Add barbican role

Sem-Ver: feature
Change-Id: I91e736d2647511db24fe37bab646f3cd3b2f3f1a

doc/source/roles/openstack_helm_barbican/index.rst

@@ -0,0 +1,10 @@
+.. Copyright (C) 2022 VEXXHOST, Inc.
+.. SPDX-License-Identifier: Apache-2.0
+
+``openstack_helm_barbican``
+===========================
+
+.. toctree::
+   :maxdepth: 2
+
+   defaults/main

playbooks/generate_workspace.yml

@@ -209,6 +209,7 @@
       vars:
         default_map:
           openstack_helm_endpoints_region_name: "{{ region_name }}"
+          openstack_helm_endpoints_barbican_api_host: "key-manager.{{ domain_name }}"
           openstack_helm_endpoints_cinder_api_host: "volume.{{ domain_name }}"
           openstack_helm_endpoints_designate_api_host: "dns.{{ domain_name }}"
           openstack_helm_endpoints_glance_api_host: "image.{{ domain_name }}"
@@ -297,7 +298,21 @@
       with_lines: >
         ls {{ playbook_dir }}/../roles/*/defaults/main.yml |
           xargs grep undef |
-            egrep -v '(_host|region_name|_ssh_key|_vip|_interface)' |
+            egrep -v '(_host|region_name|_ssh_key|_vip|_interface|_kek)' |
+              cut -d':' -f2
+
+    - name: Generate base64 encoded secrets
+      ansible.builtin.set_fact:
+        secrets: "{{ secrets | default({}) | combine({item: lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=32') | b64encode}) }}"
+      # NOTE(mnaser): We don't want to override existing secrets, so we generate
+      #               a new one if and only if it doesn't exist
+      when: item not in secrets
+      # NOTE(mnaser): This is absolutely hideous but there's no clean way of
+      #               doing this using `with_fileglob` or `with_filetree`
+      with_lines: >
+        ls {{ playbook_dir }}/../roles/*/defaults/main.yml |
+          xargs grep undef |
+            egrep '(_kek)' |
               cut -d':' -f2
 
     - name: Generate temporary files for generating keys for missing variables

releasenotes/notes/barbican-add-role-8c70f47a587d871a.yaml

@@ -0,0 +1,3 @@
+---
+features:
+  - Add barbican role

roles/openstack_helm_barbican/defaults/main.yml

@@ -0,0 +1,61 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 VEXXHOST, Inc.
+# .. SPDX-License-Identifier: Apache-2.0
+
+# Default variables
+# =================
+
+# .. contents:: Sections
+#    :local:
+
+
+# .. envvar:: openstack_helm_barbican_chart_repo_name [[[
+#
+# Helm repository name for the chart.
+openstack_helm_barbican_chart_repo_name: openstack-helm
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_chart_repo_url [[[
+#
+# Helm repository URL for the chart.
+openstack_helm_barbican_chart_repo_url: https://tarballs.opendev.org/openstack/openstack-helm/
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_chart_name [[[
+#
+# Helm chart name (will also be used for release name)
+openstack_helm_barbican_chart_name: barbican
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_image_repository [[[
+#
+# Image repository location to be prefixed for all images
+openstack_helm_barbican_image_repository: "{{ atmosphere_image_repository | default('us-docker.pkg.dev/vexxhost-infra/openstack') }}"
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_image_tag [[[
+#
+# Image tag for container
+openstack_helm_barbican_image_tag: 12.0.1.dev11
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_heat_image_tag [[[
+#
+# Image tag for Heat to be used for jobs running via Helm hooks
+openstack_helm_barbican_heat_image_tag: wallaby
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_values [[[
+#
+# Overrides for Helm chart values
+openstack_helm_barbican_values: {}
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_barbican_kek [[[
+#
+# Barbican key encryption key
+openstack_helm_barbican_kek: "{{ undef(hint='You must specify a Barbican key encryption key') }}"
+
+                                                                   # ]]]

roles/openstack_helm_barbican/meta/main.yml

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+  author: VEXXHOST, Inc.
+  description: Ansible role for OpenStack Barbican
+  license: Apache-2.0
+  min_ansible_version: 5.5.0
+  platforms:
+    - name: Ubuntu
+      versions:
+        - focal
+
+dependencies:
+  - role: helm_repository
+    vars:
+      helm_repository_name: "{{ openstack_helm_barbican_chart_repo_name }}"
+      helm_repository_repo_url: "{{ openstack_helm_barbican_chart_repo_url }}"

