Add support for [neutron] keystoneauth options

Octavia recently introduced keystoneauth options to the [neutron] section, and these will be required in a future release. This introduces support for the basic keystoneauth options to meet that requirement. The default values intentionally lack the password value, which triggers the fallback logic in Octavia to use service_auth options instead. Depends-on: https://review.opendev.org/c/openstack/octavia/+/866327 Change-Id: I72c61970e4878c2a06fd42026e53b788943cf945
2023-09-07 17:31:00 +09:00 · 2023-09-07 17:31:00 +09:00 · 296a7a31ff
parent b3bccf3b50
commit 296a7a31ff
4 changed files with 170 additions and 24 deletions
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@ -4,16 +4,56 @@
 #
 # === Parameters:
 #
+# [*auth_url*]
+#   (Optional) Keystone Authentication URL
+#   Defaults to 'http://localhost:5000'
+#
+# [*username*]
+#   (Optional) User for accessing neutron
+#   Defaults to 'neutron'
+#
+# [*password*]
+#   (Optional) Password for user. This will be required in a future release.
+#   Defaults to $facts['os_service_default']
+#
+# [*project_name*]
+#   (Optional) Tenant for accessing neutron
+#   Defaults to 'services'
+#
+# [*user_domain_name*]
+#   (Optional) keystone user domain
+#   Defaults to 'Default'
+#
+# [*project_domain_name*]
+#   (Optional) keystone project domain
+#   Defaults to 'Default'
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $facts['os_service_default']
+#
+# [*auth_type*]
+#   (Optional) keystone authentication type
+#   Defaults to 'password'
+#
+# [*region_name*]
+#   (Optional) The region in which the identity server can be found.
+#   Defaults to $facts['os_service_default']
+#
 # [*service_name*]
 #   (Optional) The name of the neutron service in the keystone catalog.
 #   Defaults to $facts['os_service_default']
 #
-# [*endpoint*]
-#   (Optional) Custom neutron endpoint if override is necessary.
+# [*endpoint_override*]
+#   (Optional) Always use this endpoint URL for requests for this client.
 #   Defaults to $facts['os_service_default']
 #
-# [*region_name*]
-#   (Optional) Region in catalog to use for neutron.
+# [*valid_interfaces*]
+#   (Optional) List of interfaces, in order of preference for endpoint URL.
+#   Defaults to $facts['os_service_default']
+#
+# [*endpoint*]
+#   (Optional) Custom neutron endpoint if override is necessary.
 #   Defaults to $facts['os_service_default']
 #
 # [*endpoint_type*]
@ -21,18 +61,59 @@
 #   Defaults to $facts['os_service_default']
 #
 class octavia::neutron (
-  $service_name         = $facts['os_service_default'],
-  $endpoint             = $facts['os_service_default'],
+  $auth_url             = 'http://localhost:5000',
+  $username             = 'neutron',
+  $password             = $facts['os_service_default'],
+  $project_name         = 'services',
+  $user_domain_name     = 'Default',
+  $project_domain_name  = 'Default',
+  $system_scope         = $facts['os_service_default'],
+  $auth_type            = 'password',
  $region_name          = $facts['os_service_default'],
-  $endpoint_type        = $facts['os_service_default'],
+  $service_name         = $facts['os_service_default'],
+  $endpoint_override    = $facts['os_service_default'],
+  $valid_interfaces     = $facts['os_service_default'],
+  # DEPRECATED PARMAETERS
+  $endpoint             = undef,
+  $endpoint_type        = undef,
 ) {

  include octavia::deps

+  if $endpoint != undef {
+    warning('The endpoint parameter is deprecated. Use endpoint_override.')
+  }
+
+  if $endpoint_type != undef {
+    warning('The endpoint_type parameter is deprecated. Use endpoint_type.')
+  }
+
+  if is_service_default($password) {
+    warning('[neutron] section will require valid credential options in a future release')
+  }
+
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $facts['os_service_default']
+    $project_domain_name_real = $facts['os_service_default']
+  }
+
  octavia_config {
-    'neutron/service_name':  value => $service_name;
-    'neutron/endpoint':      value => $endpoint;
-    'neutron/region_name':   value => $region_name;
-    'neutron/endpoint_type': value => $endpoint_type;
+    'neutron/auth_url':            value => $auth_url;
+    'neutron/username':            value => $username;
+    'neutron/project_name':        value => $project_name_real;
+    'neutron/password':            value => $password, secret => true;
+    'neutron/user_domain_name':    value => $user_domain_name;
+    'neutron/project_domain_name': value => $project_domain_name_real;
+    'neutron/system_scope':        value => $system_scope;
+    'neutron/auth_type':           value => $auth_type;
+    'neutron/region_name':         value => $region_name;
+    'neutron/service_name':        value => $service_name;
+    'neutron/endpoint_override':   value => $endpoint_override;
+    'neutron/valid_interfaces':    value => join(any2array($valid_interfaces), ',');
+    'neutron/endpoint':            value => pick($endpoint, $facts['os_service_default']);
+    'neutron/endpoint_type':       value => pick($endpoint_type, $facts['os_service_default']);
  }
 }
--- a/releasenotes/notes/neutron-sdk-opts-eda1fae468d8bf50.yaml
+++ b/releasenotes/notes/neutron-sdk-opts-eda1fae468d8bf50.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    The ``octavia::neutron`` class now supports basic keystoneauth options.
+
+deprecations:
+  - |
+    The following parameters of the ``octavia::neutron`` class have been
+    deprecated.
+
+    - ``endpoint``
+    - ``endpoint_type``
--- a/spec/classes/octavia_neutron_spec.rb
+++ b/spec/classes/octavia_neutron_spec.rb
@ -4,30 +4,83 @@ describe 'octavia::neutron' do
  shared_examples 'octavia::neutron' do
    context 'with default parameters' do
      it {
-        should contain_octavia_config('neutron/service_name').with_value('<SERVICE DEFAULT>')
-        should contain_octavia_config('neutron/endpoint').with_value('<SERVICE DEFAULT>')
-        should contain_octavia_config('neutron/region_name').with_value('<SERVICE DEFAULT>')
-        should contain_octavia_config('neutron/endpoint_type').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/auth_url').with_value('http://localhost:5000')
+        is_expected.to contain_octavia_config('neutron/username').with_value('neutron')
+        is_expected.to contain_octavia_config('neutron/password').with_value('<SERVICE DEFAULT>').with_secret(true)
+        is_expected.to contain_octavia_config('neutron/project_name').with_value('services')
+        is_expected.to contain_octavia_config('neutron/user_domain_name').with_value('Default')
+        is_expected.to contain_octavia_config('neutron/project_domain_name').with_value('Default')
+        is_expected.to contain_octavia_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/auth_type').with_value('password')
+        is_expected.to contain_octavia_config('neutron/region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/service_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/endpoint_override').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/valid_interfaces').with_value('<SERVICE DEFAULT>')
+
+        is_expected.to contain_octavia_config('neutron/endpoint').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/endpoint_type').with_value('<SERVICE DEFAULT>')
      }
    end

