This is a mostly complete solution. Ideally we could use the stevedore
entry point name 'barbican' instead of the full class name for cinder, but
I87926d6c95ac82b6f74c263c7441614f80348c1e needs to merge first.
Change-Id: I32ed528f585e790bc771473504ab7e4bfeb63de9
In Barbican stable branches, we run a gate job on Fedora 26.
devstack needs FORCE=yes flag to run on f26 for Pike and
earlier releases.
Change-Id: I9de812991c4476af4010cd6ecebb8e3c912abf52
Castellan unintentionally can't handle a barbican URL that has a path in
addition to the hostname, such as http://ip-address/key-manager, unless
it is followed by a forward slash (http://ip-address/key-manager/ ). We
should either revert this change before rc1 or merge
https://review.openstack.org/#/c/491942/, make a new release of
Castellan, and beg for a change in upper-constraints for castellan to
handle the new release.
This reverts commit 508a34e23c05013a7ba1f33120c78e0da5cc8f28.
Change-Id: Iceb3a5fa890d64468cd6e7f5dec297d11a274d20
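The trailing-slash sensitivity described in the commit message above is what RFC 3986 relative resolution does to a base URL, shown here with Python's `urllib.parse.urljoin`. This is an added example, not Castellan's or Barbican's code; it assumes the endpoint is combined with a version segment by relative resolution, and the function names, the `v1` segment and the 192.0.2.10 address are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def naive_join(endpoint, segment):
    """Join exactly as given: the last path segment of a base URL that
    does not end in '/' is treated as a file name and replaced."""
    return urljoin(endpoint, segment)


def safe_join(endpoint, segment):
    """Join after normalising the base to end in '/', and strip a leading
    '/' from the segment so it cannot reset the path to the host root."""
    base = endpoint if endpoint.endswith("/") else endpoint + "/"
    return urljoin(base, segment.lstrip("/"))


def drops_prefix(endpoint, segment):
    """Return True when naive joining silently loses the endpoint's path
    prefix, i.e. requests would go to the wrong application root."""
    prefix = urlsplit(endpoint).path.rstrip("/")
    joined_path = urlsplit(naive_join(endpoint, segment)).path
    return bool(prefix) and not joined_path.startswith(prefix + "/")


if __name__ == "__main__":
    # Constructed sample endpoints (192.0.2.0/24 is a documentation range).
    samples = [
        "http://192.0.2.10:9311",          # host only: no prefix to lose
        "http://192.0.2.10/key-manager",   # path prefix, no trailing slash
        "http://192.0.2.10/key-manager/",  # path prefix with trailing slash
    ]
    for endpoint in samples:
        print(f"{endpoint!r:40} naive={naive_join(endpoint, 'v1')!r} "
              f"safe={safe_join(endpoint, 'v1')!r} "
              f"prefix_lost={drops_prefix(endpoint, 'v1')}")
```

A configuration check like `drops_prefix` can run at service start-up so that a path-based endpoint without a trailing slash is rejected or normalised instead of silently routing key-manager requests to the host root.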
This commit switches barbican to use the devstack common functions for
deploying a wsgi app under uwsgi and apache. This will make the barbican
deployment consistent with the other services.
Change-Id: I8429e9a8f0db98c5f5a345190be71cae862af845
This patch updates some places so that they use the
openstack command instead of the barbican command.
Change-Id: I164f57eae4cc5df18bfe5a95465a617870924759
Closes-Bug: #1697333
DevStack Ocata version and master use different default images
(Ocata:uec and master:qcow2), this will lead to tempest encrypt test
failure in grenade gate.
This patch hard-codes default images in base version and will be
removed if devstack master and ocata patches are proposed.
Change-Id: I997c759fc026366fe48de9ac7e8c58941622c9cd
Co-Authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
TEMPEST_CONFIG options should be set in the test-config section,
otherwise they get overridden.
Also adds the creator role to the tempest user.
Change-Id: I6816c1b699e140600e5bb47a251cd0788125f8d0
In the old version of the gates, we already set DEVSTACK_LOCAL_CONFIG
47d2d8e9ec/jenkins/jobs/barbican.yaml (L21)
In the new (experimental) version of the gates (see
I68810330dbee4033f8198f39aba5b75cd3357399), we use the new recommended
local_conf instead of DEVSTACK_LOCAL_CONFIG (see
http://lists.openstack.org/pipermail/openstack-dev/2017-February/112872.html)
When we use local_conf in the new gates, DEVSTACK_LOCAL_CONFIG is not
needed and is not set. Thus, when test_hook.sh also sets
"enable_plugin barbican" in DEVSTACK_LOCAL_CONFIG, DevStack attempts to
use both DEVSTACK_LOCAL_CONFIG and local_conf, and a duplicate config
error is thrown during the stacking.
Change-Id: Idd94b900b238c865a4074ec7d1f9c1c16ef8d434
There is a bug [1] where installing requests via pip breaks the rpm
installation. So we remove it manually to address the dogtag gate
breakage.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1352554
Change-Id: I9cab4c579e6aab381394dc5ce1246906e0ac2a54
Devstack moved to using systemd instead of screen by default[1],
but the barbican devstack plugin starts uwsgi without a full path.
This patch fixes that.
[1] https://review.openstack.org/#/c/460062/
Change-Id: Ib12cc9ac5b7f2acbb94ccca1baf4200c47fc275f
We were relying on the dogtag configuration from the default
barbican.conf file. However, we have now moved away from using that. So
these configurations were lost. This enables them again, setting them up
in the devstack script, like we should have done initially.
Change-Id: I0b91fac237af567f3afe87b6010680a3382236cb
Currently etc/barbican/barbican.conf is maintained by hand and cannot
be regenerated based on the config settings defined in the code.
A common pattern for OpenStack projects is to use oslo-config-generator
for that task.
Co-Authored-By: Randall Burt <randall.burt@rackspace.com>
Depends-On: I90870dcb49cd96f6bf0fe353fa6e779ffd87a5af
Closes-Bug: #1584789
Change-Id: I5f3dcd2fc982f1178ef7dd662c24d3166f91b266
The environment variable DEVSTACK_LOCAL_CONFIG can be set by the
gate directly or through the gate_hook.sh script. This patch
changes gate_hook.sh to append to that variable, instead of setting
that variable, so as not to overwrite any changes made by the gate
startup scripts.
Also, set the PYTHON environment variable to indicate python3
is used if indicated by the DEVSTACK_GATE variable.
Change-Id: I28f2fc0bc0a97bf52fa2ba4851a90e87ef22e992
There are two bugs during implementation of
blueprint support-upgrade.
Change-Id: Ic4c20a830a06d7fee4d186e182c45ed7cb457233
Closes-Bug: #1678967
Depends-On: I9d8c64217d622fd36bf8a8e5cd2f89aecc358fb9
Partially-Implements: blueprint support-upgrade
Alters barbican-api.conf to barbican.conf in barbican's
devstack plugin for the barbican-retry scheduler.
Change-Id: Ia6ea1aaf24b746406946aed1106401b251a3bd00
Switches KMIP server configuration and KMIP plugin to use TLSv1.2
by default. This is the most secure option. In case the system is
older and does not have TLSv1.2, an error message is printed out.
Removes the behavior of switching to TLSv1.2 despite
the user's configuration that was added with
I7018262cb74a95dfa24d6b94d49f1ebd62bdeebd. This behavior was
confusing -- it is much clearer to have the user-configurable options
default to TLSv1.2.
Sets KMIP_PLUGIN_ENABLED before running the tests, so that the
tests that won't work for KMIP will be skipped.
See Id908bf57233af84bff56d90c75d175b04ccd4373 for more details.
Cleans up the quotes around the paths to the log files and server
conf files when they are passed to the pykmip server.
Depends-On: I9fe7b156c4a825c8bfe94a3c48ce686ce0dee01e
Change-Id: I64e27a26dfe02d794b725763c55d0197bc2c46bd
The barbican-tempest-plugin should be installed through the gate
configuration rather than when barbican devstack plugin is enabled.
Removes some of the changes added in I376d58cad9a33dc90afdd0bf01e1e73bdd5a8b28
Co-Authored-By: Brianna Poulos <Brianna.Poulos@jhuapl.edu>
Depends-On: Ibef3f9a135f14727bf57c29e766f838d7da56c68
Change-Id: I87bd021f08f381c5319ee7ffa08fb8026a22a16c
stable/liberty is eol. Change the default to use the latest master
branch, since that is most likely the desired behavior if you are
using DevStack anyway.
Change-Id: I9d800d123b952073823e2327b8739d9d73636b47
In the screen window there isn't anything visible
from the application logs. This enables logging to
stdout/stderr.
Change-Id: I6793dd84d2add56db520f1c0f19e868264e19c71
Closes-bug: #1649505
When configuring devstack, use the predefined function to configure
the keystone authtoken middleware in barbican.conf . This is what
other projects do.
Change-Id: I3a3b118c3ebac7b6121fe0e3c6bb29460189d0ce
In case tempest is enabled we need to install the barbican tempest
repo and register the plugin endpoint.
Change-Id: I376d58cad9a33dc90afdd0bf01e1e73bdd5a8b28
Depends-On: I7a861dcc800cf3a49da2e317e4780aa5c5027733
Unbreak barbican gate with recent devstack commit [1].
Fix it by removing dependency on deleted env var in the same way
as it is done in devstack (see [2]).
[1] I7c66e1d8d65f562596543ed8ca402dba8c8ea271
[2] I4e5c7e86aefe72fc21c77d423033e9b169318fec
Change-Id: I351f90a60e4693300cc3d3bbd1183bd8fa6acc9a
Closes-Bug: #1644194
This change adds an override-defaults file which
configures Nova, Cinder and Glance to use Barbican for
key management when the Barbican plugin is
installed.
Blueprint: image-signing-experimental-gate
Change-Id: Ibc3b017596a3d401fd62adb07f2d12913c2cef9a
KEYSTONE_AUTH_URI and KEYSTONE_SERVICE_URI are not only used by barbican
but around all openstack services during the devstack installation.
Barbican should use these shared variables in a consistent manner as other
services, we should use KEYSTONE_*_V3 directly.
Change-Id: Ie1e7e37406f353047a64ed2c779918e27d085d7b
Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
keystonemiddleware admin settings are deprecated
so we should stop using them in favor of a keystone
auth plugin. This patch updates the config file
to use keystone API v3 by default.
Change-Id: I9d10ac29ab33cbdd845573106960e5f181afdb69
Closes-Bug: 1579801
Added code to devstack libraries to allow KMIP secret store to be
enabled. This edits barbican.conf to enable the KMIP secret store.
The Barbican PyKMIP client can be configured to connect to an existing
KMIP device or use PyKMIP's server. If the client configuration is all
that is needed then enable the 'barbican-pykmip' service in the
devstack configuration and set the appropriate key, certificate, and
CA path variables. This will allow the Barbican KMIP secret store to
connect to an existing KMIP server.
If a KMIP server is requested then also enable the 'pykmip-server'
service in the devstack configuration. This will install, configure,
and start the KMIP server. This option requires the 'barbican-pykmip'
service be configured as well.
Added passenv command to tox to allow the KMIP_PLUGIN_ENABLED
environment variable to be passed to the underlying command. Without
this the environment variable will not be seen by the tox command.
Change-Id: Ib804fa97545f14ed866bfd73bb251e85923a2e4e
Depends-On: Ifda13a84607bb199b794dc24f5dbba0ee8108dbf
Changes devstack to deploy the barbican database using the
alembic migrations instead of the auto-migrate feature. This allows
us to make sure any migrations do not break barbican-manage.
Closes-Bug: #1500629
Change-Id: Ia68698311c8e6ec84672701f38967d8d0016b784
Barbican API Paste has a commented line which should not be there
and when using devstack the pipeline "barbican-api-keystone"
should be provided instead of individual components.
Change-Id: I517b651113ef1d3c0837f9ba85a70e6959fae764
Option "verbose" from group "DEFAULT" is deprecated from the oslo.log
library. Its value may be silently ignored in the future. If this option
is not set explicitly, there is no such warning.
Furthermore, the default value of verbose is true, so there is no
need to set this value in config files.
Change-Id: If760c42da26aefe49ae52415941e6146bcbccb6a
For the devstack gate, python-nss was being installed with pip. This was
problematic since that already is a dependency for dogtag, and when
trying to install it with yum/dnf it was resulting in an error message.
Change-Id: I88626f0cc21b0cd23fb23ed8266e8330a2a5969d
Adds a warning to the vagrant setup section of the devstack setup
documentation. The warning states that tox will not be able to run
if the user sets up shared folders. It also provides instructions
on disabling shared folders.
Change-Id: I776004da8ab86760eaeaef7957c9bfba111d2f36
Move the devstack files inside Barbican tree. Also updates
the devstack documentation for installing barbican via
vagrant or manually.
Closes-bug: #1499112
Change-Id: Ifd09aa3c120033f4043d1a0c106a5ea653ee3c68
I919487f3490f769ffdad036024033e1f991a7ecd correctly removed the extra
barbican clone, but I was overzealous in removing the
python-barbicanclient clone which IS still necessary, because it is not
pulled in by zuul automatically.
Change-Id: Ic28852572f4e2adab9a0e775f82269c588a2a138