This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.
The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.
Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
- follow the standard installation pattern for barbicanclient:
clone it only if it is installed from source. This way it is
possible to install and test barbicanclient from pip
by default; additional jobs can simply add it
to required-projects;
- define the repository metadata using the GIT* arrays.
They are also defined by stackrc, but they should probably be
removed from there;
- remove the useless call of configure_barbicanclient (the same
steps are already performed by install_barbicanclient).
Going forward, configure_barbicanclient can be removed.
Change-Id: Iea1cd3f82c3b38f03f91b0191846e1ddbbfb1d6c
Tempest's service_available config option includes the availability of
all services, which tests then use to decide whether to skip or run
the test.
For example, if [service_available].barbican is true, the barbican tests will run;
if [service_available].barbican is false, all barbican-related tests, either
in the barbican tempest plugin or in any other plugin[1], will be skipped.
So it is important that when barbican is installed via the devstack plugin,
it sets the service_available.barbican value to True in the tempest conf.
This commit adds the setting of the barbican service[2] to the barbican devstack plugin.
Related-Bug: #1743688
Related-Bug: #1817154
[1] 0a0f9b342a/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py (L53)
[2] 123dd7d416/barbican_tempest_plugin/config.py (L18)
Change-Id: I7fd60d48802cc5e9071c39eaeb83351bec36cc41
Currently the devstack plugin sets the creator role for the tempest user, but it may
conflict with other roles already set in that configuration key. This patch
adds the creator role to the list of roles instead of replacing its value.
Change-Id: I8bdfc31bb2baeabe1d599ea6e9be3c473531f8b6
This is a mostly complete solution. Ideally we could use the stevedore
entry point name 'barbican' instead of the full class name for cinder, but
I87926d6c95ac82b6f74c263c7441614f80348c1e needs to merge first.
Change-Id: I32ed528f585e790bc771473504ab7e4bfeb63de9
TEMPEST_CONFIG options should be set in the test-config section,
otherwise they get overridden.
Also adds the creator role to the tempest user.
Change-Id: I6816c1b699e140600e5bb47a251cd0788125f8d0
The barbican-tempest-plugin should be installed through the gate
configuration rather than when the barbican devstack plugin is enabled.
Removes some of the changes added in I376d58cad9a33dc90afdd0bf01e1e73bdd5a8b28
Co-Authored-By: Brianna Poulos <Brianna.Poulos@jhuapl.edu>
Depends-On: Ibef3f9a135f14727bf57c29e766f838d7da56c68
Change-Id: I87bd021f08f381c5319ee7ffa08fb8026a22a16c
In case tempest is enabled we need to install the barbican tempest
repo and register the plugin endpoint.
Change-Id: I376d58cad9a33dc90afdd0bf01e1e73bdd5a8b28
Depends-On: I7a861dcc800cf3a49da2e317e4780aa5c5027733
This change adds an override-defaults file which
configures Nova, Cinder and Glance to use Barbican for
key management when the Barbican plugin is
installed.
Blueprint: image-signing-experimental-gate
Change-Id: Ibc3b017596a3d401fd62adb07f2d12913c2cef9a
Added code to devstack libraries to allow KMIP secret store to be
enabled. This edits barbican.conf to enable the KMIP secret store.
The Barbican PyKMIP client can be configured to connect to an existing
KMIP device or use PyKMIP's server. If the client configuration is all
that is needed then enable the 'barbican-pykmip' service in the
devstack configuration and set the appropriate key, certificate, and
CA path variables. This will allow the Barbican KMIP secret store to
connect to an existing KMIP server.
If a KMIP server is requested then also enable the 'pykmip-server'
service in the devstack configuration. This will install, configure,
and start the KMIP server. This option requires the 'barbican-pykmip'
service be configured as well.
Added passenv command to tox to allow the KMIP_PLUGIN_ENABLED
environment variable to be passed to the underlying command. Without
this the environment variable will not be seen by the tox command.
Change-Id: Ib804fa97545f14ed866bfd73bb251e85923a2e4e
Depends-On: Ifda13a84607bb199b794dc24f5dbba0ee8108dbf
This makes usage of barbican in devstack significantly more
straightforward. No more pre-cloning and moving files around.
Change-Id: I0ec63819b3aae21a6ffaed5cf8285e26dce6ae94