This patch is adding the configuration of the number of workers,
threads, and the size of the listen queue in Debian, which uses
uwsgi to run Nova API. Therefore, this patch adds a new
barbican_api_uwsgi_config provider as well as a new
barbican::wsgi::uwsgi class.
Change-Id: I3acdc3021e787ae1bc5e4ed3c464d530bfbde50a
This patch makes it possible to override the current service default,
which is /etc/<service>/policy.d.
Change-Id: Ib8f71445a680d845a3434c127daa202a3a75269b
The p11_crypto_plugin_token_labels parameter takes a list value, thus
it would be useful if a list value is accepted at puppet layer as well.
Change-Id: I52e08326079619049e2d436cc468829f8721257f
This change is a follow-up of the previous commit[1] and adds a unit
test case to validate the new parameter and a release note explaining
the change.
[1] 27b1cc2735
Change-Id: Ie7099bdf32a12fa85109279b576ff5ab126b59e0
This patch adds support for a couple of new options in the
PKCS#11 backends. Namely 'token_labels' and 'os_locking_ok'.
Change-Id: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
If the supported_os fact is missing, the test will not run on the
default supported systems (debian, ubuntu, centos).
Change-Id: Ifaa3da741778f3f2af00e82934235f44dd0cf24e
As OpenStack projects continue to have longer database migration
chains, the Puppet default timeout of 300 seconds for an execution
is becoming too short a duration on some hardware, leading to timeouts.
As projects continue to add more migration scripts without pruning
the base, timeouts will continue to become more frequent unless
this time can be expanded.
Change-Id: I1c0896d9b729fe0d2aeeed02386b48fb9e6debe5
Closes-Bug: #1904962
This patch adds support for two new options in the
p11_crypto_plugin section of the config file.
Depends-On: I115cf1a7006a6c85f37c5e50ded13134a3dfd1a3
Change-Id: I84b66d56a0914ea9e10eebb44c99ba2951ddba61
This change adds the 'params' hash in authtoken class, to implement
the same functionality as the one recently introduced into
puppet-nova[1].
[1] 5c38281e1b698f157f03bf1815733277c541c30b
Change-Id: I1ee5f6f36dce3429261b77a4c91b4732ced4a591
It is provided by the Puppet class 'openstacklib::wsgi::apache'.
This change exposes it for the Barbican service.
Change-Id: I3baa7af29970b4da25ff67a54e473c32ee6ad40f
Signed-off-by: Luke Short <ekultails@gmail.com>
This patch adds support for [keystone_authtoken] interface parameter,
so that operators can define which endpoint should be used by authtoken
middleware.
Change-Id: I5068505afbaf57e66d28f7cf472ab09bb8355f04
Currently the other puppet modules accept the actual service name on the
platform for api service_name, while puppet-barbican always requires
'barbican-api' and doesn't accept 'openstack-barbican-api' even in
Red Hat based OS.
This patch makes sure that we accept actual service name for api
service name, so that the accepted values are consistent among all
puppet modules.
Change-Id: I3ff64113e19a7c784d03afe3cb34865b88f8e39a
... and migrate it to openstacklib so that all logic about database
configuration is implemented in one common place.
Depends-on: https://review.opendev.org/#/c/728595/
Change-Id: Ia676438c5c91da73a9fe196baaff9170991c487a
In CentOS, we expect to have python3 client package in 8.x while we
expect to have python2 in 7.x.
Fix unit tests to expect the correct version according to os major
version.
Change-Id: Ib30f166bcda403fdf26fe05ed0a63a546974c442
The oslo.messaging RabbitMQ driver now has a new option that allows users to
run the RabbitMQ heartbeat over a native python thread.
This change allows users to use this new option.
Change-Id: I3debab140115a91f3df7aabf00c87eb1842b293b
Closes-Bug: #1840868
This patch introduces a new hieradata to configure service_token_roles
in keystone authtoken middleware configuration, so that we can use
a customized role for user who uses service token feature.
Change-Id: Ife07d55390390e9dd62fe4df0393010b9aa40030
So that we can increase it from the default 114688
Useful in case for example the OS-Federation mapping is too large.
If this limit is breached barbican will return a 413 Entity Too Large
and not log anything to barbican.log.
Change-Id: I2beb72f1ab37130eca340e691ca2dfd15cb5aa61
Closes-Bug: #1835161
Barbican can utilize Hashicorp Vault software
as a secret store backend. Added a new plugin
manifest to configure the vault_plugin section.
Change-Id: Idef1bdfd20b4820963e084657b46e07660be248c
The dogtag secretstore entrypoint is `dogtag_crypto`[1], thus the value
configured for secretstore:dogtag/secret_store_plugin needs to be
`dogtag_crypto` as well.
[1] https://github.com/openstack/barbican/blob/master/setup.cfg#L55
Change-Id: I14aa6d2f327b5f0af36ec07c574aa8eeccfdf55e
Service_token_roles_required is missing in the server config file which
allows backwards compatibility to ensure that the service tokens are
compared against a list of possible roles for validity.
Change-Id: I654cf1564607f6c4ac47db0987d2a86e335a3f89
Closes-Bug: 1778198
Remove code that is redundantly tested.
This should not be tested here but in puppet-oslo
where this logic resides.
If we keep this and we do changes in puppet-oslo we
will break these unit tests, this is something we need
to sort out for all modules.
Change-Id: Idb97ddf08144a8350635ed2a7221477960e17c92
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.
Change-Id: I5a0a697afbabe6312e2a2b46f70f51964649a9da
Closes-Bug: #1804562
Closes-Bug: #1804720
Added HSM related parameters to pkcs11 plugin manifest.
Change-Id: I08fafe1bc7bce02ad8eda6c4edd7a437d240d999
Co-Authored-By: Douglas Mendizabal <dmendiza@redhat.com>
Adds new barbican::worker class that can be used to manage
the package and service for barbican-worker.
Change-Id: Ifb9104523f5f4c44bf14d150a7189ccfebafb6bf