    context 'with specified parameters' do
      let :params do
        {
+          :auth_url             => 'http://127.0.0.1:5000',
+          :username             => 'some_user',
+          :password             => 'secrete',
+          :project_name         => 'some_project_name',
+          :user_domain_name     => 'my_domain_name',
+          :project_domain_name  => 'our_domain_name',
+          :auth_type            => 'v3password',
+          :region_name          => 'regionOne',
          :service_name         => 'networking',
-          :endpoint             => 'http://127.0.0.1:9696',
-          :region_name          => 'RegionOne',
-          :endpoint_type        => 'internalURL',
+          :endpoint_override    => 'http://127.0.0.1:9696',
+          :valid_interfaces     => ['internal', 'public'],
        }
      end

      it {
-        should contain_octavia_config('neutron/service_name').with_value('networking')
-        should contain_octavia_config('neutron/endpoint').with_value('http://127.0.0.1:9696')
-        should contain_octavia_config('neutron/region_name').with_value('RegionOne')
-        should contain_octavia_config('neutron/endpoint_type').with_value('internalURL')
+        is_expected.to contain_octavia_config('neutron/auth_url').with_value('http://127.0.0.1:5000')
+        is_expected.to contain_octavia_config('neutron/username').with_value('some_user')
+        is_expected.to contain_octavia_config('neutron/project_name').with_value('some_project_name')
+        is_expected.to contain_octavia_config('neutron/password').with_value('secrete').with_secret(true)
+        is_expected.to contain_octavia_config('neutron/user_domain_name').with_value('my_domain_name')
+        is_expected.to contain_octavia_config('neutron/project_domain_name').with_value('our_domain_name')
+        is_expected.to contain_octavia_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/auth_type').with_value('v3password')
+        is_expected.to contain_octavia_config('neutron/region_name').with_value('regionOne')
+        is_expected.to contain_octavia_config('neutron/service_name').with_value('networking')
+        is_expected.to contain_octavia_config('neutron/endpoint_override').with_value('http://127.0.0.1:9696')
+        is_expected.to contain_octavia_config('neutron/valid_interfaces').with_value('internal,public')
      }
    end
+
+    context 'with deprecated parameters' do
+      let :params do
+        {
+          :endpoint      => 'http://127.0.0.1:9696',
+          :endpoint_type => 'internalURL',
+        }
+      end
+
+      it {
+        is_expected.to contain_octavia_config('neutron/endpoint').with_value('http://127.0.0.1:9696')
+        is_expected.to contain_octavia_config('neutron/endpoint_type').with_value('internalURL')
+      }
+    end
+
+    context 'when system_scope is set' do
+      let :params do
+        {
+          :system_scope => 'all'
+        }
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_octavia_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('neutron/system_scope').with_value('all')
+      end
+    end
  end

  on_supported_os({
--- a/spec/classes/octavia_service_auth_spec.rb
+++ b/spec/classes/octavia_service_auth_spec.rb
@ -27,7 +27,7 @@ describe 'octavia::service_auth' do
    context 'when credentials are configured' do
      before do
        params.merge!({
-          :auth_url            => 'http://199.199.199.199:64371',
+          :auth_url            => 'http://127.0.0.1:5000',
          :username            => 'some_user',
          :project_name        => 'some_project_name',
          :user_domain_name    => 'my_domain_name',
@ -38,7 +38,7 @@ describe 'octavia::service_auth' do
      end

      it 'configures credentials' do
-        is_expected.to contain_octavia_config('service_auth/auth_url').with_value('http://199.199.199.199:64371')
+        is_expected.to contain_octavia_config('service_auth/auth_url').with_value('http://127.0.0.1:5000')
        is_expected.to contain_octavia_config('service_auth/username').with_value('some_user')
        is_expected.to contain_octavia_config('service_auth/project_name').with_value('some_project_name')
        is_expected.to contain_octavia_config('service_auth/password').with_value('secrete').with_secret(true)