openstack/tripleo-heat-templates
Code Issues Proposed changes
1879441b3c
tripleo-heat-templates/deployment/barbican/barbican-api-container-puppet.yaml
Takashi Kajinami 37548ddb40 Enforce internal api for token verification 
This change enforces the usage of internal api for token verification,
so that internal requests to keystone uses internal endpoint instead
of admin endpoint which is deployed on provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
2020-10-11 15:46:08 +09:00

820 lines
33 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
OpenStack containerized Barbican API service
parameters:
ContainerBarbicanApiImage:
description: image
type: string
ContainerBarbicanConfigImage:
description: The container image to use for the barbican config_volume
type: string
ContainerBarbicanKeystoneListenerImage:
description: image
type: string
ContainerBarbicanWorkerImage:
description: image
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLunasaEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: string
default: '0'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoRewrapKeys:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: boolean
default: false
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of thales_hsm role variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of atos-hsm role variables used to
install ATOS client software.
type: json
LunasaVars:
default: {}
description: Hash of lunasa-hsm role variables used to
install Lunasa client software.
type: json
LunasaClientIPNetwork:
description: >
(Optional) When set Barbican nodes will be registered with
the HSMs using the IP from this network instead of the FQDN.
type: string
default: ''
BarbicanPassword:
description: The password for the barbican service account.
type: string
hidden: true
BarbicanWorkers:
description: Set the number of workers for barbican::wsgi::apache
default: '%{::processorcount}'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
BarbicanDebug:
default: ''
description: Set to True to enable debugging Barbican service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
conditions:
service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
thales_or_atos_or_lunasa_hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
resources:
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
BarbicanApiLogging:
type: OS::TripleO::Services::Logging::BarbicanApi
BarbicanClient:
type: ./barbican-client-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
outputs:
role_data:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [BarbicanApiLogging, config_settings]
- apache::default_vhost: false
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
barbican::keystone::authtoken::interface: 'internal'
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
barbican::api::enable_queue: true
barbican::api::logging::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: BarbicanDebug }
barbican::api::notification_driver: {get_param: NotificationDriver}
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: barbican
password: {get_param: BarbicanPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /barbican
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: barbican
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
map_merge:
- get_attr: [BarbicanClient, role_data, service_config_settings]
- mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: barbican
puppet_tags: barbican_api_paste_ini,barbican_config
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::barbican::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerBarbicanConfigImage}
kolla_config:
/var/lib/kolla/config_files/barbican_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
# TODO(emilien) remove optional flag once we get a promotion
# https://launchpad.net/bugs/1884115
optional: true
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_keystone_listener.json:
command: /usr/bin/barbican-keystone-listener
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_worker.json:
command: /usr/bin/barbican-worker
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
when: step|int == 2
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]}
thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_configure_rfs: true
thales_client_ips: "{{thales_client_ips}}"
thales_hsm_ip_address: "{{thales_hsm_ip_address}}"
thales_hsm_config_location: "{{thales_hsm_config_location}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
roles:
- thales_hsm
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
if:
- thales_or_atos_or_lunasa_hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
when: step|int == 2
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: thales_hsm
vars:
map_merge:
- thales_install_client: true
- {get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
when: step|int == 2
block:
- include_role:
name: atos_hsm
vars:
{get_param: ATOSVars}
- null
-
if:
- lunasa_hsm_enabled
-
- name: Lunasa client install
when: step|int == 2
block:
- name: install the lunasa client
include_role:
name: lunasa_hsm
vars:
if:
- lunasa_hsm_use_fqdn
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: LunasaClientIPNetwork}
- name: set the slot id in hieradata
include_role:
name: tripleo_hieradata
tasks_from: ansible_hieradata.yml
vars:
hieradata_ansible_data:
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
when: lunasa_ha_slot is defined
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
net: host
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3:
map_merge:
- if:
- pkcs11_plugin_enabled
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_mkek --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "|| /usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm gen_mkek --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
- {}
- if:
- pkcs11_plugin_enabled
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "--mechanism"
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
- "'"
- {}
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 2
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 3
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
- barbican_api_secret_store_sync:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
- if:
- pkcs11_rewrap_pkeks
- barbican_api_rewrap_pkeks:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek"
- "'"
- {}
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: &kolla_env
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: ContainerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: ContainerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: *kolla_env
host_prep_tasks:
list_concat:
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
View Git Blame Copy Permalink