openstack/puppet-ironic
Code Issues Proposed changes

Globally support system scope credentials

Browse Source 
After spending huge effort to understand the exact requirements to
enforce SRBAC, we learned it's very difficult to find the required
scope in each credential. This requires understanding implementation of
client-side as well as server-side, and requirement might be different
according to the deployment architecture or features used.

Instead of implementing support based on the actual implementation,
this introduces support for system scope credentials to all places
where keystone user credential is defined, and make all credential
configurations consistent.

Change-Id: I180c00bf826387176427a85319cb254713d40924
This commit is contained in:
Takashi Kajinami 2022-03-04 01:04:54 +09:00
parent 0d9aaa05fd
commit 69df6cf152
17 changed files with 348 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
manifests/cinder.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to cinder in admin context
# through the OpenStack Identity service.
@ -57,18 +61,30 @@ class ironic::cinder (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'cinder/auth_type': value => $auth_type;
'cinder/username': value => $username;
'cinder/password': value => $password, secret => true;
'cinder/auth_url': value => $auth_url;
'cinder/project_name': value => $project_name;
'cinder/project_name': value => $project_name_real;
'cinder/user_domain_name': value => $user_domain_name;
'cinder/project_domain_name': value => $project_domain_name;
'cinder/project_domain_name': value => $project_domain_name_real;
'cinder/system_scope': value => $system_scope;
'cinder/region_name': value => $region_name;
'cinder/endpoint_override': value => $endpoint_override;
}

20
manifests/glance.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to glance in admin context
# through the OpenStack Identity service.
@ -103,6 +107,7 @@ class ironic::glance (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$num_retries = $::os_service_default,
$api_insecure = $::os_service_default,
@ -117,6 +122,8 @@ class ironic::glance (
$swift_account_project_name = undef,
) {
include ironic::deps
if $api_servers {
warning("The ironic::glance::api_servers parameter is deprecated and \
has no effect. Please use ironic::glance::endpoint_override instead.")
@ -130,14 +137,23 @@ has no effect. Please use ironic::glance::endpoint_override instead.")
fail('swift_account_project_name and swift_account can not be specified in the same time.')
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'glance/auth_type': value => $auth_type;
'glance/username': value => $username;
'glance/password': value => $password, secret => true;
'glance/auth_url': value => $auth_url;
'glance/project_name': value => $project_name;
'glance/project_name': value => $project_name_real;
'glance/user_domain_name': value => $user_domain_name;
'glance/project_domain_name': value => $project_domain_name;
'glance/project_domain_name': value => $project_domain_name_real;
'glance/system_scope': value => $system_scope;
'glance/region_name': value => $region_name;
'glance/num_retries': value => $num_retries;
'glance/insecure': value => $api_insecure;

18
manifests/inspector/ironic.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to ironic in admin context
# through the OpenStack Identity service.
@ -65,20 +69,30 @@ class ironic::inspector::ironic (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$max_retries = $::os_service_default,
$retry_interval = $::os_service_default,
) {
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_inspector_config {
'ironic/auth_type': value => $auth_type;
'ironic/username': value => $username;
'ironic/password': value => $password, secret => true;
'ironic/auth_url': value => $auth_url;
'ironic/project_name': value => $project_name;
'ironic/project_name': value => $project_name_real;
'ironic/user_domain_name': value => $user_domain_name;
'ironic/project_domain_name': value => $project_domain_name;
'ironic/project_domain_name': value => $project_domain_name_real;
'ironic/system_scope': value => $system_scope;
'ironic/region_name': value => $region_name;
'ironic/endpoint_override': value => $endpoint_override;
'ironic/max_retries': value => $max_retries;

18
manifests/inspector/service_catalog.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for accessing Keystone catalog
# through the OpenStack Identity service.
@ -57,20 +61,30 @@ class ironic::inspector::service_catalog (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_inspector_config {
'service_catalog/auth_type': value => $auth_type;
'service_catalog/username': value => $username;
'service_catalog/password': value => $password, secret => true;
'service_catalog/auth_url': value => $auth_url;
'service_catalog/project_name': value => $project_name;
'service_catalog/project_name': value => $project_name_real;
'service_catalog/user_domain_name': value => $user_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name_real;
'service_catalog/system_scope': value => $system_scope;
'service_catalog/region_name': value => $region_name;
'service_catalog/endpoint_override': value => $endpoint_override;
}

