Merge "key_manager: Add service user options for Barbican key manager"

2021-09-23 19:59:33 +00:00 · 2021-09-23 19:59:33 +00:00 · ff8ac7fb2e
commit ff8ac7fb2e
parent aab7e10ff3 bdf0c6f1b4
5 changed files with 230 additions and 22 deletions
--- a/manifests/key_manager/barbican.pp
+++ b/manifests/key_manager/barbican.pp
@ -37,25 +37,31 @@
 #   (Optional) Specifies the region of the chosen endpoint.
 #   Defaults to $::os_service_default
 #
+# [*send_service_user_token*]
+#   (Optional) The service uses service token feature when this is set as true.
+#   Defaults to $::os_service_default
+#
 define oslo::key_manager::barbican (
-  $config                 = $name,
-  $barbican_endpoint      = $::os_service_default,
-  $barbican_api_version   = $::os_service_default,
-  $auth_endpoint          = $::os_service_default,
-  $retry_delay            = $::os_service_default,
-  $number_of_retries      = $::os_service_default,
-  $barbican_endpoint_type = $::os_service_default,
-  $barbican_region_name   = $::os_service_default,
+  $config                  = $name,
+  $barbican_endpoint       = $::os_service_default,
+  $barbican_api_version    = $::os_service_default,
+  $auth_endpoint           = $::os_service_default,
+  $retry_delay             = $::os_service_default,
+  $number_of_retries       = $::os_service_default,
+  $barbican_endpoint_type  = $::os_service_default,
+  $barbican_region_name    = $::os_service_default,
+  $send_service_user_token = $::os_service_default,
 ) {

  $barbican_options = {
-    'barbican/barbican_endpoint'      => { value => $barbican_endpoint },
-    'barbican/barbican_api_version'   => { value => $barbican_api_version },
-    'barbican/auth_endpoint'          => { value => $auth_endpoint },
-    'barbican/retry_delay'            => { value => $retry_delay },
-    'barbican/number_of_retries'      => { value => $number_of_retries },
-    'barbican/barbican_endpoint_type' => { value => $barbican_endpoint_type },
-    'barbican/barbican_region_name'   => { value => $barbican_region_name },
+    'barbican/barbican_endpoint'       => { value => $barbican_endpoint },
+    'barbican/barbican_api_version'    => { value => $barbican_api_version },
+    'barbican/auth_endpoint'           => { value => $auth_endpoint },
+    'barbican/retry_delay'             => { value => $retry_delay },
+    'barbican/number_of_retries'       => { value => $number_of_retries },
+    'barbican/barbican_endpoint_type'  => { value => $barbican_endpoint_type },
+    'barbican/barbican_region_name'    => { value => $barbican_region_name },
+    'barbican/send_service_user_token' => { value => $send_service_user_token },
  }

