puppet-nova/manifests/api.pp

#
# installs and configures nova api service
#
# * admin_password
# * enabled
# * ensure_package
# * auth_strategy
# * auth_host
# * auth_port
# * auth_protocol
# * auth_admin_prefix: path part of the auth url. Optional.
#     This allow admin auth URIs like http://auth_host:35357/keystone/admin.
#     (where '/keystone' is the admin prefix)
#     Defaults to false for empty. If defined, should be a string with a leading '/' and no trailing '/'.
# * admin_tenant_name
# * admin_user
# * enabled_apis
# * use_forwarded_for:
#     Treat X-Forwarded-For as the canonical remote address. Only
#     enable this if you have a sanitizing proxy. (boolean value)
#     (Optional). Defaults to false.
# * quantum_metadata_proxy_shared_secret
#
class nova::api(
  $admin_password,
  $enabled           = false,
  $ensure_package    = 'present',
  $auth_strategy     = 'keystone',
  $auth_host         = '127.0.0.1',
  $auth_port         = 35357,
  $auth_protocol     = 'http',
  $auth_admin_prefix = false,
  $admin_tenant_name = 'services',
  $admin_user        = 'nova',
  $api_bind_address  = '0.0.0.0',
  $metadata_listen   = '0.0.0.0',
  $enabled_apis      = 'ec2,osapi_compute,metadata',
  $volume_api_class  = 'nova.volume.cinder.API',
  $use_forwarded_for = false,
  $workers           = $::processorcount,
  $sync_db           = true,
  $quantum_metadata_proxy_shared_secret = undef
) {

  include nova::params
  require keystone::python

  Package<| title == 'nova-api' |> -> Nova_paste_api_ini<| |>

  Package<| title == 'nova-common' |> -> Class['nova::api']

  Nova_paste_api_ini<| |> ~> Exec['post-nova_config']
  Nova_paste_api_ini<| |> ~> Service['nova-api']

  class { 'cinder::client':
    notify => Service[$::nova::params::api_service_name],
  }

  nova::generic_service { 'api':
    enabled        => $enabled,
    ensure_package => $ensure_package,
    package_name   => $::nova::params::api_package_name,
    service_name   => $::nova::params::api_service_name,
  }

  nova_config {
    'DEFAULT/api_paste_config':      value => '/etc/nova/api-paste.ini';
    'DEFAULT/enabled_apis':          value => $enabled_apis;
    'DEFAULT/volume_api_class':      value => $volume_api_class;
    'DEFAULT/ec2_listen':            value => $api_bind_address;
    'DEFAULT/osapi_compute_listen':  value => $api_bind_address;
    'DEFAULT/metadata_listen':       value => $metadata_listen;
    'DEFAULT/osapi_volume_listen':   value => $api_bind_address;
    'DEFAULT/osapi_compute_workers': value => $workers;
    'DEFAULT/use_forwarded_for':     value => $use_forwarded_for;
  }

  if ($quantum_metadata_proxy_shared_secret){
    nova_config {
      'DEFAULT/service_quantum_metadata_proxy': value => true;
      'DEFAULT/quantum_metadata_proxy_shared_secret':
        value => $quantum_metadata_proxy_shared_secret;
    }
  } else {
    nova_config {
      'DEFAULT/service_quantum_metadata_proxy': value => false;
      'DEFAULT/quantum_metadata_proxy_shared_secret': ensure => absent;
    }
  }

  nova_paste_api_ini {
    'filter:authtoken/auth_host':         value => $auth_host;
    'filter:authtoken/auth_port':         value => $auth_port;
    'filter:authtoken/auth_protocol':     value => $auth_protocol;
    'filter:authtoken/admin_tenant_name': value => $admin_tenant_name;
    'filter:authtoken/admin_user':        value => $admin_user;
    'filter:authtoken/admin_password':    value => $admin_password, secret => true;
  }

  if $auth_admin_prefix {
    validate_re($auth_admin_prefix, '^(/.+[^/])?$')
    nova_paste_api_ini {
      'filter:authtoken/auth_admin_prefix': value => $auth_admin_prefix;
    }
  } else {
    nova_paste_api_ini {
      'filter:authtoken/auth_admin_prefix': ensure => absent;
    }
  }

  if 'occiapi' in $enabled_apis {
    if !defined(Package['python-pip']) {
      package { 'python-pip':
        ensure => latest,
      }
    }
    if !defined(Package['pyssf']) {
      package { 'pyssf':
        provider => pip,
        ensure   => latest,
        require  => Package['python-pip']
      }
    }
    package { 'openstackocci':
      provider => 'pip',
      ensure   => latest,
      require  => Package['python-pip'],
    }
  }

