Merge "Switch barbican actions to use kolla_config"
commit
5e7ed965c6
|
@ -344,6 +344,75 @@ outputs:
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
/var/lib/kolla/config_files/barbican_api_db_sync.json:
|
||||||
|
command:
|
||||||
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||||
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||||
|
# final single quote that's part of the list_join.
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
|
- "db upgrade"
|
||||||
|
- "'"
|
||||||
|
config_files: &barbican_api_create_config_files
|
||||||
|
- source: "/var/lib/kolla/config_files/src/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
/var/lib/kolla/config_files/barbican_api_create_mkek.json:
|
||||||
|
command:
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
|
- "hsm check_mkek --label"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
|
- "|| /usr/bin/barbican-manage"
|
||||||
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
|
- "hsm gen_mkek --label"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
|
- "'"
|
||||||
|
config_files: *barbican_api_create_config_files
|
||||||
|
/var/lib/kolla/config_files/barbican_api_create_hmac.json:
|
||||||
|
command:
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
|
- "hsm check_hmac --label"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||||
|
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
|
||||||
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||||
|
- "'"
|
||||||
|
config_files: *barbican_api_create_config_files
|
||||||
|
/var/lib/kolla/config_files/barbican_api_update_rfs_server.json:
|
||||||
|
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
||||||
|
config_files: *barbican_api_create_config_files
|
||||||
|
/var/lib/kolla/config_files/barbican_api_get_from_rfs.json:
|
||||||
|
command: "/opt/nfast/bin/rfs-sync --update"
|
||||||
|
config_files: *barbican_api_create_config_files
|
||||||
|
/var/lib/kolla/config_files/barbican_api_secret_store_sync.json:
|
||||||
|
command:
|
||||||
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
||||||
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
||||||
|
# final single quote that's part of the list_join.
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
|
- "db sync_secret_stores --verbose"
|
||||||
|
- "'"
|
||||||
|
config_files: *barbican_api_create_config_files
|
||||||
|
/var/lib/kolla/config_files/barbican_api_rewrap_pkeks.json:
|
||||||
|
command:
|
||||||
|
list_join:
|
||||||
|
- ' '
|
||||||
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
|
- "hsm rewrap_pkek"
|
||||||
|
- "'"
|
||||||
|
config_files: *barbican_api_create_config_files
|
||||||
external_deploy_tasks:
|
external_deploy_tasks:
|
||||||
if:
|
if:
|
||||||
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
|
@ -515,41 +584,31 @@ outputs:
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: &barbican_api_volumes
|
volumes:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- list_concat: &barbican_api_common_volumes
|
||||||
- {get_attr: [BarbicanApiLogging, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
- - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
||||||
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
- - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
||||||
- /opt/nfast:/opt/nfast
|
- /opt/nfast:/opt/nfast
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
||||||
- - /etc/proteccio:/etc/proteccio
|
- - /etc/proteccio:/etc/proteccio
|
||||||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
||||||
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
||||||
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
||||||
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
||||||
|
- - /var/lib/kolla/config_files/barbican_api_create_mkek.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
environment:
|
environment:
|
||||||
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
# NOTE: this should force this container to re-run on each
|
# NOTE: this should force this container to re-run on each
|
||||||
# update (scale-out, etc.)
|
# update (scale-out, etc.)
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command:
|
|
||||||
list_join:
|
|
||||||
- ' '
|
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
||||||
- "hsm check_mkek --label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
|
||||||
- "|| /usr/bin/barbican-manage"
|
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
||||||
- "hsm gen_mkek --label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
|
||||||
- "'"
|
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoEnabled}
|
- {get_param: BarbicanPkcs11CryptoEnabled}
|
||||||
- barbican_api_create_hmac:
|
- barbican_api_create_hmac:
|
||||||
|
@ -558,21 +617,15 @@ outputs:
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: *barbican_api_volumes
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- list_concat: *barbican_api_common_volumes
|
||||||
|
- - /var/lib/kolla/config_files/barbican_api_create_hmac.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
environment:
|
environment:
|
||||||
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
# NOTE: this should force this container to re-run on each
|
# NOTE: this should force this container to re-run on each
|
||||||
# update (scale-out, etc.)
|
# update (scale-out, etc.)
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command:
|
|
||||||
list_join:
|
|
||||||
- ' '
|
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
||||||
- "hsm check_hmac --label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
|
||||||
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
|
||||||
- "'"
|
|
||||||
- {}
|
- {}
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
|
@ -582,10 +635,15 @@ outputs:
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: *barbican_api_volumes
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- list_concat: *barbican_api_common_volumes
|
||||||
|
- - /var/lib/kolla/config_files/barbican_api_update_rfs_server.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
environment:
|
environment:
|
||||||
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
|
# NOTE: this should force this container to re-run on each
|
||||||
|
# update (scale-out, etc.)
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
||||||
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
||||||
|
@ -594,44 +652,39 @@ outputs:
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: *barbican_api_volumes
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- list_concat: *barbican_api_common_volumes
|
||||||
|
- - /var/lib/kolla/config_files/barbican_api_get_from_rfs.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
environment:
|
environment:
|
||||||
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
|
# NOTE: this should force this container to re-run on each
|
||||||
|
# update (scale-out, etc.)
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command: "/opt/nfast/bin/rfs-sync --update"
|
|
||||||
- barbican_api_db_sync:
|
- barbican_api_db_sync:
|
||||||
start_order: 3
|
start_order: 3
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: *barbican_api_volumes
|
volumes:
|
||||||
command:
|
list_concat:
|
||||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
- list_concat: *barbican_api_common_volumes
|
||||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
- - /var/lib/kolla/config_files/barbican_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
# final single quote that's part of the list_join.
|
environment:
|
||||||
list_join:
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
- ' '
|
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
||||||
- "db upgrade"
|
|
||||||
- "'"
|
|
||||||
- barbican_api_secret_store_sync:
|
- barbican_api_secret_store_sync:
|
||||||
start_order: 4
|
start_order: 4
|
||||||
image: *barbican_api_image
|
image: *barbican_api_image
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: *barbican_api_volumes
|
volumes:
|
||||||
command:
|
list_concat:
|
||||||
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
- list_concat: *barbican_api_common_volumes
|
||||||
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
- - /var/lib/kolla/config_files/barbican_api_secret_store_sync.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
# final single quote that's part of the list_join.
|
environment:
|
||||||
list_join:
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
- ' '
|
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
||||||
- "db sync_secret_stores --verbose"
|
|
||||||
- "'"
|
|
||||||
- if:
|
- if:
|
||||||
- {get_param: BarbicanPkcs11CryptoRewrapKeys}
|
- {get_param: BarbicanPkcs11CryptoRewrapKeys}
|
||||||
- barbican_api_rewrap_pkeks:
|
- barbican_api_rewrap_pkeks:
|
||||||
|
@ -640,18 +693,15 @@ outputs:
|
||||||
net: host
|
net: host
|
||||||
detach: false
|
detach: false
|
||||||
user: root
|
user: root
|
||||||
volumes: *barbican_api_volumes
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
- list_concat: *barbican_api_common_volumes
|
||||||
|
- - /var/lib/kolla/config_files/barbican_api_rewrap_pkeks.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
environment:
|
environment:
|
||||||
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
# NOTE: this should force this container to re-run on each
|
# NOTE: this should force this container to re-run on each
|
||||||
# update (scale-out, etc.)
|
# update (scale-out, etc.)
|
||||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||||
command:
|
|
||||||
list_join:
|
|
||||||
- ' '
|
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
||||||
- "hsm rewrap_pkek"
|
|
||||||
- "'"
|
|
||||||
- barbican_api:
|
- barbican_api:
|
||||||
# NOTE(alee): Barbican should start after keystone processes
|
# NOTE(alee): Barbican should start after keystone processes
|
||||||
start_order: 5
|
start_order: 5
|
||||||
|
|
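Review bot: In the new `barbican_api_create_mkek.json` and `barbican_api_create_hmac.json` commands, `BarbicanPkcs11CryptoMKEKLabel` and `BarbicanPkcs11CryptoHMACLabel` are joined unquoted into the single-quoted `bash -c '…'` string, so a label containing a space, a single quote or a shell metacharacter changes what the shell parses in the step that checks or generates the HSM keys. The parameter definitions are outside the visible hunks, so a constraint may already exist; if not, an `allowed_pattern` constraint on both label parameters (a constructed example: `"[A-Za-z0-9_.-]+"`) would keep the joined command well-formed. Separately, the `gen_hmac` fallback is written as `"|| /usr/bin/barbican-manage hsm gen_hmac --label"` without the `{get_attr: [BarbicanApiLogging, cmd_extra_args]}` entry that the `gen_mkek` fallback carries, so the logging arguments are presumably not applied on that branch. Splitting it into `"|| /usr/bin/barbican-manage"`, `{get_attr: [BarbicanApiLogging, cmd_extra_args]}` and `"hsm gen_hmac --label"` would make it match the mkek command.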