key_manager: Add service user options for Barbican key manager
This change introduces some parameters to set up the service user token feature for Barbican key manager, which was implemented during the Xena cycle[1]. [1] 162039467ad0dfc5e25a16b75d9072d607690702 Depends-on: https://review.opendev.org/810451 Change-Id: I83bfbddbbc6cd98aa90621c3db2afc9afde16859
This commit is contained in:
parent
3a0408b4ae
commit
899e01f7ff
|
@ -33,14 +33,19 @@
|
|||
# (Optional) Specifies the region of the chosen endpoint.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*send_service_user_token*]
|
||||
# (Optional) The service uses service token feature when this is set as true.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
class cinder::key_manager::barbican (
|
||||
$barbican_endpoint = $::os_service_default,
|
||||
$barbican_api_version = $::os_service_default,
|
||||
$auth_endpoint = $::os_service_default,
|
||||
$retry_delay = $::os_service_default,
|
||||
$number_of_retries = $::os_service_default,
|
||||
$barbican_endpoint_type = $::os_service_default,
|
||||
$barbican_region_name = $::os_service_default,
|
||||
$barbican_endpoint = $::os_service_default,
|
||||
$barbican_api_version = $::os_service_default,
|
||||
$auth_endpoint = $::os_service_default,
|
||||
$retry_delay = $::os_service_default,
|
||||
$number_of_retries = $::os_service_default,
|
||||
$barbican_endpoint_type = $::os_service_default,
|
||||
$barbican_region_name = $::os_service_default,
|
||||
$send_service_user_token = $::os_service_default,
|
||||
) {
|
||||
|
||||
include cinder::deps
|
||||
|
@ -49,12 +54,13 @@ class cinder::key_manager::barbican (
|
|||
$auth_endpoint_real = pick($cinder::keymgr_encryption_auth_url, $auth_endpoint)
|
||||
|
||||
oslo::key_manager::barbican { 'cinder_config':
|
||||
barbican_endpoint => $barbican_endpoint_real,
|
||||
barbican_api_version => $barbican_api_version,
|
||||
auth_endpoint => $auth_endpoint_real,
|
||||
retry_delay => $retry_delay,
|
||||
number_of_retries => $number_of_retries,
|
||||
barbican_endpoint_type => $barbican_endpoint_type,
|
||||
barbican_region_name => $barbican_region_name,
|
||||
barbican_endpoint => $barbican_endpoint_real,
|
||||
barbican_api_version => $barbican_api_version,
|
||||
auth_endpoint => $auth_endpoint_real,
|
||||
retry_delay => $retry_delay,
|
||||
number_of_retries => $number_of_retries,
|
||||
barbican_endpoint_type => $barbican_endpoint_type,
|
||||
barbican_region_name => $barbican_region_name,
|
||||
send_service_user_token => $send_service_user_token,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,94 @@
|
|||
# == Class: cinder::key_manager::barbican::service_user
|
||||
#
|
||||
# Setup and configure the service token feature for Barbican Key Manager
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*password*]
|
||||
# (Required) Password to create for the service user
|
||||
#
|
||||
# [*username*]
|
||||
# (Optional) The name of the service user
|
||||
# Defaults to 'cinder'
|
||||
#
|
||||
# [*auth_url*]
|
||||
# (Optional) The URL to use for authentication.
|
||||
# Defaults to 'http://localhost:5000'
|
||||
#
|
||||
# [*project_name*]
|
||||
# (Optional) Service project name
|
||||
# Defaults to 'services'
|
||||
#
|
||||
# [*user_domain_name*]
|
||||
# (Optional) Name of domain for $username
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*project_domain_name*]
|
||||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
# caution.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*auth_type*]
|
||||
# (Optional) Authentication type to load
|
||||
# Defaults to 'password'
|
||||
#
|
||||
# [*auth_version*]
|
||||
# (Optional) API version of the admin Identity API endpoint.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*cafile*]
|
||||
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
|
||||
# connections.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*certfile*]
|
||||
# (Optional) Required if identity server requires client certificate
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*keyfile*]
|
||||
# (Optional) Required if identity server requires client certificate
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*region_name*]
|
||||
# (Optional) The region in which the identity server can be found.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
class cinder::key_manager::barbican::service_user(
|
||||
$password,
|
||||
$username = 'cinder',
|
||||
$auth_url = 'http://localhost:5000',
|
||||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$insecure = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
$auth_version = $::os_service_default,
|
||||
$cafile = $::os_service_default,
|
||||
$certfile = $::os_service_default,
|
||||
$keyfile = $::os_service_default,
|
||||
$region_name = $::os_service_default,
|
||||
) {
|
||||
|
||||
include cinder::deps
|
||||
|
||||
oslo::key_manager::barbican::service_user { 'cinder_config':
|
||||
username => $username,
|
||||
password => $password,
|
||||
auth_url => $auth_url,
|
||||
project_name => $project_name,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
insecure => $insecure,
|
||||
auth_type => $auth_type,
|
||||
auth_version => $auth_version,
|
||||
cafile => $cafile,
|
||||
certfile => $certfile,
|
||||
keyfile => $keyfile,
|
||||
region_name => $region_name,
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The following parameter and class have been added, to support usage of
|
||||
the service token feature with the Barbican key manager.
