Add separate manifest for configuring access to neutron

Without these parameters ironic uses keystone_authtoken credentials. This is deprecated since Newton and can be removed at any moment. This patch provides a manifest to configure separate credentials and moves other related parameters to it. Reset [neutron]url to os_service_default to allow ironic to guess it, rather then using a value that it probably wrong. Change-Id: I7a9a78521c3495f04ca0a9f625b0d844ee56c56a Partial-Bug: #1661250
2017-02-03 17:08:45 +01:00 · 2017-02-03 17:08:45 +01:00 · ee74484b3a
commit ee74484b3a
parent c995ec4840
7 changed files with 173 additions and 7 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -43,10 +43,6 @@
 #   Should be an valid interger
 #   Defaults to '1000'.
 #
-# [*neutron_url*]
-#   (optional) The Neutron URL to be used for requests from ironic
-#   Defaults to 'http://127.0.0.1:9696/'
-#
 # [*admin_password*]
 #   (required) The password to set for the ironic admin user in keystone
 #
@ -72,6 +68,12 @@
 #   HTTPProxyToWSGI middleware.
 #   Defaults to $::os_service_default.
 #
+# DEPRECATED
+#
+# [*neutron_url*]
+#   (optional) The Neutron URL to be used for requests from ironic
+#   Defaults to undef
+#
 class ironic::api (
  $package_ensure               = 'present',
  $enabled                      = true,
@ -80,9 +82,10 @@ class ironic::api (
  $port                         = '6385',
  $max_limit                    = '1000',
  $workers                      = $::os_service_default,
-  $neutron_url                  = 'http://127.0.0.1:9696/',
  $public_endpoint              = $::os_service_default,
  $enable_proxy_headers_parsing = $::os_service_default,
+  # DEPRECATED
+  $neutron_url                  = undef,
 ) inherits ironic::params {

  include ::ironic::deps
@ -90,6 +93,13 @@ class ironic::api (
  include ::ironic::policy
  include ::ironic::api::authtoken

+  # For backward compatibility only, remove when neutron_url is removed
+  include ::ironic::neutron
+
+  if $neutron_url {
+    warning('Using ironic::api::neutron_url is deprecated, use ironic::neutron::api_endpoint instead')
+  }
+
  # Configure ironic.conf
  ironic_config {
    'api/host_ip':         value => $host_ip;
@ -97,7 +107,6 @@ class ironic::api (
    'api/max_limit':       value => $max_limit;
    'api/api_workers':     value => $workers;
    'api/public_endpoint': value => $public_endpoint;
-    'neutron/url':         value => $neutron_url;
  }

  # Install package
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -360,6 +360,7 @@ class ironic (
  include ::ironic::params

