Use secret_ceph resource in nova::compute::rbd
This migrates the libvirt secret handling in the nova::compute::rbd class to use the new secret_ceph definition. We also deprecate the rbd_keyring approach: libvirt_rbd_secret_key is now required if manage_libvirt_secret is set to true (the default) and a libvirt_rbd_secret_uuid is given. Change-Id: I8be56ebfc7c7ed6fb6d1d92f0ffec4a6d714a5d1
parent
a7498d6dbc
commit
d033bb39de
@ -53,7 +53,7 @@
|
||||
# [*libvirt_rbd_secret_uuid*]
|
||||
# (optional) The libvirt uuid of the secret for the rbd_user.
|
||||
# Required to use cephx.
|
||||
# Default to false.
|
||||
# Default to undef.
|
||||
#
|
||||
# [*libvirt_rbd_secret_key*]
|
||||
# (optional) The cephx key to use as key for the libvirt secret,
|
||||
@ -62,10 +62,6 @@
|
||||
# provided of the client.admin keyring as well.
|
||||
# Default to undef.
|
||||
#
|
||||
# [*rbd_keyring*]
|
||||
# (optional) The keyring name to use when retrieving the RBD secret
|
||||
# Default to 'client.nova'
|
||||
#
|
||||
# [*ephemeral_storage*]
|
||||
# (optional) Whether or not to use the rbd driver for the nova
|
||||
# ephemeral storage or for the cinder volumes only.
|
||||
@ -88,26 +84,37 @@
|
||||
# (optional) Manage the libvirt secret
|
||||
# Defaults to true
|
||||
#
|
||||
# == Deprecated parameters
|
||||
#
|
||||
# [*rbd_keyring*]
|
||||
# (optional) The keyring name to use when retrieving the RBD secret
|
||||
# Default to undef
|
||||
#
|
||||
class nova::compute::rbd (
|
||||
$libvirt_rbd_user,
|
||||
$libvirt_rbd_secret_uuid = false,
|
||||
$libvirt_rbd_secret_uuid = undef,
|
||||
$libvirt_rbd_secret_key = undef,
|
||||
$libvirt_images_rbd_pool = 'rbd',
|
||||
$libvirt_images_rbd_ceph_conf = '/etc/ceph/ceph.conf',
|
||||
$libvirt_images_rbd_glance_store_name = $facts['os_service_default'],
|
||||
$libvirt_images_rbd_glance_copy_poll_interval = $facts['os_service_default'],
|
||||
$libvirt_images_rbd_glance_copy_timeout = $facts['os_service_default'],
|
||||
$rbd_keyring = 'client.nova',
|
||||
Boolean $ephemeral_storage = true,
|
||||
Boolean $manage_ceph_client = true,
|
||||
$ceph_client_ensure = 'present',
|
||||
$package_ensure = 'present',
|
||||
Boolean $manage_libvirt_secret = true,
|
||||
## DEPRECATED PARAMETERS
|
||||
$rbd_keyring = undef,
|
||||
) {
|
||||
|
||||
include nova::deps
|
||||
include nova::params
|
||||
|
||||
if $rbd_keyring != undef {
|
||||
warning('The rbd_keyring parameter is deprecated and has no effect')
|
||||
}
|
||||
|
||||
if $manage_ceph_client {
|
||||
# Install ceph client libraries
|
||||
package { 'ceph-client-package':
|
||||
@ -128,42 +135,27 @@ class nova::compute::rbd (
|
||||
'libvirt/rbd_user': value => $libvirt_rbd_user;
|
||||
}
|
||||
|
||||
if $libvirt_rbd_secret_uuid {
|
||||
if $libvirt_rbd_secret_uuid != undef {
|
||||
nova_config {
|
||||
'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid;
|
||||
}
|
||||
|
||||
# TODO(tobias-urdin): Remove these two when propagated
|
||||
file { '/etc/nova/secret.xml':
|
||||
ensure => 'absent',
|
||||
}
|
||||
file { '/etc/nova/virsh.secret':
|
||||
ensure => 'absent',
|
||||
}
|
||||
|
||||
if $manage_libvirt_secret {
|
||||
file { '/etc/nova/secret.xml':
|
||||
content => epp('nova/libvirt-secret-ceph.xml.epp', {
|
||||
'secret_name' => "${rbd_keyring} secret",
|
||||
'uuid' => $libvirt_rbd_secret_uuid,
|
||||
}),
|
||||
require => Anchor['nova::config::begin'],
|
||||
if $libvirt_rbd_secret_key == undef {
|
||||
fail('libvirt_rbd_secret_key is required when libvirt_rbd_secret_uuid is set')
|
||||
}
|
||||
|
||||
#Variable name shrunk in favor of removing
|
||||
#the more than 140 chars puppet-lint warning.
|
||||
#variable used in the get-or-set virsh secret
|
||||
#resource.
|
||||
$cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
|
||||
exec { 'get-or-set virsh secret':
|
||||
command => $cm,
|
||||
unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
|
||||
require => File['/etc/nova/secret.xml'],
|
||||
}
|
||||
Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']
|
||||
|
||||
if $libvirt_rbd_secret_key {
|
||||
$libvirt_key = $libvirt_rbd_secret_key
|
||||
} else {
|
||||
$libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
|
||||
}
|
||||
exec { 'set-secret-value virsh':
|
||||
command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
|
||||
unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
|
||||
logoutput => false,
|
||||
require => Exec['get-or-set virsh secret'],
|
||||
nova::compute::libvirt::secret_ceph { $libvirt_rbd_secret_uuid:
|
||||
uuid => $libvirt_rbd_secret_uuid,
|
||||
value => $libvirt_rbd_secret_key,
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
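Review bot: The new guard `if $libvirt_rbd_secret_uuid != undef` in the last hunk of this manifest is also true for `false`, which was the documented default until this commit. A caller that still passes `libvirt_rbd_secret_uuid => false` now gets `libvirt/rbd_secret_uuid` written as `false` and, with `manage_libvirt_secret` at its default and no key, hits the new `fail()`. Keeping the truthiness test `if $libvirt_rbd_secret_uuid {` covers both `undef` and `false`; alternatively, type the parameter, for example `Optional[String[1]] $libvirt_rbd_secret_uuid = undef`, so a stale `false` is rejected with a clear type error. Separately, `$libvirt_rbd_secret_key` carries a cephx key and is still an untyped parameter; how `nova::compute::libvirt::secret_ceph` handles `value` is not visible on this page, so it is worth confirming there that the key stays off command lines and out of logs. The class body continues past the end of the hunk.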
@ -0,0 +1,12 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
If you are setting ``libvirt_rbd_secret_uuid`` in the ``nova::compute::rbd``
|
||||
class you MUST now set ``libvirt_rbd_secret_key`` as well if the
|
||||
``manage_libvirt_secret`` parameters is set to true (the default) because
|
||||
the ``rbd_keyring`` parameter is deprecated and has no effect, we no longer
|
||||
get the Ceph authx key automatically if ``libvirt_rbd_secret_key`` is not set.
|
||||
deprecations:
|
||||
- |
|
||||
The ``nova::compute::rbd::rbd_keyring`` parameter is deprecated and has
|
||||
no effect.
|
@ -52,7 +52,6 @@ describe 'nova::compute::rbd' do
|
||||
before :each do
|
||||
params.merge!(
|
||||
:libvirt_rbd_user => 'joe',
|
||||
:libvirt_rbd_secret_uuid => false,
|
||||
:libvirt_images_rbd_pool => 'AnotherPool',
|
||||
:libvirt_images_rbd_ceph_conf => '/tmp/ceph.conf',
|
||||
:libvirt_images_rbd_glance_store_name => 'glance_rbd_store',
|
||||
@ -72,60 +71,25 @@ describe 'nova::compute::rbd' do
|
||||
end
|
||||
|
||||
context 'when using cephx' do
|
||||
before :each do
|
||||
params.merge!(
|
||||
:libvirt_rbd_secret_uuid => 'UUID',
|
||||
:rbd_keyring => 'client.rbd_test'
|
||||
)
|
||||
end
|
||||
|
||||
it 'configure nova.conf with RBD secret UUID' do
|
||||
is_expected.to contain_nova_config('libvirt/rbd_secret_uuid').with_value('UUID')
|
||||
end
|
||||
|
||||
it 'configure ceph on compute nodes' do
|
||||
verify_contents(catalogue, '/etc/nova/secret.xml', [
|
||||
"<secret ephemeral=\'no\' private=\'no\'>",
|
||||
" <usage type=\'ceph\'>",
|
||||
" <name>client.rbd_test secret</name>",
|
||||
" </usage>",
|
||||
" <uuid>UUID</uuid>",
|
||||
"</secret>"
|
||||
])
|
||||
is_expected.to contain_exec('get-or-set virsh secret').with(
|
||||
:command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
|
||||
:unless => '/usr/bin/virsh secret-list | grep -i UUID',
|
||||
:require => 'File[/etc/nova/secret.xml]',
|
||||
)
|
||||
is_expected.to contain_exec('set-secret-value virsh').with(
|
||||
:command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
|
||||
:logoutput => false,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when using cephx and passing libvirt_rbd_secret_key' do
|
||||
before :each do
|
||||
before do
|
||||
params.merge!(
|
||||
:libvirt_rbd_secret_uuid => 'UUID',
|
||||
:libvirt_rbd_secret_key => 'LIBVIRT/SECRET/KEY',
|
||||
)
|
||||
end
|
||||
|
||||
it 'set libvirt secret key from passed key' do
|
||||
is_expected.to contain_exec('set-secret-value virsh').with(
|
||||
:command => "/usr/bin/virsh secret-set-value --secret #{params[:libvirt_rbd_secret_uuid]} --base64 #{params[:libvirt_rbd_secret_key]}",
|
||||
:logoutput => false,
|
||||
)
|
||||
end
|
||||
it { is_expected.to contain_nova__compute__libvirt__secret_ceph('UUID').with(
|
||||
:uuid => params[:libvirt_rbd_secret_uuid],
|
||||
:value => params[:libvirt_rbd_secret_key],
|
||||
)}
|
||||
end
|
||||
|
||||
context 'when using cephx but disabling ephemeral storage' do
|
||||
before :each do
|
||||
before do
|
||||
params.merge!(
|
||||
:libvirt_rbd_secret_uuid => 'UUID',
|
||||
:rbd_keyring => 'client.rbd_test',
|
||||
:ephemeral_storage => false
|
||||
:libvirt_rbd_secret_uuid => 'UUID',
|
||||
:libvirt_rbd_secret_key => 'LIBVIRT/SECRET/KEY',
|
||||
:ephemeral_storage => false
|
||||
)
|
||||
end
|
||||
|
||||
@ -139,25 +103,10 @@ describe 'nova::compute::rbd' do
|
||||
is_expected.to contain_nova_config('libvirt/rbd_secret_uuid').with_value('UUID')
|
||||
end
|
||||
|
||||
it 'configure ceph on compute nodes' do
|
||||
verify_contents(catalogue, '/etc/nova/secret.xml', [
|
||||
"<secret ephemeral=\'no\' private=\'no\'>",
|
||||
" <usage type=\'ceph\'>",
|
||||
" <name>client.rbd_test secret</name>",
|
||||
" </usage>",
|
||||
" <uuid>UUID</uuid>",
|
||||
"</secret>"
|
||||
])
|
||||
is_expected.to contain_exec('get-or-set virsh secret').with(
|
||||
:command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
|
||||
:unless => '/usr/bin/virsh secret-list | grep -i UUID',
|
||||
:require => 'File[/etc/nova/secret.xml]',
|
||||
)
|
||||
is_expected.to contain_exec('set-secret-value virsh').with(
|
||||
:command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
|
||||
:logoutput => false,
|
||||
)
|
||||
end
|
||||
it { is_expected.to contain_nova__compute__libvirt__secret_ceph('UUID').with(
|
||||
:uuid => params[:libvirt_rbd_secret_uuid],
|
||||
:value => params[:libvirt_rbd_secret_key],
|
||||
)}
|
||||
end
|
||||
|
||||
context 'when not managing ceph client' do
|
||||
|
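Review bot: The removed 'when using cephx' context was the only case with `libvirt_rbd_secret_uuid` set and no key, and nothing replaces it, so the new `fail()` in the manifest has no coverage. Add a context that sets only `:libvirt_rbd_secret_uuid => 'UUID'` and asserts `it { is_expected.to raise_error(Puppet::Error, /libvirt_rbd_secret_key is required/) }`. The two remaining cephx contexts could also assert that the legacy files are cleaned up, for example `is_expected.to contain_file('/etc/nova/secret.xml').with_ensure('absent')`. A case with `manage_libvirt_secret => false` would pin that no `secret_ceph` resource is declared. The describe block starts and ends outside these hunks.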