Allow keymgr attributes to be configured.

The keymgr section attributes 'api_class' 'fixed_key' should be configured to be used for encryption. Change-Id: I9e6c91bb67243b839bc10f7d906f8a3bf73ed791 Closes-Bug: 1468171
2015-06-24 16:18:38 +08:00 · 2015-06-24 16:18:38 +08:00 · 01678f7513
parent 2efe3277a1
commit 01678f7513
4 changed files with 41 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -295,6 +295,12 @@ Bare Metal Configuration Attributes
  `openstack['compute']['config']['reserved_host_memory_mb']`
 * `openstack['compute']['scheduler']['baremetal_default_filters']` A list of filters enabled for baremetal schedulers that support them.

+Keymgr Configuration Attributes
+-------------------------------
+
+* `openstack["compute"]["keymgr"]["api_class"] - the full class name of the key manager API class.
+* `openstack["compute"]["keymgr"]["fixed_key"] - the fixed key returned by key manager, specified in hex (string value).
+
 Scheduler Configuration Attributes
 ----------------------------------

--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -634,6 +634,10 @@ default['openstack']['compute']['vmware']['integration_bridge'] = 'br-int'
 default['openstack']['compute']['bare-metal']['admin_username'] = 'ironic'
 default['openstack']['compute']['bare-metal']['admin_tenant_name'] = 'service'

+# Keymgr options
+default['openstack']['compute']['keymgr']['api_class'] = 'nova.keymgr.conf_key_mgr.ConfKeyManager'
+default['openstack']['compute']['keymgr']['fixed_key'] = nil
+
 # Boolean to decide whether to use baremetal_scheduler_default_filters or not.
 default['openstack']['compute']['scheduler']['use_baremetal_filters'] = false

--- a/spec/nova-common_spec.rb
+++ b/spec/nova-common_spec.rb
@ -602,6 +602,20 @@ describe 'openstack-compute::nova-common' do
          .with_section_content('libvirt', /^disk_cachemodes=disk:writethrough$/)
      end

+      it 'has keymgr api_class attribute default set' do
+        expect(chef_run).to render_config_file(file.name).with_section_content('keymgr', /^api_class=nova.keymgr.conf_key_mgr.ConfKeyManager$/)
+      end
+
+      it 'does not have keymgr attribute fixed_key set by default' do
+        expect(chef_run).not_to render_file(file.name).with_content(/^fixed_key=$/)
+      end
+
+      it 'allow override for keymgr attribute fixed_key' do
+        chef_run.node.set['openstack']['compute']['keymgr']['fixed_key'] = '1111111111111111111111111111111111111111111111111111111111111111'
+        expect(chef_run).to render_config_file(file.name)\
+          .with_section_content('keymgr', /^fixed_key=1111111111111111111111111111111111111111111111111111111111111111$/)
+      end
+
      context 'metering' do
        describe 'metering disabled' do
          it 'leaves default audit options' do
--- a/templates/default/nova.conf.erb
+++ b/templates/default/nova.conf.erb
@ -798,6 +798,23 @@ admin_url=<%= @identity_endpoint.to_s %>
 # Ironic keystone tenant name. (string value)
 admin_tenant_name=<%= node['openstack']['compute']['bare-metal']['admin_tenant_name'] %>

+[keymgr]
+
+#
+#Options defined in nova.keymgr
+#
+
+#The full class name of the key manager API class (string value)
+api_class=<%= node["openstack"]["compute"]["keymgr"]["api_class"] %>
+
+#
+# Options defined in nova.keymgr.conf_key_mgr
+#
+
+# Fixed key returned by key manager, specified in hex (string value)
+<% if node["openstack"]["compute"]["keymgr"]["fixed_key"] -%>
+fixed_key=<%= node["openstack"]["compute"]["keymgr"]["fixed_key"] %>
+<% end -%>

 [oslo_concurrency]