From bf9f06e08052d86d1fec68b68a9a72c700ea9969 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Fri, 19 Apr 2024 10:03:05 +0200 Subject: [PATCH] Add nova::compute::libvirt::secret_ceph resource This adds the nova::compute::libvirt::secret_ceph resource definition that can be used to define libvirt secrets of ceph type. Before this patch one could only handle one libvirt secret by configuring the parameters in the nova::compute::rbd class and with this one can configure multiple. This adds a new manage_libvirt_secret parameter defaulting to true in the nova::compute::rbd class so that one can disable the creation of the libvirt secret from that class. Changes in backport: The line length needed to be adjusted on line 149 Change-Id: Ief031f5dd4b0648d5629789cb7d6d2f6f946fbf8 (cherry picked from commit a7498d6dbc76349d76a800f7b2e01f1ae29d6115) (cherry picked from commit 74a42d6b33b4d9a5fd2d5cb065826ec2a1a5df34) (cherry picked from commit f090015bb6ab371d595fc67e2f232ebf5fb2dd74) (cherry picked from commit a827cfa78eb8c781522dcc8f0d01921f0d652f31) --- manifests/compute/libvirt/secret_ceph.pp | 85 +++++++++++++++++ manifests/compute/rbd.pp | 60 +++++++----- .../libvirt-secret-ceph-b4b11706463f13c6.yaml | 8 ++ .../nova_compute_libvirt_secret_ceph_spec.rb | 91 +++++++++++++++++++ templates/libvirt-secret-ceph.xml.epp | 6 ++ templates/secret.xml-compute.erb | 6 -- 6 files changed, 225 insertions(+), 31 deletions(-) create mode 100644 manifests/compute/libvirt/secret_ceph.pp create mode 100644 releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml create mode 100644 spec/defines/nova_compute_libvirt_secret_ceph_spec.rb create mode 100644 templates/libvirt-secret-ceph.xml.epp delete mode 100644 templates/secret.xml-compute.erb diff --git a/manifests/compute/libvirt/secret_ceph.pp b/manifests/compute/libvirt/secret_ceph.pp new file mode 100644 index 000000000..039bb24d9 --- /dev/null +++ b/manifests/compute/libvirt/secret_ceph.pp 
@@ -0,0 +1,85 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Define: nova::compute::libvirt::secret_ceph
+#
+# Configure a libvirt secret with ceph type.
+#
+# === Parameters
+#
+# [*uuid*]
+# (Required) The UUID of the libvirt secret.
+#
+# [*value*]
+# (Required) The value to store in the secret.
+#
+# [*secret_name*]
+# (Optional) The name of the libvirt secret.
+# Defaults to $name
+#
+# [*secret_path*]
+# (Optional) Directory to store files related to secrets.
+# Defaults to /etc/nova
+#
+define nova::compute::libvirt::secret_ceph(
+ String $uuid,
+ String $value,
+ String[1] $secret_name = $name,
+ Stdlib::Absolutepath $secret_path = '/etc/nova',
+) {
+
+ $xml_file = "${secret_path}/libvirt-secret-${uuid}.xml"
+ file { $xml_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => epp('nova/libvirt-secret-ceph.xml.epp', {
+ 'secret_name' => $secret_name,
+ 'uuid' => $uuid,
+ }),
+ require => Anchor['nova::config::begin'],
+ }
+
+ $secret_file = "${secret_path}/libvirt-secret-${uuid}.secret"
+ file { $secret_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $value,
+ show_diff => false,
+ require => Anchor['nova::config::begin'],
+ }
+
+ exec { "get-or-set virsh secret ${uuid}":
+ command => [
+ '/usr/bin/virsh', 'secret-define', '--file', $xml_file,
+ ],
+ unless => "/usr/bin/virsh secret-list | grep -i ${uuid}",
+ require => File[$xml_file],
+ }
+ Service<| tag == 
'libvirt-service' |> -> Exec["get-or-set virsh secret ${uuid}"] + + exec { "set-secret-value virsh secret ${uuid}": + command => [ + '/usr/bin/virsh', 'secret-set-value', '--secret', $uuid, + '--file', $secret_file, + ], + unless => "/usr/bin/virsh secret-get-value ${uuid} | grep -f ${secret_file}", + logoutput => false, + require => [ + File[$secret_file], + Exec["get-or-set virsh secret ${uuid}"], + ], + } +} diff --git a/manifests/compute/rbd.pp b/manifests/compute/rbd.pp index 6ad4712e5..c0f715b4a 100644 --- a/manifests/compute/rbd.pp +++ b/manifests/compute/rbd.pp @@ -84,6 +84,10 @@ # only in Ubuntu/Debian. # Defaults to 'present' # +# [*manage_libvirt_secret*] +# (optional) Manage the libvirt secret +# Defaults to true +# class nova::compute::rbd ( $libvirt_rbd_user, $libvirt_rbd_secret_uuid = false, @@ -98,6 +102,7 @@ class nova::compute::rbd ( $manage_ceph_client = true, $ceph_client_ensure = 'present', $package_ensure = 'present', + Boolean $manage_libvirt_secret = true, ) { include nova::deps 
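Review bot: `$uuid` is interpolated unquoted into both `unless` shell strings (`grep -i ${uuid}` and `secret-get-value ${uuid}`) and into the two file paths under `$secret_path`, yet its type is only `String`, so a value containing shell metacharacters or `/` alters the command or the path instead of failing catalog compilation; `String $value` likewise admits the empty string, and an empty pattern file makes `grep -f ${secret_file}` never match, so the set-value exec re-runs on every agent run. Tighten the signature to `Pattern[/\A[0-9a-fA-F-]{36}\z/] $uuid,` and `String[1] $value,`. The second guard is also a substring regex match against whatever `secret-get-value` prints; `grep -Fxf ${secret_file}` compares the stored value as a fixed, whole-line string, which is the exact check the comment-free `unless` seems to intend.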
@@ -128,33 +133,38 @@ class nova::compute::rbd ( 'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid; } - file { '/etc/nova/secret.xml': - content => template('nova/secret.xml-compute.erb'), - require => Anchor['nova::config::begin'], - } + if $manage_libvirt_secret { + file { '/etc/nova/secret.xml': + content => epp('nova/libvirt-secret-ceph.xml.epp', { + 'secret_name' => "${rbd_keyring} secret", + 'uuid' => $libvirt_rbd_secret_uuid, + }), + require => Anchor['nova::config::begin'], + } - #Variable name shrunk in favor of removing - #the more than 140 chars puppet-lint warning. - #variable used in the get-or-set virsh secret - #resource. - $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret' - exec { 'get-or-set virsh secret': - command => $cm, - unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}", - require => File['/etc/nova/secret.xml'], - } - Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret'] + #Variable name shrunk in favor of removing + #the more than 140 chars puppet-lint warning. + #variable used in the get-or-set virsh secret + #resource. 
+ $c = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' >/etc/nova/virsh.secret' + exec { 'get-or-set virsh secret': + command => $c, + unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}", + require => File['/etc/nova/secret.xml'], + } + Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret'] - if $libvirt_rbd_secret_key { - $libvirt_key = $libvirt_rbd_secret_key - } else { - $libvirt_key = "$(ceph auth get-key ${rbd_keyring})" - } - exec { 'set-secret-value virsh': - command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}", - unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}", - logoutput => false, - require => Exec['get-or-set virsh secret'], + if $libvirt_rbd_secret_key { + $libvirt_key = $libvirt_rbd_secret_key + } else { + $libvirt_key = "$(ceph auth get-key ${rbd_keyring})" + } + exec { 'set-secret-value virsh': + command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}", + unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}", + logoutput => false, + require => Exec['get-or-set virsh secret'], + } } } else { nova_config { diff --git a/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml new file mode 100644 index 000000000..2e7fd1c9f --- /dev/null +++ b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Added new ``nova::compute::libvirt::secret_ceph`` resource definition that + can be used to create a libvirt secret of type ceph. + - | + Added new ``manage_libvirt_secret`` parameter defaulting to true in the + ``nova::compute::rbd`` class. 
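Review bot: The block re-indented under `if $manage_libvirt_secret` still hands the key to virsh on the command line in `--base64 ${libvirt_key}` and again in the `unless` via `grep ${libvirt_key}`, where it is visible in process listings for the duration of the exec, while the `nova::compute::libvirt::secret_ceph` define introduced by this same change passes the key through a root-only 0600 file. When `$libvirt_rbd_secret_key` is supplied the class could declare that define instead of keeping a second implementation of the same secret handling; the `$(ceph auth get-key ${rbd_keyring})` fallback cannot be expressed as a file value, so that branch would keep the current path. A short comment stating why the two code paths coexist, e.g. `# manage_libvirt_secret => false lets callers declare nova::compute::libvirt::secret_ceph themselves`, would help the next reader. The enclosing `if`/`else` starts and ends outside this hunk.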
diff --git a/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
new file mode 100644
index 000000000..d3873f71a
--- /dev/null
+++ b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+describe 'nova::compute::libvirt::secret_ceph' do
+ shared_examples 'nova::compute::libvirt::secret_ceph' do
+ describe 'with required parameters' do
+ let :pre_condition do
+ "include nova"
+ end
+
+ let :params do
+ {
+ :uuid => '4f515eff-47e4-425c-b24d-9c6adc56401c',
+ :value => 'AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==',
+ :secret_name => 'client.openstack',
+ :secret_path => '/tmp',
+ }
+ end
+
+ let :title do
+ 'random'
+ end
+
+ it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml').with(
+ :ensure => 'present',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :require => 'Anchor[nova::config::begin]',
+ )}
+
+ it {
+ verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml', [
+ "",
+ " ",
+ " client.openstack",
+ " ",
+ " 4f515eff-47e4-425c-b24d-9c6adc56401c",
+ ""
+ ])
+ }
+
+ it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret').with(
+ :ensure => 'present',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :show_diff => false,
+ :require => 'Anchor[nova::config::begin]',
+ )}
+
+ it {
+ verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret', [
+ "AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==",
+ ])
+ }
+
+ it { is_expected.to contain_exec('get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+ :command => [
+ '/usr/bin/virsh', 'secret-define', '--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml',
+ ],
+ :unless => "/usr/bin/virsh secret-list | grep -i 4f515eff-47e4-425c-b24d-9c6adc56401c",
+ :require => 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml]',
+ )}
+
+ it { is_expected.to contain_exec('set-secret-value virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+ :command => [
+ '/usr/bin/virsh', 'secret-set-value', '--secret', '4f515eff-47e4-425c-b24d-9c6adc56401c',
+ 
'--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret', + ], + :unless => "/usr/bin/virsh secret-get-value 4f515eff-47e4-425c-b24d-9c6adc56401c | grep -f /tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret", + :logoutput => false, + :require => [ + 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret]', + 'Exec[get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c]', + ], + )} + end + end + + on_supported_os({ + :supported_os => OSDefaults.get_supported_os + }).each do |os,facts| + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + + it_behaves_like 'nova::compute::libvirt::secret_ceph' + end + end +end diff --git a/templates/libvirt-secret-ceph.xml.epp b/templates/libvirt-secret-ceph.xml.epp new file mode 100644 index 000000000..fa9f9bc0e --- /dev/null +++ b/templates/libvirt-secret-ceph.xml.epp @@ -0,0 +1,6 @@ + + + <%= $secret_name -%> + + <%= $uuid -%> + diff --git a/templates/secret.xml-compute.erb b/templates/secret.xml-compute.erb deleted file mode 100644 index c772552b3..000000000 --- a/templates/secret.xml-compute.erb +++ /dev/null @@ -1,6 +0,0 @@ - - - <%= @rbd_keyring %> secret - - <%= @libvirt_rbd_secret_uuid %> -
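Review bot: The spec exercises the define only with every parameter supplied, so the `secret_name` default of `$name` and the `secret_path` default of `/etc/nova` are never checked; a second `describe` passing only `:uuid` and `:value` and expecting `/etc/nova/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml` with `random` as the secret name would cover both defaults. `facts.merge!(OSDefaults.get_facts())` mutates the hash yielded by `on_supported_os` in place; `facts.merge(OSDefaults.get_facts())` returns a fresh hash and avoids state leaking between the per-OS contexts, which matters if this shared example is ever reused. The spec's `describe` block and the `on_supported_os` loop both begin in the previous chunk of this hunk.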