From e0537385d05ec122696c38c63fd75fb6e7d16213 Mon Sep 17 00:00:00 2001 
From: zhubingbing <1392607554@qq.com> Date: Mon, 8 Aug 2016 16:48:11 +0000 Subject: [PATCH] Add Barbican ansible role Partially-Implements: blueprint barbican-ansible Change-Id: Id6be35b1d0527d5c38d4ea8576b233ebcc404718 --- ansible/group_vars/all.yml | 3 + ansible/inventory/all-in-one | 13 ++++ ansible/inventory/multinode | 13 ++++ ansible/roles/barbican/defaults/main.yml | 40 ++++++++++ ansible/roles/barbican/meta/main.yml | 3 + ansible/roles/barbican/tasks/bootstrap.yml | 41 ++++++++++ .../barbican/tasks/bootstrap_service.yml | 21 ++++++ ansible/roles/barbican/tasks/config.yml | 37 ++++++++++ ansible/roles/barbican/tasks/deploy.yml | 16 ++++ .../roles/barbican/tasks/do_reconfigure.yml | 74 +++++++++++++++++++ ansible/roles/barbican/tasks/main.yml | 2 + ansible/roles/barbican/tasks/pull.yml | 21 ++++++ ansible/roles/barbican/tasks/reconfigure.yml | 6 ++ ansible/roles/barbican/tasks/register.yml | 40 ++++++++++ ansible/roles/barbican/tasks/start.yml | 34 +++++++++ .../barbican/templates/barbican-api.json.j2 | 11 +++ .../barbican-keystone-listener.json.j2 | 11 +++ .../templates/barbican-worker.json.j2 | 11 +++ .../roles/barbican/templates/barbican.conf.j2 | 55 ++++++++++++++ ansible/roles/common/tasks/config.yml | 2 + .../templates/cron-logrotate-barbican.conf.j2 | 3 + ansible/roles/common/templates/cron.json.j2 | 2 +- .../common/templates/heka-barbican.toml.j2 | 13 ++++ .../roles/haproxy/templates/haproxy.cfg.j2 | 16 ++++ ansible/roles/prechecks/tasks/port_checks.yml | 16 ++++ ansible/site.yml | 9 +++ etc/kolla/globals.yml | 1 + etc/kolla/passwords.yml | 3 + .../notes/add-barbican-8f0636668001de73.yaml | 4 + 29 files changed, 520 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/barbican/defaults/main.yml create mode 100644 ansible/roles/barbican/meta/main.yml create mode 100644 ansible/roles/barbican/tasks/bootstrap.yml create mode 100644 ansible/roles/barbican/tasks/bootstrap_service.yml create mode 100644 ansible/roles/barbican/tasks/config.yml 
create mode 100644 ansible/roles/barbican/tasks/deploy.yml create mode 100644 ansible/roles/barbican/tasks/do_reconfigure.yml create mode 100644 ansible/roles/barbican/tasks/main.yml create mode 100644 ansible/roles/barbican/tasks/pull.yml create mode 100644 ansible/roles/barbican/tasks/reconfigure.yml create mode 100644 ansible/roles/barbican/tasks/register.yml create mode 100644 ansible/roles/barbican/tasks/start.yml create mode 100644 ansible/roles/barbican/templates/barbican-api.json.j2 create mode 100644 ansible/roles/barbican/templates/barbican-keystone-listener.json.j2 create mode 100644 ansible/roles/barbican/templates/barbican-worker.json.j2 create mode 100644 ansible/roles/barbican/templates/barbican.conf.j2 create mode 100644 ansible/roles/common/templates/cron-logrotate-barbican.conf.j2 create mode 100644 ansible/roles/common/templates/heka-barbican.toml.j2 create mode 100644 releasenotes/notes/add-barbican-8f0636668001de73.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 3250293a7e..bf89f1dd9b 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -116,6 +116,8 @@ neutron_plugin_agent: "openvswitch" # The default ports used by each service. aodh_api_port: "8042" +barbican_api_port: "9311" + ceilometer_api_port: "8777" congress_api_port: "1789" @@ -229,6 +231,7 @@ enable_rabbitmq: "yes" # Additional optional OpenStack services are specified here enable_aodh: "no" +enable_barbican: "no" enable_ceilometer: "no" enable_central_logging: "no" enable_ceph: "no" diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one index 0995c6a815..4154ef7d4d 100644 --- a/ansible/inventory/all-in-one +++ b/ansible/inventory/all-in-one @@ -60,6 +60,9 @@ control [swift:children] control +[barbican:children] +control + [heat:children] control 
@@ -215,6 +218,16 @@ storage [swift-object-server:children] storage +# Barbican +[barbican-api:children] +barbican + +[barbican-keystone-listener:children] +barbican + +[barbican-worker:children] +barbican + # Heat [heat-api:children] heat diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode index dd6a519f2e..b45b157516 100644 --- a/ansible/inventory/multinode +++ b/ansible/inventory/multinode @@ -77,6 +77,9 @@ control [swift:children] control +[barbican:children] +control + [heat:children] control @@ -232,6 +235,16 @@ storage [swift-object-server:children] storage +# Barbican +[barbican-api:children] +barbican + +[barbican-keystone-listener:children] +barbican + +[barbican-worker:children] +barbican + # Heat [heat-api:children] heat diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml new file mode 100644 index 0000000000..7fb8d628f9 --- /dev/null +++ b/ansible/roles/barbican/defaults/main.yml 
@@ -0,0 +1,40 @@ +--- +project_name: "barbican" + + +#################### +# Database +#################### +barbican_database_name: "barbican" +barbican_database_user: "barbican" +barbican_database_address: "{{ kolla_internal_fqdn }}:{{ database_port }}" + + +#################### +# Docker +#################### +barbican_api_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-api" +barbican_api_tag: "{{ openstack_release }}" +barbican_api_image_full: "{{ barbican_api_image }}:{{ barbican_api_tag }}" + +barbican_keystone_listener_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-keystone-listener" +barbican_keystone_listener_tag: "{{ openstack_release }}" +barbican_keystone_listener_image_full: "{{ barbican_keystone_listener_image }}:{{ barbican_keystone_listener_tag }}" + +barbican_worker_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-worker" +barbican_worker_tag: "{{ openstack_release }}" +barbican_worker_image_full: "{{ barbican_worker_image }}:{{ barbican_worker_tag }}" + + +#################### +# OpenStack +#################### +barbican_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}" +barbican_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}" +barbican_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}" + +barbican_logging_debug: "{{ openstack_logging_debug }}" + +barbican_keystone_user: "barbican" + +openstack_barbican_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}','domain_name':'default'}" 
diff --git a/ansible/roles/barbican/meta/main.yml b/ansible/roles/barbican/meta/main.yml new file mode 100644 index 0000000000..6b4fff8fef --- /dev/null +++ b/ansible/roles/barbican/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: common } diff --git a/ansible/roles/barbican/tasks/bootstrap.yml b/ansible/roles/barbican/tasks/bootstrap.yml new file mode 100644 index 0000000000..b37ae86428 --- /dev/null +++ b/ansible/roles/barbican/tasks/bootstrap.yml 
@@ -0,0 +1,41 @@ +--- +- name: Creating barbican database + command: docker exec -t kolla_toolbox /usr/bin/ansible localhost + -m mysql_db + -a "login_host='{{ database_address }}' + login_port='{{ database_port }}' + login_user='{{ database_user }}' + login_password='{{ database_password }}' + name='{{ barbican_database_name }}'" + register: database + changed_when: "{{ database.stdout.find('localhost | SUCCESS => ') != -1 and + (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" + failed_when: database.stdout.split()[2] != 'SUCCESS' + run_once: True + delegate_to: "{{ groups['barbican-api'][0] }}" + +- name: Reading json from variable + set_fact: + database_created: "{{ (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" + +- name: Creating barbican database user and setting permissions + command: docker exec -t kolla_toolbox /usr/bin/ansible localhost + -m mysql_user + -a "login_host='{{ database_address }}' + login_port='{{ database_port }}' + login_user='{{ database_user }}' + login_password='{{ database_password }}' + name='{{ barbican_database_name }}' + password='{{ barbican_database_password }}' + host='%' + priv='{{ barbican_database_name }}.*:ALL' + append_privs='yes'" + register: database_user_create + changed_when: "{{ database_user_create.stdout.find('localhost | SUCCESS => ') != -1 and + (database_user_create.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" + failed_when: database_user_create.stdout.split()[2] != 'SUCCESS' + run_once: True + delegate_to: "{{ groups['barbican-api'][0] }}" + +- include: bootstrap_service.yml + when: database_created diff --git a/ansible/roles/barbican/tasks/bootstrap_service.yml b/ansible/roles/barbican/tasks/bootstrap_service.yml new file mode 100644 index 0000000000..fc575a0ac1 --- /dev/null +++ b/ansible/roles/barbican/tasks/bootstrap_service.yml 
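Review bot: Both `command` tasks put `login_password='{{ database_password }}'` and `password='{{ barbican_database_password }}'` on the `docker exec` command line and register the full output without `no_log`, so the credentials appear in Ansible's task output and logs and, while the exec runs, in the delegated host's process list. The two tasks in register.yml have the same exposure through `password={{ barbican_keystone_password }}` and the `-e` auth dict carrying `openstack_auth.password`. Add `no_log: True` to those four tasks; `changed_when`/`failed_when` only read the registered result, so they keep working, at the cost of less detail in the output on failure.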
@@ -0,0 +1,21 @@ +--- +- name: Running barbican bootstrap container + kolla_docker: + action: "start_container" + common_options: "{{ docker_common_options }}" + detach: False + environment: + KOLLA_BOOTSTRAP: + KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}" + image: "{{ barbican_api_image_full }}" + labels: + BOOTSTRAP: + name: "bootstrap_barbican" + restart_policy: "never" + volumes: + - "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro" + - "barbican:/var/lib/barbican/" + - "/etc/localtime:/etc/localtime:ro" + - "kolla_logs:/var/log/kolla/" + run_once: True + delegate_to: "{{ groups['barbican-api'][0] }}" diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml new file mode 100644 index 0000000000..9bbceb42b1 --- /dev/null +++ b/ansible/roles/barbican/tasks/config.yml @@ -0,0 +1,37 @@ +--- +- name: Ensuring config directories exist + file: + path: "{{ node_config_directory }}/{{ item }}" + state: "directory" + recurse: yes + with_items: + - "barbican-api" + - "barbican-keystone-listener" + - "barbican-worker" + +- name: Copying over config.json files for services + template: + src: "{{ item }}.json.j2" + dest: "{{ node_config_directory }}/{{ item }}/config.json" + with_items: + - "barbican-api" + - "barbican-worker" + - "barbican-keystone-listener" + +- name: Copying over barbican.conf + merge_configs: + vars: + service_name: "{{ item }}" + sources: + - "{{ role_path }}/templates/barbican.conf.j2" + - "{{ node_custom_config }}/global.conf" + - "{{ node_custom_config }}/database.conf" + - "{{ node_custom_config }}/messaging.conf" + - "{{ node_custom_config }}/barbican.conf" + - "{{ node_custom_config }}/barbican/{{ item }}.conf" + - "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf" + dest: "{{ node_config_directory }}/{{ item }}/barbican.conf" + with_items: + - "barbican-api" + - "barbican-keystone-listener" + - "barbican-worker" 
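Review bot: The merged `barbican.conf` written by the `merge_configs` task in config.yml carries the database, RabbitMQ, Keystone and memcache secrets, yet neither that task nor the preceding `file` task constrains ownership or mode of `{{ node_config_directory }}/<service>/` on the deployment host, so the rendered file most likely inherits the Ansible user's umask. If `merge_configs` passes file attributes through like `copy`/`template` (not visible here), add `mode: "0600"` to that task and an explicit `mode` on the directory in the `file` task.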
diff --git a/ansible/roles/barbican/tasks/deploy.yml b/ansible/roles/barbican/tasks/deploy.yml new file mode 100644 index 0000000000..4b9f3ebcc3 --- /dev/null +++ b/ansible/roles/barbican/tasks/deploy.yml @@ -0,0 +1,16 @@ +--- +- include: register.yml + when: inventory_hostname in groups['barbican-api'] + +- include: config.yml + when: inventory_hostname in groups['barbican-api'] or + inventory_hostname in groups['barbican-worker'] or + inventory_hostname in groups['barbican-keystone-listener'] + +- include: bootstrap.yml + when: inventory_hostname in groups['barbican-api'] + +- include: start.yml + when: inventory_hostname in groups['barbican-api'] or + inventory_hostname in groups['barbican-worker'] or + inventory_hostname in groups['barbican-keystone-listener'] diff --git a/ansible/roles/barbican/tasks/do_reconfigure.yml b/ansible/roles/barbican/tasks/do_reconfigure.yml new file mode 100644 index 0000000000..84f378665f --- /dev/null +++ b/ansible/roles/barbican/tasks/do_reconfigure.yml 
@@ -0,0 +1,74 @@ +--- +- name: Ensuring the containers up + kolla_docker: + name: "{{ item.name }}" + action: "get_container_state" + register: container_state + failed_when: container_state.Running == false + when: inventory_hostname in groups[item.group] + with_items: + - { name: barbican_api, group: barbican-api } + - { name: barbican_keystone_listener, group: barbican-keystone-listener } + - { name: barbican_worker, group: barbican-worker } + +- include: config.yml + +- name: Check the configs + command: docker exec {{ item.name }} /usr/local/bin/kolla_set_configs --check + changed_when: false + failed_when: false + register: check_results + when: inventory_hostname in groups[item.group] + with_items: + - { name: barbican_api, group: barbican-api } + - { name: barbican_keystone_listener, group: barbican-keystone-listener } + - { name: barbican_worker, group: barbican-worker } + +# NOTE(jeffrey4l): when config_strategy == 'COPY_ALWAYS' +# and container env['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE', +# just remove the container and start again +- name: Containers config strategy + kolla_docker: + name: "{{ item.name }}" + action: "get_container_env" + register: container_envs + when: inventory_hostname in groups[item.group] + with_items: + - { name: barbican_api, group: barbican-api } + - { name: barbican_keystone_listener, group: barbican-keystone-listener } + - { name: barbican_worker, group: barbican-worker } + +- name: Remove the containers + kolla_docker: + name: "{{ item[0]['name'] }}" + action: "remove_container" + register: remove_containers + when: + - inventory_hostname in groups[item[0]['group']] + - config_strategy == "COPY_ONCE" or item[1]['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE' + - item[2]['rc'] == 1 + with_together: + - [{ name: barbican_api, group: barbican-api }, + { name: barbican_keystone_listener, group: barbican-keystone-listener }, + { name: barbican_worker, group: barbican-worker }] + - "{{ container_envs.results }}" + - "{{ 
check_results.results }}" + +- include: start.yml + when: remove_containers.changed + +- name: Restart containers + kolla_docker: + name: "{{ item[0]['name'] }}" + action: "restart_container" + when: + - inventory_hostname in groups[item[0]['group']] + - config_strategy == 'COPY_ALWAYS' + - item[1]['KOLLA_CONFIG_STRATEGY'] != 'COPY_ONCE' + - item[2]['rc'] == 1 + with_together: + - [{ name: barbican_api, group: barbican-api }, + { name: barbican_keystone_listener, group: barbican-keystone-listener }, + { name: barbican_worker, group: barbican-worker }] + - "{{ container_envs.results }}" + - "{{ check_results.results }}" diff --git a/ansible/roles/barbican/tasks/main.yml b/ansible/roles/barbican/tasks/main.yml new file mode 100644 index 0000000000..b017e8b4ad --- /dev/null +++ b/ansible/roles/barbican/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- include: "{{ action }}.yml" diff --git a/ansible/roles/barbican/tasks/pull.yml b/ansible/roles/barbican/tasks/pull.yml new file mode 100644 index 0000000000..284f8970da --- /dev/null +++ b/ansible/roles/barbican/tasks/pull.yml @@ -0,0 +1,21 @@ +--- +- name: Pulling barbican-api image + kolla_docker: + action: "pull_image" + common_options: "{{ docker_common_options }}" + image: "{{ barbican_api_image_full }}" + when: inventory_hostname in groups['barbican-api'] + +- name: Pulling barbican-keystone-listener image + kolla_docker: + action: "pull_image" + common_options: "{{ docker_common_options }}" + image: "{{ barbican_keystone_listener_image_full }}" + when: inventory_hostname in groups['barbican-keystone-listener'] + +- name: Pulling barbican-worker image + kolla_docker: + action: "pull_image" + common_options: "{{ docker_common_options }}" + image: "{{ barbican_worker_image_full }}" + when: inventory_hostname in groups['barbican-worker'] diff --git a/ansible/roles/barbican/tasks/reconfigure.yml b/ansible/roles/barbican/tasks/reconfigure.yml new file mode 100644 index 0000000000..a54cac8bf2 --- /dev/null 
+++ b/ansible/roles/barbican/tasks/reconfigure.yml @@ -0,0 +1,6 @@ +--- +- include: do_reconfigure.yml + serial: "30%" + when: inventory_hostname in groups['barbican-api'] + or inventory_hostname in groups['barbican-keystone-listener'] + or inventory_hostname in groups['barbican-worker'] diff --git a/ansible/roles/barbican/tasks/register.yml b/ansible/roles/barbican/tasks/register.yml new file mode 100644 index 0000000000..5bc6719c94 --- /dev/null +++ b/ansible/roles/barbican/tasks/register.yml 
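Review bot: `serial: "30%"` on the `include` task is unlikely to throttle anything: `serial` is a play-level keyword, and on a task-level include Ansible of this era treats extra keys as variables handed to the included file (inferred, not verifiable from the diff), so `do_reconfigure.yml` would remove or restart the barbican containers on every host in the same batch. If a rolling reconfigure is the intent, the batching belongs on the play in site.yml (`serial:` next to `hosts:`), otherwise a comment such as `# NOTE: serial here is advisory only` would stop readers from relying on it.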
@@ -0,0 +1,40 @@ +--- +- name: Creating the barbican service and endpoint + command: docker exec -t kolla_toolbox /usr/bin/ansible localhost + -m kolla_keystone_service + -a "service_name=barbican + service_type=key-manager + description='Barbican Key Management Service' + endpoint_region={{ openstack_region_name }} + url='{{ item.url }}' + interface='{{ item.interface }}' + region_name={{ openstack_region_name }} + auth={{ '{{ openstack_barbican_auth }}' }}" + -e "{'openstack_barbican_auth':{{ openstack_barbican_auth }}}" + register: barbican_endpoint + changed_when: "{{ barbican_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (barbican_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" + until: barbican_endpoint.stdout.split()[2] == 'SUCCESS' + retries: 10 + delay: 5 + run_once: True + with_items: + - {'interface': 'admin', 'url': '{{ barbican_admin_endpoint }}'} + - {'interface': 'internal', 'url': '{{ barbican_internal_endpoint }}'} + - {'interface': 'public', 'url': '{{ barbican_public_endpoint }}'} + +- name: Creating the barbican project, user, and role + command: docker exec -t kolla_toolbox /usr/bin/ansible localhost + -m kolla_keystone_user + -a "project=service + user=barbican + password={{ barbican_keystone_password }} + role=admin + region_name={{ openstack_region_name }} + auth={{ '{{ openstack_barbican_auth }}' }}" + -e "{'openstack_barbican_auth':{{ openstack_barbican_auth }}}" + register: barbican_user + changed_when: "{{ barbican_user.stdout.find('localhost | SUCCESS => ') != -1 and (barbican_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" + until: barbican_user.stdout.split()[2] == 'SUCCESS' + retries: 10 + delay: 5 + run_once: True diff --git a/ansible/roles/barbican/tasks/start.yml b/ansible/roles/barbican/tasks/start.yml new file mode 100644 index 0000000000..e1891f6560 --- /dev/null +++ b/ansible/roles/barbican/tasks/start.yml 
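Review bot: The `kolla_keystone_user` task hard-codes `user=barbican` while defaults/main.yml introduces `barbican_keystone_user` and barbican.conf.j2 authenticates with `username = {{ barbican_keystone_user }}`, so overriding the default would change the credentials in `[keystone_authtoken]` without changing the identity that is actually created. Use `user={{ barbican_keystone_user }}` here so the created user and the configured credentials cannot diverge.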
@@ -0,0 +1,34 @@ +--- +- name: Starting barbican-api container + kolla_docker: + action: "start_container" + common_options: "{{ docker_common_options }}" + image: "{{ barbican_api_image_full }}" + name: "barbican_api" + volumes: + - "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro" + - "barbican:/var/lib/barbican/" + - "kolla_logs:/var/log/kolla/" + when: inventory_hostname in groups['barbican-api'] + +- name: Starting barbican-keystone-listener container + kolla_docker: + action: "start_container" + common_options: "{{ docker_common_options }}" + image: "{{ barbican_keystone_listener_image_full }}" + name: "barbican_keystone_listener" + volumes: + - "{{ node_config_directory }}/barbican-keystone-listener/:{{ container_config_directory }}/:ro" + - "kolla_logs:/var/log/kolla/" + when: inventory_hostname in groups['barbican-keystone-listener'] + +- name: Starting barbican-worker container + kolla_docker: + action: "start_container" + common_options: "{{ docker_common_options }}" + image: "{{ barbican_worker_image_full }}" + name: "barbican_worker" + volumes: + - "{{ node_config_directory }}/barbican-worker/:{{ container_config_directory }}/:ro" + - "kolla_logs:/var/log/kolla/" + when: inventory_hostname in groups['barbican-worker'] diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2 new file mode 100644 index 0000000000..8eb678dd67 --- /dev/null +++ b/ansible/roles/barbican/templates/barbican-api.json.j2 @@ -0,0 +1,11 @@ +{ + "command": "uwsgi --master --emperor /etc/barbican/vassals --logto /var/log/kolla/barbican/barbican-api.log", + "config_files": [ + { + "source": "{{ container_config_directory }}/barbican.conf", + "dest": "/etc/barbican/barbican.conf", + "owner": "root", + "perm": "0600" + } + ] +} 
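Review bot: `"owner": "root"` together with `"perm": "0600"` makes `/etc/barbican/barbican.conf` readable only by root inside the container; if the uwsgi `command` runs as a dedicated `barbican` user rather than root (not visible in the diff — confirm against the image's Dockerfile), the API cannot read its configuration, and the same applies to barbican-keystone-listener.json.j2 and barbican-worker.json.j2. If the process runs as a service user, set `"owner": "barbican"` and keep `"perm": "0600"`, which is also the preferable outcome for a file holding database, RabbitMQ and Keystone credentials compared with running the service as root.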
diff --git a/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2 b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2 new file mode 100644 index 0000000000..f9f986b500 --- /dev/null +++ b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2 @@ -0,0 +1,11 @@ +{ + "command": "barbican-keystone-listener", + "config_files": [ + { + "source": "{{ container_config_directory }}/barbican.conf", + "dest": "/etc/barbican/barbican.conf", + "owner": "root", + "perm": "0600" + } + ] +} diff --git a/ansible/roles/barbican/templates/barbican-worker.json.j2 b/ansible/roles/barbican/templates/barbican-worker.json.j2 new file mode 100644 index 0000000000..26c660e7c6 --- /dev/null +++ b/ansible/roles/barbican/templates/barbican-worker.json.j2 @@ -0,0 +1,11 @@ +{ + "command": "barbican-worker", + "config_files": [ + { + "source": "{{ container_config_directory }}/barbican.conf", + "dest": "/etc/barbican/barbican.conf", + "owner": "root", + "perm": "0600" + } + ] +} diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2 new file mode 100644 index 0000000000..17e3080c13 --- /dev/null +++ b/ansible/roles/barbican/templates/barbican.conf.j2 
@@ -0,0 +1,55 @@ +[DEFAULT] +debug = {{ barbican_logging_debug }} +log_dir = /var/log/kolla/barbican + + +bind_port = {{ barbican_api_port }} +bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} +host_href = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }} +backlog = 4096 +max_allowed_secret_in_bytes = 10000 +max_allowed_request_size_in_bytes = 1000000 + +sql_connection = mysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }} + +transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %} + +[keystone_notifications] +enable = True + +control_exchange = 'openstack' +topic = 'notifications' +allow_requeue = False + +version = '1.0' + +thread_pool_size = 10 + + +[keystone_authtoken] +auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} +project_domain_id = default +project_name = service +user_domain_id = default +username = {{ barbican_keystone_user }} +password = {{ barbican_keystone_password }} +auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} +auth_type = password + +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +{% if orchestration_engine == 'KUBERNETES' %} +memcache_servers = {{ memcached_servers }} +{% else %} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} +{% endif %} + +[service_credentials] +auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} +region_name = {{ openstack_region_name }} +password = {{ 
barbican_keystone_password }} +username = {{ barbican_keystone_user }} +project_name = service +project_domain_id = default +user_domain_id = default +auth_type = password diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml index cf31a54ac7..7b225b92d0 100644 --- a/ansible/roles/common/tasks/config.yml +++ b/ansible/roles/common/tasks/config.yml @@ -26,6 +26,7 @@ when: item.enabled | bool with_items: - { name: "aodh", enabled: "{{ enable_aodh }}" } + - { name: "barbican", enabled: "{{ enable_barbican }}"} - { name: "elasticsearch", enabled: "{{ enable_central_logging }}" } - { name: "global", enabled: "yes" } - { name: "gnocchi", enabled: "{{ enable_gnocchi }}" } @@ -69,6 +70,7 @@ with_items: - "ansible" - "aodh" + - "barbican" - "cinder" - "glance" - "global" diff --git a/ansible/roles/common/templates/cron-logrotate-barbican.conf.j2 b/ansible/roles/common/templates/cron-logrotate-barbican.conf.j2 new file mode 100644 index 0000000000..eaa5f0f494 --- /dev/null +++ b/ansible/roles/common/templates/cron-logrotate-barbican.conf.j2 @@ -0,0 +1,3 @@ +"/var/log/kolla/barbican/*.log" +{ +} diff --git a/ansible/roles/common/templates/cron.json.j2 b/ansible/roles/common/templates/cron.json.j2 index 2bc594f039..65855b2be5 100644 --- a/ansible/roles/common/templates/cron.json.j2 +++ b/ansible/roles/common/templates/cron.json.j2 @@ -1,5 +1,5 @@ {% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %} -{% set services = ["ansible", "aodh", "cinder", "glance", "gnocchi", "haproxy", "heat", "keepalived", "keystone", "magnum", "manila", "mariadb", "mistral", "murano", "neutron", "nova", "rabbitmq", "swift"] %} +{% set services = ["ansible", "aodh", "barbican", "cinder", "glance", "gnocchi", "haproxy", "heat", "keepalived", "keystone", "magnum", "manila", "mariadb", "mistral", "murano", "neutron", "nova", "rabbitmq", "swift"] %} { "command": "{{ cron_cmd }}", "config_files": [ 
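Review bot: The template sets no `[secretstore]`, `[crypto]` or `[simple_crypto_plugin]` section, so the deployment falls back to Barbican's built-in defaults, which select the simple_crypto plugin whose `kek` option carries a publicly documented default value; every secret this key manager stores would then be protected under a key anyone can read from the upstream sample config. Generate a per-deployment key (a new entry in etc/kolla/passwords.yml next to `barbican_database_password`, e.g. a constructed name such as `barbican_crypto_key`) and render it as `[simple_crypto_plugin]` / `kek = {{ barbican_crypto_key }}`, or configure a PKCS#11/KMIP backend, before this role is used outside a test setup. Two smaller points: `sql_connection` uses `mysql://`, whereas other kolla service templates use `mysql+pymysql://` (hedged — confirm which driver the barbican image contains), and `host_href` is built from `internal_protocol`/`kolla_internal_fqdn`, so hrefs returned to clients arriving via the external VIP will point at the internal endpoint.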
diff --git a/ansible/roles/common/templates/heka-barbican.toml.j2 b/ansible/roles/common/templates/heka-barbican.toml.j2 new file mode 100644 index 0000000000..9ec0e8c6b6 --- /dev/null +++ b/ansible/roles/common/templates/heka-barbican.toml.j2 @@ -0,0 +1,13 @@ +[barbican_apache_log_decoder] +type = "SandboxDecoder" +filename = "lua_decoders/os_barbican_apache_log.lua" + [barbican_apache_log_decoder.config] + apache_log_pattern = '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"' + +[barbican_apache_logstreamer_input] +type = "LogstreamerInput" +decoder = "barbican_apache_log_decoder" +log_directory = "/var/log/kolla" +file_match = 'barbican/barbican-apache-(?P.+)-access\.log\.?(?P\d*)$' +priority = ["^Seq"] +differentiator = ["barbican-apache-", "Service"] diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2 index c58680490a..f075a9236f 100644 --- a/ansible/roles/haproxy/templates/haproxy.cfg.j2 +++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2 
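Review bot: The `file_match` pattern looks for `barbican/barbican-apache-<service>-access.log`, but barbican-api.json.j2 runs the API under uwsgi with `--logto /var/log/kolla/barbican/barbican-api.log` and no Apache front end, so this LogstreamerInput will never match a file and Barbican API access logs will not reach central logging — an audit gap for a service that hands out secrets. Either point `file_match` at the uwsgi log (with a decoder that understands its format) or front the API with Apache as the decoder name assumes. Separately, the named groups appear here as `(?P.+)` and `(?P\d*)` while `priority`/`differentiator` reference `Seq` and `Service`; this is probably an artefact of how the page was rendered, but confirm the committed file reads `(?P<Service>.+)` and `(?P<Seq>\d*)`, since an unnamed `(?P` group is a regex error and the input would fail to load.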
@@ -453,6 +453,22 @@ listen elasticsearch {% endfor %} {% endif %} +{% if enable_barbican | bool %} +listen barbican_api + bind {{ kolla_internal_vip_address }}:{{ barbican_api_port }} +{% for host in groups['barbican-api'] %} + server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5 +{% endfor %} +{% if haproxy_enable_external_vip | bool %} + +listen barbican_api_external + bind {{ kolla_external_vip_address }}:{{ barbican_api_port }} {{ tls_bind_info }} +{% for host in groups['barbican-api'] %} + server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5 +{% endfor %} +{% endif %} +{% endif %} + {% if enable_ceilometer | bool %} listen ceilometer_api bind {{ kolla_internal_vip_address }}:{{ ceilometer_api_port }} diff --git a/ansible/roles/prechecks/tasks/port_checks.yml b/ansible/roles/prechecks/tasks/port_checks.yml index 482bc41b19..044756cc11 100644 --- a/ansible/roles/prechecks/tasks/port_checks.yml +++ b/ansible/roles/prechecks/tasks/port_checks.yml @@ -1,4 +1,20 @@ --- +- name: Checking free port for Barbican API + wait_for: + host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}" + port: "{{ barbican_api_port }}" + connect_timeout: 1 + state: stopped + when: inventory_hostname in groups['barbican-api'] + +- name: Checking free port for Barbican API HAProxy + wait_for: + host: "{{ kolla_internal_vip_address }}" + port: "{{ barbican_api_port }}" + connect_timeout: 1 + state: stopped + when: inventory_hostname in groups['haproxy'] + - name: Checking free port for Cinder API wait_for: host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}" diff --git a/ansible/site.yml b/ansible/site.yml index 5fdf170094..bbded87fdf 100644 
--- a/ansible/site.yml +++ b/ansible/site.yml @@ -250,6 +250,15 @@ tags: aodh, when: enable_aodh | bool } +- hosts: + - barbican-api + - barbican-keystone-listener + - barbican-worker + roles: + - { role: barbican, + tags: barbican, + when: enable_barbican | bool } + - hosts: - congress-api - congress-policy-engine diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index 0edeb65c3a..76730765d6 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -121,6 +121,7 @@ kolla_internal_vip_address: "10.10.10.254" #fernet_token_expiry: 86400 # OpenStack services can be enabled or disabled with these options +#enable_barbican: "no" #enable_ceilometer: "no" #enable_central_logging: "no" #enable_ceph: "no" diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index 09ae97226d..e570a9d906 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -24,6 +24,9 @@ docker_registry_password: aodh_database_password: aodh_keystone_password: +barbican_database_password: +barbican_keystone_password: + keystone_admin_password: keystone_database_password: diff --git a/releasenotes/notes/add-barbican-8f0636668001de73.yaml b/releasenotes/notes/add-barbican-8f0636668001de73.yaml new file mode 100644 index 0000000000..51dc01e34d --- /dev/null +++ b/releasenotes/notes/add-barbican-8f0636668001de73.yaml @@ -0,0 +1,4 @@ +--- +features: + - To produce a secret storage and generation system capable of providing key + management for services wishing to enable encryption features.