Merge "Remove novajoin support"

Zuul 2022-05-23 17:31:12 +00:00 committed by Gerrit Code Review
commit c697f79f3e
16 changed files with 4 additions and 1417 deletions


@ -1,10 +0,0 @@
Puppet::Type.type(:novajoin_config).provide(
:ini_setting,
:parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
) do
def self.file_path
'/etc/novajoin/join.conf'
end
end


@ -1,53 +0,0 @@
Puppet::Type.newtype(:novajoin_config) do
ensurable
newparam(:name, :namevar => true) do
desc 'Section/setting name to manage from join.conf'
newvalues(/\S+\/\S+/)
end
newproperty(:value) do
desc 'The value of the setting to be defined.'
munge do |value|
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
newvalues(/^[\S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
newparam(:ensure_absent_val) do
desc 'A value that is specified as the value property will behave as if ensure => absent was specified'
defaultto('<SERVICE DEFAULT>')
end
autorequire(:anchor) do
['nova::install::end']
end
end


@ -1,270 +0,0 @@
# == Class: nova::metadata::novajoin::api
#
# DEPRECATED !
# The nova::metadata::novajoin::api class encapsulates an
# IPA Nova Join API service.
#
# === Parameters
#
# [*password*]
# (required) Password for the novajoin service user.
#
# [*transport_url*]
# (required) Transport URL for notifier service to talk to
# the messaging queue.
#
# [*bind_address*]
# (optional) IP address for novajoin server to listen
# Defaults to '127.0.0.1'
#
# [*api_paste_config*]
# (optional) Filename for the paste deploy file.
# Defaults to '/etc/novajoin/join-api-paste.ini'.
#
# [*auth_strategy*]
# (optional) Strategy to use for authentication.
# Defaults to 'keystone'.
#
# [*auth_type*]
# (optional) Authentication type.
# Defaults to 'password'.
#
# [*cacert*]
# (optional) CA cert file.
# Defaults to '/etc/ipa/ca.crt'.
#
# [*connect_retries*]
# (optional) Number of connection retries to IPA.
# Defaults to 1.
#
# [*debug*]
# (optional) Set log level to debug.
# Defaults to false.
#
# [*enabled*]
# (optional) Whether to enable services.
# Defaults to true.
#
# [*enable_ipa_client_install*]
# (optional) whether to perform ipa_client_install
# Defaults to true.
#
# [*ensure_package*]
# (optional) The state of novajoin packages.
# Defaults to 'present'
#
# [*ipa_domain*]
# (optional) IPA domain
# Reads the value from /etc/ipa/default.conf if not defined.
#
# [*join_listen_port*]
# (optional) Port for novajoin service to listen on.
# Defaults to 9090
#
# [*keystone_auth_url*]
# (optional) auth_url for the keystone instance.
# Defaults to 'http:://127.0.0.1:5000'
#
# [*keytab*]
# (optional) Kerberos client keytab file.
# Defaults to '/etc/novajoin/krb5.keytab'
#
# [*log_dir*]
# (optional) log directory.
# Defaults to '/var/log/novajoin'
#
# [*manage_service*]
# (optional) If Puppet should manage service startup / shutdown.
# Defaults to true.
#
# [*user_domain_name*]
# (optional) Domain name for novajoin user.
# Defaults to 'Default'
#
# [*username*]
# (optional) User that the novajoin services run as.
# Defaults to 'novajoin'
#
# [*project_domain_name*]
# (optional) Domain name containing project (for novajoin auth).
# Defaults to 'Default'
#
# [*project_name*]
# (optional) Project name (for novajoin auth).
# Defaults to 'services'
#
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*configure_kerberos*]
# (optional) Whether or not to create a kerberos configuration file.
# Defaults to false
#
# [*ipa_realm*]
# (optional) Kerberos realm. If left empty, the kerberos configuration will
# take the domain and upcase it.
# Defaults to undef
#
class nova::metadata::novajoin::api (
$transport_url,
$bind_address = '127.0.0.1',
$api_paste_config = '/etc/novajoin/join-api-paste.ini',
$auth_strategy = $::os_service_default,
$auth_type = 'password',
$cacert = '/etc/ipa/ca.crt',
$connect_retries = $::os_service_default,
$debug = $::os_service_default,
$enabled = true,
$enable_ipa_client_install = true,
