Add multiple secret store backends for barbican
Change-Id: I7aaa242ee1ecbfcbcc7502b0ce8e5a9191d307f2 Depends-On: I07e52897897f453382f74aa4fdaa98c37e6eca30
This commit is contained in:
parent
18282387c0
commit
f8decc73fc
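--- /dev/null
+++ b/environments/barbican-backend-dogtag.yaml
@@ -0,0 +1,17 @@
+# A Heat environment file to enable the barbican Dogtag backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment these values and
+  # provide an appropriate data
+  #
+  # BarbicanDogtagStoreHost: Hostname of the Dogtag server
+  # BarbicanDogtagStorePort: Port for the Dogtag server
+  # BarbicanDogtagStorePEMPath: Path for the PEM file used to authenticate requests
+  #   - defaults to /etc/barbican/kra_admin_cert.pem
+  # BarbicanDogtagStoreNSSPassword: Password for the NSS DB
+  # BarbicanDogtagStoreGlobalDefault: Whether this plugin is the global default plugin
+  #   - defaults to false
+
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendDogtag: ../puppet/services/barbican-backend-dogtag.yaml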
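Review bot: The comment block under parameter_defaults tells the operator to "uncomment these values", but the lines that follow are descriptions (`# BarbicanDogtagStoreHost: Hostname of the Dogtag server`), so uncommenting them would set each parameter to its description text rather than to a usable value. Either write them as commented-out assignments with an obvious placeholder, e.g. `#  BarbicanDogtagStoreHost: <dogtag hostname>`, or reword the header to say the values must be added by the operator. `# provide an appropriate data` also reads oddly; `# provide the appropriate values` would do. The same "uncomment" wording appears in environments/barbican-backend-kmip.yaml and environments/barbican-backend-pkcs11.yaml.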
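--- /dev/null
+++ b/environments/barbican-backend-kmip.yaml
@@ -0,0 +1,15 @@
+# A Heat environment file to enable the barbican KMIP backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment this value and
+  # provide an appropriate KEK that barbican will use to encrypt secrets
+  # in the database.
+  #
+  # BarbicanKmipStoreUsername: Username to connect to KMIP device
+  # BarbicanKmipStorePassword: Password to connect to KMIP device
+  # BarbicanKmipStoreHost: Host for KMIP device
+  # BarbicanKmipStorePort: Port for KMIP device
+  # BarbicanKmipStoreGlobalDefault: Whether this plugin is the global default plugin
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendKmip: ../puppet/services/barbican-backend-kmip.yaml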
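Review bot: The explanatory comment is carried over from the simple-crypto environment and does not describe this backend: it says to "uncomment this value and provide an appropriate KEK that barbican will use to encrypt secrets in the database", while the parameters listed underneath are connection details and credentials for a KMIP device, and there is no KEK parameter in this file at all. Replace the three lines with something like `# provide the connection details and credentials for the KMIP device.` Because BarbicanKmipStorePassword is expected in parameter_defaults here, the comment should also point operators at keeping that value in a separate, non-committed environment file rather than editing this one in the repository.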
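--- /dev/null
+++ b/environments/barbican-backend-pkcs11.yaml
@@ -0,0 +1,16 @@
+# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment these values and
+  # provide the appropriate values.
+  #
+  # BarbicanPkcs11CryptoLibraryPath: Path to vendor PKCS11 library
+  # BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
+  # BarbicanPkcs11CryptoMKEKLabel: Label for Master KEK
+  # BarbicanPkcs11CryptoMKEKLength: Length of Master KEK in bytes
+  # BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
+  # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
+  # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml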
@ -9,6 +9,5 @@ parameter_defaults:
|
|||||||
# BarbicanSimpleCryptoGlobalDefault : whether this plugin is the global default
|
# BarbicanSimpleCryptoGlobalDefault : whether this plugin is the global default
|
||||||
# -- defaults to false
|
# -- defaults to false
|
||||||
|
|
||||||
|
|
||||||
resource_registry:
|
resource_registry:
|
||||||
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
|
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
|
||||||
|
@ -249,6 +249,9 @@ resource_registry:
|
|||||||
OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
|
OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
|
||||||
OS::TripleO::Services::BarbicanApi: OS::Heat::None
|
OS::TripleO::Services::BarbicanApi: OS::Heat::None
|
||||||
OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
|
OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
|
||||||
|
OS::TripleO::Services::BarbicanBackendDogtag: OS::Heat::None
|
||||||
|
OS::TripleO::Services::BarbicanBackendKmip: OS::Heat::None
|
||||||
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: OS::Heat::None
|
||||||
OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
|
OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
|
||||||
OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
|
OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
|
||||||
OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml
|
OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml
|
||||||
|
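--- /dev/null
+++ b/puppet/services/barbican-backend-dogtag.yaml
@@ -0,0 +1,65 @@
+heat_template_version: queens
+
+description: >
+  Barbican API Dogtag backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  BarbicanDogtagStoreHost:
+    description: Hostname of the Dogtag server
+    type: string
+  BarbicanDogtagStorePort:
+    description: Port for the Dogtag server
+    default: 8443
+    type: number
+  BarbicanDogtagStorePEMPath:
+    description: Path for the PEM file used to authenticate requests
+    type: string
+    default: '/etc/barbican/kra_admin_cert.pem'
+    hidden: true
+  BarbicanDogtagStoreNSSPassword:
+    description: Password for the NSS DB
+    type: string
+    hidden: true
+  BarbicanDogtagStoreGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
+
+outputs:
+  role_data:
+    description: Role data for the Barbican Dogtag backend.
+    value:
+      service_name: barbican_backend_dogtag
+      config_settings:
+        barbican::plugins::dogtag::dogtag_plugin_dogtag_host: {get_param: BarbicanDogtagStoreHost}
+        barbican::plugins::dogtag::dogtag_plugin_dogtag_port: {get_param: BarbicanDogtagStorePort}
+        barbican::plugins::dogtag::dogtag_plugin_pem_path: {get_param: BarbicanDogtagStorePEMPath}
+        barbican::plugins::dogtag::dogtag_plugin_nss_password: {get_param: BarbicanDogtagStoreNSSPassword}
+        barbican::plugins::dogtag::global_default: {get_param: BarbicanDogtagStoreGlobalDefault}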
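Review bot: `hidden: true` on BarbicanDogtagStorePEMPath marks a filesystem path as sensitive, which only hides it from stack parameter output and makes a wrong path harder to diagnose; the flag appears to have been copied from BarbicanDogtagStoreNSSPassword below, where it belongs. Unless the path itself is meant to be confidential, drop the `hidden: true` line from the PEMPath parameter. The description should also state that the file at the default path `/etc/barbican/kra_admin_cert.pem` is not created by this template and must be provisioned on the node before the service is deployed, since nothing here checks for it.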
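--- /dev/null
+++ b/puppet/services/barbican-backend-kmip.yaml
@@ -0,0 +1,62 @@
+heat_template_version: queens
+
+description: >
+  Barbican API KMIP backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  BarbicanKmipStoreUsername:
+    description: Username to connect to KMIP device
+    type: string
+  BarbicanKmipStorePassword:
+    description: Password to connect to KMIP device
+    type: string
+    hidden: true
+  BarbicanKmipStoreHost:
+    description: Host for KMIP device
+    type: string
+  BarbicanKmipStorePort:
+    description: Port for KMIP device
+    type: number
+  BarbicanKmipStoreGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
+
+outputs:
+  role_data:
+    description: Role data for the Barbican KMIP crypto backend.
+    value:
+      service_name: barbican_backend_kmip
+      config_settings:
+        barbican::plugins::kmip::kmip_plugin_username: {get_param: BarbicanKmipStoreUsername}
+        barbican::plugins::kmip::kmip_plugin_password: {get_param: BarbicanKmipStorePassword}
+        barbican::plugins::kmip::kmip_plugin_host: {get_param: BarbicanKmipStoreHost}
+        barbican::plugins::kmip::kmip_plugin_port: {get_param: BarbicanKmipStorePort}
+        barbican::plugins::kmip::global_default: {get_param: BarbicanKmipStoreGlobalDefault}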
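Review bot: The KMIP backend is wired with only username/password and host/port; the template surfaces no TLS client settings, so an operator cannot supply the CA bundle used to verify the KMIP device or a client certificate from the deployment, and the password is then presented to whatever endpoint the configured host resolves to. If the `barbican::plugins::kmip` class in puppet-barbican exposes the keyfile/certfile/ca_certs options (it does in the versions I am aware of, but confirm against the pinned module), add matching BarbicanKmipStore* parameters and config_settings entries for them. Two smaller points in the same hunk: BarbicanKmipStorePort has no default while BarbicanDogtagStorePort defaults to 8443, so either add one or note in the description that it is required; and the role_data description `Role data for the Barbican KMIP crypto backend.` should say secret store backend, since the parameters above configure a secret store plugin, matching the commit title.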
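--- /dev/null
+++ b/puppet/services/barbican-backend-pkcs11-crypto.yaml
@@ -0,0 +1,70 @@
+heat_template_version: queens
+
+description: >
+  Barbican API PKCS#11 crypto backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  BarbicanPkcs11CryptoLibraryPath:
+    description: Path to vendor PKCS11 library
+    type: string
+  BarbicanPkcs11CryptoLogin:
+    description: Password to login to PKCS11 session
+    type: string
+    hidden: true
+  BarbicanPkcs11CryptoMKEKLabel:
+    description: Label for Master KEK
+    type: string
+  BarbicanPkcs11CryptoMKEKLength:
+    description: Length of Master KEK in bytes
+    type: number
+  BarbicanPkcs11CryptoHMACLabel:
+    description: Label for the HMAC key
+    type: string
+  BarbicanPkcs11CryptoSlotId:
+    description: Slot Id for the HSM
+    type: number
+  BarbicanPkcs11CryptoGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
+
+outputs:
+  role_data:
+    description: Role data for the Barbican PKCS#11 backend.
+    value:
+      service_name: barbican_backend_pkcs11_crypto
+      config_settings:
+        barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
+        barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}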
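Review bot: The first two config_settings entries are missing the colon between the hiera key and the get_param value: `barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}` and the `...p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}` line below it. As written, YAML reads each as a mapping whose key ends in `{get_param`, so neither the PKCS#11 library path nor the HSM login is ever passed to the plugin and the backend cannot open a session, while the template itself still validates. They should read `barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}` and `barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}`, matching the five entries that follow.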
@ -30,6 +30,9 @@
|
|||||||
- OS::TripleO::Services::AuditD
|
- OS::TripleO::Services::AuditD
|
||||||
- OS::TripleO::Services::BarbicanApi
|
- OS::TripleO::Services::BarbicanApi
|
||||||
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
|
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
|
||||||
|
- OS::TripleO::Services::BarbicanBackendDogtag
|
||||||
|
- OS::TripleO::Services::BarbicanBackendKmip
|
||||||
|
- OS::TripleO::Services::BarbicanBackendPkcs11Crypto
|
||||||
- OS::TripleO::Services::CACerts
|
- OS::TripleO::Services::CACerts
|
||||||
- OS::TripleO::Services::CeilometerAgentCentral
|
- OS::TripleO::Services::CeilometerAgentCentral
|
||||||
- OS::TripleO::Services::CeilometerAgentNotification
|
- OS::TripleO::Services::CeilometerAgentNotification
|
||||||
|
@ -24,6 +24,9 @@
|
|||||||
- OS::TripleO::Services::AuditD
|
- OS::TripleO::Services::AuditD
|
||||||
- OS::TripleO::Services::BarbicanApi
|
- OS::TripleO::Services::BarbicanApi
|
||||||
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
|
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
|
||||||
|
- OS::TripleO::Services::BarbicanBackendDogtag
|
||||||
|
- OS::TripleO::Services::BarbicanBackendKmip
|
||||||
|
- OS::TripleO::Services::BarbicanBackendPkcs11Crypto
|
||||||
- OS::TripleO::Services::CACerts
|
- OS::TripleO::Services::CACerts
|
||||||
- OS::TripleO::Services::CeilometerAgentCentral
|
- OS::TripleO::Services::CeilometerAgentCentral
|
||||||
- OS::TripleO::Services::CeilometerAgentNotification
|
- OS::TripleO::Services::CeilometerAgentNotification
|
||||||
|
@ -33,6 +33,9 @@
|
|||||||
- OS::TripleO::Services::AuditD
|
- OS::TripleO::Services::AuditD
|
||||||
- OS::TripleO::Services::BarbicanApi
|
- OS::TripleO::Services::BarbicanApi
|
||||||
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
|
- OS::TripleO::Services::BarbicanBackendSimpleCrypto
|
||||||
|
- OS::TripleO::Services::BarbicanBackendDogtag
|
||||||
|
- OS::TripleO::Services::BarbicanBackendKmip
|
||||||
|
- OS::TripleO::Services::BarbicanBackendPkcs11Crypto
|
||||||
- OS::TripleO::Services::CACerts
|
- OS::TripleO::Services::CACerts
|
||||||
- OS::TripleO::Services::CeilometerAgentCentral
|
- OS::TripleO::Services::CeilometerAgentCentral
|
||||||
- OS::TripleO::Services::CeilometerAgentNotification
|
- OS::TripleO::Services::CeilometerAgentNotification
|
||||||
|