diff --git a/manifests/cinder.pp b/manifests/cinder.pp index d28ffb516..7b00cec97 100644 --- a/manifests/cinder.pp +++ b/manifests/cinder.pp @@ -33,6 +33,10 @@ # admin context through the OpenStack Identity service. # Defaults to 'Default' if password is set # +# [*system_scope*] +# (optional) Scope for system operations. +# Defaults to $::os_service_default +# # [*username*] # (optional) Username for connecting to Cinder services in admin context # through the OpenStack Identity service. @@ -85,6 +89,7 @@ class nova::cinder ( $timeout = $::os_service_default, $project_name = undef, $project_domain_name = undef, + $system_scope = undef, $username = undef, $user_domain_name = undef, $os_region_name = $::os_service_default, 
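Review bot: The `[*system_scope*]` doc block added in the first hunk says the parameter defaults to `$::os_service_default`, but the signature added in the second hunk declares `$system_scope = undef`. The text also does not tell the operator that setting it changes which other credentials are written; the logic later in this file blanks `project_name` and `project_domain_name` when a password is set. I would reword it to `# (optional) Scope for system operations. When set together with password,` / `# project_name and project_domain_name are not written to nova.conf.` / `# Defaults to undef`. The one-line description is repeated unchanged in ironic/common.pp, metadata/novajoin/api.pp and vendordata.pp, which need the same sentence about the project options being dropped.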
@@ -110,18 +115,26 @@ Use the nova::cinder::os_region_name parameter') 'cinder/region_name': ensure => absent; } + if is_service_default($password) { $auth_type_real = pick($auth_type, $::os_service_default) $auth_url_real = pick($auth_url, $::os_service_default) $project_name_real = pick($project_name, $::os_service_default) $project_domain_name_real = pick($project_domain_name, $::os_service_default) + $system_scope_real = pick($system_scope, $::os_service_default) $username_real = pick($username, $::os_service_default) $user_domain_name_real = pick($user_domain_name, $::os_service_default) } else { + $system_scope_real = pick($system_scope, $::os_service_default) + if is_service_default($system_scope_real) { + $project_name_real = pick($project_name, 'services') + $project_domain_name_real = pick($project_domain_name, 'Default') + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } $auth_type_real = pick($auth_type, 'password') $auth_url_real = pick($auth_url, 'http://127.0.0.1:5000/') - $project_name_real = pick($project_name, 'services') - $project_domain_name_real = pick($project_domain_name, 'Default') $username_real = pick($username, 'cinder') $user_domain_name_real = pick($user_domain_name, 'Default') } @@ -133,6 +146,7 @@ Use the nova::cinder::os_region_name parameter') 'cinder/timeout': value => $timeout; 'cinder/project_name': value => $project_name_real; 'cinder/project_domain_name': value => $project_domain_name_real; + 'cinder/system_scope': value => $system_scope_real; 'cinder/username': value => $username_real; 'cinder/user_domain_name': value => $user_domain_name_real; 'cinder/os_region_name': value => $os_region_name_real; diff --git a/manifests/ironic/common.pp b/manifests/ironic/common.pp index 8c5c280f0..248a63847 100644 --- a/manifests/ironic/common.pp +++ b/manifests/ironic/common.pp 
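Review bot: The two branches of `if is_service_default($password)` treat scope differently. In the first branch `$project_name_real` and `$system_scope_real` are both taken from the caller, so nova.conf can end up with a project scope and `cinder/system_scope` at once; only the `else` branch makes them exclusive. In that `else` branch an explicitly passed `$project_name` or `$project_domain_name` is discarded without any message once `system_scope` is set, so a caller who supplies both gets a system-scoped (deployment-wide) credential instead of the project-scoped one they named. I would compute `$system_scope_real` once before the conditional and reject the combination, e.g. `if !is_service_default($system_scope_real) and ($project_name or $project_domain_name) { fail('system_scope cannot be combined with project_name or project_domain_name') }`. The same silent override is added in ironic/common.pp, metadata/novajoin/api.pp and vendordata.pp, where the project parameters have non-undef defaults and the override can only be documented or warned about.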
@@ -12,6 +12,10 @@ # The Ironic Keystone project name. # Defaults to 'services' # +# [*system_scope*] +# (optional) Scope for system operations. +# Defaults to $::os_service_default +# # [*password*] # The admin password for Ironic to connect to Nova. # Defaults to 'ironic' @@ -59,6 +63,7 @@ class nova::ironic::common ( $auth_url = 'http://127.0.0.1:5000/', $password = 'ironic', $project_name = 'services', + $system_scope = $::os_service_default, $username = 'admin', $endpoint_override = $::os_service_default, $region_name = $::os_service_default, @@ -73,18 +78,27 @@ class nova::ironic::common ( include nova::deps + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + nova_config { 'ironic/auth_plugin': value => $auth_plugin; 'ironic/username': value => $username; 'ironic/password': value => $password, secret => true; 'ironic/auth_url': value => $auth_url; - 'ironic/project_name': value => $project_name; + 'ironic/project_name': value => $project_name_real; + 'ironic/system_scope': value => $system_scope; 'ironic/endpoint_override': value => $endpoint_override; 'ironic/region_name': value => $region_name; 'ironic/api_max_retries': value => $api_max_retries; 'ironic/api_retry_interval': value => $api_retry_interval; 'ironic/user_domain_name': value => $user_domain_name; - 'ironic/project_domain_name': value => $project_domain_name; + 'ironic/project_domain_name': value => $project_domain_name_real; 'ironic/service_type': value => $service_type; 'ironic/valid_interfaces': value => join(any2array($valid_interfaces), ','); 'ironic/timeout': value => $timeout; diff --git a/manifests/metadata/novajoin/api.pp b/manifests/metadata/novajoin/api.pp index 8e91787fc..cbcb05f07 100644 --- a/manifests/metadata/novajoin/api.pp +++ b/manifests/metadata/novajoin/api.pp 
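Review bot: `$system_scope` is written to `ironic/system_scope` with no check on its value, while the block added before `nova_config` blanks `project_name` and `project_domain_name` for any non-default value. As far as I know keystoneauth recognises only the literal `all` as a system scope, so a mistyped value would probably leave the credential with neither a project nor a system scope; this should be confirmed against the keystoneauth version in use. A guard such as `if !is_service_default($system_scope) and $system_scope != 'all' { fail("system_scope must be 'all'") }` makes that fail at catalog compile time rather than at token request time. The same applies to the `system_scope` parameters added to nova::cinder, nova::metadata::novajoin::api and nova::vendordata; the class body continues outside this hunk.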
@@ -92,6 +92,10 @@ # (optional) Project name (for novajoin auth). # Defaults to 'services' # +# [*system_scope*] +# (optional) Scope for system operations. +# Defaults to $::os_service_default +# # [*configure_kerberos*] # (optional) Whether or not to create a kerberos configuration file. # Defaults to false @@ -124,6 +128,7 @@ class nova::metadata::novajoin::api ( $username = 'novajoin', $project_domain_name = 'Default', $project_name = 'services', + $system_scope = $::os_service_default, $configure_kerberos = false, $ipa_realm = undef, ) { @@ -139,6 +144,14 @@ class nova::metadata::novajoin::api ( fail('password is missing') } + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + if $nova::params::novajoin_package_name == undef { fail("Unsupported osfamily: ${::osfamily} operatingsystem") } @@ -206,8 +219,9 @@ class nova::metadata::novajoin::api ( 'service_credentials/password': value => $password; 'service_credentials/username': value => $username; 'service_credentials/user_domain_name': value => $user_domain_name; - 'service_credentials/project_name': value => $project_name; - 'service_credentials/project_domain_name': value => $project_domain_name; + 'service_credentials/project_name': value => $project_name_real; + 'service_credentials/project_domain_name': value => $project_domain_name_real; + 'service_credentials/system_scope': value => $system_scope; } if $manage_service { diff --git a/manifests/vendordata.pp b/manifests/vendordata.pp index 459642d61..37791e60e 100644 --- a/manifests/vendordata.pp +++ b/manifests/vendordata.pp 
@@ -62,6 +62,10 @@ # (optional) Project name for the vendordata dynamic plugin credentials. # Defaults to $::os_service_default # +# [*vendordata_dynamic_auth_system_scope*] +# (optional) Scope for system operations. +# Defaults to $::os_service_default +# # [*vendordata_dynamic_auth_user_domain_name*] # (optional) User domain name for the vendordata dynamic plugin credentials. # Defaults to 'Default' @@ -83,6 +87,7 @@ class nova::vendordata( $vendordata_dynamic_auth_password = $::os_service_default, $vendordata_dynamic_auth_project_domain_name = 'Default', $vendordata_dynamic_auth_project_name = $::os_service_default, + $vendordata_dynamic_auth_system_scope = $::os_service_default, $vendordata_dynamic_auth_user_domain_name = 'Default', $vendordata_dynamic_auth_username = $::os_service_default, ) inherits nova::params { @@ -102,6 +107,14 @@ class nova::vendordata( $vendordata_dynamic_targets_real = $::os_service_default } + if is_service_default($vendordata_dynamic_auth_system_scope) { + $vendordata_dynamic_auth_project_name_real = $vendordata_dynamic_auth_project_name + $vendordata_dynamic_auth_project_domain_name_real = $vendordata_dynamic_auth_project_domain_name + } else { + $vendordata_dynamic_auth_project_name_real = $::os_service_default + $vendordata_dynamic_auth_project_domain_name_real = $::os_service_default + } + nova_config { 'api/vendordata_jsonfile_path': value => $vendordata_jsonfile_path; 'api/vendordata_providers': value => $vendordata_providers_real; 
@@ -113,8 +126,9 @@ class nova::vendordata(
 'vendordata_dynamic_auth/auth_url': value => $vendordata_dynamic_auth_auth_url;
 'vendordata_dynamic_auth/os_region_name': value => $vendordata_dynamic_auth_os_region_name;
 'vendordata_dynamic_auth/password': value => $vendordata_dynamic_auth_password, secret => true;
- 'vendordata_dynamic_auth/project_domain_name': value => $vendordata_dynamic_auth_project_domain_name;
- 'vendordata_dynamic_auth/project_name': value => $vendordata_dynamic_auth_project_name;
+ 'vendordata_dynamic_auth/project_domain_name': value => $vendordata_dynamic_auth_project_domain_name_real;
+ 'vendordata_dynamic_auth/project_name': value => $vendordata_dynamic_auth_project_name_real;
+ 'vendordata_dynamic_auth/system_scope': value => $vendordata_dynamic_auth_system_scope;
 'vendordata_dynamic_auth/user_domain_name': value => $vendordata_dynamic_auth_user_domain_name;
 'vendordata_dynamic_auth/username': value => $vendordata_dynamic_auth_username;
 }
diff --git a/releasenotes/notes/system_scope-all-3d705c45620c2959.yaml b/releasenotes/notes/system_scope-all-3d705c45620c2959.yaml
new file mode 100644
index 000000000..cb45e9e6f
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-3d705c45620c2959.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ The new ``system_scope`` parameter has been added to the following classes.
+
+ - ``nova::cinder``
+ - ``nova::ironic::common``
+ - ``nova::metadata::novajoin::api``
+
+ - |
+ The new ``nova::vendordata::vendordata_dynamic_auth_system_scope``
+ parameter has been added.
diff --git a/spec/classes/nova_cinder_spec.rb b/spec/classes/nova_cinder_spec.rb
index f38a082d0..6179674f5 100644
--- a/spec/classes/nova_cinder_spec.rb
+++ b/spec/classes/nova_cinder_spec.rb
@@ -11,6 +11,7 @@ describe 'nova::cinder' do should contain_nova_config('cinder/timeout').with_value('') should contain_nova_config('cinder/project_name').with_value('') should contain_nova_config('cinder/project_domain_name').with_value('') + should contain_nova_config('cinder/system_scope').with_value('') should contain_nova_config('cinder/username').with_value('') should contain_nova_config('cinder/user_domain_name').with_value('') should contain_nova_config('cinder/os_region_name').with_value('') @@ -35,6 +36,7 @@ describe 'nova::cinder' do should contain_nova_config('cinder/timeout').with_value('') should contain_nova_config('cinder/project_name').with_value('services') should contain_nova_config('cinder/project_domain_name').with_value('Default') + should contain_nova_config('cinder/system_scope').with_value('') should contain_nova_config('cinder/username').with_value('cinder') should contain_nova_config('cinder/user_domain_name').with_value('Default') should contain_nova_config('cinder/os_region_name').with_value('') @@ -45,6 +47,7 @@ describe 'nova::cinder' do end end + context 'when specified parameters' do let :params do { @@ -67,6 +70,7 @@ describe 'nova::cinder' do should contain_nova_config('cinder/timeout').with_value('60') should contain_nova_config('cinder/project_name').with_value('services') should contain_nova_config('cinder/project_domain_name').with_value('Default') + should contain_nova_config('cinder/system_scope').with_value('') should contain_nova_config('cinder/username').with_value('cinder') should contain_nova_config('cinder/user_domain_name').with_value('Default') should contain_nova_config('cinder/os_region_name').with_value('RegionOne') 
@@ -75,7 +79,20 @@ describe 'nova::cinder' do should contain_nova_config('cinder/cross_az_attach').with_value(true) should contain_nova_config('cinder/debug').with_value(true) end + end + context 'when system_scope is set' do + let :params do + { + :password => 's3cr3t', + :system_scope => 'all' + } + end + it 'configures system-scoped credential' do + is_expected.to contain_nova_config('cinder/project_domain_name').with_value('') + is_expected.to contain_nova_config('cinder/project_name').with_value('') + is_expected.to contain_nova_config('cinder/system_scope').with_value('all') + end end end diff --git a/spec/classes/nova_ironic_common_spec.rb b/spec/classes/nova_ironic_common_spec.rb index 02e3cb6df..1b6c82aa4 100644 --- a/spec/classes/nova_ironic_common_spec.rb +++ b/spec/classes/nova_ironic_common_spec.rb @@ -11,10 +11,11 @@ describe 'nova::ironic::common' do is_expected.to contain_nova_config('ironic/password').with_value('ironic').with_secret(true) is_expected.to contain_nova_config('ironic/auth_url').with_value('http://127.0.0.1:5000/') is_expected.to contain_nova_config('ironic/project_name').with_value('services') + is_expected.to contain_nova_config('ironic/system_scope').with_value('') is_expected.to contain_nova_config('ironic/endpoint_override').with_value('') is_expected.to contain_nova_config('ironic/region_name').with_value('') - is_expected.to contain_nova_config('ironic/api_max_retries').with('value' => '') - is_expected.to contain_nova_config('ironic/api_retry_interval').with('value' => '') + is_expected.to contain_nova_config('ironic/api_max_retries').with_value('') + is_expected.to contain_nova_config('ironic/api_retry_interval').with_value('') is_expected.to contain_nova_config('ironic/user_domain_name').with_value('Default') is_expected.to contain_nova_config('ironic/project_domain_name').with_value('Default') is_expected.to contain_nova_config('ironic/service_type').with_value('') 
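Review bot: The new `when system_scope is set` context covers only one of the paths that manifests/cinder.pp now has: `:password` set and no project parameters. Two cases are missing. One is `:system_scope => 'all'` without `:password`, where the manifest takes the other branch and does not blank the project options. The other is `:system_scope` combined with an explicit `:project_name`, which is the case where a caller's value is overridden. Adding `:project_name => 'services'` to a second params hash, and asserting what `cinder/project_name` is expected to hold, would pin the behaviour for the credential scope either way.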
@@ -48,17 +49,31 @@ describe 'nova::ironic::common' do is_expected.to contain_nova_config('ironic/password').with_value('s3cr3t').with_secret(true) is_expected.to contain_nova_config('ironic/auth_url').with_value('http://10.0.0.10:5000/') is_expected.to contain_nova_config('ironic/project_name').with_value('services2') + is_expected.to contain_nova_config('ironic/system_scope').with_value('') is_expected.to contain_nova_config('ironic/endpoint_override').with_value('http://10.0.0.10:6385/v1') is_expected.to contain_nova_config('ironic/region_name').with_value('regionTwo') - is_expected.to contain_nova_config('ironic/api_max_retries').with('value' => '60') - is_expected.to contain_nova_config('ironic/api_retry_interval').with('value' => '2') - is_expected.to contain_nova_config('ironic/user_domain_name').with('value' => 'custom_domain') - is_expected.to contain_nova_config('ironic/project_domain_name').with('value' => 'custom_domain') + is_expected.to contain_nova_config('ironic/api_max_retries').with_value('60') + is_expected.to contain_nova_config('ironic/api_retry_interval').with_value('2') + is_expected.to contain_nova_config('ironic/user_domain_name').with_value('custom_domain') + is_expected.to contain_nova_config('ironic/project_domain_name').with_value('custom_domain') is_expected.to contain_nova_config('ironic/service_type').with_value('baremetal') is_expected.to contain_nova_config('ironic/timeout').with_value(30) is_expected.to contain_nova_config('ironic/valid_interfaces').with_value('internal') end end + + context 'when system_scope is set' do + let :params do + { + :system_scope => 'all' + } + end + it 'configures system-scoped credential' do + is_expected.to contain_nova_config('ironic/project_domain_name').with_value('') + is_expected.to contain_nova_config('ironic/project_name').with_value('') + is_expected.to contain_nova_config('ironic/system_scope').with_value('all') + end + end end on_supported_os({ 
diff --git a/spec/classes/nova_metadata_novajoin_api_spec.rb b/spec/classes/nova_metadata_novajoin_api_spec.rb
index 92a1e2b49..1bc8a90b1 100644
--- a/spec/classes/nova_metadata_novajoin_api_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_api_spec.rb
@@ -106,7 +106,7 @@ describe 'nova::metadata::novajoin::api' do
 should contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
 should contain_novajoin_config('service_credentials/password').with_value(param_hash[:password])
 should contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
- should_not contain_novajoin_config('service_credentials/user_domain_id')
+ should contain_novajoin_config('service_credentials/system_scope').with_value('')
 should contain_novajoin_config('service_credentials/user_domain_name').with_value(param_hash[:user_domain_name])
 should contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
 should contain_novajoin_config('service_credentials/username').with_value(param_hash[:username])
diff --git a/spec/classes/nova_vendordata_spec.rb b/spec/classes/nova_vendordata_spec.rb
index 96f183715..fe09e8ed4 100644
--- a/spec/classes/nova_vendordata_spec.rb
+++ b/spec/classes/nova_vendordata_spec.rb
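Review bot: No example in this spec sets `:system_scope`, so the new `else` branch in manifests/metadata/novajoin/api.pp that blanks `service_credentials/project_name` and `service_credentials/project_domain_name` is untested. The cinder, ironic and vendordata specs each gained a `when system_scope is set` context for that branch. The hunk also replaces `should_not contain_novajoin_config('service_credentials/user_domain_id')` instead of adding next to it, which removes the only check that the domain-id option stays unmanaged. I would keep that line unless the removal is intended and explained in the commit message. The enclosing `it` block starts and ends outside the hunk.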
@@ -14,20 +14,21 @@ describe 'nova::vendordata' do context 'with default parameters' do it 'configures various stuff' do - is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with('value' => '') - is_expected.to contain_nova_config('api/vendordata_providers').with('value' => '') - is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with('value' => '') - is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with('value' => '') - is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with('value' => '') - is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with('value' => '') - is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with('value' => '') - is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with('value' => '') - is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with('value' => '') - is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with('value' => '') - is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with('value' => 'Default') - is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with('value' => '') - is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with('value' => 'Default') - is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with('value' => '') + is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with_value('') + is_expected.to contain_nova_config('api/vendordata_providers').with_value('') + is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with_value('') + is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with_value('') + is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with_value('') + is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with_value('') + 
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with_value('Default') + is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/system_scope').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with_value('Default') + is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with_value('') end end 
@@ -52,20 +53,35 @@ describe 'nova::vendordata' do end it 'configures various stuff' do - is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with('value' => '/tmp') - is_expected.to contain_nova_config('api/vendordata_providers').with('value' => 'StaticJSON,DynamicJSON') - is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with('value' => 'join@http://127.0.0.1:9999/v1/') - is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with('value' => '30') - is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with('value' => '30') - is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with('value' => false) - is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with('value' => 'password') - is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with('value' => 'http://127.0.0.1:5000') - is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with('value' => 'RegionOne') - is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with('value' => 'secrete').with_secret(true) - is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with('value' => 'Default') - is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with('value' => 'project') - is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with('value' => 'Default') - is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with('value' => 'user') + is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with_value('/tmp') + is_expected.to contain_nova_config('api/vendordata_providers').with_value('StaticJSON,DynamicJSON') + is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with_value('join@http://127.0.0.1:9999/v1/') + is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with_value('30') + is_expected.to 
contain_nova_config('api/vendordata_dynamic_read_timeout').with_value('30') + is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with_value(false) + is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with_value('password') + is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with_value('http://127.0.0.1:5000') + is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with_value('RegionOne') + is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with_value('secrete').with_secret(true) + is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with_value('Default') + is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with_value('project') + is_expected.to contain_nova_config('vendordata_dynamic_auth/system_scope').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with_value('Default') + is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with_value('user') + end + end + + context 'when system_scope is set' do + before do + params.merge!({ + :vendordata_dynamic_auth_project_name => 'services', + :vendordata_dynamic_auth_system_scope => 'all' + }) + end + it 'configures system-scoped credential' do + is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with_value('') + is_expected.to contain_nova_config('vendordata_dynamic_auth/system_scope').with_value('all') end end end