openstack/puppet-nova
Code Issues Proposed changes

Implement class to configure parameters to use service token

Browse Source 
This patch introduces nova::keystone::service_user class
to configure parameters to enable service token feature
in Nova.

Depends-on: https://review.opendev.org/#/c/666467/
Change-Id: I0400fdbaf098121c0f5e380379b7cfb660963ddd
This commit is contained in:
Takashi Kajinami
2019-06-20 11:01:19 +09:00
parent 6ba4a0029e
commit 9cde9d9326
4 changed files with 191 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
manifests/keystone/service_user.pp Normal file
View File

@@ -0,0 +1,101 @@
# class: nova::keystone::service_user
#
# Configure the service_user section in the configuration file
#
# === Parameters
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'nova'
#
# [*password*]
# (Optional) Password to create for the service user
# Defaults to $::os_service_default
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http:://127.0.0.1:5000'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*user_domain_name*]
# (Optional) Name of domain for $user_domain_name
# Defaults to 'Default'
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_domain_name
# Defaults to 'Default'
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true
# Defaults to 'false'
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to $::os_service_default
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
class nova::keystone::service_user(
$username = 'nova',
$password = $::os_service_default,
$auth_url = 'http://127.0.0.1:5000/',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$send_service_user_token = false,
$insecure = $::os_service_default,
$auth_type = 'password',
$auth_version = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$keyfile = $::os_service_default,
$region_name = $::os_service_default,
) {
include ::nova::deps
keystone::resource::service_user { 'nova_config':
username => $username,
password => $password,
project_name => $project_name,
auth_url => $auth_url,
auth_version => $auth_version,
auth_type => $auth_type,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
send_service_user_token => $send_service_user_token,
insecure => $insecure,
cafile => $cafile,
certfile => $certfile,
keyfile => $keyfile,
region_name => $region_name,
}
}

5
releasenotes/notes/service_token-aa4c96bd76469c56.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
features:
- |
New class, nova::keystone::service_user, is introduced to configure
parameters to service token feature.

8
spec/classes/nova_keystone_authtoken_spec.rb
View File

@@ -61,8 +61,7 @@ describe 'nova::keystone::authtoken' do
:auth_type => 'password', :auth_type => 'password',
:auth_version => 'v3', :auth_version => 'v3',
:cache => 'somevalue', :cache => 'somevalue',
:cafile => :cafile => '/opt/stack/data/cafile.pem',
'/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt', :certfile => 'certfile.crt',
:delay_auth_decision => false, :delay_auth_decision => false,
:enforce_token_bind => 'permissive', :enforce_token_bind => 'permissive',
@@ -78,8 +77,7 @@ describe 'nova::keystone::authtoken' do
:memcache_secret_key => 'secret_key', :memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT', :memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true, :memcache_use_advanced_pool => true,
:memcached_servers => :memcached_servers => ['memcached01:11211','memcached02:11211'],
['memcached01:11211','memcached02:11211'],
:manage_memcache_package => true, :manage_memcache_package => true,
:region_name => 'region2', :region_name => 'region2',
:token_cache_time => '301', :token_cache_time => '301',
@@ -88,7 +86,7 @@ describe 'nova::keystone::authtoken' do
end end
it 'configure keystone_authtoken' do it 'configure keystone_authtoken' do
is_expected.to contain_nova_config('keystone_authtoken/www_authenticate_uri').with_value('https://10.0.0.1:9999/') is_expected.to contain_nova_config('keystone_authtoken/www_authenticate_uri').with_value('https://10.0.0.1:9999/')
is_expected.to contain_nova_config('keystone_authtoken/username').with_value(params[:username]) is_expected.to contain_nova_config('keystone_authtoken/username').with_value(params[:username])
is_expected.to contain_nova_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true) is_expected.to contain_nova_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
is_expected.to contain_nova_config('keystone_authtoken/auth_url').with_value(params[:auth_url]) is_expected.to contain_nova_config('keystone_authtoken/auth_url').with_value(params[:auth_url])

82
spec/classes/nova_keystone_service_user_spec.rb Normal file
View File

@@ -0,0 +1,82 @@
require 'spec_helper'
describe 'nova::keystone::service_user' do
let :params do
{ :password => 'nova_password', }
end
shared_examples 'nova service_user' do
context 'with default parameters' do
it 'configure service_user' do
is_expected.to contain_nova_config('service_user/username').with_value('nova')
is_expected.to contain_nova_config('service_user/password').with_value('nova_password')
is_expected.to contain_nova_config('service_user/auth_url').with_value('http://127.0.0.1:5000/')
is_expected.to contain_nova_config('service_user/project_name').with_value('services')
is_expected.to contain_nova_config('service_user/user_domain_name').with_value('Default')
is_expected.to contain_nova_config('service_user/project_domain_name').with_value('Default')
is_expected.to contain_nova_config('service_user/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('service_user/send_service_user_token').with_value(false)
is_expected.to contain_nova_config('service_user/auth_type').with_value('password')
is_expected.to contain_nova_config('service_user/auth_version').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('service_user/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('service_user/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('service_user/keyfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('service_user/region_name').with_value('<SERVICE DEFAULT>')
end
end
context 'when overriding parameters' do
before do
params.merge!({
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'http://:127.0.0.1:5000',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:send_service_user_token => true,
:insecure => false,
:auth_type => 'password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'region2',
})
end
it 'configure service_user' do
is_expected.to contain_nova_config('service_user/username').with_value(params[:username])
is_expected.to contain_nova_config('service_user/password').with_value(params[:password]).with_secret(true)
is_expected.to contain_nova_config('service_user/auth_url').with_value(params[:auth_url])
is_expected.to contain_nova_config('service_user/project_name').with_value(params[:project_name])
is_expected.to contain_nova_config('service_user/user_domain_name').with_value(params[:user_domain_name])
is_expected.to contain_nova_config('service_user/project_domain_name').with_value(params[:project_domain_name])
is_expected.to contain_nova_config('service_user/send_service_user_token').with_value(params[:send_service_user_token])
is_expected.to contain_nova_config('service_user/insecure').with_value(params[:insecure])
is_expected.to contain_nova_config('service_user/auth_type').with_value(params[:auth_type])
is_expected.to contain_nova_config('service_user/auth_version').with_value(params[:auth_version])
is_expected.to contain_nova_config('service_user/cafile').with_value(params[:cafile])
is_expected.to contain_nova_config('service_user/certfile').with_value(params[:certfile])
is_expected.to contain_nova_config('service_user/keyfile').with_value(params[:keyfile])
is_expected.to contain_nova_config('service_user/region_name').with_value(params[:region_name])
end
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_behaves_like 'nova service_user'
end
end
end