From 2089a53afd2951f4682460aeec0214ab15dc1d46 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 31 Oct 2017 11:26:38 -0400 Subject: [PATCH] Barbican: Add ability to specify KEK for simple crypto plugin It adds the profile to enable the backend and a relevant environment file that will be used. Co-Authored-By: Juan Antonio Osorio Robles Depends-On: I44391b91b01bc03c9773410152e117ec6bbba491 Change-Id: I39ce9f203af0dea20f7c14ba8b484f600f4aad49 --- .../barbican-backend-simple-crypto.yaml | 11 +++++ overcloud-resource-registry-puppet.j2.yaml | 1 + .../barbican-backend-simple-crypto.yaml | 45 +++++++++++++++++++ roles/Controller.yaml | 1 + roles/ControllerOpenstack.yaml | 1 + roles_data.yaml | 1 + 6 files changed, 60 insertions(+) create mode 100644 environments/barbican-backend-simple-crypto.yaml create mode 100644 puppet/services/barbican-backend-simple-crypto.yaml
diff --git a/environments/barbican-backend-simple-crypto.yaml b/environments/barbican-backend-simple-crypto.yaml
new file mode 100644
index 0000000000..e8c3624eb2
--- /dev/null
+++ b/environments/barbican-backend-simple-crypto.yaml
@@ -0,0 +1,11 @@
+# A Heat environment file to enable the barbican simple crypto backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+ # In order to use this backend, you need to uncomment this value and
+ # provide an appropriate KEK that barbican will use to encrypt secrets
+ # in the database.
+ #
+ # SimpleCryptoKek: The Key-Encryption-Key goes here.
+
+resource_registry:
+ OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 179b5c914a..0747e10e3d 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
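Review bot: The commented-out `SimpleCryptoKek` line under `parameter_defaults` does not say what value is expected or what happens when it stays commented out: the service template registered below gives the parameter no default, so enabling this environment without supplying the key is rejected at stack validation with a missing-parameter error rather than failing inside barbican. I would extend the comment to state both, e.g. `# SimpleCryptoKek: <base64-encoded key>  # required; the deployment fails validation if it is not set` (the plugin's exact key format — a base64-encoded 32-byte key, as far as I recall — should be confirmed against the barbican plugin docs before wording it). Since the value is a long-lived secret that protects every secret in the barbican database, the comment should also steer operators to put it in a separate environment file that is not committed to version control, instead of editing this file in place.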
@@ -247,6 +247,7 @@ resource_registry:
 OS::TripleO::Services::ComputeNeutronL3Agent: OS::Heat::None
 OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
 OS::TripleO::Services::BarbicanApi: OS::Heat::None
+ OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
 OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
 OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
 OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml
diff --git a/puppet/services/barbican-backend-simple-crypto.yaml b/puppet/services/barbican-backend-simple-crypto.yaml
new file mode 100644
index 0000000000..af7dfd99df
--- /dev/null
+++ b/puppet/services/barbican-backend-simple-crypto.yaml
@@ -0,0 +1,45 @@
+heat_template_version: pike
+
+description: >
+ Barbican API simple crypto backend configured with Puppet
+
+parameters:
+ # Required default parameters
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ SimpleCryptoKek:
+ description: KEK used to encrypt secrets
+ type: string
+ hidden: true
+
+outputs:
+ role_data:
+ description: Role data for the Barbican simple crypto backend.
+ value:
+ service_name: barbican_backend_simple_crypto
+ config_settings:
+ barbican::plugins::simple_crypto::simple_crypto_plugin_kek: {get_param: SimpleCryptoKek}
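Review bot: `SimpleCryptoKek` is correctly `hidden: true` and has no default, but the description does not say why the default is deliberately absent or what shape the value must have, so an empty or malformed key is only discovered when barbican first tries to use it. I would reword it as `description: Key-encryption-key for barbican's simple crypto plugin. No default is provided on purpose so the plugin is never deployed with a publicly known key.` (add the base64/32-byte requirement once confirmed against the plugin) and add `constraints: [{length: {min: 1}}]` so at least an empty string is rejected at validation time. The template also emits only `config_settings` and no `step_config`, so nothing here includes the puppet class; it presumably relies on the puppet-tripleo change named in Depends-On to consume the `barbican::plugins::simple_crypto::simple_crypto_plugin_kek` hiera key, and a comment above `config_settings` stating that coupling would save the next maintainer a search.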
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index f092c9732f..cc7745d7e8 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -29,6 +29,7 @@
 - OS::TripleO::Services::AodhNotifier
 - OS::TripleO::Services::AuditD
 - OS::TripleO::Services::BarbicanApi
+ - OS::TripleO::Services::BarbicanBackendSimpleCrypto
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CeilometerAgentCentral
 - OS::TripleO::Services::CeilometerAgentNotification
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index ed3851ad3c..7e3b12810e 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -23,6 +23,7 @@
 - OS::TripleO::Services::AodhNotifier
 - OS::TripleO::Services::AuditD
 - OS::TripleO::Services::BarbicanApi
+ - OS::TripleO::Services::BarbicanBackendSimpleCrypto
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CeilometerAgentCentral
 - OS::TripleO::Services::CeilometerAgentNotification
diff --git a/roles_data.yaml b/roles_data.yaml
index b4bd9422eb..f928e1b43d 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -32,6 +32,7 @@
 - OS::TripleO::Services::AodhNotifier
 - OS::TripleO::Services::AuditD
 - OS::TripleO::Services::BarbicanApi
+ - OS::TripleO::Services::BarbicanBackendSimpleCrypto
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CeilometerAgentCentral
 - OS::TripleO::Services::CeilometerAgentNotification