roles/openstack_helm_barbican/tasks/main.yml

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Generate OpenStack-Helm endpoints
+  ansible.builtin.include_role:
+    name: openstack_helm_endpoints
+  vars:
+    openstack_helm_endpoints_repo_name: "{{ openstack_helm_barbican_chart_repo_name }}"
+    openstack_helm_endpoints_repo_url: "{{ openstack_helm_barbican_chart_repo_url }}"
+    openstack_helm_endpoints_chart: "{{ openstack_helm_barbican_chart_name }}"
+
+- name: Deploy Helm chart
+  kubernetes.core.helm:
+    name: "{{ openstack_helm_barbican_chart_name }}"
+    chart_ref: "{{ openstack_helm_barbican_chart_repo_name }}/{{ openstack_helm_barbican_chart_name }}"
+    chart_version: 0.2.12
+    release_namespace: openstack
+    kubeconfig: /etc/kubernetes/admin.conf
+    values: "{{ _openstack_helm_barbican_values | combine(openstack_helm_barbican_values, recursive=True) }}"
+
+- name: Create Ingress
+  ansible.builtin.include_role:
+    name: openstack_helm_ingress
+  vars:
+    openstack_helm_ingress_endpoint: barbican
+    openstack_helm_ingress_service_name: barbican-api
+    openstack_helm_ingress_service_port: 9311

roles/openstack_helm_barbican/vars/main.yml

@@ -0,0 +1,43 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+_openstack_helm_barbican_values:
+  endpoints: "{{ openstack_helm_endpoints }}"
+  images:
+    tags:
+      bootstrap: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+      db_drop: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+      db_init: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+      dep_check: "{{ openstack_helm_barbican_image_repository }}/kubernetes-entrypoint:latest"
+      ks_endpoints: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+      ks_service: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+      ks_user: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+      barbican_db_sync: "{{ openstack_helm_barbican_image_repository }}/barbican:{{ openstack_helm_barbican_image_tag }}"
+      barbican_api: "{{ openstack_helm_barbican_image_repository }}/barbican:{{ openstack_helm_barbican_image_tag }}"
+      rabbit_init: "{{ openstack_helm_barbican_image_repository }}/rabbitmq:3.8.23-management"
+  pod:
+    replicas:
+      api: 3
+  conf:
+    barbican:
+      DEFAULT:
+        log_config_append: null
+      simple_crypto_plugin:
+        kek: "{{ openstack_helm_barbican_kek }}"
+    simple_crypto_kek_rewrap:
+      old_kek: "{{ openstack_helm_barbican_kek }}"
+
+  manifests:
+    ingress_api: false
+    service_ingress_api: false

roles/openstack_helm_endpoints/defaults/main.yml

@@ -154,6 +154,30 @@ openstack_helm_endpoints_placement_keystone_password: "{{ undef(hint='You must s
 # Database password for service
 openstack_helm_endpoints_placement_mariadb_password: "{{ undef(hint='You must specify a Placement MariaDB password') }}"
 
+                                                                   # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_api_host [[[
+#
+# API hostname for OpenStack Barbican Service
+openstack_helm_endpoints_barbican_api_host: "{{ undef(hint='You must specify a Barbican API hostname') }}"
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_region_name [[[
+#
+# Region name for service
+openstack_helm_endpoints_barbican_region_name: "{{ openstack_helm_endpoints_region_name }}"
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_keystone_password [[[
+#
+# Keystone password for service
+openstack_helm_endpoints_barbican_keystone_password: "{{ undef(hint='You must specify a Barbican Keystone password') }}"
+
+                                                                   # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_mariadb_password [[[
+#
+# Database password for service
+openstack_helm_endpoints_barbican_mariadb_password: "{{ undef(hint='You must specify a Barbican MariaDB password') }}"
+
                                                                    # ]]]
 # .. envvar:: openstack_helm_endpoints_neutron_api_host [[[
 #

roles/openstack_helm_endpoints/vars/main.yml

@@ -151,6 +151,27 @@ _openstack_helm_endpoints_placement:
       api:
         public: 443
 
+_openstack_helm_endpoints_key_manager:
+  identity:
+    auth:
+      barbican:
+        region_name: "{{ openstack_helm_endpoints_barbican_region_name }}"
+        username: "barbican-{{ openstack_helm_endpoints_barbican_region_name }}"
+        password: "{{ openstack_helm_endpoints_barbican_keystone_password }}"
+  oslo_db:
+    auth:
+      barbican:
+        password: "{{ openstack_helm_endpoints_barbican_mariadb_password }}"
+  key_manager:
+    scheme:
+      public: https
+    host_fqdn_override:
+      public:
+        host: "{{ openstack_helm_endpoints_barbican_api_host }}"
+    port:
+      api:
+        public: 443
+
 _openstack_helm_endpoints_network:
   identity:
     auth: