Create a separate class for watcher_clients_auth parameters

This change introduces a separate class for watcher_clients_auth
parameters, which are currently managed by watcher::api, so that
we follow the best practise to create a class per config section.

Change-Id: I5fb1bb6ceca65c53c6d513db6683dc11f9b42635

manifests/api.pp

@@ -8,18 +8,7 @@
 # All options defaults to $::os_service_default and
 # the default values from the service are used.
 #
-# === Watcher configuration section: watcher_clients_auth
-#
-# [*watcher_client_password*]
-#   (required) User's password
-#
-# [*watcher_client_username*]
-#   (optional) The name of the auth user
-#   Defaults to watcher.
-#
-# [*watcher_client_auth_url*]
-#   Specifies the admin Identity URI for Watcher to use.
-#   Default 'http://localhost:5000/'
+# === Watcher configuration
 #
 # [*package_ensure*]
 #   (Optional)Ensure state of the openstackclient package.
@@ -57,39 +46,6 @@
 #   API endpoint to represent SSL termination URL with 'public_endpoint' option.
 #   Defaults to $::os_service_default.
 #
-# [*watcher_client_project_name*]
-#   (Optional) Service project name.
-#   Defaults to 'services'
-#
-# [*watcher_client_certfile*]
-#   (Optional) PEM encoded client certificate cert file.
-#   Defaults to $::os_service_default
-#
-# [*watcher_client_cafile*]
-#   (Optional)PEM encoded Certificate Authority to use when verifying HTTPs
-#   connections.
-#   Defaults to $::os_service_default
-#
-# [*watcher_client_project_domain_name*]
-#   (Optional) Domain name containing project.
-#   Defaults to $::os_service_default
-#
-# [*watcher_client_user_domain_name*]
-#   (Optional) User Domain name.
-#   Defaults to $::os_service_default
-#
-# [*watcher_client_insecure*]
-#   (Optional) Verify HTTPS connections.
-#   Defaults to $::os_service_default
-#
-# [*watcher_client_keyfile*]
-#   (Optional) PEM encoded client certificate key file.
-#   Defaults to $::os_service_default
-#
-# [*watcher_client_auth_type*]
-#   (Optional) Authentication type to load.
-#   Defaults to 'password'
-#
 # [*service_name*]
 #   (optional) Name of the service that will be providing the
 #   server functionality of watcher-api.
@@ -163,10 +119,52 @@
 #   authentication.
 #   Defaults to undef
 #
+# [*watcher_client_password*]
+#   (optional) User's password
+#   Defaults to undef
+#
+# [*watcher_client_username*]
+#   (optional) The name of the auth user
+#   Defaults to undef
+#
+# [*watcher_client_auth_url*]
+#   Specifies the admin Identity URI for Watcher to use.
+#   Defaults to undef
+#
+# [*watcher_client_project_name*]
+#   (Optional) Service project name.
+#   Defaults to undef
+#
+# [*watcher_client_certfile*]
+#   (Optional) PEM encoded client certificate cert file.
+#   Defaults to undef
+#
+# [*watcher_client_cafile*]
+#   (Optional)PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to undef
+#
+# [*watcher_client_project_domain_name*]
+#   (Optional) Domain name containing project.
+#   Defaults to undef
+#
+# [*watcher_client_user_domain_name*]
+#   (Optional) User Domain name.
+#   Defaults to undef
+#
+# [*watcher_client_insecure*]
+#   (Optional) Verify HTTPS connections.
+#   Defaults to undef
+#
+# [*watcher_client_keyfile*]
+#   (Optional) PEM encoded client certificate key file.
+#   Defaults to undef
+#
+# [*watcher_client_auth_type*]
+#   (Optional) Authentication type to load.
+#   Defaults to undef
+#
 class watcher::api (
-  $watcher_client_password,
-  $watcher_client_username            = 'watcher',
-  $watcher_client_auth_url            = 'http://localhost:5000/',
   $package_ensure                     = 'present',
   $enabled                            = true,
   $manage_service                     = true,
@@ -175,14 +173,6 @@ class watcher::api (
   $bind_host                          = '0.0.0.0',
   $workers                            = $::os_workers,
   $enable_ssl_api                     = $::os_service_default,
-  $watcher_client_project_name        = 'services',
-  $watcher_client_certfile            = $::os_service_default,
-  $watcher_client_cafile              = $::os_service_default,
-  $watcher_client_project_domain_name = $::os_service_default,
-  $watcher_client_user_domain_name    = $::os_service_default,
-  $watcher_client_insecure            = $::os_service_default,
-  $watcher_client_keyfile             = $::os_service_default,
-  $watcher_client_auth_type           = 'password',
   $service_name                       = $::watcher::params::api_service_name,
   $create_db_schema                   = false,
   $upgrade_db                         = false,
@@ -197,6 +187,17 @@ class watcher::api (
   $watcher_api_enable_ssl_api         = undef,
   $watcher_client_auth_uri            = undef,
   $watcher_client_default_domain_name = undef,
+  $watcher_client_password            = undef,
+  $watcher_client_username            = undef,
+  $watcher_client_auth_url            = undef,
+  $watcher_client_project_name        = undef,
+  $watcher_client_certfile            = undef,
+  $watcher_client_cafile              = undef,
+  $watcher_client_project_domain_name = undef,
+  $watcher_client_user_domain_name    = undef,
+  $watcher_client_insecure            = undef,
+  $watcher_client_keyfile             = undef,
+  $watcher_client_auth_type           = undef,
 ) inherits watcher::params {
 
