b4203a30eb
This changes all these parameters as heat would correctly parse all values. Also, drops all yaql shenanigans used for their handling and heat conditions. Also fixes wrong usage of non-existent NeutronWrapperDebug parameter in ovn-metadata-container-puppet.yaml. We had converted all ``Debug`` parameters to boolean with Ib6c3969d4dd75d5fb2cc274266c060acff8d5571. Change-Id: Ia2bffffde34aa248a4cc60c3895464f1f9d1ded2
822 lines
33 KiB
YAML
822 lines
33 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Barbican API service
|
|
|
|
parameters:
|
|
ContainerBarbicanApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerBarbicanConfigImage:
|
|
description: The container image to use for the barbican config_volume
|
|
type: string
|
|
ContainerBarbicanKeystoneListenerImage:
|
|
description: image
|
|
type: string
|
|
ContainerBarbicanWorkerImage:
|
|
description: image
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
BarbicanPkcs11CryptoATOSEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoLunasaEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoThalesEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoEnabled:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPkcs11CryptoLibraryPath:
|
|
description: Path to vendor PKCS11 library
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoLogin:
|
|
description: Password (PIN) to login to PKCS#11 session
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
BarbicanPkcs11CryptoMKEKLabel:
|
|
description: Label for Master KEK
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoHMACLabel:
|
|
description: Label for the HMAC key
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoSlotId:
|
|
description: Slot Id for the PKCS#11 token to be used
|
|
type: string
|
|
default: '0'
|
|
BarbicanPkcs11CryptoTokenSerialNumber:
|
|
description: Serial number for PKCS#11 token to be used
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoTokenLabel:
|
|
description: Label for PKCS#11 token to be used
|
|
type: string
|
|
default: ''
|
|
BarbicanPkcs11CryptoHMACKeyType:
|
|
description: Cryptoki Key Type for Master HMAC key
|
|
type: string
|
|
default: 'CKK_AES'
|
|
BarbicanPkcs11CryptoHMACKeygenMechanism:
|
|
description: Cryptoki Mechanism used to generate Master HMAC Key
|
|
type: string
|
|
default: 'CKM_AES_KEY_GEN'
|
|
BarbicanPkcs11CryptoRewrapKeys:
|
|
description: Cryptoki Mechanism used to generate Master HMAC Key
|
|
type: boolean
|
|
default: false
|
|
ThalesHSMNetworkName:
|
|
description: The network that the HSM is listening on.
|
|
type: string
|
|
default: 'internal_api'
|
|
ThalesVars:
|
|
default: {}
|
|
description: Hash of thales_hsm role variables used to
|
|
install Thales client software.
|
|
type: json
|
|
ATOSVars:
|
|
default: {}
|
|
description: Hash of atos-hsm role variables used to
|
|
install ATOS client software.
|
|
type: json
|
|
LunasaVars:
|
|
default: {}
|
|
description: Hash of lunasa-hsm role variables used to
|
|
install Lunasa client software.
|
|
type: json
|
|
LunasaClientIPNetwork:
|
|
description: >
|
|
(Optional) When set Barbican nodes will be registered with
|
|
the HSMs using the IP from this network instead of the FQDN.
|
|
type: string
|
|
default: ''
|
|
BarbicanPassword:
|
|
description: The password for the barbican service account.
|
|
type: string
|
|
hidden: true
|
|
BarbicanWorkers:
|
|
description: Set the number of workers for barbican::wsgi::apache
|
|
default: '%{::processorcount}'
|
|
type: string
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
BarbicanDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Barbican service.
|
|
type: boolean
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
BarbicanPolicies:
|
|
description: |
|
|
A hash of policies to configure for Barbican.
|
|
e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
NotificationDriver:
|
|
type: comma_delimited_list
|
|
default: 'noop'
|
|
description: Driver or drivers to handle sending notifications.
