openstack
/
puppet-cinder
Code Issues Proposed changes

key_manager: Add service user options for Barbican key manager 

This change introduces some parameters to set up the service user token
feature for Barbican key manager, which was implemented during the Xena
cycle[1].

[1] 162039467ad0dfc5e25a16b75d9072d607690702

Depends-on: https://review.opendev.org/810451
Change-Id: I83bfbddbbc6cd98aa90621c3db2afc9afde16859
This commit is contained in:
Takashi Kajinami 2022-01-06 13:32:54 +09:00
parent 3a0408b4ae
commit 899e01f7ff
5 changed files with 225 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
manifests/key_manager/barbican.pp
View File

@ -33,14 +33,19 @@
# (Optional) Specifies the region of the chosen endpoint.
# Defaults to $::os_service_default
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true.
# Defaults to $::os_service_default
#
class cinder::key_manager::barbican (
$barbican_endpoint = $::os_service_default,
$barbican_api_version = $::os_service_default,
$auth_endpoint = $::os_service_default,
$retry_delay = $::os_service_default,
$number_of_retries = $::os_service_default,
$barbican_endpoint_type = $::os_service_default,
$barbican_region_name = $::os_service_default,
$barbican_endpoint = $::os_service_default,
$barbican_api_version = $::os_service_default,
$auth_endpoint = $::os_service_default,
$retry_delay = $::os_service_default,
$number_of_retries = $::os_service_default,
$barbican_endpoint_type = $::os_service_default,
$barbican_region_name = $::os_service_default,
$send_service_user_token = $::os_service_default,
) {
include cinder::deps
@ -49,12 +54,13 @@ class cinder::key_manager::barbican (
$auth_endpoint_real = pick($cinder::keymgr_encryption_auth_url, $auth_endpoint)
oslo::key_manager::barbican { 'cinder_config':
barbican_endpoint => $barbican_endpoint_real,
barbican_api_version => $barbican_api_version,
auth_endpoint => $auth_endpoint_real,
retry_delay => $retry_delay,
number_of_retries => $number_of_retries,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
barbican_endpoint => $barbican_endpoint_real,
barbican_api_version => $barbican_api_version,
auth_endpoint => $auth_endpoint_real,
retry_delay => $retry_delay,
number_of_retries => $number_of_retries,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
send_service_user_token => $send_service_user_token,
}
}

94
manifests/key_manager/barbican/service_user.pp Normal file
View File

@ -0,0 +1,94 @@
# == Class: cinder::key_manager::barbican::service_user
#
# Setup and configure the service token feature for Barbican Key Manager
#
# === Parameters
#
# [*password*]
# (Required) Password to create for the service user
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'cinder'
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http://localhost:5000'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to 'Default'
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
class cinder::key_manager::barbican::service_user(
$password,
$username = 'cinder',
$auth_url = 'http://localhost:5000',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$insecure = $::os_service_default,
$auth_type = 'password',
$auth_version = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$keyfile = $::os_service_default,
$region_name = $::os_service_default,
) {
include cinder::deps
oslo::key_manager::barbican::service_user { 'cinder_config':
username => $username,
password => $password,
auth_url => $auth_url,
project_name => $project_name,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
insecure => $insecure,
auth_type => $auth_type,
auth_version => $auth_version,
cafile => $cafile,
certfile => $certfile,
keyfile => $keyfile,
region_name => $region_name,
}
}

8
releasenotes/notes/barbican_service_user-7c554403b68cbcaa.yaml Normal file
View File

@ -0,0 +1,8 @@
---
features:
- |
The following parameter and class have been added, to support usage of
the service token feature with the Barbican key manager.
- The ``cinder::key_manager::barbican::send_service_user_token`` parameter
- The ``cinder::key_manager::barbican::service_user`` class

79
spec/classes/cinder_key_manager_barbican_service_user_spec.rb Normal file
View File

@ -0,0 +1,79 @@
require 'spec_helper'
describe 'cinder::key_manager::barbican::service_user' do
shared_examples 'cinder::key_manager::barbican::service_user' do
let :params do
{ :password => 'secret' }
end
context 'with default parameters' do
it {
is_expected.to contain_oslo__key_manager__barbican__service_user('cinder_config').with(
:username => 'cinder',
:password => 'secret',
:auth_url => 'http://localhost:5000',
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:insecure => '<SERVICE DEFAULT>',
:auth_type => 'password',
:auth_version => '<SERVICE DEFAULT>',
:cafile => '<SERVICE DEFAULT>',
:certfile => '<SERVICE DEFAULT>',
:keyfile => '<SERVICE DEFAULT>',
:region_name => '<SERVICE DEFAULT>',
)
}
end
context 'with specified parameters' do
before :each do
params.merge!({
:username => 'alt_cinder',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'alt_services',
:user_domain_name => 'Domain1',
:project_domain_name => 'Domain2',
:insecure => false,
:auth_type => 'v3password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'regionOne',
})
end
it {
is_expected.to contain_oslo__key_manager__barbican__service_user('cinder_config').with(
:username => 'alt_cinder',
:password => 'secret',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'alt_services',
:user_domain_name => 'Domain1',
:project_domain_name => 'Domain2',
:insecure => false,
:auth_type => 'v3password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'regionOne',
)
}
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge(OSDefaults.get_facts())
end
it_behaves_like 'cinder::key_manager::barbican::service_user'
end
end
end

45
spec/classes/cinder_key_manager_barbican_spec.rb
View File

@ -5,13 +5,14 @@ describe 'cinder::key_manager::barbican' do
context 'with default parameters' do
it {
is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:retry_delay => '<SERVICE DEFAULT>',
:number_of_retries => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:retry_delay => '<SERVICE DEFAULT>',
:number_of_retries => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:send_service_user_token => '<SERVICE DEFAULT>',
)
}
end
@ -19,25 +20,27 @@ describe 'cinder::key_manager::barbican' do
context 'with specified parameters' do
let :params do
{
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
}
end
it {
is_expected.to contain_oslo__key_manager__barbican('cinder_config').with(
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
)
}
end