Add multiple secret store backends for barbican

Change-Id: I7aaa242ee1ecbfcbcc7502b0ce8e5a9191d307f2
Depends-On: I07e52897897f453382f74aa4fdaa98c37e6eca30

environments/barbican-backend-dogtag.yaml

@@ -0,0 +1,17 @@
+# A Heat environment file to enable the barbican Dogtag backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment these values and
+  # provide an appropriate data
+  #
+  # BarbicanDogtagStoreHost: Hostname of the Dogtag server
+  # BarbicanDogtagStorePort: Port for the Dogtag server
+  # BarbicanDogtagStorePEMPath: Path for the PEM file used to authenticate requests
+  #     - defaults to /etc/barbican/kra_admin_cert.pem
+  # BarbicanDogtagStoreNSSPassword: Password for the NSS DB
+  # BarbicanDogtagStoreGlobalDefault: Whether this plugin is the global default plugin
+  #     - defaults to false
+
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendDogtag: ../puppet/services/barbican-backend-dogtag.yaml

environments/barbican-backend-kmip.yaml

@@ -0,0 +1,15 @@
+# A Heat environment file to enable the barbican KMIP backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment this value and
+  # provide an appropriate KEK that barbican will use to encrypt secrets
+  # in the database.
+  #
+  # BarbicanKmipStoreUsername: Username to connect to KMIP device
+  # BarbicanKmipStorePassword: Password to connect to KMIP device
+  # BarbicanKmipStoreHost: Host for KMIP device
+  # BarbicanKmipStorePort: Port for KMIP device
+  # BarbicanKmipStoreGlobalDefault: Whether this plugin is the global default plugin
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendKmip: ../puppet/services/barbican-backend-kmip.yaml

environments/barbican-backend-pkcs11.yaml

@@ -0,0 +1,16 @@
+# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment these values and
+  # provide the appropriate values.
+  #
+  # BarbicanPkcs11CryptoLibraryPath: Path to vendor PKCS11 library
+  # BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
+  # BarbicanPkcs11CryptoMKEKLabel: Label for Master KEK
+  # BarbicanPkcs11CryptoMKEKLength: Length of Master KEK in bytes
+  # BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
+  # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
+  # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

environments/barbican-backend-simple-crypto.yaml

@@ -9,6 +9,5 @@ parameter_defaults:
   # BarbicanSimpleCryptoGlobalDefault : whether this plugin is the global default
   #     -- defaults to false
 
-
 resource_registry:
   OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml

overcloud-resource-registry-puppet.j2.yaml

@@ -249,6 +249,9 @@ resource_registry:
   OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
   OS::TripleO::Services::BarbicanApi: OS::Heat::None
   OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
+  OS::TripleO::Services::BarbicanBackendDogtag: OS::Heat::None
+  OS::TripleO::Services::BarbicanBackendKmip: OS::Heat::None
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: OS::Heat::None
   OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
   OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml

puppet/services/barbican-backend-dogtag.yaml

@@ -0,0 +1,65 @@
+heat_template_version: queens
+
+description: >
+  Barbican API Dogtag backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  BarbicanDogtagStoreHost:
+    description: Hostname of the Dogtag server
+    type: string
+  BarbicanDogtagStorePort:
+    description: Port for the Dogtag server
+    default: 8443
+    type: number
+  BarbicanDogtagStorePEMPath:
+    description: Path for the PEM file used to authenticate requests
+    type: string
+    default: '/etc/barbican/kra_admin_cert.pem'
+    hidden: true
+  BarbicanDogtagStoreNSSPassword:
+    description: Password for the NSS DB
+    type: string
+    hidden: true
+  BarbicanDogtagStoreGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
+
+outputs:
+  role_data:
+    description: Role data for the Barbican Dogtag backend.
+    value:
+      service_name: barbican_backend_dogtag
+      config_settings:
+        barbican::plugins::dogtag::dogtag_plugin_dogtag_host: {get_param: BarbicanDogtagStoreHost}
+        barbican::plugins::dogtag::dogtag_plugin_dogtag_port: {get_param: BarbicanDogtagStorePort}
+        barbican::plugins::dogtag::dogtag_plugin_pem_path: {get_param: BarbicanDogtagStorePEMPath}
+        barbican::plugins::dogtag::dogtag_plugin_nss_password: {get_param: BarbicanDogtagStoreNSSPassword}
+        barbican::plugins::dogtag::global_default: {get_param: BarbicanDogtagStoreGlobalDefault}

