Add Barbican bootstrap and runtime manifests

Barbican service is needed during bootstrap phase for StarlingX. Implement bootstrap and runtime manifests to achieve that. Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78 Story: 2003108 Task: 27700 Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
2019-01-10 18:43:14 -05:00 · 2019-01-10 18:43:14 -05:00 · f44717154a
commit f44717154a
parent 5dcff4e616
11 changed files with 121 additions and 52 deletions
--- a/configutilities/centos/build_srpm.data
+++ b/configutilities/centos/build_srpm.data
@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
--- a/configutilities/configutilities/configutilities/common/validator.py
+++ b/configutilities/configutilities/configutilities/common/validator.py
@ -1025,7 +1025,8 @@ class ConfigValidator(object):
                self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
            password_fields = [
                'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
-                'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI'
+                'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI',
+                'BARBICAN'
            ]
            for pw in password_fields:
                if not self.conf.has_option('REGION_2_SERVICES',
--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=76
+TIS_PATCH_VER=77
--- a/puppet-manifests/src/manifests/bootstrap.pp
+++ b/puppet-manifests/src/manifests/bootstrap.pp
@ -15,6 +15,7 @@ include ::platform::postgresql::bootstrap
 include ::platform::amqp::bootstrap

 include ::openstack::keystone::bootstrap
+include ::openstack::barbican::bootstrap
 include ::platform::client::bootstrap
 include ::openstack::client::bootstrap

--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@ -6,7 +6,6 @@ class openstack::barbican::params (
  $service_enabled = true,
 ) { }

-
 class openstack::barbican
  inherits ::openstack::barbican::params {

@ -27,6 +26,54 @@ class openstack::barbican
        'service_credentials/interface': value => 'internalURL'
    }

+    file { '/var/run/barbican':
+      ensure => 'directory',
+      owner  => 'barbican',
+      group  => 'barbican',
+    }
+
+    $api_workers = $::platform::params::eng_workers_by_4
+
+    file_line { 'Modify workers in gunicorn-config.py':
+      path  => '/etc/barbican/gunicorn-config.py',
+      line  => "workers = ${api_workers}",
+      match => '.*workers = .*',
+      tag   => 'modify-workers',
+    }
+  }
+}
+
+class openstack::barbican::service
+  inherits ::openstack::barbican::params {
+
+  if $service_enabled {
+
+    include ::platform::network::mgmt::params
+    $api_host = $::platform::network::mgmt::params::subnet_version ? {
+      6       => "[${::platform::network::mgmt::params::controller_address}]",
+      default => $::platform::network::mgmt::params::controller_address,
+    }
+    $api_fqdn = $::platform::params::controller_hostname
+    $url_host = "http://${api_fqdn}:${api_port}"
+
+    include ::platform::amqp::params
+
+    class { '::barbican::api':
+      enabled                      => true,
+      manage_service               => true,
+      bind_host                    => $api_host,
+      bind_port                    => $api_port,
+      host_href                    => $url_host,
+      sync_db                      => !$::openstack::barbican::params::service_create,
+      enable_proxy_headers_parsing => true,
+      rabbit_use_ssl               => $::platform::amqp::params::ssl_enabled,
+      default_transport_url        => $::platform::amqp::params::transport_url,
+    }
+
+    class { '::barbican::keystone::notification':
+      enable_keystone_notification => true,
+    }
+
    cron { 'barbican-cleaner':
      ensure      => 'present',
      command     => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
@ -38,7 +85,6 @@ class openstack::barbican
  }
 }

-
 class openstack::barbican::firewall
  inherits ::openstack::barbican::params {

@ -48,7 +94,6 @@ class openstack::barbican::firewall
  }
 }

-
 class openstack::barbican::haproxy
  inherits ::openstack::barbican::params {

@ -59,7 +104,6 @@ class openstack::barbican::haproxy
  }
 }

-
 class openstack::barbican::api
  inherits ::openstack::barbican::params {
  include ::platform::params
@ -72,55 +116,57 @@ class openstack::barbican::api
  # set via sysinv puppet
  if ($::openstack::barbican::params::service_create and
      $::platform::params::init_keystone) {
-    include ::barbican::keystone::auth
-    $bu_name = $::barbican::keystone::auth::auth_name
-    $bu_tenant = $::barbican::keystone::auth::tenant

-    keystone_role { 'creator':
-      ensure => present,
-    }
-    keystone_user_role { "${bu_name}@${bu_tenant}":
-      ensure => present,
-      roles  => ['admin', 'creator'],
+    if ($::platform::params::distributed_cloud_role == 'subcloud' and
+        $::platform::params::region_2_name != 'RegionOne') {
+      Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']
+      keystone_endpoint { 'RegionOne/barbican::key-manager':
+        ensure       => 'absent',
+        name         => 'barbican',
+        type         => 'key-manager',
+        region       => 'RegionOne',
+        public_url   => "http://127.0.0.1:${api_port}",
+        admin_url    => "http://127.0.0.1:${api_port}",
+        internal_url => "http://127.0.0.1:${api_port}"
+      }
    }
  }

