Add Barbican integration to Nova
This patch adds Barbican integration to Nova
Change-Id: I74ba842b34fcfd4627586a3f337ad729c706c5b5
Related-PROD: PROD-15205
diff --git a/README.rst b/README.rst
index 56ecdb1..2a8ace1 100644
--- a/README.rst
+++ b/README.rst
@@ -71,6 +71,8 @@
audit:
enabled: false
osapi_max_limit: 500
+ barbican:
+ enabled: true
Nova services from custom package repository
@@ -146,6 +148,16 @@
# Add key without value to remove line from policy.json
'compute:create:attach_network':
+Enable Barbican integration
+
+.. code-block:: yaml
+
+ nova:
+ controller:
+ ....
+ barbican:
+ enabled: true
+
Client-side RabbitMQ TLS configuration:
---------------------------------------
@@ -367,6 +379,17 @@
- /dev/sdj
- /dev/sdh
+Enable Barbican integration
+
+.. code-block:: yaml
+
+ nova:
+ compute:
+ ....
+ barbican:
+ enabled: true
+
+
Client role
-----------
diff --git a/nova/files/ocata/nova-compute.conf.Debian b/nova/files/ocata/nova-compute.conf.Debian
index f7db4c2..ab59964 100644
--- a/nova/files/ocata/nova-compute.conf.Debian
+++ b/nova/files/ocata/nova-compute.conf.Debian
@@ -3477,7 +3477,7 @@
# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
#pool_timeout=<None>
-
+{%- if compute.get('barbican', {}).get('enabled', False) %}
[barbican]
#
@@ -3492,7 +3492,7 @@
#barbican_api_version=<None>
# Use this endpoint to connect to Keystone (string value)
-#auth_endpoint=http://localhost:5000/v3
+auth_endpoint={{ compute.identity.get('protocol', 'http') }}://{{ compute.identity.get('host', 'localhost') }}:{{ compute.identity.get('port', '5000') }}/v3
# Number of seconds to wait before retrying poll for key creation completion
# (integer value)
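Review bot: The new `auth_endpoint` line mixes two failure modes: `compute.identity` is dereferenced directly, so a pillar without an identity block raises at render time, while `protocol`, `host` and `port` fall back silently to `http`, `localhost` and `5000`, so a misspelled key yields a plaintext endpoint on the local host for the Keystone authentication the key manager depends on. I would use whichever convention the rest of the template already applies to identity-derived URLs (outside this hunk), and if the template otherwise fails loudly, drop the defaults here too. The controller template builds the same string in the hunk ending at L103.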
@@ -3500,7 +3500,7 @@
# Number of times to retry poll for key creation completion (integer value)
#number_of_retries=60
-
+{%- endif %}
[cache]
@@ -5069,7 +5069,11 @@
# * The options in the `key_manager` group, as the key_manager is used
# for the signature validation.
# (boolean value)
+{%- if compute.get('barbican', {}).get('enabled', False) %}
+verify_glance_signatures=true
+{%- else %}
#verify_glance_signatures=false
+{%- endif %}
# Enable or disable debug logging with glanceclient. (boolean value)
#debug=false
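Review bot: Setting `barbican.enabled` now also forces `verify_glance_signatures=true`, which is a separate and much stronger policy change than selecting Barbican as the key store: as far as I recall the Ocata option help just above this hunk, with verification on Nova refuses to boot any image whose signature metadata is missing or fails to verify, so an operator who enables Barbican only for volume-encryption keys would lose every unsigned image. I would make signature verification its own pillar switch that defaults to off, for example `{%- if compute.get('barbican', {}).get('enabled', False) and compute.get('verify_glance_signatures', False) %}` (constructed key name), and have the README entries in this change state the coupling explicitly. The controller template gets the same conditional in the hunk ending at L114, so the two should change together.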
@@ -5601,7 +5605,9 @@
#fixed_key=<None>
# The full class name of the key manager API class (string value)
-#api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- if compute.get('barbican', {}).get('enabled', False) %}
+api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- endif %}
# The type of authentication credential to create. Possible values are 'token',
# 'password', 'keystone_token', and 'keystone_password'. Required if no context
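Review bot: The conditional around `api_class` is effectively a no-op relative to the line it replaces: the commented-out default already names `castellan.key_manager.barbican_key_manager.BarbicanKeyManager`, so castellan would pick the Barbican backend whether or not the pillar flag is set, assuming the packaged default matches that comment. If the intent is to pin the backend regardless of packaged defaults, render `api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager` unconditionally; if the intent is to keep the Barbican key manager out of play when the flag is off, this block does not achieve that and the README should not suggest it does. The controller template adds the same block in the hunk ending at L123.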
diff --git a/nova/files/ocata/nova-controller.conf.Debian b/nova/files/ocata/nova-controller.conf.Debian
index ee7bcc3..9287087 100644
--- a/nova/files/ocata/nova-controller.conf.Debian
+++ b/nova/files/ocata/nova-controller.conf.Debian
@@ -3477,7 +3477,9 @@
#barbican_api_version=<None>
# Use this endpoint to connect to Keystone (string value)
-#auth_endpoint=http://localhost:5000/v3
+{%- if controller.get('barbican', {}).get('enabled', False) %}
+auth_endpoint={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.get('host', 'localhost') }}:{{ controller.identity.get('port', '5000') }}/v3
+{%- endif %}
# Number of seconds to wait before retrying poll for key creation completion
# (integer value)
@@ -5090,7 +5092,11 @@
# * The options in the `key_manager` group, as the key_manager is used
# for the signature validation.
# (boolean value)
+{%- if controller.get('barbican', {}).get('enabled', False) %}
+verify_glance_signatures=true
+{%- else %}
#verify_glance_signatures=false
+{%- endif %}
# Enable or disable debug logging with glanceclient. (boolean value)
#debug=false
@@ -5618,7 +5624,9 @@
#fixed_key=<None>
# The full class name of the key manager API class (string value)
-#api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- if controller.get('barbican', {}).get('enabled', False) %}
+api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- endif %}
# The type of authentication credential to create. Possible values are 'token',
# 'password', 'keystone_token', and 'keystone_password'. Required if no context
diff --git a/tests/pillar/compute_cluster.sls b/tests/pillar/compute_cluster.sls
index b027101..e200640 100644
--- a/tests/pillar/compute_cluster.sls
+++ b/tests/pillar/compute_cluster.sls
@@ -75,4 +75,5 @@
images_volume_group: nova_vg
volume_clear: zero
volume_clear_size: 0
-
+ barbican:
+ enabled: true
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 07cb450..d057d1b 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -64,3 +64,5 @@
'compute:create:attach_network':
upgrade_levels:
compute: liberty
+ barbican:
+ enabled: true