Enable Swift encryption for the containerized undercloud

This adds a new parameter to undercloud.conf for the containerized case. It determines whether or not we should enable Swift Object encryption. If we do enable it, it will add the Barbican service and configure encryption for Swift. Depends-On: I9c5e07a2eb764168670d5de7bdeb4b6362f9bfb5 Change-Id: I7826cc00023e2d24865d752d4c9bbb3cc4c8614f
2018-04-12 11:32:17 +03:00 · 2018-04-12 11:32:17 +03:00 · 12443e7381
parent 026601229b
commit 12443e7381
3 changed files with 73 additions and 2 deletions
--- a/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
+++ b/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The option `enable_swift_encryption` was added to the containerized
+    undercloud configuration options (undercloud.conf). If enabled, it will
+    deploy Barbican, which will be used to enable Swift Object encryption.
--- a/tripleoclient/tests/v1/undercloud/test_undercloud.py
+++ b/tripleoclient/tests/v1/undercloud/test_undercloud.py
@ -35,8 +35,8 @@ class TestUndercloudInstall(TestPluginV1):
    def setUp(self):
        super(TestUndercloudInstall, self).setUp()

-        conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
-        conf.config(container_images_file='/home/stack/foo.yaml')
+        self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+        self.conf.config(container_images_file='/home/stack/foo.yaml')
        # Get the command object to test
        app_args = mock.Mock()
        app_args.verbose_level = 1
@ -148,6 +148,57 @@ class TestUndercloudInstall(TestPluginV1):
             'undercloud.yaml', '-e', '/tmp/undercloud_parameters.yaml',
             mock.ANY, '--debug'])

+    @mock.patch('subprocess.check_call', autospec=True)
+    def test_undercloud_install_with_swift_encryption(self, mock_subprocess):
+        arglist = ['--use-heat', '--no-validations']
+        verifylist = []
+        self.conf.set_default('enable_swift_encryption', True)
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        # DisplayCommandBase.take_action() returns two tuples
+        self.cmd.take_action(parsed_args)
+
+        mock_subprocess.assert_called_with(
+            ['sudo', 'openstack', 'undercloud',
+             'deploy', '--local-domain=localdomain',
+             '--local-ip=192.168.24.1/24',
+             '--templates=/usr/share/openstack-tripleo-heat-templates/',
+             '--heat-native', '-e', '/home/stack/foo.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/ironic.yaml',
+             '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/ironic-inspector.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/mistral.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/zaqar.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/tripleo-ui.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/barbican.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'barbican-backend-simple-crypto.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'public-tls-undercloud.yaml',
+             '--public-virtual-ip', '192.168.24.2',
+             '--control-virtual-ip', '192.168.24.3', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'tls-endpoints-public-ip.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'use-dns-for-vips.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/undercloud-haproxy.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'services/undercloud-keepalived.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'docker.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'config-download-environment.yaml', '-e',
+             '/usr/share/openstack-tripleo-heat-templates/environments/'
+             'undercloud.yaml', '-e', '/tmp/undercloud_parameters.yaml',
+             mock.ANY])
+

 class TestUndercloudUpgrade(TestPluginV1):
    def setUp(self):
--- a/tripleoclient/v1/undercloud_config.py
+++ b/tripleoclient/v1/undercloud_config.py
@ -395,6 +395,9 @@ _opts = [
    cfg.BoolOpt('enable_routed_networks',
                default=False,
                help=('Enable support for routed ctlplane networks.')),
+    cfg.BoolOpt('enable_swift_encryption',
+                default=False,
+                help=('Whether to enable Swift encryption at-rest or not.')),
 ]

 # Routed subnets
@ -724,6 +727,17 @@ def prepare_undercloud_deploy(upgrade=False, no_validations=False,
            tht_templates,
            "environments/services/undercloud-cinder.yaml")]

+    if CONF.get('enable_swift_encryption'):
+        deploy_args += [
+            '-e', os.path.join(tht_templates,
+                               "environments/services/barbican.yaml"),
+            '-e', os.path.join(
+                tht_templates,
+                "environments/barbican-backend-simple-crypto.yaml")
+            ]
+        env_data['BarbicanSimpleCryptoGlobalDefault'] = True
+        env_data['SwiftEncryptionEnabled'] = True
+
    if CONF.get('generate_service_certificate'):
        deploy_args += ['-e', os.path.join(
            tht_templates,