Barbican/Dogtag plugin
- Install dogtag requirements
- use dogtag_crypto instead of dogtag_plugin
- fix port from 8433 to 8443
+
- jinja formatting
- comment out the enabled_*_plugins: not needed with
`multiple secret stores` configuration
Change-Id: Iad378e9c7e54205300200ecbace34e32951fbfa7
diff --git a/README.rst b/README.rst
index 0ed5ade..2255dca 100644
--- a/README.rst
+++ b/README.rst
@@ -169,7 +169,7 @@
dogtag:
pem_path: '/etc/barbican/kra_admin_cert.pem'
dogtag_host: localhost
- dogtag_port: 8433
+ dogtag_port: 8443
nss_db_path: '/etc/barbican/alias'
nss_db_path_ca: '/etc/barbican/alias-ca'
nss_password: 'password123'
@@ -251,7 +251,7 @@
dogtag:
pem_path: '/etc/barbican/kra_admin_cert.pem'
dogtag_host: localhost
- dogtag_port: 8433
+ dogtag_port: 8443
nss_db_path: '/etc/barbican/alias'
nss_db_path_ca: '/etc/barbican/alias-ca'
nss_password: 'password123'
@@ -266,7 +266,7 @@
kmip:
store_plugin: kmip_plugin
dogtag:
- store_plugin: dogtag_plugin
+ store_plugin: dogtag_crypto
pkcs11:
store_plugin: store_crypto
crypto_plugin: p11_crypto
diff --git a/barbican/files/ocata/barbican.conf.Debian b/barbican/files/ocata/barbican.conf.Debian
index eaf7280..c0da2bb 100644
--- a/barbican/files/ocata/barbican.conf.Debian
+++ b/barbican/files/ocata/barbican.conf.Debian
@@ -263,24 +263,24 @@
# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
-enabled_secretstore_plugins = store_crypto
+#enabled_secretstore_plugins = store_crypto
enable_multiple_secret_stores = True
stores_lookup_suffix = {{ server.get('store', {}).keys() | join(', ') }}
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
-enabled_crypto_plugins = simple_crypto
+#enabled_crypto_plugins = simple_crypto
{% for store_name, store in server.get('store', {}).iteritems() %}
[secretstore:{{ store_name }}]
-{% if store.store_plugin is defined -%}
+{%- if store.store_plugin is defined %}
secret_store_plugin = {{ store.store_plugin }}
{%- endif %}
-{% if store.crypto_plugin is defined -%}
+{%- if store.crypto_plugin is defined %}
crypto_plugin = {{ store.crypto_plugin }}
{%- endif %}
-{% if store.global_default is defined -%}
+{%- if store.global_default is defined %}
global_default = {{ store.global_default }}
{%- endif %}
{% endfor %}
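Review bot: The store loop `{% for store_name, store in server.get('store', {}).iteritems() %}` directly above the reformatted `{%- if` tags calls `iteritems()`, which only exists on Python 2 dicts, so under a Python 3 Salt renderer the whole template fails and no barbican.conf is written; `{% for store_name, store in server.get('store', {}).items() %}` renders identically on both. The new left-stripping `{%- if store.store_plugin is defined %}` removes the newline after `[secretstore:{{ store_name }}]` and the output is only correct because the newline after `%}` survives, so a renderer with `trim_blocks` enabled would put the section header and `secret_store_plugin` on one line — a rendered-output check in the test pillars would catch that. With `enabled_secretstore_plugins` and `enabled_crypto_plugins` now commented out, a pillar that defines no `store` entries renders an empty `stores_lookup_suffix` and no `[secretstore:*]` sections; I cannot tell from this hunk how Barbican treats that, so it may deserve either a guard in the template or a sentence in README stating that at least one store (with `global_default`) is now required.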
diff --git a/barbican/files/ocata/plugin/_dogtag.conf b/barbican/files/ocata/plugin/_dogtag.conf
index fb16a77..2797eb2 100644
--- a/barbican/files/ocata/plugin/_dogtag.conf
+++ b/barbican/files/ocata/plugin/_dogtag.conf
@@ -1,7 +1,7 @@
[{{ plugin_name }}_plugin]
pem_path = '{{ plugin.get('pem_path', '/etc/barbican/kra_admin_cert.pem') }}'
dogtag_host = {{ plugin.get('dogtag_host', 'localhost') }}
-dogtag_port = {{ plugin.get('dogtag_port', '8433') }}
+dogtag_port = {{ plugin.get('dogtag_port', '8443') }}
nss_db_path = '{{ plugin.get('nss_db_path', '/etc/barbican/alias') }}'
nss_db_path_ca = '{{ plugin.get('nss_db_path_ca', '/etc/barbican/alias-ca') }}'
nss_password = '{{ plugin.nss_password }}'
diff --git a/barbican/map.jinja b/barbican/map.jinja
index f334fec..bb9c15f 100644
--- a/barbican/map.jinja
+++ b/barbican/map.jinja
@@ -14,6 +14,10 @@
services:
- barbican-keystone-listener
- barbican-worker
+ dogtag_pkgs:
+ - libnss3-tools
+ - python-nss
+ - pki-base
{%- endload %}
{%- load_yaml as client_defaults %}
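Review bot: `python-nss` in the new `dogtag_pkgs` list is the Python 2 binding package name; if this formula is also used with a Python 3 barbican the `dogtag_crypto` plugin would still lack its NSS module even though `pkg.installed` succeeds, so the name should probably be parameterised or noted as Python 2 only. The enclosing `load_yaml` block starts outside the hunk, so it is not visible which OS-family branch this list is added to; if the map also has a RedHat branch, `server.dogtag_pkgs` needs a matching entry there (the package names differ), otherwise the new `barbican_dogtag_packages` state in server.sls fails to render on that family. A short comment above the list such as `# runtime deps of the dogtag_crypto plugin (Debian/Ubuntu names)` would make the scope explicit.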
diff --git a/barbican/server.sls b/barbican/server.sls
index 351160f..cbf613b 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -27,8 +27,8 @@
barbican_api_config:
file.symlink:
- - name: /etc/apache2/sites-enabled/barbican-api.conf
- - target: /etc/apache2/sites-available/barbican-api.conf
+ - name: /etc/apache2/sites-enabled/barbican-api.conf
+ - target: /etc/apache2/sites-available/barbican-api.conf
barbican_apache_restart:
service.running:
@@ -46,4 +46,12 @@
- watch:
- file: /etc/barbican/barbican.conf
+{%- if 'dogtag' in server.get('plugin', {}) %}
+barbican_dogtag_packages:
+ pkg.installed:
+ - names: {{ server.dogtag_pkgs }}
+ - watch_in:
+ - service: barbican_server_services
+{%- endif %}
+
{%- endif %}
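Review bot: `- names: {{ server.dogtag_pkgs }}` in the new `barbican_dogtag_packages` state creates one package state per entry; Salt's `pkgs` argument installs the list in a single package-manager transaction and is the idiomatic form for a list value, i.e. `- pkgs: {{ server.dogtag_pkgs }}`. Either way the rendered value relies on the Python list repr being parsed as a YAML flow sequence, which works but is worth a comment. The guard `{%- if 'dogtag' in server.get('plugin', {}) %}` is keyed on `server.plugin`, while the stores in the test pillars reference the plugin as `store_plugin: dogtag_crypto`; a pillar that enables the dogtag store without a `plugin.dogtag` section would skip the packages, so either also check the store definitions or document that `plugin.dogtag` is mandatory for that store. The closing `{%- endif %}` after the inserted block belongs to an enclosing conditional whose start is outside this hunk.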
diff --git a/metadata/service/server/plugin/dogtag.yml b/metadata/service/server/plugin/dogtag.yml
index 5979258..3b862f0 100644
--- a/metadata/service/server/plugin/dogtag.yml
+++ b/metadata/service/server/plugin/dogtag.yml
@@ -7,7 +7,7 @@
plugin:
dogtag:
dogtag_host: ${_param:barbican_dogtag_host}
- dogtag_port: 8433
+ dogtag_port: 8443
nss_db_path: '/etc/barbican/alias'
nss_db_path_ca: '/etc/barbican/alias-ca'
nss_password: "${_param:barbican_dogtag_nss_password}"
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index d438e3d..581ede3 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -24,7 +24,7 @@
dogtag:
pem_path: '/etc/barbican/kra_admin_cert.pem'
dogtag_host: localhost
- dogtag_port: 8433
+ dogtag_port: 8443
nss_db_path: '/etc/barbican/alias'
nss_db_path_ca: '/etc/barbican/alias-ca'
nss_password: 'password123'
@@ -39,7 +39,7 @@
kmip:
store_plugin: kmip_plugin
dogtag:
- store_plugin: dogtag_plugin
+ store_plugin: dogtag_crypto
pkcs11:
store_plugin: store_crypto
crypto_plugin: p11_crypto
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index d438e3d..581ede3 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -24,7 +24,7 @@
dogtag:
pem_path: '/etc/barbican/kra_admin_cert.pem'
dogtag_host: localhost
- dogtag_port: 8433
+ dogtag_port: 8443
nss_db_path: '/etc/barbican/alias'
nss_db_path_ca: '/etc/barbican/alias-ca'
nss_password: 'password123'
@@ -39,7 +39,7 @@
kmip:
store_plugin: kmip_plugin
dogtag:
- store_plugin: dogtag_plugin
+ store_plugin: dogtag_crypto
pkcs11:
store_plugin: store_crypto
crypto_plugin: p11_crypto