Barbican configuration thru Puppet and SysInv.

1. Add the new barbican DB and barbican user.
2. Support DB backup/restore and upgrades for barbican.
3. Configure barbican user and password in region config.
4. Provide Barbican configuration with appropriate data via SysInv.
5. Setup Barbican thru puppet manifests.
There are three main services that need to be configured:
- Barbican API: a RESTful API for managing secrets.
- Barbican Worker: a RPC interface for Barbican API.
- Barbican Keystone Listener: a service for Keystone changes.
Also, HA Proxy and Firewall need to be updated with Barbican port (9311)
as well as Remote Logging manifest to allow Barbican log collection.

Change-Id: I6b0b0c90456627bebde2b834b339bc968100b6f9
Story: 2003108
Task: 27700
Depends-On: I2667d56a71b7d3881c03b6a5c1e5ed61d4f0b902
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>

configutilities/centos/build_srpm.data

@@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=35
+TIS_PATCH_VER=36

configutilities/configutilities/configutilities/common/utils.py

@@ -45,6 +45,8 @@ EXPECTED_SERVICE_NAME_AND_TYPE = (
      "GNOCCHI_SERVICE_TYPE": "metric",
      "FM_SERVICE_NAME": "fm",
      "FM_SERVICE_TYPE": "faultmanagement",
+     "BARBICAN_SERVICE_NAME": "barbican",
+     "BARBICAN_SERVICE_TYPE": "key-manager",
      })
 
 

configutilities/configutilities/configutilities/common/validator.py

@@ -1048,6 +1048,14 @@ class ConfigValidator(object):
         fm_password = get_optional(self.conf, 'REGION_2_SERVICES',
                                    'FM_PASSWORD')
 
+        # validate barbican service name and type
+        get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_NAME')
+        get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_TYPE')
+        barbican_user_name = self.conf.get('REGION_2_SERVICES',
+                                           'BARBICAN_USER_NAME')
+        barbican_password = get_optional(self.conf, 'REGION_2_SERVICES',
+                                         'BARBICAN_PASSWORD')
+
         if self.conf.has_option('REGION_2_SERVICES', 'USER_DOMAIN_NAME'):
             user_domain = self.conf.get('REGION_2_SERVICES',
                                         'USER_DOMAIN_NAME')
@@ -1158,6 +1166,10 @@ class ConfigValidator(object):
             self.cgcs_conf.set('cREGION', 'GNOCCHI_PASSWORD', gnocchi_password)
             self.cgcs_conf.set('cREGION', 'FM_USER_NAME', fm_user_name)
             self.cgcs_conf.set('cREGION', 'FM_PASSWORD', fm_password)
+            self.cgcs_conf.set('cREGION', 'BARBICAN_USER_NAME',
+                               barbican_user_name)
+            self.cgcs_conf.set('cREGION', 'BARBICAN_PASSWORD',
+                               barbican_password)
 
             self.cgcs_conf.set('cREGION', 'USER_DOMAIN_NAME',
                                user_domain)

configutilities/configutilities/configutilities/configfiletool.py

@@ -731,6 +731,7 @@ class REG2SERVICESPage2(ConfigPage):
         self.fields['GNOCCHI_PASSWORD'] = Field(
             text="GNOCCHI user password",
             type=TYPES.string, initial="")
+
         self.fields['FM_USER_NAME'] = Field(
             text="FM username",
             type=TYPES.string, initial="fm")
@@ -738,6 +739,13 @@ class REG2SERVICESPage2(ConfigPage):
             text="FM user password",
             type=TYPES.string, initial="")
 
+        self.fields['BARBICAN_USER_NAME'] = Field(
+            text="Barbican username",
+            type=TYPES.string, initial="barbican")
+        self.fields['BARBICAN_PASSWORD'] = Field(
+            text="Barbican user password",
+            type=TYPES.string, initial="")
+
     def validate_page(self):
         self.prev.validate_page()
         super(REG2SERVICESPage2, self).validate_page()

controllerconfig/centos/build_srpm.data

@@ -1,2 +1,2 @@
 SRC_DIR="controllerconfig"
-TIS_PATCH_VER=148
+TIS_PATCH_VER=149

