Simplify conditions in barbican service templates
Change-Id: I799c4d60a674af965971c763e437e4f7987b0dff
This commit is contained in:
parent
cefbfe418c
commit
06efcbbd1f
|
@ -163,18 +163,11 @@ parameters:
|
||||||
perform configuration on a Heat stack-update.
|
perform configuration on a Heat stack-update.
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
||||||
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
|
||||||
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
|
||||||
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
|
|
||||||
hsm_enabled:
|
hsm_enabled:
|
||||||
or:
|
or:
|
||||||
- thales_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- atos_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
- lunasa_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
|
||||||
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
|
||||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
|
||||||
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
||||||
# will use the Controller's IP address from that network instead.
|
# will use the Controller's IP address from that network instead.
|
||||||
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
|
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
|
||||||
|
@ -278,16 +271,14 @@ outputs:
|
||||||
path: /barbican
|
path: /barbican
|
||||||
query:
|
query:
|
||||||
if:
|
if:
|
||||||
- enable_sqlalchemy_collectd
|
- {get_param: EnableSQLAlchemyCollectd}
|
||||||
-
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
read_default_group: tripleo
|
||||||
read_default_group: tripleo
|
plugin: collectd
|
||||||
plugin: collectd
|
collectd_program_name: barbican
|
||||||
collectd_program_name: barbican
|
collectd_host: localhost
|
||||||
collectd_host: localhost
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
-
|
read_default_group: tripleo
|
||||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
||||||
read_default_group: tripleo
|
|
||||||
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -347,9 +338,8 @@ outputs:
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
external_deploy_tasks:
|
external_deploy_tasks:
|
||||||
if:
|
if:
|
||||||
- thales_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
-
|
- - name: Add ip addresses to the RFS server
|
||||||
- name: Add ip addresses to the RFS server
|
|
||||||
when: step|int == 2
|
when: step|int == 2
|
||||||
block:
|
block:
|
||||||
- name: get the ip addresses for the barbican nodes
|
- name: get the ip addresses for the barbican nodes
|
||||||
|
@ -427,18 +417,15 @@ outputs:
|
||||||
file:
|
file:
|
||||||
path: "{{thales_rfs_playbook_dir}}"
|
path: "{{thales_rfs_playbook_dir}}"
|
||||||
state: absent
|
state: absent
|
||||||
- null
|
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
list_concat:
|
list_concat:
|
||||||
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
||||||
- if:
|
- if:
|
||||||
- hsm_enabled
|
- hsm_enabled
|
||||||
- list_concat:
|
- list_concat:
|
||||||
-
|
- if:
|
||||||
if:
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- thales_hsm_enabled
|
- - name: Thales client install
|
||||||
-
|
|
||||||
- name: Thales client install
|
|
||||||
when: step|int == 2
|
when: step|int == 2
|
||||||
block:
|
block:
|
||||||
- set_fact:
|
- set_fact:
|
||||||
|
@ -454,24 +441,18 @@ outputs:
|
||||||
map_merge:
|
map_merge:
|
||||||
- thales_install_client: true
|
- thales_install_client: true
|
||||||
- {get_param: ThalesVars}
|
- {get_param: ThalesVars}
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
if:
|
- - name: ATOS client install
|
||||||
- atos_hsm_enabled
|
|
||||||
-
|
|
||||||
- name: ATOS client install
|
|
||||||
when: step|int == 2
|
when: step|int == 2
|
||||||
block:
|
block:
|
||||||
- include_role:
|
- include_role:
|
||||||
name: atos_hsm
|
name: atos_hsm
|
||||||
vars:
|
vars:
|
||||||
{get_param: ATOSVars}
|
{get_param: ATOSVars}
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
if:
|
- - name: Lunasa client install
|
||||||
- lunasa_hsm_enabled
|
|
||||||
-
|
|
||||||
- name: Lunasa client install
|
|
||||||
when: step|int == 2
|
when: step|int == 2
|
||||||
block:
|
block:
|
||||||
- name: install the lunasa client
|
- name: install the lunasa client
|
||||||
|
@ -494,15 +475,13 @@ outputs:
|
||||||
"{{$NETWORK_ip}}"
|
"{{$NETWORK_ip}}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: LunasaClientIPNetwork}
|
$NETWORK: {get_param: LunasaClientIPNetwork}
|
||||||
- null
|
|
||||||
- null
|
|
||||||
docker_config:
|
docker_config:
|
||||||
# db sync runs before permissions set by kolla_config
|
# db sync runs before permissions set by kolla_config
|
||||||
step_2:
|
step_2:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [BarbicanApiLogging, docker_config, step_2]
|
- get_attr: [BarbicanApiLogging, docker_config, step_2]
|
||||||
- if:
|
- if:
|
||||||
- atos_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
- barbican_init_atos_directory:
|
- barbican_init_atos_directory:
|
||||||
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
|
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
|
||||||
net: host
|
net: host
|
||||||
|
@ -515,7 +494,7 @@ outputs:
|
||||||
step_3:
|
step_3:
|
||||||
map_merge:
|
map_merge:
|
||||||
- if:
|
- if:
|
||||||
- pkcs11_plugin_enabled
|
- {get_param: BarbicanPkcs11CryptoEnabled}
|
||||||
- barbican_api_create_mkek:
|
- barbican_api_create_mkek:
|
||||||
start_order: 0
|
start_order: 0
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
|
@ -526,31 +505,21 @@ outputs:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
-
|
- - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
||||||
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
|
||||||
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
||||||
-
|
- if:
|
||||||
if:
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- thales_hsm_enabled
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
||||||
-
|
|
||||||
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
||||||
- /opt/nfast:/opt/nfast
|
- /opt/nfast:/opt/nfast
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
if:
|
- - /etc/proteccio:/etc/proteccio
|
||||||
- atos_hsm_enabled
|
|
||||||
-
|
|
||||||
- /etc/proteccio:/etc/proteccio
|
|
||||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
if:
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
||||||
- lunasa_hsm_enabled
|
|
||||||
-
|
|
||||||
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
||||||
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
||||||
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
||||||
- null
|
|
||||||
environment:
|
environment:
|
||||||
# NOTE: this should force this container to re-run on each
|
# NOTE: this should force this container to re-run on each
|
||||||
# update (scale-out, etc.)
|
# update (scale-out, etc.)
|
||||||
|
@ -567,9 +536,8 @@ outputs:
|
||||||
- "hsm gen_mkek --label"
|
- "hsm gen_mkek --label"
|
||||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
- "'"
|
- "'"
|
||||||
- {}
|
|
||||||
- if:
|
- if:
|
||||||
- pkcs11_plugin_enabled
|
- {get_param: BarbicanPkcs11CryptoEnabled}
|
||||||
- barbican_api_create_hmac:
|
- barbican_api_create_hmac:
|
||||||
start_order: 0
|
start_order: 0
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
|
@ -593,7 +561,7 @@ outputs:
|
||||||
- "'"
|
- "'"
|
||||||
- {}
|
- {}
|
||||||
- if:
|
- if:
|
||||||
- thales_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
||||||
start_order: 1
|
start_order: 1
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
|
@ -604,9 +572,8 @@ outputs:
|
||||||
environment:
|
environment:
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
||||||
- {}
|
|
||||||
- if:
|
- if:
|
||||||
- thales_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
||||||
start_order: 2
|
start_order: 2
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
|
@ -617,7 +584,6 @@ outputs:
|
||||||
environment:
|
environment:
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command: "/opt/nfast/bin/rfs-sync --update"
|
command: "/opt/nfast/bin/rfs-sync --update"
|
||||||
- {}
|
|
||||||
- barbican_api_db_sync:
|
- barbican_api_db_sync:
|
||||||
start_order: 3
|
start_order: 3
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
|
@ -653,7 +619,7 @@ outputs:
|
||||||
- "db sync_secret_stores --verbose"
|
- "db sync_secret_stores --verbose"
|
||||||
- "'"
|
- "'"
|
||||||
- if:
|
- if:
|
||||||
- pkcs11_rewrap_pkeks
|
- {get_param: BarbicanPkcs11CryptoRewrapKeys}
|
||||||
- barbican_api_rewrap_pkeks:
|
- barbican_api_rewrap_pkeks:
|
||||||
start_order: 4
|
start_order: 4
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
|
@ -672,7 +638,6 @@ outputs:
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
- "hsm rewrap_pkek"
|
- "hsm rewrap_pkek"
|
||||||
- "'"
|
- "'"
|
||||||
- {}
|
|
||||||
- barbican_api:
|
- barbican_api:
|
||||||
# NOTE(alee): Barbican should start after keystone processes
|
# NOTE(alee): Barbican should start after keystone processes
|
||||||
start_order: 5
|
start_order: 5
|
||||||
|
@ -690,35 +655,23 @@ outputs:
|
||||||
-
|
-
|
||||||
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
||||||
-
|
- if:
|
||||||
if:
|
- {get_param: EnableInternalTLS}
|
||||||
- internal_tls_enabled
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||||
-
|
|
||||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
||||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
if:
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
||||||
- thales_hsm_enabled
|
|
||||||
-
|
|
||||||
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
||||||
- /opt/nfast:/opt/nfast
|
- /opt/nfast:/opt/nfast
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
if:
|
- - /etc/proteccio:/etc/proteccio
|
||||||
- atos_hsm_enabled
|
|
||||||
-
|
|
||||||
- /etc/proteccio:/etc/proteccio
|
|
||||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
if:
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
||||||
- lunasa_hsm_enabled
|
|
||||||
-
|
|
||||||
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
||||||
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
||||||
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
||||||
- null
|
|
||||||
environment: &kolla_env
|
environment: &kolla_env
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
- barbican_keystone_listener:
|
- barbican_keystone_listener:
|
||||||
|
@ -749,31 +702,21 @@ outputs:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
-
|
- - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
|
||||||
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
||||||
-
|
- if:
|
||||||
if:
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- thales_hsm_enabled
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
||||||
-
|
|
||||||
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
||||||
- /opt/nfast:/opt/nfast
|
- /opt/nfast:/opt/nfast
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
if:
|
- - /etc/proteccio:/etc/proteccio
|
||||||
- atos_hsm_enabled
|
|
||||||
-
|
|
||||||
- /etc/proteccio:/etc/proteccio
|
|
||||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
- null
|
- if:
|
||||||
-
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
if:
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
||||||
- lunasa_hsm_enabled
|
|
||||||
-
|
|
||||||
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
||||||
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
||||||
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
||||||
- null
|
|
||||||
environment: *kolla_env
|
environment: *kolla_env
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
list_concat:
|
list_concat:
|
||||||
|
@ -785,9 +728,8 @@ outputs:
|
||||||
state: yes
|
state: yes
|
||||||
scale_tasks:
|
scale_tasks:
|
||||||
if:
|
if:
|
||||||
- lunasa_hsm_enabled
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
-
|
- - name: Remove HSM clients
|
||||||
- name: Remove HSM clients
|
|
||||||
when: step|int == 1
|
when: step|int == 1
|
||||||
tags: down
|
tags: down
|
||||||
block:
|
block:
|
||||||
|
@ -801,7 +743,6 @@ outputs:
|
||||||
- {get_param: LunasaVars}
|
- {get_param: LunasaVars}
|
||||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
- client_name: "{{ fqdn_canonical }}"
|
- client_name: "{{ fqdn_canonical }}"
|
||||||
- null
|
|
||||||
metadata_settings:
|
metadata_settings:
|
||||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||||
external_upgrade_tasks:
|
external_upgrade_tasks:
|
||||||
|
|
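Review bot: The `if:` and `or:` functions now consume parameter values directly (`- {get_param: BarbicanPkcs11CryptoThalesEnabled}` in place of `- thales_hsm_enabled`, and likewise `EnableInternalTLS`, `EnableSQLAlchemyCollectd`, `BarbicanPkcs11CryptoEnabled` and `BarbicanPkcs11CryptoRewrapKeys`), which is only valid when every one of those parameters is declared `type: boolean`; the parameters section is outside the hunks, so please confirm each one. The removed `equals: [{get_param: X}, true]` wrappers would have quietly evaluated to false for a string-typed `'true'`, whereas a bare non-boolean `get_param` inside a condition is, as far as I recall Heat's condition handling, rejected at stack validation, so a type mismatch now surfaces as a deploy failure rather than a silently disabled HSM or TLS mount. The commit also drops the third `if:` argument everywhere (the `- null` and `- {}` else branches under `deploy_steps_tasks`, the `docker_config` steps, `external_deploy_tasks` and `scale_tasks`); the two-argument form removes the enclosing list item or mapping key when the condition is false and is accepted only from `heat_template_version: 2021-03-22` (Wallaby) onward, which is not visible here, and it means `external_deploy_tasks` and `scale_tasks` vanish from `role_data` entirely when no HSM is enabled — worth checking that the consumers tolerate the missing keys. A one-line comment above `hsm_enabled:` such as `# get_param is usable in conditions only for boolean-typed parameters; keep the Barbican*Enabled params typed boolean` would record the dependency the simplification relies on.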