2e08ffd6d3
This patch introduces an optional backend encryption for the Barbican API service. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Barbican service. Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b Partially-Implements: blueprint add-ssl-internal-network
---
# One config directory per Barbican service, created only on the hosts that
# belong to that service's group and only for services that are enabled.
- name: Ensuring config directories exist
  file:
    path: "{{ node_config_directory }}/{{ item.key }}"
    state: directory
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    # quoted so the octal file mode is not parsed as the decimal integer 770
    mode: "0770"
  become: true
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ barbican_services }}"
# The uwsgi vassals directory lives under the barbican-api config directory,
# so it is gated on the barbican-api service entry rather than the loop item.
- name: Ensuring vassals config directories exist
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  file:
    path: "{{ node_config_directory }}/{{ item }}"
    state: directory
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    # quoted so the octal file mode is not parsed as the decimal integer 770
    mode: "0770"
  become: true
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
  with_items:
    - barbican-api/vassals
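# Look on the deployment host for a custom policy file in any supported
# format.  Runs once and the registered result is shared with every host;
# with skip: true an absent file leaves barbican_policy.results empty
# instead of failing the task.
- name: Check if policies shall be overwritten
  stat:
    path: "{{ item }}"
  # canonical lowercase boolean (yamllint truthy); same value as True
  run_once: true
  delegate_to: localhost
  register: barbican_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/barbican/"
      skip: true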
# Expose the first matching custom policy file as facts; skipped entirely
# when the preceding with_first_found lookup produced no result.
- name: Set barbican policy file
  set_fact:
    barbican_policy_file: "{{ barbican_policy.results.0.stat.path | basename }}"
    barbican_policy_file_path: "{{ barbican_policy.results.0.stat.path }}"
  when: barbican_policy.results
# Presumably stages the CA / TLS certificate material for the containers (see
# copy-certs.yml); only needed when the CA is injected into containers or
# Barbican terminates TLS on its backend.
- include_tasks: copy-certs.yml
  when: kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
# Render <service>.json.j2 into each enabled service's config directory and
# schedule a restart of the matching container.
- name: Copying over config.json files for services
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
    # quoted so the octal file mode is not parsed as the decimal integer 660
    mode: "0660"
  become: true
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ barbican_services }}"
  notify:
    - "Restart {{ item.key }} container"
# Build the uwsgi vassal ini from the role template plus optional operator
# overrides; later sources take precedence over earlier ones in merge_configs.
- name: Copying over barbican-api.ini
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/barbican-api.ini.j2"
      - "{{ node_custom_config }}/barbican-api/barbican-api.ini"
      - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api.ini"
    dest: "{{ node_config_directory }}/barbican-api/vassals/barbican-api.ini"
    # quoted so the octal file mode is not parsed as the decimal integer 660
    mode: "0660"
  become: true
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
  notify:
    - "Restart barbican-api container"
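# Probe the deployment host for an operator-supplied paste pipeline.
# NOTE(review): run_once executes this on the first host of the batch only and
# shares the registered result; if the when guard is false on that host the
# result carries no `stat` key for the others — confirm the play's host order.
- name: Checking whether barbican-api-paste.ini file exists
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  stat:
    path: "{{ node_custom_config }}/barbican/barbican-api-paste.ini"
  # canonical lowercase boolean (yamllint truthy); same value as True
  run_once: true
  delegate_to: localhost
  register: check_barbican_api_paste_ini
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool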
# Install the operator-supplied paste pipeline; the group/enabled checks come
# first so the stat result is only consulted on hosts where the stat task ran.
- name: Copying over barbican-api-paste.ini
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  template:
    src: "{{ node_custom_config }}/barbican/barbican-api-paste.ini"
    dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini"
    # quoted so the octal file mode is not parsed as the decimal integer 660
    mode: "0660"
  become: true
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
    - check_barbican_api_paste_ini.stat.exists
  notify:
    - "Restart barbican-api container"
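# Merge the role template with the global, service-wide, per-service and
# per-host overrides (later sources win) into each service's barbican.conf.
# The rendered file stays owner/group readable only (0660); it presumably
# carries credentials — keep it out of world-readable paths.
- name: Copying over barbican.conf
  vars:
    service_name: "{{ item.key }}"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/barbican.conf.j2"
      - "{{ node_custom_config }}/global.conf"
      - "{{ node_custom_config }}/barbican.conf"
      - "{{ node_custom_config }}/barbican/{{ item.key }}.conf"
      - "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf"
    dest: "{{ node_config_directory }}/{{ item.key }}/barbican.conf"
    # quoted so the octal file mode is not parsed as the decimal integer 660
    mode: "0660"
  become: true
  # conditions ordered group-then-enabled to match the other per-service tasks
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ barbican_services }}"
  notify:
    - "Restart {{ item.key }} container"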
# Distribute the custom policy file found earlier to every enabled service;
# the defined check comes first so hosts without a custom policy skip cleanly.
- name: Copying over existing policy file
  template:
    src: "{{ barbican_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ barbican_policy_file }}"
    # quoted so the octal file mode is not parsed as the decimal integer 660
    mode: "0660"
  become: true
  when:
    - barbican_policy_file is defined
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ barbican_services }}"
  notify:
    - "Restart {{ item.key }} container"
# Container checks are skipped for a config-only run.
- include_tasks: check-containers.yml
  when:
    - kolla_action != "config"