Add queens support
This patch adds initial support for the OpenStack Queens release.
Change-Id: Icc6022115bbc6ab1d2422a18b3708394a649cbba
Related-Prod: PROD-20387
diff --git a/_modules/barbicanv1/acl.py b/_modules/barbicanv1/acl.py
index 8f3c024..82792ea 100644
--- a/_modules/barbicanv1/acl.py
+++ b/_modules/barbicanv1/acl.py
@@ -5,14 +5,14 @@
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('get')
def secret_acl_get(secret_uuid, **kwargs):
- url = '/v1/secrets/{}/acl'.format(secret_uuid)
+ url = '/secrets/{}/acl'.format(secret_uuid)
return url, {}
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('put')
def secret_acl_put(secret_uuid, **kwargs):
- url = '/v1/secrets/{}/acl'.format(secret_uuid)
+ url = '/secrets/{}/acl'.format(secret_uuid)
json = {
'read': kwargs,
}
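Review bot: `secret_acl_put` sends `{'read': kwargs}` as the entire ACL document, so a call with no keyword arguments still issues a PUT of `{'read': {}}`, which presumably overwrites whatever ACL the secret currently has rather than leaving it alone; a guard such as `if not kwargs: raise ValueError('secret_acl_put: no ACL fields given')` before building `json` would make that explicit. The new `/secrets/{}/acl` paths also interpolate `secret_uuid` without escaping — fine once `get_by_name_or_uuid` has resolved it to a UUID, but if that decorator can pass an unresolved string through, a value containing `/` or `?` would change the request path, so quoting it with `safe=''` (`urllib.parse.quote` on Python 3, `urllib.quote` on Python 2) is the safer form. The body of `secret_acl_put` continues past the end of the hunk.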
@@ -22,7 +22,7 @@
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('patch')
def secret_acl_patch(secret_uuid, **kwargs):
- url = 'v1/secrets/{}/acl'.format(secret_uuid)
+ url = '/secrets/{}/acl'.format(secret_uuid)
json = {
'read': kwargs,
}
@@ -32,5 +32,5 @@
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('delete')
def secret_acl_delete(secret_uuid, **kwargs):
- url = 'v1/secrets/{}/acl'.format(secret_uuid)
+ url = '/secrets/{}/acl'.format(secret_uuid)
return url, {}
diff --git a/_modules/barbicanv1/common.py b/_modules/barbicanv1/common.py
index dd32025..83fd6ff 100644
--- a/_modules/barbicanv1/common.py
+++ b/_modules/barbicanv1/common.py
@@ -48,12 +48,15 @@
def _get_raw_client(cloud_name):
service_type = 'key-manager'
- adapter = os_client_config.make_rest_client(service_type,
- cloud=cloud_name)
+ config = os_client_config.OpenStackConfig()
+ cloud = config.get_one_cloud(cloud_name)
+ adapter = cloud.get_session_client(service_type)
+ adapter.version = '1'
try:
access_info = adapter.session.auth.get_access(adapter.session)
endpoints = access_info.service_catalog.get_endpoints()
- except (AttributeError, ValueError):
+ except (AttributeError, ValueError) as exc:
+ log.exception('%s' % exc)
e = NoAuthPluginConfigured()
log.exception('%s' % e)
raise e
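Review bot: The except block at the end of the hunk now calls `log.exception` twice for one failure — once with `exc` and again with the freshly built `NoAuthPluginConfigured` — so every catalog/auth failure writes the same traceback to the log twice, and the original `exc` is then discarded by `raise e` (exception chaining is not available if this module still targets Python 2, as the `.iteritems()` in the new templates suggests). One log call with lazy arguments keeps both the cause and the context: `except (AttributeError, ValueError) as exc:` / `log.exception('No usable auth plugin or service catalog for cloud %s: %s', cloud_name, exc)` / `raise NoAuthPluginConfigured()`. The `'%s' % exc` form also formats eagerly, which defeats logging's deferred formatting. `_get_raw_client` continues beyond the hunk.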
diff --git a/_modules/barbicanv1/secrets.py b/_modules/barbicanv1/secrets.py
index eda7382..d85c08a 100644
--- a/_modules/barbicanv1/secrets.py
+++ b/_modules/barbicanv1/secrets.py
@@ -10,27 +10,27 @@
@send('get')
def secret_list(**kwargs):
- url = '/v1/secrets?{}'.format(urlencode(kwargs))
+ url = '/secrets?{}'.format(urlencode(kwargs))
return url, {}
@send('post')
def secret_create(**kwargs):
- url = '/v1/secrets'
+ url = '/secrets'
return url, {'json': kwargs}
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('get')
def secret_get_details(secret_uuid, **kwargs):
- url = '/v1/secrets/{}'.format(secret_uuid)
+ url = '/secrets/{}'.format(secret_uuid)
return url, {}
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('delete')
def secret_delete(secret_uuid, **kwargs):
- url = '/v1/secrets/{}'.format(secret_uuid)
+ url = '/secrets/{}'.format(secret_uuid)
return url, {}
# NOTE::
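Review bot: `secret_create` forwards all of `kwargs`, including any `payload`, to the `send` decorator as the JSON body; if `send` logs the request kwargs at debug level (it is not visible here), the plaintext secret would land in the Salt minion log, so it is worth confirming that `send` redacts `payload` or logs only the URL, and a comment on `secret_create` saying so would help. Separately, `secret_list` with no filters renders the path as `/secrets?` with an empty query string; `url = '/secrets' + ('?' + urlencode(kwargs) if kwargs else '')` avoids the dangling `?`. The `# NOTE::` comment on the last line of the hunk belongs to a definition that continues outside it.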
@@ -41,7 +41,7 @@
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('put')
def secret_payload_set(secret_uuid, payload, **kwargs):
- url = '/v1/secrets/{}'.format(secret_uuid)
+ url = '/secrets/{}'.format(secret_uuid)
# Work around content headers
content_type = 'payload_content_type'
content_encoding = 'payload_content_encoding'
@@ -57,5 +57,5 @@
@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
@send('get')
def secret_payload_get(secret_uuid, **kwargs):
- url = '/v1/secrets/{}/payload'.format(secret_uuid)
+ url = '/secrets/{}/payload'.format(secret_uuid)
return url, {}
diff --git a/barbican/files/queens/barbican.conf.Debian b/barbican/files/queens/barbican.conf.Debian
new file mode 100644
index 0000000..eff5d37
--- /dev/null
+++ b/barbican/files/queens/barbican.conf.Debian
@@ -0,0 +1,415 @@
+{%- from "barbican/map.jinja" import server with context -%}
+[DEFAULT]
+
+#
+# From barbican.common.config
+#
+
+# Role used to identify an authenticated user as administrator.
+# (string value)
+#admin_role = admin
+
+# Allow unauthenticated users to access the API with read-only
+# privileges. This only applies when using ContextMiddleware. (boolean
+# value)
+#allow_anonymous_access = false
+
+# Maximum allowed http request size against the barbican-api. (integer
+# value)
+#max_allowed_request_size_in_bytes = 15000
+max_allowed_request_size_in_bytes = 1000000
+
+# Maximum allowed secret size in bytes. (integer value)
+#max_allowed_secret_in_bytes = 10000
+max_allowed_secret_in_bytes = 10000
+
+# Host name, for use in HATEOAS-style references Note: Typically this
+# would be the load balanced endpoint that clients would use to
+# communicate back with this service. If a deployment wants to derive
+# host from wsgi request instead then make this blank. Blank is needed
+# to override default config value which is 'http://localhost:9311'
+# (string value)
+#host_href = http://localhost:9311
+{%- if server.host_href is defined %}
+host_href = {{ server.host_href }}
+{%- endif %}
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See:
+# http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine.
+# Note: For absolute addresses, use '////' slashes after 'sqlite:'.
+# (string value)
+#sql_connection = sqlite:///barbican.sqlite
+sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.ssl.enabled %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+
+# Period in seconds after which SQLAlchemy should reestablish its
+# connection to the database. MySQL uses a default `wait_timeout` of 8
+# hours, after which it will drop idle connections. This can result in
+# 'MySQL Gone Away' exceptions. If you notice this, you can lower this
+# value to ensure that SQLAlchemy reconnects before MySQL can drop the
+# connection. (integer value)
+#sql_idle_timeout = 3600
+sql_idle_timeout = {{ server.database.get('sql_idle_timeout', 3600) }}
+
+# Maximum number of database connection retries during startup. Set to
+# -1 to specify an infinite retry count. (integer value)
+#sql_max_retries = 60
+
+# Interval between retries of opening a SQL connection. (integer
+# value)
+#sql_retry_interval = 1
+
+# Create the Barbican database on service startup. (boolean value)
+#db_auto_create = true
+db_auto_create = False
+
+# Maximum page size for the 'limit' paging URL parameter. (integer
+# value)
+#max_limit_paging = 100
+max_limit_paging = 100
+
+# Default page size for the 'limit' paging URL parameter. (integer
+# value)
+#default_limit_paging = 10
+default_limit_paging = 10
+
+# Accepts a class imported from the sqlalchemy.pool module, and
+# handles the details of building the pool for you. If commented out,
+# SQLAlchemy will select based on the database dialect. Other options
+# are QueuePool (for SQLAlchemy-managed connections) and NullPool (to
+# disabled SQLAlchemy management of connections). See
+# http://docs.sqlalchemy.org/en/latest/core/pooling.html for more
+# details (string value)
+#sql_pool_class = QueuePool
+
+# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG
+# log level output) if specified. (boolean value)
+#sql_pool_logging = false
+
+# Size of pool used by SQLAlchemy. This is the largest number of
+# connections that will be kept persistently in the pool. Can be set
+# to 0 to indicate no size limit. To disable pooling, use a NullPool
+# with sql_pool_class instead. Comment out to allow SQLAlchemy to
+# select the default. (integer value)
+#sql_pool_size = 5
+
+# # The maximum overflow size of the pool used by SQLAlchemy. When the
+# number of checked-out connections reaches the size set in
+# sql_pool_size, additional connections will be returned up to this
+# limit. It follows then that the total number of simultaneous
+# connections the pool will allow is sql_pool_size +
+# sql_pool_max_overflow. Can be set to -1 to indicate no overflow
+# limit, so no limit will be placed on the total number of concurrent
+# connections. Comment out to allow SQLAlchemy to select the default.
+# (integer value)
+#sql_pool_max_overflow = 10
+
+# Enable eventlet backdoor. Acceptable values are 0, <port>, and
+# <start>:<end>, where 0 results in listening on a random tcp port
+# number; <port> results in listening on the specified port number
+# (and not enabling backdoor if that port is in use); and
+# <start>:<end> results in listening on the smallest unused port
+# number within the specified range of port numbers. The chosen port
+# is displayed in the service's log file. (string value)
+#backdoor_port = <None>
+
+# Enable eventlet backdoor, using the provided path as a unix socket
+# that can receive connections. This option is mutually exclusive with
+# 'backdoor_port' in that only one should be provided. If both are
+# provided then the existence of this option overrides the usage of
+# that option. (string value)
+#backdoor_socket = <None>
+
+
+{%- set _data = server.get('logging', {}) %}
+{%- include "oslo_templates/files/queens/oslo/_log.conf" %}
+
+{%- set _data = server.message_queue %}
+{%- include "oslo_templates/files/queens/oslo/messaging/_default.conf" %}
+
+#
+# From oslo.service.periodic_task
+#
+
+# Some periodic tasks can be run in a separate process. Should we run
+# them here? (boolean value)
+#run_external_periodic_tasks = true
+
+{%- include "oslo_templates/files/queens/oslo/service/_wsgi_default.conf" %}
+
+[certificate]
+
+#
+# From barbican.certificate.plugin
+#
+
+# Extension namespace to search for plugins. (string value)
+#namespace = barbican.certificate.plugin
+
+# List of certificate plugins to load. (multi valued)
+#enabled_certificate_plugins = simple_certificate
+
+
+[certificate_event]
+
+#
+# From barbican.certificate.plugin
+#
+
+# Extension namespace to search for eventing plugins. (string value)
+#namespace = barbican.certificate.event.plugin
+
+# List of certificate plugins to load. (multi valued)
+#enabled_certificate_event_plugins = simple_certificate_event
+
+
+[cors]
+{%- if server.cors is defined %}
+{%- set _data = server.cors %}
+{%- include "oslo_templates/files/queens/oslo/_cors.conf" %}
+{%- endif %}
+
+
+[crypto]
+
+#
+# From barbican.plugin.crypto
+#
+
+# Extension namespace to search for plugins. (string value)
+#namespace = barbican.crypto.plugin
+namespace = barbican.crypto.plugin
+
+# List of crypto plugins to load. (multi valued)
+#enabled_crypto_plugins = simple_crypto
+
+{% for store_name, store in server.get('store', {}).iteritems() %}
+[secretstore:{{ store_name }}]
+{%- if store.store_plugin is defined %}
+secret_store_plugin = {{ store.store_plugin }}
+{%- endif %}
+{%- if store.crypto_plugin is defined %}
+crypto_plugin = {{ store.crypto_plugin }}
+{%- endif %}
+{%- if store.global_default is defined %}
+global_default = {{ store.global_default }}
+{%- endif %}
+{% endfor %}
+
+{% for plugin_name, plugin in server.get('plugin', {}).iteritems() %}
+{%- set plugin_fragment = "barbican/files/" + server.version + "/plugin/_" + plugin_name +".conf" %}
+[{{ plugin_name }}_plugin]
+{%- include plugin_fragment %}
+{% endfor %}
+
+[keystone_authtoken]
+{%- set _data = server.identity %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- include "oslo_templates/files/queens/keystonemiddleware/_auth_token.conf" %}
+{%- include "oslo_templates/files/queens/keystoneauth/_type_" + auth_type + ".conf" %}
+
+[keystone_notifications]
+
+#
+# From barbican.common.config
+#
+
+# True enables keystone notification listener functionality. (boolean
+# value)
+#enable = false
+enable = {{ server.get('ks_notifications_enable', 'False') }}
+
+# The default exchange under which topics are scoped. May be
+# overridden by an exchange name specified in the transport_url
+# option. (string value)
+#control_exchange = openstack
+
+# Keystone notification queue topic name. This name needs to match one
+# of values mentioned in Keystone deployment's 'notification_topics'
+# configuration e.g. notification_topics=notifications,
+# barbican_notificationsMultiple servers may listen on a topic and
+# messages will be dispatched to one of the servers in a round-robin
+# fashion. That's why Barbican service should have its own dedicated
+# notification queue so that it receives all of Keystone
+# notifications. (string value)
+#topic = notifications
+
+# True enables requeue feature in case of notification processing
+# error. Enable this only when underlying transport supports this
+# feature. (boolean value)
+#allow_requeue = false
+allow_requeue = {{ server.get('ks_notifications_allow_requeue', 'False') }}
+
+# Version of tasks invoked via notifications (string value)
+#version = 1.0
+
+# Define the number of max threads to be used for notification server
+# processing functionality. (integer value)
+#thread_pool_size = 10
+
+
+[matchmaker_redis]
+
+#
+# From oslo.messaging
+#
+
+# DEPRECATED: Host to locate redis. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#host = 127.0.0.1
+
+# DEPRECATED: Use this port to connect to redis host. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#port = 6379
+
+# DEPRECATED: Password for Redis server (optional). (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#password =
+
+# DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode),
+# e.g., [host:port, host1:port ... ] (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#sentinel_hosts =
+
+# Redis replica set name. (string value)
+#sentinel_group_name = oslo-messaging-zeromq
+
+# Time in ms to wait between connection attempts. (integer value)
+#wait_timeout = 2000
+
+# Time in ms to wait before the transaction is killed. (integer value)
+#check_timeout = 20000
+
+# Timeout in ms on blocking socket operations. (integer value)
+#socket_timeout = 10000
+
+{%- if server.message_queue is defined %}
+{%- set _data = server.message_queue %}
+{%- if _data.engine == 'rabbitmq' %}
+ {%- set messaging_engine = 'rabbit' %}
+{%- else %}
+ {%- set messaging_engine = _data.engine %}
+{%- endif %}
+[oslo_messaging_{{ messaging_engine }}]
+{%- include "oslo_templates/files/queens/oslo/messaging/_" + messaging_engine + ".conf" %}
+{%- endif %}
+
+
+[oslo_messaging_notifications]
+{%- set _data = server.get('notification', {}) %}
+{%- include "oslo_templates/files/queens/oslo/messaging/_notifications.conf" %}
+
+
+[oslo_middleware]
+{%- set _data = server %}
+{%- include "oslo_templates/files/queens/oslo/_middleware.conf" %}
+
+[oslo_policy]
+{%- if server.policy is defined %}
+{%- set _data = server.policy %}
+{%- include "oslo_templates/files/queens/oslo/_policy.conf" %}
+{%- endif %}
+
+
+[queue]
+
+#
+# From barbican.common.config
+#
+
+# True enables queuing, False invokes workers synchronously (boolean
+# value)
+#enable = false
+{% if server.async_queues_enable is defined %}
+enable = {{ server.async_queues_enable }}
+{%- endif %}
+
+# Queue namespace (string value)
+#namespace = barbican
+
+# Queue topic name (string value)
+#topic = barbican.workers
+
+# Version of tasks invoked via queue (string value)
+#version = 1.1
+
+# Server name for RPC task processing server (string value)
+#server_name = barbican.queue
+
+# Number of asynchronous worker processes (integer value)
+#asynchronous_workers = 1
+
+
+[quotas]
+
+#
+# From barbican.common.config
+#
+
+# Number of secrets allowed per project (integer value)
+#quota_secrets = -1
+
+# Number of orders allowed per project (integer value)
+#quota_orders = -1
+
+# Number of containers allowed per project (integer value)
+#quota_containers = -1
+
+# Number of consumers allowed per project (integer value)
+#quota_consumers = -1
+
+# Number of CAs allowed per project (integer value)
+#quota_cas = -1
+
+
+[retry_scheduler]
+
+#
+# From barbican.common.config
+#
+
+# Seconds (float) to wait before starting retry scheduler (floating
+# point value)
+#initial_delay_seconds = 10.0
+
+# Seconds (float) to wait between periodic schedule events (floating
+# point value)
+#periodic_interval_max_seconds = 10.0
+
+
+[secretstore]
+
+#
+# From barbican.plugin.secret_store
+#
+
+# Extension namespace to search for plugins. (string value)
+#namespace = barbican.secretstore.plugin
+
+# List of secret store plugins to load. (multi valued)
+#enabled_secretstore_plugins = store_crypto
+
+# Flag to enable multiple secret store plugin backend support. Default
+# is False (boolean value)
+#enable_multiple_secret_stores = false
+enable_multiple_secret_stores = True
+
+# List of suffix to use for looking up plugins which are supported
+# with multiple backend support. (list value)
+#stores_lookup_suffix = <None>
+stores_lookup_suffix = {{ server.get('store', {}).keys() | join(', ') }}
+
+
+[ssl]
+{%- include "oslo_templates/files/queens/oslo/service/_ssl.conf" %}
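Review bot: `enable_multiple_secret_stores = True` is emitted unconditionally in the `[secretstore]` section near the end of the file, while `stores_lookup_suffix` is built from `server.store`, so a pillar with no `store` key renders `stores_lookup_suffix = ` (empty) with multi-backend mode switched on; as far as I recall Barbican's multi-backend loader refuses to start on an empty suffix list and also requires exactly one `[secretstore:<name>]` section with `global_default = True`, so both settings should be wrapped in `{%- if server.get('store') %}` … `{%- endif %}` (or the `store` pillar documented as mandatory), and the `[secretstore:{{ store_name }}]` loop should make one `global_default` required. The two `for` loops over `server.store` and `server.plugin` also use `.iteritems()`, which does not exist on Python 3; `.items()` works on both. A short comment above the store loop explaining that store names become the `stores_lookup_suffix` entries would make the coupling visible to whoever edits the pillar.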
diff --git a/barbican/files/queens/plugin/_dogtag.conf b/barbican/files/queens/plugin/_dogtag.conf
new file mode 100644
index 0000000..c099549
--- /dev/null
+++ b/barbican/files/queens/plugin/_dogtag.conf
@@ -0,0 +1,46 @@
+
+#
+# From barbican.plugin.dogtag
+#
+
+# Path to PEM file for authentication (string value)
+#pem_path = /etc/barbican/kra_admin_cert.pem
+pem_path = '{{ plugin.get('pem_path', '/etc/barbican/kra_admin_cert.pem') }}'
+
+# Hostname for the Dogtag instance (string value)
+#dogtag_host = localhost
+dogtag_host = {{ plugin.get('dogtag_host', 'localhost') }}
+
+# Port for the Dogtag instance (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#dogtag_port = 8443
+dogtag_port = {{ plugin.get('dogtag_port', '8443') }}
+
+# Path to the NSS certificate database (string value)
+#nss_db_path = /etc/barbican/alias
+nss_db_path = '{{ plugin.get('nss_db_path', '/etc/barbican/alias') }}'
+
+# Password for the NSS certificate databases (string value)
+#nss_password = <None>
+nss_password = '{{ plugin.nss_password }}'
+
+# Profile for simple CMC requests (string value)
+#simple_cmc_profile = caOtherCert
+
+# List of automatically approved enrollment profiles (string value)
+#auto_approved_profiles = caServerCert
+
+# Time in days for CA entries to expire (string value)
+#ca_expiration_time = 1
+ca_expiration_time = {{ plugin.get('ca_expiration_time', '1') }}
+
+# Working directory for Dogtag plugin (string value)
+#plugin_working_dir = /etc/barbican/dogtag
+plugin_working_dir = '{{ plugin.get('plugin_working_dir', '/etc/barbican/dogtag') }}'
+
+# User friendly plugin name (string value)
+#plugin_name = Dogtag KRA
+
+# Retries when storing or generating secrets (integer value)
+#retries = 3
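Review bot: `auto_approved_profiles` — the list of enrollment profiles the Dogtag plugin issues without manual approval — is left as the upstream commented default with no pillar hook, so a deployment cannot narrow or widen it through this formula; `auto_approved_profiles = {{ plugin.get('auto_approved_profiles', 'caServerCert') }}` next to `ca_expiration_time` would expose it the same way as the other options. The same applies to `simple_cmc_profile`. A comment noting that `nss_password` and `pem_path` give this file the same sensitivity as the KEK in the other plugin fragments would help whoever sets the file mode on the rendered barbican.conf.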
diff --git a/barbican/files/queens/plugin/_kmip.conf b/barbican/files/queens/plugin/_kmip.conf
new file mode 100644
index 0000000..3468717
--- /dev/null
+++ b/barbican/files/queens/plugin/_kmip.conf
@@ -0,0 +1,45 @@
+[kmip_plugin]
+
+#
+# From barbican.plugin.secret_store.kmip
+#
+
+# Username for authenticating with KMIP server (string value)
+#username = <None>
+username = '{{ plugin.get('username', 'admin') }}'
+
+# Password for authenticating with KMIP server (string value)
+#password = <None>
+password = '{{ plugin.password }}'
+
+# Address of the KMIP server (string value)
+#host = localhost
+host = {{ plugin.get('host', 'localhost') }}
+
+# Port for the KMIP server (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#port = 5696
+port = {{ plugin.get('port', '5696') }}
+
+# SSL version, maps to the module ssl's constants (string value)
+#ssl_version = PROTOCOL_TLSv1_2
+
+# File path to concatenated "certification authority" certificates
+# (string value)
+#ca_certs = <None>
+ca_certs = '{{ plugin.get('ca_certs', '/etc/barbican/kmip/LocalCA.crt') }}'
+
+# File path to local client certificate (string value)
+#certfile = <None>
+certfile = '{{ plugin.get('certfile', '/etc/barbican/kmip/cert.crt') }}'
+
+# File path to local client certificate keyfile (string value)
+#keyfile = <None>
+keyfile = '{{ plugin.get('keyfile', '/etc/barbican/kmip/cert.key') }}'
+
+# Only support PKCS#1 encoding of asymmetric keys (boolean value)
+#pkcs1_only = false
+
+# User friendly plugin name (string value)
+#plugin_name = KMIP HSM
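Review bot: This fragment starts with its own `[kmip_plugin]` header, but the plugin loop in `barbican.conf.Debian` that includes it already emits `[{{ plugin_name }}_plugin]`, so the rendered config carries the header twice — harmless for oslo.config as far as I know, but inconsistent with `_dogtag.conf` and `_p11_crypto.conf`, which omit it; drop the first line of the fragment. `username` also silently defaults to `admin` while `password` is mandatory; an appliance account named `admin` is a guess that masks a missing pillar value, so `username = '{{ plugin.username }}'` (required, like `password`) is safer. Since `certfile`/`keyfile` show client-certificate authentication is also configured, a comment stating whether the username/password pair is needed alongside the certificate would help operators.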
diff --git a/barbican/files/queens/plugin/_p11_crypto.conf b/barbican/files/queens/plugin/_p11_crypto.conf
new file mode 100644
index 0000000..701be88
--- /dev/null
+++ b/barbican/files/queens/plugin/_p11_crypto.conf
@@ -0,0 +1,53 @@
+#
+# From barbican.plugin.crypto.p11
+#
+
+# Path to vendor PKCS11 library (string value)
+#library_path = <None>
+library_path = '{{ plugin.get('library_path', '/usr/lib/libCryptoki2_64.so') }}'
+
+# Password to login to PKCS11 session (string value)
+#login = <None>
+login = '{{ plugin.login }}'
+
+# Master KEK label (used in the HSM) (string value)
+#mkek_label = <None>
+mkek_label = '{{ plugin.mkek_label }}'
+
+# Master KEK length in bytes. (integer value)
+#mkek_length = <None>
+mkek_length = {{ plugin.get('mkek_length', 32) }}
+
+# HMAC label (used in the HSM) (string value)
+#hmac_label = <None>
+hmac_label = '{{ plugin.hmac_label }}'
+
+# HSM Slot ID (integer value)
+#slot_id = 1
+
+# Flag for Read/Write Sessions (boolean value)
+#rw_session = true
+
+# Project KEK length in bytes. (integer value)
+#pkek_length = 32
+
+# Project KEK Cache Time To Live, in seconds (integer value)
+#pkek_cache_ttl = 900
+
+# Project KEK Cache Item Limit (integer value)
+#pkek_cache_limit = 100
+
+# Secret encryption algorithm (string value)
+#algorithm = VENDOR_SAFENET_CKM_AES_GCM
+
+# File to pull entropy for seeding RNG (string value)
+#seed_file =
+
+# Amount of data to read from file for seed (integer value)
+#seed_length = 32
+
+# User friendly plugin name (string value)
+#plugin_name = PKCS11 HSM
+
+# Flag for plugin generated iv case (boolean value)
+#generate_iv = false
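Review bot: `slot_id` is left at the upstream default of 1 with no pillar hook, while `library_path`, `login` and the KEK labels are templated, so a deployment whose HSM partition lives in a different slot cannot configure it through this formula; add `slot_id = {{ plugin.get('slot_id', 1) }}` alongside `mkek_length`. The `library_path` default `/usr/lib/libCryptoki2_64.so` appears to be a vendor-specific (SafeNet Luna client) library name, which is worth stating in a comment so users of other HSMs know they must override it. `login` is the HSM PIN in plaintext in this file, so the rendered barbican.conf needs the same file-mode protection as the KEK in `_simple_crypto.conf`; the state that writes it is outside this diff.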
diff --git a/barbican/files/queens/plugin/_simple_crypto.conf b/barbican/files/queens/plugin/_simple_crypto.conf
new file mode 100644
index 0000000..3c187a8
--- /dev/null
+++ b/barbican/files/queens/plugin/_simple_crypto.conf
@@ -0,0 +1,11 @@
+
+#
+# From barbican.plugin.crypto.simple
+#
+
+# Key encryption key to be used by Simple Crypto Plugin (string value)
+#kek = dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=
+kek = '{{ plugin.kek }}'
+
+# User friendly plugin name (string value)
+#plugin_name = Software Only Crypto
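Review bot: `kek = '{{ plugin.kek }}'` correctly forces the KEK to come from pillar, but nothing stops a deployment from pasting the upstream sample value shown in the comment just above it (`dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=`), which is public and would leave every stored secret wrapped with a well-known key; a render-time check using Salt's Jinja `raise` helper — `{%- if plugin.kek == 'dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=' %}` / `{{ raise('simple_crypto kek must not be the upstream sample value') }}` / `{%- endif %}` — fails the highstate instead. A comment that this plugin keeps a software-only KEK in the same config file as the database credentials, and that an HSM-backed plugin (`p11_crypto`, `kmip`) is the production choice, would also help operators reading this fragment.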
diff --git a/barbican/files/queens/plugin/_snakeoil_ca.conf b/barbican/files/queens/plugin/_snakeoil_ca.conf
new file mode 100644
index 0000000..378b07d
--- /dev/null
+++ b/barbican/files/queens/plugin/_snakeoil_ca.conf
@@ -0,0 +1,20 @@
+[snakeoil_ca_plugin]
+
+#
+# From barbican.certificate.plugin.snakeoil
+#
+
+# Path to CA certificate file (string value)
+#ca_cert_path = <None>
+
+# Path to CA certificate key file (string value)
+#ca_cert_key_path = <None>
+
+# Path to CA certificate chain file (string value)
+#ca_cert_chain_path = <None>
+
+# Path to CA chain pkcs7 file (string value)
+#ca_cert_pkcs7_path = <None>
+
+# Directory in which to store certs/keys for subcas (string value)
+#subca_cert_key_directory = /etc/barbican/snakeoil-cas
diff --git a/barbican/server.sls b/barbican/server.sls
index 9cea2e6..c094ae3 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -26,6 +26,16 @@
- file: /etc/barbican/barbican.conf
- pkg: barbican_server_packages
+barbican_sync_secret_stores:
+ cmd.run:
+ - name: barbican-manage db sync_secret_stores
+ {%- if grains.get('noservices') or server.version in ['ocata', 'pike'] %}
+ - onlyif: /bin/false
+ {%- endif %}
+ - require:
+ - file: /etc/barbican/barbican.conf
+ - pkg: barbican_server_packages
+ - cmd: barbican_syncdb
{#- Creation of sites using templates is deprecated, sites should be generated by apache pillar, and enabled by barbican formula #}
{%- if pillar.get('apache', {}).get('server', {}).get('site', {}).barbican is not defined %}
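Review bot: `barbican_sync_secret_stores` is a plain `cmd.run` with only `require`, so `barbican-manage db sync_secret_stores` executes on every highstate, not just when the secret-store configuration changes; if that is not intended, `- onchanges:` / `  - file: /etc/barbican/barbican.conf` (alongside the existing requires) limits it to config changes. Gating the ocata/pike case with `onlyif: /bin/false` makes the state run and report a false condition on every run rather than not existing at all; wrapping the whole state in `{%- if server.version not in ['ocata', 'pike'] %}` is clearer and leaves the `onlyif` trick for `noservices` only. The required `cmd: barbican_syncdb` state is not visible in this hunk, so I could not confirm its name.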