From a7498d6dbc76349d76a800f7b2e01f1ae29d6115 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Fri, 19 Apr 2024 10:03:05 +0200 Subject: [PATCH] Add nova::compute::libvirt::secret_ceph resource This adds the nova::compute::libvirt::secret_ceph resource definition that can be used to define libvirt secrets of ceph type. Before this patch one could only handle one libvirt secret by configuring the parameters in the nova::compute::rbd class and with this one can configure multiple. This adds a new manage_libvirt_secret parameter defaulting to true in the nova::compute::rbd class so that one can disable the creation of the libvirt secret from that class. Change-Id: Ief031f5dd4b0648d5629789cb7d6d2f6f946fbf8 --- manifests/compute/libvirt/secret_ceph.pp | 85 +++++++++++++++++ manifests/compute/rbd.pp | 60 +++++++----- .../libvirt-secret-ceph-b4b11706463f13c6.yaml | 8 ++ .../nova_compute_libvirt_secret_ceph_spec.rb | 91 +++++++++++++++++++ templates/libvirt-secret-ceph.xml.epp | 6 ++ templates/secret.xml-compute.erb | 6 -- 6 files changed, 225 insertions(+), 31 deletions(-) create mode 100644 manifests/compute/libvirt/secret_ceph.pp create mode 100644 releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml create mode 100644 spec/defines/nova_compute_libvirt_secret_ceph_spec.rb create mode 100644 templates/libvirt-secret-ceph.xml.epp delete mode 100644 templates/secret.xml-compute.erb
diff --git a/manifests/compute/libvirt/secret_ceph.pp b/manifests/compute/libvirt/secret_ceph.pp
new file mode 100644
index 000000000..039bb24d9
--- /dev/null
+++ b/manifests/compute/libvirt/secret_ceph.pp
@@ -0,0 +1,85 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Define: nova::compute::libvirt::secret_ceph
+#
+# Configure a libvirt secret with ceph type.
+#
+# === Parameters
+#
+# [*uuid*]
+# (Required) The UUID of the libvirt secret.
+#
+# [*value*]
+# (Required) The value to store in the secret.
+#
+# [*secret_name*]
+# (Optional) The name of the libvirt secret.
+# Defaults to $name
+#
+# [*secret_path*]
+# (Optional) Directory to store files related to secrets.
+# Defaults to /etc/nova
+#
+define nova::compute::libvirt::secret_ceph(
+ String $uuid,
+ String $value,
+ String[1] $secret_name = $name,
+ Stdlib::Absolutepath $secret_path = '/etc/nova',
+) {
+
+ $xml_file = "${secret_path}/libvirt-secret-${uuid}.xml"
+ file { $xml_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => epp('nova/libvirt-secret-ceph.xml.epp', {
+ 'secret_name' => $secret_name,
+ 'uuid' => $uuid,
+ }),
+ require => Anchor['nova::config::begin'],
+ }
+
+ $secret_file = "${secret_path}/libvirt-secret-${uuid}.secret"
+ file { $secret_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $value,
+ show_diff => false,
+ require => Anchor['nova::config::begin'],
+ }
+
+ exec { "get-or-set virsh secret ${uuid}":
+ command => [
+ '/usr/bin/virsh', 'secret-define', '--file', $xml_file,
+ ],
+ unless => "/usr/bin/virsh secret-list | grep -i ${uuid}",
+ require => File[$xml_file],
+ }
+ Service<| tag == 
'libvirt-service' |> -> Exec["get-or-set virsh secret ${uuid}"]
+
+ exec { "set-secret-value virsh secret ${uuid}":
+ command => [
+ '/usr/bin/virsh', 'secret-set-value', '--secret', $uuid,
+ '--file', $secret_file,
+ ],
+ unless => "/usr/bin/virsh secret-get-value ${uuid} | grep -f ${secret_file}",
+ logoutput => false,
+ require => [
+ File[$secret_file],
+ Exec["get-or-set virsh secret ${uuid}"],
+ ],
+ }
+}
diff --git a/manifests/compute/rbd.pp b/manifests/compute/rbd.pp
index db173bc4c..96ec86bee 100644
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@@ -84,6 +84,10 @@ # only in Ubuntu/Debian. # Defaults to 'present' #
+# [*manage_libvirt_secret*]
+# (optional) Manage the libvirt secret
+# Defaults to true
+#
 class nova::compute::rbd ( $libvirt_rbd_user, $libvirt_rbd_secret_uuid = false,
@@ -98,6 +102,7 @@ class nova::compute::rbd ( Boolean $manage_ceph_client = true, $ceph_client_ensure = 'present', $package_ensure = 'present',
+ Boolean $manage_libvirt_secret = true,
 ) { include nova::deps 
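Review bot: `String $uuid` and `String $value` both accept the empty string, and an empty `$value` makes the `unless` of `set-secret-value virsh secret ${uuid}` always succeed, because `grep -f` with an empty pattern file matches every line, so the secret value is silently never set; `String[1]` for both rejects that case at catalog compile time. The same `unless` treats each line of the secret file as a regular expression rather than a literal, so `grep -F -f` would compare the stored value literally. Both execs also interpolate `$uuid` into a shell string and into the file paths, so a `Pattern[...]` type limiting it to hex digits and hyphens would be safer than a bare String. Proposed lines: `String[1] $uuid,`, `String[1] $value,` and `unless => "/usr/bin/virsh secret-get-value ${uuid} | grep -qF -f ${secret_file}",`. This hunk starts on the previous line.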
@@ -128,33 +133,38 @@ class nova::compute::rbd ( 'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid; } - file { '/etc/nova/secret.xml': - content => template('nova/secret.xml-compute.erb'), - require => Anchor['nova::config::begin'], - } + if $manage_libvirt_secret { + file { '/etc/nova/secret.xml': + content => epp('nova/libvirt-secret-ceph.xml.epp', { + 'secret_name' => "${rbd_keyring} secret", + 'uuid' => $libvirt_rbd_secret_uuid, + }), + require => Anchor['nova::config::begin'], + } - #Variable name shrunk in favor of removing - #the more than 140 chars puppet-lint warning. - #variable used in the get-or-set virsh secret - #resource. - $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret' - exec { 'get-or-set virsh secret': - command => $cm, - unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}", - require => File['/etc/nova/secret.xml'], - } - Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret'] + #Variable name shrunk in favor of removing + #the more than 140 chars puppet-lint warning. + #variable used in the get-or-set virsh secret + #resource. 
+ $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret' + exec { 'get-or-set virsh secret': + command => $cm, + unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}", + require => File['/etc/nova/secret.xml'], + } + Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret'] - if $libvirt_rbd_secret_key { - $libvirt_key = $libvirt_rbd_secret_key - } else { - $libvirt_key = "$(ceph auth get-key ${rbd_keyring})" - } - exec { 'set-secret-value virsh': - command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}", - unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}", - logoutput => false, - require => Exec['get-or-set virsh secret'], + if $libvirt_rbd_secret_key { + $libvirt_key = $libvirt_rbd_secret_key + } else { + $libvirt_key = "$(ceph auth get-key ${rbd_keyring})" + } + exec { 'set-secret-value virsh': + command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}", + unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}", + logoutput => false, + require => Exec['get-or-set virsh secret'], + } } } else { nova_config { diff --git a/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml new file mode 100644 index 000000000..2e7fd1c9f --- /dev/null +++ b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Added new ``nova::compute::libvirt::secret_ceph`` resource definition that + can be used to create a libvirt secret of type ceph. + - | + Added new ``manage_libvirt_secret`` parameter defaulting to true in the + ``nova::compute::rbd`` class. 
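Review bot: Inside the new `if $manage_libvirt_secret` branch the key is still passed on the command line as `--base64 ${libvirt_key}` and again in the `unless` as `grep ${libvirt_key}`, so it is visible in the process list to any local user while either command runs, whereas the `nova::compute::libvirt::secret_ceph` define added by this change writes the value to a 0600 file and uses `--file`. When `$libvirt_rbd_secret_key` is set, this branch could declare that define instead of duplicating the two execs; the `$(ceph auth get-key ${rbd_keyring})` fallback is shell substitution and cannot be passed as the define's literal `$value`, so that path would still need its own exec. The `$cm` pipeline into `/etc/nova/virsh.secret` and the `secret-list | grep -i` check are carried over unchanged, so once the uuid is listed the XML is never redefined even if `$rbd_keyring` changes. The enclosing `if`/`else` of the class starts and ends outside the hunk.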
diff --git a/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
new file mode 100644
index 000000000..d3873f71a
--- /dev/null
+++ b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+describe 'nova::compute::libvirt::secret_ceph' do
+ shared_examples 'nova::compute::libvirt::secret_ceph' do
+ describe 'with required parameters' do
+ let :pre_condition do
+ "include nova"
+ end
+
+ let :params do
+ {
+ :uuid => '4f515eff-47e4-425c-b24d-9c6adc56401c',
+ :value => 'AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==',
+ :secret_name => 'client.openstack',
+ :secret_path => '/tmp',
+ }
+ end
+
+ let :title do
+ 'random'
+ end
+
+ it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml').with(
+ :ensure => 'present',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :require => 'Anchor[nova::config::begin]',
+ )}
+
+ it {
+ verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml', [
+ "",
+ " ",
+ " client.openstack",
+ " ",
+ " 4f515eff-47e4-425c-b24d-9c6adc56401c",
+ ""
+ ])
+ }
+
+ it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret').with(
+ :ensure => 'present',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :show_diff => false,
+ :require => 'Anchor[nova::config::begin]',
+ )}
+
+ it {
+ verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret', [
+ "AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==",
+ ])
+ }
+
+ it { is_expected.to contain_exec('get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+ :command => [
+ '/usr/bin/virsh', 'secret-define', '--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml',
+ ],
+ :unless => "/usr/bin/virsh secret-list | grep -i 4f515eff-47e4-425c-b24d-9c6adc56401c",
+ :require => 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml]',
+ )}
+
+ it { is_expected.to contain_exec('set-secret-value virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+ :command => [
+ '/usr/bin/virsh', 'secret-set-value', '--secret', '4f515eff-47e4-425c-b24d-9c6adc56401c',
+ 
'--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret',
+ ],
+ :unless => "/usr/bin/virsh secret-get-value 4f515eff-47e4-425c-b24d-9c6adc56401c | grep -f /tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret",
+ :logoutput => false,
+ :require => [
+ 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret]',
+ 'Exec[get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c]',
+ ],
+ )}
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'nova::compute::libvirt::secret_ceph'
+ end
+ end
+end
diff --git a/templates/libvirt-secret-ceph.xml.epp b/templates/libvirt-secret-ceph.xml.epp
new file mode 100644
index 000000000..fa9f9bc0e
--- /dev/null
+++ b/templates/libvirt-secret-ceph.xml.epp
@@ -0,0 +1,6 @@
+
+
+ <%= $secret_name -%>
+
+ <%= $uuid -%>
+
diff --git a/templates/secret.xml-compute.erb b/templates/secret.xml-compute.erb
deleted file mode 100644
index c772552b3..000000000
--- a/templates/secret.xml-compute.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
- <%= @rbd_keyring %> secret
-
- <%= @libvirt_rbd_secret_uuid %>
-
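Review bot: The spec only exercises the define with every parameter supplied, so the defaults `secret_name = $name` and `secret_path = '/etc/nova'` declared in manifests/compute/libvirt/secret_ceph.pp are never checked; a second `describe 'with default parameters'` context passing only `:uuid` and `:value` would pin the `/etc/nova/libvirt-secret-<uuid>` paths and that the title `random` ends up as the secret name. The `verify_contents` expectations depend on the template's exact layout, so a looser `with_content(/random/)` is enough for the default-name check. Something like the following, added after the first `describe` block inside the shared examples (the spec hunk starts on the previous line):
```ruby
    describe 'with default parameters' do
      let :pre_condition do
        "include nova"
      end

      let :params do
        {
          :uuid  => '4f515eff-47e4-425c-b24d-9c6adc56401c',
          :value => 'AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==',
        }
      end

      let :title do
        'random'
      end

      it { is_expected.to contain_file('/etc/nova/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml').with_content(/random/) }
      it { is_expected.to contain_file('/etc/nova/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret').with(:show_diff => false) }
    end
```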