Merge "Fix missing session options for Barbican key manager"

manifests/key_manager/barbican.pp

@@ -41,6 +41,29 @@
 #   (Optional) The service uses service token feature when this is set as true.
 #   Defaults to $facts['os_service_default']
 #
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with
+#   caution.
+#   Defaults to $facts['os_service_default']
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $facts['os_service_default'].
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $facts['os_service_default'].
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $facts['os_service_default'].
+#
+# [*timeout*]
+#   (Optional) Timeout value for connecting to barbican in seconds.
+#   Defaults to $facts['os_service_default']
+#
 define oslo::key_manager::barbican (
   $config                  = $name,
   $barbican_endpoint       = $facts['os_service_default'],
@@ -51,6 +74,11 @@ define oslo::key_manager::barbican (
   $barbican_endpoint_type  = $facts['os_service_default'],
   $barbican_region_name    = $facts['os_service_default'],
   $send_service_user_token = $facts['os_service_default'],
+  $insecure                = $facts['os_service_default'],
+  $cafile                  = $facts['os_service_default'],
+  $certfile                = $facts['os_service_default'],
+  $keyfile                 = $facts['os_service_default'],
+  $timeout                 = $facts['os_service_default'],
 ) {
   $barbican_options = {
     'barbican/barbican_endpoint'       => { value => $barbican_endpoint },
@@ -61,6 +89,11 @@ define oslo::key_manager::barbican (
     'barbican/barbican_endpoint_type'  => { value => $barbican_endpoint_type },
     'barbican/barbican_region_name'    => { value => $barbican_region_name },
     'barbican/send_service_user_token' => { value => $send_service_user_token },
+    'barbican/insecure'                => { value => $insecure },
+    'barbican/cafile'                  => { value => $cafile },
+    'barbican/certfile'                => { value => $certfile },
+    'barbican/keyfile'                 => { value => $keyfile },
+    'barbican/timeout'                 => { value => $timeout },
   }
 
   create_resources($config, $barbican_options)

manifests/key_manager/barbican/service_user.pp

@@ -62,6 +62,10 @@
 #  (Optional) Required if identity server requires client certificate
 #  Defaults to $facts['os_service_default'].
 #
+# [*timeout*]
+#  (Optional) Timeout value for connecting to keystone in seconds.
+#  Defaults to $facts['os_service_default']
+#
 # [*region_name*]
 #  (Optional) The region in which the identity server can be found.
 #  Defaults to $facts['os_service_default'].
@@ -80,6 +84,7 @@ define oslo::key_manager::barbican::service_user (
   $cafile                  = $facts['os_service_default'],
   $certfile                = $facts['os_service_default'],
   $keyfile                 = $facts['os_service_default'],
+  $timeout                 = $facts['os_service_default'],
   $region_name             = $facts['os_service_default'],
 ) {
   if is_service_default($system_scope) {
@@ -95,10 +100,6 @@ define oslo::key_manager::barbican::service_user (
   $service_user_options = {
     'barbican_service_user/auth_type'           => { 'value' => $auth_type },
     'barbican_service_user/auth_version'        => { 'value' => $auth_version },
-    'barbican_service_user/cafile'              => { 'value' => $cafile },
-    'barbican_service_user/certfile'            => { 'value' => $certfile },
-    'barbican_service_user/keyfile'             => { 'value' => $keyfile },
-    'barbican_service_user/region_name'         => { 'value' => $region_name },
     'barbican_service_user/auth_url'            => { 'value' => $auth_url },
     'barbican_service_user/username'            => { 'value' => $username },
     'barbican_service_user/password'            => { 'value' => $password, 'secret' => true },
@@ -107,6 +108,11 @@ define oslo::key_manager::barbican::service_user (
     'barbican_service_user/project_domain_name' => { 'value' => $project_domain_name_real },
     'barbican_service_user/system_scope'        => { 'value' => $system_scope },
     'barbican_service_user/insecure'            => { 'value' => $insecure },
+    'barbican_service_user/cafile'              => { 'value' => $cafile },
+    'barbican_service_user/certfile'            => { 'value' => $certfile },
+    'barbican_service_user/keyfile'             => { 'value' => $keyfile },
+    'barbican_service_user/timeout'             => { 'value' => $timeout },
+    'barbican_service_user/region_name'         => { 'value' => $region_name },
   }
 
   create_resources($name, $service_user_options)

releasenotes/notes/key-manager-session-options-859bddc410a85798.yaml

@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    The following parameters have been added to
+    the ``oslo::key_manager::barbican`` defined resource type.
+
+    - ``insecure``
+    - ``cafile``
+    - ``certfile``
+    - ``keyfile``
+
+  - |
+    The new ``oslo::key_manager::barbican::service_type::timeout`` parameter
+    has been added.

spec/defines/oslo_key_manager_barbican_service_user_spec.rb

@@ -26,6 +26,7 @@ describe 'oslo::key_manager::barbican::service_user' do
         is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value('<SERVICE DEFAULT>')
       end
     end
@@ -45,6 +46,7 @@ describe 'oslo::key_manager::barbican::service_user' do
           :cafile              => 'cafile.pem',
           :certfile            => 'certfile.crt',
           :keyfile             => 'somekey.key',
+          :timeout             => 60,
           :region_name         => 'MyRegion',
         })
       end
@@ -61,6 +63,7 @@ describe 'oslo::key_manager::barbican::service_user' do
         is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
         is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value(params[:certfile])
         is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_keystone_config('barbican_service_user/timeout').with_value(params[:timeout])
         is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value(params[:region_name])
       end
     end

spec/defines/oslo_key_manager_barbican_spec.rb

@@ -20,6 +20,11 @@ describe 'oslo::key_manager::barbican' do
         is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/timeout').with_value('<SERVICE DEFAULT>')
       end
     end
 
@@ -34,6 +39,11 @@ describe 'oslo::key_manager::barbican' do
           :barbican_endpoint_type  => 'public',
           :barbican_region_name    => 'regionOne',
           :send_service_user_token => true,
+          :insecure                => false,
+          :cafile                  => 'cafile.pem',
+          :certfile                => 'certfile.crt',
+          :keyfile                 => 'somekey.key',
+          :timeout                 => 60,
         }
       end
 
@@ -46,6 +56,11 @@ describe 'oslo::key_manager::barbican' do
         is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('public')
         is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('regionOne')
         is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value(true)
+        is_expected.to contain_keystone_config('barbican/insecure').with_value(false)
+        is_expected.to contain_keystone_config('barbican/cafile').with_value('cafile.pem')
+        is_expected.to contain_keystone_config('barbican/certfile').with_value('certfile.crt')
+        is_expected.to contain_keystone_config('barbican/keyfile').with_value('somekey.key')
+        is_expected.to contain_keystone_config('barbican/timeout').with_value(60)
       end
     end
   end