Add a feature to import DogTag root cert from Salt Mine
This patch adds the possibility to export DogTag root cert
from Salt Mine
Change-Id: I5d565dd0e516b42f1bcd120708dcbd7a55031cb0
Related-PROD: PROD-16384
diff --git a/README.rst b/README.rst
index dd2b3d1..e92ff23 100644
--- a/README.rst
+++ b/README.rst
@@ -214,6 +214,35 @@
ca_expiration_time: 1
plugin_working_dir: '/etc/barbican/dogtag'
+There are few sources (engines) to define KRA admin cert:
+Engine #1: Define KRA admin cert by pillar.
+To define KRA admin cert by pillar need to define the following:
+.. code block:: yaml
+ barbican:
+ server:
+ dogtag_admin_cert:
+ engine: manual
+ key: |
+ ... key data ...
+Engine #2: Receive DogTag cert from Salt Mine.
+DogTag formula sends KRA cert to dogtag_admin_cert mine function.
+.. code block:: yaml
+ barbican:
+ server:
+ dogtag_admin_cert:
+ engine: mine
+ minion: ...name of minion which has installed DogTag..
+Engine #3: No operations.
+In case of some additional steps to install KRA certificate which
+are out of scope for the formula, the formula has 'noop' engine
+to perform no operations. If 'noop' engine is defined the formula will
+do nothing to install KRA admin cert.
+.. code block:: yaml
+ barbican:
+ server:
+ dogtag_admin_cert:
+ engine: noop
+
KMIP HSM
.. code block:: yaml
diff --git a/barbican/map.jinja b/barbican/map.jinja
index 1910c0b..33ca3c1 100644
--- a/barbican/map.jinja
+++ b/barbican/map.jinja
@@ -1,4 +1,3 @@
-
{%- load_yaml as server_defaults %}
default:
bind:
@@ -12,6 +11,8 @@
database:
ssl:
enabled: False
+ dogtag_admin_cert:
+ engine: noop
Debian:
pkgs:
- barbican-api
@@ -32,5 +33,15 @@
{%- endload %}
{%- set server = salt['grains.filter_by'](server_defaults, merge=salt['pillar.get']('barbican:server'), base='default') %}
+{# Dogtag cert source case #2: Cert from Mine. #}
+{%- if server.dogtag_admin_cert.engine == 'mine' %}
+{%- set dogtag_mine_admin_certs = salt['mine.get']('I@dogtag:server', 'dogtag_admin_cert', 'compound') %}
+{%- if dogtag_mine_admin_certs.get(server.dogtag_admin_cert.minion) == None %}
+{%- do server.dogtag_admin_cert.pop('key', None) %}
+{%- else %}
+{%- do server.dogtag_admin_cert.update({'key': dogtag_mine_admin_certs.get(server.dogtag_admin_cert.minion) }) %}
+{%- endif %}
+{%- endif %}
+
{%- set client = salt['grains.filter_by'](client_defaults, merge=salt['pillar.get']('barbican:client')) %}
{%- set system_cacerts_file = salt['grains.filter_by']({'Debian': '/etc/ssl/certs/ca-certificates.crt','RedHat': '/etc/pki/tls/certs/ca-bundle.crt'})%}
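Review bot: The mine engine at L66-L73 keys the lookup on `server.dogtag_admin_cert.minion` without checking that the pillar actually set `minion` (the README requires it for engine #2); if it is absent, the `.get()` at L68 receives an undefined value and, depending on how Salt's Jinja environment treats undefined names, either fails here or silently pops `key` so the error only surfaces later in server.sls. Reading it with a default and using the Jinja test instead of `== None` makes the intent explicit: `{%- set mine_minion = server.dogtag_admin_cert.get('minion') %}` followed by `{%- if mine_minion is none or dogtag_mine_admin_certs.get(mine_minion) is none %}`. Separately, the value fetched here is the KRA admin key material that server.sls writes with mode 600, and Salt Mine data is readable by any minion through `mine.get` unless the master's `mine_get` ACL restricts it, so the README text for engine #2 should state that `mine_get` must be limited to the barbican minions for this engine to be safe.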
diff --git a/barbican/server.sls b/barbican/server.sls
index 5880053..ad2adce 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -80,6 +80,18 @@
- names: {{ server.dogtag_pkgs }}
- watch_in:
- service: barbican_server_services
+
+{%- if 'dogtag' in server.get('plugin', {}) %}
+{%- if server.dogtag_admin_cert.engine != 'noop' %}
+{# For some cases dogtag_admin_cert can be undefined. It is done to rise an exception during the state below. #}
+{{ server.plugin.dogtag.get('pem_path', '/etc/barbican/kra_admin_cert.pem') }}:
+ file.managed:
+ - contents: {{ server.dogtag_admin_cert.key | yaml }}
+ - mode: 600
+ - user: barbican
+ - group: barbican
+{%- endif %}
{%- endif %}
{%- endif %}
+{%- endif %}
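Review bot: The file.managed state at L89-L94 writes the KRA admin key with `show_changes` left at its default, so whenever the file changes its contents can appear in the state return and therefore in the job cache and any logged output; add `- show_changes: False`. The mode is an unquoted integer, `- mode: 600`, which Salt normalizes but which is safer written as `- mode: "0600"` so no YAML loader can reinterpret it. Unlike the package state just above (L83-L84), the new state has no `watch_in` on `barbican_server_services`, so a rotated certificate is written to disk but the service presumably keeps the old one until something else restarts it; it likely should carry the same `watch_in`. The comment at L88 says "rise" where "raise" is meant.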
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 581ede3..0a94c8e 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -4,6 +4,9 @@
version: ocata
host_href: ''
is_proxied: true
+ dogtag_admin_cert:
+ engine: manual
+ key: 'some dogtag key'
plugin:
simple_crypto:
kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
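Review bot: This fixture and tests/pillar/control_single.sls both set only `engine: manual`, so the `noop` default that map.jinja now declares and the `mine` branch that drops `key` are not exercised by the test pillars at all. If the fixture's plugin section includes dogtag, a second variant with `engine: noop` would confirm server.sls still renders when no `key` entry is present; the `mine` branch can only be covered with a mine stub, which is worth noting in the test README.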
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 581ede3..0a94c8e 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -4,6 +4,9 @@
version: ocata
host_href: ''
is_proxied: true
+ dogtag_admin_cert:
+ engine: manual
+ key: 'some dogtag key'
plugin:
simple_crypto:
kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="