$ensure_package = 'present',
$ipa_domain = undef,
$join_listen_port = $::os_service_default,
$keystone_auth_url = 'http://127.0.0.1:5000/',
$keytab = '/etc/novajoin/krb5.keytab',
$log_dir = '/var/log/novajoin',
$manage_service = true,
$password = undef,
$user_domain_name = 'Default',
$username = 'novajoin',
$project_domain_name = 'Default',
$project_name = 'services',
$system_scope = $::os_service_default,
$configure_kerberos = false,
$ipa_realm = undef,
) {
warning('Support for novajoin service is deprecated!')
include nova::params
include nova::metadata::novajoin::authtoken
include nova::metadata::novajoin::policy
if ! $username {
fail('username is missing')
}
if ! $password {
fail('password is missing')
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
if $nova::params::novajoin_package_name == undef {
fail("Unsupported osfamily: ${::osfamily} operatingsystem")
}
if $enable_ipa_client_install {
require ipaclient
# If we're installing IPA here, the hostname fact won't be populated yet,
# so we'll use a command to get it.
$ipa_hostname_real = '`grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3`'
} else {
# This assumes that the current node is already IPA enrolled, so the
# fact will work here.
$ipa_hostname_real = $::ipa_hostname
}
package { 'python-novajoin':
ensure => $ensure_package,
name => $nova::params::novajoin_package_name,
tag => ['openstack', 'novajoin-package'],
}
file { '/var/log/novajoin':
ensure => directory,
owner => $username,
group => $username,
recurse => true,
}
if $ipa_domain != undef {
novajoin_config {
'DEFAULT/domain': value => $ipa_domain;
}
$ipa_domain_real = $ipa_domain
} else {
$ipa_domain_real = $::domain
}
if $configure_kerberos {
if $ipa_realm != undef {
$ipa_realm_real
} else {
$ipa_realm_real = upcase($ipa_domain_real)
}
file { '/etc/novajoin/krb5.conf':
content => template('nova/krb5.conf.erb'),
owner => $username,
group => $username,
}
}
novajoin_config {
'DEFAULT/join_listen': value => $bind_address;
'DEFAULT/api_paste_config': value => $api_paste_config;
'DEFAULT/auth_strategy': value => $auth_strategy;
'DEFAULT/cacert': value => $cacert;
'DEFAULT/connect_retries': value => $connect_retries;
'DEFAULT/debug': value => $debug;
'DEFAULT/join_listen_port': value => $join_listen_port;
'DEFAULT/keytab': value => $keytab;
'DEFAULT/log_dir': value => $log_dir;
'DEFAULT/transport_url': value => $transport_url;
'service_credentials/auth_type': value => $auth_type;
'service_credentials/auth_url': value => $keystone_auth_url;
'service_credentials/password': value => $password;
'service_credentials/username': value => $username;
'service_credentials/user_domain_name': value => $user_domain_name;
'service_credentials/project_name': value => $project_name_real;
'service_credentials/project_domain_name': value => $project_domain_name_real;
'service_credentials/system_scope': value => $system_scope;
}
if $manage_service {
if $enabled {
$service_ensure = 'running'
} else {
$service_ensure = 'stopped'
}
service { 'novajoin-server':
ensure => $service_ensure,
name => $nova::params::novajoin_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'openstack',
}
service { 'novajoin-notify':
ensure => $service_ensure,
name => $nova::params::notify_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'openstack',
}
Novajoin_config<||> ~> Service['novajoin-server']
Novajoin_config<||> ~> Service['novajoin-notify']
Exec['get-service-user-keytab'] ~> Service['novajoin-server']
Exec['get-service-user-keytab'] ~> Service['novajoin-notify']
}
exec { 'get-service-user-keytab':
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ${ipa_hostname_real} \
-p nova/${::fqdn} -k ${keytab}",
creates => $keytab,
}
ensure_resource('file', $keytab, { owner => $username, require => Exec['get-service-user-keytab'] })
Package<| tag == 'novajoin-package' |> -> Exec['get-service-user-keytab']
Exec['get-service-user-keytab'] ~> Service<| title == 'nova-api'|>
}


@ -1,118 +0,0 @@
# == Class: nova::metadata::novajoin::auth
#
# DEPRECATED !
# Creates nova endpoints and service account in keystone
#
# === Parameters:
#
# [*password*]
# Password to create for the service user
#
# [*auth_name*]
# (optional) The name of the novajoin service user
# Defaults to 'novajoin'
#
# [*service_name*]
# (optional) Name of the service.
# Defaults to 'novajoin'.
#
# [*service_type*]
# (Optional) Type of service.
# Defaults to 'compute-vendordata-plugin'.
#
# [*service_description*]
# (optional) Description for keystone service.
# Defaults to 'Openstack Compute Service'.
#
# [*public_url*]
# (optional) The endpoint's public url.
# Defaults to 'http://127.0.0.1:8774/v2.1'
#
# [*internal_url*]
# (optional) The endpoint's internal url.
# Defaults to 'http://127.0.0.1:8774/v2.1'
#
# [*admin_url*]
# (optional) The endpoint's admin url.
# Defaults to 'http://127.0.0.1:8774/v2.1'
#
# [*region*]
# (optional) The region in which to place the endpoints
# Defaults to 'RegionOne'
#
# [*tenant*]
# (optional) The tenant to use for the novajoin service user
# Defaults to 'services'
#
# [*roles*]
# (Optional) List of roles assigned to the nova service user
# Defaults to ['admin']
#
# [*system_scope*]
# Scope for system operations
# string; optional: default to 'all'
#
# [*system_roles*]
# List of system roles;
# string; optional: default to []
#
# [*email*]
# (optional) The email address for the novajoin service user
# Defaults to 'novajoin@localhost'
#
# [*configure_endpoint*]
# (optional) Whether to create the endpoint.
# Defaults to false
#
# [*configure_user*]
# (optional) Whether to create the service user.
# Defaults to true
#
# [*configure_user_role*]
# (optional) Whether to configure the admin role for the service user.
# Defaults to true
#
class nova::metadata::novajoin::auth(
$password,
$auth_name = 'novajoin',
$service_name = 'novajoin',
$service_type = 'compute-vendordata-plugin',
$service_description = 'Novajoin vendordata plugin',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$email = 'novajoin@localhost',
$public_url = 'http://127.0.0.1:9090',
$internal_url = 'http://127.0.0.1:9090',
$admin_url = 'http://127.0.0.1:9090',
$configure_endpoint = false,
$configure_user = true,
$configure_user_role = true,
) {
warning('Support for novajoin service is deprecated!')
Keystone::Resource::Service_identity['novajoin'] -> Service <| name == 'novajoin-server' |>
keystone::resource::service_identity { 'novajoin':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
configure_endpoint => $configure_endpoint,
service_type => $service_type,
service_description => $service_description,
service_name => $service_name,
region => $region,
auth_name => $auth_name,
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
}


