openstack/puppet-cinder
Code Issues Proposed changes
puppet-cinder/manifests/api.pp
Matt Fischer bb1e3e67dc Cinder hooks support 
This code moves all deps to an external class so that Cinder can be
installed with mechanisms besides packages (like venv or docker). This
also cleans-up the dependency tree by removing false or confusing
dependencies.

Co-Author: Craig Delatte <craig.delatte@twcable.com>

Change-Id: I55a62f6173fe463fb8fb65df6729c9f509a0fb04
2016-09-13 09:18:41 -06:00

411 lines
14 KiB
Puppet
Raw Blame History

# == Class: cinder::api
#
# Setup and configure the cinder API endpoint
#
# === Parameters
#
# [*privileged_user*]
# (optional) Enables OpenStack privileged account.
# Defaults to false.
#
# [*os_privileged_user_name*]
# (optional) OpenStack privileged account username. Used for requests to
# other services (such as Nova) that require an account with
# special rights.
# Defaults to $::os_service_default.
#
# [*os_privileged_user_password*]
# (optional) Password associated with the OpenStack privileged account.
# Defaults to $::os_service_default.
#
# [*os_privileged_user_tenant*]
# (optional) Tenant name associated with the OpenStack privileged account.
# Defaults to $::os_service_default.
#
# [*os_privileged_user_auth_url*]
# (optional) Auth URL associated with the OpenStack privileged account.
# Defaults to $::os_service_default.
#
# [*keymgr_api_class*]
# (optional) Key Manager service class.
# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
# Defaults to $::os_service_default
#
# [*keymgr_encryption_api_url*]
# (optional) Key Manager service URL
# Example of valid value: https://localhost:9311/v1
# Defaults to $::os_service_default
#
# [*keymgr_encryption_auth_url*]
# (optional) Auth URL for keymgr authentication. Should be in format
# http://auth_url:5000/v3
# Defaults to $::os_service_default.
#
# [*os_region_name*]
# (optional) Some operations require cinder to make API requests
# to Nova. This sets the keystone region to be used for these
# requests. For example, boot-from-volume.
# Defaults to $::os_service_default
#
# [*nova_catalog_info*]
# (optional) Match this value when searching for nova in the service
# catalog.
# Defaults to 'compute:Compute Service:publicURL'
#
# [*nova_catalog_admin_info*]
# (optional) Same as nova_catalog_info, but for admin endpoint.
# Defaults to 'compute:Compute Service:adminURL'
#
# [*service_workers*]
# (optional) Number of cinder-api workers
# Defaults to $::processorcount
#
# [*package_ensure*]
# (optional) The state of the package
# Defaults to present
#
# [*bind_host*]
# (optional) The cinder api bind address
# Defaults to 0.0.0.0
#
# [*enabled*]
# (optional) The state of the service (boolean value)
# Defaults to true
#
# [*manage_service*]
# (optional) Whether to start/stop the service (boolean value)
# Defaults to true
#
# [*ratelimits*]
# (optional) The state of the service
# Defaults to $::os_service_default. If undefined the default ratelimiting values are used.
#
# [*ratelimits_factory*]
# (optional) Factory to use for ratelimiting
# Defaults to 'cinder.api.v1.limits:RateLimitingMiddleware.factory'
#
# [*default_volume_type*]
# (optional) default volume type to use.
# This should contain the name of the default volume type to use.
# If not configured, it produces an error when creating a volume
# without specifying a type.
# Defaults to $::os_service_default.
#
# [*validate*]
# (optional) Whether to validate the service is working after any service refreshes
# Defaults to false
#
# [*sync_db*]
# (Optional) Run db sync on the node.
# Defaults to true
#
# [*public_endpoint*]
# (Optional) Public url to use for versions endpoint.
# Defaults to $::os_service_default
#
# [*osapi_volume_base_url*]
# (Optional) Base URL that will be presented to users in links to the OpenStack Volume API.
# Defaults to $::os_service_default
#
# [*osapi_max_limit*]
# (Optional) The maximum number of items that a collection resource
# returns in a single response (integer value)
# Defaults to $::os_service_default
#
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of cinder-api.
