Fix legacy nova/cinder encryption key manager configuration
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected as the default encryption key manager, even when TripleO is not deploying Barbican. This change ensures the legacy key manager is enabled when no key manager (such as Barbican) has been specified. This restores the previous behavior, where the legacy key manager was enabled by default. [0] https://review.openstack.org/484501 [1] https://review.openstack.org/485322 Closes-Bug: #1706389 Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
This commit is contained in:
parent
ab81679785
commit
5ae3fab743
|
@ -43,6 +43,12 @@
|
|||
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||
# Defaults to hiera('enable_internal_tls', false)
|
||||
#
|
||||
# [*keymgr_api_class*]
|
||||
# (Optional) The encryption key manager API class. The default value
|
||||
# ensures Cinder's legacy key manager is enabled when no hiera value is
|
||||
# specified.
|
||||
# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager')
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api (
|
|||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||
$cinder_api_network = hiera('cinder_api_network', undef),
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'),
|
||||
$step = Integer(hiera('step')),
|
||||
) {
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
|
@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api (
|
|||
}
|
||||
|
||||
if $step >= 4 or ($step >= 3 and $sync_db) {
|
||||
include ::cinder::api
|
||||
class { '::cinder::api':
|
||||
keymgr_api_class => $keymgr_api_class,
|
||||
}
|
||||
include ::apache::mod::ssl
|
||||
class { '::cinder::wsgi::apache':
|
||||
ssl_cert => $tls_certfile,
|
||||
|
|
|
@ -27,9 +27,16 @@
|
|||
# (Optional) Whether or not Cinder is backed by NFS.
|
||||
# Defaults to hiera('cinder_enable_nfs_backend', false)
|
||||
#
|
||||
# [*keymgr_api_class*]
|
||||
# (Optional) The encryption key manager API class. The default value
|
||||
# ensures Nova's legacy key manager is enabled when no hiera value is
|
||||
# specified.
|
||||
# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager')
|
||||
#
|
||||
class tripleo::profile::base::nova::compute (
|
||||
$step = Integer(hiera('step')),
|
||||
$cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false),
|
||||
$keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'),
|
||||
) {
|
||||
|
||||
if $step >= 4 {
|
||||
|
@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute (
|
|||
include ::tripleo::profile::base::nova
|
||||
|
||||
# deploy basic bits for nova-compute
|
||||
include ::nova::compute
|
||||
class { '::nova::compute':
|
||||
keymgr_api_class => $keymgr_api_class,
|
||||
}
|
||||
# If Service['nova-conductor'] is in catalog, make sure we start it
|
||||
# before nova-compute.
|
||||
Service<| title == 'nova-conductor' |> -> Service['nova-compute']
|
||||
|
|
|
@ -18,6 +18,10 @@ require 'spec_helper'
|
|||
|
||||
describe 'tripleo::profile::base::cinder::api' do
|
||||
shared_examples_for 'tripleo::profile::base::cinder::api' do
|
||||
before :each do
|
||||
facts.merge!({ :step => params[:step] })
|
||||
end
|
||||
|
||||
let(:pre_condition) do
|
||||
"class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }"
|
||||
end
|
||||
|
@ -40,7 +44,10 @@ describe 'tripleo::profile::base::cinder::api' do
|
|||
} }
|
||||
|
||||
it 'should trigger complete configuration' do
|
||||
is_expected.to contain_class('cinder::api')
|
||||
is_expected.to contain_class('cinder::api').with(
|
||||
# Verify legacy key manager is enabled when none is set in hiera.
|
||||
:keymgr_api_class => 'cinder.keymgr.conf_key_mgr.ConfKeyManager',
|
||||
)
|
||||
is_expected.to contain_class('cinder::ceilometer')
|
||||
end
|
||||
end
|
||||
|
@ -63,7 +70,10 @@ describe 'tripleo::profile::base::cinder::api' do
|
|||
} }
|
||||
|
||||
it 'should trigger complete configuration' do
|
||||
is_expected.to contain_class('cinder::api')
|
||||
is_expected.to contain_class('cinder::api').with(
|
||||
# Verify proper key manager is enabled when value is set in hiera.
|
||||
:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
|
||||
)
|
||||
is_expected.to contain_class('cinder::ceilometer')
|
||||
end
|
||||
end
|
||||
|
|
|
@ -18,12 +18,19 @@ require 'spec_helper'
|
|||
|
||||
describe 'tripleo::profile::base::nova::compute' do
|
||||
shared_examples_for 'tripleo::profile::base::nova::compute' do
|
||||
before :each do
|
||||
facts.merge!({ :step => params[:step] })
|
||||
end
|
||||
|
||||
context 'with step less than 5' do
|
||||
let(:params) { { :step => 1, } }
|
||||
|
||||
it {
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::compute')
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::compute').with(
|
||||
# Verify legacy key manager is enabled when none is set in hiera.
|
||||
:keymgr_api_class => 'nova.keymgr.conf_key_mgr.ConfKeyManager',
|
||||
)
|
||||
|
||||
is_expected.to_not contain_class('tripleo::profile::base::nova')
|
||||
is_expected.to_not contain_class('nova::compute')
|
||||
is_expected.to_not contain_class('nova::network::neutron')
|
||||
|
@ -50,7 +57,10 @@ eos
|
|||
let(:params) { { :step => 4, } }
|
||||
|
||||
it {
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::compute')
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::compute').with(
|
||||
# Verify proper key manager is enabled when value is set in hiera.
|
||||
:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
|
||||
)
|
||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||
is_expected.to contain_class('nova::compute')
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
---
|
||||
step: 4
|
||||
cinder::api::keymgr_api_class: 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
|
||||
nova::compute::keymgr_api_class: 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
|
||||
# items needed for tripleo::profile::base::cinder::volume
|
||||
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: '127.0.0.1'
|
||||
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers:
|
||||
- '127.0.0.1'
|
||||
cinder::backend::eqlx::eqlx_chap_login: 'user'
|
||||
cinder::backend::eqlx::eqlx_chap_password: 'user'
|
||||
|
||||
|
|
Loading…
Reference in New Issue