heat_template_version: wallaby

description: >
  OpenStack containerized Barbican API service

parameters:
  ContainerBarbicanApiImage:
    description: image
    type: string
  ContainerBarbicanConfigImage:
    description: The container image to use for the barbican config_volume
    type: string
  ContainerBarbicanKeystoneListenerImage:
    description: image
    type: string
  ContainerBarbicanWorkerImage:
    description: image
    type: string
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  EnableSQLAlchemyCollectd:
    type: boolean
    description: >
        Set to true to enable the SQLAlchemy-collectd server plugin
    default: false
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  BarbicanPkcs11CryptoATOSEnabled:
    type: boolean
    default: false
  BarbicanPkcs11CryptoLunasaEnabled:
    type: boolean
    default: false
  BarbicanPkcs11CryptoThalesEnabled:
    type: boolean
    default: false
  BarbicanPkcs11CryptoEnabled:
    type: boolean
    default: false
  BarbicanPkcs11CryptoLibraryPath:
    description: Path to vendor PKCS11 library
    type: string
    default: ''
  BarbicanPkcs11CryptoLogin:
    description: Password (PIN) to login to PKCS#11 session
    type: string
    hidden: true
    default: ''
  BarbicanPkcs11CryptoMKEKLabel:
    description: Label for Master KEK
    type: string
    default: ''
  BarbicanPkcs11CryptoHMACLabel:
    description: Label for the HMAC key
    type: string
    default: ''
  BarbicanPkcs11CryptoSlotId:
    description: Slot Id for the PKCS#11 token to be used
    type: string
    default: '0'
  BarbicanPkcs11CryptoTokenSerialNumber:
    description: Serial number for PKCS#11 token to be used
    type: string
    default: ''
  BarbicanPkcs11CryptoTokenLabel:
    description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
    type: string
    default: ''
  BarbicanPkcs11CryptoTokenLabels:
    description: List of comma separated labels for the tokens to be used.
                 This is typically a single label, but some devices may require
                 more than one label for Load Balancing and High Availability
                 configurations.
    type: string
    default: ''
  BarbicanPkcs11CryptoHMACKeyType:
    description: Cryptoki Key Type for Master HMAC key
    type: string
    default: 'CKK_AES'
  BarbicanPkcs11CryptoHMACKeygenMechanism:
    description: Cryptoki Mechanism used to generate Master HMAC Key
    type: string
    default: 'CKM_AES_KEY_GEN'
  BarbicanPkcs11CryptoRewrapKeys:
    description: Cryptoki Mechanism used to generate Master HMAC Key
    type: boolean
    default: false
  ThalesHSMNetworkName:
    description: The network that the HSM is listening on.
    type: string
    default: 'internal_api'
  ThalesVars:
    default: {}
    description: Hash of thales_hsm role variables used to
                 install Thales client software.
    type: json
  ATOSVars:
    default: {}
    description: Hash of atos-hsm role variables used to
                 install ATOS client software.
    type: json
  LunasaVars:
    default: {}
    description: Hash of lunasa-hsm role variables used to
                 install Lunasa client software.
    type: json
  LunasaClientIPNetwork:
    description: >
      (Optional) When set Barbican nodes will be registered with
      the HSMs using the IP from this network instead of the FQDN.
    type: string
    default: ''
  BarbicanPassword:
    description: The password for the barbican service account.
    type: string
    hidden: true
  BarbicanWorkers:
    description: Set the number of workers for barbican::wsgi::apache
    default: '%{::processorcount}'
    type: string
  Debug:
    default: false
    description: Set to True to enable debugging on all services.
    type: boolean
  BarbicanDebug:
    default: false
    description: Set to True to enable debugging Barbican service.
    type: boolean
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  EnableInternalTLS:
    type: boolean
    default: false
  BarbicanPolicies:
    description: |
      A hash of policies to configure for Barbican.
      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json
  NotificationDriver:
    type: comma_delimited_list
    default: 'noop'
    description: Driver or drivers to handle sending notifications.
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.

conditions:
  hsm_enabled:
    or:
    - {get_param: BarbicanPkcs11CryptoThalesEnabled}
    - {get_param: BarbicanPkcs11CryptoATOSEnabled}
    - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
  pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
  pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
  pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
  # Luna Clients use FQDN by default.  When LunasaClientIPNetwork is set we
  # will use the Controller's IP address from that network instead.
  lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}

resources:

  ApacheServiceBase:
    type: ../../deployment/apache/apache-baremetal-puppet.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  ContainersCommon:
    type: ../containers-common.yaml

  MySQLClient:
    type: ../database/mysql-client.yaml

  BarbicanApiLogging:
    type: OS::TripleO::Services::Logging::BarbicanApi

  BarbicanClient:
    type: ./barbican-client-puppet.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}

outputs:
  role_data:
    description: Role data for the Barbican API role.
    value:
      service_name: barbican_api
      firewall_rules:
        '117 barbican':
          dport:
            - 9311
            - 13311
      keystone_resources:
        barbican:
          endpoints:
            public: {get_param: [EndpointMap, BarbicanPublic, uri]}
            internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
            admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
          users:
            barbican:
              password: {get_param: BarbicanPassword}
          region: {get_param: KeystoneRegion}
          service: 'key-manager'
          roles:
            - key-manager:service-admin
            - creator
            - observer
            - audit
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - get_attr: [BarbicanApiLogging, config_settings]
          - apache::default_vhost: false
            barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
            barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            barbican::keystone::authtoken::interface: 'internal'
            barbican::keystone::notification::enable_keystone_notification: True
            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
            barbican::policy::policies: {get_param: BarbicanPolicies}
            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
            barbican::api::db_auto_create: false
            barbican::api::enabled_certificate_plugins: ['simple_certificate']
            barbican::api::enable_queue: true
            barbican::api::logging::debug:
              if:
              - {get_param: BarbicanDebug}
              - true
              - {get_param: Debug}
            barbican::api::notification_driver: {get_param: NotificationDriver}
            barbican::api::service_name: 'httpd'
            barbican::wsgi::apache::bind_host:
              str_replace:
                 template:
                   "%{hiera('$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            barbican::wsgi::apache::ssl:  {get_param: EnableInternalTLS}
            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
            barbican::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            barbican::db::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: barbican
                password: {get_param: BarbicanPassword}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /barbican
                query:
                  if:
                    - {get_param: EnableSQLAlchemyCollectd}
                    - read_default_file: /etc/my.cnf.d/tripleo.cnf
                      read_default_group: tripleo
                      plugin: collectd
                      collectd_program_name: barbican
                      collectd_host: localhost
                    - read_default_file: /etc/my.cnf.d/tripleo.cnf
                      read_default_group: tripleo

      service_config_settings:
        map_merge:
          - get_attr: [BarbicanClient, role_data, service_config_settings]
          - mysql:
              barbican::db::mysql::password: {get_param: BarbicanPassword}
              barbican::db::mysql::user: barbican
              barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
              barbican::db::mysql::dbname: barbican
              barbican::db::mysql::allowed_hosts:
                - '%'
                - "%{hiera('mysql_bind_host')}"
            keystone:
              tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: barbican
        puppet_tags: barbican_api_paste_ini,barbican_config
        step_config:
          list_join:
            - "\n"
            - - "include tripleo::profile::base::barbican::api"
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: ContainerBarbicanConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/barbican_api.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files:
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
              dest: "/etc/httpd/conf.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
              dest: "/etc/httpd/conf.modules.d"
              merge: false
              preserve_properties: true
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
        /var/lib/kolla/config_files/barbican_keystone_listener.json:
          command: /usr/bin/barbican-keystone-listener
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
        /var/lib/kolla/config_files/barbican_worker.json:
          command: /usr/bin/barbican-worker
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
      external_deploy_tasks:
        if:
        - {get_param: BarbicanPkcs11CryptoThalesEnabled}
        - - name: Add ip addresses to the RFS server
            when: step|int == 2
            block:
              - name: get the ip addresses for the barbican nodes
                set_fact:
                  thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
                  thales_client_ips:
                    str_replace:
                      template: >-
                        {% for host in groups['barbican_backend_pkcs11_crypto'] -%}
                          {{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
                        {%- endfor %}
                      params:
                        $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
                  thales_bootstrap_client_ip:
                    str_replace:
                      template: >-
                        {% for host in groups['barbican_backend_pkcs11_crypto'] -%}
                        {% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
                        {{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
                        {%- endif %}
                        {%- endfor %}
                      params:
                        $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
                  thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
                  nshield_hsms: {get_param: [ThalesVars, nshield_hsms]}

