This commit adds support for a Vault path that is relative to
the root of the Vault KV store. This configuration is optional
and will be a noop for existing deployments.
Change-Id: If34c38c8f0a2f13ea90f564bfe5e933e5e748da4
The target value is exactly the same as the default defined in oslo.log,
thus this override is just redundant.
Change-Id: I91fcc035526d655f0b885f5b6a176dc18577a3a3
Vault Namespaces [0] is a feature available in Vault Enterprise that
can be considered as a more advanced isolation feature on top of current
KV Mountpoint option in Castellan Vault plugin.
Passing a namespace in all request headers (including Auth) allows organizing a
Vault-in-Vault style of isolation, with clients using the same simple URI path
but accessing separate sets of entities in Vault.
[0] https://www.vaultproject.io/docs/enterprise/namespaces
Change-Id: I627c20002bb2a0a1b346b57e824f87f856eca4c9
Now we can't use verify_ssl if we set it to True, so we
add the "verify_ssl_path" config to solve it.
Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
The KeyManager itself should be responsible for advertising the
correct set of options for discovery, not relying on the global
option listing method to know which variable holds the options
and how are they grouped.
Change-Id: I1764c383206df835b7d654f2f776663bd6d4d25b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Support end user configuration of KV store in Vault to use for
key storage allowing more flexibility in Vault configuration.
Change-Id: I625a819c2b9b542677258de709a9c520fb86858b
Closes-Bug: 1797148
Add support for use of AppRoles for authentication to Vault; this
feature provides a more application centric approach to managing
long term access to Vault.
The functional tests exercise this integration with a restricted
policy which only allows access to the default 'secret' backend.
Change-Id: I59dfe31adb72712c53d49f66d9ac894e43e8bbad
Closes-Bug: 1796851
This change will allow the user to specify the endpoint
type for Barbican. The allowed values are: public, internal,
and admin. The default value will be 'public' since this is
the current value.
Change-Id: Ic89519ed3a9c347a9fff245ec231aa575b42f1ac
Closes-bug: 1767473
* Uses https://www.vaultproject.io/ to store/fetch secrets
* All we need is the URL and a Token to talk to the vault server
* tox target "functional-vault" sets up a server in development mode
  and runs functional tests
* Supports both http:// and https:// url(s)
  * the https support was tested by setting up a vault server by hand
    (https://gist.github.com/dims/47674cf2c3b0a953df69246c2ea1ff78)
* create_key_pair is the only API that is not implemented
Change-Id: I6436e5841c8e77a7262b4d5aa39201b40a985255
Since all Oslo library drivers are discoverable via
stevedore, we should use stevedore in Castellan as well.
This will make it easier for folks to write their own
custom drivers. Stevedore uses setuptools entry points
for implementing the common patterns for dynamically
loading extensions.
We add [key_manager]/backend as the new option to set
the custom driver. For a while, we should support the
older values that used to be specified using
[key_manager]/apiclass.
Change-Id: I2610459839806a5591da1efa314dfa52bcfb7cda
This new option should be used with caution, but is useful
for development environments where the certificates can't
be verified yet.
Closes-Bug: #1516793
Change-Id: I2e5433fda8dec02556a6715b8182201daf8fe9bb
This patch introduces the credential factory which creates a
credential object based upon the values in the configuration file.
It is the second of several patches which will implement the
"Allow different Keystone Auth Support in Castellan" blueprint.
Other patches will add:
1.) barbican key manager logic and tests
2.) documentation on usage
Change-Id: I34243c7a2523d9d0aa4e86d823dd28f1beed821a
Implements: blueprint remove-keystone-dependency
Allows a user to be able to set logging defaults if they have not
created a configuration for logging.
Change-Id: I7e7ce2f7904aefa30db63264d9e0702f0db57513
Co-Authored-By: Michael McCune <msm@redhat.com>
Closes-Bug: #1521265
At runtime castellan should be able to set auth_endpoint using options.set_defaults(),
which is critical for an application to be able to adjust the endpoint at runtime.
https://bugs.launchpad.net/castellan/+bug/1515388
Change-Id: Ie918dcc4d28ec3507559e1b0c218995f6809c364
Closes-Bug: 1515388
This change adds a module for listing configuration options and setting
their defaults. It also changes the key manager base class to
incorporate a configuration during creation. By default, the key manager
will continue to use the global CONF object from the oslo.config
package.
For the most part, this change will be backwards compatible. The one
exception is the creation of sample configuration files. Previously,
importing castellan was sufficient to add these options to the global
configuration object. Now, these options will need to be applied by
using the castellan.options.list_opts function, or adding them through
other means, to create sample configuration files. Similar applies for
setting configuration before instantiating a key manager.
changes
* adding castellan.options with list_opts and set_defaults functions
* changing KeyManager abc to include a configuration option to __init__
* changing barbican and not_implemented key managers to accept
configuration parameters
* adding tests for set_defaults function
* fixing barbican tests to accommodate new configuration parameter
* adding documentation about configuration usage
* adding castellan configs to oslo entry point in setup.cfg
* adding a genconfig target to tox for producing a sample castellan
configuration file
* adding the sample configuration file to the git ignore
* renaming barbican option api_version to barbican_api_version
Change-Id: I86d6d7d49a893beaae6f311060ec593e0482d889
Implements: blueprint improved-configuration-options