Merge "Optimize kitchen tests for Travis CI"
diff --git a/README.rst b/README.rst
index 1dc3850..d3f0672 100644
--- a/README.rst
+++ b/README.rst
@@ -25,6 +25,7 @@
cinder_internal_tenant_user_id: f46924c112a14c80ab0a24a613d95eef
cinder_internal_tenant_project_id: b7455b8974bb4064ad247c8f375eae6c
default_volume_type: 7k2SaS
+ enable_force_upload: true
availability_zone_fallback: True
database:
engine: mysql
@@ -76,6 +77,7 @@
cinder_internal_tenant_user_id: f46924c112a14c80ab0a24a613d95eef
cinder_internal_tenant_project_id: b7455b8974bb4064ad247c8f375eae6c
default_volume_type: 7k2SaS
+ nable_force_upload: true
database:
engine: mysql
host: 127.0.0.1
@@ -166,58 +168,52 @@
....
-**Client-side RabbitMQ TLS configuration.**
+Configuring TLS communications
+------------------------------
-|
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
+ cinder:
+ controller, volume:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
- message_queue:
+ cinder:
+ controller:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
-
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+ cinder:
+ controller, volume:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ glance:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
diff --git a/cinder/client.sls b/cinder/client.sls
index bdb3765..52b3042 100644
--- a/cinder/client.sls
+++ b/cinder/client.sls
@@ -19,7 +19,7 @@
'protocol': identity.get('protocol', 'http'),
'region_name': identity.get('region_name', 'RegionOne'),
'endpoint_type': identity.get('endpoint_type', 'internalURL'),
- 'certificate': identity.get('certificate', 'None')} %}
+ 'certificate': identity.get('certificate', client.cacert_file)} %}
{%- for backend_name, backend in client.get('backend', {}).iteritems() %}
diff --git a/cinder/controller.sls b/cinder/controller.sls
index bfb36b0..b5620b9 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import controller with context %}
{%- if controller.get('enabled', False) %}
{%- set user = controller %}
@@ -64,7 +64,7 @@
{%- endif %}
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca
+ - file: rabbitmq_ca_cinder_controller
{%- endif %}
{%- if controller.database.get('ssl',{}).get('enabled', False) %}
- file: mysql_ca_cinder_controller
@@ -84,7 +84,7 @@
{%- endif %}
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca
+ - file: rabbitmq_ca_cinder_controller
{%- endif %}
{%- if controller.database.get('ssl',{}).get('enabled', False) %}
- file: mysql_ca_cinder_controller
@@ -115,7 +115,7 @@
{%- endif %}
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca
+ - file: rabbitmq_ca_cinder_controller
{%- endif %}
{%- if controller.database.get('ssl',{}).get('enabled', False) %}
- file: mysql_ca_cinder_controller
@@ -143,7 +143,7 @@
'protocol': identity.get('protocol', 'http'),
'region_name': identity.get('region_name', 'RegionOne'),
'endpoint_type': identity.get('endpoint_type', 'internalURL'),
- 'certificate': identity.get('certificate', 'None')} %}
+ 'certificate': identity.get('certificate', controller.cacert_file)} %}
{%- for backend_name, backend in controller.get('backend', {}).iteritems() %}
@@ -205,7 +205,7 @@
- enable: true
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca
+ - file: rabbitmq_ca_cinder_controller
{%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -213,7 +213,7 @@
{%- endif %}
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca:
+rabbitmq_ca_cinder_controller:
{%- if controller.message_queue.ssl.cacert is defined %}
file.managed:
- name: {{ controller.message_queue.ssl.cacert_file }}
@@ -222,7 +222,7 @@
- makedirs: true
{%- else %}
file.exists:
- - name: {{ controller.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
{%- endif %}
{%- endif %}
@@ -237,7 +237,7 @@
{%- else %}
file.exists:
- - name: {{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}
{%- endif %}
{%- endif %}
diff --git a/cinder/files/liberty/cinder.conf.controller.Debian b/cinder/files/liberty/cinder.conf.controller.Debian
index 4e86745..e263513 100644
--- a/cinder/files/liberty/cinder.conf.controller.Debian
+++ b/cinder/files/liberty/cinder.conf.controller.Debian
@@ -71,6 +71,10 @@
default_availability_zone={{controller.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ controller.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
diff --git a/cinder/files/liberty/cinder.conf.volume.Debian b/cinder/files/liberty/cinder.conf.volume.Debian
index 7d8c9d3..98fc66e 100644
--- a/cinder/files/liberty/cinder.conf.volume.Debian
+++ b/cinder/files/liberty/cinder.conf.volume.Debian
@@ -57,6 +57,10 @@
default_availability_zone={{volume.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ volume.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
diff --git a/cinder/files/mitaka/cinder.conf.controller.Debian b/cinder/files/mitaka/cinder.conf.controller.Debian
index 7451507..852e974 100644
--- a/cinder/files/mitaka/cinder.conf.controller.Debian
+++ b/cinder/files/mitaka/cinder.conf.controller.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import controller with context %}
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
@@ -59,6 +59,10 @@
default_availability_zone={{controller.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ controller.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
@@ -142,11 +146,7 @@
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if controller.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
{%- endif %}
rabbit_userid = {{ controller.message_queue.user }}
@@ -174,7 +174,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
{%- if controller.backend is defined %}
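Review bot: `controller.database.password` is interpolated into the SQLAlchemy URL unescaped on the rewritten `connection` line, so a password containing `@`, `/`, `:` or `?` produces a URL that parses to the wrong host or credentials. Since the line is being touched anyway, `{{ controller.database.password|urlencode }}` would make it robust, assuming the Jinja version Salt renders with provides the `urlencode` filter. The same applies to the `connection` lines in the mitaka volume, newton and ocata templates changed by this commit.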
diff --git a/cinder/files/mitaka/cinder.conf.volume.Debian b/cinder/files/mitaka/cinder.conf.volume.Debian
index 537d8bd..b52aded 100644
--- a/cinder/files/mitaka/cinder.conf.volume.Debian
+++ b/cinder/files/mitaka/cinder.conf.volume.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import volume with context %}
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
@@ -50,6 +50,10 @@
default_availability_zone={{volume.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ volume.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
@@ -127,11 +131,7 @@
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if volume.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ volume.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ volume.message_queue.ssl.get('cacert_file', volume.cacert_file) }}
{%- endif %}
rabbit_userid = {{ volume.message_queue.user }}
@@ -159,7 +159,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}{% endif %}
{%- if volume.backend is defined %}
diff --git a/cinder/files/newton/cinder.conf.controller.Debian b/cinder/files/newton/cinder.conf.controller.Debian
index 2badf88..701f78f 100644
--- a/cinder/files/newton/cinder.conf.controller.Debian
+++ b/cinder/files/newton/cinder.conf.controller.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import controller with context %}
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
@@ -60,6 +60,10 @@
default_availability_zone={{controller.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ controller.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
@@ -151,11 +155,7 @@
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if controller.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
{%- endif %}
@@ -187,7 +187,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
{%- if controller.backend is defined %}
diff --git a/cinder/files/newton/cinder.conf.volume.Debian b/cinder/files/newton/cinder.conf.volume.Debian
index d814522..88a2944 100644
--- a/cinder/files/newton/cinder.conf.volume.Debian
+++ b/cinder/files/newton/cinder.conf.volume.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import volume with context %}
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
@@ -57,6 +57,10 @@
default_availability_zone={{volume.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ volume.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
@@ -140,11 +144,7 @@
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if volume.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ volume.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ volume.message_queue.ssl.get('cacert_file', volume.cacert_file) }}
{%- endif %}
[keystone_authtoken]
@@ -175,7 +175,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}{% endif %}
{%- if volume.backend is defined %}
diff --git a/cinder/files/ocata/cinder.conf.controller.Debian b/cinder/files/ocata/cinder.conf.controller.Debian
index 27febf4..8bc04ef 100644
--- a/cinder/files/ocata/cinder.conf.controller.Debian
+++ b/cinder/files/ocata/cinder.conf.controller.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import controller with context %}
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
@@ -29,7 +29,11 @@
osapi_volume_listen={{ controller.osapi.host }}
-glance_api_servers = http://{{ controller.glance.host }}:{{ controller.glance.port }}
+glance_api_servers = {{ controller.glance.get('protocol','http') }}://{{ controller.glance.host }}:{{ controller.glance.port }}
+{%- if controller.glance.get('protocol','http') == 'https' %}
+glance_ca_certificates_file = {{ controller.glance.get('cacert_file', controller.cacert_file) }}
+{%- endif %}
+
glance_host={{ controller.glance.host }}
glance_port={{ controller.glance.port }}
@@ -40,7 +44,7 @@
os_privileged_user_name={{ controller.identity.user }}
os_privileged_user_password={{ controller.identity.password }}
os_privileged_user_tenant={{ controller.identity.tenant }}
-os_privileged_user_auth_url=http://{{ controller.identity.host }}:5000/v3/
+os_privileged_user_auth_url={{ controller.identity.get('protocol','http') }}://{{ controller.identity.host }}:5000/v3/
volume_backend_name=DEFAULT
@@ -60,6 +64,10 @@
default_availability_zone={{controller.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ controller.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
@@ -151,11 +159,7 @@
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if controller.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
{%- endif %}
@@ -169,8 +173,12 @@
username = {{ controller.identity.user }}
password = {{ controller.identity.password }}
-auth_uri=http://{{ controller.identity.host }}:5000
-auth_url=http://{{ controller.identity.host }}:35357
+auth_uri={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.host }}:5000
+auth_url={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.host }}:35357
+{%- if controller.identity.get('protocol', 'http') == 'https' %}
+cafile={{ controller.identity.get('cacert_file', controller.cacert_file) }}
+{%- endif %}
+
# Temporary disabled for backward compataiblity
#auth_uri=http://{{ controller.identity.host }}/identity
#auth_url=http://{{ controller.identity.host }}/identity_v2_admin
@@ -182,8 +190,12 @@
{%- if controller.get('barbican', {}).get('enabled', False) %}
[key_manager]
api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+
[barbican]
auth_endpoint = {{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.get('host', 'localhost') }}:{{ controller.identity.get('port', '5000') }}/v3
+{%- if controller.barbican.get('protocol', 'http') == 'https' %}
+cafile={{ controller.barbican.get('cacert_file', controller.cacerts_file) }}
+{%- endif %}
{%- endif %}
[database]
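Review bot: The fallback in the added `cafile=` line reads `controller.cacerts_file`, but the default this commit introduces in map.jinja is named `cacert_file`. When `barbican.cacert_file` is unset, the lookup therefore hits an undefined attribute and probably renders empty instead of the system bundle. It should read `cafile={{ controller.barbican.get('cacert_file', controller.cacert_file) }}`. The guard also tests `controller.barbican.get('protocol', ...)` while `auth_endpoint` just above is built from `controller.identity.get('protocol', ...)`, so the two can disagree. It is worth confirming which endpoint the CA file is meant to cover and testing that protocol.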
@@ -191,7 +203,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
{%- if controller.backend is defined %}
diff --git a/cinder/files/ocata/cinder.conf.volume.Debian b/cinder/files/ocata/cinder.conf.volume.Debian
index b7dc395..f999860 100644
--- a/cinder/files/ocata/cinder.conf.volume.Debian
+++ b/cinder/files/ocata/cinder.conf.volume.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import volume with context %}
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
@@ -28,7 +28,11 @@
osapi_volume_listen={{ volume.osapi.host }}
-glance_api_servers = http://{{ volume.glance.host }}:{{ volume.glance.port }}
+glance_api_servers = {{ volume.glance.get('protocol','http') }}://{{ volume.glance.host }}:{{ volume.glance.port }}
+{%- if volume.glance.get('protocol','http') == 'https' %}
+glance_ca_certificates_file = {{ volume.glance.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
+
glance_host={{ volume.glance.host }}
glance_port={{ volume.glance.port }}
@@ -37,7 +41,7 @@
os_privileged_user_name={{ volume.identity.user }}
os_privileged_user_password={{ volume.identity.password }}
os_privileged_user_tenant={{ volume.identity.tenant }}
-os_privileged_user_auth_url=http://{{ volume.identity.host }}:5000/v3/
+os_privileged_user_auth_url={{ volume.identity.get('protocol','http') }}://{{ volume.identity.host }}:5000/v3/
volume_backend_name=DEFAULT
@@ -57,6 +61,10 @@
default_availability_zone={{volume.default_availability_zone}}
{%- endif %}
+# Enables the Force option on upload_to_image. This enables running
+# upload_volume on in-use volumes for backends that support it. (boolean value)
+#enable_force_upload = false
+enable_force_upload = {{ volume.get('enable_force_upload', False)|lower }}
#RPC response timeout recommended by Hitachi
rpc_response_timeout=3600
@@ -140,11 +148,7 @@
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if volume.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ volume.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ volume.message_queue.ssl.get('cacert_file', volume.cacert_file) }}
{%- endif %}
[keystone_authtoken]
@@ -156,9 +160,12 @@
project_name = {{ volume.identity.tenant }}
username = {{ volume.identity.user }}
password = {{ volume.identity.password }}
+auth_uri={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:5000
+auth_url={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:35357
+{%- if volume.identity.get('protocol', 'http') == 'https' %}
+cafile={{ volume.identity.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
-auth_uri=http://{{ volume.identity.host }}:5000/v3
-auth_url=http://{{ volume.identity.host }}:35357/v3
# Temporary disabled for backward compataiblity
#auth_uri=http://{{ volume.identity.host }}/identity
#auth_url=http://{{ volume.identity.host }}/identity_v2_admin
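Review bot: The new `auth_uri`/`auth_url` lines drop the `/v3` path that the removed lines carried, which changes the Keystone endpoint the volume service authenticates against independently of the http/https switch. If that is intended (it matches the controller template), it deserves a line in the commit message. Otherwise keep the suffix, e.g. `auth_uri={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:5000/v3`. Ports 5000 and 35357 also stay hard-coded here and in the controller template, whereas the `[barbican]` `auth_endpoint` in the same file honours `identity.port`.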
@@ -172,6 +179,9 @@
api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
[barbican]
auth_endpoint = {{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.get('host', 'localhost') }}:{{ volume.identity.get('port', '5000') }}/v3
+{%- if volume.barbican.get('protocol', 'https') %}
+cafile={{ volume.identity.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
{%- endif %}
[database]
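Review bot: The added condition `volume.barbican.get('protocol', 'https')` is a truthiness test on a non-empty string, so it holds for every protocol value and `cafile=` is written even when the endpoint is plain http. The controller template compares against `'https'`, and the same is needed here: `{%- if volume.barbican.get('protocol', 'http') == 'https' %}`. The body also reads the CA path from `volume.identity` while the controller template reads it from `controller.barbican`; one source should be chosen for both templates.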
@@ -179,7 +189,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}{% endif %}
{%- if volume.backend is defined %}
diff --git a/cinder/map.jinja b/cinder/map.jinja
index b8806e6..e04b232 100644
--- a/cinder/map.jinja
+++ b/cinder/map.jinja
@@ -1,9 +1,12 @@
-{%- set system_cacerts_file = salt['grains.filter_by']({
- 'Debian': '/etc/ssl/certs/ca-certificates.crt',
- 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-})%}
+{%- set default_params = {
+ 'cacert_file': salt['grains.filter_by']({
+ 'Debian': '/etc/ssl/certs/ca-certificates.crt',
+ 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+ })}
+%}
{% set controller = salt['grains.filter_by']({
+ 'BaseDefaults': default_params,
'Debian': {
'pkgs': ['cinder-api', 'cinder-scheduler', 'lvm2', 'python-cinder', 'gettext-base', 'python-memcache', 'python-pycadf'],
'services': ['cinder-scheduler'],
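Review bot: `default_params` and the `'BaseDefaults'` entry carry no comment, and the merge order they rely on is not obvious from the `grains.filter_by` call. A short Jinja comment above the `set` would help, for example `{#- Defaults shared by every role: merged first via base='BaseDefaults', then the os_family entry, then pillar -#}`. It should also say that `cacert_file` is the trust anchor used whenever a service-specific `cacert_file` is not set, so a pillar override changes what every TLS client in the formula trusts. The `controller` map continues past the end of this hunk.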
@@ -13,8 +16,8 @@
'audit': {
'enabled': false
},
- 'cinder_uid': 304,
- 'cinder_gid': 304,
+ 'cinder_uid': 304,
+ 'cinder_gid': 304,
'backup': {
'pkgs': ['cinder-backup'],
'services': ['cinder-backup'],
@@ -30,8 +33,8 @@
'audit': {
'enabled': false
},
- 'cinder_uid': 304,
- 'cinder_gid': 304,
+ 'cinder_uid': 304,
+ 'cinder_gid': 304,
'backup': {
'pkgs': ['cinder-backup'],
'services': ['cinder-backup'],
@@ -39,9 +42,10 @@
}
},
-}, merge=pillar.cinder.get('controller', {})) %}
+}, merge=pillar.cinder.get('controller', {}), base='BaseDefaults') %}
{% set volume = salt['grains.filter_by']({
+ 'BaseDefaults': default_params,
'Debian': {
'pkgs': ['cinder-volume', 'lvm2', 'sysfsutils', 'sg3-utils', 'python-cinder','python-mysqldb','p7zip', 'gettext-base', 'python-memcache', 'python-pycadf'],
'services': ['cinder-volume'],
@@ -50,8 +54,8 @@
'audit': {
'enabled': false
},
- 'cinder_uid': 304,
- 'cinder_gid': 304,
+ 'cinder_uid': 304,
+ 'cinder_gid': 304,
'backup': {
'pkgs': ['cinder-backup'],
'services': ['cinder-backup'],
@@ -67,24 +71,25 @@
'audit': {
'enabled': false
},
- 'cinder_uid': 304,
- 'cinder_gid': 304,
+ 'cinder_uid': 304,
+ 'cinder_gid': 304,
'backup': {
'pkgs': ['cinder-backup'],
'services': ['cinder-backup'],
'engine': None
}
},
-}, merge=pillar.cinder.get('volume', {})) %}
+}, merge=pillar.cinder.get('volume', {}), base='BaseDefaults') %}
{% set client = salt['grains.filter_by']({
+ 'BaseDefaults': default_params,
'Debian': {
'pkgs': ['python-cinderclient']
},
'RedHat': {
'pkgs': ['python-cinderclient']
},
-}, merge=pillar.cinder.get('client', {})) %}
+}, merge=pillar.cinder.get('client', {}), base='BaseDefaults') %}
{% set monitoring = salt['grains.filter_by']({
'default': {
diff --git a/cinder/volume.sls b/cinder/volume.sls
index 1fcd7a8..8fee662 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
+{%- from "cinder/map.jinja" import volume with context %}
{%- if volume.enabled %}
{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
@@ -20,10 +20,8 @@
- require_in:
- service: cinder_volume_services
-{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
-
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca:
+rabbitmq_ca_cinder_volume:
{%- if volume.message_queue.ssl.cacert is defined %}
file.managed:
- name: {{ volume.message_queue.ssl.cacert_file }}
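Review bot: With the `controller ... enabled` guard moved below the CA states (it is re-added in the third hunk of this file), `rabbitmq_ca_cinder_volume` and the MySQL CA state are now rendered on nodes that also run the controller role. There `rabbitmq_ca_cinder_controller` may manage the same path. If both roles set `cacert` for one `cacert_file` and the bodies differ, the two `file.managed` states would overwrite each other on every run. A comment above the state should say why it is rendered unconditionally and that both roles must carry the same CA body when they share a path. The state body continues outside this hunk.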
@@ -32,7 +30,7 @@
- makedirs: true
{%- else %}
file.exists:
- - name: {{ volume.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ volume.message_queue.ssl.get('cacert_file', volume.cacert_file) }}
{%- endif %}
{%- endif %}
@@ -46,10 +44,12 @@
- makedirs: true
{%- else %}
file.exists:
- - name: {{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}
{%- endif %}
{%- endif %}
+{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
+
/etc/cinder/cinder.conf:
file.managed:
- source: salt://cinder/files/{{ volume.version }}/cinder.conf.volume.{{ grains.os_family }}
@@ -79,7 +79,7 @@
{%- endif %}
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca
+ - file: rabbitmq_ca_cinder_volume
{%- endif %}
{%- if volume.database.get('ssl',{}).get('enabled', False) %}
- file: mysql_ca_cinder_volume
@@ -100,7 +100,7 @@
{%- endif %}
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca
+ - file: rabbitmq_ca_cinder_volume
{%- endif %}
{%- if volume.database.get('ssl',{}).get('enabled', False) %}
- file: mysql_ca_cinder_volume
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index 688643f..4aecca6 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -111,7 +111,7 @@
}
salt_run() {
- [ -e ${VEN_DIR}/bin/activate ] && source ${VENV_DIR}/bin/activate
+ [ -e ${VENV_DIR}/bin/activate ] && source ${VENV_DIR}/bin/activate
salt-call ${SALT_OPTS} $*
}
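Review bot: The corrected line still expands `${VENV_DIR}` unquoted, so a checkout path containing spaces breaks both the existence test and the `source`. Quoting avoids that: `[ -e "${VENV_DIR}/bin/activate" ] && source "${VENV_DIR}/bin/activate"`. The following `salt-call ${SALT_OPTS} $*` has the same word-splitting problem for arguments, where `"$@"` would pass them through intact.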