From 848ac0b5e101850e7c3ad5140ac87e5476603f1b Mon Sep 17 00:00:00 2001 From: Rajesh Tailor Date: Tue, 30 Apr 2019 11:47:12 +0530 Subject: [PATCH] Add cinder credentials in nova conf Added user/project CONF with admin role at cinder group, and when determine context is_admin and without token, do authenticaion with user/project info to call cinder api. When set reclaim_instance_interval > 0, and then delete an instance which booted from volume with `delete_on_termination` set as true. After reclaim_instance_interval time pass, all volumes boot instance with state: attached and in-use, even when attached instances was deleted. This happens because as admin context from `nova.compute.manager._reclaim_queued_deletes` did not have any token info, then call cinder api would be failed. The corresponding nova changes merged in change https://review.opendev.org/#/c/522112/ Related-Bug: #1734025 Change-Id: Ib58c2ca04dfe6d1e1ff849f600a9a24724205078 --- manifests/cinder.pp | 78 +++++++++++++++++++ .../add-cinder-creds-91a50b74c8bdb541.yaml | 12 +++ spec/classes/nova_cinder_spec.rb | 59 ++++++++++++++ 3 files changed, 149 insertions(+) create mode 100644 manifests/cinder.pp create mode 100644 releasenotes/notes/add-cinder-creds-91a50b74c8bdb541.yaml create mode 100644 spec/classes/nova_cinder_spec.rb
diff --git a/manifests/cinder.pp b/manifests/cinder.pp
new file mode 100644
index 000000000..115daa3c1
--- /dev/null
+++ b/manifests/cinder.pp
@@ -0,0 +1,78 @@
+# == Class: nova::cinder
+#
+# Configures Cinder credentials to use by Nova.
+#
+# === Parameters:
+#
+# [*password*]
+# (required) Password for connecting to Cinder services in
+# admin context through the OpenStack Identity service.
+# Defaults to $::os_service_default
+#
+# [*auth_type*]
+# Name of the auth type to load (string value)
+# Defaults to $::os_service_default
+#
+# [*auth_url*]
+# (optional) Points to the OpenStack Identity server IP and port.
+# This is the Identity (keystone) admin API server IP and port value,
+# and not the Identity service API IP and port.
+# Defaults to $::os_service_default
+#
+# [*timeout*]
+# (optional) Timeout value for connecting to cinder in seconds.
+# Defaults to $::os_service_default
+#
+# [*region_name*]
+# (optional) Region name for connecting to cinder in admin context
+# through the OpenStack Identity service.
+# Defaults to $::os_service_default
+#
+# [*project_name*]
+# (optional) Project name for connecting to Cinder services in
+# admin context through the OpenStack Identity service.
+# Defaults to 'services'
+#
+# [*project_domain_name*]
+# (optional) Project Domain name for connecting to Cinder services in
+# admin context through the OpenStack Identity service.
+# Defaults to 'Default'
+#
+# [*username*]
+# (optional) Username for connecting to Cinder services in admin context
+# through the OpenStack Identity service.
+# Defaults to 'cinder'
+#
+# [*user_domain_name*]
+# (optional) User Domain name for connecting to Cinder services in
+# admin context through the OpenStack Identity service.
+# Defaults to 'Default'
+#
+class nova::cinder (
+ $password = $::os_service_default,
+ $auth_type = $::os_service_default,
+ $auth_url = $::os_service_default,
+ $timeout = $::os_service_default,
+ $region_name = $::os_service_default,
+ $project_name = 'services',
+ $project_domain_name = 'Default',
+ $username = 'cinder',
+ $user_domain_name = 'Default',
+
+) {
+
+ include ::nova::deps
+
+ nova_config {
+ 'cinder/password': value => $password, secret => true;
+ 'cinder/auth_type': value => $auth_type;
+ 'cinder/auth_url': value => $auth_url;
+ 'cinder/region_name': value => $region_name;
+ 'cinder/timeout': value => $timeout;
+ 'cinder/project_name': value => $project_name;
+ 'cinder/project_domain_name': value => $project_domain_name;
+ 'cinder/username': value => $username;
+ 'cinder/user_domain_name': value => $user_domain_name;
+
+ }
+}
diff --git a/releasenotes/notes/add-cinder-creds-91a50b74c8bdb541.yaml b/releasenotes/notes/add-cinder-creds-91a50b74c8bdb541.yaml
new file mode 100644
index 000000000..2e3c0fa71
--- /dev/null
+++ b/releasenotes/notes/add-cinder-creds-91a50b74c8bdb541.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+ - |
+ Add cinder credentials in cinder section of nova conf to fix issue
+ when reclaim_instance_interval > 0 and delete instance which booted
+ from volume 'delete_on_termination' set as true. The volume status
+ showing attached and in-use, even after instance deletion, since
+ the admin context didn't have any token info hence call to cinder
+ api failed.
+ In case when context is is_admin and without token,added cinder creds
+ used to do authentication with user/project info to call cinder api.
+ [Bug `1734025 `_]
diff --git a/spec/classes/nova_cinder_spec.rb b/spec/classes/nova_cinder_spec.rb
new file mode 100644
index 000000000..4dde4d4dc
--- /dev/null
+++ b/spec/classes/nova_cinder_spec.rb
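Review bot: `password` is documented as `(required)` but declared as `$password = $::os_service_default`, so the class compiles with no secret while still writing `cinder/username`, `cinder/project_name` and both domain names into the `[cinder]` section. If a half-configured credential set is not intended, drop the default (`$password,`) so a missing secret fails at catalog compilation; otherwise change the doc line to `(optional)`. The commit message says this account carries the admin role, so the header comment should also say that nova.conf will hold an admin-capable password wherever this class is applied. The `auth_url` description could add that an `https://` Identity endpoint is expected, since the password is sent to it.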
@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe 'nova::cinder' do
+
+ shared_examples 'nova::cinder' do
+ context 'with required parameters' do
+
+ it 'configures cinder in nova.conf' do
+ should contain_nova_config('cinder/password').with_value('').with_secret(true)
+ should contain_nova_config('cinder/auth_type').with_value('')
+ should contain_nova_config('cinder/auth_url').with_value('')
+ should contain_nova_config('cinder/timeout').with_value('')
+ should contain_nova_config('cinder/region_name').with_value('')
+ should contain_nova_config('cinder/project_name').with_value('services')
+ should contain_nova_config('cinder/project_domain_name').with_value('Default')
+ should contain_nova_config('cinder/username').with_value('cinder')
+ should contain_nova_config('cinder/user_domain_name').with_value('Default')
+ end
+
+ end
+
+ context 'when specified parameters' do
+ let :params do
+ {
+ :password => 's3cr3t',
+ :auth_type => 'v3password',
+ :auth_url => 'http://10.0.0.10:5000/v3',
+ :timeout => 60,
+ :region_name => 'RegionOne',
+ }
+ end
+
+ it 'configures cinder in nova.conf' do
+ should contain_nova_config('cinder/password').with_value('s3cr3t').with_secret(true)
+ should contain_nova_config('cinder/auth_type').with_value('v3password')
+ should contain_nova_config('cinder/auth_url').with_value('http://10.0.0.10:5000/v3')
+ should contain_nova_config('cinder/timeout').with_value('60')
+ should contain_nova_config('cinder/region_name').with_value('RegionOne')
+ should contain_nova_config('cinder/project_name').with_value('services')
+ should contain_nova_config('cinder/project_domain_name').with_value('Default')
+ should contain_nova_config('cinder/username').with_value('cinder')
+ should contain_nova_config('cinder/user_domain_name').with_value('Default')
+ end
+
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'nova::cinder'
+ end
+ end
+end
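Review bot: The 'when specified parameters' context never overrides `project_name`, `project_domain_name`, `username` or `user_domain_name`, so the spec only ever checks those four keys at their literal defaults and would not catch a parameter wired to the wrong `cinder/...` key. Adding entries such as `:username => 'nova_cinder',` (constructed value) to `params`, with matching `with_value` expectations, would close that gap. The fixture also uses `:auth_url => 'http://10.0.0.10:5000/v3'`; since this URL is where the service password is sent and specs tend to be copied as examples, `'https://10.0.0.10:5000/v3'` in both the param and its expectation would be a safer sample.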