   include watcher::policy
@@ -280,24 +281,6 @@ as a standalone service, or httpd for being run by a httpd server")
     'api/enable_ssl_api': value => pick($watcher_api_enable_ssl_api, $enable_ssl_api);
   }
 
-  # NOTE(danpawlik) Watcher and other core Openstack services are using
-  # keystone_authtoken section and also another similar section used to
-  # configure client auth credentials. So these parameters are similar to
-  # parameters in watcher::keystone::authtoken.
-  watcher_config {
-    'watcher_clients_auth/username':            value => $watcher_client_username;
-    'watcher_clients_auth/password':            value => $watcher_client_password, secret => true;
-    'watcher_clients_auth/auth_url':            value => $watcher_client_auth_url;
-    'watcher_clients_auth/project_name':        value => $watcher_client_project_name;
-    'watcher_clients_auth/project_domain_name': value => $watcher_client_project_domain_name;
-    'watcher_clients_auth/user_domain_name':    value => $watcher_client_user_domain_name;
-    'watcher_clients_auth/insecure':            value => $watcher_client_insecure;
-    'watcher_clients_auth/auth_type':           value => $watcher_client_auth_type;
-    'watcher_clients_auth/cafile':              value => $watcher_client_cafile;
-    'watcher_clients_auth/certfile':            value => $watcher_client_certfile;
-    'watcher_clients_auth/keyfile':             value => $watcher_client_keyfile;
-  }
-
   if $watcher_client_auth_uri != undef {
     warning('The watcher_client_auth_uri is deprecated and has no effect.')
   }
@@ -309,4 +292,14 @@ as a standalone service, or httpd for being run by a httpd server")
     warning('The watcher_client_default_domain_name parameter is deprecated and has no effect.')
   }
 
