Add first attempt at a barbican role
This commit is contained in:
parent
89944953a3
commit
755e8eed8c
@ -1,2 +1,135 @@
|
|||
---
|
||||
# defaults file for openstack-ansible-barbican
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
barbican_system_group_name: barbican
|
||||
barbican_system_user_name: barbican
|
||||
barbican_system_user_comment: Barbican System User
|
||||
barbican_system_user_shell: /bin/false
|
||||
barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
|
||||
barbican_log_directory: /var/log/barbican
|
||||
barbican_etc_directory: /etc/barbican
|
||||
|
||||
barbican_api_program_name: barbican-api
|
||||
barbican_keystone_listener_program_name: barbican-keystone-listener
|
||||
barbican_worker_program_name: barbican-worker
|
||||
barbican_retry_program_name: barbican-retry
|
||||
|
||||
barbican_service_name: barbican
|
||||
barbican_service_user_name: barbican
|
||||
barbican_service_type: container
|
||||
barbican_service_description: "OpenStack Key and Secrets Management (Barbican)"
|
||||
barbican_service_project_name: service
|
||||
barbican_service_role_names:
|
||||
- admin
|
||||
barbican_service_region: RegionOne
|
||||
barbican_service_port: 9311
|
||||
barbican_service_publicuri_protocol: http
|
||||
barbican_service_publicurl: "{{ barbican_service_publicuri_protocol }}://{{ external_lb_vip_address }}:{{ barbican_service_port }}"
|
||||
barbican_service_internaluri_protocol: http
|
||||
barbican_service_internalurl: "{{ barbican_service_internaluri_protocol }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
|
||||
barbican_service_adminuri_protocol: http
|
||||
barbican_service_adminurl: "{{ barbican_service_adminuri_protocol }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
|
||||
|
||||
barbican_config_overrides: {}
|
||||
barbican_policy_overrides: {}
|
||||
|
||||
barbican_git_repo: "https://git.openstack.org/openstack/barbican"
|
||||
barbican_git_install_branch: c09af59f0f06db9e74a334aaee4c493119384ea7 # master
|
||||
barbican_git_dest: "/opt/barbican_{{ barbican_git_install_branch |replace('/', '_') }}"
|
||||
|
||||
# Database vars
|
||||
barbican_galera_database_name: barbican_service
|
||||
barbican_galera_user: barbican
|
||||
|
||||
# Rabbit vars
|
||||
barbican_rpc_backend: rabbit
|
||||
barbican_rabbitmq_userid: barbican
|
||||
barbican_rabbitmq_virtualhost: /barbican
|
||||
|
||||
# Keystone AuthToken/Middleware
|
||||
barbican_keystone_auth_plugin: password
|
||||
barbican_service_project_domain_name: Default
|
||||
barbican_service_user_domain_name: default
|
||||
barbican_service_project_name: service
|
||||
|
||||
# Apache configuration vars
|
||||
barbican_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
|
||||
barbican_wsgi_threads: 1
|
||||
barbican_apache_log_level: info
|
||||
barbican_apache_servertokens: "Prod"
|
||||
barbican_apache_serversignature: "Off"
|
||||
|
||||
keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
|
||||
|
||||
# set barbican_ssl to true to enable SSL configuration on the barbican containers
|
||||
barbican_ssl: false
|
||||
barbican_ssl_cert: /etc/ssl/certs/barbican.pem
|
||||
barbican_ssl_key: /etc/ssl/private/barbican.key
|
||||
barbican_ssl_ca_cert: /etc/ssl/certs/barbican-ca.pem
|
||||
barbican_ssl_protocol: "{{ ssl_protocol }}"
|
||||
barbican_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
||||
|
||||
# if using a self-signed certificate, set this to true to regenerate it
|
||||
barbican_ssl_self_signed_regen: false
|
||||
barbican_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||
|
||||
# Set these in user_variables to deploy custom certificates
|
||||
#barbican_user_ssl_cert: <path to cert on ansible deployment host>
|
||||
#barbican_user_ssl_key: <path to cert on ansible deployment host>
|
||||
#barbican_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
||||
|
||||
barbican_apt_packages:
|
||||
- python-dev
|
||||
- libssl-dev
|
||||
# - libxml2-dev
|
||||
# - libmysqlclient-dev
|
||||
# - libxslt-dev
|
||||
- libpq-dev
|
||||
- git
|
||||
- libffi-dev
|
||||
- gettext
|
||||
- build-essential
|
||||
|
||||
barbican_pip_packages:
|
||||
- alembic
|
||||
- Babel
|
||||
- cffi
|
||||
- cryptography
|
||||
- eventlet
|
||||
- jsonschema
|
||||
- oslo.concurrency
|
||||
- oslo.config
|
||||
- oslo.context
|
||||
- oslo.i18n
|
||||
- oslo.messaging
|
||||
- oslo.middleware
|
||||
- oslo.log
|
||||
- oslo.policy
|
||||
- oslo.serialization
|
||||
- oslo.service
|
||||
- oslo.utils
|
||||
- Paste
|
||||
- PasteDeploy
|
||||
- pbr
|
||||
- pecan
|
||||
- pycadf
|
||||
- pycrypto
|
||||
- pyOpenSSL
|
||||
- ldap3
|
||||
- keystonemiddleware
|
||||
- six
|
||||
- SQLAlchemy
|
||||
- stevedore
|
||||
- webob
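Review bot: `barbican_service_project_name: service` is defined twice in this file (once in the service block and again under the Keystone AuthToken comment), and most YAML loaders silently keep the last value, so one of the two lines should go. `barbican_service_type: container` also looks wrong for a key manager: Barbican is looked up in the catalog by the `key-manager` service type, so clients will not find a `container` entry; suggested `barbican_service_type: key-manager`. `keystone_wsgi_processes` reads like a copy-paste leftover from the keystone role and nothing else in this commit references it; if the barbican templates do not use it, drop it. `barbican_service_project_domain_name: Default` and `barbican_service_user_domain_name: default` differ only in case, and Keystone domain names are case-sensitive, so presumably both should read `Default`. With `barbican_ssl: false` and all three `*uri_protocol` defaults set to `http`, a default deployment serves the secrets API in cleartext; that matches the sibling roles, but a comment above the SSL block saying so would help deployers make the choice consciously.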
|
||||
|
|
|
@ -0,0 +1,88 @@
|
|||
---
|
||||
# Copyright 2014, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Drop apache2 files
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
with_items:
|
||||
- { src: "barbican-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
|
||||
- { src: "barbican-httpd.conf.j2", dest: "/etc/apache2/sites-available/barbican-httpd.conf" }
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barbican-httpd
|
||||
|
||||
- name: Disable default apache site
|
||||
file:
|
||||
path: "/etc/apache2/sites-enabled/000-default.conf"
|
||||
state: "absent"
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barabican-httpd
|
||||
|
||||
- name: Enable Barbican vhost
|
||||
file:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
state: "{{ item.state }}"
|
||||
with_items:
|
||||
- { src: "/etc/apache2/sites-available/barbican-httpd.conf", dest: "/etc/apache2/sites-enabled/barbican-httpd.conf", state: "link" }
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barbican-httpd
|
||||
|
||||
- name: Ensure Apache ServerName
|
||||
lineinfile:
|
||||
dest: "/etc/apache2/apache2.conf"
|
||||
line: "ServerName {{ inventory_hostname }}"
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barbican-httpd
|
||||
|
||||
- name: Ensure Apache ServerTokens
|
||||
lineinfile:
|
||||
dest: "/etc/apache2/conf-available/security.conf"
|
||||
regexp: '^ServerTokens'
|
||||
line: "ServerTokens {{ barbican_apache_servertokens }}"
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barbican-httpd
|
||||
|
||||
- name: Ensure Apache ServerSignature
|
||||
lineinfile:
|
||||
dest: "/etc/apache2/conf-available/security.conf"
|
||||
regexp: '^ServerSignature'
|
||||
line: "ServerSignature {{ barbican_apache_serversignature }}"
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barbican-httpd
|
||||
|
||||
- name: Enable/disable mod_ssl for apache2
|
||||
apache2_module:
|
||||
name: ssl
|
||||
state: "{{ (barbican_ssl | bool) | ternary('present', 'absent') }}"
|
||||
notify:
|
||||
- Restart Apache
|
||||
tags:
|
||||
- barbican-httpd
|
||||
- barbican-ssl
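Review bot: The tag on the `Disable default apache site` task is misspelled `barabican-httpd`, so a run limited with `--tags barbican-httpd` installs the Barbican vhost but leaves `000-default.conf` enabled; change it to `- barbican-httpd`. The `Ensure Apache ServerName` `lineinfile` has no `regexp`, so if `inventory_hostname` ever changes a second `ServerName` line is appended instead of the old one being replaced; add `regexp: '^ServerName'` as the ServerTokens and ServerSignature tasks below already do. The `Drop apache2 files` template task sets owner and group but no `mode`, so the rendered files inherit the module's default; `mode: "0644"` would make it explicit, matching upstart-common-init.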
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
# Copyright 2015, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Remove self signed cert for regeneration
|
||||
file:
|
||||
dest: "{{ barbican_ssl_cert }}"
|
||||
state: "absent"
|
||||
when: barbican_ssl_self_signed_regen | bool
|
||||
tags:
|
||||
- barbican-ssl
|
||||
|
||||
- name: Create self-signed Apache ssl cert
|
||||
command: >
|
||||
openssl req -new -nodes -sha256 -x509 -subj
|
||||
"{{ barbican_ssl_self_signed_subject }}"
|
||||
-days 3650
|
||||
-keyout {{ barbican_ssl_key }}
|
||||
-out {{ barbican_ssl_cert }}
|
||||
-extensions v3_ca
|
||||
creates={{ barbican_ssl_cert }}
|
||||
notify: Restart Apache
|
||||
tags:
|
||||
- barbican-configs
|
||||
- barbican-ssl
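Review bot: The `openssl req ... -keyout {{ barbican_ssl_key }}` command leaves the private key's owner and mode to whatever openssl and the umask produce, and nothing in this file tightens them afterwards, while the distribute task on the other hosts explicitly applies `0640`. A follow-up `file` task on `{{ barbican_ssl_key }}` with `mode: "0640"` and the owner/group Apache actually runs as would make the first host match the rest (the Apache run user is not visible in this commit, so confirm it). `-extensions v3_ca` issues the server certificate with CA extensions and `-days 3650` gives it a ten-year lifetime; presumably both are copied from the sibling roles, but a comment stating that the self-signed path is a bootstrap convenience rather than a hardened default would help deployers.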
|
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create Barbican's database tables
|
||||
mysql_db:
|
||||
login_user: "{{ galera_root_user }}"
|
||||
login_password: "{{ galera_root_password }}"
|
||||
login_host: "{{ barbican_galera_address }}"
|
||||
name: "{{ barbican_galera_database_name }}"
|
||||
state: "present"
|
||||
tags:
|
||||
- barbican-database-setup
|
||||
- barbican-db-setup
|
||||
- barbican-setup
|
||||
|
||||
- name: Give Barbican database access
|
||||
mysql_user:
|
||||
login_user: "{{ galera_root_user }}"
|
||||
login_password: "{{ galera_root_password }}"
|
||||
login_host: "{{ barbican_galera_address }}"
|
||||
name: "{{ barbican_galera_user }}"
|
||||
password: "{{ barbican_galera_password }}"
|
||||
priv: "{{ barbican_galera_database_name }}.*:ALL"
|
||||
host: "{{ item }}"
|
||||
state: "present"
|
||||
with_items:
|
||||
- "localhost"
|
||||
- "%"
|
||||
tags:
|
||||
- barbican-database-setup
|
||||
- barbican-db-setup
|
||||
- barbican-setup
|
||||
|
||||
- name: Perform a synchronization of the Barbican database
|
||||
command: "barbican-db-manage upgrade"
|
||||
sudo: yes
|
||||
sudo_user: "{{ barbican_system_user_name }}"
|
||||
tags:
|
||||
- barbican-database-setup
|
||||
- barbican-db-setup
|
||||
- barbican-database-sync
|
||||
- barbican-db-sync
|
||||
- barbican-setup
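Review bot: `sudo: yes` / `sudo_user:` on the `barbican-db-manage upgrade` task are the pre-1.9 privilege-escalation keywords; use `become: true` and `become_user: "{{ barbican_system_user_name }}"` so the task keeps working on current Ansible. The `mysql_user` task passes `barbican_galera_password` and `galera_root_password` without `no_log: true`, so a verbose run prints them in the task result unless the module masks its own arguments; the same applies to `rabbitmq_user` in messaging-setup, the `keystone` `ensure_user` task in service-setup, and the `memcached` tasks that take `encrypt_string` in store-ssl-key and distribute-ssl-key. Granting `barbican_service.*:ALL` to host `%` follows the other roles, but a comment noting that the Galera user is then reachable from any host would help operators who can restrict it.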
|
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
# Copyright 2014, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Distribute self signed cert and key
|
||||
memcached:
|
||||
name: "{{ item.name }}"
|
||||
file_path: "{{ item.src }}"
|
||||
state: "retrieve"
|
||||
file_mode: "{{ item.file_mode }}"
|
||||
dir_mode: "{{ item.dir_mode }}"
|
||||
server: "{{ memcached_servers }}"
|
||||
encrypt_string: "{{ memcached_encryption_key }}"
|
||||
with_items:
|
||||
- { src: "{{ barbican_ssl_cert }}", name: "barbican_ssl_cert", file_mode: "0644", dir_mode: "0755" }
|
||||
- { src: "{{ barbican_ssl_key }}", name: "barbican_ssl_key", file_mode: "0640", dir_mode: "0750" }
|
||||
register: barbican_memcache_keys
|
||||
until: barbican_memcache_keys |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
notify: Restart Apache
|
||||
tags:
|
||||
- barbican-config
|
||||
- barbican-ssl
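Review bot: The tag names on the SSL tasks are inconsistent — this task uses `barbican-config`, create-ssl-key uses `barbican-configs`, and post-install uses `barbican-config-files` — so none of the three tag-limited runs picks up all configuration work; settle on one spelling. The retrieved key is written with `file_mode: "0640"` but no owner or group is passed, so who can read it depends on the memcached module's defaults, which are not visible here; if the module accepts owner/group, set them to the account Apache runs as.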
|
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Update apt sources
|
||||
apt:
|
||||
update_cache: "yes"
|
||||
cache_valid_time: "600"
|
||||
register: apt_update
|
||||
until: apt_update |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
tags:
|
||||
- barbican-apt-packages
|
||||
- barbican-apt-sources
|
||||
- barbican-install
|
||||
|
||||
- name: Install apt packages for Barbican
|
||||
apt:
|
||||
pkg: "{{ item }}"
|
||||
state: "latest"
|
||||
register: install_barbican_apt_packages
|
||||
until: install_barbican_apt_packages |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: barbican_apt_packages
|
||||
tags:
|
||||
- barbican-apt-packages
|
||||
- barbican-install
|
||||
|
||||
- name: Install pip packages for Barbican
|
||||
pip:
|
||||
name: "{{ item }}"
|
||||
state: "present"
|
||||
extra_args: "{{ pip_install_options |default('') }}"
|
||||
register: install_barbican_pip_packages
|
||||
until: install_barbican_pip_packages |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: barbican_pip_packages
|
||||
tags:
|
||||
- barbican-install
|
||||
- barbican-pip-packages
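Review bot: `with_items: barbican_apt_packages` and `with_items: barbican_pip_packages` are bare variable names; Ansible 2.x deprecates that form, so write `with_items: "{{ barbican_apt_packages }}"` (same for `barbican_service_role_names` in service-setup). The pip list in defaults carries no version pins and `extra_args` only forwards `pip_install_options`, so every run resolves the newest releases from the index — a reproducibility and supply-chain concern for a secrets service; pass a constraints file through `pip_install_options` or pin the entries. `state: "latest"` on the apt task likewise upgrades packages on every run; `present` is the usual choice unless upgrades are intended.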
|
|
@ -1,2 +1,50 @@
|
|||
---
|
||||
# tasks file for openstack-ansible-barbican
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Main tasks file for openstack-ansible-barbican
|
||||
|
||||
- include: pre-install.yml
|
||||
|
||||
- include: messaging-setup.yml
|
||||
when: >
|
||||
inventory_hostname == groups['barbican_all'][0]
|
||||
|
||||
- include: install.yml
|
||||
|
||||
- include: post-install.yml
|
||||
|
||||
- include: ssl.yml
|
||||
|
||||
- include: apache.yml
|
||||
|
||||
- include: upstart-init.yml
|
||||
|
||||
- include: database-setup.yml
|
||||
when: >
|
||||
inventory_hostname == groups['barbican_all'][0]
|
||||
|
||||
- include: service-setup.yml
|
||||
when: >
|
||||
inventory_hostname == groups['barbican_all'][0]
|
||||
|
||||
- name: Restart Barbican Services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: "restarted"
|
||||
with_items:
|
||||
- "{{ barbican_api_program_name }}"
|
||||
|
||||
- name: Flush handlers
|
||||
meta: flush_handlers
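Review bot: `Restart Barbican Services` only lists `barbican_api_program_name`, yet upstart-init also installs an init script for `barbican_keystone_listener_program_name`, so the listener keeps running with stale configuration after a change; add `- "{{ barbican_keystone_listener_program_name }}"` to the `with_items` list. The restart is an ordinary task rather than a handler, so it restarts the services on every run whether or not anything changed; gate it on the config and init tasks' results or move it to a handler. `upstart-init.yml` is also included before `database-setup.yml`, so on a first deploy the API can be started before the schema exists.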
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Ensure the Barbican RabbitMQ virtualhost exists
|
||||
rabbitmq_vhost:
|
||||
name: "{{ barbican_rabbitmq_virtualhost }}"
|
||||
state: "present"
|
||||
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
|
||||
tags:
|
||||
- barbican-rabbitmq
|
||||
- barbican-rabbitmq-vhost
|
||||
- barbican-rabbitmq-virtualhost
|
||||
|
||||
- name: Ensure the Barbican RabbitMQ user exists
|
||||
rabbitmq_user:
|
||||
user: "{{ barbican_rabbitmq_userid }}"
|
||||
password: "{{ barbican_rabbitmq_password }}"
|
||||
vhost: "{{ barbican_rabbitmq_virtualhost }}"
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
state: "present"
|
||||
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
|
||||
tags:
|
||||
- barbican-rabbitmq
|
||||
- barbican-rabbitmq-user
|
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Distribute Barbican Config Files
|
||||
config_template:
|
||||
src: "{{ item.source }}"
|
||||
dest: "{{ item.destination }}"
|
||||
owner: "{{ barbican_system_user_name }}"
|
||||
group: "{{ barbican_system_group_name }}"
|
||||
mode: "0644"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items:
|
||||
- source: "barbican.conf.j2"
|
||||
destination: "{{ barbican_etc_directory }}/barbican.conf"
|
||||
config_overrides: "{{ barbican_config_overrides }}"
|
||||
config_type: "ini"
|
||||
- source: "policy.json.j2"
|
||||
destination: "{{ barbican_etc_directory }}/policy.json"
|
||||
config_overrides: "{{ barbican_policy_overrides }}"
|
||||
config_type: "json"
|
||||
- source: "barbican-api-paste.ini.j2"
|
||||
destination: "{{ barbican_etc_directory }}/barbican-api-paste.ini"
|
||||
config_overrides: "{{ barbican_paste_overrides }}"
|
||||
config_type: "ini"
|
||||
- source: "api_audit_map.conf.j2"
|
||||
destination: "{{ barbican_etc_directory }}/api_audit_map.conf"
|
||||
config_overrides: "{{ barbican_api_audit_map_overrides }}"
|
||||
config_type: "ini"
|
||||
- source: "barbican-vassals-api.ini.j2"
|
||||
destination: "{{ barbican_etc_directory }}/vassals/barbican-api.ini"
|
||||
config_overrides: "{{ barbican_vassals_api_overrides }}"
|
||||
config_type: "ini"
|
||||
tags:
|
||||
- barbican-config-files
|
||||
- barbican-configuration
|
||||
- barbican-post-install
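Review bot: `barbican_paste_overrides`, `barbican_api_audit_map_overrides` and `barbican_vassals_api_overrides` are referenced in the `with_items` list, but defaults/main.yml only defines `barbican_config_overrides` and `barbican_policy_overrides`, so the task fails on an undefined variable unless a deployer sets all three; add `barbican_paste_overrides: {}`, `barbican_api_audit_map_overrides: {}` and `barbican_vassals_api_overrides: {}` to the defaults. Every file is written with `mode: "0644"`; barbican.conf presumably carries the Galera, RabbitMQ and Keystone credentials (the template is not in this page), so `"0640"` with the barbican group is the safer setting for that entry. The `vassals/` subdirectory under `barbican_etc_directory` is never created — pre-install only makes `/etc/barbican` and the home directory — so add it there unless `config_template` creates parent directories.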
|
|
@ -0,0 +1,79 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create the Barbican system group
|
||||
group:
|
||||
name: "{{ barbican_system_group_name }}"
|
||||
state: "present"
|
||||
system: "yes"
|
||||
tags:
|
||||
- barbican-group
|
||||
- barbican-system-settings
|
||||
|
||||
- name: Create the Barbican system user
|
||||
user:
|
||||
name: "{{ barbican_system_user_name }}"
|
||||
group: "{{ barbican_system_group_name }}"
|
||||
comment: "{{ barbican_system_user_comment }}"
|
||||
shell: "{{ barbican_system_user_shell }}"
|
||||
system: "yes"
|
||||
createhome: "yes"
|
||||
home: "{{ barbican_system_user_home }}"
|
||||
tags:
|
||||
- barbican-user
|
||||
- barbican-system-settings
|
||||
|
||||
- name: Create Barbican's directories
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: "directory"
|
||||
owner: "{{ item.owner |default(barbican_system_user_name) }}"
|
||||
group: "{{ item.group |default(barbican_system_group_name) }}"
|
||||
mode: "{{ item.mode |default('0750') }}"
|
||||
with_items:
|
||||
- path: "/etc/barbican"
|
||||
- path: "{{ barbican_system_user_home }}"
|
||||
tags:
|
||||
- barbican-directories
|
||||
- barbican-system-settings
|
||||
|
||||
- name: Test for Barbican log directory or link
|
||||
shell: |
|
||||
if [ -h "{{ barbican_log_directory }}" ]; then
|
||||
chown -h {{ barbican_system_user_name }}:{{ barbican_system_group_name }} {{ barbican_log_directory }}
|
||||
chown -R {{ barbican_system_user_name }}:{{ barbican_system_group_name }} "$(readlink {{ barbican_log_directory }})"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
register: log_dir
|
||||
failed_when: false
|
||||
changed_when: log_dir.rc != 0
|
||||
tags:
|
||||
- barbican-directories
|
||||
- barbican-logs
|
||||
- barbican-system-settings
|
||||
|
||||
- name: Create Barbican log directory
|
||||
file:
|
||||
path: "{{ barbican_log_directory }}"
|
||||
state: "directory"
|
||||
owner: "{{ barbican_system_user_name }}"
|
||||
group: "{{ barbican_system_group_name }}"
|
||||
mode: "0750"
|
||||
when: log_dir.rc != 0
|
||||
tags:
|
||||
- barbican-directories
|
||||
- barbican-logs
|
||||
- barbican-system-settings
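Review bot: The directory task hard-codes `path: "/etc/barbican"` while defaults/main.yml defines `barbican_etc_directory` and post-install writes under that variable, so overriding `barbican_etc_directory` leaves the real config directory uncreated; use `- path: "{{ barbican_etc_directory }}"`. The log-directory probe exits 1 whenever the path is not a symlink, including the normal case where it is an existing plain directory, so `changed_when: log_dir.rc != 0` reports a change on every run there; an `elif [ -d "{{ barbican_log_directory }}" ]` branch that exits 0 would keep the task idempotent.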
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
# Copyright 2015, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include: create-ssl-key.yml
|
||||
when: >
|
||||
inventory_hostname == groups['barbican_all'][0]
|
||||
|
||||
- include: store-ssl-key.yml
|
||||
when: >
|
||||
inventory_hostname == groups['barbican_all'][0]
|
||||
|
||||
- include: distribute-ssl-key.yml
|
||||
when: >
|
||||
inventory_hostname != groups['barbican_all'][0]
|
|
@ -0,0 +1,96 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Ensure the service for Barbican exists
|
||||
keystone:
|
||||
command: "ensure_service"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
service_name: "{{ barbican_service_name }}"
|
||||
service_type: "{{ barbican_service_type }}"
|
||||
description: "{{ barbican_service_description }}"
|
||||
register: add_barbican_service
|
||||
until: add_barbican_service |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
tags:
|
||||
- barbican-api-setup
|
||||
- barbican-service-add
|
||||
- barbican-setup
|
||||
|
||||
- name: Ensure the Barbican user exists
|
||||
keystone:
|
||||
command: "ensure_user"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
user_name: "{{ barbican_service_user_name }}"
|
||||
tenant_name: "{{ barbican_service_project_name }}"
|
||||
password: "{{ barbican_service_password |default('changeme') }}"
|
||||
register: add_barbican_user
|
||||
until: add_barbican_user |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
tags:
|
||||
- barbican-api-setup
|
||||
- barbican-service-add
|
||||
- barbican-user-add
|
||||
- barbican-setup
|
||||
|
||||
- name: Ensure the Barbican user has the admin role
|
||||
keystone:
|
||||
command: "ensure_user_role"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
user_name: "{{ barbican_service_user_name }}"
|
||||
tenant_name: "{{ barbican_service_project_name }}"
|
||||
role_name: "{{ item }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: ensure_barbican_roles
|
||||
until: ensure_barbican_roles |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: barbican_service_role_names
|
||||
tags:
|
||||
- barbican-api-setup
|
||||
- barbican-role-setup
|
||||
- barbican-setup
|
||||
|
||||
- name: Ensure the Barbican endpoint is registered
|
||||
keystone:
|
||||
command: "ensure_endpoint"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
region_name: "{{ barbican_service_region }}"
|
||||
service_name: "{{ barbican_service_name }}"
|
||||
service_type: "{{ barbican_service_type }}"
|
||||
endpoint_list:
|
||||
- url: "{{ barbican_service_publicurl }}"
|
||||
interface: "public"
|
||||
- url: "{{ barbican_service_internalurl }}"
|
||||
interface: "internal"
|
||||
- url: "{{ barbican_service_adminurl }}"
|
||||
interface: "admin"
|
||||
register: add_barbican_endpoints
|
||||
until: add_barbican_endpoints |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
tags:
|
||||
- barbican-api-setup
|
||||
- barbican-service-add
|
||||
- barbican-endpoints-add
|
||||
- barbican-setup
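Review bot: `password: "{{ barbican_service_password |default('changeme') }}"` silently registers the Keystone service account with a well-known password whenever the deployer forgot to set the variable; drop the `default` so the play fails on an undefined `barbican_service_password` instead. `with_items: barbican_service_role_names` is a bare variable; write `with_items: "{{ barbican_service_role_names }}"`. The `ensure_user_role` task is the only one of the four that does not pass `service_type` or `description`, which is fine, but its `insecure:` line sits after `role_name` unlike the others; aligning the argument order makes the four tasks easier to diff.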
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2015, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include: self-signed-ssl.yml
|
||||
when: >
|
||||
barbican_ssl | bool and
|
||||
(barbican_user_ssl_cert is not defined or barbican_user_ssl_key is not defined)
|
||||
tags:
|
||||
- barbican-ssl
|
||||
|
||||
- include: user-provided-ssl.yml
|
||||
tags:
|
||||
- barbican-ssl
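Review bot: The `user-provided-ssl.yml` include has no `when:` guard, whereas the self-signed include is gated on `barbican_ssl | bool`; if that file does not test `barbican_ssl` itself (its section is cut off at the end of this page), user certificates are copied onto hosts even when SSL is disabled. Mirror the guard with `when: barbican_ssl | bool`. The self-signed condition also ignores `barbican_user_ssl_ca_cert`, so a deployer who supplies only a CA certificate still gets a self-signed pair; a comment stating that only the cert/key pair selects the user-provided path would avoid surprises.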
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# Copyright 2015, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Store self signed cert and key
|
||||
memcached:
|
||||
name: "{{ item.name }}"
|
||||
file_path: "{{ item.src }}"
|
||||
state: "present"
|
||||
server: "{{ memcached_servers }}"
|
||||
encrypt_string: "{{ memcached_encryption_key }}"
|
||||
with_items:
|
||||
- { src: "{{ barbican_ssl_cert }}", name: "barbican_ssl_cert" }
|
||||
- { src: "{{ barbican_ssl_key }}", name: "barbican_ssl_key" }
|
||||
register: barbican_memcache_keys
|
||||
until: barbican_memcache_keys |success
|
||||
retries: 5
|
||||
delay: 2
|
||||
tags:
|
||||
- barbican-ssl
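Review bot: The private key stored under `barbican_ssl_key` in memcached is never removed after the other hosts retrieve it in distribute-ssl-key, so the encrypted copy stays in the shared cache until eviction. If the `memcached` module supports `state: "absent"` (its interface is not on this page), a cleanup task after the distribute step, gated on `inventory_hostname == groups['barbican_all'][0]`, would bound that exposure. `encrypt_string` is the only protection for the key while it sits in memcached, which is worth a comment above the task so nobody later drops it as redundant.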
|
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Template the init script
|
||||
template:
|
||||
src: "upstart-init.j2"
|
||||
dest: "/etc/init/{{ program_name }}.conf"
|
||||
mode: "0644"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
tags:
|
||||
- upstart-init
|
||||
- barbican-upstart
|
||||
- barbican-init
|
||||
|
||||
- name: Reload init scripts
|
||||
shell: |
|
||||
initctl reload-configuration
|
||||
tags:
|
||||
- upstart-init
|
||||
- barbican-upstart
|
||||
- barbican-init
|
||||
|
||||
- name: Load service
|
||||
service:
|
||||
name: "{{ program_name }}"
|
||||
enabled: "yes"
|
||||
tags:
|
||||
- upstart-init
|
||||
- barbican-upstart
|
||||
- barbican-init
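Review bot: `Reload init scripts` runs `initctl reload-configuration` unconditionally and without `changed_when`, so every play reports the task as changed and reloads upstart even when the template was not touched. Register the template task with `register: upstart_init_template` and run the reload with `when: upstart_init_template | changed`, or at least set `changed_when: false`. `enabled: "yes"` on the `service` task is a quoted string; `enabled: true` is the canonical boolean.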
|
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include: upstart-common-init.yml
|
||||
vars:
|
||||
program_name: "{{ barbican_api_program_name }}"
|
||||
service_name: "{{ barbican_service_name }}"
|
||||
system_user: "{{ barbican_system_user_name }}"
|
||||
system_group: "{{ barbican_system_group_name }}"
|
||||
service_home: "{{ barbican_system_user_home }}"
|
||||
log_directory: "{{ barbican_log_directory }}"
|
||||
|
||||
- include: upstart-common-init.yml
|
||||
vars:
|
||||
program_name: "{{ barbican_keystone_listener_program_name }}"
|
||||
service_name: "{{ barbican_service_name }}"
|
||||
system_user: "{{ barbican_system_user_name }}"
|
||||
system_group: "{{ barbican_system_group_name }}"
|
||||
service_home: "{{ barbican_system_user_home }}"
|
||||
log_directory: "{{ barbican_log_directory }}"
|
|
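Review bot: The first include creates an upstart job for `barbican_api_program_name`, but the Apache vhost template in this same commit already serves the API via mod_wsgi on `barbican_service_port`; if the upstart job launches `barbican-api` on that port too, one of the two listeners fails to bind and which one wins becomes start-order dependent. Consider keeping only the non-HTTP daemons (the keystone listener, and presumably worker/retry processes if the role manages them — only two includes are present here) under upstart when Apache is the front end. If the API include is kept deliberately, a comment explaining how it coexists with the vhost would help the next reader.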
@ -0,0 +1,53 @@
|
|||
---
|
||||
# Copyright 2015, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Drop user provided ssl cert
|
||||
copy:
|
||||
src: "{{ barbican_user_ssl_cert }}"
|
||||
dest: "{{ barbican_ssl_cert }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
when: barbican_user_ssl_cert is defined
|
||||
notify: Restart Apache
|
||||
tags:
|
||||
- barbican-configs
|
||||
- barbican-ssl
|
||||
|
||||
- name: Drop user provided ssl key
|
||||
copy:
|
||||
src: "{{ barbican_user_ssl_key }}"
|
||||
dest: "{{ barbican_ssl_key }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0640"
|
||||
when: barbican_user_ssl_key is defined
|
||||
notify: Restart Apache
|
||||
tags:
|
||||
- barbican-configs
|
||||
- barbican-ssl
|
||||
|
||||
- name: Drop user provided ssl CA cert
|
||||
copy:
|
||||
src: "{{ barbican_user_ssl_ca_cert }}"
|
||||
dest: "{{ barbican_ssl_ca_cert }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
when: barbican_user_ssl_ca_cert is defined
|
||||
notify: Restart Apache
|
||||
tags:
|
||||
- barbican-configs
|
||||
- barbican-ssl
|
|
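Review bot: `Drop user provided ssl key` copies a private key without `no_log`, so a run with `--diff` or `-vvv` prints the key material to the console and into any CI log that captures it; add `no_log: true` to that task (the cert and CA tasks can stay loggable). The `0640` root:root mode is appropriate for Apache, which reads the key before dropping privileges, but the barbican system user cannot read it — acceptable only as long as TLS is terminated solely in Apache, which is worth stating in a comment. The `Restart Apache` handler is not in this commit's visible hunks; confirm it exists, otherwise the play errors when the notify fires.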
@ -0,0 +1,89 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
<VirtualHost *:{{ barbican_service_port }}>
|
||||
WSGIDaemonProcess barbican-service user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP}
|
||||
WSGIProcessGroup barbican-service
|
||||
WSGIScriptAlias / /var/www/cgi-bin/barbican/main
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
|
||||
LogLevel {{ barbican_apache_log_level }}
|
||||
ErrorLog {{ barbican_log_directory }}/barbican-apache-error.log
|
||||
CustomLog {{ barbican_log_directory }}/ssl_access.log combined
|
||||
Options +FollowSymLinks
|
||||
|
||||
{% if barbican_ssl | bool and barbican_service_internaluri_proto == "https" -%}
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ barbican_ssl_cert }}
|
||||
SSLCertificateKeyFile {{ barbican_ssl_key }}
|
||||
{% if barbican_user_ssl_ca_cert is defined -%}
|
||||
SSLCACertificateFile {{ barbican_ssl_ca_cert }}
|
||||
{% endif -%}
|
||||
SSLCompression Off
|
||||
SSLProtocol {{ barbican_ssl_protocol }}
|
||||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite {{ barbican_ssl_cipher_suite }}
|
||||
SSLOptions +StdEnvVars +ExportCertData
|
||||
{% endif %}
|
||||
|
||||
{% if barbican_sp is defined -%}
|
||||
ShibURLScheme {{ barbican_service_publicuri_proto }}
|
||||
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
|
||||
<Location /v3/auth/OS-FEDERATION/websso/saml2>
|
||||
AuthType shibboleth
|
||||
ShibRequestSetting requireSession 1
|
||||
ShibRequestSetting exportAssertion 1
|
||||
ShibRequireSession On
|
||||
ShibExportAssertion On
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/barbican/main/$1
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:{{ barbican_admin_port }}>
|
||||
WSGIDaemonProcess barbican-admin user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP}
|
||||
WSGIProcessGroup barbican-admin
|
||||
WSGIScriptAlias / /var/www/cgi-bin/barbican/admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
|
||||
LogLevel {{ barbican_apache_log_level }}
|
||||
ErrorLog {{ barbican_log_directory }}/barbican-apache-error.log
|
||||
CustomLog {{ barbican_log_directory }}/ssl_access.log combined
|
||||
Options +FollowSymLinks
|
||||
|
||||
{% if barbican_ssl | bool and barbican_service_adminuri_proto == "https" -%}
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ barbican_ssl_cert }}
|
||||
SSLCertificateKeyFile {{ barbican_ssl_key }}
|
||||
{% if barbican_user_ssl_ca_cert is defined -%}
|
||||
SSLCACertificateFile {{ barbican_ssl_ca_cert }}
|
||||
{% endif -%}
|
||||
SSLCompression Off
|
||||
SSLProtocol {{ barbican_ssl_protocol }}
|
||||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite {{ barbican_ssl_cipher_suite }}
|
||||
SSLOptions +StdEnvVars +ExportCertData
|
||||
{% endif %}
|
||||
</VirtualHost>
|
|
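Review bot: `SSLCACertificateFile {{ barbican_ssl_ca_cert }}` in both vhosts configures the CA used to verify client certificates; it does not send the user-provided CA/intermediate to connecting clients, so a server cert issued by a private CA fails chain validation at the client unless the chain is already in the cert file — a common reason operators then disable verification. For chain delivery use `SSLCertificateChainFile {{ barbican_ssl_ca_cert }}` (or concatenate the chain into `barbican_ssl_cert` on Apache ≥ 2.4.8). The `barbican_sp` block and the second vhost's `/var/www/cgi-bin/barbican/admin` alias look carried over from a Keystone template — `/v3/auth/OS-FEDERATION/...` and `/Shibboleth.sso` are Keystone routes and Barbican has no separate admin WSGI application — so they should presumably be dropped rather than shipped. Also verify that `barbican_service_internaluri_proto`, `barbican_service_publicuri_proto` and `barbican_service_adminuri_proto` match the variable names in the role defaults; a mismatch makes the template fail to render.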
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
Listen {{ keystone_service_port }}
|
||||
Listen {{ keystone_admin_port }}
|
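Review bot: `Listen {{ keystone_service_port }}` and `Listen {{ keystone_admin_port }}` reference Keystone variables in a Barbican role; the vhost template in this commit binds `barbican_service_port` and `barbican_admin_port`, so Apache would listen on the wrong ports (or fail to render if the keystone variables are undefined in this play) and the barbican vhosts would never receive traffic. Change them to `Listen {{ barbican_service_port }}` and `Listen {{ barbican_admin_port }}`.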