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
|
|
conditions:
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
|
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
|
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
|
|
hsm_enabled:
|
|
or:
|
|
- thales_hsm_enabled
|
|
- atos_hsm_enabled
|
|
- lunasa_hsm_enabled
|
|
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
|
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
|
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
|
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
|
# will use the Controller's IP address from that network instead.
|
|
lunasa_hsm_use_fqdn: {equals: [{get_param: LunasaClientIPNetwork}, '']}
|
|
|
|
resources:
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
BarbicanApiLogging:
|
|
type: OS::TripleO::Services::Logging::BarbicanApi
|
|
|
|
BarbicanClient:
|
|
type: ./barbican-client-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Barbican API role.
|
|
value:
|
|
service_name: barbican_api
|
|
firewall_rules:
|
|
'117 barbican':
|
|
dport:
|
|
- 9311
|
|
- 13311
|
|
keystone_resources:
|
|
barbican:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, BarbicanPublic, uri]}
|
|
internal: {get_param: [EndpointMap, BarbicanInternal, uri]}
|
|
admin: {get_param: [EndpointMap, BarbicanAdmin, uri]}
|
|
users:
|
|
barbican:
|
|
password: {get_param: BarbicanPassword}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'key-manager'
|
|
roles:
|
|
- key-manager:service-admin
|
|
- creator
|
|
- observer
|
|
- audit
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- get_attr: [BarbicanApiLogging, config_settings]
|
|
- apache::default_vhost: false
|
|
barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
|
|
barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
barbican::keystone::authtoken::project_name: 'service'
|
|
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
barbican::keystone::authtoken::interface: 'internal'
|
|
barbican::keystone::notification::enable_keystone_notification: True
|
|
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
|
|
barbican::policy::policies: {get_param: BarbicanPolicies}
|
|
barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
|
|
barbican::api::db_auto_create: false
|
|
barbican::api::enabled_certificate_plugins: ['simple_certificate']
|
|
barbican::api::enable_queue: true
|
|
barbican::api::logging::debug:
|
|
if:
|
|
- {get_param: BarbicanDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
barbican::api::notification_driver: {get_param: NotificationDriver}
|
|
barbican::api::service_name: 'httpd'
|
|
barbican::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
|
|
barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
|
|
barbican::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
|
|
barbican::db::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: barbican
|
|
password: {get_param: BarbicanPassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /barbican
|
|
query:
|
|
if:
|
|
- enable_sqlalchemy_collectd
|
|
-
|
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
plugin: collectd
|
|
collectd_program_name: barbican
|
|
collectd_host: localhost
|
|
-
|
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [BarbicanClient, role_data, service_config_settings]
|
|
- mysql:
|
|
barbican::db::mysql::password: {get_param: BarbicanPassword}
|
|
barbican::db::mysql::user: barbican
|
|
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
barbican::db::mysql::dbname: barbican
|
|
barbican::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
keystone:
|
|
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: barbican
|
|
puppet_tags: barbican_api_paste_ini,barbican_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::barbican::api"
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerBarbicanConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/barbican_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
# TODO(emilien) remove optional flag once we get a promotion
|
|
# https://launchpad.net/bugs/1884115
|
|
optional: true
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/barbican_keystone_listener.json:
|
|
command: /usr/bin/barbican-keystone-listener
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/barbican_worker.json:
|
|
command: /usr/bin/barbican-worker
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
external_deploy_tasks:
|
|
if:
|
|
- thales_hsm_enabled
|
|
-
|
|
- name: Add ip addresses to the RFS server
|
|
when: step|int == 2
|
|
block:
|
|
- name: get the ip addresses for the barbican nodes
|
|
set_fact:
|
|
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
|
|
thales_client_ips:
|
|
str_replace:
|
|
template: >-
|
|
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
|
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
|
|
{%- endfor %}
|
|
params:
|
|
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
|
thales_bootstrap_client_ip:
|
|
str_replace:
|
|
template: >-
|
|
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
|
|
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
|
|
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
|
|
{%- endif %}
|
|
{%- endfor %}
|
|
params:
|
|
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
|
|
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
|
|
nshield_hsms: {get_param: [ThalesVars, nshield_hsms]}
