Add some authtoken related attributes

This change adds some attributes into the cookbook so
that they are configurable. It mainly includes:
cafile, memcached_servers, memcache_security_strategy,
memcache_secret_key, insecure and hash_algorithms.

Change-Id: I97877cf5ce48bd70b9cb2ff12b1fdffbd5a7a69d
Closes-Bug: #1371438

CHANGELOG.md

@@ -7,6 +7,7 @@ This file is used to list changes made in each version of cookbook-openstack-com
 * Sync conf files with Juno
 * Upgrading berkshelf from 2.0.18 to 3.1.5
 * rng_dev_path in nova.conf configured from node attribute
+* Add cafile, memcached_servers, memcache_security_strategy, memcache_secret_key, insecure and hash_algorithms so that they are configurable.
 
 ## 9.3.1
 * Move auth configuration from api-paste.ini to nova.conf

README.md

@@ -144,6 +144,12 @@ Openstack Compute attributes are in the attribute namespace ["openstack"]["compu
 TODO: Add DB2 support on other platforms
 * `openstack["compute"]["platform"]["db2_python_packages"]` - Array of DB2 python packages, only available on redhat platform
 * `openstack['compute']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
+* `openstack['compute']['api']['auth']['memcached_servers']` - A list of memcached server(s) for caching
+* `openstack['compute']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
+* `openstack['compute']['api']['auth']['memcache_secret_key']` - This string is used for key derivation.
+* `openstack['compute']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens.
+* `openstack['compute']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+* `openstack['compute']['api']['auth']['insecure']` - Whether to allow the client to perform insecure SSL (https) requests.
 * `openstack['compute']['conductor']['workers']` = Number of conductor workers
 
 

attributes/default.rb

@@ -325,6 +325,24 @@ default['openstack']['compute']['api']['auth_strategy'] = 'keystone'
 
 default['openstack']['compute']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
 
+# A list of memcached server(s) for caching
+default['openstack']['compute']['api']['auth']['memcached_servers'] = nil
+
+# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
+default['openstack']['compute']['api']['auth']['memcache_security_strategy'] = nil
+
+# This string is used for key derivation.
+default['openstack']['compute']['api']['auth']['memcache_secret_key'] = nil
+
+# Hash algorithms to use for hashing PKI tokens.
+default['openstack']['compute']['api']['auth']['hash_algorithms'] = 'md5'
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+default['openstack']['compute']['api']['auth']['cafile'] = nil
+
+# Whether to allow the client to perform insecure SSL (https) requests
+default['openstack']['compute']['api']['auth']['insecure'] = false
+
 # Keystone PKI signing directories
 default['openstack']['compute']['api']['auth']['cache_dir'] = '/var/cache/nova/api'
 

spec/nova-common_spec.rb

@@ -228,6 +228,49 @@ describe 'openstack-compute::nova-common' do
         end
       end
 
+      it 'uses default values for attributes' do
+        expect(chef_run).not_to render_file(file.name).with_content(
+          /^memcached_servers =/)
+        expect(chef_run).not_to render_file(file.name).with_content(
+          /^memcache_security_strategy =/)
+        expect(chef_run).not_to render_file(file.name).with_content(
+          /^memcache_secret_key =/)
+        expect(chef_run).not_to render_file(file.name).with_content(
+          /^cafile =/)
+        expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = md5$/)
+        expect(chef_run).to render_file(file.name).with_content(/^insecure = false$/)
+      end
+
+      it 'sets memcached server(s)' do
+        node.set['openstack']['compute']['api']['auth']['memcached_servers'] = 'localhost:11211'
+        expect(chef_run).to render_file(file.name).with_content(/^memcached_servers = localhost:11211$/)
+      end
+
+      it 'sets memcache security strategy' do
+        node.set['openstack']['compute']['api']['auth']['memcache_security_strategy'] = 'MAC'
+        expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy = MAC$/)
+      end
+
+      it 'sets memcache secret key' do
+        node.set['openstack']['compute']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
+        expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key = 0123456789ABCDEF$/)
+      end
+
+      it 'sets cafile' do
+        node.set['openstack']['compute']['api']['auth']['cafile'] = 'dir/to/path'
+        expect(chef_run).to render_file(file.name).with_content(%r{^cafile = dir/to/path$})
+      end
+
+      it 'sets token hash algorithms' do
+        node.set['openstack']['compute']['api']['auth']['hash_algorithms'] = 'sha2'
+        expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = sha2$/)
+      end
+
+      it 'sets insecure' do
+        node.set['openstack']['compute']['api']['auth']['insecure'] = true
+        expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
+      end
+
       context 'rabbit mq backend' do
         before do
           node.set['openstack']['mq']['compute']['service_type'] = 'rabbitmq'

templates/default/nova.conf.erb

@@ -605,3 +605,17 @@ admin_tenant_name = <%= node["openstack"]["compute"]["service_tenant_name"] %>
 admin_user = <%= node["openstack"]["compute"]["service_user"] %>
 admin_password = <%= @service_pass %>
 signing_dir = <%= node["openstack"]["compute"]["api"]["auth"]["cache_dir"] %>
+<% unless node['openstack']['compute']['api']['auth']['cafile'].nil? %>
+cafile = <%= node['openstack']['compute']['api']['auth']['cafile'] %>
+<% end %>
+<% unless node['openstack']['compute']['api']['auth']['memcached_servers'].nil? %>
+memcached_servers = <%= node['openstack']['compute']['api']['auth']['memcached_servers'] %>
+<% end %>
+<% unless node['openstack']['compute']['api']['auth']['memcache_security_strategy'].nil? %>
+memcache_security_strategy = <%= node['openstack']['compute']['api']['auth']['memcache_security_strategy'] %>
+<% end %>
+<% unless node['openstack']['compute']['api']['auth']['memcache_secret_key'].nil? %>
+memcache_secret_key = <%= node['openstack']['compute']['api']['auth']['memcache_secret_key'] %>
+<% end %>
+hash_algorithms = <%= node['openstack']['compute']['api']['auth']['hash_algorithms'] %>
+insecure = <%= node['openstack']['compute']['api']['auth']['insecure'] %>