  # Added arg and if statement prevents this from being run
  # where db is not active i.e. the compute
  if $sync_db {
    Package<| title == 'nova-api' |> -> Exec['nova-db-sync']
    exec { 'nova-db-sync':
      command     => '/usr/bin/nova-manage db sync',
      refreshonly => true,
      subscribe   => Exec['post-nova_config'],
    }
  }

}
update inline docs 2012-10-14 13:00:26 -07:00			`#`
			`# installs and configures nova api service`
			`#`
			`# * admin_password`
			`# * enabled`
			`# * ensure_package`
			`# * auth_strategy`
			`# * auth_host`
			`# * auth_port`
			`# * auth_protocol`
Add parameter auth_admin_prefix to nova::api To support keystone urls like http://host:80/keystone/admin Implements blueprint serve-keystone-from-wsgi Change-Id: I1fa1f41e855bc50c20caff331eb7aa95fafee42a 2013-05-14 18:44:01 +02:00			`# * auth_admin_prefix: path part of the auth url. Optional.`
			`# This allow admin auth URIs like http://auth_host:35357/keystone/admin.`
			`# (where '/keystone' is the admin prefix)`
			`# Defaults to false for empty. If defined, should be a string with a leading '/' and no trailing '/'.`
update inline docs 2012-10-14 13:00:26 -07:00			`# * admin_tenant_name`
			`# * admin_user`
			`# * enabled_apis`
Adds Support for X-Forwarded-For HTTP Headers Previously, the nova::api class did not support proxies and load-balancers that use X-Forwarded-For Headers to identify the originating IP address of requests. This change implements the use_forwarded_for parameter to enable/disable the ability for Nova API to treat the X-Forwarded-For HTTP Header as the canonical remote address. Defaults to false for backwards compatibility and to disable X-Forwarded-For Headers. Change-Id: I3c7224bef1bfa4578ab2a298b05a24e46d618ce7 2013-07-30 23:31:44 +00:00			`# * use_forwarded_for:`
			`# Treat X-Forwarded-For as the canonical remote address. Only`
			`# enable this if you have a sanitizing proxy. (boolean value)`
			`# (Optional). Defaults to false.`
Allow configure nova-metadata for quantum Change-Id: I23da2c831d8c726a85a60aa51adfcb9d7a448013 2013-05-03 12:46:59 +02:00			`# * quantum_metadata_proxy_shared_secret`
update inline docs 2012-10-14 13:00:26 -07:00			`#`
Refactor nova services to use generic_service Previously, there was a lot of copy/paste code for handling the various nova services. This commit creates the define nova::generic_service which is used to capture common code for configuring nova services. It also updates the following classes to use that code: - nova::api - nova::cert - nova::compute - nova::objectstore - nova::network - nova::sceduler - nova::volume It also updates spec tests for all of these classes 2012-04-01 14:23:36 -07:00			`class nova::api(`
make passwords optional its more secure to force users to update password. otherwise folks could wind up not knowing they had things set to easy to guess defaults. 2012-10-14 13:01:23 -07:00			`$admin_password,`
Update keystone auth for nova Remove deprecated service entries for authtoken config. Move keystone config from nova class to nova::api class. 2012-04-23 17:46:17 -07:00			`$enabled = false,`
Update nova::api class to allow specification of specific package version for nova-api service. This required augmenting generic-service to allow specifing such package versions as well. Default behavior should not be affected, added spec to test these changes. 2012-05-08 13:32:36 -05:00			`$ensure_package = 'present',`
Update keystone auth for nova Remove deprecated service entries for authtoken config. Move keystone config from nova class to nova::api class. 2012-04-23 17:46:17 -07:00			`$auth_strategy = 'keystone',`
			`$auth_host = '127.0.0.1',`
			`$auth_port = 35357,`
			`$auth_protocol = 'http',`
Add parameter auth_admin_prefix to nova::api To support keystone urls like http://host:80/keystone/admin Implements blueprint serve-keystone-from-wsgi Change-Id: I1fa1f41e855bc50c20caff331eb7aa95fafee42a 2013-05-14 18:44:01 +02:00			`$auth_admin_prefix = false,`
Update keystone auth for nova Remove deprecated service entries for authtoken config. Move keystone config from nova class to nova::api class. 2012-04-23 17:46:17 -07:00			`$admin_tenant_name = 'services',`
			`$admin_user = 'nova',`
Adds the ability to set enabled APIs This modification both allows setting what API to enable and enables the [OCCI](http://www.occi-wg.org) [implementation](http://github.com/tmetsch/occi-os) for OpenStack. For usage [see the OpenStack wiki](http://wiki.openstack.org/occi). 2012-10-14 20:39:26 +02:00			`$api_bind_address = '0.0.0.0',`
Adds metadata_listen parameter Previously, metadata_listen used the api_bind_address parameter, but there are scenarios when it should listen on another IP address, such as localhost - for example, when using Quantum metadata. Change-Id: I8b1b2d8623a0626516342f7750eecb3087e8a880 2013-05-09 12:16:15 -06:00			`$metadata_listen = '0.0.0.0',`
Implement volume_api_class as an option 2012-11-16 04:54:53 -08:00			`$enabled_apis = 'ec2,osapi_compute,metadata',`
Added arg and if statement prevents db_sync from being run where db service is not active i.e. the compute 2012-11-28 22:17:22 -08:00			`$volume_api_class = 'nova.volume.cinder.API',`
Adds Support for X-Forwarded-For HTTP Headers Previously, the nova::api class did not support proxies and load-balancers that use X-Forwarded-For Headers to identify the originating IP address of requests. This change implements the use_forwarded_for parameter to enable/disable the ability for Nova API to treat the X-Forwarded-For HTTP Header as the canonical remote address. Defaults to false for backwards compatibility and to disable X-Forwarded-For Headers. Change-Id: I3c7224bef1bfa4578ab2a298b05a24e46d618ce7 2013-07-30 23:31:44 +00:00			`$use_forwarded_for = false,`
Allow user to set the number of api workers Defaults to ::processorcount Also reseting puppet 2.6 compat in spec/classes/nova_db_postgresql_spec.rb so that unit tests pass, it looks like our 2.6 unit test runner is using puppet 2.7 Change-Id: I521679ce497a6d9f39a88a6e1d16d5a4ca67255a 2013-04-26 06:17:03 -04:00			`$workers = $::processorcount,`
Allow configure nova-metadata for quantum Change-Id: I23da2c831d8c726a85a60aa51adfcb9d7a448013 2013-05-03 12:46:59 +02:00			`$sync_db = true,`
			`$quantum_metadata_proxy_shared_secret = undef`
Remove unnessary inheritance This commit removes any occurrences of the inherits keyword. Ineritance should only be used for overriding resources and accessing params from class defaults. Any other uses are confusing to people who may read this code in the future. 2012-04-23 16:57:54 -07:00			`) {`

