From 9d5c6a43ee1d8c8cd08fc2f21c7276e4a4172bef Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 29 Nov 2017 23:22:51 -0500
Subject: [PATCH] Add parameters for Barbican for image signing
Change-Id: I9e87e7b927fa595d05e1ac872fa1aa1cbe40e5eb
---
 manifests/api.pp | 26 +++++++++++++++++++
 .../add-barbican-params-236b21da099104b1.yaml | 5 ++++
 spec/classes/glance_api_spec.rb | 15 +++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 releasenotes/notes/add-barbican-params-236b21da099104b1.yaml
diff --git a/manifests/api.pp b/manifests/api.pp
index deaeb1b3..77bf07c7 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -275,6 +275,21 @@
 # (optional) Maximum number of results that could be returned by a request
 # Default: $::os_service_default.
 #
+# [*keymgr_backend*]
+# (optional) Key Manager service class.
+# Example of valid value: castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+# Defaults to undef.
+#
+# [*keymgr_encryption_api_url*]
+# (optional) Key Manager service URL
+# Example of valid value: https://localhost:9311/v1
+# Defaults to undef
+#
+# [*keymgr_encryption_auth_url*]
+# (optional) Auth URL for keymgr authentication. Should be in format
+# http://auth_url:5000/v3
+# Defaults to undef
+#
 # === deprecated parameters:
 #
 # [*known_stores*]
@@ -344,6 +359,9 @@ class glance::api(
 $validation_options = {},
 $limit_param_default = $::os_service_default,
 $api_limit_max = $::os_service_default,
+ $keymgr_backend = undef,
+ $keymgr_encryption_api_url = undef,
+ $keymgr_encryption_auth_url = undef,
 # DEPRECATED PARAMETERS
 $known_stores = false,
 ) inherits glance {
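Review bot: The documented format for `keymgr_encryption_auth_url` is the plain-HTTP `http://auth_url:5000/v3`, while the `keymgr_encryption_api_url` example just above it uses `https://`. The class body passes this value straight into `barbican/auth_endpoint`, so an operator who copies the example would point key manager authentication at an unencrypted endpoint. I would change the example line to `https://auth_url:5000/v3`, which also matches the value the new spec uses.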
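Review bot: The three new parameters default to `undef`, whereas the neighbouring `limit_param_default` and `api_limit_max` in this same hunk default to `$::os_service_default`. Together with the `if $keymgr_backend` guard added in the `@@ -502,6 +520,14 @@` hunk, removing `keymgr_backend` from a node later only stops managing the settings. A previously written `key_manager/backend` and the two `barbican/*` endpoints would then presumably stay in the glance-api configuration. If the module's usual convention applies here, declaring `$keymgr_backend = $::os_service_default,` (and the same for the two URLs) and dropping the guard would let the config provider clear them. The parameter list starts before and continues past this hunk.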
@@ -502,6 +520,14 @@ class glance::api( 'DEFAULT/registry_client_key_file': value => $registry_client_key_file; } + if $keymgr_backend { + glance_api_config { + 'key_manager/backend': value => $keymgr_backend; + 'barbican/barbican_endpoint': value => $keymgr_encryption_api_url; + 'barbican/auth_endpoint': value => $keymgr_encryption_auth_url; + } + } + if $manage_service { if $enabled { $service_ensure = 'running' diff --git a/releasenotes/notes/add-barbican-params-236b21da099104b1.yaml b/releasenotes/notes/add-barbican-params-236b21da099104b1.yaml new file mode 100644 index 00000000..10a87289 --- /dev/null +++ b/releasenotes/notes/add-barbican-params-236b21da099104b1.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add new options glance::api::keymgr_* to allow + glance-api to interact with Barbican to store and + retrieve secrets for features like image signing. diff --git a/spec/classes/glance_api_spec.rb b/spec/classes/glance_api_spec.rb index f3323819..7acdf31e 100644 --- a/spec/classes/glance_api_spec.rb +++ b/spec/classes/glance_api_spec.rb @@ -387,6 +387,21 @@ describe 'glance::api' do )} end + + describe 'with barbican parameters' do + let :params do + default_params.merge!({ + :keymgr_backend => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager', + :keymgr_encryption_api_url => 'https://localhost:9311/v1', + :keymgr_encryption_auth_url => 'https://localhost:5000/v3', + }) + end + it 'should set keymgr parameters' do + is_expected.to contain_glance_api_config('key_manager/backend').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager') + is_expected.to contain_glance_api_config('barbican/barbican_endpoint').with_value('https://localhost:9311/v1') + is_expected.to contain_glance_api_config('barbican/auth_endpoint').with_value('https://localhost:5000/v3') + end + end end shared_examples_for 'glance::api Debian' do
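Review bot: The guard tests only `$keymgr_backend`, yet it declares both `barbican/barbican_endpoint` and `barbican/auth_endpoint`, so setting the backend alone produces two resources with `value => undef`. Whether that fails catalog compilation or writes an incomplete `[barbican]` section depends on the `glance_api_config` type, which is not visible in this hunk. I would declare each endpoint only when its parameter is set, for example `if $keymgr_encryption_api_url { glance_api_config { 'barbican/barbican_endpoint': value => $keymgr_encryption_api_url } }`, and likewise for the auth endpoint. The class body starts before and continues past this hunk.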
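Review bot: The new `describe 'with barbican parameters'` block only covers the case where all three parameters are set. Nothing asserts that the default catalog leaves the key manager settings unmanaged, and nothing exercises `keymgr_backend` set without the two URLs, which is the path where the manifest passes `undef` values. I would add a default-params example such as `it { is_expected.not_to contain_glance_api_config('key_manager/backend') }`, plus a backend-only context that pins whichever behaviour is intended. The enclosing `describe 'glance::api'` block starts outside this hunk.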