Merge "Use secret_ceph resource in nova::compute::rbd"

2024-04-25 15:20:38 +00:00 · 2024-04-25 15:20:38 +00:00 · 1ebe4ac2c8
parent 96acc50a11 d033bb39de
commit 1ebe4ac2c8
3 changed files with 53 additions and 100 deletions
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@ -53,7 +53,7 @@
 # [*libvirt_rbd_secret_uuid*]
 #   (optional) The libvirt uuid of the secret for the rbd_user.
 #   Required to use cephx.
-#   Default to false.
+#   Default to undef.
 #
 # [*libvirt_rbd_secret_key*]
 #   (optional) The cephx key to use as key for the libvirt secret,
@ -62,10 +62,6 @@
 #   provided of the client.admin keyring as well.
 #   Default to undef.
 #
-# [*rbd_keyring*]
-#   (optional) The keyring name to use when retrieving the RBD secret
-#   Default to 'client.nova'
-#
 # [*ephemeral_storage*]
 #   (optional) Whether or not to use the rbd driver for the nova
 #   ephemeral storage or for the cinder volumes only.
@ -88,26 +84,37 @@
 #   (optional) Manage the libvirt secret
 #   Defaults to true
 #
+# == Deprecated parameters
+#
+# [*rbd_keyring*]
+#   (optional) The keyring name to use when retrieving the RBD secret
+#   Default to undef
+#
 class nova::compute::rbd (
  $libvirt_rbd_user,
-  $libvirt_rbd_secret_uuid                      = false,
+  $libvirt_rbd_secret_uuid                      = undef,
  $libvirt_rbd_secret_key                       = undef,
  $libvirt_images_rbd_pool                      = 'rbd',
  $libvirt_images_rbd_ceph_conf                 = '/etc/ceph/ceph.conf',
  $libvirt_images_rbd_glance_store_name         = $facts['os_service_default'],
  $libvirt_images_rbd_glance_copy_poll_interval = $facts['os_service_default'],
  $libvirt_images_rbd_glance_copy_timeout       = $facts['os_service_default'],
-  $rbd_keyring                                  = 'client.nova',
  Boolean $ephemeral_storage                    = true,
  Boolean $manage_ceph_client                   = true,
  $ceph_client_ensure                           = 'present',
  $package_ensure                               = 'present',
  Boolean $manage_libvirt_secret                = true,
+  ## DEPRECATED PARAMETERS
+  $rbd_keyring                                  = undef,
 ) {

  include nova::deps
  include nova::params

+  if $rbd_keyring != undef {
+    warning('The rbd_keyring parameter is deprecated and has no effect')
+  }
+
  if $manage_ceph_client {
    # Install ceph client libraries
    package { 'ceph-client-package':
@ -128,42 +135,27 @@ class nova::compute::rbd (
    'libvirt/rbd_user': value => $libvirt_rbd_user;
  }

-  if $libvirt_rbd_secret_uuid {
+  if $libvirt_rbd_secret_uuid != undef {
    nova_config {
      'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid;
    }

+    # TODO(tobias-urdin): Remove these two when propagated
+    file { '/etc/nova/secret.xml':
+      ensure => 'absent',
+    }
+    file { '/etc/nova/virsh.secret':
+      ensure => 'absent',
+    }
+
    if $manage_libvirt_secret {
-      file { '/etc/nova/secret.xml':
-        content => epp('nova/libvirt-secret-ceph.xml.epp', {
-          'secret_name' => "${rbd_keyring} secret",
-          'uuid'        => $libvirt_rbd_secret_uuid,
-        }),
-        require => Anchor['nova::config::begin'],
+      if $libvirt_rbd_secret_key == undef {
+        fail('libvirt_rbd_secret_key is required when libvirt_rbd_secret_uuid is set')
      }

-      #Variable name shrunk in favor of removing
-      #the more than 140 chars puppet-lint warning.
-      #variable used in the get-or-set virsh secret
-      #resource.
-      $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
-      exec { 'get-or-set virsh secret':
-        command => $cm,
-        unless  => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
-        require => File['/etc/nova/secret.xml'],
-      }
-      Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']
-
-      if $libvirt_rbd_secret_key {
-        $libvirt_key = $libvirt_rbd_secret_key
-      } else {
-        $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
-      }
-      exec { 'set-secret-value virsh':
-        command   => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
-        unless    => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
-        logoutput => false,
-        require   => Exec['get-or-set virsh secret'],
+      nova::compute::libvirt::secret_ceph { $libvirt_rbd_secret_uuid:
+        uuid  => $libvirt_rbd_secret_uuid,
+        value => $libvirt_rbd_secret_key,
      }
    }
  } else {
--- a/releasenotes/notes/nova-compute-rbd-libvirt-secret-2c78325557a27411.yaml
+++ b/releasenotes/notes/nova-compute-rbd-libvirt-secret-2c78325557a27411.yaml
@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    If you are setting ``libvirt_rbd_secret_uuid`` in the ``nova::compute::rbd``
+    class you MUST now set ``libvirt_rbd_secret_key`` as well if the
+    ``manage_libvirt_secret`` parameters is set to true (the default) because
+    the ``rbd_keyring`` parameter is deprecated and has no effect, we no longer
+    get the Ceph authx key automatically if ``libvirt_rbd_secret_key`` is not set.
+deprecations:
+  - |
+    The ``nova::compute::rbd::rbd_keyring`` parameter is deprecated and has
+    no effect.
--- a/spec/classes/nova_compute_rbd_spec.rb
+++ b/spec/classes/nova_compute_rbd_spec.rb
@ -52,7 +52,6 @@ describe 'nova::compute::rbd' do
      before :each do
        params.merge!(
          :libvirt_rbd_user                             => 'joe',
-          :libvirt_rbd_secret_uuid                      => false,
          :libvirt_images_rbd_pool                      => 'AnotherPool',
          :libvirt_images_rbd_ceph_conf                 => '/tmp/ceph.conf',
          :libvirt_images_rbd_glance_store_name         => 'glance_rbd_store',
@ -72,60 +71,25 @@ describe 'nova::compute::rbd' do
    end

