Add first attempt at a barbican role

defaults/main.yml

@@ -1,2 +1,135 @@
 ---
-# defaults file for openstack-ansible-barbican
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+barbican_system_group_name: barbican
+barbican_system_user_name: barbican
+barbican_system_user_comment: Barbican System User
+barbican_system_user_shell: /bin/false
+barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
+barbican_log_directory: /var/log/barbican
+barbican_etc_directory: /etc/barbican
+
+barbican_api_program_name: barbican-api
+barbican_keystone_listener_program_name: barbican-keystone-listener
+barbican_worker_program_name: barbican-worker
+barbican_retry_program_name: barbican-retry
+
+barbican_service_name: barbican
+barbican_service_user_name: barbican
+barbican_service_type: container
+barbican_service_description: "OpenStack Key and Secrets Management (Barbican)"
+barbican_service_project_name: service
+barbican_service_role_names:
+  - admin
+barbican_service_region: RegionOne
+barbican_service_port: 9311
+barbican_service_publicuri_protocol: http
+barbican_service_publicurl: "{{ barbican_service_publicuri_protocol }}://{{ external_lb_vip_address }}:{{ barbican_service_port }}"
+barbican_service_internaluri_protocol: http
+barbican_service_internalurl: "{{ barbican_service_internaluri_protocol }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
+barbican_service_adminuri_protocol: http
+barbican_service_adminurl: "{{ barbican_service_adminuri_protocol }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
+
+barbican_config_overrides: {}
+barbican_policy_overrides: {}
+
+barbican_git_repo: "https://git.openstack.org/openstack/barbican"
+barbican_git_install_branch: c09af59f0f06db9e74a334aaee4c493119384ea7 # master
+barbican_git_dest: "/opt/barbican_{{ barbican_git_install_branch |replace('/', '_') }}"
+
+# Database vars
+barbican_galera_database_name: barbican_service
+barbican_galera_user: barbican
+
+# Rabbit vars
+barbican_rpc_backend: rabbit
+barbican_rabbitmq_userid: barbican
+barbican_rabbitmq_virtualhost: /barbican
+
+# Keystone AuthToken/Middleware
+barbican_keystone_auth_plugin: password
+barbican_service_project_domain_name: Default
+barbican_service_user_domain_name: default
+barbican_service_project_name: service
+
+# Apache configuration vars
+barbican_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
+barbican_wsgi_threads: 1
+barbican_apache_log_level: info
+barbican_apache_servertokens: "Prod"
+barbican_apache_serversignature: "Off"
+
+keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
+
+# set barbican_ssl to true to enable SSL configuration on the barbican containers
+barbican_ssl: false
+barbican_ssl_cert: /etc/ssl/certs/barbican.pem
+barbican_ssl_key: /etc/ssl/private/barbican.key
+barbican_ssl_ca_cert: /etc/ssl/certs/barbican-ca.pem
+barbican_ssl_protocol: "{{ ssl_protocol }}"
+barbican_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
+
+# if using a self-signed certificate, set this to true to regenerate it
+barbican_ssl_self_signed_regen: false
+barbican_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
+
+# Set these in user_variables to deploy custom certificates
+#barbican_user_ssl_cert: <path to cert on ansible deployment host>
+#barbican_user_ssl_key: <path to cert on ansible deployment host>
+#barbican_user_ssl_ca_cert: <path to cert on ansible deployment host>
+
+barbican_apt_packages:
+  - python-dev
+  - libssl-dev
+  # - libxml2-dev
+  # - libmysqlclient-dev
+  # - libxslt-dev
+  - libpq-dev
+  - git
+  - libffi-dev
+  - gettext
+  - build-essential
+
+barbican_pip_packages:
+  - alembic
+  - Babel
+  - cffi
+  - cryptography
+  - eventlet
+  - jsonschema
+  - oslo.concurrency
+  - oslo.config
+  - oslo.context
+  - oslo.i18n
+  - oslo.messaging
+  - oslo.middleware
+  - oslo.log
+  - oslo.policy
+  - oslo.serialization
+  - oslo.service
+  - oslo.utils
+  - Paste
+  - PasteDeploy
+  - pbr
+  - pecan
+  - pycadf
+  - pycrypto
+  - pyOpenSSL
+  - ldap3
+  - keystonemiddleware
+  - six
+  - SQLAlchemy
+  - stevedore
+  - webob

tasks/apache.yml

@@ -0,0 +1,88 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Drop apache2 files
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+  with_items:
+    - { src: "barbican-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
+    - { src: "barbican-httpd.conf.j2", dest: "/etc/apache2/sites-available/barbican-httpd.conf" }
+  notify:
+    - Restart Apache
+  tags:
+    - barbican-httpd
+
+- name: Disable default apache site
+  file:
+    path: "/etc/apache2/sites-enabled/000-default.conf"
+    state: "absent"
+  notify:
+    - Restart Apache
+  tags:
+    - barabican-httpd
+
+- name: Enable Barbican vhost
+  file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: "{{ item.state }}"
+  with_items:
+    - { src: "/etc/apache2/sites-available/barbican-httpd.conf", dest: "/etc/apache2/sites-enabled/barbican-httpd.conf", state: "link" }
+  notify:
+    - Restart Apache
+  tags:
+    - barbican-httpd
+
+- name: Ensure Apache ServerName
+  lineinfile:
+    dest: "/etc/apache2/apache2.conf"
+    line: "ServerName {{ inventory_hostname }}"
+  notify:
+    - Restart Apache
+  tags:
+    - barbican-httpd
+
+- name: Ensure Apache ServerTokens
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerTokens'
+    line: "ServerTokens {{ barbican_apache_servertokens }}"
+  notify:
+    - Restart Apache
+  tags:
+    - barbican-httpd
+
+- name: Ensure Apache ServerSignature
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerSignature'
+    line: "ServerSignature {{ barbican_apache_serversignature }}"
+  notify:
+    - Restart Apache
+  tags:
+    - barbican-httpd
+
+- name: Enable/disable mod_ssl for apache2
+  apache2_module:
+    name: ssl
+    state: "{{ (barbican_ssl | bool) | ternary('present', 'absent') }}"
+  notify:
+    - Restart Apache
+  tags:
+    - barbican-httpd
+    - barbican-ssl

tasks/create-ssl-key.yml

@@ -0,0 +1,36 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Remove self signed cert for regeneration
+  file:
+    dest: "{{ barbican_ssl_cert }}"
+    state: "absent"
+  when: barbican_ssl_self_signed_regen | bool
+  tags:
+    - barbican-ssl
+
+- name: Create self-signed Apache ssl cert
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ barbican_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ barbican_ssl_key }}
+    -out {{ barbican_ssl_cert }}
+    -extensions v3_ca
+    creates={{ barbican_ssl_cert }}
+  notify: Restart Apache
+  tags:
+    - barbican-configs
+    - barbican-ssl

tasks/database-setup.yml

@@ -0,0 +1,55 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create Barbican's database tables
+  mysql_db:
+    login_user: "{{ galera_root_user }}"
+    login_password: "{{ galera_root_password }}"
+    login_host: "{{ barbican_galera_address }}"
+    name: "{{ barbican_galera_database_name }}"
+    state: "present"
+  tags:
+    - barbican-database-setup
+    - barbican-db-setup
+    - barbican-setup
+
+- name: Give Barbican database access
+  mysql_user:
+    login_user: "{{ galera_root_user }}"
+    login_password: "{{ galera_root_password }}"
+    login_host: "{{ barbican_galera_address }}"
+    name: "{{ barbican_galera_user }}"
+    password: "{{ barbican_galera_password }}"
+    priv: "{{ barbican_galera_database_name }}.*:ALL"
+    host: "{{ item }}"
+    state: "present"
+  with_items:
+    - "localhost"
+    - "%"
+  tags:
+    - barbican-database-setup
+    - barbican-db-setup
+    - barbican-setup
+
+- name: Perform a synchronization of the Barbican database
+  command: "barbican-db-manage upgrade"
+  sudo: yes
+  sudo_user: "{{ barbican_system_user_name }}"
+  tags:
+    - barbican-database-setup
+    - barbican-db-setup
+    - barbican-database-sync
+    - barbican-db-sync
+    - barbican-setup

tasks/distribute-ssl-key.yml

@@ -0,0 +1,35 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute self signed cert and key
+  memcached:
+    name: "{{ item.name }}"
+    file_path: "{{ item.src }}"
+    state: "retrieve"
+    file_mode: "{{ item.file_mode }}"
+    dir_mode: "{{ item.dir_mode }}"
+    server: "{{ memcached_servers }}"
+    encrypt_string: "{{ memcached_encryption_key }}"
+  with_items:
+    - { src: "{{ barbican_ssl_cert }}", name: "barbican_ssl_cert", file_mode: "0644", dir_mode: "0755" }
+    - { src: "{{ barbican_ssl_key }}", name: "barbican_ssl_key", file_mode: "0640", dir_mode: "0750" }
+  register: barbican_memcache_keys
+  until: barbican_memcache_keys |success
+  retries: 5
+  delay: 2
+  notify: Restart Apache
+  tags:
+    - barbican-config
+    - barbican-ssl

tasks/install.yml

@@ -0,0 +1,54 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Update apt sources
+  apt:
+    update_cache: "yes"
+    cache_valid_time: "600"
+  register: apt_update
+  until: apt_update |success
+  retries: 5
+  delay: 2
+  tags:
+    - barbican-apt-packages
+    - barbican-apt-sources
+    - barbican-install
+
+- name: Install apt packages for Barbican
+  apt:
+    pkg: "{{ item }}"
+    state: "latest"
+  register: install_barbican_apt_packages
+  until: install_barbican_apt_packages |success
+  retries: 5
+  delay: 2
+  with_items: barbican_apt_packages
+  tags:
+    - barbican-apt-packages
+    - barbican-install
+
+- name: Install pip packages for Barbican
+  pip:
+    name: "{{ item }}"
+    state: "present"
+    extra_args: "{{ pip_install_options |default('') }}"
+  register: install_barbican_pip_packages
+  until: install_barbican_pip_packages |success
+  retries: 5
+  delay: 2
+  with_items: barbican_pip_packages
+  tags:
+    - barbican-install
+    - barbican-pip-packages

tasks/main.yml

@@ -1,2 +1,50 @@
 ---
-# tasks file for openstack-ansible-barbican
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Main tasks file for openstack-ansible-barbican
+
+- include: pre-install.yml
+
+- include: messaging-setup.yml
+  when: >
+    inventory_hostname == groups['barbican_all'][0]
+
+- include: install.yml
+
+- include: post-install.yml
+
+- include: ssl.yml
+
+- include: apache.yml
+
+- include: upstart-init.yml
+
+- include: database-setup.yml
+  when: >
+    inventory_hostname == groups['barbican_all'][0]
+
+- include: service-setup.yml
+  when: >
+    inventory_hostname == groups['barbican_all'][0]
+
+- name: Restart Barbican Services
+  service:
+    name: "{{ item }}"
+    state: "restarted"
+  with_items:
+    - "{{ barbican_api_program_name }}"
+
+- name: Flush handlers
+  meta: flush_handlers

tasks/messaging-setup.yml

@@ -0,0 +1,38 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure the Barbican RabbitMQ virtualhost exists
+  rabbitmq_vhost:
+    name: "{{ barbican_rabbitmq_virtualhost }}"
+    state: "present"
+  delegate_to: "{{ groups['rabbitmq_all'][0] }}"
+  tags:
+    - barbican-rabbitmq
+    - barbican-rabbitmq-vhost
+    - barbican-rabbitmq-virtualhost
+
+- name: Ensure the Barbican RabbitMQ user exists
+  rabbitmq_user:
+    user: "{{ barbican_rabbitmq_userid }}"
+    password: "{{ barbican_rabbitmq_password }}"
+    vhost: "{{ barbican_rabbitmq_virtualhost }}"
+    configure_priv: ".*"
+    read_priv: ".*"
+    write_priv: ".*"
+    state: "present"
+  delegate_to: "{{ groups['rabbitmq_all'][0] }}"
+  tags:
+    - barbican-rabbitmq
+    - barbican-rabbitmq-user