@ -1,289 +0,0 @@
# class: nova::metadata::novajoin::authtoken
#
# DEPRECATED !
# Configure the keystone_authtoken section in the configuration file
#
# === Parameters
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'novajoin'
#
# [*password*]
# (Optional) Password to create for the service user
# Defaults to $::os_service_default
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http:://127.0.0.1:5000'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*user_domain_name*]
# (Optional) Name of domain for $user_domain_name
# Defaults to 'Default'
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_domain_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
#
# [*auth_section*]
# (Optional) Config Section from which to load plugin specific options
# Defaults to $::os_service_default.
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to $::os_service_default
#
# [*www_authenticate_uri*]
# (Optional) Complete public Identity API endpoint.
# Defaults to 'http://127.0.0.1:5000/'.
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cache*]
# (Optional) Env key for the swift cache.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean
# value
# Defaults to $::os_service_default.
#
# [*enforce_token_bind*]
# (Optional) Used to control the use and type of token binding. Can be set
# to: "disabled" to not check token binding. "permissive" (default) to
# validate binding information if the bind type is of a form known to the
# server and ignore it if not. "strict" like "permissive" but if the bind
# type is unknown the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a binding method that
# must be present in tokens. String value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API
# server.
# Defaults to $::os_service_default.
#
# [*http_request_max_retries*]
# (Optional) How many times are we trying to reconnect when communicating
# with Identity API Server. Integer value
# Defaults to $::os_service_default.
#
# [*include_service_catalog*]
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will
# not set the X-Service-Catalog header. Boolean value.
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*memcache_pool_conn_get_timeout*]
# (Optional) Number of seconds that an operation will wait to get a memcached
# client connection from the pool. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_dead_retry*]
# (Optional) Number of seconds memcached server is considered dead before it
# is tried again. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_maxsize*]
# (Optional) Maximum total number of open connections to every memcached
# server. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_socket_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in
# the pool before it is closed. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_unused_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in
# the pool before it is closed. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_secret_key*]
# (Optional, mandatory if memcache_security_strategy is defined) This string
# is used for key derivation.
# Defaults to $::os_service_default.
#
# [*memcache_security_strategy*]
# (Optional) If defined, indicate whether token data should be authenticated
# or authenticated and encrypted. If MAC, token data is authenticated (with
# HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
# cache. If the value is not one of these options or empty, auth_token will
# raise an exception on initialization.
# Defaults to $::os_service_default.
#
# [*memcache_use_advanced_pool*]
# (Optional) Use the advanced (eventlet safe) memcached client pool. The
# advanced pool will only work under python 2.x Boolean value
# Defaults to $::os_service_default.
#
# [*memcached_servers*]
# (Optional) Optionally specify a list of memcached server(s) to use for
# caching. If left undefined, tokens will instead be cached in-process.
# Defaults to $::os_service_default.
#
# [*manage_memcache_package*]
# (Optional) Whether to install the python-memcache package.
# Defaults to false.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
# [*token_cache_time*]
# (Optional) In order to prevent excessive effort spent validating tokens,
# the middleware caches previously-seen tokens for a configurable duration
# (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default.
#
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity
# true/false
# Defaults to $::os_service_default.
#
# [*service_type*]
# (Optional) The name or type of the service as it appears in the service
# catalog. This is used to validate tokens that have restricted access rules.
# Defaults to $::os_service_default.
#
# [*interface*]
# (Optional) Interface to use for the Identity API endpoint. Valid values are
# "public", "internal" or "admin".
# Defaults to $::os_service_default.
#
# [*params*]
# (Optional) Hash of additional parameters to pass through to the keystone
# authtoken class. Values set here override the individual parameters above.
#
class nova::metadata::novajoin::authtoken(
$username = 'novajoin',
$password = $::os_service_default,
$auth_url = 'http://127.0.0.1:5000/',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
$www_authenticate_uri = 'http://127.0.0.1:5000/',
$auth_version = $::os_service_default,
$cache = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default,
$http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default,
$keyfile = $::os_service_default,
$memcache_pool_conn_get_timeout = $::os_service_default,
$memcache_pool_dead_retry = $::os_service_default,
$memcache_pool_maxsize = $::os_service_default,
$memcache_pool_socket_timeout = $::os_service_default,
$memcache_pool_unused_timeout = $::os_service_default,
$memcache_secret_key = $::os_service_default,
$memcache_security_strategy = $::os_service_default,
$memcache_use_advanced_pool = $::os_service_default,
$memcached_servers = $::os_service_default,
$manage_memcache_package = false,
$region_name = $::os_service_default,
$token_cache_time = $::os_service_default,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default,
$service_type = $::os_service_default,
$interface = $::os_service_default,
$params = {},
) {
warning('Support for novajoin service is deprecated!')
include nova::deps
if is_service_default($password) {
fail('Please set password for novajoin service user')
}
keystone::resource::authtoken {
'novajoin_config':
* => $params;
default:
username => $username,
password => $password,
project_name => $project_name,
auth_url => $auth_url,
www_authenticate_uri => $www_authenticate_uri,
auth_version => $auth_version,
auth_type => $auth_type,
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,
certfile => $certfile,
delay_auth_decision => $delay_auth_decision,
enforce_token_bind => $enforce_token_bind,
http_connect_timeout => $http_connect_timeout,
http_request_max_retries => $http_request_max_retries,
include_service_catalog => $include_service_catalog,
keyfile => $keyfile,
memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
memcache_pool_dead_retry => $memcache_pool_dead_retry,
memcache_pool_maxsize => $memcache_pool_maxsize,
memcache_pool_socket_timeout => $memcache_pool_socket_timeout,
memcache_secret_key => $memcache_secret_key,
memcache_security_strategy => $memcache_security_strategy,
memcache_use_advanced_pool => $memcache_use_advanced_pool,
memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
memcached_servers => $memcached_servers,
manage_memcache_package => $manage_memcache_package,
region_name => $region_name,
token_cache_time => $token_cache_time,
service_token_roles => $service_token_roles,
service_token_roles_required => $service_token_roles_required,
service_type => $service_type,
interface => $interface;
}
}


@ -1,47 +0,0 @@
# == Class: nova::metadata::novajoin::policy
#
# DEPRECATED !
# Configure the nova policies
#
# === Parameters
#
# [*policies*]
# (Optional) Set of policies to configure for novajoin
# Example :
# {
# 'novajoin-compute_service_user' => {
# 'key' => 'compute_service_user',
# 'value' => 'role:admin'
# }
# }
# Defaults to empty hash.
#
# [*policy_path*]
# (Optional) Path to the novajoin policy.yaml file
# Defaults to /etc/novajoin/policy.yaml
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
# file.
# Defaults to false.
#
class nova::metadata::novajoin::policy (
$policies = {},
$policy_path = '/etc/novajoin/policy.yaml',
$purge_config = false,
) {
warning('Support for novajoin service is deprecated!')
validate_legacy(Hash, 'validate_hash', $policies)
openstacklib::policy { $policy_path:
policies => $policies,
policy_path => $policy_path,
file_user => 'root',
file_format => 'yaml',
purge_config => $purge_config,
}
oslo::policy { 'novajoin_config': policy_file => $policy_path }
}


