scenario002: enable Barbican and Volume Encryption testing

Start testing Barbican for real.

Depends-On: I7a51c1a3baae5fd96b75cc73acd4c8c3e2c4ade5
Change-Id: I034a38bb7adde9f39db99b1a82715ce11e8ca63b

README.md

@@ -52,6 +52,7 @@ scenario](#All-In-One).
 | horizon    |             |             |       X     |       X      |
 | ironic     |             |       X     |             |              |
 | zaqar      |             |       X     |             |              |
+| barbican   |             |       X     |             |              |
 | ceph       |      X      |             |             |              |
 | mongodb    |             |       X     |             |              |
 

fixtures/scenario002.pp

@@ -16,13 +16,17 @@
 
 case $::osfamily {
   'Debian': {
-    $ipv6           = false
+    $ipv6             = false
     # zaqar is not packaged in Ubuntu Trusty
-    $zaqar_enabled  = false
+    $zaqar_enabled    = false
+    # we'll start testing barbican after Newton stable, Ubuntu packaging is not
+    # updated enough.
+    $barbican_enabled = false
   }
   'RedHat': {
-    $ipv6           = true
-    $zaqar_enabled  = true
+    $ipv6               = true
+    $zaqar_enabled      = true
+    $barbican_enabled   = true
   }
   default: {
     fail("Unsupported osfamily (${::osfamily})")
@@ -49,18 +53,28 @@ class { '::openstack_integration::glance':
   backend => 'swift',
 }
 include ::openstack_integration::neutron
-include ::openstack_integration::nova
-include ::openstack_integration::cinder
 include ::openstack_integration::swift
 include ::openstack_integration::ironic
 include ::openstack_integration::zaqar
 include ::openstack_integration::mongodb
 include ::openstack_integration::provision
 
+class { '::openstack_integration::nova':
+  volume_encryption => $barbican_enabled,
+}
+
+class { '::openstack_integration::cinder':
+  volume_encryption => $barbican_enabled,
+}
+
+if $barbican_enabled {
+  include ::openstack_integration::barbican
+}
 
 class { '::openstack_integration::tempest':
-  cinder => true,
-  swift  => true,
-  ironic => true,
-  zaqar  => $zaqar_enabled,
+  cinder                  => true,
+  swift                   => true,
+  ironic                  => true,
+  zaqar                   => $zaqar_enabled,
+  attach_encrypted_volume => $barbican_enabled,
 }

manifests/barbican.pp

@@ -0,0 +1,74 @@
+class openstack_integration::barbican {
+
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
+  rabbitmq_user { 'barbican':
+    admin    => true,
+    password => 'an_even_bigger_secret',
+    provider => 'rabbitmqctl',
+    require  => Class['::rabbitmq'],
+  }
+  rabbitmq_user_permissions { 'barbican@/':
+    configure_permission => '.*',
+    write_permission     => '.*',
+    read_permission      => '.*',
+    provider             => 'rabbitmqctl',
+    require              => Class['::rabbitmq'],
+  }
+  Rabbitmq_user_permissions['barbican@/'] -> Service<| tag == 'barbican-service' |>
+
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'barbican':
+      notify  => Service['httpd'],
+      require => Package['barbican-api'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
+  include ::barbican
+  class { '::barbican::db::mysql':
+    password => 'barbican',
+  }
+  class { '::barbican::db':
+    database_connection => 'mysql+pymysql://barbican:barbican@127.0.0.1/barbican?charset=utf8',
+  }
+  class { '::barbican::keystone::auth':
+    public_url   => "${::openstack_integration::config::base_url}:9311",
+    internal_url => "${::openstack_integration::config::base_url}:9311",
+    admin_url    => "${::openstack_integration::config::base_url}:9311",
+    password     => 'a_big_secret',
+  }
+  include ::barbican::quota
+  include ::barbican::keystone::notification
+  class { '::barbican::api::logging':
+    debug => true,
+  }
+  class { '::barbican::api':
+    host_href                   => "${::openstack_integration::config::base_url}:9311",
+    auth_type                   => 'keystone',
+    keystone_password           => 'a_big_secret',
+    service_name                => 'httpd',
+    enabled_certificate_plugins => ['simple_certificate'],
+    db_auto_create              => false,
+    auth_url                    => "${::openstack_integration::config::keystone_admin_uri}/v3",
+    rabbit_userid               => 'barbican',
+    rabbit_password             => 'an_even_bigger_secret',
+    rabbit_port                 => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl              => $::openstack_integration::config::ssl,
+    rabbit_host                 => $::openstack_integration::config::ip_for_url,
+  }
+  # add me in puppet-barbican
+  barbican_config {
+    'keystone_authtoken/auth_uri': value => "${::openstack_integration::config::keystone_auth_uri}/v3";
+  }
+  include ::apache
+  class { '::barbican::wsgi::apache':
+    bind_host => $::openstack_integration::config::ip_for_url,
+    ssl       => $::openstack_integration::config::ssl,
+    ssl_key   => "/etc/barbican/ssl/private/${::fqdn}.pem",
+    ssl_cert  => $::openstack_integration::params::cert_path,
+    workers   => 2,
+  }
+
+}

