Fix key_manager config for Queens
keymgr_api_class is now deprecated in favor of keymgr_backend, with full backward compatibility for users. keymgr_backend is set to cinder.keymgr.conf_key_mgr.ConfKeyManager by default and configure key_manager/backend instead of key_manager/api_class. It reflects what openstack/cinder did in Queens cycle. Change-Id: I6f015a4ed4980d37622bb2931477af916cfc9003 Related-Bug: #1725298
This commit is contained in:
parent
d1d662d8a7
commit
aa87b39e73
|
@ -26,11 +26,6 @@
|
||||||
# (optional) Auth URL associated with the OpenStack privileged account.
|
# (optional) Auth URL associated with the OpenStack privileged account.
|
||||||
# Defaults to $::os_service_default.
|
# Defaults to $::os_service_default.
|
||||||
#
|
#
|
||||||
# [*keymgr_api_class*]
|
|
||||||
# (optional) Key Manager service class.
|
|
||||||
# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
|
|
||||||
# Defaults to $::os_service_default
|
|
||||||
#
|
|
||||||
# [*keymgr_encryption_api_url*]
|
# [*keymgr_encryption_api_url*]
|
||||||
# (optional) Key Manager service URL
|
# (optional) Key Manager service URL
|
||||||
# Example of valid value: https://localhost:9311/v1
|
# Example of valid value: https://localhost:9311/v1
|
||||||
|
@ -151,6 +146,11 @@
|
||||||
# If this value is modified the catalog URLs in the keystone::auth class
|
# If this value is modified the catalog URLs in the keystone::auth class
|
||||||
# will also need to be changed to match.
|
# will also need to be changed to match.
|
||||||
#
|
#
|
||||||
|
# [*keymgr_backend*]
|
||||||
|
# (optional) Key Manager service class.
|
||||||
|
# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
|
||||||
|
# Defaults to 'cinder.keymgr.conf_key_mgr.ConfKeyManager'.
|
||||||
|
#
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
#
|
#
|
||||||
# [*validation_options*]
|
# [*validation_options*]
|
||||||
|
@ -169,6 +169,11 @@
|
||||||
# try_sleep: 10
|
# try_sleep: 10
|
||||||
# Defaults to {}
|
# Defaults to {}
|
||||||
#
|
#
|
||||||
|
# [*keymgr_api_class*]
|
||||||
|
# (optional) Deprecated. Key Manager service class.
|
||||||
|
# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
|
||||||
|
# Defaults to undef.
|
||||||
|
#
|
||||||
class cinder::api (
|
class cinder::api (
|
||||||
$nova_catalog_info = 'compute:Compute Service:publicURL',
|
$nova_catalog_info = 'compute:Compute Service:publicURL',
|
||||||
$nova_catalog_admin_info = 'compute:Compute Service:adminURL',
|
$nova_catalog_admin_info = 'compute:Compute Service:adminURL',
|
||||||
|
@ -178,7 +183,6 @@ class cinder::api (
|
||||||
$os_privileged_user_password = $::os_service_default,
|
$os_privileged_user_password = $::os_service_default,
|
||||||
$os_privileged_user_tenant = $::os_service_default,
|
$os_privileged_user_tenant = $::os_service_default,
|
||||||
$os_privileged_user_auth_url = $::os_service_default,
|
$os_privileged_user_auth_url = $::os_service_default,
|
||||||
$keymgr_api_class = $::os_service_default,
|
|
||||||
$keymgr_encryption_api_url = $::os_service_default,
|
$keymgr_encryption_api_url = $::os_service_default,
|
||||||
$keymgr_encryption_auth_url = $::os_service_default,
|
$keymgr_encryption_auth_url = $::os_service_default,
|
||||||
$service_workers = $::os_workers,
|
$service_workers = $::os_workers,
|
||||||
|
@ -203,8 +207,10 @@ class cinder::api (
|
||||||
$ca_file = $::os_service_default,
|
$ca_file = $::os_service_default,
|
||||||
$auth_strategy = 'keystone',
|
$auth_strategy = 'keystone',
|
||||||
$osapi_volume_listen_port = $::os_service_default,
|
$osapi_volume_listen_port = $::os_service_default,
|
||||||
|
$keymgr_backend = 'cinder.keymgr.conf_key_mgr.ConfKeyManager',
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
$validation_options = {},
|
$validation_options = {},
|
||||||
|
$keymgr_api_class = undef,
|
||||||
) inherits cinder::params {
