puppet-neutron/manifests/designate.pp
Takashi Kajinami 71711d8031 Accept system scope credential for Designate API request
Currently Neutron uses the user credential in [designate] section to
create a zone and PTR record. When SRBAC is enforced in Designate,
the former API call is available for both project member and system
admin but the latter API call is limited for system admin.

This change allows usage of system-scoped credential instead of
project-scoped one, so that the required API calls are permitted when
Designate enforces SRBAC.

Change-Id: I620b49937d01cae5b9a5af74fac8bb4e91ab3e86
2022-01-17 21:52:18 +09:00


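# == Class: neutron::designate
#
# Configure the Neutron designate DNS driver
#
# The credential configured here is written to the [designate] section of the
# Neutron configuration and is what Neutron presents to Keystone and Designate.
# It is either project-scoped (project_* parameters) or system-scoped
# (system_scope); the two are mutually exclusive, see system_scope below.
#
# === Parameters
#
# [*password*]
#   (required) Password for connection to designate in admin context.
#   Written with secret => true so the value is hidden from Puppet logs.
#
# [*url*]
#   (required) URL to the designate service.
#
# [*auth_type*]
#   (optional) An authentication type to use with an OpenStack Identity server.
#   The value should contain auth plugin name
#   Defaults to 'password'
#
# [*username*]
#   (optional) Username for connection to designate in admin context
#   Defaults to 'neutron'
#
# [*user_domain_name*]
#   (Optional) Name of domain for $username
#   Defaults to 'Default'
#
# [*project_name*]
#   (optional) The name of the admin project
#   Ignored when system_scope is set.
#   Defaults to 'services'
#
# [*project_domain_name*]
#   (Optional) Name of domain for $project_name
#   Ignored when system_scope is set.
#   Defaults to 'Default'
#
# [*system_scope*]
#   (Optional) Scope for system operations
#   When this is set to anything other than $::os_service_default, project_id,
#   project_name and project_domain_name are all written as
#   $::os_service_default, so the credential is system-scoped only.
#   A system-scoped credential is not confined to one project; assign the
#   $username account only the system role that Designate requires.
#   Defaults to $::os_service_default
#
# [*auth_url*]
#   (optional) Authorization URI for connection to designate in admin context.
#   If version independent identity plugin is used available versions will be
#   determined using auth_url
#   The default is plain HTTP on the loopback interface. $username and
#   $password are sent to this endpoint, so use an https:// URL whenever the
#   Identity service is reached over a network.
#   Defaults to 'http://127.0.0.1:5000'
#
# [*allow_reverse_dns_lookup*]
#   (optional) Enable or not the creation of reverse lookup (PTR) records.
#   Defaults to $::os_service_default
#
# [*ipv4_ptr_zone_prefix_size*]
#   (optional) Number of bits in an IPv4 PTR zone that will be considered
#   network prefix.
#   Defaults to $::os_service_default
#
# [*ipv6_ptr_zone_prefix_size*]
#   (optional) Number of bits in an IPv6 PTR zone that will be considered
#   network prefix.
#   Defaults to $::os_service_default
#
# [*ptr_zone_email*]
#   (optional) The email address to be used when creating PTR zones.
#   Defaults to $::os_service_default
#
# DEPRECATED PARAMETERS
#
# [*project_id*]
#   (optional) The UUID of the admin designate project. If provided this takes
#   precedence over project_name. Ignored when system_scope is set.
#   Defaults to undef
#
class neutron::designate (
  $password,
  $url,
  $auth_type                 = 'password',
  $username                  = 'neutron',
  $user_domain_name          = 'Default',
  $project_name              = 'services',
  $project_domain_name       = 'Default',
  $system_scope              = $::os_service_default,
  $auth_url                  = 'http://127.0.0.1:5000',
  $allow_reverse_dns_lookup  = $::os_service_default,
  $ipv4_ptr_zone_prefix_size = $::os_service_default,
  $ipv6_ptr_zone_prefix_size = $::os_service_default,
  $ptr_zone_email            = $::os_service_default,
  # DEPRECATED PARAMETERS
  $project_id                = undef,
) {

  include neutron::deps
  include neutron::params

  if $project_id != undef {
    warning('The neutron::designate::project_id parameter is deprecated. Use the project_name parameter.')
  }

  # Project scope and system scope are mutually exclusive. The project_*
  # options are only written when no system scope was requested; otherwise
  # they are reset to the service default so that a single scope is configured.
  if is_service_default($system_scope) {
    $project_id_real          = pick($project_id, $::os_service_default)
    $project_name_real        = $project_name
    $project_domain_name_real = $project_domain_name
  } else {
    # NOTE: a user-supplied $project_id is dropped here without a further
    # message beyond the deprecation warning above.
    $project_id_real          = $::os_service_default
    $project_name_real        = $::os_service_default
    $project_domain_name_real = $::os_service_default
  }

  neutron_config {
    'DEFAULT/external_dns_driver':         value => 'designate';
    # secret => true hides the password from Puppet's logged changes.
    'designate/password':                  value => $password, secret => true;
    'designate/url':                       value => $url;
    'designate/auth_type':                 value => $auth_type;
    'designate/username':                  value => $username;
    'designate/user_domain_name':          value => $user_domain_name;
    'designate/project_id':                value => $project_id_real;
    'designate/project_name':              value => $project_name_real;
    'designate/project_domain_name':       value => $project_domain_name_real;
    'designate/system_scope':              value => $system_scope;
    'designate/auth_url':                  value => $auth_url;
    'designate/allow_reverse_dns_lookup':  value => $allow_reverse_dns_lookup;
    'designate/ipv4_ptr_zone_prefix_size': value => $ipv4_ptr_zone_prefix_size;
    'designate/ipv6_ptr_zone_prefix_size': value => $ipv6_ptr_zone_prefix_size;
    'designate/ptr_zone_email':            value => $ptr_zone_email;
  }
}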