Allow multibackend support for Barbican

This patch introduces 2 new variables that are designed to help deployer with barbican configuration. They are designed to support multibackend caonfiguration of the barbican while default behavior should not change. Change-Id: I3369c4254f3b48f12ed9731f18d980044e6d0b43
2020-11-13 18:51:15 +02:00 · 2020-11-13 18:51:15 +02:00 · 50c983e034
parent 76b72c0975
commit 50c983e034
3 changed files with 44 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -47,6 +47,20 @@ barbican_keystone_listener_enable: false
 barbican_worker_enable: false
 barbican_retry_enable: false

+# Variable defines barbican store backends configuration. It supports multibackend scenario
+# in case list length > 1. Then additional key global_default should be present, otherwise
+# first element would be set as global default. For multibackend one backend should be set
+# as global_default: True
+barbican_backends_config:
+  software:
+    secret_store_plugin: store_crypto
+    crypto_plugin: simple_crypto
+
+# Variable defines barbican crypto configuration.
+barbican_plugins_config:
+  simple_crypto_plugin:
+    kek: "{{ barbican_simple_crypto_key | b64encode }}"
+
 ## Service Name-Group Mapping
 barbican_services:
  barbican-api:
--- a/releasenotes/notes/barbican_backends-7d070edd33401f35.yaml
+++ b/releasenotes/notes/barbican_backends-7d070edd33401f35.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added new variables `barbican_backends_config` and
+    `barbican_plugins_config` along with barbican.conf cleanup to
+    support multibackend scenario and more handy Barbican backends
+    configuration.
--- a/templates/barbican.conf.j2
+++ b/templates/barbican.conf.j2
@ -51,15 +51,34 @@ memcache_secret_key = {{ memcached_encryption_key }}

 # ================= Secret Store Plugin ===================
 [secretstore]
-enabled_secretstore_plugins = store_crypto
+{% if barbican_backends_config | length > 1 %}
+enable_multiple_secret_stores = True
+stores_lookup_suffix = {{ barbican_backends_config.keys() | join(',') }}

+{%   for section, config in barbican_backends_config.items() %}
+[secretstore:{{ section }}]
+{%     for key, value in config.items() %}
+{{ key }} = {{ value }}
+{%     endfor %}
+{%   endfor %}
+{% else %}
+{% for config in barbican_backends_config.values() %}
+enabled_secretstore_plugins = {{ config['secret_store_plugin'] }}
+
+{%   if 'crypto_plugin' in config %}
 # ================= Crypto plugin ===================
 [crypto]
 enabled_crypto_plugins = simple_crypto
+{%   endif %}
+{% endfor %}
+{% endif %}

-[simple_crypto_plugin]
-# the kek should be a 32-byte value which is base64 encoded
-kek = '{{ barbican_simple_crypto_key | b64encode }}'
+{% for section, config in barbican_plugins_config.items() %}
+[{{ section }}]
+{%   for key, value in config.items() %}
+{{ key }} = '{{ value }}'
+{%   endfor %}
+{% endfor %}

 [certificate]
 enabled_certificate_plugins = simple_certificate