|
) inherits cinder::params {
|
||||||
|
|
||||||
include ::cinder::deps
|
include ::cinder::deps
|
||||||
|
@ -229,6 +235,13 @@ class cinder::api (
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $keymgr_api_class {
|
||||||
|
warning('The keymgr_api_class parameter is deprecated, use keymgr_backend')
|
||||||
|
$keymgr_backend_real = $keymgr_api_class
|
||||||
|
} else {
|
||||||
|
$keymgr_backend_real = $keymgr_backend
|
||||||
|
}
|
||||||
|
|
||||||
if $::cinder::params::api_package {
|
if $::cinder::params::api_package {
|
||||||
package { 'cinder-api':
|
package { 'cinder-api':
|
||||||
ensure => $package_ensure,
|
ensure => $package_ensure,
|
||||||
|
@ -317,7 +330,7 @@ running as a standalone service, or httpd for being run by a httpd server")
|
||||||
}
|
}
|
||||||
|
|
||||||
cinder_config {
|
cinder_config {
|
||||||
'key_manager/api_class': value => $keymgr_api_class;
|
'key_manager/backend': value => $keymgr_backend_real;
|
||||||
'barbican/barbican_endpoint': value => $keymgr_encryption_api_url;
|
'barbican/barbican_endpoint': value => $keymgr_encryption_api_url;
|
||||||
'barbican/auth_endpoint': value => $keymgr_encryption_auth_url;
|
'barbican/auth_endpoint': value => $keymgr_encryption_auth_url;
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
keymgr_api_class is now deprecated in favor of keymgr_backend, with
|
||||||
|
full backward compatibility for users.
|
||||||
|
keymgr_backend is set to cinder.keymgr.conf_key_mgr.ConfKeyManager
|
||||||
|
by default and configure key_manager/backend instead of
|
||||||
|
key_manager/api_class. It reflects what openstack/cinder did in Queens
|
||||||
|
cycle.
|
|
@ -60,7 +60,7 @@ describe 'cinder::api' do
|
||||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('key_manager/api_class').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('key_manager/backend').with_value('cinder.keymgr.conf_key_mgr.ConfKeyManager')
|
||||||
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_cinder_config('oslo_middleware/enable_proxy_headers_parsing').with('value' => '<SERVICE DEFAULT>')
|
is_expected.to contain_cinder_config('oslo_middleware/enable_proxy_headers_parsing').with('value' => '<SERVICE DEFAULT>')
|
||||||
|
@ -360,18 +360,29 @@ describe 'cinder::api' do
|
||||||
describe 'with barbican parameters' do
|
describe 'with barbican parameters' do
|
||||||
let :params do
|
let :params do
|
||||||
req_params.merge!({
|
req_params.merge!({
|
||||||
:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
|
:keymgr_backend => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
|
||||||
:keymgr_encryption_api_url => 'https://localhost:9311/v1',
|
:keymgr_encryption_api_url => 'https://localhost:9311/v1',
|
||||||
:keymgr_encryption_auth_url => 'https://localhost:5000/v3',
|
:keymgr_encryption_auth_url => 'https://localhost:5000/v3',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
it 'should set keymgr parameters' do
|
it 'should set keymgr parameters' do
|
||||||
is_expected.to contain_cinder_config('key_manager/api_class').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
|
is_expected.to contain_cinder_config('key_manager/backend').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
|
||||||
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
|
is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
|
||||||
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
|
is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'with barbican deprecated parameters' do
|
||||||
|
let :params do
|
||||||
|
req_params.merge!({
|
||||||
|
:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
it 'should set keymgr parameter' do
|
||||||
|
is_expected.to contain_cinder_config('key_manager/backend').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
on_supported_os({
|
on_supported_os({
|
||||||
|
|
Loading…
Reference in New Issue