Merge "Add nova::compute::libvirt::secret_ceph resource"

2024-04-25 15:20:36 +00:00 · 2024-04-25 15:20:36 +00:00 · 96acc50a11
parent 7040f189ef a7498d6dbc
commit 96acc50a11
6 changed files with 225 additions and 31 deletions
--- a/manifests/compute/libvirt/secret_ceph.pp
+++ b/manifests/compute/libvirt/secret_ceph.pp
@ -0,0 +1,85 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Define: nova::compute::libvirt::secret_ceph
+#
+# Configure a libvirt secret with ceph type.
+#
+# === Parameters
+#
+# [*uuid*]
+# (Required) The UUID of the libvirt secret.
+#
+# [*value*]
+# (Required) The value to store in the secret.
+#
+# [*secret_name*]
+# (Optional) The name of the libvirt secret.
+# Defaults to $name
+#
+# [*secret_path*]
+# (Optional) Directory to store files related to secrets.
+# Defaults to /etc/nova
+#
+define nova::compute::libvirt::secret_ceph(
+  String $uuid,
+  String $value,
+  String[1] $secret_name            = $name,
+  Stdlib::Absolutepath $secret_path = '/etc/nova',
+) {
+
+  $xml_file = "${secret_path}/libvirt-secret-${uuid}.xml"
+  file { $xml_file:
+    ensure  => 'present',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => epp('nova/libvirt-secret-ceph.xml.epp', {
+      'secret_name' => $secret_name,
+      'uuid'        => $uuid,
+    }),
+    require => Anchor['nova::config::begin'],
+  }
+
+  $secret_file = "${secret_path}/libvirt-secret-${uuid}.secret"
+  file { $secret_file:
+    ensure    => 'present',
+    owner     => 'root',
+    group     => 'root',
+    mode      => '0600',
+    content   => $value,
+    show_diff => false,
+    require   => Anchor['nova::config::begin'],
+  }
+
+  exec { "get-or-set virsh secret ${uuid}":
+    command => [
+      '/usr/bin/virsh', 'secret-define', '--file', $xml_file,
+    ],
+    unless  => "/usr/bin/virsh secret-list | grep -i ${uuid}",
+    require => File[$xml_file],
+  }
+  Service<| tag == 'libvirt-service' |> -> Exec["get-or-set virsh secret ${uuid}"]
+
+  exec { "set-secret-value virsh secret ${uuid}":
+    command   => [
+      '/usr/bin/virsh', 'secret-set-value', '--secret', $uuid,
+      '--file', $secret_file,
+    ],
+    unless    => "/usr/bin/virsh secret-get-value ${uuid} | grep -f ${secret_file}",
+    logoutput => false,
+    require   => [
+      File[$secret_file],
+      Exec["get-or-set virsh secret ${uuid}"],
+    ],
+  }
+}
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@ -84,6 +84,10 @@
 #   only in Ubuntu/Debian.
 #   Defaults to 'present'
 #
+# [*manage_libvirt_secret*]
+#   (optional) Manage the libvirt secret
+#   Defaults to true
+#
 class nova::compute::rbd (
  $libvirt_rbd_user,
  $libvirt_rbd_secret_uuid                      = false,
@ -98,6 +102,7 @@ class nova::compute::rbd (
  Boolean $manage_ceph_client                   = true,
  $ceph_client_ensure                           = 'present',
  $package_ensure                               = 'present',
+  Boolean $manage_libvirt_secret                = true,
 ) {

  include nova::deps
@ -128,33 +133,38 @@ class nova::compute::rbd (
      'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid;
    }

-    file { '/etc/nova/secret.xml':
-      content => template('nova/secret.xml-compute.erb'),
-      require => Anchor['nova::config::begin'],
-    }
+    if $manage_libvirt_secret {
+      file { '/etc/nova/secret.xml':
+        content => epp('nova/libvirt-secret-ceph.xml.epp', {
+          'secret_name' => "${rbd_keyring} secret",
+          'uuid'        => $libvirt_rbd_secret_uuid,
+        }),
+        require => Anchor['nova::config::begin'],
+      }

-    #Variable name shrunk in favor of removing
-    #the more than 140 chars puppet-lint warning.
-    #variable used in the get-or-set virsh secret
-    #resource.
-    $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
-    exec { 'get-or-set virsh secret':
-      command => $cm,
-      unless  => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
-      require => File['/etc/nova/secret.xml'],
-    }
-    Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']
+      #Variable name shrunk in favor of removing
+      #the more than 140 chars puppet-lint warning.
+      #variable used in the get-or-set virsh secret
+      #resource.
+      $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
+      exec { 'get-or-set virsh secret':
+        command => $cm,
+        unless  => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
+        require => File['/etc/nova/secret.xml'],
+      }
+      Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']

