openstack/puppet-openstack-integration
Code Issues Proposed changes
puppet-openstack-integration/manifests/cinder.pp
Gorka Eguileor b78f3fc900 Use service token in nova's requests 
This patch makes Nova send service tokens to other OpenStack services
and tells Cinder to expect and validate them.

This is necessary because in the recent CVE fix it has become mandatory
for Nova to send service tokens to Cinder to be able to detach volumes.

Related-Bug: #2004555
Change-Id: Ib39ec8738f56b381d9fe22f41c54b14e796a66c3
2023-05-19 23:06:26 +09:00

172 lines
5.9 KiB
Puppet
Raw Blame History

# Configure the Cinder service
#
# [*backend*]
# (optional) Cinder backend to use.
# Can be 'iscsi' or 'rbd'.
# Defaults to 'iscsi'.
#
# [*volume_encryption*]
# (optional) Boolean to configure or not volume encryption
# Defaults to false.
#
# [*cinder_backup*]
# (optional) Set type of cinder backup
# Possible values: false, swift
# defaults to false.
#
# [*notification_topics*]
# (optional) AMQP topic used for OpenStack notifications
# Defaults to $facts['os_service_default'].
#
class openstack_integration::cinder (
$backend = 'iscsi',
$volume_encryption = false,
$cinder_backup = false,
$notification_topics = $facts['os_service_default'],
) {
include openstack_integration::config
include openstack_integration::params
openstack_integration::mq_user { 'cinder':
password => 'an_even_bigger_secret',
before => Anchor['cinder::service::begin'],
}
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'cinder':
notify => Service['httpd'],
require => Package['cinder'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
include cinder::client
class { 'cinder::db::mysql':
charset => $::openstack_integration::params::mysql_charset,
collate => $::openstack_integration::params::mysql_collate,
password => 'cinder',
host => $::openstack_integration::config::host,
}
class { 'cinder::keystone::auth':
public_url_v3 => "${::openstack_integration::config::base_url}:8776/v3",
internal_url_v3 => "${::openstack_integration::config::base_url}:8776/v3",
admin_url_v3 => "${::openstack_integration::config::base_url}:8776/v3",
password => 'a_big_secret',
}
class { 'cinder::logging':
debug => true,
}
if $volume_encryption {
class { 'cinder::key_manager':
backend => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
}
class { 'cinder::key_manager::barbican':
barbican_endpoint => "${::openstack_integration::config::base_url}:9311",
auth_endpoint => "${::openstack_integration::config::keystone_auth_uri}/v3"
}
}
class { 'cinder::db':
database_connection => os_database_connection({
'dialect' => 'mysql+pymysql',
'host' => $::openstack_integration::config::ip_for_url,
'username' => 'cinder',
'password' => 'cinder',
'database' => 'cinder',
'charset' => 'utf8',
'extra' => $::openstack_integration::config::db_extra,
}),
}
class { 'cinder':
default_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_default_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_default_port,
'username' => 'cinder',
'password' => 'an_even_bigger_secret',
}),
notification_transport_url => os_transport_url({
'transport' => $::openstack_integration::config::messaging_notify_proto,
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::messaging_notify_port,
'username' => 'cinder',
'password' => 'an_even_bigger_secret',
}),
notification_topics => $notification_topics,
notification_driver => 'messagingv2',
rabbit_use_ssl => $::openstack_integration::config::ssl,
amqp_sasl_mechanisms => 'PLAIN',
}
class { 'cinder::keystone::authtoken':
password => 'a_big_secret',
user_domain_name => 'Default',
project_domain_name => 'Default',
auth_url => $::openstack_integration::config::keystone_admin_uri,
www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
memcached_servers => $::openstack_integration::config::memcached_servers,
service_token_roles_required => true,
}
class { 'cinder::api':
default_volume_type => 'BACKEND_1',
public_endpoint => "${::openstack_integration::config::base_url}:8776",
service_name => 'httpd',
}
include apache
class { 'cinder::wsgi::apache':
bind_host => $::openstack_integration::config::host,
ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/cinder/ssl/private/${facts['networking']['fqdn']}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
}
class { 'cinder::quota': }
class { 'cinder::scheduler': }
class { 'cinder::scheduler::filter': }
class { 'cinder::volume':
volume_clear => 'none',
}
class { 'cinder::backup': }
class { 'cinder::cron::db_purge': }
class { 'cinder::glance':
glance_api_servers => "http://${::openstack_integration::config::ip_for_url}:9292",
}
case $backend {
'iscsi': {
class { 'cinder::setup_test_volume':
size => '15G',
}
cinder::backend::iscsi { 'BACKEND_1':
target_ip_address => $::openstack_integration::config::host,
manage_volume_type => true,
}
include openstacklib::iscsid
Service['iscsid'] -> Service['cinder-volume']
}
'rbd': {
cinder::backend::rbd { 'BACKEND_1':
rbd_user => 'openstack',
rbd_pool => 'cinder',
rbd_secret_uuid => '7200aea0-2ddd-4a32-aa2a-d49f66ab554c',
manage_volume_type => true,
}
# make sure ceph pool exists before running Cinder API & Volume
Exec['create-cinder'] -> Service['httpd']
Exec['create-cinder'] -> Service['cinder-volume']
}
default: {
fail("Unsupported backend (${backend})")
}
}
class { 'cinder::backends':
enabled_backends => ['BACKEND_1'],
}
if $cinder_backup == swift {
class { 'cinder::backup::swift':
backup_swift_user_domain => 'Default',
backup_swift_project_domain => 'Default',
backup_swift_project => 'Default',
}
}
}
View Git Blame Copy Permalink