Enable Key Manager service (Barbican) parameter

Allow to use Barbican in Nova with keymgr/api_class parameter.
If Barbican is configured, cryptsetup package will be installed, as it's
required to encrypt volumes on nova-compute nodes.

Change-Id: I380ac4d2a71d71c3ccfcdcaf39d5bcde518b9553

manifests/compute.pp

@@ -104,6 +104,11 @@
 #    for virtual machine processes
 #    Defaults to $::os_service_default
 #
+# [*keymgr_api_class*]
+#   (optional) Key Manager service.
+#   Example of valid value: nova.keymgr.barbican.BarbicanKeyManager
+#   Defaults to $::os_service_default
+#
 # DEPRECATED PARAMETERS
 #
 #  [*default_availability_zone*]
@@ -151,6 +156,7 @@ class nova::compute (
   $config_drive_format                = $::os_service_default,
   $allow_resize_to_same_host          = false,
   $vcpu_pin_set                       = $::os_service_default,
+  $keymgr_api_class                   = $::os_service_default,
   # DEPRECATED PARAMETERS
   $default_availability_zone          = undef,
   $default_schedule_zone              = undef,
@@ -182,6 +188,14 @@ class nova::compute (
     warning('compute_manager is marked as deprecated in Nova but still needed when Ironic is used. It will be removed once Nova removes it.')
   }
 
+  # cryptsetup is required when Barbican is encrypting volumes
+  if $keymgr_api_class =~ /barbican/ {
+    ensure_packages('cryptsetup', {
+      ensure => present,
+      tag    => 'openstack',
+    })
+  }
+
   include ::nova::availability_zone
 
   nova_config {
@@ -190,6 +204,7 @@ class nova::compute (
     'DEFAULT/heal_instance_info_cache_interval': value => $heal_instance_info_cache_interval;
     'DEFAULT/allow_resize_to_same_host':         value => $allow_resize_to_same_host;
     'DEFAULT/vcpu_pin_set':                      value => join(any2array($vcpu_pin_set), ',');
+    'keymgr/api_class':                          value => $keymgr_api_class;
   }
 
   if ($vnc_enabled) {

releasenotes/notes/barbican-356c86ac7a7a327c.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - Allow to configure Key Manager api class parameter to communicate with Barbican.
+    If Barbican is enabled, cryptsetup will be deployed on compute nodes.

spec/classes/nova_compute_spec.rb

@@ -27,7 +27,9 @@ describe 'nova::compute' do
       it { is_expected.to contain_nova_config('DEFAULT/allow_resize_to_same_host').with(:value => 'false') }
       it { is_expected.to contain_nova_config('DEFAULT/vcpu_pin_set').with(:value => '<SERVICE DEFAULT>') }
       it { is_expected.to_not contain_nova_config('vnc/novncproxy_base_url') }
+      it { is_expected.to contain_nova_config('keymgr/api_class').with_value('<SERVICE DEFAULT>') }
 
+      it { is_expected.to_not contain_package('cryptsetup').with( :ensure => 'present' )}
 
       it { is_expected.to_not contain_package('bridge-utils').with(
         :ensure => 'present',
@@ -68,6 +70,7 @@ describe 'nova::compute' do
           :pci_passthrough                    => "[{\"vendor_id\":\"8086\",\"product_id\":\"0126\"},{\"vendor_id\":\"9096\",\"product_id\":\"1520\",\"physical_network\":\"physnet1\"}]",
           :config_drive_format                => 'vfat',
           :vcpu_pin_set                       => ['4-12','^8','15'],
+          :keymgr_api_class                   => 'nova.keymgr.barbican.BarbicanKeyManager',
         }
       end
 
@@ -91,6 +94,11 @@ describe 'nova::compute' do
         is_expected.to contain_nova_config('DEFAULT/compute_manager').with_value('ironic.nova.compute.manager.ClusteredComputeManager')
       end
 
+      it 'configures barbican service' do
+        is_expected.to contain_nova_config('keymgr/api_class').with_value('nova.keymgr.barbican.BarbicanKeyManager')
+        is_expected.to contain_package('cryptsetup').with( :ensure => 'present' )
+      end
+
       it 'configures vnc in nova.conf' do
         is_expected.to contain_nova_config('vnc/enabled').with_value(true)
         is_expected.to contain_nova_config('vnc/vncserver_proxyclient_address').with_value('127.0.0.1')