|
|
|
|
- name: allow using legacy variables for backwards compatibility
|
|
set_fact:
|
|
nshield_hsms:
|
|
- name: Legacy variables HSM
|
|
ip: {get_param: [ThalesVars, thales_hsm_ip_address]}
|
|
when: nshield_hsms|length == 0
|
|
|
|
- name: set playbook vars
|
|
set_fact:
|
|
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
|
|
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
|
|
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
|
|
|
|
- name: creating working directory
|
|
file:
|
|
path: "{{thales_rfs_playbook_dir}}"
|
|
state: directory
|
|
|
|
- name: generate an inventory
|
|
copy:
|
|
dest: "{{thales_rfs_inventory}}"
|
|
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
|
|
|
|
- name: write SSH key to file
|
|
copy:
|
|
dest: "{{thales_rfs_keyfile}}"
|
|
content: {get_param: [ThalesVars, thales_rfs_key]}
|
|
mode: 0400
|
|
|
|
- name: generate playbook to run
|
|
copy:
|
|
dest: "{{thales_rfs_playbook}}"
|
|
content: |
|
|
---
|
|
- hosts: all
|
|
remote_user: "{{thales_rfs_user}}"
|
|
vars:
|
|
thales_configure_rfs: true
|
|
thales_client_ips: "{{thales_client_ips}}"
|
|
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
|
|
nshield_hsms: "{{nshield_hsms}}"
|
|
roles:
|
|
- thales_hsm
|
|
|
|
- name: call ansible on rfs server
|
|
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
|
|
|
|
- name: clean up working directory
|
|
file:
|
|
path: "{{thales_rfs_playbook_dir}}"
|
|
state: absent
|
|
- null
|
|
deploy_steps_tasks:
|
|
list_concat:
|
|
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
- if:
|
|
- hsm_enabled
|
|
- list_concat:
|
|
-
|
|
if:
|
|
- thales_hsm_enabled
|
|
-
|
|
- name: Thales client install
|
|
when: step|int == 2
|
|
block:
|
|
- set_fact:
|
|
my_thales_client_ip:
|
|
str_replace:
|
|
template:
|
|
"{{$NETWORK_ip}}"
|
|
params:
|
|
$NETWORK: {get_param: ThalesHSMNetworkName}
|
|
- include_role:
|
|
name: thales_hsm
|
|
vars:
|
|
map_merge:
|
|
- thales_install_client: true
|
|
- {get_param: ThalesVars}
|
|
- null
|
|
-
|
|
if:
|
|
- atos_hsm_enabled
|
|
-
|
|
- name: ATOS client install
|
|
when: step|int == 2
|
|
block:
|
|
- include_role:
|
|
name: atos_hsm
|
|
vars:
|
|
{get_param: ATOSVars}
|
|
- null
|
|
-
|
|
if:
|
|
- lunasa_hsm_enabled
|
|
-
|
|
- name: Lunasa client install
|
|
when: step|int == 2
|
|
block:
|
|
- name: install the lunasa client
|
|
include_role:
|
|
name: lunasa_hsm
|
|
vars:
|
|
if:
|
|
- lunasa_hsm_use_fqdn
|
|
- map_merge:
|
|
- {get_param: LunasaVars}
|
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
|
- map_merge:
|
|
- {get_param: LunasaVars}
|
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
|
- lunasa_client_ip:
|
|
str_replace:
|
|
template:
|
|
"{{$NETWORK_ip}}"
|
|
params:
|
|
$NETWORK: {get_param: LunasaClientIPNetwork}
|
|
- null
|
|
- null
|
|
docker_config:
|
|
# db sync runs before permissions set by kolla_config
|
|
step_2:
|
|
map_merge:
|
|
- get_attr: [BarbicanApiLogging, docker_config, step_2]
|
|
- if:
|
|
- atos_hsm_enabled
|
|
- barbican_init_atos_directory:
|
|
image: &barbican_api_image {get_param: ContainerBarbicanApiImage}
|
|
net: host
|
|
user: root
|
|
volumes:
|
|
- /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
|
|
- {}
|
|
step_3:
|
|
map_merge:
|
|
- if:
|
|
- pkcs11_plugin_enabled
|
|
- barbican_api_create_mkek:
|
|
start_order: 0
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: &barbican_api_volumes
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
-
|
|
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
|
|
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
|
-
|
|
if:
|
|
- thales_hsm_enabled
|
|
-
|
|
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
- /opt/nfast:/opt/nfast
|
|
- null
|
|
-
|
|
if:
|
|
- atos_hsm_enabled
|
|
-
|
|
- /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
- null
|
|
-
|
|
if:
|
|
- lunasa_hsm_enabled
|
|
-
|
|
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
|
- null
|
|
environment:
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm check_mkek --label"
|
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
|
- "|| /usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm gen_mkek --label"
|
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
|
- "'"
|
|
- {}
|
|
- if:
|
|
- pkcs11_plugin_enabled
|
|
- barbican_api_create_hmac:
|
|
start_order: 0
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: *barbican_api_volumes
|
|
environment:
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm check_hmac --label"
|
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
|
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
|
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
|
- "'"
|
|
- {}
|
|
- if:
|
|
- thales_hsm_enabled
|
|
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
|
|
start_order: 1
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: *barbican_api_volumes
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
|
|
- {}
|
|
- if:
|
|
- thales_hsm_enabled
|
|
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
|
|
start_order: 2
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: *barbican_api_volumes
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
command: "/opt/nfast/bin/rfs-sync --update"
|
|
- {}
|
|
- barbican_api_db_sync:
|
|
start_order: 3
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: *barbican_api_volumes
|
|
command:
