Barbican: Add ability to specify KEK for simple crypto plugin

This adds the profile that enables the backend, along with the
environment file used to turn it on.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I44391b91b01bc03c9773410152e117ec6bbba491
Change-Id: I39ce9f203af0dea20f7c14ba8b484f600f4aad49
Ade Lee
2017-10-31 11:26:38 -04:00
parent 326147f193
commit 2089a53afd
6 changed files with 60 additions and 0 deletions


@@ -0,0 +1,11 @@
# A Heat environment file to enable the barbican simple crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment this value and
# provide an appropriate KEK that barbican will use to encrypt secrets
# in the database.
#
# SimpleCryptoKek: The Key-Encryption-Key goes here.
resource_registry:
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
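Review bot: The commented-out `SimpleCryptoKek` line does not say what a valid key looks like or where an operator should set it. As far as I know barbican's simple crypto plugin expects a base64-encoded 32-byte key, so the placeholder could read `# SimpleCryptoKek: <base64-encoded 32-byte key>` (please confirm the format against the plugin). I would also add a comment such as `# Supply this from a separate, access-restricted environment file; do not commit a real key here.` so the key does not end up in a copy of this in-tree file. One more sentence noting that the KEK must be backed up, since secrets already stored in the database are presumably unrecoverable if it is lost or changed, would save someone a bad day.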


@@ -247,6 +247,7 @@ resource_registry:
OS::TripleO::Services::ComputeNeutronL3Agent: OS::Heat::None
OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
OS::TripleO::Services::BarbicanApi: OS::Heat::None
OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml


@@ -0,0 +1,45 @@
heat_template_version: pike
description: >
Barbican API simple crypto backend configured with Puppet
parameters:
# Required default parameters
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
SimpleCryptoKek:
description: KEK used to encrypt secrets
type: string
hidden: true
outputs:
role_data:
description: Role data for the Barbican simple crypto backend.
value:
service_name: barbican_backend_simple_crypto
config_settings:
barbican::plugins::simple_crypto::simple_crypto_plugin_kek: {get_param: SimpleCryptoKek}
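Review bot: `SimpleCryptoKek` is declared as a bare `type: string` with no constraints, so an empty or truncated value passes Heat validation and is handed straight to `barbican::plugins::simple_crypto::simple_crypto_plugin_kek`. Leaving out a default is good, since the stack then cannot fall back to a built-in key, and `hidden: true` keeps it out of stack output; a length constraint would catch the remaining mistakes at validation time instead of at first secret store. Assuming the plugin takes a base64-encoded 32-byte key, I would add `constraints:` with `- length: {min: 44, max: 44}` and change the description to `Base64-encoded 32-byte KEK used by the simple crypto plugin to encrypt secrets`. Separately, `parameter_defaults` names are shared across all service templates, so a prefixed name such as `BarbicanSimpleCryptoKek` would be less likely to collide than the generic `SimpleCryptoKek`.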


@@ -29,6 +29,7 @@
- OS::TripleO::Services::AodhNotifier
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BarbicanApi
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CeilometerAgentCentral
- OS::TripleO::Services::CeilometerAgentNotification


@@ -23,6 +23,7 @@
- OS::TripleO::Services::AodhNotifier
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BarbicanApi
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CeilometerAgentCentral
- OS::TripleO::Services::CeilometerAgentNotification


@@ -32,6 +32,7 @@
- OS::TripleO::Services::AodhNotifier
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BarbicanApi
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CeilometerAgentCentral
- OS::TripleO::Services::CeilometerAgentNotification