tripleo-heat-templates/deployment/barbican/barbican-api-container-puppet.yaml
ramishra b4203a30eb Change all *Debug parameter types to boolean
This changes all these parameters as heat would correctly
parse all values. Also, drops all yaql shenanigans
used for their handling and heat conditions.

Also fixes wrong usage of non-existent NeutronWrapperDebug
parameter in ovn-metadata-container-puppet.yaml.

We had converted all ``Debug`` parameters to boolean with
Ib6c3969d4dd75d5fb2cc274266c060acff8d5571.

Change-Id: Ia2bffffde34aa248a4cc60c3895464f1f9d1ded2
2021-03-30 08:29:10 +05:30

822 lines
33 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized Barbican API service
parameters:
ContainerBarbicanApiImage:
description: image
type: string
ContainerBarbicanConfigImage:
description: The container image to use for the barbican config_volume
type: string
ContainerBarbicanKeystoneListenerImage:
description: image
type: string
ContainerBarbicanWorkerImage:
description: image
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLunasaEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password (PIN) to login to PKCS#11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the PKCS#11 token to be used
type: string
default: '0'
BarbicanPkcs11CryptoTokenSerialNumber:
description: Serial number for PKCS#11 token to be used
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
type: string
default: ''
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoRewrapKeys:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: boolean
default: false
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of thales_hsm role variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of atos-hsm role variables used to
install ATOS client software.
type: json
LunasaVars:
default: {}
description: Hash of lunasa-hsm role variables used to
install Lunasa client software.
type: json
LunasaClientIPNetwork:
description: >
(Optional) When set Barbican nodes will be registered with
the HSMs using the IP from this network instead of the FQDN.
type: string
default: ''
BarbicanPassword:
description: The password for the barbican service account.
type: string
hidden: true
BarbicanWorkers:
description: Set the number of workers for barbican::wsgi::apache
default: '%{::processorcount}'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
BarbicanDebug:
default: false
description: Set to True to enable debugging Barbican service.
type: boolean
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
EnableInternalTLS:
type: boolean
default: false
BarbicanPolicies:
description: |
A hash of policies to configure for Barbican.
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
resources:
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
BarbicanApiLogging:
type: OS::TripleO::Services::Logging::BarbicanApi
BarbicanClient:
type: ./barbican-client-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
outputs:
role_data:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
keystone_resources:
barbican:
endpoints:
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
users:
barbican:
password: {get_param: BarbicanPassword}
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
- key-manager:service-admin
- creator
- observer
- audit
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [BarbicanApiLogging, config_settings]
- apache::default_vhost: false
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
barbican::keystone::authtoken::interface: 'internal'
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
barbican::api::db_auto_create: false
barbican::api::enabled_certificate_plugins: ['simple_certificate']
barbican::api::enable_queue: true
barbican::api::logging::debug:
if:
- {get_param: BarbicanDebug}
- true
- {get_param: Debug}
barbican::api::notification_driver: {get_param: NotificationDriver}
barbican::api::service_name: 'httpd'
barbican::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
barbican::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
barbican::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: barbican
password: {get_param: BarbicanPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /barbican
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: barbican
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
map_merge:
- get_attr: [BarbicanClient, role_data, service_config_settings]
- mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: barbican
puppet_tags: barbican_api_paste_ini,barbican_config
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::barbican::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerBarbicanConfigImage}
kolla_config:
/var/lib/kolla/config_files/barbican_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
# TODO(emilien) remove optional flag once we get a promotion
# https://launchpad.net/bugs/1884115
optional: true
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_keystone_listener.json:
command: /usr/bin/barbican-keystone-listener
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/barbican_worker.json:
command: /usr/bin/barbican-worker
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
when: step|int == 2
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
nshield_hsms: {get_param: [ThalesVars, nshield_hsms]}
- name: allow using legacy variables for backwards compatibility
set_fact:
nshield_hsms:
- name: Legacy variables HSM
ip: {get_param: [ThalesVars, thales_hsm_ip_address]}
when: nshield_hsms|length == 0
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_configure_rfs: true
thales_client_ips: "{{thales_client_ips}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
nshield_hsms: "{{nshield_hsms}}"
roles:
- thales_hsm
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- if:
- hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
when: step|int == 2
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: thales_hsm
vars:
map_merge:
- thales_install_client: true
- {get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
when: step|int == 2
block:
- include_role:
name: atos_hsm
vars:
{get_param: ATOSVars}
- null
-
if:
- lunasa_hsm_enabled
-
- name: Lunasa client install
when: step|int == 2
block:
- name: install the lunasa client
include_role:
name: lunasa_hsm
vars:
if:
- lunasa_hsm_use_fqdn
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: LunasaClientIPNetwork}
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
net: host
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3:
map_merge:
- if:
- pkcs11_plugin_enabled
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "|| /usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm gen_mkek --label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
- {}
- if:
- pkcs11_plugin_enabled
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_hmac --label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "'"
- {}
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 2
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 3
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
- barbican_api_secret_store_sync:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
- if:
- pkcs11_rewrap_pkeks
- barbican_api_rewrap_pkeks:
start_order: 4
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm rewrap_pkek"
- "'"
- {}
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: &kolla_env
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: ContainerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: ContainerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
-
if:
- lunasa_hsm_enabled
-
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- null
environment: *kolla_env
host_prep_tasks:
list_concat:
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
scale_tasks:
if:
- lunasa_hsm_enabled
-
- name: Remove HSM clients
when: step|int == 1
tags: down
block:
- name: Remove client from HSM
import_role:
name: lunasa_hsm
tasks_from: unregister_client
delegate_to: undercloud
vars:
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- client_name: "{{ fqdn_canonical }}"
- null
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop barbican api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- barbican_api
tripleo_delegate_to: "{{ groups['barbican_api'] | default([]) }}"