tripleo-heat-templates/deployment/barbican/barbican-api-container-puppet.yaml

833 lines
36 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Barbican API service
parameters:
ContainerBarbicanApiImage:
description: image
type: string
ContainerBarbicanConfigImage:
description: The container image to use for the barbican config_volume
type: string
ContainerBarbicanKeystoneListenerImage:
description: image
type: string
ContainerBarbicanWorkerImage:
description: image
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLunasaEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password (PIN) to login to PKCS#11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the PKCS#11 token to be used
type: string
default: '0'
BarbicanPkcs11CryptoTokenSerialNumber:
description: Serial number for PKCS#11 token to be used
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoRewrapKeys:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: boolean
default: false
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of thales_hsm role variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of atos-hsm role variables used to
install ATOS client software.
type: json
LunasaVars:
default: {}
description: Hash of lunasa-hsm role variables used to
install Lunasa client software.
type: json
LunasaClientIPNetwork:
description: >
(Optional) When set Barbican nodes will be registered with
the HSMs using the IP from this network instead of the FQDN.
type: string
default: ''
BarbicanPassword:
description: The password for the barbican service account.
type: string
hidden: true
BarbicanWorkers:
description: Set the number of workers for barbican::wsgi::apache
default: '%{::processorcount}'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
BarbicanDebug:
default: false
description: Set to True to enable debugging Barbican service.
type: boolean
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
hsm_enabled:
or:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
resources:
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
BarbicanApiLogging:
type: OS::TripleO::Services::Logging::BarbicanApi
BarbicanClient:
type: ./barbican-client-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
outputs:
role_data:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [BarbicanApiLogging, config_settings]
- apache::default_vhost: false
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
barbican::keystone::authtoken::interface: 'internal'
barbican::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
barbican::api::enable_queue: true
barbican::api::logging::debug:
if:
- {get_param: BarbicanDebug}
- true
- {get_param: Debug}
barbican::api::notification_driver: {get_param: NotificationDriver}
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: barbican
password: {get_param: BarbicanPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /barbican
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: barbican
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
map_merge:
- get_attr: [BarbicanClient, role_data, service_config_settings]
- mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: barbican
puppet_tags: barbican_api_paste_ini,barbican_config
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::barbican::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerBarbicanConfigImage}
kolla_config:
/var/lib/kolla/config_files/barbican_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_keystone_listener.json:
command: /usr/bin/barbican-keystone-listener
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_worker.json:
command: /usr/bin/barbican-worker
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_api_db_sync.json:
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
config_files: &barbican_api_create_config_files
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_api_create_mkek.json:
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "|| /usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm gen_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
config_files: *barbican_api_create_config_files
/var/lib/kolla/config_files/barbican_api_create_hmac.json:
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_hmac --label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "'"
config_files: *barbican_api_create_config_files
/var/lib/kolla/config_files/barbican_api_update_rfs_server.json:
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
config_files: *barbican_api_create_config_files
/var/lib/kolla/config_files/barbican_api_get_from_rfs.json:
command: "/opt/nfast/bin/rfs-sync --update"
config_files: *barbican_api_create_config_files
/var/lib/kolla/config_files/barbican_api_secret_store_sync.json:
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
config_files: *barbican_api_create_config_files
/var/lib/kolla/config_files/barbican_api_rewrap_pkeks.json:
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek"
- "'"
config_files: *barbican_api_create_config_files
external_deploy_tasks:
if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - name: Add ip addresses to the RFS server
when: step|int == 2
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
nshield_hsms: {get_param: [ThalesVars, nshield_hsms]}
- name: allow using legacy variables for backwards compatibility
set_fact:
nshield_hsms:
- name: Legacy variables HSM
ip: {get_param: [ThalesVars, thales_hsm_ip_address]}
when: nshield_hsms|length == 0
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_configure_rfs: true
thales_client_ips: "{{thales_client_ips}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
nshield_hsms: "{{nshield_hsms}}"
roles:
- thales_hsm
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
deploy_steps_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- if:
- hsm_enabled
- list_concat:
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - name: Thales client install
when: step|int == 2
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: thales_hsm
vars:
map_merge:
- thales_install_client: true
- {get_param: ThalesVars}
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - name: ATOS client install
when: step|int == 2
block:
- include_role:
name: atos_hsm
vars:
{get_param: ATOSVars}
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - name: Lunasa client install
when: step|int == 2
block:
- name: install the lunasa client
include_role:
name: lunasa_hsm
vars:
if:
- lunasa_hsm_use_fqdn
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- lunasa_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: LunasaClientIPNetwork}
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
net: host
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3:
map_merge:
- if:
- {get_param: BarbicanPkcs11CryptoEnabled}
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: &barbican_api_common_volumes
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
- - /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- - /var/lib/kolla/config_files/barbican_api_create_mkek.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
- if:
- {get_param: BarbicanPkcs11CryptoEnabled}
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: *barbican_api_common_volumes
- - /var/lib/kolla/config_files/barbican_api_create_hmac.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
- {}
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: *barbican_api_common_volumes
- - /var/lib/kolla/config_files/barbican_api_update_rfs_server.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 2
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: *barbican_api_common_volumes
- - /var/lib/kolla/config_files/barbican_api_get_from_rfs.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
- barbican_api_db_sync:
start_order: 3
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: *barbican_api_common_volumes
- - /var/lib/kolla/config_files/barbican_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_api_secret_store_sync:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: *barbican_api_common_volumes
- - /var/lib/kolla/config_files/barbican_api_secret_store_sync.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- if:
- {get_param: BarbicanPkcs11CryptoRewrapKeys}
- barbican_api_rewrap_pkeks:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes:
list_concat:
- list_concat: *barbican_api_common_volumes
- - /var/lib/kolla/config_files/barbican_api_rewrap_pkeks.json:/var/lib/kolla/config_files/config.json:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
environment: &kolla_env
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: ContainerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: ContainerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
- - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: BarbicanPkcs11CryptoThalesEnabled}
- - /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- if:
- {get_param: BarbicanPkcs11CryptoATOSEnabled}
- - /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
environment: *kolla_env
host_prep_tasks:
list_concat:
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
scale_tasks:
if:
- {get_param: BarbicanPkcs11CryptoLunasaEnabled}
- - name: Remove HSM clients
when: step|int == 1
tags: down
block:
- name: Remove client from HSM
import_role:
name: lunasa_hsm
tasks_from: unregister_client
delegate_to: undercloud
vars:
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- client_name: "{{ fqdn_canonical }}"
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop barbican api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- barbican_api
tripleo_delegate_to: "{{ groups['barbican_api'] | default([]) }}"