tasks/post-install.yml

@@ -0,0 +1,49 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute Barbican Config Files
+  config_template:
+    src: "{{ item.source }}"
+    dest: "{{ item.destination }}"
+    owner: "{{ barbican_system_user_name }}"
+    group: "{{ barbican_system_group_name }}"
+    mode: "0644"
+    config_overrides: "{{ item.config_overrides }}"
+    config_type: "{{ item.config_type }}"
+  with_items:
+    - source: "barbican.conf.j2"
+      destination: "{{ barbican_etc_directory }}/barbican.conf"
+      config_overrides: "{{ barbican_config_overrides }}"
+      config_type: "ini"
+    - source: "policy.json.j2"
+      destination: "{{ barbican_etc_directory }}/policy.json"
+      config_overrides: "{{ barbican_policy_overrides }}"
+      config_type: "json"
+    - source: "barbican-api-paste.ini.j2"
+      destination: "{{ barbican_etc_directory }}/barbican-api-paste.ini"
+      config_overrides: "{{ barbican_paste_overrides }}"
+      config_type: "ini"
+    - source: "api_audit_map.conf.j2"
+      destination: "{{ barbican_etc_directory }}/api_audit_map.conf"
+      config_overrides: "{{ barbican_api_audit_map_overrides }}"
+      config_type: "ini"
+    - source: "barbican-vassals-api.ini.j2"
+      destination: "{{ barbican_etc_directory }}/vassals/barbican-api.ini"
+      config_overrides: "{{ barbican_vassals_api_overrides }}"
+      config_type: "ini"
+  tags:
+    - barbican-config-files
+    - barbican-configuration
+    - barbican-post-install

tasks/pre-install.yml

@@ -0,0 +1,79 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create the Barbican system group
+  group:
+    name: "{{ barbican_system_group_name }}"
+    state: "present"
+    system: "yes"
+  tags:
+    - barbican-group
+    - barbican-system-settings
+
+- name: Create the Barbican system user
+  user:
+    name: "{{ barbican_system_user_name }}"
+    group: "{{ barbican_system_group_name }}"
+    comment: "{{ barbican_system_user_comment }}"
+    shell: "{{ barbican_system_user_shell }}"
+    system: "yes"
+    createhome: "yes"
+    home: "{{ barbican_system_user_home }}"
+  tags:
+    - barbican-user
+    - barbican-system-settings
+
+- name: Create Barbican's directories
+  file:
+    path: "{{ item.path }}"
+    state: "directory"
+    owner: "{{ item.owner |default(barbican_system_user_name) }}"
+    group: "{{ item.group |default(barbican_system_group_name) }}"
+    mode: "{{ item.mode |default('0750') }}"
+  with_items:
+    - path: "/etc/barbican"
+    - path: "{{ barbican_system_user_home }}"
+  tags:
+    - barbican-directories
+    - barbican-system-settings
+
+- name: Test for Barbican log directory or link
+  shell: |
+    if [ -h "{{ barbican_log_directory }}" ]; then
+      chown -h {{ barbican_system_user_name }}:{{ barbican_system_group_name }} {{ barbican_log_directory }}
+      chown -R {{ barbican_system_user_name }}:{{ barbican_system_group_name }} "$(readlink {{ barbican_log_directory }})"
+    else
+      exit 1
+    fi
+  register: log_dir
+  failed_when: false
+  changed_when: log_dir.rc != 0
+  tags:
+    - barbican-directories
+    - barbican-logs
+    - barbican-system-settings
+
+- name: Create Barbican log directory
+  file:
+    path: "{{ barbican_log_directory }}"
+    state: "directory"
+    owner: "{{ barbican_system_user_name }}"
+    group: "{{ barbican_system_group_name }}"
+    mode: "0750"
+  when: log_dir.rc != 0
+  tags:
+    - barbican-directories
+    - barbican-logs
+    - barbican-system-settings

tasks/self-signed-ssl.yml

@@ -0,0 +1,26 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: create-ssl-key.yml
+  when: >
+    inventory_hostname == groups['barbican_all'][0]
+
+- include: store-ssl-key.yml
+  when: >
+    inventory_hostname == groups['barbican_all'][0]
+
+- include: distribute-ssl-key.yml
+  when: >
+    inventory_hostname != groups['barbican_all'][0]

