diff --git a/manifests/compute.pp b/manifests/compute.pp index a80f56495..d0ff6a1d8 100644 --- a/manifests/compute.pp +++ b/manifests/compute.pp @@ -157,19 +157,6 @@ # resume their state each time the compute node boots or restarts. # Defaults to $::os_service_default # -# [*barbican_auth_endpoint*] -# (optional) Keystone v3 API URL. -# Example: http://localhost:5000/v3 -# Defaults to $::os_service_default -# -# [*barbican_endpoint*] -# (optional) Barbican URL. -# Defaults to $::os_service_default -# -# [*barbican_api_version*] -# (optional) Barbican API version. -# Defaults to $::os_service_default -# # [*max_concurrent_builds*] # (optional) Maximum number of instance builds to run concurrently # Defaults to $::os_service_default @@ -192,11 +179,6 @@ # will disable itself. # Defaults to $::os_service_default # -# [*keymgr_backend*] -# (optional) Key Manager service class. -# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager -# Defaults to 'nova.keymgr.conf_key_mgr.ConfKeyManager'. -# # [*reserved_huge_pages*] # (optional) Number of huge memory pages to reserved per NUMA host cell. # Defaults to $::os_service_default @@ -311,6 +293,24 @@ # (optional) Whether to verify image signatures. (boolean value) # Defaults to undef # +# [*keymgr_backend*] +# (optional) Key Manager service class. +# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager +# Defaults to undef +# +# [*barbican_auth_endpoint*] +# (optional) Keystone v3 API URL. +# Example: http://localhost:5000/v3 +# Defaults to undef +# +# [*barbican_endpoint*] +# (optional) Barbican URL. +# Defaults to undef +# +# [*barbican_api_version*] +# (optional) Barbican API version. +# Defaults to undef +# class nova::compute ( $enabled = true, $manage_service = true, 
@@ -342,15 +342,11 @@ class nova::compute ( $cpu_shared_set = $::os_service_default, $cpu_dedicated_set = $::os_service_default, $resume_guests_state_on_host_boot = $::os_service_default, - $barbican_auth_endpoint = $::os_service_default, - $barbican_endpoint = $::os_service_default, - $barbican_api_version = $::os_service_default, $max_concurrent_builds = $::os_service_default, $max_concurrent_live_migrations = $::os_service_default, $sync_power_state_pool_size = $::os_service_default, $sync_power_state_interval = $::os_service_default, $consecutive_build_service_disable_threshold = $::os_service_default, - $keymgr_backend = 'nova.keymgr.conf_key_mgr.ConfKeyManager', $reserved_huge_pages = $::os_service_default, $neutron_physnets_numa_nodes_mapping = {}, $neutron_tunnel_numa_nodes = [], @@ -372,6 +368,10 @@ class nova::compute ( $allow_resize_to_same_host = undef, $pci_passthrough = undef, $verify_glance_signatures = undef, + $keymgr_backend = undef, + $barbican_auth_endpoint = undef, + $barbican_endpoint = undef, + $barbican_api_version = undef, ) { include nova::deps @@ -457,14 +457,6 @@ Use the same parameter in nova::api class.') } } - # cryptsetup is required when Barbican is encrypting volumes - if $keymgr_backend =~ /barbican/ { - ensure_packages('cryptsetup', { - ensure => present, - tag => 'openstack', - }) - } - if !empty($neutron_physnets_numa_nodes_mapping) { validate_legacy(Hash, 'validate_hash', $neutron_physnets_numa_nodes_mapping) $neutron_physnets_real = keys($neutron_physnets_numa_nodes_mapping) 
@@ -527,10 +519,6 @@ Use the same parameter in nova::api class.') 'DEFAULT/resize_confirm_window': value => $resize_confirm_window; 'DEFAULT/shutdown_timeout': value => $shutdown_timeout; 'DEFAULT/resume_guests_state_on_host_boot': value => $resume_guests_state_on_host_boot; - 'key_manager/backend': value => $keymgr_backend; - 'barbican/auth_endpoint': value => $barbican_auth_endpoint; - 'barbican/barbican_endpoint': value => $barbican_endpoint; - 'barbican/barbican_api_version': value => $barbican_api_version; 'DEFAULT/max_concurrent_builds': value => $max_concurrent_builds_real; 'DEFAULT/max_concurrent_live_migrations': value => $max_concurrent_live_migrations; 'DEFAULT/sync_power_state_pool_size': value => $sync_power_state_pool_size; @@ -552,6 +540,18 @@ Use the same parameter in nova::api class.') value => $block_device_allocate_retries_interval_real; } + if $keymgr_backend != undef { + warning('The keymgr_backend parameter has been deprecated. Use the nova::key_manager class') + include nova::key_manager + } + + ['barbican_auth_endpoint', 'barbican_endpoint', 'barbican_api_version'].each |String $barbican_opt| { + if getvar("${barbican_opt}") != undef { + warning("The ${barbican_opt} parameter is deprecated. Use the nova::key_manager::barbican class") + } + include nova::key_manager::barbican + } + if ($vnc_enabled) { include nova::vncproxy::common diff --git a/manifests/key_manager.pp b/manifests/key_manager.pp new file mode 100644 index 000000000..8c7f9e715 --- /dev/null +++ b/manifests/key_manager.pp 
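Review bot: In the new `.each` loop, `include nova::key_manager::barbican` sits outside the `if`, so it runs for every node that declares nova::compute, not only when a deprecated Barbican parameter is set. That class calls `ensure_packages('cryptsetup', ...)` unconditionally, so cryptsetup is now installed on all compute nodes, whereas the removed block installed it only when `$keymgr_backend =~ /barbican/`. `nova::key_manager`, by contrast, is included only when `keymgr_backend` is set, so `key_manager/backend` is no longer written for a default nova::compute. If that asymmetry is not intended, move the include inside the `if getvar(...) != undef` block; `getvar("${barbican_opt}")` can also be written `getvar($barbican_opt)`. The hunk starts and ends inside the body of `class nova::compute`.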
@@ -0,0 +1,22 @@
+# == Class: nova::key_manager
+#
+# Setup and configure Key Manager options
+#
+# === Parameters
+#
+# [*backend*]
+# (Optional) Specify the key manager implementation.
+# Defaults to 'nova.keymgr.conf_key_mgr.ConfKeyManager'
+#
+class nova::key_manager (
+ $backend = 'nova.keymgr.conf_key_mgr.ConfKeyManager',
+) {
+
+ include nova::deps
+
+ $backend_real = pick($nova::compute::keymgr_backend, $backend)
+
+ oslo::key_manager { 'nova_config':
+ backend => $backend_real,
+ }
+}
diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp
new file mode 100644
index 000000000..541504837
--- /dev/null
+++ b/manifests/key_manager/barbican.pp
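Review bot: `pick($nova::compute::keymgr_backend, $backend)` reads a variable from another class without checking that the class has been evaluated, so the backend written to nova.conf depends on whether, and in which order, nova::compute is in the catalog. On a node that declares nova::key_manager without nova::compute the lookup is of an unknown variable, which presumably fails compilation under strict_variables and otherwise falls back silently to `$backend`. For a setting that selects where volume-encryption keys come from, a silent fallback to the ConfKeyManager default is worth avoiding; `pick(getvar('nova::compute::keymgr_backend'), $backend)` would at least make the lookup safe. The three `pick($nova::compute::barbican_*, ...)` lines in manifests/key_manager/barbican.pp have the same issue. The class header should also state that the deprecated nova::compute parameter takes precedence over `backend`.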
@@ -0,0 +1,67 @@
+# == Class: nova::key_manager::barbican
+#
+# Setup and configure Barbican Key Manager options
+#
+# === Parameters
+#
+# [*barbican_endpoint*]
+# (Optional) Use this endpoint to connect to Barbican.
+# Defaults to $::os_service_default
+#
+# [*barbican_api_version*]
+# (Optional) Version of the Barbican API.
+# Defaults to $::os_service_default
+#
+# [*auth_endpoint*]
+# (Optional) Use this endpoint to connect to Keystone.
+# Defaults to $::os_service_default
+#
+# [*retry_delay*]
+# (Optional) Number of seconds to wait before retrying poll for key creation
+# completion.
+# Defaults to $::os_service_default
+#
+# [*number_of_retries*]
+# (Optional) Number of times to retry poll fo key creation completion.
+# Defaults to $::os_service_default
+#
+# [*barbican_endpoint_type*]
+# (Optional) Specifies the type of endpoint.
+# Defaults to $::os_service_default
+#
+# [*barbican_region_name*]
+# (Optional) Specifies the region of the chosen endpoint.
+# Defaults to $::os_service_default
+#
+class nova::key_manager::barbican (
+ $barbican_endpoint = $::os_service_default,
+ $barbican_api_version = $::os_service_default,
+ $auth_endpoint = $::os_service_default,
+ $retry_delay = $::os_service_default,
+ $number_of_retries = $::os_service_default,
+ $barbican_endpoint_type = $::os_service_default,
+ $barbican_region_name = $::os_service_default,
+) {
+
+ include nova::deps
+
+ $barbican_endpoint_real = pick($nova::compute::barbican_endpoint, $barbican_endpoint)
+ $auth_endpoint_real = pick($nova::compute::barbican_auth_endpoint, $auth_endpoint)
+ $barbican_api_version_real = pick($nova::compute::barbican_api_version, $barbican_api_version)
+
+ # cryptsetup is required when Barbican is encrypting volumes
+ ensure_packages('cryptsetup', {
+ ensure => present,
+ tag => 'openstack',
+ })
+
+ oslo::key_manager::barbican { 'nova_config':
+ barbican_endpoint => $barbican_endpoint_real,
+ barbican_api_version => $barbican_api_version_real,
+ auth_endpoint =>
$auth_endpoint_real,
+ retry_delay => $retry_delay,
+ number_of_retries => $number_of_retries,
+ barbican_endpoint_type => $barbican_endpoint_type,
+ barbican_region_name => $barbican_region_name,
+ }
+}
diff --git a/releasenotes/notes/keymgr-opts-415025c5134a413b.yaml b/releasenotes/notes/keymgr-opts-415025c5134a413b.yaml
new file mode 100644
index 000000000..746ad9b11
--- /dev/null
+++ b/releasenotes/notes/keymgr-opts-415025c5134a413b.yaml
@@ -0,0 +1,22 @@
+---
+features:
+ - |
+ The new ``nova::key_manager`` class has been added. This class manages
+ basic options of key managers.
+
+ - |
+ The new ``nova::key_manager::barbican`` class has been added. This class
+ manages options of BarbicanKeyManager.
+
+deprecations:
+ - |
+ The ``nova::compute::keymgr_backend`` parameter has been deprecated. Use
+ the ``cinder::key_manager`` class.
+
+ - |
+ The following parameters of the ``nova::compute`` class have been
+ deprecated in favor of the new ``nova::barbican`` class.
+
+ - ``barbican_auth_endpoint``
+ - ``barbican_endpoint``
+ - ``barbican_api_version``
diff --git a/spec/classes/nova_compute_spec.rb b/spec/classes/nova_compute_spec.rb
index b18dacb30..c5a972188 100644
--- a/spec/classes/nova_compute_spec.rb
+++ b/spec/classes/nova_compute_spec.rb
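Review bot: The header of `nova::key_manager::barbican` documents the seven parameters but not two side effects a reader needs to know: declaring the class installs the `cryptsetup` package, and `barbican_endpoint`, `auth_endpoint` and `barbican_api_version` are overridden by the deprecated nova::compute parameters when those are set. I would add a short paragraph under `Setup and configure Barbican Key Manager options` stating both, and fix the typo `retry poll fo key creation` to `for`. The release note added in the same commit points readers to `cinder::key_manager` and `nova::barbican`, while the classes added here are `nova::key_manager` and `nova::key_manager::barbican`.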
@@ -24,14 +24,6 @@ describe 'nova::compute' do }) end - it 'does not configures barbican service' do - is_expected.to contain_nova_config('key_manager/backend').with_value('nova.keymgr.conf_key_mgr.ConfKeyManager') - is_expected.to contain_nova_config('barbican/barbican_endpoint').with_value('') - is_expected.to contain_nova_config('barbican/barbican_api_version').with_value('') - is_expected.to contain_nova_config('barbican/auth_endpoint').with_value('') - is_expected.to_not contain_package('cryptsetup').with( :ensure => 'present' ) - end - it 'does not configure vncproxy base url in nova.conf' do is_expected.to contain_nova_config('vnc/enabled').with_value(true) is_expected.to_not contain_nova_config('vnc/novncproxy_base_url') diff --git a/spec/classes/nova_key_manager_barbican_spec.rb b/spec/classes/nova_key_manager_barbican_spec.rb new file mode 100644 index 000000000..53209407a --- /dev/null +++ b/spec/classes/nova_key_manager_barbican_spec.rb 
@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+describe 'nova::key_manager::barbican' do
+ shared_examples 'nova::key_manager::barbican' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
+ :barbican_endpoint => '<SERVICE DEFAULT>',
+ :barbican_api_version => '<SERVICE DEFAULT>',
+ :auth_endpoint => '<SERVICE DEFAULT>',
+ :retry_delay => '<SERVICE DEFAULT>',
+ :number_of_retries => '<SERVICE DEFAULT>',
+ :barbican_endpoint_type => '<SERVICE DEFAULT>',
+ :barbican_region_name => '<SERVICE DEFAULT>',
+ )
+
+ is_expected.to contain_package('cryptsetup').with(
+ :ensure => 'present',
+ :tag => 'openstack',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ )
+
+ is_expected.to contain_package('cryptsetup').with(
+ :ensure => 'present',
+ :tag => 'openstack',
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'nova::key_manager::barbican'
+ end
+ end
+end
diff --git a/spec/classes/nova_key_manager_spec.rb b/spec/classes/nova_key_manager_spec.rb
new file mode 100644
index 000000000..1c238b3e5
--- /dev/null
+++ b/spec/classes/nova_key_manager_spec.rb
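Review bot: Neither new spec covers the deprecated path, where a value set on nova::compute must win over the class parameter through `pick`; the only contexts here and in spec/classes/nova_key_manager_spec.rb are defaults and explicit class parameters. The example removed from nova_compute_spec.rb also asserted that cryptsetup is absent by default, and nothing visible in this commit replaces it. I would add a context with `let :pre_condition` declaring nova::compute with `barbican_endpoint` set (and `keymgr_backend` in the key_manager spec), then assert that value reaches `contain_oslo__key_manager__barbican('nova_config')`. A nova::compute example stating whether `contain_package('cryptsetup')` is expected with default parameters would pin down the intended behaviour.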
@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'nova::key_manager' do
+ shared_examples 'nova::key_manager' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager('nova_config').with(
+ :backend => 'nova.keymgr.conf_key_mgr.ConfKeyManager'
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :backend => 'barbican'
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager('nova_config').with(
+ :backend => 'barbican'
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'nova::key_manager'
+ end
+ end
+end