openstack
/
puppet-tripleo
Code Issues Proposed changes

Add multiple backends for barbican 

Depends-On: I8cb8d3cd745fbf7ddba1ce8e5347b38342afd58d
Change-Id: I07e52897897f453382f74aa4fdaa98c37e6eca30
This commit is contained in:
Ade Lee 2017-11-28 16:11:32 -05:00
parent ce3432da8c
commit 37d64357d6
4 changed files with 151 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
manifests/profile/base/barbican/api.pp
View File

@ -134,8 +134,8 @@ class tripleo::profile::base::barbican::api (
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
class { '::barbican::api':
sync_db => $sync_db,
default_transport_url => os_transport_url({
sync_db => $sync_db,
default_transport_url => os_transport_url({
'transport' => $oslomsg_rpc_proto,
'hosts' => $oslomsg_rpc_hosts,
'port' => $oslomsg_rpc_port,
@ -143,7 +143,7 @@ class tripleo::profile::base::barbican::api (
'password' => $oslomsg_rpc_password,
'ssl' => $oslomsg_use_ssl_real,
}),
notification_transport_url => os_transport_url({
notification_transport_url => os_transport_url({
'transport' => $oslomsg_notify_proto,
'hosts' => $oslomsg_notify_hosts,
'port' => $oslomsg_notify_port,
@ -151,8 +151,8 @@ class tripleo::profile::base::barbican::api (
'password' => $oslomsg_notify_password,
'ssl' => $oslomsg_use_ssl_real,
}),
enabled_crypto_plugins => $::tripleo::profile::base::barbican::backends::enabled_crypto_plugins,
enabled_secretstore_plugins => $::tripleo::profile::base::barbican::backends::enabled_secretstore_plugins
multiple_secret_stores_enabled => true,
enabled_secret_stores => $::tripleo::profile::base::barbican::backends::enabled_secret_stores,
}
include ::barbican::keystone::authtoken
include ::barbican::api::logging

54
manifests/profile/base/barbican/backends.pp
View File

@ -14,7 +14,7 @@
#
# == Class: tripleo::profile::base::barbican::backends
#
# Barbican's simple crypto plugin profile for tripleo
# Barbican's secret store plugin profile for tripleo
#
# === Parameters
#
@ -32,17 +32,55 @@
# dynamically set via t-h-t.
# Defaults to hiera('barbican_backend_simple_crypto_enabled', false)
#
# [*dogtag_backend_enabled*]
# (Optional) Whether the Dogtag backend is enabled or not. This is
# dynamically set via t-h-t.
# Defaults to hiera('barbican_backend_dogtag_enabled', false)
#
# [*p11_crypto_backend_enabled*]
# (Optional) Whether the pkcs11 crypto backend is enabled or not. This is
# dynamically set via t-h-t.
# Defaults to hiera('barbican_backend_pkcs11_crypto_enabled', false)
#
# [*kmip_backend_enabled*]
# (Optional) Whether the KMIP backend is enabled or not. This is
# dynamically set via t-h-t.
# Defaults to hiera('barbican_backend_kmip_enabled', false)
#
class tripleo::profile::base::barbican::backends (
$simple_crypto_backend_enabled = hiera('barbican_backend_simple_crypto_enabled', false)
$simple_crypto_backend_enabled = hiera('barbican_backend_simple_crypto_enabled', false),
$dogtag_backend_enabled = hiera('barbican_backend_dogtag_enabled', false),
$p11_crypto_backend_enabled = hiera('barbican_backend_pkcs11_crypto_enabled', false),
$kmip_backend_enabled = hiera('barbican_backend_kmip_enabled', false),
) {
if $simple_crypto_backend_enabled {
include ::barbican::plugins::simple_crypto
# Note that once we start adding more backends, this will be refactored to
# create a proper lits from all the enabled plugins.
$enabled_secretstore_plugins = 'store_crypto'
$enabled_crypto_plugins = 'simple_crypto'
$backend1 = 'simple_crypto'
} else {
$enabled_secretstore_plugins = ''
$enabled_crypto_plugins = ''
$backend1 = undef
}
if $dogtag_backend_enabled {
include ::barbican::plugins::dogtag
$backend2 = 'dogtag'
} else {
$backend2 = undef
}
if $p11_crypto_backend_enabled {
include ::barbican::plugins::p11_crypto
$backend3 = 'pkcs11'
} else {
$backend3 = undef
}
if $kmip_backend_enabled {
include ::barbican::plugins::kmip
$backend4 = 'kmip'
} else {
$backend4 = undef
}
$enabled_backends_list = [$backend1, $backend2, $backend3, $backend4].filter |$items| { $items != undef }
$enabled_secret_stores = join($enabled_backends_list, ',')
}

