Merge "Fix missing session options for Barbican key manager"

2025-09-17 15:17:43 +00:00
parent 9b6f986bfb e449a0bb21
commit cb7705ac59
5 changed files with 75 additions and 4 deletions
--- a/manifests/key_manager/barbican.pp
+++ b/manifests/key_manager/barbican.pp
@@ -41,6 +41,29 @@
 #   (Optional) The service uses service token feature when this is set as true.
 #   Defaults to $facts['os_service_default']
 #
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with
+#   caution.
+#   Defaults to $facts['os_service_default']
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $facts['os_service_default'].
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $facts['os_service_default'].
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $facts['os_service_default'].
+#
+# [*timeout*]
+#   (Optional) Timeout value for connecting to barbican in seconds.
+#   Defaults to $facts['os_service_default']
+#
 define oslo::key_manager::barbican (
  $config                  = $name,
  $barbican_endpoint       = $facts['os_service_default'],
@@ -51,6 +74,11 @@ define oslo::key_manager::barbican (
  $barbican_endpoint_type  = $facts['os_service_default'],
  $barbican_region_name    = $facts['os_service_default'],
  $send_service_user_token = $facts['os_service_default'],
+  $insecure                = $facts['os_service_default'],
+  $cafile                  = $facts['os_service_default'],
+  $certfile                = $facts['os_service_default'],
+  $keyfile                 = $facts['os_service_default'],
+  $timeout                 = $facts['os_service_default'],
 ) {
  $barbican_options = {
    'barbican/barbican_endpoint'       => { value => $barbican_endpoint },
@@ -61,6 +89,11 @@ define oslo::key_manager::barbican (
    'barbican/barbican_endpoint_type'  => { value => $barbican_endpoint_type },
    'barbican/barbican_region_name'    => { value => $barbican_region_name },
    'barbican/send_service_user_token' => { value => $send_service_user_token },
+    'barbican/insecure'                => { value => $insecure },
+    'barbican/cafile'                  => { value => $cafile },
+    'barbican/certfile'                => { value => $certfile },
+    'barbican/keyfile'                 => { value => $keyfile },
+    'barbican/timeout'                 => { value => $timeout },
  }

  create_resources($config, $barbican_options)
--- a/manifests/key_manager/barbican/service_user.pp
+++ b/manifests/key_manager/barbican/service_user.pp
@@ -62,6 +62,10 @@
 #  (Optional) Required if identity server requires client certificate
 #  Defaults to $facts['os_service_default'].
 #
+# [*timeout*]
+#  (Optional) Timeout value for connecting to keystone in seconds.
+#  Defaults to $facts['os_service_default']
+#
 # [*region_name*]
 #  (Optional) The region in which the identity server can be found.
 #  Defaults to $facts['os_service_default'].
@@ -80,6 +84,7 @@ define oslo::key_manager::barbican::service_user (
  $cafile                  = $facts['os_service_default'],
  $certfile                = $facts['os_service_default'],
  $keyfile                 = $facts['os_service_default'],
+  $timeout                 = $facts['os_service_default'],
  $region_name             = $facts['os_service_default'],
 ) {
  if is_service_default($system_scope) {
@@ -95,10 +100,6 @@ define oslo::key_manager::barbican::service_user (
  $service_user_options = {
    'barbican_service_user/auth_type'           => { 'value' => $auth_type },
    'barbican_service_user/auth_version'        => { 'value' => $auth_version },
-    'barbican_service_user/cafile'              => { 'value' => $cafile },
-    'barbican_service_user/certfile'            => { 'value' => $certfile },
-    'barbican_service_user/keyfile'             => { 'value' => $keyfile },
-    'barbican_service_user/region_name'         => { 'value' => $region_name },
    'barbican_service_user/auth_url'            => { 'value' => $auth_url },
    'barbican_service_user/username'            => { 'value' => $username },
    'barbican_service_user/password'            => { 'value' => $password, 'secret' => true },
@@ -107,6 +108,11 @@ define oslo::key_manager::barbican::service_user (
    'barbican_service_user/project_domain_name' => { 'value' => $project_domain_name_real },
    'barbican_service_user/system_scope'        => { 'value' => $system_scope },
    'barbican_service_user/insecure'            => { 'value' => $insecure },
+    'barbican_service_user/cafile'              => { 'value' => $cafile },
+    'barbican_service_user/certfile'            => { 'value' => $certfile },
+    'barbican_service_user/keyfile'             => { 'value' => $keyfile },
+    'barbican_service_user/timeout'             => { 'value' => $timeout },
+    'barbican_service_user/region_name'         => { 'value' => $region_name },
  }

  create_resources($name, $service_user_options)
--- a/releasenotes/notes/key-manager-session-options-859bddc410a85798.yaml
+++ b/releasenotes/notes/key-manager-session-options-859bddc410a85798.yaml
@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    The following parameters have been added to
+    the ``oslo::key_manager::barbican`` defined resource type.
+
+    - ``insecure``
+    - ``cafile``
+    - ``certfile``
+    - ``keyfile``
+
+  - |
+    The new ``oslo::key_manager::barbican::service_type::timeout`` parameter
+    has been added.
--- a/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
+++ b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
@@ -26,6 +26,7 @@ describe 'oslo::key_manager::barbican::service_user' do
        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/timeout').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value('<SERVICE DEFAULT>')
      end
    end
@@ -45,6 +46,7 @@ describe 'oslo::key_manager::barbican::service_user' do
          :cafile              => 'cafile.pem',
          :certfile            => 'certfile.crt',
          :keyfile             => 'somekey.key',
+          :timeout             => 60,
          :region_name         => 'MyRegion',
        })
      end
@@ -61,6 +63,7 @@ describe 'oslo::key_manager::barbican::service_user' do
        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
        is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value(params[:certfile])
        is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_keystone_config('barbican_service_user/timeout').with_value(params[:timeout])
        is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value(params[:region_name])
      end
    end
--- a/spec/defines/oslo_key_manager_barbican_spec.rb
+++ b/spec/defines/oslo_key_manager_barbican_spec.rb
@@ -20,6 +20,11 @@ describe 'oslo::key_manager::barbican' do
        is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/timeout').with_value('<SERVICE DEFAULT>')
      end
    end

@@ -34,6 +39,11 @@ describe 'oslo::key_manager::barbican' do
          :barbican_endpoint_type  => 'public',
          :barbican_region_name    => 'regionOne',
          :send_service_user_token => true,
+          :insecure                => false,
+          :cafile                  => 'cafile.pem',
+          :certfile                => 'certfile.crt',
+          :keyfile                 => 'somekey.key',
+          :timeout                 => 60,
        }
      end

@@ -46,6 +56,11 @@ describe 'oslo::key_manager::barbican' do
        is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('public')
        is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('regionOne')
        is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value(true)
+        is_expected.to contain_keystone_config('barbican/insecure').with_value(false)
+        is_expected.to contain_keystone_config('barbican/cafile').with_value('cafile.pem')
+        is_expected.to contain_keystone_config('barbican/certfile').with_value('certfile.crt')
+        is_expected.to contain_keystone_config('barbican/keyfile').with_value('somekey.key')
+        is_expected.to contain_keystone_config('barbican/timeout').with_value(60)
      end
    end
  end