# If the value is 'httpd', this means cinder-api will be a web
# service, and you must use another class to configure that
# web service. For example, use class { 'cinder::wsgi::apache'...}
# to make cinder-api be a web app using apache mod_wsgi.
# Defaults to '$::cinder::params::api_service'
#
# [*enable_proxy_headers_parsing*]
# (optional) This determines if the HTTPProxyToWSGI
# middleware should parse the proxy headers or not.(boolean value)
# Defaults to $::os_service_default
#
# [*use_ssl*]
# (optional) Enable SSL on the API server
# Defaults to false
#
# [*cert_file*]
# (optional) Certificate file to use when starting API server securely
# Defaults to $::os_service_default
#
# [*key_file*]
# (optional) Private key file to use when starting API server securely
# Defaults to $::os_service_default
#
# [*ca_file*]
# (optional) CA certificate file to use to verify connecting clients
# Defaults to $::os_service_default
#
# [*auth_strategy*]
# (optional) Type of authentication to be used.
# Defaults to 'keystone'
#
# DEPRECATED PARAMETERS
#
# [*keystone_enabled*]
# (optional) Deprecated. Use auth_strategy instead.
# Defaults to undef
#
# [*keystone_tenant*]
# (optional) Deprecated. Use cinder::keystone::authtoken::project_name instead.
# Defaults to undef.
#
# [*keystone_user*]
# (optional) Deprecated. Use cinder::keystone::authtoken::username instead.
# Defaults to undef.
#
# [*keystone_password*]
# (optional) Deprecated. Use cinder::keystone::authtoken::password instead.
# Defaults to undef.
#
# [*identity_uri*]
# (optional) Deprecated. Use cinder::keystone::authtoken::auth_url instead.
# Defaults to undef.
#
# [*auth_uri*]
# (optional) Deprecated. Use cinder::keystone::authtoken::auth_uri instead.
# Defaults to undef.
#
# [*memcached_servers*]
# (Optional) Deprecated. Use cinder::keystone::authtoken::memcached_servers.
# Defaults to undef.
#
# [*validation_options*]
# (optional) Service validation options
# Should be a hash of options defined in openstacklib::service_validation
# If empty, defaults values are taken from openstacklib function.
# Default command list volumes.
# Require validate set at True.
# Example:
# glance::api::validation_options:
# glance-api:
# command: check_cinder-api.py
# path: /usr/bin:/bin:/usr/sbin:/sbin
# provider: shell
# tries: 5
# try_sleep: 10
# Defaults to {}
#
class cinder::api (
$keystone_enabled = true,
$nova_catalog_info = 'compute:Compute Service:publicURL',
$nova_catalog_admin_info = 'compute:Compute Service:adminURL',
$os_region_name = $::os_service_default,
$privileged_user = false,
$os_privileged_user_name = $::os_service_default,
$os_privileged_user_password = $::os_service_default,
$os_privileged_user_tenant = $::os_service_default,
$os_privileged_user_auth_url = $::os_service_default,
$keymgr_api_class = $::os_service_default,
$keymgr_encryption_api_url = $::os_service_default,
$keymgr_encryption_auth_url = $::os_service_default,
$service_workers = $::processorcount,
$package_ensure = 'present',
$bind_host = '0.0.0.0',
$enabled = true,
$manage_service = true,
$ratelimits = $::os_service_default,
$default_volume_type = $::os_service_default,
$ratelimits_factory =
'cinder.api.v1.limits:RateLimitingMiddleware.factory',
$validate = false,
$sync_db = true,
$public_endpoint = $::os_service_default,
$osapi_volume_base_url = $::os_service_default,
$osapi_max_limit = $::os_service_default,
$service_name = $::cinder::params::api_service,
$enable_proxy_headers_parsing = $::os_service_default,
$use_ssl = false,
$cert_file = $::os_service_default,
$key_file = $::os_service_default,
$ca_file = $::os_service_default,
$auth_strategy = 'keystone',
# DEPRECATED PARAMETERS
$validation_options = {},
$keystone_tenant = undef,
$keystone_user = undef,
$keystone_password = undef,
$identity_uri = undef,
$auth_uri = undef,
$memcached_servers = undef,
) inherits cinder::params {
include ::cinder::deps
include ::cinder::params
include ::cinder::policy
validate_bool($manage_service)
validate_bool($enabled)
# Keep backwards compatibility with SSL values being set in init.pp
$use_ssl_real = pick($::cinder::use_ssl, $use_ssl)
$cert_file_real = pick($::cinder::cert_file, $cert_file)
$key_file_real = pick($::cinder::key_file, $key_file)
$ca_file_real = pick($::cinder::ca_file, $ca_file)
if $identity_uri {
warning('cinder::api::identity_uri is deprecated, use cinder::keystone::authtoken::auth_url instead.')
}
if $auth_uri {
warning('cinder::api::auth_uri is deprecated, use cinder::keystone::authtoken::auth_uri instead.')
}
if $keystone_tenant {
warning('cinder::api::keystone_tenant is deprecated, use cinder::keystone::authtoken::project_name instead.')
}
if $keystone_user {
warning('cinder::api::keystone_user is deprecated, use cinder::keystone::authtoken::username instead.')
}
if $keystone_password {
warning('cinder::api::keystone_password is deprecated, use cinder::keystone::authtoken::password instead.')