controllerconfig/controllerconfig/controllerconfig/backup_restore.py

@@ -70,7 +70,7 @@ def get_backup_databases(cinder_config=False):
     REGION_LOCAL_DATABASES = ('postgres', 'template1', 'nova', 'sysinv',
                               'neutron', 'heat', 'nova_api',
                               'aodh', 'murano', 'magnum', 'panko', 'ironic',
-                              'nova_cell0', 'gnocchi', 'fm')
+                              'nova_cell0', 'gnocchi', 'fm', 'barbican')
     REGION_SHARED_DATABASES = ('glance', 'keystone')
 
     if cinder_config:

controllerconfig/controllerconfig/controllerconfig/configassistant.py

@@ -509,6 +509,8 @@ class ConfigAssistant():
         self.nfv_ks_password = ""
         self.fm_ks_user_name = ""
         self.fm_ks_password = ""
+        self.barbican_ks_user_name = ""
+        self.barbican_ks_password = ""
 
         self.ldap_region_name = ""
         self.ldap_service_name = ""
@@ -2894,6 +2896,13 @@ class ConfigAssistant():
                 self.add_password_for_validation('FM_PASSWORD',
                                                  self.fm_ks_password)
 
+                self.barbican_ks_user_name = config.get(
+                    'cREGION', 'BARBICAN_USER_NAME')
+                self.barbican_ks_password = config.get(
+                    'cREGION', 'BARBICAN_PASSWORD')
+                self.add_password_for_validation('BARBICAN_PASSWORD',
+                                                 self.barbican_ks_password)
+
                 self.shared_services.append(self.keystone_service_type)
                 if self.glance_region_name == self.region_1_name:
                     self.shared_services.append(self.glance_service_type)
@@ -3469,6 +3478,10 @@ class ConfigAssistant():
                             self.fm_ks_user_name)
                     f.write("FM_PASSWORD=%s\n" %
                             self.fm_ks_password)
+                    f.write("BARBICAN_USER_NAME=%s\n" %
+                            self.barbican_ks_user_name)
+                    f.write("BARBICAN_PASSWORD=%s\n" %
+                            self.barbican_ks_password)
 
                 # Subcloud configuration
                 if self.subcloud_config():
@@ -3974,6 +3987,14 @@ class ConfigAssistant():
                   'capabilities': capabilities}
         client.sysinv.sm_service.service_create(**values)
 
+        # barbican service config
+        capabilities = {'user_name': self.barbican_ks_user_name}
+        values = {'name': "barbican",
+                  'enabled': True,
+                  'region_name': self.region_2_name,
+                  'capabilities': capabilities}
+        client.sysinv.sm_service.service_create(**values)
+
     def _store_service_password(self):
         # store service password in the temporary keyring vault
 
@@ -4035,6 +4056,10 @@ class ConfigAssistant():
         keyring.set_password('fm', constants.DEFAULT_SERVICE_PROJECT_NAME,
                              self.fm_ks_password)
 
+        keyring.set_password('barbican',
+                             constants.DEFAULT_SERVICE_PROJECT_NAME,
+                             self.barbican_ks_password)
+
         del os.environ["XDG_DATA_HOME"]
 
     def _populate_network_config(self, client):

controllerconfig/controllerconfig/controllerconfig/regionconfig.py

@@ -56,7 +56,8 @@ EXPECTED_USERS = [
     ('REGION_2_SERVICES', 'MTCE', 'mtce'),
     ('REGION_2_SERVICES', 'PANKO', 'panko'),
     ('REGION_2_SERVICES', 'GNOCCHI', 'gnocchi'),
-    ('REGION_2_SERVICES', 'FM', 'fm')]
+    ('REGION_2_SERVICES', 'FM', 'fm'),
+    ('REGION_2_SERVICES', 'BARBICAN', 'barbican')]
 
 EXPECTED_SHARED_SERVICES_NEUTRON_USER = ('SHARED_SERVICES', 'NEUTRON',
                                          'neutron')
@@ -135,6 +136,11 @@ EXPECTED_REGION2_ENDPOINTS = [
      'http://{}:18002',
      'http://{}:18002',
      'Fault Management Service'),
+    ('BARBICAN_SERVICE_NAME', 'BARBICAN_SERVICE_TYPE',
+     'http://{}:9311',
+     'http://{}:9311',
+     'http://{}:9311',
+     'OpenStack Key Manager Service'),
 ]
 
 EXPECTED_NEUTRON_ENDPOINT = (

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly

@@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fmTWO
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result

@@ -112,6 +112,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fmTWO
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = service_domain
 PROJECT_DOMAIN_NAME = service_domain
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall

@@ -119,6 +119,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fmTWO
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result

