diff --git a/manifests/api.pp b/manifests/api.pp
index 26d5ab52..6071de28 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -4,16 +4,6 @@
 #
 # === Parameters
 #
-# [*keymgr_encryption_api_url*]
-# (optional) Key Manager service URL
-# Example of valid value: https://localhost:9311/v1
-# Defaults to $::os_service_default
-#
-# [*keymgr_encryption_auth_url*]
-# (optional) Auth URL for keymgr authentication. Should be in format
-# http://auth_url:5000/v3
-# Defaults to $::os_service_default.
-#
 # [*service_workers*]
 # (optional) Number of cinder-api workers
 # Defaults to $::os_workers
@@ -114,12 +104,22 @@
 # will also need to be changed to match.
 # Defaults to $::os_service_default
 #
+# DEPRECATED PARAMETERS
+#
+# [*keymgr_encryption_api_url*]
+# (optional) Key Manager service URL
+# Example of valid value: https://localhost:9311/v1
+# Defaults to undef
+#
+# [*keymgr_encryption_auth_url*]
+# (optional) Auth URL for keymgr authentication. Should be in format
+# http://auth_url:5000/v3
+# Defaults to undef
+#
 # [*keymgr_backend*]
 # (optional) Key Manager service class.
 # Example of valid value: barbican
-# Defaults to $::os_service_default
-#
-# DEPRECATED PARAMETERS
+# Defaults to undef
 #
 # [*os_region_name*]
 # (optional) Some operations require cinder to make API requests
@@ -128,8 +128,6 @@
 # Defaults to undef
 #
 class cinder::api (
- $keymgr_encryption_api_url = $::os_service_default,
- $keymgr_encryption_auth_url = $::os_service_default,
 $service_workers = $::os_workers,
 $package_ensure = 'present',
 $bind_host = '0.0.0.0',
@@ -153,8 +151,10 @@ class cinder::api (
 $ca_file = $::os_service_default,
 $auth_strategy = 'keystone',
 $osapi_volume_listen_port = $::os_service_default,
- $keymgr_backend = $::os_service_default,
 # DEPRECATED PARAMETERS
+ $keymgr_backend = undef,
+ $keymgr_encryption_api_url = undef,
+ $keymgr_encryption_auth_url = undef,
 $os_region_name = undef
 ) inherits cinder::params {
@@ -162,6 +162,12 @@ class cinder::api (
 include cinder::params
 include cinder::policy
+ ['keymgr_backend', 'keymgr_encryption_api_url', 'keymgr_encryption_auth_url'].each |String $keymgr_var| {
+ if getvar("${keymgr_var}") != undef {
+ warning("cinder::api::${keymgr_var} is deprecated, use cinder::${keymgr_var} instead.")
+ }
+ }
+
 if $os_region_name != undef {
 warning('cinder::api::os_region_name is deprecated and has no effect. \
 Use cinder::nova::region_name instead')
@@ -243,12 +249,6 @@ running as a standalone service, or httpd for being run by a httpd server")
 max_request_body_size => $max_request_body_size,
 }
- cinder_config {
- 'key_manager/backend': value => $keymgr_backend;
- 'barbican/barbican_endpoint': value => $keymgr_encryption_api_url;
- 'barbican/auth_endpoint': value => $keymgr_encryption_auth_url;
- }
-
 if $auth_strategy == 'keystone' {
 include cinder::keystone::authtoken
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index de215c8e..15ff36f2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -182,6 +182,21 @@
 # (Optional) Password for message broker authentication
 # Defaults to $::os_service_default.
 #
+# [*keymgr_backend*]
+# (Optional) Key Manager service class.
+# Example of valid value: barbican
+# Defaults to $::os_service_default.
+#
+# [*keymgr_encryption_api_url*]
+# (Optional) Key Manager service URL
+# Example of valid value: https://localhost:9311/v1
+# Defaults to $::os_service_default.
+#
+# [*keymgr_encryption_auth_url*]
+# (Optional) Auth URL for keymgr authentication. Should be in format
+# http://auth_url:5000/v3
+# Defaults to $::os_service_default.
+#
 # [*database_connection*]
 # Url used to connect to database.
 # (Optional) Defaults to undef.
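Review bot: The deprecation warning added in the `@@ -162` hunk of manifests/api.pp tells the operator to move to `cinder::${keymgr_var}` but not that the old value is still applied and, judging by the `pick()` calls added to manifests/init.pp, wins over the new parameter when both are set. Saying so in the message, e.g. `warning("cinder::api::${keymgr_var} is deprecated and overrides cinder::${keymgr_var} while it is set; use cinder::${keymgr_var} instead.")`, spares someone chasing a key manager setting that refuses to change. The interpolation in `getvar("${keymgr_var}")` is also redundant; `getvar($keymgr_var)` reads the same. The class body continues outside the hunk.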
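Review bot: The documented format for `keymgr_encryption_auth_url` in the `@@ -182` hunk of manifests/init.pp is `http://auth_url:5000/v3`, a plaintext scheme for the value that is written to `barbican/auth_endpoint`, while the neighbouring `keymgr_encryption_api_url` example and the new spec in cinder_init_spec.rb both use https. Operators tend to copy the documented format verbatim, so I would change the example line to `#   https://auth_url:5000/v3`. The same wording is carried over in the DEPRECATED PARAMETERS docs in manifests/api.pp (`@@ -114` hunk).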
@@ -309,6 +324,9 @@ class cinder (
 $amqp_sasl_config_name = $::os_service_default,
 $amqp_username = $::os_service_default,
 $amqp_password = $::os_service_default,
+ $keymgr_backend = $::os_service_default,
+ $keymgr_encryption_api_url = $::os_service_default,
+ $keymgr_encryption_auth_url = $::os_service_default,
 $package_ensure = 'present',
 $api_paste_config = '/etc/cinder/api-paste.ini',
 $storage_availability_zone = 'nova',
@@ -399,6 +417,13 @@ class cinder (
 $default_availability_zone_real = $default_availability_zone
 }
+ # NOTE(abishop): Remove the picks when cinder::api::keymgr_* are removed.
+ $keymgr_backend_real = pick($cinder::api::keymgr_backend, $keymgr_backend)
+ $keymgr_encryption_api_url_real = pick($cinder::api::keymgr_encryption_api_url,
+ $keymgr_encryption_api_url)
+ $keymgr_encryption_auth_url_real = pick($cinder::api::keymgr_encryption_auth_url,
+ $keymgr_encryption_auth_url)
+
 cinder_config {
 'DEFAULT/report_interval': value => $report_interval;
 'DEFAULT/service_down_time': value => $service_down_time;
@@ -409,6 +434,9 @@ class cinder (
 'DEFAULT/image_conversion_dir': value => $image_conversion_dir;
 'DEFAULT/host': value => $host;
 'DEFAULT/enable_new_services': value => $enable_new_services;
+ 'key_manager/backend': value => $keymgr_backend_real;
+ 'barbican/barbican_endpoint': value => $keymgr_encryption_api_url_real;
+ 'barbican/auth_endpoint': value => $keymgr_encryption_auth_url_real;
 # NOTE(abishop): $backend_host is not written here because it is not a valid
 # DEFAULT option. It is only recognized in the backend sections. Instead,
diff --git a/releasenotes/notes/move-keymgr-params-to-init-a745c0eed3062392.yaml b/releasenotes/notes/move-keymgr-params-to-init-a745c0eed3062392.yaml
new file mode 100644
index 00000000..ef35e039
--- /dev/null
+++ b/releasenotes/notes/move-keymgr-params-to-init-a745c0eed3062392.yaml
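Review bot: The `pick($cinder::api::keymgr_backend, $keymgr_backend)` lines in the `@@ -399` hunk of manifests/init.pp can only see the deprecated values if `cinder::api` has already been evaluated when class `cinder` is compiled; whether that ordering holds is not visible in this diff. If it does not, a site that still sets `cinder::api::keymgr_backend` would get the deprecation warning from api.pp yet have `key_manager/backend` and the two `barbican/*` endpoints written with the service default. Because these settings decide which key manager the volume services use, that silent fallback is worth ruling out. Either confirm the ordering and record it next to the existing NOTE, e.g. `# NOTE: relies on cinder::api being evaluated before this class; deprecated values take precedence over cinder::keymgr_*.`, or make api.pp fail when a deprecated value cannot be honoured. The class body starts and ends outside the hunk.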
@@ -0,0 +1,18 @@
+---
+deprecations:
+ - |
+ Cinder's Key Manager parameters have moved from cinder::api to
+ the cinder class. The following parameters are deprecated:
+ * cinder::api::keymgr_backend
+ * cinder::api::keymgr_encryption_api_url
+ * cinder::api::keymgr_encryption_auth_url
+ They are replaced by the following new parameters:
+ * cinder::keymgr_backend
+ * cinder::keymgr_encryption_api_url
+ * cinder::keymgr_encryption_auth_url
+fixes:
+ - |
+ Cinder's Key Manager parameters are no longer associated with just the
+ cinder-api service. The parameters are always configured so that the
+ cinder-volume and cinder-backup services can also access the Key Manager.
+ Fixes `bug 1886081 `
diff --git a/spec/classes/cinder_api_spec.rb b/spec/classes/cinder_api_spec.rb
index 5d30cef9..226e50c6 100644
--- a/spec/classes/cinder_api_spec.rb
+++ b/spec/classes/cinder_api_spec.rb
@@ -31,9 +31,6 @@ describe 'cinder::api' do
 is_expected.to contain_cinder_config('DEFAULT/osapi_volume_base_URL').with_value('')
 is_expected.to contain_cinder_config('DEFAULT/osapi_max_limit').with_value('')
 is_expected.to contain_cinder_config('DEFAULT/auth_strategy').with_value('keystone')
- is_expected.to contain_cinder_config('key_manager/backend').with_value('')
- is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('')
- is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('')
 is_expected.to contain_cinder_config('DEFAULT/osapi_volume_listen_port').with('value' => '')
 is_expected.to contain_oslo__middleware('cinder_config').with(
@@ -120,16 +117,6 @@ describe 'cinder::api' do
 )}
 end
- context 'with encryption_auth_url' do
- let :params do
- req_params.merge({ :keymgr_encryption_auth_url => 'http://localhost:5000/v3' })
- end
-
- it { is_expected.to contain_cinder_config('barbican/auth_endpoint').with(
- :value => 'http://localhost:5000/v3'
- )}
- end
-
 context 'while validating the service with default command' do
 let :params do
 req_params.merge({
@@ -227,22 +214,6 @@ describe 'cinder::api' do
 it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
 end
-
- context 'with barbican parameters' do
- let :params do
- req_params.merge!({
- :keymgr_backend => 'barbican',
- :keymgr_encryption_api_url => 'https://localhost:9311/v1',
- :keymgr_encryption_auth_url => 'https://localhost:5000/v3',
- })
- end
- it 'should set keymgr parameters' do
- is_expected.to contain_cinder_config('key_manager/backend').with_value('barbican')
- is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
- is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
- end
- end
-
 end
 on_supported_os({
diff --git a/spec/classes/cinder_init_spec.rb b/spec/classes/cinder_init_spec.rb
index 4fdd4e7a..04b80af8 100644
--- a/spec/classes/cinder_init_spec.rb
+++ b/spec/classes/cinder_init_spec.rb
@@ -48,6 +48,9 @@ describe 'cinder' do
 is_expected.to contain_cinder_config('DEFAULT/host').with_value('')
 is_expected.to contain_cinder_config('DEFAULT/enable_new_services').with_value('')
 is_expected.to contain_cinder_config('oslo_concurrency/lock_path').with(:value => '/var/lock/cinder')
+ is_expected.to contain_cinder_config('key_manager/backend').with_value('')
+ is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('')
+ is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('')
 # backend_host should not be written to DEFAULT section
 is_expected.not_to contain_cinder_config('DEFAULT/backend_host')
@@ -274,6 +277,21 @@ describe 'cinder' do
 :topics => params[:notification_topics],
 )}
 end
+
+ context 'with keymgr parameters' do
+ let :params do
+ req_params.merge!({
+ :keymgr_backend => 'barbican',
+ :keymgr_encryption_api_url => 'https://localhost:9311/v1',
+ :keymgr_encryption_auth_url => 'https://localhost:5000/v3',
+ })
+ end
+ it 'should set keymgr parameters' do
+ is_expected.to contain_cinder_config('key_manager/backend').with_value('barbican')
+ is_expected.to contain_cinder_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1')
+ is_expected.to contain_cinder_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3')
+ end
+ end
 end
 on_supported_os({
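Review bot: The new `with keymgr parameters` context in the `@@ -274` hunk of spec/classes/cinder_init_spec.rb covers only the new `cinder::keymgr_*` parameters, and the commit deletes the matching contexts from cinder_api_spec.rb. Nothing now exercises the compatibility path in which `cinder::api::keymgr_*` is set and the `pick()` calls in init.pp are expected to carry it into `key_manager/backend`, `barbican/barbican_endpoint` and `barbican/auth_endpoint`. A further context that declares `cinder::api` with the deprecated values through a `pre_condition` and asserts the same three `contain_cinder_config` values would catch a regression where the deprecated settings are silently dropped. A second case with both old and new parameters set would pin which one takes precedence.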