Add barbican spec

Change-Id: I5542f7afa2bbba53773ed48ed53765246d8cafab

openstack/barbican/barbican-wsgi.conf

@@ -0,0 +1,13 @@
+Listen 9311
+
+<VirtualHost *:9311>
+    WSGIScriptAlias / /usr/bin/barbican-wsgi-api
+    WSGIDaemonProcess barbican-api user=barbican group=barbican processes=3 threads=10
+    WSGIProcessGroup barbican-api
+    ErrorLog /var/log/barbican/barbican-api.log
+    CustomLog /var/log/barbican/barbican-api.log combined
+
+    <Directory /usr/bin>
+        Require all granted
+    </Directory>
+</VirtualHost>

openstack/barbican/barbican.spec.j2

@@ -0,0 +1,310 @@
+{% set pypi_name = 'barbican' %}
+{% set source = fetch_source('https://tarballs.openstack.org/barbican/barbican-master.tar.gz') %}
+{% set upstream_version = upstream_version() %}
+{% set rpm_release = '1' %}
+%if 0%{?rhel} || 0%{?fedora}
+%global rdo 1
+%endif
+Name:           {{ py2name() }}
+Version:        {{ py2rpmversion() }}
+Release:        {{ py2rpmrelease() }}
+Summary:        OpenStack key and secrets management (Barbican)
+License:        {{ license('Apache-2.0') }}
+URL:            https://docs.openstack.org/barbican/latest/
+Source0:        {{ source|basename }}
+Source1:        openstack-barbican.logrotate
+Source2:        openstack-barbican.tmpfiles
+Source3:        openstack-barbican.defaultconf
+Source4:        openstack-barbican.README.config
+Source5:        barbican-wsgi.conf
+# systemd service files
+Source10:       openstack-barbican-worker.service
+Source11:       openstack-barbican-keystone-listener.service
+Source12:       openstack-barbican-retry.service
+BuildRequires:  openstack-macros
+BuildRequires:  {{ py3('Babel') }}
+BuildRequires:  {{ py3('Paste') }}
+BuildRequires:  {{ py3('PasteDeploy') }}
+BuildRequires:  {{ py3('PyKMIP') }}
+BuildRequires:  {{ py3('SQLAlchemy') }}
+BuildRequires:  {{ py3('Sphinx') }}
+BuildRequires:  {{ py3('WebOb') }}
+BuildRequires:  {{ py3('eventlet') }}
+BuildRequires:  {{ py3('fixtures') }}
+BuildRequires:  {{ py3('mock') }}
+BuildRequires:  {{ py3('neutronclient') }}
+BuildRequires:  {{ py3('openstackdocstheme') }}
+BuildRequires:  {{ py3('oslo.concurrency') }}
+BuildRequires:  {{ py3('oslo.config') }}
+BuildRequires:  {{ py3('oslo.db') }}
+BuildRequires:  {{ py3('oslo.i18n') }}
+BuildRequires:  {{ py3('oslo.log') }}
+BuildRequires:  {{ py3('oslo.messaging') }}
+BuildRequires:  {{ py3('oslo.policy') }}
+BuildRequires:  {{ py3('oslo.utils') }}
+BuildRequires:  {{ py3('pbr') }}
+BuildRequires:  {{ py3('pecan') }}
+BuildRequires:  {{ py3('pyOpenSSL') }}
+BuildRequires:  {{ py3('six') }}
+BuildRequires:  {{ py3('stevedore') }}
+BuildRequires:  {{ py3('testtools') }}
+Requires:       logrotate
+Requires:       python3-barbican = %{version}-%{release}
+BuildArch:      noarch
+%if 0%{?suse_version}
+BuildRequires:  systemd-rpm-macros
+%{?systemd_requires}
+%else
+BuildRequires:  systemd
+Requires(post): systemd
+Requires(postun): systemd
+Requires(preun): systemd
+%endif
+%if 0%{?suse_version}
+Requires(pre):  pwdutils
+%endif
+%if 0%{?rdo}
+Requires(pre):  shadow-utils
+%endif
+
+%description
+Barbican is a REST API designed for the secure storage, provisioning and
+management of secrets. It is aimed at being useful for all environments,
+including large ephemeral Clouds.
+
+%package -n python3-{{ pypi_name }}
+Summary:        OpenStack key and secrets management (Barbican) - Python module
+Group:          Development/Languages/Python
+Requires:       {{ py3('Babel') }}
+Requires:       {{ py3('Paste') }}
+Requires:       {{ py3('PasteDeploy') }}
+Requires:       {{ py3('PyKMIP') }}
+Requires:       {{ py3('Pygments') }}
+Requires:       {{ py3('SQLAlchemy') }}
+Requires:       {{ py3('WebOb') }}
+Requires:       {{ py3('alembic') }}
+Requires:       {{ py3('castellan') }}
+Requires:       {{ py3('cffi') }}
+Requires:       {{ py3('cryptography') }}
+Requires:       {{ py3('eventlet') }}
+Requires:       {{ py3('jsonschema') }}
+Requires:       {{ py3('keystoneclient') }}
+Requires:       {{ py3('keystonemiddleware') }}
