Added support Hashicorp-Vault
* Added Vault plugin definitions.
Change-Id: Ib37e7cf01bb76dff8905a1d14fb0b3880ed03f5f
Related-Prod: PROD-29576
diff --git a/.kitchen.yml b/.kitchen.yml
index ad94a5c..50de6b9 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -27,6 +27,23 @@
- apache
- barbican
pillars:
+ barbican_plugins.sls:
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: https
+ host: localhost
+ port: 8200
+ root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
+ approle_role_id: role_id
+ approle_secret_id: secret_id
+ kv_mountpoint: secret
+ ssl_ca_crt_file: '/etc/barbican/ssl/vault/CA.crt'
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ -----END CERTIFICATE-----
ssl.sls:
barbican:
server:
@@ -159,6 +176,15 @@
barbican:
server:
version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ <% unless os_version == 'ocata' || os_version == 'pike' %>
+ - barbican_plugins
+ <% end %>
- name: control_cluster_<%=os_version%>
provisioner:
@@ -170,6 +196,15 @@
barbican:
server:
version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ <% unless os_version == 'ocata' || os_version == 'pike' %>
+ - barbican_plugins
+ <% end %>
- name: control_single_ssl_<%=os_version%>
provisioner:
diff --git a/README.rst b/README.rst
index 904bf22..47f3e6d 100644
--- a/README.rst
+++ b/README.rst
@@ -302,6 +302,35 @@
mkek_length: 32
hmac_label: 'my_hmac_label'
+VAULT
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: http
+ host: localhost
+ port: 8200
+ root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
+ approle_role_id: role_id
+ approle_secret_id: secret_id
+ kv_mountpoint: secret
+
+Vault supports secure connection. You able to define following fields for use security connection,
+also you should place file of certificate or define cert content in cacert field, in the last case
+`ssl_ca_crt_file` field required to define.
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: https
+ ssl_ca_crt_file: '/etc/barbican/ssl/vault/CA.crt'
+ cacert: (certificate content)
Software Only Crypto
@@ -352,6 +381,14 @@
simple_cmc_profile: 'caOtherCert'
ca_expiration_time: 1
plugin_working_dir: '/etc/barbican/dogtag'
+ vault:
+ schema: http
+ host: localhost
+ port: 8200
+ root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
+ approle_role_id: role_id
+ approle_secret_id: secret_id
+ kv_mountpoint: secret
store:
software:
crypto_plugin: simple_crypto
diff --git a/barbican/_ssl/plugin/init.sls b/barbican/_ssl/plugin/init.sls
new file mode 100644
index 0000000..6858200
--- /dev/null
+++ b/barbican/_ssl/plugin/init.sls
@@ -0,0 +1,33 @@
+{%- from "barbican/map.jinja" import server with context %}
+
+barbican_plugin_ssl:
+ test.show_notification:
+ - text: "Running barbican._ssl.plugin"
+
+{%- if server.get('plugin', {}).get('vault', {}).get('schema', 'http') == 'https' %}
+
+ {%- set ca_file=server.plugin.vault.ssl_ca_crt_file %}
+
+barbican_plugin_vault_ca:
+ {%- if server.plugin.vault.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: barbican:server:plugin:vault:cacert
+ - mode: 444
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+barbican_plugin_vault_ca_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - mode: 444
+ - user: barbican
+ - group: barbican
+
+{%- endif %}
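Review bot: `barbican_plugin_vault_ca_set_user_and_group` is a `file.managed` with no `source`/`contents` and no `require`, so when the `else` branch's `file.exists` fails because the operator never provisioned the CA file, this state still runs and (as far as I recall Salt's `file.managed` behaviour) creates an empty file at `{{ ca_file }}` with mode 444, masking the failed check and leaving Barbican with an empty CA bundle. Add `- require:` / `  - file: barbican_plugin_vault_ca` to the second state so it only runs after the certificate is confirmed present. In the `cacert is defined` branch the second state is fully redundant, since the first `file.managed` already sets `mode`, `user` and `group`; consider moving the ownership fix into the `else` branch only. A header comment such as `{#- Ensures the Vault CA certificate referenced by ssl_ca_crt_file exists (or is written from pillar) before barbican.server installs the plugin config -#}` would also help, as the file currently has none.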
diff --git a/barbican/files/queens/barbican.conf.Debian b/barbican/files/queens/barbican.conf.Debian
index c9d230d..3958f8e 100644
--- a/barbican/files/queens/barbican.conf.Debian
+++ b/barbican/files/queens/barbican.conf.Debian
@@ -411,11 +411,14 @@
# List of secret store plugins to load. (multi valued)
#enabled_secretstore_plugins = store_crypto
+{%- if server.get('plugin', {}).vault is defined %}
+enabled_secretstore_plugins = vault_plugin
+{%- endif %}
# Flag to enable multiple secret store plugin backend support. Default
# is False (boolean value)
#enable_multiple_secret_stores = false
-enable_multiple_secret_stores = True
+enable_multiple_secret_stores = {% if server.get('plugin', {}).vault is defined %}false{% else %}true{% endif %}
# List of suffix to use for looking up plugins which are supported
# with multiple backend support. (list value)
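Review bot: When `barbican:server:plugin:vault` is defined, `enabled_secretstore_plugins` is set to only `vault_plugin` and `enable_multiple_secret_stores` is forced to `false`, so any other backends configured under `plugin` or `store` (the README example in this commit shows `vault` next to `dogtag` and a `software` store) are silently dropped from the rendered config. If single-backend mode is the intended constraint, say so in a comment above the block, e.g. `# Vault is currently supported only as the sole secret store backend; other plugin/store entries are ignored when it is defined.`; otherwise the list should be derived from all defined plugins and multiple stores left enabled. The same change is made for rocky in `barbican/files/rocky/barbican.conf.Debian`.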
diff --git a/barbican/files/queens/plugin/_vault.conf b/barbican/files/queens/plugin/_vault.conf
new file mode 100644
index 0000000..ac5fbe3
--- /dev/null
+++ b/barbican/files/queens/plugin/_vault.conf
@@ -0,0 +1,33 @@
+
+#
+# From barbican.plugin.vault
+#
+
+# Vault endpoint URL.
+# vault_url = http://127.0.0.1:8200
+vault_url = {{ plugin.get('schema', 'http') }}://{{ plugin.get('host', '127.0.0.1') }}:{{ plugin.get('port', '8200') }}
+
+# Root token for vault or AppRole role ID.
+#root_token_id = token
+#approle_role_id = role ID
+{%- if plugin.root_token_id is defined %}
+root_token_id = {{ plugin.root_token_id }}
+ {%- else %}
+approle_role_id = {{ plugin.approle_role_id }}
+{%- endif %}
+
+# AppRole secret_id for authentication with vault.
+#approle_secret_id = #secret_id
+{%- if plugin.approle_secret_id is defined %}
+approle_secret_id = {{ plugin.approle_secret_id }}
+{%- endif %}
+
+# Mountpoint of KV store in Vault to use.
+#kv_mountpoint = secret
+kv_mountpoint = {{ plugin.get('kv_mountpoint', 'secret') }}
+
+#Absolute path to CA cert file.
+#ssl_ca_crt_file = /path/to/the/cert
+{% if plugin.ssl_ca_crt_file is defined %}
+ssl_ca_crt_file = {{ plugin.ssl_ca_crt_file }}
+{%- endif %}
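Review bot: The root-token branch takes precedence over AppRole: when both `root_token_id` and `approle_role_id` are present (as in the README examples and the kitchen fixture in this commit), Barbican ends up authenticating to Vault with the root token even though a scoped AppRole was provided, which defeats the least-privilege credential. Invert the precedence so AppRole wins and the root token is only a fallback, and make neither-defined render nothing rather than failing on an undefined `plugin.approle_role_id`. Minor consistency issues in the same file: `{%- else %}` is indented with a stray leading space, and the `ssl_ca_crt_file` guard uses `{% if` without the `-` the other tags use, producing an extra blank line. The rocky copy at `barbican/files/rocky/plugin/_vault.conf` is byte-identical and needs the same changes.
```jinja
# Root token for vault or AppRole role ID (AppRole preferred when both are set).
{%- if plugin.approle_role_id is defined %}
approle_role_id = {{ plugin.approle_role_id }}
{%- elif plugin.root_token_id is defined %}
root_token_id = {{ plugin.root_token_id }}
{%- endif %}
# … unchanged: approle_secret_id, kv_mountpoint and ssl_ca_crt_file entries …
```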
diff --git a/barbican/files/rocky/barbican.conf.Debian b/barbican/files/rocky/barbican.conf.Debian
index 61eaec4..683ab00 100644
--- a/barbican/files/rocky/barbican.conf.Debian
+++ b/barbican/files/rocky/barbican.conf.Debian
@@ -406,10 +406,14 @@
# List of secret store plugins to load. (multi valued)
#enabled_secretstore_plugins = store_crypto
+{%- if server.get('plugin', {}).vault is defined %}
+enabled_secretstore_plugins = vault_plugin
+{%- endif %}
# Flag to enable multiple secret store plugin backend support. Default
# is False (boolean value)
-enable_multiple_secret_stores = true
+#enable_multiple_secret_stores = false
+enable_multiple_secret_stores = {% if server.get('plugin', {}).vault is defined %}false{% else %}true{% endif %}
# List of suffix to use for looking up plugins which are supported
# with multiple backend support. (list value)
diff --git a/barbican/files/rocky/plugin/_vault.conf b/barbican/files/rocky/plugin/_vault.conf
new file mode 100644
index 0000000..ac5fbe3
--- /dev/null
+++ b/barbican/files/rocky/plugin/_vault.conf
@@ -0,0 +1,33 @@
+
+#
+# From barbican.plugin.vault
+#
+
+# Vault endpoint URL.
+# vault_url = http://127.0.0.1:8200
+vault_url = {{ plugin.get('schema', 'http') }}://{{ plugin.get('host', '127.0.0.1') }}:{{ plugin.get('port', '8200') }}
+
+# Root token for vault or AppRole role ID.
+#root_token_id = token
+#approle_role_id = role ID
+{%- if plugin.root_token_id is defined %}
+root_token_id = {{ plugin.root_token_id }}
+ {%- else %}
+approle_role_id = {{ plugin.approle_role_id }}
+{%- endif %}
+
+# AppRole secret_id for authentication with vault.
+#approle_secret_id = #secret_id
+{%- if plugin.approle_secret_id is defined %}
+approle_secret_id = {{ plugin.approle_secret_id }}
+{%- endif %}
+
+# Mountpoint of KV store in Vault to use.
+#kv_mountpoint = secret
+kv_mountpoint = {{ plugin.get('kv_mountpoint', 'secret') }}
+
+#Absolute path to CA cert file.
+#ssl_ca_crt_file = /path/to/the/cert
+{% if plugin.ssl_ca_crt_file is defined %}
+ssl_ca_crt_file = {{ plugin.ssl_ca_crt_file }}
+{%- endif %}
diff --git a/barbican/server.sls b/barbican/server.sls
index 79f58b9..7d5d07f 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -5,6 +5,7 @@
- apache
- barbican._ssl.mysql
- barbican._ssl.rabbitmq
+ - barbican._ssl.plugin
- barbican.db.offline_sync
barbican_policy-rc.d_present:
@@ -36,6 +37,7 @@
- pkg: barbican_server_packages
- sls: barbican._ssl.mysql
- sls: barbican._ssl.rabbitmq
+ - sls: barbican._ssl.plugin
- require_in:
- sls: barbican.db.offline_sync
diff --git a/metadata/service/server/plugin/vault.yml b/metadata/service/server/plugin/vault.yml
new file mode 100644
index 0000000..095475f
--- /dev/null
+++ b/metadata/service/server/plugin/vault.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ barbican_vault_schema: http
+ barbican_vault_host: localhost
+ barbican_vault_port: 8200
+ barbican_vault_kv_mountpoint: secret
+ barbican_vault_ca_certs: '/etc/barbican/ssl/vault/CA.crt'
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: ${_param:barbican_vault_schema}
+ host: ${_param:barbican_vault_host}
+ port: ${_param:barbican_vault_port}
+ kv_mountpoint: ${_param:barbican_vault_kv_mountpoint}
+ ssl_ca_crt_file: ${_param:barbican_vault_ca_certs}
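Review bot: The class exposes `_param` overrides for schema, host, port, mountpoint and CA path but none for the AppRole or root-token credentials, so operators must set `barbican:server:plugin:vault:approle_role_id`/`approle_secret_id` directly and nothing in the file says so. A short comment above `barbican:` along the lines of `# Vault credentials (approle_role_id/approle_secret_id or root_token_id) are intentionally not parameterized here; supply them from the model's secret storage` would document the intent. With the default `barbican_vault_schema: http`, overriding only `barbican_vault_host` to a remote Vault would send the token over plaintext; either defaulting to `https` or noting in a comment that `https` is expected for non-local hosts seems worth considering. `barbican_vault_port: 8200` is an int while the template's default is the string `'8200'`; quoting it keeps the two consistent.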