Merge "Generate SimpleCryptoPlugin KEK for devstack"

2025-03-28 15:01:18 +00:00 · 2025-03-28 15:01:18 +00:00 · bfed26a52f
commit bfed26a52f
parent 826e9ca1ac 5250c5f368
3 changed files with 10 additions and 1 deletions
--- a/barbican/plugin/crypto/simple_crypto.py
+++ b/barbican/plugin/crypto/simple_crypto.py
@ -34,7 +34,6 @@ simple_crypto_plugin_group = cfg.OptGroup(name='simple_crypto_plugin',
 simple_crypto_plugin_opts = [
    cfg.MultiStrOpt(
        'kek',
-        default=['dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg='],
        secret=True,
        help=u._('Fernet Key-Encryption Key (KEK) to be used by SimpleCrypto '
                 'Plugin to encrypt Project-specific KEKs.'),
--- a/barbican/tests/utils.py
+++ b/barbican/tests/utils.py
@ -34,6 +34,7 @@ import barbican.context
 from barbican.model import repositories
 from barbican.plugin.crypto import manager as cm
 from barbican.plugin.crypto import p11_crypto
+from barbican.plugin.crypto import simple_crypto
 from barbican.plugin.interface import secret_store
 from barbican.plugin import kmip_secret_store as kss
 from barbican.tests import database_utils
@ -73,6 +74,11 @@ class BarbicanAPIBaseTestCase(oslotest.BaseTestCase):
        context.policy_enforcer = policy_enforcer
        return context

+    def _setup_kek_conf(self):
+        kek = "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
+        conf = simple_crypto.CONF
+        conf.simple_crypto_plugin.kek = [kek]
+
    def setUp(self):
        super().setUp()
        self.useFixture(barbican_fixture.StandardLogging())
@ -83,6 +89,7 @@ class BarbicanAPIBaseTestCase(oslotest.BaseTestCase):
        # Generic project id to perform actions under
        self.project_id = generate_test_valid_uuid()

+        self._setup_kek_conf()
        # Build the test app
        wsgi_app = app.build_wsgi_app(
            controller=self.root_controller,
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
@ -169,6 +169,9 @@ function configure_barbican {
        echo_summary "Barbican requires that the RabbitMQ service is enabled"
    fi

+    # SimpleCryptoPlugin settings
+    iniset $BARBICAN_CONF simple_crypto_plugin kek "$(python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode('UTF-8'))")"
+
    write_uwsgi_config "$BARBICAN_UWSGI_CONF" "$BARBICAN_WSGI" "/key-manager"
    ## Set up keystone