Globally support system scope credentials

After spending huge effort to understand the exact requirements to
enforce SRBAC, we learned it's very difficult to find the required
scope in each credential. This requires understanding implementation of
client-side as well as server-side, and requirement might be different
according to the deployment architecture or features used.

Instead of implementing support based on the actual implementation,
this introduces support for system scope credentials to all places
where keystone user credential is defined, and make all credential
configurations consistent.

Change-Id: I180c00bf826387176427a85319cb254713d40924
changes/05/831805/3
Takashi Kajinami 11 months ago
parent 0d9aaa05fd
commit 69df6cf152

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to cinder in admin context
# through the OpenStack Identity service.
@ -57,18 +61,30 @@ class ironic::cinder (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'cinder/auth_type': value => $auth_type;
'cinder/username': value => $username;
'cinder/password': value => $password, secret => true;
'cinder/auth_url': value => $auth_url;
'cinder/project_name': value => $project_name;
'cinder/project_name': value => $project_name_real;
'cinder/user_domain_name': value => $user_domain_name;
'cinder/project_domain_name': value => $project_domain_name;
'cinder/project_domain_name': value => $project_domain_name_real;
'cinder/system_scope': value => $system_scope;
'cinder/region_name': value => $region_name;
'cinder/endpoint_override': value => $endpoint_override;
}

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to glance in admin context
# through the OpenStack Identity service.
@ -103,6 +107,7 @@ class ironic::glance (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$num_retries = $::os_service_default,
$api_insecure = $::os_service_default,
@ -117,6 +122,8 @@ class ironic::glance (
$swift_account_project_name = undef,
) {
include ironic::deps
if $api_servers {
warning("The ironic::glance::api_servers parameter is deprecated and \
has no effect. Please use ironic::glance::endpoint_override instead.")
@ -130,14 +137,23 @@ has no effect. Please use ironic::glance::endpoint_override instead.")
fail('swift_account_project_name and swift_account can not be specified in the same time.')
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'glance/auth_type': value => $auth_type;
'glance/username': value => $username;
'glance/password': value => $password, secret => true;
'glance/auth_url': value => $auth_url;
'glance/project_name': value => $project_name;
'glance/project_name': value => $project_name_real;
'glance/user_domain_name': value => $user_domain_name;
'glance/project_domain_name': value => $project_domain_name;
'glance/project_domain_name': value => $project_domain_name_real;
'glance/system_scope': value => $system_scope;
'glance/region_name': value => $region_name;
'glance/num_retries': value => $num_retries;
'glance/insecure': value => $api_insecure;

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to ironic in admin context
# through the OpenStack Identity service.
@ -65,20 +69,30 @@ class ironic::inspector::ironic (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$max_retries = $::os_service_default,
$retry_interval = $::os_service_default,
) {
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_inspector_config {
'ironic/auth_type': value => $auth_type;
'ironic/username': value => $username;
'ironic/password': value => $password, secret => true;
'ironic/auth_url': value => $auth_url;
'ironic/project_name': value => $project_name;
'ironic/project_name': value => $project_name_real;
'ironic/user_domain_name': value => $user_domain_name;
'ironic/project_domain_name': value => $project_domain_name;
'ironic/project_domain_name': value => $project_domain_name_real;
'ironic/system_scope': value => $system_scope;
'ironic/region_name': value => $region_name;
'ironic/endpoint_override': value => $endpoint_override;
'ironic/max_retries': value => $max_retries;

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for accessing Keystone catalog
# through the OpenStack Identity service.
@ -57,20 +61,30 @@ class ironic::inspector::service_catalog (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_inspector_config {
'service_catalog/auth_type': value => $auth_type;
'service_catalog/username': value => $username;
'service_catalog/password': value => $password, secret => true;
'service_catalog/auth_url': value => $auth_url;
'service_catalog/project_name': value => $project_name;
'service_catalog/project_name': value => $project_name_real;
'service_catalog/user_domain_name': value => $user_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name_real;
'service_catalog/system_scope': value => $system_scope;
'service_catalog/region_name': value => $region_name;
'service_catalog/endpoint_override': value => $endpoint_override;
}

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to swift in admin context
# through the OpenStack Identity service.
@ -67,20 +71,30 @@ class ironic::inspector::swift (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$container = $::os_service_default,
$delete_after = $::os_service_default,
) {
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_inspector_config {
'swift/auth_type': value => $auth_type;
'swift/username': value => $username;
'swift/password': value => $password, secret => true;
'swift/auth_url': value => $auth_url;
'swift/project_name': value => $project_name;
'swift/project_name': value => $project_name_real;
'swift/user_domain_name': value => $user_domain_name;
'swift/project_domain_name': value => $project_domain_name;
'swift/project_domain_name': value => $project_domain_name_real;
'swift/system_scope': value => $system_scope;
'swift/region_name': value => $region_name;
'swift/endpoint_override': value => $endpoint_override;
'swift/container': value => $container;

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to neutron in admin context
# through the OpenStack Identity service.
@ -72,6 +76,7 @@ class ironic::neutron (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$dhcpv6_stateful_address_count = $::os_service_default,
@ -84,14 +89,23 @@ class ironic::neutron (
has no effect. Please use ironic::neutron::endpoint_override instead.")
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'neutron/auth_type': value => $auth_type;
'neutron/username': value => $username;
'neutron/password': value => $password, secret => true;
'neutron/auth_url': value => $auth_url;
'neutron/project_name': value => $project_name;
'neutron/project_name': value => $project_name_real;
'neutron/user_domain_name': value => $user_domain_name;
'neutron/project_domain_name': value => $project_domain_name;
'neutron/project_domain_name': value => $project_domain_name_real;
'neutron/system_scope': value => $system_scope;
'neutron/region_name': value => $region_name;
'neutron/endpoint_override': value => $endpoint_override;
'neutron/dhcpv6_stateful_address_count': value => $dhcpv6_stateful_address_count;

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for accessing Keystone catalog
# through the OpenStack Identity service.
@ -57,20 +61,30 @@ class ironic::service_catalog (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'service_catalog/auth_type': value => $auth_type;
'service_catalog/username': value => $username;
'service_catalog/password': value => $password, secret => true;
'service_catalog/auth_url': value => $auth_url;
'service_catalog/project_name': value => $project_name;
'service_catalog/project_name': value => $project_name_real;
'service_catalog/user_domain_name': value => $user_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name_real;
'service_catalog/system_scope': value => $system_scope;
'service_catalog/region_name': value => $region_name;
'service_catalog/endpoint_override': value => $endpoint_override;
}

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to swift in admin context
# through the OpenStack Identity service.
@ -57,18 +61,30 @@ class ironic::swift (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'swift/auth_type': value => $auth_type;
'swift/username': value => $username;
'swift/password': value => $password, secret => true;
'swift/auth_url': value => $auth_url;
'swift/project_name': value => $project_name;
'swift/project_name': value => $project_name_real;
'swift/user_domain_name': value => $user_domain_name;
'swift/project_domain_name': value => $project_domain_name;
'swift/project_domain_name': value => $project_domain_name_real;
'swift/system_scope': value => $system_scope;
'swift/region_name': value => $region_name;
'swift/endpoint_override': value => $endpoint_override;
}

@ -0,0 +1,12 @@
---
features:
- |
The new ``system_scope`` parameter has been added to the following classes.
- ``ironic::cinder``
- ``ironic::glance``
- ``ironic::neutron``
- ``ironic::service_catalog``
- ``ironic::swift``
- ``ironic::inspector::ironic``
- ``ironic::inspector::swift``