tasks/service-setup.yml

@@ -0,0 +1,96 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure the service for Barbican exists
+  keystone:
+    command: "ensure_service"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+    service_name: "{{ barbican_service_name }}"
+    service_type: "{{ barbican_service_type }}"
+    description: "{{ barbican_service_description }}"
+  register: add_barbican_service
+  until: add_barbican_service |success
+  retries: 5
+  delay: 2
+  tags:
+    - barbican-api-setup
+    - barbican-service-add
+    - barbican-setup
+
+- name: Ensure the Barbican user exists
+  keystone:
+    command: "ensure_user"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+    user_name: "{{ barbican_service_user_name }}"
+    tenant_name: "{{ barbican_service_project_name }}"
+    password: "{{ barbican_service_password |default('changeme') }}"
+  register: add_barbican_user
+  until: add_barbican_user |success
+  retries: 5
+  delay: 2
+  tags:
+    - barbican-api-setup
+    - barbican-service-add
+    - barbican-user-add
+    - barbican-setup
+
+- name: Ensure the Barbican user has the admin role
+  keystone:
+    command: "ensure_user_role"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    user_name: "{{ barbican_service_user_name }}"
+    tenant_name: "{{ barbican_service_project_name }}"
+    role_name: "{{ item }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: ensure_barbican_roles
+  until: ensure_barbican_roles |success
+  retries: 5
+  delay: 2
+  with_items: barbican_service_role_names
+  tags:
+    - barbican-api-setup
+    - barbican-role-setup
+    - barbican-setup
+
+- name: Ensure the Barbican endpoint is registered
+  keystone:
+    command: "ensure_endpoint"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+    region_name: "{{ barbican_service_region }}"
+    service_name: "{{ barbican_service_name }}"
+    service_type: "{{ barbican_service_type }}"
+    endpoint_list:
+      - url: "{{ barbican_service_publicurl }}"
+        interface: "public"
+      - url: "{{ barbican_service_internalurl }}"
+        interface: "internal"
+      - url: "{{ barbican_service_adminurl }}"
+        interface: "admin"
+  register: add_barbican_endpoints
+  until: add_barbican_endpoints |success
+  retries: 5
+  delay: 2
+  tags:
+    - barbican-api-setup
+    - barbican-service-add
+    - barbican-endpoints-add
+    - barbican-setup

tasks/ssl.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: self-signed-ssl.yml
+  when: >
+    barbican_ssl | bool and
+    (barbican_user_ssl_cert is not defined or barbican_user_ssl_key is not defined)
+  tags:
+    - barbican-ssl
+
+- include: user-provided-ssl.yml
+  tags:
+    - barbican-ssl

tasks/store-ssl-key.yml

@@ -0,0 +1,31 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Store self signed cert and key
+  memcached:
+    name: "{{ item.name }}"
+    file_path: "{{ item.src }}"
+    state: "present"
+    server: "{{ memcached_servers }}"
+    encrypt_string: "{{ memcached_encryption_key }}"
+  with_items:
+    - { src: "{{ barbican_ssl_cert }}", name: "barbican_ssl_cert" }
+    - { src: "{{ barbican_ssl_key }}", name: "barbican_ssl_key" }
+  register: barbican_memcache_keys
+  until: barbican_memcache_keys |success
+  retries: 5
+  delay: 2
+  tags:
+    - barbican-ssl

tasks/upstart-common-init.yml

@@ -0,0 +1,43 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Template the init script
+  template:
+    src: "upstart-init.j2"
+    dest: "/etc/init/{{ program_name }}.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  tags:
+    - upstart-init
+    - barbican-upstart
+    - barbican-init
+
+- name: Reload init scripts
+  shell: |
+    initctl reload-configuration
+  tags:
+    - upstart-init
+    - barbican-upstart
+    - barbican-init
+
+- name: Load service
+  service:
+    name: "{{ program_name }}"
+    enabled: "yes"
+  tags:
+    - upstart-init
+    - barbican-upstart
+    - barbican-init

tasks/upstart-init.yml

@@ -0,0 +1,32 @@
+---
+# Copyright 2016, Ian Cordasco
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: upstart-common-init.yml
+  vars:
+    program_name: "{{ barbican_api_program_name }}"
+    service_name: "{{ barbican_service_name }}"
+    system_user: "{{ barbican_system_user_name }}"
+    system_group: "{{ barbican_system_group_name }}"
+    service_home: "{{ barbican_system_user_home }}"
+    log_directory: "{{ barbican_log_directory }}"
+
+- include: upstart-common-init.yml
+  vars:
+    program_name: "{{ barbican_keystone_listener_program_name }}"
+    service_name: "{{ barbican_service_name }}"
+    system_user: "{{ barbican_system_user_name }}"
+    system_group: "{{ barbican_system_group_name }}"
+    service_home: "{{ barbican_system_user_home }}"
+    log_directory: "{{ barbican_log_directory }}"

