Deprecate parameters for certificate plugins

... because certificate plugins were deprecated some time ago in Barbican and are being removed in this cycle. Depends-on: https://review.opendev.org/c/openstack/barbican/+/909640 Change-Id: Ie2dacb037a3d5ba8f1732ddb8f4b8ea8ded1e5ed
2024-03-08 13:39:50 +09:00 · 2024-03-08 13:39:50 +09:00 · d2625af949
parent 9c0930273d
commit d2625af949
5 changed files with 80 additions and 59 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -157,15 +157,6 @@
 #   are defined in a list eg. ['simple_crypto','p11_crypto']
 #   Defaults to false
 #
-# [*enabled_certificate_plugins*]
-#   (optional) Enabled certificate plugins as a list.
-#   e.g. ['snakeoil_ca', 'dogtag']
-#   Defaults to $facts['os_service_default']
-#
-# [*enabled_certificate_event_plugins*]
-#   (optional) Enabled certificate event plugins as a list
-#   Defaults to $facts['os_service_default']
-#
 # [*kombu_ssl_ca_certs*]
 #   (optional) SSL certification authority file (valid only if SSL enabled).
 #   Defaults to $facts['os_service_default']
@ -248,6 +239,16 @@
 #   (Optional) Default page size for the 'limit' paging URL parameter.
 #   Defaults to $facts['os_service_default']
 #
+# DEPRECATED PARAMETERS
+#
+# [*enabled_certificate_plugins*]
+#   (optional) Enabled certificate plugins as a list.
+#   Defaults to undef
+#
+# [*enabled_certificate_event_plugins*]
+#   (optional) Enabled certificate event plugins as a list
+#   Defaults to undef
+#
 class barbican::api (
  $package_ensure                                = 'present',
  $bind_host                                     = '0.0.0.0',
@ -280,8 +281,6 @@ class barbican::api (
  $enabled_crypto_plugins                        = $facts['os_service_default'],
  $enabled_secret_stores                         = 'simple_crypto',
  Boolean $multiple_secret_stores_enabled        = false,
-  $enabled_certificate_plugins                   = $facts['os_service_default'],
-  $enabled_certificate_event_plugins             = $facts['os_service_default'],
  $kombu_ssl_ca_certs                            = $facts['os_service_default'],
  $kombu_ssl_certfile                            = $facts['os_service_default'],
  $kombu_ssl_keyfile                             = $facts['os_service_default'],
@ -299,6 +298,9 @@ class barbican::api (
  $max_request_body_size                         = $facts['os_service_default'],
  $max_limit_paging                              = $facts['os_service_default'],
  $default_limit_paging                          = $facts['os_service_default'],
+  # DEPRECATED PARAMETERS
+  $enabled_certificate_plugins                   = undef,
+  $enabled_certificate_event_plugins             = undef,
 ) inherits barbican::params {

  include barbican::deps
@ -306,6 +308,12 @@ class barbican::api (
  include barbican::client
  include barbican::policy

+  ['enabled_certificate_plugins', 'enabled_certificate_event_plugins'].each |String $opt| {
+    if getvar($opt) != undef {
+      warning("The ${opt} parameter has been deprecated and has no effect.")
+    }
+  }
+
  package { 'barbican-api':
    ensure => $package_ensure,
    name   => $::barbican::params::api_package_name,
@ -379,10 +387,14 @@ class barbican::api (

  # enabled plugins
  barbican_config {
-    'secretstore/enabled_secretstore_plugins':             value => $enabled_secretstore_plugins;
-    'crypto/enabled_crypto_plugins':                       value => $enabled_crypto_plugins;
-    'certificate/enabled_certificate_plugins':             value => $enabled_certificate_plugins;
-    'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins;
+    'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins;
+    'crypto/enabled_crypto_plugins':           value => $enabled_crypto_plugins;
+  }
+
+  # TODO(tkajinam): Remove this after 2024.1 release
+  barbican_config {
+    'certificate/enabled_certificate_plugins':             ensure => absent;
+    'certificate_event/enabled_certificate_event_plugins': ensure => absent;
  }

  # enabled plugins when multiple plugins is enabled
--- a/manifests/plugins/dogtag.pp
+++ b/manifests/plugins/dogtag.pp
@ -27,6 +27,12 @@
 #   (optional) Path to plugin NSS DB
 #   Defaults to $facts['os_service_default']
 #
+# [*global_default*]
+#   (optional) set plugin as global default
+#   Defaults to false
+#
+# DEPRECATED PARAMETERS
+#
 # [*dogtag_plugin_simple_cmc_profile*]
 #   (optional) Profile for simple CMC enrollment.
 #   Defaults to $facts['os_service_default']
@ -39,10 +45,6 @@
 #   (optional) Working directory for Dogtag plugin
 #   Defaults to $facts['os_service_default']
 #
-# [*global_default*]
-#   (optional) set plugin as global default
-#   Defaults to false
-#
 class barbican::plugins::dogtag (
  $dogtag_plugin_nss_password,
  $dogtag_plugin_ensure_package     = 'present',
@ -50,15 +52,24 @@ class barbican::plugins::dogtag (
  $dogtag_plugin_dogtag_host        = $facts['os_service_default'],
  $dogtag_plugin_dogtag_port        = $facts['os_service_default'],
  $dogtag_plugin_nss_db_path        = $facts['os_service_default'],
-  $dogtag_plugin_simple_cmc_profile = $facts['os_service_default'],
-  $dogtag_plugin_ca_expiration_time = $facts['os_service_default'],
-  $dogtag_plugin_plugin_working_dir = $facts['os_service_default'],
  $global_default                   = false,
+  # DEPRECATED PARAMETERS
+  $dogtag_plugin_simple_cmc_profile = undef,
+  $dogtag_plugin_ca_expiration_time = undef,
+  $dogtag_plugin_plugin_working_dir = undef,
 ) {

  include barbican::deps
  include barbican::params

+  [
+    'simple_cmc_profile', 'ca_expiration_time', 'plugin_working_dir'
+  ].each |String $opt| {
+    if getvar("dogtag_plugin_${opt}") != undef {
+      warning("The dogtag_plugin_${opt} parameter has been deprecated and has no effect")
+    }
+  }
+
  package {'dogtag-client':
    ensure => $dogtag_plugin_ensure_package,
    name   => $::barbican::params::dogtag_client_package,
@ -71,13 +82,17 @@ class barbican::plugins::dogtag (
  }

  barbican_config {
-    'dogtag_plugin/pem_path':           value => $dogtag_plugin_pem_path;
-    'dogtag_plugin/dogtag_host':        value => $dogtag_plugin_dogtag_host;
-    'dogtag_plugin/dogtag_port':        value => $dogtag_plugin_dogtag_port;
-    'dogtag_plugin/nss_db_path':        value => $dogtag_plugin_nss_db_path;
-    'dogtag_plugin/nss_password':       value => $dogtag_plugin_nss_password, secret => true;
-    'dogtag_plugin/simple_cmc_profile': value => $dogtag_plugin_simple_cmc_profile;
-    'dogtag_plugin/ca_expiration_time': value => $dogtag_plugin_ca_expiration_time;
-    'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir;
+    'dogtag_plugin/pem_path':     value => $dogtag_plugin_pem_path;
+    'dogtag_plugin/dogtag_host':  value => $dogtag_plugin_dogtag_host;
+    'dogtag_plugin/dogtag_port':  value => $dogtag_plugin_dogtag_port;
+    'dogtag_plugin/nss_db_path':  value => $dogtag_plugin_nss_db_path;
+    'dogtag_plugin/nss_password': value => $dogtag_plugin_nss_password, secret => true;
+  }
+
+  # TODO(tkajinam): Remove this after 2024.1 release
+  barbican_config {
+    'dogtag_plugin/simple_cmc_profile': ensure => absent;
+    'dogtag_plugin/ca_expiration_time': ensure => absent;
+    'dogtag_plugin/plugin_working_dir': ensure => absent;
  }
 }
--- a/releasenotes/notes/deprecate-certificate-plugin-opts-cfecb5a4692fa7fc.yaml
+++ b/releasenotes/notes/deprecate-certificate-plugin-opts-cfecb5a4692fa7fc.yaml
@ -0,0 +1,11 @@
+---
+deprecations:
+  - |
+    The following parameters have been deprecated and have no effect now,
+    because certificate plugins have beeen removed from barbican.
+
+    - ``barbican::api::enabled_certificate_plugins``
+    - ``barbican::api::enabled_certificate_event_plugins``
+    - ``barbican::plugins::dogtag::dogtag_plugin_simple_cmc_profile``
+    - ``barbican::plugins::dogtag::dogtag_plugin_ca_expiration_time``
+    - ``barbican::plugins::dogtag::dogtag_plugin_plugin_working_dir``
--- a/spec/classes/barbican_api_spec.rb
+++ b/spec/classes/barbican_api_spec.rb
@ -59,8 +59,6 @@ describe 'barbican::api' do
        :enabled                                       => true,
        :enabled_secretstore_plugins                   => ['<SERVICE DEFAULT>'],
        :enabled_crypto_plugins                        => ['<SERVICE DEFAULT>'],
-        :enabled_certificate_plugins                   => ['<SERVICE DEFAULT>'],
-        :enabled_certificate_event_plugins             => ['<SERVICE DEFAULT>'],
        :auth_strategy                                 => 'keystone',
        :service_name                                  => platform_params[:service_name],
        :enable_proxy_headers_parsing                  => '<SERVICE DEFAULT>',
@ -107,8 +105,6 @@ describe 'barbican::api' do
        :kombu_compression                             => 'gzip',
        :enabled_secretstore_plugins                   => ['dogtag_crypto', 'store_crypto', 'kmip'],
        :enabled_crypto_plugins                        => ['simple_crypto'],
-        :enabled_certificate_plugins                   => ['simple_certificate', 'dogtag'],
-        :enabled_certificate_event_plugins             => ['simple_certificate_event', 'foo_event'],
        :max_allowed_secret_in_bytes                   => 20000,
        :max_allowed_request_size_in_bytes             => 2000000,
        :enable_proxy_headers_parsing                  => false,
@ -195,10 +191,6 @@ describe 'barbican::api' do
            .with_value(param_hash[:enabled_secretstore_plugins])
          is_expected.to contain_barbican_config('crypto/enabled_crypto_plugins') \
            .with_value(param_hash[:enabled_crypto_plugins])
-          is_expected.to contain_barbican_config('certificate/enabled_certificate_plugins') \
-            .with_value(param_hash[:enabled_certificate_plugins])
-          is_expected.to contain_barbican_config('certificate_event/enabled_certificate_event_plugins') \
-            .with_value(param_hash[:enabled_certificate_event_plugins])
        end

