Add Vault Secret Store Plugin

Barbican can utilize Hashicorp Vault software as a secret store backend. Added a new plugin manifest to configure the vault_plugin section. Change-Id: Idef1bdfd20b4820963e084657b46e07660be248c
2019-05-29 09:51:38 -04:00 · 2019-05-29 09:51:38 -04:00 · 7ab351d8d5
parent ae7dbe4526
commit 7ab351d8d5
3 changed files with 186 additions and 0 deletions
--- a/manifests/plugins/vault.pp
+++ b/manifests/plugins/vault.pp
@ -0,0 +1,61 @@
+# == Class: barbican::plugins::vault
+#
+# Sets up Barbican vault plugin
+#
+# === Parameters
+#
+# [*vault_url*]
+#   (optional) The Vault URL.
+#   Defaults to $::os_service_default
+#
+# [*root_token_id*]
+#   (optional) Vault Root Token ID.
+#   Defaults to $::os_service_default
+#
+# [*approle_role_id*]
+#   (optional) Set the approle role ID.
+#   Defaults to $::os_service_default
+#
+# [*approle_secret_id*]
+#   (optional) Set the approle secret ID.
+#   Defaults to $::os_service_default
+#
+# [*kv_mountpoint*]
+#   (optional) Set the mountpoint of the KV.
+#   Defaults to $::os_service_default
+#
+# [*use_ssl*]
+#   (optional) Enable or disable SSL
+#   Defaults to false
+#
+# [*ssl_ca_crt_file*]
+#   (optional) Set the ssl CA cert file
+#   Defaults to $::os_service_default
+#
+# [*global_default*]
+#   (optional) set plugin as global default
+#   Defaults to false
+#
+class barbican::plugins::vault (
+  $vault_url         = $::os_service_default,
+  $root_token_id     = $::os_service_default,
+  $approle_role_id   = $::os_service_default,
+  $approle_secret_id = $::os_service_default,
+  $kv_mountpoint     = $::os_service_default,
+  $use_ssl           = false,
+  $ssl_ca_crt_file   = $::os_service_default,
+  $global_default    = false,
+) {
+
+  barbican_config {
+    'secretstore:vault/secret_store_plugin':  value => 'vault_plugin';
+    'secretstore:vault/global_default':       value => $global_default;
+    'vault_plugin/vault_url':                 value => $vault_url;
+    'vault_plugin/root_token_id':             value => $root_token_id;
+    'vault_plugin/approle_role_id':           value => $approle_role_id;
+    'vault_plugin/approle_secret_id':         value => $approle_secret_id;
+    'vault_plugin/kv_mountpoint':             value => $kv_mountpoint;
+    'vault_plugin/use_ssl':                   value => $use_ssl;
+    'vault_plugin/ssl_ca_crt_file':           value => $ssl_ca_crt_file;
+  }
+}
--- a/releasenotes/notes/add_vault_plugin-ba10e2519dbf247c.yaml
+++ b/releasenotes/notes/add_vault_plugin-ba10e2519dbf247c.yaml
@ -0,0 +1,3 @@
+---
+features:
+  - Added vault secret store plugin
--- a/spec/classes/barbican_plugins_vault_spec.rb
+++ b/spec/classes/barbican_plugins_vault_spec.rb
@ -0,0 +1,122 @@
+#
+# Copyright (C) 2019 Matthew J. Black
+#
+# Author: Matthew J. Black <mjblack@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for barbican::plugins::vault class
+#
+require 'spec_helper'
+
+describe 'barbican::plugins::vault' do
+
+  shared_examples_for 'barbican plugins vault' do
+    describe 'with minimal parameters passed into vault plugin' do
+      let :params do
+        {
+          :vault_url       => 'http://127.0.0.1:8200',
+          :root_token_id   => 'barbican_root_token_id',
+          :global_default  => true,
+        }
+      end
+
+      it 'is_expected.to set vault plugin parameters' do
+        is_expected.to contain_barbican_config('vault_plugin/vault_url') \
+          .with_value(params[:vault_url])
+        is_expected.to contain_barbican_config(
+          'secretstore:vault/secret_store_plugin') \
+          .with_value('vault_plugin')
+        is_expected.to contain_barbican_config(
+          'secretstore:vault/global_default') \
+          .with_value('true')
+      end
+    end
+
+    describe 'with approle parameters passed into vault plugin' do
+      let :params do
+        {
+          :vault_url         => 'https://127.0.0.1:8200',
+          :use_ssl           => true,
+          :approle_role_id   => 'barbican_approle_role_id',
+          :approle_secret_id => 'barbican_approle_secret_id',
+          :kv_mountpoint     => 'barbican_secrets',
+        }
+      end
+
+      it 'is_expected.to set vault plugin parameters' do
+        is_expected.to contain_barbican_config('vault_plugin/vault_url') \
+          .with_value(params[:vault_url])
+        is_expected.to contain_barbican_config('vault_plugin/use_ssl') \
+          .with_value(params[:use_ssl])
+        is_expected.to contain_barbican_config('vault_plugin/approle_role_id') \
+          .with_value(params[:approle_role_id])
+        is_expected.to contain_barbican_config('vault_plugin/approle_secret_id') \
+          .with_value(params[:approle_secret_id])
+        is_expected.to contain_barbican_config('vault_plugin/kv_mountpoint') \
+          .with_value(params[:kv_mountpoint])
+        is_expected.to contain_barbican_config(
+          'secretstore:vault/secret_store_plugin') \
+          .with_value('vault_plugin')
+        is_expected.to contain_barbican_config(
+          'secretstore:vault/global_default') \
+          .with_value('false')
+      end
+    end
+
+    describe 'with no parameter passed into vault plugin' do
+      let :params do
+        {}
+      end
+
+      it 'is_expected.to set default vault parameters' do
+        is_expected.to contain_barbican_config('vault_plugin/vault_url') \
+          .with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_barbican_config('vault_plugin/root_token_id') \
+          .with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_barbican_config('vault_plugin/approle_role_id') \
+          .with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_barbican_config('vault_plugin/approle_secret_id') \
+          .with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_barbican_config('vault_plugin/kv_mountpoint') \
+          .with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_barbican_config('vault_plugin/use_ssl') \
+          .with_value('false')
+        is_expected.to contain_barbican_config('vault_plugin/ssl_ca_crt_file') \
+          .with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_barbican_config(
+          'secretstore:vault/secret_store_plugin') \
+          .with_value('vault_plugin')
+        is_expected.to contain_barbican_config(
+          'secretstore:vault/global_default') \
+          .with_value('false')
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os   => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge(OSDefaults.get_facts({
+          :processorcount => 8,
+          :fqdn           => 'some.host.tld',
+          :concat_basedir => '/var/lib/puppet/concat',
+        }))
+      end
+
+      it_configures 'barbican plugins vault'
+    end
+  end
+end