flatten the barbican service configurations

This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the barbican API service. The barbican backend files are also
moved into the deployment/barbican directory for consistency.

Change-Id: Ib4a3993ac352e9e00f72ddf374042b574f6d55d6
Related-Blueprint: services-yaml-flattening
Dan Prince 2019-02-04 14:21:46 -05:00
parent afe1cb5581
commit 5e46c2a579
16 changed files with 173 additions and 248 deletions


@ -1,7 +1,7 @@
resource_registry:
OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml
OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml
OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
OS::TripleO::Services::Zaqar: ../../deployment/zaqar/zaqar-container-puppet.yaml
OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml
OS::TripleO::Services::PankoApi: ../../deployment/panko/panko-api-container-puppet.yaml
@ -15,7 +15,7 @@ resource_registry:
OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml
OS::TripleO::Services::CinderBackup: ../../deployment/cinder/cinder-backup-pacemaker-puppet.yaml
OS::TripleO::Services::CinderVolume: ../../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../puppet/services/barbican-backend-simple-crypto.yaml
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
OS::TripleO::Services::Keepalived: OS::Heat::None
# Some infra instances don't pass the ping test but are otherwise working.
# Since the OVB jobs also test this functionality we can shut it off here.


@ -13,7 +13,7 @@ resource_registry:
OS::TripleO::Services::HeatApiCfn: ../../deployment/heat/heat-api-cfn-container-puppet.yaml
OS::TripleO::Services::HeatApiCloudwatch: ../../deployment/heat/heat-api-cloudwatch-disabled-puppet.yaml
OS::TripleO::Services::HeatEngine: ../../deployment/heat/heat-engine-container-puppet.yaml
OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
OS::TripleO::Services::Zaqar: ../../deployment/zaqar/zaqar-container-puppet.yaml
OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml
OS::TripleO::Services::PankoApi: ../../deployment/panko/panko-api-container-puppet.yaml
@ -27,7 +27,7 @@ resource_registry:
OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml
OS::TripleO::Services::CinderBackup: ../../deployment/cinder/cinder-backup-pacemaker-puppet.yaml
OS::TripleO::Services::CinderVolume: ../../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../puppet/services/barbican-backend-simple-crypto.yaml
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
# Some infra instances don't pass the ping test but are otherwise working.
# Since the OVB jobs also test this functionality we can shut it off here.
OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml


@ -71,10 +71,6 @@ parameters:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
@ -83,10 +79,6 @@ parameters:
description: Slot Id for the HSM
type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
@ -95,10 +87,6 @@ parameters:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11AlwaysSetCkaSensitive:
description: Always set CKA_SENSITIVE=CK_TRUE
type: boolean
default: true
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
@ -113,8 +101,62 @@ parameters:
description: Hash of atos-hsm role variables used to
install ATOS client software.
type: json
BarbicanPassword:
description: The password for the barbican service account.
type: string
hidden: true
BarbicanWorkers:
description: Set the number of workers for barbican::wsgi::apache
default: '%{::processorcount}'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
BarbicanDebug:
default: ''
description: Set to True to enable debugging Barbican service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
RpcUserName:
default: guest
description: The username for messaging backend
type: string
RpcPassword:
description: The password for messaging backend
type: string
hidden: true
RpcUseSSL:
default: false
description: >
Messaging client subscriber parameter to specify
an SSL connection to the messaging host.
type: string
conditions:
service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
@ -126,37 +168,127 @@ conditions:
resources:
ContainersCommon:
type: ./containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
BarbicanApiBase:
type: ../../puppet/services/barbican-api.yaml
ApacheServiceBase:
type: ../../puppet/services/apache.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ContainersCommon:
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
BarbicanApiLogging:
type: OS::TripleO::Services::Logging::BarbicanApi
outputs:
role_data:
description: Role data for the Barbican API role.
value:
service_name: {get_attr: [BarbicanApiBase, role_data, service_name]}
service_name: barbican_api
config_settings:
map_merge:
- get_attr: [BarbicanApiBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [BarbicanApiLogging, config_settings]
- apache::default_vhost: false
service_config_settings: {get_attr: [BarbicanApiBase, role_data, service_config_settings]}
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
barbican::api::enable_queue: true
barbican::api::logging::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: BarbicanDebug }
barbican::api::notification_driver: {get_param: NotificationDriver}
# TODO(ansmith): remove once p-t-o switches to oslo params
barbican::api::rabbit_use_ssl: {get_param: RpcUseSSL}
barbican::api::rabbit_userid: {get_param: RpcUserName}
barbican::api::rabbit_password: {get_param: RpcPassword}
barbican::api::rabbit_port: {get_param: RpcPort}
barbican::api::rabbit_heartbeat_timeout_threshold: 60
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: barbican
password: {get_param: BarbicanPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /barbican
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
tripleo::barbican_api::firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
service_config_settings:
mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
barbican::keystone::auth::password: {get_param: BarbicanPassword}
barbican::keystone::auth::region: {get_param: KeystoneRegion}
barbican::keystone::auth::tenant: 'service'
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
nova_compute:
nova::compute::keymgr_backend: >
castellan.key_manager.barbican_key_manager.BarbicanKeyManager
nova::compute::barbican_endpoint:
get_param: [EndpointMap, BarbicanInternal, uri]
nova::compute::barbican_auth_endpoint:
get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
cinder_api:
cinder::api::keymgr_backend: >
castellan.key_manager.barbican_key_manager.BarbicanKeyManager
cinder::api::keymgr_encryption_api_url:
get_param: [EndpointMap, BarbicanInternal, uri]
cinder::api::keymgr_encryption_auth_url:
get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
glance_api:
glance::api::keymgr_backend: >
castellan.key_manager.barbican_key_manager.BarbicanKeyManager
glance::api::keymgr_encryption_api_url:
get_param: [EndpointMap, BarbicanInternal, uri]
glance::api::keymgr_encryption_auth_url:
get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: barbican
@ -164,7 +296,7 @@ outputs:
step_config:
list_join:
- "\n"
- - {get_attr: [BarbicanApiBase, role_data, step_config]}
- - "include ::tripleo::profile::base::barbican::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerBarbicanConfigImage}
kolla_config:
@ -309,7 +441,6 @@ outputs:
{get_param: ATOSVars}
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
@ -528,7 +659,7 @@ outputs:
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
port: {get_param: RpcPort}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@ -552,7 +683,7 @@ outputs:
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
port: {get_param: RpcPort}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@ -602,4 +733,4 @@ outputs:
- barbican_keystone_listener
- barbican_worker
metadata_settings:
get_attr: [BarbicanApiBase, role_data, metadata_settings]
get_attr: [ApacheServiceBase, role_data, metadata_settings]
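Review bot: The removal of `BarbicanPkcs11CryptoMKEKLength`, `BarbicanPkcs11CryptoEncryptionMechanism` and `BarbicanPkcs11AlwaysSetCkaSensitive` from `parameters` in the first three hunks (each header shrinks from 10 lines to 6) goes unexplained: the commit message describes only a merge of the puppet and docker templates. If the `docker_config` or `kolla_config` blocks outside these hunks still `get_param` any of them, Heat would reject the template; if they were redundant with the PKCS#11 backend template, saying so in the commit message would spare the next reader of the HSM configuration path from hunting for where the MKEK length and `CKA_SENSITIVE` settings went. Separately, `barbican::keystone::notification::enable_keystone_notification: True` uses a capitalised YAML 1.1 boolean while the rest of the file writes `true`/`false`; `barbican::keystone::notification::enable_keystone_notification: true` keeps the value and satisfies yamllint's truthy rule. The `role_data` output continues beyond the hunks shown here.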


@ -14,4 +14,4 @@ parameter_defaults:
resource_registry:
OS::TripleO::Services::BarbicanBackendDogtag: ../puppet/services/barbican-backend-dogtag.yaml
OS::TripleO::Services::BarbicanBackendDogtag: ../deployment/barbican/barbican-backend-dogtag-puppet.yaml


@ -12,4 +12,4 @@ parameter_defaults:
# BarbicanKmipStoreGlobalDefault: Whether this plugin is the global default plugin
resource_registry:
OS::TripleO::Services::BarbicanBackendKmip: ../puppet/services/barbican-backend-kmip.yaml
OS::TripleO::Services::BarbicanBackendKmip: ../deployment/barbican/barbican-backend-kmip-puppet.yaml


@ -27,4 +27,4 @@ parameter_defaults:
# atos_hsm_ip_address:
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml


@ -36,4 +36,4 @@ parameter_defaults:
# thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml


@ -15,4 +15,4 @@ parameter_defaults:
BarbicanPkcs11AlwaysSetCkaSensitive: true
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml


@ -10,4 +10,4 @@ parameter_defaults:
# -- defaults to false
resource_registry:
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml


@ -1,4 +1,4 @@
# A Heat environment file which can be used to enable
# Barbican with the default secret store backend.
resource_registry:
OS::TripleO::Services::BarbicanApi: ../../puppet/services/barbican-api.yaml
OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml


@ -1,4 +1,4 @@
# A Heat environment file which can be used to enable
# Barbican with the default secret store backend.
resource_registry:
OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml


@ -1,206 +0,0 @@
heat_template_version: rocky
description: >
OpenStack Barbican API service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BarbicanPassword:
description: The password for the barbican service account.
type: string
hidden: true
BarbicanWorkers:
description: Set the number of workers for barbican::wsgi::apache
default: '%{::processorcount}'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
BarbicanDebug:
default: ''
description: Set to True to enable debugging Barbican service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
RpcUserName:
default: guest
description: The username for messaging backend
type: string
RpcPassword:
description: The password for messaging backend
type: string
hidden: true
RpcUseSSL:
default: false
description: >
Messaging client subscriber parameter to specify
an SSL connection to the messaging host.
type: string
resources:
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
conditions:
service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
outputs:
role_data:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
barbican::api::enable_queue: true
barbican::api::logging::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: BarbicanDebug }
barbican::api::notification_driver: {get_param: NotificationDriver}
# TODO(ansmith): remove once p-t-o switches to oslo params
barbican::api::rabbit_use_ssl: {get_param: RpcUseSSL}
barbican::api::rabbit_userid: {get_param: RpcUserName}
barbican::api::rabbit_password: {get_param: RpcPassword}
barbican::api::rabbit_port: {get_param: RpcPort}
barbican::api::rabbit_heartbeat_timeout_threshold: 60
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: barbican
password: {get_param: BarbicanPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /barbican
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
tripleo::barbican_api::firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
step_config: |
include ::tripleo::profile::base::barbican::api
service_config_settings:
mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
barbican::keystone::auth::password: {get_param: BarbicanPassword}
barbican::keystone::auth::region: {get_param: KeystoneRegion}
barbican::keystone::auth::tenant: 'service'
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
nova_compute:
nova::compute::keymgr_backend: >
castellan.key_manager.barbican_key_manager.BarbicanKeyManager
nova::compute::barbican_endpoint:
get_param: [EndpointMap, BarbicanInternal, uri]
nova::compute::barbican_auth_endpoint:
get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
cinder_api:
cinder::api::keymgr_backend: >
castellan.key_manager.barbican_key_manager.BarbicanKeyManager
cinder::api::keymgr_encryption_api_url:
get_param: [EndpointMap, BarbicanInternal, uri]
cinder::api::keymgr_encryption_auth_url:
get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
glance_api:
glance::api::keymgr_backend: >
castellan.key_manager.barbican_key_manager.BarbicanKeyManager
glance::api::keymgr_encryption_api_url:
get_param: [EndpointMap, BarbicanInternal, uri]
glance::api::keymgr_encryption_auth_url:
get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks: []