tasks/user-provided-ssl.yml

@@ -0,0 +1,53 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Drop user provided ssl cert
+  copy:
+    src: "{{ barbican_user_ssl_cert }}"
+    dest: "{{ barbican_ssl_cert }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: barbican_user_ssl_cert is defined
+  notify: Restart Apache
+  tags:
+    - barbican-configs
+    - barbican-ssl
+
+- name: Drop user provided ssl key
+  copy:
+    src: "{{ barbican_user_ssl_key }}"
+    dest: "{{ barbican_ssl_key }}"
+    owner: "root"
+    group: "root"
+    mode: "0640"
+  when: barbican_user_ssl_key is defined
+  notify: Restart Apache
+  tags:
+    - barbican-configs
+    - barbican-ssl
+
+- name: Drop user provided ssl CA cert
+  copy:
+    src: "{{ barbican_user_ssl_ca_cert }}"
+    dest: "{{ barbican_ssl_ca_cert }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: barbican_user_ssl_ca_cert is defined
+  notify: Restart Apache
+  tags:
+    - barbican-configs
+    - barbican-ssl

templates/barbican-httpd.conf.j2

@@ -0,0 +1,89 @@
+# {{ ansible_managed }}
+
+<VirtualHost *:{{ barbican_service_port }}>
+    WSGIDaemonProcess     barbican-service user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP}
+    WSGIProcessGroup      barbican-service
+    WSGIScriptAlias       / /var/www/cgi-bin/barbican/main
+    WSGIApplicationGroup  %{GLOBAL}
+    WSGIPassAuthorization On
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    LogLevel  {{ barbican_apache_log_level }}
+    ErrorLog  {{ barbican_log_directory }}/barbican-apache-error.log
+    CustomLog {{ barbican_log_directory }}/ssl_access.log combined
+    Options +FollowSymLinks
+
+    {% if barbican_ssl | bool and barbican_service_internaluri_proto == "https" -%}
+    SSLEngine on
+    SSLCertificateFile    {{ barbican_ssl_cert }}
+    SSLCertificateKeyFile {{ barbican_ssl_key }}
+    {% if barbican_user_ssl_ca_cert is defined -%}
+    SSLCACertificateFile  {{ barbican_ssl_ca_cert }}
+    {% endif -%}
+    SSLCompression Off
+    SSLProtocol {{ barbican_ssl_protocol }}
+    SSLHonorCipherOrder On
+    SSLCipherSuite {{ barbican_ssl_cipher_suite }}
+    SSLOptions +StdEnvVars +ExportCertData
+    {% endif %}
+
+    {% if barbican_sp is defined -%}
+    ShibURLScheme {{ barbican_service_publicuri_proto }}
+
+    <Location /Shibboleth.sso>
+        SetHandler shib
+    </Location>
+
+    <Location /v3/auth/OS-FEDERATION/websso/saml2>
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        ShibRequestSetting exportAssertion 1
+        ShibRequireSession On
+        ShibExportAssertion On
+        Require valid-user
+    </Location>
+
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+        ShibRequestSetting requireSession 1
+        AuthType shibboleth
+        ShibExportAssertion Off
+        Require valid-user
+    </LocationMatch>
+
+    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/barbican/main/$1
+    {% endif %}
+</VirtualHost>
+
+<VirtualHost *:{{ barbican_admin_port }}>
+    WSGIDaemonProcess     barbican-admin user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP}
+    WSGIProcessGroup      barbican-admin
+    WSGIScriptAlias       / /var/www/cgi-bin/barbican/admin
+    WSGIApplicationGroup  %{GLOBAL}
+    WSGIPassAuthorization On
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    LogLevel  {{ barbican_apache_log_level }}
+    ErrorLog  {{ barbican_log_directory }}/barbican-apache-error.log
+    CustomLog {{ barbican_log_directory }}/ssl_access.log combined
+    Options +FollowSymLinks
+
+    {% if barbican_ssl | bool and barbican_service_adminuri_proto == "https" -%}
+    SSLEngine on
+    SSLCertificateFile    {{ barbican_ssl_cert }}
+    SSLCertificateKeyFile {{ barbican_ssl_key }}
+    {% if barbican_user_ssl_ca_cert is defined -%}
+    SSLCACertificateFile  {{ barbican_ssl_ca_cert }}
+    {% endif -%}
+    SSLCompression Off
+    SSLProtocol {{ barbican_ssl_protocol }}
+    SSLHonorCipherOrder On
+    SSLCipherSuite {{ barbican_ssl_cipher_suite }}
+    SSLOptions +StdEnvVars +ExportCertData
+    {% endif %}
+</VirtualHost>

templates/barbican-ports.conf.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+Listen {{ keystone_service_port }}
+Listen {{ keystone_admin_port }}