  create_resources($config, $barbican_options)
--- a/manifests/key_manager/barbican/service_user.pp
+++ b/manifests/key_manager/barbican/service_user.pp
@ -0,0 +1,97 @@
+# == Definition: oslo::key_manager::barbican::service_user
+#
+# Setup and configure the service token feature for Barbican Key Manager
+#
+# == Parameters:
+#
+# [*name*]
+#  (Required) The name of the resource corresponding to the config file.
+#  For example, oslo::key_manager::barbican::service_user { 'nova_config': ... }
+#  Where 'nova_config' is the name of the resource used to manage
+#  the nova configuration.
+#
+# [*username*]
+#  (Required) The name of the service user
+#
+# [*password*]
+#  (Required) Password to create for the service user
+#
+# [*auth_url*]
+#  (Required) The URL to use for authentication.
+#
+# [*project_name*]
+#  (Required) Service project name
+#
+# [*user_domain_name*]
+#  (Optional) Name of domain for $username
+#  Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#  (Optional) Name of domain for $project_name
+#  Defaults to $::os_service_default
+#
+# [*insecure*]
+#  (Optional) If true, explicitly allow TLS without checking server cert
+#  against any certificate authorities.  WARNING: not recommended.  Use with
+#  caution.
+#  Defaults to $::os_service_default
+#
+# [*auth_type*]
+#  (Optional) Authentication type to load
+#  Defaults to $::os_service_default
+#
+# [*auth_version*]
+#  (Optional) API version of the admin Identity API endpoint.
+#  Defaults to $::os_service_default.
+#
+# [*cafile*]
+#  (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#  connections.
+#  Defaults to $::os_service_default.
+#
+# [*certfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*region_name*]
+#  (Optional) The region in which the identity server can be found.
+#  Defaults to $::os_service_default.
+#
+define oslo::key_manager::barbican::service_user(
+  $username,
+  $password,
+  $auth_url,
+  $project_name,
+  $user_domain_name        = $::os_service_default,
+  $project_domain_name     = $::os_service_default,
+  $insecure                = $::os_service_default,
+  $auth_type               = $::os_service_default,
+  $auth_version            = $::os_service_default,
+  $cafile                  = $::os_service_default,
+  $certfile                = $::os_service_default,
+  $keyfile                 = $::os_service_default,
+  $region_name             = $::os_service_default,
+) {
+
+  $service_user_options = {
+    'barbican_service_user/auth_type'           => {'value' => $auth_type},
+    'barbican_service_user/auth_version'        => {'value' => $auth_version},
+    'barbican_service_user/cafile'              => {'value' => $cafile},
+    'barbican_service_user/certfile'            => {'value' => $certfile},
+    'barbican_service_user/keyfile'             => {'value' => $keyfile},
+    'barbican_service_user/region_name'         => {'value' => $region_name},
+    'barbican_service_user/auth_url'            => {'value' => $auth_url},
+    'barbican_service_user/username'            => {'value' => $username},
+    'barbican_service_user/password'            => {'value' => $password, 'secret' => true},
+    'barbican_service_user/user_domain_name'    => {'value' => $user_domain_name},
+    'barbican_service_user/project_name'        => {'value' => $project_name},
+    'barbican_service_user/project_domain_name' => {'value' => $project_domain_name},
+    'barbican_service_user/insecure'            => {'value' => $insecure},
+  }
+
+  create_resources($name, $service_user_options)
+}
--- a/releasenotes/notes/barbican_service_user-a8ac0abd364927d8.yaml
+++ b/releasenotes/notes/barbican_service_user-a8ac0abd364927d8.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The following parameter and resource type have been added, to support usage
+    of the service token feature with the Barbican key manager.
+
+    - The ``oslo::key_manager::barbican::send_service_user_token`` parameter
+    - The ``oslo::key_manager::barbican::service_user`` resource type
--- a/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
+++ b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe 'oslo::key_manager::barbican::service_user' do
+
+  let (:title) { 'keystone_config' }
+
+  let :params do
+    { :username     => 'keystone',
+      :password     => 'secret',
+      :auth_url     => 'http://127.0.0.1:5000',
+      :project_name => 'services' }
+  end
+
+  shared_examples 'oslo::key_manager::barbican::service_user' do
+    context 'with only required parameters' do
+      it 'configures keystone service_user' do
+        is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone')
+        is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true)
+        is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'set all keystone service_user parameters' do
+      before do
+        params.merge! ({
+          :username            => 'username',
+          :password            => 'hardpassword',
+          :auth_url            => 'http://127.1.1.127:5000/',
+          :project_name        => 'NoProject',
+          :user_domain_name    => 'MyDomain',
+          :project_domain_name => 'OurDomain',
+          :insecure            =>  true,
+          :auth_type           => 'password',
+          :auth_version        => '3',
+          :cafile              => 'cafile.pem',
+          :certfile            => 'certfile.crt',
+          :keyfile             => 'somekey.key',
+          :region_name         => 'MyRegion',
+        })
+      end
+      it 'override keystone service_user parameters' do
+        is_expected.to contain_keystone_config('barbican_service_user/username').with_value(params[:username])
+        is_expected.to contain_keystone_config('barbican_service_user/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure])
+        is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
+        is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value(params[:certfile])
+        is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value(params[:region_name])
+      end
+    end
+
+    context 'without password required parameter' do
+      let :params do
+        params.delete(:password)
+      end
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+
+    context 'without specify project' do
+      let :params do
+        params.delete(:project_name)
+      end
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      include_examples 'oslo::key_manager::barbican::service_user'
+    end
+  end
+
+end
--- a/spec/defines/oslo_key_manager_barbican_spec.rb
+++ b/spec/defines/oslo_key_manager_barbican_spec.rb
@ -19,19 +19,21 @@ describe 'oslo::key_manager::barbican' do
        is_expected.to contain_keystone_config('barbican/number_of_retries').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value('<SERVICE DEFAULT>')
      end
    end

    context 'with parameters overridden' do
      let :params do
        {
-          :barbican_endpoint      => 'http://localhost:9311/',
-          :barbican_api_version   => 'v1',
-          :auth_endpoint          => 'http://localhost:5000',
-          :retry_delay            => 1,
-          :number_of_retries      => 60,
-          :barbican_endpoint_type => 'public',
-          :barbican_region_name   => 'regionOne',
+          :barbican_endpoint       => 'http://localhost:9311/',
+          :barbican_api_version    => 'v1',
+          :auth_endpoint           => 'http://localhost:5000',
+          :retry_delay             => 1,
+          :number_of_retries       => 60,
+          :barbican_endpoint_type  => 'public',
+          :barbican_region_name    => 'regionOne',
+          :send_service_user_token => true,
        }
      end

@ -43,6 +45,7 @@ describe 'oslo::key_manager::barbican' do
        is_expected.to contain_keystone_config('barbican/number_of_retries').with_value(60)
        is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('public')
        is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('regionOne')
+        is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value(true)
      end
    end
  end