Add Barbican ansible role
Partially-Implements: blueprint barbican-ansible Change-Id: Id6be35b1d0527d5c38d4ea8576b233ebcc404718
parent
9974652588
commit
e0537385d0
@ -116,6 +116,8 @@ neutron_plugin_agent: "openvswitch"
|
|||||||
# The default ports used by each service.
|
# The default ports used by each service.
|
||||||
aodh_api_port: "8042"
|
aodh_api_port: "8042"
|
||||||
|
|
||||||
|
barbican_api_port: "9311"
|
||||||
|
|
||||||
ceilometer_api_port: "8777"
|
ceilometer_api_port: "8777"
|
||||||
|
|
||||||
congress_api_port: "1789"
|
congress_api_port: "1789"
|
||||||
@ -229,6 +231,7 @@ enable_rabbitmq: "yes"
|
|||||||
|
|
||||||
# Additional optional OpenStack services are specified here
|
# Additional optional OpenStack services are specified here
|
||||||
enable_aodh: "no"
|
enable_aodh: "no"
|
||||||
|
enable_barbican: "no"
|
||||||
enable_ceilometer: "no"
|
enable_ceilometer: "no"
|
||||||
enable_central_logging: "no"
|
enable_central_logging: "no"
|
||||||
enable_ceph: "no"
|
enable_ceph: "no"
|
||||||
|
@ -60,6 +60,9 @@ control
|
|||||||
[swift:children]
|
[swift:children]
|
||||||
control
|
control
|
||||||
|
|
||||||
|
[barbican:children]
|
||||||
|
control
|
||||||
|
|
||||||
[heat:children]
|
[heat:children]
|
||||||
control
|
control
|
||||||
|
|
||||||
@ -215,6 +218,16 @@ storage
|
|||||||
[swift-object-server:children]
|
[swift-object-server:children]
|
||||||
storage
|
storage
|
||||||
|
|
||||||
|
# Barbican
|
||||||
|
[barbican-api:children]
|
||||||
|
barbican
|
||||||
|
|
||||||
|
[barbican-keystone-listener:children]
|
||||||
|
barbican
|
||||||
|
|
||||||
|
[barbican-worker:children]
|
||||||
|
barbican
|
||||||
|
|
||||||
# Heat
|
# Heat
|
||||||
[heat-api:children]
|
[heat-api:children]
|
||||||
heat
|
heat
|
||||||
|
@ -77,6 +77,9 @@ control
|
|||||||
[swift:children]
|
[swift:children]
|
||||||
control
|
control
|
||||||
|
|
||||||
|
[barbican:children]
|
||||||
|
control
|
||||||
|
|
||||||
[heat:children]
|
[heat:children]
|
||||||
control
|
control
|
||||||
|
|
||||||
@ -232,6 +235,16 @@ storage
|
|||||||
[swift-object-server:children]
|
[swift-object-server:children]
|
||||||
storage
|
storage
|
||||||
|
|
||||||
|
# Barbican
|
||||||
|
[barbican-api:children]
|
||||||
|
barbican
|
||||||
|
|
||||||
|
[barbican-keystone-listener:children]
|
||||||
|
barbican
|
||||||
|
|
||||||
|
[barbican-worker:children]
|
||||||
|
barbican
|
||||||
|
|
||||||
# Heat
|
# Heat
|
||||||
[heat-api:children]
|
[heat-api:children]
|
||||||
heat
|
heat
|
||||||
|
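--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -0,0 +1,40 @@
+---
+project_name: "barbican"
+
+
+####################
+# Database
+####################
+barbican_database_name: "barbican"
+barbican_database_user: "barbican"
+barbican_database_address: "{{ kolla_internal_fqdn }}:{{ database_port }}"
+
+
+####################
+# Docker
+####################
+barbican_api_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-api"
+barbican_api_tag: "{{ openstack_release }}"
+barbican_api_image_full: "{{ barbican_api_image }}:{{ barbican_api_tag }}"
+
+barbican_keystone_listener_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-keystone-listener"
+barbican_keystone_listener_tag: "{{ openstack_release }}"
+barbican_keystone_listener_image_full: "{{ barbican_keystone_listener_image }}:{{ barbican_keystone_listener_tag }}"
+
+barbican_worker_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-worker"
+barbican_worker_tag: "{{ openstack_release }}"
+barbican_worker_image_full: "{{ barbican_worker_image }}:{{ barbican_worker_tag }}"
+
+
+####################
+# OpenStack
+####################
+barbican_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}"
+barbican_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}"
+barbican_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}"
+
+barbican_logging_debug: "{{ openstack_logging_debug }}"
+
+barbican_keystone_user: "barbican"
+
+openstack_barbican_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}','domain_name':'default'}"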
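Review bot: `openstack_barbican_auth` on the last line builds a dict literal by pasting `openstack_auth.password` between single quotes, so an admin password containing `'` or a backslash would give a malformed or differently parsed structure once register.yml passes it to `-e`. Presumably generated passwords are limited to a quote-free alphabet, which is what keeps this working; a comment stating that constraint would help, e.g. `# NOTE: values are interpolated into a quoted dict string; passwords must not contain quotes`. `'domain_name':'default'` is hard-coded in the same string, which is worth a comment if non-default domains are meant to be supported.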
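--- a/ansible/roles/barbican/meta/main.yml
+++ b/ansible/roles/barbican/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- { role: common }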
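--- a/ansible/roles/barbican/tasks/bootstrap.yml
+++ b/ansible/roles/barbican/tasks/bootstrap.yml
@@ -0,0 +1,41 @@
+---
+- name: Creating barbican database
+command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+-m mysql_db
+-a "login_host='{{ database_address }}'
+login_port='{{ database_port }}'
+login_user='{{ database_user }}'
+login_password='{{ database_password }}'
+name='{{ barbican_database_name }}'"
+register: database
+changed_when: "{{ database.stdout.find('localhost | SUCCESS => ') != -1 and
+(database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+failed_when: database.stdout.split()[2] != 'SUCCESS'
+run_once: True
+delegate_to: "{{ groups['barbican-api'][0] }}"
+
+- name: Reading json from variable
+set_fact:
+database_created: "{{ (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+
+- name: Creating barbican database user and setting permissions
+command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+-m mysql_user
+-a "login_host='{{ database_address }}'
+login_port='{{ database_port }}'
+login_user='{{ database_user }}'
+login_password='{{ database_password }}'
+name='{{ barbican_database_name }}'
+password='{{ barbican_database_password }}'
+host='%'
+priv='{{ barbican_database_name }}.*:ALL'
+append_privs='yes'"
+register: database_user_create
+changed_when: "{{ database_user_create.stdout.find('localhost | SUCCESS => ') != -1 and
+(database_user_create.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+failed_when: database_user_create.stdout.split()[2] != 'SUCCESS'
+run_once: True
+delegate_to: "{{ groups['barbican-api'][0] }}"
+
+- include: bootstrap_service.yml
+when: database_created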
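Review bot: Both `command` tasks put `login_password`, and the second also `barbican_database_password`, on the `docker exec` command line without `no_log`, so the values end up in task output, in verbose and failure logs, and in the host's process list while the command runs; adding `no_log: True` to the two tasks covers the logging part, and `register`, `changed_when` and `failed_when` keep working with it. The `mysql_user` call creates the account as `name='{{ barbican_database_name }}'` while barbican.conf.j2 connects as `barbican_database_user`; the two agree only while both defaults stay "barbican", so `name='{{ barbican_database_user }}'` looks like what was intended. `host='%'` with `ALL` on the schema lets that account connect from any address, which is worth narrowing for a service that stores key material.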
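--- a/ansible/roles/barbican/tasks/bootstrap_service.yml
+++ b/ansible/roles/barbican/tasks/bootstrap_service.yml
@@ -0,0 +1,21 @@
+---
+- name: Running barbican bootstrap container
+kolla_docker:
+action: "start_container"
+common_options: "{{ docker_common_options }}"
+detach: False
+environment:
+KOLLA_BOOTSTRAP:
+KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+image: "{{ barbican_api_image_full }}"
+labels:
+BOOTSTRAP:
+name: "bootstrap_barbican"
+restart_policy: "never"
+volumes:
+- "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro"
+- "barbican:/var/lib/barbican/"
+- "/etc/localtime:/etc/localtime:ro"
+- "kolla_logs:/var/log/kolla/"
+run_once: True
+delegate_to: "{{ groups['barbican-api'][0] }}"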
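--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -0,0 +1,37 @@
+---
+- name: Ensuring config directories exist
+file:
+path: "{{ node_config_directory }}/{{ item }}"
+state: "directory"
+recurse: yes
+with_items:
+- "barbican-api"
+- "barbican-keystone-listener"
+- "barbican-worker"
+
+- name: Copying over config.json files for services
+template:
+src: "{{ item }}.json.j2"
+dest: "{{ node_config_directory }}/{{ item }}/config.json"
+with_items:
+- "barbican-api"
+- "barbican-worker"
+- "barbican-keystone-listener"
+
+- name: Copying over barbican.conf
+merge_configs:
+vars:
+service_name: "{{ item }}"
+sources:
+- "{{ role_path }}/templates/barbican.conf.j2"
+- "{{ node_custom_config }}/global.conf"
+- "{{ node_custom_config }}/database.conf"
+- "{{ node_custom_config }}/messaging.conf"
+- "{{ node_custom_config }}/barbican.conf"
+- "{{ node_custom_config }}/barbican/{{ item }}.conf"
+- "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf"
+dest: "{{ node_config_directory }}/{{ item }}/barbican.conf"
+with_items:
+- "barbican-api"
+- "barbican-keystone-listener"
+- "barbican-worker"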
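Review bot: The rendered `barbican.conf` carries the database, RabbitMQ and Keystone passwords, yet none of the three tasks sets an owner or mode, so the host-side copies under `node_config_directory` get whatever the umask gives. Setting `mode: "0700"` on the directories in the `file` task would be the smallest change, assuming the container-side copy reads the bind mount as root. Whether `merge_configs` accepts a `mode` argument is not visible from this page, so that part needs checking against the plugin.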
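--- a/ansible/roles/barbican/tasks/deploy.yml
+++ b/ansible/roles/barbican/tasks/deploy.yml
@@ -0,0 +1,16 @@
+---
+- include: register.yml
+when: inventory_hostname in groups['barbican-api']
+
+- include: config.yml
+when: inventory_hostname in groups['barbican-api'] or
+inventory_hostname in groups['barbican-worker'] or
+inventory_hostname in groups['barbican-keystone-listener']
+
+- include: bootstrap.yml
+when: inventory_hostname in groups['barbican-api']
+
+- include: start.yml
+when: inventory_hostname in groups['barbican-api'] or
+inventory_hostname in groups['barbican-worker'] or
+inventory_hostname in groups['barbican-keystone-listener']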
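--- a/ansible/roles/barbican/tasks/do_reconfigure.yml
+++ b/ansible/roles/barbican/tasks/do_reconfigure.yml
@@ -0,0 +1,74 @@
+---
+- name: Ensuring the containers up
+kolla_docker:
+name: "{{ item.name }}"
+action: "get_container_state"
+register: container_state
+failed_when: container_state.Running == false
+when: inventory_hostname in groups[item.group]
+with_items:
+- { name: barbican_api, group: barbican-api }
+- { name: barbican_keystone_listener, group: barbican-keystone-listener }
+- { name: barbican_worker, group: barbican-worker }
+
+- include: config.yml
+
+- name: Check the configs
+command: docker exec {{ item.name }} /usr/local/bin/kolla_set_configs --check
+changed_when: false
+failed_when: false
+register: check_results
+when: inventory_hostname in groups[item.group]
+with_items:
+- { name: barbican_api, group: barbican-api }
+- { name: barbican_keystone_listener, group: barbican-keystone-listener }
+- { name: barbican_worker, group: barbican-worker }
+
+# NOTE(jeffrey4l): when config_strategy == 'COPY_ALWAYS'
+# and container env['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE',
+# just remove the container and start again
+- name: Containers config strategy
+kolla_docker:
+name: "{{ item.name }}"
+action: "get_container_env"
+register: container_envs
+when: inventory_hostname in groups[item.group]
+with_items:
+- { name: barbican_api, group: barbican-api }
+- { name: barbican_keystone_listener, group: barbican-keystone-listener }
+- { name: barbican_worker, group: barbican-worker }
+
+- name: Remove the containers
+kolla_docker:
+name: "{{ item[0]['name'] }}"
+action: "remove_container"
+register: remove_containers
+when:
+- inventory_hostname in groups[item[0]['group']]
+- config_strategy == "COPY_ONCE" or item[1]['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE'
+- item[2]['rc'] == 1
+with_together:
+- [{ name: barbican_api, group: barbican-api },
+{ name: barbican_keystone_listener, group: barbican-keystone-listener },
+{ name: barbican_worker, group: barbican-worker }]
+- "{{ container_envs.results }}"
+- "{{ check_results.results }}"
+
+- include: start.yml
+when: remove_containers.changed
+
+- name: Restart containers
+kolla_docker:
+name: "{{ item[0]['name'] }}"
+action: "restart_container"
+when:
+- inventory_hostname in groups[item[0]['group']]
+- config_strategy == 'COPY_ALWAYS'
+- item[1]['KOLLA_CONFIG_STRATEGY'] != 'COPY_ONCE'
+- item[2]['rc'] == 1
+with_together:
+- [{ name: barbican_api, group: barbican-api },
+{ name: barbican_keystone_listener, group: barbican-keystone-listener },
+{ name: barbican_worker, group: barbican-worker }]
+- "{{ container_envs.results }}"
+- "{{ check_results.results }}"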
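Review bot: The NOTE comment above `Containers config strategy` says containers are removed when `config_strategy == 'COPY_ALWAYS'` and the container env is `COPY_ONCE`, but the `Remove the containers` task tests `config_strategy == "COPY_ONCE" or item[1]['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE'`; the comment should describe the condition that is actually used. `Check the configs` sets `failed_when: false`, so a `docker exec` failure with any return code other than 1 is silently treated as "nothing to do"; a one-line comment stating what rc 1 means would make the later `item[2]['rc'] == 1` tests readable. The three-entry name/group list is repeated five times and could be held in one variable.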
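--- a/ansible/roles/barbican/tasks/main.yml
+++ b/ansible/roles/barbican/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include: "{{ action }}.yml"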
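--- a/ansible/roles/barbican/tasks/pull.yml
+++ b/ansible/roles/barbican/tasks/pull.yml
@@ -0,0 +1,21 @@
+---
+- name: Pulling barbican-api image
+kolla_docker:
+action: "pull_image"
+common_options: "{{ docker_common_options }}"
+image: "{{ barbican_api_image_full }}"
+when: inventory_hostname in groups['barbican-api']
+
+- name: Pulling barbican-keystone-listener image
+kolla_docker:
+action: "pull_image"
+common_options: "{{ docker_common_options }}"
+image: "{{ barbican_keystone_listener_image_full }}"
+when: inventory_hostname in groups['barbican-keystone-listener']
+
+- name: Pulling barbican-worker image
+kolla_docker:
+action: "pull_image"
+common_options: "{{ docker_common_options }}"
+image: "{{ barbican_worker_image_full }}"
+when: inventory_hostname in groups['barbican-worker']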
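--- a/ansible/roles/barbican/tasks/reconfigure.yml
+++ b/ansible/roles/barbican/tasks/reconfigure.yml
@@ -0,0 +1,6 @@
+---
+- include: do_reconfigure.yml
+serial: "30%"
+when: inventory_hostname in groups['barbican-api']
+or inventory_hostname in groups['barbican-keystone-listener']
+or inventory_hostname in groups['barbican-worker']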
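Review bot: `serial: "30%"` is attached to an `include` task, but `serial` is a play-level keyword, so it most likely has no effect here and the reconfigure would run on all matching hosts at once. If a rolling restart of the Barbican containers is intended, the batch size needs to be set on the play in site.yml; otherwise drop the line or add a comment explaining why it is kept.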
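--- a/ansible/roles/barbican/tasks/register.yml
+++ b/ansible/roles/barbican/tasks/register.yml
@@ -0,0 +1,40 @@
+---
+- name: Creating the barbican service and endpoint
+command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+-m kolla_keystone_service
+-a "service_name=barbican
+service_type=key-manager
+description='Barbican Key Management Service'
+endpoint_region={{ openstack_region_name }}
+url='{{ item.url }}'
+interface='{{ item.interface }}'
+region_name={{ openstack_region_name }}
+auth={{ '{{ openstack_barbican_auth }}' }}"
+-e "{'openstack_barbican_auth':{{ openstack_barbican_auth }}}"
+register: barbican_endpoint
+changed_when: "{{ barbican_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (barbican_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+until: barbican_endpoint.stdout.split()[2] == 'SUCCESS'
+retries: 10
+delay: 5
+run_once: True
+with_items:
+- {'interface': 'admin', 'url': '{{ barbican_admin_endpoint }}'}
+- {'interface': 'internal', 'url': '{{ barbican_internal_endpoint }}'}
+- {'interface': 'public', 'url': '{{ barbican_public_endpoint }}'}
+
+- name: Creating the barbican project, user, and role
+command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+-m kolla_keystone_user
+-a "project=service
+user=barbican
+password={{ barbican_keystone_password }}
+role=admin
+region_name={{ openstack_region_name }}
+auth={{ '{{ openstack_barbican_auth }}' }}"
+-e "{'openstack_barbican_auth':{{ openstack_barbican_auth }}}"
+register: barbican_user
+changed_when: "{{ barbican_user.stdout.find('localhost | SUCCESS => ') != -1 and (barbican_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+until: barbican_user.stdout.split()[2] == 'SUCCESS'
+retries: 10
+delay: 5
+run_once: True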
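Review bot: In the second task `password={{ barbican_keystone_password }}` is passed unquoted inside the `-a` string, unlike the quoted passwords in bootstrap.yml, so a value containing a space or `=` would be split by the key=value parser; `password='{{ barbican_keystone_password }}'` matches the quoting used there. Both tasks also expand `openstack_barbican_auth`, which includes the admin password, on the command line without `no_log: True`, so it shows up in task output and in the output of each retry. `user=barbican` is hard-coded while barbican.conf.j2 authenticates as `barbican_keystone_user`; using the variable here keeps the two from drifting apart. `role=admin` may be broader than a key-manager service account needs and is worth confirming.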
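--- a/ansible/roles/barbican/tasks/start.yml
+++ b/ansible/roles/barbican/tasks/start.yml
@@ -0,0 +1,34 @@
+---
+- name: Starting barbican-api container
+kolla_docker:
+action: "start_container"
+common_options: "{{ docker_common_options }}"
+image: "{{ barbican_api_image_full }}"
+name: "barbican_api"
+volumes:
+- "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro"
+- "barbican:/var/lib/barbican/"
+- "kolla_logs:/var/log/kolla/"
+when: inventory_hostname in groups['barbican-api']
+
+- name: Starting barbican-keystone-listener container
+kolla_docker:
+action: "start_container"
+common_options: "{{ docker_common_options }}"
+image: "{{ barbican_keystone_listener_image_full }}"
+name: "barbican_keystone_listener"
+volumes:
+- "{{ node_config_directory }}/barbican-keystone-listener/:{{ container_config_directory }}/:ro"
+- "kolla_logs:/var/log/kolla/"
+when: inventory_hostname in groups['barbican-keystone-listener']
+
+- name: Starting barbican-worker container
+kolla_docker:
+action: "start_container"
+common_options: "{{ docker_common_options }}"
+image: "{{ barbican_worker_image_full }}"
+name: "barbican_worker"
+volumes:
+- "{{ node_config_directory }}/barbican-worker/:{{ container_config_directory }}/:ro"
+- "kolla_logs:/var/log/kolla/"
+when: inventory_hostname in groups['barbican-worker']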
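Review bot: None of the three `start_container` tasks mounts `/etc/localtime:/etc/localtime:ro`, although the bootstrap container in bootstrap_service.yml does, so the long-running containers may write log timestamps in a different timezone than the host and the bootstrap run. If that is not intended, add `- "/etc/localtime:/etc/localtime:ro"` to each `volumes` list. The `barbican:/var/lib/barbican/` volume is mounted only in the API container; a short comment saying that the worker and listener do not need it would document the choice.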
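--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -0,0 +1,11 @@
+{
+"command": "uwsgi --master --emperor /etc/barbican/vassals --logto /var/log/kolla/barbican/barbican-api.log",
+"config_files": [
+{
+"source": "{{ container_config_directory }}/barbican.conf",
+"dest": "/etc/barbican/barbican.conf",
+"owner": "root",
+"perm": "0600"
+}
+]
+}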
@ -0,0 +1,11 @@
|
|||||||
|
{
|
||||||
|
"command": "barbican-keystone-listener",
|
||||||
|
"config_files": [
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/barbican.conf",
|
||||||
|
"dest": "/etc/barbican/barbican.conf",
|
||||||
|
"owner": "root",
|
||||||
|
"perm": "0600"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
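--- a/ansible/roles/barbican/templates/barbican-worker.json.j2
+++ b/ansible/roles/barbican/templates/barbican-worker.json.j2
@@ -0,0 +1,11 @@
+{
+"command": "barbican-worker",
+"config_files": [
+{
+"source": "{{ container_config_directory }}/barbican.conf",
+"dest": "/etc/barbican/barbican.conf",
+"owner": "root",
+"perm": "0600"
+}
+]
+}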
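--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -0,0 +1,55 @@
+[DEFAULT]
+debug = {{ barbican_logging_debug }}
+log_dir = /var/log/kolla/barbican
+
+
+bind_port = {{ barbican_api_port }}
+bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
+host_href = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}
+backlog = 4096
+max_allowed_secret_in_bytes = 10000
+max_allowed_request_size_in_bytes = 1000000
+
+sql_connection = mysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}
+
+transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+[keystone_notifications]
+enable = True
+
+control_exchange = 'openstack'
+topic = 'notifications'
+allow_requeue = False
+
+version = '1.0'
+
+thread_pool_size = 10
+
+
+[keystone_authtoken]
+auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+project_domain_id = default
+project_name = service
+user_domain_id = default
+username = {{ barbican_keystone_user }}
+password = {{ barbican_keystone_password }}
+auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
+auth_type = password
+
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+{% if orchestration_engine == 'KUBERNETES' %}
+memcache_servers = {{ memcached_servers }}
+{% else %}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+[service_credentials]
+auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+region_name = {{ openstack_region_name }}
+password = {{ barbican_keystone_password }}
+username = {{ barbican_keystone_user }}
+project_name = service
+project_domain_id = default
+user_domain_id = default
+auth_type = password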
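Review bot: The template never sets a key-encryption key or selects a secret-store plugin, so Barbican will run on its built-in defaults; as far as I know the default simple-crypto plugin ships a fixed sample `kek`, which would leave every deployment from this role encrypting stored secrets under the same publicly known key. A per-deployment value generated alongside the two new entries in passwords.yml and rendered as `[simple_crypto_plugin]` with `kek = {{ <per-deployment key variable> }}` would close that gap. Separately, `sql_connection` uses the bare `mysql://` scheme and interpolates the password unescaped, so a password containing `@` or `/` breaks the URL; confirm that the driver shipped in the image matches this scheme.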
@ -26,6 +26,7 @@
|
|||||||
when: item.enabled | bool
|
when: item.enabled | bool
|
||||||
with_items:
|
with_items:
|
||||||
- { name: "aodh", enabled: "{{ enable_aodh }}" }
|
- { name: "aodh", enabled: "{{ enable_aodh }}" }
|
||||||
|
- { name: "barbican", enabled: "{{ enable_barbican }}"}
|
||||||
- { name: "elasticsearch", enabled: "{{ enable_central_logging }}" }
|
- { name: "elasticsearch", enabled: "{{ enable_central_logging }}" }
|
||||||
- { name: "global", enabled: "yes" }
|
- { name: "global", enabled: "yes" }
|
||||||
- { name: "gnocchi", enabled: "{{ enable_gnocchi }}" }
|
- { name: "gnocchi", enabled: "{{ enable_gnocchi }}" }
|
||||||
@ -69,6 +70,7 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- "ansible"
|
- "ansible"
|
||||||
- "aodh"
|
- "aodh"
|
||||||
|
- "barbican"
|
||||||
- "cinder"
|
- "cinder"
|
||||||
- "glance"
|
- "glance"
|
||||||
- "global"
|
- "global"
|
||||||
|
@ -0,0 +1,3 @@
|
|||||||
|
"/var/log/kolla/barbican/*.log"
|
||||||
|
{
|
||||||
|
}
|
@ -1,5 +1,5 @@
|
|||||||
{% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
|
{% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
|
||||||
{% set services = ["ansible", "aodh", "cinder", "glance", "gnocchi", "haproxy", "heat", "keepalived", "keystone", "magnum", "manila", "mariadb", "mistral", "murano", "neutron", "nova", "rabbitmq", "swift"] %}
|
{% set services = ["ansible", "aodh", "barbican", "cinder", "glance", "gnocchi", "haproxy", "heat", "keepalived", "keystone", "magnum", "manila", "mariadb", "mistral", "murano", "neutron", "nova", "rabbitmq", "swift"] %}
|
||||||
{
|
{
|
||||||
"command": "{{ cron_cmd }}",
|
"command": "{{ cron_cmd }}",
|
||||||
"config_files": [
|
"config_files": [
|
||||||
|
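--- a/ansible/roles/common/templates/heka-barbican.toml.j2
+++ b/ansible/roles/common/templates/heka-barbican.toml.j2
@@ -0,0 +1,13 @@
+[barbican_apache_log_decoder]
+type = "SandboxDecoder"
+filename = "lua_decoders/os_barbican_apache_log.lua"
+[barbican_apache_log_decoder.config]
+apache_log_pattern = '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'
+
+[barbican_apache_logstreamer_input]
+type = "LogstreamerInput"
+decoder = "barbican_apache_log_decoder"
+log_directory = "/var/log/kolla"
+file_match = 'barbican/barbican-apache-(?P<Service>.+)-access\.log\.?(?P<Seq>\d*)$'
+priority = ["^Seq"]
+differentiator = ["barbican-apache-", "Service"]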
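Review bot: `file_match` only picks up `barbican/barbican-apache-*-access.log`, but barbican-api.json.j2 in this commit starts uwsgi with `--logto /var/log/kolla/barbican/barbican-api.log`, so as written no API access log appears to reach this input and requests to the key manager would be missing from central logging. `lua_decoders/os_barbican_apache_log.lua` is also not among the files shown on this page; if it is not added elsewhere, the decoder has nothing to load. Either point the input at the uwsgi log or add a comment naming the process that writes the `barbican-apache-` files.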
@ -453,6 +453,22 @@ listen elasticsearch
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if enable_barbican | bool %}
|
||||||
|
listen barbican_api
|
||||||
|
bind {{ kolla_internal_vip_address }}:{{ barbican_api_port }}
|
||||||
|
{% for host in groups['barbican-api'] %}
|
||||||
|
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5
|
||||||
|
{% endfor %}
|
||||||
|
{% if haproxy_enable_external_vip | bool %}
|
||||||
|
|
||||||
|
listen barbican_api_external
|
||||||
|
bind {{ kolla_external_vip_address }}:{{ barbican_api_port }} {{ tls_bind_info }}
|
||||||
|
{% for host in groups['barbican-api'] %}
|
||||||
|
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if enable_ceilometer | bool %}
|
{% if enable_ceilometer | bool %}
|
||||||
listen ceilometer_api
|
listen ceilometer_api
|
||||||
bind {{ kolla_internal_vip_address }}:{{ ceilometer_api_port }}
|
bind {{ kolla_internal_vip_address }}:{{ ceilometer_api_port }}
|
||||||
|
@ -1,4 +1,20 @@
|
|||||||
---
|
---
|
||||||
|
- name: Checking free port for Barbican API
|
||||||
|
wait_for:
|
||||||
|
host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"
|
||||||
|
port: "{{ barbican_api_port }}"
|
||||||
|
connect_timeout: 1
|
||||||
|
state: stopped
|
||||||
|
when: inventory_hostname in groups['barbican-api']
|
||||||
|
|
||||||
|
- name: Checking free port for Barbican API HAProxy
|
||||||
|
wait_for:
|
||||||
|
host: "{{ kolla_internal_vip_address }}"
|
||||||
|
port: "{{ barbican_api_port }}"
|
||||||
|
connect_timeout: 1
|
||||||
|
state: stopped
|
||||||
|
when: inventory_hostname in groups['haproxy']
|
||||||
|
|
||||||
- name: Checking free port for Cinder API
|
- name: Checking free port for Cinder API
|
||||||
wait_for:
|
wait_for:
|
||||||
host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"
|
host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"
|
||||||
|
@ -250,6 +250,15 @@
|
|||||||
tags: aodh,
|
tags: aodh,
|
||||||
when: enable_aodh | bool }
|
when: enable_aodh | bool }
|
||||||
|
|
||||||
|
- hosts:
|
||||||
|
- barbican-api
|
||||||
|
- barbican-keystone-listener
|
||||||
|
- barbican-worker
|
||||||
|
roles:
|
||||||
|
- { role: barbican,
|
||||||
|
tags: barbican,
|
||||||
|
when: enable_barbican | bool }
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
- congress-api
|
- congress-api
|
||||||
- congress-policy-engine
|
- congress-policy-engine
|
||||||
|
@ -121,6 +121,7 @@ kolla_internal_vip_address: "10.10.10.254"
|
|||||||
#fernet_token_expiry: 86400
|
#fernet_token_expiry: 86400
|
||||||
|
|
||||||
# OpenStack services can be enabled or disabled with these options
|
# OpenStack services can be enabled or disabled with these options
|
||||||
|
#enable_barbican: "no"
|
||||||
#enable_ceilometer: "no"
|
#enable_ceilometer: "no"
|
||||||
#enable_central_logging: "no"
|
#enable_central_logging: "no"
|
||||||
#enable_ceph: "no"
|
#enable_ceph: "no"
|
||||||
|
@ -24,6 +24,9 @@ docker_registry_password:
|
|||||||
aodh_database_password:
|
aodh_database_password:
|
||||||
aodh_keystone_password:
|
aodh_keystone_password:
|
||||||
|
|
||||||
|
barbican_database_password:
|
||||||
|
barbican_keystone_password:
|
||||||
|
|
||||||
keystone_admin_password:
|
keystone_admin_password:
|
||||||
keystone_database_password:
|
keystone_database_password:
|
||||||
|
|
||||||
|
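--- a/releasenotes/notes/add-barbican-8f0636668001de73.yaml
+++ b/releasenotes/notes/add-barbican-8f0636668001de73.yaml
@@ -0,0 +1,4 @@
+---
+features:
+- To produce a secret storage and generation system capable of providing key
+management for services wishing to enable encryption features.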