Add Barbican bootstrap and runtime manifests
The Barbican service is needed during the StarlingX bootstrap phase. Implement bootstrap and runtime manifests to achieve that. Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78 Story: 2003108 Task: 27700 Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
parent
5dcff4e616
commit
f44717154a
|
@ -1,3 +1,3 @@
|
||||||
SRC_DIR="configutilities"
|
SRC_DIR="configutilities"
|
||||||
COPY_LIST="$SRC_DIR/LICENSE"
|
COPY_LIST="$SRC_DIR/LICENSE"
|
||||||
TIS_PATCH_VER=1
|
TIS_PATCH_VER=2
|
||||||
|
|
|
@ -1025,7 +1025,8 @@ class ConfigValidator(object):
|
||||||
self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
|
self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
|
||||||
password_fields = [
|
password_fields = [
|
||||||
'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
|
'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
|
||||||
'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI'
|
'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI',
|
||||||
|
'BARBICAN'
|
||||||
]
|
]
|
||||||
for pw in password_fields:
|
for pw in password_fields:
|
||||||
if not self.conf.has_option('REGION_2_SERVICES',
|
if not self.conf.has_option('REGION_2_SERVICES',
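Review bot: Adding 'BARBICAN' to password_fields only feeds the `has_option('REGION_2_SERVICES', ...)` presence check visible at the end of the hunk; whether an empty or trivially weak value is rejected depends on the rest of the loop body, which runs past the end of the hunk, so I cannot confirm it from here. If the loop does no more than the presence check, an empty BARBICAN_PASSWORD would pass validation and become the key-manager service credential, so a non-empty value check next to the presence check is worth confirming. A one-line comment on the list would also help now that it mixes platform and OpenStack services, e.g. `# Service passwords that must be present when REGION_2_SERVICES are created`.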
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
SRC_DIR="src"
|
SRC_DIR="src"
|
||||||
TIS_PATCH_VER=76
|
TIS_PATCH_VER=77
|
||||||
|
|
|
@ -15,6 +15,7 @@ include ::platform::postgresql::bootstrap
|
||||||
include ::platform::amqp::bootstrap
|
include ::platform::amqp::bootstrap
|
||||||
|
|
||||||
include ::openstack::keystone::bootstrap
|
include ::openstack::keystone::bootstrap
|
||||||
|
include ::openstack::barbican::bootstrap
|
||||||
include ::platform::client::bootstrap
|
include ::platform::client::bootstrap
|
||||||
include ::openstack::client::bootstrap
|
include ::openstack::client::bootstrap
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,6 @@ class openstack::barbican::params (
|
||||||
$service_enabled = true,
|
$service_enabled = true,
|
||||||
) { }
|
) { }
|
||||||
|
|
||||||
|
|
||||||
class openstack::barbican
|
class openstack::barbican
|
||||||
inherits ::openstack::barbican::params {
|
inherits ::openstack::barbican::params {
|
||||||
|
|
||||||
|
@ -27,6 +26,54 @@ class openstack::barbican
|
||||||
'service_credentials/interface': value => 'internalURL'
|
'service_credentials/interface': value => 'internalURL'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
file { '/var/run/barbican':
|
||||||
|
ensure => 'directory',
|
||||||
|
owner => 'barbican',
|
||||||
|
group => 'barbican',
|
||||||
|
}
|
||||||
|
|
||||||
|
$api_workers = $::platform::params::eng_workers_by_4
|
||||||
|
|
||||||
|
file_line { 'Modify workers in gunicorn-config.py':
|
||||||
|
path => '/etc/barbican/gunicorn-config.py',
|
||||||
|
line => "workers = ${api_workers}",
|
||||||
|
match => '.*workers = .*',
|
||||||
|
tag => 'modify-workers',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
class openstack::barbican::service
|
||||||
|
inherits ::openstack::barbican::params {
|
||||||
|
|
||||||
|
if $service_enabled {
|
||||||
|
|
||||||
|
include ::platform::network::mgmt::params
|
||||||
|
$api_host = $::platform::network::mgmt::params::subnet_version ? {
|
||||||
|
6 => "[${::platform::network::mgmt::params::controller_address}]",
|
||||||
|
default => $::platform::network::mgmt::params::controller_address,
|
||||||
|
}
|
||||||
|
$api_fqdn = $::platform::params::controller_hostname
|
||||||
|
$url_host = "http://${api_fqdn}:${api_port}"
|
||||||
|
|
||||||
|
include ::platform::amqp::params
|
||||||
|
|
||||||
|
class { '::barbican::api':
|
||||||
|
enabled => true,
|
||||||
|
manage_service => true,
|
||||||
|
bind_host => $api_host,
|
||||||
|
bind_port => $api_port,
|
||||||
|
host_href => $url_host,
|
||||||
|
sync_db => !$::openstack::barbican::params::service_create,
|
||||||
|
enable_proxy_headers_parsing => true,
|
||||||
|
rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
|
||||||
|
default_transport_url => $::platform::amqp::params::transport_url,
|
||||||
|
}
|
||||||
|
|
||||||
|
class { '::barbican::keystone::notification':
|
||||||
|
enable_keystone_notification => true,
|
||||||
|
}
|
||||||
|
|
||||||
cron { 'barbican-cleaner':
|
cron { 'barbican-cleaner':
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
|
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
|
||||||
|
@ -38,7 +85,6 @@ class openstack::barbican
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class openstack::barbican::firewall
|
class openstack::barbican::firewall
|
||||||
inherits ::openstack::barbican::params {
|
inherits ::openstack::barbican::params {
|
||||||
|
|
||||||
|
@ -48,7 +94,6 @@ class openstack::barbican::firewall
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class openstack::barbican::haproxy
|
class openstack::barbican::haproxy
|
||||||
inherits ::openstack::barbican::params {
|
inherits ::openstack::barbican::params {
|
||||||
|
|
||||||
|
@ -59,7 +104,6 @@ class openstack::barbican::haproxy
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class openstack::barbican::api
|
class openstack::barbican::api
|
||||||
inherits ::openstack::barbican::params {
|
inherits ::openstack::barbican::params {
|
||||||
include ::platform::params
|
include ::platform::params
|
||||||
|
@ -72,55 +116,57 @@ class openstack::barbican::api
|
||||||
# set via sysinv puppet
|
# set via sysinv puppet
|
||||||
if ($::openstack::barbican::params::service_create and
|
if ($::openstack::barbican::params::service_create and
|
||||||
$::platform::params::init_keystone) {
|
$::platform::params::init_keystone) {
|
||||||
include ::barbican::keystone::auth
|
|
||||||
$bu_name = $::barbican::keystone::auth::auth_name
|
|
||||||
$bu_tenant = $::barbican::keystone::auth::tenant
|
|
||||||
|
|
||||||
keystone_role { 'creator':
|
if ($::platform::params::distributed_cloud_role == 'subcloud' and
|
||||||
ensure => present,
|
$::platform::params::region_2_name != 'RegionOne') {
|
||||||
}
|
Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']
|
||||||
keystone_user_role { "${bu_name}@${bu_tenant}":
|
keystone_endpoint { 'RegionOne/barbican::key-manager':
|
||||||
ensure => present,
|
ensure => 'absent',
|
||||||
roles => ['admin', 'creator'],
|
name => 'barbican',
|
||||||
|
type => 'key-manager',
|
||||||
|
region => 'RegionOne',
|
||||||
|
public_url => "http://127.0.0.1:${api_port}",
|
||||||
|
admin_url => "http://127.0.0.1:${api_port}",
|
||||||
|
internal_url => "http://127.0.0.1:${api_port}"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if $service_enabled {
|
if $service_enabled {
|
||||||
|
include ::openstack::barbican::service
|
||||||
$api_workers = $::platform::params::eng_workers
|
|
||||||
|
|
||||||
file_line { 'Modify workers in gunicorn-config.py':
|
|
||||||
path => '/etc/barbican/gunicorn-config.py',
|
|
||||||
line => "workers = ${api_workers}",
|
|
||||||
match => '.*workers = .*',
|
|
||||||
tag => 'modify-workers',
|
|
||||||
}
|
|
||||||
|
|
||||||
include ::platform::network::mgmt::params
|
|
||||||
$api_host = $::platform::network::mgmt::params::subnet_version ? {
|
|
||||||
6 => "[${::platform::network::mgmt::params::controller_address}]",
|
|
||||||
default => $::platform::network::mgmt::params::controller_address,
|
|
||||||
}
|
|
||||||
$api_fqdn = $::platform::params::controller_hostname
|
|
||||||
$url_host = "http://${api_fqdn}:${api_port}"
|
|
||||||
|
|
||||||
include ::platform::amqp::params
|
|
||||||
|
|
||||||
class { '::barbican::api':
|
|
||||||
bind_host => $api_host,
|
|
||||||
bind_port => $api_port,
|
|
||||||
host_href => $url_host,
|
|
||||||
sync_db => $::platform::params::init_database,
|
|
||||||
enable_proxy_headers_parsing => true,
|
|
||||||
rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
|
|
||||||
default_transport_url => $::platform::amqp::params::transport_url,
|
|
||||||
}
|
|
||||||
|
|
||||||
class { '::barbican::keystone::notification':
|
|
||||||
enable_keystone_notification => true,
|
|
||||||
}
|
|
||||||
|
|
||||||
include ::openstack::barbican::firewall
|
include ::openstack::barbican::firewall
|
||||||
include ::openstack::barbican::haproxy
|
include ::openstack::barbican::haproxy
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class openstack::barbican::bootstrap
|
||||||
|
inherits ::openstack::barbican::params {
|
||||||
|
|
||||||
|
class { '::barbican::keystone::auth':
|
||||||
|
configure_user_role => false,
|
||||||
|
}
|
||||||
|
class { '::barbican::keystone::authtoken':
|
||||||
|
auth_url => 'http://localhost:5000',
|
||||||
|
}
|
||||||
|
|
||||||
|
$bu_name = $::barbican::keystone::auth::auth_name
|
||||||
|
$bu_tenant = $::barbican::keystone::auth::tenant
|
||||||
|
keystone_role { 'creator':
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
|
keystone_user_role { "${bu_name}@${bu_tenant}":
|
||||||
|
ensure => present,
|
||||||
|
roles => ['admin', 'creator'],
|
||||||
|
}
|
||||||
|
|
||||||
|
include ::barbican::db::postgresql
|
||||||
|
|
||||||
|
include ::openstack::barbican
|
||||||
|
include ::openstack::barbican::service
|
||||||
|
}
|
||||||
|
|
||||||
|
class openstack::barbican::runtime
|
||||||
|
inherits ::openstack::barbican::params {
|
||||||
|
|
||||||
|
include ::openstack::barbican::service
|
||||||
|
}
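Review bot: The bootstrap class grants the barbican service user both `admin` and `creator` on its tenant (`roles => ['admin', 'creator']` in openstack::barbican::bootstrap), so a leak of the barbican service password yields a Keystone admin token rather than just a key-manager identity; this was carried over from the old openstack::barbican::api block, but it is worth confirming whether the API or the keystone listener actually needs admin and reducing it to `roles => ['creator']` if not. Separately, `file { '/var/run/barbican': }` sets owner and group but no `mode`, so the directory's permissions depend on the agent's umask; `mode => '0750'` pins them. The new openstack::barbican::service class would also benefit from a short header comment, e.g. `# Runs barbican-api bound to the management controller address; shared by the bootstrap and runtime entry points`.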
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
SRC_DIR="src"
|
SRC_DIR="src"
|
||||||
COPY_LIST="$SRC_DIR/LICENSE"
|
COPY_LIST="$SRC_DIR/LICENSE"
|
||||||
TIS_PATCH_VER=3
|
TIS_PATCH_VER=4
|
||||||
|
|
|
@ -70,6 +70,7 @@ class sysinv (
|
||||||
$cinder_region_name = 'RegionOne',
|
$cinder_region_name = 'RegionOne',
|
||||||
$nova_region_name = 'RegionOne',
|
$nova_region_name = 'RegionOne',
|
||||||
$magnum_region_name = 'RegionOne',
|
$magnum_region_name = 'RegionOne',
|
||||||
|
$barbican_region_name = 'RegionOne',
|
||||||
$fm_catalog_info = undef,
|
$fm_catalog_info = undef,
|
||||||
$fernet_key_repository = undef,
|
$fernet_key_repository = undef,
|
||||||
) {
|
) {
|
||||||
|
@ -202,6 +203,7 @@ class sysinv (
|
||||||
'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
|
'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
|
||||||
'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
|
'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
|
||||||
'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
|
'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
|
||||||
|
'openstack_keystone_authtoken/barbican_region_name': value => $barbican_region_name;
|
||||||
}
|
}
|
||||||
|
|
||||||
sysinv_config {
|
sysinv_config {
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
SRC_DIR="sysinv"
|
SRC_DIR="sysinv"
|
||||||
TIS_PATCH_VER=293
|
TIS_PATCH_VER=294
|
||||||
|
|
|
@ -7042,6 +7042,14 @@ class ConductorManager(service.PeriodicService):
|
||||||
}
|
}
|
||||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||||
|
|
||||||
|
elif service == constants.SERVICE_TYPE_BARBICAN:
|
||||||
|
personalities = [constants.CONTROLLER]
|
||||||
|
config_dict = {
|
||||||
|
"personalities": personalities,
|
||||||
|
"classes": ['openstack::barbican::runtime']
|
||||||
|
}
|
||||||
|
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||||
|
|
||||||
def update_security_feature_config(self, context):
|
def update_security_feature_config(self, context):
|
||||||
"""Update the kernel options configuration"""
|
"""Update the kernel options configuration"""
|
||||||
personalities = constants.PERSONALITIES
|
personalities = constants.PERSONALITIES
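Review bot: The new SERVICE_TYPE_BARBICAN branch repeats the three statements of the branch directly above it (personalities list, config_dict, `_config_apply_runtime_manifest`) with only the class name changed, and since the enclosing method starts before the hunk the elif chain is presumably already long; a mapping from service type to manifest class list, consulted once, would keep the next service from adding another copy. If the chain stays as is, a one-line comment above the branch such as `# Barbican runs on controllers only; re-apply its service manifest there` would document the personalities choice.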
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
#
|
#
|
||||||
|
|
||||||
|
from sysinv.common import constants
|
||||||
from sysinv.puppet import openstack
|
from sysinv.puppet import openstack
|
||||||
|
|
||||||
|
|
||||||
|
@ -24,7 +25,12 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
|
||||||
dbpass = self._get_database_password(self.SERVICE_NAME)
|
dbpass = self._get_database_password(self.SERVICE_NAME)
|
||||||
kspass = self._get_service_password(self.SERVICE_NAME)
|
kspass = self._get_service_password(self.SERVICE_NAME)
|
||||||
|
|
||||||
|
# initial bootstrap is bound to localhost
|
||||||
|
dburl = self._format_database_connection(self.SERVICE_NAME,
|
||||||
|
constants.LOCALHOST_HOSTNAME)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
|
'barbican::db::database_connection': dburl,
|
||||||
'barbican::db::postgresql::password': dbpass,
|
'barbican::db::postgresql::password': dbpass,
|
||||||
|
|
||||||
'barbican::keystone::auth::password': kspass,
|
'barbican::keystone::auth::password': kspass,
|
||||||
|
@ -82,3 +88,6 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
|
||||||
|
|
||||||
def get_admin_url(self):
|
def get_admin_url(self):
|
||||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||||
|
|
||||||
|
def get_region_name(self):
|
||||||
|
return self._get_service_region_name(self.SERVICE_NAME)
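Review bot: The new `dburl` binds the barbican database connection to `constants.LOCALHOST_HOSTNAME`, and it is returned from the same method that supplies the db and keystone passwords, which from the hunk context looks like install-time static hieradata rather than a bootstrap-only override; if so, the localhost binding outlives bootstrap and a controller where postgres is not active would be pointed at a database that is not there. The comment `# initial bootstrap is bound to localhost` states the intent but not how the value is replaced later, so it is worth confirming that a runtime config method overrides `barbican::db::database_connection`, or moving this key there and extending the comment to say so. The method name is outside the hunk, so I cannot tell which config stage this is from the diff alone.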
|
||||||
|
|
|
@ -49,6 +49,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
|
||||||
cinder_region_name = self._operator.cinder.get_region_name()
|
cinder_region_name = self._operator.cinder.get_region_name()
|
||||||
nova_region_name = self._operator.nova.get_region_name()
|
nova_region_name = self._operator.nova.get_region_name()
|
||||||
magnum_region_name = self._operator.magnum.get_region_name()
|
magnum_region_name = self._operator.magnum.get_region_name()
|
||||||
|
barbican_region_name = self._operator.barbican.get_region_name()
|
||||||
|
|
||||||
return {
|
return {
|
||||||
# The region in which the identity server can be found
|
# The region in which the identity server can be found
|
||||||
|
@ -57,6 +58,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
|
||||||
'sysinv::cinder_region_name': cinder_region_name,
|
'sysinv::cinder_region_name': cinder_region_name,
|
||||||
'sysinv::nova_region_name': nova_region_name,
|
'sysinv::nova_region_name': nova_region_name,
|
||||||
'sysinv::magnum_region_name': magnum_region_name,
|
'sysinv::magnum_region_name': magnum_region_name,
|
||||||
|
'sysinv::barbican_region_name': barbican_region_name,
|
||||||
|
|
||||||
'sysinv::keystone::auth::public_url': self.get_public_url(),
|
'sysinv::keystone::auth::public_url': self.get_public_url(),
|
||||||
'sysinv::keystone::auth::internal_url': self.get_internal_url(),
|
'sysinv::keystone::auth::internal_url': self.get_internal_url(),
|
||||||
|
|