diff --git a/manifests/compute/libvirt/secret_ceph.pp b/manifests/compute/libvirt/secret_ceph.pp
new file mode 100644
index 000000000..039bb24d9
--- /dev/null
+++ b/manifests/compute/libvirt/secret_ceph.pp
@@ -0,0 +1,85 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Define: nova::compute::libvirt::secret_ceph
+#
+# Configure a libvirt secret with ceph type.
+#
+# === Parameters
+#
+# [*uuid*]
+# (Required) The UUID of the libvirt secret.
+#
+# [*value*]
+# (Required) The value to store in the secret.
+#
+# [*secret_name*]
+# (Optional) The name of the libvirt secret.
+# Defaults to $name
+#
+# [*secret_path*]
+# (Optional) Directory to store files related to secrets.
+# Defaults to /etc/nova
+#
+define nova::compute::libvirt::secret_ceph(
+ String $uuid,
+ String $value,
+ String[1] $secret_name = $name,
+ Stdlib::Absolutepath $secret_path = '/etc/nova',
+) {
+
+ $xml_file = "${secret_path}/libvirt-secret-${uuid}.xml"
+ file { $xml_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => epp('nova/libvirt-secret-ceph.xml.epp', {
+ 'secret_name' => $secret_name,
+ 'uuid' => $uuid,
+ }),
+ require => Anchor['nova::config::begin'],
+ }
+
+ $secret_file = "${secret_path}/libvirt-secret-${uuid}.secret"
+ file { $secret_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $value,
+ show_diff => false,
+ require => Anchor['nova::config::begin'],
+ }
+
+ exec { "get-or-set virsh secret ${uuid}":
+ command => [
+ '/usr/bin/virsh', 'secret-define', '--file', $xml_file,
+ ],
+ unless => "/usr/bin/virsh secret-list | grep -i ${uuid}",
+ require => File[$xml_file],
+ }
+ Service<| tag == 'libvirt-service' |> -> Exec["get-or-set virsh secret ${uuid}"]
+
+ exec { "set-secret-value virsh secret ${uuid}":
+ command => [
+ '/usr/bin/virsh', 'secret-set-value', '--secret', $uuid,
+ '--file', $secret_file,
+ ],
+ unless => "/usr/bin/virsh secret-get-value ${uuid} | grep -f ${secret_file}",
+ logoutput => false,
+ require => [
+ File[$secret_file],
+ Exec["get-or-set virsh secret ${uuid}"],
+ ],
+ }
+}
diff --git a/manifests/compute/rbd.pp b/manifests/compute/rbd.pp
index db173bc4c..96ec86bee 100644
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@@ -84,6 +84,10 @@
 # only in Ubuntu/Debian.
 # Defaults to 'present'
 #
+# [*manage_libvirt_secret*]
+# (optional) Manage the libvirt secret
+# Defaults to true
+#
 class nova::compute::rbd (
 $libvirt_rbd_user,
 $libvirt_rbd_secret_uuid = false,
@@ -98,6 +102,7 @@ class nova::compute::rbd (
 Boolean $manage_ceph_client = true,
 $ceph_client_ensure = 'present',
 $package_ensure = 'present',
+ Boolean $manage_libvirt_secret = true,
 ) {
 
 include nova::deps
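Review bot: `String $uuid` is interpolated unquoted into both `unless` shell strings (`grep -i ${uuid}` and `secret-get-value ${uuid}`), so the type should constrain it to UUID syntax rather than any string, e.g. `Pattern[/\A[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\z/] $uuid,`. `String $value` admits an empty string, which produces an empty pattern file and an `unless` that can never succeed, so `String[1] $value,` is the safer type. Because `grep -f` treats the stored value as regex patterns and matches substrings, `grep -F -x -f ${secret_file}` makes the idempotency check a literal whole-line comparison (assuming virsh prints the value on a single line). The `[*value*]` docs should also state that the value is persisted at `${secret_path}/libvirt-secret-${uuid}.secret` as a root-only 0600 file and remains there to serve the `unless` check.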
@@ -128,33 +133,38 @@ class nova::compute::rbd (
 'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid;
 }
 
- file { '/etc/nova/secret.xml':
- content => template('nova/secret.xml-compute.erb'),
- require => Anchor['nova::config::begin'],
- }
+ if $manage_libvirt_secret {
+ file { '/etc/nova/secret.xml':
+ content => epp('nova/libvirt-secret-ceph.xml.epp', {
+ 'secret_name' => "${rbd_keyring} secret",
+ 'uuid' => $libvirt_rbd_secret_uuid,
+ }),
+ require => Anchor['nova::config::begin'],
+ }
 
- #Variable name shrunk in favor of removing
- #the more than 140 chars puppet-lint warning.
- #variable used in the get-or-set virsh secret
- #resource.
- $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
- exec { 'get-or-set virsh secret':
- command => $cm,
- unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
- require => File['/etc/nova/secret.xml'],
- }
- Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']
+ #Variable name shrunk in favor of removing
+ #the more than 140 chars puppet-lint warning.
+ #variable used in the get-or-set virsh secret
+ #resource.
+ $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
+ exec { 'get-or-set virsh secret':
+ command => $cm,
+ unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
+ require => File['/etc/nova/secret.xml'],
+ }
+ Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']
 
- if $libvirt_rbd_secret_key {
- $libvirt_key = $libvirt_rbd_secret_key
- } else {
- $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
- }
- exec { 'set-secret-value virsh':
- command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
- unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
- logoutput => false,
- require => Exec['get-or-set virsh secret'],
+ if $libvirt_rbd_secret_key {
+ $libvirt_key = $libvirt_rbd_secret_key
+ } else {
+ $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
+ }
+ exec { 'set-secret-value virsh':
+ command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
+ unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
+ logoutput => false,
+ require => Exec['get-or-set virsh secret'],
+ }
 }
 } else {
 nova_config {
diff --git a/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml
new file mode 100644
index 000000000..2e7fd1c9f
--- /dev/null
+++ b/releasenotes/notes/libvirt-secret-ceph-b4b11706463f13c6.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Added new ``nova::compute::libvirt::secret_ceph`` resource definition that
+ can be used to create a libvirt secret of type ceph.
+ - |
+ Added new ``manage_libvirt_secret`` parameter defaulting to true in the
+ ``nova::compute::rbd`` class.
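Review bot: The re-indented `set-secret-value virsh` exec still hands the key to virsh as the `--base64 ${libvirt_key}` argument and repeats it in the `unless` grep, so the key is readable from the process list by any local user while either command runs; the `nova::compute::libvirt::secret_ceph` define added in this same commit avoids exactly that by passing `--file` pointing at a root-only 0600 file, yet this class does not use it. When `$libvirt_rbd_secret_key` is given explicitly the class could delegate to the define as sketched below, keeping the existing resources only for the `$(ceph auth get-key ${rbd_keyring})` path, which depends on shell expansion at run time and cannot go through the define's `value` parameter. The define writes `libvirt-secret-<uuid>.xml` rather than `/etc/nova/secret.xml` and uses different exec titles, so any `Exec['get-or-set virsh secret']` references elsewhere in the module would need checking before switching. The enclosing conditional whose `} else {` branch closes this hunk begins outside it.
```puppet
  if $manage_libvirt_secret {
    if $libvirt_rbd_secret_key {
      # Explicit key: let the define write it to a 0600 file and pass
      # --file to virsh so the key never appears on the command line.
      nova::compute::libvirt::secret_ceph { "${rbd_keyring} secret":
        uuid  => $libvirt_rbd_secret_uuid,
        value => $libvirt_rbd_secret_key,
      }
    } else {
      # … unchanged: secret.xml file, get-or-set virsh secret exec and
      # set-secret-value exec using "$(ceph auth get-key ${rbd_keyring})" …
    }
  }
```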
diff --git a/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
new file mode 100644
index 000000000..d3873f71a
--- /dev/null
+++ b/spec/defines/nova_compute_libvirt_secret_ceph_spec.rb
@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+describe 'nova::compute::libvirt::secret_ceph' do
+ shared_examples 'nova::compute::libvirt::secret_ceph' do
+ describe 'with required parameters' do
+ let :pre_condition do
+ "include nova"
+ end
+
+ let :params do
+ {
+ :uuid => '4f515eff-47e4-425c-b24d-9c6adc56401c',
+ :value => 'AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==',
+ :secret_name => 'client.openstack',
+ :secret_path => '/tmp',
+ }
+ end
+
+ let :title do
+ 'random'
+ end
+
+ it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml').with(
+ :ensure => 'present',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :require => 'Anchor[nova::config::begin]',
+ )}
+
+ it {
+ verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml', [
+ "",
+ " ",
+ " client.openstack",
+ " ",
+ " 4f515eff-47e4-425c-b24d-9c6adc56401c",
+ ""
+ ])
+ }
+
+ it { is_expected.to contain_file('/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret').with(
+ :ensure => 'present',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :show_diff => false,
+ :require => 'Anchor[nova::config::begin]',
+ )}
+
+ it {
+ verify_contents(catalogue, '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret', [
+ "AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==",
+ ])
+ }
+
+ it { is_expected.to contain_exec('get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+ :command => [
+ '/usr/bin/virsh', 'secret-define', '--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml',
+ ],
+ :unless => "/usr/bin/virsh secret-list | grep -i 4f515eff-47e4-425c-b24d-9c6adc56401c",
+ :require => 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml]',
+ )}
+
+ it { is_expected.to contain_exec('set-secret-value virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c').with(
+ :command => [
+ '/usr/bin/virsh', 'secret-set-value', '--secret', '4f515eff-47e4-425c-b24d-9c6adc56401c',
+ '--file', '/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret',
+ ],
+ :unless => "/usr/bin/virsh secret-get-value 4f515eff-47e4-425c-b24d-9c6adc56401c | grep -f /tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret",
+ :logoutput => false,
+ :require => [
+ 'File[/tmp/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.secret]',
+ 'Exec[get-or-set virsh secret 4f515eff-47e4-425c-b24d-9c6adc56401c]',
+ ],
+ )}
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'nova::compute::libvirt::secret_ceph'
+ end
+ end
+end
diff --git a/templates/libvirt-secret-ceph.xml.epp b/templates/libvirt-secret-ceph.xml.epp
new file mode 100644
index 000000000..fa9f9bc0e
--- /dev/null
+++ b/templates/libvirt-secret-ceph.xml.epp
@@ -0,0 +1,6 @@
+
+
+ <%= $secret_name -%>
+
+ <%= $uuid -%>
+
diff --git a/templates/secret.xml-compute.erb b/templates/secret.xml-compute.erb
deleted file mode 100644
index c772552b3..000000000
--- a/templates/secret.xml-compute.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
- <%= @rbd_keyring %> secret
-
- <%= @libvirt_rbd_secret_uuid %>
-
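Review bot: Every example in this spec supplies all four parameters, so the defaults the define advertises — `secret_name` falling back to `$name` and `secret_path` to `/etc/nova` — are never exercised, and a regression in either default would still pass. A second `describe` that passes only `:uuid` and `:value` with the title `'random'`, then expects `/etc/nova/libvirt-secret-4f515eff-47e4-425c-b24d-9c6adc56401c.xml` and `.secret` to exist and the rendered XML to carry `random` as the secret name, would cover both defaults. Since the `shared_examples` block already runs once per OS from `on_supported_os`, the added example costs little.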