@@ -110,6 +110,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fmTWO
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region

@@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
 MTCE_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [cAUTHENTICATION]
 ADMIN_PASSWORD=Li69nux*

controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs

@@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
 MTCE_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [cAUTHENTICATION]
 ADMIN_PASSWORD=Li69nux*

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan

@@ -115,6 +115,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result

@@ -115,6 +115,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs

@@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result

@@ -105,6 +105,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security

@@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result

@@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple

@@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips

@@ -122,6 +122,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result

@@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py

@@ -72,6 +72,9 @@ def get_db_credentials(shared_services, from_release):
         {'aodh': {'hiera_user_key': 'aodh::db::postgresql::user',
                   'keyring_password_key': 'aodh',
                   },
+         'barbican': {'hiera_user_key': 'barbican::db::postgresql::user',
+                      'keyring_password_key': 'barbican',
+                      },
          'ceilometer': {'hiera_user_key': 'ceilometer::db::postgresql::user',
                         'keyring_password_key': 'ceilometer',
                         },
@@ -583,10 +586,18 @@ def migrate_databases(from_release, shared_services, db_credentials,
             f.write("[database]\n")
             f.write(get_connection_string(db_credentials, 'keystone'))
 
+    with open("/etc/barbican/barbican-dbsync.conf", "w") as f:
+        f.write("[database]\n")
+        f.write(get_connection_string(db_credentials, 'barbican'))
+
     migrate_commands = [
         # Migrate aodh (new in R3)
         ('aodh',
          'aodh-dbsync --config-file /etc/aodh/aodh-dbsync.conf'),
+        # Migrate barbican
+        ('barbican',
+         'barbican-manage --config-file /etc/barbican/barbican-dbsync.conf ' +
+         'db upgrade'),
         # Migrate ceilometer
         ('ceilometer',
          'ceilometer-upgrade --skip-gnocchi-resource-types --config-file ' +

controllerconfig/controllerconfig/controllerconfig/upgrades/management.py

@@ -28,7 +28,7 @@ def get_upgrade_databases(shared_services):
 
     UPGRADE_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'murano',
                          'ceilometer', 'neutron', 'heat', 'nova_api', 'aodh',
-                         'magnum', 'panko', 'ironic')
+                         'magnum', 'panko', 'ironic', 'barbican')
 
     UPGRADE_DATABASE_SKIP_TABLES = {'postgres': (), 'template1': (),
                                     'heat': (), 'nova': (), 'nova_api': (),
@@ -39,6 +39,7 @@ def get_upgrade_databases(shared_services):
                                     'magnum': (),
                                     'panko': (),
                                     'ironic': (),
+                                    'barbican': (),
                                     'ceilometer': ('metadata_bool',
                                                    'metadata_float',
                                                    'metadata_int',

puppet-manifests/centos/puppet-manifests.spec

@@ -25,6 +25,7 @@ Requires: puppet-fm
 
 # Openstack puppet modules
 Requires: puppet-aodh
+Requires: puppet-barbican
 Requires: puppet-ceilometer
 Requires: puppet-ceph
 Requires: puppet-cinder

puppet-manifests/src/hieradata/controller.yaml

@@ -544,3 +544,22 @@ fm::db::sync::user: 'root'
 fm::database_idle_timeout: 60
 fm::database_max_overflow: 20
 fm::database_max_pool_size: 1
+
+# Barbican
+barbican::use_syslog: true
+barbican::log_facility: 'local2'
+barbican::database_idle_timeout: 60
+barbican::database_max_pool_size: 1
+barbican::database_max_overflow: 10
+barbican::alarm_history_time_to_live: 86400
+
+barbican::auth::auth_endpoint_type: 'internalURL'
+
+barbican::db::sync::user: 'root'
+
+barbican::api::enabled: false
+barbican::api::service_name: 'barbican-api'
+barbican::api::enable_proxy_headers_parsing: true
+
+barbican::keystone-listener::enabled: false
+barbican::worker::enabled: false

puppet-manifests/src/manifests/controller.pp

@@ -132,6 +132,9 @@ include ::platform::smapi
 include ::openstack::swift
 include ::openstack::swift::api
 
