Merge "key_manager: Add service user options for Barbican key manager"

This commit is contained in:
Zuul 2022-01-08 19:09:48 +00:00 committed by Gerrit Code Review
commit 44b3a2b331
5 changed files with 225 additions and 35 deletions

View File

@ -33,14 +33,19 @@
# (Optional) Specifies the region of the chosen endpoint.
# Defaults to $::os_service_default
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true.
# Defaults to $::os_service_default
#
class nova::key_manager::barbican (
$barbican_endpoint = $::os_service_default,
$barbican_api_version = $::os_service_default,
$auth_endpoint = $::os_service_default,
$retry_delay = $::os_service_default,
$number_of_retries = $::os_service_default,
$barbican_endpoint_type = $::os_service_default,
$barbican_region_name = $::os_service_default,
$barbican_endpoint = $::os_service_default,
$barbican_api_version = $::os_service_default,
$auth_endpoint = $::os_service_default,
$retry_delay = $::os_service_default,
$number_of_retries = $::os_service_default,
$barbican_endpoint_type = $::os_service_default,
$barbican_region_name = $::os_service_default,
$send_service_user_token = $::os_service_default,
) {
include nova::deps
@ -56,12 +61,13 @@ class nova::key_manager::barbican (
})
oslo::key_manager::barbican { 'nova_config':
barbican_endpoint => $barbican_endpoint_real,
barbican_api_version => $barbican_api_version_real,
auth_endpoint => $auth_endpoint_real,
retry_delay => $retry_delay,
number_of_retries => $number_of_retries,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
barbican_endpoint => $barbican_endpoint_real,
barbican_api_version => $barbican_api_version_real,
auth_endpoint => $auth_endpoint_real,
retry_delay => $retry_delay,
number_of_retries => $number_of_retries,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
send_service_user_token => $send_service_user_token,
}
}

View File

@ -0,0 +1,94 @@
# == Class: nova::key_manager::barbican::service_user
#
# Setup and configure the service token feature for Barbican Key Manager
#
# === Parameters
#
# [*password*]
# (Required) Password to create for the service user
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'nova'
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http://localhost:5000'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to 'Default'
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
class nova::key_manager::barbican::service_user(
$password,
$username = 'nova',
$auth_url = 'http://localhost:5000',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$insecure = $::os_service_default,
$auth_type = 'password',
$auth_version = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$keyfile = $::os_service_default,
$region_name = $::os_service_default,
) {
include nova::deps
oslo::key_manager::barbican::service_user { 'nova_config':
username => $username,
password => $password,
auth_url => $auth_url,
project_name => $project_name,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
insecure => $insecure,
auth_type => $auth_type,
auth_version => $auth_version,
cafile => $cafile,
certfile => $certfile,
keyfile => $keyfile,
region_name => $region_name,
}
}

View File

@ -0,0 +1,8 @@
---
features:
- |
The following parameter and class have been added, to support usage of
the service token feature with the Barbican key manager.
- The ``nova::key_manager::barbican::send_service_user_token`` parameter
- The ``nova::key_manager::barbican::service_user`` class

View File

@ -0,0 +1,79 @@
require 'spec_helper'
describe 'nova::key_manager::barbican::service_user' do
shared_examples 'nova::key_manager::barbican::service_user' do
let :params do
{ :password => 'secret' }
end
context 'with default parameters' do
it {
is_expected.to contain_oslo__key_manager__barbican__service_user('nova_config').with(
:username => 'nova',
:password => 'secret',
:auth_url => 'http://localhost:5000',
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:insecure => '<SERVICE DEFAULT>',
:auth_type => 'password',
:auth_version => '<SERVICE DEFAULT>',
:cafile => '<SERVICE DEFAULT>',
:certfile => '<SERVICE DEFAULT>',
:keyfile => '<SERVICE DEFAULT>',
:region_name => '<SERVICE DEFAULT>',
)
}
end
context 'with specified parameters' do
before :each do
params.merge!({
:username => 'alt_nova',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'alt_services',
:user_domain_name => 'Domain1',
:project_domain_name => 'Domain2',
:insecure => false,
:auth_type => 'v3password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'regionOne',
})
end
it {
is_expected.to contain_oslo__key_manager__barbican__service_user('nova_config').with(
:username => 'alt_nova',
:password => 'secret',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'alt_services',
:user_domain_name => 'Domain1',
:project_domain_name => 'Domain2',
:insecure => false,
:auth_type => 'v3password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'regionOne',
)
}
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge(OSDefaults.get_facts())
end
it_behaves_like 'nova::key_manager::barbican::service_user'
end
end
end

View File

@ -5,13 +5,14 @@ describe 'nova::key_manager::barbican' do
context 'with default parameters' do
it {
is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:retry_delay => '<SERVICE DEFAULT>',
:number_of_retries => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:retry_delay => '<SERVICE DEFAULT>',
:number_of_retries => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:send_service_user_token => '<SERVICE DEFAULT>',
)
is_expected.to contain_package('cryptsetup').with(
@ -24,25 +25,27 @@ describe 'nova::key_manager::barbican' do
context 'with specified parameters' do
let :params do
{
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
}
end
it {
is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
)
is_expected.to contain_package('cryptsetup').with(