openstack/tripleo-heat-templates
Code Issues Proposed changes
643c3d25d9
tripleo-heat-templates/deployment/barbican/barbican-api-container-puppet.yaml
Takashi Kajinami 89fde273ea Add support for keystone_authtoken/memcache_use_advanced_pool 
This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.

Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939

(To Victoria)
Conflicts:
	deployment/aodh/aodh-api-container-puppet.yaml
	deployment/glance/glance-api-container-puppet.yaml
	deployment/gnocchi/gnocchi-api-container-puppet.yaml
	deployment/manila/manila-api-container-puppet.yaml
	deployment/nova/nova-api-container-puppet.yaml

Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
(cherry picked from commit 09bcacd25a)
(cherry picked from commit 9a89b9add6)
2021-06-25 07:44:11 +00:00

850 lines
34 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
OpenStack containerized Barbican API service
parameters:
ContainerBarbicanApiImage:
description: image
type: string
ContainerBarbicanConfigImage:
description: The container image to use for the barbican config_volume
type: string
ContainerBarbicanKeystoneListenerImage:
description: image
type: string
ContainerBarbicanWorkerImage:
description: image
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLunasaEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password (PIN) to login to PKCS#11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the PKCS#11 token to be used
type: string
default: '0'
BarbicanPkcs11CryptoTokenSerialNumber:
description: Serial number for PKCS#11 token to be used
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoRewrapKeys:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: boolean
default: false
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of thales_hsm role variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of atos-hsm role variables used to
install ATOS client software.
type: json
LunasaVars:
default: {}
description: Hash of lunasa-hsm role variables used to
install Lunasa client software.
type: json
LunasaClientIPNetwork:
description: >
(Optional) When set Barbican nodes will be registered with
the HSMs using the IP from this network instead of the FQDN.
type: string
default: ''
BarbicanPassword:
description: The password for the barbican service account.
type: string
hidden: true
BarbicanWorkers:
description: Set the number of workers for barbican::wsgi::apache
default: '%{::processorcount}'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
BarbicanDebug:
default: ''
description: Set to True to enable debugging Barbican service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
resources:
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
BarbicanApiLogging:
type: OS::TripleO::Services::Logging::BarbicanApi
BarbicanClient:
type: ./barbican-client-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
outputs:
role_data:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [BarbicanApiLogging, config_settings]
- apache::default_vhost: false
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
barbican::keystone::authtoken::interface: 'internal'
barbican::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
barbican::api::enable_queue: true
barbican::api::logging::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: BarbicanDebug }
barbican::api::notification_driver: {get_param: NotificationDriver}
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: barbican
password: {get_param: BarbicanPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /barbican
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: barbican
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
map_merge:
- get_attr: [BarbicanClient, role_data, service_config_settings]
- mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: barbican
puppet_tags: barbican_api_paste_ini,barbican_config
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::barbican::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerBarbicanConfigImage}
kolla_config:
/var/lib/kolla/config_files/barbican_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
# TODO(emilien) remove optional flag once we get a promotion
# https://launchpad.net/bugs/1884115
optional: true
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_keystone_listener.json:
command: /usr/bin/barbican-keystone-listener
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_worker.json:
command: /usr/bin/barbican-worker
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
when: step|int == 2
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
nshield_hsms: {get_param: [ThalesVars, nshield_hsms]}
- name: allow using legacy variables for backwards compatibility
set_fact:
nshield_hsms:
- name: Legacy variables HSM
ip: {get_param: [ThalesVars, thales_hsm_ip_address]}
when: nshield_hsms|length == 0
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_configure_rfs: true
thales_client_ips: "{{thales_client_ips}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
nshield_hsms: "{{nshield_hsms}}"
roles:
- thales_hsm
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
if:
- hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
when: step|int == 2
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: thales_hsm
vars:
map_merge:
- thales_install_client: true
- {get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
when: step|int == 2
block:
- include_role:
name: atos_hsm
vars:
{get_param: ATOSVars}
- null
-
if:
- lunasa_hsm_enabled
-
- name: Lunasa client install
when: step|int == 2
block:
- name: install the lunasa client
include_role:
name: lunasa_hsm
vars:
if:
- lunasa_hsm_use_fqdn
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- lunasa_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: LunasaClientIPNetwork}
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
net: host
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3:
map_merge:
- if:
- pkcs11_plugin_enabled
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "|| /usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm gen_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
- {}
- if:
- pkcs11_plugin_enabled
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_hmac --label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "'"
- {}
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 2
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 3
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
- barbican_api_secret_store_sync:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
- if:
- pkcs11_rewrap_pkeks
- barbican_api_rewrap_pkeks:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek"
- "'"
- {}
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: &kolla_env
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: ContainerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: ContainerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: *kolla_env
host_prep_tasks:
list_concat:
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
scale_tasks:
if:
- lunasa_hsm_enabled
-
- name: Remove HSM clients
when: step|int == 1
tags: down
block:
- name: Remove client from HSM
import_role:
name: lunasa_hsm
tasks_from: unregister_client
delegate_to: undercloud
vars:
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- client_name: "{{ fqdn_canonical }}"
- null
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop barbican api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- barbican_api
tripleo_delegate_to: "{{ groups['barbican_api'] | default([]) }}"
View Git Blame Copy Permalink