@ -41,6 +41,7 @@ describe 'ironic::cinder' do
is_expected.to contain_ironic_config('cinder/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('cinder/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::cinder' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::cinder' do
is_expected.to contain_ironic_config('cinder/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('cinder/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('cinder/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('cinder/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -41,37 +41,38 @@ describe 'ironic::glance' do
is_expected.to contain_ironic_config('glance/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('glance/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('glance/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/num_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_account').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_container').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_endpoint_url').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_temp_url_key').with(:value => '<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_account').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_container').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_endpoint_url').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_temp_url_key').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/endpoint_override').with_value('<SERVICE DEFAULT>')
end
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:api_servers => '10.0.0.1:9292',
:api_insecure => true,
:num_retries => 42,
:swift_account => '00000000-0000-0000-0000-000000000000',
:swift_container => 'glance',
:swift_endpoint_url => 'http://example2.com',
:swift_temp_url_key => 'the-key',
:swift_temp_url_duration => 3600,
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:api_servers => '10.0.0.1:9292',
:api_insecure => true,
:num_retries => 42,
:swift_account => '00000000-0000-0000-0000-000000000000',
:swift_container => 'glance',
:swift_endpoint_url => 'http://example2.com',
:swift_temp_url_key => 'the-key',
:swift_temp_url_duration => 3600,
:endpoint_override => 'http://example2.com',
)
end
@ -83,6 +84,7 @@ describe 'ironic::glance' do
is_expected.to contain_ironic_config('glance/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('glance/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('glance/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('glance/insecure').with_value(p[:api_insecure])
is_expected.to contain_ironic_config('glance/num_retries').with_value(p[:num_retries])
@ -106,6 +108,18 @@ describe 'ironic::glance' do
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('glance/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -42,6 +42,7 @@ describe 'ironic::inspector::ironic' do
is_expected.to contain_ironic_inspector_config('ironic/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value('<SERVICE DEFAULT>')
@ -51,17 +52,17 @@ describe 'ironic::inspector::ironic' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:max_retries => 30,
:retry_interval => 2,
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:max_retries => 30,
:retry_interval => 2,
)
end
@ -73,6 +74,7 @@ describe 'ironic::inspector::ironic' do
is_expected.to contain_ironic_inspector_config('ironic/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value(p[:max_retries])
@ -80,6 +82,18 @@ describe 'ironic::inspector::ironic' do
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -41,6 +41,7 @@ describe 'ironic::inspector::service_catalog' do
is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::inspector::service_catalog' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::inspector::service_catalog' do
is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -42,6 +42,7 @@ describe 'ironic::inspector::swift' do
is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('swift/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/container').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value('<SERVICE DEFAULT>')
@ -50,17 +51,17 @@ describe 'ironic::inspector::swift' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:container => 'mycontainer',
:delete_after => 0,
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:container => 'mycontainer',
:delete_after => 0,
)
end
@ -73,12 +74,25 @@ describe 'ironic::inspector::swift' do
is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_inspector_config('swift/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_inspector_config('swift/container').with_value(p[:container])
is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value(0)
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -41,6 +41,7 @@ describe 'ironic::neutron' do
is_expected.to contain_ironic_config('neutron/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('neutron/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/endpoint_override').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value('<SERVICE DEFAULT>')
@ -49,16 +50,16 @@ describe 'ironic::neutron' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:dhcpv6_stateful_address_count => 8,
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:dhcpv6_stateful_address_count => 8,
)
end
@ -70,12 +71,25 @@ describe 'ironic::neutron' do
is_expected.to contain_ironic_config('neutron/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('neutron/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('neutron/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('neutron/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value(p[:dhcpv6_stateful_address_count])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -41,6 +41,7 @@ describe 'ironic::service_catalog' do
is_expected.to contain_ironic_config('service_catalog/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::service_catalog' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::service_catalog' do
is_expected.to contain_ironic_config('service_catalog/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('all')
end
end
end
on_supported_os({

@ -41,6 +41,7 @@ describe 'ironic::swift' do
is_expected.to contain_ironic_config('swift/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('swift/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('swift/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::swift' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::swift' do
is_expected.to contain_ironic_config('swift/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('swift/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('swift/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('swift/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('swift/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/system_scope').with_value('all')
end
end
end
on_supported_os({

Loading…
Cancel
Save