5
releasenotes/notes/add-barbican-backends-2412df7eef07038e.yaml Normal file
View File

@ -0,0 +1,5 @@
---
features:
- Added code to select plugin configuration based on tripleo heat
template dynamic variables for each backend, depending on if the
backend is enabled. Multiple backends can now be configured.

95
spec/classes/tripleo_profile_base_barbican_backends_spec.rb Normal file
View File

@ -0,0 +1,95 @@
#
# Copyright (C) 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
require 'spec_helper'
describe 'tripleo::profile::base::barbican::backends' do
shared_examples_for 'tripleo::profile::base::barbican::backends' do
context 'with simple_crypto plugin only enabled' do
let(:params) { { :simple_crypto_backend_enabled => true } }
it 'should configure simple_crypto' do
is_expected.to contain_class('barbican::plugins::simple_crypto')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be('simple_crypto')
end
end
context 'with dogtag plugin only enabled' do
let(:params) { { :dogtag_backend_enabled => true } }
it 'should configure dogtag backend' do
is_expected.to contain_class('barbican::plugins::dogtag')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be('dogtag')
end
end
context 'with p11_crypto plugin only enabled' do
let(:params) { { :p11_crypto_backend_enabled => true } }
it 'should configure p11_crypto' do
is_expected.to contain_class('barbican::plugins::p11_crypto')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be('pkcs11')
end
end
context 'with kmip plugin only enabled' do
let(:params) { { :kmip_backend_enabled => true } }
it 'should configure kmip' do
is_expected.to contain_class('barbican::plugins::kmip')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be('kmip')
end
end
context 'with simple_crypto and dogtag enabled' do
let(:params) { {
:simple_crypto_backend_enabled => true,
:dogtag_backend_enabled => true,
} }
it 'should configure simple_crypto and dogtag' do
is_expected.to contain_class('barbican::plugins::simple_crypto')
is_expected.to contain_class('barbican::plugins::dogtag')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be('simple_crypto,dogtag')
end
end
context 'with simple_crypto plugin and p11_crypto enabled' do
let(:params) { {
:simple_crypto_backend_enabled => true,
:p11_crypto_backend_enabled => true,
} }
it 'should configure simple_crypto and p11_crypto' do
is_expected.to contain_class('barbican::plugins::simple_crypto')
is_expected.to contain_class('barbican::plugins::p11_crypto')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be('simple_crypto,pkcs11')
end
end
context 'with all plugins enabled' do
let(:params) { {
:simple_crypto_backend_enabled => true,
:p11_crypto_backend_enabled => true,
:dogtag_backend_enabled => true,
:kmip_backend_enabled => true,
} }
it 'should configure all plugins' do
is_expected.to contain_class('barbican::plugins::simple_crypto')
is_expected.to contain_class('barbican::plugins::p11_crypto')
is_expected.to contain_class('barbican::plugins::dogtag')
is_expected.to contain_class('barbican::plugins::kmip')
expect('tripleo::profile::base::barbican::backends::enabled_secret_stores').to be(
'simple_crypto,dogtag,pkcs11,kmip')
end
end
end
end