puppet-barbican: Initial commit

This is the initial commit for puppet-barbican.
It has been automatically generated using cookiecutter[1] and msync[2]

[1] https://github.com/openstack/puppet-openstack-cookiecutter
[2] https://github.com/openstack/puppet-modulesync-configs

Change-Id: I52b10cb17701bba20ad64d3f4cc15950c1038c54
Emilien Macchi 2015-10-01 08:12:28 -04:00
parent f8f681a3cb
commit 18e92427eb
35 changed files with 1570 additions and 0 deletions

13
.fixtures.yml Normal file

@ -0,0 +1,13 @@
fixtures:
repositories:
'concat':
'repo': 'git://github.com/puppetlabs/puppetlabs-concat.git'
'ref': '1.2.2'
'inifile': 'git://github.com/puppetlabs/puppetlabs-inifile'
'keystone': 'git://github.com/openstack/puppet-keystone.git'
'mysql': 'git://github.com/puppetlabs/puppetlabs-mysql.git'
'openstacklib': 'git://github.com/openstack/puppet-openstacklib.git'
'postgresql': 'git://github.com/puppetlabs/puppetlabs-postgresql.git'
'stdlib': 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
symlinks:
barbican: "#{source_dir}"
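
Review bot: Every URL under `repositories:` uses the `git://` protocol, which is unauthenticated and unencrypted, and only `concat` is pinned to a `ref`. Test runs therefore fetch whatever the tip of each remote is, over a transport that cannot detect tampering. Suggest `https://github.com/...` URLs and a pinned tag or commit for each dependency, as is already done for `concat`.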

10
.gitignore vendored Normal file

@ -0,0 +1,10 @@
pkg/
Gemfile.lock
vendor/
spec/fixtures/
.vagrant/
.bundle/
coverage/
.idea/
*.swp
*.iml

36
Gemfile Normal file

@ -0,0 +1,36 @@
source ENV['GEM_SOURCE'] || "https://rubygems.org"
group :development, :test do
gem 'puppetlabs_spec_helper', :require => 'false'
gem 'rspec-puppet', '~> 2.2.0', :require => 'false'
gem 'metadata-json-lint', :require => 'false'
gem 'puppet-lint-param-docs', :require => 'false'
gem 'puppet-lint-absolute_classname-check', :require => 'false'
gem 'puppet-lint-absolute_template_path', :require => 'false'
gem 'puppet-lint-trailing_newline-check', :require => 'false'
gem 'puppet-lint-unquoted_string-check', :require => 'false'
gem 'puppet-lint-leading_zero-check', :require => 'false'
gem 'puppet-lint-variable_contains_upcase', :require => 'false'
gem 'puppet-lint-numericvariable', :require => 'false'
gem 'json', :require => 'false'
gem 'webmock', :require => 'false'
end
group :system_tests do
gem 'beaker-rspec', :require => 'false'
gem 'beaker-puppet_install_helper', :require => 'false'
end
if facterversion = ENV['FACTER_GEM_VERSION']
gem 'facter', facterversion, :require => false
else
gem 'facter', :require => false
end
if puppetversion = ENV['PUPPET_GEM_VERSION']
gem 'puppet', puppetversion, :require => false
else
gem 'puppet', :require => false
end
# vim:ft=ruby
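
Review bot: In both groups `:require => 'false'` passes the string `'false'`, not the boolean; Bundler reads a string as the name of a file to require, so these lines do not mean the same thing as the `:require => false` used for `facter` and `puppet` further down. Suggest `:require => false` throughout. Separately, only `rspec-puppet` carries a version constraint and `Gemfile.lock` is git-ignored, so the rest of the test toolchain resolves to whatever is newest at install time; consider constraining the gems that CI depends on.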

13
LICENSE Normal file

@ -0,0 +1,13 @@
Copyright 2015 OpenStack Foundation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

78
README.md Normal file

@ -0,0 +1,78 @@
barbican
=======
#### Table of Contents
1. [Overview - What is the barbican module?](#overview)
2. [Module Description - What does the module do?](#module-description)
3. [Setup - The basics of getting started with barbican](#setup)
4. [Implementation - An under-the-hood peek at what the module is doing](#implementation)
5. [Limitations - OS compatibility, etc.](#limitations)
6. [Development - Guide for contributing to the module](#development)
7. [Contributors - Those with commits](#contributors)
Overview
--------
The barbican module is a part of [OpenStack](https://github.com/openstack), an effort by the Openstack infrastructure team to provide continuous integration testing and code review for Openstack and Openstack community projects not part of the core software. The module its self is used to flexibly configure and manage the Key management service for Openstack.
Module Description
------------------
The barbican module is a thorough attempt to make Puppet capable of managing the entirety of barbican. This includes manifests to provision region specific endpoint and database connections. Types are shipped as part of the barbican module to assist in manipulation of configuration files.
Setup
-----
**What the barbican module affects**
* [Barbican](https://wiki.openstack.org/wiki/Barbican), the Key management service for Openstack.
### Installing barbican
barbican is not currently in Puppet Forge, but is anticipated to be added soon. Once that happens, you'll be able to install barbican with:
puppet module install openstack/barbican
### Beginning with barbican
To utilize the barbican module's functionality you will need to declare multiple resources. The following is a modified excerpt from the [openstack module](https://github.com/stackfoge/puppet-openstack). This is not an exhaustive list of all the components needed, we recommend you consult and understand the [openstack module](https://github.com/stackforge/puppet-openstack) and the [core openstack](http://docs.openstack.org) documentation.
Implementation
--------------
### barbican
barbican is a combination of Puppet manifest and ruby code to delivery configuration and extra functionality through types and providers.
Limitations
------------
* All the barbican types use the CLI tools and so need to be ran on the barbican node.
Beaker-Rspec
------------
This module has beaker-rspec tests
To run the tests on the default vagrant node:
```shell
bundle install
bundle exec rake acceptance
```
For more information on writing and running beaker-rspec tests visit the documentation:
* https://github.com/puppetlabs/beaker/wiki/How-to-Write-a-Beaker-Test-for-a-Module
Development
-----------
Developer documentation for the entire puppet-openstack project.
* https://wiki.openstack.org/wiki/Puppet
Contributors
------------
* https://github.com/openstack/puppet-barbican/graphs/contributors
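
Review bot: The first link under "Beginning with barbican" points to `https://github.com/stackfoge/puppet-openstack` (missing `r`), while the second one in the same sentence uses `stackforge`; a misspelled organisation name in a link readers are told to consult should be fixed before merge. The same paragraph announces "a modified excerpt" that never follows, and the Overview still carries generator wording about continuous integration and code review rather than describing a key management module.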

21
Rakefile Normal file

@ -0,0 +1,21 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppet-syntax/tasks/puppet-syntax'
PuppetSyntax.exclude_paths ||= []
PuppetSyntax.exclude_paths << "spec/fixtures/**/*"
PuppetSyntax.exclude_paths << "pkg/**/*"
PuppetSyntax.exclude_paths << "vendor/**/*"
Rake::Task[:lint].clear
PuppetLint::RakeTask.new :lint do |config|
config.ignore_paths = ["spec/**/*.pp", "vendor/**/*.pp"]
config.fail_on_warnings = true
config.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}'
config.disable_checks = ["80chars", "class_inherits_from_params_class", "class_parameter_defaults", "only_variable_string"]
end
desc "Run acceptance tests"
RSpec::Core::RakeTask.new(:acceptance) do |t|
t.pattern = 'spec/acceptance'
end


@ -0,0 +1,10 @@
Puppet::Type.type(:barbican_config).provide(
:ini_setting,
:parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
) do
def self.file_path
'/etc/barbican/barbican.conf'
end
end


@ -0,0 +1,51 @@
Puppet::Type.newtype(:barbican_config) do
ensurable
newparam(:name, :namevar => true) do
desc 'Section/setting name to manage from barbican.conf'
newvalues(/\S+\/\S+/)
end
newproperty(:value) do
desc 'The value of the setting to be defined.'
munge do |value|
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
newvalues(/^[\S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
newparam(:ensure_absent_val) do
desc 'A value that is specified as the value property will behave as if ensure => absent was specified'
defaultto('<SERVICE DEFAULT>')
end
autorequire(:package) do
'barbican'
end
end
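
Review bot: The `name` pattern `newvalues(/\S+\/\S+/)` is unanchored, so any title that merely contains `x/y` passes, including titles with embedded whitespace around it. Suggest anchoring it, for example `/\A\S+\/\S+\z/`, so a malformed section/setting title is rejected at validation time. Also, `secret` defaults to `false`, which means a value is written to Puppet logs unless the caller opts in; the `desc` could state that credentials are expected to set it.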

30
manifests/config.pp Normal file

@ -0,0 +1,30 @@
# == Class: barbican::config
#
# This class is used to manage arbitrary barbican configurations.
#
# === Parameters
#
# [*barbican_config*]
# (optional) Allow configuration of arbitrary barbican configurations.
# The value is an hash of barbican_config resources. Example:
# { 'DEFAULT/foo' => { value => 'fooValue'},
# 'DEFAULT/bar' => { value => 'barValue'}
# }
# In yaml format, Example:
# barbican_config:
# DEFAULT/foo:
# value: fooValue
# DEFAULT/bar:
# value: barValue
#
# NOTE: The configuration MUST NOT be already handled by this module
# or Puppet catalog compilation will fail with duplicate resources.
#
class barbican::config (
$barbican_config = {},
) {
validate_hash($barbican_config)
create_resources('barbican_config', $barbican_config)
}
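
Review bot: The parameter documentation shows only the `value` key in both the hash and the YAML example. Since this class is the route for arbitrary settings, passwords and tokens included, the example should also show `secret => true`; the type's `secret` parameter defaults to `false`, so without it such values appear in Puppet logs and reports.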

94
manifests/db.pp Normal file

@ -0,0 +1,94 @@
# == Class: barbican::db
#
# Configure the barbican database
#
# === Parameters
#
# [*database_connection*]
# Url used to connect to database.
# (Optional) Defaults to "sqlite:////var/lib/barbican/barbican.sqlite".
#
# [*database_idle_timeout*]
# Timeout when db connections should be reaped.
# (Optional) Defaults to 3600.
#
# [*database_max_retries*]
# Maximum number of database connection retries during startup.
# Setting -1 implies an infinite retry count.
# (Optional) Defaults to 10.
#
# [*database_retry_interval*]
# Interval between retries of opening a database connection.
# (Optional) Defaults to 10.
#
# [*database_min_pool_size*]
# Minimum number of SQL connections to keep open in a pool.
# (Optional) Defaults to 1.
#
# [*database_max_pool_size*]
# Maximum number of SQL connections to keep open in a pool.
# (Optional) Defaults to 10.
#
# [*database_max_overflow*]
# If set, use this value for max_overflow with sqlalchemy.
# (Optional) Defaults to 20.
#
class barbican::db (
$database_connection = 'sqlite:////var/lib/barbican/barbican.sqlite',
$database_idle_timeout = 3600,
$database_min_pool_size = 1,
$database_max_pool_size = 10,
$database_max_retries = 10,
$database_retry_interval = 10,
$database_max_overflow = 20,
) {
$database_connection_real = pick($::barbican::database_connection, $database_connection)
$database_idle_timeout_real = pick($::barbican::database_idle_timeout, $database_idle_timeout)
$database_min_pool_size_real = pick($::barbican::database_min_pool_size, $database_min_pool_size)
$database_max_pool_size_real = pick($::barbican::database_max_pool_size, $database_max_pool_size)
$database_max_retries_real = pick($::barbican::database_max_retries, $database_max_retries)
$database_retry_interval_real = pick($::barbican::database_retry_interval, $database_retry_interval)
$database_max_overflow_real = pick($::barbican::database_max_overflow, $database_max_overflow)
validate_re($database_connection_real,
'(sqlite|mysql|postgresql):\/\/(\S+:\S+@\S+\/\S+)?')
if $database_connection_real {
case $database_connection_real {
/^mysql:\/\//: {
$backend_package = false
require 'mysql::bindings'
require 'mysql::bindings::python'
}
/^postgresql:\/\//: {
$backend_package = $::barbican::params::psycopg_package_name
}
/^sqlite:\/\//: {
$backend_package = $::barbican::params::sqlite_package_name
}
default: {
fail('Unsupported backend configured')
}
}
if $backend_package and !defined(Package[$backend_package]) {
package {'barbican-backend-package':
ensure => present,
name => $backend_package,
tag => 'openstack',
}
}
barbican_config {
'database/connection': value => $database_connection_real, secret => true;
'database/idle_timeout': value => $database_idle_timeout_real;
'database/min_pool_size': value => $database_min_pool_size_real;
'database/max_retries': value => $database_max_retries_real;
'database/retry_interval': value => $database_retry_interval_real;
'database/max_pool_size': value => $database_max_pool_size_real;
'database/max_overflow': value => $database_max_overflow_real;
}
}
}
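
Review bot: The pattern given to `validate_re` is unanchored and its credentials group is optional, so any string that contains `sqlite://`, `mysql://` or `postgresql://` anywhere is accepted, for example a value with a stray prefix or trailing whitespace. Suggest anchoring it with `^` and `$` so the validation agrees with the anchored `case` patterns below it. The `pick($::barbican::database_*, ...)` lines also read variables that `class barbican` in manifests/init.pp does not declare in this commit.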

69
manifests/db/mysql.pp Normal file

@ -0,0 +1,69 @@
# The barbican::db::mysql class implements mysql backend for barbican
#
# This class can be used to create tables, users and grant
# privelege for a mysql barbican database.
#
# == parameters
#
# [*password*]
# (Mandatory) Password to connect to the database.
# Defaults to 'false'.
#
# [*dbname*]
# (Optional) Name of the database.
# Defaults to 'barbican'.
#
# [*user*]
# (Optional) User to connect to the database.
# Defaults to 'barbican'.
#
# [*host*]
# (Optional) The default source host user is allowed to connect from.
# Defaults to '127.0.0.1'
#
# [*allowed_hosts*]
# (Optional) Other hosts the user is allowed to connect from.
# Defaults to 'undef'.
#
# [*charset*]
# (Optional) The database charset.
# Defaults to 'utf8'
#
# [*collate*]
# (Optional) The database collate.
# Only used with mysql modules >= 2.2.
# Defaults to 'utf8_general_ci'
#
# == Dependencies
# Class['mysql::server']
#
# == Examples
#
# == Authors
#
# == Copyright
#
class barbican::db::mysql(
$password,
$dbname = 'barbican',
$user = 'barbican',
$host = '127.0.0.1',
$charset = 'utf8',
$collate = 'utf8_general_ci',
$allowed_hosts = undef
) {
validate_string($password)
::openstacklib::db::mysql { 'barbican':
user => $user,
password_hash => mysql_password($password),
dbname => $dbname,
host => $host,
charset => $charset,
collate => $collate,
allowed_hosts => $allowed_hosts,
}
::Openstacklib::Db::Mysql['barbican'] ~> Exec<| title == 'barbican-manage db_sync' |>
}
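
Review bot: The notification on the last line targets `Exec<| title == 'barbican-manage db_sync' |>`, but the only exec this commit declares (manifests/db/sync.pp) is titled `barbican-db-manage`, so the collector matches nothing and creating the database never triggers a schema sync. Suggest using the same title in both places. In the header, `password` is described as mandatory and also as "Defaults to 'false'"; the parameter has no default, so the second line should go.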


@ -0,0 +1,55 @@
# == Class: barbican::db::postgresql
#
# Class that configures postgresql for barbican
# Requires the Puppetlabs postgresql module.
#
# === Parameters
#
# [*password*]
# (Required) Password to connect to the database.
#
# [*dbname*]
# (Optional) Name of the database.
# Defaults to 'barbican'.
#
# [*user*]
# (Optional) User to connect to the database.
# Defaults to 'barbican'.
#
# [*encoding*]
# (Optional) The charset to use for the database.
# Default to undef.
#
# [*privileges*]
# (Optional) Privileges given to the database user.
# Default to 'ALL'
#
# == Dependencies
#
# == Examples
#
# == Authors
#
# == Copyright
#
class barbican::db::postgresql(
$password,
$dbname = 'barbican',
$user = 'barbican',
$encoding = undef,
$privileges = 'ALL',
) {
Class['barbican::db::postgresql'] -> Service<| title == 'barbican' |>
::openstacklib::db::postgresql { 'barbican':
password_hash => postgresql_password($user, $password),
dbname => $dbname,
user => $user,
encoding => $encoding,
privileges => $privileges,
}
::Openstacklib::Db::Postgresql['barbican'] ~> Exec<| title == 'barbican-manage db_sync' |>
}
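
Review bot: `$password` is not validated here, whereas `barbican::db::mysql` calls `validate_string($password)`; suggest adding the same check. The ordering `-> Service<| title == 'barbican' |>` selects the service differently from manifests/keystone/auth.pp, which collects `Service <| name == 'barbican-server' |>`, so one of the two will not match the eventual service resource. The `Exec<| title == 'barbican-manage db_sync' |>` collector has the same title mismatch with manifests/db/sync.pp as the MySQL class.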

23
manifests/db/sync.pp Normal file

@ -0,0 +1,23 @@
#
# Class to execute barbican-db-manage upgrade
#
# == Parameters
#
# [*extra_params*]
# (optional) String of extra command line parameters to append
# to the barbican-db-manage command.
# Defaults to undef
#
class barbican::db::sync(
$extra_params = undef,
) {
exec { 'barbican-db-manage':
command => "barbican-db-manage upgrade ${extra_params}",
path => '/usr/bin',
user => 'barbican',
refreshonly => true,
subscribe => [Package['barbican'], Barbican_config['database/connection']],
}
Exec['barbican-db-manage'] ~> Service<| title == 'barbican' |>
}
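
Review bot: `$extra_params` is interpolated into `command` with no validation, and when it is left at `undef` the command ends in a trailing space. Suggest checking that it is a string when set, and documenting that it is appended verbatim to a command run as the `barbican` user. The exec title `barbican-db-manage` also needs to agree with the collectors in manifests/db/mysql.pp and manifests/db/postgresql.pp, which look for `barbican-manage db_sync`.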

14
manifests/init.pp Normal file

@ -0,0 +1,14 @@
# == Class: barbican
#
# Full description of class barbican here.
#
# === Parameters
#
# [*sample_parameter*]
# Explanation of what this parameter affects and what it defaults to.
#
class barbican {
include ::barbican::params
}
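
Review bot: The header is still the generator's placeholder: "Full description of class barbican here" and a documented `sample_parameter` that the class does not accept. Suggest replacing the description and removing the parameter entry so the docs match the empty parameter list.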


@ -0,0 +1,92 @@
# == Class: barbican::keystone::auth
#
# Configures barbican user, service and endpoint in Keystone.
#
# === Parameters
#
# [*password*]
# (required) Password for barbican user.
#
# [*auth_name*]
# Username for barbican service. Defaults to 'barbican'.
#
# [*email*]
# Email for barbican user. Defaults to 'barbican@localhost'.
#
# [*tenant*]
# Tenant for barbican user. Defaults to 'services'.
#
# [*configure_endpoint*]
# Should barbican endpoint be configured? Defaults to 'true'.
#
# [*configure_user*]
# (Optional) Should the service user be configured?
# Defaults to 'true'.
#
# [*configure_user_role*]
# (Optional) Should the admin role be configured for the service user?
# Defaults to 'true'.
#
# [*service_type*]
# Type of service. Defaults to 'key-manager'.
#
# [*region*]
# Region for endpoint. Defaults to 'RegionOne'.
#
# [*service_name*]
# (optional) Name of the service.
# Defaults to the value of auth_name.
#
# [*public_url*]
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:9311')
# This url should *not* contain any trailing '/'.
#
# [*admin_url*]
# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:9311')
# This url should *not* contain any trailing '/'.
#
# [*internal_url*]
# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:9311')
# This url should *not* contain any trailing '/'.
#
class barbican::keystone::auth (
$password,
$auth_name = 'barbican',
$email = 'barbican@localhost',
$tenant = 'services',
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
$service_name = undef,
$service_type = 'key-manager',
$region = 'RegionOne',
$public_url = 'http://127.0.0.1:9311',
$internal_url = 'http://127.0.0.1:9311',
$admin_url = 'http://127.0.0.1:9311',
) {
$real_service_name = pick($service_name, $auth_name)
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-server' |>
}
Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'barbican-server' |>
keystone::resource::service_identity { 'barbican':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
configure_endpoint => $configure_endpoint,
service_name => $real_service_name,
service_type => $service_type,
service_description => 'Key management Service',
region => $region,
auth_name => $auth_name,
password => $password,
email => $email,
tenant => $tenant,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,
}
}
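
Review bot: `Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'barbican-server' |>` sits outside any guard, unlike the `Keystone_user_role` relationship, which is wrapped in `if $configure_user_role`. With `configure_endpoint => false` the endpoint is presumably not declared by `keystone::resource::service_identity`, and the catalog would then reference a missing resource; suggest wrapping the line in `if $configure_endpoint`. The three URL defaults are plain `http://`; for a key management endpoint the parameter docs should say that deployments are expected to override them with `https://` URLs.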

211
manifests/logging.pp Normal file

@ -0,0 +1,211 @@
# Class barbican::logging
#
# barbican extended logging configuration
#
# == parameters
#
# [*logging_context_format_string*]
# (optional) Format string to use for log messages with context.
# Defaults to undef.
# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
# [%(request_id)s %(user_identity)s] %(instance)s%(message)s'
#
# [*logging_default_format_string*]
# (optional) Format string to use for log messages without context.
# Defaults to undef.
# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
# [-] %(instance)s%(message)s'
#
# [*logging_debug_format_suffix*]
# (optional) Formatted data to append to log format when level is DEBUG.
# Defaults to undef.
# Example: '%(funcName)s %(pathname)s:%(lineno)d'
#
# [*logging_exception_prefix*]
# (optional) Prefix each line of exception output with this format.
# Defaults to undef.
# Example: '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s'
#
# [*log_config_append*]
# The name of an additional logging configuration file.
# Defaults to undef.
# See https://docs.python.org/2/howto/logging.html
#
# [*default_log_levels*]
# (optional) Hash of logger (keys) and level (values) pairs.
# Defaults to undef.
# Example:
# { 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
# 'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
# 'oslo.messaging' => 'INFO', 'iso8601' => 'WARN',
# 'requests.packages.urllib3.connectionpool' => 'WARN',
# 'urllib3.connectionpool' => 'WARN',
# 'websocket' => 'WARN', 'barbicanmiddleware' => 'WARN',
# 'routes.middleware' => 'WARN', stevedore => 'WARN' }
#
# [*publish_errors*]
# (optional) Publish error events (boolean value).
# Defaults to undef (false if unconfigured).
#
# [*fatal_deprecations*]
# (optional) Make deprecations fatal (boolean value)
# Defaults to undef (false if unconfigured).
#
# [*instance_format*]
# (optional) If an instance is passed with the log message, format it
# like this (string value).
# Defaults to undef.
# Example: '[instance: %(uuid)s] '
#
# [*instance_uuid_format*]
# (optional) If an instance UUID is passed with the log message, format
# it like this (string value).
# Defaults to undef.
# Example: instance_uuid_format='[instance: %(uuid)s] '
# [*log_date_format*]
# (optional) Format string for %%(asctime)s in log records.
# Defaults to undef.
# Example: 'Y-%m-%d %H:%M:%S'
class barbican::logging(
$logging_context_format_string = undef,
$logging_default_format_string = undef,
$logging_debug_format_suffix = undef,
$logging_exception_prefix = undef,
$log_config_append = undef,
$default_log_levels = undef,
$publish_errors = undef,
$fatal_deprecations = undef,
$instance_format = undef,
$instance_uuid_format = undef,
$log_date_format = undef,
) {
if $logging_context_format_string {
barbican_config {
'DEFAULT/logging_context_format_string' :
value => $logging_context_format_string;
}
}
else {
barbican_config {
'DEFAULT/logging_context_format_string' : ensure => absent;
}
}
if $logging_default_format_string {
barbican_config {
'DEFAULT/logging_default_format_string' :
value => $logging_default_format_string;
}
}
else {
barbican_config {
'DEFAULT/logging_default_format_string' : ensure => absent;
}
}
if $logging_debug_format_suffix {
barbican_config {
'DEFAULT/logging_debug_format_suffix' :
value => $logging_debug_format_suffix;
}
}
else {
barbican_config {
'DEFAULT/logging_debug_format_suffix' : ensure => absent;
}
}
if $logging_exception_prefix {
barbican_config {
'DEFAULT/logging_exception_prefix' : value => $logging_exception_prefix;
}
}
else {
barbican_config {
'DEFAULT/logging_exception_prefix' : ensure => absent;
}
}
if $log_config_append {
barbican_config {
'DEFAULT/log_config_append' : value => $log_config_append;
}
}
else {
barbican_config {
'DEFAULT/log_config_append' : ensure => absent;
}
}
if $default_log_levels {
barbican_config {
'DEFAULT/default_log_levels' :
value => join(sort(join_keys_to_values($default_log_levels, '=')), ',');
}
}
else {
barbican_config {
'DEFAULT/default_log_levels' : ensure => absent;
}
}
if $publish_errors {
barbican_config {
'DEFAULT/publish_errors' : value => $publish_errors;
}
}
else {
barbican_config {
'DEFAULT/publish_errors' : ensure => absent;
}
}
if $fatal_deprecations {
barbican_config {
'DEFAULT/fatal_deprecations' : value => $fatal_deprecations;
}
}
else {
barbican_config {
'DEFAULT/fatal_deprecations' : ensure => absent;
}
}
if $instance_format {
barbican_config {
'DEFAULT/instance_format' : value => $instance_format;
}
}
else {
barbican_config {
'DEFAULT/instance_format' : ensure => absent;
}
}
if $instance_uuid_format {
barbican_config {
'DEFAULT/instance_uuid_format' : value => $instance_uuid_format;
}
}
else {
barbican_config {
'DEFAULT/instance_uuid_format' : ensure => absent;
}
}
if $log_date_format {
barbican_config {
'DEFAULT/log_date_format' : value => $log_date_format;
}
}
else {
barbican_config {
'DEFAULT/log_date_format' : ensure => absent;
}
}
}
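
Review bot: In the header, the `log_date_format` example `'Y-%m-%d %H:%M:%S'` is missing its leading `%` (the spec uses `'%Y-%m-%d %H:%M:%S'`), and the `#` separator line before `[*log_date_format*]` is absent. In the body, the eleven `if`/`else` blocks differ only in the setting name; since `barbican_config` already declares `ensure_absent_val` with the default `<SERVICE DEFAULT>`, defaulting the parameters to that value would remove the branching.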

19
manifests/params.pp Normal file

@ -0,0 +1,19 @@
# Parameters for puppet-barbican
#
class barbican::params {
case $::osfamily {
'RedHat': {
$psycopg_package_name = 'python-psycopg2'
$sqlite_package_name = undef
}
'Debian': {
$psycopg_package_name = 'python-psycopg2'
$sqlite_package_name = 'python-pysqlite2'
}
default: {
fail("Unsupported osfamily: ${::osfamily} operatingsystem")
}
} # Case $::osfamily
}

39
manifests/policy.pp Normal file

@ -0,0 +1,39 @@
# == Class: barbican::policy
#
# Configure the barbican policies
#
# === Parameters
#
# [*policies*]
# (optional) Set of policies to configure for barbican
# Example :
# {
# 'barbican-context_is_admin' => {
# 'key' => 'context_is_admin',
# 'value' => 'true'
# },
# 'barbican-default' => {
# 'key' => 'default',
# 'value' => 'rule:admin_or_owner'
# }
# }
# Defaults to empty hash.
#
# [*policy_path*]
# (optional) Path to the nova policy.json file
# Defaults to /etc/barbican/policy.json
#
class barbican::policy (
$policies = {},
$policy_path = '/etc/barbican/policy.json',
) {
validate_hash($policies)
Openstacklib::Policy::Base {
file_path => $policy_path,
}
create_resources('openstacklib::policy::base', $policies)
}
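
Review bot: The `policy_path` description reads "Path to the nova policy.json file"; this is the barbican module and the default is `/etc/barbican/policy.json`, so the text should say barbican.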

34
metadata.json Normal file

@ -0,0 +1,34 @@
{
"name": "puppet-barbican",
"version": "0.0.1",
"author": "OpenStack Contributors",
"summary": "Puppet module for OpenStack Barbican",
"license": "Apache-2.0",
"source": "git://github.com/openstack/puppet-barbican.git",
"project_page": "https://launchpad.net/puppet-barbican",
"issues_url": "https://bugs.launchpad.net/puppet-barbican",
"description": "Installs and configures OpenStack Barbican.",
"operatingsystem_support": [
{
"operatingsystem": "Debian",
"operatingsystemrelease": ["8"]
},
{
"operatingsystem": "Fedora",
"operatingsystemrelease": ["21","22"]
},
{
"operatingsystem": "RedHat",
"operatingsystemrelease": ["7"]
},
{
"operatingsystem": "Ubuntu",
"operatingsystemrelease": ["14.04"]
}
],
"dependencies": [
{ "name": "puppetlabs/inifile", "version_requirement": ">=1.0.0 <2.0.0" },
{ "name": "puppetlabs/stdlib", "version_requirement": ">= 4.2.0 <5.0.0" },
{ "name": "stackforge/openstacklib", "version_requirement": ">=5.0.0 <6.0.0" }
]
}
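
Review bot: `dependencies` omits the keystone module, although manifests/keystone/auth.pp declares `keystone::resource::service_identity` and .fixtures.yml fetches `puppet-keystone`; the MySQL and PostgreSQL modules that manifests/db.pp and the db specs rely on are absent as well. Suggest listing them with version ranges. The `source` URL uses `git://`; prefer the `https://` form.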


@ -0,0 +1,11 @@
HOSTS:
centos-server-70-x64:
roles:
- master
platform: el-7-x86_64
box: puppetlabs/centos-7.0-64-nocm
box_url: https://vagrantcloud.com/puppetlabs/centos-7.0-64-nocm
hypervisor: vagrant
CONFIG:
log_level: debug
type: foss


@ -0,0 +1,10 @@
HOSTS:
ubuntu-server-14.04-amd64:
roles:
- master
platform: ubuntu-14.04-amd64
box: puppetlabs/ubuntu-14.04-64-nocm
box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
hypervisor: vagrant
CONFIG:
type: foss


@ -0,0 +1,10 @@
HOSTS:
centos-70-x64:
roles:
- master
platform: el-7-x86_64
hypervisor: none
ip: 127.0.0.1
CONFIG:
type: foss
set_env: false


@ -0,0 +1,10 @@
HOSTS:
ubuntu-14.04-amd64:
roles:
- master
platform: ubuntu-14.04-amd64
hypervisor: none
ip: 127.0.0.1
CONFIG:
type: foss
set_env: false


@ -0,0 +1,11 @@
HOSTS:
ubuntu-server-14.04-amd64:
roles:
- master
platform: ubuntu-14.04-amd64
box: puppetlabs/ubuntu-14.04-64-nocm
box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
hypervisor: vagrant
CONFIG:
log_level: debug
type: foss


@ -0,0 +1,62 @@
require 'spec_helper'
describe 'barbican::db::mysql' do
let :pre_condition do
[
'include mysql::server',
'include barbican::db::sync'
]
end
let :facts do
{ :osfamily => 'Debian' }
end
let :params do
{
'password' => 'fooboozoo_default_password',
}
end
describe 'with only required params' do
it { is_expected.to contain_openstacklib__db__mysql('barbican').with(
'user' => 'barbican',
'password_hash' => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
'dbname' => 'barbican',
'host' => '127.0.0.1',
'charset' => 'utf8',
:collate => 'utf8_general_ci',
)}
end
describe "overriding allowed_hosts param to array" do
let :params do
{
:password => 'barbicanpass',
:allowed_hosts => ['127.0.0.1','%']
}
end
end
describe "overriding allowed_hosts param to string" do
let :params do
{
:password => 'barbicanpass2',
:allowed_hosts => '192.168.1.1'
}
end
end
describe "overriding allowed_hosts param equals to host param " do
let :params do
{
:password => 'barbicanpass2',
:allowed_hosts => '127.0.0.1'
}
end
end
end
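
Review bot: The three `describe "overriding allowed_hosts ..."` blocks only set `params` and contain no `it` expectation, so they assert nothing, including the case that allows connections from `'%'`. Suggest adding an expectation on `contain_openstacklib__db__mysql('barbican')` with the overridden `allowed_hosts` in each block, or removing the blocks until they test something.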


@ -0,0 +1,58 @@
require 'spec_helper'
describe 'barbican::db::postgresql' do
let :req_params do
{ :password => 'pw' }
end
let :pre_condition do
'include postgresql::server'
end
context 'on a RedHat osfamily' do
let :facts do
{
:osfamily => 'RedHat',
:operatingsystemrelease => '7.0',
:concat_basedir => '/var/lib/puppet/concat'
}
end
context 'with only required parameters' do
let :params do
req_params
end
it { is_expected.to contain_postgresql__server__db('barbican').with(
:user => 'barbican',
:password => 'md5699e09b3c7579f59869b882716fd7299'
)}
end
end
context 'on a Debian osfamily' do
let :facts do
{
:operatingsystemrelease => '7.8',
:operatingsystem => 'Debian',
:osfamily => 'Debian',
:concat_basedir => '/var/lib/puppet/concat'
}
end
context 'with only required parameters' do
let :params do
req_params
end
it { is_expected.to contain_postgresql__server__db('barbican').with(
:user => 'barbican',
:password => 'md5699e09b3c7579f59869b882716fd7299'
)}
end
end
end


@ -0,0 +1,124 @@
#
# Unit tests for barbican::keystone::auth
#
require 'spec_helper'
describe 'barbican::keystone::auth' do
let :facts do
{ :osfamily => 'Debian' }
end
describe 'with default class parameters' do
let :params do
{ :password => 'barbican_password',
:tenant => 'foobar' }
end
it { is_expected.to contain_keystone_user('barbican').with(
:ensure => 'present',
:password => 'barbican_password',
:tenant => 'foobar'
) }
it { is_expected.to contain_keystone_user_role('barbican@foobar').with(
:ensure => 'present',
:roles => ['admin']
)}
it { is_expected.to contain_keystone_service('barbican').with(
:ensure => 'present',
:type => 'key-manager',
:description => 'Key management Service'
) }
it { is_expected.to contain_keystone_endpoint('RegionOne/barbican').with(
:ensure => 'present',
:public_url => 'http://127.0.0.1:9311',
:admin_url => 'http://127.0.0.1:9311',
:internal_url => 'http://127.0.0.1:9311',
) }
end
describe 'when overriding URL parameters' do
let :params do
{ :password => 'barbican_password',
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81' }
end
it { is_expected.to contain_keystone_endpoint('RegionOne/barbican').with(
:ensure => 'present',
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81'
) }
end
describe 'when overriding auth name' do
let :params do
{ :password => 'foo',
:auth_name => 'barbicany' }
end
it { is_expected.to contain_keystone_user('barbicany') }
it { is_expected.to contain_keystone_user_role('barbicany@services') }
it { is_expected.to contain_keystone_service('barbicany') }
it { is_expected.to contain_keystone_endpoint('RegionOne/barbicany') }
end
describe 'when overriding service name' do
let :params do
{ :service_name => 'barbican_service',
:auth_name => 'barbican',
:password => 'barbican_password' }
end
it { is_expected.to contain_keystone_user('barbican') }
it { is_expected.to contain_keystone_user_role('barbican@services') }
it { is_expected.to contain_keystone_service('barbican_service') }
it { is_expected.to contain_keystone_endpoint('RegionOne/barbican_service') }
end
describe 'when disabling user configuration' do
let :params do
{
:password => 'barbican_password',
:configure_user => false
}
end
it { is_expected.not_to contain_keystone_user('barbican') }
it { is_expected.to contain_keystone_user_role('barbican@services') }
it { is_expected.to contain_keystone_service('barbican').with(
:ensure => 'present',
:type => 'key-manager',
:description => 'Key management Service'
) }
end
describe 'when disabling user and user role configuration' do
let :params do
{
:password => 'barbican_password',
:configure_user => false,
:configure_user_role => false
}
end
it { is_expected.not_to contain_keystone_user('barbican') }
it { is_expected.not_to contain_keystone_user_role('barbican@services') }
it { is_expected.to contain_keystone_service('barbican').with(
:ensure => 'present',
:type => 'key-manager',
:description => 'Key management Service'
) }
end
end
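
Review bot: No case sets `:configure_endpoint => false`, which is the one flag whose relationship in manifests/keystone/auth.pp is not guarded by an `if`. Suggest adding a `describe` for it that expects `is_expected.not_to contain_keystone_endpoint('RegionOne/barbican')` and that the catalog still compiles.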


@ -0,0 +1,107 @@
require 'spec_helper'
describe 'barbican::logging' do
let :params do
{
}
end
let :log_params do
{
:logging_context_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s',
:logging_default_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s',
:logging_debug_format_suffix => '%(funcName)s %(pathname)s:%(lineno)d',
:logging_exception_prefix => '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s',
:log_config_append => '/etc/barbican/logging.conf',
:publish_errors => true,
:default_log_levels => {
'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
'iso8601' => 'WARN',
'requests.packages.urllib3.connectionpool' => 'WARN' },
:fatal_deprecations => true,
:instance_format => '[instance: %(uuid)s] ',
:instance_uuid_format => '[instance: %(uuid)s] ',
:log_date_format => '%Y-%m-%d %H:%M:%S',
}
end
shared_examples_for 'barbican-logging' do
context 'with extended logging options' do
before { params.merge!( log_params ) }
it_configures 'logging params set'
end
context 'without extended logging options' do
it_configures 'logging params unset'
end
end
shared_examples_for 'logging params set' do
it 'enables logging params' do
is_expected.to contain_barbican_config('DEFAULT/logging_context_format_string').with_value(
'%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s')
is_expected.to contain_barbican_config('DEFAULT/logging_default_format_string').with_value(
'%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s')
is_expected.to contain_barbican_config('DEFAULT/logging_debug_format_suffix').with_value(
'%(funcName)s %(pathname)s:%(lineno)d')
is_expected.to contain_barbican_config('DEFAULT/logging_exception_prefix').with_value(
'%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s')
is_expected.to contain_barbican_config('DEFAULT/log_config_append').with_value(
'/etc/barbican/logging.conf')
is_expected.to contain_barbican_config('DEFAULT/publish_errors').with_value(
true)
is_expected.to contain_barbican_config('DEFAULT/default_log_levels').with_value(
'amqp=WARN,amqplib=WARN,boto=WARN,iso8601=WARN,qpid=WARN,requests.packages.urllib3.connectionpool=WARN,sqlalchemy=WARN,suds=INFO')
is_expected.to contain_barbican_config('DEFAULT/fatal_deprecations').with_value(
true)
is_expected.to contain_barbican_config('DEFAULT/instance_format').with_value(
'[instance: %(uuid)s] ')
is_expected.to contain_barbican_config('DEFAULT/instance_uuid_format').with_value(
'[instance: %(uuid)s] ')
is_expected.to contain_barbican_config('DEFAULT/log_date_format').with_value(
'%Y-%m-%d %H:%M:%S')
end
end
shared_examples_for 'logging params unset' do
[ :logging_context_format_string, :logging_default_format_string,
:logging_debug_format_suffix, :logging_exception_prefix,
:log_config_append, :publish_errors,
:default_log_levels, :fatal_deprecations,
:instance_format, :instance_uuid_format,
:log_date_format, ].each { |param|
it { is_expected.to contain_barbican_config("DEFAULT/#{param}").with_ensure('absent') }
}
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian' }
end
it_configures 'barbican-logging'
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat' }
end
it_configures 'barbican-logging'
end
end
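
Review bot: In `log_params`, `:instance_format` and `:instance_uuid_format` are given the identical value `'[instance: %(uuid)s] '`, so the 'logging params set' example cannot tell whether the manifest wires each parameter to its own setting or swaps them. Use two distinct strings here. It would also help to have the expectations read from `log_params` instead of repeating each literal, so the input and the expected value cannot drift apart.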

@ -0,0 +1,41 @@
require 'spec_helper'
describe 'barbican::policy' do
shared_examples_for 'barbican policies' do
let :params do
{
:policy_path => '/etc/barbican/policy.json',
:policies => {
'context_is_admin' => {
'key' => 'context_is_admin',
'value' => 'foo:bar'
}
}
}
end
it 'set up the policies' do
is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
:key => 'context_is_admin',
:value => 'foo:bar'
})
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian' }
end
it_configures 'barbican policies'
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat' }
end
it_configures 'barbican policies'
end
end
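
Review bot: The params set `:policy_path => '/etc/barbican/policy.json'`, but the 'set up the policies' example only asserts `:key` and `:value` on `openstacklib__policy__base`, so nothing verifies that the rule is written to the intended file. Since this file governs authorization for the key manager, add an expectation that the configured path reaches the resource, and consider a second policy entry so the test covers more than a single key.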

5
spec/shared_examples.rb Normal file
@ -0,0 +1,5 @@
shared_examples_for "a Puppet::Error" do |description|
it "with message matching #{description.inspect}" do
expect { is_expected.to have_class_count(1) }.to raise_error(Puppet::Error, description)
end
end
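
Review bot: The example is named "with message matching ..." but `raise_error(Puppet::Error, description)` only does pattern matching when `description` is a Regexp; a String argument has to equal the full error message. Document in a comment above `shared_examples_for "a Puppet::Error"` that callers are expected to pass a Regexp, or convert strings explicitly, so a spec author does not get a confusing failure on a partial message.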

10
spec/spec_helper.rb Normal file
@ -0,0 +1,10 @@
require 'puppetlabs_spec_helper/module_spec_helper'
require 'shared_examples'
require 'webmock/rspec'
RSpec.configure do |c|
c.alias_it_should_behave_like_to :it_configures, 'configures'
c.alias_it_should_behave_like_to :it_raises, 'raises'
end
at_exit { RSpec::Puppet::Coverage.report! }
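
Review bot: `require 'webmock/rspec'` turns on WebMock for every unit spec, yet none of the specs visible in this change stub or expect an HTTP request. If the intent is to guarantee that catalog compilation never reaches the network, say so in a comment next to the require; otherwise drop it so the test dependencies stay minimal.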

@ -0,0 +1,56 @@
require 'beaker-rspec'
require 'beaker/puppet_install_helper'
run_puppet_install_helper
RSpec.configure do |c|
# Project root
proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
modname = JSON.parse(open('metadata.json').read)['name'].split('-')[1]
# Readable test descriptions
c.formatter = :documentation
# Configure all nodes in nodeset
c.before :suite do
# Install module and dependencies
hosts.each do |host|
# install git
install_package host, 'git'
zuul_ref = ENV['ZUUL_REF']
zuul_branch = ENV['ZUUL_BRANCH']
zuul_url = ENV['ZUUL_URL']
repo = 'openstack/puppet-openstack-integration'
# Start out with clean moduledir, don't trust r10k to purge it
on host, "rm -rf /etc/puppet/modules/*"
# Install dependent modules via git or zuul
r = on host, "test -e /usr/zuul-env/bin/zuul-cloner", { :acceptable_exit_codes => [0,1] }
if r.exit_code == 0
zuul_clone_cmd = '/usr/zuul-env/bin/zuul-cloner '
zuul_clone_cmd += '--cache-dir /opt/git '
zuul_clone_cmd += "--zuul-ref #{zuul_ref} "
zuul_clone_cmd += "--zuul-branch #{zuul_branch} "
zuul_clone_cmd += "--zuul-url #{zuul_url} "
zuul_clone_cmd += "git://git.openstack.org #{repo}"
on host, zuul_clone_cmd
else
on host, "git clone https://git.openstack.org/#{repo} #{repo}"
end
on host, "ZUUL_REF=#{zuul_ref} ZUUL_BRANCH=#{zuul_branch} ZUUL_URL=#{zuul_url} bash #{repo}/install_modules.sh"
# Install the module being tested
on host, "rm -fr /etc/puppet/modules/#{modname}"
puppet_module_install(:source => proj_root, :module_name => modname)
on host, "rm -fr #{repo}"
# List modules installed to help with debugging
on host, puppet('module','list'), { :acceptable_exit_codes => 0 }
end
end
end
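
Review bot: The zuul-cloner branch fetches from `git://git.openstack.org`, an unauthenticated and unencrypted transport, while the fallback branch uses `https://git.openstack.org/#{repo}`; the cloned repository's `install_modules.sh` is then executed with bash on the host, so the integrity of that fetch matters. Use the https URL in both branches. Separately, `zuul_ref`, `zuul_branch` and `zuul_url` come straight from `ENV` and are interpolated unquoted into the `on host` command strings; when they are unset the commands are built with empty option values, so check for presence and shell-escape them before use.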

@ -0,0 +1,68 @@
#
# these tests are a little concerning b/c they are hacking around the
# modulepath, so these tests will not catch issues that may eventually arise
# related to loading these plugins.
# I could not, for the life of me, figure out how to programatcally set the modulepath
$LOAD_PATH.push(
File.join(
File.dirname(__FILE__),
'..',
'..',
'..',
'fixtures',
'modules',
'inifile',
'lib')
)
$LOAD_PATH.push(
File.join(
File.dirname(__FILE__),
'..',
'..',
'..',
'fixtures',
'modules',
'openstacklib',
'lib')
)
require 'spec_helper'
provider_class = Puppet::Type.type(:barbican_config).provider(:ini_setting)
describe provider_class do
it 'should default to the default setting when no other one is specified' do
resource = Puppet::Type::Barbican_config.new(
{:name => 'DEFAULT/foo', :value => 'bar'}
)
provider = provider_class.new(resource)
expect(provider.section).to eq('DEFAULT')
expect(provider.setting).to eq('foo')
end
it 'should allow setting to be set explicitly' do
resource = Puppet::Type::Barbican_config.new(
{:name => 'dude/foo', :value => 'bar'}
)
provider = provider_class.new(resource)
expect(provider.section).to eq('dude')
expect(provider.setting).to eq('foo')
end
it 'should ensure absent when <SERVICE DEFAULT> is specified as a value' do
resource = Puppet::Type::Barbican_config.new(
{:name => 'dude/foo', :value => '<SERVICE DEFAULT>'}
)
provider = provider_class.new(resource)
provider.exists?
expect(resource[:ensure]).to eq :absent
end
it 'should ensure absent when value matches ensure_absent_val' do
resource = Puppet::Type::Barbican_config.new(
{:name => 'dude/foo', :value => 'foo', :ensure_absent_val => 'foo' }
)
provider = provider_class.new(resource)
provider.exists?
expect(resource[:ensure]).to eq :absent
end
end
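
Review bot: The last two examples call `provider.exists?` purely for its side effect on `resource[:ensure]`, and only the positive cases are covered (`'<SERVICE DEFAULT>'` and a value equal to `:ensure_absent_val`). Add a negative example in which `:value` differs from `:ensure_absent_val` and assert that ensure is not switched to `:absent`, so an over-eager match that silently removes a real setting would be caught. The first example's description ('should default to the default setting ...') also does not match what it asserts, which is the parsing of `DEFAULT/foo` into section and setting.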

@ -0,0 +1,63 @@
require 'puppet'
require 'puppet/type/barbican_config'
describe 'Puppet::Type.type(:barbican_config)' do
before :each do
@barbican_config = Puppet::Type.type(:barbican_config).new(:name => 'DEFAULT/foo', :value => 'bar')
end
it 'should require a name' do
expect {
Puppet::Type.type(:barbican_config).new({})
}.to raise_error(Puppet::Error, 'Title or name must be provided')
end
it 'should not expect a name with whitespace' do
expect {
Puppet::Type.type(:barbican_config).new(:name => 'f oo')
}.to raise_error(Puppet::Error, /Parameter name failed/)
end
it 'should fail when there is no section' do
expect {
Puppet::Type.type(:barbican_config).new(:name => 'foo')
}.to raise_error(Puppet::Error, /Parameter name failed/)
end
it 'should not require a value when ensure is absent' do
Puppet::Type.type(:barbican_config).new(:name => 'DEFAULT/foo', :ensure => :absent)
end
it 'should accept a valid value' do
@barbican_config[:value] = 'bar'
expect(@barbican_config[:value]).to eq('bar')
end
it 'should not accept a value with whitespace' do
@barbican_config[:value] = 'b ar'
expect(@barbican_config[:value]).to eq('b ar')
end
it 'should accept valid ensure values' do
@barbican_config[:ensure] = :present
expect(@barbican_config[:ensure]).to eq(:present)
@barbican_config[:ensure] = :absent
expect(@barbican_config[:ensure]).to eq(:absent)
end
it 'should not accept invalid ensure values' do
expect {
@barbican_config[:ensure] = :latest
}.to raise_error(Puppet::Error, /Invalid value/)
end
it 'should autorequire the package that install the file' do
catalog = Puppet::Resource::Catalog.new
package = Puppet::Type.type(:package).new(:name => 'barbican')
catalog.add_resource package, @barbican_config
dependency = @barbican_config.autorequire
expect(dependency.size).to eq(1)
expect(dependency[0].target).to eq(@barbican_config)
expect(dependency[0].source).to eq(package)
end
end
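
Review bot: The example 'should not accept a value with whitespace' assigns `'b ar'` and then expects `@barbican_config[:value]` to equal `'b ar'`, which asserts that the value is accepted, the opposite of what the description says. Either rename it to state that whitespace in values is allowed, or, if the type is meant to reject such values, wrap the assignment in `expect { ... }.to raise_error(Puppet::Error, ...)` as the name test above does.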

12
tests/init.pp Normal file
@ -0,0 +1,12 @@
# The baseline for module testing used by Puppet Labs is that each manifest
# should have a corresponding test manifest that declares that class or defined
# type.
#
# Tests are then run by using puppet apply --noop (to check for compilation
# errors and view a log of events) or by fully applying the test in a virtual
# environment (to compare the resulting system state to the desired state).
#
# Learn more about module testing here:
# http://docs.puppetlabs.com/guides/tests_smoke.html
#
include ::barbican
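
Review bot: The header comment states that each manifest should have a corresponding test manifest, but this file only declares `::barbican`, while the change also ships specs for `barbican::logging` and `barbican::policy`. Either add smoke manifests for those classes or trim the comment so it does not promise coverage the module lacks. The documentation link in the comment is also plain `http://`.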