Add glance image signature verification parameter

Change-Id: I06e428e51bf157ea22b7f46b9c00cfdf7bea5a7d
2017-12-07 16:20:34 -05:00 · 2017-12-07 16:20:34 -05:00 · f567320681
parent 9606525df2
commit f567320681
3 changed files with 14 additions and 1 deletions
--- a/manifests/compute.pp
+++ b/manifests/compute.pp
@ -142,6 +142,10 @@
 #   Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
 #   Defaults to 'nova.keymgr.conf_key_mgr.ConfKeyManager'.
 #
+# [*verify_glance_signatures*]
+#   (optional) Whether to verify image signatures. (boolean value)
+#   Defaults to $::os_service_default
+#
 # DEPRECATED PARAMETERS
 #
 # [*keymgr_api_class*]
@ -180,6 +184,7 @@ class nova::compute (
  $max_concurrent_live_migrations              = $::os_service_default,
  $consecutive_build_service_disable_threshold = $::os_service_default,
  $keymgr_backend                              = 'nova.keymgr.conf_key_mgr.ConfKeyManager',
+  $verify_glance_signatures                    = $::os_service_default,
  # DEPRECATED PARAMETERS
  $keymgr_api_class                            = undef,
 ) {
@ -294,7 +299,8 @@ class nova::compute (
  }

  nova_config {
-    'DEFAULT/config_drive_format': value => $config_drive_format;
+    'DEFAULT/config_drive_format':     value => $config_drive_format;
+    'glance/verify_glance_signatures': value => $verify_glance_signatures;
  }

 }
--- a/releasenotes/notes/add-glance-image-verification-parameter-456df02dd26552d3.yaml
+++ b/releasenotes/notes/add-glance-image-verification-parameter-456df02dd26552d3.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - Added parameter verify_glance_signatures to enable verification of signatures
+    on glance images.
--- a/spec/classes/nova_compute_spec.rb
+++ b/spec/classes/nova_compute_spec.rb
@ -33,6 +33,7 @@ describe 'nova::compute' do
      it { is_expected.to contain_nova_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_nova_config('barbican/barbican_api_version').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_nova_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>') }
+      it { is_expected.to contain_nova_config('glance/verify_glance_signatures').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_nova_config('DEFAULT/max_concurrent_live_migrations').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_nova_config('compute/consecutive_build_service_disable_threshold').with_value('<SERVICE DEFAULT>') }

@ -79,6 +80,7 @@ describe 'nova::compute' do
          :barbican_api_version               => 'v1',
          :barbican_auth_endpoint             => 'http://127.0.0.1:5000/v3',
          :max_concurrent_live_migrations     => '4',
+          :verify_glance_signatures           => true,
          :consecutive_build_service_disable_threshold => '9',
        }
      end
@ -132,6 +134,7 @@ describe 'nova::compute' do
      it { is_expected.to contain_nova_config('compute/consecutive_build_service_disable_threshold').with_value('9') }

      it { is_expected.to contain_nova_config('DEFAULT/resume_guests_state_on_host_boot').with_value(true) }
+      it { is_expected.to contain_nova_config('glance/verify_glance_signatures').with_value(true) }

      it 'configures nova config_drive_format to vfat' do
        is_expected.to contain_nova_config('DEFAULT/config_drive_format').with_value('vfat')