openstack/puppet-ironic
Code Issues Proposed changes

Accept system scope credential for Inspector API request

Browse Source 
Currently Ironic uses the user credential in [inspector] section to
start introspection but this API is available only for system admin
when SRBAC is enforced.

This change allows usage of system-scoped credential instead of
project-scoped one.

Change-Id: I4b1c88f36c948c45e87c5d0587589648e8d5d2a4
This commit is contained in:
Takashi Kajinami
2022-01-25 16:51:42 +09:00
committed by Tobias Urdin
parent f017521d93
commit 193498c953
3 changed files with 48 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
manifests/drivers/inspector.pp
View File

@@ -42,6 +42,10 @@
# The name of project's domain (required for Identity V3).
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to ironic-inspector in admin context
# through the OpenStack Identity service.
@@ -77,6 +81,7 @@ class ironic::drivers::inspector (
$password = $::os_service_default,
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_override = $::os_service_default,
$callback_endpoint_override = $::os_service_default,
@@ -93,14 +98,23 @@ class ironic::drivers::inspector (
has no effect. Please use ironic::drivers::inspector::endpoint_override instead.")
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_config {
'inspector/auth_type': value => $auth_type;
'inspector/username': value => $username;
'inspector/password': value => $password, secret => true;
'inspector/auth_url': value => $auth_url;
'inspector/project_name': value => $project_name;
'inspector/project_name': value => $project_name_real;
'inspector/user_domain_name': value => $user_domain_name;
'inspector/project_domain_name': value => $project_domain_name;
'inspector/project_domain_name': value => $project_domain_name_real;
'inspector/system_scope': value => $system_scope;
'inspector/region_name': value => $region_name;
'inspector/endpoint_override': value => $endpoint_override;
'inspector/callback_endpoint_override': value => $callback_endpoint_override;

5
releasenotes/notes/system_scope-inspector-61259d1e1f37d866.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
features:
- |
The new ``sysem_scope`` parameter has been added to
the ``ironic::drivers::inspector`` class.

39
spec/classes/ironic_drivers_inspector_spec.rb
View File

@@ -41,6 +41,7 @@ describe 'ironic::drivers::inspector' do
is_expected.to contain_ironic_config('inspector/password').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_ironic_config('inspector/user_domain_name').with_value('Default')
is_expected.to contain_ironic_config('inspector/project_domain_name').with_value('Default')
is_expected.to contain_ironic_config('inspector/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('inspector/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('inspector/endpoint_override').with_value('<SERVICE DEFAULT>')
end
@@ -48,18 +49,18 @@ describe 'ironic::drivers::inspector' do
context 'when overriding parameters' do
before :each do
params.merge!(
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:callback_endpoint_override => 'http://10.0.0.1/v1/continue',
:power_off => false,
:extra_kernel_params => 'ipa-inspection-collectors=a,b,c',
:auth_type => 'noauth',
:auth_url => 'http://example.com',
:project_name => 'project1',
:username => 'admin',
:password => 'pa$$w0rd',
:user_domain_name => 'NonDefault',
:project_domain_name => 'NonDefault',
:region_name => 'regionTwo',
:endpoint_override => 'http://example2.com',
:callback_endpoint_override => 'http://10.0.0.1/v1/continue',
:power_off => false,
:extra_kernel_params => 'ipa-inspection-collectors=a,b,c',
)
end
@@ -71,6 +72,7 @@ describe 'ironic::drivers::inspector' do
is_expected.to contain_ironic_config('inspector/password').with_value(p[:password]).with_secret(true)
is_expected.to contain_ironic_config('inspector/user_domain_name').with_value(p[:user_domain_name])
is_expected.to contain_ironic_config('inspector/project_domain_name').with_value(p[:project_domain_name])
is_expected.to contain_ironic_config('inspector/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('inspector/region_name').with_value(p[:region_name])
is_expected.to contain_ironic_config('inspector/endpoint_override').with_value(p[:endpoint_override])
is_expected.to contain_ironic_config('inspector/callback_endpoint_override').with_value(p[:callback_endpoint_override])
@@ -79,6 +81,19 @@ describe 'ironic::drivers::inspector' do
end
end
context 'when system_scope is set' do
before :each do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_ironic_config('inspector/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('inspector/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('inspector/system_scope').with_value('all')
end
end
end
on_supported_os({