manifests/cinder.pp

@@ -5,8 +5,13 @@
 #   Can be 'iscsi' or 'rbd'.
 #   Defaults to 'iscsi'.
 #
+# [*volume_encryption*]
+#   (optional) Boolean to configure or not volume encryption
+#   Defaults to false.
+#
 class openstack_integration::cinder (
-  $backend = 'iscsi',
+  $backend           = 'iscsi',
+  $volume_encryption = false,
 ) {
 
   include ::openstack_integration::config
@@ -57,13 +62,29 @@ class openstack_integration::cinder (
     rabbit_use_ssl      => $::openstack_integration::config::ssl,
     debug               => true,
   }
-  class { '::cinder::api':
-    keystone_password   => 'a_big_secret',
+  if $volume_encryption {
+    $keymgr_api_class           = 'cinder.keymgr.barbican.BarbicanKeyManager'
+    $keymgr_encryption_api_url  = "${::openstack_integration::config::base_url}:9311/v1"
+    $keymgr_encryption_auth_url = "${::openstack_integration::config::keystone_auth_uri}/v3"
+  } else {
+    $keymgr_api_class           = undef
+    $keymgr_encryption_api_url  = undef
+    $keymgr_encryption_auth_url = undef
+  }
+  class { '::cinder::keystone::authtoken':
+    password            => 'a_big_secret',
+    user_domain_name    => 'Default',
+    project_domain_name => 'Default',
+    auth_url            => $::openstack_integration::config::keystone_admin_uri,
     auth_uri            => $::openstack_integration::config::keystone_auth_uri,
-    identity_uri        => $::openstack_integration::config::keystone_admin_uri,
-    default_volume_type => 'BACKEND_1',
-    public_endpoint     => "${::openstack_integration::config::base_url}:8776",
-    service_name        => 'httpd',
+  }
+  class { '::cinder::api':
+    default_volume_type        => 'BACKEND_1',
+    public_endpoint            => "${::openstack_integration::config::base_url}:8776",
+    service_name               => 'httpd',
+    keymgr_api_class           => $keymgr_api_class,
+    keymgr_encryption_api_url  => $keymgr_encryption_api_url,
+    keymgr_encryption_auth_url => $keymgr_encryption_auth_url,
   }
   include ::apache
   class { '::cinder::wsgi::apache':
@@ -81,7 +102,7 @@ class openstack_integration::cinder (
   }
   class { '::cinder::cron::db_purge': }
   class { '::cinder::glance':
-    glance_api_servers  => "${::openstack_integration::config::base_url}:9292",
+    glance_api_servers => "${::openstack_integration::config::base_url}:9292",
   }
   case $backend {
     'iscsi': {

manifests/keystone.pp

@@ -97,4 +97,19 @@ class openstack_integration::keystone (
     user_domain    => 'default',
     auth_url       => "${::openstack_integration::config::keystone_auth_uri}/v3/",
   }
+
+  # We need tempest users to have the creator role to be able to store
+  # secrets in barbican.  We do this by adding the creator role to the
+  # tempest_roles list in tempest.conf.
+  # We also need the Member role for some swift container tests.
+  # Ordinarily tempest code in dynamic_creds.py would create
+  # this role and assign users to it.  This code is not executed, however,
+  # when tempest_roles is defined.  Therefore we need to make sure this
+  # role is created here, and added to tempest_roles.
+  keystone_role { 'creator':
+    ensure => present,
+  }
+  keystone_role { 'Member':
+    ensure => present,
+  }
 }

