
Add multiple secret store backends for barbican

Change-Id: I7aaa242ee1ecbfcbcc7502b0ce8e5a9191d307f2
Depends-On: I07e52897897f453382f74aa4fdaa98c37e6eca30
changes/39/523539/6
Ade Lee 4 years ago
parent
commit
f8decc73fc
  1. 17
      environments/barbican-backend-dogtag.yaml
  2. 15
      environments/barbican-backend-kmip.yaml
  3. 16
      environments/barbican-backend-pkcs11.yaml
  4. 1
      environments/barbican-backend-simple-crypto.yaml
  5. 3
      overcloud-resource-registry-puppet.j2.yaml
  6. 65
      puppet/services/barbican-backend-dogtag.yaml
  7. 62
      puppet/services/barbican-backend-kmip.yaml
  8. 70
      puppet/services/barbican-backend-pkcs11-crypto.yaml
  9. 3
      roles/Controller.yaml
  10. 3
      roles/ControllerOpenstack.yaml
  11. 3
      roles_data.yaml

17
environments/barbican-backend-dogtag.yaml

@ -0,0 +1,17 @@
# A Heat environment file to enable the barbican Dogtag backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide an appropriate data
#
# BarbicanDogtagStoreHost: Hostname of the Dogtag server
# BarbicanDogtagStorePort: Port for the Dogtag server
# BarbicanDogtagStorePEMPath: Path for the PEM file used to authenticate requests
# - defaults to /etc/barbican/kra_admin_cert.pem
# BarbicanDogtagStoreNSSPassword: Password for the NSS DB
# BarbicanDogtagStoreGlobalDefault: Whether this plugin is the global default plugin
# - defaults to false
resource_registry:
OS::TripleO::Services::BarbicanBackendDogtag: ../puppet/services/barbican-backend-dogtag.yaml
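Review bot: The comment block tells the operator to "uncomment these values", but BarbicanDogtagStoreHost and BarbicanDogtagStoreNSSPassword carry no default in puppet/services/barbican-backend-dogtag.yaml, so including this environment without setting both fails at stack validation rather than at runtime; the comments should say which entries are mandatory. Suggest `# BarbicanDogtagStoreHost: Hostname of the Dogtag server (required)` and `# BarbicanDogtagStoreNSSPassword: Password for the NSS DB (required; supply it from a separate environment file that is not committed)`. The phrase "provide an appropriate data" should read "provide appropriate data".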

15
environments/barbican-backend-kmip.yaml

@ -0,0 +1,15 @@
# A Heat environment file to enable the barbican KMIP backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment this value and
# provide an appropriate KEK that barbican will use to encrypt secrets
# in the database.
#
# BarbicanKmipStoreUsername: Username to connect to KMIP device
# BarbicanKmipStorePassword: Password to connect to KMIP device
# BarbicanKmipStoreHost: Host for KMIP device
# BarbicanKmipStorePort: Port for KMIP device
# BarbicanKmipStoreGlobalDefault: Whether this plugin is the global default plugin
resource_registry:
OS::TripleO::Services::BarbicanBackendKmip: ../puppet/services/barbican-backend-kmip.yaml
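Review bot: The comment at the top of parameter_defaults appears to be carried over from the simple-crypto environment: it speaks of "this value" and "an appropriate KEK that barbican will use to encrypt secrets in the database", while the KMIP backend takes no KEK and the entries listed beneath it are the device's username, password, host and port. Replace it with `# In order to use this backend, you need to uncomment these values and` / `# provide the connection details of the KMIP device.` None of the four connection parameters has a default in puppet/services/barbican-backend-kmip.yaml, so all of them are required once this environment is included; the comment for BarbicanKmipStorePassword should point the operator to a separate, non-committed environment file for it.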

16
environments/barbican-backend-pkcs11.yaml

@ -0,0 +1,16 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLibraryPath: Path to vendor PKCS11 library
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoMKEKLabel: Label for Master KEK
# BarbicanPkcs11CryptoMKEKLength: Length of Master KEK in bytes
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
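Review bot: BarbicanPkcs11CryptoGlobalDefault is listed without its default here, while the Dogtag environment documents "- defaults to false" for the equivalent parameter; add `#   - defaults to false` under it so the three environment files read the same way. Every other parameter in this list has no default in puppet/services/barbican-backend-pkcs11-crypto.yaml and is therefore mandatory once the environment is included, which the comment should state. BarbicanPkcs11CryptoLogin is marked hidden in the service template and is in practice the PKCS#11 session PIN; its comment should say to keep it in a separate, non-committed environment file.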

1
environments/barbican-backend-simple-crypto.yaml

@ -9,6 +9,5 @@ parameter_defaults:
# BarbicanSimpleCryptoGlobalDefault : whether this plugin is the global default
# -- defaults to false
resource_registry:
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml

3
overcloud-resource-registry-puppet.j2.yaml

@ -249,6 +249,9 @@ resource_registry:
OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
OS::TripleO::Services::BarbicanApi: OS::Heat::None
OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
OS::TripleO::Services::BarbicanBackendDogtag: OS::Heat::None
OS::TripleO::Services::BarbicanBackendKmip: OS::Heat::None
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: OS::Heat::None
OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml

65
puppet/services/barbican-backend-dogtag.yaml

@ -0,0 +1,65 @@
heat_template_version: queens
description: >
Barbican API Dogtag backend configured with Puppet
parameters:
# Required default parameters
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BarbicanDogtagStoreHost:
description: Hostname of the Dogtag server
type: string
BarbicanDogtagStorePort:
description: Port for the Dogtag server
default: 8443
type: number
BarbicanDogtagStorePEMPath:
description: Path for the PEM file used to authenticate requests
type: string
default: '/etc/barbican/kra_admin_cert.pem'
hidden: true
BarbicanDogtagStoreNSSPassword:
description: Password for the NSS DB
type: string
hidden: true
BarbicanDogtagStoreGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
default: false
outputs:
role_data:
description: Role data for the Barbican Dogtag backend.
value:
service_name: barbican_backend_dogtag
config_settings:
barbican::plugins::dogtag::dogtag_plugin_dogtag_host: {get_param: BarbicanDogtagStoreHost}
barbican::plugins::dogtag::dogtag_plugin_dogtag_port: {get_param: BarbicanDogtagStorePort}
barbican::plugins::dogtag::dogtag_plugin_pem_path: {get_param: BarbicanDogtagStorePEMPath}
barbican::plugins::dogtag::dogtag_plugin_nss_password: {get_param: BarbicanDogtagStoreNSSPassword}
barbican::plugins::dogtag::global_default: {get_param: BarbicanDogtagStoreGlobalDefault}
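Review bot: BarbicanDogtagStorePEMPath is declared `hidden: true` in the same way as the NSS password, yet it is a filesystem path rather than a secret; hiding it only strips it from stack parameter output and makes the effective configuration harder to audit without protecting anything. If the intent is not to conceal the path, drop the `hidden: true` under BarbicanDogtagStorePEMPath and keep it on BarbicanDogtagStoreNSSPassword only. The role_data description says "Barbican Dogtag backend" while the KMIP template's says "KMIP crypto backend"; align the wording across the three new templates.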

62
puppet/services/barbican-backend-kmip.yaml

@ -0,0 +1,62 @@
heat_template_version: queens
description: >
Barbican API KMIP backend configured with Puppet
parameters:
# Required default parameters
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BarbicanKmipStoreUsername:
description: Username to connect to KMIP device
type: string
BarbicanKmipStorePassword:
description: Password to connect to KMIP device
type: string
hidden: true
BarbicanKmipStoreHost:
description: Host for KMIP device
type: string
BarbicanKmipStorePort:
description: Port for KMIP device
type: number
BarbicanKmipStoreGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
default: false
outputs:
role_data:
description: Role data for the Barbican KMIP crypto backend.
value:
service_name: barbican_backend_kmip
config_settings:
barbican::plugins::kmip::kmip_plugin_username: {get_param: BarbicanKmipStoreUsername}
barbican::plugins::kmip::kmip_plugin_password: {get_param: BarbicanKmipStorePassword}
barbican::plugins::kmip::kmip_plugin_host: {get_param: BarbicanKmipStoreHost}
barbican::plugins::kmip::kmip_plugin_port: {get_param: BarbicanKmipStorePort}
barbican::plugins::kmip::global_default: {get_param: BarbicanKmipStoreGlobalDefault}
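Review bot: BarbicanKmipStorePort has no default, unlike BarbicanDogtagStorePort which defaults to 8443; the IANA-registered KMIP port is 5696, so `default: 5696` would let the environment file work with only username, password and host set. The template wires only username, password, host and port, so as far as this change goes the TLS session to the KMIP device has no client certificate, key or CA bundle that an operator can configure from Heat; if the puppet class exposes those settings they are worth plumbing through, and if not, the template description should say that TLS material is configured elsewhere. Minor: the top-level description says "KMIP backend" while role_data says "KMIP crypto backend".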

70
puppet/services/barbican-backend-pkcs11-crypto.yaml

@ -0,0 +1,70 @@
heat_template_version: queens
description: >
Barbican API PKCS#11 crypto backend configured with Puppet
parameters:
# Required default parameters
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: number
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: number
BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
default: false
outputs:
role_data:
description: Role data for the Barbican PKCS#11 backend.
value:
service_name: barbican_backend_pkcs11_crypto
config_settings:
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
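Review bot: The first two config_settings entries lack the colon after the hieradata key: `barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}` and the `..._plugin_login` line directly under it. Unless the colon was lost in rendering, YAML reads each as a key ending in `{get_param` with a plain string value, so neither the library path nor the login PIN reaches puppet and the backend cannot initialise. Change them to `barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}` and `barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}`, matching the five lines that follow. BarbicanPkcs11CryptoMKEKLength and BarbicanPkcs11CryptoSlotId are numbers without defaults; giving the MKEK length a default, as the Dogtag template does for its port, would reduce the set of mandatory values.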

3
roles/Controller.yaml

@ -30,6 +30,9 @@
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BarbicanApi
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
- OS::TripleO::Services::BarbicanBackendDogtag
- OS::TripleO::Services::BarbicanBackendKmip
- OS::TripleO::Services::BarbicanBackendPkcs11Crypto
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CeilometerAgentCentral
- OS::TripleO::Services::CeilometerAgentNotification

3
roles/ControllerOpenstack.yaml

@ -24,6 +24,9 @@
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BarbicanApi
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
- OS::TripleO::Services::BarbicanBackendDogtag
- OS::TripleO::Services::BarbicanBackendKmip
- OS::TripleO::Services::BarbicanBackendPkcs11Crypto
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CeilometerAgentCentral
- OS::TripleO::Services::CeilometerAgentNotification

3
roles_data.yaml

@ -33,6 +33,9 @@
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BarbicanApi
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
- OS::TripleO::Services::BarbicanBackendDogtag
- OS::TripleO::Services::BarbicanBackendKmip
- OS::TripleO::Services::BarbicanBackendPkcs11Crypto
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CeilometerAgentCentral
- OS::TripleO::Services::CeilometerAgentNotification
