diff --git a/manifests/compute.pp b/manifests/compute.pp index 18cf4d1c5..69d45a73f 100644 --- a/manifests/compute.pp +++ b/manifests/compute.pp @@ -104,6 +104,11 @@ # for virtual machine processes # Defaults to $::os_service_default # +# [*keymgr_api_class*] +# (optional) Key Manager service. +# Example of valid value: nova.keymgr.barbican.BarbicanKeyManager +# Defaults to $::os_service_default +# # DEPRECATED PARAMETERS # # [*default_availability_zone*] @@ -151,6 +156,7 @@ class nova::compute ( $config_drive_format = $::os_service_default, $allow_resize_to_same_host = false, $vcpu_pin_set = $::os_service_default, + $keymgr_api_class = $::os_service_default, # DEPRECATED PARAMETERS $default_availability_zone = undef, $default_schedule_zone = undef, @@ -182,6 +188,14 @@ class nova::compute ( warning('compute_manager is marked as deprecated in Nova but still needed when Ironic is used. It will be removed once Nova removes it.') } + # cryptsetup is required when Barbican is encrypting volumes + if $keymgr_api_class =~ /barbican/ { + ensure_packages('cryptsetup', { + ensure => present, + tag => 'openstack', + }) + } + include ::nova::availability_zone nova_config { @@ -190,6 +204,7 @@ class nova::compute ( 'DEFAULT/heal_instance_info_cache_interval': value => $heal_instance_info_cache_interval; 'DEFAULT/allow_resize_to_same_host': value => $allow_resize_to_same_host; 'DEFAULT/vcpu_pin_set': value => join(any2array($vcpu_pin_set), ','); + 'keymgr/api_class': value => $keymgr_api_class; } if ($vnc_enabled) { diff --git a/releasenotes/notes/barbican-356c86ac7a7a327c.yaml b/releasenotes/notes/barbican-356c86ac7a7a327c.yaml new file mode 100644 index 000000000..115163d7c --- /dev/null +++ b/releasenotes/notes/barbican-356c86ac7a7a327c.yaml @@ -0,0 +1,4 @@ +--- +features: + - Allow to configure Key Manager api class parameter to communicate with Barbican. + If Barbican is enabled, cryptsetup will be deployed on compute nodes. 
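Review bot: The new `keymgr_api_class` entry in the parameter documentation omits the side effect this commit attaches to it: a value matching `barbican` also installs the `cryptsetup` package on the compute node. I would add a line such as `#   A value containing 'barbican' also installs the cryptsetup package.` to the doc block. It would also help to say that the default leaves the choice of key manager to Nova, so operators enabling volume encryption should confirm which key manager their release falls back to.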
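Review bot: The guard `if $keymgr_api_class =~ /barbican/` is an unanchored, case-sensitive substring test, so the package decision depends on how the class path happens to be spelled rather than on which key manager is selected. A Barbican-backed class whose path lacks the lowercase token would skip cryptsetup, and the gap would presumably only show up when an encrypted volume is attached. Matching the class name itself is tighter, for example `if $keymgr_api_class =~ /\.BarbicanKeyManager$/ {`. As far as I can tell, cryptsetup is needed for encrypted volumes whichever key manager supplies the key, so it is worth confirming that gating the package on Barbican alone is intended. The body of `nova::compute` starts and ends outside this hunk.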
diff --git a/spec/classes/nova_compute_spec.rb b/spec/classes/nova_compute_spec.rb index 83458f0ed..395f2d448 100644 --- a/spec/classes/nova_compute_spec.rb +++ b/spec/classes/nova_compute_spec.rb @@ -27,7 +27,9 @@ describe 'nova::compute' do it { is_expected.to contain_nova_config('DEFAULT/allow_resize_to_same_host').with(:value => 'false') } it { is_expected.to contain_nova_config('DEFAULT/vcpu_pin_set').with(:value => '') } it { is_expected.to_not contain_nova_config('vnc/novncproxy_base_url') } + it { is_expected.to contain_nova_config('keymgr/api_class').with_value('') } + it { is_expected.to_not contain_package('cryptsetup').with( :ensure => 'present' )} it { is_expected.to_not contain_package('bridge-utils').with( :ensure => 'present', @@ -68,6 +70,7 @@ describe 'nova::compute' do :pci_passthrough => "[{\"vendor_id\":\"8086\",\"product_id\":\"0126\"},{\"vendor_id\":\"9096\",\"product_id\":\"1520\",\"physical_network\":\"physnet1\"}]", :config_drive_format => 'vfat', :vcpu_pin_set => ['4-12','^8','15'], + :keymgr_api_class => 'nova.keymgr.barbican.BarbicanKeyManager', } end @@ -91,6 +94,11 @@ describe 'nova::compute' do is_expected.to contain_nova_config('DEFAULT/compute_manager').with_value('ironic.nova.compute.manager.ClusteredComputeManager') end + it 'configures barbican service' do + is_expected.to contain_nova_config('keymgr/api_class').with_value('nova.keymgr.barbican.BarbicanKeyManager') + is_expected.to contain_package('cryptsetup').with( :ensure => 'present' ) + end + it 'configures vnc in nova.conf' do is_expected.to contain_nova_config('vnc/enabled').with_value(true) is_expected.to contain_nova_config('vnc/vncserver_proxyclient_address').with_value('127.0.0.1')
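Review bot: The negative expectation `is_expected.to_not contain_package('cryptsetup').with( :ensure => 'present' )` only fails when the package is in the catalogue with exactly `ensure => present`. It would still pass if cryptsetup were declared with a different ensure value, which is not what the default case is meant to guarantee. Dropping the qualifier gives the stronger assertion: `it { is_expected.to_not contain_package('cryptsetup') }`. The neighbouring `bridge-utils` expectation uses the same pattern and runs past the end of this hunk.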
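Review bot: The `configures barbican service` example covers only the matching branch of the new conditional, and no example sets a key manager that is not Barbican. The only negative coverage is therefore the service-default value. I would add a context that passes a non-Barbican class (constructed sample: `'example.keymgr.OtherKeyManager'`) and expects `is_expected.to_not contain_package('cryptsetup')`. The positive check could also pin the tag the manifest sets, `.with( :ensure => 'present', :tag => 'openstack' )`.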