Configure keystone authtoken options

Add ironic api and inspector authtoken classes to
configure keystone authtoken related parameters.
Unit tests are updated accordingly.

Deprecate some parameters in the api and inspector classes:
  - ironic::api|inspector::admin_tenant_name is deprecated
    in favor of ironic::api|inspector::authtoken::project_name.
  - ironic::api|inspector::admin_user is deprecated
    in favor of ironic::api|inspector::authtoken::username.
  - ironic::api|inspector::admin_password is deprecated
    in favor of ironic::api|inspector::authtoken::password.
  - ironic::api|inspector::identity_uri is deprecated
    in favor of ironic::api|inspector::authtoken::auth_uri.
  - ironic::api|inspector::auth_uri is deprecated
    in favor of ironic::api|inspector::authtoken::auth_uri.
  - ironic::api::memcached_servers is deprecated
    in favor of ironic::api::authtoken::memcached_servers.

Closes-bug: #1604463

Change-Id: Idcb9557ab0b42b2a0dba7cf2ab6a5ccf52dd1d23
iberezovskiy
2016-07-22 16:08:07 +03:00
parent d9a7a53115
commit eef5b11679
11 changed files with 1050 additions and 158 deletions


@@ -26,13 +26,23 @@ class Puppet::Provider::Ironic < Puppet::Provider
end end
def self.get_ironic_credentials def self.get_ironic_credentials
auth_keys = ['auth_host', 'auth_port', 'auth_protocol', auth_keys = ['auth_uri', 'project_name', 'username', 'password']
'admin_tenant_name', 'admin_user', 'admin_password']
conf = ironic_conf conf = ironic_conf
if conf and conf['keystone_authtoken'] and if conf and conf['keystone_authtoken'] and
auth_keys.all?{|k| !conf['keystone_authtoken'][k].nil?} auth_keys.all?{|k| !conf['keystone_authtoken'][k].nil?}
return Hash[ auth_keys.map \ creds = Hash[ auth_keys.map \
{ |k| [k, conf['keystone_authtoken'][k].strip] } ] { |k| [k, conf['keystone_authtoken'][k].strip] } ]
if !conf['keystone_authtoken']['project_domain_name'].nil?
creds['project_domain_name'] = conf['keystone_authtoken']['project_domain_name'].strip
else
creds['project_domain_name'] = 'Default'
end
if !conf['keystone_authtoken']['user_domain_name'].nil?
creds['user_domain_name'] = conf['keystone_authtoken']['user_domain_name'].strip
else
creds['user_domain_name'] = 'Default'
end
return creds
else else
raise(Puppet::Error, "File: #{conf_filename} does not contain all \ raise(Puppet::Error, "File: #{conf_filename} does not contain all \
required sections. Ironic types will not work if ironic is not \ required sections. Ironic types will not work if ironic is not \
@@ -44,15 +54,6 @@ correctly configured.")
self.class.ironic_credentials self.class.ironic_credentials
end end
def self.auth_endpoint
@auth_endpoint ||= get_auth_endpoint
end
def self.get_auth_endpoint
q = ironic_credentials
"#{q['auth_protocol']}://#{q['auth_host']}:#{q['auth_port']}/v2.0/"
end
def self.ironic_conf def self.ironic_conf
return @ironic_conf if @ironic_conf return @ironic_conf if @ironic_conf
@ironic_conf = Puppet::Util::IniConfig::File.new @ironic_conf = Puppet::Util::IniConfig::File.new
@@ -63,10 +64,12 @@ correctly configured.")
def self.auth_ironic(*args) def self.auth_ironic(*args)
q = ironic_credentials q = ironic_credentials
authenv = { authenv = {
:OS_AUTH_URL => self.auth_endpoint, :OS_AUTH_URL => q['auth_uri'],
:OS_USERNAME => q['admin_user'], :OS_USERNAME => q['username'],
:OS_TENANT_NAME => q['admin_tenant_name'], :OS_PROJECT_NAME => q['project_name'],
:OS_PASSWORD => q['admin_password'] :OS_PASSWORD => q['password'],
:OS_PROJECT_DOMAIN_NAME => q['project_domain_name'],
:OS_USER_DOMAIN_NAME => q['user_domain_name'],
} }
begin begin
withenv authenv do withenv authenv do
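Review bot: `auth_ironic` now exports `q['auth_uri']` as `OS_AUTH_URL` alongside `OS_PASSWORD`, yet `get_ironic_credentials` carries over no TLS setting from `[keystone_authtoken]`, so an HTTPS `auth_uri` signed by a private CA leaves the client without a CA bundle (whether it finds one another way is not visible here). If the section has `cafile`, it could be forwarded with `creds['cafile'] = conf['keystone_authtoken']['cafile'].strip unless conf['keystone_authtoken']['cafile'].nil?` and `:OS_CACERT => q['cafile']` in `authenv`. The two domain-name fallbacks also test only for nil, so a key that is present but empty produces an empty domain rather than 'Default'. Both method bodies continue outside the hunks shown.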


@@ -43,32 +43,6 @@
# Should be an valid interger # Should be an valid interger
# Defaults to '1000'. # Defaults to '1000'.
# #
# [*auth_uri*]
# (optional) Complete public Identity API endpoint.
# Defaults to 'http://127.0.0.1:5000/'.
#
# [*identity_uri*]
# (optional) Complete admin Identity API endpoint.
# Defaults to 'http://127.0.0.1:35357/'.
#
# [*auth_version*]
# (optional) DEPRECATED. API version of the admin Identity API endpoint
# for example, use 'v3.0' for the keystone version 3.0 api
# Defaults to false
#
# [*admin_tenant_name*]
# (optional) The name of the tenant to create in keystone for use by the ironic services
# Defaults to 'services'
#
# [*admin_user*]
# (optional) The name of the user to create in keystone for use by the ironic services
# Defaults to 'ironic'
#
# [*memcached_servers*]
# (optinal) a list of memcached server(s) to use for caching. If left
# undefined, tokens will instead be cached in-process.
# Defaults to $::os_service_default.
#
# [*neutron_url*] # [*neutron_url*]
# (optional) The Neutron URL to be used for requests from ironic # (optional) The Neutron URL to be used for requests from ironic
# Defaults to 'http://127.0.0.1:9696/' # Defaults to 'http://127.0.0.1:9696/'
@@ -93,7 +67,33 @@
# (Optional) Public URL to use when building the links to the API resources # (Optional) Public URL to use when building the links to the API resources
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# DEPRECATED PARAMETERS
#
# [*identity_uri*]
# (optional) Complete admin Identity API endpoint.
# Defaults to undef.
#
# [*admin_tenant_name*]
# (optional) The name of the tenant to create in keystone for use by the ironic services
# Defaults to undef.
#
# [*admin_user*]
# (optional) The name of the user to create in keystone for use by the ironic services
# Defaults to undef.
#
# [*admin_password*]
# (optional) The password to set for the ironic admin user in keystone.
# Defaults to undef.
#
# [*auth_uri*]
# (optional) Complete public Identity API endpoint.
# Defaults to undef.
#
# [*memcached_servers*]
# (optinal) a list of memcached server(s) to use for caching. If left
# undefined, tokens will instead be cached in-process.
# Defaults to undef.
#
class ironic::api ( class ironic::api (
$package_ensure = 'present', $package_ensure = 'present',
$enabled = true, $enabled = true,
@@ -102,21 +102,46 @@ class ironic::api (
$port = '6385', $port = '6385',
$max_limit = '1000', $max_limit = '1000',
$workers = $::os_service_default, $workers = $::os_service_default,
$auth_uri = 'http://127.0.0.1:5000/',
$identity_uri = 'http://127.0.0.1:35357/',
$admin_tenant_name = 'services',
$admin_user = 'ironic',
$memcached_servers = $::os_service_default,
$neutron_url = 'http://127.0.0.1:9696/', $neutron_url = 'http://127.0.0.1:9696/',
$public_endpoint = $::os_service_default, $public_endpoint = $::os_service_default,
$admin_password, # DEPRECATED PARAMETERS
# DEPRECATED PARAMETER $identity_uri = undef,
$auth_version = false, $admin_tenant_name = undef,
$admin_user = undef,
$admin_password = undef,
$auth_uri = undef,
$memcached_servers = undef,
) inherits ironic::params { ) inherits ironic::params {
include ::ironic::params include ::ironic::params
include ::ironic::policy include ::ironic::policy
if $admin_tenant_name {
warning('Parameter "ironic::api::admin_tenant_name" is deprecated and will be removed in O release. Use "ironic::api::authtoken::project_name" parameter instead.')
}
if $admin_user {
warning('Parameter "ironic::api::admin_user" is deprecated will be removed in O release. Use "ironic::api::authtoken::username" parameter instead.')
}
if $admin_password {
warning('Parameter "ironic::api::admin_password" is deprecated and will be removed in O release. Use "ironic::api::authtoken::password" parameter instead.')
}
if $identity_uri {
warning('Parameter "ironic::api::identity_uri" is deprecated and will be removed in O release. Use "ironic::api::authtoken::auth_url" parameter instead.')
}
if $auth_uri {
warning('Parameter "ironic::api::auth_uri" is deprecated and will be removed in O release. Use "ironic::api::authtoken::auth_uri" parameter instead.')
}
if $memcached_servers {
warning('Parameter "ironic::api::memcached_servers" is deprecated and will be removed in O release. Use "ironic::api::authtoken::memcached_servers" parameter instead.')
}
include ::ironic::api::authtoken
Ironic_config<||> ~> Service[$service_name] Ironic_config<||> ~> Service[$service_name]
Class['ironic::policy'] ~> Service[$service_name] Class['ironic::policy'] ~> Service[$service_name]
@@ -127,6 +152,7 @@ class ironic::api (
'api/max_limit': value => $max_limit; 'api/max_limit': value => $max_limit;
'api/api_workers': value => $workers; 'api/api_workers': value => $workers;
'api/public_endpoint': value => $public_endpoint; 'api/public_endpoint': value => $public_endpoint;
'neutron/url': value => $neutron_url;
} }
# Install package # Install package
@@ -170,18 +196,4 @@ class ironic::api (
fail('Invalid service_name. Either ironic-api/openstack-ironic-api for running as a standalone service, or httpd for being run by a httpd server') fail('Invalid service_name. Either ironic-api/openstack-ironic-api for running as a standalone service, or httpd for being run by a httpd server')
} }
if $auth_version {
warning('auth_version parameter is deprecated and has no effect during Mitaka and will be dropped during N cycle.')
}
ironic_config {
'keystone_authtoken/admin_tenant_name': value => $admin_tenant_name;
'keystone_authtoken/admin_user': value => $admin_user;
'keystone_authtoken/admin_password': value => $admin_password, secret => true;
'keystone_authtoken/auth_uri': value => $auth_uri;
'keystone_authtoken/identity_uri': value => $identity_uri;
'keystone_authtoken/memcached_servers': value => join(any2array($memcached_servers), ',');
'neutron/url': value => $neutron_url;
}
} }
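Review bot: The `ironic_config` block removed at the end of the class was what managed `keystone_authtoken/admin_password`, `admin_user`, `admin_tenant_name` and `identity_uri`, and nothing in the new code sets them absent, so on an upgraded node the old service password can stay in ironic.conf unmanaged (unless `keystone::resource::authtoken` purges them, which is not visible here). Consider keeping a cleanup such as `'keystone_authtoken/admin_password': ensure => absent;` for each retired key. The `admin_user` warning reads "is deprecated will be removed", with `and` missing, and the same wording appears in the `ironic::inspector` warning for `admin_user`. The `identity_uri` warning points to `authtoken::auth_url`, while the commit description names `auth_uri`.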

280
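--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
@@ -0,0 +1,280 @@
+# class: ironic::api::authtoken
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'ironic'
+#
+# [*password*]
+# (Optional) Password to create for the service user
+# Defaults to $::os_service_default
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://127.0.0.1:35357'.
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to $::os_service_default
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $:os_service_default
+#
+# [*auth_section*]
+# (Optional) Config Section from which to load plugin specific options
+# Defaults to $::os_service_default.
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'.
+#
+# [*auth_uri*]
+# (Optional) Complete public Identity API endpoint.
+# Defaults to 'http://127.0.0.1:5000'.
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $::os_service_default.
+#
+# [*cache*]
+# (Optional) Env key for the swift cache.
+# Defaults to $::os_service_default.
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*check_revocations_for_cached*]
+# (Optional) If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server.
+# boolean value.
+# Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+# (Optional) Do not handle authorization requests within the middleware, but
+# delegate the authorization decision to downstream WSGI components. Boolean
+# value
+# Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+# (Optional) Used to control the use and type of token binding. Can be set
+# to: "disabled" to not check token binding. "permissive" (default) to
+# validate binding information if the bind type is of a form known to the
+# server and ignore it if not. "strict" like "permissive" but if the bind
+# type is unknown the token will be rejected. "required" any form of token
+# binding is needed to be allowed. Finally the name of a binding method that
+# must be present in tokens. String value.
+# Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will
+# be stored in the cache. This will typically be set to multiple values only
+# while migrating from a less secure algorithm to a more secure one. Once all
+# the old tokens are expired this option should be set to a single value for
+# better performance. List value.
+# Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+# (Optional) Request timeout value for communicating with Identity API
+# server.
+# Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+# (Optional) How many times are we trying to reconnect when communicating
+# with Identity API Server. Integer value
+# Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will
+# not
+# set the X-Service-Catalog header. Boolean value.
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+# (Optional) Number of seconds memcached server is considered dead before it
+# is tried again. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+# (Optional) Maximum total number of open connections to every memcached
+# server. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+# (Optional) Number of seconds a connection to memcached is held unused in
+# the
+# pool before it is closed. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+# (Optional) Number of seconds a connection to memcached is held unused in
+# the
+# pool before it is closed. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+# (Optional, mandatory if memcache_security_strategy is defined) This string
+# is used for key derivation.
+# Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+# (Optional) If defined, indicate whether token data should be authenticated
+# or
+# authenticated and encrypted. If MAC, token data is authenticated (with
+# HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization.
+# Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x Boolean value
+# Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+# (Optional) Optionally specify a list of memcached server(s) to use for
+# caching. If left undefined, tokens will instead be cached in-process.
+# Defaults to $::os_service_default.
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $::os_service_default.
+#
+# [*revocation_cache_time*]
+# (Optional) Determines the frequency at which the list of revoked tokens is
+# retrieved from the Identity service (in seconds). A high number of
+# revocation events combined with a low cache duration may significantly
+# reduce performance. Only valid for PKI tokens. Integer value
+# Defaults to $::os_service_default.
+#
+# [*signing_dir*]
+# (Optional) Directory used to cache files related to PKI tokens.
+# Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+# (Optional) In order to prevent excessive effort spent validating tokens,
+# the middleware caches previously-seen tokens for a configurable duration
+# (in seconds). Set to -1 to disable caching completely. Integer value
+# Defaults to $::os_service_default.
+#
+class ironic::api::authtoken(
+$username = 'ironic',
+$password = $::os_service_default,
+$auth_url = 'http://127.0.0.1:35357',
+$project_name = 'services',
+$user_domain_name = $::os_service_default,
+$project_domain_name = $::os_service_default,
+$insecure = $::os_service_default,
+$auth_section = $::os_service_default,
+$auth_type = 'password',
+$auth_uri = 'http://127.0.0.1:5000',
+$auth_version = $::os_service_default,
+$cache = $::os_service_default,
+$cafile = $::os_service_default,
+$certfile = $::os_service_default,
+$check_revocations_for_cached = $::os_service_default,
+$delay_auth_decision = $::os_service_default,
+$enforce_token_bind = $::os_service_default,
+$hash_algorithms = $::os_service_default,
+$http_connect_timeout = $::os_service_default,
+$http_request_max_retries = $::os_service_default,
+$include_service_catalog = $::os_service_default,
+$keyfile = $::os_service_default,
+$memcache_pool_conn_get_timeout = $::os_service_default,
+$memcache_pool_dead_retry = $::os_service_default,
+$memcache_pool_maxsize = $::os_service_default,
+$memcache_pool_socket_timeout = $::os_service_default,
+$memcache_pool_unused_timeout = $::os_service_default,
+$memcache_secret_key = $::os_service_default,
+$memcache_security_strategy = $::os_service_default,
+$memcache_use_advanced_pool = $::os_service_default,
+$memcached_servers = $::os_service_default,
+$region_name = $::os_service_default,
+$revocation_cache_time = $::os_service_default,
+$signing_dir = $::os_service_default,
+$token_cache_time = $::os_service_default,
+) {
+if is_service_default($password) and ! $::ironic::api::admin_password {
+fail('Please set password for Ironic API service user')
+}
+$username_real = pick($::ironic::api::admin_user, $username)
+$password_real = pick($::ironic::api::admin_password, $password)
+$project_name_real = pick($::ironic::api::admin_tenant_name, $project_name)
+$auth_uri_real = pick($::ironic::api::auth_uri, $auth_uri)
+$auth_url_real = pick($::ironic::api::identity_uri, $auth_url)
+$memcached_servers_real = pick($::ironic::api::memcached_servers, $memcached_servers)
+keystone::resource::authtoken { 'ironic_config':
+username => $username_real,
+password => $password_real,
+project_name => $project_name_real,
+auth_url => $auth_url_real,
+auth_uri => $auth_uri_real,
+auth_version => $auth_version,
+auth_type => $auth_type,
+auth_section => $auth_section,
+user_domain_name => $user_domain_name,
+project_domain_name => $project_domain_name,
+insecure => $insecure,
+cache => $cache,
+cafile => $cafile,
+certfile => $certfile,
+check_revocations_for_cached => $check_revocations_for_cached,
+delay_auth_decision => $delay_auth_decision,
+enforce_token_bind => $enforce_token_bind,
+hash_algorithms => $hash_algorithms,
+http_connect_timeout => $http_connect_timeout,
+http_request_max_retries => $http_request_max_retries,
+include_service_catalog => $include_service_catalog,
+keyfile => $keyfile,
+memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+memcache_pool_dead_retry => $memcache_pool_dead_retry,
+memcache_pool_maxsize => $memcache_pool_maxsize,
+memcache_pool_socket_timeout => $memcache_pool_socket_timeout,
+memcache_secret_key => $memcache_secret_key,
+memcache_security_strategy => $memcache_security_strategy,
+memcache_use_advanced_pool => $memcache_use_advanced_pool,
+memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
+memcached_servers => $memcached_servers_real,
+region_name => $region_name,
+revocation_cache_time => $revocation_cache_time,
+signing_dir => $signing_dir,
+token_cache_time => $token_cache_time,
+}
+}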
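Review bot: The `pick()` lines and the password check read `$::ironic::api::admin_password` and the other deprecated values by scope lookup, so they see them only when `ironic::api` has already been evaluated; declaring `ironic::api::authtoken` first or on its own silently drops the deprecated values, and with `$password` left at its default the class then hits the `fail`. A comment above the `pick()` block would make that contract explicit, e.g. `# Deprecated ironic::api::* values are honoured only when ironic::api is evaluated before this class.` In the parameter docs, the `insecure` default is written `$:os_service_default` (one colon missing) and `memcache_pool_socket_timeout` repeats the `memcache_pool_unused_timeout` description. Whether `keystone::resource::authtoken` marks `password` and `memcache_secret_key` as secret, as the removed `secret => true` did for the old password key, is not visible here and worth confirming.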


@@ -46,26 +46,6 @@
# (optional) API authentication strategy: keystone or noauth # (optional) API authentication strategy: keystone or noauth
# Defaults to 'keystone' # Defaults to 'keystone'
# #
# [*auth_uri*]
# (optional) Complete public Identity API endpoint
# Defaults to 'http://127.0.0.1:5000/v2.0'
#
# [*identity_uri*]
# (optional) Complete admin Identity API endpoint
# Defaults to 'http://127.0.0.1:35357'
#
# [*admin_user*]
# (optional) The name of the auth user
# Defaults to 'ironic'
#
# [*admin_password*]
# (optional) The password to use for authentication (keystone)
# Defaults to undef. Set a value unless you are using noauth
#
# [*admin_tenant_name*]
# (optional) The tenant of the auth user
# Defaults to 'services'
#
# [*dnsmasq_interface*] # [*dnsmasq_interface*]
# (optional) The interface for the ironic-inspector dnsmasq process # (optional) The interface for the ironic-inspector dnsmasq process
# to listen on # to listen on
@@ -171,6 +151,28 @@
# (optional) port used by the HTTP service serving introspection images. # (optional) port used by the HTTP service serving introspection images.
# Defaults to 8088. # Defaults to 8088.
# #
# DEPRECATED PARAMETERS
#
# [*identity_uri*]
# (optional) Complete admin Identity API endpoint.
# Defaults to undef.
#
# [*admin_tenant_name*]
# (optional) The name of the tenant to create in keystone for use by the ironic services
# Defaults to undef.
#
# [*admin_user*]
# (optional) The name of the user to create in keystone for use by the ironic services
# Defaults to undef.
#
# [*admin_password*]
# (optional) The password to set for the ironic admin user in keystone.
# Defaults to undef.
#
# [*auth_uri*]
# (optional) Complete public Identity API endpoint.
# Defaults to undef.
#
class ironic::inspector ( class ironic::inspector (
$package_ensure = 'present', $package_ensure = 'present',
$enabled = true, $enabled = true,
@@ -179,11 +181,6 @@ class ironic::inspector (
$enable_uefi = false, $enable_uefi = false,
$debug = undef, $debug = undef,
$auth_strategy = 'keystone', $auth_strategy = 'keystone',
$auth_uri = 'http://127.0.0.1:5000/v2.0',
$identity_uri = 'http://127.0.0.1:35357',
$admin_user = 'ironic',
$admin_password = undef,
$admin_tenant_name = 'services',
$dnsmasq_interface = 'br-ctlplane', $dnsmasq_interface = 'br-ctlplane',
$db_connection = 'sqlite:////var/lib/ironic-inspector/inspector.sqlite', $db_connection = 'sqlite:////var/lib/ironic-inspector/inspector.sqlite',
$ramdisk_logs_dir = '/var/log/ironic-inspector/ramdisk/', $ramdisk_logs_dir = '/var/log/ironic-inspector/ramdisk/',
@@ -210,11 +207,41 @@ class ironic::inspector (
$ramdisk_kernel_args = undef, $ramdisk_kernel_args = undef,
$ipxe_timeout = 0, $ipxe_timeout = 0,
$http_port = 8088, $http_port = 8088,
# DEPRECATED PARAMETERS
$identity_uri = undef,
$admin_tenant_name = undef,
$admin_user = undef,
$admin_password = undef,
$auth_uri = undef,
) { ) {
include ::ironic::params include ::ironic::params
include ::ironic::inspector::logging include ::ironic::inspector::logging
if $admin_tenant_name {
warning('Parameter "ironic::inspector::admin_tenant_name" is deprecated and will be removed in O release. Use "ironic::inspector::authtoken::project_name" parameter instead.')
}
if $admin_user {
warning('Parameter "ironic::inspector::admin_user" is deprecated will be removed in O release. Use "ironic::inspector::authtoken::username" parameter instead.')
}
if $admin_password {
warning('Parameter "ironic::inspector::admin_password" is deprecated and will be removed in O release. Use "ironic::inspector::authtoken::password" parameter instead.')
}
if $identity_uri {
warning('Parameter "ironic::inspector::identity_uri" is deprecated and will be removed in O release. Use "ironic::inspector::authtoken::auth_url" parameter instead.')
}
if $auth_uri {
warning('Parameter "ironic::inspector::auth_uri" is deprecated and will be removed in O release. Use "ironic::inspector::authtoken::auth_uri" parameter instead.')
}
if $auth_strategy == 'keystone' {
include ::ironic::inspector::authtoken
}
Ironic_inspector_config<||> ~> Service['ironic-inspector'] Ironic_inspector_config<||> ~> Service['ironic-inspector']
file { '/etc/ironic-inspector/inspector.conf': file { '/etc/ironic-inspector/inspector.conf':
@@ -278,17 +305,6 @@ class ironic::inspector (
# Configure inspector.conf # Configure inspector.conf
if $auth_strategy == 'keystone' {
ironic_inspector_config {
'keystone_authtoken/auth_type': value => 'password';
'keystone_authtoken/auth_uri': value => $auth_uri;
'keystone_authtoken/auth_url': value => $identity_uri;
'keystone_authtoken/username': value => $admin_user;
'keystone_authtoken/password': value => $admin_password, secret => true;
'keystone_authtoken/project_name': value => $admin_tenant_name;
}
}
ironic_inspector_config { ironic_inspector_config {
'DEFAULT/listen_address': value => $listen_address; 'DEFAULT/listen_address': value => $listen_address;
'DEFAULT/auth_strategy': value => $auth_strategy; 'DEFAULT/auth_strategy': value => $auth_strategy;


@@ -0,0 +1,280 @@
# class: ironic::inspector::authtoken
#
# Configure the keystone_authtoken section in the configuration file
#
# === Parameters
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'ironic'
#
# [*password*]
# (Optional) Password to create for the service user
# Defaults to $::os_service_default
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http://127.0.0.1:35357'.
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to $::os_service_default
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $:os_service_default
#
# [*auth_section*]
# (Optional) Config Section from which to load plugin specific options
# Defaults to $::os_service_default.
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'.
#
# [*auth_uri*]
# (Optional) Complete public Identity API endpoint.
# Defaults to 'http://127.0.0.1:5000'.
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cache*]
# (Optional) Env key for the swift cache.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to $::os_service_default.
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean
# value
# Defaults to $::os_service_default.
#
# [*enforce_token_bind*]
# (Optional) Used to control the use and type of token binding. Can be set
# to: "disabled" to not check token binding. "permissive" (default) to
# validate binding information if the bind type is of a form known to the
# server and ignore it if not. "strict" like "permissive" but if the bind
# type is unknown the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a binding method that
# must be present in tokens. String value.
# Defaults to $::os_service_default.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API
# server.
# Defaults to $::os_service_default.
#
# [*http_request_max_retries*]
# (Optional) How many times are we trying to reconnect when communicating
# with Identity API Server. Integer value
# Defaults to $::os_service_default.
#
# [*include_service_catalog*]
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will
# not
# set the X-Service-Catalog header. Boolean value.
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*memcache_pool_conn_get_timeout*]
# (Optional) Number of seconds that an operation will wait to get a memcached
# client connection from the pool. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_dead_retry*]
# (Optional) Number of seconds memcached server is considered dead before it
# is tried again. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_maxsize*]
# (Optional) Maximum total number of open connections to every memcached
# server. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_socket_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in
# the
# pool before it is closed. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_unused_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in
# the
# pool before it is closed. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_secret_key*]
# (Optional, mandatory if memcache_security_strategy is defined) This string
# is used for key derivation.
# Defaults to $::os_service_default.
#
# [*memcache_security_strategy*]
# (Optional) If defined, indicate whether token data should be authenticated
# or
# authenticated and encrypted. If MAC, token data is authenticated (with
# HMAC)
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
# cache. If the value is not one of these options or empty, auth_token will
# raise an exception on initialization.
# Defaults to $::os_service_default.
#
# [*memcache_use_advanced_pool*]
# (Optional) Use the advanced (eventlet safe) memcached client pool. The
# advanced pool will only work under python 2.x Boolean value
# Defaults to $::os_service_default.
#
# [*memcached_servers*]
# (Optional) Optionally specify a list of memcached server(s) to use for
# caching. If left undefined, tokens will instead be cached in-process.
# Defaults to $::os_service_default.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
# [*revocation_cache_time*]
# (Optional) Determines the frequency at which the list of revoked tokens is
# retrieved from the Identity service (in seconds). A high number of
# revocation events combined with a low cache duration may significantly
# reduce performance. Only valid for PKI tokens. Integer value
# Defaults to $::os_service_default.
#
# [*signing_dir*]
# (Optional) Directory used to cache files related to PKI tokens.
# Defaults to $::os_service_default.
#
# [*token_cache_time*]
# (Optional) In order to prevent excessive effort spent validating tokens,
# the middleware caches previously-seen tokens for a configurable duration
# (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default.
#
class ironic::inspector::authtoken(
$username = 'ironic',
$password = $::os_service_default,
$auth_url = 'http://127.0.0.1:35357',
$project_name = 'services',
$user_domain_name = $::os_service_default,
$project_domain_name = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
$auth_uri = 'http://127.0.0.1:5000',
$auth_version = $::os_service_default,
$cache = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$check_revocations_for_cached = $::os_service_default,
$delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default,
$hash_algorithms = $::os_service_default,
$http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default,
$keyfile = $::os_service_default,
$memcache_pool_conn_get_timeout = $::os_service_default,
$memcache_pool_dead_retry = $::os_service_default,
$memcache_pool_maxsize = $::os_service_default,
$memcache_pool_socket_timeout = $::os_service_default,
$memcache_pool_unused_timeout = $::os_service_default,
$memcache_secret_key = $::os_service_default,
$memcache_security_strategy = $::os_service_default,
$memcache_use_advanced_pool = $::os_service_default,
$memcached_servers = $::os_service_default,
$region_name = $::os_service_default,
$revocation_cache_time = $::os_service_default,
$signing_dir = $::os_service_default,
$token_cache_time = $::os_service_default,
) {
if is_service_default($password) and ! $::ironic::inspector::admin_password {
fail('Please set password for Ironic Inspector service user')
}
$username_real = pick($::ironic::inspector::admin_user, $username)
$password_real = pick($::ironic::inspector::admin_password, $password)
$project_name_real = pick($::ironic::inspector::admin_tenant_name, $project_name)
$auth_uri_real = pick($::ironic::inspector::auth_uri, $auth_uri)
$auth_url_real = pick($::ironic::inspector::identity_uri, $auth_url)
$memcached_servers_real = pick($::ironic::inspector::memcached_servers, $memcached_servers)
keystone::resource::authtoken { 'ironic_inspector_config':
username => $username_real,
password => $password_real,
project_name => $project_name_real,
auth_url => $auth_url_real,
auth_uri => $auth_uri_real,
auth_version => $auth_version,
auth_type => $auth_type,
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
insecure => $insecure,
cache => $cache,
cafile => $cafile,
certfile => $certfile,
check_revocations_for_cached => $check_revocations_for_cached,
delay_auth_decision => $delay_auth_decision,
enforce_token_bind => $enforce_token_bind,
hash_algorithms => $hash_algorithms,
http_connect_timeout => $http_connect_timeout,
http_request_max_retries => $http_request_max_retries,
include_service_catalog => $include_service_catalog,
keyfile => $keyfile,
memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
memcache_pool_dead_retry => $memcache_pool_dead_retry,
memcache_pool_maxsize => $memcache_pool_maxsize,
memcache_pool_socket_timeout => $memcache_pool_socket_timeout,
memcache_secret_key => $memcache_secret_key,
memcache_security_strategy => $memcache_security_strategy,
memcache_use_advanced_pool => $memcache_use_advanced_pool,
memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
memcached_servers => $memcached_servers_real,
region_name => $region_name,
revocation_cache_time => $revocation_cache_time,
signing_dir => $signing_dir,
token_cache_time => $token_cache_time,
}
}


@@ -0,0 +1,17 @@
---
features:
- Configure keystonemiddleware in a consistent
way with all options required for Keystone v3.
deprecations:
- ironic::api|inspector::admin_tenant_name is deprecated
in favor of ironic::api|inspector::authtoken::project_name.
- ironic::api|inspector::admin_user is deprecated
in favor of ironic::api|inspector::authtoken::username.
- ironic::api|inspector::admin_password is deprecated
in favor of ironic::api|inspector::authtoken::password.
- ironic::api|inspector::identity_uri is deprecated
in favor of ironic::api|inspector::authtoken::auth_uri.
- ironic::api|inspector::auth_uri is deprecated
in favor of ironic::api|inspector::authtoken::auth_uri.
- ironic::api::memcached_servers is deprecated
in favor of ironic::api::authtoken::memcached_servers.


@@ -0,0 +1,145 @@
require 'spec_helper'
describe 'ironic::api::authtoken' do
let :params do
{ :password => 'ironic_password', }
end
shared_examples 'ironic api authtoken' do
context 'with default parameters' do
it 'configure keystone_authtoken' do
is_expected.to contain_ironic_config('keystone_authtoken/username').with_value('ironic')
is_expected.to contain_ironic_config('keystone_authtoken/password').with_value('ironic_password')
is_expected.to contain_ironic_config('keystone_authtoken/auth_url').with_value('http://127.0.0.1:35357')
is_expected.to contain_ironic_config('keystone_authtoken/project_name').with_value('services')
is_expected.to contain_ironic_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/auth_type').with_value('password')
is_expected.to contain_ironic_config('keystone_authtoken/auth_uri').with_value('http://127.0.0.1:5000')
is_expected.to contain_ironic_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/signing_dir').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
end
end
context 'when overriding parameters' do
before do
params.merge!({
:auth_uri => 'https://10.0.0.1:9999/',
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'http://:127.0.0.1:35357',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
:auth_version => 'v3',
:cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:check_revocations_for_cached => false,
:delay_auth_decision => false,
:enforce_token_bind => 'permissive',
:hash_algorithms => 'md5',
:http_connect_timeout => '300',
:http_request_max_retries => '3',
:include_service_catalog => true,
:keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'],
:region_name => 'region2',
:revocation_cache_time => '11',
:signing_dir => '/var/cache',
:token_cache_time => '301',
})
end
it 'configure keystone_authtoken' do
is_expected.to contain_ironic_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
is_expected.to contain_ironic_config('keystone_authtoken/username').with_value(params[:username])
is_expected.to contain_ironic_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
is_expected.to contain_ironic_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
is_expected.to contain_ironic_config('keystone_authtoken/project_name').with_value(params[:project_name])
is_expected.to contain_ironic_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
is_expected.to contain_ironic_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
is_expected.to contain_ironic_config('keystone_authtoken/insecure').with_value(params[:insecure])
is_expected.to contain_ironic_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
is_expected.to contain_ironic_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
is_expected.to contain_ironic_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
is_expected.to contain_ironic_config('keystone_authtoken/cache').with_value(params[:cache])
is_expected.to contain_ironic_config('keystone_authtoken/cafile').with_value(params[:cafile])
is_expected.to contain_ironic_config('keystone_authtoken/certfile').with_value(params[:certfile])
is_expected.to contain_ironic_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
is_expected.to contain_ironic_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
is_expected.to contain_ironic_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
is_expected.to contain_ironic_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
is_expected.to contain_ironic_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
is_expected.to contain_ironic_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
is_expected.to contain_ironic_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
is_expected.to contain_ironic_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_socket_timeout').with_value(params[:memcache_pool_socket_timeout])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_pool_unused_timeout').with_value(params[:memcache_pool_unused_timeout])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_security_strategy').with_value(params[:memcache_security_strategy])
is_expected.to contain_ironic_config('keystone_authtoken/memcache_use_advanced_pool').with_value(params[:memcache_use_advanced_pool])
is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_ironic_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_ironic_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
is_expected.to contain_ironic_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
end
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_configures 'ironic api authtoken'
end
end
end
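Review bot: The 'with default parameters' example asserts `keystone_authtoken/password` with `.with_value('ironic_password')` only, while the override example further down also chains `.with_secret(true)`. The default path should pin the secret flag as well, so a regression that exposes the service password in reports or logs is caught: `is_expected.to contain_ironic_config('keystone_authtoken/password').with_value('ironic_password').with_secret(true)`. Separately, the override fixture `:auth_url => 'http://:127.0.0.1:35357'` has a stray colon after `//`; the example passes only because the value is compared as an opaque string, and `'http://127.0.0.1:35357'` would be a sounder sample. Both points apply unchanged to the `ironic::inspector::authtoken` spec later in this commit.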


@@ -22,23 +22,23 @@ require 'spec_helper'
describe 'ironic::api' do describe 'ironic::api' do
let :default_params do
{ :package_ensure => 'present',
:enabled => true,
:port => '6385',
:max_limit => '1000',
:host_ip => '0.0.0.0',
:admin_user => 'ironic',
}
end
let :params do let :params do
{ :admin_password => 'thepassword' } { :package_ensure => 'present',
:enabled => true,
:port => '6385',
:max_limit => '1000',
:host_ip => '0.0.0.0',
:admin_user => 'ironic',
:admin_password => 'password',
:admin_tenant_name => 'admin_tenant',
:auth_uri => 'http://127.0.0.1:5000/v2.0',
:identity_uri => 'http://127.0.0.1:35357/v2.0',
}
end end
shared_examples_for 'ironic api' do shared_examples_for 'ironic api' do
let :p do let :p do
default_params.merge(params) params
end end
it { is_expected.to contain_class('ironic::params') } it { is_expected.to contain_class('ironic::params') }
@@ -68,12 +68,13 @@ describe 'ironic::api' do
is_expected.to contain_ironic_config('api/max_limit').with_value(p[:max_limit]) is_expected.to contain_ironic_config('api/max_limit').with_value(p[:max_limit])
is_expected.to contain_ironic_config('api/api_workers').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('api/api_workers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('api/public_endpoint').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('api/public_endpoint').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/admin_password').with_value(p[:admin_password]) is_expected.to contain_ironic_config('keystone_authtoken/password').with_value(p[:admin_password])
is_expected.to contain_ironic_config('keystone_authtoken/admin_user').with_value(p[:admin_user]) is_expected.to contain_ironic_config('keystone_authtoken/username').with_value(p[:admin_user])
is_expected.to contain_ironic_config('keystone_authtoken/auth_uri').with_value('http://127.0.0.1:5000/') is_expected.to contain_ironic_config('keystone_authtoken/auth_uri').with_value(p[:auth_uri])
is_expected.to contain_ironic_config('keystone_authtoken/identity_uri').with_value('http://127.0.0.1:35357/') is_expected.to contain_ironic_config('keystone_authtoken/auth_url').with_value(p[:identity_uri])
is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('neutron/url').with_value('http://127.0.0.1:9696/') is_expected.to contain_ironic_config('neutron/url').with_value('http://127.0.0.1:9696/')
is_expected.to contain_ironic_config('keystone_authtoken/project_name').with_value(p[:admin_tenant_name])
end end
context 'when overriding parameters' do context 'when overriding parameters' do
@@ -87,6 +88,7 @@ describe 'ironic::api' do
:identity_uri => 'https://1.2.3.4:35357/', :identity_uri => 'https://1.2.3.4:35357/',
:public_endpoint => 'https://1.2.3.4:6385/', :public_endpoint => 'https://1.2.3.4:6385/',
:memcached_servers => '1.1.1.1:11211', :memcached_servers => '1.1.1.1:11211',
:admin_tenant_name => 'ironic_tenant',
) )
end end
it 'should replace default parameter with new value' do it 'should replace default parameter with new value' do
@@ -96,7 +98,8 @@ describe 'ironic::api' do
is_expected.to contain_ironic_config('api/api_workers').with_value(p[:workers]) is_expected.to contain_ironic_config('api/api_workers').with_value(p[:workers])
is_expected.to contain_ironic_config('api/public_endpoint').with_value(p[:public_endpoint]) is_expected.to contain_ironic_config('api/public_endpoint').with_value(p[:public_endpoint])
is_expected.to contain_ironic_config('keystone_authtoken/auth_uri').with_value('https://1.2.3.4:5000/') is_expected.to contain_ironic_config('keystone_authtoken/auth_uri').with_value('https://1.2.3.4:5000/')
is_expected.to contain_ironic_config('keystone_authtoken/identity_uri').with_value('https://1.2.3.4:35357/') is_expected.to contain_ironic_config('keystone_authtoken/auth_url').with_value('https://1.2.3.4:35357/')
is_expected.to contain_ironic_config('keystone_authtoken/project_name').with_value('ironic_tenant')
is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('1.1.1.1:11211') is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('1.1.1.1:11211')
end end
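Review bot: With `default_params` removed and every value now supplied through `params`, the first example no longer appears to exercise the class defaults. `p` simply returns `params`, so expectations such as `with_value(p[:max_limit])` compare the catalog with what the test itself passed in. Keeping `params` minimal (only the deprecated credentials) and asserting literal defaults, e.g. `with_value('1000')` for `api/max_limit`, would keep default regressions detectable. The new assertion on `keystone_authtoken/password` also omits `.with_secret(true)`, so the deprecated `admin_password` path is not checked for secret handling. The same restructuring appears in the `ironic::inspector` spec below, and the `describe` block continues outside these hunks.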
end end


@@ -0,0 +1,145 @@
require 'spec_helper'
describe 'ironic::inspector::authtoken' do
let :params do
{ :password => 'ironic_password', }
end
shared_examples 'ironic inspector authtoken' do
context 'with default parameters' do
it 'configure keystone_authtoken' do
is_expected.to contain_ironic_inspector_config('keystone_authtoken/username').with_value('ironic')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/password').with_value('ironic_password')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_url').with_value('http://127.0.0.1:35357')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/project_name').with_value('services')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_type').with_value('password')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_uri').with_value('http://127.0.0.1:5000')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/signing_dir').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
end
end
context 'when overriding parameters' do
before do
params.merge!({
:auth_uri => 'https://10.0.0.1:9999/',
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'http://:127.0.0.1:35357',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
:auth_version => 'v3',
:cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:check_revocations_for_cached => false,
:delay_auth_decision => false,
:enforce_token_bind => 'permissive',
:hash_algorithms => 'md5',
:http_connect_timeout => '300',
:http_request_max_retries => '3',
:include_service_catalog => true,
:keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'],
:region_name => 'region2',
:revocation_cache_time => '11',
:signing_dir => '/var/cache',
:token_cache_time => '301',
})
end
it 'configure keystone_authtoken' do
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/username').with_value(params[:username])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/project_name').with_value(params[:project_name])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/insecure').with_value(params[:insecure])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cache').with_value(params[:cache])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cafile').with_value(params[:cafile])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/certfile').with_value(params[:certfile])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_socket_timeout').with_value(params[:memcache_pool_socket_timeout])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_pool_unused_timeout').with_value(params[:memcache_pool_unused_timeout])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_security_strategy').with_value(params[:memcache_security_strategy])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcache_use_advanced_pool').with_value(params[:memcache_use_advanced_pool])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
end
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_configures 'ironic inspector authtoken'
end
end
end


@@ -20,16 +20,17 @@ require 'spec_helper'
describe 'ironic::inspector' do describe 'ironic::inspector' do
let :default_params do let :params do
{ :package_ensure => 'present', { :package_ensure => 'present',
:enabled => true, :enabled => true,
:pxe_transfer_protocol => 'tftp', :pxe_transfer_protocol => 'tftp',
:enable_uefi => false, :enable_uefi => false,
:auth_strategy => 'keystone', :auth_strategy => 'keystone',
:auth_uri => 'http://127.0.0.1:5000/v2.0', :auth_uri => 'http://127.0.0.1:5000/v2.0',
:identity_uri => 'http://127.0.0.1:35357',
:admin_user => 'ironic', :admin_user => 'ironic',
:admin_password => 'password',
:admin_tenant_name => 'services', :admin_tenant_name => 'services',
:identity_uri => 'http://127.0.0.1:35357/v2.0',
:dnsmasq_interface => 'br-ctlplane', :dnsmasq_interface => 'br-ctlplane',
:db_connection => 'sqlite:////var/lib/ironic-inspector/inspector.sqlite', :db_connection => 'sqlite:////var/lib/ironic-inspector/inspector.sqlite',
:ramdisk_logs_dir => '/var/log/ironic-inspector/ramdisk/', :ramdisk_logs_dir => '/var/log/ironic-inspector/ramdisk/',
@@ -52,13 +53,10 @@ describe 'ironic::inspector' do
:http_port => 8088, } :http_port => 8088, }
end end
let :params do
{}
end
shared_examples_for 'ironic inspector' do shared_examples_for 'ironic inspector' do
let :p do let :p do
default_params.merge(params) params
end end
it { is_expected.to contain_class('ironic::params') } it { is_expected.to contain_class('ironic::params') }
@@ -96,6 +94,7 @@ describe 'ironic::inspector' do
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_uri').with_value(p[:auth_uri]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_uri').with_value(p[:auth_uri])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_url').with_value(p[:identity_uri]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/auth_url').with_value(p[:identity_uri])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/username').with_value(p[:admin_user]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/username').with_value(p[:admin_user])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/password').with_value(p[:admin_password])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/project_name').with_value(p[:admin_tenant_name]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/project_name').with_value(p[:admin_tenant_name])
is_expected.to contain_ironic_inspector_config('firewall/dnsmasq_interface').with_value(p[:dnsmasq_interface]) is_expected.to contain_ironic_inspector_config('firewall/dnsmasq_interface').with_value(p[:dnsmasq_interface])
is_expected.to contain_ironic_inspector_config('database/connection').with_value(p[:db_connection]) is_expected.to contain_ironic_inspector_config('database/connection').with_value(p[:db_connection])
@@ -151,20 +150,20 @@ describe 'ironic::inspector' do
context 'when overriding parameters' do context 'when overriding parameters' do
before :each do before :each do
params.merge!( params.merge!(
:debug => true, :debug => true,
:listen_address => '127.0.0.1', :listen_address => '127.0.0.1',
:auth_uri => 'http://192.168.0.1:5000/v2.0', :auth_uri => 'http://192.168.0.1:5000/v2.0',
:identity_uri => 'http://192.168.0.1:35357', :identity_uri => 'http://192.168.0.1:35357',
:admin_password => 'password', :admin_password => 'password',
:ironic_password => 'password', :ironic_password => 'password',
:ironic_auth_url => 'http://192.168.0.1:5000/v2.0', :ironic_auth_url => 'http://192.168.0.1:5000/v2.0',
:swift_password => 'password', :swift_password => 'password',
:swift_auth_url => 'http://192.168.0.1:5000/v2.0', :swift_auth_url => 'http://192.168.0.1:5000/v2.0',
:pxe_transfer_protocol => 'http', :pxe_transfer_protocol => 'http',
:additional_processing_hooks => 'hook1,hook2', :additional_processing_hooks => 'hook1,hook2',
:ramdisk_kernel_args => 'foo=bar', :ramdisk_kernel_args => 'foo=bar',
:enable_uefi => true, :enable_uefi => true,
:http_port => 3816, :http_port => 3816,
) )
end end
it 'should replace default parameter with new value' do it 'should replace default parameter with new value' do


@@ -11,19 +11,15 @@ describe Puppet::Provider::Ironic do
let :credential_hash do let :credential_hash do
{ {
'auth_host' => '192.168.56.210', 'project_name' => 'admin_tenant',
'auth_port' => '35357', 'username' => 'admin',
'auth_protocol' => 'https', 'password' => 'password',
'admin_tenant_name' => 'admin_tenant', 'auth_uri' => 'https://192.168.56.210:35357/',
'admin_user' => 'admin', 'project_domain_name' => 'admin_tenant_domain',
'admin_password' => 'password', 'user_domain_name' => 'admin_domain',
} }
end end
let :auth_endpoint do
'https://192.168.56.210:35357/v2.0/'
end
let :credential_error do let :credential_error do
/Ironic types will not work/ /Ironic types will not work/
end end
@@ -58,22 +54,18 @@ describe Puppet::Provider::Ironic do
end.to raise_error(Puppet::Error, credential_error) end.to raise_error(Puppet::Error, credential_error)
end end
it 'should use specified host/port/protocol in the auth endpoint' do
conf = {'keystone_authtoken' => credential_hash}
klass.expects(:ironic_conf).returns(conf)
expect(klass.get_auth_endpoint).to eq(auth_endpoint)
end
end end
describe 'when invoking the ironic cli' do describe 'when invoking the ironic cli' do
it 'should set auth credentials in the environment' do it 'should set auth credentials in the environment' do
authenv = { authenv = {
:OS_AUTH_URL => auth_endpoint, :OS_AUTH_URL => credential_hash['auth_uri'],
:OS_USERNAME => credential_hash['admin_user'], :OS_USERNAME => credential_hash['username'],
:OS_TENANT_NAME => credential_hash['admin_tenant_name'], :OS_PROJECT_NAME => credential_hash['project_name'],
:OS_PASSWORD => credential_hash['admin_password'], :OS_PASSWORD => credential_hash['password'],
:OS_PROJECT_DOMAIN_NAME => credential_hash['project_domain_name'],
:OS_USER_DOMAIN_NAME => credential_hash['user_domain_name'],
} }
klass.expects(:get_ironic_credentials).with().returns(credential_hash) klass.expects(:get_ironic_credentials).with().returns(credential_hash)
klass.expects(:withenv).with(authenv) klass.expects(:withenv).with(authenv)