Remove [ssl] parameters

... because these were already removed from Keystone during Newton cycle[1]. Note some parameters like [ssl] enabled were earlier migrated to the [eventlet_server_ssl] section[2] but later removed during Newton by a different patch[3]. [1] 20b851b240bc74694737a9a2e8f58816882b59ae [2] 2ed506995850ff5b60cac0be858d65375d15bf4b [3] ac039414ce997cfcafa09efa9e089e09c3058b70 Closes-Bug: #1967717 Change-Id: I74fe1bce563ff084ebe43425c3f6ffe51b321014
2022-04-04 15:20:30 +09:00 · 2022-04-04 15:20:30 +09:00 · 0954fea1d6
parent b038f20126
commit 0954fea1d6
3 changed files with 70 additions and 77 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -166,32 +166,6 @@
 #   keystone listens for connections) (string value)
 #   Defaults to $::os_service_default
 #
-# [*enable_ssl*]
-#   (Optional) Toggle for SSL support on the keystone eventlet servers.
-#   (boolean value)
-#   Defaults to false
-#
-# [*ssl_certfile*]
-#   (Optional) Path of the certfile for SSL. (string value)
-#   Defaults to '/etc/keystone/ssl/certs/keystone.pem'
-#
-# [*ssl_keyfile*]
-#   (Optional) Path of the keyfile for SSL. (string value)
-#   Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
-#
-# [*ssl_ca_certs*]
-#   (Optional) Path of the ca cert file for SSL. (string value)
-#   Defaults to '/etc/keystone/ssl/certs/ca.pem'
-#
-# [*ssl_ca_key*]
-#   (Optional) Path of the CA key file for SSL (string value)
-#   Defaults to '/etc/keystone/ssl/private/cakey.pem'
-#
-# [*ssl_cert_subject*]
-#   (Optional) SSL Certificate Subject (auto generated certificate)
-#   (string value)
-#   Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
-#
 # [*service_name*]
 #   (Optional) Name of the service that will be providing the
 #   server functionality of keystone.  For example, the default
@ -374,6 +348,32 @@
 #   (Optional) Where to log
 #   Defaults to undef.
 #
+# [*enable_ssl*]
+#   (Optional) Toggle for SSL support on the keystone eventlet servers.
+#   (boolean value)
+#   Defaults to undef
+#
+# [*ssl_certfile*]
+#   (Optional) Path of the certfile for SSL. (string value)
+#   Defaults to undef
+#
+# [*ssl_keyfile*]
+#   (Optional) Path of the keyfile for SSL. (string value)
+#   Defaults to undef
+#
+# [*ssl_ca_certs*]
+#   (Optional) Path of the ca cert file for SSL. (string value)
+#   Defaults to undef
+#
+# [*ssl_ca_key*]
+#   (Optional) Path of the CA key file for SSL (string value)
+#   Defaults to undef
+#
+# [*ssl_cert_subject*]
+#   (Optional) SSL Certificate Subject (auto generated certificate)
+#   (string value)
+#   Defaults to undef
+#
 # == Authors
 #
 #   Dan Bode dan@puppetlabs.com
@ -394,12 +394,6 @@ class keystone(
  $revoke_driver                        = $::os_service_default,
  $revoke_by_id                         = true,
  $public_endpoint                      = $::os_service_default,
-  $enable_ssl                           = false,
-  $ssl_certfile                         = '/etc/keystone/ssl/certs/keystone.pem',
-  $ssl_keyfile                          = '/etc/keystone/ssl/private/keystonekey.pem',
-  $ssl_ca_certs                         = '/etc/keystone/ssl/certs/ca.pem',
-  $ssl_ca_key                           = '/etc/keystone/ssl/private/cakey.pem',
-  $ssl_cert_subject                     = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
  $manage_service                       = true,
  $enabled                              = true,
  $rabbit_heartbeat_timeout_threshold   = $::os_service_default,
@ -450,6 +444,12 @@ class keystone(
  $catalog_type                         = undef,
  $log_dir                              = undef,
  $log_file                             = undef,
+  $enable_ssl                           = undef,
+  $ssl_certfile                         = undef,
+  $ssl_keyfile                          = undef,
+  $ssl_ca_certs                         = undef,
+  $ssl_ca_key                           = undef,
+  $ssl_cert_subject                     = undef,
 ) inherits keystone::params {

  include keystone::deps
@ -463,6 +463,18 @@ class keystone(
    }
  }

+  [
+    'enable_ssl',
+    'ssl_certfile',
+    'ssl_ca_certs',
+    'ssl_ca_key',
+    'ssl_cert_subject'
+  ].each |String $ssl_opt| {
+    if getvar($ssl_opt) != undef {
+      warning("The ${ssl_opt} parameter has been deprecated and has no effect.")
+    }
+  }
+
  if $manage_policyrcd {
    # openstacklib policy_rcd only affects debian based systems.
    Policy_rcd <| title == 'keystone' |> -> Package['keystone']
@ -544,25 +556,14 @@ class keystone(
    'policy/driver': value => $policy_driver;
  }

