James Kirsch 2e08ffd6d3 Add support for encrypting Barbican API
This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network
2020-05-13 10:26:09 +00:00


---
# One config directory per enabled Barbican service, created only on the
# hosts that belong to that service's group.
- name: Ensuring config directories exist
  become: true
  file:
    path: "{{ node_config_directory }}/{{ item.key }}"
    state: "directory"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    # Group-writable, nothing for others: this directory later receives
    # barbican.conf and any operator policy override (see the tasks below),
    # so config_owner_group should stay a tightly scoped group — confirm.
    mode: "0770"
  with_dict: "{{ barbican_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
# Directory for the barbican-api.ini rendered further down (a vassal
# directory, judging by the name — presumably uWSGI emperor mode).
- name: Ensuring vassals config directories exist
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  become: true
  file:
    path: "{{ node_config_directory }}/{{ item }}"
    state: "directory"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0770"
  with_items:
    - "barbican-api/vassals"
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
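# Look for an operator-supplied policy file (first match among the supported
# formats) so it can replace the in-image default later in this file.
# Policy files govern API authorization, so any override found here is a
# security-relevant change and worth reviewing as such.
- name: Check if policies shall be overwritten
  stat:
    path: "{{ item }}"
  # A single lookup on the deploy host is enough; the registered result is
  # available on every host of the play.
  run_once: true
  delegate_to: localhost
  register: barbican_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/barbican/"
      # No override present is the normal case, not an error.
      skip: true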
# Publish the override's basename and full path for the copy task below.
# With `skip: true` above, results is empty when nothing was found, so the
# facts stay undefined and the copy task skips.
- name: Set barbican policy file
  when:
    - barbican_policy.results
  set_fact:
    barbican_policy_file: "{{ barbican_policy.results.0.stat.path | basename }}"
    barbican_policy_file_path: "{{ barbican_policy.results.0.stat.path }}"
# Certificate material is only placed into the containers when the CA bundle
# is being injected or backend TLS is enabled. copy-certs.yml is not in view;
# any private key it writes should get restrictive ownership/mode there.
- include_tasks: copy-certs.yml
  when: kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
# Per-service config.json, rendered from a template named after the service
# (presumably the container start-up manifest — not visible here).
- name: Copying over config.json files for services
  become: true
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
    mode: "0660"
  with_dict: "{{ barbican_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  notify:
    - Restart {{ item.key }} container
# Vassal ini for barbican-api, layered from the role template plus a global
# and a per-host operator override. merge_configs is kolla's own plugin;
# NOTE(review): the layering presumably lets later sources win — confirm.
- name: Copying over barbican-api.ini
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  become: true
  merge_configs:
    sources:
      - "{{ role_path }}/templates/barbican-api.ini.j2"
      - "{{ node_custom_config }}/barbican-api/barbican-api.ini"
      - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api.ini"
    dest: "{{ node_config_directory }}/barbican-api/vassals/barbican-api.ini"
    mode: "0660"
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
  notify:
    - Restart barbican-api container
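# Detect an operator-supplied paste file on the deploy host. The paste
# pipeline is where the API's middleware (including auth, presumably) is
# wired, so a custom one deserves the same scrutiny as a policy override.
- name: Checking whether barbican-api-paste.ini file exists
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  stat:
    path: "{{ node_custom_config }}/barbican/barbican-api-paste.ini"
  # NOTE(review): run_once elects one host and evaluates `when` for that host
  # only; if it is not in service.group the stat is skipped for everyone and
  # the registered result carries no `stat` attribute — consumers should
  # guard with `is defined`.
  run_once: true
  delegate_to: localhost
  register: check_barbican_api_paste_ini
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool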
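# Install the operator's paste file when one exists. It goes through the
# template module, so Jinja syntax inside the file is rendered on the way.
- name: Copying over barbican-api-paste.ini
  vars:
    service: "{{ barbican_services['barbican-api'] }}"
  template:
    src: "{{ node_custom_config }}/barbican/barbican-api-paste.ini"
    dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini"
    mode: "0660"
  become: true
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
    # Guard: the stat task above is run_once; if it was skipped on the
    # elected host the registered variable has no `stat` attribute and the
    # next condition would abort the play instead of skipping.
    - check_barbican_api_paste_ini.stat is defined
    - check_barbican_api_paste_ini.stat.exists
  notify:
    - Restart barbican-api container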
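# Main service config, assembled from the role template plus operator
# overrides of increasing specificity (global, all-barbican, per-service,
# per-host). NOTE(review): precedence presumably follows source order with
# later entries winning — confirm against merge_configs.
- name: Copying over barbican.conf
  vars:
    # Presumably read by barbican.conf.j2 to pick per-service settings — confirm.
    service_name: "{{ item.key }}"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/barbican.conf.j2"
      - "{{ node_custom_config }}/global.conf"
      - "{{ node_custom_config }}/barbican.conf"
      - "{{ node_custom_config }}/barbican/{{ item.key }}.conf"
      - "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf"
    dest: "{{ node_config_directory }}/{{ item.key }}/barbican.conf"
    # Owner/group only: this is the file that would carry service
    # credentials (inferred from the service, not visible here).
    mode: "0660"
  become: true
  # Same group-then-enabled order as the other with_dict tasks in this file.
  when:
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  with_dict: "{{ barbican_services }}"
  notify:
    - Restart {{ item.key }} container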
# Ship the operator's policy override into every enabled service's config
# directory under its original basename. Skipped entirely when the lookup
# earlier in this file found nothing. Because the module is template, Jinja
# syntax inside the policy file is rendered before it lands.
- name: Copying over existing policy file
  become: true
  template:
    src: "{{ barbican_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ barbican_policy_file }}"
    mode: "0660"
  with_dict: "{{ barbican_services }}"
  when:
    - barbican_policy_file is defined
    - inventory_hostname in groups[item.value.group]
    - item.value.enabled | bool
  notify:
    - Restart {{ item.key }} container
# Container checks are skipped on a config-only run.
- include_tasks: check-containers.yml
  when:
    - kolla_action != "config"