@ -21,7 +21,6 @@ class nova::params {
$python_package_name = 'python3-nova'
$compute_package_name = 'openstack-nova-compute'
$conductor_package_name = 'openstack-nova-conductor'
$novajoin_package_name = 'python3-novajoin'
$doc_package_name = 'openstack-nova-doc'
$libvirt_package_name = 'libvirt'
$libvirt_guests_package_name = 'libvirt-client'
@ -49,8 +48,6 @@ class nova::params {
$virtstorage_service_name = 'virtstoraged'
$scheduler_service_name = 'openstack-nova-scheduler'
$tgt_service_name = 'tgtd'
$novajoin_service_name = 'novajoin-server'
$notify_service_name = 'novajoin-notify'
$vncproxy_service_name = 'openstack-nova-novncproxy'
$serialproxy_service_name = 'openstack-nova-serialproxy'
$spicehtml5proxy_service_name = 'openstack-nova-spicehtml5proxy'
@ -77,7 +74,6 @@ class nova::params {
$python_package_name = 'python3-nova'
$compute_package_name = 'nova-compute'
$conductor_package_name = 'nova-conductor'
$novajoin_package_name = undef
$doc_package_name = 'nova-doc'
$libvirt_package_name = 'libvirt-daemon-system'
$scheduler_package_name = 'nova-scheduler'
@ -93,8 +89,6 @@ class nova::params {
$vncproxy_service_name = 'nova-novncproxy'
$serialproxy_service_name = 'nova-serialproxy'
$tgt_service_name = 'tgt'
$novajoin_service_name = undef
$notify_service_name = undef
$nova_wsgi_script_path = '/usr/lib/cgi-bin/nova'
$nova_api_wsgi_script_source = '/usr/bin/nova-api-wsgi'
$nova_metadata_wsgi_script_source = '/usr/bin/nova-metadata-wsgi'


@ -1,10 +1,6 @@
{
"author": "Puppet Labs and OpenStack Contributors",
"dependencies": [
{
"name": "joshuabaird/ipaclient",
"version_requirement": ">=2.5.1"
},
{
"name": "puppetlabs/inifile",
"version_requirement": ">=2.0.0 <6.0.0"


@ -0,0 +1,4 @@
---
upgrade:
- |
Support for the novajoin service has been removed.