+  [ 'password', 'auth_url', 'username', 'project_name', 'project_domain_name',
+    'user_domain_anme', 'auth_type', 'insecure', 'keyfile', 'certfile',
+    'cafile' ].each |String $client_opt|{
+    if getvar("watcher_client_${client_opt}") != undef {
+      warning("The watcher_client_${client_opt} parameter is deprecated. \
+Use the watcher_clients_auth class instead.")
+    }
+    include watcher::watcher_clients_auth
+  }
+
 }

manifests/watcher_clients_auth.pp

@@ -0,0 +1,96 @@
+# == Class: watcher::watcher_clients_auth
+#
+# Configure the watcher_clients_auth options
+#
+# === Parameters
+#
+# [*password*]
+#   (required) User's password
+#
+# [*auth_url*]
+#   (optional) Specifies the admin Identity URI for Watcher to use.
+#   Defaults to 'http://localhost:5000/'
+#
+# [*username*]
+#   (optional) The name of the auth user
+#   Defaults to watcher.
+#
+# [*project_name*]
+#   (Optional) Service project name.
+#   Defaults to 'services'
+#
+# [*project_domain_name*]
+#   (Optional) Domain name containing project.
+#   Defaults to 'Default'
+#
+# [*user_domain_name*]
+#   (Optional) User Domain name.
+#   Defaults to 'Default'
+#
+# [*auth_type*]
+#   (Optional) Authentication type to load.
+#   Defaults to 'password'
+#
+# [*insecure*]
+#   (Optional) Verify HTTPS connections.
+#   Defaults to $::os_service_default
+#
+# [*keyfile*]
+#   (Optional) PEM encoded client certificate key file.
+#   Defaults to $::os_service_default
+#
+# [*certfile*]
+#   (Optional) PEM encoded client certificate cert file.
+#   Defaults to $::os_service_default
+#
+# [*cafile*]
+#   (Optional)PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $::os_service_default
+#
+class watcher::watcher_clients_auth (
+  $password            = false,
+  $auth_url            = 'http://localhost:5000/',
+  $username            = 'watcher',
+  $project_name        = 'services',
+  $project_domain_name = 'Default',
+  $user_domain_name    = 'Default',
+  $auth_type           = 'password',
+  $insecure            = $::os_service_default,
+  $certfile            = $::os_service_default,
+  $cafile              = $::os_service_default,
+  $keyfile             = $::os_service_default,
+) {
+
+  include watcher::deps
+
+  $password_real = pick($::watcher::api::watcher_client_password, $password)
+  if ! $password_real {
+    fail('password is required')
+  }
+
+  $auth_url_real = pick($::watcher::api::watcher_client_auth_url, $auth_url)
+  $username_real = pick($::watcher::api::watcher_client_username, $username)
+  $project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
+  $project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
+  $user_domain_name_real = pick($::watcher::api::watcher_client_user_domain_name, $user_domain_name)
+  $auth_type_real = pick($::watcher::api::watcher_client_auth_type, $auth_type)
+  $insecure_real = pick($::watcher::api::watcher_client_insecure, $insecure)
+  $certfile_real = pick($::watcher::api::watcher_client_certfile, $certfile)
+  $cafile_real = pick($::watcher::api::watcher_client_cafile, $cafile)
+  $keyfile_real = pick($::watcher::api::watcher_client_keyfile, $keyfile)
+
+  watcher_config {
+    'watcher_clients_auth/password':            value => $password_real, secret => true;
+    'watcher_clients_auth/username':            value => $username_real;
+    'watcher_clients_auth/auth_url':            value => $auth_url_real;
+    'watcher_clients_auth/project_name':        value => $project_name_real;
+    'watcher_clients_auth/project_domain_name': value => $project_domain_name_real;
+    'watcher_clients_auth/user_domain_name':    value => $user_domain_name_real;
+    'watcher_clients_auth/insecure':            value => $insecure_real;
+    'watcher_clients_auth/auth_type':           value => $auth_type_real;
+    'watcher_clients_auth/cafile':              value => $cafile_real;
+    'watcher_clients_auth/certfile':            value => $certfile_real;
+    'watcher_clients_auth/keyfile':             value => $keyfile_real;
+  }
+}