+include ::openstack::barbican
+include ::openstack::barbican::api
+
 include ::platform::sm
 
 class { '::platform::config::controller::post':

puppet-manifests/src/modules/openstack/manifests/barbican.pp

@@ -0,0 +1,123 @@
+class openstack::barbican::params (
+  $api_port = 9311,
+  $region_name = undef,
+  $service_name = 'barbican-api',
+  $service_create = false,
+  $service_enabled = true,
+) { }
+
+
+class openstack::barbican
+  inherits ::openstack::barbican::params {
+
+  if $service_enabled {
+
+    include ::platform::params
+
+    if $::platform::params::init_keystone {
+      include ::barbican::keystone::auth
+      include ::barbican::keystone::authtoken
+    }
+
+    if $::platform::params::init_database {
+      include ::barbican::db::postgresql
+    }
+
+    barbican_config {
+        'service_credentials/interface': value => 'internalURL'
+    }
+
+    cron { 'barbican-cleaner':
+      ensure  => 'present',
+      command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
+      environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+      minute  => '50',
+      hour    => '*/24',
+      user    => 'root',
+    }
+  }
+}
+
+
+class openstack::barbican::firewall
+  inherits ::openstack::barbican::params {
+
+  platform::firewall::rule { 'barbican-api':
+    service_name => 'barbican-api',
+    ports        => $api_port,
+  }
+}
+
+
+class openstack::barbican::haproxy
+  inherits ::openstack::barbican::params {
+
+  platform::haproxy::proxy { 'barbican-restapi':
+    server_name => 's-barbican-restapi',
+    public_port => $api_port,
+    private_port => $api_port,
+  }
+}
+
+
+class openstack::barbican::api
+  inherits ::openstack::barbican::params {
+  include ::platform::params
+
+  # The barbican user and service are always required and they
+  # are used by subclouds when the service itself is disabled
+  # on System Controller
+  # whether it creates the endpoint is determined by
+  # barbican::keystone::auth::configure_endpoint which is
+  # set via sysinv puppet
+  if ($::openstack::barbican::params::service_create and
+      $::platform::params::init_keystone) {
+    include ::barbican::keystone::auth
+    $bu_name = $::barbican::keystone::auth::auth_name
+    $bu_tenant = $::barbican::keystone::auth::tenant
+
+    keystone_role { 'creator':
+      ensure => present,
+    }
+    keystone_user_role { "${bu_name}@${bu_tenant}":
+      ensure => present,
+      roles  => ['admin', 'creator'],
+    }
+  }
+
+  if $service_enabled {
+
+    $api_workers = $::platform::params::eng_workers
+
+    file_line { 'Modify workers in gunicorn-config.py':
+      path  => '/etc/barbican/gunicorn-config.py',
+      line  => "workers = '${api_workers}'",
+      match => '.*workers = .*',
+      tag   => 'modify-workers',
+    }
+
+    include ::platform::network::mgmt::params
+    $api_host = $::platform::network::mgmt::params::controller_address
+    $api_fqdn = $::platform::params::controller_hostname
+    $url_host = "http://${api_fqdn}:${api_port}"
+
+    include ::platform::amqp::params
+
+    class { '::barbican::api':
+      bind_host => $api_host,
+      bind_port => $api_port,
+      host_href => $url_host,
+      sync_db => $::platform::params::init_database,
+      enable_proxy_headers_parsing  => true,
+      rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+      default_transport_url => $::platform::amqp::params::transport_url,
+    }
+
+    class { '::barbican::keystone::notification':
+      enable_keystone_notification => true,
+    }
+
+    include ::openstack::barbican::firewall
+    include ::openstack::barbican::haproxy
+  }
+}

puppet-manifests/src/modules/openstack/manifests/keystone.pp

@@ -395,6 +395,11 @@ class openstack::keystone::endpoint::runtime {
       include ::platform::ceph::rgw::keystone::auth
     }
 
+    include ::openstack::barbican::params
+    if $::openstack::barbican::params::service_enabled {
+      include ::barbican::keystone::auth
+    }
+
     if $::platform::params::distributed_cloud_role =='systemcontroller' {
       include ::dcorch::keystone::auth
       include ::dcmanager::keystone::auth

puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb

@@ -13,6 +13,7 @@
     "protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s",
     "protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s",
     "protected_services": [["'aodh':%(target.user.name)s"],
+                           ["'barbican':%(target.user.name)s"],
                            ["'ceilometer':%(target.user.name)s"],
                            ["'cinder':%(target.user.name)s"],
                            ["'glance':%(target.user.name)s"],