18
manifests/inspector/swift.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to swift in admin context
# through the OpenStack Identity service.
@ -67,20 +71,30 @@ class ironic::inspector::swift (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$container = $::os_service_default,
$delete_after = $::os_service_default,
) {
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_inspector_config {
'swift/auth_type': value => $auth_type;
'swift/username': value => $username;
'swift/password': value => $password, secret => true;
'swift/auth_url': value => $auth_url;
'swift/project_name': value => $project_name;
'swift/project_name': value => $project_name_real;
'swift/user_domain_name': value => $user_domain_name;
'swift/project_domain_name': value => $project_domain_name;
'swift/project_domain_name': value => $project_domain_name_real;
'swift/system_scope': value => $system_scope;
'swift/region_name': value => $region_name;
'swift/endpoint_override': value => $endpoint_override;
'swift/container': value => $container;

18
manifests/neutron.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to neutron in admin context
# through the OpenStack Identity service.
@ -72,6 +76,7 @@ class ironic::neutron (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$dhcpv6_stateful_address_count = $::os_service_default,
@ -84,14 +89,23 @@ class ironic::neutron (
has no effect. Please use ironic::neutron::endpoint_override instead.")
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'neutron/auth_type': value => $auth_type;
'neutron/username': value => $username;
'neutron/password': value => $password, secret => true;
'neutron/auth_url': value => $auth_url;
'neutron/project_name': value => $project_name;
'neutron/project_name': value => $project_name_real;
'neutron/user_domain_name': value => $user_domain_name;
'neutron/project_domain_name': value => $project_domain_name;
'neutron/project_domain_name': value => $project_domain_name_real;
'neutron/system_scope': value => $system_scope;
'neutron/region_name': value => $region_name;
'neutron/endpoint_override': value => $endpoint_override;
'neutron/dhcpv6_stateful_address_count': value => $dhcpv6_stateful_address_count;

18
manifests/service_catalog.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for accessing Keystone catalog
# through the OpenStack Identity service.
@ -57,20 +61,30 @@ class ironic::service_catalog (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'service_catalog/auth_type': value => $auth_type;
'service_catalog/username': value => $username;
'service_catalog/password': value => $password, secret => true;
'service_catalog/auth_url': value => $auth_url;
'service_catalog/project_name': value => $project_name;
'service_catalog/project_name': value => $project_name_real;
'service_catalog/user_domain_name': value => $user_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name;
'service_catalog/project_domain_name': value => $project_domain_name_real;
'service_catalog/system_scope': value => $system_scope;
'service_catalog/region_name': value => $region_name;
'service_catalog/endpoint_override': value => $endpoint_override;
}

20
manifests/swift.pp
View File

@ -40,6 +40,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to swift in admin context
# through the OpenStack Identity service.
@ -57,18 +61,30 @@ class ironic::swift (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
) {
include ironic::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'swift/auth_type': value => $auth_type;
'swift/username': value => $username;
'swift/password': value => $password, secret => true;
'swift/auth_url': value => $auth_url;
'swift/project_name': value => $project_name;
'swift/project_name': value => $project_name_real;
'swift/user_domain_name': value => $user_domain_name;
'swift/project_domain_name': value => $project_domain_name;
'swift/project_domain_name': value => $project_domain_name_real;
'swift/system_scope': value => $system_scope;
'swift/region_name': value => $region_name;
'swift/endpoint_override': value => $endpoint_override;
}

12
releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml Normal file
View File

@ -0,0 +1,12 @@
---
features:
- |
The new ``system_scope`` parameter has been added to the following classes.
- ``ironic::cinder``
- ``ironic::glance``
- ``ironic::neutron``
- ``ironic::service_catalog``
- ``ironic::swift``
- ``ironic::inspector::ironic``
- ``ironic::inspector::swift``

32
spec/classes/ironic_cinder_spec.rb
View File

@ -41,6 +41,7 @@ describe 'ironic::cinder' do
is_expected.to contain_ironic_config('cinder/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('cinder/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::cinder' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::cinder' do
is_expected.to contain_ironic_config('cinder/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('cinder/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('cinder/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('cinder/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('cinder/system_scope').with_value('all')
end
end
end
on_supported_os({

