From 2a977455b705b1725a69cc8d2ea779a747212b36 Mon Sep 17 00:00:00 2001
From: Oliver Walsh <owalsh@redhat.com>
Date: Wed, 25 Oct 2017 14:21:47 +0100
Subject: [PATCH] Fix key_manager in nova config for Queens

keymgr_api_class is now deprecated in favor of keymgr_backend, with
full backward compatibility for users.
keymgr_backend is set to nova.keymgr.conf_key_mgr.ConfKeyManager
by default and configure key_manager/backend instead of
key_manager/api_class.

Change-Id: I7f4136ad32d70fe8a00e9147077224f9c4779b03
Related-Bug: #1725298
---
 manifests/compute.pp                          | 32 ++++++++++++++-----
 .../api_key_backend-c1cd58916c1ba43b.yaml     |  8 +++++
 spec/classes/nova_compute_spec.rb             | 18 +++++++++--
 3 files changed, 47 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/api_key_backend-c1cd58916c1ba43b.yaml

diff --git a/manifests/compute.pp b/manifests/compute.pp
index 286f2c38b..7768baa0d 100644
--- a/manifests/compute.pp
+++ b/manifests/compute.pp
@@ -115,11 +115,6 @@
 #   resume their state each time the compute node boots or restarts.
 #   Defaults to $::os_service_default
 #
-# [*keymgr_api_class*]
-#   (optional) Key Manager service.
-#   Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-#   Defaults to $::os_service_default
-#
 # [*barbican_auth_endpoint*]
 #   (optional) Keystone v3 API URL.
 #   Example: http://localhost:5000/v3
@@ -142,6 +137,18 @@
 #   will disable itself.
 #   Defaults to $::os_service_default
 #
+# [*keymgr_backend*]
+#   (optional) Key Manager service class.
+#   Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+#   Defaults to 'nova.keymgr.conf_key_mgr.ConfKeyManager'.
+#
+# DEPRECATED PARAMETERS
+#
+# [*keymgr_api_class*]
+#   (optional) Key Manager service.
+#   Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+#   Defaults to $::os_service_default
+#
 class nova::compute (
   $enabled                                     = true,
   $manage_service                              = true,
@@ -167,12 +174,14 @@ class nova::compute (
   $resize_confirm_window                       = $::os_service_default,
   $vcpu_pin_set                                = $::os_service_default,
   $resume_guests_state_on_host_boot            = $::os_service_default,
-  $keymgr_api_class                            = $::os_service_default,
   $barbican_auth_endpoint                      = $::os_service_default,
   $barbican_endpoint                           = $::os_service_default,
   $barbican_api_version                        = $::os_service_default,
   $max_concurrent_live_migrations              = $::os_service_default,
   $consecutive_build_service_disable_threshold = $::os_service_default,
+  $keymgr_backend                              = 'nova.keymgr.conf_key_mgr.ConfKeyManager',
+  # DEPRECATED PARAMETERS
+  $keymgr_api_class                            = undef,
 ) {
 
   include ::nova::deps
@@ -182,8 +191,15 @@ class nova::compute (
 
   include ::nova::pci
 
+  if $keymgr_api_class {
+    warning('The keymgr_api_class parameter is deprecated, use keymgr_backend')
+    $keymgr_backend_real = $keymgr_api_class
+  } else {
+    $keymgr_backend_real = $keymgr_backend
+  }
+
   # cryptsetup is required when Barbican is encrypting volumes
-  if $keymgr_api_class =~ /barbican/ {
+  if $keymgr_backend_real =~ /barbican/ {
     ensure_packages('cryptsetup', {
       ensure => present,
       tag    => 'openstack',
@@ -198,7 +214,7 @@ class nova::compute (
     'DEFAULT/resize_confirm_window':             value => $resize_confirm_window;
     'DEFAULT/vcpu_pin_set':                      value => $vcpu_pin_set_real;
     'DEFAULT/resume_guests_state_on_host_boot':  value => $resume_guests_state_on_host_boot;
-    'key_manager/api_class':                     value => $keymgr_api_class;
+    'key_manager/backend':                       value => $keymgr_backend_real;
     'barbican/auth_endpoint':                    value => $barbican_auth_endpoint;
     'barbican/barbican_endpoint':                value => $barbican_endpoint;
     'barbican/barbican_api_version':             value => $barbican_api_version;
diff --git a/releasenotes/notes/api_key_backend-c1cd58916c1ba43b.yaml b/releasenotes/notes/api_key_backend-c1cd58916c1ba43b.yaml
new file mode 100644
index 000000000..9219013d2
--- /dev/null
+++ b/releasenotes/notes/api_key_backend-c1cd58916c1ba43b.yaml
@@ -0,0 +1,8 @@
+---
+deprecations:
+  - |
+    keymgr_api_class is now deprecated in favor of keymgr_backend, with
+    full backward compatibility for users.
+    keymgr_backend is set to nova.keymgr.conf_key_mgr.ConfKeyManager
+    by default and configures key_manager/backend instead of
+    key_manager/api_class.
diff --git a/spec/classes/nova_compute_spec.rb b/spec/classes/nova_compute_spec.rb
index d00f1ca59..dc18c1e51 100644
--- a/spec/classes/nova_compute_spec.rb
+++ b/spec/classes/nova_compute_spec.rb
@@ -29,7 +29,7 @@ describe 'nova::compute' do
       it { is_expected.to contain_nova_config('DEFAULT/vcpu_pin_set').with(:value => '<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('DEFAULT/resume_guests_state_on_host_boot').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to_not contain_nova_config('vnc/novncproxy_base_url') }
-      it { is_expected.to contain_nova_config('key_manager/api_class').with_value('<SERVICE DEFAULT>') }
+      it { is_expected.to contain_nova_config('key_manager/backend').with_value('nova.keymgr.conf_key_mgr.ConfKeyManager') }
       it { is_expected.to contain_nova_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('barbican/barbican_api_version').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>') }
@@ -74,7 +74,7 @@ describe 'nova::compute' do
           :resize_confirm_window              => '3',
           :vcpu_pin_set                       => ['4-12','^8','15'],
           :resume_guests_state_on_host_boot   => true,
-          :keymgr_api_class                   => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
+          :keymgr_backend                     => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
           :barbican_endpoint                  => 'http://localhost',
           :barbican_api_version               => 'v1',
           :barbican_auth_endpoint             => 'http://127.0.0.1:5000/v3',
@@ -103,7 +103,7 @@ describe 'nova::compute' do
       end
 
       it 'configures barbican service' do
-        is_expected.to contain_nova_config('key_manager/api_class').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
+        is_expected.to contain_nova_config('key_manager/backend').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
         is_expected.to contain_nova_config('barbican/barbican_endpoint').with_value('http://localhost')
         is_expected.to contain_nova_config('barbican/barbican_api_version').with_value('v1')
         is_expected.to contain_nova_config('barbican/auth_endpoint').with_value('http://127.0.0.1:5000/v3')
@@ -141,6 +141,18 @@ describe 'nova::compute' do
       end
     end
 
+    context 'with barbican deprecated parameters' do
+      let :params do
+        {
+          :keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
+        }
+      end
+      it 'should set keymgr parameter' do
+        is_expected.to contain_nova_config('key_manager/backend').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
+        is_expected.to contain_package('cryptsetup').with( :ensure => 'present' )
+      end
+    end
+
     context 'when vcpu_pin_set and pci params are empty' do
       let :params do
         { :vcpu_pin_set    => ""}