puppet-manifests/src/modules/platform/manifests/haproxy.pp

@@ -154,6 +154,7 @@ class platform::haproxy::runtime {
   include ::openstack::panko::haproxy
   include ::openstack::gnocchi::haproxy
   include ::openstack::swift::haproxy
+  include ::openstack::barbican::haproxy
 
   class {'::platform::haproxy::reload':
     stage => post

puppet-manifests/src/modules/platform/manifests/postgresql.pp

@@ -198,6 +198,7 @@ class platform::postgresql::upgrade
   }
 
   include ::aodh::db::postgresql
+  include ::barbican::db::postgresql
   include ::cinder::db::postgresql
   include ::glance::db::postgresql
   include ::gnocchi::db::postgresql

puppet-manifests/src/modules/platform/manifests/sm.pp

@@ -232,6 +232,9 @@ class platform::sm
   # Panko
   include ::openstack::panko::params
 
+  # Barbican
+  include ::openstack::barbican::params
+
   if $system_mode == 'simplex' {
     $hostunit = '0'
     $management_my_unit_ip   = $::platform::network::mgmt::params::controller0_address
@@ -285,6 +288,7 @@ class platform::sm
     $gnocchi_enabled   = false
     $aodh_enabled      = false
     $panko_enabled     = false
+    $barbican_enabled  = false
   } else {
       $heat_service_enabled   = $::openstack::heat::params::service_enabled
       $murano_configured      = $::openstack::murano::params::service_enabled
@@ -293,6 +297,7 @@ class platform::sm
       $gnocchi_enabled        = $::openstack::gnocchi::params::service_enabled
       $aodh_enabled           = $::openstack::aodh::params::service_enabled
       $panko_enabled          = $::openstack::panko::params::service_enabled
+      $barbican_enabled       = $::openstack::barbican::params::service_enabled
   }
 
   if $system_mode == 'simplex' {
@@ -1013,6 +1018,49 @@ class platform::sm
     command => "sm-configure service_instance ironic-conductor ironic-conductor \"config=/etc/ironic/ironic.conf,tftproot=${ironic_tftproot}\"",
   }
 
+  # Barbican
+  if $barbican_enabled {
+
+    exec { 'Configure OpenStack - Barbican API':
+      command => "sm-configure service_instance barbican-api barbican-api \"config=/etc/barbican/barbican.conf\"",
+    }
+
+    exec { 'Configure OpenStack - Barbican Keystone Listener':
+      command => "sm-configure service_instance barbican-keystone-listener barbican-keystone-listener \"config=/etc/barbican/barbican.conf\"",
+    }
+
+    exec { 'Configure OpenStack - Barbican Worker':
+      command => "sm-configure service_instance barbican-worker barbican-worker \"config=/etc/barbican/barbican.conf\"",
+    }
+  } else {
+      exec { 'Deprovision OpenStack - Barbican API (service-group-member)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-api",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican API (service)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-api",
+      }
+
+      exec { 'Deprovision OpenStack - Barbican Keystone Listener (service-group-member)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-keystone-listener",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican Keystone Listener (service)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-keystone-listener",
+      }
+
+      exec { 'Deprovision OpenStack - Barbican Worker (service-group-member)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-worker",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican Worker (service)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-worker",
+      }
+  }
+
   exec { 'Configure OpenStack - Nova Compute':
     command => "sm-configure service_instance nova-compute nova-compute \"config=/etc/nova/nova-ironic.conf\"",
   }

puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb

@@ -17,6 +17,11 @@ rewrite r_rewrite_set{
   set("<%= @system_name %> aodh-listener.log ${HOST}", value("HOST") condition(filter(f_aodhlistener)));
   set("<%= @system_name %> aodh-notifier.log ${HOST}", value("HOST") condition(filter(f_aodhnotifier)));
   set("<%= @system_name %> auth.log ${HOST}", value("HOST") condition(filter(f_auth)));
+  set("<%= @system_name %> barbican-api.log ${HOST}", value("HOST") condition(filter(f_barbicanapi)));
+  set("<%= @system_name %> barbican-dbsync.log ${HOST}", value("HOST") condition(filter(f_barbicandbsync)));
+  set("<%= @system_name %> barbican-keystone-listener.log ${HOST}", value("HOST") condition(filter(f_barbicankeystonelistener)));
+  set("<%= @system_name %> barbican-worker.log ${HOST}", value("HOST") condition(filter(f_barbicanworker)));
+  set("<%= @system_name %> barbican-cleaner.log ${HOST}", value("HOST") condition(filter(f_barbicancleaner)));
   set("<%= @system_name %> bash.log ${HOST}", value("HOST") condition(filter(f_bash)));
   set("<%= @system_name %> ceilometer-agent-notification.log ${HOST}", value("HOST") condition(filter(f_ceilometeragentnotification)));
   set("<%= @system_name %> ceilometer-upgrade.log ${HOST}", value("HOST") condition(filter(f_ceilometerupgrade)));