@ -1,188 +0,0 @@
require 'spec_helper'
describe 'nova::metadata::novajoin::api' do
let :default_params do
{
:bind_address => '127.0.0.1',
:api_paste_config => '/etc/novajoin/join-api-paste.ini',
:auth_strategy => '<SERVICE DEFAULT>',
:auth_type => 'password',
:cacert => '/etc/ipa/ca.crt',
:connect_retries => '<SERVICE DEFAULT>',
:debug => '<SERVICE DEFAULT>',
:enabled => true,
:enable_ipa_client_install => true,
:ensure_package => 'present',
:join_listen_port => '<SERVICE DEFAULT>',
:keytab => '/etc/novajoin/krb5.keytab',
:log_dir => '/var/log/novajoin',
:username => 'novajoin',
:project_domain_name => 'Default',
:project_name => 'services',
:user_domain_name => 'Default',
:ipa_domain => 'EXAMPLE.COM',
:keystone_auth_url => 'https://keystone.example.com:5000',
:password => 'my_secret_password',
:transport_url => 'rabbit:rabbit_pass@rabbit_host',
}
end
let :pre_condition do
"class { 'ipaclient': password => 'join_otp', }
class { 'nova::metadata::novajoin::authtoken':
password => 'passw0rd',
}"
end
shared_examples 'nova::metadata::novajoin::api' do
[{},
{
:bind_address => '0.0.0.0',
:api_paste_config => '/etc/novajoin/join-api-paste.ini',
:auth_strategy => 'noauth2',
:auth_type => 'password',
:cacert => '/etc/ipa/ca.crt',
:connect_retries => 2,
:debug => true,
:enabled => false,
:enable_ipa_client_install => false,
:ensure_package => 'present',
:join_listen_port => '9921',
:keytab => '/etc/krb5.conf',
:log_dir => '/var/log/novajoin',
:username => 'novajoin1',
:project_domain_name => 'Default',
:project_name => 'services',
:user_domain_name => 'Default',
:ipa_domain => 'EXAMPLE2.COM',
:keystone_auth_url => 'https://keystone2.example.com:5000',
:password => 'my_secret_password2',
:transport_url => 'rabbit:rabbit_pass2@rabbit_host',
}
].each do |param_set|
context "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
let :param_hash do
default_params.merge(param_set)
end
let :params do
param_hash
end
it { should contain_class('nova::metadata::novajoin::authtoken') }
it { should contain_service('novajoin-server').with(
'ensure' => param_hash[:enabled] ? 'running': 'stopped',
'enable' => param_hash[:enabled],
'hasstatus' => true,
'hasrestart' => true,
'tag' => 'openstack',
)}
it { should contain_service('novajoin-notify').with(
'ensure' => param_hash[:enabled] ? 'running': 'stopped',
'enable' => param_hash[:enabled],
'hasstatus' => true,
'hasrestart' => true,
'tag' => 'openstack',
)}
it {
should contain_novajoin_config('DEFAULT/join_listen').with_value(param_hash[:bind_address])
should contain_novajoin_config('DEFAULT/api_paste_config').with_value(param_hash[:api_paste_config])
should contain_novajoin_config('DEFAULT/auth_strategy').with_value(param_hash[:auth_strategy])
should contain_novajoin_config('DEFAULT/cacert').with_value(param_hash[:cacert])
should contain_novajoin_config('DEFAULT/connect_retries').with_value(param_hash[:connect_retries])
should contain_novajoin_config('DEFAULT/debug').with_value(param_hash[:debug])
should contain_novajoin_config('DEFAULT/join_listen_port').with_value(param_hash[:join_listen_port])
should contain_novajoin_config('DEFAULT/keytab').with_value(param_hash[:keytab])
should contain_novajoin_config('DEFAULT/log_dir').with_value(param_hash[:log_dir])
should contain_novajoin_config('DEFAULT/domain').with_value(param_hash[:ipa_domain])
should contain_novajoin_config('DEFAULT/transport_url').with_value(param_hash[:transport_url])
}
it {
should contain_novajoin_config('service_credentials/auth_type').with_value(param_hash[:auth_type])
should contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
should contain_novajoin_config('service_credentials/password').with_value(param_hash[:password])
should contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
should contain_novajoin_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
should contain_novajoin_config('service_credentials/user_domain_name').with_value(param_hash[:user_domain_name])
should contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
should contain_novajoin_config('service_credentials/username').with_value(param_hash[:username])
}
it {
if param_hash[:enable_ipa_client_install]
should contain_exec('get-service-user-keytab').with(
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
)
else
should contain_exec('get-service-user-keytab').with(
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ipa.ipadomain \
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
)
end
}
it { should contain_file("/var/log/novajoin").with(
'ensure' => 'directory',
'owner' => "#{param_hash[:username]}",
'group' => "#{param_hash[:username]}",
'recurse' => true
)}
it { should contain_file("#{param_hash[:keytab]}").with(
'owner' => "#{param_hash[:username]}",
'require' => 'Exec[get-service-user-keytab]',
)}
end
end
context 'with disabled service managing' do
let :params do
{
:manage_service => false,
:ipa_domain => 'EXAMPLE.COM',
:password => 'my_secret_password',
:transport_url => 'rabbit:rabbit_pass@rabbit_host',
}
end
it { should_not contain_service('novajoin-server') }
it { should_not contain_service('novajoin-notify') }
end
end
shared_examples 'nova::metadata::novajoin::api on RedHat' do
let :params do
default_params
end
it { should contain_package('python-novajoin').with(
:name => platform_params[:novajoin_package_name],
:tag => ['openstack', 'novajoin-package'],
)}
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts({ :ipa_hostname => 'ipa.ipadomain',
:fqdn => "undercloud.example.com" }))
end
if facts[:osfamily] == 'RedHat'
it_behaves_like 'nova::metadata::novajoin::api'
it_behaves_like 'nova::metadata::novajoin::api on RedHat'
let (:platform_params) do
{ :novajoin_package_name => 'python3-novajoin' }
end
end
end
end
end


@ -1,89 +0,0 @@
#
# Unit tests for nova::metadata::novajoin::auth
#
require 'spec_helper'
describe 'nova::metadata::novajoin::auth' do
shared_examples_for 'nova::metadata::novajoin::auth' do
context 'with default class parameters' do
let :params do
{ :password => 'novajoin_password' }
end
it { is_expected.to contain_keystone__resource__service_identity('novajoin').with(
:configure_user => true,
:configure_user_role => true,
:configure_endpoint => false,
:service_name => 'novajoin',
:service_type => 'compute-vendordata-plugin',
:service_description => 'Novajoin vendordata plugin',
:region => 'RegionOne',
:auth_name => 'novajoin',
:password => 'novajoin_password',
:email => 'novajoin@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:9090',
:internal_url => 'http://127.0.0.1:9090',
:admin_url => 'http://127.0.0.1:9090',
) }
end
context 'when overriding parameters' do
let :params do
{ :password => 'novajoin_password',
:auth_name => 'alt_novajoin',
:email => 'alt_novajoin@alt_localhost',
:tenant => 'alt_service',
:configure_endpoint => true,
:configure_user => false,
:configure_user_role => false,
:service_description => 'Alternative Novajoin vendordata plugin',
:service_name => 'alt_service',
:service_type => 'alt_compute-vendordata-plugin',
:region => 'RegionTwo',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81' }
end
it { is_expected.to contain_keystone__resource__service_identity('novajoin').with(
:configure_user => false,
:configure_user_role => false,
:configure_endpoint => true,
:service_name => 'alt_service',
:service_type => 'alt_compute-vendordata-plugin',
:service_description => 'Alternative Novajoin vendordata plugin',
:region => 'RegionTwo',
:auth_name => 'alt_novajoin',
:password => 'novajoin_password',
:email => 'alt_novajoin@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',
) }
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_behaves_like 'nova::metadata::novajoin::auth'
end
end
end