-  # ssl config
-  if ($enable_ssl) {
-    keystone_config {
-      'ssl/enable':       value  => true;
-      'ssl/certfile':     value  => $ssl_certfile;
-      'ssl/keyfile':      value  => $ssl_keyfile;
-      'ssl/ca_certs':     value  => $ssl_ca_certs;
-      'ssl/ca_key':       value  => $ssl_ca_key;
-      'ssl/cert_subject': value  => $ssl_cert_subject;
-    }
-  } else {
-    keystone_config {
-      'ssl/enable':       value  => false;
-      'ssl/certfile':     value  => $::os_service_default;
-      'ssl/keyfile':      value  => $::os_service_default;
-      'ssl/ca_certs':     value  => $::os_service_default;
-      'ssl/ca_key':       value  => $::os_service_default;
-      'ssl/cert_subject': value  => $::os_service_default;
-    }
+  # TODO(tkajinam): Remove this after Z-release
+  keystone_config {
+    'ssl/enable':       ensure => absent;
+    'ssl/certfile':     ensure => absent;
+    'ssl/keyfile':      ensure => absent;
+    'ssl/ca_certs':     ensure => absent;
+    'ssl/ca_key':       ensure => absent;
+    'ssl/cert_subject': ensure => absent;
  }

  oslo::middleware { 'keystone_config':
--- a/releasenotes/notes/bug-1967717-9775a5b195672923.yaml
+++ b/releasenotes/notes/bug-1967717-9775a5b195672923.yaml
@ -0,0 +1,12 @@
+---
+deprecations:
+  - |
+    The following parameters of the ``keystone`` class have been deprecated and
+    have no effect now.
+
+    - ``enable_ssl``
+    - ``ssl_certfile``
+    - ``ssl_keyfile``
+    - ``ssl_ca_certs``
+    - ``ssl_ca_key``
+    - ``ssl_cert_subject``
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@ -38,12 +38,12 @@ describe 'keystone' do
        is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('revoke/driver').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('policy/driver').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/enable').with_value(false)
-        is_expected.to contain_keystone_config('ssl/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/keyfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/ca_certs').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/ca_key').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/cert_subject').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/enable').with_ensure('absent')
+        is_expected.to contain_keystone_config('ssl/certfile').with_ensure('absent')
+        is_expected.to contain_keystone_config('ssl/keyfile').with_ensure('absent')
+        is_expected.to contain_keystone_config('ssl/ca_certs').with_ensure('absent')
+        is_expected.to contain_keystone_config('ssl/ca_key').with_ensure('absent')
+        is_expected.to contain_keystone_config('ssl/cert_subject').with_ensure('absent')
        is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)

        is_expected.to contain_oslo__middleware('keystone_config').with(
@ -145,12 +145,6 @@ describe 'keystone' do
        is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value(12)
        is_expected.to contain_keystone_config('revoke/driver').with_value('sql')
        is_expected.to contain_keystone_config('policy/driver').with_value('sql')
-        is_expected.to contain_keystone_config('ssl/enable').with_value(false)
-        is_expected.to contain_keystone_config('ssl/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/keyfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/ca_certs').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/ca_key').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_keystone_config('ssl/cert_subject').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)

        is_expected.to contain_oslo__middleware('keystone_config').with(
@ -221,20 +215,6 @@ describe 'keystone' do
      it { is_expected.not_to contain_exec('keystone-manage db_sync') }
    end

-    context 'when enabling SSL' do
-      let :params do
-        {
-          'enable_ssl'  => true,
-        }
-      end
-      it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)}
-      it {is_expected.to contain_keystone_config('ssl/certfile').with_value('/etc/keystone/ssl/certs/keystone.pem')}
-      it {is_expected.to contain_keystone_config('ssl/keyfile').with_value('/etc/keystone/ssl/private/keystonekey.pem')}
-      it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
-      it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
-      it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
-    end
-
    context 'with RabbitMQ communication SSLed' do
      let :params do
        {