From 572baa50c62014420dacd73f0b7d207b50aa0fbe Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 10 Jul 2025 23:26:10 +0900 Subject: [PATCH] Add support for castellan library options These options are used when castellan cert manager is used. Change-Id: I07824ef319409c8611c9900b3c778d6ed1852f93 Signed-off-by: Takashi Kajinami --- manifests/key_manager.pp | 20 ++++ manifests/key_manager/barbican.pp | 63 +++++++++++ .../key_manager/barbican/service_user.pp | 100 ++++++++++++++++++ .../castellan-opts-5a213e523d149586.yaml | 9 ++ ..._key_manager_barbican_service_user_spec.rb | 82 ++++++++++++++ .../octavia_key_manager_barbican_spec.rb | 60 +++++++++++ spec/classes/octavia_key_manager_spec.rb | 39 +++++++ 7 files changed, 373 insertions(+) create mode 100644 manifests/key_manager.pp create mode 100644 manifests/key_manager/barbican.pp create mode 100644 manifests/key_manager/barbican/service_user.pp create mode 100644 releasenotes/notes/castellan-opts-5a213e523d149586.yaml create mode 100644 spec/classes/octavia_key_manager_barbican_service_user_spec.rb create mode 100644 spec/classes/octavia_key_manager_barbican_spec.rb create mode 100644 spec/classes/octavia_key_manager_spec.rb
diff --git a/manifests/key_manager.pp b/manifests/key_manager.pp
new file mode 100644
index 00000000..00bb5476
--- /dev/null
+++ b/manifests/key_manager.pp
@@ -0,0 +1,20 @@
+# == Class: octavia::key_manager
+#
+# Setup and configure Key Manager options
+#
+# === Parameters
+#
+# [*backend*]
+# (Optional) Specify the key manager implementation.
+# Defaults to $facts['os_service_default']
+#
+class octavia::key_manager (
+ $backend = $facts['os_service_default'],
+) {
+
+ include octavia::deps
+
+ oslo::key_manager { 'octavia_config':
+ backend => $backend,
+ }
+}
diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp
new file mode 100644
index 00000000..b857cc66
--- /dev/null
+++ b/manifests/key_manager/barbican.pp
@@ -0,0 +1,63 @@
+# == Class: octavia::key_manager::barbican
+#
+# Setup and configure Barbican Key Manager options
+#
+# === Parameters
+#
+# [*barbican_endpoint*]
+# (Optional) Use this endpoint to connect to Barbican.
+# Defaults to $facts['os_service_default']
+#
+# [*barbican_api_version*]
+# (Optional) Version of the Barbican API.
+# Defaults to $facts['os_service_default']
+#
+# [*auth_endpoint*]
+# (Optional) Use this endpoint to connect to Keystone.
+# Defaults to $facts['os_service_default']
+#
+# [*retry_delay*]
+# (Optional) Number of seconds to wait before retrying poll for key creation
+# completion.
+# Defaults to $facts['os_service_default']
+#
+# [*number_of_retries*]
+# (Optional) Number of times to retry poll fo key creation completion.
+# Defaults to $facts['os_service_default']
+#
+# [*barbican_endpoint_type*]
+# (Optional) Specifies the type of endpoint.
+# Defaults to $facts['os_service_default']
+#
+# [*barbican_region_name*]
+# (Optional) Specifies the region of the chosen endpoint.
+# Defaults to $facts['os_service_default']
+#
+# [*send_service_user_token*]
+# (Optional) The service uses service token feature when this is set as true.
+# Defaults to $facts['os_service_default']
+#
+class octavia::key_manager::barbican (
+ $barbican_endpoint = $facts['os_service_default'],
+ $barbican_api_version = $facts['os_service_default'],
+ $auth_endpoint = $facts['os_service_default'],
+ $retry_delay = $facts['os_service_default'],
+ $number_of_retries = $facts['os_service_default'],
+ $barbican_endpoint_type = $facts['os_service_default'],
+ $barbican_region_name = $facts['os_service_default'],
+ $send_service_user_token = $facts['os_service_default'],
+) {
+
+ include octavia::deps
+
+ oslo::key_manager::barbican { 'octavia_config':
+ barbican_endpoint => $barbican_endpoint,
+ barbican_api_version => $barbican_api_version,
+ auth_endpoint => $auth_endpoint,
+ retry_delay => $retry_delay,
+ number_of_retries => $number_of_retries,
+ barbican_endpoint_type => $barbican_endpoint_type,
+ barbican_region_name => $barbican_region_name,
+ send_service_user_token => $send_service_user_token,
+ }
+}
diff --git a/manifests/key_manager/barbican/service_user.pp b/manifests/key_manager/barbican/service_user.pp
new file mode 100644
index 00000000..03138a7a
--- /dev/null
+++ b/manifests/key_manager/barbican/service_user.pp
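Review bot: The `number_of_retries` header entry in this hunk carries a typo, `retry poll fo key creation`; it should read `# (Optional) Number of times to retry poll for key creation completion.` The `send_service_user_token` entry would also help operators more if it named the dependency: the flag only does something once service user credentials exist, which in this patch is the job of the separate `octavia::key_manager::barbican::service_user` class, so a pointer such as `# Requires octavia::key_manager::barbican::service_user to be declared when set to true.` saves a round trip. Whether the underlying oslo define enforces that pairing is not visible in this patch, so the comment should be phrased as guidance rather than as a guarantee.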
@@ -0,0 +1,100 @@
+# == Class: octavia::key_manager::barbican::service_user
+#
+# Setup and configure the service token feature for Barbican Key Manager
+#
+# === Parameters
+#
+# [*password*]
+# (Required) Password to create for the service user
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'octavia'
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://localhost:5000'
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to 'Default'
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to $facts['os_service_default']
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $facts['os_service_default']
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $facts['os_service_default'].
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $facts['os_service_default'].
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $facts['os_service_default'].
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $facts['os_service_default'].
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $facts['os_service_default'].
+#
+class octavia::key_manager::barbican::service_user(
+ $password,
+ $username = 'octavia',
+ $auth_url = 'http://localhost:5000',
+ $project_name = 'services',
+ $user_domain_name = 'Default',
+ $project_domain_name = 'Default',
+ $system_scope = $facts['os_service_default'],
+ $insecure = $facts['os_service_default'],
+ $auth_type = 'password',
+ $auth_version = $facts['os_service_default'],
+ $cafile = $facts['os_service_default'],
+ $certfile = $facts['os_service_default'],
+ $keyfile = $facts['os_service_default'],
+ $region_name = $facts['os_service_default'],
+) {
+
+ include octavia::deps
+
+ oslo::key_manager::barbican::service_user { 'octavia_config':
+ username => $username,
+ password => $password,
+ auth_url => $auth_url,
+ project_name => $project_name,
+ user_domain_name => $user_domain_name,
+ project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
+ insecure => $insecure,
+ auth_type => $auth_type,
+ auth_version => $auth_version,
+ cafile => $cafile,
+ certfile => $certfile,
+ keyfile => $keyfile,
+ region_name => $region_name,
+ }
+}
diff --git a/releasenotes/notes/castellan-opts-5a213e523d149586.yaml b/releasenotes/notes/castellan-opts-5a213e523d149586.yaml
new file mode 100644
index 00000000..5d91c9ad
--- /dev/null
+++ b/releasenotes/notes/castellan-opts-5a213e523d149586.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The following classes have been added, to support configuring options used
+ by the castellan library.
+
+ - ``octavia::key_manager``
+ - ``octavia::key_manager::barbican``
+ - ``octavia::key_manager::barbican::service_user``
diff --git a/spec/classes/octavia_key_manager_barbican_service_user_spec.rb b/spec/classes/octavia_key_manager_barbican_service_user_spec.rb
new file mode 100644
index 00000000..fce5e3b5
--- /dev/null
+++ b/spec/classes/octavia_key_manager_barbican_service_user_spec.rb
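Review bot: The signature `class octavia::key_manager::barbican::service_user(` drops the space before the parameter list that the other two classes in this patch use (`class octavia::key_manager (` and `class octavia::key_manager::barbican (`); `class octavia::key_manager::barbican::service_user (` keeps the three manifests consistent. Since `password` is a credential that this class passes straight through to `oslo::key_manager::barbican::service_user` for the `octavia_config` target, its header entry should say so rather than only "Password to create for the service user", e.g. `# (Required) Password of the service user. It is passed to the oslo define and ends up in octavia's configuration, so treat the value as a secret.` The exact file and section it lands in are decided by the oslo define and are not visible in this patch, so the comment should not name them.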
@@ -0,0 +1,82 @@
+require 'spec_helper'
+
+describe 'octavia::key_manager::barbican::service_user' do
+ shared_examples 'octavia::key_manager::barbican::service_user' do
+
+ let :params do
+ { :password => 'secret' }
+ end
+
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican__service_user('octavia_config').with(
+ :username => 'octavia',
+ :password => 'secret',
+ :auth_url => 'http://localhost:5000',
+ :project_name => 'services',
+ :user_domain_name => 'Default',
+ :project_domain_name => 'Default',
+ :system_scope => '',
+ :insecure => '',
+ :auth_type => 'password',
+ :auth_version => '',
+ :cafile => '',
+ :certfile => '',
+ :keyfile => '',
+ :region_name => '',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ before :each do
+ params.merge!({
+ :username => 'alt_octavia',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'alt_services',
+ :user_domain_name => 'Domain1',
+ :project_domain_name => 'Domain2',
+ :system_scope => 'all',
+ :insecure => false,
+ :auth_type => 'v3password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'regionOne',
+ })
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican__service_user('octavia_config').with(
+ :username => 'alt_octavia',
+ :password => 'secret',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'alt_services',
+ :user_domain_name => 'Domain1',
+ :project_domain_name => 'Domain2',
+ :system_scope => 'all',
+ :insecure => false,
+ :auth_type => 'v3password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'regionOne',
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 
'octavia::key_manager::barbican::service_user'
+ end
+ end
+end
diff --git a/spec/classes/octavia_key_manager_barbican_spec.rb b/spec/classes/octavia_key_manager_barbican_spec.rb
new file mode 100644
index 00000000..e71b86ed
--- /dev/null
+++ b/spec/classes/octavia_key_manager_barbican_spec.rb
@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+describe 'octavia::key_manager::barbican' do
+ shared_examples 'octavia::key_manager::barbican' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('octavia_config').with(
+ :barbican_endpoint => '',
+ :barbican_api_version => '',
+ :auth_endpoint => '',
+ :retry_delay => '',
+ :number_of_retries => '',
+ :barbican_endpoint_type => '',
+ :barbican_region_name => '',
+ :send_service_user_token => '',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ :send_service_user_token => true,
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican('octavia_config').with(
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ :send_service_user_token => true,
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'octavia::key_manager::barbican'
+ end
+ end
+end
diff --git a/spec/classes/octavia_key_manager_spec.rb b/spec/classes/octavia_key_manager_spec.rb
new file mode 100644
index 00000000..00751bf2
--- /dev/null
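Review bot: The service_user spec never exercises the one parameter the class marks as required: `password` has no default in the manifest, yet both contexts supply `:password => 'secret'`, so a regression that quietly gave it a default (or dropped it from the oslo define call) would still pass. A third context inside the shared example, `context 'without password' do; let(:params) { {} }; it { is_expected.to raise_error(Puppet::Error) }; end`, pins that the catalog fails to compile without it. The `with specified parameters` context also only checks `:insecure => false`, which is the safe value; a case with `true` would confirm the flag operators actually need to audit is passed through unchanged, though the passthrough in the manifest is symmetric so this is a lesser point.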
+++ b/spec/classes/octavia_key_manager_spec.rb
@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'octavia::key_manager' do
+ shared_examples 'octavia::key_manager' do
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager('octavia_config').with(
+ :backend => ''
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ let :params do
+ {
+ :backend => 'barbican'
+ }
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager('octavia_config').with(
+ :backend => 'barbican'
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'octavia::key_manager'
+ end
+ end
+end