From 12443e738168f501bed411e030bad354bdaf1e85 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 12 Apr 2018 11:32:17 +0300
Subject: [PATCH] Enable Swift encryption for the containerized undercloud
This adds a new parameter to undercloud.conf for the containerized case. It determines whether or not we should enable Swift Object encryption. If we do enable it, it will add the Barbican service and configure encryption for Swift.
Depends-On: I9c5e07a2eb764168670d5de7bdeb4b6362f9bfb5
Change-Id: I7826cc00023e2d24865d752d4c9bbb3cc4c8614f
---
 ...n-for-the-undercloud-9d9e62205fc54531.yaml | 6 ++
 .../tests/v1/undercloud/test_undercloud.py | 55 ++++++++++++++++++-
 tripleoclient/v1/undercloud_config.py | 14 +++++
 3 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
diff --git a/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml b/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
new file mode 100644
index 000000000..b35b81901
--- /dev/null
+++ b/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The option `enable_swift_encryption` was added to the containerized
+ undercloud configuration options (undercloud.conf). If enabled, it will
+ deploy Barbican, which will be used to enable Swift Object encryption.
diff --git a/tripleoclient/tests/v1/undercloud/test_undercloud.py b/tripleoclient/tests/v1/undercloud/test_undercloud.py
index 5587db101..18912b0c2 100644
--- a/tripleoclient/tests/v1/undercloud/test_undercloud.py
+++ b/tripleoclient/tests/v1/undercloud/test_undercloud.py
@@ -35,8 +35,8 @@ class TestUndercloudInstall(TestPluginV1):
 def setUp(self):
 super(TestUndercloudInstall, self).setUp()
- conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
- conf.config(container_images_file='/home/stack/foo.yaml')
+ self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+ self.conf.config(container_images_file='/home/stack/foo.yaml')
 # Get the command object to test
 app_args = mock.Mock()
 app_args.verbose_level = 1
@@ -148,6 +148,57 @@ class TestUndercloudInstall(TestPluginV1):
 'undercloud.yaml', '-e', '/tmp/undercloud_parameters.yaml',
 mock.ANY, '--debug'])
+ @mock.patch('subprocess.check_call', autospec=True)
+ def test_undercloud_install_with_swift_encryption(self, mock_subprocess):
+ arglist = ['--use-heat', '--no-validations']
+ verifylist = []
+ self.conf.set_default('enable_swift_encryption', True)
+ parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+ # DisplayCommandBase.take_action() returns two tuples
+ self.cmd.take_action(parsed_args)
+
+ mock_subprocess.assert_called_with(
+ ['sudo', 'openstack', 'undercloud',
+ 'deploy', '--local-domain=localdomain',
+ '--local-ip=192.168.24.1/24',
+ '--templates=/usr/share/openstack-tripleo-heat-templates/',
+ '--heat-native', '-e', '/home/stack/foo.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/ironic.yaml',
+ '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/ironic-inspector.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/mistral.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/zaqar.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/tripleo-ui.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/barbican.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'barbican-backend-simple-crypto.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'public-tls-undercloud.yaml',
+ '--public-virtual-ip', '192.168.24.2',
+ '--control-virtual-ip', '192.168.24.3', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'tls-endpoints-public-ip.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'use-dns-for-vips.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/undercloud-haproxy.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'services/undercloud-keepalived.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'docker.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'config-download-environment.yaml', '-e',
+ '/usr/share/openstack-tripleo-heat-templates/environments/'
+ 'undercloud.yaml', '-e', '/tmp/undercloud_parameters.yaml',
+ mock.ANY])
+
 class TestUndercloudUpgrade(TestPluginV1):
 def setUp(self):
diff --git a/tripleoclient/v1/undercloud_config.py b/tripleoclient/v1/undercloud_config.py
index e59592019..28d3da2b1 100644
--- a/tripleoclient/v1/undercloud_config.py
+++ b/tripleoclient/v1/undercloud_config.py
@@ -395,6 +395,9 @@ _opts = [
 cfg.BoolOpt('enable_routed_networks',
 default=False,
 help=('Enable support for routed ctlplane networks.')),
+ cfg.BoolOpt('enable_swift_encryption',
+ default=False,
+ help=('Whether to enable Swift encryption at-rest or not.')),
 ]
 # Routed subnets
@@ -724,6 +727,17 @@ def prepare_undercloud_deploy(upgrade=False, no_validations=False,
 tht_templates,
 "environments/services/undercloud-cinder.yaml")]
+ if CONF.get('enable_swift_encryption'):
+ deploy_args += [
+ '-e', os.path.join(tht_templates,
+ "environments/services/barbican.yaml"),
+ '-e', os.path.join(
+ tht_templates,
+ "environments/barbican-backend-simple-crypto.yaml")
+ ]
+ env_data['BarbicanSimpleCryptoGlobalDefault'] = True
+ env_data['SwiftEncryptionEnabled'] = True
+
 if CONF.get('generate_service_certificate'):
 deploy_args += ['-e', os.path.join(
 tht_templates,
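Review bot: `test_undercloud_install_with_swift_encryption` asserts only the `-e` environment files handed to `undercloud deploy`; it never checks that `SwiftEncryptionEnabled` and `BarbicanSimpleCryptoGlobalDefault` reach the generated parameters, and those two keys are what the production hunk sets to switch encryption on. A later change that drops either key would still pass this test, and the operator could end up with Barbican deployed but objects presumably still written unencrypted. If `env_data` is what gets written to `/tmp/undercloud_parameters.yaml` (not visible in this patch), assert on that content, or call `prepare_undercloud_deploy` directly and check both keys. The comment `# DisplayCommandBase.take_action() returns two tuples` describes a return value the test never uses and can be dropped.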
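Review bot: The help string for `enable_swift_encryption` does not tell the operator that turning it on deploys Barbican on the undercloud, although the release note in this same patch says so. Someone reading only undercloud.conf would not learn that an extra key-management service is being added to the node. Suggested wording: `help=('Whether to enable Swift encryption at-rest. If set, Barbican is deployed and used to enable Swift object encryption.')`. The `_opts` list starts well before this hunk, so I have not checked how neighbouring options phrase similar side effects.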
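Review bot: The block added to `prepare_undercloud_deploy` fixes the key store to `barbican-backend-simple-crypto.yaml` with no comment on what that choice implies. Barbican's simple-crypto plugin keeps its key-encryption key in Barbican's own configuration, so on the undercloud the key material presumably sits on the same host as the Swift objects it protects (the environment file itself is not visible here). The option then protects the Swift object files themselves, not the loss of the whole node or its disk. I would add a comment above `deploy_args += [` such as `# simple-crypto keeps the KEK in Barbican's config on this host: covers Swift object files, not a full-host or full-disk compromise`, and repeat the caveat in the option help. The function body begins and ends outside this hunk.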