flatten the barbican service configurations

This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the barbican API service. The barbican backend files are also
moved into the deployment/barbican directory for consistency.

Change-Id: Ib4a3993ac352e9e00f72ddf374042b574f6d55d6
Related-Blueprint: services-yaml-flattening

ci/environments/scenario002-multinode-containers.yaml

@@ -1,7 +1,7 @@
 resource_registry:
   OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml
   OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml
-  OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
   OS::TripleO::Services::Zaqar: ../../deployment/zaqar/zaqar-container-puppet.yaml
   OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml
   OS::TripleO::Services::PankoApi: ../../deployment/panko/panko-api-container-puppet.yaml
@@ -15,7 +15,7 @@ resource_registry:
   OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml
   OS::TripleO::Services::CinderBackup: ../../deployment/cinder/cinder-backup-pacemaker-puppet.yaml
   OS::TripleO::Services::CinderVolume: ../../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
-  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../puppet/services/barbican-backend-simple-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
   OS::TripleO::Services::Keepalived: OS::Heat::None
   # Some infra instances don't pass the ping test but are otherwise working.
   # Since the OVB jobs also test this functionality we can shut it off here.

ci/environments/scenario002-standalone.yaml

@@ -13,7 +13,7 @@ resource_registry:
   OS::TripleO::Services::HeatApiCfn: ../../deployment/heat/heat-api-cfn-container-puppet.yaml
   OS::TripleO::Services::HeatApiCloudwatch: ../../deployment/heat/heat-api-cloudwatch-disabled-puppet.yaml
   OS::TripleO::Services::HeatEngine: ../../deployment/heat/heat-engine-container-puppet.yaml
-  OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml
   OS::TripleO::Services::Zaqar: ../../deployment/zaqar/zaqar-container-puppet.yaml
   OS::TripleO::Services::Ec2Api: ../../docker/services/ec2-api.yaml
   OS::TripleO::Services::PankoApi: ../../deployment/panko/panko-api-container-puppet.yaml
@@ -27,7 +27,7 @@ resource_registry:
   OS::TripleO::Services::MySQL: ../../docker/services/pacemaker/database/mysql.yaml
   OS::TripleO::Services::CinderBackup: ../../deployment/cinder/cinder-backup-pacemaker-puppet.yaml
   OS::TripleO::Services::CinderVolume: ../../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
-  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../puppet/services/barbican-backend-simple-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml
   # Some infra instances don't pass the ping test but are otherwise working.
   # Since the OVB jobs also test this functionality we can shut it off here.
   OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml

deployment/barbican/barbican-api-container-puppet.yaml

@@ -71,10 +71,6 @@ parameters:
     description: Label for Master KEK
     type: string
     default: ''
-  BarbicanPkcs11CryptoMKEKLength:
-    description: Length of Master KEK in bytes
-    type: string
-    default: '256'
   BarbicanPkcs11CryptoHMACLabel:
     description: Label for the HMAC key
     type: string
@@ -83,10 +79,6 @@ parameters:
     description: Slot Id for the HSM
     type: string
     default: '0'
-  BarbicanPkcs11CryptoEncryptionMechanism:
-    description: Cryptoki Mechanism used for encryption
-    type: string
-    default: 'CKM_AES_CBC'
   BarbicanPkcs11CryptoHMACKeyType:
     description: Cryptoki Key Type for Master HMAC key
     type: string
@@ -95,10 +87,6 @@ parameters:
     description: Cryptoki Mechanism used to generate Master HMAC Key
     type: string
     default: 'CKM_AES_KEY_GEN'
-  BarbicanPkcs11AlwaysSetCkaSensitive:
-    description: Always set CKA_SENSITIVE=CK_TRUE
-    type: boolean
-    default: true
   ThalesHSMNetworkName:
     description: The network that the HSM is listening on.
     type: string
@@ -113,8 +101,62 @@ parameters:
     description: Hash of atos-hsm role variables used to
                  install ATOS client software.
     type: json
+  BarbicanPassword:
+    description: The password for the barbican service account.
+    type: string
+    hidden: true
+  BarbicanWorkers:
+    description: Set the number of workers for barbican::wsgi::apache
+    default: '%{::processorcount}'
+    type: string
+  Debug:
+    default: false
+    description: Set to True to enable debugging on all services.
+    type: boolean
+  BarbicanDebug:
+    default: ''
+    description: Set to True to enable debugging Barbican service.
+    type: string
+    constraints:
+      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
+  KeystoneRegion:
+    type: string
+    default: 'regionOne'
+    description: Keystone region for endpoint
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  BarbicanPolicies:
+    description: |
+      A hash of policies to configure for Barbican.
+      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
+  NotificationDriver:
+    type: string
+    default: 'messagingv2'
+    description: Driver or drivers to handle sending notifications.
+  RpcPort:
+    default: 5672
+    description: The network port for messaging backend
+    type: number
+  RpcUserName:
+    default: guest
+    description: The username for messaging backend
+    type: string
+  RpcPassword:
+    description: The password for messaging backend
+    type: string
+    hidden: true
+  RpcUseSSL:
+    default: false
+    description: >
+        Messaging client subscriber parameter to specify
+        an SSL connection to the messaging host.
+    type: string
 
 conditions:
+  service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   thales_hsm_enabled:   {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
   atos_hsm_enabled:     {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
@@ -126,37 +168,127 @@ conditions:
 
 resources:
 
-  ContainersCommon:
+  ApacheServiceBase:
-    type: ./containers-common.yaml
+    type: ../../puppet/services/apache.yaml
-
-  MySQLClient:
-    type: ../../deployment/database/mysql-client.yaml
-
-  BarbicanApiBase:
-    type: ../../puppet/services/barbican-api.yaml
     properties:
-      EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+  ContainersCommon:
+    type: ../../docker/services/containers-common.yaml
+
+  MySQLClient:
+    type: ../database/mysql-client.yaml
+
   BarbicanApiLogging:
     type: OS::TripleO::Services::Logging::BarbicanApi
 
-
 outputs:
   role_data:
     description: Role data for the Barbican API role.
     value:
-      service_name: {get_attr: [BarbicanApiBase, role_data, service_name]}
+      service_name: barbican_api
       config_settings:
         map_merge:
-          - get_attr: [BarbicanApiBase, role_data, config_settings]
+          - get_attr: [ApacheServiceBase, role_data, config_settings]
           - get_attr: [BarbicanApiLogging, config_settings]
           - apache::default_vhost: false
-      service_config_settings: {get_attr: [BarbicanApiBase, role_data, service_config_settings]}
+            barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
+            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::project_name: 'service'
+            barbican::keystone::notification::enable_keystone_notification: True
+            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
+            barbican::policy::policies: {get_param: BarbicanPolicies}
+            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
+            barbican::api::db_auto_create: false
+            barbican::api::enabled_certificate_plugins: ['simple_certificate']
+            barbican::api::enable_queue: true
+            barbican::api::logging::debug:
+              if:
+              - service_debug_unset
+              - {get_param: Debug }
+              - {get_param: BarbicanDebug }
+            barbican::api::notification_driver: {get_param: NotificationDriver}
+            # TODO(ansmith): remove once p-t-o switches to oslo params
+            barbican::api::rabbit_use_ssl: {get_param: RpcUseSSL}
+            barbican::api::rabbit_userid: {get_param: RpcUserName}
+            barbican::api::rabbit_password: {get_param: RpcPassword}
+            barbican::api::rabbit_port: {get_param: RpcPort}
+            barbican::api::rabbit_heartbeat_timeout_threshold: 60
+            barbican::api::service_name: 'httpd'
+            barbican::wsgi::apache::bind_host:
+              str_replace:
+                 template:
+                   "%{hiera('$NETWORK')}"
+                 params:
+                   $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
+            barbican::wsgi::apache::ssl:  {get_param: EnableInternalTLS}
+            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
+            barbican::wsgi::apache::servername:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
+            barbican::db::database_connection:
+              make_url:
+                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
+                username: barbican
+                password: {get_param: BarbicanPassword}
+                host: {get_param: [EndpointMap, MysqlInternal, host]}
+                path: /barbican
+                query:
+                  read_default_file: /etc/my.cnf.d/tripleo.cnf
+                  read_default_group: tripleo
+            tripleo::barbican_api::firewall_rules:
+              '117 barbican':
+                dport:
+                  - 9311
+                  - 13311
+      service_config_settings:
+        mysql:
+          barbican::db::mysql::password: {get_param: BarbicanPassword}
+          barbican::db::mysql::user: barbican
+          barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+          barbican::db::mysql::dbname: barbican
+          barbican::db::mysql::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"
+        keystone:
+          barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
+          barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
+          barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
+          barbican::keystone::auth::password: {get_param: BarbicanPassword}
+          barbican::keystone::auth::region: {get_param: KeystoneRegion}
+          barbican::keystone::auth::tenant: 'service'
+          tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
+        nova_compute:
+          nova::compute::keymgr_backend: >
+            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+          nova::compute::barbican_endpoint:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          nova::compute::barbican_auth_endpoint:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
+        cinder_api:
+          cinder::api::keymgr_backend: >
+            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+          cinder::api::keymgr_encryption_api_url:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          cinder::api::keymgr_encryption_auth_url:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
+        glance_api:
+          glance::api::keymgr_backend: >
+            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+          glance::api::keymgr_encryption_api_url:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          glance::api::keymgr_encryption_auth_url:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: barbican
@@ -164,7 +296,7 @@ outputs:
         step_config:
           list_join:
             - "\n"
-            - - {get_attr: [BarbicanApiBase, role_data, step_config]}
+            - - "include ::tripleo::profile::base::barbican::api"
               - {get_attr: [MySQLClient, role_data, step_config]}
         config_image: {get_param: DockerBarbicanConfigImage}
       kolla_config:
@@ -309,7 +441,6 @@ outputs:
                       {get_param: ATOSVars}
               - null
         - null
-
       docker_config:
         # db sync runs before permissions set by kolla_config
         step_2:
@@ -528,7 +659,7 @@ outputs:
                         - yaql:
                             expression: str($.data.port)
                             data:
-                              port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
+                              port: {get_param: RpcPort}
                 volumes:
                   list_concat:
                     - {get_attr: [ContainersCommon, volumes]}
@@ -552,7 +683,7 @@ outputs:
                         - yaql:
                             expression: str($.data.port)
                             data:
-                              port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
+                              port: {get_param: RpcPort}
                 volumes:
                   list_concat:
                     - {get_attr: [ContainersCommon, volumes]}
@@ -602,4 +733,4 @@ outputs:
               - barbican_keystone_listener
               - barbican_worker
       metadata_settings:
-        get_attr: [BarbicanApiBase, role_data, metadata_settings]
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]

