OpenStack Nova Puppet Module
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

299 lines
8.8 KiB

# == Class: nova::metadata::novajoin::api
#
# The nova::metadata::novajoin::api class encapsulates an
# IPA Nova Join API service.
#
# === Parameters
#
# [*password*]
# (required) Password for the novajoin service user.
#
# [*transport_url*]
# (required) Transport URL for notifier service to talk to
# the messaging queue.
#
# [*bind_address*]
# (optional) IP address for novajoin server to listen
# Defaults to '127.0.0.1'
#
# [*api_paste_config*]
# (optional) Filename for the paste deploy file.
# Defaults to '/etc/novajoin/join-api-paste.ini'.
#
# [*auth_strategy*]
# (optional) Strategy to use for authentication.
# Defaults to 'keystone'.
#
# [*auth_type*]
# (optional) Authentication type.
# Defaults to 'password'.
#
# [*cacert*]
# (optional) CA cert file.
# Defaults to '/etc/ipa/ca.crt'.
#
# [*connect_retries*]
# (optional) Number of connection retries to IPA.
# Defaults to 1.
#
# [*debug*]
# (optional) Set log level to debug.
# Defaults to false.
#
# [*enabled*]
# (optional) Whether to enable services.
# Defaults to true.
#
# [*enable_ipa_client_install*]
# (optional) whether to perform ipa_client_install
# Defaults to true.
#
# [*ensure_package*]
# (optional) The state of novajoin packages.
# Defaults to 'present'
#
# [*ipa_domain*]
# (optional) IPA domain
# Reads the value from /etc/ipa/default.conf if not defined.
#
# [*join_listen_port*]
# (optional) Port for novajoin service to listen on.
# Defaults to 9090
#
# [*keystone_auth_url*]
# (optional) auth_url for the keystone instance.
# Defaults to 'http:://127.0.0.1:5000'
#
# [*keytab*]
# (optional) Kerberos client keytab file.
# Defaults to '/etc/novajoin/krb5.keytab'
#
# [*log_dir*]
# (optional) log directory.
# Defaults to '/var/log/novajoin'
#
# [*manage_service*]
# (optional) If Puppet should manage service startup / shutdown.
# Defaults to true.
#
# [*user_domain_name*]
# (optional) Domain name for novajoin user.
# Defaults to 'Default'
#
# [*username*]
# (optional) User that the novajoin services run as.
# Defaults to 'novajoin'
#
# [*project_domain_name*]
# (optional) Domain name containing project (for novajoin auth).
# Defaults to 'Default'
#
# [*project_name*]
# (optional) Project name (for novajoin auth).
# Defaults to 'services'
#
# [*configure_kerberos*]
# (optional) Whether or not to create a kerberos configuration file.
# Defaults to false
#
# [*ipa_realm*]
# (optional) Kerberos realm. If left empty, the kerberos configuration will
# take the domain and upcase it.
# Defaults to undef
#
# DEPRECATED PARAMETERS
#
# [*service_password*]
# (optional) Password for the novajoin service user.
# Defaults to undef
#
# [*service_user*]
# (optional) User that the novajoin services run as.
# Defaults to undef
#
# [*user_domain_id*]
# (optional) Domain for novajoin user.
# Defaults to undef
#
class nova::metadata::novajoin::api (
$transport_url,
$bind_address = '127.0.0.1',
$api_paste_config = '/etc/novajoin/join-api-paste.ini',
$auth_strategy = $::os_service_default,
$auth_type = 'password',
$cacert = '/etc/ipa/ca.crt',
$connect_retries = $::os_service_default,
$debug = $::os_service_default,
$enabled = true,
$enable_ipa_client_install = true,
$ensure_package = 'present',
$ipa_domain = undef,
$join_listen_port = $::os_service_default,
$keystone_auth_url = 'http://127.0.0.1:5000/',
$keytab = '/etc/novajoin/krb5.keytab',
$log_dir = '/var/log/novajoin',
$manage_service = true,
$password = undef,
$user_domain_name = 'Default',
$username = 'novajoin',
$project_domain_name = 'Default',
$project_name = 'services',
$configure_kerberos = false,
$ipa_realm = undef,
# DEPRECATED PARAMETERS
$service_password = undef,
$service_user = undef,
$user_domain_id = undef,
) {
include nova::params
include nova::metadata::novajoin::authtoken
include nova::metadata::novajoin::policy
if $service_user != undef {
warning('nova::metadata::novajoin::api::service_user is deprecated. \
Use username parameter instead')
$username_real = $service_user
} else {
$username_real = $username
}
if $service_password != undef {
warning('nova::metadata::novajoin::api::service_password is deprecated. \
Use password parameter instead')
$password_real = $service_password
} else {
$password_real = $password
}
if ! $username_real {
fail('username is missing')
}
if ! $password_real {
fail('password is missing')
}
if $nova::params::novajoin_package_name == undef {
fail("Unsupported osfamily: ${::osfamily} operatingsystem")
