Merge "Fix missing session options for Barbican key manager"

2025-09-20 00:18:56 +00:00
parent f1a688820b 950dbd08d3
commit 2984b808dc
3 changed files with 63 additions and 0 deletions
--- a/manifests/key_manager/barbican.pp
+++ b/manifests/key_manager/barbican.pp
@@ -37,6 +37,29 @@
 #   (Optional) The service uses service token feature when this is set as true.
 #   Defaults to $facts['os_service_default']
 #
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with
+#   caution.
+#   Defaults to $facts['os_service_default']
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $facts['os_service_default'].
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $facts['os_service_default'].
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $facts['os_service_default'].
+#
+# [*timeout*]
+#   (Optional) Timeout value for connecting to barbican in seconds.
+#   Defaults to $facts['os_service_default']
+#
 class nova::key_manager::barbican (
  $barbican_endpoint       = $facts['os_service_default'],
  $barbican_api_version    = $facts['os_service_default'],
@@ -46,6 +69,11 @@ class nova::key_manager::barbican (
  $barbican_endpoint_type  = $facts['os_service_default'],
  $barbican_region_name    = $facts['os_service_default'],
  $send_service_user_token = $facts['os_service_default'],
+  $insecure                = $facts['os_service_default'],
+  $cafile                  = $facts['os_service_default'],
+  $certfile                = $facts['os_service_default'],
+  $keyfile                 = $facts['os_service_default'],
+  $timeout                 = $facts['os_service_default'],
 ) {
  include nova::deps

@@ -64,5 +92,10 @@ class nova::key_manager::barbican (
    barbican_endpoint_type  => $barbican_endpoint_type,
    barbican_region_name    => $barbican_region_name,
    send_service_user_token => $send_service_user_token,
+    insecure                => $insecure,
+    cafile                  => $cafile,
+    certfile                => $certfile,
+    keyfile                 => $keyfile,
+    timeout                 => $timeout,
  }
 }
--- a/releasenotes/notes/key-manager-session-options-a3cf6f292d5d0879.yaml
+++ b/releasenotes/notes/key-manager-session-options-a3cf6f292d5d0879.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    The following parameters have been added to
+    the ``nova::key_manager::barbican`` class.
+
+    - ``insecure``
+    - ``cafile``
+    - ``certfile``
+    - ``keyfile``
+    - ``timeout``
+
+  - |
+    The new ``nova::key_manager::barbican::service_user::timeout`` parameter
+    has been added.
--- a/spec/classes/nova_key_manager_barbican_spec.rb
+++ b/spec/classes/nova_key_manager_barbican_spec.rb
@@ -13,6 +13,11 @@ describe 'nova::key_manager::barbican' do
          :barbican_endpoint_type  => '<SERVICE DEFAULT>',
          :barbican_region_name    => '<SERVICE DEFAULT>',
          :send_service_user_token => '<SERVICE DEFAULT>',
+          :insecure                => '<SERVICE DEFAULT>',
+          :cafile                  => '<SERVICE DEFAULT>',
+          :certfile                => '<SERVICE DEFAULT>',
+          :keyfile                 => '<SERVICE DEFAULT>',
+          :timeout                 => '<SERVICE DEFAULT>',
        )

        is_expected.to contain_package('cryptsetup').with(
@@ -33,6 +38,11 @@ describe 'nova::key_manager::barbican' do
          :barbican_endpoint_type  => 'public',
          :barbican_region_name    => 'regionOne',
          :send_service_user_token => true,
+          :insecure                => false,
+          :cafile                  => 'cafile.pem',
+          :certfile                => 'certfile.crt',
+          :keyfile                 => 'somekey.key',
+          :timeout                 => 60,
        }
      end

@@ -46,6 +56,11 @@ describe 'nova::key_manager::barbican' do
          :barbican_endpoint_type  => 'public',
          :barbican_region_name    => 'regionOne',
          :send_service_user_token => true,
+          :insecure                => false,
+          :cafile                  => 'cafile.pem',
+          :certfile                => 'certfile.crt',
+          :keyfile                 => 'somekey.key',
+          :timeout                 => 60,
        )

        is_expected.to contain_package('cryptsetup').with(