        it 'configures plugins in multiple plugin config' do
--- a/spec/classes/barbican_plugins_dogtag_spec.rb
+++ b/spec/classes/barbican_plugins_dogtag_spec.rb
@ -22,15 +22,12 @@ require 'spec_helper'
 describe 'barbican::plugins::dogtag' do
  let :default_params do
    {
-      :dogtag_plugin_ensure_package     => 'present',
-      :dogtag_plugin_pem_path           => '<SERVICE DEFAULT>',
-      :dogtag_plugin_dogtag_host        => '<SERVICE DEFAULT>',
-      :dogtag_plugin_dogtag_port        => '<SERVICE DEFAULT>',
-      :dogtag_plugin_nss_db_path        => '<SERVICE DEFAULT>',
-      :dogtag_plugin_simple_cmc_profile => '<SERVICE DEFAULT>',
-      :dogtag_plugin_ca_expiration_time => '<SERVICE DEFAULT>',
-      :dogtag_plugin_plugin_working_dir => '<SERVICE DEFAULT>',
-      :global_default                   => false,
+      :dogtag_plugin_ensure_package => 'present',
+      :dogtag_plugin_pem_path       => '<SERVICE DEFAULT>',
+      :dogtag_plugin_dogtag_host    => '<SERVICE DEFAULT>',
+      :dogtag_plugin_dogtag_port    => '<SERVICE DEFAULT>',
+      :dogtag_plugin_nss_db_path    => '<SERVICE DEFAULT>',
+      :global_default               => false,
    }
  end

@ -39,15 +36,12 @@ describe 'barbican::plugins::dogtag' do
       :dogtag_plugin_nss_password => 'password',
     },
     {
-       :dogtag_plugin_pem_path           => 'path_to_pem_file',
-       :dogtag_plugin_dogtag_host        => 'dogtag_host',
-       :dogtag_plugin_dogtag_port        => '1234',
-       :dogtag_plugin_nss_db_path        => 'path_to_nss_db',
-       :dogtag_plugin_nss_password       => 'password',
-       :dogtag_plugin_simple_cmc_profile => 'caServerCert',
-       :dogtag_plugin_ca_expiration_time => '100',
-       :dogtag_plugin_plugin_working_dir => 'path_to_working_dir',
-       :global_default                   => true,
+       :dogtag_plugin_pem_path     => 'path_to_pem_file',
+       :dogtag_plugin_dogtag_host  => 'dogtag_host',
+       :dogtag_plugin_dogtag_port  => '1234',
+       :dogtag_plugin_nss_db_path  => 'path_to_nss_db',
+       :dogtag_plugin_nss_password => 'password',
+       :global_default             => true,
      }
    ].each do |param_set|
      context "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
@ -71,9 +65,6 @@ describe 'barbican::plugins::dogtag' do
          should contain_barbican_config('dogtag_plugin/dogtag_port').with_value(param_hash[:dogtag_plugin_dogtag_port])
          should contain_barbican_config('dogtag_plugin/nss_db_path').with_value(param_hash[:dogtag_plugin_nss_db_path])
          should contain_barbican_config('dogtag_plugin/nss_password').with_value(param_hash[:dogtag_plugin_nss_password]).with_secret(true)
-          should contain_barbican_config('dogtag_plugin/simple_cmc_profile').with_value(param_hash[:dogtag_plugin_simple_cmc_profile])
-          should contain_barbican_config('dogtag_plugin/ca_expiration_time').with_value(param_hash[:dogtag_plugin_ca_expiration_time])
-          should contain_barbican_config('dogtag_plugin/plugin_working_dir').with_value(param_hash[:dogtag_plugin_plugin_working_dir])
          should contain_barbican_config('secretstore:dogtag/secret_store_plugin').with_value('dogtag_crypto')
          should contain_barbican_config('secretstore:dogtag/global_default').with_value(param_hash[:global_default])
        }