|
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
|
# final single quote that's part of the list_join.
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "db upgrade"
|
|
- "'"
|
|
- barbican_api_secret_store_sync:
|
|
start_order: 4
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: *barbican_api_volumes
|
|
command:
|
|
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
|
|
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
|
|
# final single quote that's part of the list_join.
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "db sync_secret_stores --verbose"
|
|
- "'"
|
|
- if:
|
|
- pkcs11_rewrap_pkeks
|
|
- barbican_api_rewrap_pkeks:
|
|
start_order: 4
|
|
image: *barbican_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes: *barbican_api_volumes
|
|
environment:
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
|
- "hsm rewrap_pkek"
|
|
- "'"
|
|
- {}
|
|
- barbican_api:
|
|
# NOTE(alee): Barbican should start after keystone processes
|
|
start_order: 5
|
|
image: *barbican_api_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
user: root
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
-
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- null
|
|
-
|
|
if:
|
|
- thales_hsm_enabled
|
|
-
|
|
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
- /opt/nfast:/opt/nfast
|
|
- null
|
|
-
|
|
if:
|
|
- atos_hsm_enabled
|
|
-
|
|
- /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
- null
|
|
-
|
|
if:
|
|
- lunasa_hsm_enabled
|
|
-
|
|
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
|
- null
|
|
environment: &kolla_env
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- barbican_keystone_listener:
|
|
start_order: 6
|
|
image: {get_param: ContainerBarbicanKeystoneListenerImage}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
user: barbican
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
environment: *kolla_env
|
|
- barbican_worker:
|
|
start_order: 7
|
|
image: {get_param: ContainerBarbicanWorkerImage}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
user: barbican
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [BarbicanApiLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/barbican:/var/lib/kolla/config_files/src:ro
|
|
-
|
|
if:
|
|
- thales_hsm_enabled
|
|
-
|
|
- /lib64/libnsl.so.1:/lib64/libnsl.so.1
|
|
- /opt/nfast:/opt/nfast
|
|
- null
|
|
-
|
|
if:
|
|
- atos_hsm_enabled
|
|
-
|
|
- /etc/proteccio:/etc/proteccio
|
|
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
|
- null
|
|
-
|
|
if:
|
|
- lunasa_hsm_enabled
|
|
-
|
|
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
|
|
- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
|
|
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
|
|
- null
|
|
environment: *kolla_env
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
|
- - name: enable virt_sandbox_use_netlink for healthcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
scale_tasks:
|
|
if:
|
|
- lunasa_hsm_enabled
|
|
-
|
|
- name: Remove HSM clients
|
|
when: step|int == 1
|
|
tags: down
|
|
block:
|
|
- name: Remove client from HSM
|
|
import_role:
|
|
name: lunasa_hsm
|
|
tasks_from: unregister_client
|
|
delegate_to: undercloud
|
|
vars:
|
|
- map_merge:
|
|
- {get_param: LunasaVars}
|
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
|
- client_name: "{{ fqdn_canonical }}"
|
|
- null
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop barbican api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- barbican_api
|
|
tripleo_delegate_to: "{{ groups['barbican_api'] | default([]) }}"
|