sysinv/sysinv/sysinv/setup.cfg

@@ -71,6 +71,7 @@ systemconfig.puppet_plugins =
     031_fm = sysinv.puppet.fm:FmPuppet
     032_swift = sysinv.puppet.swift:SwiftPuppet
     033_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet
+    034_barbican = sysinv.puppet.barbican:BarbicanPuppet
 
 systemconfig.helm_plugins =
     aodh = sysinv.helm.aodh:AodhHelm

sysinv/sysinv/sysinv/sysinv/common/constants.py

@@ -856,6 +856,7 @@ SERVICE_TYPE_IRONIC = 'ironic'
 SERVICE_TYPE_PANKO = 'panko'
 SERVICE_TYPE_AODH = 'aodh'
 SERVICE_TYPE_GLANCE = 'glance'
+SERVICE_TYPE_BARBICAN = 'barbican'
 
 SERVICE_PARAM_SECTION_MURANO_RABBITMQ = 'rabbitmq'
 SERVICE_PARAM_SECTION_MURANO_ENGINE = 'engine'

sysinv/sysinv/sysinv/sysinv/puppet/barbican.py

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from . import openstack
+
+
+class BarbicanPuppet(openstack.OpenstackBasePuppet):
+    """Class to encapsulate puppet operations for barbican configuration"""
+
+    SERVICE_NAME = 'barbican'
+    SERVICE_PORT = 9311
+
+    def get_static_config(self):
+        dbuser = self._get_database_username(self.SERVICE_NAME)
+
+        return {
+            'barbican::db::postgresql::user': dbuser,
+        }
+
+    def get_secure_static_config(self):
+        dbpass = self._get_database_password(self.SERVICE_NAME)
+        kspass = self._get_service_password(self.SERVICE_NAME)
+
+        return {
+            'barbican::db::postgresql::password': dbpass,
+
+            'barbican::keystone::auth::password': kspass,
+            'barbican::keystone::authtoken::password': kspass,
+        }
+
+    def get_system_config(self):
+        ksuser = self._get_service_user_name(self.SERVICE_NAME)
+
+        config = {
+            'barbican::keystone::auth::public_url': self.get_public_url(),
+            'barbican::keystone::auth::internal_url': self.get_internal_url(),
+            'barbican::keystone::auth::admin_url': self.get_admin_url(),
+            'barbican::keystone::auth::auth_name': ksuser,
+            'barbican::keystone::auth::region': self._region_name(),
+            'barbican::keystone::auth::tenant': self._get_service_tenant_name(),
+            'barbican::keystone::auth::configure_user_role': False,
+
+            'barbican::keystone::authtoken::auth_url':
+                self._keystone_identity_uri(),
+            'barbican::keystone::authtoken::auth_uri':
+                self._keystone_auth_uri(),
+
+            'barbican::keystone::authtoken::user_domain_name':
+                self._get_service_user_domain_name(),
+            'barbican::keystone::authtoken::project_domain_name':
+                self._get_service_project_domain_name(),
+            'barbican::keystone::authtoken::project_name':
+                self._get_service_tenant_name(),
+            'barbican::keystone::authtoken::region_name':
+                self._keystone_region_name(),
+            'barbican::keystone::authtoken::username': ksuser,
+
+            'openstack::barbican::params::region_name':
+                self._get_service_region_name(self.SERVICE_NAME),
+            'openstack::barbican::params::service_create':
+                self._to_create_services(),
+        }
+
+        return config
+
+    def get_secure_system_config(self):
+        config = {
+            'barbican::db::database_connection':
+                self._format_database_connection(self.SERVICE_NAME),
+        }
+
+        return config
+
+    def get_public_url(self):
+        return self._format_public_endpoint(self.SERVICE_PORT)
+
+    def get_internal_url(self):
+        return self._format_private_endpoint(self.SERVICE_PORT)
+
+    def get_admin_url(self):
+        return self._format_private_endpoint(self.SERVICE_PORT)