diff --git a/README.md b/README.md index fe622228c..0b21c9937 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ scenario](#All-In-One). | horizon | | | X | X | | ironic | | X | | | | zaqar | | X | | | +| barbican | | X | | | | ceph | X | | | | | mongodb | | X | | | diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp index 6ae38c67e..507a005c4 100644 --- a/fixtures/scenario002.pp +++ b/fixtures/scenario002.pp @@ -16,13 +16,17 @@ case $::osfamily { 'Debian': { - $ipv6 = false + $ipv6 = false # zaqar is not packaged in Ubuntu Trusty - $zaqar_enabled = false + $zaqar_enabled = false + # we'll start testing barbican after Newton stable, Ubuntu packaging is not + # updated enough. + $barbican_enabled = false } 'RedHat': { - $ipv6 = true - $zaqar_enabled = true + $ipv6 = true + $zaqar_enabled = true + $barbican_enabled = true } default: { fail("Unsupported osfamily (${::osfamily})") @@ -49,18 +53,28 @@ class { '::openstack_integration::glance': backend => 'swift', } include ::openstack_integration::neutron -include ::openstack_integration::nova -include ::openstack_integration::cinder include ::openstack_integration::swift include ::openstack_integration::ironic include ::openstack_integration::zaqar include ::openstack_integration::mongodb include ::openstack_integration::provision +class { '::openstack_integration::nova': + volume_encryption => $barbican_enabled, +} + +class { '::openstack_integration::cinder': + volume_encryption => $barbican_enabled, +} + +if $barbican_enabled { + include ::openstack_integration::barbican +} class { '::openstack_integration::tempest': - cinder => true, - swift => true, - ironic => true, - zaqar => $zaqar_enabled, + cinder => true, + swift => true, + ironic => true, + zaqar => $zaqar_enabled, + attach_encrypted_volume => $barbican_enabled, } diff --git a/manifests/barbican.pp b/manifests/barbican.pp new file mode 100644 index 000000000..ed07a557b --- /dev/null +++ b/manifests/barbican.pp 
@@ -0,0 +1,74 @@
+class openstack_integration::barbican {
+
+ include ::openstack_integration::config
+ include ::openstack_integration::params
+
+ rabbitmq_user { 'barbican':
+ admin => true,
+ password => 'an_even_bigger_secret',
+ provider => 'rabbitmqctl',
+ require => Class['::rabbitmq'],
+ }
+ rabbitmq_user_permissions { 'barbican@/':
+ configure_permission => '.*',
+ write_permission => '.*',
+ read_permission => '.*',
+ provider => 'rabbitmqctl',
+ require => Class['::rabbitmq'],
+ }
+ Rabbitmq_user_permissions['barbican@/'] -> Service<| tag == 'barbican-service' |>
+
+ if $::openstack_integration::config::ssl {
+ openstack_integration::ssl_key { 'barbican':
+ notify => Service['httpd'],
+ require => Package['barbican-api'],
+ }
+ Exec['update-ca-certificates'] ~> Service['httpd']
+ }
+
+ include ::barbican
+ class { '::barbican::db::mysql':
+ password => 'barbican',
+ }
+ class { '::barbican::db':
+ database_connection => 'mysql+pymysql://barbican:barbican@127.0.0.1/barbican?charset=utf8',
+ }
+ class { '::barbican::keystone::auth':
+ public_url => "${::openstack_integration::config::base_url}:9311",
+ internal_url => "${::openstack_integration::config::base_url}:9311",
+ admin_url => "${::openstack_integration::config::base_url}:9311",
+ password => 'a_big_secret',
+ }
+ include ::barbican::quota
+ include ::barbican::keystone::notification
+ class { '::barbican::api::logging':
+ debug => true,
+ }
+ class { '::barbican::api':
+ host_href => "${::openstack_integration::config::base_url}:9311",
+ auth_type => 'keystone',
+ keystone_password => 'a_big_secret',
+ service_name => 'httpd',
+ enabled_certificate_plugins => ['simple_certificate'],
+ db_auto_create => false,
+ auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
+ rabbit_userid => 'barbican',
+ rabbit_password => 'an_even_bigger_secret',
+ rabbit_port => $::openstack_integration::config::rabbit_port,
+ rabbit_use_ssl => $::openstack_integration::config::ssl,
+ rabbit_host =>
$::openstack_integration::config::ip_for_url, + } + # add me in puppet-barbican + barbican_config { + 'keystone_authtoken/auth_uri': value => "${::openstack_integration::config::keystone_auth_uri}/v3"; + } + include ::apache + class { '::barbican::wsgi::apache': + bind_host => $::openstack_integration::config::ip_for_url, + ssl => $::openstack_integration::config::ssl, + ssl_key => "/etc/barbican/ssl/private/${::fqdn}.pem", + ssl_cert => $::openstack_integration::params::cert_path, + workers => 2, + } + +} diff --git a/manifests/cinder.pp b/manifests/cinder.pp index 98a2acffa..24922ee31 100644 --- a/manifests/cinder.pp +++ b/manifests/cinder.pp @@ -5,8 +5,13 @@ # Can be 'iscsi' or 'rbd'. # Defaults to 'iscsi'. # +# [*volume_encryption*] +# (optional) Boolean to configure or not volume encryption +# Defaults to false. +# class openstack_integration::cinder ( - $backend = 'iscsi', + $backend = 'iscsi', + $volume_encryption = false, ) { include ::openstack_integration::config 
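Review bot: The `rabbitmq_user { 'barbican': admin => true }` together with `.*` configure/write/read permissions on the `/` vhost hands the key-manager service full broker-administration rights, which a client that only publishes notifications and RPC messages does not need; `admin => false` with the same vhost permissions would follow least privilege, unless the other service manifests in this repository deliberately share the admin pattern. The rest of the class is a test-only configuration and should say so: `enabled_certificate_plugins => ['simple_certificate']` selects the dummy certificate plugin, nothing in the hunk configures a secret-store backend or a simple_crypto KEK (so barbican presumably runs on its default software backend and default key), and the DB password `barbican` plus the keystone and rabbit passwords are fixed literals. A header comment such as `# CI-only: credentials are hard-coded and barbican keeps its default secret-store backend; do not reuse outside the integration gate` would keep this from being copied as a template.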
@@ -57,13 +62,29 @@ class openstack_integration::cinder ( rabbit_use_ssl => $::openstack_integration::config::ssl, debug => true, } - class { '::cinder::api': - keystone_password => 'a_big_secret', + if $volume_encryption { + $keymgr_api_class = 'cinder.keymgr.barbican.BarbicanKeyManager' + $keymgr_encryption_api_url = "${::openstack_integration::config::base_url}:9311/v1" + $keymgr_encryption_auth_url = "${::openstack_integration::config::keystone_auth_uri}/v3" + } else { + $keymgr_api_class = undef + $keymgr_encryption_api_url = undef + $keymgr_encryption_auth_url = undef + } + class { '::cinder::keystone::authtoken': + password => 'a_big_secret', + user_domain_name => 'Default', + project_domain_name => 'Default', + auth_url => $::openstack_integration::config::keystone_admin_uri, auth_uri => $::openstack_integration::config::keystone_auth_uri, - identity_uri => $::openstack_integration::config::keystone_admin_uri, - default_volume_type => 'BACKEND_1', - public_endpoint => "${::openstack_integration::config::base_url}:8776", - service_name => 'httpd', + } + class { '::cinder::api': + default_volume_type => 'BACKEND_1', + public_endpoint => "${::openstack_integration::config::base_url}:8776", + service_name => 'httpd', + keymgr_api_class => $keymgr_api_class, + keymgr_encryption_api_url => $keymgr_encryption_api_url, + keymgr_encryption_auth_url => $keymgr_encryption_auth_url, } include ::apache class { '::cinder::wsgi::apache': @@ -81,7 +102,7 @@ class openstack_integration::cinder ( } class { '::cinder::cron::db_purge': } class { '::cinder::glance': - glance_api_servers => "${::openstack_integration::config::base_url}:9292", + glance_api_servers => "${::openstack_integration::config::base_url}:9292", } case $backend { 'iscsi': { diff --git a/manifests/keystone.pp b/manifests/keystone.pp index 64d63b35a..0af3d4a40 100644 --- a/manifests/keystone.pp +++ b/manifests/keystone.pp 
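Review bot: `keymgr_api_class` points at the in-tree `cinder.keymgr.barbican.BarbicanKeyManager`, while the nova side of the same commit (manifests/nova.pp) uses castellan's `castellan.key_manager.barbican_key_manager.BarbicanKeyManager`; if the cinder release this fixture targets already ships castellan the two should agree, since cinder's in-tree key manager was deprecated in favour of castellan — check the target release before changing it. The three `undef` assignments in the else branch also deserve a why-comment, e.g. `# undef leaves puppet-cinder's defaults untouched, so no key manager is configured without barbican`, assuming puppet-cinder treats undef as "do not manage", which this hunk does not show. The `openstack_integration::cinder` class starts before and continues after this hunk.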
@@ -97,4 +97,19 @@ class openstack_integration::keystone ( user_domain => 'default', auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/", } + + # We need tempest users to have the creator role to be able to store + # secrets in barbican. We do this by adding the creator role to the + # tempest_roles list in tempest.conf. + # We also need the Member role for some swift container tests. + # Ordinarily tempest code in dynamic_creds.py would create + # this role and assign users to it. This code is not executed, however, + # when tempest_roles is defined. Therefore we need to make sure this + # role is created here, and added to tempest_roles. + keystone_role { 'creator': + ensure => present, + } + keystone_role { 'Member': + ensure => present, + } } diff --git a/manifests/nova.pp b/manifests/nova.pp index 95a31ad98..311c67fe0 100644 --- a/manifests/nova.pp +++ b/manifests/nova.pp @@ -5,8 +5,13 @@ # to use Libvirt RBD backend. # Defaults to false. # +# [*volume_encryption*] +# (optional) Boolean to configure or not volume encryption +# Defaults to false. +# class openstack_integration::nova ( - $libvirt_rbd = false, + $libvirt_rbd = false, + $volume_encryption = false, ) { include ::openstack_integration::config 
@@ -83,10 +88,22 @@ class openstack_integration::nova ( class { '::nova::conductor': } class { '::nova::consoleauth': } class { '::nova::cron::archive_deleted_rows': } + if $volume_encryption { + $keymgr_api_class = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager' + $keymgr_auth_endpoint = "${::openstack_integration::config::keystone_auth_uri}/v3" + $barbican_endpoint = "${::openstack_integration::config::base_url}:9311" + } else { + $keymgr_api_class = undef + $keymgr_auth_endpoint = undef + $barbican_endpoint = undef + } class { '::nova::compute': vnc_enabled => true, instance_usage_audit => true, instance_usage_audit_period => 'hour', + keymgr_api_class => $keymgr_api_class, + barbican_auth_endpoint => $keymgr_auth_endpoint, + barbican_endpoint => $barbican_endpoint, } class { '::nova::compute::libvirt': libvirt_virt_type => 'qemu', diff --git a/manifests/tempest.pp b/manifests/tempest.pp index c3bd683c2..a039e3619 100644 --- a/manifests/tempest.pp +++ b/manifests/tempest.pp @@ -60,22 +60,27 @@ # (optional) Define if Zaqar needs to be tested. # Default to false. # +# [*attach_encrypted_volume*] +# (optional) Define if Encrypted Volumes need to be tested. +# Default to false. +# class openstack_integration::tempest ( - $aodh = false, - $ceilometer = false, - $cinder = false, - $glance = true, - $gnocchi = false, - $heat = false, - $horizon = false, - $ironic = false, - $mistral = false, - $neutron = true, - $nova = true, - $sahara = false, - $swift = false, - $trove = false, - $zaqar = false, + $aodh = false, + $ceilometer = false, + $cinder = false, + $glance = true, + $gnocchi = false, + $heat = false, + $horizon = false, + $ironic = false, + $mistral = false, + $neutron = true, + $nova = true, + $sahara = false, + $swift = false, + $trove = false, + $zaqar = false, + $attach_encrypted_volume = false, ) { include ::openstack_integration::config 
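Review bot: The three locals feeding `nova::compute` are named inconsistently — `$keymgr_api_class` and `$keymgr_auth_endpoint` versus `$barbican_endpoint` — while the parameter the second one feeds is `barbican_auth_endpoint`; naming them after the parameters (`$barbican_auth_endpoint`) keeps them grep-able against the puppet-nova interface and matches the keymgr_ prefix convention used in manifests/cinder.pp of this commit. The `undef` branch would also benefit from a why-comment, e.g. `# undef keeps puppet-nova's defaults, i.e. no key manager unless barbican is enabled`, hedged as an assumption about how puppet-nova handles undef, which the hunk does not show. Note that `barbican_endpoint` is the unversioned `${base_url}:9311` whereas cinder.pp passes `:9311/v1`; presumably castellan and cinder's in-tree key manager expect different forms, but a one-line comment stating that would save the next reader a check. The `openstack_integration::nova` class starts before and ends after this hunk.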
@@ -107,6 +112,7 @@ class openstack_integration::tempest ( admin_password => 'a_big_secret', admin_domain_name => 'Default', auth_version => 'v3', + tempest_roles => ['Member', 'creator'], # needed to use barbican. image_name => 'cirros', image_name_alt => 'cirros_alt', cinder_available => $cinder, @@ -136,6 +142,7 @@ class openstack_integration::tempest ( compute_build_interval => 10, ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path, manage_tests_packages => true, + attach_encrypted_volume => $attach_encrypted_volume, # TODO(emilien) optimization by 1/ using Hiera to configure Glance image source # and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image. # img_dir => '/home/jenkins/cache/files', diff --git a/run_tests.sh b/run_tests.sh index 75c23d026..6a73deede 100755 --- a/run_tests.sh +++ b/run_tests.sh @@ -190,6 +190,9 @@ TESTS="${TESTS} api.baremetal.admin.test_drivers" # Zaqar TESTS="${TESTS} TestManageQueue" +# Cinder encrypted volumes +TESTS="${TESTS} TestEncryptedCinderVolumes" + print_header 'Running Tempest' cd /tmp/openstack/tempest
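Review bot: `tempest_roles => ['Member', 'creator']` is set unconditionally rather than only when barbican is tested, and the trailing comment `# needed to use barbican.` leaves out the consequence: once tempest_roles is defined tempest stops creating roles dynamically (as the keystone.pp comment in this commit explains), so both roles must pre-exist in every scenario, which is why `openstack_integration::keystone` now creates them unconditionally. Replace the comment with `# creator: barbican secret access; Member: swift container tests. Defining tempest_roles disables tempest's dynamic role creation, so both roles are created in openstack_integration::keystone`. The `openstack_integration::tempest` class resource starts and ends outside this hunk.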
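Review bot: `TestEncryptedCinderVolumes` is appended to TESTS for every scenario, but in this commit only scenario002 on RedHat enables `attach_encrypted_volume`; the selection presumably relies on tempest skipping the class when `compute-feature-enabled.attach_encrypted_volume` is false, and that dependency is worth stating next to the line: `# Cinder encrypted volumes (tempest skips this unless attach_encrypted_volume is enabled in tempest.conf)`. If tempest does not self-skip on the targeted release, the test will fail rather than skip on the Debian and single-node scenarios, so the skip behaviour should be confirmed before merging.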