
Add Barbican bootstrap and runtime manifests

Barbican service is needed during bootstrap phase for StarlingX.
Implement bootstrap and runtime manifests to achieve that.

Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78
Story: 2003108
Task: 27700
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
tags/final-non-containers
Alex Kozyrev 5 months ago
parent
commit
f44717154a

+ 1
- 1
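--- a/configutilities/centos/build_srpm.data
+++ b/configutilities/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2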

+ 2
- 1
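--- a/configutilities/configutilities/configutilities/common/validator.py
+++ b/configutilities/configutilities/configutilities/common/validator.py
@@ -1025,7 +1025,8 @@ class ConfigValidator(object):
                 self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
             password_fields = [
                 'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
-                'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI'
+                'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI',
+                'BARBICAN'
             ]
             for pw in password_fields:
                 if not self.conf.has_option('REGION_2_SERVICES',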

+ 1
- 1
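--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=76
+TIS_PATCH_VER=77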

+ 1
- 0
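--- a/puppet-manifests/src/manifests/bootstrap.pp
+++ b/puppet-manifests/src/manifests/bootstrap.pp
@@ -15,6 +15,7 @@ include ::platform::postgresql::bootstrap
 include ::platform::amqp::bootstrap
 
 include ::openstack::keystone::bootstrap
+include ::openstack::barbican::bootstrap
 include ::platform::client::bootstrap
 include ::openstack::client::bootstrap
 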

+ 89
- 43
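--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@@ -6,7 +6,6 @@ class openstack::barbican::params (
   $service_enabled = true,
 ) { }
 
-
 class openstack::barbican
   inherits ::openstack::barbican::params {
 
@@ -27,6 +26,54 @@ class openstack::barbican
         'service_credentials/interface': value => 'internalURL'
     }
 
+    file { '/var/run/barbican':
+      ensure => 'directory',
+      owner  => 'barbican',
+      group  => 'barbican',
+    }
+
+    $api_workers = $::platform::params::eng_workers_by_4
+
+    file_line { 'Modify workers in gunicorn-config.py':
+      path  => '/etc/barbican/gunicorn-config.py',
+      line  => "workers = ${api_workers}",
+      match => '.*workers = .*',
+      tag   => 'modify-workers',
+    }
+  }
+}
+
+class openstack::barbican::service
+  inherits ::openstack::barbican::params {
+
+  if $service_enabled {
+
+    include ::platform::network::mgmt::params
+    $api_host = $::platform::network::mgmt::params::subnet_version ? {
+      6       => "[${::platform::network::mgmt::params::controller_address}]",
+      default => $::platform::network::mgmt::params::controller_address,
+    }
+    $api_fqdn = $::platform::params::controller_hostname
+    $url_host = "http://${api_fqdn}:${api_port}"
+
+    include ::platform::amqp::params
+
+    class { '::barbican::api':
+      enabled                      => true,
+      manage_service               => true,
+      bind_host                    => $api_host,
+      bind_port                    => $api_port,
+      host_href                    => $url_host,
+      sync_db                      => !$::openstack::barbican::params::service_create,
+      enable_proxy_headers_parsing => true,
+      rabbit_use_ssl               => $::platform::amqp::params::ssl_enabled,
+      default_transport_url        => $::platform::amqp::params::transport_url,
+    }
+
+    class { '::barbican::keystone::notification':
+      enable_keystone_notification => true,
+    }
+
     cron { 'barbican-cleaner':
       ensure      => 'present',
       command     => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
@@ -38,7 +85,6 @@ class openstack::barbican
   }
 }
 
-
 class openstack::barbican::firewall
   inherits ::openstack::barbican::params {
 
@@ -48,7 +94,6 @@ class openstack::barbican::firewall
   }
 }
 
-
 class openstack::barbican::haproxy
   inherits ::openstack::barbican::params {
 
@@ -59,7 +104,6 @@ class openstack::barbican::haproxy
   }
 }
 
-
 class openstack::barbican::api
   inherits ::openstack::barbican::params {
   include ::platform::params
@@ -72,55 +116,57 @@ class openstack::barbican::api
   # set via sysinv puppet
   if ($::openstack::barbican::params::service_create and
       $::platform::params::init_keystone) {
-    include ::barbican::keystone::auth
-    $bu_name = $::barbican::keystone::auth::auth_name
-    $bu_tenant = $::barbican::keystone::auth::tenant
 
-    keystone_role { 'creator':
-      ensure => present,
-    }
-    keystone_user_role { "${bu_name}@${bu_tenant}":
-      ensure => present,
-      roles  => ['admin', 'creator'],
+    if ($::platform::params::distributed_cloud_role == 'subcloud' and
+        $::platform::params::region_2_name != 'RegionOne') {
+      Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']
+      keystone_endpoint { 'RegionOne/barbican::key-manager':
+        ensure       => 'absent',
+        name         => 'barbican',
+        type         => 'key-manager',
+        region       => 'RegionOne',
+        public_url   => "http://127.0.0.1:${api_port}",
+        admin_url    => "http://127.0.0.1:${api_port}",
+        internal_url => "http://127.0.0.1:${api_port}"
+      }
     }
   }
 
   if $service_enabled {
+    include ::openstack::barbican::service
+    include ::openstack::barbican::firewall
+    include ::openstack::barbican::haproxy
+  }
+}
 
-    $api_workers = $::platform::params::eng_workers
+class openstack::barbican::bootstrap
+  inherits ::openstack::barbican::params {
 
-    file_line { 'Modify workers in gunicorn-config.py':
-      path  => '/etc/barbican/gunicorn-config.py',
-      line  => "workers = ${api_workers}",
-      match => '.*workers = .*',
-      tag   => 'modify-workers',
-    }
+  class { '::barbican::keystone::auth':
+    configure_user_role => false,
+  }
+  class { '::barbican::keystone::authtoken':
+    auth_url => 'http://localhost:5000',
+  }
 
-    include ::platform::network::mgmt::params
-    $api_host = $::platform::network::mgmt::params::subnet_version ? {
-      6       => "[${::platform::network::mgmt::params::controller_address}]",
-      default => $::platform::network::mgmt::params::controller_address,
-    }
-    $api_fqdn = $::platform::params::controller_hostname
-    $url_host = "http://${api_fqdn}:${api_port}"
+  $bu_name = $::barbican::keystone::auth::auth_name
+  $bu_tenant = $::barbican::keystone::auth::tenant
+  keystone_role { 'creator':
+    ensure => present,
+  }
+  keystone_user_role { "${bu_name}@${bu_tenant}":
+    ensure => present,
+    roles  => ['admin', 'creator'],
+  }
 
-    include ::platform::amqp::params
+  include ::barbican::db::postgresql
 
-    class { '::barbican::api':
-      bind_host                    => $api_host,
-      bind_port                    => $api_port,
-      host_href                    => $url_host,
-      sync_db                      => $::platform::params::init_database,
-      enable_proxy_headers_parsing => true,
-      rabbit_use_ssl               => $::platform::amqp::params::ssl_enabled,
-      default_transport_url        => $::platform::amqp::params::transport_url,
-    }
+  include ::openstack::barbican
+  include ::openstack::barbican::service
+}
 
-    class { '::barbican::keystone::notification':
-      enable_keystone_notification => true,
-    }
+class openstack::barbican::runtime
+  inherits ::openstack::barbican::params {
 
-    include ::openstack::barbican::firewall
-    include ::openstack::barbican::haproxy
-  }
+  include ::openstack::barbican::service
 }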
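Review bot: The `file { '/var/run/barbican': }` resource added to `openstack::barbican` sets `owner` and `group` but no `mode`, so the permissions on the key manager's runtime directory are left to Puppet's default and the agent's umask rather than a reviewed value. Adding `mode   => '0750',` (or whichever value the gunicorn pid and socket files actually need) makes the intended access explicit. In `openstack::barbican::bootstrap`, `auth_url => 'http://localhost:5000'` is hard-coded without explanation; a comment such as `# keystone listens on localhost only during initial bootstrap` would mark it as bootstrap-only. It is also worth confirming that a later manifest sets the real authtoken URL, since `openstack::barbican::runtime` as shown only includes the service class.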

+ 1
- 1
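--- a/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
+++ b/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="src"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4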

+ 2
- 0
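--- a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
@@ -70,6 +70,7 @@ class sysinv (
   $cinder_region_name          = 'RegionOne',
   $nova_region_name            = 'RegionOne',
   $magnum_region_name          = 'RegionOne',
+  $barbican_region_name        = 'RegionOne',
   $fm_catalog_info             = undef,
   $fernet_key_repository       = undef,
 ) {
@@ -202,6 +203,7 @@ class sysinv (
     'openstack_keystone_authtoken/cinder_region_name':  value => $cinder_region_name;
     'openstack_keystone_authtoken/nova_region_name':  value => $nova_region_name;
     'openstack_keystone_authtoken/magnum_region_name':  value => $magnum_region_name;
+    'openstack_keystone_authtoken/barbican_region_name':  value => $barbican_region_name;
   }
 
   sysinv_config {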

+ 1
- 1
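--- a/sysinv/sysinv/centos/build_srpm.data
+++ b/sysinv/sysinv/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="sysinv"
-TIS_PATCH_VER=293
+TIS_PATCH_VER=294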

+ 8
- 0
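--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@@ -7042,6 +7042,14 @@ class ConductorManager(service.PeriodicService):
                 }
                 self._config_apply_runtime_manifest(context, config_uuid, config_dict)
 
+            elif service == constants.SERVICE_TYPE_BARBICAN:
+                personalities = [constants.CONTROLLER]
+                config_dict = {
+                    "personalities": personalities,
+                    "classes": ['openstack::barbican::runtime']
+                }
+                self._config_apply_runtime_manifest(context, config_uuid, config_dict)
+
     def update_security_feature_config(self, context):
         """Update the kernel options configuration"""
         personalities = constants.PERSONALITIES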

+ 9
- 0
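--- a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+from sysinv.common import constants
 from sysinv.puppet import openstack
 
 
@@ -24,7 +25,12 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
         dbpass = self._get_database_password(self.SERVICE_NAME)
         kspass = self._get_service_password(self.SERVICE_NAME)
 
+        # initial bootstrap is bound to localhost
+        dburl = self._format_database_connection(self.SERVICE_NAME,
+                                                 constants.LOCALHOST_HOSTNAME)
+
         return {
+            'barbican::db::database_connection': dburl,
             'barbican::db::postgresql::password': dbpass,
 
             'barbican::keystone::auth::password': kspass,
@@ -82,3 +88,6 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
 
     def get_admin_url(self):
         return self._format_private_endpoint(self.SERVICE_PORT)
+
+    def get_region_name(self):
+        return self._get_service_region_name(self.SERVICE_NAME)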
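Review bot: The comment `# initial bootstrap is bound to localhost` in the second hunk says why the URL points at localhost but not where `barbican::db::database_connection` is later replaced with the real database host; if no other config method overrides that key, Barbican would presumably keep a loopback connection string after bootstrap. Consider extending it to `# initial bootstrap is bound to localhost; <overriding method> replaces this once the system is configured`, with the placeholder filled in from the actual override. The enclosing method starts before the hunk, so its name and the rest of the returned dict are not visible here. `get_region_name` in the last hunk would also benefit from a one-line docstring, `"""Return the region name configured for this service."""`.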

+ 2
- 0
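--- a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
@@ -49,6 +49,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
         cinder_region_name = self._operator.cinder.get_region_name()
         nova_region_name = self._operator.nova.get_region_name()
         magnum_region_name = self._operator.magnum.get_region_name()
+        barbican_region_name = self._operator.barbican.get_region_name()
 
         return {
             # The region in which the identity server can be found
@@ -57,6 +58,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
             'sysinv::cinder_region_name': cinder_region_name,
             'sysinv::nova_region_name': nova_region_name,
             'sysinv::magnum_region_name': magnum_region_name,
+            'sysinv::barbican_region_name': barbican_region_name,
 
             'sysinv::keystone::auth::public_url': self.get_public_url(),
             'sysinv::keystone::auth::internal_url': self.get_internal_url(),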