+Requires:       {{ py3('ldap3') }}
+Requires:       {{ py3('oslo.config') }}
+Requires:       {{ py3('oslo.context') }}
+Requires:       {{ py3('oslo.db') }}
+Requires:       {{ py3('oslo.i18n') }}
+Requires:       {{ py3('oslo.log') }}
+Requires:       {{ py3('oslo.messaging') }}
+Requires:       {{ py3('oslo.middleware') }}
+Requires:       {{ py3('oslo.policy') }}
+Requires:       {{ py3('oslo.serialization') }}
+Requires:       {{ py3('oslo.service') }}
+Requires:       {{ py3('oslo.upgradecheck') }}
+Requires:       {{ py3('oslo.utils') }}
+Requires:       {{ py3('oslo.versionedobjects') }}
+Requires:       {{ py3('pbr') }}
+Requires:       {{ py3('pecan') }}
+Requires:       {{ py3('pyOpenSSL') }}
+Requires:       {{ py3('requests') }}
+Requires:       {{ py3('six') }}
+Requires:       {{ py3('stevedore') }}
+
+%description -n python3-{{ pypi_name }}
+Barbican is a REST API designed for the secure storage, provisioning and
+management of secrets. It is aimed at being useful for all environments,
+including large ephemeral Clouds.
+
+This package contains the core Python module of OpenStack Barbican.
+
+%package api
+Summary:        OpenStack key and secret management (Barbican) - API
+Group:          Development/Languages/Python
+Requires:       %{name} = %{version}-%{release}
+
+%description api
+Barbican is a REST API designed for the secure storage, provisioning and
+management of secrets. It is aimed at being useful for all environments,
+including large ephemeral Clouds.
+This package contains the OpenStack Barbican API (WSGI only).
+
+%package worker
+Summary:        OpenStack key and secret management (Barbican) - Worker
+Group:          Development/Languages/Python
+Requires:       %{name} = %{version}-%{release}
+
+%description worker
+Barbican is a REST API designed for the secure storage, provisioning and
+management of secrets. It is aimed at being useful for all environments,
+including large ephemeral Clouds.
+This package contains the OpenStack Barbican Worker service.
+
+%package keystone-listener
+Summary:        OpenStack key and secret management (Barbican) - keystone listener
+Group:          Development/Languages/Python
+Requires:       %{name} = %{version}-%{release}
+
+%description keystone-listener
+Barbican is a REST API designed for the secure storage, provisioning and
+management of secrets. It is aimed at being useful for all environments,
+including large ephemeral Clouds.
+This package contains the OpenStack Barbican Keystone Listener service.
+
+%package retry
+Summary:        OpenStack key and secret management (Barbican) - Retry Scheduler
+Group:          Development/Languages/Python
+Requires:       %{name} = %{version}-%{release}
+
+%description retry
+Barbican is a REST API designed for the secure storage, provisioning and
+management of secrets. It is aimed at being useful for all environments,
+including large ephemeral Clouds.
+This package contains the OpenStack Barbican Retry Scheduler service.
+
+%prep
+%autosetup -p1 -n {{ pypi_name }}-{{ upstream_version }}
+%py_req_cleanup
+
+%build
+%{py3_build}
+PYTHONPATH=. PBR_VERSION={{ upstream_version }} %sphinx_build -b html doc/source doc/build/html
+# remove the Sphinx-build leftovers
+rm -rf doc/build/html/.{doctrees,buildinfo}
+
+### configuration file generation
+PYTHONPATH=. oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf --output-file etc/barbican.conf.sample
+PYTHONPATH=. oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf
+
+%install
+%{py3_install}
+
+### directories
+install -d -m 750 %{buildroot}%{_localstatedir}/{lib,log}/barbican
+install -d -m 750 %{buildroot}%{_localstatedir}/cache/barbican
+install -D -m 644 %{SOURCE2} %{buildroot}/%{_tmpfilesdir}/barbican.conf
+install -d -m 755 %{buildroot}%{_sysconfdir}/barbican
+install -d -m 755 %{buildroot}%{_datadir}/barbican
+install -d -m 755 %{buildroot}%{_sysconfdir}/barbican/barbican.conf.d/
+install -p -D -m 640 %{SOURCE4} %{buildroot}%{_sysconfdir}/barbican/README.config
+
+### configuration files
+install -p -D -m 644 etc/barbican.conf.sample %{buildroot}%{_sysconfdir}/barbican/barbican.conf
+install -p -D -m 640 etc/barbican/policy.yaml.sample %{buildroot}%{_sysconfdir}/barbican/policy.yaml
+install -p -D -m 644  etc/barbican/{barbican-functional.conf,api_audit_map.conf} %{buildroot}%{_sysconfdir}/barbican/
+mv %{buildroot}/%{_prefix}/%{_sysconfdir}/barbican/barbican-api-paste.ini %{buildroot}%{_sysconfdir}/barbican/
+
+### default configuration
+install -D -m 640 %{SOURCE3} %{buildroot}/%{_sysconfdir}/barbican/barbican.conf.d/010-barbican.conf
+
+# bash-completion/logrotate/etc.
+install -p -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/barbican
+
+# Install systemd unit services
+mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_unitdir}
+install -p -D -m 444 %{SOURCE10} %{buildroot}%{_unitdir}/%{name}-worker.service
+install -p -D -m 444 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}-keystone-listener.service
+install -p -D -m 444 %{SOURCE12} %{buildroot}%{_unitdir}/%{name}-retry.service
+%if 0%{?suse_version}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-worker
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-keystone-listener
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-retry
+%endif
+
+# Install apache configuration files
+install -p -D -m 644 %{SOURCE5}  %{buildroot}%{_datadir}/barbican/
+
+%pre
+%openstack_pre_user_group_create barbican barbican /sbin/nologin
+exit 0
+
+%post
+%tmpfiles_create %{_tmpfilesdir}/barbican.conf
+
+%post worker
+%systemd_post %{name}-worker.service
+
+%preun worker
+%systemd_preun %{name}-worker.service
+
+%postun worker
+%systemd_postun %{name}-worker.service
+
+%post keystone-listener
+%systemd_post %{name}-keystone-listener.service
+
+%preun keystone-listener
+%systemd_preun %{name}-keystone-listener.service
+
+%postun keystone-listener
+%systemd_postun %{name}-keystone-listener.service
+
+%post retry
+%systemd_post %{name}-retry.service
+
+%preun retry
+%systemd_preun %{name}-retry.service
+
+%postun retry
+%systemd_postun %{name}-retry.service
+
+%files
+%license LICENSE
+%dir %attr(0750, barbican, barbican) %{_localstatedir}/lib/barbican
+%dir %attr(0750, barbican, barbican) %{_localstatedir}/cache/barbican
+%dir %attr(0750, barbican, barbican) %{_localstatedir}/log/barbican
+%_tmpfilesdir/barbican.conf
+%dir %{_datadir}/barbican
+%dir %{_sysconfdir}/barbican
+%dir %{_sysconfdir}/barbican/barbican.conf.d/
+%{_sysconfdir}/barbican/README.config
+%config(noreplace) %{_sysconfdir}/logrotate.d/barbican
+%config %attr(0644, root, barbican) %{_sysconfdir}/barbican/barbican-functional.conf
+%config(noreplace) %attr(0640, root, barbican) %{_sysconfdir}/barbican/barbican.conf
+%config(noreplace) %attr(0640, root, barbican) %{_sysconfdir}/barbican/barbican.conf.d/010-barbican.conf
+%config %attr(0640, root, barbican) %{_sysconfdir}/barbican/policy.yaml
+%attr(0644, root, barbican) %{_datadir}/barbican/barbican-wsgi.conf
+%{_bindir}/barbican-manage
+%{_bindir}/barbican-status
+%{_bindir}/barbican-db-manage
+%{_bindir}/pkcs11-kek-rewrap
+%{_bindir}/pkcs11-key-generation
+
+%files -n python3-barbican
+%license LICENSE
+%{python3_sitelib}/barbican/
+%{python3_sitelib}/barbican-*.egg-info
+
+%files api
+%defattr(-,root,root,-)
+%license LICENSE
+%{_bindir}/barbican-wsgi-api
+%config %attr(0644, root, barbican) %{_sysconfdir}/barbican/api_audit_map.conf
+%config %attr(0640, root, barbican) %{_sysconfdir}/barbican/barbican-api-paste.ini
+
+%files worker
+%defattr(-,root,root,-)
+%license LICENSE
+%{_unitdir}/%{name}-worker.service
+%{_bindir}/barbican-worker
+%if 0%{?suse_version}
+%{_sbindir}/rc%{name}-worker
+%endif
+
+%files keystone-listener
+%license LICENSE
+%{_unitdir}/%{name}-keystone-listener.service
+%{_bindir}/barbican-keystone-listener
+%if 0%{?suse_version}
+%{_sbindir}/rc%{name}-keystone-listener
+%endif
+
+%files retry
+%license LICENSE
+%{_unitdir}/%{name}-retry.service
+%{_bindir}/barbican-retry
+%if 0%{?suse_version}
+%{_sbindir}/rc%{name}-retry
+%endif
+
+%changelog