			`include nova::params`
Add a coupld of api deps - nova-common should be installed first - keystone client libs should be installed. 2012-11-06 12:07:54 -08:00			`require keystone::python`
removed the confighash changed isserviceenabled flag to enable. - updated it to effect ensure and enable state of service 2011-05-27 11:25:26 -07:00
Use ini native types for paste_api - remove old templates - add native type and provider. 2012-10-09 22:22:37 -07:00			`Package<\| title == 'nova-api' \|> -> Nova_paste_api_ini<\| \|>`
Fix dep cycle for nova api 2012-04-07 19:32:13 -07:00
Add a coupld of api deps - nova-common should be installed first - keystone client libs should be installed. 2012-11-06 12:07:54 -08:00			`Package<\| title == 'nova-common' \|> -> Class['nova::api']`

Use ini native types for paste_api - remove old templates - add native type and provider. 2012-10-09 22:22:37 -07:00			`Nova_paste_api_ini<\| \|> ~> Exec['post-nova_config']`
			`Nova_paste_api_ini<\| \|> ~> Service['nova-api']`
moved db-sync to nova::api - db should not be respnsoble for managing its migration. - it should not have to install nova - it may be an external utility - nova::api was chosen as the best component to couple the migration to. 2011-06-22 16:49:59 -07:00
Puppet lint Change-Id: Ia95da80607a05f228aec9cce6468f75aef0a4711 2013-05-08 18:09:29 -04:00			`class { 'cinder::client':`
			`notify => Service[$::nova::params::api_service_name],`
Adding cinderclient as a dependency of nova::api required because volume_api_class = nova.volume.cinder.API 2012-11-02 13:31:58 -04:00			`}`

