Merge "Migrate glance/verify_glance_signatures to more common place"

manifests/compute.pp

@@ -197,10 +197,6 @@
 #   Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
 #   Defaults to 'nova.keymgr.conf_key_mgr.ConfKeyManager'.
 #
-# [*verify_glance_signatures*]
-#   (optional) Whether to verify image signatures. (boolean value)
-#   Defaults to $::os_service_default
-#
 # [*reserved_huge_pages*]
 #   (optional) Number of huge memory pages to reserved per NUMA host cell.
 #   Defaults to $::os_service_default
@@ -311,6 +307,10 @@
 #   [ { "vendor_id" => "1234","product_id" => "5678" },
 #     { "vendor_id" => "4321","product_id" => "8765", "physical_network" => "default" } ]
 #
+# [*verify_glance_signatures*]
+#   (optional) Whether to verify image signatures. (boolean value)
+#   Defaults to undef
+#
 class nova::compute (
   $enabled                                     = true,
   $manage_service                              = true,
@@ -351,7 +351,6 @@ class nova::compute (
   $sync_power_state_interval                   = $::os_service_default,
   $consecutive_build_service_disable_threshold = $::os_service_default,
   $keymgr_backend                              = 'nova.keymgr.conf_key_mgr.ConfKeyManager',
-  $verify_glance_signatures                    = $::os_service_default,
   $reserved_huge_pages                         = $::os_service_default,
   $neutron_physnets_numa_nodes_mapping         = {},
   $neutron_tunnel_numa_nodes                   = [],
@@ -372,6 +371,7 @@ class nova::compute (
   $vcpu_pin_set                                = undef,
   $allow_resize_to_same_host                   = undef,
   $pci_passthrough                             = undef,
+  $verify_glance_signatures                    = undef,
 ) {
 
   include nova::deps
@@ -416,6 +416,14 @@ class nova::compute (
 Use the same parameter in nova::api class.')
   }
 
+  if $verify_glance_signatures != undef {
+    # NOTE(tkajinam): If nova::glance is defined first and the deployment doesn't use hieradata
+    #                 it doesn't pick up this value correctly and unset the parameter.
+    #                 However we'd avoid hard failure here and just leave warning.
+    warning('verify_glance_signatures is deprecated. Use the same parameter in nova::glance')
+  }
+  include nova::glance
+
   if empty($vcpu_pin_set) {
     $vcpu_pin_set_real = undef
   } else {
@@ -601,7 +609,6 @@ Use the same parameter in nova::api class.')
 
   nova_config {
     'DEFAULT/config_drive_format':     value => $config_drive_format;
-    'glance/verify_glance_signatures': value => $verify_glance_signatures;
   }
 
 }

manifests/glance.pp

@@ -16,6 +16,10 @@
 #   (optional) Number of retries in glance operation
 #   Defaults to $::os_service_default
 #
+# [*verify_glance_signatures*]
+#   (optional) Whether to verify image signatures. (boolean value)
+#   Defaults to $::os_service_default
+#
 # [*enable_rbd_download*]
 #   (optional) Enable download of Glance images directly via RBD
 #   Defaults to $::os_service_default
@@ -40,29 +44,32 @@
 #   Defaults to $::os_service_default
 #
 class nova::glance (
-  $endpoint_override   = $::os_service_default,
+  $endpoint_override        = $::os_service_default,
-  $valid_interfaces    = $::os_service_default,
+  $valid_interfaces         = $::os_service_default,
-  $num_retries         = $::os_service_default,
+  $num_retries              = $::os_service_default,
-  $enable_rbd_download = $::os_service_default,
+  $verify_glance_signatures = $::os_service_default,
-  $rbd_user            = $::os_service_default,
+  $enable_rbd_download      = $::os_service_default,
-  $rbd_connect_timeout = $::os_service_default,
+  $rbd_user                 = $::os_service_default,
-  $rbd_pool            = $::os_service_default,
+  $rbd_connect_timeout      = $::os_service_default,
-  $rbd_ceph_conf       = $::os_service_default,
+  $rbd_pool                 = $::os_service_default,
+  $rbd_ceph_conf            = $::os_service_default,
 ) {
 
   include nova::deps
 
   $endpoint_override_real = pick($::nova::glance_endpoint_override, $endpoint_override)
   $num_retries_real = pick($::nova::glance_num_retries, $num_retries)
+  $verify_glance_signatures_real = pick($::nova::compute::verify_glance_signatures, $verify_glance_signatures)
 
   nova_config {
-    'glance/endpoint_override':   value => $endpoint_override_real;
+    'glance/endpoint_override':        value => $endpoint_override_real;
-    'glance/valid_interfaces':    value => join(any2array($valid_interfaces), ',');
+    'glance/valid_interfaces':         value => join(any2array($valid_interfaces), ',');
-    'glance/num_retries':         value => $num_retries_real;
+    'glance/num_retries':              value => $num_retries_real;
-    'glance/enable_rbd_download': value => $enable_rbd_download;
+    'glance/verify_glance_signatures': value => $verify_glance_signatures_real;
-    'glance/rbd_user':            value => $rbd_user;
+    'glance/enable_rbd_download':      value => $enable_rbd_download;
-    'glance/rbd_connect_timeout': value => $rbd_connect_timeout;
+    'glance/rbd_user':                 value => $rbd_user;
-    'glance/rbd_pool':            value => $rbd_pool;
+    'glance/rbd_connect_timeout':      value => $rbd_connect_timeout;
-    'glance/rbd_ceph_conf':       value => $rbd_ceph_conf;
+    'glance/rbd_pool':                 value => $rbd_pool;
+    'glance/rbd_ceph_conf':            value => $rbd_ceph_conf;
   }
 }

releasenotes/notes/migrate-verify_glance_signatures-3fbef6e4f0d7f49f.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The ``nova::compute::verify_glance_signatures`` parameter has been
+    deprecated in favor of the new ``nova::glance::verify_glance_signatures``
+    parameter.

spec/classes/nova_compute_spec.rb

@@ -56,7 +56,6 @@ describe 'nova::compute' do
       it { is_expected.to contain_nova_config('DEFAULT/resize_confirm_window').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('DEFAULT/shutdown_timeout').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('DEFAULT/resume_guests_state_on_host_boot').with_value('<SERVICE DEFAULT>') }
-      it { is_expected.to contain_nova_config('glance/verify_glance_signatures').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('DEFAULT/max_concurrent_builds').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('DEFAULT/max_concurrent_live_migrations').with_value('<SERVICE DEFAULT>') }
       it { is_expected.to contain_nova_config('DEFAULT/sync_power_state_pool_size').with_value('<SERVICE DEFAULT>') }
@@ -122,7 +121,6 @@ describe 'nova::compute' do
           :max_concurrent_live_migrations     => '4',
           :sync_power_state_pool_size         => '10',
           :sync_power_state_interval          => '0',
-          :verify_glance_signatures           => true,
           :consecutive_build_service_disable_threshold => '9',
           :live_migration_wait_for_vif_plug   => true,
           :max_disk_devices_to_attach         => 20,
@@ -190,7 +188,6 @@ describe 'nova::compute' do
       it { is_expected.to contain_nova_config('DEFAULT/max_concurrent_live_migrations').with_value('4') }
       it { is_expected.to contain_nova_config('DEFAULT/sync_power_state_pool_size').with_value('10') }
       it { is_expected.to contain_nova_config('DEFAULT/sync_power_state_interval').with_value('0') }
-      it { is_expected.to contain_nova_config('glance/verify_glance_signatures').with_value(true) }
       it { is_expected.to contain_nova_config('compute/consecutive_build_service_disable_threshold').with_value('9') }
       it { is_expected.to contain_nova_config('compute/live_migration_wait_for_vif_plug').with_value(true) }
       it { is_expected.to contain_nova_config('compute/max_disk_devices_to_attach').with_value(20) }

spec/classes/nova_glance_spec.rb

@@ -12,6 +12,7 @@ describe 'nova::glance' do
         is_expected.to contain_nova_config('glance/endpoint_override').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('glance/valid_interfaces').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('glance/num_retries').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('glance/verify_glance_signatures').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('glance/enable_rbd_download').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('glance/rbd_user').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('glance/rbd_connect_timeout').with_value('<SERVICE DEFAULT>')
@@ -23,14 +24,15 @@ describe 'nova::glance' do
     context 'with specific parameters' do
       let :params do
         {
-          :endpoint_override   => 'http://localhost:9292',
+          :endpoint_override        => 'http://localhost:9292',
-          :valid_interfaces    => 'internal',
+          :valid_interfaces         => 'internal',
-          :num_retries         => 3,
+          :num_retries              => 3,
-          :enable_rbd_download => true,
+          :verify_glance_signatures => false,
-          :rbd_user            => 'nova',
+          :enable_rbd_download      => true,
-          :rbd_connect_timeout => 5,
+          :rbd_user                 => 'nova',
-          :rbd_pool            => 'images',
+          :rbd_connect_timeout      => 5,
-          :rbd_ceph_conf       => '/etc/ceph/ceph.conf',
+          :rbd_pool                 => 'images',
+          :rbd_ceph_conf            => '/etc/ceph/ceph.conf',
         }
       end
 
@@ -38,6 +40,7 @@ describe 'nova::glance' do
         is_expected.to contain_nova_config('glance/endpoint_override').with_value('http://localhost:9292')
         is_expected.to contain_nova_config('glance/valid_interfaces').with_value('internal')
         is_expected.to contain_nova_config('glance/num_retries').with_value(3)
+        is_expected.to contain_nova_config('glance/verify_glance_signatures').with_value(false)
         is_expected.to contain_nova_config('glance/enable_rbd_download').with_value(true)
         is_expected.to contain_nova_config('glance/rbd_user').with_value('nova')
         is_expected.to contain_nova_config('glance/rbd_connect_timeout').with_value(5)