Use novajoin-specific user and directory

This uses novajoin's user and directory for the novajoin service instead
of relying on the nova service user and /etc/nova. It also removes some
nova-specific parameters related to auth, to replace them with more
generic names.

Change-Id: I5e02164854542ad08b1b517f52334187913ee4e8

manifests/metadata/novajoin/api.pp

@@ -5,8 +5,8 @@
 #
 # === Parameters
 #
-# [*nova_password*]
+# [*service_password*]
-#   (required) Password for the nova service user.
+#   (required) Password for the novajoin service user.
 #
 # [*transport_url*]
 #   (required) Transport URL for notifier service to talk to
@@ -18,7 +18,7 @@
 #
 # [*api_paste_config*]
 #   (optional) Filename for the paste deploy file.
-#   Defaults to '/etc/nova/join-api-paste.ini'.
+#   Defaults to '/etc/novajoin/join-api-paste.ini'.
 #
 # [*auth_strategy*]
 #   (optional) Strategy to use for authentication.
@@ -66,7 +66,7 @@
 #
 # [*keytab*]
 #   (optional) Kerberos client keytab file.
-#   Defaults to '/etc/nova/krb5.keytab'
+#   Defaults to '/etc/novajoin/krb5.keytab'
 #
 # [*log_dir*]
 #   (optional) log directory.
@@ -76,27 +76,35 @@
 #   (optional) If Puppet should manage service startup / shutdown.
 #   Defaults to true.
 #
+# [*service_user*]
+#   (optional) User that the novajoin services run as.
+#   Defaults to 'novajoin'
+#
+# [*project_domain_name*]
+#   (optional) Domain name containing project (for novajoin auth).
+#   Defaults to 'default'
+#
+# [*project_name*]
+#   (optional) Project name (for novajoin auth).
+#   Defaults to 'service'
+#
+# [*user_domain_id*]
+#   (optional) Domain for novajoin user.
+#   Defaults to 'default'
+#
+# DEPRECATED PARAMETERS
+#
 # [*nova_user*]
 #   (optional) User that nova services run as.
 #   Defaults to 'nova'
 #
-# [*project_domain_name*]
+# [*nova_password*]
-#   (optional) Domain name containing project (for nova auth).
+#   (required) Password for the nova service user.
-#   Defaults to 'default'
-#
-# [*project_name*]
-#   (optional) Project name (for nova auth).
-#   Defaults to 'service'
-#
-# [*user_domain_id*]
-#   (optional) Domain for nova user.
-#   Defaults to 'default'
 #
 class nova::metadata::novajoin::api (
-  $nova_password,
   $transport_url,
   $bind_address              = '127.0.0.1',
-  $api_paste_config          = '/etc/nova/join-api-paste.ini',
+  $api_paste_config          = '/etc/novajoin/join-api-paste.ini',
   $auth_strategy             = $::os_service_default,
   $auth_type                 = 'password',
   $cacert                    = '/etc/ipa/ca.crt',
@@ -108,16 +116,42 @@ class nova::metadata::novajoin::api (
   $ipa_domain                = undef,
   $join_listen_port          = $::os_service_default,
   $keystone_auth_url         = 'http://127.0.0.1:35357/',
-  $keytab                    = '/etc/nova/krb5.keytab',
+  $keytab                    = '/etc/novajoin/krb5.keytab',
   $log_dir                   = '/var/log/novajoin',
   $manage_service            = true,
-  $nova_user                 = 'nova',
+  $service_password          = undef,
+  $service_user              = 'novajoin',
   $project_domain_name       = 'default',
   $project_name              = 'service',
   $user_domain_id            = 'default',
+  # DEPRECATED PARAMETERS
+  $nova_user                 = 'nova',
+  $nova_password             = undef,
 ) {
   include ::nova::metadata::novajoin::authtoken
 
+  if $service_user {
+    $service_user_real = $service_user
+  } else {
+    warning('The nova_user parameter is deprecated. use service_user instead')
+    $service_user_real = $nova_user
+  }
+
+  if ! $service_user_real {
+    fail('service_user is missing')
+  }
+
+  if $service_password {
+    $service_password_real = $service_password
+  } else {
+    warning('The nova_password parameter is deprecated. use service_password instead')
+    $service_password_real = $nova_password
+  }
+
+  if ! $service_password_real {
+    fail('service_password is missing')
+  }
+
   case $::osfamily {
     'RedHat': {
       $package_name        = 'python-novajoin'
@@ -158,8 +192,8 @@ class nova::metadata::novajoin::api (
     'DEFAULT/transport_url':                   value => $transport_url;
     'service_credentials/auth_type':           value => $auth_type;
     'service_credentials/auth_url':            value => $keystone_auth_url;
-    'service_credentials/password':            value => $nova_password;
+    'service_credentials/password':            value => $service_password_real;
-    'service_credentials/username':            value => $nova_user;
+    'service_credentials/username':            value => $service_user_real;
     'service_credentials/project_name':        value => $project_name;
     'service_credentials/user_domain_id':      value => $user_domain_id;
     'service_credentials/project_domain_name':
@@ -199,7 +233,7 @@ class nova::metadata::novajoin::api (
     require => Package['python-novajoin']
   }
 
-  ensure_resource('file', $keytab, { owner => $nova_user, require => Exec['get-service-user-keytab'] })
+  ensure_resource('file', $keytab, { owner => $service_user, require => Exec['get-service-user-keytab'] })
 
