diff --git a/manifests/worker.pp b/manifests/worker.pp index ce0e7830..66d4c98b 100644 --- a/manifests/worker.pp +++ b/manifests/worker.pp @@ -67,6 +67,11 @@ # (optional) Name of Openstack SSH keypair for communicating with amphora # Defaults to 'octavia-ssh-key' # +# [*enable_ssh_access*] +# (optional) Enable SSH key configuration for amphorae. Note that setting +# to false disables configuration of SSH key related properties. +# Defaults to true +# # [*key_path*] # (optional) full path to the private key for the amphora SSH key # Defaults to '/etc/octavia/.ssh/octavia_ssh_key' @@ -90,6 +95,7 @@ class octavia::worker ( $compute_driver = 'compute_nova_driver', $network_driver = 'allowed_address_pairs_driver', $amp_ssh_key_name = 'octavia-ssh-key', + $enable_ssh_access = true, $key_path = '/etc/octavia/.ssh/octavia_ssh_key', $manage_keygen = false ) inherits octavia::params { @@ -148,6 +154,10 @@ class octavia::worker ( tag => ['octavia-service'], } + if $manage_keygen and ! $enable_ssh_access { + fail('SSH key management cannot be enabled when SSH key access is disabled') + } + if $manage_keygen { exec {'create_amp_key_dir': path => ['/bin', '/usr/bin'], @@ -177,6 +187,15 @@ class octavia::worker ( -> Ssh_keygen[$amp_ssh_key_name] } + if $enable_ssh_access { + $ssh_key_name_real = $amp_ssh_key_name + $key_path_real = $key_path + } + else { + $ssh_key_name_real = $::os_service_default + $key_path_real = $::os_service_default + } + octavia_config { 'controller_worker/amp_flavor_id' : value => $amp_flavor_id; 'controller_worker/amp_image_tag' : value => $amp_image_tag; 
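Review bot: The new `$enable_ssh_access = true,` parameter is untyped, so a value that arrives as the string `'false'` (for example from a quoted Hiera entry or an ENC) is truthy in Puppet and leaves the SSH key settings in place with no error. Since this switch exists to turn key-based access off, it should reject non-boolean input rather than fall back to enabled, e.g. `Boolean $enable_ssh_access = true,`. The neighbouring parameters visible in this hunk are untyped as well, so typing only this one is a deliberate exception worth a short comment. The parameter list starts and ends outside the hunk.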
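Review bot: When `enable_ssh_access` is false, the new `else` branch silently discards any `amp_ssh_key_name` or `key_path` the caller passed. What Octavia then does depends on its own defaults for those two options, not on anything this manifest sets. A comment above the branch would make that explicit, for example `# Both options fall back to Octavia's defaults; explicit amp_ssh_key_name/key_path values are ignored.` The `fail()` guard added in the previous hunk only rejects `manage_keygen`, so a private key left at `key_path` by an earlier run is presumably untouched, and the `[*enable_ssh_access*]` parameter doc should say that disabling does not remove it. The `octavia_config` block that consumes `$ssh_key_name_real` and `$key_path_real` continues in the next hunk.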
@@ -186,7 +205,7 @@ class octavia::worker (
 'controller_worker/amphora_driver' : value => $amphora_driver;
 'controller_worker/compute_driver' : value => $compute_driver;
 'controller_worker/network_driver' : value => $network_driver;
- 'controller_worker/amp_ssh_key_name' : value => $amp_ssh_key_name;
- 'haproxy_amphora/key_path' : value => $key_path;
+ 'controller_worker/amp_ssh_key_name' : value => $ssh_key_name_real;
+ 'haproxy_amphora/key_path' : value => $key_path_real;
 }
 }
diff --git a/releasenotes/notes/add-enable-ssh-access-param-1f2454d898b9b59b.yaml b/releasenotes/notes/add-enable-ssh-access-param-1f2454d898b9b59b.yaml
new file mode 100644
index 00000000..a4839ae8
--- /dev/null
+++ b/releasenotes/notes/add-enable-ssh-access-param-1f2454d898b9b59b.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Added 'octavia::worker::enable_ssh_access' parameter to enable
+ configuring without an OpenStack SSH key. Note that when set to false,
+ configuration of SSH key related properties is disabled.
diff --git a/spec/classes/octavia_worker_spec.rb b/spec/classes/octavia_worker_spec.rb
index ea9fcc98..bb770845 100644
--- a/spec/classes/octavia_worker_spec.rb
+++ b/spec/classes/octavia_worker_spec.rb
@@ -55,6 +55,29 @@ describe 'octavia::worker' do is_expected.to contain_octavia_config('haproxy_amphora/key_path').with_value('/etc/octavia/.ssh/octavia_ssh_key') end + context 'with ssh key access disabled' do + before do + params.merge!({ :enable_ssh_access => false }) end + + it 'disables configuration of SSH key properties' do + is_expected.to contain_octavia_config('controller_worker/amp_ssh_key_name').with_value('') + is_expected.to contain_octavia_config('haproxy_amphora/key_path').with_value('') + end + end + + context 'with ssh key access disabled and key management enabled' do + before do + params.merge!({ + :enable_ssh_access => false, + :manage_keygen => true, + }) + end + + it "raises an error" do + is_expected.to raise_error(Puppet::Error) + end + end + it 'deploys nova flavor for octavia worker' do is_expected.to contain_nova_flavor('octavia_65').with( :ensure => 'present',
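Review bot: The `raises an error` example accepts any `Puppet::Error`, so it would still pass if compilation failed for an unrelated reason and the `manage_keygen`/`enable_ssh_access` guard were removed. Pinning the message ties the test to the guard: `is_expected.to raise_error(Puppet::Error, /SSH key management cannot be enabled/)`. In the first new context, `end` appears to share a line with `params.merge!({ :enable_ssh_access => false })`; putting it on its own line would match the second context's `before` block. The assertions on `with_value('')` presumably depend on how the spec's facts stub `os_service_default`, which is not visible here. The enclosing `describe` and context blocks start and end outside this hunk.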