From 7eca22359fc5e9978cd3f2e60871d5eb64925da4 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory <jimmy.mccrory@gmail.com>
Date: Thu, 27 Oct 2016 16:51:04 +0200
Subject: [PATCH] Include barbican role in integrated release

Add playbook, haproxy service configuration, variable definition,
and environment definition files required to deploy barbican as an
integrated role of openstack-ansible.

Change-Id: If87099958e0b1fc48866a468a47bb60bae622f28
---
 ansible-role-requirements.yml                 |  4 ++
 .../install-guide/app-advanced-role-docs.rst  |  2 +
 etc/openstack_deploy/user_secrets.yml         |  5 ++
 .../repo_packages/openstack_services.yml      |  7 +++
 playbooks/inventory/env.d/barbican.yml        | 36 +++++++++++
 .../inventory/group_vars/barbican_all.yml     | 29 +++++++++
 playbooks/os-barbican-install.yml             | 63 +++++++++++++++++++
 playbooks/setup-openstack.yml                 |  1 +
 playbooks/vars/configs/haproxy_config.yml     |  8 +++
 ...barbican-integration-cef0bf5e44d455e6.yaml |  5 ++
 tests/test_inventory.py                       |  5 ++
 11 files changed, 165 insertions(+)
 create mode 100644 playbooks/inventory/env.d/barbican.yml
 create mode 100644 playbooks/inventory/group_vars/barbican_all.yml
 create mode 100644 playbooks/os-barbican-install.yml
 create mode 100644 releasenotes/notes/barbican-integration-cef0bf5e44d455e6.yaml

diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml
index 8900a77326..ffc98e290f 100644
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@@ -58,6 +58,10 @@
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_aodh
   version: master
+- name: os_barbican
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-os_barbican
+  version: master
 - name: os_ceilometer
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer
diff --git a/doc/source/install-guide/app-advanced-role-docs.rst b/doc/source/install-guide/app-advanced-role-docs.rst
index ef95a41b60..4fb38ecef8 100644
--- a/doc/source/install-guide/app-advanced-role-docs.rst
+++ b/doc/source/install-guide/app-advanced-role-docs.rst
@@ -33,6 +33,8 @@ OpenStack service roles
 
 -  `os_aodh <http://docs.openstack.org/developer/openstack-ansible-os_aodh>`_
 
+-  `os_barbican <http://docs.openstack.org/developer/openstack-ansible-os_barbican>`_
+
 -  `os_ceilometer <http://docs.openstack.org/developer/openstack-ansible-os_ceilometer>`_
 
 -  `os_cinder <http://docs.openstack.org/developer/openstack-ansible-os_cinder>`_
diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml
index ebc9b1e27b..cd35963ca0 100644
--- a/etc/openstack_deploy/user_secrets.yml
+++ b/etc/openstack_deploy/user_secrets.yml
@@ -144,3 +144,8 @@ trove_rabbitmq_password:
 trove_service_password:
 trove_admin_user_password:
 trove_regular_user_password:
+
+## Barbican Options
+barbican_galera_password:
+barbican_rabbitmq_password:
+barbican_service_password:
diff --git a/playbooks/defaults/repo_packages/openstack_services.yml b/playbooks/defaults/repo_packages/openstack_services.yml
index e59df3fcff..ab6643070a 100644
--- a/playbooks/defaults/repo_packages/openstack_services.yml
+++ b/playbooks/defaults/repo_packages/openstack_services.yml
@@ -42,6 +42,13 @@ aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}"
 aodh_git_project_group: aodh_all
 
