flatten the barbican service configurations

This change combines the previous puppet and docker files into a single file that performs the docker service installation and configuration for the barbican API service. The barbican backend files are also moved into the deployment/barbican directory for consistency. Change-Id: Ib4a3993ac352e9e00f72ddf374042b574f6d55d6 Related-Blueprint: services-yaml-flattening
2019-02-04 14:21:46 -05:00 · 2019-02-04 14:21:46 -05:00 · 5e46c2a579
parent afe1cb5581
commit 5e46c2a579
16 changed files with 173 additions and 248 deletions
--- a/ci/environments/scenario002-multinode-containers.yaml
+++ b/ci/environments/scenario002-multinode-containers.yaml
@ -1,7 +1,7 @@
 resource_registry:
  OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml
  OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml
-  OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
  OS::TripleO::Services::Zaqar: ../../deployment/zaqar/zaqar-container-puppet.yaml
  OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml
  OS::TripleO::Services::PankoApi: ../../deployment/panko/panko-api-container-puppet.yaml
@ -15,7 +15,7 @@ resource_registry:
  OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml
  OS::TripleO::Services::CinderBackup: ../../deployment/cinder/cinder-backup-pacemaker-puppet.yaml
  OS::TripleO::Services::CinderVolume: ../../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
-  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../puppet/services/barbican-backend-simple-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
  OS::TripleO::Services::Keepalived: OS::Heat::None
  # Some infra instances don't pass the ping test but are otherwise working.
  # Since the OVB jobs also test this functionality we can shut it off here.
--- a/ci/environments/scenario002-standalone.yaml
+++ b/ci/environments/scenario002-standalone.yaml
@ -13,7 +13,7 @@ resource_registry:
  OS::TripleO::Services::HeatApiCfn: ../../deployment/heat/heat-api-cfn-container-puppet.yaml
  OS::TripleO::Services::HeatApiCloudwatch: ../../deployment/heat/heat-api-cloudwatch-disabled-puppet.yaml
  OS::TripleO::Services::HeatEngine: ../../deployment/heat/heat-engine-container-puppet.yaml
-  OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
  OS::TripleO::Services::Zaqar: ../../deployment/zaqar/zaqar-container-puppet.yaml
  OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml
  OS::TripleO::Services::PankoApi: ../../deployment/panko/panko-api-container-puppet.yaml
@ -27,7 +27,7 @@ resource_registry:
  OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml
  OS::TripleO::Services::CinderBackup: ../../deployment/cinder/cinder-backup-pacemaker-puppet.yaml
  OS::TripleO::Services::CinderVolume: ../../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
-  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../puppet/services/barbican-backend-simple-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
  # Some infra instances don't pass the ping test but are otherwise working.
  # Since the OVB jobs also test this functionality we can shut it off here.
  OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@ -71,10 +71,6 @@ parameters:
    description: Label for Master KEK
    type: string
    default: ''
-  BarbicanPkcs11CryptoMKEKLength:
-    description: Length of Master KEK in bytes
-    type: string
-    default: '256'
  BarbicanPkcs11CryptoHMACLabel:
    description: Label for the HMAC key
    type: string
@ -83,10 +79,6 @@ parameters:
    description: Slot Id for the HSM
    type: string
    default: '0'
-  BarbicanPkcs11CryptoEncryptionMechanism:
-    description: Cryptoki Mechanism used for encryption
-    type: string
-    default: 'CKM_AES_CBC'
  BarbicanPkcs11CryptoHMACKeyType:
    description: Cryptoki Key Type for Master HMAC key
    type: string
@ -95,10 +87,6 @@ parameters:
    description: Cryptoki Mechanism used to generate Master HMAC Key
    type: string
    default: 'CKM_AES_KEY_GEN'
-  BarbicanPkcs11AlwaysSetCkaSensitive:
-    description: Always set CKA_SENSITIVE=CK_TRUE
-    type: boolean
-    default: true
  ThalesHSMNetworkName:
    description: The network that the HSM is listening on.
    type: string
@ -113,8 +101,62 @@ parameters:
    description: Hash of atos-hsm role variables used to
                 install ATOS client software.
    type: json
+  BarbicanPassword:
+    description: The password for the barbican service account.
+    type: string
+    hidden: true
+  BarbicanWorkers:
+    description: Set the number of workers for barbican::wsgi::apache
+    default: '%{::processorcount}'
+    type: string
+  Debug:
+    default: false
+    description: Set to True to enable debugging on all services.
+    type: boolean
+  BarbicanDebug:
+    default: ''
+    description: Set to True to enable debugging Barbican service.
+    type: string
+    constraints:
+      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
+  KeystoneRegion:
+    type: string
+    default: 'regionOne'
+    description: Keystone region for endpoint
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  BarbicanPolicies:
+    description: |
+      A hash of policies to configure for Barbican.
+      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
+  NotificationDriver:
+    type: string
+    default: 'messagingv2'
+    description: Driver or drivers to handle sending notifications.
+  RpcPort:
+    default: 5672
+    description: The network port for messaging backend
+    type: number
+  RpcUserName:
+    default: guest
+    description: The username for messaging backend
+    type: string
+  RpcPassword:
+    description: The password for messaging backend
+    type: string
+    hidden: true
+  RpcUseSSL:
+    default: false
+    description: >
+        Messaging client subscriber parameter to specify
+        an SSL connection to the messaging host.
+    type: string

 conditions:
+  service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  thales_hsm_enabled:   {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
  atos_hsm_enabled:     {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
@ -126,37 +168,127 @@ conditions:

 resources:

-  ContainersCommon:
-    type: ./containers-common.yaml
-
-  MySQLClient:
-    type: ../../deployment/database/mysql-client.yaml
-
-  BarbicanApiBase:
-    type: ../../puppet/services/barbican-api.yaml
+  ApacheServiceBase:
+    type: ../../puppet/services/apache.yaml
    properties:
-      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

+  ContainersCommon:
+    type: ../../docker/services/containers-common.yaml
+
+  MySQLClient:
+    type: ../database/mysql-client.yaml
+
  BarbicanApiLogging:
    type: OS::TripleO::Services::Logging::BarbicanApi

-
 outputs:
  role_data:
    description: Role data for the Barbican API role.
    value:
-      service_name: {get_attr: [BarbicanApiBase, role_data, service_name]}
+      service_name: barbican_api
      config_settings:
        map_merge:
-          - get_attr: [BarbicanApiBase, role_data, config_settings]
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - get_attr: [BarbicanApiLogging, config_settings]
          - apache::default_vhost: false
-      service_config_settings: {get_attr: [BarbicanApiBase, role_data, service_config_settings]}
+            barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
+            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::project_name: 'service'
+            barbican::keystone::notification::enable_keystone_notification: True
+            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
+            barbican::policy::policies: {get_param: BarbicanPolicies}
+            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
+            barbican::api::db_auto_create: false
+            barbican::api::enabled_certificate_plugins: ['simple_certificate']
+            barbican::api::enable_queue: true
+            barbican::api::logging::debug:
+              if:
+              - service_debug_unset
+              - {get_param: Debug }
+              - {get_param: BarbicanDebug }
+            barbican::api::notification_driver: {get_param: NotificationDriver}
+            # TODO(ansmith): remove once p-t-o switches to oslo params
+            barbican::api::rabbit_use_ssl: {get_param: RpcUseSSL}
+            barbican::api::rabbit_userid: {get_param: RpcUserName}
+            barbican::api::rabbit_password: {get_param: RpcPassword}
+            barbican::api::rabbit_port: {get_param: RpcPort}
+            barbican::api::rabbit_heartbeat_timeout_threshold: 60
+            barbican::api::service_name: 'httpd'
+            barbican::wsgi::apache::bind_host:
+              str_replace:
+                 template:
+                   "%{hiera('$NETWORK')}"
+                 params:
+                   $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
+            barbican::wsgi::apache::ssl:  {get_param: EnableInternalTLS}
+            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
+            barbican::wsgi::apache::servername:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
+            barbican::db::database_connection:
+              make_url:
+                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
+                username: barbican
+                password: {get_param: BarbicanPassword}
+                host: {get_param: [EndpointMap, MysqlInternal, host]}
+                path: /barbican
+                query:
+                  read_default_file: /etc/my.cnf.d/tripleo.cnf
+                  read_default_group: tripleo
+            tripleo::barbican_api::firewall_rules:
+              '117 barbican':
+                dport:
+                  - 9311
+                  - 13311
+      service_config_settings:
+        mysql:
+          barbican::db::mysql::password: {get_param: BarbicanPassword}
+          barbican::db::mysql::user: barbican
+          barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+          barbican::db::mysql::dbname: barbican
+          barbican::db::mysql::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"
+        keystone:
+          barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
+          barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
+          barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
+          barbican::keystone::auth::password: {get_param: BarbicanPassword}
+          barbican::keystone::auth::region: {get_param: KeystoneRegion}
+          barbican::keystone::auth::tenant: 'service'
+          tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
+        nova_compute:
+          nova::compute::keymgr_backend: >
+            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+          nova::compute::barbican_endpoint:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          nova::compute::barbican_auth_endpoint:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
+        cinder_api:
+          cinder::api::keymgr_backend: >
+            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+          cinder::api::keymgr_encryption_api_url:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          cinder::api::keymgr_encryption_auth_url:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
+        glance_api:
+          glance::api::keymgr_backend: >
+            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+          glance::api::keymgr_encryption_api_url:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          glance::api::keymgr_encryption_auth_url:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: barbican
@ -164,7 +296,7 @@ outputs:
        step_config:
          list_join:
            - "\n"
-            - - {get_attr: [BarbicanApiBase, role_data, step_config]}
+            - - "include ::tripleo::profile::base::barbican::api"
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: DockerBarbicanConfigImage}
      kolla_config:
@ -309,7 +441,6 @@ outputs:
                      {get_param: ATOSVars}
              - null
        - null
-
      docker_config:
        # db sync runs before permissions set by kolla_config
        step_2:
@ -528,7 +659,7 @@ outputs:
                        - yaql:
                            expression: str($.data.port)
                            data:
-                              port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
+                              port: {get_param: RpcPort}
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
@ -552,7 +683,7 @@ outputs:
                        - yaql:
                            expression: str($.data.port)
                            data:
-                              port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
+                              port: {get_param: RpcPort}
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
@ -602,4 +733,4 @@ outputs:
              - barbican_keystone_listener
              - barbican_worker
      metadata_settings:
-        get_attr: [BarbicanApiBase, role_data, metadata_settings]
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]
--- a/deployment/barbican/barbican-backend-dogtag-puppet.yaml
+++ b/deployment/barbican/barbican-backend-dogtag-puppet.yaml
--- a/deployment/barbican/barbican-backend-kmip-puppet.yaml
+++ b/deployment/barbican/barbican-backend-kmip-puppet.yaml
--- a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
+++ b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
--- a/deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
+++ b/deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
--- a/environments/barbican-backend-dogtag.yaml
+++ b/environments/barbican-backend-dogtag.yaml
@ -14,4 +14,4 @@ parameter_defaults:


 resource_registry:
-  OS::TripleO::Services::BarbicanBackendDogtag: ../puppet/services/barbican-backend-dogtag.yaml
+  OS::TripleO::Services::BarbicanBackendDogtag: ../deployment/barbican/barbican-backend-dogtag-puppet.yaml
--- a/environments/barbican-backend-kmip.yaml
+++ b/environments/barbican-backend-kmip.yaml
@ -12,4 +12,4 @@ parameter_defaults:
  # BarbicanKmipStoreGlobalDefault: Whether this plugin is the global default plugin

 resource_registry:
-  OS::TripleO::Services::BarbicanBackendKmip: ../puppet/services/barbican-backend-kmip.yaml
+  OS::TripleO::Services::BarbicanBackendKmip: ../deployment/barbican/barbican-backend-kmip-puppet.yaml
--- a/environments/barbican-backend-pkcs11-atos.yaml
+++ b/environments/barbican-backend-pkcs11-atos.yaml
@ -27,4 +27,4 @@ parameter_defaults:
    # atos_hsm_ip_address:

 resource_registry:
-  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
--- a/environments/barbican-backend-pkcs11-thales.yaml
+++ b/environments/barbican-backend-pkcs11-thales.yaml
@ -36,4 +36,4 @@ parameter_defaults:
    # thales_rfs_key: RSA Private key in PEM format used to log into RFS server.

 resource_registry:
-  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
--- a/environments/barbican-backend-pkcs11.yaml
+++ b/environments/barbican-backend-pkcs11.yaml
@ -15,4 +15,4 @@ parameter_defaults:
  BarbicanPkcs11AlwaysSetCkaSensitive: true

 resource_registry:
-  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
--- a/environments/barbican-backend-simple-crypto.yaml
+++ b/environments/barbican-backend-simple-crypto.yaml
@ -10,4 +10,4 @@ parameter_defaults:
  #     -- defaults to false

 resource_registry:
-  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
--- a/environments/services-baremetal/barbican.yaml
+++ b/environments/services-baremetal/barbican.yaml
@ -1,4 +1,4 @@
 # A Heat environment file which can be used to enable
 # Barbican with the default secret store backend.
 resource_registry:
-  OS::TripleO::Services::BarbicanApi: ../../puppet/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
--- a/environments/services/barbican.yaml
+++ b/environments/services/barbican.yaml
@ -1,4 +1,4 @@
 # A Heat environment file which can be used to enable
 # Barbican with the default secret store backend.
 resource_registry:
-  OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@ -1,206 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  OpenStack Barbican API service configured with Puppet
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  BarbicanPassword:
-    description: The password for the barbican service account.
-    type: string
-    hidden: true
-  BarbicanWorkers:
-    description: Set the number of workers for barbican::wsgi::apache
-    default: '%{::processorcount}'
-    type: string
-  Debug:
-    default: false
-    description: Set to True to enable debugging on all services.
-    type: boolean
-  BarbicanDebug:
-    default: ''
-    description: Set to True to enable debugging Barbican service.
-    type: string
-    constraints:
-      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
-  KeystoneRegion:
-    type: string
-    default: 'regionOne'
-    description: Keystone region for endpoint
-  EnableInternalTLS:
-    type: boolean
-    default: false
-  BarbicanPolicies:
-    description: |
-      A hash of policies to configure for Barbican.
-      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
-    default: {}
-    type: json
-  NotificationDriver:
-    type: string
-    default: 'messagingv2'
-    description: Driver or drivers to handle sending notifications.
-  RpcPort:
-    default: 5672
-    description: The network port for messaging backend
-    type: number
-  RpcUserName:
-    default: guest
-    description: The username for messaging backend
-    type: string
-  RpcPassword:
-    description: The password for messaging backend
-    type: string
-    hidden: true
-  RpcUseSSL:
-    default: false
-    description: >
-        Messaging client subscriber parameter to specify
-        an SSL connection to the messaging host.
-    type: string
-
-resources:
-
-  ApacheServiceBase:
-    type: ./apache.yaml
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-conditions:
-  service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
-
-outputs:
-  role_data:
-    description: Role data for the Barbican API role.
-    value:
-      service_name: barbican_api
-      config_settings:
-        map_merge:
-          - get_attr: [ApacheServiceBase, role_data, config_settings]
-          - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
-            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::project_name: 'service'
-            barbican::keystone::notification::enable_keystone_notification: True
-            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
-            barbican::policy::policies: {get_param: BarbicanPolicies}
-            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
-            barbican::api::db_auto_create: false
-            barbican::api::enabled_certificate_plugins: ['simple_certificate']
-            barbican::api::enable_queue: true
-            barbican::api::logging::debug:
-              if:
-              - service_debug_unset
-              - {get_param: Debug }
-              - {get_param: BarbicanDebug }
-            barbican::api::notification_driver: {get_param: NotificationDriver}
-            # TODO(ansmith): remove once p-t-o switches to oslo params
-            barbican::api::rabbit_use_ssl: {get_param: RpcUseSSL}
-            barbican::api::rabbit_userid: {get_param: RpcUserName}
-            barbican::api::rabbit_password: {get_param: RpcPassword}
-            barbican::api::rabbit_port: {get_param: RpcPort}
-            barbican::api::rabbit_heartbeat_timeout_threshold: 60
-            barbican::api::service_name: 'httpd'
-            barbican::wsgi::apache::bind_host:
-              str_replace:
-                 template:
-                   "%{hiera('$NETWORK')}"
-                 params:
-                   $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
-            barbican::wsgi::apache::ssl:  {get_param: EnableInternalTLS}
-            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
-            barbican::wsgi::apache::servername:
-              str_replace:
-                template:
-                  "%{hiera('fqdn_$NETWORK')}"
-                params:
-                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
-            barbican::db::database_connection:
-              make_url:
-                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
-                username: barbican
-                password: {get_param: BarbicanPassword}
-                host: {get_param: [EndpointMap, MysqlInternal, host]}
-                path: /barbican
-                query:
-                  read_default_file: /etc/my.cnf.d/tripleo.cnf
-                  read_default_group: tripleo
-            tripleo::barbican_api::firewall_rules:
-              '117 barbican':
-                dport:
-                  - 9311
-                  - 13311
-      step_config: |
-        include ::tripleo::profile::base::barbican::api
-      service_config_settings:
-        mysql:
-          barbican::db::mysql::password: {get_param: BarbicanPassword}
-          barbican::db::mysql::user: barbican
-          barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-          barbican::db::mysql::dbname: barbican
-          barbican::db::mysql::allowed_hosts:
-            - '%'
-            - "%{hiera('mysql_bind_host')}"
-        keystone:
-          barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
-          barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
-          barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
-          barbican::keystone::auth::password: {get_param: BarbicanPassword}
-          barbican::keystone::auth::region: {get_param: KeystoneRegion}
-          barbican::keystone::auth::tenant: 'service'
-          tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
-        nova_compute:
-          nova::compute::keymgr_backend: >
-            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-          nova::compute::barbican_endpoint:
-            get_param: [EndpointMap, BarbicanInternal, uri]
-          nova::compute::barbican_auth_endpoint:
-            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
-        cinder_api:
-          cinder::api::keymgr_backend: >
-            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-          cinder::api::keymgr_encryption_api_url:
-            get_param: [EndpointMap, BarbicanInternal, uri]
-          cinder::api::keymgr_encryption_auth_url:
-            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
-        glance_api:
-          glance::api::keymgr_backend: >
-            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-          glance::api::keymgr_encryption_api_url:
-            get_param: [EndpointMap, BarbicanInternal, uri]
-          glance::api::keymgr_encryption_auth_url:
-            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
-      metadata_settings:
-        get_attr: [ApacheServiceBase, role_data, metadata_settings]
-      upgrade_tasks: []