openstack/barbican/openstack-barbican-keystone-listener.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack key and secret management (Barbican) - keystone-service
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=barbican
+Group=barbican
+WorkingDirectory=/var/lib/barbican
+PrivateTmp=yes
+ExecStart=/usr/bin/barbican-keystone-listener
+
+[Install]
+WantedBy=multi-user.target

openstack/barbican/openstack-barbican-retry.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack key and secret management (Barbican) - retry
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=barbican
+Group=barbican
+WorkingDirectory=/var/lib/barbican
+PrivateTmp=yes
+ExecStart=/usr/bin/barbican-retry
+
+[Install]
+WantedBy=multi-user.target

openstack/barbican/openstack-barbican-worker.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack key and secret management (Barbican) - worker
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=barbican
+Group=barbican
+WorkingDirectory=/var/lib/barbican
+PrivateTmp=yes
+ExecStart=/usr/bin/barbican-worker
+
+[Install]
+WantedBy=multi-user.target

openstack/barbican/openstack-barbican.README.config

@@ -0,0 +1,30 @@
+The main service configuration (/etc/$project/$project.conf) can still be used
+for configuration but the preferred way is to add config file snippets into
+/etc/$project/$project.conf.d/ instead.
+
+As part of the packaging, the package itself installs a config snippet at
+/etc/$project/$project.conf.d/010-$project.conf with basic configuration. This
+file should not be modified. In case there is a need to overwrite or add
+settings, a XXX-$project.conf (XXX being a 3 digit number) should be created
+instead.
+
+Config directory file snippet naming should follow these conventions:
+- snippets should start with "XXX-" where "X" is a number
+- snippets must end with ".conf"
+- config management systems (Crowbar, Salt, ...) should use numbers
+  between 100 and 499
+- users should use numbers starting from 500
+
+Configuring just a single $program (eg for Nova, $project is "nova" and
+$program is "nova-api", "nova-compute", "nova-scheduler", ...) can be done
+in a similar way. The config snippets should be placed in
+/etc/$project/$program.conf.d/ . The same snippets rules apply here, too.
+
+$program reads the configuration files in the following order:
+- /etc/$project/$project.conf
+- /etc/$project/$project.conf.d/*.conf (lexically sorted)
+- /etc/$project/$program.conf.d/*.conf (lexically sorted)
+
+The last configured key overwrites all previous ones. In particular, settings
+in /etc/$project/$project.conf are overwritten by config values from any file
+in /etc/$project/$project.conf.d/XXX-$project.conf .

openstack/barbican/openstack-barbican.defaultconf

@@ -0,0 +1,5 @@
+[DEFAULT]
+log_dir=/var/log/barbican
+state_path=/var/lib/barbican
+# disable the snakeoil certificate which is enabled by default
+enabled_certificate_plugins =

openstack/barbican/openstack-barbican.logrotate

@@ -0,0 +1,13 @@
+/var/log/barbican/*.log {
+    compress
+    copytruncate
+    dateext
+    minsize 100k
+    missingok
+    notifempty
+    rotate 10
+    sharedscripts
+    size 1M
+    su barbican barbican
+    weekly
+}

openstack/barbican/openstack-barbican.tmpfiles

@@ -0,0 +1 @@
+d /run/barbican 0700 barbican barbican -