Refactor nova services to use generic_service Previously, there was a lot of copy/paste code for handling the various nova services. This commit creates the define nova::generic_service which is used to capture common code for configuring nova services. It also updates the following classes to use that code: - nova::api - nova::cert - nova::compute - nova::objectstore - nova::network - nova::sceduler - nova::volume It also updates spec tests for all of these classes 2012-04-01 14:23:36 -07:00			`nova::generic_service { 'api':`
Update nova::api class to allow specification of specific package version for nova-api service. This required augmenting generic-service to allow specifing such package versions as well. Default behavior should not be affected, added spec to test these changes. 2012-05-08 13:32:36 -05:00			`enabled => $enabled,`
			`ensure_package => $ensure_package,`
			`package_name => $::nova::params::api_package_name,`
			`service_name => $::nova::params::api_service_name,`
Keystoneification 2012-03-30 13:09:30 +02:00			`}`

make apis hosted by nova configurable for cinder support. 2012-10-11 02:01:06 -07:00			`nova_config {`
Allow user to set the number of api workers Defaults to ::processorcount Also reseting puppet 2.6 compat in spec/classes/nova_db_postgresql_spec.rb so that unit tests pass, it looks like our 2.6 unit test runner is using puppet 2.7 Change-Id: I521679ce497a6d9f39a88a6e1d16d5a4ca67255a 2013-04-26 06:17:03 -04:00			`'DEFAULT/api_paste_config': value => '/etc/nova/api-paste.ini';`
			`'DEFAULT/enabled_apis': value => $enabled_apis;`
			`'DEFAULT/volume_api_class': value => $volume_api_class;`
			`'DEFAULT/ec2_listen': value => $api_bind_address;`
			`'DEFAULT/osapi_compute_listen': value => $api_bind_address;`
Adds metadata_listen parameter Previously, metadata_listen used the api_bind_address parameter, but there are scenarios when it should listen on another IP address, such as localhost - for example, when using Quantum metadata. Change-Id: I8b1b2d8623a0626516342f7750eecb3087e8a880 2013-05-09 12:16:15 -06:00			`'DEFAULT/metadata_listen': value => $metadata_listen;`
Allow user to set the number of api workers Defaults to ::processorcount Also reseting puppet 2.6 compat in spec/classes/nova_db_postgresql_spec.rb so that unit tests pass, it looks like our 2.6 unit test runner is using puppet 2.7 Change-Id: I521679ce497a6d9f39a88a6e1d16d5a4ca67255a 2013-04-26 06:17:03 -04:00			`'DEFAULT/osapi_volume_listen': value => $api_bind_address;`
			`'DEFAULT/osapi_compute_workers': value => $workers;`
Adds Support for X-Forwarded-For HTTP Headers Previously, the nova::api class did not support proxies and load-balancers that use X-Forwarded-For Headers to identify the originating IP address of requests. This change implements the use_forwarded_for parameter to enable/disable the ability for Nova API to treat the X-Forwarded-For HTTP Header as the canonical remote address. Defaults to false for backwards compatibility and to disable X-Forwarded-For Headers. Change-Id: I3c7224bef1bfa4578ab2a298b05a24e46d618ce7 2013-07-30 23:31:44 +00:00			`'DEFAULT/use_forwarded_for': value => $use_forwarded_for;`
make apis hosted by nova configurable for cinder support. 2012-10-11 02:01:06 -07:00			`}`
Add api_paste_config value to nova::api This commit adds a config setting api_paste_config in the nova::api class that corresponds to the file resources in the class that manages the api_paste_config file. 2012-04-08 22:40:50 +00:00
Allow configure nova-metadata for quantum Change-Id: I23da2c831d8c726a85a60aa51adfcb9d7a448013 2013-05-03 12:46:59 +02:00			`if ($quantum_metadata_proxy_shared_secret){`
			`nova_config {`
			`'DEFAULT/service_quantum_metadata_proxy': value => true;`
			`'DEFAULT/quantum_metadata_proxy_shared_secret':`
			`value => $quantum_metadata_proxy_shared_secret;`
			`}`
			`} else {`
			`nova_config {`
			`'DEFAULT/service_quantum_metadata_proxy': value => false;`
			`'DEFAULT/quantum_metadata_proxy_shared_secret': ensure => absent;`
			`}`
			`}`