}
if $memcached_servers {
warning('cinder::api::memcached_servers is deprecated, use cinder::keystone::authtoken::memcached_servers instead.')
}
if $keystone_enabled {
warning('keystone_enabled is deprecated, use auth_strategy instead.')
$auth_strategy_real = $keystone_enabled
} else {
$auth_strategy_real = $auth_strategy
}
if $use_ssl_real {
if is_service_default($cert_file_real) {
fail('The cert_file parameter is required when use_ssl is set to true')
}
if is_service_default($key_file_real) {
fail('The key_file parameter is required when use_ssl is set to true')
}
}
if $::cinder::params::api_package {
package { 'cinder-api':
ensure => $package_ensure,
name => $::cinder::params::api_package,
tag => ['openstack', 'cinder-package'],
}
}
if $sync_db {
include ::cinder::db::sync
}
if $enabled {
if $manage_service {
$ensure = 'running'
}
} else {
if $manage_service {
$ensure = 'stopped'
}
}
if $service_name == $::cinder::params::api_service {
service { 'cinder-api':
ensure => $ensure,
name => $::cinder::params::api_service,
enable => $enabled,
hasstatus => true,
tag => 'cinder-service',
}
} elsif $service_name == 'httpd' {
include ::apache::params
service { 'cinder-api':
ensure => 'stopped',
name => $::cinder::params::api_service,
enable => false,
tag => ['cinder-service'],
}
# we need to make sure cinder-api/eventlet is stopped before trying to start apache
Service['cinder-api'] -> Service[$service_name]
} else {
fail('Invalid service_name. Either cinder-api/openstack-cinder-api for running as a standalone service, or httpd for being run by a httpd server')
}
cinder_config {
'DEFAULT/osapi_volume_listen': value => $bind_host;
'DEFAULT/osapi_volume_workers': value => $service_workers;
'DEFAULT/os_region_name': value => $os_region_name;
'DEFAULT/default_volume_type': value => $default_volume_type;
'DEFAULT/public_endpoint': value => $public_endpoint;
'DEFAULT/osapi_volume_base_URL': value => $osapi_volume_base_url;
'DEFAULT/osapi_max_limit': value => $osapi_max_limit;
}
cinder_config {
'DEFAULT/nova_catalog_info': value => $nova_catalog_info;
'DEFAULT/nova_catalog_admin_info': value => $nova_catalog_admin_info;
}
oslo::middleware {'cinder_config':
enable_proxy_headers_parsing => $enable_proxy_headers_parsing,
}
if $privileged_user {
if is_service_default($os_privileged_user_name) {
fail('The os_privileged_user_name parameter is required when privileged_user is set to true')
}
if is_service_default($os_privileged_user_password) {
fail('The os_privileged_user_password parameter is required when privileged_user is set to true')
}
if is_service_default($os_privileged_user_tenant) {
fail('The os_privileged_user_tenant parameter is required when privileged_user is set to true')
}
}
cinder_config {
'DEFAULT/os_privileged_user_password': value => $os_privileged_user_password;
'DEFAULT/os_privileged_user_tenant': value => $os_privileged_user_tenant;
'DEFAULT/os_privileged_user_name': value => $os_privileged_user_name;
'DEFAULT/os_privileged_user_auth_url': value => $os_privileged_user_auth_url;
}
cinder_config {
'key_manager/api_class': value => $keymgr_api_class;
'barbican/barbican_endpoint': value => $keymgr_encryption_api_url;
'barbican/auth_endpoint': value => $keymgr_encryption_auth_url;
}
if $auth_strategy_real {
include ::cinder::keystone::authtoken
}
# SSL Options
if $use_ssl_real {
cinder_config {
'ssl/cert_file' : value => $cert_file_real;
'ssl/key_file' : value => $key_file_real;
'ssl/ca_file' : value => $ca_file_real;
}
}
if (!is_service_default($ratelimits)) {
cinder_api_paste_ini {
'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory;
'filter:ratelimit/limits': value => $ratelimits;
}
}
if $validate {
$keystone_tenant_real = pick($keystone_tenant, $::cinder::keystone::authtoken::project_name)
$keystone_username_real = pick($keystone_user, $::cinder::keystone::authtoken::username)
$keystone_password_real = pick($keystone_password, $::cinder::keystone::authtoken::password)
$defaults = {
'cinder-api' => {
'command' => "cinder --os-auth-url ${::cinder::keystone::authtoken::auth_uri} --os-project-name ${keystone_tenant_real} --os-username ${keystone_username_real} --os-password ${keystone_password_real} list",
}
}
$validation_options_hash = merge ($defaults, $validation_options)
create_resources('openstacklib::service_validation', $validation_options_hash, {'subscribe' => 'Service[cinder-api]'})
}
}
View Git Blame Copy Permalink