puppet/services/barbican-backend-kmip.yaml

@@ -0,0 +1,62 @@
+heat_template_version: queens
+
+description: >
+  Barbican API KMIP backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  BarbicanKmipStoreUsername:
+    description: Username to connect to KMIP device
+    type: string
+  BarbicanKmipStorePassword:
+    description: Password to connect to KMIP device
+    type: string
+    hidden: true
+  BarbicanKmipStoreHost:
+    description: Host for KMIP device
+    type: string
+  BarbicanKmipStorePort:
+    description: Port for KMIP device
+    type: number
+  BarbicanKmipStoreGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
+
+outputs:
+  role_data:
+    description: Role data for the Barbican KMIP crypto backend.
+    value:
+      service_name: barbican_backend_kmip
+      config_settings:
+        barbican::plugins::kmip::kmip_plugin_username: {get_param: BarbicanKmipStoreUsername}
+        barbican::plugins::kmip::kmip_plugin_password: {get_param: BarbicanKmipStorePassword}
+        barbican::plugins::kmip::kmip_plugin_host: {get_param: BarbicanKmipStoreHost}
+        barbican::plugins::kmip::kmip_plugin_port: {get_param: BarbicanKmipStorePort}
+        barbican::plugins::kmip::global_default: {get_param: BarbicanKmipStoreGlobalDefault}

puppet/services/barbican-backend-pkcs11-crypto.yaml

@@ -0,0 +1,70 @@
+heat_template_version: queens
+
+description: >
+  Barbican API PKCS#11 crypto backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  BarbicanPkcs11CryptoLibraryPath:
+    description: Path to vendor PKCS11 library
+    type: string
+  BarbicanPkcs11CryptoLogin:
+    description: Password to login to PKCS11 session
+    type: string
+    hidden: true
+  BarbicanPkcs11CryptoMKEKLabel:
+    description: Label for Master KEK
+    type: string
+  BarbicanPkcs11CryptoMKEKLength:
+    description: Length of Master KEK in bytes
+    type: number
+  BarbicanPkcs11CryptoHMACLabel:
+    description: Label for the HMAC key
+    type: string
+  BarbicanPkcs11CryptoSlotId:
+    description: Slot Id for the HSM
+    type: number
+  BarbicanPkcs11CryptoGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
+
+outputs:
+  role_data:
+    description: Role data for the Barbican PKCS#11 backend.
+    value:
+      service_name: barbican_backend_pkcs11_crypto
+      config_settings:
+        barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
+        barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}

roles/Controller.yaml

@@ -30,6 +30,9 @@
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BarbicanApi
     - OS::TripleO::Services::BarbicanBackendSimpleCrypto
+    - OS::TripleO::Services::BarbicanBackendDogtag
+    - OS::TripleO::Services::BarbicanBackendKmip
+    - OS::TripleO::Services::BarbicanBackendPkcs11Crypto
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CeilometerAgentCentral
     - OS::TripleO::Services::CeilometerAgentNotification

roles/ControllerOpenstack.yaml

@@ -24,6 +24,9 @@
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BarbicanApi
     - OS::TripleO::Services::BarbicanBackendSimpleCrypto
+    - OS::TripleO::Services::BarbicanBackendDogtag
+    - OS::TripleO::Services::BarbicanBackendKmip
+    - OS::TripleO::Services::BarbicanBackendPkcs11Crypto
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CeilometerAgentCentral
     - OS::TripleO::Services::CeilometerAgentNotification

roles_data.yaml

@@ -33,6 +33,9 @@
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BarbicanApi
     - OS::TripleO::Services::BarbicanBackendSimpleCrypto
+    - OS::TripleO::Services::BarbicanBackendDogtag
+    - OS::TripleO::Services::BarbicanBackendKmip
+    - OS::TripleO::Services::BarbicanBackendPkcs11Crypto
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CeilometerAgentCentral
     - OS::TripleO::Services::CeilometerAgentNotification