Refactor using new style

* use new logic for heat.conf template
* move all attributes that are used in heat.conf to
  attributes/heat_conf.rb
* remove all attributes that are just setting default values
* add new default attributes so that the authorisation setup will be
  functional again
* refactored endpoint and bind_service logic to fit the new common
  cookbook
* adapt specs accordingly
* removed qpid as a messaging option (can be included in a wrapper)
* removed fedora as supported platform
* removed deprecated Gemfile
* removed logic for setting up a dedicated domain for Heat, should be
  done in a wrapper
* update README.md accordingly (still incomplete)

Implements: blueprint cookbook-refactoring
Change-Id: I16a29e28068d106f0edcbe04cb529aabbbed1ac5
Jens Rosenboom 2016-03-01 17:00:03 +01:00
parent 9fe64485f5
commit 5d70ac53fa
11 changed files with 202 additions and 2435 deletions

14
Gemfile

@ -1,14 +0,0 @@
## THIS GEMFILE IS DEPRECATED AND WILL BE REMOVED AFTER THE NEXT RELEASE
## THERE WON'T BE ANY UPDATES TO THIS FILE DURING THIS RELEASE CYCLE
## WE SWITCHED TO CHEFDK AS THE BUNDLE FOR THE NEEDED GEMS
source 'https://rubygems.org'
gem 'chef', '~> 11.18.6'
gem 'json', '<= 1.7.7' # chef 11 dependency
gem 'berkshelf', '~> 3.2.1'
gem 'hashie', '~> 2.0'
gem 'chefspec', '~> 4.0.0'
gem 'rspec', '~> 3.0.0'
gem 'foodcritic', '~> 4.0'
gem 'rubocop', '~> 0.29.1'

146
README.md

@ -54,150 +54,46 @@ Attributes
Attributes for the Heat service are in the ['openstack']['orchestration'] namespace.
* `openstack['orchestration']['verbose']` - Enables/disables verbose output for heat services.
* `openstack['orchestration']['debug']` - Enables/disables debug output for heat services.
* `openstack['orchestration']['identity_service_chef_role']` - The name of the Chef role that installs the Keystone Service API
* `openstack['orchestration']['rabbit_server_chef_role']` - The name of the Chef role that knows about the message queue server
* `openstack['orchestration']['user']` - User heat runs as
* `openstack['orchestration']['group']` - Group heat runs as
* `openstack['orchestration']['num_engine_workers']` - Number of heat-engine processes to fork and run.
* `openstack['orchestration']['api']['workers']` - Number of workers for Heat api service.
* `openstack['orchestration']['api_cfn']['workers']` - Number of workers for Heat api cfn service.
* `openstack['orchestration']['api_cloudwatch']['workers']` - Number of workers for Heat api cloudwatch service.
* `openstack['orchestration']['db']['username']` - Username for heat database access
* `openstack['orchestration']['api']['adminURL']` - Used when registering heat endpoint with keystone
* `openstack['orchestration']['api']['internalURL']` - Used when registering heat endpoint with keystone
* `openstack['orchestration']['api']['publicURL']` - Used when registering heat endpoint with keystone
* `openstack['orchestration']['service_tenant_name']` - Tenant name used by heat when interacting with keystone - used in the API and registry paste.ini files
* `openstack['orchestration']['service_user']` - User name used by heat when interacting with keystone - used in the API and registry paste.ini files
* `openstack['orchestration']['service_role']` - User role used by heat when interacting with keystone - used in the API and registry paste.ini files
* `openstack['orchestration']['api']['auth']['cache_dir']` - Defaults to `/var/cache/heat`. Directory where `auth_token` middleware writes certificates for heat
* `openstack['db']['orchestration']['username']` - Username for heat database access
* `openstack['orchestration']['service_role']` - User role used by heat when interacting with keystone, defaults to 'service'. Used in the API and registry paste.ini files
* `openstack['orchestration']['syslog']['use']` - Should heat log to syslog?
* `openstack['orchestration']['syslog']['facility']` - Which facility heat should use when logging in python style (for example, `LOG_LOCAL1`)
* `openstack['orchestration']['syslog']['config_facility']` - Which facility heat should use when logging in rsyslog style (for example, local1)
* `openstack['orchestration']['rpc_thread_pool_size']` - size of RPC thread pool
* `openstack['orchestration']['rpc_conn_pool_size']` - size of RPC connection pool
* `openstack['orchestration']['rpc_response_timeout']` - seconds to wait for a response from call or multicall
* `openstack['orchestration']['platform']` - hash of platform specific package/service names and options
* `openstack['orchestration']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
* `openstack['orchestration']['api']['auth']['memcached_servers']` - A list of memcached server(s) for caching
* `openstack['orchestration']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
* `openstack['orchestration']['api']['auth']['memcache_secret_key']` - This string is used for key derivation.
* `openstack['orchestration']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens.
* `openstack['orchestration']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections.
* `openstack['orchestration']['api']['auth']['insecure']` - Whether to allow the client to perform insecure SSL (https) requests.
* `openstack['orchestration']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with the identity service.
Clients configurations
----------------------
* `openstack['orchestration']['clients']['ca_file']` - A PEM encoded Certificate Authority to use for clients when verifying HTTPs connections.
* `openstack['orchestration']['clients']['cert_file']` - Cert file to use for clients when verifying HTTPs connections.
* `openstack['orchestration']['clients']['key_file']` - Private key file to use for clients when verifying HTTPs connections.
* `openstack['orchestration']['clients']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients.
clients_ceilometer configurations
---------------------------------
* `openstack['orchestration']['clients_ceilometer']['ca_file']` - A PEM encoded Certificate Authority to use for clients_ceilometer when verifying HTTPs connections.
* `openstack['orchestration']['clients_ceilometer']['cert_file']` - Cert file to use for clients_ceilometer when verifying HTTPs connections.
* `openstack['orchestration']['clients_ceilometer']['key_file']` - Private key file to use for clients_ceilometer when verifying HTTPs connections.
* `openstack['orchestration']['clients_ceilometer']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_ceilometer.
clients_cinder configurations
-----------------------------
* `openstack['orchestration']['clients_cinder']['ca_file']` - A PEM encoded Certificate Authority to use for clients_cinder when verifying HTTPs connections.
* `openstack['orchestration']['clients_cinder']['cert_file']` - Cert file to use for clients_cinder when verifying HTTPs connections.
* `openstack['orchestration']['clients_cinder']['key_file']` - Private key file to use for clients_cinder when verifying HTTPs connections.
* `openstack['orchestration']['clients_cinder']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_cinder.
clients_glance configurations
-----------------------------
* `openstack['orchestration']['clients_glance']['ca_file']` - A PEM encoded Certificate Authority to use for clients_glance when verifying HTTPs connections.
* `openstack['orchestration']['clients_glance']['cert_file']` - Cert file to use for clients_glance when verifying HTTPs connections.
* `openstack['orchestration']['clients_glance']['key_file']` - Private key file to use for clients_glance when verifying HTTPs connections.
* `openstack['orchestration']['clients_glance']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_glance.
clients_heat configurations
---------------------------
* `openstack['orchestration']['clients_heat']['ca_file']` - A PEM encoded Certificate Authority to use for clients_heat when verifying HTTPs connections.
* `openstack['orchestration']['clients_heat']['cert_file']` - Cert file to use for clients_heat when verifying HTTPs connections.
* `openstack['orchestration']['clients_heat']['key_file']` - Private key file to use for clients_heat when verifying HTTPs connections.
* `openstack['orchestration']['clients_heat']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_heat.
clients_keystone configurations
-------------------------------
* `openstack['orchestration']['clients_keystone']['ca_file']` - A PEM encoded Certificate Authority to use for clients_keystone when verifying HTTPs connections.
* `openstack['orchestration']['clients_keystone']['cert_file']` - Cert file to use for clients_keystone when verifying HTTPs connections.
* `openstack['orchestration']['clients_keystone']['key_file']` - Private key file to use for clients_keystone when verifying HTTPs connections.
* `openstack['orchestration']['clients_keystone']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_keystone.
clients_neutron configurations
------------------------------
* `openstack['orchestration']['clients_neutron']['ca_file']` - A PEM encoded Certificate Authority to use for clients_neutron when verifying HTTPs connections.
* `openstack['orchestration']['clients_neutron']['cert_file']` - Cert file to use for clients_neutron when verifying HTTPs connections.
* `openstack['orchestration']['clients_neutron']['key_file']` - Private key file to use for clients_neutron when verifying HTTPs connections.
* `openstack['orchestration']['clients_neutron']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_neutron.
clients_nova configurations
---------------------------------
* `openstack['orchestration']['clients_nova']['ca_file']` - A PEM encoded Certificate Authority to use for clients_nova when verifying HTTPs connections.
* `openstack['orchestration']['clients_nova']['cert_file']` - Cert file to use for clients_nova when verifying HTTPs connections.
* `openstack['orchestration']['clients_nova']['key_file']` - Private key file to use for clients_nova when verifying HTTPs connections.
* `openstack['orchestration']['clients_nova']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients_nova.
Notification definitions
------------------------
* `openstack['orchestration']['notification_driver']` - driver
* `openstack['orchestration']['default_notification_level']` - level
* `openstack['orchestration']['default_publisher_id']` - publisher id
* `openstack['orchestration']['list_notifier_drivers']` - list of drivers
* `openstack['orchestration']['notification_topics']` - notifications topics
TODO: update this section adding new attributes
MQ attributes
-------------
* `openstack["orchestration"]["mq"]["service_type"]` - Select qpid or rabbitmq. default rabbitmq
TODO: move rabbit parameters under openstack["orchestration"]["mq"]
* `openstack["orchestration"]["rabbit"]["username"]` - Username for nova rabbit access
* `openstack["orchestration"]["rabbit"]["vhost"]` - The rabbit vhost to use
* `openstack["orchestration"]["rabbit"]["port"]` - The rabbit port to use
* `openstack["orchestration"]["rabbit"]["host"]` - The rabbit host to use (must set when `openstack["orchestration"]["rabbit"]["ha"]` false).
* `openstack["orchestration"]["rabbit"]["ha"]` - Whether or not to use rabbit ha
* `openstack["orchestration"]["mq"]["qpid"]["host"]` - The qpid host to use
* `openstack["orchestration"]["mq"]["qpid"]["port"]` - The qpid port to use
* `openstack["orchestration"]["mq"]["qpid"]["qpid_hosts"]` - Qpid hosts. TODO. use only when ha is specified.
* `openstack["orchestration"]["mq"]["qpid"]["username"]` - Username for qpid connection
* `openstack["orchestration"]["mq"]["qpid"]["password"]` - Password for qpid connection
* `openstack["orchestration"]["mq"]["qpid"]["sasl_mechanisms"]` - Space separated list of SASL mechanisms to use for auth
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_timeout"]` - The number of seconds to wait before deciding that a reconnect attempt has failed.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_limit"]` - The limit for the number of times to reconnect before considering the connection to be failed.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_interval_min"]` - Minimum number of seconds between connection attempts.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_interval_max"]` - Maximum number of seconds between connection attempts.
* `openstack["orchestration"]["mq"]["qpid"]["reconnect_interval"]` - Equivalent to setting qpid_reconnect_interval_min and qpid_reconnect_interval_max to the same value.
* `openstack["orchestration"]["mq"]["qpid"]["heartbeat"]` - Seconds between heartbeat messages sent to ensure that the connection is still alive.
* `openstack["orchestration"]["mq"]["qpid"]["protocol"]` - Protocol to use. Default tcp.
* `openstack["orchestration"]["mq"]["qpid"]["tcp_nodelay"]` - Disable the Nagle algorithm. default disabled.
TODO: update this section with the new attributes
The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
Service bindings
----------------
* `openstack['endpoints']['orchestration-api-bind']['host']` - The IP address to bind the service to
* `openstack['endpoints']['orchestration-api-bind']['port']` - The port to bind the service to
* `openstack['endpoints']['orchestration-api-bind']['bind_interface']` - The interface name to bind the service to
* `openstack['bind_service']['all']['orchestration-api']['host']` - The IP address to bind the service to
* `openstack['bind_service']['all']['orchestration-api']['port']` - The port to bind the service to
* `openstack['bind_service']['all']['orchestration-api']['interface']` - The interface to bind the service to
* `openstack['endpoints']['orchestration-api-cfn-bind']['host']` - The IP address to bind the service to
* `openstack['endpoints']['orchestration-api-cfn-bind']['port']` - The port to bind the service to
* `openstack['endpoints']['orchestration-api-cfn-bind']['bind_interface']` - The interface name to bind the-cfn service to
* `openstack['bind_service']['all']['orchestration-api-cfn']['host']` - The IP address to bind the service to
* `openstack['bind_service']['all']['orchestration-api-cfn']['port']` - The port to bind the service to
* `openstack['bind_service']['all']['orchestration-api-cfn']['interface']` - The interface to bind the service to
* `openstack['endpoints']['orchestration-api-cloudwatch-bind']['host']` - The IP address to bind the service to
* `openstack['endpoints']['orchestration-api-cloudwatch-bind']['port']` - The port to bind the service to
* `openstack['endpoints']['orchestration-api-cloudwatch-bind']['bind_interface']` - The interface name to bind the-cloudwatch service to
* `openstack['bind_service']['all']['orchestration-api-cloudwatch']['host']` - The IP address to bind the service to
* `openstack['bind_service']['all']['orchestration-api-cloudwatch']['port']` - The port to bind the service to
* `openstack['bind_service']['all']['orchestration-api-cloudwatch']['interface']` - The interface to bind the service to
If the value of the 'bind_interface' attribute is non-nil, then the service will be bound to the first IP address on that interface. If the value of the 'bind_interface' attribute is nil, then the service will be bound to the IP address specifie>
If the value of the 'interface' attribute is non-nil, then the service will be bound to the first IP address on that interface and
the 'host' attribute will be ignored.
If the value of the 'interface' attribute is nil (which is the default), then the service will be bound to the IP address specified
in the 'host' attribute.
Miscellaneous Options
---------------------
Arrays whose elements will be copied exactly into the respective config files (contents e.g. ['option1=value1', 'option2=value2']).
* `openstack["orchestration"]["misc_heat"]` - Array of bare options for `heat.conf`.
* `orchestration_auth_encryption_key` - Key used to encrypt authentication info in the database. Length of this key must be 16, 24 or 32 characters. Comes from secrets databag.
Testing
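Review bot: The two `TODO: update this section ...` lines (under "Notification definitions" and "MQ attributes") leave this README with no mention of the `openstack['orchestration']['conf']` namespace that attributes/heat_conf.rb introduces, so a reader cannot tell which of the attributes listed here still take effect and which now have to be set through `conf`. Before merging, or in a direct follow-up, add a short section describing the `['conf'][section][option]` pattern with one example taken from heat_conf.rb, and state there where the TLS-related client options (`ca_file`, `insecure`) are expected to be set, since those are the ones an operator is most likely to look for.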
@ -215,9 +111,11 @@ License and Author
| **Author** | Ionut Artarisi (<iartarisi@suse.cz>) |
| **Author** | Mark Vanderwiel (<vanderwl@us.ibm.com>) |
| **Author** | Jan Klare (<j.klare@x-ion.de>) |
| **Author** | Dr. Jens Rosenboom (<j.rosenboom@x-ion.de>) |
| | |
| **Copyright** | Copyright (c) 2013-2014, IBM Corp. |
| **Copyright** | Copyright (c) 2014, SUSE Linux, GmbH. |
| **Copyright** | Copyright (c) 2016, x-ion GmbH. |
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.


@ -17,192 +17,54 @@
# limitations under the License.
#
%w(public internal admin).each do |ep_type|
# openstack orchestration-api service endpoints (used by users and services)
default['openstack']['endpoints'][ep_type]['orchestration-api']['host'] = '127.0.0.1'
default['openstack']['endpoints'][ep_type]['orchestration-api']['scheme'] = 'http'
default['openstack']['endpoints'][ep_type]['orchestration-api']['path'] = '/v1/%(tenant_id)s'
default['openstack']['endpoints'][ep_type]['orchestration-api']['port'] = 8004
# openstack orchestration-api-cfn service endpoints (used by users and services)
default['openstack']['endpoints'][ep_type]['orchestration-api-cfn']['host'] = '127.0.0.1'
default['openstack']['endpoints'][ep_type]['orchestration-api-cfn']['scheme'] = 'http'
default['openstack']['endpoints'][ep_type]['orchestration-api-cfn']['path'] = '/v1'
default['openstack']['endpoints'][ep_type]['orchestration-api-cfn']['port'] = 8000
# openstack orchestration-api-cloudwatch service endpoints (used by users and services)
default['openstack']['endpoints'][ep_type]['orchestration-api-cloudwatch']['host'] = '127.0.0.1'
default['openstack']['endpoints'][ep_type]['orchestration-api-cloudwatch']['scheme'] = 'http'
default['openstack']['endpoints'][ep_type]['orchestration-api-cloudwatch']['path'] = '/v1'
default['openstack']['endpoints'][ep_type]['orchestration-api-cloudwatch']['port'] = 8003
end
default['openstack']['bind_service']['all']['orchestration-api']['host'] = '127.0.0.1'
default['openstack']['bind_service']['all']['orchestration-api']['port'] = 8004
default['openstack']['bind_service']['all']['orchestration-api-cfn']['host'] = '127.0.0.1'
default['openstack']['bind_service']['all']['orchestration-api-cfn']['port'] = 8000
default['openstack']['bind_service']['all']['orchestration-api-cloudwatch']['host'] = '127.0.0.1'
default['openstack']['bind_service']['all']['orchestration-api-cloudwatch']['port'] = 8003
# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default['openstack']['orchestration']['custom_template_banner'] = '
# This file autogenerated by Chef
# This file was autogenerated by Chef
# Do not edit, changes will be overwritten
'
default['openstack']['orchestration']['verbose'] = 'False'
default['openstack']['orchestration']['debug'] = 'False'
default['openstack']['orchestration']['log_dir'] = '/var/log/heat'
default['openstack']['orchestration']['syslog']['use']
# This is the name of the Chef role that will install the Keystone Service API
default['openstack']['orchestration']['identity_service_chef_role'] = 'os-identity'
# Number of heat-engine processes to fork and run.
default['openstack']['orchestration']['num_engine_workers'] = nil
# Number of workers for Heat api service.
default['openstack']['orchestration']['api']['workers'] = 0
# Number of workers for Heat api cfn service.
default['openstack']['orchestration']['api_cfn']['workers'] = 0
# Number of workers for Heat api cloudwatch service.
default['openstack']['orchestration']['api_cloudwatch']['workers'] = 0
# Gets set in the Heat Endpoint when registering with Keystone
default['openstack']['orchestration']['region'] = node['openstack']['region']
# The name of the Chef role that knows about the message queue server
# that Heat uses
default['openstack']['orchestration']['rabbit_server_chef_role'] = 'os-ops-messaging'
default['openstack']['orchestration']['service_tenant_name'] = 'service'
default['openstack']['orchestration']['service_user'] = 'heat'
default['openstack']['orchestration']['service_role'] = 'service'
default['openstack']['orchestration']['ec2authtoken']['auth']['version'] = 'v2.0'
default['openstack']['orchestration']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
# A PEM encoded Certificate Authority to use for clients when verifying HTTPs connections.
default['openstack']['orchestration']['clients']['ca_file'] = nil
# Cert file to use for clients when verifying HTTPs connections.
default['openstack']['orchestration']['clients']['cert_file'] = nil
# Private key file to use for clients when verifying HTTPs connections.
default['openstack']['orchestration']['clients']['key_file'] = nil
# Whether to allow insecure SSL (https) requests when calling clients.
default['openstack']['orchestration']['clients']['insecure'] = false
# A PEM encoded Certificate Authority to use for clients_ceilometer when verifying HTTPs connections.
default['openstack']['orchestration']['clients_ceilometer']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_ceilometer when verifying HTTPs connections.
default['openstack']['orchestration']['clients_ceilometer']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_ceilometer when verifying HTTPs connections.
default['openstack']['orchestration']['clients_ceilometer']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_ceilometer.
default['openstack']['orchestration']['clients_ceilometer']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A PEM encoded Certificate Authority to use for clients_cinder when verifying HTTPs connections.
default['openstack']['orchestration']['clients_cinder']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_cinder when verifying HTTPs connections.
default['openstack']['orchestration']['clients_cinder']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_cinder when verifying HTTPs connections.
default['openstack']['orchestration']['clients_cinder']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_cinder.
default['openstack']['orchestration']['clients_cinder']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A PEM encoded Certificate Authority to use for clients_glance when verifying HTTPs connections.
default['openstack']['orchestration']['clients_glance']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_glance when verifying HTTPs connections.
default['openstack']['orchestration']['clients_glance']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_glance when verifying HTTPs connections.
default['openstack']['orchestration']['clients_glance']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_glance.
default['openstack']['orchestration']['clients_glance']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A PEM encoded Certificate Authority to use for clients_heat when verifying HTTPs connections.
default['openstack']['orchestration']['clients_heat']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_heat when verifying HTTPs connections.
default['openstack']['orchestration']['clients_heat']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_heat when verifying HTTPs connections.
default['openstack']['orchestration']['clients_heat']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_heat.
default['openstack']['orchestration']['clients_heat']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A PEM encoded Certificate Authority to use for clients_keystone when verifying HTTPs connections.
default['openstack']['orchestration']['clients_keystone']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_keystone when verifying HTTPs connections.
default['openstack']['orchestration']['clients_keystone']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_keystone when verifying HTTPs connections.
default['openstack']['orchestration']['clients_keystone']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_keystone.
default['openstack']['orchestration']['clients_keystone']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A PEM encoded Certificate Authority to use for clients_neutron when verifying HTTPs connections.
default['openstack']['orchestration']['clients_neutron']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_neutron when verifying HTTPs connections.
default['openstack']['orchestration']['clients_neutron']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_neutron when verifying HTTPs connections.
default['openstack']['orchestration']['clients_neutron']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_neutron.
default['openstack']['orchestration']['clients_neutron']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A PEM encoded Certificate Authority to use for clients_nova when verifying HTTPs connections.
default['openstack']['orchestration']['clients_nova']['ca_file'] = node['openstack']['orchestration']['clients']['ca_file']
# Cert file to use for clients_nova when verifying HTTPs connections.
default['openstack']['orchestration']['clients_nova']['cert_file'] = node['openstack']['orchestration']['clients']['cert_file']
# Private key file to use for clients_nova when verifying HTTPs connections.
default['openstack']['orchestration']['clients_nova']['key_file'] = node['openstack']['orchestration']['clients']['key_file']
# Whether to allow insecure SSL (https) requests when calling clients_nova.
default['openstack']['orchestration']['clients_nova']['insecure'] = node['openstack']['orchestration']['clients']['insecure']
# A list of memcached server(s) for caching
default['openstack']['orchestration']['api']['auth']['memcached_servers'] = nil
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
default['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] = nil
# This string is used for key derivation
default['openstack']['orchestration']['api']['auth']['memcache_secret_key'] = nil
# Hash algorithms to use for hashing PKI tokens
default['openstack']['orchestration']['api']['auth']['hash_algorithms'] = 'md5'
# A PEM encoded Certificate Authority to use when verifying HTTPs connections
default['openstack']['orchestration']['api']['auth']['cafile'] = nil
# Whether to allow the client to perform insecure SSL (https) requests
default['openstack']['orchestration']['api']['auth']['insecure'] = false
# Keystone role for heat template-defined users. (string value)
default['openstack']['orchestration']['heat_stack_user_role'] = nil
# Keystone domain id which contains heat template-defined users.
# If this option is set, stack_user_domain_name option
# will be ignored. (string value)
default['openstack']['orchestration']['stack_user_domain_id'] = nil
# Keystone domain name which contains heat template-defined users. (string value)
default['openstack']['orchestration']['stack_user_domain_name'] = nil
# Keystone username, a user with roles sufficient to manage
# users and projects in the stack_user_domain. (string value)
default['openstack']['orchestration']['stack_domain_admin'] = nil
# Select deferred auth method, stored password or trusts.
default['openstack']['orchestration']['deferred_auth_method'] = 'trusts'
# If true, will passing stack information to scheduler hints when creating instances.
default['openstack']['orchestration']['stack_scheduler_hints'] = false
# If set, heat API service will bind to the address on this interface,
# otherwise it will bind to the API endpoint's host.
default['openstack']['orchestration']['api']['bind_interface'] = nil
# If set, heat api-cfn service will bind to the address on this interface,
# otherwise it will bind to the API endpoint's host.
default['openstack']['orchestration']['api-cfn']['bind_interface'] = nil
# If set, heat api-cloudwatch service will bind to the address on this interface,
# otherwise it will bind to the API endpoint's host.
default['openstack']['orchestration']['api-cloudwatch']['bind_interface'] = nil
# Keystone PKI signing directory. Only written to the filter:authtoken section
# of the api-paste.ini when node['openstack']['auth']['strategy'] == 'pki'
default['openstack']['orchestration']['api']['auth']['cache_dir'] = '/var/cache/heat'
# logging attribute
default['openstack']['orchestration']['syslog']['use'] = false
default['openstack']['orchestration']['syslog']['facility'] = 'LOG_LOCAL2'
default['openstack']['orchestration']['syslog']['config_facility'] = 'local2'
# Common rpc definitions
default['openstack']['orchestration']['rpc_thread_pool_size'] = 64
default['openstack']['orchestration']['rpc_conn_pool_size'] = 30
default['openstack']['orchestration']['rpc_response_timeout'] = 60
# Notification definitions
default['openstack']['orchestration']['notification_driver'] = 'heat.openstack.common.notifier.rpc_notifier'
default['openstack']['orchestration']['default_notification_level'] = 'INFO'
default['openstack']['orchestration']['default_publisher_id'] = ''
default['openstack']['orchestration']['list_notifier_drivers'] = 'heat.openstack.common.notifier.no_op_notifier'
default['openstack']['orchestration']['notification_topics'] = 'notifications'
# Array of options for `heat.conf` (e.g. ['option1=value1', 'option2=value2'])
default['openstack']['orchestration']['misc_heat'] = nil
# platform-specific settings
case platform_family
when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
when 'rhel'
default['openstack']['orchestration']['user'] = 'heat'
default['openstack']['orchestration']['group'] = 'heat'
default['openstack']['orchestration']['platform'] = {
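Review bot: The line `default['openstack']['orchestration']['syslog']['use']` directly after the `log_dir` default has no assignment, so it sets nothing, while the same key is given `false` further down under `# logging attribute`. Give it an explicit value (`= false`) or drop the line, so the syslog default is unambiguous for anyone reading the attribute file.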

26
attributes/heat_conf.rb Normal file

@ -0,0 +1,26 @@
# encoding: UTF-8
#
# Cookbook Name:: openstack-orchestration
# Attributes:: default
#
# Copyright 2013, IBM Corp.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
default['openstack']['orchestration']['conf']['DEFAULT']['log_dir'] = '/var/log/heat'
default['openstack']['orchestration']['conf']['DEFAULT']['notification_driver'] = 'heat.openstack.common.notifier.rpc_notifier'
default['openstack']['orchestration']['conf']['keystone_authtoken']['auth_plugin'] = 'v2password'
default['openstack']['orchestration']['conf']['keystone_authtoken']['username'] = 'heat'
default['openstack']['orchestration']['conf']['keystone_authtoken']['tenant_name'] = 'service'
default['openstack']['orchestration']['conf']['trustee']['auth_plugin'] = 'v2password'
default['openstack']['orchestration']['conf']['trustee']['username'] = 'heat'
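Review bot: The header comment of this new file still reads "Attributes:: default" although the file is attributes/heat_conf.rb; rename it to "Attributes:: heat_conf" so the two attribute files can be told apart. A short comment would also help here, saying that the matching passwords for the `keystone_authtoken` and `trustee` sections are not set in this file but injected through `conf_secrets` in the common recipe. The `notification_driver` value is carried over unchanged from the old default ('heat.openstack.common.notifier.rpc_notifier'); please confirm it is still the driver path the targeted Heat release expects.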

View File

@ -5,7 +5,7 @@ maintainer_email 'openstack-dev@lists.openstack.org'
license 'Apache 2.0'
description 'Installs and configures the Heat Service'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '12.0.0'
version '13.0.0'
recipe 'openstack-orchestration::api', 'Start and configure the Heat API service'
recipe 'openstack-orchestration::api-cfn', 'Start and configure the Heat API CloudFormation service'
recipe 'openstack-orchestration::api-cloudwatch', 'Start and configure the Heat API CloudWatch service'
@ -14,9 +14,9 @@ recipe 'openstack-orchestration::common', 'Installs packages and configures a He
recipe 'openstack-orchestration::engine', 'Sets up Heat database and starts Heat Engine service'
recipe 'openstack-orchestration::identity_registration', 'Registers Heat service, user and endpoints with Keystone'
%w(ubuntu fedora redhat centos).each do |os|
%w(ubuntu redhat centos).each do |os|
supports os
end
depends 'openstack-common', '>= 12.0.0'
depends 'openstack-identity', '>= 12.0.0'
depends 'openstack-common', '>= 13.0.0'
depends 'openstack-identity', '>= 13.0.0'
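Review bot: Both `depends` lines keep an open-ended `'>= 13.0.0'` constraint, so a later major release of openstack-common or openstack-identity will be accepted by the resolver even though this refactoring is tied to the new common cookbook's helpers (`merge_config_options`, `bind_service`). Consider a bounded constraint such as `'~> 13.0'`, or pin the versions in the Berksfile, so an incompatible major version cannot be pulled in silently.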

View File

@ -49,91 +49,98 @@ node['openstack']['db']['python_packages'][db_type].each do |pkg|
end
end
unless node['openstack']['orchestration']['conf']['DEFAULT']['rpc_backend'].nil? &&
node['openstack']['orchestration']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'
user = node['openstack']['mq']['orchestration']['rabbit']['userid']
node.default['openstack']['orchestration']['conf']
.[]('oslo_messaging_rabbit')['rabbit_userid'] = user
node.default['openstack']['orchestration']['conf_secrets']
.[]('oslo_messaging_rabbit')['rabbit_password'] =
get_password 'user', user
end
db_user = node['openstack']['db']['orchestration']['username']
db_pass = get_password 'db', 'heat'
sql_connection = db_uri('orchestration', db_user, db_pass)
identity_endpoint = internal_endpoint 'identity-internal'
identity_admin_endpoint = admin_endpoint 'identity-admin'
heat_api_bind = internal_endpoint 'orchestration-api-bind'
heat_api_endpoint = internal_endpoint 'orchestration-api'
heat_api_cfn_bind = internal_endpoint 'orchestration-api-cfn-bind'
heat_api_cfn_endpoint = internal_endpoint 'orchestration-api-cfn'
heat_api_cloudwatch_bind = internal_endpoint 'orchestration-api-cloudwatch-bind'
heat_api_cloudwatch_endpoint = internal_endpoint 'orchestration-api-cloudwatch'
identity_endpoint = internal_endpoint 'identity'
identity_admin_endpoint = admin_endpoint 'identity'
service_pass = get_password 'service', 'openstack-orchestration'
auth_encryption_key = get_password 'token', 'orchestration_auth_encryption_key'
stack_domain_admin_password = nil
if node['openstack']['orchestration']['stack_domain_admin']
stack_domain_admin_password = get_password 'user', node['openstack']['orchestration']['stack_domain_admin']
end
bind_services = node['openstack']['bind_service']['all']
api_bind = bind_services['orchestration-api']
api_cfn_bind = bind_services['orchestration-api-cfn']
api_cfn_endpoint = internal_endpoint 'orchestration-api-cfn'
api_cw_bind = bind_services['orchestration-api-cloudwatch']
api_cw_endpoint = internal_endpoint 'orchestration-api-cloudwatch'
ec2_auth_uri = auth_uri_transform identity_endpoint.to_s, node['openstack']['orchestration']['ec2authtoken']['auth']['version']
auth_uri = auth_uri_transform identity_endpoint.to_s, node['openstack']['orchestration']['api']['auth']['version']
identity_uri = identity_uri_transform(identity_admin_endpoint)
mq_service_type = node['openstack']['mq']['orchestration']['service_type']
# We need these URIs without their default path
metadata_uri = "#{api_cfn_endpoint.scheme}://#{api_cfn_endpoint.host}:#{api_cfn_endpoint.port}"
watch_uri = "#{api_cw_endpoint.scheme}://#{api_cw_endpoint.host}:#{api_cw_endpoint.port}"
if mq_service_type == 'rabbitmq'
if node['openstack']['mq']['orchestration']['rabbit']['ha']
rabbit_hosts = rabbit_servers
end
mq_password = get_password 'user', node['openstack']['mq']['orchestration']['rabbit']['userid']
elsif mq_service_type == 'qpid'
mq_password = get_password 'user', node['openstack']['mq']['orchestration']['qpid']['username']
# define attributes that are needed in the heat.conf
node.default['openstack']['orchestration']['conf'].tap do |conf|
conf['DEFAULT']['heat_metadata_server_url'] = metadata_uri
conf['DEFAULT']['heat_waitcondition_server_url'] = "#{api_cfn_endpoint}/waitcondition"
conf['DEFAULT']['heat_watch_server_url'] = watch_uri
conf['DEFAULT']['region_name_for_services'] = node['openstack']['region']
conf['clients_keystone']['auth_uri'] = auth_uri
conf['ec2authtoken']['auth_uri'] = ec2_auth_uri
conf['heat_api']['bind_host'] = bind_address api_bind
conf['heat_api']['bind_port'] = api_bind.port
conf['heat_api_cfn']['bind_host'] = bind_address api_cfn_bind
conf['heat_api_cfn']['bind_port'] = api_cfn_bind.port
conf['heat_api_cloudwatch']['bind_host'] = bind_address api_cw_bind
conf['heat_api_cloudwatch']['bind_port'] = api_cw_bind.port
conf['keystone_authtoken']['auth_url'] = auth_uri
conf['trustee']['auth_url'] = identity_admin_endpoint
end
# define secrets that are needed in the heat.conf
node.default['openstack']['orchestration']['conf_secrets'].tap do |conf_secrets|
conf_secrets['DEFAULT']['auth_encryption_key'] =
get_password 'token', 'orchestration_auth_encryption_key'
conf_secrets['database']['connection'] =
db_uri('orchestration', db_user, db_pass)
conf_secrets['keystone_authtoken']['password'] =
get_password 'service', 'openstack-orchestration'
conf_secrets['trustee']['password'] =
get_password 'service', 'openstack-orchestration'
end
# merge all config options and secrets to be used in the heat.conf
heat_conf_options = merge_config_options 'orchestration'
directory '/etc/heat' do
group node['openstack']['orchestration']['group']
owner node['openstack']['orchestration']['user']
mode 00700
group node['openstack']['orchestration']['group']
mode 00750
action :create
end
directory '/etc/heat/environment.d' do
group node['openstack']['orchestration']['group']
owner node['openstack']['orchestration']['user']
mode 00700
group node['openstack']['orchestration']['group']
mode 00750
action :create
end
directory node['openstack']['orchestration']['api']['auth']['cache_dir'] do
owner node['openstack']['orchestration']['user']
group node['openstack']['orchestration']['group']
mode 00700
end
template '/etc/heat/heat.conf' do
source 'heat.conf.erb'
group node['openstack']['orchestration']['group']
source 'openstack-service.conf.erb'
cookbook 'openstack-common'
owner node['openstack']['orchestration']['user']
group node['openstack']['orchestration']['group']
mode 00640
variables(
stack_domain_admin_password: stack_domain_admin_password,
mq_service_type: mq_service_type,
mq_password: mq_password,
rabbit_hosts: rabbit_hosts,
ec2_auth_uri: ec2_auth_uri,
auth_uri: auth_uri,
identity_uri: identity_uri,
service_pass: service_pass,
auth_encryption_key: auth_encryption_key,
sql_connection: sql_connection,
heat_api_bind: heat_api_bind,
heat_api_endpoint: heat_api_endpoint,
heat_api_cfn_bind: heat_api_cfn_bind,
heat_api_cfn_endpoint: heat_api_cfn_endpoint,
heat_api_cloudwatch_bind: heat_api_cloudwatch_bind,
heat_api_cloudwatch_endpoint: heat_api_cloudwatch_endpoint
service_config: heat_conf_options
)
end
template '/etc/heat/environment.d/default.yaml' do
source 'default.yaml.erb'
group node['openstack']['orchestration']['group']
owner node['openstack']['orchestration']['user']
group node['openstack']['orchestration']['group']
mode 00644
end
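Review bot: The guard at the top of this hunk, `unless ...['rpc_backend'].nil? && ...['rpc_backend'] == 'rabbit'`, can never skip the block: a value cannot be nil and equal to 'rabbit' at the same time, so the condition is always false and the rabbit user and password are looked up and set for every backend, including when `rpc_backend` is unset. It should probably read `if node['openstack']['orchestration']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'`. Two further points in the same hunk: the passwords, the auth encryption key and the database connection string are written to `node.default[...]['conf_secrets']`, and default attributes are saved with the node object at the end of the run, so these values end up readable by anyone who can read node data on the Chef server; please clear them after the template is rendered or pass them to the template without going through node attributes. Also, /etc/heat and /etc/heat/environment.d go from mode 00700 to 00750 while heat.conf stays at 00640, which widens read access to members of the heat group; a line in the commit message explaining why the group needs to traverse these directories would help.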

View File

@ -24,7 +24,7 @@ class ::Chef::Recipe # rubocop:disable Documentation
include ::Openstack
end
identity_admin_endpoint = admin_endpoint 'identity-admin'
identity_admin_endpoint = admin_endpoint 'identity'
token = get_password 'token', 'openstack_identity_bootstrap_token'
auth_url = ::URI.decode identity_admin_endpoint.to_s
@ -37,11 +37,10 @@ internal_heat_cfn_endpoint = internal_endpoint 'orchestration-api-cfn'
public_heat_cfn_endpoint = public_endpoint 'orchestration-api-cfn'
service_pass = get_password 'service', 'openstack-orchestration'
service_tenant_name = node['openstack']['orchestration']['service_tenant_name']
service_user = node['openstack']['orchestration']['service_user']
service_tenant_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['tenant_name']
service_user = node['openstack']['orchestration']['conf']['keystone_authtoken']['username']
service_role = node['openstack']['orchestration']['service_role']
region = node['openstack']['orchestration']['region']
stack_user_role = node['openstack']['orchestration']['heat_stack_user_role']
region = node['openstack']['orchestration']['conf']['DEFAULT']['region_name_for_services']
# Do not configure a service/endpoint in keystone for heat-api-cloudwatch(Bug #1167927),
# See discussions on https://bugs.launchpad.net/heat/+bug/1167927
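Review bot: `region` is now read from `node['openstack']['orchestration']['conf']['DEFAULT']['region_name_for_services']`, but that attribute is not defined in attributes/heat_conf.rb; it is only assigned through `node.default` inside the common recipe. If identity_registration is compiled on a node, or earlier in a run list, where the common recipe has not been evaluated, `region` will be nil and the endpoints get registered without a region. Either read `node['openstack']['region']` directly here or give `region_name_for_services` a default in the attributes file. `service_role` on the unchanged line above still comes from the old `node['openstack']['orchestration']['service_role']` attribute, so that default needs to survive the cleanup in attributes/default.rb.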
@ -133,39 +132,3 @@ openstack_identity_register "Grant '#{service_role}' Role to #{service_user} Use
action :grant_role
end
## Create role for heat template defined users ##
openstack_identity_register "Create '#{stack_user_role}' Role for template defined users" do
auth_uri auth_url
bootstrap_token token
role_name stack_user_role
action :create_role
not_if { stack_user_role.nil? }
end
stack_user_domain_name = node['openstack']['orchestration']['stack_user_domain_name']
stack_domain_admin = node['openstack']['orchestration']['stack_domain_admin']
if !stack_user_role.nil? && !stack_user_domain_name.nil? && !stack_domain_admin.nil?
stack_domain_admin_password = get_password 'user', stack_domain_admin
admin_user = node['openstack']['identity']['admin_user']
admin_pass = get_password 'user', admin_user
ca_cert = node['openstack']['orchestration']['clients']['ca_file']
cert_file = node['openstack']['orchestration']['clients']['cert_file']
key_file = node['openstack']['orchestration']['clients']['key_file']
insecure = node['openstack']['orchestration']['clients']['insecure'] && '--insecure' || ''
execute 'heat-keystone-setup-domain' do
environment 'OS_USERNAME' => admin_user,
'OS_PASSWORD' => admin_pass,
'OS_AUTH_URL' => auth_url,
'OS_CACERT' => ca_cert,
'OS_CERT' => cert_file,
'OS_KEY' => key_file,
'HEAT_DOMAIN' => stack_user_domain_name,
'HEAT_DOMAIN_ADMIN' => stack_domain_admin,
'HEAT_DOMAIN_PASSWORD' => stack_domain_admin_password
command "heat-keystone-setup-domain #{insecure}"
end
end

View File

@ -31,14 +31,5 @@ describe 'openstack-orchestration::common' do
expect(chef_run).not_to upgrade_package 'python-ibm-db'
expect(chef_run).not_to upgrade_package 'python-ibm-db-sa'
end
describe 'heat.conf' do
let(:file) { chef_run.template('/etc/heat/heat.conf') }
it 'adds misc_heat array correctly' do
node.set['openstack']['orchestration']['misc_heat'] = ['MISC_OPTION=FOO']
expect(chef_run).to render_file(file.name).with_content('MISC_OPTION=FOO')
end
end
end
end

View File

@ -68,83 +68,14 @@ describe 'openstack-orchestration::identity_registration' do
)
end
it 'register heat-api endpoint with different admin url' do
it 'registers heat-api endpoint with different urls' do
admin_url = 'https://admin.host:123/admin_path'
general_url = 'http://general.host:456/general_path'
# Set the general endpoint
node.set['openstack']['endpoints']['orchestration-api']['uri'] = general_url
# Set the admin endpoint override
node.set['openstack']['endpoints']['admin']['orchestration-api']['uri'] = admin_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'orchestration',
endpoint_region: 'RegionOne',
endpoint_adminurl: admin_url,
endpoint_internalurl: general_url,
endpoint_publicurl: general_url,
action: [:create_endpoint]
)
end
it 'register heat-api endpoint with different public url' do
public_url = 'https://public.host:789/public_path'
general_url = 'http://general.host:456/general_path'
# Set the general endpoint
node.set['openstack']['endpoints']['orchestration-api']['uri'] = general_url
# Set the public endpoint override
node.set['openstack']['endpoints']['public']['orchestration-api']['uri'] = public_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'orchestration',
endpoint_region: 'RegionOne',
endpoint_adminurl: general_url,
endpoint_internalurl: general_url,
endpoint_publicurl: public_url,
action: [:create_endpoint]
)
end
it 'register heat-api endpoint with different internal url' do
public_url = 'http://public.host:456/public_path'
internal_url = 'http://internal.host:456/internal_path'
general_url = 'http://general.host:456/general_path'
# Set general endpoint
node.set['openstack']['endpoints']['orchestration-api']['uri'] = general_url
# Set the internal endpoint override
node.set['openstack']['endpoints']['internal']['orchestration-api']['uri'] = internal_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'orchestration',
endpoint_region: 'RegionOne',
endpoint_adminurl: general_url,
endpoint_internalurl: internal_url,
endpoint_publicurl: general_url,
action: [:create_endpoint]
)
end
it 'register heat-api endpoint with all different urls' do
admin_url = 'https://admin.host:123/admin_path'
internal_url = 'http://internal.host:456/internal_path'
public_url = 'https://public.host:789/public_path'
node.set['openstack']['endpoints']['admin']['orchestration-api']['uri'] = admin_url
node.set['openstack']['endpoints']['internal']['orchestration-api']['uri'] = internal_url
node.set['openstack']['endpoints']['public']['orchestration-api']['uri'] = public_url
node.set['openstack']['endpoints']['internal']['orchestration-api']['uri'] = internal_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
@ -175,69 +106,6 @@ describe 'openstack-orchestration::identity_registration' do
)
end
it 'register heat-cfn endpoint with different admin url' do
admin_url = 'https://admin.host:123/admin_path'
general_url = 'http://general.host:456/general_path'
# Set the general endpoint
node.set['openstack']['endpoints']['orchestration-api-cfn']['uri'] = general_url
# Set the admin endpoint override
node.set['openstack']['endpoints']['admin']['orchestration-api-cfn']['uri'] = admin_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Cloudformation Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'cloudformation',
endpoint_region: 'RegionOne',
endpoint_adminurl: admin_url,
endpoint_internalurl: general_url,
endpoint_publicurl: general_url,
action: [:create_endpoint]
)
end
it 'register heat-cfn endpoint with different public url' do
public_url = 'https://public.host:789/public_path'
general_url = 'http://general.host:456/general_path'
# Set the general endpoint
node.set['openstack']['endpoints']['orchestration-api-cfn']['uri'] = general_url
# Set the public endpoint override
node.set['openstack']['endpoints']['public']['orchestration-api-cfn']['uri'] = public_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Cloudformation Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'cloudformation',
endpoint_region: 'RegionOne',
endpoint_adminurl: general_url,
endpoint_internalurl: general_url,
endpoint_publicurl: public_url,
action: [:create_endpoint]
)
end
it 'register heat-cfn endpoint with different internal url' do
internal_url = 'http://internal.host:456/internal_path'
general_url = 'http://general.host:456/general_path'
# Set the general endpoint
node.set['openstack']['endpoints']['orchestration-api-cfn']['uri'] = general_url
# Set the internal endpoint override
node.set['openstack']['endpoints']['internal']['orchestration-api-cfn']['uri'] = internal_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Cloudformation Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'cloudformation',
endpoint_region: 'RegionOne',
endpoint_adminurl: general_url,
endpoint_internalurl: internal_url,
endpoint_publicurl: general_url,
action: [:create_endpoint]
)
end
it 'register heat-cfn endpoint with all different urls' do
admin_url = 'https://admin.host:123/admin_path'
internal_url = 'http://internal.host:456/internal_path'
@ -308,68 +176,5 @@ describe 'openstack-orchestration::identity_registration' do
action: [:create_role]
)
end
it 'creates role for template defined users' do
node.set['openstack']['orchestration']['heat_stack_user_role'] = 'heat_stack_user'
expect(chef_run).to create_role_openstack_identity_register(
"Create 'heat_stack_user' Role for template defined users"
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
role_name: 'heat_stack_user',
action: [:create_role]
)
end
it 'does not call domain setup script by default' do
expect(chef_run).not_to run_execute('heat-keystone-setup-domain')
end
it 'calls domain setup script with insecure mode' do
node.set['openstack']['orchestration']['heat_stack_user_role'] = 'heat_stack_user'
node.set['openstack']['orchestration']['stack_user_domain_name'] = 'stack_user_domain_name'
node.set['openstack']['orchestration']['stack_domain_admin'] = 'stack_domain_admin'
node.set['openstack']['orchestration']['clients']['insecure'] = true
node.set['openstack']['endpoints']['identity-admin']['scheme'] = 'https'
expect(chef_run).to run_execute('heat-keystone-setup-domain --insecure')
.with(
environment: { 'OS_USERNAME' => 'admin',
'OS_PASSWORD' => 'admin_pass',
'OS_AUTH_URL' => 'https://127.0.0.1:35357/v2.0',
'OS_CACERT' => nil,
'OS_CERT' => nil,
'OS_KEY' => nil,
'HEAT_DOMAIN' => 'stack_user_domain_name',
'HEAT_DOMAIN_ADMIN' => 'stack_domain_admin',
'HEAT_DOMAIN_PASSWORD' => 'stack_domain_admin_pass'
}
)
end
it 'calls domain setup script with secure mode' do
node.set['openstack']['orchestration']['heat_stack_user_role'] = 'heat_stack_user'
node.set['openstack']['orchestration']['stack_user_domain_name'] = 'stack_user_domain_name'
node.set['openstack']['orchestration']['stack_domain_admin'] = 'stack_domain_admin'
node.set['openstack']['orchestration']['clients']['insecure'] = false
node.set['openstack']['orchestration']['clients']['ca_file'] = 'path/cacert'
node.set['openstack']['orchestration']['clients']['cert_file'] = 'path/cert_file'
node.set['openstack']['orchestration']['clients']['key_file'] = 'path/key_file'
node.set['openstack']['endpoints']['identity-admin']['scheme'] = 'https'
expect(chef_run).to run_execute('heat-keystone-setup-domain ')
.with(
environment: { 'OS_USERNAME' => 'admin',
'OS_PASSWORD' => 'admin_pass',
'OS_AUTH_URL' => 'https://127.0.0.1:35357/v2.0',
'OS_CACERT' => 'path/cacert',
'OS_CERT' => 'path/cert_file',
'OS_KEY' => 'path/key_file',
'HEAT_DOMAIN' => 'stack_user_domain_name',
'HEAT_DOMAIN_ADMIN' => 'stack_domain_admin',
'HEAT_DOMAIN_PASSWORD' => 'stack_domain_admin_pass'
}
)
end
end
end

View File

@ -43,15 +43,9 @@ shared_context 'orchestration_stubs' do
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'admin-user')
.and_return 'admin-pass'
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'heat_stack_admin')
.and_return 'heat_stack_domain_admin_password'
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('service', 'openstack-orchestration')
.and_return 'heat-pass'
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'stack_domain_admin')
.and_return 'stack_domain_admin_pass'
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'admin')
.and_return 'admin_pass'
@ -103,7 +97,7 @@ shared_examples 'expects to create heat directories' do
expect(chef_run).to create_directory('/etc/heat').with(
owner: 'heat',
group: 'heat',
mode: 0700
mode: 0750
)
end
@ -111,15 +105,7 @@ shared_examples 'expects to create heat directories' do
expect(chef_run).to create_directory('/etc/heat/environment.d').with(
owner: 'heat',
group: 'heat',
mode: 0700
)
end
it 'creates /var/cache/heat' do
expect(chef_run).to create_directory('/var/cache/heat').with(
owner: 'heat',
group: 'heat',
mode: 0700
mode: 0750
)
end
end
@ -136,356 +122,105 @@ shared_examples 'expects to create heat conf' do
)
end
describe 'workers' do
it 'has default worker values' do
[
'heat_api',
'heat_api_cfn',
'heat_api_cloudwatch'
].each do |section|
expect(chef_run).to render_config_file(file.name).with_section_content(section, /^workers=0$/)
end
end
it 'has engine workers not set by default' do
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', /^num_engine_workers=/)
end
it 'allows engine workers override' do
node.set['openstack']['orchestration']['num_engine_workers'] = 5
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^num_engine_workers=5$/)
end
end
it 'uses default values for these attributes and they are not set' do
expect(chef_run).not_to render_file(file.name).with_content(
/^memcached_servers=/)
expect(chef_run).not_to render_file(file.name).with_content(
/^memcache_security_strategy=/)
expect(chef_run).not_to render_file(file.name).with_content(
/^memcache_secret_key=/)
expect(chef_run).not_to render_file(file.name).with_content(
/^cafile=/)
end
it 'sets memcached server(s)' do
node.set['openstack']['orchestration']['api']['auth']['memcached_servers'] = 'localhost:11211'
expect(chef_run).to render_file(file.name).with_content(/^memcached_servers=localhost:11211$/)
end
it 'sets memcache security strategy' do
node.set['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] = 'MAC'
expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy=MAC$/)
end
it 'sets memcache secret key' do
node.set['openstack']['orchestration']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key=0123456789ABCDEF$/)
end
it 'sets cafile' do
node.set['openstack']['orchestration']['api']['auth']['cafile'] = 'dir/to/path'
expect(chef_run).to render_file(file.name).with_content(%r{^cafile=dir/to/path$})
end
it 'sets token hash algorithms' do
node.set['openstack']['orchestration']['api']['auth']['hash_algorithms'] = 'sha2'
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms=sha2$/)
end
it 'sets insecure' do
node.set['openstack']['orchestration']['api']['auth']['insecure'] = false
expect(chef_run).to render_file(file.name).with_content(/^insecure=false$/)
end
it 'sets auth_encryption_key' do
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^auth_encryption_key=auth_encryption_key_secret$/)
end
describe 'default values for certificates files' do
it 'has no such values' do
[
/^ca_file=/,
/^cert_file=/,
/^key_file=/
].each do |line|
expect(chef_run).not_to render_file(file.name).with_content(line)
end
end
it 'sets clients ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_ceilometer ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_ceilometer']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_ceilometer']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_ceilometer']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_ceilometer']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_cinder ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_cinder']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_cinder']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_cinder']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_cinder']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_glance ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_glance']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_glance']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_glance']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_glance']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_heat ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_heat']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_heat']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_heat']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_heat']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_keystone ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_keystone']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_keystone']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_keystone']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_keystone']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_neutron ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_neutron']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_neutron']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_neutron']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_neutron']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
it 'sets clients_nova ca_file cert_file key_file insecure' do
node.set['openstack']['orchestration']['clients_nova']['ca_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_nova']['cert_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_nova']['key_file'] = 'dir/to/path'
node.set['openstack']['orchestration']['clients_nova']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
end
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^auth_encryption_key = auth_encryption_key_secret$/)
end
describe 'default values' do
it 'has default conf values' do
[
%r{^connection=mysql://heat:heat@127.0.0.1:3306/heat\?charset=utf8$},
%r{^heat_metadata_server_url=http://127.0.0.1:8000$},
%r{^heat_waitcondition_server_url=http://127.0.0.1:8000/v1/waitcondition$},
%r{^heat_watch_server_url=http://127.0.0.1:8003$},
%r{^signing_dir=/var/cache/heat$},
/^debug=False$/,
/^verbose=False$/,
%r{^log_dir=/var/log/heat$},
%r{^heat_metadata_server_url = http://127.0.0.1:8000$},
%r{^heat_waitcondition_server_url = http://127.0.0.1:8000/v1/waitcondition$},
%r{^heat_watch_server_url = http://127.0.0.1:8003$},
%r{^log_dir = /var/log/heat$},
/^notification_driver = heat.openstack.common.notifier.rpc_notifier$/,
/^default_notification_level = INFO$/,
/^default_publisher_id = $/,
/^list_notifier_drivers = heat.openstack.common.notifier.no_op_notifier$/,
/^notification_topics = notifications$/,
/^rpc_thread_pool_size=64$/,
/^rpc_response_timeout=60$/,
/^bind_host=127.0.0.1$/,
/^bind_port=8004$/,
%r{^auth_uri=http://127.0.0.1:5000/v2.0$},
%r{^identity_uri=http://127.0.0.1:35357/$},
/^auth_version=v2.0$/,
/^hash_algorithms=md5$/,
/^insecure=false$/,
/^admin_user=heat$/,
/^admin_password=heat-pass$/,
/^admin_tenant_name=service$/,
/^deferred_auth_method=trusts$/,
/^stack_scheduler_hints=false$/,
/^region_name_for_services=RegionOne$/
/^region_name_for_services = RegionOne$/
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', line)
end
end
it 'overrides the schemes' do
node.set['openstack']['endpoints']['orchestration-api-cfn']['scheme'] = 'https'
node.set['openstack']['endpoints']['orchestration-api-cloudwatch']['scheme'] = 'https'
expect(chef_run).to render_file(file.name).with_content(%r{^heat_metadata_server_url=https://127.0.0.1:8000$})
expect(chef_run).to render_file(file.name).with_content(%r{^heat_waitcondition_server_url=https://127.0.0.1:8000/v1/waitcondition$})
expect(chef_run).to render_file(file.name).with_content(%r{^heat_watch_server_url=https://127.0.0.1:8003$})
end
end
describe 'domain values' do
it 'has no default domain values' do
it 'has heat_api binding' do
[
/^heat_stack_user_role=/,
/^stack_user_domain_name=/,
/^stack_user_domain_id=/,
/^stack_domain_admin=/,
/^stack_domain_admin_password=/
/^bind_host = 127.0.0.1$/,
/^bind_port = 8004$/
].each do |line|
expect(chef_run).not_to render_file(file.name).with_content(line)
expect(chef_run).to render_config_file(file.name).with_section_content('heat_api', line)
end
end
it 'has domain override values' do
node.set['openstack']['orchestration']['heat_stack_user_role'] = 'heat_stack_user'
node.set['openstack']['orchestration']['stack_user_domain_name'] = 'heat'
node.set['openstack']['orchestration']['stack_user_domain_id'] = '123'
node.set['openstack']['orchestration']['stack_domain_admin'] = 'heat_stack_admin'
it 'has heat_api_cfn binding' do
[
/^heat_stack_user_role=heat_stack_user$/,
/^stack_user_domain_name=heat$/,
/^stack_user_domain_id=123$/,
/^stack_domain_admin=heat_stack_admin$/,
/^stack_domain_admin_password=heat_stack_domain_admin_password$/
/^bind_host = 127.0.0.1$/,
/^bind_port = 8000$/
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
expect(chef_run).to render_config_file(file.name).with_section_content('heat_api_cfn', line)
end
end
end
describe 'has qpid values' do
it 'has default qpid_* values' do
node.set['openstack']['mq']['orchestration']['service_type'] = 'qpid'
it 'has heat_api_cloudwatch binding' do
[
/^rpc_conn_pool_size=30$/,
/^amqp_durable_queues=false$/,
/^amqp_auto_delete=false$/,
/^qpid_hostname=127.0.0.1$/,
/^qpid_port=5672$/,
/^qpid_username=guest$/,
/^qpid_password=mq-pass$/,
/^qpid_sasl_mechanisms=$/,
/^qpid_heartbeat=60$/,
/^qpid_protocol=tcp$/,
/^qpid_tcp_nodelay=true$/,
/^qpid_reconnect_timeout=0$/,
/^qpid_reconnect_limit=0$/,
/^qpid_reconnect_interval_min=0$/,
/^qpid_reconnect_interval_max=0$/,
/^qpid_reconnect_interval=0$/,
/^qpid_topology_version=1$/
/^bind_host = 127.0.0.1$/,
/^bind_port = 8003$/
].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_qpid', line)
expect(chef_run).to render_config_file(file.name).with_section_content('heat_api_cloudwatch', line)
end
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^rpc_backend=heat.openstack.common.rpc.impl_qpid$/)
end
it 'sets database connection value' do
expect(chef_run).to render_config_file(file.name).with_section_content(
'database', %r{^connection = mysql://heat:heat@127.0.0.1:3306/heat\?charset=utf8$})
end
end
describe 'has ec2authtoken values' do
it 'has default ec2authtoken values' do
expect(chef_run).to render_config_file(file.name).with_section_content('ec2authtoken', %r{^auth_uri=http://127.0.0.1:5000/v2.0$})
expect(chef_run).to render_config_file(file.name).with_section_content('ec2authtoken', %r{^auth_uri = http://127.0.0.1:5000/v2.0$})
end
end
describe 'has rabbit values' do
before do
node.set['openstack']['mq']['orchestration']['service_type'] = 'rabbitmq'
describe 'has clients_keystone values' do
it 'has default clients_keystone values' do
expect(chef_run).to render_config_file(file.name).with_section_content('clients_keystone', %r{^auth_uri = http://127.0.0.1:5000/v2.0$})
end
end
it 'has default rabbit values' do
[/^rpc_conn_pool_size=30$/,
/^amqp_durable_queues=false$/,
/^amqp_auto_delete=false$/,
/^heartbeat_timeout_threshold=0$/,
/^heartbeat_rate=2$/
].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', line)
end
end
it 'does not have rabbit ha values' do
describe 'has oslo_messaging_rabbit values' do
it 'has default oslo_messaging_rabbit values' do
[
/^rabbit_host=127.0.0.1$/,
/^rabbit_port=5672$/,
/^rabbit_ha_queues=False$/
/^rabbit_userid = guest$/,
/^rabbit_password = mq-pass$/
].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', line)
end
end
end
it 'has rabbit ha values' do
node.set['openstack']['mq']['orchestration']['rabbit']['ha'] = true
describe 'has keystone_authtoken values' do
it 'has default keystone_authtoken values' do
[
/^rabbit_hosts=1.1.1.1:5672,2.2.2.2:5672$/,
/^rabbit_ha_queues=True$/
%r{^auth_url = http://127.0.0.1:5000/v2.0$},
/^auth_plugin = v2password$/,
/^username = heat$/,
/^tenant_name = service$/,
/^password = heat-pass$/
].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', line)
expect(chef_run).to render_config_file(file.name).with_section_content('keystone_authtoken', line)
end
end
end
it 'does not have ssl config set' do
[/^rabbit_use_ssl=/,
/^kombu_ssl_version=/,
/^kombu_ssl_keyfile=/,
/^kombu_ssl_certfile=/,
/^kombu_ssl_ca_certs=/,
/^kombu_reconnect_delay=/,
/^kombu_reconnect_timeout=/].each do |line|
expect(chef_run).not_to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', line)
describe 'has trustee values' do
it 'has default trustee values' do
[
%r{^auth_url = http://127.0.0.1:35357/v2.0$},
/^auth_plugin = v2password$/,
/^username = heat$/,
/^password = heat-pass$/
].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('trustee', line)
end
end
it 'sets ssl config' do
node.set['openstack']['mq']['orchestration']['rabbit']['use_ssl'] = true
node.set['openstack']['mq']['orchestration']['rabbit']['kombu_ssl_version'] = 'TLSv1.2'
node.set['openstack']['mq']['orchestration']['rabbit']['kombu_ssl_keyfile'] = 'keyfile'
node.set['openstack']['mq']['orchestration']['rabbit']['kombu_ssl_certfile'] = 'certfile'
node.set['openstack']['mq']['orchestration']['rabbit']['kombu_ssl_ca_certs'] = 'certsfile'
node.set['openstack']['mq']['orchestration']['rabbit']['kombu_reconnect_delay'] = 123.123
node.set['openstack']['mq']['orchestration']['rabbit']['kombu_reconnect_timeout'] = 123
[/^rabbit_use_ssl=true/,
/^kombu_ssl_version=TLSv1.2$/,
/^kombu_ssl_keyfile=keyfile$/,
/^kombu_ssl_certfile=certfile$/,
/^kombu_ssl_ca_certs=certsfile$/,
/^kombu_reconnect_delay=123.123$/,
/^kombu_reconnect_timeout=123$/].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', line)
end
end
it 'has the default rabbit_retry_interval set' do
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', /^rabbit_retry_interval=1$/)
end
it 'has the default rabbit_max_retries set' do
expect(chef_run).to render_config_file(file.name).with_section_content('oslo_messaging_rabbit', /^rabbit_max_retries=0$/)
end
end
end
end
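Review bot: The oslo_messaging_rabbit examples for TLS ('sets ssl config' and 'does not have ssl config set', covering `rabbit_use_ssl` and the `kombu_ssl_*` keys) and the 'overrides the schemes' example asserting `https://` for `heat_metadata_server_url`, `heat_waitcondition_server_url` and `heat_watch_server_url` appear only in the old `key=value` style, with no counterpart in the new `key = value` style, so after this change nothing visible here checks that a non-default, encrypted configuration still renders. The new 'has default oslo_messaging_rabbit values' example asserts only `rabbit_userid = guest` and `rabbit_password = mq-pass`, and the new keystone_authtoken example no longer has an equivalent of the old `/^insecure=false$/` check. Please keep at least one example per section that sets the override through whatever attribute now feeds that section and asserts the rendered line with `with_section_content`, so a regression that silently drops TLS or scheme settings from heat.conf fails the spec. It would also help to assert that the secret-derived values (`password = heat-pass` in keystone_authtoken and trustee, `rabbit_password = mq-pass`) land only in their intended sections, since the switch from `render_file(...).with_content` to `with_section_content` makes that check cheap.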

File diff suppressed because it is too large