From c978ba07e77bb347fe88e9219438a117a9d3d1b6 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 21 Jun 2019 10:12:14 +0900
Subject: [PATCH] Implement class to configure parameters to use service token

This patch introduces cinder::keystone::service_user class to configure parameters to enable service token feature in Cinder.

Depends-on: https://review.opendev.org/#/c/666467
Change-Id: I79362b30107826e67f0bf6dce9371a24bc3ef2dd
---
 manifests/keystone/service_user.pp | 101 ++++++++++++++++++
 .../notes/service_token-94dd15b7ee9af228.yaml | 5 +
 .../cinder_keystone_service_user_spec.rb | 80 ++++++++++++++
 3 files changed, 186 insertions(+)
 create mode 100644 manifests/keystone/service_user.pp
 create mode 100644 releasenotes/notes/service_token-94dd15b7ee9af228.yaml
 create mode 100644 spec/classes/cinder_keystone_service_user_spec.rb

diff --git a/manifests/keystone/service_user.pp b/manifests/keystone/service_user.pp
new file mode 100644
index 00000000..cf34edd1
--- /dev/null
+++ b/manifests/keystone/service_user.pp
@@ -0,0 +1,101 @@
+# class: cinder::keystone::service_user
+#
+# Configure the service_user section in the configuration file
+#
+# === Parameters
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'cinder'
+#
+# [*password*]
+# (Optional) Password to create for the service user
+# Defaults to $::os_service_default
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://localhost:5000'.
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to 'Default'
+#
+# [*send_service_user_token*]
+# (Optional) The service uses service token feature when this is set as true
+# Defaults to 'false'
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $::os_service_default
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $::os_service_default.
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $::os_service_default.
+#
+class cinder::keystone::service_user(
+ $username = 'cinder',
+ $password = $::os_service_default,
+ $auth_url = 'http://localhost:5000',
+ $project_name = 'services',
+ $user_domain_name = 'Default',
+ $project_domain_name = 'Default',
+ $send_service_user_token = false,
+ $insecure = $::os_service_default,
+ $auth_type = 'password',
+ $auth_version = $::os_service_default,
+ $cafile = $::os_service_default,
+ $certfile = $::os_service_default,
+ $keyfile = $::os_service_default,
+ $region_name = $::os_service_default,
+) {
+
+ include ::cinder::deps
+
+ keystone::resource::service_user { 'cinder_config':
+ username => $username,
+ password => $password,
+ project_name => $project_name,
+ auth_url => $auth_url,
+ auth_version => $auth_version,
+ auth_type => $auth_type,
+ user_domain_name => $user_domain_name,
+ project_domain_name => $project_domain_name,
+ send_service_user_token => $send_service_user_token,
+ insecure => $insecure,
+ cafile => $cafile,
+ certfile => $certfile,
+ keyfile => $keyfile,
+ region_name => $region_name,
+ }
+}
diff --git a/releasenotes/notes/service_token-94dd15b7ee9af228.yaml b/releasenotes/notes/service_token-94dd15b7ee9af228.yaml
new file mode 100644
index 00000000..89c3a7af
--- /dev/null
+++ b/releasenotes/notes/service_token-94dd15b7ee9af228.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ New class, cinder::keystone::service_user, is introduced to configure
+ parameters to service token feature.
diff --git a/spec/classes/cinder_keystone_service_user_spec.rb b/spec/classes/cinder_keystone_service_user_spec.rb
new file mode 100644
index 00000000..5f503e5d
--- /dev/null
+++ b/spec/classes/cinder_keystone_service_user_spec.rb
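Review bot: `$password` defaults to `$::os_service_default`, and nothing in the class body checks it, so setting `send_service_user_token => true` without a password still compiles and presumably only fails once cinder tries to authenticate. A guard ahead of the `keystone::resource::service_user` declaration would surface this at catalog time, e.g. `if $send_service_user_token and is_service_default($password) { fail('password is required when send_service_user_token is true') }`. The parameter doc reads "Password to create for the service user", but as far as this hunk shows the class only writes `[service_user]` options, so `# (Optional) Password of the service user` would be more accurate. The `auth_url` default is plain `http://`; its doc could note that the service user's credentials are sent to this endpoint and that real deployments should set an `https://` URL together with `cafile`.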
@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe 'cinder::keystone::service_user' do
+ let :params do
+ {
+ :password => 'cinder_password',
+ }
+ end
+
+ shared_examples 'cinder service_user' do
+ context 'with default parameters' do
+ it 'configure service_user' do
+ is_expected.to contain_cinder_config('service_user/username').with_value('cinder')
+ is_expected.to contain_cinder_config('service_user/password').with_value('cinder_password')
+ is_expected.to contain_cinder_config('service_user/auth_url').with_value('http://localhost:5000')
+ is_expected.to contain_cinder_config('service_user/project_name').with_value('services')
+ is_expected.to contain_cinder_config('service_user/user_domain_name').with_value('Default')
+ is_expected.to contain_cinder_config('service_user/project_domain_name').with_value('Default')
+ is_expected.to contain_cinder_config('service_user/send_service_user_token').with_value(false)
+ is_expected.to contain_cinder_config('service_user/insecure').with_value('')
+ is_expected.to contain_cinder_config('service_user/auth_type').with_value('password')
+ is_expected.to contain_cinder_config('service_user/auth_version').with_value('')
+ is_expected.to contain_cinder_config('service_user/cafile').with_value('')
+ is_expected.to contain_cinder_config('service_user/certfile').with_value('')
+ is_expected.to contain_cinder_config('service_user/keyfile').with_value('')
+ is_expected.to contain_cinder_config('service_user/region_name').with_value('')
+ end
+ end
+
+ context 'when overriding parameters' do
+ before do
+ params.merge!({
+ :username => 'myuser',
+ :password => 'mypasswd',
+ :auth_url => 'https://127.0.0.1:5000',
+ :project_name => 'service_project',
+ :user_domain_name => 'domainX',
+ :project_domain_name => 'domainX',
+ :send_service_user_token => true,
+ :insecure => false,
+ :auth_type => 'password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'region2',
+ })
+ end
+
+ it 'configure service_user' do
+ is_expected.to contain_cinder_config('service_user/username').with_value(params[:username])
+ is_expected.to contain_cinder_config('service_user/password').with_value(params[:password]).with_secret(true)
+ is_expected.to contain_cinder_config('service_user/auth_url').with_value(params[:auth_url])
+ is_expected.to contain_cinder_config('service_user/project_name').with_value(params[:project_name])
+ is_expected.to contain_cinder_config('service_user/user_domain_name').with_value(params[:user_domain_name])
+ is_expected.to contain_cinder_config('service_user/project_domain_name').with_value(params[:project_domain_name])
+ is_expected.to contain_cinder_config('service_user/send_service_user_token').with_value(params[:send_service_user_token])
+ is_expected.to contain_cinder_config('service_user/insecure').with_value(params[:insecure])
+ is_expected.to contain_cinder_config('service_user/auth_type').with_value(params[:auth_type])
+ is_expected.to contain_cinder_config('service_user/auth_version').with_value(params[:auth_version])
+ is_expected.to contain_cinder_config('service_user/cafile').with_value(params[:cafile])
+ is_expected.to contain_cinder_config('service_user/certfile').with_value(params[:certfile])
+ is_expected.to contain_cinder_config('service_user/keyfile').with_value(params[:keyfile])
+ is_expected.to contain_cinder_config('service_user/region_name').with_value(params[:region_name])
+ end
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'cinder service_user'
+ end
+ end
+end
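Review bot: The `with default parameters` example checks the value of `service_user/password` but not that the setting is marked secret; only the `when overriding parameters` context asserts `.with_secret(true)`. That flag is what keeps the password out of Puppet's logs and reports, so it is worth pinning on the default path as well: `is_expected.to contain_cinder_config('service_user/password').with_value('cinder_password').with_secret(true)`. The top-level `let :params` always supplies a password, so no example exercises the class with `password` left at its default, and the combination of `send_service_user_token => true` with no password is untested.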