Fix legacy nova/cinder encryption key manager configuration

Recent changes in Nova [0] and Cinder [1] result in Barbican being selected
as the default encryption key manager, even when TripleO is not deploying
Barbican.

This change ensures the legacy key manager is enabled when no key manager
(such as Barbican) has been specified. This restores the previous behavior,
where the legacy key manager was enabled by default.

[0] https://review.openstack.org/484501
[1] https://review.openstack.org/485322

Closes-Bug: #1706389
Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
Alan Bishop 2017-07-28 10:30:27 -04:00
parent ab81679785
commit 5ae3fab743
5 changed files with 46 additions and 7 deletions


@ -43,6 +43,12 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
# [*keymgr_api_class*]
# (Optional) The encryption key manager API class. The default value
# ensures Cinder's legacy key manager is enabled when no hiera value is
# specified.
# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager')
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api (
$certificates_specs = hiera('apache_certificates_specs', {}),
$cinder_api_network = hiera('cinder_api_network', undef),
$enable_internal_tls = hiera('enable_internal_tls', false),
$keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'),
$step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::cinder::api
class { '::cinder::api':
keymgr_api_class => $keymgr_api_class,
}
include ::apache::mod::ssl
class { '::cinder::wsgi::apache':
ssl_cert => $tls_certfile,
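Review bot: The `[*keymgr_api_class*]` doc comment (the first hunk) restores `cinder.keymgr.conf_key_mgr.ConfKeyManager` as the default without saying what that choice implies: ConfKeyManager derives every volume encryption key from a single fixed key held in the service configuration, so a deployment that actually encrypts volumes needs an operator to override this with a real key manager such as the Barbican class used in the spec fixture. I would extend the comment after "specified." with `# Note: ConfKeyManager uses one fixed key from the service config and is only suitable for` / `# development/testing; set a real key manager (e.g. Barbican) for deployments that encrypt volumes.`. The same wording belongs on the `[*keymgr_api_class*]` entry of the nova compute profile in the next file. The `if $step >= 4 ...` body in the third hunk continues past the hunk.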


@ -27,9 +27,16 @@
# (Optional) Whether or not Cinder is backed by NFS.
# Defaults to hiera('cinder_enable_nfs_backend', false)
#
# [*keymgr_api_class*]
# (Optional) The encryption key manager API class. The default value
# ensures Nova's legacy key manager is enabled when no hiera value is
# specified.
# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager')
#
class tripleo::profile::base::nova::compute (
$step = Integer(hiera('step')),
$cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false),
$keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'),
) {
if $step >= 4 {
@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute (
include ::tripleo::profile::base::nova
# deploy basic bits for nova-compute
include ::nova::compute
class { '::nova::compute':
keymgr_api_class => $keymgr_api_class,
}
# If Service['nova-conductor'] is in catalog, make sure we start it
# before nova-compute.
Service<| title == 'nova-conductor' |> -> Service['nova-compute']
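Review bot: Replacing `include ::nova::compute` with a resource-like `class { '::nova::compute': ... }` declaration changes the idempotency contract: Puppet raises a duplicate declaration error if `::nova::compute` has already been declared by another manifest earlier in the catalog, whereas the old `include` tolerated that. Whether any other TripleO manifest includes `::nova::compute` is not visible here, so this may be fine, but the reason for the resource-like form (pushing the profile's default when hiera has no `nova::compute::keymgr_api_class`) is worth stating above the declaration: `# Resource-like declaration so the profile default applies when hiera provides no value;` / `# this must be evaluated before any 'include ::nova::compute' elsewhere.`. The cinder api profile makes the same switch for `::cinder::api` and would take the same comment.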


@ -18,6 +18,10 @@ require 'spec_helper'
describe 'tripleo::profile::base::cinder::api' do
shared_examples_for 'tripleo::profile::base::cinder::api' do
before :each do
facts.merge!({ :step => params[:step] })
end
let(:pre_condition) do
"class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }"
end
@ -40,7 +44,10 @@ describe 'tripleo::profile::base::cinder::api' do
} }
it 'should trigger complete configuration' do
is_expected.to contain_class('cinder::api')
is_expected.to contain_class('cinder::api').with(
# Verify legacy key manager is enabled when none is set in hiera.
:keymgr_api_class => 'cinder.keymgr.conf_key_mgr.ConfKeyManager',
)
is_expected.to contain_class('cinder::ceilometer')
end
end
@ -63,7 +70,10 @@ describe 'tripleo::profile::base::cinder::api' do
} }
it 'should trigger complete configuration' do
is_expected.to contain_class('cinder::api')
is_expected.to contain_class('cinder::api').with(
# Verify proper key manager is enabled when value is set in hiera.
:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
)
is_expected.to contain_class('cinder::ceilometer')
end
end
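Review bot: The new `before :each` block in the first hunk merges `step` into the facts without saying why; presumably the fixture hieradata (which carries `step: 4` in this commit) is selected by that fact, since the `:keymgr_api_class` expectations in the later hunks differ only by step. A one-line comment above `facts.merge!` would save the next reader the inference: `# Expose step as a fact so the matching fixture hieradata is loaded for this context`. The comment text should be adjusted if the hierarchy actually keys on something else; I cannot see the spec_helper hiera config from this page.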


@ -18,12 +18,19 @@ require 'spec_helper'
describe 'tripleo::profile::base::nova::compute' do
shared_examples_for 'tripleo::profile::base::nova::compute' do
before :each do
facts.merge!({ :step => params[:step] })
end
context 'with step less than 5' do
let(:params) { { :step => 1, } }
it {
is_expected.to contain_class('tripleo::profile::base::nova::compute')
is_expected.to contain_class('tripleo::profile::base::nova::compute').with(
# Verify legacy key manager is enabled when none is set in hiera.
:keymgr_api_class => 'nova.keymgr.conf_key_mgr.ConfKeyManager',
)
is_expected.to_not contain_class('tripleo::profile::base::nova')
is_expected.to_not contain_class('nova::compute')
is_expected.to_not contain_class('nova::network::neutron')
@ -50,7 +57,10 @@ eos
let(:params) { { :step => 4, } }
it {
is_expected.to contain_class('tripleo::profile::base::nova::compute')
is_expected.to contain_class('tripleo::profile::base::nova::compute').with(
# Verify proper key manager is enabled when value is set in hiera.
:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
)
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova::compute')
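Review bot: In the step 4 context the new `.with(:keymgr_api_class => 'castellan...BarbicanKeyManager')` expectation is placed on the profile class only, while `contain_class('nova::compute')` on the last visible line still has no `.with`, so the spec does not prove the hiera value is actually handed to `nova::compute` — which is the point of the manifest change. I would change that line to `is_expected.to contain_class('nova::compute').with(` / `:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',` / `)`. The cinder api spec does check `cinder::api` directly, so the two specs would then be consistent. The `it` block continues past the hunk.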


@ -1,9 +1,10 @@
---
step: 4
cinder::api::keymgr_api_class: 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
nova::compute::keymgr_api_class: 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
# items needed for tripleo::profile::base::cinder::volume
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: '127.0.0.1'
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers:
- '127.0.0.1'
cinder::backend::eqlx::eqlx_chap_login: 'user'
cinder::backend::eqlx::eqlx_chap_password: 'user'