              - name: allow using legacy variables for backwards compatibility
                set_fact:
                  nshield_hsms:
                    - name: Legacy variables HSM
                      ip: {get_param: [ThalesVars, thales_hsm_ip_address]}
                when: nshield_hsms|length == 0

              - name: set playbook vars
                set_fact:
                  thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
                  thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
                  thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"

              - name: creating working directory
                file:
                  path: "{{thales_rfs_playbook_dir}}"
                  state: directory

              - name: generate an inventory
                copy:
                  dest: "{{thales_rfs_inventory}}"
                  content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}

              - name: write SSH key to file
                copy:
                  dest: "{{thales_rfs_keyfile}}"
                  content: {get_param: [ThalesVars, thales_rfs_key]}
                  mode: 0400

              - name: generate playbook to run
                copy:
                  dest: "{{thales_rfs_playbook}}"
                  content: |
                    ---
                    - hosts: all
                      remote_user: "{{thales_rfs_user}}"
                      vars:
                        thales_configure_rfs: true
                        thales_client_ips: "{{thales_client_ips}}"
                        thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
                        nshield_hsms: "{{nshield_hsms}}"
                      roles:
                        - thales_hsm

              - name: call ansible on rfs server
                shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"

              - name: clean up working directory
                file:
                  path: "{{thales_rfs_playbook_dir}}"
                  state: absent
      deploy_steps_tasks:
        list_concat:
          - get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
          - if:
            - hsm_enabled
            - list_concat:
              - if:
                  - {get_param: BarbicanPkcs11CryptoThalesEnabled}
                  - - name: Thales client install
                      when: step|int == 2
                      block:
                        - set_fact:
                            my_thales_client_ip:
                              str_replace:
                                 template:
                                   "{{$NETWORK_ip}}"
                                 params:
                                   $NETWORK: {get_param: ThalesHSMNetworkName}
                        - include_role:
                            name: thales_hsm
                          vars:
                            map_merge:
                              - thales_install_client: true
                              - {get_param: ThalesVars}
              - if:
                  - {get_param: BarbicanPkcs11CryptoATOSEnabled}
                  - - name: ATOS client install
                      when: step|int == 2
                      block:
                      - include_role:
                          name: atos_hsm
                        vars:
                          {get_param: ATOSVars}
              - if:
                  - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
                  - - name: Lunasa client install
                      when: step|int == 2
                      block:
                      - name: install the lunasa client
                        include_role:
                          name: lunasa_hsm
                        vars:
                          if:
                            - lunasa_hsm_use_fqdn
                            - map_merge:
                              - {get_param: LunasaVars}
                              - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
                              - if:
                                  - pkcs11_tokens_unset
                                  - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
                                  - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
                            - map_merge:
                              - {get_param: LunasaVars}
                              - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
                              - if:
                                  - pkcs11_tokens_unset
                                  - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
                                  - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
                              - lunasa_client_ip:
                                  str_replace:
                                    template:
                                      "{{$NETWORK_ip}}"
                                    params:
                                      $NETWORK: {get_param: LunasaClientIPNetwork}
      docker_config:
        # db sync runs before permissions set by kolla_config
        step_2:
          map_merge:
          - get_attr: [BarbicanApiLogging, docker_config, step_2]
          - if:
            - {get_param: BarbicanPkcs11CryptoATOSEnabled}
            - barbican_init_atos_directory:
                image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
                net: host
                user: root
                volumes:
                  - /etc/proteccio:/etc/proteccio
                  - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
                command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
            - {}
        step_3:
          map_merge:
            - if:
              - {get_param: BarbicanPkcs11CryptoEnabled}
              - barbican_api_create_mkek:
                  start_order: 0
                  image: *barbican_api_image
                  net: host
                  detach: false
                  user: root
                  volumes: &barbican_api_volumes
                    list_concat:
                      - {get_attr: [ContainersCommon, volumes]}
                      - {get_attr: [BarbicanApiLogging, volumes]}
                      - - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
                        - /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
                      - if:
                          - {get_param: BarbicanPkcs11CryptoThalesEnabled}
                          - - /lib64/libnsl.so.1:/lib64/libnsl.so.1
                            - /opt/nfast:/opt/nfast
                      - if:
                          - {get_param: BarbicanPkcs11CryptoATOSEnabled}
                          - - /etc/proteccio:/etc/proteccio
                            - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
                      - if:
                          - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
                          - - /etc/Chrystoki.conf:/etc/Chrystoki.conf
                            - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
                            - /usr/safenet/lunaclient:/usr/safenet/lunaclient
                  environment:
                    # NOTE: this should force this container to re-run on each
                    # update (scale-out, etc.)
                    TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
                  command:
                    list_join:
                      - ' '
                      - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                        - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
                        - "hsm check_mkek --label"
                        - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
                        - "|| /usr/bin/barbican-manage"
                        - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
                        - "hsm gen_mkek --label"
                        - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
                        - "'"
            - if:
              - {get_param: BarbicanPkcs11CryptoEnabled}
              - barbican_api_create_hmac:
                  start_order: 0
                  image: *barbican_api_image
                  net: host
                  detach: false
                  user: root
                  volumes: *barbican_api_volumes
                  environment:
                    # NOTE: this should force this container to re-run on each
                    # update (scale-out, etc.)
                    TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
                  command:
                    list_join:
                      - ' '
                      - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                        - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
                        - "hsm check_hmac --label"
                        - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
                        - "|| /usr/bin/barbican-manage hsm gen_hmac --label"
                        - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
                        - "'"
              - {}
            - if:
              - {get_param: BarbicanPkcs11CryptoThalesEnabled}
              - barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
                  start_order: 1
                  image: *barbican_api_image
                  net: host
                  detach: false
                  user: root
                  volumes: *barbican_api_volumes
                  environment:
                    TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
                  command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
            - if:
              - {get_param: BarbicanPkcs11CryptoThalesEnabled}
              - barbican_api_get_mkek_and_hmac_keys_from_rfs:
                  start_order: 2
                  image: *barbican_api_image
                  net: host
                  detach: false
                  user: root
                  volumes: *barbican_api_volumes
                  environment:
                    TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
                  command: "/opt/nfast/bin/rfs-sync --update"
            - barbican_api_db_sync:
                start_order: 3
                image: *barbican_api_image
                net: host
                detach: false
                user: root
                volumes: *barbican_api_volumes
                command:
                  # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
                  # of the bash -c invocation, so we include them in the quoted db sync command. Hence the
                  # final single quote that's part of the list_join.
                  list_join:
                  - ' '
                  - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                    - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
                    - "db upgrade"
                    - "'"
            - barbican_api_secret_store_sync:
                start_order: 4
                image: *barbican_api_image
                net: host
                detach: false
                user: root
                volumes: *barbican_api_volumes
                command:
                  # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
                  # of the bash -c invocation, so we include them in the quoted db sync command. Hence the
                  # final single quote that's part of the list_join.
                  list_join:
                  - ' '
                  - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                    - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
                    - "db sync_secret_stores --verbose"
                    - "'"
            - if:
              - {get_param: BarbicanPkcs11CryptoRewrapKeys}
              - barbican_api_rewrap_pkeks:
                  start_order: 4
                  image: *barbican_api_image
                  net: host
                  detach: false
                  user: root
                  volumes: *barbican_api_volumes
                  environment:
                    # NOTE: this should force this container to re-run on each
                    # update (scale-out, etc.)
                    TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
                  command:
                    list_join:
                      - ' '
                      - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                        - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
                        - "hsm rewrap_pkek"
                        - "'"
            - barbican_api:
                # NOTE(alee): Barbican should start after keystone processes
                start_order: 5
                image: *barbican_api_image
                net: host
                privileged: false
                restart: always
                user: root
                healthcheck:
                  test: /openstack/healthcheck
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    - {get_attr: [BarbicanApiLogging, volumes]}
                    -
                      - /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
                      - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
                    - if:
                        - {get_param: EnableInternalTLS}
                        - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
                    - if:
                        - {get_param: BarbicanPkcs11CryptoThalesEnabled}
                        - - /lib64/libnsl.so.1:/lib64/libnsl.so.1
                          - /opt/nfast:/opt/nfast
                    - if:
                        - {get_param: BarbicanPkcs11CryptoATOSEnabled}
                        - - /etc/proteccio:/etc/proteccio
                          - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
                    - if:
                        - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
                        - - /etc/Chrystoki.conf:/etc/Chrystoki.conf
                          - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
                          - /usr/safenet/lunaclient:/usr/safenet/lunaclient
                environment: &kolla_env
                  KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
            - barbican_keystone_listener:
                start_order: 6
                image: {get_param: ContainerBarbicanKeystoneListenerImage}
                net: host
                privileged: false
                restart: always
                user: barbican
                healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    - {get_attr: [BarbicanApiLogging, volumes]}
                    -
                      - /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
                      - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
                environment: *kolla_env
            - barbican_worker:
                start_order: 7
                image: {get_param: ContainerBarbicanWorkerImage}
                net: host
                privileged: false
                restart: always
                user: barbican
                healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    - {get_attr: [BarbicanApiLogging, volumes]}
                    - - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
                      - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
                    - if:
                        - {get_param: BarbicanPkcs11CryptoThalesEnabled}
                        - - /lib64/libnsl.so.1:/lib64/libnsl.so.1
                          - /opt/nfast:/opt/nfast
                    - if:
                        - {get_param: BarbicanPkcs11CryptoATOSEnabled}
                        - - /etc/proteccio:/etc/proteccio
                          - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
                    - if:
                        - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
                        - - /etc/Chrystoki.conf:/etc/Chrystoki.conf
                          - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
                          - /usr/safenet/lunaclient:/usr/safenet/lunaclient
                environment: *kolla_env
      host_prep_tasks:
        list_concat:
          - {get_attr: [BarbicanApiLogging, host_prep_tasks]}
          - - name: enable virt_sandbox_use_netlink for healthcheck
              seboolean:
                name: virt_sandbox_use_netlink
                persistent: yes
                state: yes
      scale_tasks:
        if:
        - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
        - - name: Remove HSM clients
            when: step|int == 1
            tags: down
            block:
              - name: Remove client from HSM
                import_role:
                  name: lunasa_hsm
                  tasks_from: unregister_client
                delegate_to: undercloud
                vars:
                  - map_merge:
                    - {get_param: LunasaVars}
                    - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
                    - client_name: "{{ fqdn_canonical }}"
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      external_upgrade_tasks:
        - when:
            - step|int == 1
          tags:
            - never
            - system_upgrade_transfer_data
            - system_upgrade_stop_services
          block:
            - name: Stop barbican api container
              import_role:
                name: tripleo_container_stop
              vars:
                tripleo_containers_to_stop:
                  - barbican_api
                tripleo_delegate_to: "{{ groups['barbican_api'] | default([]) }}"