833 lines
36 KiB
YAML
833 lines
36 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Barbican API service
|
|
|
|
parameters:
|
|
ContainerBarbicanApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerBarbicanConfigImage:
|
|
description: The container image to use for the barbican config_volume
|
|
type: string
|
|
ContainerBarbicanKeystoneListenerImage:
|
|
description: image
|
|
type: string
|
|
ContainerBarbicanWorkerImage:
|
|
description: image
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
BarbicanPkcs11CryptoATOSEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoLunasaEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoThalesEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoLibraryPath:
|
|
description: Path to vendor PKCS11 library
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoLogin:
|
|
description: Password (PIN) to login to PKCS#11 session
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
BarbicanPkcs11CryptoMKEKLabel:
|
|
description: Label for Master KEK
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoHMACLabel:
|
|
description: Label for the HMAC key
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoSlotId:
|
|
description: Slot Id for the PKCS#11 token to be used
|
|
type: string
|
|
default: '0'
|
|
BarbicanPkcs11CryptoTokenSerialNumber:
|
|
description: Serial number for PKCS#11 token to be used
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoTokenLabel:
|
|
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoTokenLabels:
|
|
description: List of comma separated labels for the tokens to be used.
|
|
This is typically a single label, but some devices may require
|
|
more than one label for Load Balancing and High Availability
|
|
configurations.
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoHMACKeyType:
|
|
description: Cryptoki Key Type for Master HMAC key
|
|
type: string
|
|
default: 'CKK_AES'
|
|
BarbicanPkcs11CryptoHMACKeygenMechanism:
|
|
description: Cryptoki Mechanism used to generate Master HMAC Key
|
|
type: string
|
|
default: 'CKM_AES_KEY_GEN'
|
|
BarbicanPkcs11CryptoRewrapKeys:
|
|
description: Cryptoki Mechanism used to generate Master HMAC Key
|
|
type: boolean
|
|
default: false
|
|
ThalesHSMNetworkName:
|
|
description: The network that the HSM is listening on.
|
|
type: string
|
|
default: 'internal_api'
|
|
ThalesVars:
|
|
default: {}
|
|
description: Hash of thales_hsm role variables used to
|
|
install Thales client software.
|
|
type: json
|
|
ATOSVars:
|
|
default: {}
|
|
description: Hash of atos-hsm role variables used to
|
|
install ATOS client software.
|
|
type: json
|
|
LunasaVars:
|
|
default: {}
|
|
description: Hash of lunasa-hsm role variables used to
|
|
install Lunasa client software.
|
|
type: json
|
|
LunasaClientIPNetwork:
|
|
description: >
|
|
(Optional) When set Barbican nodes will be registered with
|
|
the HSMs using the IP from this network instead of the FQDN.
|
|
type: string
|
|
default: ''
|
|
BarbicanPassword:
|
|
description: The password for the barbican service account.
|
|
type: string
|
|
hidden: true
|
|
BarbicanWorkers:
|
|
description: Set the number of workers for barbican::wsgi::apache
|
|
default: '%{::processorcount}'
|
|
type: string
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
BarbicanDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Barbican service.
|
|
type: boolean
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPolicies:
|
|
description: |
|
|
A hash of policies to configure for Barbican.
|
|
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
NotificationDriver:
|
|
type: comma_delimited_list
|
|
default: 'noop'
|
|
description: Driver or drivers to handle sending notifications.
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
|
|
conditions:
|
|
hsm_enabled:
|
|
or:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
|
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
|
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
|
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
|
|
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
|
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
|
# will use the Controller's IP address from that network instead.
|
|
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
|
|
|
|
resources:
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
BarbicanApiLogging:
|
|
type: OS::TripleO::Services::Logging::BarbicanApi
|
|
|
|
BarbicanClient:
|
|
type: ./barbican-client-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Barbican API role.
|
|
value:
|
|
service_name: barbican_api
|
|
firewall_rules:
|
|
'117 barbican':
|
|
dport:
|
|
- 9311
|
|
- 13311
|
|
keystone_resources:
|
|
barbican:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
|
|
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
|
|
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
|
|
users:
|
|
barbican:
|
|
password: {get_param: BarbicanPassword}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'key-manager'
|
|
roles:
|
|
- key-manager:service-admin
|
|
- creator
|
|
- observer
|
|
- audit
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- get_attr: [BarbicanApiLogging, config_settings]
|
|
- apache::default_vhost: false
|
|
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
|
|
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
barbican::keystone::authtoken::project_name: 'service'
|
|
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
barbican::keystone::authtoken::interface: 'internal'
|
|
barbican::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
barbican::keystone::notification::enable_keystone_notification: True
|
|
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
|
|
barbican::policy::policies: {get_param: BarbicanPolicies}
|
|
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
|
|
barbican::api::db_auto_create: false
|
|
barbican::api::enabled_certificate_plugins: ['simple_certificate']
|
|
barbican::api::enable_queue: true
|
|
barbican::api::logging::debug:
|
|
if:
|
|
- {get_param: BarbicanDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
barbican::api::notification_driver: {get_param: NotificationDriver}
|
|
barbican::api::service_name: 'httpd'
|
|
barbican::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
|
|
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
|
|
barbican::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
|
|
barbican::db::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: barbican
|
|
password: {get_param: BarbicanPassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /barbican
|
|
query:
|
|
if:
|
|
- {get_param: EnableSQLAlchemyCollectd}
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
plugin: collectd
|
|
collectd_program_name: barbican
|
|
collectd_host: localhost
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [BarbicanClient, role_data, service_config_settings]
|
|
- mysql:
|
|
barbican::db::mysql::password: {get_param: BarbicanPassword}
|
|
barbican::db::mysql::user: barbican
|
|
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
barbican::db::mysql::dbname: barbican
|
|
barbican::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
keystone:
|
|
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: barbican
|
|
puppet_tags: barbican_api_paste_ini,barbican_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::barbican::api"
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerBarbicanConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/barbican_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/barbican_keystone_listener.json:
|
|
command: /usr/bin/barbican-keystone-listener
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/barbican_worker.json:
|
|
command: /usr/bin/barbican-worker
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/barbican_api_db_sync.json:
|
|
command:
|
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
|
# final single quote that's part of the list_join.
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "db upgrade"
|
|
- "'"
|
|
config_files: &barbican_api_create_config_files
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/barbican_api_create_mkek.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm check_mkek --label"
|
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
|
- "|| /usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm gen_mkek --label"
|
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
|
- "'"
|
|
config_files: *barbican_api_create_config_files
|
|
/var/lib/kolla/config_files/barbican_api_create_hmac.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm check_hmac --label"
|
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
|
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
|
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
|
- "'"
|
|
config_files: *barbican_api_create_config_files
|
|
/var/lib/kolla/config_files/barbican_api_update_rfs_server.json:
|
|
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
|
config_files: *barbican_api_create_config_files
|
|
/var/lib/kolla/config_files/barbican_api_get_from_rfs.json:
|
|
command: "/opt/nfast/bin/rfs-sync --update"
|
|
config_files: *barbican_api_create_config_files
|
|
/var/lib/kolla/config_files/barbican_api_secret_store_sync.json:
|
|
command:
|
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
|
# final single quote that's part of the list_join.
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "db sync_secret_stores --verbose"
|
|
- "'"
|
|
config_files: *barbican_api_create_config_files
|
|
/var/lib/kolla/config_files/barbican_api_rewrap_pkeks.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm rewrap_pkek"
|
|
- "'"
|
|
config_files: *barbican_api_create_config_files
|
|
external_deploy_tasks:
|
|
if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- - name: Add ip addresses to the RFS server
|
|
when: step|int == 2
|
|
block:
|
|
- name: get the ip addresses for the barbican nodes
|
|
set_fact:
|
|
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
|
|
thales_client_ips:
|
|
str_replace:
|
|
template: >-
|
|
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
|
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
|
|
{%- endfor %}
|
|
params:
|
|
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
|
thales_bootstrap_client_ip:
|
|
str_replace:
|
|
template: >-
|
|
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
|
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
|
|
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
|
|
{%- endif %}
|
|
{%- endfor %}
|
|
params:
|
|
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
|
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
|
|
nshield_hsms: {get_param: [ThalesVars, nshield_hsms]}
|
|
|
|
- name: allow using legacy variables for backwards compatibility
|
|
set_fact:
|
|
nshield_hsms:
|
|
- name: Legacy variables HSM
|
|
ip: {get_param: [ThalesVars, thales_hsm_ip_address]}
|
|
when: nshield_hsms|length == 0
|
|
|
|
- name: set playbook vars
|
|
set_fact:
|
|
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
|
|
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
|
|
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
|
|
|
|
- name: creating working directory
|
|
file:
|
|
path: "{{thales_rfs_playbook_dir}}"
|
|
state: directory
|
|
|
|
- name: generate an inventory
|
|
copy:
|
|
dest: "{{thales_rfs_inventory}}"
|
|
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
|
|
|
|