manifests/nova.pp

@@ -5,8 +5,13 @@
 #   to use Libvirt RBD backend.
 #   Defaults to false.
 #
+# [*volume_encryption*]
+#   (optional) Boolean to configure or not volume encryption
+#   Defaults to false.
+#
 class openstack_integration::nova (
-  $libvirt_rbd = false,
+  $libvirt_rbd       = false,
+  $volume_encryption = false,
 ) {
 
   include ::openstack_integration::config
@@ -83,10 +88,22 @@ class openstack_integration::nova (
   class { '::nova::conductor': }
   class { '::nova::consoleauth': }
   class { '::nova::cron::archive_deleted_rows': }
+  if $volume_encryption {
+    $keymgr_api_class     = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
+    $keymgr_auth_endpoint = "${::openstack_integration::config::keystone_auth_uri}/v3"
+    $barbican_endpoint    = "${::openstack_integration::config::base_url}:9311"
+  } else {
+    $keymgr_api_class     = undef
+    $keymgr_auth_endpoint = undef
+    $barbican_endpoint    = undef
+  }
   class { '::nova::compute':
     vnc_enabled                 => true,
     instance_usage_audit        => true,
     instance_usage_audit_period => 'hour',
+    keymgr_api_class            => $keymgr_api_class,
+    barbican_auth_endpoint      => $keymgr_auth_endpoint,
+    barbican_endpoint           => $barbican_endpoint,
   }
   class { '::nova::compute::libvirt':
     libvirt_virt_type     => 'qemu',

manifests/tempest.pp

@@ -60,22 +60,27 @@
 #   (optional) Define if Zaqar needs to be tested.
 #   Default to false.
 #
+# [*attach_encrypted_volume*]
+#   (optional) Define if Encrypted Volumes need to be tested.
+#   Default to false.
+#
 class openstack_integration::tempest (
-  $aodh       = false,
-  $ceilometer = false,
-  $cinder     = false,
-  $glance     = true,
-  $gnocchi    = false,
-  $heat       = false,
-  $horizon    = false,
-  $ironic     = false,
-  $mistral    = false,
-  $neutron    = true,
-  $nova       = true,
-  $sahara     = false,
-  $swift      = false,
-  $trove      = false,
-  $zaqar      = false,
+  $aodh                    = false,
+  $ceilometer              = false,
+  $cinder                  = false,
+  $glance                  = true,
+  $gnocchi                 = false,
+  $heat                    = false,
+  $horizon                 = false,
+  $ironic                  = false,
+  $mistral                 = false,
+  $neutron                 = true,
+  $nova                    = true,
+  $sahara                  = false,
+  $swift                   = false,
+  $trove                   = false,
+  $zaqar                   = false,
+  $attach_encrypted_volume = false,
 ) {
 
   include ::openstack_integration::config
@@ -107,6 +112,7 @@ class openstack_integration::tempest (
     admin_password          => 'a_big_secret',
     admin_domain_name       => 'Default',
     auth_version            => 'v3',
+    tempest_roles           => ['Member', 'creator'], # needed to use barbican.
     image_name              => 'cirros',
     image_name_alt          => 'cirros_alt',
     cinder_available        => $cinder,
@@ -136,6 +142,7 @@ class openstack_integration::tempest (
     compute_build_interval  => 10,
     ca_certificates_file    => $::openstack_integration::params::ca_bundle_cert_path,
     manage_tests_packages   => true,
+    attach_encrypted_volume => $attach_encrypted_volume,
     # TODO(emilien) optimization by 1/ using Hiera to configure Glance image source
     # and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image.
     # img_dir               => '/home/jenkins/cache/files',

run_tests.sh

@@ -190,6 +190,9 @@ TESTS="${TESTS} api.baremetal.admin.test_drivers"
 # Zaqar
 TESTS="${TESTS} TestManageQueue"
 
+# Cinder encrypted volumes
+TESTS="${TESTS} TestEncryptedCinderVolumes"
+
 print_header 'Running Tempest'
 cd /tmp/openstack/tempest