -229,21 +229,6 @@ # (optional) Maximum number of results that could be returned by a request # Default: $::os_service_default. # -# [*keymgr_backend*] -# (optional) Key Manager service class. -# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager -# Defaults to undef. -# -# [*keymgr_encryption_api_url*] -# (optional) Key Manager service URL -# Example of valid value: https://localhost:9311/v1 -# Defaults to undef -# -# [*keymgr_encryption_auth_url*] -# (optional) Auth URL for keymgr authentication. Should be in format -# http://auth_url:5000/v3 -# Defaults to undef -# # DEPRECATED PARAMETERS # # [*stores*] 
@@ -299,6 +284,21 @@ # (optional) If set, use this value for max_overflow with sqlalchemy. # Defaults to undef. # +# [*keymgr_backend*] +# (optional) Key Manager service class. +# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager +# Defaults to undef +# +# [*keymgr_encryption_api_url*] +# (optional) Key Manager service URL +# Example of valid value: https://localhost:9311/v1 +# Defaults to undef +# +# [*keymgr_encryption_auth_url*] +# (optional) Auth URL for keymgr authentication. Should be in format +# http://auth_url:5000/v3 +# Defaults to undef +# class glance::api( $package_ensure = 'present', $bind_host = $::os_service_default, @@ -349,9 +349,6 @@ class glance::api( $validation_options = {}, $limit_param_default = $::os_service_default, $api_limit_max = $::os_service_default, - $keymgr_backend = undef, - $keymgr_encryption_api_url = undef, - $keymgr_encryption_auth_url = undef, # DEPRECATED PARAMETERS $stores = undef, $default_store = undef, @@ -365,6 +362,9 @@ class glance::api( $database_max_retries = undef, $database_retry_interval = undef, $database_max_overflow = undef, + $keymgr_backend = undef, + $keymgr_encryption_api_url = undef, + $keymgr_encryption_auth_url = undef, ) inherits glance { include glance::deps 
@@ -611,12 +611,16 @@ enabled_backends instead.') 'DEFAULT/ca_file' : value => $ca_file; } - if $keymgr_backend { - glance_api_config { - 'key_manager/backend': value => $keymgr_backend; - 'barbican/barbican_endpoint': value => $keymgr_encryption_api_url; - 'barbican/auth_endpoint': value => $keymgr_encryption_auth_url; + if $keymgr_backend != undef { + warning('The keymgr_backend parameter is deprecated. Use the glance::key_manager class') + include glance::key_manager + } + + ['keymgr_encryption_api_url', 'keymgr_encryption_auth_url'].each |String $barbican_opt| { + if getvar("${barbican_opt}") != undef { + warning("The ${barbican_opt} parameter is deprecated. Use the glance::key_manager::barbican class") } + include glance::key_manager::barbican } if $manage_service { diff --git a/manifests/key_manager.pp b/manifests/key_manager.pp new file mode 100644 index 00000000..2db3816c --- /dev/null +++ b/manifests/key_manager.pp @@ -0,0 +1,22 @@ +# == Class: glance::key_manager +# +# Setup and configure Key Manager options +# +# === Parameters +# +# [*backend*] +# (Optional) Specify the key manager implementation. +# Defaults to $::os_service_default +# +class glance::key_manager ( + $backend = $::os_service_default, +) { + + include glance::deps + + $backend_real = pick($glance::api::keymgr_backend, $backend) + + oslo::key_manager { 'glance_api_config': + backend => $backend_real, + } +} diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp new file mode 100644 index 00000000..f6f10aec --- /dev/null +++ b/manifests/key_manager/barbican.pp 
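Review bot: In the new `each` block of `glance::api`, `include glance::key_manager::barbican` comes after the closing brace of the `if getvar(...) != undef` test, so it runs whether or not a deprecated parameter is set, whereas `glance::key_manager` is included only when `keymgr_backend` is set. If that reading is right, every node declaring `glance::api` now manages the `[barbican]` options, and values set outside these classes would presumably be reset to service defaults on the next run, which quietly changes how the service reaches its key manager. If this is intended, say so in a comment such as `# declared unconditionally so the [barbican] options are always managed`, mention it in the release note, and move the include out of the loop. Otherwise guard it once with `if $keymgr_encryption_api_url != undef or $keymgr_encryption_auth_url != undef { include glance::key_manager::barbican }`. The class body starts and ends outside the hunk.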
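Review bot: `pick($glance::api::keymgr_backend, $backend)` in `glance::key_manager` reads a variable of another class without declaring or requiring that class, so the deprecated value is honoured only when `glance::api` has already been evaluated. Declared on its own or earlier in the catalog, the class would silently fall back to `$backend`, and depending on the strict-variables setting the lookup may warn or fail (not verifiable from this page). `glance::key_manager::barbican` uses the same pattern for the two endpoint URLs. A comment above the line, e.g. `# glance::api must be evaluated first for the deprecated keymgr_backend value to be picked up`, would record the ordering assumption.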
@@ -0,0 +1,60 @@
+# == Class: glance::key_manager::barbican
+#
+# Setup and configure Barbican Key Manager options
+#
+# === Parameters
+#
+# [*barbican_endpoint*]
+# (Optional) Use this endpoint to connect to Barbican.
+# Defaults to $::os_service_default
+#
+# [*barbican_api_version*]
+# (Optional) Version of the Barbican API.
+# Defaults to $::os_service_default
+#
+# [*auth_endpoint*]
+# (Optional) Use this endpoint to connect to Keystone.
+# Defaults to $::os_service_default
+#
+# [*retry_delay*]
+# (Optional) Number of seconds to wait before retrying poll for key creation
+# completion.
+# Defaults to $::os_service_default
+#
+# [*number_of_retries*]
+# (Optional) Number of times to retry poll fo key creation completion.
+# Defaults to $::os_service_default
+#
+# [*barbican_endpoint_type*]
+# (Optional) Specifies the type of endpoint.
+# Defaults to $::os_service_default
+#
+# [*barbican_region_name*]
+# (Optional) Specifies the region of the chosen endpoint.
+# Defaults to $::os_service_default
+#
+class glance::key_manager::barbican (
+ $barbican_endpoint = $::os_service_default,
+ $barbican_api_version = $::os_service_default,
+ $auth_endpoint = $::os_service_default,
+ $retry_delay = $::os_service_default,
+ $number_of_retries = $::os_service_default,
+ $barbican_endpoint_type = $::os_service_default,
+ $barbican_region_name = $::os_service_default,
+) {
+
+ include glance::deps
+
+ $barbican_endpoint_real = pick($glance::api::keymgr_encryption_api_url, $barbican_endpoint)
+ $auth_endpoint_real = pick($glance::api::keymgr_encryption_auth_url, $auth_endpoint)
+
+ oslo::key_manager::barbican { 'glance_api_config':
+ barbican_endpoint => $barbican_endpoint_real,
+ barbican_api_version => $barbican_api_version,
+ auth_endpoint => $auth_endpoint_real,
+ retry_delay => $retry_delay,
+ number_of_retries => $number_of_retries,
+ barbican_endpoint_type => $barbican_endpoint_type,
+ barbican_region_name => $barbican_region_name,
+ }
+}
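Review bot: The parameter docs for `barbican_endpoint` and `auth_endpoint` give neither an example nor the expected URL scheme, and the deprecated `glance::api` docs they replace show an `http://` form for the auth URL. These endpoints are where the service authenticates and retrieves key material, so the docs should steer operators to TLS, e.g. `# (Optional) Use this endpoint to connect to Barbican. Should be an https:// URL, for example https://localhost:9311/v1` and the matching wording for `auth_endpoint`. The `number_of_retries` description also has a typo, "retry poll fo key creation", which should read "for".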
diff --git a/releasenotes/notes/key_manager-opts-ddaa497089657955.yaml b/releasenotes/notes/key_manager-opts-ddaa497089657955.yaml
new file mode 100644
index 00000000..a575864b
--- /dev/null
+++ b/releasenotes/notes/key_manager-opts-ddaa497089657955.yaml
@@ -0,0 +1,21 @@
+---
+features:
+ - |
+ The new ``glance::key_manager`` class has been added. This class manages
+ basic options of key managers.
+
+ - |
+ The new ``glance::key_manager::barbican`` class has been added. This class
+ manages options of BarbicanKeyManager.
+
+deprecations:
+ - |
+ The ``glance::api::keymgr_backend`` parameter has been deprecated. Use
+ the ``glance::key_manager`` class.
+
+ - |
+ The following parameters of the ``glance::api`` class have been deprecated
+ in favor of the new ``glance::key_manager::barbican`` class.
+
+ - ``keymgr_encryption_api_url``
+ - ``keymgr_encryption_auth_url``
diff --git a/spec/classes/glance_key_manager_barbican_spec.rb b/spec/classes/glance_key_manager_barbican_spec.rb
new file mode 100644
index 00000000..fd3c1f1b
--- /dev/null
+++ b/spec/classes/glance_key_manager_barbican_spec.rb
@@ -0,0 +1,57 @@
+require 'spec_helper'
+
+describe 'glance::key_manager::barbican' do
+ shared_examples 'glance::key_manager::barbican' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
+ :barbican_endpoint => '',
+ :barbican_api_version => '',
+ :auth_endpoint => '',
+ :retry_delay => '',
+ :number_of_retries => '',
+ :barbican_endpoint_type => '',
+ :barbican_region_name => '',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'glance::key_manager::barbican'
+ end
+ end
+end
diff --git a/spec/classes/glance_key_manager_spec.rb b/spec/classes/glance_key_manager_spec.rb
new file mode 100644
index 00000000..2aa88a24
--- /dev/null
+++ b/spec/classes/glance_key_manager_spec.rb
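Review bot: Neither this spec nor `glance_key_manager_spec.rb` exercises the deprecated path, where a value passed to `glance::api` must win over the new class parameter through `pick`, and the diffstat lists no change to an existing api spec. That fallback is the part of the change most likely to regress silently, leaving a node pointed at a different key manager endpoint than the operator configured. A context like the one below would pin it, with the equivalent `keymgr_backend` case added to the other spec. `glance::api` may need the same pre-conditions its own spec uses to compile, which cannot be checked from this page.

```ruby
# … unchanged: 'with default parameters' and 'with specified parameters' contexts …
    context 'with deprecated glance::api parameters' do
      let :pre_condition do
        "class { 'glance::api': keymgr_encryption_api_url => 'https://localhost:9311/v1' }"
      end

      it {
        is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
          :barbican_endpoint => 'https://localhost:9311/v1'
        )
      }
    end
```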
@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'glance::key_manager' do
+ shared_examples 'glance::key_manager' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager('glance_api_config').with(
+ :backend => ''
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :backend => 'barbican'
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager('glance_api_config').with(
+ :backend => 'barbican'
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'glance::key_manager'
+ end
+ end
+end