# @summary Shared parameters inherited by the openstack::barbican::* classes.
#
# @param api_port
#   TCP port of the Barbican API. The classes below reuse it for the bind
#   port, the firewall rule, the haproxy front end and the endpoint URLs.
# @param region_name
#   Not referenced by any of the classes below.
# @param service_name
#   Not referenced by any of the classes below; the firewall rule carries its
#   own literal 'barbican-api'.
# @param service_create
#   When true (together with init_keystone) openstack::barbican::api may
#   remove the stale RegionOne endpoint; openstack::barbican::service passes
#   its negation as sync_db.
# @param service_enabled
#   Gates the configuration, service, firewall and haproxy resources.
class openstack::barbican::params (
  $api_port        = 9311,
  $region_name     = undef,
  $service_name    = 'barbican-api',
  $service_create  = false,
  $service_enabled = true,
) { }
# @summary Base configuration for the Barbican key manager.
#
# Everything is skipped when service_enabled is false. Otherwise the class
# pulls in the keystone and database classes on request, sets one
# barbican_config entry, manages the runtime directory and pins the gunicorn
# worker count.
class openstack::barbican inherits ::openstack::barbican::params {

  if $service_enabled {

    include ::platform::params

    # Keystone user/endpoint and authtoken settings only on initial setup.
    if $::platform::params::init_keystone {
      include ::barbican::keystone::auth
      include ::barbican::keystone::authtoken
    }

    # Database class only while the platform is initialising its databases.
    if $::platform::params::init_database {
      include ::barbican::db::postgresql
    }

    barbican_config {
      'service_credentials/interface': value => 'internalURL',
    }

    # NOTE(review): no mode is managed here, so the permissions of this
    # directory are whatever the creating process or package left behind.
    # Consider pinning one after confirming what else reads this path.
    file { '/var/run/barbican':
      ensure => 'directory',
      owner  => 'barbican',
      group  => 'barbican',
    }

    $api_workers = $::platform::params::eng_workers_by_4

    # The match is unanchored: any line containing "workers = " qualifies,
    # commented-out ones included. file_line raises an error when more than
    # one line matches and `multiple` is not set.
    file_line { 'Modify workers in gunicorn-config.py':
      path  => '/etc/barbican/gunicorn-config.py',
      line  => "workers = ${api_workers}",
      match => '.*workers = .*',
      tag   => 'modify-workers',
    }
  }
}
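# @summary Declares the Barbican API service, keystone notifications and the
#   daily database clean-up job.
#
# Nothing is declared when service_enabled is false.
class openstack::barbican::service inherits ::openstack::barbican::params {

  if $service_enabled {

    # This class reads $::platform::params::controller_hostname below and is
    # included on its own by openstack::barbican::runtime, so declare the
    # params class here instead of relying on another class having been
    # evaluated first. Without it the hostname can resolve to undef and
    # host_href would be built without a host.
    include ::platform::params
    include ::platform::network::mgmt::params
    include ::platform::amqp::params

    # IPv6 literals need brackets when used as a bind address.
    $api_host = $::platform::network::mgmt::params::subnet_version ? {
      6       => "[${::platform::network::mgmt::params::controller_address}]",
      default => $::platform::network::mgmt::params::controller_address,
    }

    $api_fqdn = $::platform::params::controller_hostname

    # NOTE(review): host_href is built with plain http. Presumably TLS is
    # terminated in front of this listener (see openstack::barbican::haproxy)
    # - confirm, since this is the key manager's API.
    $url_host = "http://${api_fqdn}:${api_port}"

    class { '::barbican::api':
      enabled                      => true,
      manage_service               => true,
      bind_host                    => $api_host,
      bind_port                    => $api_port,
      host_href                    => $url_host,
      # Schema sync is skipped when service_create is set.
      sync_db                      => !$::openstack::barbican::params::service_create,
      # NOTE(review): with proxy header parsing on, forwarded headers are
      # taken from whoever connects; confirm the bind address is reachable
      # only through the proxy.
      enable_proxy_headers_parsing => true,
      rabbit_use_ssl               => $::platform::amqp::params::ssl_enabled,
      default_transport_url        => $::platform::amqp::params::transport_url,
    }

    class { '::barbican::keystone::notification':
      enable_keystone_notification => true,
    }

    # '*/24' only ever matches hour 0, so this runs once a day at 00:50.
    # NOTE(review): the job runs as root; whether the barbican account could
    # run it depends on ownership of the log path and config - confirm before
    # changing.
    cron { 'barbican-cleaner':
      ensure      => 'present',
      command     => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
      environment => 'PATH=/bin:/usr/bin:/usr/sbin',
      minute      => '50',
      hour        => '*/24',
      user        => 'root',
    }
  }
}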
# @summary Opens the Barbican API port in the platform firewall.
class openstack::barbican::firewall inherits ::openstack::barbican::params {

  # NOTE(review): service_name is a literal here although the params class
  # also defines $service_name with the same default - confirm which one is
  # meant to be authoritative.
  platform::firewall::rule { 'barbican-api':
    service_name => 'barbican-api',
    ports        => $api_port,
  }
}
# @summary Publishes the Barbican REST API through the platform haproxy.
#
# The public and private side both use api_port.
class openstack::barbican::haproxy inherits ::openstack::barbican::params {

  platform::haproxy::proxy { 'barbican-restapi':
    server_name  => 's-barbican-restapi',
    public_port  => $api_port,
    private_port => $api_port,
  }
}
# @summary Entry point for the Barbican API: endpoint clean-up on subclouds
#   plus the service, firewall and haproxy classes.
class openstack::barbican::api inherits ::openstack::barbican::params {

  include ::platform::params

  # The barbican user and service are always required: subclouds use them
  # even when the service itself is disabled on the System Controller.
  # Whether the endpoint is created is decided by
  # barbican::keystone::auth::configure_endpoint, which sysinv puppet sets.
  if $::openstack::barbican::params::service_create and $::platform::params::init_keystone {

    # On a subcloud whose own region is not RegionOne, drop the RegionOne
    # key-manager endpoint, but only after the subcloud's own region
    # endpoint has been handled.
    if $::platform::params::distributed_cloud_role == 'subcloud' and $::platform::params::region_2_name != 'RegionOne' {

      Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']

      # ensure is 'absent', so this resource removes the endpoint; the
      # loopback URLs are presumably only there to satisfy the type.
      keystone_endpoint { 'RegionOne/barbican::key-manager':
        ensure       => 'absent',
        name         => 'barbican',
        type         => 'key-manager',
        region       => 'RegionOne',
        public_url   => "http://127.0.0.1:${api_port}",
        admin_url    => "http://127.0.0.1:${api_port}",
        internal_url => "http://127.0.0.1:${api_port}",
      }
    }
  }

  if $service_enabled {
    include ::openstack::barbican::service
    include ::openstack::barbican::firewall
    include ::openstack::barbican::haproxy
  }
}
# @summary Bootstrap-time setup: keystone identity and roles for the Barbican
#   user, the database class, then the base and service classes.
class openstack::barbican::bootstrap inherits ::openstack::barbican::params {

  # Role assignment is turned off here and handled explicitly below.
  class { '::barbican::keystone::auth':
    configure_user_role => false,
  }

  # Keystone is addressed over plain http on localhost.
  class { '::barbican::keystone::authtoken':
    auth_url => 'http://localhost:5000',
  }

  $bu_name   = $::barbican::keystone::auth::auth_name
  $bu_tenant = $::barbican::keystone::auth::tenant

  keystone_role { 'creator':
    ensure => present,
  }

  # NOTE(review): the service user receives 'admin' in addition to
  # 'creator'. Confirm the admin role is needed; the narrower role alone
  # would be the least-privilege choice if it is sufficient.
  keystone_user_role { "${bu_name}@${bu_tenant}":
    ensure => present,
    roles  => ['admin', 'creator'],
  }

  include ::barbican::db::postgresql

  include ::openstack::barbican
  include ::openstack::barbican::service
}
# @summary Runtime manifest entry point; applies only the service class.
class openstack::barbican::runtime inherits ::openstack::barbican::params {

  include ::openstack::barbican::service
}