Support rocky version
Change-Id: I605efa14c612b2ed8561fdb9eb601a7ef9a86fbc
Related-Prod: PROD-23719
diff --git a/.kitchen.yml b/.kitchen.yml
index b55fdc7..ad94a5c 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -18,16 +18,115 @@
- name: apache
repo: git
source: https://gerrit.mcp.mirantis.com/salt-formulas/apache
+ - name: oslo_templates
+ repo: git
+ source: https://gerrit.mcp.mirantis.com/salt-formulas/oslo-templates
state_top:
base:
"*":
- apache
- barbican
pillars:
+ ssl.sls:
+ barbican:
+ server:
+ identity:
+ engine: keystone
+ host: 10.0.106.20
+ port: 35357
+ domain: default
+ tenant: service
+ user: barbican
+ password: password
+ database:
+ engine: "mysql+pymysql"
+ host: 10.0.106.20
+ port: 3306
+ name: barbican
+ user: barbican
+ password: password
+ x509:
+ enabled: True
+ ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ key_file: /etc/barbican/ssl/mysql/client-key.pem
+ cert_file: /etc/barbican/ssl/mysql/client-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIGSjCCBDKgAwIBAgIJAIHRPs2rZbLvMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJKQIBAAKCAgEAq0m4kOIITliYea07yJnlSRNY0o6NaykiteSfHGauiub4lNQJ
+ -----END RSA PRIVATE KEY-----
+ ssl:
+ enabled: True
+ cacert_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
+ message_queue:
+ engine: rabbitmq
+ user: openstack
+ password: password
+ virtual_host: '/openstack'
+ members:
+ - host: 10.10.10.10
+ port: 5672
+ - host: 10.10.10.11
+ port: 5672
+ - host: 10.10.10.12
+ port: 5672
+ port: 5671
+ ssl:
+ # Case #1: specify cacert file and ca cert body explicitly
+ enabled: True
+ cacert_file: /etc/barbican/ssl/rabbitmq_cacert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF0TCCA7mgAwIBAgIJAMHIQpWZYGDTMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ BAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0GA1UEBwwGUHJhZ3Vl
+ MREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MTQxMTI2MDdaFw0yNzA4MTIxMTI2
+ MDdaMEoxCzAJBgNVBAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0G
+ A1UEBwwGUHJhZ3VlMREwDwYDVQQKDAhNaXJhbnRpczCCAiIwDQYJKoZIhvcNAQEB
+ BQADggIPADCCAgoCggIBAL596jeUmim5bo0J52vPylX8xZOCaCvW9wlSYbk143dU
+ x7sqlAbPePvN6jj44BrYV01F4rCn9uxuaFLrbjF4rUDp81F0yMqghwyLmlTgJBOq
+ AMNiEtrBUwmenJPuM55IYeO9OFbPeBvZyqKy2IG18GbK35QE85rOgaEfgDIkVeV9
+ yNB8b+yftn3ebRZCceU5lx/o+w2eQkuyloy1F5QC7U2MhGF2ekLX79s8x+LNlbiO
+ EF1D/FWFor3HY9DwNlg7U99mVID2Bj8lPPt4dW8JDMKkghh+S797l3H6RYKHhIvs
+ wi+50ljhk5nHl+qCooGKuGZ2WokrGXWkoDfrrpl//7FFRPwauoU/akDVfoWYffqx
+ jnvlQFkAlI3S5F/vwJGI1JGvPv5p5uRxPJEeMI0Sp9bVrznHGCgaJyY+vIBoZCwS
+ i0t16gsgeezcu44Y65crv4XNOBKOS+KqvMwdzzukOj9YsYwNnlLly0VvTEdxTwwI
+ 7NopRglUQrLusjZ5wwe23kf07xVxC98e1LRQzR5oEAUKkDrQzjmXBfcV92GrE3s7
+ 1L4dvfXUE1mVxabhBCoS6kO3JQGPK+1LJDIs/F0uVVtOy/oz6mIdV2scCteFRAbm
+ BhfEoVbaYNlUxlNGno2I/HEep4P0DrFPQi0ZmGfvNO6t3EvTSnWcsUL9h55wZ3Pl
+ AgMBAAGjgbkwgbYwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
+ FN2inIsMteL9vxR8Lo0yHI+4KaDGMHoGA1UdIwRzMHGAFN2inIsMteL9vxR8Lo0y
+ HI+4KaDGoU6kTDBKMQswCQYDVQQGEwJjejEXMBUGA1UEAwwOU2FsdCBNYXN0ZXIg
+ Q0ExDzANBgNVBAcMBlByYWd1ZTERMA8GA1UECgwITWlyYW50aXOCCQDByEKVmWBg
+ 0zANBgkqhkiG9w0BAQsFAAOCAgEAq8yv5IZWHyZuySpe85GCfdn4VFfSw6O1tdOZ
+ 7PnCNGqkLie3D0X5VIymDkEwSGrvRtAKvtRajej/1/T2lNJNzQaqQObMK9UpXMmu
+ g0qjAjYjbYMRS+4V1FJiyxxqyvE//XO+Jznj3jnF6IDnTYJp3tCUswvUYRSpAErP
+ CwtvBLzPhF9t3W+ElcrgM7UNDPRoVlun0q6FH4WAAKuuqXfJaEbe9XrkR+cBlP4O
+ 7utdveEREw0cONoFtHM/yVwb9ovaitMEA/b6qH286cJ59zXJbhMe7+n9dFlMnAAh
+ WfayyLzlaOjxicGMPcmUMRh9n8fml7bR3mekL1BGZt451kH3+FSfjPpF3hqVqb3c
+ 8LZsCrD10UYUOOQ1zyE8YaeQ6UgNW7LFJlngvNLAZKxRupc0FNGgDTMr8sgdBBeR
+ gH0cp+h4mDusEzYpaPIqci5+UOMelK/SMIYzMtD1ogZp/c9qIGh5nXwRkspHGrtk
+ ay6yizlPyY4QS1dOD/8nhGRbp5OQF1o5ZUtXlnaFHeLK7zl9iddqSvBVUNFdpDz+
+ uVYHAw4O2T7J7ge+gGgmjRPQjW1+O+jFWlSkO+7iFjdIOTZ6tpqYEglh0khgM8b5
+ V0MAVuww51/1DqirRG6Ge/3Sw44eDZID22jjCwLrDH0GSX76cDTe6Bx/WS0Wg7y/
+ /86PB1o=
+ -----END CERTIFICATE-----
top.sls:
base:
"*":
- barbican
+ - linux_repo_openstack
+ - release
verifier:
name: inspec
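Review bot: The inline `ssl.sls` pillar commits a `-----BEGIN RSA PRIVATE KEY-----` block (the `key:` scalar under `database.x509`) into `.kitchen.yml`; its body is a single truncated base64 line, so it is plainly a fixture rather than a usable key, but secret scanners typically key on the PEM header and will flag this file on every run. A comment above `key: |` such as `# test-only placeholder: truncated PEM, not a usable key` documents that, and the same comment belongs on the hard-coded `password: password` entries. The three `enabled: True` flags use the YAML 1.1 capitalised form while the pillar files added in this commit write `true`/`false`; lower-case keeps the formula consistent and satisfies yamllint's truthy rule.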
@@ -49,18 +148,63 @@
platform: ubuntu
suites:
- - name: ssl
- provisioner:
- pillars-from-files:
- barbican.sls: tests/pillar/ssl.sls
-
- - name: control_single
+<% for os_version in ['ocata','pike', 'queens', 'rocky'] %>
+ - name: control_single_<%=os_version%>
provisioner:
pillars-from-files:
barbican.sls: tests/pillar/control_single.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
- - name: control_cluster
+ - name: control_cluster_<%=os_version%>
provisioner:
pillars-from-files:
barbican.sls: tests/pillar/control_cluster.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+
+ - name: control_single_ssl_<%=os_version%>
+ provisioner:
+ pillars-from-files:
+ barbican.sls: tests/pillar/control_single.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ - ssl
+
+ - name: control_cluster_ssl_<%=os_version%>
+ provisioner:
+ pillars-from-files:
+ barbican.sls: tests/pillar/control_cluster.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ - ssl
+<% end %>
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
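Review bot: Deleting the `ssl` suite removes the only suite that loaded `tests/pillar/ssl.sls`, which was where `plugin:` and `store:` (simple_crypto, p11_crypto, kmip, dogtag) were configured; the replacement inline `ssl.sls` pillar carries only identity, database and message_queue TLS settings. Unless `tests/pillar/control_single.sls` or `control_cluster.sls` (not fully visible here) already define `plugin` and `store`, the rocky `plugin/_kmip.conf`, `_dogtag.conf` and `_p11_crypto.conf` fragments added by this commit are never rendered by any suite, so a template error in them would go unnoticed. Carrying the old plugin/store block into the inline `ssl.sls` pillar would restore that coverage. The four suite bodies inside the `<% for %>` loop are also identical apart from the pillar file name and the `- ssl` entry; a comment above the loop explaining the os_version × single/cluster × ssl matrix would help the next person keeping them in sync.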
diff --git a/barbican/files/rocky/barbican.conf.Debian b/barbican/files/rocky/barbican.conf.Debian
new file mode 100644
index 0000000..9bc41f2
--- /dev/null
+++ b/barbican/files/rocky/barbican.conf.Debian
@@ -0,0 +1,420 @@
+{%- from "barbican/map.jinja" import server with context -%}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
+
+#
+# From barbican.common.config
+#
+
+# Role used to identify an authenticated user as administrator.
+# (string value)
+#admin_role = admin
+
+# Allow unauthenticated users to access the API with read-only
+# privileges. This only applies when using ContextMiddleware. (boolean
+# value)
+#allow_anonymous_access = false
+
+# Maximum allowed http request size against the barbican-api. (integer
+# value)
+max_allowed_request_size_in_bytes = 1000000
+
+# Maximum allowed secret size in bytes. (integer value)
+max_allowed_secret_in_bytes = 10000
+
+# Host name, for use in HATEOAS-style references Note: Typically this
+# would be the load balanced endpoint that clients would use to
+# communicate back with this service. If a deployment wants to derive
+# host from wsgi request instead then make this blank. Blank is needed
+# to override default config value which is 'http://localhost:9311'
+# (string value)
+#host_href = http://localhost:9311
+{%- if server.host_href is defined %}
+host_href = {{ server.host_href }}
+{%- endif %}
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See:
+# http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine.
+# Note: For absolute addresses, use '////' slashes after 'sqlite:'.
+# (string value)
+sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
+
+# Period in seconds after which SQLAlchemy should reestablish its
+# connection to the database. MySQL uses a default `wait_timeout` of 8
+# hours, after which it will drop idle connections. This can result in
+# 'MySQL Gone Away' exceptions. If you notice this, you can lower this
+# value to ensure that SQLAlchemy reconnects before MySQL can drop the
+# connection. (integer value)
+sql_idle_timeout = {{ server.database.get('sql_idle_timeout', 3600) }}
+
+# Maximum number of database connection retries during startup. Set to
+# -1 to specify an infinite retry count. (integer value)
+#sql_max_retries = 60
+
+# Interval between retries of opening a SQL connection. (integer
+# value)
+#sql_retry_interval = 1
+
+# Create the Barbican database on service startup. (boolean value)
+db_auto_create = false
+
+# Maximum page size for the 'limit' paging URL parameter. (integer
+# value)
+max_limit_paging = 100
+
+# Default page size for the 'limit' paging URL parameter. (integer
+# value)
+default_limit_paging = 10
+
+# Accepts a class imported from the sqlalchemy.pool module, and
+# handles the details of building the pool for you. If commented out,
+# SQLAlchemy will select based on the database dialect. Other options
+# are QueuePool (for SQLAlchemy-managed connections) and NullPool (to
+# disabled SQLAlchemy management of connections). See
+# http://docs.sqlalchemy.org/en/latest/core/pooling.html for more
+# details (string value)
+#sql_pool_class = QueuePool
+
+# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG
+# log level output) if specified. (boolean value)
+#sql_pool_logging = false
+
+# Size of pool used by SQLAlchemy. This is the largest number of
+# connections that will be kept persistently in the pool. Can be set
+# to 0 to indicate no size limit. To disable pooling, use a NullPool
+# with sql_pool_class instead. Comment out to allow SQLAlchemy to
+# select the default. (integer value)
+#sql_pool_size = 5
+
+# # The maximum overflow size of the pool used by SQLAlchemy. When the
+# number of checked-out connections reaches the size set in
+# sql_pool_size, additional connections will be returned up to this
+# limit. It follows then that the total number of simultaneous
+# connections the pool will allow is sql_pool_size +
+# sql_pool_max_overflow. Can be set to -1 to indicate no overflow
+# limit, so no limit will be placed on the total number of concurrent
+# connections. Comment out to allow SQLAlchemy to select the default.
+# (integer value)
+#sql_pool_max_overflow = 10
+
+# Enable eventlet backdoor. Acceptable values are 0, <port>, and
+# <start>:<end>, where 0 results in listening on a random tcp port
+# number; <port> results in listening on the specified port number
+# (and not enabling backdoor if that port is in use); and
+# <start>:<end> results in listening on the smallest unused port
+# number within the specified range of port numbers. The chosen port
+# is displayed in the service's log file. (string value)
+#backdoor_port = <None>
+
+# Enable eventlet backdoor, using the provided path as a unix socket
+# that can receive connections. This option is mutually exclusive with
+# 'backdoor_port' in that only one should be provided. If both are
+# provided then the existence of this option overrides the usage of
+# that option. (string value)
+#backdoor_socket = <None>
+
+{%- set _data = server.get('logging', {}) %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/_log.conf" %}
+
+{%- set _data = server.message_queue %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/messaging/_default.conf" %}
+
+#
+# From oslo.service.periodic_task
+#
+
+# Some periodic tasks can be run in a separate process. Should we run
+# them here? (boolean value)
+#run_external_periodic_tasks = true
+
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/service/_wsgi_default.conf" %}
+
+
+[certificate]
+
+#
+# From barbican.certificate.plugin
+#
+
+# Extension namespace to search for plugins. (string value)
+#namespace = barbican.certificate.plugin
+
+# List of certificate plugins to load. (multi valued)
+#enabled_certificate_plugins = simple_certificate
+
+
+[certificate_event]
+
+#
+# From barbican.certificate.plugin
+#
+
+# Extension namespace to search for eventing plugins. (string value)
+#namespace = barbican.certificate.event.plugin
+
+# List of certificate plugins to load. (multi valued)
+#enabled_certificate_event_plugins = simple_certificate_event
+
+
+[cors]
+{%- if server.cors is defined %}
+{%- set _data = server.cors %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/_cors.conf" %}
+{%- endif %}
+
+
+[crypto]
+
+#
+# From barbican.plugin.crypto
+#
+
+# Extension namespace to search for plugins. (string value)
+namespace = barbican.crypto.plugin
+
+# List of crypto plugins to load. (multi valued)
+#enabled_crypto_plugins = simple_crypto
+
+
+{% for store_name, store in server.get('store', {}).iteritems() %}
+[secretstore:{{ store_name }}]
+{%- if store.store_plugin is defined %}
+secret_store_plugin = {{ store.store_plugin }}
+{%- endif %}
+{%- if store.crypto_plugin is defined %}
+crypto_plugin = {{ store.crypto_plugin }}
+{%- endif %}
+{%- if store.global_default is defined %}
+global_default = {{ store.global_default }}
+{%- endif %}
+{% endfor %}
+
+{% for plugin_name, plugin in server.get('plugin', {}).iteritems() %}
+{%- set plugin_fragment = "barbican/files/" ~ server.version ~ "/plugin/_" ~ plugin_name ~ ".conf" %}
+[{{ plugin_name }}_plugin]
+{%- include plugin_fragment %}
+{% endfor %}
+
+
+[keystone_authtoken]
+{%- set _data = server.identity %}
+{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': server.cacert_file}) %}{% endif %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- if server.get('cache',{}).members is defined and 'cache' not in _data.keys() %}
+{% do _data.update({'cache': server.cache}) %}
+{% endif %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/keystonemiddleware/_auth_token.conf" %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/keystoneauth/_type_" + auth_type + ".conf" %}
+
+
+[keystone_notifications]
+
+#
+# From barbican.common.config
+#
+
+# True enables keystone notification listener functionality. (boolean
+# value)
+enable = {{ server.get('ks_notifications_enable', 'false') }}
+
+# The default exchange under which topics are scoped. May be
+# overridden by an exchange name specified in the transport_url
+# option. (string value)
+#control_exchange = keystone
+
+# Keystone notification queue topic name. This name needs to match one
+# of values mentioned in Keystone deployment's 'notification_topics'
+# configuration e.g. notification_topics=notifications,
+# barbican_notificationsMultiple servers may listen on a topic and
+# messages will be dispatched to one of the servers in a round-robin
+# fashion. That's why Barbican service should have its own dedicated
+# notification queue so that it receives all of Keystone
+# notifications. (string value)
+#topic = notifications
+
+# True enables requeue feature in case of notification processing
+# error. Enable this only when underlying transport supports this
+# feature. (boolean value)
+allow_requeue = {{ server.get('ks_notifications_allow_requeue', 'false') }}
+
+# Version of tasks invoked via notifications (string value)
+#version = 1.0
+
+# Define the number of max threads to be used for notification server
+# processing functionality. (integer value)
+#thread_pool_size = 10
+
+
+[matchmaker_redis]
+
+#
+# From oslo.messaging
+#
+
+# DEPRECATED: Host to locate redis. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#host = 127.0.0.1
+
+# DEPRECATED: Use this port to connect to redis host. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#port = 6379
+
+# DEPRECATED: Password for Redis server (optional). (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#password =
+
+# DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode),
+# e.g., [host:port, host1:port ... ] (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#sentinel_hosts =
+
+# Redis replica set name. (string value)
+#sentinel_group_name = oslo-messaging-zeromq
+
+# Time in ms to wait between connection attempts. (integer value)
+#wait_timeout = 2000
+
+# Time in ms to wait before the transaction is killed. (integer value)
+#check_timeout = 20000
+
+# Timeout in ms on blocking socket operations. (integer value)
+#socket_timeout = 10000
+
+
+{%- if server.message_queue is defined %}
+{%- set _data = server.message_queue %}
+{%- if _data.engine == 'rabbitmq' %}
+ {%- set messaging_engine = 'rabbit' %}
+{%- else %}
+ {%- set messaging_engine = _data.engine %}
+{%- endif %}
+[oslo_messaging_{{ messaging_engine }}]
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/messaging/_" + messaging_engine + ".conf" %}
+{%- endif %}
+
+
+[oslo_messaging_notifications]
+{%- set _data = server.get('notification', {}) %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/messaging/_notifications.conf" %}
+
+
+[oslo_middleware]
+{%- set _data = server %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/_middleware.conf" %}
+
+
+[oslo_policy]
+{%- if server.policy is defined %}
+{%- set _data = server.policy %}
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/_policy.conf" %}
+{%- endif %}
+
+
+[queue]
+
+#
+# From barbican.common.config
+#
+
+# True enables queuing, False invokes workers synchronously (boolean
+# value)
+#enable = false
+{% if server.async_queues_enable is defined %}
+enable = {{ server.async_queues_enable }}
+{%- endif %}
+
+# Queue namespace (string value)
+#namespace = barbican
+
+# Queue topic name (string value)
+#topic = barbican.workers
+
+# Version of tasks invoked via queue (string value)
+#version = 1.1
+
+# Server name for RPC task processing server (string value)
+#server_name = barbican.queue
+
+# Number of asynchronous worker processes (integer value)
+#asynchronous_workers = 1
+
+
+[quotas]
+
+#
+# From barbican.common.config
+#
+
+# Number of secrets allowed per project (integer value)
+#quota_secrets = -1
+
+# Number of orders allowed per project (integer value)
+#quota_orders = -1
+
+# Number of containers allowed per project (integer value)
+#quota_containers = -1
+
+# Number of consumers allowed per project (integer value)
+#quota_consumers = -1
+
+# Number of CAs allowed per project (integer value)
+#quota_cas = -1
+
+
+[retry_scheduler]
+
+#
+# From barbican.common.config
+#
+
+# Seconds (float) to wait before starting retry scheduler (floating
+# point value)
+#initial_delay_seconds = 10.0
+
+# Seconds (float) to wait between periodic schedule events (floating
+# point value)
+#periodic_interval_max_seconds = 10.0
+
+
+[secretstore]
+
+#
+# From barbican.plugin.secret_store
+#
+
+# Extension namespace to search for plugins. (string value)
+#namespace = barbican.secretstore.plugin
+
+# List of secret store plugins to load. (multi valued)
+#enabled_secretstore_plugins = store_crypto
+
+# Flag to enable multiple secret store plugin backend support. Default
+# is False (boolean value)
+enable_multiple_secret_stores = true
+
+# List of suffix to use for looking up plugins which are supported
+# with multiple backend support. (list value)
+stores_lookup_suffix = {{ server.get('store', {}).keys()|join(', ') }}
+
+
+[ssl]
+{%- include "oslo_templates/files/" ~ server.version ~ "/oslo/service/_ssl.conf" %}
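Review bot: `server.get('store', {}).iteritems()` and `server.get('plugin', {}).iteritems()` are Python 2-only dict methods, so rendering this template on a Python 3 Salt minion fails with an undefined-attribute error; `.items()` behaves the same on both interpreters and matches the `.keys()` call already used for `stores_lookup_suffix`. Separately, `sql_connection` interpolates `server.database.password` straight into the SQLAlchemy URL, so a password containing `@`, `/`, `:` or `%` produces an unparsable DSN; `{{ server.database.password|urlencode }}` (a stock Jinja2 filter) is a no-op for plain passwords and correct for the rest. The `[keystone_authtoken]` block mutates the pillar dict in place through `_data.update(...)` while `_data` aliases `server.identity`; that side effect is visible to anything rendered afterwards and deserves a one-line comment.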
diff --git a/barbican/files/rocky/plugin/_dogtag.conf b/barbican/files/rocky/plugin/_dogtag.conf
new file mode 100644
index 0000000..cf5f51f
--- /dev/null
+++ b/barbican/files/rocky/plugin/_dogtag.conf
@@ -0,0 +1,39 @@
+
+#
+# From barbican.plugin.dogtag
+#
+
+# Path to PEM file for authentication (string value)
+pem_path = {{ plugin.get('pem_path', '/etc/barbican/kra_admin_cert.pem') }}
+
+# Hostname for the Dogtag instance (string value)
+dogtag_host = {{ plugin.get('dogtag_host', 'localhost') }}
+
+# Port for the Dogtag instance (port value)
+# Minimum value: 0
+# Maximum value: 65535
+dogtag_port = {{ plugin.get('dogtag_port', '8443') }}
+
+# Path to the NSS certificate database (string value)
+nss_db_path = {{ plugin.get('nss_db_path', '/etc/barbican/alias') }}
+
+# Password for the NSS certificate databases (string value)
+nss_password = {{ plugin.nss_password|e }}
+
+# Profile for simple CMC requests (string value)
+#simple_cmc_profile = caOtherCert
+
+# List of automatically approved enrollment profiles (string value)
+#auto_approved_profiles = caServerCert
+
+# Time in days for CA entries to expire (string value)
+ca_expiration_time = {{ plugin.get('ca_expiration_time', '1') }}
+
+# Working directory for Dogtag plugin (string value)
+plugin_working_dir = {{ plugin.get('plugin_working_dir', '/etc/barbican/dogtag') }}
+
+# User friendly plugin name (string value)
+#plugin_name = Dogtag KRA
+
+# Retries when storing or generating secrets (integer value)
+#retries = 3
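Review bot: `nss_password = {{ plugin.nss_password|e }}` applies Jinja's HTML-escape filter, so a password containing `&`, `<`, `>`, `'` or `"` is written to the INI file as an HTML entity and no longer matches the credential the NSS database was created with; `_kmip.conf` does the same with `password = {{ plugin.password|e }}`. If the intent is to protect against oslo.config's `$var` interpolation, the character that needs escaping is `$`, i.e. `nss_password = {{ plugin.nss_password|replace('$', '$$') }}`; otherwise drop the filter. Either way the choice deserves a comment, because `|e` currently reads as deliberate.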
diff --git a/barbican/files/rocky/plugin/_kmip.conf b/barbican/files/rocky/plugin/_kmip.conf
new file mode 100644
index 0000000..bdd42e6
--- /dev/null
+++ b/barbican/files/rocky/plugin/_kmip.conf
@@ -0,0 +1,38 @@
+[kmip_plugin]
+
+#
+# From barbican.plugin.secret_store.kmip
+#
+
+# Username for authenticating with KMIP server (string value)
+username = {{ plugin.get('username', 'admin') }}
+
+# Password for authenticating with KMIP server (string value)
+password = {{ plugin.password|e }}
+
+# Address of the KMIP server (string value)
+host = {{ plugin.get('host', 'localhost') }}
+
+# Port for the KMIP server (port value)
+# Minimum value: 0
+# Maximum value: 65535
+port = {{ plugin.get('port', '5696') }}
+
+# SSL version, maps to the module ssl's constants (string value)
+#ssl_version = PROTOCOL_TLSv1_2
+
+# File path to concatenated "certification authority" certificates
+# (string value)
+ca_certs = {{ plugin.get('ca_certs', '/etc/barbican/kmip/LocalCA.crt') }}
+
+# File path to local client certificate (string value)
+certfile = {{ plugin.get('certfile', '/etc/barbican/kmip/cert.crt') }}
+
+# File path to local client certificate keyfile (string value)
+keyfile = {{ plugin.get('keyfile', '/etc/barbican/kmip/cert.key') }}
+
+# Only support PKCS#1 encoding of asymmetric keys (boolean value)
+#pkcs1_only = false
+
+# User friendly plugin name (string value)
+#plugin_name = KMIP HSM
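Review bot: The fragment opens with its own `[kmip_plugin]` header, but `barbican.conf.Debian` already emits `[{{ plugin_name }}_plugin]` immediately before `{%- include plugin_fragment %}`, so the rendered file contains the `[kmip_plugin]` header twice in a row; `_snakeoil_ca.conf` repeats the pattern with `[snakeoil_ca_plugin]`, while the dogtag, p11_crypto and simple_crypto fragments correctly omit the header. Whether oslo.config's parser merges or rejects a repeated section, the output is wrong, so the header line should be dropped from both fragments.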
diff --git a/barbican/files/rocky/plugin/_p11_crypto.conf b/barbican/files/rocky/plugin/_p11_crypto.conf
new file mode 100644
index 0000000..07bf959
--- /dev/null
+++ b/barbican/files/rocky/plugin/_p11_crypto.conf
@@ -0,0 +1,48 @@
+#
+# From barbican.plugin.crypto.p11
+#
+
+# Path to vendor PKCS11 library (string value)
+library_path = {{ plugin.get('library_path', '/usr/lib/libCryptoki2_64.so') }}
+
+# Password to login to PKCS11 session (string value)
+login = {{ plugin.login }}
+
+# Master KEK label (used in the HSM) (string value)
+mkek_label = {{ plugin.mkek_label }}
+
+# Master KEK length in bytes. (integer value)
+mkek_length = {{ plugin.get('mkek_length', 32) }}
+
+# HMAC label (used in the HSM) (string value)
+hmac_label = {{ plugin.hmac_label }}
+
+# HSM Slot ID (integer value)
+#slot_id = 1
+
+# Flag for Read/Write Sessions (boolean value)
+#rw_session = true
+
+# Project KEK length in bytes. (integer value)
+#pkek_length = 32
+
+# Project KEK Cache Time To Live, in seconds (integer value)
+#pkek_cache_ttl = 900
+
+# Project KEK Cache Item Limit (integer value)
+#pkek_cache_limit = 100
+
+# Secret encryption algorithm (string value)
+#algorithm = VENDOR_SAFENET_CKM_AES_GCM
+
+# File to pull entropy for seeding RNG (string value)
+#seed_file =
+
+# Amount of data to read from file for seed (integer value)
+#seed_length = 32
+
+# User friendly plugin name (string value)
+#plugin_name = PKCS11 HSM
+
+# Flag for plugin generated iv case (boolean value)
+#generate_iv = false
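Review bot: `login`, `mkek_label` and `hmac_label` are rendered without a `.get()` default, unlike every other key in this fragment, so with Salt's default undefined handling a missing pillar key most likely yields an empty `login =` line rather than a render error (worth confirming against the minion's Jinja configuration), and the HSM PIN in `login` is also the one credential among this commit's fragments that gets no escaping treatment at all. A header comment naming the mandatory keys, e.g. `# Required pillar keys (no defaults): login, mkek_label, hmac_label`, would make the contract explicit.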
diff --git a/barbican/files/rocky/plugin/_simple_crypto.conf b/barbican/files/rocky/plugin/_simple_crypto.conf
new file mode 100644
index 0000000..02ddd3b
--- /dev/null
+++ b/barbican/files/rocky/plugin/_simple_crypto.conf
@@ -0,0 +1,10 @@
+
+#
+# From barbican.plugin.crypto.simple
+#
+
+# Key encryption key to be used by Simple Crypto Plugin (string value)
+kek = {{ plugin.kek }}
+
+# User friendly plugin name (string value)
+#plugin_name = Software Only Crypto
diff --git a/barbican/files/rocky/plugin/_snakeoil_ca.conf b/barbican/files/rocky/plugin/_snakeoil_ca.conf
new file mode 100644
index 0000000..378b07d
--- /dev/null
+++ b/barbican/files/rocky/plugin/_snakeoil_ca.conf
@@ -0,0 +1,20 @@
+[snakeoil_ca_plugin]
+
+#
+# From barbican.certificate.plugin.snakeoil
+#
+
+# Path to CA certificate file (string value)
+#ca_cert_path = <None>
+
+# Path to CA certificate key file (string value)
+#ca_cert_key_path = <None>
+
+# Path to CA certificate chain file (string value)
+#ca_cert_chain_path = <None>
+
+# Path to CA chain pkcs7 file (string value)
+#ca_cert_pkcs7_path = <None>
+
+# Directory in which to store certs/keys for subcas (string value)
+#subca_cert_key_directory = /etc/barbican/snakeoil-cas
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 45af5ad..7dd138d 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -93,7 +93,7 @@
log_appender: false
log_handlers:
watchedfile:
- enabled: true
+ enabled: false
fluentd:
enabled: false
ossyslog:
@@ -113,3 +113,42 @@
max_requests: 0
max_clients: 20
limit: 20
+ site:
+ barbican:
+ enabled: false
+ available: true
+ type: wsgi
+ name: barbican
+ wsgi:
+ daemon_process: barbican-api
+ processes: 3
+ threads: 10
+ user: barbican
+ group: barbican
+ display_name: '%{GROUP}'
+ script_alias: '/ /usr/bin/barbican-wsgi-api'
+ application_group: '%{GLOBAL}'
+ authorization: 'On'
+ host:
+ address: 127.0.0.1
+ name: 127.0.0.1
+ port: 9311
+ barbican_admin:
+ enabled: false
+ available: true
+ type: wsgi
+ name: barbican_admin
+ wsgi:
+ daemon_process: barbican-api-admin
+ processes: 3
+ threads: 10
+ user: barbican
+ group: barbican
+ display_name: '%{GROUP}'
+ script_alias: '/ /usr/bin/barbican-wsgi-api'
+ application_group: '%{GLOBAL}'
+ authorization: 'On'
+ host:
+ address: 127.0.0.1
+ name: 127.0.0.1
+ port: 9312
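Review bot: Both `barbican` and `barbican_admin` sites are declared with `enabled: false`, so if the apache formula honours that flag the way `available`/`enabled` pairs elsewhere in this pillar suggest, the new vhost definitions are never rendered and the suite does not exercise the wsgi configuration it introduces; if that is deliberate, a comment such as `# sites declared but disabled: vhost rendering is not under test` would stop a reader from assuming coverage. Both sites also use the identical `script_alias: '/ /usr/bin/barbican-wsgi-api'`, which is worth confirming for the admin listener on port 9312. The enclosing mapping starts outside the hunk.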
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 7dde92d..515a2b0 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -89,7 +89,7 @@
log_appender: false
log_handlers:
watchedfile:
- enabled: true
+ enabled: false
fluentd:
enabled: false
ossyslog:
diff --git a/tests/pillar/repo_mcp_openstack_ocata.sls b/tests/pillar/repo_mcp_openstack_ocata.sls
new file mode 100644
index 0000000..e601208
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_ocata.sls
@@ -0,0 +1,44 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_hotfix:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-hotfix main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-hotfix'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_security:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-security main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-security'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_updates:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-updates main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-uptades'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_holdback:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-holdback main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-holdback'
+ priority: 1050
+ package: '*'
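Review bot: The pin for `mirantis_openstack_updates` reads `'release a=ocata-uptades'`, a typo of `ocata-updates`, so that pin never matches and packages from the updates suite fall back to apt's default priority instead of 1050; the fix is `- pin: 'release a=ocata-updates'`. Separately, every `key_url` here (and in the pike, queens and rocky pillars) fetches the repository signing key over plain `http://`, so the key that authenticates all later packages is itself retrieved unauthenticated; if the mirror serves TLS, switching `key_url` to `https://` closes that gap for the test hosts.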
diff --git a/tests/pillar/repo_mcp_openstack_pike.sls b/tests/pillar/repo_mcp_openstack_pike.sls
new file mode 100644
index 0000000..789b907
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_pike.sls
@@ -0,0 +1,12 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/pike/{{ grains.get('oscodename') }} pike main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/pike/{{ grains.get('oscodename') }}/archive-mcppike.key"
+ pin:
+ - pin: 'release a=pike'
+ priority: 1050
+ package: '*'
\ No newline at end of file
diff --git a/tests/pillar/repo_mcp_openstack_queens.sls b/tests/pillar/repo_mcp_openstack_queens.sls
new file mode 100644
index 0000000..65fb320
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_queens.sls
@@ -0,0 +1,12 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.mirantis.com/nightly/openstack-queens/{{ grains.get('oscodename') }} {{ grains.get('oscodename') }} main"
+ architectures: amd64
+ key_url: "http://mirror.mirantis.com/nightly/openstack-queens/{{ grains.get('oscodename') }}/archive-queens.key"
+ pin:
+ - pin: 'release l=queens'
+ priority: 1050
+ package: '*'
diff --git a/tests/pillar/repo_mcp_openstack_rocky.sls b/tests/pillar/repo_mcp_openstack_rocky.sls
new file mode 100644
index 0000000..cb1c5b1
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_rocky.sls
@@ -0,0 +1,12 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.mirantis.com/nightly/openstack-rocky/{{ grains.get('oscodename') }} {{ grains.get('oscodename') }} main"
+ architectures: amd64
+ key_url: "http://mirror.mirantis.com/nightly/openstack-rocky/{{ grains.get('oscodename') }}/archive-openstack-rocky.key"
+ pin:
+ - pin: 'release l=rocky'
+ priority: 1050
+ package: '*'
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
deleted file mode 100644
index b8b1398..0000000
--- a/tests/pillar/ssl.sls
+++ /dev/null
@@ -1,205 +0,0 @@
-barbican:
- server:
- enabled: true
- version: ocata
- host_href: ''
- is_proxied: true
- dogtag_admin_cert:
- engine: manual
- key: 'some dogtag key'
- plugin:
- simple_crypto:
- kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
- p11_crypto:
- library_path: '/usr/lib/libCryptoki2_64.so'
- login: 'mypassword'
- mkek_label: 'an_mkek'
- mkek_length: 32
- hmac_label: 'my_hmac_label'
- kmip:
- username: 'admin'
- password: 'password'
- host: localhost
- port: 5696
- keyfile: '/path/to/certs/cert.key'
- certfile: '/path/to/certs/cert.crt'
- ca_certs: '/path/to/certs/LocalCA.crt'
- dogtag:
- pem_path: '/etc/barbican/kra_admin_cert.pem'
- dogtag_host: localhost
- dogtag_port: 8443
- nss_db_path: '/etc/barbican/alias'
- nss_db_path_ca: '/etc/barbican/alias-ca'
- nss_password: 'password123'
- simple_cmc_profile: 'caOtherCert'
- ca_expiration_time: 1
- plugin_working_dir: '/etc/barbican/dogtag'
- store:
- software:
- crypto_plugin: simple_crypto
- store_plugin: store_crypto
- global_default: True
- kmip:
- store_plugin: kmip_plugin
- dogtag:
- store_plugin: dogtag_crypto
- pkcs11:
- store_plugin: store_crypto
- crypto_plugin: p11_crypto
- database:
- engine: "mysql+pymysql"
- host: 10.0.106.20
- port: 3306
- name: barbican
- user: barbican
- password: password
- x509:
- enabled: True
- ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
- key_file: /etc/barbican/ssl/mysql/client-key.pem
- cert_file: /etc/barbican/ssl/mysql/client-cert.pem
- cacert: |
- -----BEGIN CERTIFICATE-----
- MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
- -----END CERTIFICATE-----
- cert: |
- -----BEGIN CERTIFICATE-----
- MIIGSjCCBDKgAwIBAgIJAIHRPs2rZbLvMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
- -----END CERTIFICATE-----
- key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIJKQIBAAKCAgEAq0m4kOIITliYea07yJnlSRNY0o6NaykiteSfHGauiub4lNQJ
- -----END RSA PRIVATE KEY-----
- ssl:
- enabled: True
- cacert_file: /etc/barbican/ssl/mysql/ca-cert.pem
- cacert: |
- -----BEGIN CERTIFICATE-----
- MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
- -----END CERTIFICATE-----
- bind:
- address: 10.0.106.20
- port: 9311
- admin_port: 9312
- identity:
- engine: keystone
- host: 10.0.106.20
- port: 35357
- domain: default
- tenant: service
- user: barbican
- password: password
- message_queue:
- engine: rabbitmq
- user: openstack
- password: password
- virtual_host: '/openstack'
- members:
- - host: 10.10.10.10
- port: 5672
- - host: 10.10.10.11
- port: 5672
- - host: 10.10.10.12
- port: 5672
- port: 5671
- ssl:
- # Case #1: specify cacert file and ca cert body explicitly
- enabled: True
- cacert_file: /etc/barbican/ssl/rabbitmq_cacert.pem
- cacert: |
- -----BEGIN CERTIFICATE-----
- MIIF0TCCA7mgAwIBAgIJAMHIQpWZYGDTMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
- BAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0GA1UEBwwGUHJhZ3Vl
- MREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MTQxMTI2MDdaFw0yNzA4MTIxMTI2
- MDdaMEoxCzAJBgNVBAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0G
- A1UEBwwGUHJhZ3VlMREwDwYDVQQKDAhNaXJhbnRpczCCAiIwDQYJKoZIhvcNAQEB
- BQADggIPADCCAgoCggIBAL596jeUmim5bo0J52vPylX8xZOCaCvW9wlSYbk143dU
- x7sqlAbPePvN6jj44BrYV01F4rCn9uxuaFLrbjF4rUDp81F0yMqghwyLmlTgJBOq
- AMNiEtrBUwmenJPuM55IYeO9OFbPeBvZyqKy2IG18GbK35QE85rOgaEfgDIkVeV9
- yNB8b+yftn3ebRZCceU5lx/o+w2eQkuyloy1F5QC7U2MhGF2ekLX79s8x+LNlbiO
- EF1D/FWFor3HY9DwNlg7U99mVID2Bj8lPPt4dW8JDMKkghh+S797l3H6RYKHhIvs
- wi+50ljhk5nHl+qCooGKuGZ2WokrGXWkoDfrrpl//7FFRPwauoU/akDVfoWYffqx
- jnvlQFkAlI3S5F/vwJGI1JGvPv5p5uRxPJEeMI0Sp9bVrznHGCgaJyY+vIBoZCwS
- i0t16gsgeezcu44Y65crv4XNOBKOS+KqvMwdzzukOj9YsYwNnlLly0VvTEdxTwwI
- 7NopRglUQrLusjZ5wwe23kf07xVxC98e1LRQzR5oEAUKkDrQzjmXBfcV92GrE3s7
- 1L4dvfXUE1mVxabhBCoS6kO3JQGPK+1LJDIs/F0uVVtOy/oz6mIdV2scCteFRAbm
- BhfEoVbaYNlUxlNGno2I/HEep4P0DrFPQi0ZmGfvNO6t3EvTSnWcsUL9h55wZ3Pl
- AgMBAAGjgbkwgbYwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
- FN2inIsMteL9vxR8Lo0yHI+4KaDGMHoGA1UdIwRzMHGAFN2inIsMteL9vxR8Lo0y
- HI+4KaDGoU6kTDBKMQswCQYDVQQGEwJjejEXMBUGA1UEAwwOU2FsdCBNYXN0ZXIg
- Q0ExDzANBgNVBAcMBlByYWd1ZTERMA8GA1UECgwITWlyYW50aXOCCQDByEKVmWBg
- 0zANBgkqhkiG9w0BAQsFAAOCAgEAq8yv5IZWHyZuySpe85GCfdn4VFfSw6O1tdOZ
- 7PnCNGqkLie3D0X5VIymDkEwSGrvRtAKvtRajej/1/T2lNJNzQaqQObMK9UpXMmu
- g0qjAjYjbYMRS+4V1FJiyxxqyvE//XO+Jznj3jnF6IDnTYJp3tCUswvUYRSpAErP
- CwtvBLzPhF9t3W+ElcrgM7UNDPRoVlun0q6FH4WAAKuuqXfJaEbe9XrkR+cBlP4O
- 7utdveEREw0cONoFtHM/yVwb9ovaitMEA/b6qH286cJ59zXJbhMe7+n9dFlMnAAh
- WfayyLzlaOjxicGMPcmUMRh9n8fml7bR3mekL1BGZt451kH3+FSfjPpF3hqVqb3c
- 8LZsCrD10UYUOOQ1zyE8YaeQ6UgNW7LFJlngvNLAZKxRupc0FNGgDTMr8sgdBBeR
- gH0cp+h4mDusEzYpaPIqci5+UOMelK/SMIYzMtD1ogZp/c9qIGh5nXwRkspHGrtk
- ay6yizlPyY4QS1dOD/8nhGRbp5OQF1o5ZUtXlnaFHeLK7zl9iddqSvBVUNFdpDz+
- uVYHAw4O2T7J7ge+gGgmjRPQjW1+O+jFWlSkO+7iFjdIOTZ6tpqYEglh0khgM8b5
- V0MAVuww51/1DqirRG6Ge/3Sw44eDZID22jjCwLrDH0GSX76cDTe6Bx/WS0Wg7y/
- /86PB1o=
- -----END CERTIFICATE-----
- cache:
- members:
- - host: 10.10.10.10
- port: 11211
- - host: 10.10.10.11
- port: 11211
- - host: 10.10.10.12
- port: 11211
-apache:
- server:
- enabled: true
- default_mpm: event
- mpm:
- prefork:
- enabled: true
- servers:
- start: 5
- spare:
- min: 2
- max: 10
- max_requests: 0
- max_clients: 20
- limit: 20
- site:
- barbican:
- enabled: false
- available: true
- type: wsgi
- name: barbican
- wsgi:
- daemon_process: barbican-api
- processes: 3
- threads: 10
- user: barbican
- group: barbican
- display_name: '%{GROUP}'
- script_alias: '/ /usr/bin/barbican-wsgi-api'
- application_group: '%{GLOBAL}'
- authorization: 'On'
- host:
- address: 127.0.0.1
- name: 127.0.0.1
- port: 9311
- barbican_admin:
- enabled: false
- available: true
- type: wsgi
- name: barbican_admin
- wsgi:
- daemon_process: barbican-api-admin
- processes: 3
- threads: 10
- user: barbican
- group: barbican
- display_name: '%{GROUP}'
- script_alias: '/ /usr/bin/barbican-wsgi-api'
- application_group: '%{GLOBAL}'
- authorization: 'On'
- host:
- address: 127.0.0.1
- name: 127.0.0.1
- port: 9312