Add Vault Secret Store Plugin
Barbican can utilize Hashicorp Vault software as a secret store backend. Added a new plugin manifest to configure the vault_plugin section. Change-Id: Idef1bdfd20b4820963e084657b46e07660be248c
This commit is contained in:
parent
ae7dbe4526
commit
7ab351d8d5
|
@ -0,0 +1,61 @@
|
|||
# == Class: barbican::plugins::vault
|
||||
#
|
||||
# Sets up Barbican vault plugin
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*vault_url*]
|
||||
# (optional) The Vault URL.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*root_token_id*]
|
||||
# (optional) Vault Root Token ID.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*approle_role_id*]
|
||||
# (optional) Set the approle role ID.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*approle_secret_id*]
|
||||
# (optional) Set the approle secret ID.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*kv_mountpoint*]
|
||||
# (optional) Set the mountpoint of the KV.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*use_ssl*]
|
||||
# (optional) Enable or disable SSL
|
||||
# Defaults to false
|
||||
#
|
||||
# [*ssl_ca_crt_file*]
|
||||
# (optional) Set the ssl CA cert file
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*global_default*]
|
||||
# (optional) set plugin as global default
|
||||
# Defaults to false
|
||||
#
|
||||
class barbican::plugins::vault (
|
||||
$vault_url = $::os_service_default,
|
||||
$root_token_id = $::os_service_default,
|
||||
$approle_role_id = $::os_service_default,
|
||||
$approle_secret_id = $::os_service_default,
|
||||
$kv_mountpoint = $::os_service_default,
|
||||
$use_ssl = false,
|
||||
$ssl_ca_crt_file = $::os_service_default,
|
||||
$global_default = false,
|
||||
) {
|
||||
|
||||
barbican_config {
|
||||
'secretstore:vault/secret_store_plugin': value => 'vault_plugin';
|
||||
'secretstore:vault/global_default': value => $global_default;
|
||||
'vault_plugin/vault_url': value => $vault_url;
|
||||
'vault_plugin/root_token_id': value => $root_token_id;
|
||||
'vault_plugin/approle_role_id': value => $approle_role_id;
|
||||
'vault_plugin/approle_secret_id': value => $approle_secret_id;
|
||||
'vault_plugin/kv_mountpoint': value => $kv_mountpoint;
|
||||
'vault_plugin/use_ssl': value => $use_ssl;
|
||||
'vault_plugin/ssl_ca_crt_file': value => $ssl_ca_crt_file;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
features:
|
||||
- Added vault secret store plugin
|
|
@ -0,0 +1,122 @@
|
|||
#
|
||||
# Copyright (C) 2019 Matthew J. Black
|
||||
#
|
||||
# Author: Matthew J. Black <mjblack@gmail.com>
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for barbican::plugins::vault class
|
||||
#
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'barbican::plugins::vault' do
|
||||
|
||||
shared_examples_for 'barbican plugins vault' do
|
||||
describe 'with minimal parameters passed into vault plugin' do
|
||||
let :params do
|
||||
{
|
||||
:vault_url => 'http://127.0.0.1:8200',
|
||||
:root_token_id => 'barbican_root_token_id',
|
||||
:global_default => true,
|
||||
}
|
||||
end
|
||||
|
||||
it 'is_expected.to set vault plugin parameters' do
|
||||
is_expected.to contain_barbican_config('vault_plugin/vault_url') \
|
||||
.with_value(params[:vault_url])
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:vault/secret_store_plugin') \
|
||||
.with_value('vault_plugin')
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:vault/global_default') \
|
||||
.with_value('true')
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with approle parameters passed into vault plugin' do
|
||||
let :params do
|
||||
{
|
||||
:vault_url => 'https://127.0.0.1:8200',
|
||||
:use_ssl => true,
|
||||
:approle_role_id => 'barbican_approle_role_id',
|
||||
:approle_secret_id => 'barbican_approle_secret_id',
|
||||
:kv_mountpoint => 'barbican_secrets',
|
||||
}
|
||||
end
|
||||
|
||||
it 'is_expected.to set vault plugin parameters' do
|
||||
is_expected.to contain_barbican_config('vault_plugin/vault_url') \
|
||||
.with_value(params[:vault_url])
|
||||
is_expected.to contain_barbican_config('vault_plugin/use_ssl') \
|
||||
.with_value(params[:use_ssl])
|
||||
is_expected.to contain_barbican_config('vault_plugin/approle_role_id') \
|
||||
.with_value(params[:approle_role_id])
|
||||
is_expected.to contain_barbican_config('vault_plugin/approle_secret_id') \
|
||||
.with_value(params[:approle_secret_id])
|
||||
is_expected.to contain_barbican_config('vault_plugin/kv_mountpoint') \
|
||||
.with_value(params[:kv_mountpoint])
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:vault/secret_store_plugin') \
|
||||
.with_value('vault_plugin')
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:vault/global_default') \
|
||||
.with_value('false')
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with no parameter passed into vault plugin' do
|
||||
let :params do
|
||||
{}
|
||||
end
|
||||
|
||||
it 'is_expected.to set default vault parameters' do
|
||||
is_expected.to contain_barbican_config('vault_plugin/vault_url') \
|
||||
.with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_barbican_config('vault_plugin/root_token_id') \
|
||||
.with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_barbican_config('vault_plugin/approle_role_id') \
|
||||
.with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_barbican_config('vault_plugin/approle_secret_id') \
|
||||
.with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_barbican_config('vault_plugin/kv_mountpoint') \
|
||||
.with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_barbican_config('vault_plugin/use_ssl') \
|
||||
.with_value('false')
|
||||
is_expected.to contain_barbican_config('vault_plugin/ssl_ca_crt_file') \
|
||||
.with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:vault/secret_store_plugin') \
|
||||
.with_value('vault_plugin')
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:vault/global_default') \
|
||||
.with_value('false')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge(OSDefaults.get_facts({
|
||||
:processorcount => 8,
|
||||
:fqdn => 'some.host.tld',
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
}))
|
||||
end
|
||||
|
||||
it_configures 'barbican plugins vault'
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue