Merge "Drop Travis CI support - Update links"
diff --git a/README.rst b/README.rst
index c5d01ec..0557f46 100644
--- a/README.rst
+++ b/README.rst
@@ -378,7 +378,7 @@
resources:
v1:
enabled: true
- cloud_name: admin_identity:
+ cloud_name: admin_identity
secrets:
TestSecret:
type: certificate
@@ -387,10 +387,38 @@
payload_content_encoding: base64
payload_path: /tmp/test.crt
encodeb64_payload: true
+ acl:
+ TestSecret:
+ test_user:
+ enabled: True
+
+
+Sign image with barbican
+------------------------
+
+To sign image with given image name, secrect name and user credentials, can be
+used the following pillar:
+
+
+.. code-block:: yaml
+
+ barbican:
+ client:
+ enabled: True
+ signed_images:
+ v1:
+ enabled: true
+ images:
+ TestImage:
+ secret_name: 'TestSecret'
+ cert_key: /etc/test/certs/image.key
+ name: test-image-name
+ cloud_name: admin_identity
+
Enable x509 and ssl communication between Barbican and Galera cluster.
----------------------
+----------------------------------------------------------------------
By default communication between Barbican and Galera is unsecure.
barbican:
diff --git a/_states/barbicanv1.py b/_states/barbicanv1.py
index 8c70bea..af202d5 100644
--- a/_states/barbicanv1.py
+++ b/_states/barbicanv1.py
@@ -213,6 +213,39 @@
return _created(image_name, 'sign_image', resp)
+def secret_acl_present(name, cloud_name, **kwargs):
+ try:
+ secret = _barbicanv1_call(
+ 'secret_get_details', name=name, cloud_name=cloud_name
+ )
+ except Exception as e:
+ if 'ResourceNotFound' in repr(e):
+ return _absent(name, 'secret')
+ if 'MultipleResourcesFound' in repr(e):
+ return _find_failed(name, 'secret')
+ try:
+ resp = _barbicanv1_call('secret_acl_get', name=name,
+ cloud_name=cloud_name)
+ except Exception as e:
+ if 'ResourceNotFound' in repr(e):
+ resp = _barbicanv1_call('secret_acl_put', name=name,
+ cloud_name=cloud_name, **kwargs)
+ return _created(name, 'acl', resp)
+ else:
+ log.error('Add acl for user faild with {}'.format(e))
+ return _create_failed(name, 'acl')
+
+ missing_users = [user_id
+ for user_id in kwargs.get('users', [])
+ if user_id not in resp['read']['users']]
+ if missing_users:
+ kwargs['users'] = missing_users
+ resp = _barbicanv1_call('secret_acl_put', name=name,
+ cloud_name=cloud_name, **kwargs)
+ return _created(name, 'acl', resp)
+ return _no_changes(name, 'acl')
+
+
def _created(name, resource, resource_definition):
changes_dict = {
'name': name,
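Review bot: The first `except Exception` block in `secret_acl_present` silently swallows any error that is not ResourceNotFound or MultipleResourcesFound — an auth or connection failure falls through and the state continues to the ACL lookup as if the secret had been verified, and the fetched `secret` is never used anyway. Add a fallthrough after the MultipleResourcesFound check, e.g. `log.error('Secret lookup for acl failed with {}'.format(e))` followed by `return _create_failed(name, 'acl')`. Classifying errors by substring of `repr(e)` is brittle; if the execution module exposes the exception classes, catching them directly would be safer, and the message `'Add acl for user faild with {}'` has a typo (`failed`). The update path sends only `missing_users` to `secret_acl_put`; if that call replaces the ACL rather than extending it, previously granted users would be dropped, which is worth confirming against the execution module. `resp['read']['users']` also assumes the GET response always has a `read` entry; a `resp.get('read', {}).get('users', [])` would keep a secret with no read ACL from raising KeyError.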
diff --git a/barbican/client/image_sign.sls b/barbican/client/image_sign.sls
new file mode 100644
index 0000000..894989f
--- /dev/null
+++ b/barbican/client/image_sign.sls
@@ -0,0 +1,18 @@
+{%- from "barbican/map.jinja" import client with context %}
+
+{%- set signed_images = client.get('signed_images', {}).get('v1', {}) %}
+
+{%- if signed_images.get('enabled', False) %}
+
+{%- for image, image_params in signed_images.get('images', {}).iteritems() %}
+
+barbican_sign_image_{{ image_params.name }}:
+ barbicanv1.glance_image_signed:
+ - cloud_name: {{ image_params.cloud_name }}
+ - image_name: {{ image_params.name }}
+ - pk_fname: {{ image_params.cert_key }}
+ - secret_name: {{ image_params.secret_name }}
+ - out_fname: /tmp/signature_{{ image_params.name }}
+
+{%- endfor %}
+{%- endif %}
\ No newline at end of file
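Review bot: The signature output path `- out_fname: /tmp/signature_{{ image_params.name }}` is a predictable name in a world-writable directory, so the signing artifact can be pre-created or replaced by any local user before it is consumed; a directory owned by the service user (or a pillar-configurable `out_fname` defaulting to one) would be safer. `.iteritems()` is Python 2 only and will fail once the minion's Jinja renders under Python 3; `.items()` works on both. The file also lacks a trailing newline.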
diff --git a/barbican/client/init.sls b/barbican/client/init.sls
index c708c05..23d9adb 100644
--- a/barbican/client/init.sls
+++ b/barbican/client/init.sls
@@ -1,3 +1,4 @@
include:
- barbican.client.service
- barbican.client.resources
+- barbican.client.image_sign
diff --git a/barbican/client/resources/v1.sls b/barbican/client/resources/v1.sls
index ddd2c76..277e134 100644
--- a/barbican/client/resources/v1.sls
+++ b/barbican/client/resources/v1.sls
@@ -29,6 +29,26 @@
- payload: {{ payload }}
- payload_content_type: {{ secret.payload_content_type }}
{%- endif %}
+{%- endfor %}
+
+{%- for secret_name, users_info in resources.get('acl', {}).iteritems() %}
+
+{%- set users = salt['keystonev3.user_list'](cloud_name=resources.cloud_name) %}
+
+barbican_secret_acl_add_user_{{ secret_name }}:
+ barbicanv1.secret_acl_present:
+ - name: {{ secret_name }}
+ - cloud_name: {{ resources.cloud_name }}
+ - users:
+{%- for user in users['users'] %}
+{%- for user_name, enabled in users_info.iteritems() %}
+{%- if user_name == user['name'] and enabled %}
+ - {{ user['id'] }}
+{%- endif %}
+{%- endfor %}
+{%- endfor %}
+ - project-access: True
{%- endfor %}
+
{%- endif %}
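Review bot: The `salt['keystonev3.user_list'](cloud_name=resources.cloud_name)` call sits inside the `acl` loop and is independent of `secret_name`, so one Keystone listing is made per secret; hoisting the `{%- set users = ... %}` above the `for` keeps it to one call. `- project-access: True` is hard-coded, which means every secret with an ACL entry is also readable by all users of the secret's project regardless of the per-user list; if the intent is to restrict access to the named users, this should come from pillar (for example `users_info.get('project_access', True)`, with the per-user flags kept separately). As in the new image_sign state, `.iteritems()` is Python 2 only; `.items()` avoids a render failure under Python 3.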
diff --git a/barbican/files/queens/barbican.conf.Debian b/barbican/files/queens/barbican.conf.Debian
index b59d886..ad9ea74 100644
--- a/barbican/files/queens/barbican.conf.Debian
+++ b/barbican/files/queens/barbican.conf.Debian
@@ -215,6 +215,9 @@
{%- set _data = server.identity %}
{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': server.cacert_file}) %}{% endif %}
{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- if server.get('cache',{}).members is defined and 'cache' not in _data.keys() %}
+{% do _data.update({'cache': server.cache}) %}
+{% endif %}
{%- include "oslo_templates/files/queens/keystonemiddleware/_auth_token.conf" %}
{%- include "oslo_templates/files/queens/keystoneauth/_type_" + auth_type + ".conf" %}