Add keystone roles for Octavia policies

This patch adds creation of the necessary keystone roles to support using Octavia's access policies. Related-Bug: #1762774 Change-Id: Ib34ad49d52bb6afba6d035cf966592e0f0fd9a85
2018-04-10 11:26:03 -02:30 · 2018-04-10 11:26:03 -02:30 · d6c8f91f63
commit d6c8f91f63
parent 32a7483cad
3 changed files with 83 additions and 0 deletions
--- a/manifests/roles.pp
+++ b/manifests/roles.pp
@ -0,0 +1,28 @@
+# == Class: octavia::roles
+#
+# Configure the octavia roles
+#
+# === Parameters
+#
+# [*role_names*]
+#   (optional) Create keystone roles to comply with Octavia policies.
+#   Defaults to ['load-balancer_observer', 'load-balancer_global_observer',
+#   'load-balancer_member', 'load-balancer_quota_admin', 'load-balancer_admin',
+#   'admin']
+#
+class octavia::roles (
+  $role_names = [
+      'load-balancer_observer',
+      'load-balancer_global_observer',
+      'load-balancer_member',
+      'load-balancer_quota_admin',
+      'load-balancer_admin',
+      'admin'
+      ]
+  ) {
+  if $role_names {
+    keystone_role { $role_names:
+      ensure => present
+    }
+  }
+}
--- a/releasenotes/notes/add-roles-for-octavia-2207bc1adea61c55.yaml
+++ b/releasenotes/notes/add-roles-for-octavia-2207bc1adea61c55.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added `octavia::roles::role_names` parameter to enable creation of the
+    keystone roles supported by the Octavia API.
--- a/spec/classes/octavia_roles_spec.rb
+++ b/spec/classes/octavia_roles_spec.rb
@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'octavia::roles' do
+
+  let :params do
+    {
+    }
+  end
+
+  shared_examples_for 'octavia-roles' do
+
+    context 'when using default args' do
+      it 'creates keystone roles' do
+        is_expected.to contain_keystone_role('load-balancer_observer')
+        is_expected.to contain_keystone_role('load-balancer_global_observer')
+        is_expected.to contain_keystone_role('load-balancer_member')
+        is_expected.to contain_keystone_role('load-balancer_quota_admin')
+        is_expected.to contain_keystone_role('load-balancer_admin')
+        is_expected.to contain_keystone_role('admin')
+      end
+    end
+
+    context 'when using custom roles' do
+      before do
+        params.merge!({
+          :role_names => ['foo', 'bar', 'krispy']
+        })
+      end
+      it 'creates custom keystone roles' do
+        is_expected.to contain_keystone_role('foo')
+        is_expected.to contain_keystone_role('bar')
+        is_expected.to contain_keystone_role('krispy')
+        is_expected.not_to contain_keystone_role('load-balancer_observer')
+      end
+    end
+
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+      it_behaves_like 'octavia-roles'
+    end
+  end
+
+end