|
||||
|
||||
- The ``cinder::key_manager::barbican::send_service_user_token`` parameter
|
||||
- The ``cinder::key_manager::barbican::service_user`` class
|
|
@ -0,0 +1,79 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'cinder::key_manager::barbican::service_user' do
|
||||
shared_examples 'cinder::key_manager::barbican::service_user' do
|
||||
|
||||
let :params do
|
||||
{ :password => 'secret' }
|
||||
end
|
||||
|
||||
context 'with default parameters' do
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican__service_user('cinder_config').with(
|
||||
:username => 'cinder',
|
||||
:password => 'secret',
|
||||
:auth_url => 'http://localhost:5000',
|
||||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
:auth_version => '<SERVICE DEFAULT>',
|
||||
:cafile => '<SERVICE DEFAULT>',
|
||||
:certfile => '<SERVICE DEFAULT>',
|
||||
:keyfile => '<SERVICE DEFAULT>',
|
||||
:region_name => '<SERVICE DEFAULT>',
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
context 'with specified parameters' do
|
||||
before :each do
|
||||
params.merge!({
|
||||
:username => 'alt_cinder',
|
||||
:auth_url => 'http://127.0.0.1:5000',
|
||||
:project_name => 'alt_services',
|
||||
:user_domain_name => 'Domain1',
|
||||
:project_domain_name => 'Domain2',
|
||||
:insecure => false,
|
||||
:auth_type => 'v3password',
|
||||
:auth_version => 'v3',
|
||||
:cafile => '/opt/stack/data/cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:keyfile => 'keyfile',
|
||||
:region_name => 'regionOne',
|
||||
})
|
||||
end
|
||||
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican__service_user('cinder_config').with(
|
||||
:username => 'alt_cinder',
|
||||
:password => 'secret',
|
||||
:auth_url => 'http://127.0.0.1:5000',
|
||||
:project_name => 'alt_services',
|
||||
:user_domain_name => 'Domain1',
|
||||
:project_domain_name => 'Domain2',
|
||||
:insecure => false,
|
||||
:auth_type => 'v3password',
|
||||
:auth_version => 'v3',
|
||||
:cafile => '/opt/stack/data/cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:keyfile => 'keyfile',
|
||||
:region_name => 'regionOne',
|
||||
)
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
it_behaves_like 'cinder::key_manager::barbican::service_user'
|
||||
end
|
||||
end
|
||||
end
|
|
@ -5,13 +5,14 @@ describe 'cinder::key_manager::barbican' do
|
|||
context 'with default parameters' do
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
|
||||
:barbican_endpoint => '<SERVICE DEFAULT>',
|
||||
:barbican_api_version => '<SERVICE DEFAULT>',
|
||||
:auth_endpoint => '<SERVICE DEFAULT>',
|
||||
:retry_delay => '<SERVICE DEFAULT>',
|
||||
:number_of_retries => '<SERVICE DEFAULT>',
|
||||
:barbican_endpoint_type => '<SERVICE DEFAULT>',
|
||||
:barbican_region_name => '<SERVICE DEFAULT>',
|
||||
:barbican_endpoint => '<SERVICE DEFAULT>',
|
||||
:barbican_api_version => '<SERVICE DEFAULT>',
|
||||
:auth_endpoint => '<SERVICE DEFAULT>',
|
||||
:retry_delay => '<SERVICE DEFAULT>',
|
||||
:number_of_retries => '<SERVICE DEFAULT>',
|
||||
:barbican_endpoint_type => '<SERVICE DEFAULT>',
|
||||
:barbican_region_name => '<SERVICE DEFAULT>',
|
||||
:send_service_user_token => '<SERVICE DEFAULT>',
|
||||
)
|
||||
}
|
||||
end
|
||||
|
@ -19,25 +20,27 @@ describe 'cinder::key_manager::barbican' do
|
|||
context 'with specified parameters' do
|
||||
let :params do
|
||||
{
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:send_service_user_token => true,
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:send_service_user_token => true,
|
||||
)
|
||||
}
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue