Add ability to create secrets via barbican.client state
This patch adds ability to create secrets in barbican using client state
Secret can be created with or without payload, and payload can be added
later. Also there is possibility to pass path to file which should be
added as payload. Also payload can be encoded to base64 via client state
Depends-On: Idad75a8445a874e62c2e2d729cb8e98d7a37d6bd
Change-Id: Ia455622550d4456c594e6aa98c77aa3a1b3ab628
Related-Prod: https://mirantis.jira.com/browse/PROD-18731
diff --git a/README.rst b/README.rst
index e92ff23..f933560 100644
--- a/README.rst
+++ b/README.rst
@@ -337,6 +337,30 @@
store_plugin: store_crypto
crypto_plugin: p11_crypto
+Creating resources in barbican
+------------------------------
+
+To create a secret with payload from file in barbican, next pillar can be used:
+
+.. code-block:: yaml
+
+ barbican:
+ client:
+ enabled: True
+ resources:
+ v1:
+ enabled: true
+ cloud_name: admin_identity:
+ secrets:
+ TestSecret:
+ type: certificate
+ algorithm: RSA
+ payload_content_type: application/octet-stream
+ payload_content_encoding: base64
+ payload_path: /tmp/test.crt
+ encodeb64_payload: true
+
+
Documentation and Bugs
======================
diff --git a/barbican/client/init.sls b/barbican/client/init.sls
new file mode 100644
index 0000000..c708c05
--- /dev/null
+++ b/barbican/client/init.sls
@@ -0,0 +1,3 @@
+include:
+- barbican.client.service
+- barbican.client.resources
diff --git a/barbican/client/resources/init.sls b/barbican/client/resources/init.sls
new file mode 100644
index 0000000..c58d367
--- /dev/null
+++ b/barbican/client/resources/init.sls
@@ -0,0 +1,2 @@
+include:
+- barbican.client.resources.v1
diff --git a/barbican/client/resources/v1.sls b/barbican/client/resources/v1.sls
new file mode 100644
index 0000000..ddd2c76
--- /dev/null
+++ b/barbican/client/resources/v1.sls
@@ -0,0 +1,34 @@
+{%- from "barbican/map.jinja" import client with context %}
+
+{%- set resources = client.get('resources', {}).get('v1', {}) %}
+
+{%- if resources.get('enabled', False) %}
+
+{%- for secret_name, secret in resources.get('secrets', {}).iteritems() %}
+
+{%- set payload = '' %}
+{%- if secret.payload is defined %}
+{%- set payload = secret.payload %}
+{%- elif secret.payload_path is defined %}
+{%- set payload = salt['cmd.shell']('cat '+secret.payload_path) %}
+{%- endif %}
+
+barbican_secret_{{ secret_name }}:
+ barbicanv1.secret_present:
+ - cloud_name: {{ secret.get('cloud_name', resources.cloud_name) }}
+ - name: {{ secret_name }}
+ - algorithm: {{ secret.algorithm}}
+ - secret_type: {{ secret.type }}
+{%- if payload %}
+{%- if secret.get('encodeb64_payload', False) %}
+{%- set payload = salt['hashutil.base64_b64encode'](payload) %}
+ - payload_content_encoding: base64
+{%- elif secret.payload_content_encoding is defined %}
+ - payload_content_encoding: {{ secret.payload_content_encoding }}
+{%- endif %}
+ - payload: {{ payload }}
+ - payload_content_type: {{ secret.payload_content_type }}
+{%- endif %}
+
+{%- endfor %}
+{%- endif %}
diff --git a/barbican/client.sls b/barbican/client/service.sls
similarity index 100%
rename from barbican/client.sls
rename to barbican/client/service.sls