@ -1,170 +0,0 @@
require 'spec_helper'
describe 'nova::metadata::novajoin::authtoken' do
let :params do
{ :password => 'novajoin_password', }
end
shared_examples 'nova::metadata::novajoin::authtoken' do
context 'with default parameters' do
it 'configure keystone_authtoken' do
is_expected.to contain_keystone__resource__authtoken('novajoin_config').with(
:username => 'novajoin',
:password => 'novajoin_password',
:auth_url => 'http://127.0.0.1:5000/',
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
:www_authenticate_uri => 'http://127.0.0.1:5000/',
:auth_version => '<SERVICE DEFAULT>',
:cache => '<SERVICE DEFAULT>',
:cafile => '<SERVICE DEFAULT>',
:certfile => '<SERVICE DEFAULT>',
:delay_auth_decision => '<SERVICE DEFAULT>',
:enforce_token_bind => '<SERVICE DEFAULT>',
:http_connect_timeout => '<SERVICE DEFAULT>',
:http_request_max_retries => '<SERVICE DEFAULT>',
:include_service_catalog => '<SERVICE DEFAULT>',
:keyfile => '<SERVICE DEFAULT>',
:memcache_pool_conn_get_timeout => '<SERVICE DEFAULT>',
:memcache_pool_dead_retry => '<SERVICE DEFAULT>',
:memcache_pool_maxsize => '<SERVICE DEFAULT>',
:memcache_pool_socket_timeout => '<SERVICE DEFAULT>',
:memcache_pool_unused_timeout => '<SERVICE DEFAULT>',
:memcache_secret_key => '<SERVICE DEFAULT>',
:memcache_security_strategy => '<SERVICE DEFAULT>',
:memcache_use_advanced_pool => '<SERVICE DEFAULT>',
:memcached_servers => '<SERVICE DEFAULT>',
:manage_memcache_package => false,
:region_name => '<SERVICE DEFAULT>',
:token_cache_time => '<SERVICE DEFAULT>',
:service_token_roles => '<SERVICE DEFAULT>',
:service_token_roles_required => '<SERVICE DEFAULT>',
:service_type => '<SERVICE DEFAULT>',
:interface => '<SERVICE DEFAULT>',
)
end
end
context 'when overriding parameters' do
before do
params.merge!({
:www_authenticate_uri => 'https://10.0.0.1:9999/',
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
:auth_version => 'v3',
:cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:delay_auth_decision => false,
:enforce_token_bind => 'permissive',
:http_connect_timeout => '300',
:http_request_max_retries => '3',
:include_service_catalog => true,
:keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'],
:manage_memcache_package => true,
:region_name => 'region2',
:token_cache_time => '301',
:service_token_roles => ['service'],
:service_token_roles_required => false,
:service_type => 'identity',
:interface => 'internal',
})
end
it 'configure keystone_authtoken' do
is_expected.to contain_keystone__resource__authtoken('novajoin_config').with(
:www_authenticate_uri => 'https://10.0.0.1:9999/',
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
:auth_version => 'v3',
:cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:delay_auth_decision => false,
:enforce_token_bind => 'permissive',
:http_connect_timeout => '300',
:http_request_max_retries => '3',
:include_service_catalog => true,
:keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'],
:manage_memcache_package => true,
:region_name => 'region2',
:token_cache_time => '301',
:service_token_roles => ['service'],
:service_token_roles_required => false,
:service_type => 'identity',
:interface => 'internal',
)
end
end
context 'when overriding parameters via params hash' do
before do
params.merge!({
:username => 'myuser',
:params => { 'username' => 'myotheruser' },
})
end
it 'configure keystone_authtoken' do
is_expected.to contain_keystone__resource__authtoken('novajoin_config').with(
:username => 'myotheruser',
)
end
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_configures 'nova::metadata::novajoin::authtoken'
end
end
end