releasenotes/notes/watcher_clients_auth-49c8642cf6384a95.yaml

@@ -0,0 +1,20 @@
+---
+features:
+  - |
+    The new ``watcher::watcher_clients_auth`` class has been added.
+
+deprecations:
+  - |
+    The following parameters of the ``watcher::api`` class have been
+    deprecated in favor of the new ``watcher::watcher_clients_auth`` class.
+
+    - ``watcher_client_password``
+    - ``watcher_client_username``
+    - ``watcher_client_auth_url``
+    - ``watcher_client_user_domain_name``
+    - ``watcher_client_project_domain_name``
+    - ``watcher_client_insecure``
+    - ``watcher_client_keyfile``
+    - ``watcher_client_certfile``
+    - ``watcher_client_cafile``
+    - ``watcher_client_auth_type``

spec/classes/watcher_api_spec.rb

@@ -76,8 +76,8 @@ describe 'watcher::api' do
         is_expected.to contain_watcher_config('watcher_clients_auth/password').with_value( params[:watcher_client_password] )
         is_expected.to contain_watcher_config('watcher_clients_auth/auth_url').with_value('http://localhost:5000/')
         is_expected.to contain_watcher_config('watcher_clients_auth/project_name').with_value('services')
-        is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default')
+        is_expected.to contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default')
         is_expected.to contain_watcher_config('watcher_clients_auth/insecure').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_watcher_config('watcher_clients_auth/auth_type').with_value('password')
         is_expected.to contain_watcher_config('watcher_clients_auth/cafile').with_value('<SERVICE DEFAULT>')

spec/classes/watcher_watcher_clients_auth_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+describe 'watcher::watcher_clients_auth' do
+
+  shared_examples 'watcher::watcher_clients_auth' do
+    let :params do
+      { :password => 'watcher_password' }
+    end
+
+    context 'with defaults' do
+      it 'should set the defaults' do
+        should contain_watcher_config('watcher_clients_auth/password').with_value('watcher_password').with_secret(true)
+        should contain_watcher_config('watcher_clients_auth/auth_url').with_value('http://localhost:5000/')
+        should contain_watcher_config('watcher_clients_auth/username').with_value('watcher')
+        should contain_watcher_config('watcher_clients_auth/project_name').with_value('services')
+        should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default')
+        should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default')
+        should contain_watcher_config('watcher_clients_auth/insecure').with_value('<SERVICE DEFAULT>')
+        should contain_watcher_config('watcher_clients_auth/certfile').with_value('<SERVICE DEFAULT>')
+        should contain_watcher_config('watcher_clients_auth/cafile').with_value('<SERVICE DEFAULT>')
+        should contain_watcher_config('watcher_clients_auth/keyfile').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'with parameters overridden' do
+      before do
+        params.merge!({
+          :auth_url            => 'http://127.0.0.1:5000/',
+          :username            => 'alt_watcher',
+          :project_name        => 'alt_services',
+          :project_domain_name => 'project_domain',
+          :user_domain_name    => 'user_domain',
+          :insecure            => false,
+          :certfile            => 'path_to_cert',
+          :cafile              => 'path_to_ca',
+          :keyfile             => 'path_to_key',
+        })
+      end
+
+      it 'should set the parameters' do
+        should contain_watcher_config('watcher_clients_auth/auth_url').with_value('http://127.0.0.1:5000/')
+        should contain_watcher_config('watcher_clients_auth/username').with_value('alt_watcher')
+        should contain_watcher_config('watcher_clients_auth/project_name').with_value('alt_services')
+        should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('user_domain')
+        should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('project_domain')
+        should contain_watcher_config('watcher_clients_auth/insecure').with_value(false)
+        should contain_watcher_config('watcher_clients_auth/certfile').with_value('path_to_cert')
+        should contain_watcher_config('watcher_clients_auth/cafile').with_value('path_to_ca')
+        should contain_watcher_config('watcher_clients_auth/keyfile').with_value('path_to_key')
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+      it_behaves_like 'watcher::watcher_clients_auth'
+    end
+  end
+
+end