From 16bcc44238bd018c527c87c4cd0542f5cadc5774 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 4 Mar 2022 09:05:06 +0900 Subject: [PATCH] Create a separate class for watcher_clients_auth parameters This change introduces a separate class for watcher_clients_auth parameters, which are currently managed by watcher::api, so that we follow the best practise to create a class per config section. Change-Id: I5fb1bb6ceca65c53c6d513db6683dc11f9b42635 --- manifests/api.pp | 141 +++++++++--------- manifests/watcher_clients_auth.pp | 96 ++++++++++++ ...watcher_clients_auth-49c8642cf6384a95.yaml | 20 +++ spec/classes/watcher_api_spec.rb | 4 +- .../watcher_watcher_clients_auth_spec.rb | 65 ++++++++ 5 files changed, 250 insertions(+), 76 deletions(-) create mode 100644 manifests/watcher_clients_auth.pp create mode 100644 releasenotes/notes/watcher_clients_auth-49c8642cf6384a95.yaml create mode 100644 spec/classes/watcher_watcher_clients_auth_spec.rb diff --git a/manifests/api.pp b/manifests/api.pp index ccd445f..b5878f6 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -8,18 +8,7 @@ # All options defaults to $::os_service_default and # the default values from the service are used. # -# === Watcher configuration section: watcher_clients_auth -# -# [*watcher_client_password*] -# (required) User's password -# -# [*watcher_client_username*] -# (optional) The name of the auth user -# Defaults to watcher. -# -# [*watcher_client_auth_url*] -# Specifies the admin Identity URI for Watcher to use. -# Default 'http://localhost:5000/' +# === Watcher configuration # # [*package_ensure*] # (Optional)Ensure state of the openstackclient package. 
@@ -57,39 +46,6 @@ # API endpoint to represent SSL termination URL with 'public_endpoint' option. # Defaults to $::os_service_default. # -# [*watcher_client_project_name*] -# (Optional) Service project name. -# Defaults to 'services' -# -# [*watcher_client_certfile*] -# (Optional) PEM encoded client certificate cert file. -# Defaults to $::os_service_default -# -# [*watcher_client_cafile*] -# (Optional)PEM encoded Certificate Authority to use when verifying HTTPs -# connections. -# Defaults to $::os_service_default -# -# [*watcher_client_project_domain_name*] -# (Optional) Domain name containing project. -# Defaults to $::os_service_default -# -# [*watcher_client_user_domain_name*] -# (Optional) User Domain name. -# Defaults to $::os_service_default -# -# [*watcher_client_insecure*] -# (Optional) Verify HTTPS connections. -# Defaults to $::os_service_default -# -# [*watcher_client_keyfile*] -# (Optional) PEM encoded client certificate key file. -# Defaults to $::os_service_default -# -# [*watcher_client_auth_type*] -# (Optional) Authentication type to load. -# Defaults to 'password' -# # [*service_name*] # (optional) Name of the service that will be providing the # server functionality of watcher-api. 
@@ -163,10 +119,52 @@ # authentication. # Defaults to undef # +# [*watcher_client_password*] +# (optional) User's password +# Defaults to undef +# +# [*watcher_client_username*] +# (optional) The name of the auth user +# Defaults to undef +# +# [*watcher_client_auth_url*] +# Specifies the admin Identity URI for Watcher to use. +# Defaults to undef +# +# [*watcher_client_project_name*] +# (Optional) Service project name. +# Defaults to undef +# +# [*watcher_client_certfile*] +# (Optional) PEM encoded client certificate cert file. +# Defaults to undef +# +# [*watcher_client_cafile*] +# (Optional)PEM encoded Certificate Authority to use when verifying HTTPs +# connections. +# Defaults to undef +# +# [*watcher_client_project_domain_name*] +# (Optional) Domain name containing project. +# Defaults to undef +# +# [*watcher_client_user_domain_name*] +# (Optional) User Domain name. +# Defaults to undef +# +# [*watcher_client_insecure*] +# (Optional) Verify HTTPS connections. +# Defaults to undef +# +# [*watcher_client_keyfile*] +# (Optional) PEM encoded client certificate key file. +# Defaults to undef +# +# [*watcher_client_auth_type*] +# (Optional) Authentication type to load. +# Defaults to undef +# class watcher::api ( - $watcher_client_password, - $watcher_client_username = 'watcher', - $watcher_client_auth_url = 'http://localhost:5000/', $package_ensure = 'present', $enabled = true, $manage_service = true, 
@@ -175,14 +173,6 @@ class watcher::api ( $bind_host = '0.0.0.0', $workers = $::os_workers, $enable_ssl_api = $::os_service_default, - $watcher_client_project_name = 'services', - $watcher_client_certfile = $::os_service_default, - $watcher_client_cafile = $::os_service_default, - $watcher_client_project_domain_name = $::os_service_default, - $watcher_client_user_domain_name = $::os_service_default, - $watcher_client_insecure = $::os_service_default, - $watcher_client_keyfile = $::os_service_default, - $watcher_client_auth_type = 'password', $service_name = $::watcher::params::api_service_name, $create_db_schema = false, $upgrade_db = false, @@ -197,6 +187,17 @@ class watcher::api ( $watcher_api_enable_ssl_api = undef, $watcher_client_auth_uri = undef, $watcher_client_default_domain_name = undef, + $watcher_client_password = undef, + $watcher_client_username = undef, + $watcher_client_auth_url = undef, + $watcher_client_project_name = undef, + $watcher_client_certfile = undef, + $watcher_client_cafile = undef, + $watcher_client_project_domain_name = undef, + $watcher_client_user_domain_name = undef, + $watcher_client_insecure = undef, + $watcher_client_keyfile = undef, + $watcher_client_auth_type = undef, ) inherits watcher::params { include watcher::policy 
@@ -280,24 +281,6 @@ as a standalone service, or httpd for being run by a httpd server") 'api/enable_ssl_api': value => pick($watcher_api_enable_ssl_api, $enable_ssl_api); } - # NOTE(danpawlik) Watcher and other core Openstack services are using - # keystone_authtoken section and also another similar section used to - # configure client auth credentials. So these parameters are similar to - # parameters in watcher::keystone::authtoken. - watcher_config { - 'watcher_clients_auth/username': value => $watcher_client_username; - 'watcher_clients_auth/password': value => $watcher_client_password, secret => true; - 'watcher_clients_auth/auth_url': value => $watcher_client_auth_url; - 'watcher_clients_auth/project_name': value => $watcher_client_project_name; - 'watcher_clients_auth/project_domain_name': value => $watcher_client_project_domain_name; - 'watcher_clients_auth/user_domain_name': value => $watcher_client_user_domain_name; - 'watcher_clients_auth/insecure': value => $watcher_client_insecure; - 'watcher_clients_auth/auth_type': value => $watcher_client_auth_type; - 'watcher_clients_auth/cafile': value => $watcher_client_cafile; - 'watcher_clients_auth/certfile': value => $watcher_client_certfile; - 'watcher_clients_auth/keyfile': value => $watcher_client_keyfile; - } - if $watcher_client_auth_uri != undef { warning('The watcher_client_auth_uri is deprecated and has no effect.') } 
@@ -309,4 +292,14 @@ as a standalone service, or httpd for being run by a httpd server") warning('The watcher_client_default_domain_name parameter is deprecated and has no effect.') } + [ 'password', 'auth_url', 'username', 'project_name', 'project_domain_name', + 'user_domain_anme', 'auth_type', 'insecure', 'keyfile', 'certfile', + 'cafile' ].each |String $client_opt|{ + if getvar("watcher_client_${client_opt}") != undef { + warning("The watcher_client_${client_opt} parameter is deprecated. \ +Use the watcher_clients_auth class instead.") + } + include watcher::watcher_clients_auth + } + } diff --git a/manifests/watcher_clients_auth.pp b/manifests/watcher_clients_auth.pp new file mode 100644 index 0000000..6985cb8 --- /dev/null +++ b/manifests/watcher_clients_auth.pp 
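Review bot: The option list in the added deprecation loop spells one entry `'user_domain_anme'`, so `getvar("watcher_client_user_domain_anme")` is always undef and setting `watcher_client_user_domain_name` never produces the deprecation warning; the entry should read `'user_domain_name'`. `include watcher::watcher_clients_auth` also sits inside the `each` block and is evaluated once per option; it is idempotent, but it belongs after the loop's closing `}`. The release note in this patch lists ten deprecated parameters and leaves out `watcher_client_project_name`, which this loop does treat as deprecated. The body of `watcher::api` starts outside this hunk.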
@@ -0,0 +1,96 @@ +# == Class: watcher::watcher_clients_auth +# +# Configure the watcher_clients_auth options +# +# === Parameters +# +# [*password*] +# (required) User's password +# +# [*auth_url*] +# (optional) Specifies the admin Identity URI for Watcher to use. +# Defaults to 'http://localhost:5000/' +# +# [*username*] +# (optional) The name of the auth user +# Defaults to watcher. +# +# [*project_name*] +# (Optional) Service project name. +# Defaults to 'services' +# +# [*project_domain_name*] +# (Optional) Domain name containing project. +# Defaults to 'Default' +# +# [*user_domain_name*] +# (Optional) User Domain name. +# Defaults to 'Default' +# +# [*auth_type*] +# (Optional) Authentication type to load. +# Defaults to 'password' +# +# [*insecure*] +# (Optional) Verify HTTPS connections. +# Defaults to $::os_service_default +# +# [*keyfile*] +# (Optional) PEM encoded client certificate key file. +# Defaults to $::os_service_default +# +# [*certfile*] +# (Optional) PEM encoded client certificate cert file. +# Defaults to $::os_service_default +# +# [*cafile*] +# (Optional)PEM encoded Certificate Authority to use when verifying HTTPs +# connections. +# Defaults to $::os_service_default +# +class watcher::watcher_clients_auth ( + $password = false, + $auth_url = 'http://localhost:5000/', + $username = 'watcher', + $project_name = 'services', + $project_domain_name = 'Default', + $user_domain_name = 'Default', + $auth_type = 'password', + $insecure = $::os_service_default, + $certfile = $::os_service_default, + $cafile = $::os_service_default, + $keyfile = $::os_service_default, +) { + + include watcher::deps + + $password_real = pick($::watcher::api::watcher_client_password, $password) + if ! 
$password_real { + fail('password is required') + } + + $auth_url_real = pick($::watcher::api::watcher_client_auth_url, $auth_url) + $username_real = pick($::watcher::api::watcher_client_username, $username) + $project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name) + $project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name) + $user_domain_name_real = pick($::watcher::api::watcher_client_user_domain_name, $user_domain_name) + $auth_type_real = pick($::watcher::api::watcher_client_auth_type, $auth_type) + $insecure_real = pick($::watcher::api::watcher_client_insecure, $insecure) + $certfile_real = pick($::watcher::api::watcher_client_certfile, $certfile) + $cafile_real = pick($::watcher::api::watcher_client_cafile, $cafile) + $keyfile_real = pick($::watcher::api::watcher_client_keyfile, $keyfile) + + watcher_config { + 'watcher_clients_auth/password': value => $password_real, secret => true; + 'watcher_clients_auth/username': value => $username_real; + 'watcher_clients_auth/auth_url': value => $auth_url_real; + 'watcher_clients_auth/project_name': value => $project_name_real; + 'watcher_clients_auth/project_domain_name': value => $project_domain_name_real; + 'watcher_clients_auth/user_domain_name': value => $user_domain_name_real; + 'watcher_clients_auth/insecure': value => $insecure_real; + 'watcher_clients_auth/auth_type': value => $auth_type_real; + 'watcher_clients_auth/cafile': value => $cafile_real; + 'watcher_clients_auth/certfile': value => $certfile_real; + 'watcher_clients_auth/keyfile': value => $keyfile_real; + } +} diff --git a/releasenotes/notes/watcher_clients_auth-49c8642cf6384a95.yaml b/releasenotes/notes/watcher_clients_auth-49c8642cf6384a95.yaml new file mode 100644 index 0000000..795ae27 --- /dev/null +++ b/releasenotes/notes/watcher_clients_auth-49c8642cf6384a95.yaml 
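Review bot: The `[*insecure*]` entry in the new class header reads "(Optional) Verify HTTPS connections.", which suggests that a true value turns verification on; going by the option name it does the opposite and disables certificate checking on the Keystone connection that carries `watcher_clients_auth/password`. I would reword it to `# (Optional) If true, skip TLS certificate verification when connecting to Keystone.` and add a line under `[*auth_url*]` saying that the `http://localhost:5000/` default is cleartext and should be replaced with an https endpoint when Keystone is not on the same host. Separately, the `pick($::watcher::api::watcher_client_*, ...)` lookups appear to see the deprecated values only if `watcher::api` has been evaluated before this class, so a short header comment stating that ordering assumption would help.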
@@ -0,0 +1,20 @@ +--- +features: + - | + The new ``watcher::watcher_clients_auth`` class has been added. + +deprecations: + - | + The following parameters of the ``watcher::api`` class have been + deprecated in favor of the new ``watcher::watcher_clients_auth`` class. + + - ``watcher_client_password`` + - ``watcher_client_username`` + - ``watcher_client_auth_url`` + - ``watcher_client_user_domain_name`` + - ``watcher_client_project_domain_name`` + - ``watcher_client_insecure`` + - ``watcher_client_keyfile`` + - ``watcher_client_certfile`` + - ``watcher_client_cafile`` + - ``watcher_client_auth_type`` diff --git a/spec/classes/watcher_api_spec.rb b/spec/classes/watcher_api_spec.rb index ed7032d..5f38fb8 100644 --- a/spec/classes/watcher_api_spec.rb +++ b/spec/classes/watcher_api_spec.rb @@ -76,8 +76,8 @@ describe 'watcher::api' do is_expected.to contain_watcher_config('watcher_clients_auth/password').with_value( params[:watcher_client_password] ) is_expected.to contain_watcher_config('watcher_clients_auth/auth_url').with_value('http://localhost:5000/') is_expected.to contain_watcher_config('watcher_clients_auth/project_name').with_value('services') - is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('') - is_expected.to contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('') + is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default') + is_expected.to contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default') is_expected.to contain_watcher_config('watcher_clients_auth/insecure').with_value('') is_expected.to contain_watcher_config('watcher_clients_auth/auth_type').with_value('password') is_expected.to contain_watcher_config('watcher_clients_auth/cafile').with_value('') diff --git a/spec/classes/watcher_watcher_clients_auth_spec.rb b/spec/classes/watcher_watcher_clients_auth_spec.rb new file mode 100644 index 0000000..a35e904 
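Review bot: The two changed expectations in `watcher_api_spec.rb` show that existing `watcher::api` users who never set `watcher_client_project_domain_name` or `watcher_client_user_domain_name` now get `Default` written to `watcher_clients_auth/project_domain_name` and `watcher_clients_auth/user_domain_name` instead of the previous default. That is a behaviour change in the identity scope used for the service credentials, and the release note in this patch has only `features` and `deprecations` entries. I would add an `upgrade` entry naming both options and the new `Default` value. The surrounding example block starts and ends outside this hunk.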
--- /dev/null
+++ b/spec/classes/watcher_watcher_clients_auth_spec.rb
@@ -0,0 +1,65 @@ +require 'spec_helper' + +describe 'watcher::watcher_clients_auth' do + + shared_examples 'watcher::watcher_clients_auth' do + let :params do + { :password => 'watcher_password' } + end + + context 'with defaults' do + it 'should set the defaults' do + should contain_watcher_config('watcher_clients_auth/password').with_value('watcher_password').with_secret(true) + should contain_watcher_config('watcher_clients_auth/auth_url').with_value('http://localhost:5000/') + should contain_watcher_config('watcher_clients_auth/username').with_value('watcher') + should contain_watcher_config('watcher_clients_auth/project_name').with_value('services') + should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default') + should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default') + should contain_watcher_config('watcher_clients_auth/insecure').with_value('') + should contain_watcher_config('watcher_clients_auth/certfile').with_value('') + should contain_watcher_config('watcher_clients_auth/cafile').with_value('') + should contain_watcher_config('watcher_clients_auth/keyfile').with_value('') + end + end + + context 'with parameters overridden' do + before do + params.merge!({ + :auth_url => 'http://127.0.0.1:5000/', + :username => 'alt_watcher', + :project_name => 'alt_services', + :project_domain_name => 'project_domain', + :user_domain_name => 'user_domain', + :insecure => false, + :certfile => 'path_to_cert', + :cafile => 'path_to_ca', + :keyfile => 'path_to_key', + }) + end + + it 'should set the parameters' do + should contain_watcher_config('watcher_clients_auth/auth_url').with_value('http://127.0.0.1:5000/') + should contain_watcher_config('watcher_clients_auth/username').with_value('alt_watcher') + should contain_watcher_config('watcher_clients_auth/project_name').with_value('alt_services') + should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('user_domain') + 
should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('project_domain') + should contain_watcher_config('watcher_clients_auth/insecure').with_value(false) + should contain_watcher_config('watcher_clients_auth/certfile').with_value('path_to_cert') + should contain_watcher_config('watcher_clients_auth/cafile').with_value('path_to_ca') + should contain_watcher_config('watcher_clients_auth/keyfile').with_value('path_to_key') + end + end + end + + on_supported_os({ + :supported_os => OSDefaults.get_supported_os + }).each do |os,facts| + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + it_behaves_like 'watcher::watcher_clients_auth' + end + end + +end
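Review bot: The new spec never exercises the `fail('password is required')` branch, and neither context asserts `watcher_clients_auth/auth_type`. A context with empty params and `it { should compile.and_raise_error(/password is required/) }` would pin the guard that stops the class from producing a catalog without a credential, and `should contain_watcher_config('watcher_clients_auth/auth_type').with_value('password')` would complete the defaults check. The overridden context could also repeat the `.with_secret(true)` assertion on the password entry so that a regression in secret handling is caught on both paths.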