58
spec/classes/ironic_glance_spec.rb
View File

@ -41,37 +41,38 @@ describe 'ironic::glance' do
is_expected.to contain_ironic_config('glance/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('glance/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('glance/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/num_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_account').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_container').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_endpoint_url').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_temp_url_key').with(:value => '<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_account').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_container').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_endpoint_url').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/swift_temp_url_key').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/endpoint_override').with_value('<SERVICE DEFAULT>')
end
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:api_servers => '10.0.0.1:9292',
:api_insecure => true,
:num_retries => 42,
:swift_account => '00000000-0000-0000-0000-000000000000',
:swift_container => 'glance',
:swift_endpoint_url => 'http://example2.com',
:swift_temp_url_key => 'the-key',
:swift_temp_url_duration => 3600,
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:api_servers => '10.0.0.1:9292',
:api_insecure => true,
:num_retries => 42,
:swift_account => '00000000-0000-0000-0000-000000000000',
:swift_container => 'glance',
:swift_endpoint_url => 'http://example2.com',
:swift_temp_url_key => 'the-key',
:swift_temp_url_duration => 3600,
:endpoint_override => 'http://example2.com',
)
end
@ -83,6 +84,7 @@ describe 'ironic::glance' do
is_expected.to contain_ironic_config('glance/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('glance/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('glance/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('glance/insecure').with_value(p[:api_insecure])
is_expected.to contain_ironic_config('glance/num_retries').with_value(p[:num_retries])
@ -106,6 +108,18 @@ describe 'ironic::glance' do
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('glance/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('glance/system_scope').with_value('all')
end
end
end
on_supported_os({

36
spec/classes/ironic_inspector_ironic_spec.rb
View File

@ -42,6 +42,7 @@ describe 'ironic::inspector::ironic' do
is_expected.to contain_ironic_inspector_config('ironic/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value('<SERVICE DEFAULT>')
@ -51,17 +52,17 @@ describe 'ironic::inspector::ironic' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:max_retries => 30,
:retry_interval => 2,
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:max_retries => 30,
:retry_interval => 2,
)
end
@ -73,6 +74,7 @@ describe 'ironic::inspector::ironic' do
is_expected.to contain_ironic_inspector_config('ironic/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value(p[:max_retries])
@ -80,6 +82,18 @@ describe 'ironic::inspector::ironic' do
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('all')
end
end
end
on_supported_os({

32
spec/classes/ironic_inspector_service_catalog_spec.rb
View File

@ -41,6 +41,7 @@ describe 'ironic::inspector::service_catalog' do
is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::inspector::service_catalog' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::inspector::service_catalog' do
is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('all')
end
end
end
on_supported_os({

36
spec/classes/ironic_inspector_swift_spec.rb
View File

@ -42,6 +42,7 @@ describe 'ironic::inspector::swift' do
is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('Default')
is_expected.to contain_ironic_inspector_config('swift/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/container').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value('<SERVICE DEFAULT>')
@ -50,17 +51,17 @@ describe 'ironic::inspector::swift' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:container => 'mycontainer',
:delete_after => 0,
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:container => 'mycontainer',
:delete_after => 0,
)
end
@ -73,12 +74,25 @@ describe 'ironic::inspector::swift' do
is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_inspector_config('swift/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_inspector_config('swift/container').with_value(p[:container])
is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value(0)
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('all')
end
end
end
on_supported_os({

34
spec/classes/ironic_neutron_spec.rb
View File

@ -41,6 +41,7 @@ describe 'ironic::neutron' do
is_expected.to contain_ironic_config('neutron/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('neutron/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/endpoint_override').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value('<SERVICE DEFAULT>')
@ -49,16 +50,16 @@ describe 'ironic::neutron' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:dhcpv6_stateful_address_count => 8,
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:dhcpv6_stateful_address_count => 8,
)
end
@ -70,12 +71,25 @@ describe 'ironic::neutron' do
is_expected.to contain_ironic_config('neutron/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('neutron/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('neutron/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('neutron/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value(p[:dhcpv6_stateful_address_count])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/system_scope').with_value('all')
end
end
end
on_supported_os({

32
spec/classes/ironic_service_catalog_spec.rb
View File

@ -41,6 +41,7 @@ describe 'ironic::service_catalog' do
is_expected.to contain_ironic_config('service_catalog/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::service_catalog' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::service_catalog' do
is_expected.to contain_ironic_config('service_catalog/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('all')
end
end
end
on_supported_os({

32
spec/classes/ironic_swift_spec.rb
View File

@ -41,6 +41,7 @@ describe 'ironic::swift' do
is_expected.to contain_ironic_config('swift/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('swift/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('swift/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@ -48,15 +49,15 @@ describe 'ironic::swift' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
)
end
@ -68,11 +69,24 @@ describe 'ironic::swift' do
is_expected.to contain_ironic_config('swift/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('swift/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('swift/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('swift/endpoint_override').with_value(p[:endpoint_override])
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('swift/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('swift/system_scope').with_value('all')
end
end
end
on_supported_os({