Merge "Barbican: Add ability to specify KEK for simple crypto plugin"

environments/barbican-backend-simple-crypto.yaml

@@ -0,0 +1,11 @@
+# A Heat environment file to enable the barbican simple crypto backend. Note
+# that barbican needs to be enabled in order to use this.
+parameter_defaults:
+  # In order to use this backend, you need to uncomment this value and
+  # provide an appropriate KEK that barbican will use to encrypt secrets
+  # in the database.
+  #
+  # SimpleCryptoKek: The Key-Encryption-Key goes here.
+
+resource_registry:
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml

overcloud-resource-registry-puppet.j2.yaml

@@ -248,6 +248,7 @@ resource_registry:
   OS::TripleO::Services::ComputeNeutronL3Agent: OS::Heat::None
   OS::TripleO::Services::ComputeNeutronMetadataAgent: OS::Heat::None
   OS::TripleO::Services::BarbicanApi: OS::Heat::None
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: OS::Heat::None
   OS::TripleO::Services::AodhApi: puppet/services/aodh-api.yaml
   OS::TripleO::Services::AodhEvaluator: puppet/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhNotifier: puppet/services/aodh-notifier.yaml

puppet/services/barbican-backend-simple-crypto.yaml

@@ -0,0 +1,45 @@
+heat_template_version: pike
+
+description: >
+  Barbican API simple crypto backend configured with Puppet
+
+parameters:
+  # Required default parameters
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  SimpleCryptoKek:
+    description: KEK used to encrypt secrets
+    type: string
+    hidden: true
+
+outputs:
+  role_data:
+    description: Role data for the Barbican simple crypto backend.
+    value:
+      service_name: barbican_backend_simple_crypto
+      config_settings:
+        barbican::plugins::simple_crypto::simple_crypto_plugin_kek: {get_param: SimpleCryptoKek}

roles/Controller.yaml

@@ -29,6 +29,7 @@
     - OS::TripleO::Services::AodhNotifier
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BarbicanApi
+    - OS::TripleO::Services::BarbicanBackendSimpleCrypto
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CeilometerAgentCentral
     - OS::TripleO::Services::CeilometerAgentNotification

roles/ControllerOpenstack.yaml

@@ -23,6 +23,7 @@
     - OS::TripleO::Services::AodhNotifier
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BarbicanApi
+    - OS::TripleO::Services::BarbicanBackendSimpleCrypto
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CeilometerAgentCentral
     - OS::TripleO::Services::CeilometerAgentNotification

roles_data.yaml

@@ -32,6 +32,7 @@
     - OS::TripleO::Services::AodhNotifier
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BarbicanApi
+    - OS::TripleO::Services::BarbicanBackendSimpleCrypto
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CeilometerAgentCentral
     - OS::TripleO::Services::CeilometerAgentNotification