diff --git a/openstack_controller/admission/validators/__init__.py b/openstack_controller/admission/validators/__init__.py index 6933d56f5..660178fa7 100644 --- a/openstack_controller/admission/validators/__init__.py +++ b/openstack_controller/admission/validators/__init__.py @@ -8,6 +8,7 @@ from openstack_controller.admission.validators import openstack from openstack_controller.admission.validators import nodes from openstack_controller.admission.validators import cinder +from openstack_controller.admission.validators import manila __all__ = [ barbican.BarbicanValidator, @@ -20,4 +21,5 @@ glance.GlanceValidator, ironic.IronicValidator, cinder.CinderValidator, + manila.ManilaValidator, ] diff --git a/openstack_controller/admission/validators/manila.py b/openstack_controller/admission/validators/manila.py new file mode 100644 index 000000000..255af38ab --- /dev/null +++ b/openstack_controller/admission/validators/manila.py 
@@ -0,0 +1,57 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from openstack_controller.admission.validators import base
+from openstack_controller import exception
+
+
+class ManilaValidator(base.BaseValidator):
+ service = "shared-file-system"
+
+ def validate(self, review_request):
+ spec = review_request.get("object", {}).get("spec", {})
+ manila_section = spec.get("features", {}).get("manila", {})
+
+ self._check_share_backend(manila_section)
+
+ def _check_share_backend(self, manila_section):
+ backend_section = manila_section.get("share", {}).get("backends", {})
+ for name, opts in backend_section.items():
+ if opts.get("enabled", True):
+ enabled_backends = [
+ x
+ for x in (
+ opts["values"]["conf"]
+ .get("manila", {})
+ .get("DEFAULT", {})
+ .get("enabled_share_backends", "")
+ .split(",")
+ )
+ if x
+ ]
+ if not enabled_backends:
+ raise exception.OsDplValidationFailed(
+ f"Param 'enabled_share_backends' should be specified in DEFAULT section for Manila backend {name}."
+ )
+ for backend in enabled_backends:
+ backend_conf = opts["values"]["conf"]["manila"].get(
+ backend, {}
+ )
+ if backend_conf.get("share_backend_name") is None:
+ raise exception.OsDplValidationFailed(
+ f"Param 'share_backend_name' should be specified in {backend} section for Manila backend {name}."
+ ) + if backend_conf.get("share_driver") is None: + raise exception.OsDplValidationFailed( + f"Param 'share_driver' should be specified in {backend} section for Manila backend {name}." + ) diff --git a/openstack_controller/admission/validators/schemas/osdpl.yaml b/openstack_controller/admission/validators/schemas/osdpl.yaml index 63722efa4..ca23d390f 100644 --- a/openstack_controller/admission/validators/schemas/osdpl.yaml +++ b/openstack_controller/admission/validators/schemas/osdpl.yaml @@ -1740,6 +1740,56 @@ properties: then: required: - backup_share + manila: + type: object + additionalProperties: false + properties: + share: + type: object + additionalProperties: false + properties: + backends: + type: object + description: | + Manila backends configuration + additionalProperties: False + patternProperties: + ".*": + description: | + Backend name + additionalProperties: False + type: object + required: + - type + - values + properties: + enabled: + type: boolean + description: | + Enable Manila backend to deploy + default: True + type: + type: string + enum: + - statefulset + values: + type: object + additionalProperties: False + required: + - conf + properties: + conf: + type: object + additionalProperties: True + images: + type: object + additionalProperties: True + labels: + type: object + additionalProperties: True + pod: + type: object + additionalProperties: True logging: type: object additionalProperties: false diff --git a/openstack_controller/ceph_api.py b/openstack_controller/ceph_api.py index 294d7bd71..38f4e347f 100644 --- a/openstack_controller/ceph_api.py +++ b/openstack_controller/ceph_api.py @@ -23,6 +23,7 @@ "cinder": ["volumes", "backup"], "nova": ["ephemeral", "vms"], "glance": ["images"], + "manila": [], } @@ -30,6 +31,7 @@ class OSUser(Enum): nova = auto() cinder = auto() glance = auto() + manila = auto() class PoolRole(Enum): 
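Review bot: `_check_share_backend` chains `.get()` and `.split(",")` on values read from `values.conf`, which the schema added in this commit leaves free-form (`additionalProperties: True`), so a non-mapping `manila` or `DEFAULT` section, or a list-valued `enabled_share_backends`, raises `AttributeError` instead of `OsDplValidationFailed`; how the admission handler treats an unexpected exception is not visible in this diff. The entries are also not stripped, so `"cephfs, nfs"` makes the loop look for a section named `" nfs"`. I would check `isinstance(value, str)` before splitting, raise `OsDplValidationFailed` for any other type, and build the list as `[x.strip() for x in value.split(",") if x.strip()]`. The class and both methods have no docstrings; one line on `validate` saying it only checks `features.manila.share.backends` would help.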
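Review bot: The backend-name key under `backends` is matched with `patternProperties: ".*"`, which accepts the empty string and arbitrary characters. The template in this commit uses that key as the name under `overrides.manila_share_sts`; if the chart derives Kubernetes object names from it (not visible here), an invalid name would pass admission and fail only at deploy time, so a stricter pattern such as `"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` is worth considering. `conf`, `images`, `labels` and `pod` are all `additionalProperties: True`, so nothing below them is checked by the schema; the `description` fields could say that these subtrees are handed to the chart as given.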
diff --git a/openstack_controller/services/__init__.py b/openstack_controller/services/__init__.py index e767f97a1..85963152e 100644 --- a/openstack_controller/services/__init__.py +++ b/openstack_controller/services/__init__.py @@ -2204,13 +2204,38 @@ class Masakari(OpenStackService): available_releases = ["openstack-masakari-rabbitmq", "openstack-masakari"] -class Manila(OpenStackService): +class Manila(OpenStackServiceWithCeph): service = "shared-file-system" openstack_chart = "manila" available_releases = [ "openstack-manila", ] + @property + def is_ceph_enabled(self): + manila_backends = utils.get_in( + self.mspec, ["features", "manila", "share", "backends"], {} + ) + for opts in manila_backends.values(): + if opts.get("enabled", True): + enabled_backends = utils.get_in( + opts["values"], + ["conf", "manila", "DEFAULT", "enabled_share_backends"], + "", + ).split(",") + for backend in enabled_backends: + driver = utils.get_in( + opts["values"], + ["conf", "manila", backend, "share_driver"], + "", + ) + if ( + driver + == "manila.share.drivers.cephfs.driver.CephFSDriver" + ): + return True + return False + def template_args(self): template_args = super().template_args() ssh_secret = secrets.SSHSecret(self.namespace, self.service) diff --git a/openstack_controller/templates/services/shared-file-system.yaml b/openstack_controller/templates/services/shared-file-system.yaml index 73dc8f0d3..2f3eedbe3 100644 --- a/openstack_controller/templates/services/shared-file-system.yaml +++ b/openstack_controller/templates/services/shared-file-system.yaml 
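Review bot: `is_ceph_enabled` splits `enabled_share_backends` without dropping empty or padded entries, while `ManilaValidator._check_share_backend` in this commit filters empty ones, so the two readers of the same option can disagree on the backend list (for `"cephfs,"` this loop also looks up a section named `""`). Reusing one normalisation, e.g. `[b.strip() for b in value.split(",") if b.strip()]`, keeps them aligned. The driver path `"manila.share.drivers.cephfs.driver.CephFSDriver"` is repeated in `shared-file-system.yaml`; a named module constant plus a one-line docstring on the property, `"""True if any enabled share backend uses the CephFS driver."""`, would make that coupling explicit. The `Manila` class body continues outside the hunk.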
@@ -16,6 +16,30 @@ {%- from 'macros/etcd3.j2' import get_etcd3_endpoint %} {%- set cadf_audit = spec.get('features', {}).get('logging', {}).get('cadf', {'enabled': false}) %} {%- set cadf_audit_driver = spec.get('features', {}).get('logging', {}).get('cadf', {}).get('driver', 'messagingv2') %} +{%- set share_sts = {} %} +{%- set share_backends = spec.get('features', {}).get('manila', {}).get('share', {}).get('backends', {}) %} + +{%- for sts_name, sts_opts in share_backends.items() %} +{%- if sts_opts.get('enabled', True) %} +{%- for backend in sts_opts['values']['conf']['manila']['DEFAULT']['enabled_share_backends'].split(',') %} +{%- set sts_backend_opts = sts_opts['values']['conf']['manila'][backend] %} +{%- set share_driver = sts_backend_opts['share_driver'] %} +{%- set opts = {} %} +{%- if share_driver == 'manila.share.drivers.cephfs.driver.CephFSDriver' %} +{%- do opts.update({'cephfs_auth_id': ceph.manila.username, + 'cephfs_protocol_helper_type': 'CEPHFS', + 'driver_handles_share_servers': false + }) %} +{%- endif %} + {# merge default options and user provided options #} +{%- do opts.update(sts_backend_opts) %} + {# put result back into the values #} +{%- do sts_backend_opts.update(opts) %} +{%- endfor %} + {# overwrite default options by user defined #} +{%- do share_sts.update({sts_name: {'values': sts_opts['values']}}) %} +{%- endif %} +{%- endfor %} spec: releases: @@ -45,6 +69,10 @@ spec: {{ image }}: {{ images[image] }} {%- endif %} {%- endfor %} + bootstrap: + share_types: + default: + driver_handles_share_servers: {{ not is_ceph_enabled }} endpoints: cluster_domain_suffix: {{ spec.internal_domain_name }} {% include 'base/_admin_identity.yaml' %} 
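Review bot: The backend loop indexes `['conf']['manila']['DEFAULT']['enabled_share_backends']`, `['manila'][backend]` and `['share_driver']` directly and splits on `,` without skipping empty entries, so it relies on the admission validator having run and is stricter than it: a value with a trailing comma passes `_check_share_backend`, but here it yields a backend named `''` whose section lookup is undefined. Adding a filter to the loop, `{%- for backend in ... .split(',') if backend %}`, would match the validator. Because `opts.update(sts_backend_opts)` runs after the CephFS defaults, a user-supplied `cephfs_auth_id` replaces `ceph.manila.username`, while the `conf.ceph.keyrings` block later in this file renders a keyring only for `ceph.manila.username`; a template comment stating whether that override is supported would help. `sts_backend_opts.update(opts)` also writes the defaults back into `spec` itself, which deserves a comment if `spec` is reused after rendering.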
@@ -98,10 +126,23 @@ spec: default: http public: https conf: +{%- if is_ceph_enabled %} + ceph: + keyrings: + {{ ceph.manila.username }}: + key: {{ ceph.manila.keyring }} + config: + global: + mon_host: {{ ceph.mon_host }} +{%- endif %} policy.d: 01-controller-default.yaml: {{ service_policy }} 02-custom.yaml: {{ spec.get("features", {}).get("policies", {}).get("manila", {}) }} manila: +{%- if is_ceph_enabled %} + DEFAULT: + enabled_share_protocols: CEPHFS +{%- endif %} keystone_authtoken: memcache_security_strategy: ENCRYPT memcache_secret_key: {{ credentials[0].memcached }} @@ -141,6 +182,7 @@ spec: prometheus_exporter: rabbit_exporters: "overview,exchange,node" {%- endif %} + {%- if not share_backends %} standalone_backends: daemonset: conf: @@ -157,9 +199,15 @@ spec: path_to_private_key: /etc/manila/ssh/manila DEFAULT: enabled_share_backends: generic + {%- endif %} logging: logger_manila: level: {{ spec.get('features', {}).get('logging', {}).get('manila', {}).get('level', 'INFO') }} + {%- if share_sts %} + overrides: + manila_share_sts: + {{ share_sts | toyaml | indent(10) }} + {%- endif %} jobs: {% include 'base/_ks_jobs.yaml' %} db_purge: @@ -186,6 +234,7 @@ spec: manifests: secret_ca_bundle: true cron_job_db_purge: {{ manila_db_cleanup.enabled }} - daemonset_share: true + daemonset_share: {{ not share_backends }} service_instance_ssh_key: true network_policy: {{ spec.features.network_policies.enabled }} + ceph_conf: {{ is_ceph_enabled }} diff --git a/tests/fixtures/render_service_template/input/antelope_ceph_local_non_dvr/context_template_args.yaml b/tests/fixtures/render_service_template/input/antelope_ceph_local_non_dvr/context_template_args.yaml index 609261e74..3c102cc66 100644 --- a/tests/fixtures/render_service_template/input/antelope_ceph_local_non_dvr/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/antelope_ceph_local_non_dvr/context_template_args.yaml 
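Review bot: `enabled_share_protocols: CEPHFS` is emitted whenever `is_ceph_enabled` is true, which per the new `Manila.is_ceph_enabled` property means any one enabled backend uses the CephFS driver, so a deployment mixing a CephFS backend with a backend of another driver would get only the CEPHFS protocol in `DEFAULT`. If mixed backends are meant to be supported, the value should be derived from the configured drivers or documented as something the user must override. In the same hunk `key: {{ ceph.manila.keyring }}` places the cephx key in the release values under `conf.ceph.keyrings`; whether the chart stores that in a Secret or a ConfigMap is not visible here, and a short template comment saying which would help reviewers.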
@@ -414,6 +414,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/input/caracal_ceph_local_non_dvr_manila_cephfs/context_spec.yaml b/tests/fixtures/render_service_template/input/caracal_ceph_local_non_dvr_manila_cephfs/context_spec.yaml new file mode 100644 index 000000000..da3293e7e --- /dev/null +++ b/tests/fixtures/render_service_template/input/caracal_ceph_local_non_dvr_manila_cephfs/context_spec.yaml 
@@ -0,0 +1,148 @@ +openstack_version: caracal +features: + network_policies: + enabled: true + barbican: + backends: + vault: + approle_role_id: e5e97952-cf82-e7fd-da71-c568f18cea5e + approle_secret_id: e33841c6-f175-1ea1-87ba-2dd49df6f776 + enabled: true + use_ssl: false + vault_url: http://vault.openstack-vault.svc:8200 + cloudprober: + discovery: + interval: 900 + database: + local_volumes: + enabled: true + messaging: + components_with_dedicated_messaging: + - networking + keystone: + domain_specific_configuration: + enabled: true + ks_domains: + domain.with.ldap: + enabled: true + config: + assignment: + driver: keystone.assignment.backends.sql.Assignment + identity: + driver: ldap + ldap: + chase_referrals: false + group_desc_attribute: description + group_id_attribute: cn + group_member_attribute: member + group_name_attribute: ou + group_objectclass: groupOfNames + page_size: 0 + password: ar4DtqGDBQ2xEGvw + query_scope: sub + suffix: dc=mydomain,dc=com + url: ldap://ldap01.mydomain.com,ldap://ldap02.mydomain.com + user: uid=openstack,ou=people,o=mydomain,dc=com + user_enabled_attribute: enabled + user_enabled_default: false + user_enabled_invert: true + user_enabled_mask: 0 + user_id_attribute: uid + user_mail_attribute: mail + user_name_attribute: uid + user_objectclass: inetOrgPerson + neutron: + backend: ml2 + dns_servers: + - 10.172.1.100 + external_networks: + - bridge: br-ex + interface: veth-phy + mtu: null + network_types: + - flat + physnet: physnet1 + vlan_ranges: null + floating_network: + enabled: true + physnet: physnet1 + subnet: + gateway: 10.11.12.39 + pool_end: 10.11.12.200 + pool_start: 10.11.12.100 + range: 10.11.12.0/24 + tunnel_interface: ens3 + octavia: + lb_network: + subnets: + - range: '192.168.0.0/24' + pool_start: '192.168.0.1' + pool_end: '192.168.0.254' + nova: + console: + novnc: + enabled: false + spice: + enabled: true + images: + backend: local + live_migration_interface: ens3 + manila: + share: + backends: + cephfs: + 
values: + conf: + manila: + DEFAULT: + enabled_share_backends: cephfs + cephfs: + share_backend_name: cephfs + share_driver: manila.share.drivers.cephfs.driver.CephFSDriver + services: + - block-storage + - cloudprober + - compute + - dns + - identity + - dashboard + - image + - ingress + - database + - descheduler + - memcached + - networking + - orchestration + - messaging + - load-balancer + - placement + - coordination + - key-manager + - redis + - instance-ha + - shared-file-system + - dynamic-resource-balancer + ssl: + public_endpoints: + api_cert: "TEST CRT" + api_key: "TEST KEY" + ca_cert: "TEST CA" + enabled: true + stacklight: + enabled: true + user: + password: stacklight + username: stacklight +artifacts: + binary_base_url: https://artifactory.mcp.mirantis.net/binary-dev-kaas-local + images_base_url: docker-dev-kaas-local.docker.mirantis.net +common: + charts: {} + infra: + repo: osh-infra + openstack: + repo: osh +persistent_volume_storage_class: mirablock-k8s-block-hdd +public_domain_name: it.just.works +internal_domain_name: cluster.local +local_volume_storage_class: lvp-fake-root diff --git a/tests/fixtures/render_service_template/input/caracal_ceph_local_non_dvr_manila_cephfs/context_template_args.yaml b/tests/fixtures/render_service_template/input/caracal_ceph_local_non_dvr_manila_cephfs/context_template_args.yaml new file mode 100644 index 000000000..7972ded06 --- /dev/null +++ b/tests/fixtures/render_service_template/input/caracal_ceph_local_non_dvr_manila_cephfs/context_template_args.yaml 
@@ -0,0 +1,509 @@ +block-storage: + ceph: + cinder: + keyring: 'AQDLZLJfNPtTOxAAQm248Q9AyoirvELaSyPz5w== + + ' + pools: + backup-hdd: + name: backup-hdd + role: backup + volumes-hdd: + name: volumes-hdd + role: volumes + secrets: cinder-rbd-keyring + username: cinder + credentials: &credentials_block-storage + - database: + user: + password: 8xckAGB149FBiBsPfawjSqRNNF7lvXmM + username: cinder1rKIan + memcached: 76HsSsABaJvTQU6I + messaging: + user: + password: KgjY6ghlVbGSKJL6DH2jQXH50EtBVsiC + username: cinder0Jhxmf + notifications: + user: + password: ptehSf4lZxF0TAs16INhV9XmuVXHbL6R + username: cinderU5dqXt + identity: + cinder: + password: 7SJvTD3HZ4gm3eU2UDGdjrcZC4wyj2zA + username: cinderJCh8Iz + test: + password: 55Y1R3QdGFvuntBCtD2iNZQcZiQUnsTJ + username: testtFQE + keystone_creds: {} +cloudprober: + keystone_creds: + cloudprober: + password: QXH50EtBVsiCptehSf4l55Y1R3QdGFv8xc + username: osctlQECh8 +dynamic-resource-balancer: + credentials: + - identity: + drb-controller: + password: iCptehQXf4l55GFv8xc50EtBVY1HSR3Qds + username: drbcontrollerJhd + keystone_creds: {} +compute: + ceph: + nova: + keyring: 'AQDNZLJf8S+fORAA6hg50Jo+vBq07kxtBXB9PQ== + + ' + pools: + vms-hdd: + name: vms-hdd + role: vms + secrets: nova-rbd-keyring + username: nova + credentials: &credentials_compute + - database: + user: + password: sZ43nXhtf9PEV0UaNBk5VITz0FTwDAM8 + username: novaQvW6 + memcached: JinzIdQzLdIslgxu + messaging: + user: + password: tuzgvismPceyDLXGeq1cpQcDIQDwIyhr + username: nova27zb + notifications: + user: + password: 55HghKuwQUTPlVFt8UKM6JhIGQ8egSLP + username: novauvhH + identity: + nova: + password: BLFKrb8JhAMBb1v9BnRGDckMaYY7XUbq + username: novaZzHG + test: + password: YJh7cWqBdT8R5ylm3LD0aKw4V3DtlS8p + username: testb2yA + metadata_secret: mN0aLDTcg1AVqyLWNDjCd2Jz6DA61cZJ + keystone_creds: + neutron: + password: 9d4CIP5ismqTa7l5N5FdD8MAuFMXx9EV + username: neutronnmAhFsr + placement: + password: AEYVXR3LFUbLcePQlkxSFvbQ1WyWtaiY + username: 
placementR3AqaC4te + ssh_credentials: + private: COMPUTE TEST SSH PRIVATE KEY + public: COMPUTE TEST SSH PUBLIC KEY +coordination: + credentials: null + keystone_creds: {} +dashboard: + os_policy_services: ['cinder', 'nova', 'designate', 'keystone', 'glance', 'neutron', 'heat', 'octavia', 'barbican', 'placement', 'ironic', 'aodh', 'panko', 'gnocchi', 'masakari'] + rgw_internal_cacert: "RGW CRT" + credentials: &credentials_dashboard + - database: + user: + password: rBJDRdVaBH92I8zKHuBeKvtYSq8661ZE + username: horizonf2AZh0J + memcached: KsksRIzFV8aQzEcL + messaging: + user: + password: RcRa3Te0yKZEUlAemKhHEbe6fUNYqDgB + username: horizonqddV2Jv + notifications: + user: + password: yaZ2s3GLtcuT7rKHenxFUMCr3ZNumHvA + username: horizonJnVdJYu + identity: + horizon: + password: MNysGxHJy8xYI8LmZjS3QrJC6N10XsFZ + username: horizonhGcF8rA + test: + password: 5Q52SdTD0ern0aJ6AMcraLqh0rbUbGJr + username: test5JeB + secret_key: kQt7XsbPVNDABuHyngdJuppnzP5i82Mz + keystone_creds: {} +database: + galera_creds: + audit: + password: FLrW91FwKgBvunCRdbvLAHYGJ5zTC6tk + username: auditfHeBI + backup: + password: HxPZlfzlEkk4GKUNFyDs4JeNa8gtlPFn + username: backup0LlWwe + exporter: + password: 7STInCAmfXhY01JfYd293nhewuQxG10m + username: exportergr8suIPh + sst: + password: RbLblzhS7yNE8WQ4nY829uRQpvTegI87 + username: sstybw +dns: + credentials: &credentials_dns + - database: + user: + password: UYBLfmPtWfLqWw3rgcR0Jf4NTqzWtTIG + username: designate9fbxYXW1E + memcached: zdLlg6VAsGH6E7tX + messaging: + user: + password: tBFq4j3X2PdA5Jh9x2kkR0Hgs7FZhdFE + username: designatePLbJrH4JP + notifications: + user: + password: nzsKJHIGHIwsildBgpfmZQDan7Cexzc1 + username: designateUMq5w6Q7G + identity: + designate: + password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr + username: designateLeRjiDsyT + test: + password: YspSgibZuHb2lFBxM8kzDDtstsrEqbWM + username: testQuxr + powerdns: + api_key: '"YiXHHuH21qlTtdv7"' + database: + password: EMG3I4EUNat5buHSUW9kmzFIdiCMSZRZ + username: powerdns4TuEzVpk + 
keystone_creds: {} +identity: + rgw_internal_cacert: "RGW CRT" + credentials: &credentials_identity + - database: + user: + password: GW4MBjKLshsGdLI38kKUpR2gm3SQiHFp + username: keystonemzhwDmzj + memcached: x2CRuwvJytT5kAv7 + messaging: + user: + password: i1LUJuYCIEeUdpKbztpemVvIQhmJ56cn + username: keystoneeYwYK03G + notifications: + user: + password: TzLbvAXVJKzX4klDdVWEuYnWf35hVBTf + username: keystonefz7wkYYH + identity: + keystone: + password: CZTF3XgNSfbahGGcx0EnjzqTQspr9aPi + username: keystonesCHMyIkz + test: + password: lIaVpAA3RiymRzerAWbNYFj5XfSitjcL + username: testQALi + keystone_creds: {} + credentials_secret_name: keystone-credential-data + fernet_secret_name: keystone-fernet-data +image: + ceph: + glance: + keyring: 'AQDKZLJfoTtgAhAA7f9e8GriyIpFbj8Ez88l2A== + + ' + pools: + images-hdd: + name: images-hdd + role: images + secrets: glance-rbd-keyring + username: glance + credentials: &credentials_image + - database: + user: + password: vwAUndcvyeKBi455lrWGkB8NAUXEeWVn + username: glanceFEVFCm + memcached: yXjj5J8Ad1hHdCCh + messaging: + user: + password: a1tgZk2bR7f5WyweUt2a4PuFYEty6Igv + username: glanceFjTBUv + notifications: + user: + password: uYRL35JdXg39DumFdDG8xdJeqvL0cswM + username: glancejdih0V + identity: + glance: + password: tAXKyhKBuNVBHlbRPvC1C24f3U4wqbhm + username: glancefVB5ZF + test: + password: UBCA8WZMUg3PDSAD5ppiLNNZrNjWAEBI + username: test5RyH + keystone_creds: {} +ingress: + credentials: null + keystone_creds: {} +key-manager: + credentials: &credentials_key-manager + - database: + user: + password: R441HIJxfNF8iAfAfwxASnndFXqSBfVn + username: barbicanteW3kGBC + kek: SDJTR0lEQVFXeFhkMjdyS05WVGxnR3MxbHkxWlNIaWg= + memcached: 3vySYJq0rDZ32KGG + messaging: + user: + password: iHMN1WsAMxAi8G4d0r64iggSdedSRR1p + username: barbicanVuqCvFid + notifications: + user: + password: acH2p6deh90bDJWlRDzFE7wptqgQgVc7 + username: barbicanyfHtXhiq + identity: + barbican: + password: fUPlF2xntwICHH8KDYEjuc4Seb1TNQ8d + username: 
barbican8Xfl6MhP + test: + password: KI40mJVQ9fZP3MBZLpgrFSf2nqZIbbqg + username: testC7BY + keystone_creds: {} +load-balancer: + credentials: &credentials_load-balancer + - database: + user: + password: jBxCDfusABmmmeBcY7ZUb6pVtTX2ip9s + username: octaviaFEzC0Qa + memcached: cAZLeChP79lxHJ1Z + messaging: + user: + password: P4tAIFt2fRzEddPyPmfCmBcInbNdCI9S + username: octaviaGrHbrrp + notifications: + user: + password: xcKEJVAYZflpAmEWcyzTKpvNlJycCLvc + username: octaviadRDTSj1 + identity: + octavia: + password: VdeaqYEJb5UWW3TCxCMBNWIlzkcy94W7 + username: octaviafgirF49 + test: + password: Y6tYdn0ShRF69ZrXKeaa3sNYT8Y7AlP8 + username: testcnVC + redis_namespace: openstack-redis + redis_secret: cfLDYSsNbuCywa6VmBvZ8h2sJXuZnvqW + keystone_creds: {} + ssh_credentials: + private: "LOAD BALANCER TEST SSH PRIVATE KEY" + public: "LOAD BALANCER TEST SSH PUBLIC KEY" +memcached: + credentials: null + keystone_creds: {} +networking: + credentials: &credentials_networking + - database: + user: + password: knwFGHdZ6KCqcKqBidXXEqiEpZhBD7h4 + username: neutrondrGjrFm + memcached: 4zDhycwch09UPx4j + messaging: + user: + password: TRRhbnUMsepnqSzyJngJtgZD9gRu0Fwy + username: neutronx7uHpit + metadata_secret: mN0aLDTcg1AVqyLWNDjCd2Jz6DA61cZJ + notifications: + user: + password: hL3STFyPBLCdR2qUCdaGEUeRB5jRIFPf + username: neutrontvAcFA3 + identity: + neutron: + password: 9d4CIP5ismqTa7l5N5FdD8MAuFMXx9EV + username: neutronnmAhFsr + test: + password: q38BqVBqRH8mwfvI3uZeTmwe7JhKm3q1 + username: testLJtA + keystone_creds: + nova: + password: BLFKrb8JhAMBb1v9BnRGDckMaYY7XUbq + username: novaZzHG + designate: + password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr + username: designateLeRjiDsyT +orchestration: + credentials: &credentials_orchestration + - database: + user: + password: nCaJwL99CRHY0gPNfEmihxtVAbrNGgCD + username: heatuQjt + memcached: 7JNLzlMydG5nxe80 + messaging: + user: + password: BY5CvE9aGG3jUkQghTCACvcDZbp6VcUI + username: heatekEb + notifications: + user: + password: 
GPQzkiL39fEDGEWn6DIZGBxkjXBuDpQe + username: heatKQF7 + identity: + heat_trustee: + password: Y2Lue7K2AP7MSqZBcFDlsaCbdBMaW612 + username: heat_trustee2Z9xQdWPIsCJ + heat_stack_user: + password: NcS3SPS193Kzn6thbf3z4NgaQhnQJvd0 + username: heat_stack_useraPNg9FUFALHAHdG + heat: + password: u21jJUD1Gfy1aJ0aLmP9vZCHwc6KP1Ct + username: heatJAfw + test: + password: nDsJytWemY6VcFv0jxqsg7QHBRgetQF7 + username: testyRGH + keystone_creds: {} +placement: + credentials: &credentials_placement + - database: + user: + password: FdmszFTEuCvADMYGShqdBqLzuczyZf4c + username: placementEqEMt8aUc + memcached: 0NZmrV1NcBFwzDmv + messaging: + user: + password: fHqGcwsr7qzdy0taDQliyRMzA7S6xgYg + username: placementwB77qXfl0 + notifications: + user: + password: UBrmnWdChvZA5gEFum07AM7Ba6nExCc2 + username: placement9lrJ9dNfe + identity: + placement: + password: AEYVXR3LFUbLcePQlkxSFvbQ1WyWtaiY + username: placementR3AqaC4te + test: + password: b1szm2wvF9n2tdCvDQQZEZM5GzpVtQkP + username: testXByW + keystone_creds: {} +redis: + redis_creds: + password: | + Y2ZMRFlTc05idUN5d2E2Vm1Cdlo4aDJzSlh1Wm52cVc= +instance-ha: + credentials: &credentials_instance-ha + - database: + user: + password: R441HIJxfNF8iAfAfwxASnndFXqSBfVn + username: masakariteW3kGBC + memcached: 3vySYJq0rDZ32KGG + messaging: + user: + password: iHMN1WsAMxAi8G4d0r64iggSdedSRR1p + username: masakariVuqCvFid + notifications: + user: + password: acH2p6deh90bDJWlRDzFE7wptqgQgVc7 + username: masakariyfHtXhiq + identity: + masakari: + password: fUPlF2xntwICHH8KDYEjuc4Seb1TNQ8d + username: masakari8Xfl6MhP + test: + password: KI40mJVQ9fZP3MBZLpgrFSf2nqZIbbqg + username: testC7BY + keystone_creds: {} +baremetal: + credentials: &credentials_baremetal + - database: + user: + password: knwFGHdZ6KCqcKqBidXXEqiEpZhBD7h4 + username: ironicdrGjrFm + memcached: 4zDhycwch09UPx4j + messaging: + user: + password: TRRhbnUMsepnqSzyJngJtgZD9gRu0Fwy + username: ironicx7uHpit + metadata_secret: mN0aLDTcg1AVqyLWNDjCd2Jz6DA61cZJ + notifications: + 
user: + password: hL3STFyPBLCdR2qUCdaGEUeRB5jRIFPf + username: ironictvAcFA3 + identity: + ironic: + password: 9d4CIP5ismqTa7l5N5FdD8MAuFMXx9EV + username: ironicAhFsr + test: + password: q38BqVBqRH8mwfvI3uZeTmwe7JhKm3q1 + username: testLJtA + keystone_creds: + nova: + password: BLFKrb8JhAMBb1v9BnRGDckMaYY7XUbq + username: novaZzHG + neutron: + password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr + username: neutronLeRjiDsyT +shared-file-system: + is_ceph_enabled: true + ceph: + manila: + keyring: 'AQDLZLJfNPtTOxAAQm248Q9AyoirvELaSyPy1w== + + ' + pools: {} + secrets: manila-rbd-keyring + username: manila + mon_host: + - "10.10.10.1:6789" + - "10.10.10.2:6789" + - "10.10.10.3:6789" + credentials: &credentials_shared-file-system + - database: + user: + password: 8xckAGB149FBiBsPfawjSqRNNF7lvXmM + username: manilapn3iEA + messaging: + user: + password: BY5CvE9aGG3jUkQghTCACvcDZbp6VcUI + username: manilaHcMEmb + notifications: + user: + password: ptehSf4lZxF0TAs16INhV9XmuVXHbL6R + username: manilaYTrhf + identity: + manila: + password: r2YNrW8yvGwtcl9KDY0zSDgE45SZls8b + username: manilaUfGLay + test: + password: FfYMQLEZJ5fLRz32VzawQ9I7ezMJGVw6 + username: testFrbP + memcached: JinzIdQzLdIslgxu + keystone_creds: + cinder: + password: Heh1rJglWv6gZ7DbbemCQEEZedy9eEYa + username: cinderAc6HLU + glance: + password: uk1dAWaEMMH7CE7b3Da6fTjExmLTCaFE + username: glancevjNVQP + neutron: + password: idJHmYN0KNt9hfG9WTkePz8ewZivABm3 + username: neutronSQgdY7N + nova: + password: xyE6HLcM9rk815HMIbIcaFCm7HeAPjxR + username: novadbtY + ssh_credentials: + private: MANILA TEST SSH PRIVATE KEY + public: MANILA TEST SSH PUBLIC KEY +messaging: + credentials: + block-storage: *credentials_block-storage + compute: *credentials_compute + dashboard: *credentials_dashboard + dns: *credentials_dns + identity: *credentials_identity + image: *credentials_image + key-manager: *credentials_key-manager + load-balancer: *credentials_load-balancer + networking: *credentials_networking + orchestration: 
*credentials_orchestration + placement: *credentials_placement + instance-ha: *credentials_instance-ha + barmetal: *credentials_baremetal + stacklight: + username: stacklight123456 + password: ptehSf4lZxF0TAs16INhV9XmuVXHbL6R + services: + block-storage: null + compute: null + coordination: null + dashboard: null + database: null + dns: null + identity: null + image: null + ingress: null + key-manager: null + load-balancer: null + memcached: null + messaging: null + networking: null + orchestration: null + placement: null + redis: null + instance-ha: null diff --git a/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr/context_template_args.yaml index 1cff54808..33f2afda0 100644 --- a/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr/context_template_args.yaml @@ -421,6 +421,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_cinder_extra_backend/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_cinder_extra_backend/context_template_args.yaml index 1db876cb6..d2d20663e 100644 --- a/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_cinder_extra_backend/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_cinder_extra_backend/context_template_args.yaml @@ -426,6 +426,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: 
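Review bot: This new fixture carries values shaped like live secrets: a cephx-format `keyring` under `shared-file-system.ceph.manila`, service passwords, and (in the sibling `context_spec.yaml`) internal artifact hostnames. They look copied from the existing fixtures, but secret scanners will flag them, so a header comment such as `# Test data only: all credentials in this file are synthetic` would record that. `messaging.credentials` also has the key `barmetal`, presumably a typo for `baremetal` carried over from another fixture.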
diff --git a/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_telemetry/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_telemetry/context_template_args.yaml index c43907d6f..3849b05f0 100644 --- a/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_telemetry/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_ceph_local_non_dvr_telemetry/context_template_args.yaml @@ -483,6 +483,7 @@ instance-ha: username: testC7BY keystone_creds: {} shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_amphora/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_amphora/context_template_args.yaml index 742df2e6c..c572f2b7d 100644 --- a/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_amphora/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_amphora/context_template_args.yaml @@ -410,6 +410,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_driver_tf/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_driver_tf/context_template_args.yaml index 742df2e6c..c572f2b7d 100644 --- a/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_driver_tf/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_ceph_local_tf_driver_tf/context_template_args.yaml 
@@ -410,6 +410,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr/context_template_args.yaml index 770a031e2..bfc0688dc 100644 --- a/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr/context_template_args.yaml @@ -415,6 +415,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr_backup_nfs/context_template_args.yaml b/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr_backup_nfs/context_template_args.yaml index 770a031e2..bfc0688dc 100644 --- a/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr_backup_nfs/context_template_args.yaml +++ b/tests/fixtures/render_service_template/input/yoga_lvm_lvm_non_dvr_backup_nfs/context_template_args.yaml @@ -415,6 +415,7 @@ baremetal: password: KBecvsPZsWBFzDqYnevHWArm7tFycZKr username: neutronLeRjiDsyT shared-file-system: + is_ceph_enabled: false credentials: &credentials_shared-file-system - database: user: diff --git a/tests/fixtures/render_service_template/output/shared-file-system/caracal_ceph_local_non_dvr_manila_cephfs.yaml b/tests/fixtures/render_service_template/output/shared-file-system/caracal_ceph_local_non_dvr_manila_cephfs.yaml new file mode 100644 index 000000000..6d16ccfba --- /dev/null +++ b/tests/fixtures/render_service_template/output/shared-file-system/caracal_ceph_local_non_dvr_manila_cephfs.yaml 
@@ -0,0 +1,268 @@ +spec: + releases: + - chart: manila + name: openstack-manila + values: + bootstrap: + share_types: + default: + driver_handles_share_servers: false + overrides: + manila_share_sts: + cephfs: + values: + conf: + manila: + DEFAULT: + enabled_share_backends: cephfs + cephfs: + cephfs_auth_id: manila + cephfs_protocol_helper_type: CEPHFS + driver_handles_share_servers: false + share_backend_name: cephfs + share_driver: manila.share.drivers.cephfs.driver.CephFSDriver + conf: + ceph: + config: + global: + mon_host: + - "10.10.10.1:6789" + - "10.10.10.2:6789" + - "10.10.10.3:6789" + keyrings: + manila: + key: AQDLZLJfNPtTOxAAQm248Q9AyoirvELaSyPy1w== + aux_conf: + policies: + - definition: + message-ttl: 120000 + expires: 600000 + name: default-policy + pattern: ^(?!amq\.).* + vhost: manila + - definition: + expires: 600000 + name: results_expire + pattern: ^results\. + priority: 1 + vhost: manila + - definition: + expires: 600000 + name: tasks_expire + pattern: ^tasks\. + priority: 1 + vhost: manila + logging: + logger_manila: + level: INFO + manila: + DEFAULT: + enabled_share_protocols: CEPHFS + keystone_authtoken: + memcache_security_strategy: ENCRYPT + memcache_secret_key: JinzIdQzLdIslgxu + coordination: + backend_url: etcd3+http://etcd:2379?api_version=auto + audit_middleware_notifications: + driver: + noop + oslo_messaging_notifications: + topics: notifications,stacklight_notifications + oslo_policy: + enforce_new_defaults: false + enforce_scope: false + policy.d: + 01-controller-default.yaml: + shared-file-system_rule1: shared-file-system_value1 + 02-custom.yaml: {} + prometheus_exporter: + rabbit_exporters: overview,exchange,node + dependencies: + static: + db_init: + jobs: + - openstack-mariadb-cluster-wait + endpoints: + cluster_domain_suffix: cluster.local + identity: + auth: + admin: + default_domain_id: default + password: ZUqTyP2XwsgEGKZ7qNhhecYyq9NLkGE6 + project_domain_name: default + project_name: admin + region_name: RegionOne + 
user_domain_name: default + username: admin + cinder: + password: Heh1rJglWv6gZ7DbbemCQEEZedy9eEYa + region_name: RegionOne + username: cinderAc6HLU + glance: + password: uk1dAWaEMMH7CE7b3Da6fTjExmLTCaFE + region_name: RegionOne + username: glancevjNVQP + manila: + password: r2YNrW8yvGwtcl9KDY0zSDgE45SZls8b + region_name: RegionOne + username: manilaUfGLay + neutron: + password: idJHmYN0KNt9hfG9WTkePz8ewZivABm3 + region_name: RegionOne + username: neutronSQgdY7N + nova: + password: xyE6HLcM9rk815HMIbIcaFCm7HeAPjxR + region_name: RegionOne + username: novadbtY + test: + password: FfYMQLEZJ5fLRz32VzawQ9I7ezMJGVw6 + region_name: RegionOne + username: testFrbP + oslo_db: + auth: + admin: + password: QACDSM6FBTH2LuXjTuRQ6DXhD8bSgPbn + username: root + manila: + password: 8xckAGB149FBiBsPfawjSqRNNF7lvXmM + username: manilapn3iEA + oslo_messaging: + auth: + admin: + password: 2tnAuP0j9MsgaVHErehZkC5HCK3ZxYLr + username: rabbitmq + guest: + password: 7TnAuP0dKMsgaVHErehZkC5HCK3ZxOi4 + username: guest + manila: + password: BY5CvE9aGG3jUkQghTCACvcDZbp6VcUI + username: manilaHcMEmb + user: + password: 2tnAuP0j9MsgaVHErehZkC5HCK3ZxYLr + username: rabbitmq + hosts: + default: rabbitmq + path: /manila + statefulset: + name: openstack-rabbitmq-rabbitmq + replicas: 1 + oslo_messaging_notifications: + auth: + manila: + password: ptehSf4lZxF0TAs16INhV9XmuVXHbL6R + username: manilaYTrhf + host_fqdn_override: {} + hosts: + default: rabbitmq + path: /openstack + port: + amqp: + default: 5672 + http: + default: 15672 + scheme: rabbit + statefulset: + name: openstack-rabbitmq-rabbitmq + replicas: 1 + sharev2: + host_fqdn_override: + public: + host: manila.it.just.works + tls: + ca: | + TEST CA + crt: | + TEST CRT + key: | + TEST KEY + hosts: + admin: + host: manila-api + default: manila + internal: manila-api + public: + host: manila + tls: + ca: | + TEST CA + crt: | + TEST CRT + key: | + TEST KEY + port: + api: + admin: 8786 + default: 80 + internal: 8786 + public: 443 + scheme: + 
default: http + public: https + images: + tags: + bootstrap: bootstrap:latest + db_drop: db-drop:latest + db_init: db-init:latest + dep_check: dep-check:latest + image_repo_sync: image-repo-sync:latest + ks_endpoints: ks-endpoints:latest + ks_service: ks-service:latest + ks_user: ks-user:latest + manila_api: manila:latest + manila_db_sync: manila:latest + manila_scheduler: manila:latest + manila_share: manila:latest + manila_db_purge: manila:latest + manila-uuids-init: heat:latest + test: test:latest + jobs: + db_purge: + cron: '1 7 * * 1' + enabled: True + script: + config: + age: 30 + ks_endpoints: + restartPolicy: Never + ks_service: + restartPolicy: Never + ks_user: + restartPolicy: Never + network_policy: + api: + spec: + ingress: + - from: + - default: selector + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: osh-system + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: stacklight + ports: + - port: 8786 + protocol: TCP + podSelector: + matchLabels: + application: manila + component: api + policyTypes: + - Ingress + manifests: + secret_ca_bundle: True + cron_job_db_purge: True + daemonset_share: False + network_policy: True + service_instance_ssh_key: True + ceph_conf: True + daemonset_share: False + secrets: + service_instance_ssh_key: + private: 'MANILA TEST SSH PRIVATE KEY + + ' + public: 'MANILA TEST SSH PUBLIC KEY + + ' diff --git a/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr.yaml b/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr.yaml index db174923c..885a64616 100644 --- a/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr.yaml +++ b/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr.yaml 
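Review bot: `daemonset_share` appears twice in what reads as the `manifests` mapping near the end of this new fixture, once after `cron_job_db_purge` and again after `ceph_conf`. The yoga output fixtures changed later in this commit show the same pair, where an added `daemonset_share: True` follows an existing one. This suggests the template (not visible here) now emits the key twice. PyYAML-style loaders silently keep the last value while stricter parsers reject duplicate keys, so the rendered values can be read differently depending on the consumer; I would drop the second emission in the template and regenerate the fixtures. Separately, `keyrings.manila.key` holds a well-formed cephx-style key: if it is synthetic, a visibly fake value in the style of the `TEST CA` entries would keep secret scanners quiet, and if it was copied from a real cluster it should be rotated.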
@@ -3,6 +3,10 @@ spec: - chart: manila name: openstack-manila values: + bootstrap: + share_types: + default: + driver_handles_share_servers: true conf: aux_conf: policies: @@ -242,6 +246,8 @@ spec: daemonset_share: True network_policy: True service_instance_ssh_key: True + ceph_conf: False + daemonset_share: True secrets: service_instance_ssh_key: private: 'MANILA TEST SSH PRIVATE KEY diff --git a/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr_telemetry.yaml b/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr_telemetry.yaml index db174923c..885a64616 100644 --- a/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr_telemetry.yaml +++ b/tests/fixtures/render_service_template/output/shared-file-system/yoga_ceph_local_non_dvr_telemetry.yaml @@ -3,6 +3,10 @@ spec: - chart: manila name: openstack-manila values: + bootstrap: + share_types: + default: + driver_handles_share_servers: true conf: aux_conf: policies: @@ -242,6 +246,8 @@ spec: daemonset_share: True network_policy: True service_instance_ssh_key: True + ceph_conf: False + daemonset_share: True secrets: service_instance_ssh_key: private: 'MANILA TEST SSH PRIVATE KEY diff --git a/tests/fixtures/render_service_template/output/shared-file-system/yoga_lvm_lvm_non_dvr_backup_nfs.yaml b/tests/fixtures/render_service_template/output/shared-file-system/yoga_lvm_lvm_non_dvr_backup_nfs.yaml index e03402a9f..32d8ba003 100644 --- a/tests/fixtures/render_service_template/output/shared-file-system/yoga_lvm_lvm_non_dvr_backup_nfs.yaml +++ b/tests/fixtures/render_service_template/output/shared-file-system/yoga_lvm_lvm_non_dvr_backup_nfs.yaml @@ -3,6 +3,10 @@ spec: - chart: manila name: openstack-manila values: + bootstrap: + share_types: + default: + driver_handles_share_servers: true conf: aux_conf: policies: 
@@ -220,6 +224,8 @@ spec: daemonset_share: True network_policy: False service_instance_ssh_key: True + ceph_conf: False + daemonset_share: True secrets: service_instance_ssh_key: private: 'MANILA TEST SSH PRIVATE KEY diff --git a/tests/unit/test_admission.py b/tests/unit/test_admission.py index 09df0a537..d30aa5826 100644 --- a/tests/unit/test_admission.py +++ b/tests/unit/test_admission.py 
@@ -2446,6 +2446,113 @@ def test_cinder_extra_backends_sts(client): ) +def _manila_backend_specific_request(client, backends_conf, result): + req = copy.deepcopy(ADMISSION_REQ) + req["request"]["object"]["spec"]["features"]["manila"] = { + "share": {"backends": backends_conf} + } + req["request"]["object"]["spec"]["features"]["services"].append( + "shared-file-system" + ) + req["request"]["object"]["spec"]["openstack_version"] = "caracal" + response = client.simulate_post("/validate", json=req) + assert response.status == falcon.HTTP_OK + if result: + assert response.json["response"]["allowed"] + else: + assert response.json["response"]["allowed"] is False + + +def test_manila_backends_sts(client): + # Configs are valid + _manila_backend_specific_request( + client, + { + "backend-1": { + "values": { + "conf": { + "manila": { + "DEFAULT": {"enabled_share_backends": "foo"}, + "foo": { + "share_backend_name": "bar", + "share_driver": "drv", + }, + }, + }, + "images": {"foo": "bar"}, + "labels": {"foo": "bar"}, + "pod": {"foo": "bar"}, + }, + "enabled": True, + "type": "statefulset", + }, + }, + True, + ) + + # Configs are invalid + # Extra key in values + _manila_backend_specific_request( + client, + { + "backend-1": { + "values": { + "bootstrap": {"foo": "bar"}, + "conf": {"foo": "bar"}, + "labels": {"foo": "bar"}, + "pod": {"foo": "bar"}, + }, + "enabled": True, + "type": "statefulset", + }, + }, + False, + ) + + # unsupported backend type + _manila_backend_specific_request( + client, + { + "backend-1": { + "values": { + "conf": {"foo": "bar"}, + "labels": {"foo": "bar"}, + "pod": {"foo": "bar"}, + }, + "enabled": True, + "type": "deployment", + }, + }, + False, + ) + + # incorrect backend configuration + _manila_backend_specific_request( + client, + { + "backend-1": { + "values": { + "conf": { + "manila": { + "DEFAULT": {"enabled_share_backends": "baz"}, + "foo": { + "share_backend_name": "bar", + "share_driver": "drv", + }, + }, + }, + "images": {"foo": "bar"}, + 
"labels": {"foo": "bar"}, + "pod": {"foo": "bar"}, + }, + "enabled": True, + "type": "statefulset", + }, + }, + False, + ) + + def test_openstack_keystone_keycloak_providers_not_allowed( client, federation_provider ):
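Review bot: The "Extra key in values" and "unsupported backend type" cases both pass `"conf": {"foo": "bar"}`, which has no `manila`/`DEFAULT` section, so each request is wrong in more than one way while `_manila_backend_specific_request` only asserts `allowed is False`. The test would presumably still pass if the schema stopped rejecting the extra `bootstrap` key or the `deployment` type, because the backend-config check would refuse the request anyway. For an admission webhook that silent loss of a check is the regression most worth catching. I would reuse the known-good `conf` from the first case in both, so each rejected request differs from the accepted one in exactly one field. Cases for an empty `enabled_share_backends`, for a listed section without `share_backend_name`, and for a backend with `"enabled": False` are also missing.

```python
def test_manila_backends_sts(client):
    # Known-good conf shared by the negative cases, so that each of them
    # differs from the accepted request in exactly one field.
    valid_conf = {
        "manila": {
            "DEFAULT": {"enabled_share_backends": "foo"},
            "foo": {"share_backend_name": "bar", "share_driver": "drv"},
        },
    }
    # … unchanged: valid case …

    # Extra key in values: only "bootstrap" is wrong
    # … unchanged: call and surrounding dict …
                    "bootstrap": {"foo": "bar"},
                    "conf": valid_conf,

    # unsupported backend type: only "type" is wrong
    # … unchanged: call and surrounding dict …
                    "conf": valid_conf,
    # … unchanged: "incorrect backend configuration" case …
```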