scenario002: enable Barbican and Volume Encryption testing

Start testing Barbican for real.

Depends-On: I7a51c1a3baae5fd96b75cc73acd4c8c3e2c4ade5
Change-Id: I034a38bb7adde9f39db99b1a82715ce11e8ca63b
This commit is contained in:
Emilien Macchi 2016-07-08 15:59:50 -04:00 committed by Denis Egorenko
parent f62758afe2
commit abd6b91e05
8 changed files with 186 additions and 34 deletions


@ -52,6 +52,7 @@ scenario](#All-In-One).
| horizon | | | X | X | | horizon | | | X | X |
| ironic | | X | | | | ironic | | X | | |
| zaqar | | X | | | | zaqar | | X | | |
| barbican | | X | | |
| ceph | X | | | | | ceph | X | | | |
| mongodb | | X | | | | mongodb | | X | | |


@ -19,10 +19,14 @@ case $::osfamily {
$ipv6 = false $ipv6 = false
# zaqar is not packaged in Ubuntu Trusty # zaqar is not packaged in Ubuntu Trusty
$zaqar_enabled = false $zaqar_enabled = false
# we'll start testing barbican after Newton stable, Ubuntu packaging is not
# updated enough.
$barbican_enabled = false
} }
'RedHat': { 'RedHat': {
$ipv6 = true $ipv6 = true
$zaqar_enabled = true $zaqar_enabled = true
$barbican_enabled = true
} }
default: { default: {
fail("Unsupported osfamily (${::osfamily})") fail("Unsupported osfamily (${::osfamily})")
@ -49,18 +53,28 @@ class { '::openstack_integration::glance':
backend => 'swift', backend => 'swift',
} }
include ::openstack_integration::neutron include ::openstack_integration::neutron
include ::openstack_integration::nova
include ::openstack_integration::cinder
include ::openstack_integration::swift include ::openstack_integration::swift
include ::openstack_integration::ironic include ::openstack_integration::ironic
include ::openstack_integration::zaqar include ::openstack_integration::zaqar
include ::openstack_integration::mongodb include ::openstack_integration::mongodb
include ::openstack_integration::provision include ::openstack_integration::provision
class { '::openstack_integration::nova':
volume_encryption => $barbican_enabled,
}
class { '::openstack_integration::cinder':
volume_encryption => $barbican_enabled,
}
if $barbican_enabled {
include ::openstack_integration::barbican
}
class { '::openstack_integration::tempest': class { '::openstack_integration::tempest':
cinder => true, cinder => true,
swift => true, swift => true,
ironic => true, ironic => true,
zaqar => $zaqar_enabled, zaqar => $zaqar_enabled,
attach_encrypted_volume => $barbican_enabled,
} }

74
manifests/barbican.pp Normal file

@ -0,0 +1,74 @@
class openstack_integration::barbican {
include ::openstack_integration::config
include ::openstack_integration::params
rabbitmq_user { 'barbican':
admin => true,
password => 'an_even_bigger_secret',
provider => 'rabbitmqctl',
require => Class['::rabbitmq'],
}
rabbitmq_user_permissions { 'barbican@/':
configure_permission => '.*',
write_permission => '.*',
read_permission => '.*',
provider => 'rabbitmqctl',
require => Class['::rabbitmq'],
}
Rabbitmq_user_permissions['barbican@/'] -> Service<| tag == 'barbican-service' |>
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'barbican':
notify => Service['httpd'],
require => Package['barbican-api'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
include ::barbican
class { '::barbican::db::mysql':
password => 'barbican',
}
class { '::barbican::db':
database_connection => 'mysql+pymysql://barbican:barbican@127.0.0.1/barbican?charset=utf8',
}
class { '::barbican::keystone::auth':
public_url => "${::openstack_integration::config::base_url}:9311",
internal_url => "${::openstack_integration::config::base_url}:9311",
admin_url => "${::openstack_integration::config::base_url}:9311",
password => 'a_big_secret',
}
include ::barbican::quota
include ::barbican::keystone::notification
class { '::barbican::api::logging':
debug => true,
}
class { '::barbican::api':
host_href => "${::openstack_integration::config::base_url}:9311",
auth_type => 'keystone',
keystone_password => 'a_big_secret',
service_name => 'httpd',
enabled_certificate_plugins => ['simple_certificate'],
db_auto_create => false,
auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
rabbit_userid => 'barbican',
rabbit_password => 'an_even_bigger_secret',
rabbit_port => $::openstack_integration::config::rabbit_port,
rabbit_use_ssl => $::openstack_integration::config::ssl,
rabbit_host => $::openstack_integration::config::ip_for_url,
}
# add me in puppet-barbican
barbican_config {
'keystone_authtoken/auth_uri': value => "${::openstack_integration::config::keystone_auth_uri}/v3";
}
include ::apache
class { '::barbican::wsgi::apache':
bind_host => $::openstack_integration::config::ip_for_url,
ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/barbican/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
}
}
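Review bot: The RabbitMQ password literal 'an_even_bigger_secret' is written twice in this file, once as `password =>` on the rabbitmq_user resource and once as `rabbit_password =>` in the ::barbican::api declaration, so the two can silently drift apart; hold it once in a local such as `$rabbit_password = 'an_even_bigger_secret'` at the top of the class and reference `$rabbit_password` in both places. The barbican_config workaround for keystone_authtoken/auth_uri carries only `# add me in puppet-barbican`, which does not tell a reader whether it is still needed or what removes it; spell it out as `# TODO: drop once ::barbican::api exposes keystone_authtoken/auth_uri; set directly until then`. ::barbican::api::logging is declared with `debug => true`; for a secret store it is worth a one-line comment noting that this is acceptable here only because the CI instance holds throwaway test secrets.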


@ -5,8 +5,13 @@
# Can be 'iscsi' or 'rbd'. # Can be 'iscsi' or 'rbd'.
# Defaults to 'iscsi'. # Defaults to 'iscsi'.
# #
# [*volume_encryption*]
# (optional) Boolean to configure or not volume encryption
# Defaults to false.
#
class openstack_integration::cinder ( class openstack_integration::cinder (
$backend = 'iscsi', $backend = 'iscsi',
$volume_encryption = false,
) { ) {
include ::openstack_integration::config include ::openstack_integration::config
@ -57,13 +62,29 @@ class openstack_integration::cinder (
rabbit_use_ssl => $::openstack_integration::config::ssl, rabbit_use_ssl => $::openstack_integration::config::ssl,
debug => true, debug => true,
} }
class { '::cinder::api': if $volume_encryption {
keystone_password => 'a_big_secret', $keymgr_api_class = 'cinder.keymgr.barbican.BarbicanKeyManager'
$keymgr_encryption_api_url = "${::openstack_integration::config::base_url}:9311/v1"
$keymgr_encryption_auth_url = "${::openstack_integration::config::keystone_auth_uri}/v3"
} else {
$keymgr_api_class = undef
$keymgr_encryption_api_url = undef
$keymgr_encryption_auth_url = undef
}
class { '::cinder::keystone::authtoken':
password => 'a_big_secret',
user_domain_name => 'Default',
project_domain_name => 'Default',
auth_url => $::openstack_integration::config::keystone_admin_uri,
auth_uri => $::openstack_integration::config::keystone_auth_uri, auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri, }
class { '::cinder::api':
default_volume_type => 'BACKEND_1', default_volume_type => 'BACKEND_1',
public_endpoint => "${::openstack_integration::config::base_url}:8776", public_endpoint => "${::openstack_integration::config::base_url}:8776",
service_name => 'httpd', service_name => 'httpd',
keymgr_api_class => $keymgr_api_class,
keymgr_encryption_api_url => $keymgr_encryption_api_url,
keymgr_encryption_auth_url => $keymgr_encryption_auth_url,
} }
include ::apache include ::apache
class { '::cinder::wsgi::apache': class { '::cinder::wsgi::apache':
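Review bot: The Barbican endpoint `"${::openstack_integration::config::base_url}:9311/v1"` hardcodes port 9311 here, and the same literal port is repeated in nova.pp (`$barbican_endpoint`) and four times in barbican.pp (`public_url`/`internal_url`/`admin_url` and `host_href`), so changing the port in one file would leave the other consumers pointing at a dead endpoint; since `::openstack_integration::config` is already included at the top of this class, a single value there (a `$barbican_port` or a full Barbican base URL) referenced from all three files would keep them in step. The `else` branch sets the three keymgr values to `undef`, which presumably lets ::cinder::api fall back to its own defaults rather than removing the keys from cinder.conf; a one-line comment saying so would spare the next reader that guess. The enclosing class continues outside the hunk.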


@ -97,4 +97,19 @@ class openstack_integration::keystone (
user_domain => 'default', user_domain => 'default',
auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/", auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/",
} }
# We need tempest users to have the creator role to be able to store
# secrets in barbican. We do this by adding the creator role to the
# tempest_roles list in tempest.conf.
# We also need the Member role for some swift container tests.
# Ordinarily tempest code in dynamic_creds.py would create
# this role and assign users to it. This code is not executed, however,
# when tempest_roles is defined. Therefore we need to make sure this
# role is created here, and added to tempest_roles.
keystone_role { 'creator':
ensure => present,
}
keystone_role { 'Member':
ensure => present,
}
} }


@ -5,8 +5,13 @@
# to use Libvirt RBD backend. # to use Libvirt RBD backend.
# Defaults to false. # Defaults to false.
# #
# [*volume_encryption*]
# (optional) Boolean to configure or not volume encryption
# Defaults to false.
#
class openstack_integration::nova ( class openstack_integration::nova (
$libvirt_rbd = false, $libvirt_rbd = false,
$volume_encryption = false,
) { ) {
include ::openstack_integration::config include ::openstack_integration::config
@ -83,10 +88,22 @@ class openstack_integration::nova (
class { '::nova::conductor': } class { '::nova::conductor': }
class { '::nova::consoleauth': } class { '::nova::consoleauth': }
class { '::nova::cron::archive_deleted_rows': } class { '::nova::cron::archive_deleted_rows': }
if $volume_encryption {
$keymgr_api_class = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
$keymgr_auth_endpoint = "${::openstack_integration::config::keystone_auth_uri}/v3"
$barbican_endpoint = "${::openstack_integration::config::base_url}:9311"
} else {
$keymgr_api_class = undef
$keymgr_auth_endpoint = undef
$barbican_endpoint = undef
}
class { '::nova::compute': class { '::nova::compute':
vnc_enabled => true, vnc_enabled => true,
instance_usage_audit => true, instance_usage_audit => true,
instance_usage_audit_period => 'hour', instance_usage_audit_period => 'hour',
keymgr_api_class => $keymgr_api_class,
barbican_auth_endpoint => $keymgr_auth_endpoint,
barbican_endpoint => $barbican_endpoint,
} }
class { '::nova::compute::libvirt': class { '::nova::compute::libvirt':
libvirt_virt_type => 'qemu', libvirt_virt_type => 'qemu',
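Review bot: The local `$keymgr_auth_endpoint` feeds the `barbican_auth_endpoint` parameter of ::nova::compute while its sibling is already named `$barbican_endpoint`, and cinder.pp in this same commit names the equivalent value `$keymgr_encryption_auth_url`; renaming it to `$barbican_auth_endpoint` makes the assignment read as the parameter it sets and keeps the pair of locals consistent. The two branches are otherwise symmetric and fine. The class body continues past the hunk.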


@ -60,6 +60,10 @@
# (optional) Define if Zaqar needs to be tested. # (optional) Define if Zaqar needs to be tested.
# Default to false. # Default to false.
# #
# [*attach_encrypted_volume*]
# (optional) Define if Encrypted Volumes need to be tested.
# Default to false.
#
class openstack_integration::tempest ( class openstack_integration::tempest (
$aodh = false, $aodh = false,
$ceilometer = false, $ceilometer = false,
@ -76,6 +80,7 @@ class openstack_integration::tempest (
$swift = false, $swift = false,
$trove = false, $trove = false,
$zaqar = false, $zaqar = false,
$attach_encrypted_volume = false,
) { ) {
include ::openstack_integration::config include ::openstack_integration::config
@ -107,6 +112,7 @@ class openstack_integration::tempest (
admin_password => 'a_big_secret', admin_password => 'a_big_secret',
admin_domain_name => 'Default', admin_domain_name => 'Default',
auth_version => 'v3', auth_version => 'v3',
tempest_roles => ['Member', 'creator'], # needed to use barbican.
image_name => 'cirros', image_name => 'cirros',
image_name_alt => 'cirros_alt', image_name_alt => 'cirros_alt',
cinder_available => $cinder, cinder_available => $cinder,
@ -136,6 +142,7 @@ class openstack_integration::tempest (
compute_build_interval => 10, compute_build_interval => 10,
ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path, ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path,
manage_tests_packages => true, manage_tests_packages => true,
attach_encrypted_volume => $attach_encrypted_volume,
# TODO(emilien) optimization by 1/ using Hiera to configure Glance image source # TODO(emilien) optimization by 1/ using Hiera to configure Glance image source
# and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image. # and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image.
# img_dir => '/home/jenkins/cache/files', # img_dir => '/home/jenkins/cache/files',
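Review bot: The inline comment on `tempest_roles => ['Member', 'creator'], # needed to use barbican.` explains only one of the two roles; keystone.pp in this same commit says Member is needed for some swift container tests, creator for storing secrets in barbican, and that defining tempest_roles stops tempest from creating roles itself. Make the comment match: `# creator: store secrets in barbican; Member: swift container tests. Defining tempest_roles disables tempest's own role creation.`. The roles are set unconditionally rather than gated on $attach_encrypted_volume, which is consistent with keystone.pp creating both roles unconditionally, so no change is needed there.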


@ -190,6 +190,9 @@ TESTS="${TESTS} api.baremetal.admin.test_drivers"
# Zaqar # Zaqar
TESTS="${TESTS} TestManageQueue" TESTS="${TESTS} TestManageQueue"
# Cinder encrypted volumes
TESTS="${TESTS} TestEncryptedCinderVolumes"
print_header 'Running Tempest' print_header 'Running Tempest'
cd /tmp/openstack/tempest cd /tmp/openstack/tempest
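Review bot: `TESTS="${TESTS} TestEncryptedCinderVolumes"` is appended unconditionally, while scenario002 in this commit enables barbican only on RedHat (`$barbican_enabled = false` on the Debian family), so on Ubuntu this test is presumably skipped by tempest because attach_encrypted_volume is false rather than by the selection list; the comment should say so, e.g. `# Cinder encrypted volumes (skipped by tempest unless attach_encrypted_volume is set)`. Confirm that skip behaviour before relying on it, since otherwise the Ubuntu job would fail on this test rather than skip it.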