Simplify conditions in barbican service templates

Change-Id: I799c4d60a674af965971c763e437e4f7987b0dff
ramishra 2021-04-05 09:01:06 +05:30
parent cefbfe418c
commit 06efcbbd1f
1 changed files with 62 additions and 121 deletions


@ -163,18 +163,11 @@ parameters:
perform configuration on a Heat stack-update. perform configuration on a Heat stack-update.
conditions: conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
hsm_enabled: hsm_enabled:
or: or:
- thales_hsm_enabled - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- atos_hsm_enabled - {get_param: BarbicanPkcs11CryptoATOSEnabled}
- lunasa_hsm_enabled - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we # Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead. # will use the Controller's IP address from that network instead.
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']} lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
@ -278,16 +271,14 @@ outputs:
path: /barbican path: /barbican
query: query:
if: if:
- enable_sqlalchemy_collectd - {get_param: EnableSQLAlchemyCollectd}
- - read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo
read_default_group: tripleo plugin: collectd
plugin: collectd collectd_program_name: barbican
collectd_program_name: barbican collectd_host: localhost
collectd_host: localhost - read_default_file: /etc/my.cnf.d/tripleo.cnf
- read_default_group: tripleo
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings: service_config_settings:
map_merge: map_merge:
@ -347,9 +338,8 @@ outputs:
preserve_properties: true preserve_properties: true
external_deploy_tasks: external_deploy_tasks:
if: if:
- thales_hsm_enabled - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - - name: Add ip addresses to the RFS server
- name: Add ip addresses to the RFS server
when: step|int == 2 when: step|int == 2
block: block:
- name: get the ip addresses for the barbican nodes - name: get the ip addresses for the barbican nodes
@ -427,18 +417,15 @@ outputs:
file: file:
path: "{{thales_rfs_playbook_dir}}" path: "{{thales_rfs_playbook_dir}}"
state: absent state: absent
- null
deploy_steps_tasks: deploy_steps_tasks:
list_concat: list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks] - get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- if: - if:
- hsm_enabled - hsm_enabled
- list_concat: - list_concat:
- - if:
if: - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- thales_hsm_enabled - - name: Thales client install
-
- name: Thales client install
when: step|int == 2 when: step|int == 2
block: block:
- set_fact: - set_fact:
@ -454,24 +441,18 @@ outputs:
map_merge: map_merge:
- thales_install_client: true - thales_install_client: true
- {get_param: ThalesVars} - {get_param: ThalesVars}
- null - if:
- - {get_param: BarbicanPkcs11CryptoATOSEnabled}
if: - - name: ATOS client install
- atos_hsm_enabled
-
- name: ATOS client install
when: step|int == 2 when: step|int == 2
block: block:
- include_role: - include_role:
name: atos_hsm name: atos_hsm
vars: vars:
{get_param: ATOSVars} {get_param: ATOSVars}
- null - if:
- - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
if: - - name: Lunasa client install
- lunasa_hsm_enabled
-
- name: Lunasa client install
when: step|int == 2 when: step|int == 2
block: block:
- name: install the lunasa client - name: install the lunasa client
@ -494,15 +475,13 @@ outputs:
"{{$NETWORK_ip}}" "{{$NETWORK_ip}}"
params: params:
$NETWORK: {get_param: LunasaClientIPNetwork} $NETWORK: {get_param: LunasaClientIPNetwork}
- null
- null
docker_config: docker_config:
# db sync runs before permissions set by kolla_config # db sync runs before permissions set by kolla_config
step_2: step_2:
map_merge: map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2] - get_attr: [BarbicanApiLogging, docker_config, step_2]
- if: - if:
- atos_hsm_enabled - {get_param: BarbicanPkcs11CryptoATOSEnabled}
- barbican_init_atos_directory: - barbican_init_atos_directory:
image: &barbican_api_image {get_param: ContainerBarbicanApiImage} image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
net: host net: host
@ -515,7 +494,7 @@ outputs:
step_3: step_3:
map_merge: map_merge:
- if: - if:
- pkcs11_plugin_enabled - {get_param: BarbicanPkcs11CryptoEnabled}
- barbican_api_create_mkek: - barbican_api_create_mkek:
start_order: 0 start_order: 0
image: *barbican_api_image image: *barbican_api_image
@ -526,31 +505,21 @@ outputs:
list_concat: list_concat:
- {get_attr: [ContainersCommon, volumes]} - {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]} - {get_attr: [BarbicanApiLogging, volumes]}
- - - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro - /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
- - if:
if: - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- thales_hsm_enabled - - /lib64/libnsl.so.1:/lib64/libnsl.so.1
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast - /opt/nfast:/opt/nfast
- null - if:
- - {get_param: BarbicanPkcs11CryptoATOSEnabled}
if: - - /etc/proteccio:/etc/proteccio
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null - if:
- - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
if: - - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient - /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: environment:
# NOTE: this should force this container to re-run on each # NOTE: this should force this container to re-run on each
# update (scale-out, etc.) # update (scale-out, etc.)
@ -567,9 +536,8 @@ outputs:
- "hsm gen_mkek --label" - "hsm gen_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]} - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'" - "'"
- {}
- if: - if:
- pkcs11_plugin_enabled - {get_param: BarbicanPkcs11CryptoEnabled}
- barbican_api_create_hmac: - barbican_api_create_hmac:
start_order: 0 start_order: 0
image: *barbican_api_image image: *barbican_api_image
@ -593,7 +561,7 @@ outputs:
- "'" - "'"
- {} - {}
- if: - if:
- thales_hsm_enabled - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys: - barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 1 start_order: 1
image: *barbican_api_image image: *barbican_api_image
@ -604,9 +572,8 @@ outputs:
environment: environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit" command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if: - if:
- thales_hsm_enabled - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- barbican_api_get_mkek_and_hmac_keys_from_rfs: - barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 2 start_order: 2
image: *barbican_api_image image: *barbican_api_image
@ -617,7 +584,6 @@ outputs:
environment: environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/opt/nfast/bin/rfs-sync --update" command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync: - barbican_api_db_sync:
start_order: 3 start_order: 3
image: *barbican_api_image image: *barbican_api_image
@ -653,7 +619,7 @@ outputs:
- "db sync_secret_stores --verbose" - "db sync_secret_stores --verbose"
- "'" - "'"
- if: - if:
- pkcs11_rewrap_pkeks - {get_param: BarbicanPkcs11CryptoRewrapKeys}
- barbican_api_rewrap_pkeks: - barbican_api_rewrap_pkeks:
start_order: 4 start_order: 4
image: *barbican_api_image image: *barbican_api_image
@ -672,7 +638,6 @@ outputs:
- {get_attr: [BarbicanApiLogging, cmd_extra_args]} - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek" - "hsm rewrap_pkek"
- "'" - "'"
- {}
- barbican_api: - barbican_api:
# NOTE(alee): Barbican should start after keystone processes # NOTE(alee): Barbican should start after keystone processes
start_order: 5 start_order: 5
@ -690,35 +655,23 @@ outputs:
- -
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
- - if:
if: - {get_param: EnableInternalTLS}
- internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null - if:
- - {get_param: BarbicanPkcs11CryptoThalesEnabled}
if: - - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast - /opt/nfast:/opt/nfast
- null - if:
- - {get_param: BarbicanPkcs11CryptoATOSEnabled}
if: - - /etc/proteccio:/etc/proteccio
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null - if:
- - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
if: - - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient - /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: &kolla_env environment: &kolla_env
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_keystone_listener: - barbican_keystone_listener:
@ -749,31 +702,21 @@ outputs:
list_concat: list_concat:
- {get_attr: [ContainersCommon, volumes]} - {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]} - {get_attr: [BarbicanApiLogging, volumes]}
- - - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
- - if:
if: - {get_param: BarbicanPkcs11CryptoThalesEnabled}
- thales_hsm_enabled - - /lib64/libnsl.so.1:/lib64/libnsl.so.1
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast - /opt/nfast:/opt/nfast
- null - if:
- - {get_param: BarbicanPkcs11CryptoATOSEnabled}
if: - - /etc/proteccio:/etc/proteccio
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null - if:
- - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
if: - - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient - /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: *kolla_env environment: *kolla_env
host_prep_tasks: host_prep_tasks:
list_concat: list_concat:
@ -785,9 +728,8 @@ outputs:
state: yes state: yes
scale_tasks: scale_tasks:
if: if:
- lunasa_hsm_enabled - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - - name: Remove HSM clients
- name: Remove HSM clients
when: step|int == 1 when: step|int == 1
tags: down tags: down
block: block:
@ -801,7 +743,6 @@ outputs:
- {get_param: LunasaVars} - {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin} - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- client_name: "{{ fqdn_canonical }}" - client_name: "{{ fqdn_canonical }}"
- null
metadata_settings: metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings] get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks: external_upgrade_tasks:
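Review bot: Feeding `{get_param: BarbicanPkcs11CryptoThalesEnabled}` and the other enable flags straight into `if:` and `or:` (the conditions hunk and every `if:` below it) is only valid if each of those parameters is declared `type: boolean`, because Heat rejects a condition that does not resolve to a boolean at validation time; the `parameters:` block is outside this diff, so confirm EnableInternalTLS, EnableSQLAlchemyCollectd, BarbicanPkcs11CryptoEnabled, BarbicanPkcs11CryptoRewrapKeys and the three HSM flags are all boolean rather than string. Dropping the `- null` and `- {}` else branches also changes output shape: `external_deploy_tasks`, `scale_tasks` and the conditional `deploy_steps_tasks`/volume entries are now omitted when the flag is off instead of yielding null, which is presumably what the role_data consumers expect but is worth checking against anything that still reads those keys explicitly. A one-line comment above `conditions:` such as `# The Enable*/BarbicanPkcs11Crypto* flags are boolean parameters and are used directly as conditions below.` would record the assumption the rest of the template now depends on.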