diff --git a/manifests/compute/rbd.pp b/manifests/compute/rbd.pp
index 96ec86bee..492f1a216 100644
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@@ -53,7 +53,7 @@
# [*libvirt_rbd_secret_uuid*]
# (optional) The libvirt uuid of the secret for the rbd_user.
# Required to use cephx.
-# Default to false.
+# Default to undef.
#
# [*libvirt_rbd_secret_key*]
# (optional) The cephx key to use as key for the libvirt secret,
@@ -62,10 +62,6 @@
# provided of the client.admin keyring as well.
# Default to undef.
#
-# [*rbd_keyring*]
-# (optional) The keyring name to use when retrieving the RBD secret
-# Default to 'client.nova'
-#
# [*ephemeral_storage*]
# (optional) Whether or not to use the rbd driver for the nova
# ephemeral storage or for the cinder volumes only.
@@ -88,26 +84,37 @@
# (optional) Manage the libvirt secret
# Defaults to true
#
+# == Deprecated parameters
+#
+# [*rbd_keyring*]
+# (optional) The keyring name to use when retrieving the RBD secret
+# Default to undef
+#
class nova::compute::rbd (
$libvirt_rbd_user,
- $libvirt_rbd_secret_uuid = false,
+ $libvirt_rbd_secret_uuid = undef,
$libvirt_rbd_secret_key = undef,
$libvirt_images_rbd_pool = 'rbd',
$libvirt_images_rbd_ceph_conf = '/etc/ceph/ceph.conf',
$libvirt_images_rbd_glance_store_name = $facts['os_service_default'],
$libvirt_images_rbd_glance_copy_poll_interval = $facts['os_service_default'],
$libvirt_images_rbd_glance_copy_timeout = $facts['os_service_default'],
- $rbd_keyring = 'client.nova',
Boolean $ephemeral_storage = true,
Boolean $manage_ceph_client = true,
$ceph_client_ensure = 'present',
$package_ensure = 'present',
Boolean $manage_libvirt_secret = true,
+ ## DEPRECATED PARAMETERS
+ $rbd_keyring = undef,
) {
include nova::deps
include nova::params
+ if $rbd_keyring != undef {
+ warning('The rbd_keyring parameter is deprecated and has no effect')
+ }
+
if $manage_ceph_client {
# Install ceph client libraries
package { 'ceph-client-package':
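Review bot: `$libvirt_rbd_secret_uuid = undef` is still untyped, so a caller or Hiera layer that keeps passing the previously documented default `false` is accepted here and then satisfies the `!= undef` test in the next hunk of this file. In that case `libvirt/rbd_secret_uuid` would be written with the value `false` and the secret branch entered, where the old truthiness test skipped both. I would declare the parameter as `Optional[String[1]] $libvirt_rbd_secret_uuid = undef,` so a leftover `false` fails at compile time with a clear type error, or keep the `if $libvirt_rbd_secret_uuid {` form. The class body continues past the end of this hunk.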
@@ -128,42 +135,27 @@ class nova::compute::rbd (
'libvirt/rbd_user': value => $libvirt_rbd_user;
}
- if $libvirt_rbd_secret_uuid {
+ if $libvirt_rbd_secret_uuid != undef {
nova_config {
'libvirt/rbd_secret_uuid': value => $libvirt_rbd_secret_uuid;
}
+ # TODO(tobias-urdin): Remove these two when propagated
+ file { '/etc/nova/secret.xml':
+ ensure => 'absent',
+ }
+ file { '/etc/nova/virsh.secret':
+ ensure => 'absent',
+ }
+
if $manage_libvirt_secret {
- file { '/etc/nova/secret.xml':
- content => epp('nova/libvirt-secret-ceph.xml.epp', {
- 'secret_name' => "${rbd_keyring} secret",
- 'uuid' => $libvirt_rbd_secret_uuid,
- }),
- require => Anchor['nova::config::begin'],
+ if $libvirt_rbd_secret_key == undef {
+ fail('libvirt_rbd_secret_key is required when libvirt_rbd_secret_uuid is set')
}
- #Variable name shrunk in favor of removing
- #the more than 140 chars puppet-lint warning.
- #variable used in the get-or-set virsh secret
- #resource.
- $cm = '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret'
- exec { 'get-or-set virsh secret':
- command => $cm,
- unless => "/usr/bin/virsh secret-list | grep -i ${libvirt_rbd_secret_uuid}",
- require => File['/etc/nova/secret.xml'],
- }
- Service<| tag == 'libvirt-service' |> -> Exec['get-or-set virsh secret']
-
- if $libvirt_rbd_secret_key {
- $libvirt_key = $libvirt_rbd_secret_key
- } else {
- $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
- }
- exec { 'set-secret-value virsh':
- command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
- unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
- logoutput => false,
- require => Exec['get-or-set virsh secret'],
+ nova::compute::libvirt::secret_ceph { $libvirt_rbd_secret_uuid:
+ uuid => $libvirt_rbd_secret_uuid,
+ value => $libvirt_rbd_secret_key,
}
}
} else {
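Review bot: With the `$(ceph auth get-key ...)` fallback removed, whenever `manage_libvirt_secret` is true the cephx key has to be supplied as Puppet data and is handed on as a plain value in `value => $libvirt_rbd_secret_key`. Nothing at this call site says how that value should be protected. Whether `nova::compute::libvirt::secret_ceph` accepts a `Sensitive` value is not visible in this diff; if it does, passing the key wrapped would help keep it out of reports and logs. At minimum I would add above the declaration `# The cephx key is compiled into the catalog; supply it from an encrypted data backend.` and repeat that in the parameter documentation. The `if`/`else` this sits in continues outside the hunk.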
diff --git a/releasenotes/notes/nova-compute-rbd-libvirt-secret-2c78325557a27411.yaml b/releasenotes/notes/nova-compute-rbd-libvirt-secret-2c78325557a27411.yaml
new file mode 100644
index 000000000..3f1fbc990
--- /dev/null
+++ b/releasenotes/notes/nova-compute-rbd-libvirt-secret-2c78325557a27411.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ If you are setting ``libvirt_rbd_secret_uuid`` in the ``nova::compute::rbd``
+ class you MUST now set ``libvirt_rbd_secret_key`` as well if the
+ ``manage_libvirt_secret`` parameters is set to true (the default) because
+ the ``rbd_keyring`` parameter is deprecated and has no effect, we no longer
+ get the Ceph authx key automatically if ``libvirt_rbd_secret_key`` is not set.
+deprecations:
+ - |
+ The ``nova::compute::rbd::rbd_keyring`` parameter is deprecated and has
+ no effect.
diff --git a/spec/classes/nova_compute_rbd_spec.rb b/spec/classes/nova_compute_rbd_spec.rb
index 9d5bf5fc5..ac60c9eae 100644
--- a/spec/classes/nova_compute_rbd_spec.rb
+++ b/spec/classes/nova_compute_rbd_spec.rb
@@ -52,7 +52,6 @@ describe 'nova::compute::rbd' do
before :each do
params.merge!(
:libvirt_rbd_user => 'joe',
- :libvirt_rbd_secret_uuid => false,
:libvirt_images_rbd_pool => 'AnotherPool',
:libvirt_images_rbd_ceph_conf => '/tmp/ceph.conf',
:libvirt_images_rbd_glance_store_name => 'glance_rbd_store',
@@ -72,60 +71,25 @@ describe 'nova::compute::rbd' do
end
context 'when using cephx' do
- before :each do
- params.merge!(
- :libvirt_rbd_secret_uuid => 'UUID',
- :rbd_keyring => 'client.rbd_test'
- )
- end
-
- it 'configure nova.conf with RBD secret UUID' do
- is_expected.to contain_nova_config('libvirt/rbd_secret_uuid').with_value('UUID')
- end
-
- it 'configure ceph on compute nodes' do
- verify_contents(catalogue, '/etc/nova/secret.xml', [
- "",
- " ",
- " client.rbd_test secret",
- " ",
- " UUID",
- ""
- ])
- is_expected.to contain_exec('get-or-set virsh secret').with(
- :command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
- :unless => '/usr/bin/virsh secret-list | grep -i UUID',
- :require => 'File[/etc/nova/secret.xml]',
- )
- is_expected.to contain_exec('set-secret-value virsh').with(
- :command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
- :logoutput => false,
- )
- end
- end
-
- context 'when using cephx and passing libvirt_rbd_secret_key' do
- before :each do
+ before do
params.merge!(
:libvirt_rbd_secret_uuid => 'UUID',
:libvirt_rbd_secret_key => 'LIBVIRT/SECRET/KEY',
)
end
- it 'set libvirt secret key from passed key' do
- is_expected.to contain_exec('set-secret-value virsh').with(
- :command => "/usr/bin/virsh secret-set-value --secret #{params[:libvirt_rbd_secret_uuid]} --base64 #{params[:libvirt_rbd_secret_key]}",
- :logoutput => false,
- )
- end
+ it { is_expected.to contain_nova__compute__libvirt__secret_ceph('UUID').with(
+ :uuid => params[:libvirt_rbd_secret_uuid],
+ :value => params[:libvirt_rbd_secret_key],
+ )}
end
context 'when using cephx but disabling ephemeral storage' do
- before :each do
+ before do
params.merge!(
- :libvirt_rbd_secret_uuid => 'UUID',
- :rbd_keyring => 'client.rbd_test',
- :ephemeral_storage => false
+ :libvirt_rbd_secret_uuid => 'UUID',
+ :libvirt_rbd_secret_key => 'LIBVIRT/SECRET/KEY',
+ :ephemeral_storage => false
)
end
@@ -139,25 +103,10 @@ describe 'nova::compute::rbd' do
is_expected.to contain_nova_config('libvirt/rbd_secret_uuid').with_value('UUID')
end
- it 'configure ceph on compute nodes' do
- verify_contents(catalogue, '/etc/nova/secret.xml', [
- "",
- " ",
- " client.rbd_test secret",
- " ",
- " UUID",
- ""
- ])
- is_expected.to contain_exec('get-or-set virsh secret').with(
- :command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
- :unless => '/usr/bin/virsh secret-list | grep -i UUID',
- :require => 'File[/etc/nova/secret.xml]',
- )
- is_expected.to contain_exec('set-secret-value virsh').with(
- :command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
- :logoutput => false,
- )
- end
+ it { is_expected.to contain_nova__compute__libvirt__secret_ceph('UUID').with(
+ :uuid => params[:libvirt_rbd_secret_uuid],
+ :value => params[:libvirt_rbd_secret_key],
+ )}
end
context 'when not managing ceph client' do