-    if $libvirt_rbd_secret_key {
-      $libvirt_key = $libvirt_rbd_secret_key
-    } else {
-      $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
-    }
-    exec { 'set-secret-value virsh':
-      command   => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
-      unless    => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
-      logoutput => false,
-      require   => Exec['get-or-set virsh secret'],
+      if $libvirt_rbd_secret_key {
+        $libvirt_key = $libvirt_rbd_secret_key
+      } else {
+        $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
+      }
+      exec { 'set-secret-value virsh':
+        command   => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
+        unless    => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
+        logoutput => false,
+        require   => Exec['get-or-set virsh secret'],
+      }
    }
  } else {
    nova_config {
--- a/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml
+++ b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added new ``nova::compute::libvirt::secret_ceph`` resource definition that
+    can be used to create a libvirt secret of type ceph.
+  - |
+    Added new ``manage_libvirt_secret`` parameter defaulting to true in the
+    ``nova::compute::rbd`` class.
--- a/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
+++ b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
@ -0,0 +1,91 @@
+require 'spec_helper'
+
+describe 'nova::compute::libvirt::secret_ceph' do
+  shared_examples 'nova::compute::libvirt::secret_ceph' do
+    describe 'with required parameters' do
+      let :pre_condition do
+        "include nova"
+      end
+
+      let :params do
+        {
+          :uuid        => '4f515eff-47e4-425c-b24d-9c6adc56401c',
+          :value       => 'AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==',
+          :secret_name => 'client.openstack',
+          :secret_path => '/tmp',
+        }
+      end
+
+      let :title do
+        'random'
+      end
+
+      it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml').with(
+        :ensure  => 'present',
+        :owner   => 'root',
+        :group   => 'root',
+        :mode    => '0600',
+        :require => 'Anchor[nova::config::begin]',
+      )}
+
+      it {
+        verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml', [
+          "<secret ephemeral=\'no\' private=\'no\'>",
+          "  <usage type=\'ceph\'>",
+          "    <name>client.openstack</name>",
+          "  </usage>",
+          "  <uuid>4f515eff-47e4-425c-b24d-9c6adc56401c</uuid>",
+          "</secret>"
+        ])
+      }
+
+      it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret').with(
+        :ensure    => 'present',
+        :owner     => 'root',
+        :group     => 'root',
+        :mode      => '0600',
+        :show_diff => false,
+        :require   => 'Anchor[nova::config::begin]',
+      )}
+
+      it {
+        verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret', [
+          "AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==",
+        ])
+      }
+
+      it { is_expected.to contain_exec('get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+        :command => [
+          '/usr/bin/virsh', 'secret-define', '--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml',
+        ],
+        :unless  => "/usr/bin/virsh secret-list | grep -i 4f515eff-47e4-425c-b24d-9c6adc56401c",
+        :require => 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml]',
+      )}
+
+      it { is_expected.to contain_exec('set-secret-value virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+        :command   => [
+          '/usr/bin/virsh', 'secret-set-value', '--secret', '4f515eff-47e4-425c-b24d-9c6adc56401c',
+          '--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret',
+        ],
+        :unless    => "/usr/bin/virsh secret-get-value 4f515eff-47e4-425c-b24d-9c6adc56401c | grep -f /tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret",
+        :logoutput => false,
+        :require   => [
+          'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret]',
+          'Exec[get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c]',
+        ],
+      )}
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like 'nova::compute::libvirt::secret_ceph'
+    end
+  end
+end
--- a/templates/libvirt-secret-ceph.xml.epp
+++ b/templates/libvirt-secret-ceph.xml.epp
@ -0,0 +1,6 @@
+<secret ephemeral='no' private='no'>
+  <usage type='ceph'>
+    <name><%= $secret_name -%></name>
+  </usage>
+  <uuid><%= $uuid -%></uuid>
+</secret>
--- a/templates/secret.xml-compute.erb
+++ b/templates/secret.xml-compute.erb
@ -1,6 +0,0 @@
-<secret ephemeral='no' private='no'>
-  <usage type='ceph'>
-    <name><%= @rbd_keyring %> secret</name>
-  </usage>
-  <uuid><%= @libvirt_rbd_secret_uuid %></uuid>
-</secret>