From d2625af949e7ac65174b7158afc1bfab532a925e Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 8 Mar 2024 13:39:50 +0900 Subject: [PATCH] Deprecate parameters for certificate plugins ... because certificate plugins were deprecated some time ago in Barbican and are being removed in this cycle. Depends-on: https://review.opendev.org/c/openstack/barbican/+/909640 Change-Id: Ie2dacb037a3d5ba8f1732ddb8f4b8ea8ded1e5ed --- manifests/api.pp | 42 ++++++++++------- manifests/plugins/dogtag.pp | 45 ++++++++++++------- ...tificate-plugin-opts-cfecb5a4692fa7fc.yaml | 11 +++++ spec/classes/barbican_api_spec.rb | 8 ---- spec/classes/barbican_plugins_dogtag_spec.rb | 33 +++++--------- 5 files changed, 80 insertions(+), 59 deletions(-) create mode 100644 releasenotes/notes/deprecate-certificate-plugin-opts-cfecb5a4692fa7fc.yaml diff --git a/manifests/api.pp b/manifests/api.pp index 5930e8a0..50981d0f 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -157,15 +157,6 @@ # are defined in a list eg. ['simple_crypto','p11_crypto'] # Defaults to false # -# [*enabled_certificate_plugins*] -# (optional) Enabled certificate plugins as a list. -# e.g. ['snakeoil_ca', 'dogtag'] -# Defaults to $facts['os_service_default'] -# -# [*enabled_certificate_event_plugins*] -# (optional) Enabled certificate event plugins as a list -# Defaults to $facts['os_service_default'] -# # [*kombu_ssl_ca_certs*] # (optional) SSL certification authority file (valid only if SSL enabled). # Defaults to $facts['os_service_default'] @@ -248,6 +239,16 @@ # (Optional) Default page size for the 'limit' paging URL parameter. # Defaults to $facts['os_service_default'] # +# DEPRECATED PARAMETERS +# +# [*enabled_certificate_plugins*] +# (optional) Enabled certificate plugins as a list. +# Defaults to undef +# +# [*enabled_certificate_event_plugins*] +# (optional) Enabled certificate event plugins as a list +# Defaults to undef +# class barbican::api ( $package_ensure = 'present', $bind_host = '0.0.0.0', 
@@ -280,8 +281,6 @@ class barbican::api ( $enabled_crypto_plugins = $facts['os_service_default'], $enabled_secret_stores = 'simple_crypto', Boolean $multiple_secret_stores_enabled = false, - $enabled_certificate_plugins = $facts['os_service_default'], - $enabled_certificate_event_plugins = $facts['os_service_default'], $kombu_ssl_ca_certs = $facts['os_service_default'], $kombu_ssl_certfile = $facts['os_service_default'], $kombu_ssl_keyfile = $facts['os_service_default'], @@ -299,6 +298,9 @@ class barbican::api ( $max_request_body_size = $facts['os_service_default'], $max_limit_paging = $facts['os_service_default'], $default_limit_paging = $facts['os_service_default'], + # DEPRECATED PARAMETERS + $enabled_certificate_plugins = undef, + $enabled_certificate_event_plugins = undef, ) inherits barbican::params { include barbican::deps @@ -306,6 +308,12 @@ class barbican::api ( include barbican::client include barbican::policy + ['enabled_certificate_plugins', 'enabled_certificate_event_plugins'].each |String $opt| { + if getvar($opt) != undef { + warning("The ${opt} parameter has been deprecated and has no effect.") + } + } + package { 'barbican-api': ensure => $package_ensure, name => $::barbican::params::api_package_name, 
@@ -379,10 +387,14 @@ class barbican::api ( # enabled plugins barbican_config { - 'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins; - 'crypto/enabled_crypto_plugins': value => $enabled_crypto_plugins; - 'certificate/enabled_certificate_plugins': value => $enabled_certificate_plugins; - 'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins; + 'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins; + 'crypto/enabled_crypto_plugins': value => $enabled_crypto_plugins; + } + + # TODO(tkajinam): Remove this after 2024.1 release + barbican_config { + 'certificate/enabled_certificate_plugins': ensure => absent; + 'certificate_event/enabled_certificate_event_plugins': ensure => absent; } # enabled plugins when multiple plugins is enabled diff --git a/manifests/plugins/dogtag.pp b/manifests/plugins/dogtag.pp index 78db92cb..58f38e0f 100644 --- a/manifests/plugins/dogtag.pp +++ b/manifests/plugins/dogtag.pp @@ -27,6 +27,12 @@ # (optional) Path to plugin NSS DB # Defaults to $facts['os_service_default'] # +# [*global_default*] +# (optional) set plugin as global default +# Defaults to false +# +# DEPRECATED PARAMETERS +# # [*dogtag_plugin_simple_cmc_profile*] # (optional) Profile for simple CMC enrollment. # Defaults to $facts['os_service_default'] @@ -39,10 +45,6 @@ # (optional) Working directory for Dogtag plugin # Defaults to $facts['os_service_default'] # -# [*global_default*] -# (optional) set plugin as global default -# Defaults to false -# class barbican::plugins::dogtag ( $dogtag_plugin_nss_password, $dogtag_plugin_ensure_package = 'present', 
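Review bot: The two `ensure => absent` resources added at the end of this hunk have no spec coverage, because the commit removes the `with_value` expectations for these keys from spec/classes/barbican_api_spec.rb without adding replacements. I would add `is_expected.to contain_barbican_config('certificate/enabled_certificate_plugins').with_ensure('absent')` and the same for `certificate_event/enabled_certificate_event_plugins`, so that a regression which leaves stale options in barbican.conf is caught. The same gap exists for the three `dogtag_plugin/*` keys set to `ensure => absent` in manifests/plugins/dogtag.pp and its spec. The class body continues outside the hunk.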
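Review bot: The parameter documentation that now sits under the new `DEPRECATED PARAMETERS` heading in manifests/plugins/dogtag.pp still says `Defaults to $facts['os_service_default']` for `dogtag_plugin_simple_cmc_profile` and `dogtag_plugin_plugin_working_dir`, while the class signature in this commit changes their defaults to `undef`. Each entry should read `# Defaults to undef`, as the matching entries in manifests/api.pp do. The entry for `dogtag_plugin_ca_expiration_time` lies between the two hunks and presumably needs the same edit. A short remark in each entry that the parameter no longer has any effect would save operators a trip to the release notes.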
@@ -50,15 +52,24 @@ class barbican::plugins::dogtag ( $dogtag_plugin_dogtag_host = $facts['os_service_default'], $dogtag_plugin_dogtag_port = $facts['os_service_default'], $dogtag_plugin_nss_db_path = $facts['os_service_default'], - $dogtag_plugin_simple_cmc_profile = $facts['os_service_default'], - $dogtag_plugin_ca_expiration_time = $facts['os_service_default'], - $dogtag_plugin_plugin_working_dir = $facts['os_service_default'], $global_default = false, + # DEPRECATED PARAMETERS + $dogtag_plugin_simple_cmc_profile = undef, + $dogtag_plugin_ca_expiration_time = undef, + $dogtag_plugin_plugin_working_dir = undef, ) { include barbican::deps include barbican::params + [ + 'simple_cmc_profile', 'ca_expiration_time', 'plugin_working_dir' + ].each |String $opt| { + if getvar("dogtag_plugin_${opt}") != undef { + warning("The dogtag_plugin_${opt} parameter has been deprecated and has no effect") + } + } + package {'dogtag-client': ensure => $dogtag_plugin_ensure_package, name => $::barbican::params::dogtag_client_package, 
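Review bot: The deprecation loop builds the parameter names by interpolation (`getvar("dogtag_plugin_${opt}")`), so searching the module for `dogtag_plugin_simple_cmc_profile` will not find the place where the parameter is checked. manifests/api.pp iterates over the full names; doing the same here, `['dogtag_plugin_simple_cmc_profile', 'dogtag_plugin_ca_expiration_time', 'dogtag_plugin_plugin_working_dir'].each |String $opt| {` with `getvar($opt)`, keeps the two classes consistent and the names greppable. The warning text here also lacks the trailing period used in api.pp. The hunk starts inside the class parameter list and the class body continues past its end.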
@@ -71,13 +82,17 @@ class barbican::plugins::dogtag ( } barbican_config { - 'dogtag_plugin/pem_path': value => $dogtag_plugin_pem_path; - 'dogtag_plugin/dogtag_host': value => $dogtag_plugin_dogtag_host; - 'dogtag_plugin/dogtag_port': value => $dogtag_plugin_dogtag_port; - 'dogtag_plugin/nss_db_path': value => $dogtag_plugin_nss_db_path; - 'dogtag_plugin/nss_password': value => $dogtag_plugin_nss_password, secret => true; - 'dogtag_plugin/simple_cmc_profile': value => $dogtag_plugin_simple_cmc_profile; - 'dogtag_plugin/ca_expiration_time': value => $dogtag_plugin_ca_expiration_time; - 'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir; + 'dogtag_plugin/pem_path': value => $dogtag_plugin_pem_path; + 'dogtag_plugin/dogtag_host': value => $dogtag_plugin_dogtag_host; + 'dogtag_plugin/dogtag_port': value => $dogtag_plugin_dogtag_port; + 'dogtag_plugin/nss_db_path': value => $dogtag_plugin_nss_db_path; + 'dogtag_plugin/nss_password': value => $dogtag_plugin_nss_password, secret => true; + } + + # TODO(tkajinam): Remove this after 2024.1 release + barbican_config { + 'dogtag_plugin/simple_cmc_profile': ensure => absent; + 'dogtag_plugin/ca_expiration_time': ensure => absent; + 'dogtag_plugin/plugin_working_dir': ensure => absent; } } diff --git a/releasenotes/notes/deprecate-certificate-plugin-opts-cfecb5a4692fa7fc.yaml b/releasenotes/notes/deprecate-certificate-plugin-opts-cfecb5a4692fa7fc.yaml new file mode 100644 index 00000000..d7fd0c95 --- /dev/null +++ b/releasenotes/notes/deprecate-certificate-plugin-opts-cfecb5a4692fa7fc.yaml 
@@ -0,0 +1,11 @@ +--- +deprecations: + - | + The following parameters have been deprecated and have no effect now, + because certificate plugins have beeen removed from barbican. + + - ``barbican::api::enabled_certificate_plugins`` + - ``barbican::api::enabled_certificate_event_plugins`` + - ``barbican::plugins::dogtag::dogtag_plugin_simple_cmc_profile`` + - ``barbican::plugins::dogtag::dogtag_plugin_ca_expiration_time`` + - ``barbican::plugins::dogtag::dogtag_plugin_plugin_working_dir`` diff --git a/spec/classes/barbican_api_spec.rb b/spec/classes/barbican_api_spec.rb index 6595115e..76295df0 100644 --- a/spec/classes/barbican_api_spec.rb +++ b/spec/classes/barbican_api_spec.rb @@ -59,8 +59,6 @@ describe 'barbican::api' do :enabled => true, :enabled_secretstore_plugins => [''], :enabled_crypto_plugins => [''], - :enabled_certificate_plugins => [''], - :enabled_certificate_event_plugins => [''], :auth_strategy => 'keystone', :service_name => platform_params[:service_name], :enable_proxy_headers_parsing => '', @@ -107,8 +105,6 @@ describe 'barbican::api' do :kombu_compression => 'gzip', :enabled_secretstore_plugins => ['dogtag_crypto', 'store_crypto', 'kmip'], :enabled_crypto_plugins => ['simple_crypto'], - :enabled_certificate_plugins => ['simple_certificate', 'dogtag'], - :enabled_certificate_event_plugins => ['simple_certificate_event', 'foo_event'], :max_allowed_secret_in_bytes => 20000, :max_allowed_request_size_in_bytes => 2000000, :enable_proxy_headers_parsing => false, 
@@ -195,10 +191,6 @@ describe 'barbican::api' do .with_value(param_hash[:enabled_secretstore_plugins]) is_expected.to contain_barbican_config('crypto/enabled_crypto_plugins') \ .with_value(param_hash[:enabled_crypto_plugins]) - is_expected.to contain_barbican_config('certificate/enabled_certificate_plugins') \ - .with_value(param_hash[:enabled_certificate_plugins]) - is_expected.to contain_barbican_config('certificate_event/enabled_certificate_event_plugins') \ - .with_value(param_hash[:enabled_certificate_event_plugins]) end it 'configures plugins in multiple plugin config' do diff --git a/spec/classes/barbican_plugins_dogtag_spec.rb b/spec/classes/barbican_plugins_dogtag_spec.rb index 3a5832c3..2868c682 100644 --- a/spec/classes/barbican_plugins_dogtag_spec.rb +++ b/spec/classes/barbican_plugins_dogtag_spec.rb @@ -22,15 +22,12 @@ require 'spec_helper' describe 'barbican::plugins::dogtag' do let :default_params do { - :dogtag_plugin_ensure_package => 'present', - :dogtag_plugin_pem_path => '', - :dogtag_plugin_dogtag_host => '', - :dogtag_plugin_dogtag_port => '', - :dogtag_plugin_nss_db_path => '', - :dogtag_plugin_simple_cmc_profile => '', - :dogtag_plugin_ca_expiration_time => '', - :dogtag_plugin_plugin_working_dir => '', - :global_default => false, + :dogtag_plugin_ensure_package => 'present', + :dogtag_plugin_pem_path => '', + :dogtag_plugin_dogtag_host => '', + :dogtag_plugin_dogtag_port => '', + :dogtag_plugin_nss_db_path => '', + :global_default => false, } end 
@@ -39,15 +36,12 @@ describe 'barbican::plugins::dogtag' do :dogtag_plugin_nss_password => 'password', }, { - :dogtag_plugin_pem_path => 'path_to_pem_file', - :dogtag_plugin_dogtag_host => 'dogtag_host', - :dogtag_plugin_dogtag_port => '1234', - :dogtag_plugin_nss_db_path => 'path_to_nss_db', - :dogtag_plugin_nss_password => 'password', - :dogtag_plugin_simple_cmc_profile => 'caServerCert', - :dogtag_plugin_ca_expiration_time => '100', - :dogtag_plugin_plugin_working_dir => 'path_to_working_dir', - :global_default => true, + :dogtag_plugin_pem_path => 'path_to_pem_file', + :dogtag_plugin_dogtag_host => 'dogtag_host', + :dogtag_plugin_dogtag_port => '1234', + :dogtag_plugin_nss_db_path => 'path_to_nss_db', + :dogtag_plugin_nss_password => 'password', + :global_default => true, } ].each do |param_set| context "when #{param_set == {} ? "using default" : "specifying"} class parameters" do @@ -71,9 +65,6 @@ describe 'barbican::plugins::dogtag' do should contain_barbican_config('dogtag_plugin/dogtag_port').with_value(param_hash[:dogtag_plugin_dogtag_port]) should contain_barbican_config('dogtag_plugin/nss_db_path').with_value(param_hash[:dogtag_plugin_nss_db_path]) should contain_barbican_config('dogtag_plugin/nss_password').with_value(param_hash[:dogtag_plugin_nss_password]).with_secret(true) - should contain_barbican_config('dogtag_plugin/simple_cmc_profile').with_value(param_hash[:dogtag_plugin_simple_cmc_profile]) - should contain_barbican_config('dogtag_plugin/ca_expiration_time').with_value(param_hash[:dogtag_plugin_ca_expiration_time]) - should contain_barbican_config('dogtag_plugin/plugin_working_dir').with_value(param_hash[:dogtag_plugin_plugin_working_dir]) should contain_barbican_config('secretstore:dogtag/secret_store_plugin').with_value('dogtag_crypto') should contain_barbican_config('secretstore:dogtag/global_default').with_value(param_hash[:global_default]) }