diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp index 1c434fe..d2abddc 100644 --- a/manifests/key_manager/barbican.pp +++ b/manifests/key_manager/barbican.pp 
@@ -37,25 +37,31 @@ # (Optional) Specifies the region of the chosen endpoint. # Defaults to $::os_service_default # +# [*send_service_user_token*] +# (Optional) The service uses service token feature when this is set as true. +# Defaults to $::os_service_default +# define oslo::key_manager::barbican ( - $config = $name, - $barbican_endpoint = $::os_service_default, - $barbican_api_version = $::os_service_default, - $auth_endpoint = $::os_service_default, - $retry_delay = $::os_service_default, - $number_of_retries = $::os_service_default, - $barbican_endpoint_type = $::os_service_default, - $barbican_region_name = $::os_service_default, + $config = $name, + $barbican_endpoint = $::os_service_default, + $barbican_api_version = $::os_service_default, + $auth_endpoint = $::os_service_default, + $retry_delay = $::os_service_default, + $number_of_retries = $::os_service_default, + $barbican_endpoint_type = $::os_service_default, + $barbican_region_name = $::os_service_default, + $send_service_user_token = $::os_service_default, ) { $barbican_options = { - 'barbican/barbican_endpoint' => { value => $barbican_endpoint }, - 'barbican/barbican_api_version' => { value => $barbican_api_version }, - 'barbican/auth_endpoint' => { value => $auth_endpoint }, - 'barbican/retry_delay' => { value => $retry_delay }, - 'barbican/number_of_retries' => { value => $number_of_retries }, - 'barbican/barbican_endpoint_type' => { value => $barbican_endpoint_type }, - 'barbican/barbican_region_name' => { value => $barbican_region_name }, + 'barbican/barbican_endpoint' => { value => $barbican_endpoint }, + 'barbican/barbican_api_version' => { value => $barbican_api_version }, + 'barbican/auth_endpoint' => { value => $auth_endpoint }, + 'barbican/retry_delay' => { value => $retry_delay }, + 'barbican/number_of_retries' => { value => $number_of_retries }, + 'barbican/barbican_endpoint_type' => { value => $barbican_endpoint_type }, + 'barbican/barbican_region_name' => { value => 
$barbican_region_name }, + 'barbican/send_service_user_token' => { value => $send_service_user_token }, } create_resources($config, $barbican_options) diff --git a/manifests/key_manager/barbican/service_user.pp b/manifests/key_manager/barbican/service_user.pp new file mode 100644 index 0000000..0773c97 --- /dev/null +++ b/manifests/key_manager/barbican/service_user.pp 
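Review bot: The doc comment for the new `send_service_user_token` parameter is grammatically off ("The service uses service token feature when this is set as true") and does not tell the operator what else has to be in place for the flag to be meaningful. Since this same commit adds the companion `oslo::key_manager::barbican::service_user` define for the `barbican_service_user` section, the comment should cross-reference it, e.g. `# (Optional) Whether to send a service user token to Barbican. When true, the` / `# barbican_service_user section should also be configured, e.g. via` / `# oslo::key_manager::barbican::service_user.` The define's header comment block starts outside the hunk.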
@@ -0,0 +1,97 @@ +# == Definition: oslo::key_manager::barbican::service_user +# +# Setup and configure the service token feature for Barbican Key Manager +# +# == Parameters: +# +# [*name*] +# (Required) The name of the resource corresponding to the config file. +# For example, oslo::key_manager::barbican::service_user { 'nova_config': ... } +# Where 'nova_config' is the name of the resource used to manage +# the nova configuration. +# +# [*username*] +# (Required) The name of the service user +# +# [*password*] +# (Required) Password to create for the service user +# +# [*auth_url*] +# (Required) The URL to use for authentication. +# +# [*project_name*] +# (Required) Service project name +# +# [*user_domain_name*] +# (Optional) Name of domain for $username +# Defaults to $::os_service_default +# +# [*project_domain_name*] +# (Optional) Name of domain for $project_name +# Defaults to $::os_service_default +# +# [*insecure*] +# (Optional) If true, explicitly allow TLS without checking server cert +# against any certificate authorities. WARNING: not recommended. Use with +# caution. +# Defaults to $::os_service_default +# +# [*auth_type*] +# (Optional) Authentication type to load +# Defaults to $::os_service_default +# +# [*auth_version*] +# (Optional) API version of the admin Identity API endpoint. +# Defaults to $::os_service_default. +# +# [*cafile*] +# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs +# connections. +# Defaults to $::os_service_default. +# +# [*certfile*] +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. +# +# [*keyfile*] +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. +# +# [*region_name*] +# (Optional) The region in which the identity server can be found. +# Defaults to $::os_service_default. 
+# +define oslo::key_manager::barbican::service_user( + $username, + $password, + $auth_url, + $project_name, + $user_domain_name = $::os_service_default, + $project_domain_name = $::os_service_default, + $insecure = $::os_service_default, + $auth_type = $::os_service_default, + $auth_version = $::os_service_default, + $cafile = $::os_service_default, + $certfile = $::os_service_default, + $keyfile = $::os_service_default, + $region_name = $::os_service_default, +) { + + $service_user_options = { + 'barbican_service_user/auth_type' => {'value' => $auth_type}, + 'barbican_service_user/auth_version' => {'value' => $auth_version}, + 'barbican_service_user/cafile' => {'value' => $cafile}, + 'barbican_service_user/certfile' => {'value' => $certfile}, + 'barbican_service_user/keyfile' => {'value' => $keyfile}, + 'barbican_service_user/region_name' => {'value' => $region_name}, + 'barbican_service_user/auth_url' => {'value' => $auth_url}, + 'barbican_service_user/username' => {'value' => $username}, + 'barbican_service_user/password' => {'value' => $password, 'secret' => true}, + 'barbican_service_user/user_domain_name' => {'value' => $user_domain_name}, + 'barbican_service_user/project_name' => {'value' => $project_name}, + 'barbican_service_user/project_domain_name' => {'value' => $project_domain_name}, + 'barbican_service_user/insecure' => {'value' => $insecure}, + } + + create_resources($name, $service_user_options) +} diff --git a/releasenotes/notes/barbican_service_user-a8ac0abd364927d8.yaml b/releasenotes/notes/barbican_service_user-a8ac0abd364927d8.yaml new file mode 100644 index 0000000..38d76c5 --- /dev/null +++ b/releasenotes/notes/barbican_service_user-a8ac0abd364927d8.yaml 
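Review bot: `create_resources($name, $service_user_options)` hard-wires the target config resource type to the define's title, whereas the sibling `oslo::key_manager::barbican` touched in this same commit exposes `$config = $name` so callers can decouple the two; for consistency add `$config = $name,` to the parameter list, document it under a `[*config*]` entry, and call `create_resources($config, $service_user_options)`. Separately, `auth_type` defaults to `$::os_service_default` even though `auth_url`, `username` and `password` are required; if the consuming service loads its keystoneauth plugin from this section, an unset auth_type presumably leaves no plugin to load, so consider whether `'password'` (the value the new spec overrides it to) is the more useful default — please confirm against the service's actual behaviour. The `password` entry is correctly marked `'secret' => true`, which keeps it out of Puppet's change reports.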
@@ -0,0 +1,8 @@ +--- +features: + - | + The following parameter and resource type have been added, to support usage + of the service token feature with the Barbican key manager. + + - The ``oslo::key_manager::barbican::send_service_user_token`` parameter + - The ``oslo::key_manager::barbican::service_user`` resource type diff --git a/spec/defines/oslo_key_manager_barbican_service_user_spec.rb b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb new file mode 100644 index 0000000..b4ad3bf --- /dev/null +++ b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb 
@@ -0,0 +1,94 @@ +require 'spec_helper' + +describe 'oslo::key_manager::barbican::service_user' do + + let (:title) { 'keystone_config' } + + let :params do + { :username => 'keystone', + :password => 'secret', + :auth_url => 'http://127.0.0.1:5000', + :project_name => 'services' } + end + + shared_examples 'oslo::key_manager::barbican::service_user' do + context 'with only required parameters' do + it 'configures keystone service_user' do + is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone') + is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true) + is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] ) + is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] ) + is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value('') + is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value('') + end + end + + context 'set all keystone service_user parameters' do + before do + params.merge! 
({ + :username => 'username', + :password => 'hardpassword', + :auth_url => 'http://127.1.1.127:5000/', + :project_name => 'NoProject', + :user_domain_name => 'MyDomain', + :project_domain_name => 'OurDomain', + :insecure => true, + :auth_type => 'password', + :auth_version => '3', + :cafile => 'cafile.pem', + :certfile => 'certfile.crt', + :keyfile => 'somekey.key', + :region_name => 'MyRegion', + }) + end + it 'override keystone service_user parameters' do + is_expected.to contain_keystone_config('barbican_service_user/username').with_value(params[:username]) + is_expected.to contain_keystone_config('barbican_service_user/password').with_value(params[:password]).with_secret(true) + is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] ) + is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] ) + is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name]) + is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name]) + is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure]) + is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version]) + is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile]) + is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value(params[:certfile]) + is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value(params[:keyfile]) + is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value(params[:region_name]) + end + end + + context 'without password required parameter' do + let :params do + params.delete(:password) + end + it { expect { is_expected.to raise_error(Puppet::Error) } } + end + + context 
'without specify project' do + let :params do + params.delete(:project_name) + end + it { expect { is_expected.to raise_error(Puppet::Error) } } + end + end + + on_supported_os({ + :supported_os => OSDefaults.get_supported_os + }).each do |os,facts| + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + + include_examples 'oslo::key_manager::barbican::service_user' + end + end + +end diff --git a/spec/defines/oslo_key_manager_barbican_spec.rb b/spec/defines/oslo_key_manager_barbican_spec.rb index c650305..1623e71 100644 --- a/spec/defines/oslo_key_manager_barbican_spec.rb +++ b/spec/defines/oslo_key_manager_barbican_spec.rb @@ -19,19 +19,21 @@ describe 'oslo::key_manager::barbican' do is_expected.to contain_keystone_config('barbican/number_of_retries').with_value('') is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('') is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('') + is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value('') end end context 'with parameters overridden' do let :params do { - :barbican_endpoint => 'http://localhost:9311/', - :barbican_api_version => 'v1', - :auth_endpoint => 'http://localhost:5000', - :retry_delay => 1, - :number_of_retries => 60, - :barbican_endpoint_type => 'public', - :barbican_region_name => 'regionOne', + :barbican_endpoint => 'http://localhost:9311/', + :barbican_api_version => 'v1', + :auth_endpoint => 'http://localhost:5000', + :retry_delay => 1, + :number_of_retries => 60, + :barbican_endpoint_type => 'public', + :barbican_region_name => 'regionOne', + :send_service_user_token => true, } end 
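Review bot: The two negative contexts ('without password required parameter' and 'without specify project') never exercise the catalogue: `it { expect { is_expected.to raise_error(Puppet::Error) } }` wraps the expectation in an `expect { }` block that has no matcher applied, so the block body is never run and the example passes vacuously. The `let :params do params.delete(:password) end` override is also wrong on two counts: `params` inside its own `let` does not reach the outer hash (use `super()`), and `Hash#delete` returns the removed value rather than the hash. For each context use `let(:params) { super().reject { |k, _| k == :password } }` (with `:project_name` in the second) and `it { expect { catalogue }.to raise_error(Puppet::Error) }`. The 'set all keystone service_user parameters' context also omits an assertion for `barbican_service_user/auth_type`, which it overrides to 'password'.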
@@ -43,6 +45,7 @@ describe 'oslo::key_manager::barbican' do is_expected.to contain_keystone_config('barbican/number_of_retries').with_value(60) is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('public') is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('regionOne') + is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value(true) end end end