From 7ab351d8d5cbc4c83bfd2ac2c93b960ce5f2e2c4 Mon Sep 17 00:00:00 2001
From: "Matthew J. Black"
Date: Wed, 29 May 2019 09:51:38 -0400
Subject: [PATCH] Add Vault Secret Store Plugin
Barbican can utilize Hashicorp Vault software as a secret store backend. Added a new plugin manifest to configure the vault_plugin section.
Change-Id: Idef1bdfd20b4820963e084657b46e07660be248c
---
manifests/plugins/vault.pp | 61 +++++++++
.../add_vault_plugin-ba10e2519dbf247c.yaml | 3 +
spec/classes/barbican_plugins_vault_spec.rb | 122 ++++++++++++++++++
3 files changed, 186 insertions(+)
create mode 100644 manifests/plugins/vault.pp
create mode 100644 releasenotes/notes/add_vault_plugin-ba10e2519dbf247c.yaml
create mode 100644 spec/classes/barbican_plugins_vault_spec.rb
diff --git a/manifests/plugins/vault.pp b/manifests/plugins/vault.pp
new file mode 100644
index 00000000..74989b37
--- /dev/null
+++ b/manifests/plugins/vault.pp
@@ -0,0 +1,61 @@
+# == Class: barbican::plugins::vault
+#
+# Sets up Barbican vault plugin
+#
+# === Parameters
+#
+# [*vault_url*]
+# (optional) The Vault URL.
+# Defaults to $::os_service_default
+#
+# [*root_token_id*]
+# (optional) Vault Root Token ID.
+# Defaults to $::os_service_default
+#
+# [*approle_role_id*]
+# (optional) Set the approle role ID.
+# Defaults to $::os_service_default
+#
+# [*approle_secret_id*]
+# (optional) Set the approle secret ID.
+# Defaults to $::os_service_default
+#
+# [*kv_mountpoint*]
+# (optional) Set the mountpoint of the KV.
+# Defaults to $::os_service_default
+#
+# [*use_ssl*]
+# (optional) Enable or disable SSL
+# Defaults to false
+#
+# [*ssl_ca_crt_file*]
+# (optional) Set the ssl CA cert file
+# Defaults to $::os_service_default
+#
+# [*global_default*]
+# (optional) set plugin as global default
+# Defaults to false
+#
+class barbican::plugins::vault (
+ $vault_url = $::os_service_default,
+ $root_token_id = $::os_service_default,
+ $approle_role_id = $::os_service_default,
+ $approle_secret_id = $::os_service_default,
+ $kv_mountpoint = $::os_service_default,
+ $use_ssl = false,
+ $ssl_ca_crt_file = $::os_service_default,
+ $global_default = false,
+) {
+
+ barbican_config {
+ 'secretstore:vault/secret_store_plugin': value => 'vault_plugin';
+ 'secretstore:vault/global_default': value => $global_default;
+ 'vault_plugin/vault_url': value => $vault_url;
+ 'vault_plugin/root_token_id': value => $root_token_id;
+ 'vault_plugin/approle_role_id': value => $approle_role_id;
+ 'vault_plugin/approle_secret_id': value => $approle_secret_id;
+ 'vault_plugin/kv_mountpoint': value => $kv_mountpoint;
+ 'vault_plugin/use_ssl': value => $use_ssl;
+ 'vault_plugin/ssl_ca_crt_file': value => $ssl_ca_crt_file;
+ }
+}
diff --git a/releasenotes/notes/add_vault_plugin-ba10e2519dbf247c.yaml b/releasenotes/notes/add_vault_plugin-ba10e2519dbf247c.yaml
new file mode 100644
index 00000000..0958a65b
--- /dev/null
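Review bot: The `'vault_plugin/root_token_id'` and `'vault_plugin/approle_secret_id'` entries of the `barbican_config` resource carry credentials but are declared like every other key, so their values are printed in Puppet change diffs, reports and agent logs whenever they change; the openstack `*_config` types take `secret => true` for this case, so I would write `'vault_plugin/root_token_id': value => $root_token_id, secret => true;` and `'vault_plugin/approle_secret_id': value => $approle_secret_id, secret => true;` (assuming `barbican_config` inherits that parameter from the shared inifile provider — worth confirming). The `[*root_token_id*]` doc could also steer operators away from the unrestricted credential, e.g. `# (optional) Vault Root Token ID. A root token is unrestricted; prefer approle_role_id/approle_secret_id outside of testing.` Likewise `use_ssl` defaults to `false`, so whichever credential is configured is sent to `vault_url` in the clear unless the operator opts in; the `[*use_ssl*]` comment should say so rather than only "Enable or disable SSL".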
+++ b/releasenotes/notes/add_vault_plugin-ba10e2519dbf247c.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added vault secret store plugin
diff --git a/spec/classes/barbican_plugins_vault_spec.rb b/spec/classes/barbican_plugins_vault_spec.rb
new file mode 100644
index 00000000..b9af54bb
--- /dev/null
+++ b/spec/classes/barbican_plugins_vault_spec.rb
@@ -0,0 +1,122 @@
+#
+# Copyright (C) 2019 Matthew J. Black
+#
+# Author: Matthew J. Black
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for barbican::plugins::vault class
+#
+require 'spec_helper'
+
+describe 'barbican::plugins::vault' do
+
+ shared_examples_for 'barbican plugins vault' do
+ describe 'with minimal parameters passed into vault plugin' do
+ let :params do
+ {
+ :vault_url => 'http://127.0.0.1:8200',
+ :root_token_id => 'barbican_root_token_id',
+ :global_default => true,
+ }
+ end
+
+ it 'is_expected.to set vault plugin parameters' do
+ is_expected.to contain_barbican_config('vault_plugin/vault_url') \
+ .with_value(params[:vault_url])
+ is_expected.to contain_barbican_config(
+ 'secretstore:vault/secret_store_plugin') \
+ .with_value('vault_plugin')
+ is_expected.to contain_barbican_config(
+ 'secretstore:vault/global_default') \
+ .with_value('true')
+ end
+ end
+
+ describe 'with approle parameters passed into vault plugin' do
+ let :params do
+ {
+ :vault_url => 'https://127.0.0.1:8200',
+ :use_ssl => true,
+ :approle_role_id => 'barbican_approle_role_id',
+ :approle_secret_id => 'barbican_approle_secret_id',
+ :kv_mountpoint => 'barbican_secrets',
+ }
+ end
+
+ it 'is_expected.to set vault plugin parameters' do
+ is_expected.to contain_barbican_config('vault_plugin/vault_url') \
+ .with_value(params[:vault_url])
+ is_expected.to contain_barbican_config('vault_plugin/use_ssl') \
+ .with_value(params[:use_ssl])
+ is_expected.to 
contain_barbican_config('vault_plugin/approle_role_id') \
+ .with_value(params[:approle_role_id])
+ is_expected.to contain_barbican_config('vault_plugin/approle_secret_id') \
+ .with_value(params[:approle_secret_id])
+ is_expected.to contain_barbican_config('vault_plugin/kv_mountpoint') \
+ .with_value(params[:kv_mountpoint])
+ is_expected.to contain_barbican_config(
+ 'secretstore:vault/secret_store_plugin') \
+ .with_value('vault_plugin')
+ is_expected.to contain_barbican_config(
+ 'secretstore:vault/global_default') \
+ .with_value('false')
+ end
+ end
+
+ describe 'with no parameter passed into vault plugin' do
+ let :params do
+ {}
+ end
+
+ it 'is_expected.to set default vault parameters' do
+ is_expected.to contain_barbican_config('vault_plugin/vault_url') \
+ .with_value('')
+ is_expected.to contain_barbican_config('vault_plugin/root_token_id') \
+ .with_value('')
+ is_expected.to contain_barbican_config('vault_plugin/approle_role_id') \
+ .with_value('')
+ is_expected.to contain_barbican_config('vault_plugin/approle_secret_id') \
+ .with_value('')
+ is_expected.to contain_barbican_config('vault_plugin/kv_mountpoint') \
+ .with_value('')
+ is_expected.to contain_barbican_config('vault_plugin/use_ssl') \
+ .with_value('false')
+ is_expected.to contain_barbican_config('vault_plugin/ssl_ca_crt_file') \
+ .with_value('')
+ is_expected.to contain_barbican_config(
+ 'secretstore:vault/secret_store_plugin') \
+ .with_value('vault_plugin')
+ is_expected.to contain_barbican_config(
+ 'secretstore:vault/global_default') \
+ .with_value('false')
+ end
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts({
+ :processorcount => 8,
+ :fqdn => 'some.host.tld',
+ :concat_basedir => '/var/lib/puppet/concat',
+ }))
+ end
+
+ it_configures 'barbican plugins vault'
+ end
+ end
+end
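Review bot: The 'with no parameter passed into vault plugin' example asserts `.with_value('')` for every key whose manifest default is `$::os_service_default`, whereas the facts this file builds with `OSDefaults.get_facts` in other puppet-openstack specs represent that default as the string `'<SERVICE DEFAULT>'`; if that is the case here too, these expectations only pass through lenient matching and should read `.with_value('<SERVICE DEFAULT>')` — worth checking against spec_helper before relying on them. Coverage is also thinnest on the sensitive keys: the first example sets `:root_token_id` but never asserts `vault_plugin/root_token_id`, and no example passes `ssl_ca_crt_file`, so a regression in either line of the manifest would go unnoticed. As a style point, the example descriptions `'is_expected.to set vault plugin parameters'` read like matcher code; `'sets the vault plugin parameters'` is the conventional phrasing.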