   Novajoin_config<||> ~> Service<| title == 'novajoin-server'|>
   Novajoin_config<||> ~> Service<| title == 'novajoin-notify'|>

releasenotes/notes/Use-novajoin-specific-user-and-directory-2141e8c0bfc68c24.yaml

@@ -0,0 +1,5 @@
+---
+other:
+  - Novajoin now uses it's own user and configuration directory by default. As
+    to separate from the nova user and have it easier to use in containerized
+    environments.

spec/classes/nova_metadata_novajoin_api_spec.rb

@@ -16,7 +16,7 @@ describe 'nova::metadata::novajoin::api' do
   let :default_params do
     {
       :bind_address              => '127.0.0.1',
-      :api_paste_config          => '/etc/nova/join-api-paste.ini',
+      :api_paste_config          => '/etc/novajoin/join-api-paste.ini',
       :auth_strategy             => '<SERVICE DEFAULT>',
       :auth_type                 => 'password',
       :cacert                    => '/etc/ipa/ca.crt',
@@ -26,16 +26,16 @@ describe 'nova::metadata::novajoin::api' do
       :enable_ipa_client_install => true,
       :ensure_package            => 'present',
       :join_listen_port          => '<SERVICE DEFAULT>',
-      :keytab                    => '/etc/nova/krb5.keytab',
+      :keytab                    => '/etc/novajoin/krb5.keytab',
       :log_dir                   => '/var/log/novajoin',
       :manage_service            => true,
-      :nova_user                 => 'nova',
+      :service_user              => 'novajoin',
       :project_domain_name       => 'default',
       :project_name              => 'service',
       :user_domain_id            => 'default',
       :ipa_domain                => 'EXAMPLE.COM',
       :keystone_auth_url         => 'https://keystone.example.com:35357',
-      :nova_password             => 'my_secret_password',
+      :service_password          => 'my_secret_password',
       :transport_url             => 'rabbit:rabbit_pass@rabbit_host',
     }
   end
@@ -43,7 +43,7 @@ describe 'nova::metadata::novajoin::api' do
   [{},
    {
       :bind_address              => '0.0.0.0',
-      :api_paste_config          => '/etc/nova/join-api-paste.ini',
+      :api_paste_config          => '/etc/novajoin/join-api-paste.ini',
       :auth_strategy             => 'noauth2',
       :auth_type                 => 'password',
       :cacert                    => '/etc/ipa/ca.crt',
@@ -56,13 +56,13 @@ describe 'nova::metadata::novajoin::api' do
       :keytab                    => '/etc/krb5.conf',
       :log_dir                   => '/var/log/novajoin',
       :manage_service            => true,
-      :nova_user                 => 'nova1',
+      :service_user              => 'novajoin1',
       :project_domain_name       => 'default',
       :project_name              => 'service',
       :user_domain_id            => 'default',
       :ipa_domain                => 'EXAMPLE2.COM',
       :keystone_auth_url         => 'https://keystone2.example.com:35357',
-      :nova_password             => 'my_secret_password2',
+      :service_password          => 'my_secret_password2',
       :transport_url             => 'rabbit:rabbit_pass2@rabbit_host',
     }
   ].each do |param_set|
@@ -122,11 +122,11 @@ describe 'nova::metadata::novajoin::api' do
       it 'is_expected.to configure service credentials' do
         is_expected.to contain_novajoin_config('service_credentials/auth_type').with_value(param_hash[:auth_type])
         is_expected.to contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
-        is_expected.to contain_novajoin_config('service_credentials/password').with_value(param_hash[:nova_password])
+        is_expected.to contain_novajoin_config('service_credentials/password').with_value(param_hash[:service_password])
         is_expected.to contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
         is_expected.to contain_novajoin_config('service_credentials/user_domain_id').with_value(param_hash[:user_domain_id])
         is_expected.to contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
-        is_expected.to contain_novajoin_config('service_credentials/username').with_value(param_hash[:nova_user])
+        is_expected.to contain_novajoin_config('service_credentials/username').with_value(param_hash[:service_user])
       end
 
       it 'is_expected.to get service user keytab' do
@@ -137,7 +137,7 @@ describe 'nova::metadata::novajoin::api' do
       end
 
       it { is_expected.to contain_file("#{param_hash[:keytab]}").with(
-        'owner'   => "#{param_hash[:nova_user]}",
+        'owner'   => "#{param_hash[:service_user]}",
         'require' => 'Exec[get-service-user-keytab]',
       )}
 
@@ -158,7 +158,7 @@ describe 'nova::metadata::novajoin::api' do
         :manage_service    => false,
         :enabled           => false,
         :ipa_domain        => 'EXAMPLE.COM',
-        :nova_password  => 'my_secret_password',
+        :service_password  => 'my_secret_password',
         :transport_url     => 'rabbit:rabbit_pass@rabbit_host',
       }
     end

spec/classes/nova_metadata_novajoin_auth_spec.rb

@@ -128,7 +128,7 @@ describe 'nova::metadata::novajoin::auth' do
        }
       class { '::ipaclient': password => 'join_otp', }
        class { '::nova::metadata::novajoin::api':
-         nova_password => 'secrete',
+         service_password => 'secrete',
          transport_url => 'rabbit://127.0.0.1//',
        }"
     end