    context 'when using cephx' do
-      before :each do
-        params.merge!(
-          :libvirt_rbd_secret_uuid => 'UUID',
-          :rbd_keyring             => 'client.rbd_test'
-        )
-      end
-
-      it 'configure nova.conf with RBD secret UUID' do
-          is_expected.to contain_nova_config('libvirt/rbd_secret_uuid').with_value('UUID')
-      end
-
-      it 'configure ceph on compute nodes' do
-        verify_contents(catalogue, '/etc/nova/secret.xml', [
-          "<secret ephemeral=\'no\' private=\'no\'>",
-          "  <usage type=\'ceph\'>",
-          "    <name>client.rbd_test secret</name>",
-          "  </usage>",
-          "  <uuid>UUID</uuid>",
-          "</secret>"
-        ])
-        is_expected.to contain_exec('get-or-set virsh secret').with(
-          :command =>  '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
-          :unless  => '/usr/bin/virsh secret-list | grep -i UUID',
-          :require => 'File[/etc/nova/secret.xml]',
-        )
-        is_expected.to contain_exec('set-secret-value virsh').with(
-          :command   => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
-          :logoutput => false,
-        )
-      end
-    end
-
-    context 'when using cephx and passing libvirt_rbd_secret_key' do
-      before :each do
+      before do
        params.merge!(
          :libvirt_rbd_secret_uuid => 'UUID',
          :libvirt_rbd_secret_key  => 'LIBVIRT/SECRET/KEY',
        )
      end

-      it 'set libvirt secret key from passed key' do
-        is_expected.to contain_exec('set-secret-value virsh').with(
-          :command   => "/usr/bin/virsh secret-set-value --secret #{params[:libvirt_rbd_secret_uuid]} --base64 #{params[:libvirt_rbd_secret_key]}",
-          :logoutput => false,
-        )
-      end
+      it { is_expected.to contain_nova__compute__libvirt__secret_ceph('UUID').with(
+        :uuid  => params[:libvirt_rbd_secret_uuid],
+        :value => params[:libvirt_rbd_secret_key],
+      )}
    end

    context 'when using cephx but disabling ephemeral storage' do
-      before :each do
+      before do
        params.merge!(
-          :libvirt_rbd_secret_uuid      => 'UUID',
-          :rbd_keyring                  => 'client.rbd_test',
-          :ephemeral_storage            => false
+          :libvirt_rbd_secret_uuid => 'UUID',
+          :libvirt_rbd_secret_key  => 'LIBVIRT/SECRET/KEY',
+          :ephemeral_storage       => false
        )
      end

@ -139,25 +103,10 @@ describe 'nova::compute::rbd' do
          is_expected.to contain_nova_config('libvirt/rbd_secret_uuid').with_value('UUID')
      end

-      it 'configure ceph on compute nodes' do
-        verify_contents(catalogue, '/etc/nova/secret.xml', [
-          "<secret ephemeral=\'no\' private=\'no\'>",
-          "  <usage type=\'ceph\'>",
-          "    <name>client.rbd_test secret</name>",
-          "  </usage>",
-          "  <uuid>UUID</uuid>",
-          "</secret>"
-        ])
-        is_expected.to contain_exec('get-or-set virsh secret').with(
-          :command =>  '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
-          :unless  => '/usr/bin/virsh secret-list | grep -i UUID',
-          :require => 'File[/etc/nova/secret.xml]',
-        )
-        is_expected.to contain_exec('set-secret-value virsh').with(
-          :command   => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
-          :logoutput => false,
-        )
-      end
+      it { is_expected.to contain_nova__compute__libvirt__secret_ceph('UUID').with(
+        :uuid  => params[:libvirt_rbd_secret_uuid],
+        :value => params[:libvirt_rbd_secret_key],
+      )}
    end

    context 'when not managing ceph client' do