scenario002: enable Barbican and Volume Encryption testing
Start testing Barbican for real. Depends-On: I7a51c1a3baae5fd96b75cc73acd4c8c3e2c4ade5 Change-Id: I034a38bb7adde9f39db99b1a82715ce11e8ca63b
parent
f62758afe2
commit
abd6b91e05
@ -52,6 +52,7 @@ scenario](#All-In-One).
|
|||||||
| horizon | | | X | X |
|
| horizon | | | X | X |
|
||||||
| ironic | | X | | |
|
| ironic | | X | | |
|
||||||
| zaqar | | X | | |
|
| zaqar | | X | | |
|
||||||
|
| barbican | | X | | |
|
||||||
| ceph | X | | | |
|
| ceph | X | | | |
|
||||||
| mongodb | | X | | |
|
| mongodb | | X | | |
|
||||||
|
|
||||||
|
@ -19,10 +19,14 @@ case $::osfamily {
|
|||||||
$ipv6 = false
|
$ipv6 = false
|
||||||
# zaqar is not packaged in Ubuntu Trusty
|
# zaqar is not packaged in Ubuntu Trusty
|
||||||
$zaqar_enabled = false
|
$zaqar_enabled = false
|
||||||
|
# we'll start testing barbican after Newton stable, Ubuntu packaging is not
|
||||||
|
# updated enough.
|
||||||
|
$barbican_enabled = false
|
||||||
}
|
}
|
||||||
'RedHat': {
|
'RedHat': {
|
||||||
$ipv6 = true
|
$ipv6 = true
|
||||||
$zaqar_enabled = true
|
$zaqar_enabled = true
|
||||||
|
$barbican_enabled = true
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("Unsupported osfamily (${::osfamily})")
|
fail("Unsupported osfamily (${::osfamily})")
|
||||||
@ -49,18 +53,28 @@ class { '::openstack_integration::glance':
|
|||||||
backend => 'swift',
|
backend => 'swift',
|
||||||
}
|
}
|
||||||
include ::openstack_integration::neutron
|
include ::openstack_integration::neutron
|
||||||
include ::openstack_integration::nova
|
|
||||||
include ::openstack_integration::cinder
|
|
||||||
include ::openstack_integration::swift
|
include ::openstack_integration::swift
|
||||||
include ::openstack_integration::ironic
|
include ::openstack_integration::ironic
|
||||||
include ::openstack_integration::zaqar
|
include ::openstack_integration::zaqar
|
||||||
include ::openstack_integration::mongodb
|
include ::openstack_integration::mongodb
|
||||||
include ::openstack_integration::provision
|
include ::openstack_integration::provision
|
||||||
|
|
||||||
|
class { '::openstack_integration::nova':
|
||||||
|
volume_encryption => $barbican_enabled,
|
||||||
|
}
|
||||||
|
|
||||||
|
class { '::openstack_integration::cinder':
|
||||||
|
volume_encryption => $barbican_enabled,
|
||||||
|
}
|
||||||
|
|
||||||
|
if $barbican_enabled {
|
||||||
|
include ::openstack_integration::barbican
|
||||||
|
}
|
||||||
|
|
||||||
class { '::openstack_integration::tempest':
|
class { '::openstack_integration::tempest':
|
||||||
cinder => true,
|
cinder => true,
|
||||||
swift => true,
|
swift => true,
|
||||||
ironic => true,
|
ironic => true,
|
||||||
zaqar => $zaqar_enabled,
|
zaqar => $zaqar_enabled,
|
||||||
|
attach_encrypted_volume => $barbican_enabled,
|
||||||
}
|
}
|
||||||
|
74
manifests/barbican.pp
Normal file
74
manifests/barbican.pp
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
class openstack_integration::barbican {
|
||||||
|
|
||||||
|
include ::openstack_integration::config
|
||||||
|
include ::openstack_integration::params
|
||||||
|
|
||||||
|
rabbitmq_user { 'barbican':
|
||||||
|
admin => true,
|
||||||
|
password => 'an_even_bigger_secret',
|
||||||
|
provider => 'rabbitmqctl',
|
||||||
|
require => Class['::rabbitmq'],
|
||||||
|
}
|
||||||
|
rabbitmq_user_permissions { 'barbican@/':
|
||||||
|
configure_permission => '.*',
|
||||||
|
write_permission => '.*',
|
||||||
|
read_permission => '.*',
|
||||||
|
provider => 'rabbitmqctl',
|
||||||
|
require => Class['::rabbitmq'],
|
||||||
|
}
|
||||||
|
Rabbitmq_user_permissions['barbican@/'] -> Service<| tag == 'barbican-service' |>
|
||||||
|
|
||||||
|
if $::openstack_integration::config::ssl {
|
||||||
|
openstack_integration::ssl_key { 'barbican':
|
||||||
|
notify => Service['httpd'],
|
||||||
|
require => Package['barbican-api'],
|
||||||
|
}
|
||||||
|
Exec['update-ca-certificates'] ~> Service['httpd']
|
||||||
|
}
|
||||||
|
|
||||||
|
include ::barbican
|
||||||
|
class { '::barbican::db::mysql':
|
||||||
|
password => 'barbican',
|
||||||
|
}
|
||||||
|
class { '::barbican::db':
|
||||||
|
database_connection => 'mysql+pymysql://barbican:barbican@127.0.0.1/barbican?charset=utf8',
|
||||||
|
}
|
||||||
|
class { '::barbican::keystone::auth':
|
||||||
|
public_url => "${::openstack_integration::config::base_url}:9311",
|
||||||
|
internal_url => "${::openstack_integration::config::base_url}:9311",
|
||||||
|
admin_url => "${::openstack_integration::config::base_url}:9311",
|
||||||
|
password => 'a_big_secret',
|
||||||
|
}
|
||||||
|
include ::barbican::quota
|
||||||
|
include ::barbican::keystone::notification
|
||||||
|
class { '::barbican::api::logging':
|
||||||
|
debug => true,
|
||||||
|
}
|
||||||
|
class { '::barbican::api':
|
||||||
|
host_href => "${::openstack_integration::config::base_url}:9311",
|
||||||
|
auth_type => 'keystone',
|
||||||
|
keystone_password => 'a_big_secret',
|
||||||
|
service_name => 'httpd',
|
||||||
|
enabled_certificate_plugins => ['simple_certificate'],
|
||||||
|
db_auto_create => false,
|
||||||
|
auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
|
||||||
|
rabbit_userid => 'barbican',
|
||||||
|
rabbit_password => 'an_even_bigger_secret',
|
||||||
|
rabbit_port => $::openstack_integration::config::rabbit_port,
|
||||||
|
rabbit_use_ssl => $::openstack_integration::config::ssl,
|
||||||
|
rabbit_host => $::openstack_integration::config::ip_for_url,
|
||||||
|
}
|
||||||
|
# add me in puppet-barbican
|
||||||
|
barbican_config {
|
||||||
|
'keystone_authtoken/auth_uri': value => "${::openstack_integration::config::keystone_auth_uri}/v3";
|
||||||
|
}
|
||||||
|
include ::apache
|
||||||
|
class { '::barbican::wsgi::apache':
|
||||||
|
bind_host => $::openstack_integration::config::ip_for_url,
|
||||||
|
ssl => $::openstack_integration::config::ssl,
|
||||||
|
ssl_key => "/etc/barbican/ssl/private/${::fqdn}.pem",
|
||||||
|
ssl_cert => $::openstack_integration::params::cert_path,
|
||||||
|
workers => 2,
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
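Review bot: The `rabbitmq_user { 'barbican': ... }` resource sets `admin => true`, which gives the key-manager service account the RabbitMQ administrator tag on top of the `.*` configure/write/read permissions granted just below it. Nothing visible in this class needs broker administration, so `admin => false,` would keep the account to messaging only; if the sibling service manifests use the same setting, that is outside this page and worth changing together. `::barbican::api::logging` is also declared with `debug => true`, and the class has no header comment. A line such as `# CI-only profile: fixed test passwords and debug logging, not for real deployments` above `class openstack_integration::barbican {` would stop the hard-coded values (`an_even_bigger_secret`, `a_big_secret`, `barbican`) from being copied into a deployment that stores real secrets.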
@ -5,8 +5,13 @@
|
|||||||
# Can be 'iscsi' or 'rbd'.
|
# Can be 'iscsi' or 'rbd'.
|
||||||
# Defaults to 'iscsi'.
|
# Defaults to 'iscsi'.
|
||||||
#
|
#
|
||||||
|
# [*volume_encryption*]
|
||||||
|
# (optional) Boolean to configure or not volume encryption
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
class openstack_integration::cinder (
|
class openstack_integration::cinder (
|
||||||
$backend = 'iscsi',
|
$backend = 'iscsi',
|
||||||
|
$volume_encryption = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::openstack_integration::config
|
include ::openstack_integration::config
|
||||||
@ -57,13 +62,29 @@ class openstack_integration::cinder (
|
|||||||
rabbit_use_ssl => $::openstack_integration::config::ssl,
|
rabbit_use_ssl => $::openstack_integration::config::ssl,
|
||||||
debug => true,
|
debug => true,
|
||||||
}
|
}
|
||||||
class { '::cinder::api':
|
if $volume_encryption {
|
||||||
keystone_password => 'a_big_secret',
|
$keymgr_api_class = 'cinder.keymgr.barbican.BarbicanKeyManager'
|
||||||
|
$keymgr_encryption_api_url = "${::openstack_integration::config::base_url}:9311/v1"
|
||||||
|
$keymgr_encryption_auth_url = "${::openstack_integration::config::keystone_auth_uri}/v3"
|
||||||
|
} else {
|
||||||
|
$keymgr_api_class = undef
|
||||||
|
$keymgr_encryption_api_url = undef
|
||||||
|
$keymgr_encryption_auth_url = undef
|
||||||
|
}
|
||||||
|
class { '::cinder::keystone::authtoken':
|
||||||
|
password => 'a_big_secret',
|
||||||
|
user_domain_name => 'Default',
|
||||||
|
project_domain_name => 'Default',
|
||||||
|
auth_url => $::openstack_integration::config::keystone_admin_uri,
|
||||||
auth_uri => $::openstack_integration::config::keystone_auth_uri,
|
auth_uri => $::openstack_integration::config::keystone_auth_uri,
|
||||||
identity_uri => $::openstack_integration::config::keystone_admin_uri,
|
}
|
||||||
|
class { '::cinder::api':
|
||||||
default_volume_type => 'BACKEND_1',
|
default_volume_type => 'BACKEND_1',
|
||||||
public_endpoint => "${::openstack_integration::config::base_url}:8776",
|
public_endpoint => "${::openstack_integration::config::base_url}:8776",
|
||||||
service_name => 'httpd',
|
service_name => 'httpd',
|
||||||
|
keymgr_api_class => $keymgr_api_class,
|
||||||
|
keymgr_encryption_api_url => $keymgr_encryption_api_url,
|
||||||
|
keymgr_encryption_auth_url => $keymgr_encryption_auth_url,
|
||||||
}
|
}
|
||||||
include ::apache
|
include ::apache
|
||||||
class { '::cinder::wsgi::apache':
|
class { '::cinder::wsgi::apache':
|
||||||
|
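Review bot: The new `[*volume_encryption*]` parameter doc does not mention that the option depends on barbican being deployed. When it is true, `keymgr_encryption_api_url` is set to `${::openstack_integration::config::base_url}:9311/v1`, and nothing in the visible hunks of this class includes `::openstack_integration::barbican`. I would extend the doc to `# (optional) Boolean to configure or not volume encryption; requires ::openstack_integration::barbican to be included by the scenario.` The same doc block and the same dependency appear in the `openstack_integration::nova` section further down. The class body starts and ends outside the hunks shown here.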
@ -97,4 +97,19 @@ class openstack_integration::keystone (
|
|||||||
user_domain => 'default',
|
user_domain => 'default',
|
||||||
auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/",
|
auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# We need tempest users to have the creator role to be able to store
|
||||||
|
# secrets in barbican. We do this by adding the creator role to the
|
||||||
|
# tempest_roles list in tempest.conf.
|
||||||
|
# We also need the Member role for some swift container tests.
|
||||||
|
# Ordinarily tempest code in dynamic_creds.py would create
|
||||||
|
# this role and assign users to it. This code is not executed, however,
|
||||||
|
# when tempest_roles is defined. Therefore we need to make sure this
|
||||||
|
# role is created here, and added to tempest_roles.
|
||||||
|
keystone_role { 'creator':
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
|
keystone_role { 'Member':
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -5,8 +5,13 @@
|
|||||||
# to use Libvirt RBD backend.
|
# to use Libvirt RBD backend.
|
||||||
# Defaults to false.
|
# Defaults to false.
|
||||||
#
|
#
|
||||||
|
# [*volume_encryption*]
|
||||||
|
# (optional) Boolean to configure or not volume encryption
|
||||||
|
# Defaults to false.
|
||||||
|
#
|
||||||
class openstack_integration::nova (
|
class openstack_integration::nova (
|
||||||
$libvirt_rbd = false,
|
$libvirt_rbd = false,
|
||||||
|
$volume_encryption = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::openstack_integration::config
|
include ::openstack_integration::config
|
||||||
@ -83,10 +88,22 @@ class openstack_integration::nova (
|
|||||||
class { '::nova::conductor': }
|
class { '::nova::conductor': }
|
||||||
class { '::nova::consoleauth': }
|
class { '::nova::consoleauth': }
|
||||||
class { '::nova::cron::archive_deleted_rows': }
|
class { '::nova::cron::archive_deleted_rows': }
|
||||||
|
if $volume_encryption {
|
||||||
|
$keymgr_api_class = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
|
||||||
|
$keymgr_auth_endpoint = "${::openstack_integration::config::keystone_auth_uri}/v3"
|
||||||
|
$barbican_endpoint = "${::openstack_integration::config::base_url}:9311"
|
||||||
|
} else {
|
||||||
|
$keymgr_api_class = undef
|
||||||
|
$keymgr_auth_endpoint = undef
|
||||||
|
$barbican_endpoint = undef
|
||||||
|
}
|
||||||
class { '::nova::compute':
|
class { '::nova::compute':
|
||||||
vnc_enabled => true,
|
vnc_enabled => true,
|
||||||
instance_usage_audit => true,
|
instance_usage_audit => true,
|
||||||
instance_usage_audit_period => 'hour',
|
instance_usage_audit_period => 'hour',
|
||||||
|
keymgr_api_class => $keymgr_api_class,
|
||||||
|
barbican_auth_endpoint => $keymgr_auth_endpoint,
|
||||||
|
barbican_endpoint => $barbican_endpoint,
|
||||||
}
|
}
|
||||||
class { '::nova::compute::libvirt':
|
class { '::nova::compute::libvirt':
|
||||||
libvirt_virt_type => 'qemu',
|
libvirt_virt_type => 'qemu',
|
||||||
|
@ -60,6 +60,10 @@
|
|||||||
# (optional) Define if Zaqar needs to be tested.
|
# (optional) Define if Zaqar needs to be tested.
|
||||||
# Default to false.
|
# Default to false.
|
||||||
#
|
#
|
||||||
|
# [*attach_encrypted_volume*]
|
||||||
|
# (optional) Define if Encrypted Volumes need to be tested.
|
||||||
|
# Default to false.
|
||||||
|
#
|
||||||
class openstack_integration::tempest (
|
class openstack_integration::tempest (
|
||||||
$aodh = false,
|
$aodh = false,
|
||||||
$ceilometer = false,
|
$ceilometer = false,
|
||||||
@ -76,6 +80,7 @@ class openstack_integration::tempest (
|
|||||||
$swift = false,
|
$swift = false,
|
||||||
$trove = false,
|
$trove = false,
|
||||||
$zaqar = false,
|
$zaqar = false,
|
||||||
|
$attach_encrypted_volume = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::openstack_integration::config
|
include ::openstack_integration::config
|
||||||
@ -107,6 +112,7 @@ class openstack_integration::tempest (
|
|||||||
admin_password => 'a_big_secret',
|
admin_password => 'a_big_secret',
|
||||||
admin_domain_name => 'Default',
|
admin_domain_name => 'Default',
|
||||||
auth_version => 'v3',
|
auth_version => 'v3',
|
||||||
|
tempest_roles => ['Member', 'creator'], # needed to use barbican.
|
||||||
image_name => 'cirros',
|
image_name => 'cirros',
|
||||||
image_name_alt => 'cirros_alt',
|
image_name_alt => 'cirros_alt',
|
||||||
cinder_available => $cinder,
|
cinder_available => $cinder,
|
||||||
@ -136,6 +142,7 @@ class openstack_integration::tempest (
|
|||||||
compute_build_interval => 10,
|
compute_build_interval => 10,
|
||||||
ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path,
|
ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path,
|
||||||
manage_tests_packages => true,
|
manage_tests_packages => true,
|
||||||
|
attach_encrypted_volume => $attach_encrypted_volume,
|
||||||
# TODO(emilien) optimization by 1/ using Hiera to configure Glance image source
|
# TODO(emilien) optimization by 1/ using Hiera to configure Glance image source
|
||||||
# and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image.
|
# and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image.
|
||||||
# img_dir => '/home/jenkins/cache/files',
|
# img_dir => '/home/jenkins/cache/files',
|
||||||
|
@ -190,6 +190,9 @@ TESTS="${TESTS} api.baremetal.admin.test_drivers"
|
|||||||
# Zaqar
|
# Zaqar
|
||||||
TESTS="${TESTS} TestManageQueue"
|
TESTS="${TESTS} TestManageQueue"
|
||||||
|
|
||||||
|
# Cinder encrypted volumes
|
||||||
|
TESTS="${TESTS} TestEncryptedCinderVolumes"
|
||||||
|
|
||||||
print_header 'Running Tempest'
|
print_header 'Running Tempest'
|
||||||
cd /tmp/openstack/tempest
|
cd /tmp/openstack/tempest
|
||||||
|
|
||||||
|
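Review bot: `TestEncryptedCinderVolumes` is appended to `TESTS` unconditionally, while the manifests on this page enable barbican only in scenario002 and set `$barbican_enabled = false` in the branch commented as Ubuntu. Presumably the run relies on tempest skipping the test when `attach_encrypted_volume` is false; the comment should say so, for example `# Cinder encrypted volumes (expected to be skipped unless attach_encrypted_volume is enabled)`. If tempest does not skip it in the other scenarios, the entry needs to be made conditional instead. The script continues outside this hunk.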