Allow libvirt secret key setting from param

Currently the libvirt secret key is demanded to the ceph cluster via the $(ceph auth get-key ...) command which requires the ceph cluste to be already up and also assumes the computes are provisioned with the client.admin keyring. With this change we add a libvirt_rbd_secret_key parameter which, if passed, is used instead so that computes can be configured without the distribution of additional keys. Change-Id: I70da06159c0d3c6fa204b5f7a468909ffab4d633 Closes-Bug: #1439949
2015-04-03 11:28:19 +02:00 · 2015-04-03 11:28:19 +02:00 · a8ba5a41cd
commit a8ba5a41cd
parent c191303e6b
2 changed files with 29 additions and 1 deletions
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@ -38,6 +38,13 @@
 #   Required to use cephx.
 #   Default to false.
 #
+# [*libvirt_rbd_secret_key*]
+#   (optional) The cephx key to use as key for the libvirt secret,
+#   it must be base64 encoded; when not provided this key will be
+#   requested to the ceph cluster, which assumes the node is
+#   provided of the client.admin keyring as well.
+#   Default to undef.
+#
 # [*rbd_keyring*]
 #   (optional) The keyring name to use when retrieving the RBD secret
 #   Default to 'client.nova'
@ -46,6 +53,7 @@
 class nova::compute::rbd (
  $libvirt_rbd_user,
  $libvirt_rbd_secret_uuid      = false,
+  $libvirt_rbd_secret_key       = undef,
  $libvirt_images_rbd_pool      = 'rbd',
  $libvirt_images_rbd_ceph_conf = '/etc/ceph/ceph.conf',
  $rbd_keyring                  = 'client.nova',
@ -75,8 +83,13 @@ class nova::compute::rbd (
      require => File['/etc/nova/secret.xml']
    }

+    if $libvirt_rbd_secret_key {
+      $libvirt_key = $libvirt_rbd_secret_key
+    } else {
+      $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
+    }
    exec { 'set-secret-value virsh':
-      command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 $(ceph auth get-key ${rbd_keyring})",
+      command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
      unless  => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid}",
      require => Exec['get-or-set virsh secret']
    }
--- a/spec/classes/nova_compute_rbd_spec.rb
+++ b/spec/classes/nova_compute_rbd_spec.rb
@ -90,6 +90,21 @@ describe 'nova::compute::rbd' do
      end
    end

+    context 'when using cephx and passing libvirt_rbd_secret_key' do
+      before :each do
+        params.merge!(
+          :libvirt_rbd_secret_uuid => 'UUID',
+          :libvirt_rbd_secret_key  => 'LIBVIRT/SECRET/KEY',
+        )
+      end
+
+      it 'set libvirt secret key from passed key' do
+        is_expected.to contain_exec('set-secret-value virsh').with(
+          :command => "/usr/bin/virsh secret-set-value --secret #{params[:libvirt_rbd_secret_uuid]} --base64 #{params[:libvirt_rbd_secret_key]}"
+        )
+      end
+    end
+
  end

  context 'on Debian platforms' do