Use ini native types for paste_api - remove old templates - add native type and provider. 2012-10-09 22:22:37 -07:00			`nova_paste_api_ini {`
			`'filter:authtoken/auth_host': value => $auth_host;`
			`'filter:authtoken/auth_port': value => $auth_port;`
			`'filter:authtoken/auth_protocol': value => $auth_protocol;`
			`'filter:authtoken/admin_tenant_name': value => $admin_tenant_name;`
			`'filter:authtoken/admin_user': value => $admin_user;`
Allow to hide config values from Puppet logs Hide configuration value from Puppet logs if the secret parameter is set to true. Fixes: bug #1173322 Change-Id: I0815c3a1b84201fc7c39d221ff7f07fbd22fbcd4 2013-05-28 18:00:50 -04:00			`'filter:authtoken/admin_password': value => $admin_password, secret => true;`
committed the code that was moved from openstack - also added nova::db 2011-05-26 12:19:52 -07:00			`}`
Remove nova-db-sync I never really understood why we had 2 resources to sync the nova db. This commit attempts to remove one. 2012-10-09 22:25:00 -07:00
Add parameter auth_admin_prefix to nova::api To support keystone urls like http://host:80/keystone/admin Implements blueprint serve-keystone-from-wsgi Change-Id: I1fa1f41e855bc50c20caff331eb7aa95fafee42a 2013-05-14 18:44:01 +02:00			`if $auth_admin_prefix {`
			`validate_re($auth_admin_prefix, '^(/.+[^/])?$')`
			`nova_paste_api_ini {`
			`'filter:authtoken/auth_admin_prefix': value => $auth_admin_prefix;`
			`}`
			`} else {`
			`nova_paste_api_ini {`
			`'filter:authtoken/auth_admin_prefix': ensure => absent;`
			`}`
			`}`

Adds the ability to set enabled APIs This modification both allows setting what API to enable and enables the [OCCI](http://www.occi-wg.org) [implementation](http://github.com/tmetsch/occi-os) for OpenStack. For usage [see the OpenStack wiki](http://wiki.openstack.org/occi). 2012-10-14 20:39:26 +02:00			`if 'occiapi' in $enabled_apis {`
			`if !defined(Package['python-pip']) {`
Puppet lint Change-Id: Ia95da80607a05f228aec9cce6468f75aef0a4711 2013-05-08 18:09:29 -04:00			`package { 'python-pip':`
			`ensure => latest,`
			`}`
Adds the ability to set enabled APIs This modification both allows setting what API to enable and enables the [OCCI](http://www.occi-wg.org) [implementation](http://github.com/tmetsch/occi-os) for OpenStack. For usage [see the OpenStack wiki](http://wiki.openstack.org/occi). 2012-10-14 20:39:26 +02:00			`}`
Puppet lint Change-Id: Ia95da80607a05f228aec9cce6468f75aef0a4711 2013-05-08 18:09:29 -04:00			`if !defined(Package['pyssf']) {`
			`package { 'pyssf':`
			`provider => pip,`
			`ensure => latest,`
			`require => Package['python-pip']`
			`}`
Adds the ability to set enabled APIs This modification both allows setting what API to enable and enables the [OCCI](http://www.occi-wg.org) [implementation](http://github.com/tmetsch/occi-os) for OpenStack. For usage [see the OpenStack wiki](http://wiki.openstack.org/occi). 2012-10-14 20:39:26 +02:00			`}`
Puppet lint Change-Id: Ia95da80607a05f228aec9cce6468f75aef0a4711 2013-05-08 18:09:29 -04:00			`package { 'openstackocci':`
			`provider => 'pip',`
			`ensure => latest,`
			`require => Package['python-pip'],`
Adds the ability to set enabled APIs This modification both allows setting what API to enable and enables the [OCCI](http://www.occi-wg.org) [implementation](http://github.com/tmetsch/occi-os) for OpenStack. For usage [see the OpenStack wiki](http://wiki.openstack.org/occi). 2012-10-14 20:39:26 +02:00			`}`
			`}`

Puppet lint Change-Id: Ia95da80607a05f228aec9cce6468f75aef0a4711 2013-05-08 18:09:29 -04:00			`# Added arg and if statement prevents this from being run`
			`# where db is not active i.e. the compute`
Added arg and if statement prevents db_sync from being run where db service is not active i.e. the compute 2012-11-28 22:17:22 -08:00			`if $sync_db {`
			`Package<\| title == 'nova-api' \|> -> Exec['nova-db-sync']`
Puppet lint Change-Id: Ia95da80607a05f228aec9cce6468f75aef0a4711 2013-05-08 18:09:29 -04:00			`exec { 'nova-db-sync':`
			`command => '/usr/bin/nova-manage db sync',`
			`refreshonly => true,`
Added arg and if statement prevents db_sync from being run where db service is not active i.e. the compute 2012-11-28 22:17:22 -08:00			`subscribe => Exec['post-nova_config'],`
			`}`
Remove nova-db-sync I never really understood why we had 2 resources to sync the nova db. This commit attempts to remove one. 2012-10-09 22:25:00 -07:00			`}`

committed the code that was moved from openstack - also added nova::db 2011-05-26 12:19:52 -07:00			`}`