  include ::ironic::glance
+  include ::ironic::neutron

  if $rabbit_user {
    warning('The rabbit_user parameter is deprecated. Please use rabbit_userid instead.')
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: ironic::neutron
+#
+# [*api_endpoint*]
+#   (optional) The Neutron URL to be used for requests from ironic
+#   Defaults to $::os_service_default
+#
+# [*auth_type*]
+#   The authentication plugin to use when connecting to neutron.
+#   Defaults to 'password'
+#
+# [*auth_url*]
+#   The address of the keystone api endpoint.
+#   Defaults to $::os_service_default
+#
+# [*project_name*]
+#   The Keystone project name.
+#   Defaults to 'services'
+#
+# [*username*]
+#   The admin username for ironic to connect to neutron.
+#   Defaults to 'ironic'.
+#
+# [*password*]
+#   The admin password for ironic to connect to neutron.
+#   Defaults to $::os_service_default
+#
+class ironic::neutron (
+  $api_endpoint = $::os_service_default,
+  $auth_type    = 'password',
+  $auth_url     = $::os_service_default,
+  $project_name = 'services',
+  $username     = 'ironic',
+  $password     = $::os_service_default,
+) {
+
+  $api_endpoint_real = pick($::ironic::api::neutron_url, $api_endpoint)
+
+  ironic_config {
+    'neutron/url':          value => $api_endpoint_real;
+    'neutron/auth_type':    value => $auth_type;
+    'neutron/username':     value => $username;
+    'neutron/password':     value => $password, secret => true;
+    'neutron/auth_url':     value => $auth_url;
+    'neutron/project_name': value => $project_name;
+  }
+}
--- a/releasenotes/notes/neutron-manifest-8fbe400720ffc60e.yaml
+++ b/releasenotes/notes/neutron-manifest-8fbe400720ffc60e.yaml
@ -0,0 +1,17 @@
+---
+features:
+  - |
+    New manifest "ironic::neutron" to set parameters for connecting to neutron.
+    Please set credentials for ironic to access neutron using this manifest,
+    otherwise ironic falls back to using "keystone_authtoken" credentials,
+    which are deprecated for this purpose.
+deprecations:
+  - |
+    Parameter "ironic::api::neutron_url" is deprecated, use
+    "ironic::neutron::api_endpoint" instead.
+upgrade:
+  - |
+    Value of "ironic::neutron::api_endpoint" parameter (former
+    "ironic::api::neutron_url") was reset to the service default. The default
+    of "127.0.0.1:9696" was often wrong, without it ironic will fetch the
+    corrent one from the service catalog.
--- a/spec/classes/ironic_api_spec.rb
+++ b/spec/classes/ironic_api_spec.rb
@ -69,7 +69,6 @@ describe 'ironic::api' do
      is_expected.to contain_ironic_config('api/max_limit').with_value(p[:max_limit])
      is_expected.to contain_ironic_config('api/api_workers').with_value('<SERVICE DEFAULT>')
      is_expected.to contain_ironic_config('api/public_endpoint').with_value('<SERVICE DEFAULT>')
-      is_expected.to contain_ironic_config('neutron/url').with_value('http://127.0.0.1:9696/')
      is_expected.to contain_ironic_config('oslo_middleware/enable_proxy_headers_parsing').with_value('<SERVICE DEFAULT>')
    end

--- a/spec/classes/ironic_init_spec.rb
+++ b/spec/classes/ironic_init_spec.rb
@ -72,6 +72,7 @@ describe 'ironic' do
    it { is_expected.to contain_class('ironic::params') }

    it { is_expected.to contain_class('ironic::glance') }
+    it { is_expected.to contain_class('ironic::neutron') }

    it 'installs ironic-common package' do
      is_expected.to contain_package('ironic-common').with(
--- a/spec/classes/ironic_neutron_spec.rb
+++ b/spec/classes/ironic_neutron_spec.rb
@ -0,0 +1,81 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for ironic::neutron
+#
+
+require 'spec_helper'
+
+describe 'ironic::neutron' do
+
+  let :default_params do
+    { :auth_type    => 'password',
+      :project_name => 'services',
+      :username     => 'ironic',
+    }
+  end
+
+  let :params do
+    {}
+  end
+
+  shared_examples_for 'ironic neutron configuration' do
+    let :p do
+      default_params.merge(params)
+    end
+
+    it 'configures ironic.conf' do
+      is_expected.to contain_ironic_config('neutron/url').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('neutron/auth_type').with_value(p[:auth_type])
+      is_expected.to contain_ironic_config('neutron/auth_url').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('neutron/project_name').with_value(p[:project_name])
+      is_expected.to contain_ironic_config('neutron/username').with_value(p[:username])
+      is_expected.to contain_ironic_config('neutron/password').with_value('<SERVICE DEFAULT>').with_secret(true)
+    end
+
+    context 'when overriding parameters' do
+      before :each do
+        params.merge!(
+            :api_endpoint => 'http://neutron.example.com',
+            :auth_type    => 'noauth',
+            :auth_url     => 'http://example.com',
+            :project_name => 'project1',
+            :username     => 'admin',
+            :password     => 'pa$$w0rd',
+        )
+      end
+
+      it 'should replace default parameter with new value' do
+        is_expected.to contain_ironic_config('neutron/url').with_value(p[:api_endpoint])
+        is_expected.to contain_ironic_config('neutron/auth_type').with_value(p[:auth_type])
+        is_expected.to contain_ironic_config('neutron/auth_url').with_value(p[:auth_url])
+        is_expected.to contain_ironic_config('neutron/project_name').with_value(p[:project_name])
+        is_expected.to contain_ironic_config('neutron/username').with_value(p[:username])
+        is_expected.to contain_ironic_config('neutron/password').with_value(p[:password]).with_secret(true)
+      end
+    end
+
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like 'ironic neutron configuration'
+    end
+  end
+
+end