  if $service_enabled {
-
-    $api_workers = $::platform::params::eng_workers
-
-    file_line { 'Modify workers in gunicorn-config.py':
-      path  => '/etc/barbican/gunicorn-config.py',
-      line  => "workers = ${api_workers}",
-      match => '.*workers = .*',
-      tag   => 'modify-workers',
-    }
-
-    include ::platform::network::mgmt::params
-    $api_host = $::platform::network::mgmt::params::subnet_version ? {
-      6       => "[${::platform::network::mgmt::params::controller_address}]",
-      default => $::platform::network::mgmt::params::controller_address,
-    }
-    $api_fqdn = $::platform::params::controller_hostname
-    $url_host = "http://${api_fqdn}:${api_port}"
-
-    include ::platform::amqp::params
-
-    class { '::barbican::api':
-      bind_host                    => $api_host,
-      bind_port                    => $api_port,
-      host_href                    => $url_host,
-      sync_db                      => $::platform::params::init_database,
-      enable_proxy_headers_parsing => true,
-      rabbit_use_ssl               => $::platform::amqp::params::ssl_enabled,
-      default_transport_url        => $::platform::amqp::params::transport_url,
-    }
-
-    class { '::barbican::keystone::notification':
-      enable_keystone_notification => true,
-    }
-
+    include ::openstack::barbican::service
    include ::openstack::barbican::firewall
    include ::openstack::barbican::haproxy
  }
 }
+
+class openstack::barbican::bootstrap
+  inherits ::openstack::barbican::params {
+
+  class { '::barbican::keystone::auth':
+    configure_user_role => false,
+  }
+  class { '::barbican::keystone::authtoken':
+    auth_url => 'http://localhost:5000',
+  }
+
+  $bu_name = $::barbican::keystone::auth::auth_name
+  $bu_tenant = $::barbican::keystone::auth::tenant
+  keystone_role { 'creator':
+    ensure => present,
+  }
+  keystone_user_role { "${bu_name}@${bu_tenant}":
+    ensure => present,
+    roles  => ['admin', 'creator'],
+  }
+
+  include ::barbican::db::postgresql
+
+  include ::openstack::barbican
+  include ::openstack::barbican::service
+}
+
+class openstack::barbican::runtime
+  inherits ::openstack::barbican::params {
+
+  include ::openstack::barbican::service
+}
--- a/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
+++ b/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
@ -1,3 +1,3 @@
 SRC_DIR="src"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4
--- a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
@ -70,6 +70,7 @@ class sysinv (
  $cinder_region_name          = 'RegionOne',
  $nova_region_name            = 'RegionOne',
  $magnum_region_name          = 'RegionOne',
+  $barbican_region_name        = 'RegionOne',
  $fm_catalog_info             = undef,
  $fernet_key_repository       = undef,
 ) {
@ -202,6 +203,7 @@ class sysinv (
    'openstack_keystone_authtoken/cinder_region_name':  value => $cinder_region_name;
    'openstack_keystone_authtoken/nova_region_name':  value => $nova_region_name;
    'openstack_keystone_authtoken/magnum_region_name':  value => $magnum_region_name;
+    'openstack_keystone_authtoken/barbican_region_name':  value => $barbican_region_name;
  }

  sysinv_config {
--- a/sysinv/sysinv/centos/build_srpm.data
+++ b/sysinv/sysinv/centos/build_srpm.data
@ -1,2 +1,2 @@
 SRC_DIR="sysinv"
-TIS_PATCH_VER=293
+TIS_PATCH_VER=294
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@ -7042,6 +7042,14 @@ class ConductorManager(service.PeriodicService):
                }
                self._config_apply_runtime_manifest(context, config_uuid, config_dict)

+            elif service == constants.SERVICE_TYPE_BARBICAN:
+                personalities = [constants.CONTROLLER]
+                config_dict = {
+                    "personalities": personalities,
+                    "classes": ['openstack::barbican::runtime']
+                }
+                self._config_apply_runtime_manifest(context, config_uuid, config_dict)
+
    def update_security_feature_config(self, context):
        """Update the kernel options configuration"""
        personalities = constants.PERSONALITIES
--- a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
@ -4,6 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #

+from sysinv.common import constants
 from sysinv.puppet import openstack


@ -24,7 +25,12 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
        dbpass = self._get_database_password(self.SERVICE_NAME)
        kspass = self._get_service_password(self.SERVICE_NAME)

+        # initial bootstrap is bound to localhost
+        dburl = self._format_database_connection(self.SERVICE_NAME,
+                                                 constants.LOCALHOST_HOSTNAME)
+
        return {
+            'barbican::db::database_connection': dburl,
            'barbican::db::postgresql::password': dbpass,

            'barbican::keystone::auth::password': kspass,
@ -82,3 +88,6 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):

    def get_admin_url(self):
        return self._format_private_endpoint(self.SERVICE_PORT)
+
+    def get_region_name(self):
+        return self._get_service_region_name(self.SERVICE_NAME)
--- a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
@ -49,6 +49,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
        cinder_region_name = self._operator.cinder.get_region_name()
        nova_region_name = self._operator.nova.get_region_name()
        magnum_region_name = self._operator.magnum.get_region_name()
+        barbican_region_name = self._operator.barbican.get_region_name()

        return {
            # The region in which the identity server can be found
@ -57,6 +58,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
            'sysinv::cinder_region_name': cinder_region_name,
            'sysinv::nova_region_name': nova_region_name,
            'sysinv::magnum_region_name': magnum_region_name,
+            'sysinv::barbican_region_name': barbican_region_name,

            'sysinv::keystone::auth::public_url': self.get_public_url(),
            'sysinv::keystone::auth::internal_url': self.get_internal_url(),