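# Configure the keymaster configuration file (/etc/swift/keymaster.conf)
#
# The keymaster options are written into /etc/swift/keymaster.conf. Because
# that file carries the Keystone password of the user that fetches the root
# encryption secret from the KMS, it is created root-owned, group-readable
# by the swift group only, and never world-readable.
#
# == Parameters
#
# [*password*]
#   (Required) String. The password to go with the Keystone username.
#   Written with 'secret => true' so the value is not shown in Puppet logs,
#   reports or resource diffs.
#
# [*api_class*]
#   (Optional) String. The api_class tells Castellan which key manager to
#   use to access the external key management system. The value that
#   accesses Barbican is 'barbican', which resolves to
#   castellan.key_manager.barbican_key_manager.BarbicanKeyManager.
#   Defaults to 'barbican'.
#
# [*key_id*]
#   (Optional) String. The key_id is the identifier of the root secret stored
#   in the KMS. The key_id is the final part of the secret href returned in the
#   output of an 'openstack secret order get' command after an order to store
#   or create a key has been successfully completed. Although the class
#   provides a default, the keymaster needs a real key id, so set it
#   explicitly.
#   Defaults to $facts['os_service_default'].
#
# [*username*]
#   (Optional) String. The Keystone username of the user used to access the key
#   from the KMS. The username shall be set to match an existing user.
#   Defaults to 'swift'.
#
# [*project_name*]
#   (Optional) String. The Keystone project name. For security reasons,
#   it is recommended to set the project_name to a project separate from the
#   service project used by other OpenStack services. Thereby, if another
#   service is compromised, it will not have access to the Swift root
#   encryption secret. It is recommended that the swift user is the only one
#   that has a role in this project.
#   Defaults to 'services'.
#
# [*project_id*]
#   (Optional) String. Instead of the project name, the project id may also
#   be used.
#   Defaults to $facts['os_service_default'].
#
# [*auth_endpoint*]
#   (Optional) String. The Keystone URL to authenticate to. The value of
#   auth_endpoint may be set according to the value of auth_uri in
#   [filter:authtoken] in proxy-server.conf. Although the class provides a
#   default, the keymaster needs a real Keystone URL, so set it explicitly.
#   Defaults to $facts['os_service_default'].
#
# [*barbican_endpoint*]
#   (Optional) String. Endpoint of the barbican service. This is useful in
#   a multi-region cluster, where Castellan otherwise doesn't know in what
#   region the key is. If there is only a single region in the deployment,
#   this value can be left at the default.
#   Defaults to $facts['os_service_default'].
#
# [*project_domain_name*]
#   (Optional) String. The project domain name may optionally be specified.
#   Defaults to $facts['os_service_default'].
#
# [*user_domain_name*]
#   (Optional) String. The user domain name may optionally be specified.
#   Defaults to $facts['os_service_default'].
#
# [*project_domain_id*]
#   (Optional) String. Instead of the project domain name, the project domain
#   id may also be specified.
#   Defaults to 'default' (note the capitalization).
#
# [*user_domain_id*]
#   (Optional) String. Instead of the user domain name, the user domain
#   id may also be specified.
#   Defaults to 'default' (note the capitalization).
#
# [*meta_version_to_write*]
#   (Optional) Int. The version of crypto metadata to write.
#   Defaults to $facts['os_service_default'].
#
# == Dependencies
#
# None
#
# == Authors
#
#   Thiago da Silva thiago@redhat.com
#
class swift::keymaster(
  String[1] $password,
  $api_class             = 'barbican',
  $key_id                = $facts['os_service_default'],
  $username              = 'swift',
  $project_name          = 'services',
  $project_id            = $facts['os_service_default'],
  $auth_endpoint         = $facts['os_service_default'],
  $barbican_endpoint     = $facts['os_service_default'],
  $project_domain_name   = $facts['os_service_default'],
  $user_domain_name      = $facts['os_service_default'],
  $project_domain_id     = 'default',
  $user_domain_id        = 'default',
  $meta_version_to_write = $facts['os_service_default'],
) {

  include swift::deps
  include swift::params

  # The file stores the KMS user's password in clear text, so it is owned by
  # root, readable by the swift group only and not world-readable.
  file { '/etc/swift/keymaster.conf':
    ensure  => 'file',
    owner   => 'root',
    group   => $swift::params::group,
    mode    => '0640',
    require => Anchor['swift::config::begin'],
    before  => Anchor['swift::config::end']
  }
  # Make sure the file exists with the restrictive ownership and mode before
  # any option, the password included, is written into it.
  File['/etc/swift/keymaster.conf'] -> Swift_keymaster_config<||>

  swift_keymaster_config {
    'kms_keymaster/api_class':             value => $api_class;
    'kms_keymaster/key_id':                value => $key_id;
    'kms_keymaster/username':              value => $username;
    # secret => true keeps the password out of Puppet logs, reports and diffs.
    'kms_keymaster/password':              value => $password, secret => true;
    'kms_keymaster/project_name':          value => $project_name;
    'kms_keymaster/project_id':            value => $project_id;
    'kms_keymaster/auth_endpoint':         value => $auth_endpoint;
    'kms_keymaster/barbican_endpoint':     value => $barbican_endpoint;
    'kms_keymaster/project_domain_name':   value => $project_domain_name;
    'kms_keymaster/user_domain_name':      value => $user_domain_name;
    'kms_keymaster/project_domain_id':     value => $project_domain_id;
    'kms_keymaster/user_domain_id':        value => $user_domain_id;
    'kms_keymaster/meta_version_to_write': value => $meta_version_to_write;
  }
}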