openstack/puppet-manila
Code Issues Proposed changes

Fix missing session options for Barbican key manager

Browse Source 
... and also [barbican] send_service_user_token .

The support for these key manager options was added during this cycle
so no release note is added for this specific update.

Depends-on: https://review.opendev.org/960389
Change-Id: Ie06fd34bd912399f0ca5be3e965f325145886d8e
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
This commit is contained in:
Takashi Kajinami
2025-09-18 01:06:56 +09:00
parent 5e2b50d296
commit 3a121484c1
3 changed files with 106 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
manifests/key_manager/barbican.pp
View File

@@ -27,6 +27,33 @@
# (Optional) Specifies the region of the chosen endpoint.
# Defaults to $facts['os_service_default']
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true.
# Defaults to $facts['os_service_default']
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $facts['os_service_default']
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $facts['os_service_default'].
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $facts['os_service_default'].
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $facts['os_service_default'].
#
# [*timeout*]
# (Optional) Timeout value for connecting to barbican in seconds.
# Defaults to $facts['os_service_default']
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http://localhost:5000'
@@ -60,48 +87,47 @@
# looking up in the keystone catalog.
# Defaults to $facts['os_service_default']
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $facts['os_service_default']
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $facts['os_service_default'].
#
class manila::key_manager::barbican (
$password,
$barbican_endpoint = $facts['os_service_default'],
$barbican_api_version = $facts['os_service_default'],
$auth_endpoint = $facts['os_service_default'],
$barbican_endpoint_type = $facts['os_service_default'],
$barbican_region_name = $facts['os_service_default'],
$auth_url = 'http://localhost:5000',
$username = 'manila',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
$endpoint_type = $facts['os_service_default'],
$insecure = $facts['os_service_default'],
$auth_type = 'password',
$cafile = $facts['os_service_default'],
$barbican_endpoint = $facts['os_service_default'],
$barbican_api_version = $facts['os_service_default'],
$auth_endpoint = $facts['os_service_default'],
$barbican_endpoint_type = $facts['os_service_default'],
$barbican_region_name = $facts['os_service_default'],
$send_service_user_token = $facts['os_service_default'],
$insecure = $facts['os_service_default'],
$cafile = $facts['os_service_default'],
$certfile = $facts['os_service_default'],
$keyfile = $facts['os_service_default'],
$timeout = $facts['os_service_default'],
$auth_url = 'http://localhost:5000',
$username = 'manila',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
$endpoint_type = $facts['os_service_default'],
$auth_type = 'password',
) {
include manila::deps
oslo::key_manager::barbican { 'manila_config':
barbican_endpoint => $barbican_endpoint,
barbican_api_version => $barbican_api_version,
auth_endpoint => $auth_endpoint,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
barbican_endpoint => $barbican_endpoint,
barbican_api_version => $barbican_api_version,
auth_endpoint => $auth_endpoint,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
send_service_user_token => $send_service_user_token,
insecure => $insecure,
cafile => $cafile,
certfile => $certfile,
keyfile => $keyfile,
timeout => $timeout,
}
if is_service_default($system_scope) {
@@ -122,8 +148,6 @@ class manila::key_manager::barbican (
'barbican/system_scope': value => $system_scope;
'barbican/region_name': value => $region_name;
'barbican/endpoint_type': value => $endpoint_type;
'barbican/insecure': value => $insecure;
'barbican/auth_type': value => $auth_type;
'barbican/cafile': value => $cafile;
}
}

6
manifests/key_manager/barbican/service_user.pp
View File

@@ -58,6 +58,10 @@
# (Optional) Required if identity server requires client certificate
# Defaults to $facts['os_service_default'].
#
# [*timeout*]
# (Optional) Timeout value for connecting to keystone in seconds.
# Defaults to $facts['os_service_default']
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $facts['os_service_default'].
@@ -76,6 +80,7 @@ class manila::key_manager::barbican::service_user (
$cafile = $facts['os_service_default'],
$certfile = $facts['os_service_default'],
$keyfile = $facts['os_service_default'],
$timeout = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
) {
include manila::deps
@@ -94,6 +99,7 @@ class manila::key_manager::barbican::service_user (
cafile => $cafile,
certfile => $certfile,
keyfile => $keyfile,
timeout => $timeout,
region_name => $region_name,
}
}

72
spec/classes/manila_key_manager_barbican_spec.rb
View File

@@ -9,11 +9,17 @@ describe 'manila::key_manager::barbican' do
it {
is_expected.to contain_oslo__key_manager__barbican('manila_config').with(
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:send_service_user_token => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:cafile => '<SERVICE DEFAULT>',
:certfile => '<SERVICE DEFAULT>',
:keyfile => '<SERVICE DEFAULT>',
:timeout => '<SERVICE DEFAULT>',
)
is_expected.to contain_manila_config('barbican/username').with_value('manila')
@@ -25,41 +31,49 @@ describe 'manila::key_manager::barbican' do
is_expected.to contain_manila_config('barbican/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('barbican/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('barbican/endpoint_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('barbican/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('barbican/auth_type').with_value('password')
is_expected.to contain_manila_config('barbican/cafile').with_value('<SERVICE DEFAULT>')
}
end
context 'with specified parameters' do
let :params do
{
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:auth_url => 'http://127.0.0.1:5000',
:username => 'alt_manila',
:password => 'manilapassword',
:project_name => 'alt_services',
:user_domain_name => 'UserDomain',
:project_domain_name => 'ProjectDomain',
:region_name => 'regionOne',
:endpoint_type => 'publicURL',
:insecure => false,
:auth_type => 'v3password',
:cafile => 'cafile',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
:insecure => false,
:cafile => 'cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'somekey.key',
:timeout => 60,
:auth_url => 'http://127.0.0.1:5000',
:username => 'alt_manila',
:password => 'manilapassword',
:project_name => 'alt_services',
:user_domain_name => 'UserDomain',
:project_domain_name => 'ProjectDomain',
:region_name => 'regionOne',
:endpoint_type => 'publicURL',
:auth_type => 'v3password',
}
end
it {
is_expected.to contain_oslo__key_manager__barbican('manila_config').with(
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
:insecure => false,
:cafile => 'cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'somekey.key',
:timeout => 60,
)
is_expected.to contain_manila_config('barbican/username').with_value('alt_manila')
@@ -71,9 +85,7 @@ describe 'manila::key_manager::barbican' do
is_expected.to contain_manila_config('barbican/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('barbican/region_name').with_value('regionOne')
is_expected.to contain_manila_config('barbican/endpoint_type').with_value('publicURL')
is_expected.to contain_manila_config('barbican/insecure').with_value(false)
is_expected.to contain_manila_config('barbican/auth_type').with_value('v3password')
is_expected.to contain_manila_config('barbican/cafile').with_value('cafile')
}
end