}
if $enable_ipa_client_install {
require ipaclient
# If we're installing IPA here, the hostname fact won't be populated yet,
# so we'll use a command to get it.
$ipa_hostname_real = '`grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3`'
} else {
# This assumes that the current node is already IPA enrolled, so the
# fact will work here.
$ipa_hostname_real = $::ipa_hostname
}
package { 'python-novajoin':
ensure => $ensure_package,
name => $nova::params::novajoin_package_name,
tag => ['openstack', 'novajoin-package'],
}
file { '/var/log/novajoin':
ensure => directory,
owner => $username_real,
group => $username_real,
recurse => true,
}
if $ipa_domain != undef {
novajoin_config {
'DEFAULT/domain': value => $ipa_domain;
}
$ipa_domain_real = $ipa_domain
} else {
$ipa_domain_real = $::domain
}
if $configure_kerberos {
if $ipa_realm != undef {
$ipa_realm_real
} else {
$ipa_realm_real = upcase($ipa_domain_real)
}
file { '/etc/novajoin/krb5.conf':
content => template('nova/krb5.conf.erb'),
owner => $username_real,
group => $username_real,
}
}
novajoin_config {
'DEFAULT/join_listen': value => $bind_address;
'DEFAULT/api_paste_config': value => $api_paste_config;
'DEFAULT/auth_strategy': value => $auth_strategy;
'DEFAULT/cacert': value => $cacert;
'DEFAULT/connect_retries': value => $connect_retries;
'DEFAULT/debug': value => $debug;
'DEFAULT/join_listen_port': value => $join_listen_port;
'DEFAULT/keytab': value => $keytab;
'DEFAULT/log_dir': value => $log_dir;
'DEFAULT/transport_url': value => $transport_url;
'service_credentials/auth_type': value => $auth_type;
'service_credentials/auth_url': value => $keystone_auth_url;
'service_credentials/password': value => $password_real;
'service_credentials/username': value => $username_real;
'service_credentials/project_name': value => $project_name;
'service_credentials/project_domain_name':
value => $project_domain_name;
}
if $user_domain_id != undef {
warning('nova::metadata::novajoin::api::user_domain_id is deprecated. \
Use user_domain_name instead')
novajoin_config {
'service_credentials/user_domain_id': value => $user_domain_id;
}
} else {
novajoin_config {
'service_credentials/user_domain_name': value => $user_domain_name;
}
}
if $manage_service {
if $enabled {
$service_ensure = 'running'
} else {
$service_ensure = 'stopped'
}
}
service { 'novajoin-server':
ensure => $service_ensure,
name => $nova::params::novajoin_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'openstack',
}
service { 'novajoin-notify':
ensure => $service_ensure,
name => $nova::params::notify_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'openstack',
}
exec { 'get-service-user-keytab':
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ${ipa_hostname_real} \
-p nova/${::fqdn} -k ${keytab}",
creates => $keytab,
}
ensure_resource('file', $keytab, { owner => $username_real, require => Exec['get-service-user-keytab'] })
Package<| tag == 'novajoin-package' |> -> Exec['get-service-user-keytab']
Novajoin_config<||> ~> Service<| title == 'novajoin-server'|>
Novajoin_config<||> ~> Service<| title == 'novajoin-notify'|>
Exec['get-service-user-keytab'] ~> Service['novajoin-server']
Exec['get-service-user-keytab'] ~> Service['novajoin-notify']
Exec['get-service-user-keytab'] ~> Service<| title == 'nova-api'|>
}