@ -1,49 +0,0 @@
require 'spec_helper'
describe 'nova::metadata::novajoin::policy' do
shared_examples_for 'novajoin policies' do
let :params do
{
:policy_path => '/etc/novajoin/policy.yaml',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
}
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy('/etc/novajoin/policy.yaml').with(
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
},
:policy_path => '/etc/novajoin/policy.yaml',
:file_user => 'root',
:file_format => 'yaml',
:purge_config => false,
)
is_expected.to contain_oslo__policy('novajoin_config').with(
:policy_file => '/etc/novajoin/policy.yaml',
)
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_configures 'novajoin policies'
end
end
end


@ -1,41 +0,0 @@
require 'spec_helper'
provider_class = Puppet::Type.type(:novajoin_config).provider(:ini_setting)
describe provider_class do
it 'should default to the default setting when no other one is specified' do
resource = Puppet::Type::Novajoin_config.new(
{:name => 'DEFAULT/foo', :value => 'bar'}
)
provider = provider_class.new(resource)
expect(provider.section).to eq('DEFAULT')
expect(provider.setting).to eq('foo')
end
it 'should allow setting to be set explicitly' do
resource = Puppet::Type::Novajoin_config.new(
{:name => 'dude/foo', :value => 'bar'}
)
provider = provider_class.new(resource)
expect(provider.section).to eq('dude')
expect(provider.setting).to eq('foo')
end
it 'should ensure absent when <SERVICE DEFAULT> is specified as a value' do
resource = Puppet::Type::Novajoin_config.new(
{:name => 'dude/foo', :value => '<SERVICE DEFAULT>'}
)
provider = provider_class.new(resource)
provider.exists?
expect(resource[:ensure]).to eq :absent
end
it 'should ensure absent when value matches ensure_absent_val' do
resource = Puppet::Type::Novajoin_config.new(
{:name => 'dude/foo', :value => 'foo', :ensure_absent_val => 'foo' }
)
provider = provider_class.new(resource)
provider.exists?
expect(resource[:ensure]).to eq :absent
end
end


@ -1,64 +0,0 @@
require 'puppet'
require 'puppet/type/novajoin_config'
describe 'Puppet::Type.type(:novajoin_config)' do
before :each do
@novajoin_config = Puppet::Type.type(:novajoin_config).new(:name => 'DEFAULT/foo', :value => 'bar')
end
it 'should require a name' do
expect {
Puppet::Type.type(:novajoin_config).new({})
}.to raise_error(Puppet::Error, 'Title or name must be provided')
end
it 'should not expect a name with whitespace' do
expect {
Puppet::Type.type(:novajoin_config).new(:name => 'f oo')
}.to raise_error(Puppet::Error, /Parameter name failed/)
end
it 'should fail when there is no section' do
expect {
Puppet::Type.type(:novajoin_config).new(:name => 'foo')
}.to raise_error(Puppet::Error, /Parameter name failed/)
end
it 'should not require a value when ensure is absent' do
Puppet::Type.type(:novajoin_config).new(:name => 'DEFAULT/foo', :ensure => :absent)
end
it 'should accept a valid value' do
@novajoin_config[:value] = 'bar'
expect(@novajoin_config[:value]).to eq('bar')
end
it 'should not accept a value with whitespace' do
@novajoin_config[:value] = 'b ar'
expect(@novajoin_config[:value]).to eq('b ar')
end
it 'should accept valid ensure values' do
@novajoin_config[:ensure] = :present
expect(@novajoin_config[:ensure]).to eq(:present)
@novajoin_config[:ensure] = :absent
expect(@novajoin_config[:ensure]).to eq(:absent)
end
it 'should not accept invalid ensure values' do
expect {
@novajoin_config[:ensure] = :latest
}.to raise_error(Puppet::Error, /Invalid value/)
end
it 'should autorequire the package that install the file' do
catalog = Puppet::Resource::Catalog.new
anchor = Puppet::Type.type(:anchor).new(:name => 'nova::install::end')
catalog.add_resource anchor, @novajoin_config
dependency = @novajoin_config.autorequire
expect(dependency.size).to eq(1)
expect(dependency[0].target).to eq(@novajoin_config)
expect(dependency[0].source).to eq(anchor)
end
end


@ -1,19 +0,0 @@
[libdefaults]
default_realm = <%= @ipa_realm_real %>
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
<%= @ipa_realm_real %> = {
kdc = <%= @ipa_hostname %>:88
master_kdc = <%= @ipa_hostname %>:88
admin_server = <%= @ipa_hostname %>:749
default_domain = <%= @ipa_domain_real %>
}
[domain_realm]
.<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
<%= @ipa_domain_real %> = <%= @ipa_realm_real %>