 
+## Barbican service
+barbican_git_repo: https://git.openstack.org/openstack/barbican
+barbican_git_install_branch: b8bbd3264e3e9201b23a081c1d810f1b5da5a580 # HEAD of "master" as of 12.10.2016
+barbican_git_dest: "/opt/barbican_{{ barbican_git_install_branch | replace('/', '_') }}"
+barbican_git_project_group: barbican_all
+
+
 ## Ceilometer service
 ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer
 ceilometer_git_install_branch: a3f4a777336c413a214364af80a3880f27ea5e04 # HEAD of "master" as of 12.10.2016
diff --git a/playbooks/inventory/env.d/barbican.yml b/playbooks/inventory/env.d/barbican.yml
new file mode 100644
index 0000000000..b9ef685964
--- /dev/null
+++ b/playbooks/inventory/env.d/barbican.yml
@@ -0,0 +1,36 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+component_skel:
+  barbican_api:
+    belongs_to:
+      - barbican_all
+
+container_skel:
+  barbican_container:
+    belongs_to:
+      - key-manager_containers
+    contains:
+      - barbican_api
+    properties:
+      service_name: barbican
+
+physical_skel:
+  key-manager_containers:
+    belongs_to:
+      - all_containers
+  key-manager_hosts:
+    belongs_to:
+      - hosts
diff --git a/playbooks/inventory/group_vars/barbican_all.yml b/playbooks/inventory/group_vars/barbican_all.yml
new file mode 100644
index 0000000000..7ff8279aae
--- /dev/null
+++ b/playbooks/inventory/group_vars/barbican_all.yml
@@ -0,0 +1,29 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+barbican_service_region: "{{ service_region }}"
+barbican_service_in_ldap: "{{ service_ldap_backend_enabled }}"
+barbican_keystone_auth: yes
+
+barbican_galera_address: "{{ galera_address }}"
+barbican_galera_database: barbican
+barbican_galera_user: barbican
+
+barbican_rabbitmq_host_group: "{{ rabbitmq_host_group }}"
+barbican_rabbitmq_port: "{{ rabbitmq_port }}"
+barbican_rabbitmq_servers: "{{ rabbitmq_servers }}"
+barbican_rabbitmq_use_ssl: "{{ rabbitmq_use_ssl }}"
+barbican_rabbitmq_userid: barbican
+barbican_rabbitmq_vhost: /barbican
diff --git a/playbooks/os-barbican-install.yml b/playbooks/os-barbican-install.yml
new file mode 100644
index 0000000000..e7124e40a6
--- /dev/null
+++ b/playbooks/os-barbican-install.yml
@@ -0,0 +1,63 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Installation and setup of barbican
+  hosts: barbican_all
+  gather_facts: "{{ gather_facts | default(True) }}"
+  max_fail_percentage: 20
+  user: root
+  pre_tasks:
+    - include: common-tasks/os-lxc-container-setup.yml
+    - include: common-tasks/rabbitmq-vhost-user.yml
+      static: no
+      vars:
+        user: "{{ barbican_rabbitmq_userid }}"
+        password: "{{ barbican_rabbitmq_password }}"
+        vhost: "{{ barbican_rabbitmq_vhost }}"
+        _rabbitmq_host_group: "{{ barbican_rabbitmq_host_group }}"
+      when:
+        - inventory_hostname == groups['barbican_api'][0]
+        - groups[barbican_rabbitmq_host_group] | length > 0
+    - include: common-tasks/os-log-dir-setup.yml
+      vars:
+        log_dirs:
+          - src: "/openstack/log/{{ inventory_hostname }}-barbican"
+            dest: "/var/log/barbican"
+    - include: common-tasks/mysql-db-user.yml
+      static: no
+      vars:
+        user_name: "{{ barbican_galera_user }}"
+        password: "{{ barbican_galera_password }}"
+        login_host: "{{ barbican_galera_address }}"
+        db_name: "{{ barbican_galera_database }}"
+      when: inventory_hostname == groups['barbican_all'][0]
+    - include: common-tasks/package-cache-proxy.yml
+  roles:
+    - role: "os_barbican"
+      barbican_venv_tag: "{{ openstack_release }}"
+      barbican_venv_download_url: "{{ openstack_repo_url }}/venvs/{{ openstack_release }}/{{ ansible_distribution | lower }}/barbican-{{ openstack_release }}-{{ ansible_architecture | lower }}.tgz"
+    - role: "openstack_openrc"
+      tags:
+        - openrc
+    - role: "rsyslog_client"
+      rsyslog_client_log_rotate_file: barbican_log_rotate
+      rsyslog_client_log_dir: "/var/log/barbican"
+      rsyslog_client_config_name: "99-barbican-rsyslog-client.conf"
+      tags:
+        - rsyslog
+  vars:
+    is_metal: "{{ properties.is_metal|default(false) }}"
+  tags:
+    - barbican
diff --git a/playbooks/setup-openstack.yml b/playbooks/setup-openstack.yml
index 3d6bbfbb56..f7daa5ed4e 100644
--- a/playbooks/setup-openstack.yml
+++ b/playbooks/setup-openstack.yml
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 - include: os-keystone-install.yml
+- include: os-barbican-install.yml
 - include: os-glance-install.yml
 - include: os-cinder-install.yml
 - include: os-nova-install.yml
diff --git a/playbooks/vars/configs/haproxy_config.yml b/playbooks/vars/configs/haproxy_config.yml
index 10cfc73bd4..9aba1f4359 100644
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
@@ -260,3 +260,11 @@ haproxy_default_services:
       haproxy_balance_type: http
       haproxy_backend_options:
         - "httpchk HEAD /"
+  - service:
+      haproxy_service_name: barbican
+      haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
+      haproxy_ssl: "{{ haproxy_ssl }}"
+      haproxy_port: 9311
+      haproxy_balance_type: tcp
+      haproxy_backend_options:
+        - tcp-check
diff --git a/releasenotes/notes/barbican-integration-cef0bf5e44d455e6.yaml b/releasenotes/notes/barbican-integration-cef0bf5e44d455e6.yaml
new file mode 100644
index 0000000000..518597249e
--- /dev/null
+++ b/releasenotes/notes/barbican-integration-cef0bf5e44d455e6.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - Support has been added to allow the deployment of the OpenStack
+    barbican service when hosts are present in the host group
+    ``key-manager_hosts``.
diff --git a/tests/test_inventory.py b/tests/test_inventory.py
index caad0cb375..7bd31d6f44 100644
--- a/tests/test_inventory.py
+++ b/tests/test_inventory.py
@@ -137,6 +137,9 @@ class TestAnsibleInventoryFormatConstraints(unittest.TestCase):
         'aodh_api',
         'aodh_container',
         'aodh_listener',
+        'barbican_all',
+        'barbican_api',
+        'barbican_container',
         'ceilometer_agent_central',
         'ceilometer_agent_compute',
         'ceilometer_agent_notification',
@@ -215,6 +218,8 @@ class TestAnsibleInventoryFormatConstraints(unittest.TestCase):
         'ironic-compute_containers',
         'ironic-compute_all',
         'ironic-compute_hosts',
+        'key-manager_containers',
+        'key-manager_hosts',
         'keystone',
         'keystone_all',
         'keystone_container',