From 950dbd08d34d09944a5c090a1c85f21345d5ac09 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 18 Sep 2025 00:52:18 +0900
Subject: [PATCH] Fix missing session options for Barbican key manager

Depends-on: https://review.opendev.org/960389
Change-Id: I13f86c0210ed5af39804bb5a4016f27c396ac53d
Signed-off-by: Takashi Kajinami
---
 manifests/key_manager/barbican.pp | 33 +++++++++++++++++++
 ...ager-session-options-a3cf6f292d5d0879.yaml | 15 +++++++++
 .../classes/nova_key_manager_barbican_spec.rb | 15 +++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 releasenotes/notes/key-manager-session-options-a3cf6f292d5d0879.yaml

diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp
index b1655727b..478340f0a 100644
--- a/manifests/key_manager/barbican.pp
+++ b/manifests/key_manager/barbican.pp
@@ -37,6 +37,29 @@
 # (Optional) The service uses service token feature when this is set as true.
 # Defaults to $facts['os_service_default']
 #
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $facts['os_service_default']
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $facts['os_service_default'].
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $facts['os_service_default'].
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $facts['os_service_default'].
+#
+# [*timeout*]
+# (Optional) Timeout value for connecting to barbican in seconds.
+# Defaults to $facts['os_service_default']
+#
 class nova::key_manager::barbican (
 $barbican_endpoint = $facts['os_service_default'],
 $barbican_api_version = $facts['os_service_default'],
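Review bot: The added `insecure` entry in the class header says "not recommended" without stating the consequence, and the `certfile`/`keyfile` entries speak of the "identity server" although they are documented here as options of the Barbican key manager class. I would spell the risk out, e.g. `#   When true, the server certificate is not verified; prefer cafile to trust a private CA.`, and describe `keyfile` as the path to the client private key, which should be readable only by the service user. How `cafile` behaves when `insecure` is true is not visible here and is worth confirming against the underlying session options before documenting it. `HTTPs` in the `cafile` entry should read `HTTPS`. The class body continues outside this hunk.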
@@ -46,6 +69,11 @@ class nova::key_manager::barbican (
 $barbican_endpoint_type = $facts['os_service_default'],
 $barbican_region_name = $facts['os_service_default'],
 $send_service_user_token = $facts['os_service_default'],
+ $insecure = $facts['os_service_default'],
+ $cafile = $facts['os_service_default'],
+ $certfile = $facts['os_service_default'],
+ $keyfile = $facts['os_service_default'],
+ $timeout = $facts['os_service_default'],
 ) {
 include nova::deps
@@ -64,5 +92,10 @@ class nova::key_manager::barbican (
 barbican_endpoint_type => $barbican_endpoint_type,
 barbican_region_name => $barbican_region_name,
 send_service_user_token => $send_service_user_token,
+ insecure => $insecure,
+ cafile => $cafile,
+ certfile => $certfile,
+ keyfile => $keyfile,
+ timeout => $timeout,
 }
 }
diff --git a/releasenotes/notes/key-manager-session-options-a3cf6f292d5d0879.yaml b/releasenotes/notes/key-manager-session-options-a3cf6f292d5d0879.yaml
new file mode 100644
index 000000000..480d39e59
--- /dev/null
+++ b/releasenotes/notes/key-manager-session-options-a3cf6f292d5d0879.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ The following parameters have been added to
+ the ``nova::key_manager::barbican`` class.
+
+ - ``insecure``
+ - ``cafile``
+ - ``certfile``
+ - ``keyfile``
+ - ``timeout``
+
+ - |
+ The new ``nova::key_manager::barbican::service_user::timeout`` parameter
+ has been added.
diff --git a/spec/classes/nova_key_manager_barbican_spec.rb b/spec/classes/nova_key_manager_barbican_spec.rb
index 7daad30ba..20b0b1b5e 100644
--- a/spec/classes/nova_key_manager_barbican_spec.rb
+++ b/spec/classes/nova_key_manager_barbican_spec.rb
@@ -13,6 +13,11 @@ describe 'nova::key_manager::barbican' do
 :barbican_endpoint_type => '',
 :barbican_region_name => '',
 :send_service_user_token => '',
+ :insecure => '',
+ :cafile => '',
+ :certfile => '',
+ :keyfile => '',
+ :timeout => '',
 )
 is_expected.to contain_package('cryptsetup').with(
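Review bot: In manifests/key_manager/barbican.pp the new `$insecure` parameter (hunk at -46,6) is handed straight to the resource in the following hunk (`insecure => $insecure`) with no signal when verification is switched off, so a data override can disable certificate checking towards the key manager without anything showing up in the Puppet run. If the module's conventions allow it, a compile-time notice such as `if $insecure == true { warning('TLS certificate verification for the Barbican key manager is disabled') }` would make that visible. The resource that receives these keys is declared above the second hunk, so whether it already accepts `insecure`, `cafile`, `certfile`, `keyfile` and `timeout` cannot be checked here; presumably the Depends-on change provides them.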
@@ -33,6 +38,11 @@ describe 'nova::key_manager::barbican' do
 :barbican_endpoint_type => 'public',
 :barbican_region_name => 'regionOne',
 :send_service_user_token => true,
+ :insecure => false,
+ :cafile => 'cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'somekey.key',
+ :timeout => 60,
 }
 end
@@ -46,6 +56,11 @@ describe 'nova::key_manager::barbican' do
 :barbican_endpoint_type => 'public',
 :barbican_region_name => 'regionOne',
 :send_service_user_token => true,
+ :insecure => false,
+ :cafile => 'cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'somekey.key',
+ :timeout => 60,
 )
 is_expected.to contain_package('cryptsetup').with(