openstack
/
tripleo-heat-templates
Code Issues Proposed changes
Browse Source

Merge "Simplify conditions in barbican service templates"

changes/44/709744/25
Zuul 1 year ago committed by Gerrit Code Review
parent
54b18352b2 06efcbbd1f
commit
9d3088e4b3
1 changed files with 62 additions and 121 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 183
      deployment/barbican/barbican-api-container-puppet.yaml

183
deployment/barbican/barbican-api-container-puppet.yaml
Unescape View File

@ -163,18 +163,11 @@ parameters:
perform configuration on a Heat stack-update.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
@ -278,16 +271,14 @@ outputs:
path: /barbican
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: barbican
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: barbican
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
map_merge:
@ -347,9 +338,8 @@ outputs:
preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - name: Add ip addresses to the RFS server
when: step|int == 2
block:
- name: get the ip addresses for the barbican nodes
@ -427,18 +417,15 @@ outputs:
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- if:
- hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - name: Thales client install
when: step|int == 2
block:
- set_fact:
@ -454,24 +441,18 @@ outputs:
map_merge:
- thales_install_client: true
- {get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - name: ATOS client install
when: step|int == 2
block:
- include_role:
name: atos_hsm
vars:
{get_param: ATOSVars}
- null
-
if:
- lunasa_hsm_enabled
-
- name: Lunasa client install
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - name: Lunasa client install
when: step|int == 2
block:
- name: install the lunasa client
@ -494,15 +475,13 @@ outputs:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: LunasaClientIPNetwork}
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
net: host
@ -515,7 +494,7 @@ outputs:
step_3:
map_merge:
- if:
- pkcs11_plugin_enabled
- {get_param: BarbicanPkcs11CryptoEnabled}
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
@ -526,31 +505,21 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
@ -567,9 +536,8 @@ outputs:
- "hsm gen_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
- {}
- if:
- pkcs11_plugin_enabled
- {get_param: BarbicanPkcs11CryptoEnabled}
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
@ -593,7 +561,7 @@ outputs:
- "'"
- {}
- if:
- thales_hsm_enabled
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 1
image: *barbican_api_image
@ -604,9 +572,8 @@ outputs:
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 2
image: *barbican_api_image
@ -617,7 +584,6 @@ outputs:
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 3
image: *barbican_api_image
@ -653,7 +619,7 @@ outputs:
- "db sync_secret_stores --verbose"
- "'"
- if:
- pkcs11_rewrap_pkeks
- {get_param: BarbicanPkcs11CryptoRewrapKeys}
- barbican_api_rewrap_pkeks:
start_order: 4
image: *barbican_api_image
@ -672,7 +638,6 @@ outputs:
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek"
- "'"
- {}
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
@ -690,35 +655,23 @@ outputs:
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: &kolla_env
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_keystone_listener:
@ -749,31 +702,21 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: *kolla_env
host_prep_tasks:
list_concat:
@ -785,9 +728,8 @@ outputs:
state: yes
scale_tasks:
if:
- lunasa_hsm_enabled
-
- name: Remove HSM clients
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - name: Remove HSM clients
when: step|int == 1
tags: down
block:
@ -801,7 +743,6 @@ outputs:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- client_name: "{{ fqdn_canonical }}"
- null
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:

Write Preview
Loading…
Cancel
Save