From e9a898f2f0c90b7386c81aa267c9bc6d5e11fcd4 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 6 Jan 2022 13:42:49 +0900
Subject: [PATCH] key_manager: Add service user options for Barbican key manager

This change introduces some parameters to set up the service user token feature for Barbican key manager, which was implemented during the Xena cycle[1].

[1] 162039467ad0dfc5e25a16b75d9072d607690702

Depends-on: https://review.opendev.org/810451
Change-Id: I96ab0932788737f5e37125fecc0e48357a595030
---
 manifests/key_manager/barbican.pp | 34 ++++---
 .../key_manager/barbican/service_user.pp | 94 +++++++++++++++++++
 ...arbican_service_user-606ee71dc0940e2a.yaml | 8 ++
 ..._key_manager_barbican_service_user_spec.rb | 79 ++++++++++++++++
 .../glance_key_manager_barbican_spec.rb | 45 ++++-----
 5 files changed, 225 insertions(+), 35 deletions(-)
 create mode 100644 manifests/key_manager/barbican/service_user.pp
 create mode 100644 releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml
 create mode 100644 spec/classes/glance_key_manager_barbican_service_user_spec.rb

diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp
index f6f10aec..b9c92c8f 100644
--- a/manifests/key_manager/barbican.pp
+++ b/manifests/key_manager/barbican.pp
@@ -33,14 +33,19 @@
 # (Optional) Specifies the region of the chosen endpoint.
 # Defaults to $::os_service_default
 #
+# [*send_service_user_token*]
+# (Optional) The service uses service token feature when this is set as true.
+# Defaults to $::os_service_default
+#
 class glance::key_manager::barbican (
- $barbican_endpoint = $::os_service_default,
- $barbican_api_version = $::os_service_default,
- $auth_endpoint = $::os_service_default,
- $retry_delay = $::os_service_default,
- $number_of_retries = $::os_service_default,
- $barbican_endpoint_type = $::os_service_default,
- $barbican_region_name = $::os_service_default,
+ $barbican_endpoint = $::os_service_default,
+ $barbican_api_version = $::os_service_default,
+ $auth_endpoint = $::os_service_default,
+ $retry_delay = $::os_service_default,
+ $number_of_retries = $::os_service_default,
+ $barbican_endpoint_type = $::os_service_default,
+ $barbican_region_name = $::os_service_default,
+ $send_service_user_token = $::os_service_default,
 ) {
 
 include glance::deps
@@ -49,12 +54,13 @@ class glance::key_manager::barbican (
 $auth_endpoint_real = pick($glance::api::keymgr_encryption_auth_url, $auth_endpoint)
 
 oslo::key_manager::barbican { 'glance_api_config':
- barbican_endpoint => $barbican_endpoint_real,
- barbican_api_version => $barbican_api_version,
- auth_endpoint => $auth_endpoint_real,
- retry_delay => $retry_delay,
- number_of_retries => $number_of_retries,
- barbican_endpoint_type => $barbican_endpoint_type,
- barbican_region_name => $barbican_region_name,
+ barbican_endpoint => $barbican_endpoint_real,
+ barbican_api_version => $barbican_api_version,
+ auth_endpoint => $auth_endpoint_real,
+ retry_delay => $retry_delay,
+ number_of_retries => $number_of_retries,
+ barbican_endpoint_type => $barbican_endpoint_type,
+ barbican_region_name => $barbican_region_name,
+ send_service_user_token => $send_service_user_token,
 }
 }
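Review bot: The `send_service_user_token` parameter doc in the first hunk says what the flag does but not what it depends on: a service token can only be sent once service user credentials are configured, which this commit adds as the separate `glance::key_manager::barbican::service_user` class (per the diffstat), and a catalog that sets the flag alone presumably leaves the key manager unable to obtain a token at runtime. I would extend the doc block with `#   Enabling this requires the service user credentials to be configured through glance::key_manager::barbican::service_user.`. The second hunk only forwards the value to the oslo define and needs nothing further.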
diff --git a/manifests/key_manager/barbican/service_user.pp b/manifests/key_manager/barbican/service_user.pp
new file mode 100644
index 00000000..1d17d564
--- /dev/null
+++ b/manifests/key_manager/barbican/service_user.pp
@@ -0,0 +1,94 @@
+# == Class: glance::key_manager::barbican::service_user
+#
+# Setup and configure the service token feature for Barbican Key Manager
+#
+# === Parameters
+#
+# [*password*]
+# (Required) Password to create for the service user
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'glance'
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://localhost:5000'
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to 'Default'
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $::os_service_default
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $::os_service_default.
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $::os_service_default.
+#
+class glance::key_manager::barbican::service_user(
+ $password,
+ $username = 'glance',
+ $auth_url = 'http://localhost:5000',
+ $project_name = 'services',
+ $user_domain_name = 'Default',
+ $project_domain_name = 'Default',
+ $insecure = $::os_service_default,
+ $auth_type = 'password',
+ $auth_version = $::os_service_default,
+ $cafile = $::os_service_default,
+ $certfile = $::os_service_default,
+ $keyfile = $::os_service_default,
+ $region_name = $::os_service_default,
+) {
+
+ include glance::deps
+
+ oslo::key_manager::barbican::service_user { 'glance_api_config':
+ username => $username,
+ password => $password,
+ auth_url => $auth_url,
+ project_name => $project_name,
+ user_domain_name => $user_domain_name,
+ project_domain_name => $project_domain_name,
+ insecure => $insecure,
+ auth_type => $auth_type,
+ auth_version => $auth_version,
+ cafile => $cafile,
+ certfile => $certfile,
+ keyfile => $keyfile,
+ region_name => $region_name,
+ }
+}
diff --git a/releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml b/releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml
new file mode 100644
index 00000000..7b7fb7e6
--- /dev/null
+++ b/releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ The following parameter and class have been added, to support usage of
+ the service token feature with the Barbican key manager.
+
+ - The ``glance::key_manager::barbican::send_service_user_token`` parameter
+ - The ``glance::key_manager::barbican::service_user`` class
diff --git a/spec/classes/glance_key_manager_barbican_service_user_spec.rb b/spec/classes/glance_key_manager_barbican_service_user_spec.rb
new file mode 100644
index 00000000..4665450a
--- /dev/null
+++ b/spec/classes/glance_key_manager_barbican_service_user_spec.rb
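Review bot: `$auth_url` defaults to `'http://localhost:5000'`, so with defaults the `$password` this class requires is presented to the identity endpoint over plaintext HTTP; the parameter doc should make that explicit, e.g. `#   (Optional) The URL to use for authentication. Use an https endpoint (with $cafile) outside of single-host test deployments; the default is plaintext.`. `$password` is declared untyped, and if `oslo::key_manager::barbican::service_user` accepts it, typing it as `Sensitive` (or wrapping it before forwarding) would keep the value out of catalog diffs and reports — I cannot tell from this hunk whether the oslo define supports that. The `[*keyfile*]` doc is a verbatim copy of `[*certfile*]`; `#   (Optional) Private key matching certfile, required if the identity server requires a client certificate` would tell the two apart.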
@@ -0,0 +1,79 @@
+require 'spec_helper'
+
+describe 'glance::key_manager::barbican::service_user' do
+ shared_examples 'glance::key_manager::barbican::service_user' do
+
+ let :params do
+ { :password => 'secret' }
+ end
+
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican__service_user('glance_api_config').with(
+ :username => 'glance',
+ :password => 'secret',
+ :auth_url => 'http://localhost:5000',
+ :project_name => 'services',
+ :user_domain_name => 'Default',
+ :project_domain_name => 'Default',
+ :insecure => '',
+ :auth_type => 'password',
+ :auth_version => '',
+ :cafile => '',
+ :certfile => '',
+ :keyfile => '',
+ :region_name => '',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ before :each do
+ params.merge!({
+ :username => 'alt_glance',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'alt_services',
+ :user_domain_name => 'Domain1',
+ :project_domain_name => 'Domain2',
+ :insecure => false,
+ :auth_type => 'v3password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'regionOne',
+ })
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican__service_user('glance_api_config').with(
+ :username => 'alt_glance',
+ :password => 'secret',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'alt_services',
+ :user_domain_name => 'Domain1',
+ :project_domain_name => 'Domain2',
+ :insecure => false,
+ :auth_type => 'v3password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'regionOne',
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'glance::key_manager::barbican::service_user'
+ end
+ end
+end
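Review bot: Both contexts supply `:password => 'secret'`, so the spec never exercises the one constraint the new class enforces itself — that `password` is required and the catalog fails without it. A third context with `let(:params) { {} }` and `it { is_expected.to compile.and_raise_error(/password/) }` would pin that; the exact wording comes from the Puppet version under test, so the regex should stay loose. The 'with specified parameters' context only sets `:insecure => false`, which is the safe direction and the same as not overriding; that is a minor gap since the value is merely forwarded to the oslo define.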
diff --git a/spec/classes/glance_key_manager_barbican_spec.rb b/spec/classes/glance_key_manager_barbican_spec.rb
index fd3c1f1b..5046a500 100644
--- a/spec/classes/glance_key_manager_barbican_spec.rb
+++ b/spec/classes/glance_key_manager_barbican_spec.rb
@@ -5,13 +5,14 @@ describe 'glance::key_manager::barbican' do
 context 'with default parameters' do
 it {
 is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
- :barbican_endpoint => '',
- :barbican_api_version => '',
- :auth_endpoint => '',
- :retry_delay => '',
- :number_of_retries => '',
- :barbican_endpoint_type => '',
- :barbican_region_name => '',
+ :barbican_endpoint => '',
+ :barbican_api_version => '',
+ :auth_endpoint => '',
+ :retry_delay => '',
+ :number_of_retries => '',
+ :barbican_endpoint_type => '',
+ :barbican_region_name => '',
+ :send_service_user_token => '',
 )
 }
 end
@@ -19,25 +20,27 @@ describe 'glance::key_manager::barbican' do
 context 'with specified parameters' do
 let :params do
 {
- :barbican_endpoint => 'http://localhost:9311/',
- :barbican_api_version => 'v1',
- :auth_endpoint => 'http://localhost:5000',
- :retry_delay => 1,
- :number_of_retries => 60,
- :barbican_endpoint_type => 'public',
- :barbican_region_name => 'regionOne',
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ :send_service_user_token => true,
 }
 end
 
 it {
 is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
- :barbican_endpoint => 'http://localhost:9311/',
- :barbican_api_version => 'v1',
- :auth_endpoint => 'http://localhost:5000',
- :retry_delay => 1,
- :number_of_retries => 60,
- :barbican_endpoint_type => 'public',
- :barbican_region_name => 'regionOne',
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ :send_service_user_token => true,
 )
 }
 end