- name: write SSH key to file
|
|
copy:
|
|
dest: "{{thales_rfs_keyfile}}"
|
|
content: {get_param: [ThalesVars, thales_rfs_key]}
|
|
mode: 0400
|
|
|
|
- name: generate playbook to run
|
|
copy:
|
|
dest: "{{thales_rfs_playbook}}"
|
|
content: |
|
|
---
|
|
- hosts: all
|
|
remote_user: "{{thales_rfs_user}}"
|
|
vars:
|
|
thales_configure_rfs: true
|
|
thales_client_ips: "{{thales_client_ips}}"
|
|
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
|
|
nshield_hsms: "{{nshield_hsms}}"
|
|
roles:
|
|
- thales_hsm
|
|
|
|
- name: call ansible on rfs server
|
|
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
|
|
|
|
- name: clean up working directory
|
|
file:
|
|
path: "{{thales_rfs_playbook_dir}}"
|
|
state: absent
|
|
deploy_steps_tasks:
|
|
list_concat:
|
|
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
- if:
|
|
- hsm_enabled
|
|
- list_concat:
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- - name: Thales client install
|
|
when: step|int == 2
|
|
block:
|
|
- set_fact:
|
|
my_thales_client_ip:
|
|
str_replace:
|
|
template:
|
|
"{{$NETWORK_ip}}"
|
|
params:
|
|
$NETWORK: {get_param: ThalesHSMNetworkName}
|
|
- include_role:
|
|
name: thales_hsm
|
|
vars:
|
|
map_merge:
|
|
- thales_install_client: true
|
|
- {get_param: ThalesVars}
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
|
- - name: ATOS client install
|
|
when: step|int == 2
|
|
block:
|
|
- include_role:
|
|
name: atos_hsm
|
|
vars:
|
|
{get_param: ATOSVars}
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
|
- - name: Lunasa client install
|
|
when: step|int == 2
|
|
block:
|
|
- name: install the lunasa client
|
|
include_role:
|
|
name: lunasa_hsm
|
|
vars:
|
|
if:
|
|
- lunasa_hsm_use_fqdn
|
|
- map_merge:
|
|
- {get_param: LunasaVars}
|
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
|
- if:
|
|
- pkcs11_tokens_unset
|
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
|
- map_merge:
|
|
- {get_param: LunasaVars}
|
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
|
- if:
|
|
- pkcs11_tokens_unset
|
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
|
- lunasa_client_ip:
|
|
str_replace:
|
|
template:
|
|
"{{$NETWORK_ip}}"
|
|
params:
|
|
$NETWORK: {get_param: LunasaClientIPNetwork}
|
|
docker_config:
|
|
# db sync runs before permissions set by kolla_config
|
|
step_2:
|
|
map_merge:
|
|
- get_attr: [BarbicanApiLogging, docker_config, step_2]
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
|
- barbican_init_atos_directory:
|
|
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
|
|
net: host
|
|
user: root
|
|
volumes:
|
|
- /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
|
|
- {}
|
|
step_3:
|
|
map_merge:
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoEnabled}
|
|
- barbican_api_create_mkek:
|
|
start_order: 0
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: &barbican_api_common_volumes
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
- - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
- /opt/nfast:/opt/nfast
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
|
- - /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
|
- - /var/lib/kolla/config_files/barbican_api_create_mkek.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoEnabled}
|
|
- barbican_api_create_hmac:
|
|
start_order: 0
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: *barbican_api_common_volumes
|
|
- - /var/lib/kolla/config_files/barbican_api_create_hmac.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
- {}
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
|
start_order: 1
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: *barbican_api_common_volumes
|
|
- - /var/lib/kolla/config_files/barbican_api_update_rfs_server.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
|
start_order: 2
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: *barbican_api_common_volumes
|
|
- - /var/lib/kolla/config_files/barbican_api_get_from_rfs.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
- barbican_api_db_sync:
|
|
start_order: 3
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: *barbican_api_common_volumes
|
|
- - /var/lib/kolla/config_files/barbican_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- barbican_api_secret_store_sync:
|
|
start_order: 4
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: *barbican_api_common_volumes
|
|
- - /var/lib/kolla/config_files/barbican_api_secret_store_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoRewrapKeys}
|
|
- barbican_api_rewrap_pkeks:
|
|
start_order: 4
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- list_concat: *barbican_api_common_volumes
|
|
- - /var/lib/kolla/config_files/barbican_api_rewrap_pkeks.json:/var/lib/kolla/config_files/config.json:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
- barbican_api:
|
|
# NOTE(alee): Barbican should start after keystone processes
|
|
start_order: 5
|
|
image: *barbican_api_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
user: root
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
- /opt/nfast:/opt/nfast
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
|
- - /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
|
environment: &kolla_env
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- barbican_keystone_listener:
|
|
start_order: 6
|
|
image: {get_param: ContainerBarbicanKeystoneListenerImage}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
user: barbican
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
environment: *kolla_env
|
|
- barbican_worker:
|
|
start_order: 7
|
|
image: {get_param: ContainerBarbicanWorkerImage}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
user: barbican
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
|
|
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
- /opt/nfast:/opt/nfast
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
|
|
- - /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
- if:
|
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
|
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
|
environment: *kolla_env
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
|
- - name: enable virt_sandbox_use_netlink for healthcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
scale_tasks:
|
|
if:
|
|
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
|
|
- - name: Remove HSM clients
|
|
when: step|int == 1
|
|
tags: down
|
|
block:
|
|
- name: Remove client from HSM
|
|
import_role:
|
|
name: lunasa_hsm
|
|
tasks_from: unregister_client
|
|
delegate_to: undercloud
|
|
vars:
|
|
- map_merge:
|
|
- {get_param: LunasaVars}
|
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
|
- client_name: "{{ fqdn_canonical }}"
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop barbican api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- barbican_api
|
|
tripleo_delegate_to: "{{ groups['barbican_api'] | default([]) }}"
|