environments/barbican-backend-dogtag.yaml

@@ -14,4 +14,4 @@ parameter_defaults:
 
 
 resource_registry:
-  OS::TripleO::Services::BarbicanBackendDogtag: ../puppet/services/barbican-backend-dogtag.yaml
+  OS::TripleO::Services::BarbicanBackendDogtag: ../deployment/barbican/barbican-backend-dogtag-puppet.yaml

environments/barbican-backend-kmip.yaml

@@ -12,4 +12,4 @@ parameter_defaults:
   # BarbicanKmipStoreGlobalDefault: Whether this plugin is the global default plugin
 
 resource_registry:
-  OS::TripleO::Services::BarbicanBackendKmip: ../puppet/services/barbican-backend-kmip.yaml
+  OS::TripleO::Services::BarbicanBackendKmip: ../deployment/barbican/barbican-backend-kmip-puppet.yaml

environments/barbican-backend-pkcs11-atos.yaml

@@ -27,4 +27,4 @@ parameter_defaults:
     # atos_hsm_ip_address:
 
 resource_registry:
-  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml

environments/barbican-backend-pkcs11-thales.yaml

@@ -36,4 +36,4 @@ parameter_defaults:
     # thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
 
 resource_registry:
-  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml

environments/barbican-backend-pkcs11.yaml

@@ -15,4 +15,4 @@ parameter_defaults:
   BarbicanPkcs11AlwaysSetCkaSensitive: true
 
 resource_registry:
-  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml

environments/barbican-backend-simple-crypto.yaml

@@ -10,4 +10,4 @@ parameter_defaults:
   #     -- defaults to false
 
 resource_registry:
-  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
+  OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../deployment/barbican/barbican-backend-simple-crypto-puppet.yaml

environments/services-baremetal/barbican.yaml

@@ -1,4 +1,4 @@
 # A Heat environment file which can be used to enable
 # Barbican with the default secret store backend.
 resource_registry:
-  OS::TripleO::Services::BarbicanApi: ../../puppet/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml

environments/services/barbican.yaml

@@ -1,4 +1,4 @@
 # A Heat environment file which can be used to enable
 # Barbican with the default secret store backend.
 resource_registry:
-  OS::TripleO::Services::BarbicanApi: ../../docker/services/barbican-api.yaml
+  OS::TripleO::Services::BarbicanApi: ../../deployment/barbican/barbican-api-container-puppet.yaml

puppet/services/barbican-api.yaml

@@ -1,206 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  OpenStack Barbican API service configured with Puppet
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  BarbicanPassword:
-    description: The password for the barbican service account.
-    type: string
-    hidden: true
-  BarbicanWorkers:
-    description: Set the number of workers for barbican::wsgi::apache
-    default: '%{::processorcount}'
-    type: string
-  Debug:
-    default: false
-    description: Set to True to enable debugging on all services.
-    type: boolean
-  BarbicanDebug:
-    default: ''
-    description: Set to True to enable debugging Barbican service.
-    type: string
-    constraints:
-      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
-  KeystoneRegion:
-    type: string
-    default: 'regionOne'
-    description: Keystone region for endpoint
-  EnableInternalTLS:
-    type: boolean
-    default: false
-  BarbicanPolicies:
-    description: |
-      A hash of policies to configure for Barbican.
-      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
-    default: {}
-    type: json
-  NotificationDriver:
-    type: string
-    default: 'messagingv2'
-    description: Driver or drivers to handle sending notifications.
-  RpcPort:
-    default: 5672
-    description: The network port for messaging backend
-    type: number
-  RpcUserName:
-    default: guest
-    description: The username for messaging backend
-    type: string
-  RpcPassword:
-    description: The password for messaging backend
-    type: string
-    hidden: true
-  RpcUseSSL:
-    default: false
-    description: >
-        Messaging client subscriber parameter to specify
-        an SSL connection to the messaging host.
-    type: string
-
-resources:
-
-  ApacheServiceBase:
-    type: ./apache.yaml
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-conditions:
-  service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
-
-outputs:
-  role_data:
-    description: Role data for the Barbican API role.
-    value:
-      service_name: barbican_api
-      config_settings:
-        map_merge:
-          - get_attr: [ApacheServiceBase, role_data, config_settings]
-          - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
-            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::project_name: 'service'
-            barbican::keystone::notification::enable_keystone_notification: True
-            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
-            barbican::policy::policies: {get_param: BarbicanPolicies}
-            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
-            barbican::api::db_auto_create: false
-            barbican::api::enabled_certificate_plugins: ['simple_certificate']
-            barbican::api::enable_queue: true
-            barbican::api::logging::debug:
-              if:
-              - service_debug_unset
-              - {get_param: Debug }
-              - {get_param: BarbicanDebug }
-            barbican::api::notification_driver: {get_param: NotificationDriver}
-            # TODO(ansmith): remove once p-t-o switches to oslo params
-            barbican::api::rabbit_use_ssl: {get_param: RpcUseSSL}
-            barbican::api::rabbit_userid: {get_param: RpcUserName}
-            barbican::api::rabbit_password: {get_param: RpcPassword}
-            barbican::api::rabbit_port: {get_param: RpcPort}
-            barbican::api::rabbit_heartbeat_timeout_threshold: 60
-            barbican::api::service_name: 'httpd'
-            barbican::wsgi::apache::bind_host:
-              str_replace:
-                 template:
-                   "%{hiera('$NETWORK')}"
-                 params:
-                   $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
-            barbican::wsgi::apache::ssl:  {get_param: EnableInternalTLS}
-            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
-            barbican::wsgi::apache::servername:
-              str_replace:
-                template:
-                  "%{hiera('fqdn_$NETWORK')}"
-                params:
-                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
-            barbican::db::database_connection:
-              make_url:
-                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
-                username: barbican
-                password: {get_param: BarbicanPassword}
-                host: {get_param: [EndpointMap, MysqlInternal, host]}
-                path: /barbican
-                query:
-                  read_default_file: /etc/my.cnf.d/tripleo.cnf
-                  read_default_group: tripleo
-            tripleo::barbican_api::firewall_rules:
-              '117 barbican':
-                dport:
-                  - 9311
-                  - 13311
-      step_config: |
-        include ::tripleo::profile::base::barbican::api
-      service_config_settings:
-        mysql:
-          barbican::db::mysql::password: {get_param: BarbicanPassword}
-          barbican::db::mysql::user: barbican
-          barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-          barbican::db::mysql::dbname: barbican
-          barbican::db::mysql::allowed_hosts:
-            - '%'
-            - "%{hiera('mysql_bind_host')}"
-        keystone:
-          barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
-          barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
-          barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
-          barbican::keystone::auth::password: {get_param: BarbicanPassword}
-          barbican::keystone::auth::region: {get_param: KeystoneRegion}
-          barbican::keystone::auth::tenant: 'service'
-          tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
-        nova_compute:
-          nova::compute::keymgr_backend: >
-            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-          nova::compute::barbican_endpoint:
-            get_param: [EndpointMap, BarbicanInternal, uri]
-          nova::compute::barbican_auth_endpoint:
-            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
-        cinder_api:
-          cinder::api::keymgr_backend: >
-            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-          cinder::api::keymgr_encryption_api_url:
-            get_param: [EndpointMap, BarbicanInternal, uri]
-          cinder::api::keymgr_encryption_auth_url:
-            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
-        glance_api:
-          glance::api::keymgr_backend: >
-            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
-          glance::api::keymgr_encryption_api_url:
-            get_param: [EndpointMap, BarbicanInternal, uri]
-          glance::api::keymgr_encryption_auth_url:
-            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
-      metadata_settings:
-        get_attr: [ApacheServiceBase, role_data, metadata_settings]
-      upgrade_tasks: []