106038d3cd
This is to change passing the secret URI instead of the secret UUID to barbican's get secret endpoint from which the secret itself can be extracted.

While the API [0] expects a UUID the CLI instead expects a URI and the latter extracts the UUID from the URI automatically [1].

API ref:

    GET /v1/secrets/{uuid}
    Headers:
        Accept: application/json
        X-Auth-Token: {token}
        (or X-Project-Id: {project_id})

CLI ref:

    $ barbican help secret get
    usage: barbican secret get [-h] [-f {shell,table,value}] [-c COLUMN]
                               [--max-width <integer>] [--prefix PREFIX]
                               [--decrypt] [--payload]
                               [--payload_content_type PAYLOAD_CONTENT_TYPE]
                               URI

    Retrieve a secret by providing its URI.

Finally, this adds logic for ensuring that all encrypted data is retrieved and injected back into the raw documents with Barbican references, during document rendering. Currently, this process is only performed for documents with substitutions, but should also be carried out for encrypted documents themselves.

[0] https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets-uuid
[1] https://docs.openstack.org/python-barbicanclient/latest/reference/index.html#barbicanclient.v1.secrets.SecretManager.get

Change-Id: I1717592b7acdedb66353c25fb5dcda2d5330196b
alembic
charts/deckhand
deckhand
docs
etc/deckhand
images/deckhand
releasenotes
tools
.coveragerc
.dockerignore
.gitignore
.gitreview
.stestr.conf
HACKING.rst
LICENSE
Makefile
README.rst
alembic.ini
entrypoint.sh
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini
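The commit message at the top of this page notes that the REST API takes a UUID while the client takes a URI and derives the UUID from it. As an added illustration (not Deckhand's or python-barbicanclient's code), this sketch derives the UUID from a stored reference and rejects references that do not name a secret on the expected endpoint; `TRUSTED_ENDPOINT`, `InvalidSecretRef`, `secret_uuid_from_ref` and `api_path_for` are hypothetical names and the endpoint URL is a constructed value.

```python
import uuid
from urllib.parse import urlsplit

# Assumed Barbican endpoint for this sketch (constructed value); a real
# deployment would take it from its own configuration.
TRUSTED_ENDPOINT = "https://barbican.example.test:9311"


class InvalidSecretRef(ValueError):
    """Raised when a stored reference is not a secret on the trusted endpoint."""


def secret_uuid_from_ref(ref, endpoint=TRUSTED_ENDPOINT):
    """Return the canonical UUID named by a Barbican secret URI.

    A reference that points at another host, another scheme or a
    non-secret resource is rejected instead of being followed.
    """
    if not isinstance(ref, str):
        raise InvalidSecretRef("secret reference must be a string")
    want, got = urlsplit(endpoint), urlsplit(ref)
    if (got.scheme, got.netloc.lower()) != (want.scheme, want.netloc.lower()):
        raise InvalidSecretRef("reference is not on the trusted endpoint")
    if got.query or got.fragment:
        raise InvalidSecretRef("unexpected query or fragment")
    parts = got.path.rstrip("/").split("/")
    # Expect exactly <endpoint path>/v1/secrets/{uuid}, nothing more or less.
    prefix = want.path.rstrip("/").split("/") + ["v1", "secrets"]
    if parts[:-1] != prefix:
        raise InvalidSecretRef("path is not /v1/secrets/{uuid}")
    try:
        parsed = uuid.UUID(parts[-1])
    except ValueError:
        raise InvalidSecretRef("last path segment is not a UUID") from None
    # uuid.UUID also accepts braces, urn: prefixes and bare hex; refuse those.
    if str(parsed) != parts[-1].lower():
        raise InvalidSecretRef("UUID is not in canonical hyphenated form")
    return str(parsed)


def api_path_for(ref, endpoint=TRUSTED_ENDPOINT):
    """Build the GET /v1/secrets/{uuid} path that the REST API expects."""
    return "/v1/secrets/" + secret_uuid_from_ref(ref, endpoint)
```
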
README.rst
Deckhand
Deckhand is a storage service for YAML-based configuration documents, which are managed through version control and automatically validated. Deckhand provides users with a variety of different document types that describe complex configurations using the features listed below.
Find more documentation for Deckhand on Read the Docs.
Core Responsibilities
- layering - helps reduce duplication in configuration while maintaining auditability across many sites
- substitution - provides separation between secret data and other configuration data, while allowing a simple interface for clients
- revision history - improves auditability and enables services to provide functional validation of a well-defined collection of documents that are meant to operate together
- validation - allows services to implement and register different kinds of validations and report errors
Getting Started
For more detailed installation and setup information, please refer to the Getting Started guide.
Testing
Automated Testing
To run unit tests using sqlite, execute:
$ tox -epy27
$ tox -epy35
against a py27- or py35-backed environment, respectively. To run individual unit tests, run:
$ tox -e py27 -- deckhand.tests.unit.db.test_revisions
for example.
To run functional tests:
$ tox -e functional
You can also run a subset of tests via a regex:
$ tox -e functional -- gabbi.suitemaker.test_gabbi_document-crud-success-multi-bucket
Integration Points
Deckhand has the following integration points:
- Keystone (OpenStack Identity service) provides authentication and support for role based authorization.
- PostgreSQL is used to persist information to correlate workflows with users and history of workflow commands.
Note
Currently, other database backends are not supported.
Though, being a low-level service, Deckhand has many other UCP services that integrate with it, including: