heat_template_version: rocky description: > OpenStack containerized Barbican API service parameters: DockerBarbicanApiImage: description: image type: string DockerBarbicanConfigImage: description: The container image to use for the barbican config_volume type: string DockerBarbicanKeystoneListenerImage: description: image type: string DockerBarbicanWorkerImage: description: image type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false BarbicanPkcs11CryptoATOSEnabled: type: boolean default: false BarbicanPkcs11CryptoThalesEnabled: type: boolean default: false BarbicanPkcs11CryptoEnabled: type: boolean default: false BarbicanPkcs11CryptoLibraryPath: description: Path to vendor PKCS11 library type: string default: '' BarbicanPkcs11CryptoLogin: description: Password to login to PKCS11 session type: string hidden: true default: '' BarbicanPkcs11CryptoMKEKLabel: description: Label for Master KEK type: string default: '' BarbicanPkcs11CryptoHMACLabel: description: Label for the HMAC key type: string default: '' BarbicanPkcs11CryptoSlotId: description: Slot Id for the HSM type: string default: '0' BarbicanPkcs11CryptoHMACKeyType: description: Cryptoki Key Type for Master HMAC key type: string default: 'CKK_AES' BarbicanPkcs11CryptoHMACKeygenMechanism: description: Cryptoki Mechanism used to generate Master HMAC Key type: string default: 'CKM_AES_KEY_GEN' BarbicanPkcs11CryptoRewrapKeys: description: Cryptoki Mechanism used to generate Master HMAC Key type: boolean default: false ThalesHSMNetworkName: description: The network that the HSM is listening on. type: string default: 'internal_api' ThalesVars: default: {} description: Hash of thales-hsm role variables used to install Thales client software. type: json ATOSVars: default: {} description: Hash of atos-hsm role variables used to install ATOS client software. type: json BarbicanPassword: description: The password for the barbican service account. type: string hidden: true BarbicanWorkers: description: Set the number of workers for barbican::wsgi::apache default: '%{::processorcount}' type: string Debug: default: false description: Set to True to enable debugging on all services. type: boolean BarbicanDebug: default: '' description: Set to True to enable debugging Barbican service. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint EnableInternalTLS: type: boolean default: false BarbicanPolicies: description: | A hash of policies to configure for Barbican. e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json NotificationDriver: type: string default: 'messagingv2' description: Driver or drivers to handle sending notifications. RpcPort: default: 5672 description: The network port for messaging backend type: number RpcUserName: default: guest description: The username for messaging backend type: string RpcPassword: description: The password for messaging backend type: string hidden: true RpcUseSSL: default: false description: > Messaging client subscriber parameter to specify an SSL connection to the messaging host. type: string DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. parameter_groups: - label: deprecated description: | The following parameters are deprecated and will be removed. They should not be relied on for new deployments. If you have concerns regarding deprecated parameters, please contact the TripleO development team on IRC or the OpenStack mailing list. parameters: - RpcPort - RpcUserName - RpcPassword - RpcUseSSL conditions: service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]} atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]} thales_or_atos_hsm_enabled: or: - thales_hsm_enabled - atos_hsm_enabled pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]} pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]} resources: ApacheServiceBase: type: ../../deployment/apache/apache-baremetal-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} ContainersCommon: type: ../containers-common.yaml MySQLClient: type: ../database/mysql-client.yaml BarbicanApiLogging: type: OS::TripleO::Services::Logging::BarbicanApi outputs: role_data: description: Role data for the Barbican API role. value: service_name: barbican_api config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [BarbicanApiLogging, config_settings] - apache::default_vhost: false barbican::keystone::authtoken::password: {get_param: BarbicanPassword} barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' barbican::keystone::notification::enable_keystone_notification: True barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications' barbican::policy::policies: {get_param: BarbicanPolicies} barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false barbican::api::enabled_certificate_plugins: ['simple_certificate'] barbican::api::enable_queue: true barbican::api::logging::debug: if: - service_debug_unset - {get_param: Debug } - {get_param: BarbicanDebug } barbican::api::notification_driver: {get_param: NotificationDriver} barbican::api::service_name: 'httpd' barbican::wsgi::apache::bind_host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS} barbican::wsgi::apache::workers: {get_param: BarbicanWorkers} barbican::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]} barbican::db::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: barbican password: {get_param: BarbicanPassword} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /barbican query: read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo tripleo::barbican_api::firewall_rules: '117 barbican': dport: - 9311 - 13311 service_config_settings: mysql: barbican::db::mysql::password: {get_param: BarbicanPassword} barbican::db::mysql::user: barbican barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} barbican::db::mysql::dbname: barbican barbican::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" keystone: barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]} barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]} barbican::keystone::auth::password: {get_param: BarbicanPassword} barbican::keystone::auth::region: {get_param: KeystoneRegion} barbican::keystone::auth::tenant: 'service' tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications'] nova_compute: nova::compute::keymgr_backend: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager nova::compute::barbican_endpoint: get_param: [EndpointMap, BarbicanInternal, uri] nova::compute::barbican_auth_endpoint: get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] cinder_api: cinder::api::keymgr_backend: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager cinder::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] glance_api: glance::api::keymgr_backend: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager glance::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] glance::api::keymgr_encryption_auth_url: get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] # BEGIN DOCKER SETTINGS puppet_config: config_volume: barbican puppet_tags: barbican_api_paste_ini,barbican_config step_config: list_join: - "\n" - - "include ::tripleo::profile::base::barbican::api" - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerBarbicanConfigImage} kolla_config: /var/lib/kolla/config_files/barbican_api.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true /var/lib/kolla/config_files/barbican_keystone_listener.json: command: /usr/bin/barbican-keystone-listener config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true /var/lib/kolla/config_files/barbican_worker.json: command: /usr/bin/barbican-worker config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true external_deploy_tasks: if: - thales_hsm_enabled - - name: Add ip addresses to the RFS server when: step == '2' block: - name: get the ip addresses for the barbican nodes set_fact: thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir" thales_client_ips: str_replace: template: >- {% for host in groups['barbican_backend_pkcs11_crypto'] -%} {{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }} {%- endfor %} params: $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName} thales_bootstrap_client_ip: str_replace: template: >- {% for host in groups['barbican_backend_pkcs11_crypto'] -%} {% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%} {{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }} {%- endif %} {%- endfor %} params: $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName} thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]} thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]} thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]} - name: set playbook vars set_fact: thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory" thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa" thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml" - name: creating working directory file: path: "{{thales_rfs_playbook_dir}}" state: directory - name: generate an inventory copy: dest: "{{thales_rfs_inventory}}" content: {get_param: [ThalesVars, thales_rfs_server_ip_address]} - name: write SSH key to file copy: dest: "{{thales_rfs_keyfile}}" content: {get_param: [ThalesVars, thales_rfs_key]} mode: 0400 - name: generate playbook to run copy: dest: "{{thales_rfs_playbook}}" content: | --- - hosts: all remote_user: "{{thales_rfs_user}}" vars: thales_configure_rfs: true thales_client_ips: "{{thales_client_ips}}" thales_hsm_ip_address: "{{thales_hsm_ip_address}}" thales_hsm_config_location: "{{thales_hsm_config_location}}" thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}" roles: - thales-hsm - name: call ansible on rfs server shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}" - name: clean up working directory file: path: "{{thales_rfs_playbook_dir}}" state: absent - null deploy_steps_tasks: if: - thales_or_atos_hsm_enabled - list_concat: - if: - thales_hsm_enabled - - name: Thales client install when: step == '2' block: - set_fact: my_thales_client_ip: str_replace: template: "{{$NETWORK_ip}}" params: $NETWORK: {get_param: ThalesHSMNetworkName} - include_role: name: thales-hsm vars: map_merge: - thales_install_client: true - {get_param: ThalesVars} - null - if: - atos_hsm_enabled - - name: ATOS client install when: step == '2' block: - include_role: name: atos-hsm vars: {get_param: ATOSVars} - null - null docker_config: # db sync runs before permissions set by kolla_config step_2: map_merge: - get_attr: [BarbicanApiLogging, docker_config, step_2] - if: - atos_hsm_enabled - barbican_init_atos_directory: image: &barbican_api_image {get_param: DockerBarbicanApiImage} user: root volumes: - /etc/proteccio:/etc/proteccio - /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so'] - {} step_3: map_merge: - if: - pkcs11_plugin_enabled - barbican_api_create_mkek: start_order: 0 image: *barbican_api_image net: host detach: false user: root volumes: &barbican_api_volumes list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [BarbicanApiLogging, volumes]} - - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro - /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro - if: - thales_hsm_enabled - - /opt/nfast:/opt/nfast - null - if: - atos_hsm_enabled - - /etc/proteccio:/etc/proteccio - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - null environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) - list_join: - '' - - 'TRIPLEO_DEPLOY_IDENTIFIER=' - {get_param: DeployIdentifier} command: list_join: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "hsm check_mkek --library-path" - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - "--slot-id" - {get_param: [BarbicanPkcs11CryptoSlotId]} - "--passphrase" - {get_param: [BarbicanPkcs11CryptoLogin]} - "--label" - {get_param: [BarbicanPkcs11CryptoMKEKLabel]} - "|| /usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "hsm gen_mkek --library-path" - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - "--slot-id" - {get_param: [BarbicanPkcs11CryptoSlotId]} - "--passphrase" - {get_param: [BarbicanPkcs11CryptoLogin]} - "--label" - {get_param: [BarbicanPkcs11CryptoMKEKLabel]} - "'" - {} - if: - pkcs11_plugin_enabled - barbican_api_create_hmac: start_order: 0 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) - list_join: - '' - - 'TRIPLEO_DEPLOY_IDENTIFIER=' - {get_param: DeployIdentifier} command: list_join: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "hsm check_hmac --library-path" - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - "--slot-id" - {get_param: [BarbicanPkcs11CryptoSlotId]} - "--passphrase" - {get_param: [BarbicanPkcs11CryptoLogin]} - "--label" - {get_param: [BarbicanPkcs11CryptoHMACLabel]} - "--key-type" - {get_param: [BarbicanPkcs11CryptoHMACKeyType]} - "|| /usr/bin/barbican-manage hsm gen_hmac --library-path" - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - "--slot-id" - {get_param: [BarbicanPkcs11CryptoSlotId]} - "--passphrase" - {get_param: [BarbicanPkcs11CryptoLogin]} - "--label" - {get_param: [BarbicanPkcs11CryptoHMACLabel]} - "--key-type" - {get_param: [BarbicanPkcs11CryptoHMACKeyType]} - "--mechanism" - {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]} - "'" - {} - if: - thales_hsm_enabled - barbican_api_update_rfs_server_with_mkek_and_hmac_keys: start_order: 1 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) - list_join: - '' - - 'TRIPLEO_DEPLOY_IDENTIFIER=' - {get_param: DeployIdentifier} command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit" - {} - if: - thales_hsm_enabled - barbican_api_get_mkek_and_hmac_keys_from_rfs: start_order: 2 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) - list_join: - '' - - 'TRIPLEO_DEPLOY_IDENTIFIER=' - {get_param: DeployIdentifier} command: "/opt/nfast/bin/rfs-sync --update" - {} - barbican_api_db_sync: start_order: 3 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes command: # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part # of the bash -c invocation, so we include them in the quoted db sync command. Hence the # final single quote that's part of the list_join. list_join: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "db upgrade" - "'" - barbican_api_secret_store_sync: start_order: 4 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes command: # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part # of the bash -c invocation, so we include them in the quoted db sync command. Hence the # final single quote that's part of the list_join. list_join: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "db sync_secret_stores --verbose" - "'" - if: - pkcs11_rewrap_pkeks - barbican_api_rewrap_pkeks: start_order: 4 image: *barbican_api_image net: host detach: false user: root volumes: *barbican_api_volumes environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) - list_join: - '' - - 'TRIPLEO_DEPLOY_IDENTIFIER=' - {get_param: DeployIdentifier} command: list_join: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - "hsm rewrap_pkek" - "'" - {} - barbican_api: # NOTE(alee): Barbican should start after keystone processes start_order: 5 image: *barbican_api_image net: host privileged: false restart: always user: root healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [BarbicanApiLogging, volumes]} - - /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro - if: - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - null - if: - thales_hsm_enabled - - /opt/nfast:/opt/nfast - null - if: - atos_hsm_enabled - - /etc/proteccio:/etc/proteccio - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - null environment: &kolla_env - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - barbican_keystone_listener: start_order: 6 image: {get_param: DockerBarbicanKeystoneListenerImage} net: host privileged: false restart: always user: barbican healthcheck: test: list_join: - ' ' - - '/openstack/healthcheck' - yaql: expression: str($.data.port) data: port: {get_param: RpcPort} volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [BarbicanApiLogging, volumes]} - - /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro environment: *kolla_env - barbican_worker: start_order: 7 image: {get_param: DockerBarbicanWorkerImage} net: host privileged: false restart: always user: barbican healthcheck: test: list_join: - ' ' - - '/openstack/healthcheck' - yaql: expression: str($.data.port) data: port: {get_param: RpcPort} volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [BarbicanApiLogging, volumes]} - - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro - if: - thales_hsm_enabled - - /opt/nfast:/opt/nfast - null - if: - atos_hsm_enabled - - /etc/proteccio:/etc/proteccio - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so - null environment: *kolla_env host_prep_tasks: list_concat: - {get_attr: [BarbicanApiLogging, host_prep_tasks]} - - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink persistent: yes state: yes post_upgrade_tasks: - when: step|int == 1 import_role: name: tripleo-docker-rm vars: containers_to_rm: - barbican_api - barbican_keystone_listener - barbican_worker metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings]