From 4e04dc1d2ed7db5dd47da9fd521b4e8054505683 Mon Sep 17 00:00:00 2001 From: Marcus Watts Date: Thu, 29 Oct 2020 12:04:36 -0400 Subject: [PATCH] rgw/kms/kmip - correct documentation. The pykmip task should be after ceph, and before rgw. kmip needs ssl certs in order to function correctly. Because the openssl_keys task has an indeterminate order of execution, it is best to create the ca as a separate task. The ca can be shared with rgw, but real life deployments of kmip are likely to have their own CA. In order to create kmip secrets, a client certificate is necessary, so must be supplied to the pykmip task. Signed-off-by: Marcus Watts --- qa/tasks/pykmip.py | 63 ++++++++++++++++++++++++++++------------------ 1 file changed, 39 insertions(+), 24 deletions(-) diff --git a/qa/tasks/pykmip.py b/qa/tasks/pykmip.py index 8f9b18c297e..d0b72f69ecc 100644 --- a/qa/tasks/pykmip.py +++ b/qa/tasks/pykmip.py 
@@ -383,37 +383,52 @@ def create_secrets(ctx, config): @contextlib.contextmanager def task(ctx, config): """ - Deploy and configure Keystone + Deploy and configure PyKMIP Example of configuration: tasks: - - local_cluster: - cluster_path: /home/adam/ceph-1/build - - local_rgw: - - tox: [ client.0 ] - - pykmip: - client.0: - force-branch: master - config: - clientca: ca-ssl-cert - servercert: pykmkp-ssl-cert-and-key - secrets: - - name: my-key-1 - base64: a2V5MS5GcWVxKzhzTGNLaGtzQkg5NGVpb1FKcFpGb2c= - - name: my-key-2 - base64: a2V5Mi5yNUNNMGFzMVdIUVZxcCt5NGVmVGlQQ1k4YWg= - - s3tests: - client.0: - force-branch: master - kms_key: my-key-1 - - rgw: - client.0: - use-pykmip-role: client.0 + - install: + - ceph: + conf: + client: + rgw crypt s3 kms backend: kmip + rgw crypt kmip ca path: /home/ubuntu/cephtest/ca/kmiproot.crt + rgw crypt kmip client cert: /home/ubuntu/cephtest/ca/kmip-client.crt + rgw crypt kmip client key: /home/ubuntu/cephtest/ca/kmip-client.key + rgw crypt kmip kms key template: pykmip-$keyid + - openssl_keys: + kmiproot: + client: client.0 + cn: kmiproot + key-type: rsa:4096 + - openssl_keys: + kmip-server: + client: client.0 + ca: kmiproot + kmip-client: + client: client.0 + ca: kmiproot + cn: rgw-client + - pykmip: + client.0: + force-branch: master + clientca: kmiproot + servercert: kmip-server + clientcert: kmip-client + secrets: + - name: pykmip-key-1 + - name: pykmip-key-2 + - rgw: + client.0: + use-pykmip-role: client.0 + - s3tests: + client.0: + force-branch: master """ assert config is None or isinstance(config, list) \ or isinstance(config, dict), \ - "task keystone only supports a list or dictionary for configuration" + "task pykmip only supports a list or dictionary for configuration" all_clients = ['client.{id}'.format(id=id_) for id_ in teuthology.all_roles_of_type(ctx.cluster, 'client')] if config is None: -- 2.39.5
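Review bot: The ordering constraint that motivates this change (pykmip must run after `ceph` and the `openssl_keys` tasks that create its certificates, and before `rgw`) is stated only in the commit message; the rewritten docstring shows that order in the example but never says it is required, so add a sentence before the example such as `The pykmip task must run after ceph and after the openssl_keys tasks that create its certificates, and before rgw.` The new `clientca`, `servercert` and `clientcert` options are likewise only shown, not explained — a line saying that each names an entry created by an earlier `openssl_keys` task would help, assuming that is how they are resolved (the lookup is outside this hunk). The example also drops the `base64:` field from each secret without saying whether key material is then generated by the task or the secret is left empty; state which, since the secret-creation path is not in this hunk either. The `task` body continues past the end of the hunk, and the updated assertion message is the only non-docstring change here.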