Merge "Add BarbicanClient service for configuring edge sites"

deployment/barbican/barbican-client-puppet.yaml

@@ -0,0 +1,60 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack Barbican client configuration
+
+parameters:
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the Barbican client.
+    value:
+      service_name: barbican_client
+      service_config_settings:
+        nova_compute:
+          nova::compute::keymgr_backend: barbican
+          nova::compute::barbican_endpoint:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          nova::compute::barbican_auth_endpoint:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
+        cinder_volume: &cinder_barbican_config
+          cinder::config::cinder_config:
+            key_manager/backend:
+              value: barbican
+            barbican/barbican_endpoint:
+              value: {get_param: [EndpointMap, BarbicanInternal, uri]}
+            barbican/auth_endpoint:
+              value: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+        cinder_backup: *cinder_barbican_config
+        glance_api:
+          glance::api::keymgr_backend: barbican
+          glance::api::keymgr_encryption_api_url:
+            get_param: [EndpointMap, BarbicanInternal, uri]
+          glance::api::keymgr_encryption_auth_url:
+            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]

environments/services/barbican-edge.yaml

@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to configure services running at
+# a DCN/Edge site to access Barbican in the control plane.
+resource_registry:
+  OS::TripleO::Services::BarbicanClient: ../../deployment/barbican/barbican-client-puppet.yaml

overcloud-resource-registry-puppet.j2.yaml

@@ -251,6 +251,7 @@ resource_registry:
   OS::TripleO::Services::BarbicanBackendDogtag: OS::Heat::None
   OS::TripleO::Services::BarbicanBackendKmip: OS::Heat::None
   OS::TripleO::Services::BarbicanBackendPkcs11Crypto: OS::Heat::None
+  OS::TripleO::Services::BarbicanClient: OS::Heat::None
   OS::TripleO::Services::AodhApi: OS::Heat::None
   OS::TripleO::Services::AodhEvaluator: OS::Heat::None
   OS::TripleO::Services::AodhListener: OS::Heat::None

releasenotes/notes/add-barbican-client-for-dcn-7182e8bab41fce21.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Add new BarbicanClient tripleo service for configuring DCN/Edge nodes
+    to access a barbican service running in the control plane. The client
+    service is disabled by default, and can be enabled by including the
+    environments/services/barbican-edge.yaml environment file when deploying
+    a DCN/Edge stack.
+fixes:
+  - |
+    Ensure the barbican Key Manager settings are configured on DCN/Edge nodes
+    when the barbican service is deployed in the control plane. See `bug 1886070
+    <https://bugs.launchpad.net/tripleo/+bug/1886070>`_.

roles/DistributedCompute.yaml

@@ -18,6 +18,7 @@
   ServicesDefault:
     - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
+    - OS::TripleO::Services::BarbicanClient
     - OS::TripleO::Services::BootParams
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/DistributedComputeHCI.yaml

@@ -20,6 +20,7 @@
   ServicesDefault:
     - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
+    - OS::TripleO::Services::BarbicanClient
     - OS::TripleO::Services::BootParams
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/DistributedComputeHCIScaleOut.yaml

@@ -20,6 +20,7 @@
   ServicesDefault:
     - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
+    - OS::TripleO::Services::BarbicanClient
     - OS::TripleO::Services::BootParams
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/DistributedComputeScaleOut.yaml

@@ -18,6 +18,7 @@
   ServicesDefault:
     - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
+    - OS::TripleO::Services::BarbicanClient
     - OS::TripleO::Services::BootParams
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient