Clean up barbican.conf

Drop out default or misconfigured variables from barbican.conf to make config file readable. This should not affect existing deployments since plugin config has to be overriden anyway. Depends-On: https://review.opendev.org/759082 Change-Id: I2a0756b851c9e862b2312b47d37b723386d6915c
2020-10-21 18:52:13 +03:00 · 2020-10-21 18:52:13 +03:00 · 76b72c0975
parent 8283b92b68
commit 76b72c0975
2 changed files with 3 additions and 327 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -137,6 +137,7 @@ barbican_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/ga
 barbican_galera_port: 3306

 ## Oslo Messaging
+barbican_ceilometer_enabled: False

 # RPC
 barbican_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
--- a/templates/barbican.conf.j2
+++ b/templates/barbican.conf.j2
@ -6,130 +6,21 @@ use_journal = True
 use_stderr = False
 # Show debugging output in logs (sets DEBUG log level output)
 debug = {{ debug }}
-use_json = {{ debug }}
-# Address to bind the API server
-bind_host = 0.0.0.0
-
-# Port to bind the API server to
-bind_port = 9311

 # Host name, for use in HATEOAS-style references
 #  Note: Typically this would be the load balanced endpoint that clients would use
 #  communicate back with this service.
 host_href = {{ barbican_service_publicurl }}

-# Backlog requests when creating socket
-backlog = 4096
-
-# TCP_KEEPIDLE value in seconds when creating socket.
-# Not supported on OS X.
-#tcp_keepidle = 600
-
-# Maximum allowed http request size against the barbican-api
-max_allowed_secret_in_bytes = 10000
-max_allowed_request_size_in_bytes = 1000000
-
-# SQLAlchemy connection string for the reference implementation
-# registry server. Any valid SQLAlchemy connection string is fine.
-# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
-# Uncomment this for local dev, putting db in project directory:
-#sql_connection = sqlite:///barbican.sqlite
-# Note: For absolute addresses, use '////' slashes after 'sqlite:'
-# Uncomment for a more global development environment
 sql_connection = mysql+pymysql://{{ barbican_galera_user }}:{{ barbican_galera_password }}@{{ barbican_galera_address }}/{{ barbican_galera_database }}?charset=utf8{% if barbican_galera_use_ssl | bool %}&ssl_ca={{ barbican_galera_ssl_ca_cert }}{% endif %}

-# Period in seconds after which SQLAlchemy should reestablish its connection
-# to the database.
-#
-# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
-# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
-# notice this, you can lower this value to ensure that SQLAlchemy reconnects
-# before MySQL can drop the connection.
-sql_idle_timeout = 3600
-
-# Accepts a class imported from the sqlalchemy.pool module, and handles the
-# details of building the pool for you. If commented out, SQLAlchemy
-# will select based on the database dialect. Other options are QueuePool
-# (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy
-# management of connections).
-# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
-#sql_pool_class = QueuePool
-
-# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
-# output) if specified.
-#sql_pool_logging = True
-
-# Size of pool used by SQLAlchemy. This is the largest number of connections
-# that will be kept persistently in the pool. Can be set to 0 to indicate no
-# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
-# Comment out to allow SQLAlchemy to select the default.
-#sql_pool_size = 5
-
-# The maximum overflow size of the pool used by SQLAlchemy. When the number of
-# checked-out connections reaches the size set in sql_pool_size, additional
-# connections will be returned up to this limit. It follows then that the
-# total number of simultaneous connections the pool will allow is
-# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
-# overflow limit, so no limit will be placed on the total number of concurrent
-# connections. Comment out to allow SQLAlchemy to select the default.
-#sql_pool_max_overflow = 10
-
-# Default page size for the 'limit' paging URL parameter.
-default_limit_paging = 10
-
-# Maximum page size for the 'limit' paging URL parameter.
-max_limit_paging = 100
-
-# Role used to identify an authenticated user as administrator
-#admin_role = admin
-
-# Allow unauthenticated users to access the API with read-only
-# privileges. This only applies when using ContextMiddleware.
-#allow_anonymous_access = False
-
-# Allow access to version 1 of barbican api
-#enable_v1_api = True
-
-# Allow access to version 2 of barbican api
-#enable_v2_api = True
-
-# ================= SSL Options ===============================
-
-# Certificate file to use when starting API server securely
-#cert_file = /path/to/certfile
-
-# Private key file to use when starting API server securely
-#key_file = /path/to/keyfile
-
-# CA certificate file to use to verify connecting clients
-#ca_file = /path/to/cafile
-
-# ================= Security Options ==========================
-
-# AES key for encrypting store 'location' metadata, including
-# -- if used -- Swift or S3 credentials
-# Should be set to a random string of length 16, 24 or 32 bytes
-#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
-
-# ================= Queue Options - oslo.messaging ==========================
-
 # Rabbit and HA configuration:
 ampq_durable_queues = True
 rabbit_ha_queues = True
-
-# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
-#   For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
-#   DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py
-# transport_url = rabbit://guest@localhost:5672/
 transport_url = {{ barbican_oslomsg_rpc_transport }}://{% for host in barbican_oslomsg_rpc_servers.split(',') %}{{ barbican_oslomsg_rpc_userid }}:{{ barbican_oslomsg_rpc_password }}@{{ host }}:{{ barbican_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ barbican_oslomsg_rpc_vhost }}{% if (barbican_oslomsg_rpc_use_ssl | lower) | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

-# oslo notification driver for sending audit events via audit middleware.
-# Meaningful only when middleware is enabled in barbican paste ini file.
-# This is oslo config MultiStrOpt so can be defined multiple times in case
-# there is need to route audit event to messaging as well as log.
-# notification_driver = messagingv2
-# notification_driver = log
 [oslo_messaging_notifications]
+driver = {{ (barbican_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
 transport_url = {{ barbican_oslomsg_notify_transport }}://{% for host in barbican_oslomsg_notify_servers.split(',') %}{{ barbican_oslomsg_notify_userid }}:{{ barbican_oslomsg_notify_password }}@{{ host }}:{{ barbican_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ barbican_oslomsg_notify_vhost }}{% if (barbican_oslomsg_notify_use_ssl | lower) | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

 [oslo_messaging_rabbit]
@ -158,180 +49,23 @@ memcache_secret_key = {{ memcached_encryption_key }}

 {% endif %}

-# ======== OpenStack policy - oslo_policy ===============
-
-[oslo_policy]
-
-# ======== OpenStack policy integration
-# JSON file representing policy (string value)
-policy_file=/etc/barbican/policy.json
-
-# Rule checked when requested rule is not found (string value)
-policy_default_rule=default
-
-
-# ================= Queue Options - Application ==========================
-
-[queue]
-# Enable queuing asynchronous messaging.
-#   Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
-enable = False
-
-# Namespace for the queue
-namespace = 'barbican'
-
-# Topic for the queue
-topic = 'barbican.workers'
-
-# Version for the task API
-version = '1.1'
-
-# Server name for RPC service
-server_name = 'barbican.queue'
-
-# Number of asynchronous worker processes.
-# When greater than 1, then that many additional worker processes are
-# created for asynchronous worker functionality.
-asynchronous_workers = 1
-
-# ================= Retry/Scheduler Options ==========================
-
-[retry_scheduler]
-# Seconds (float) to wait between starting retry scheduler
-initial_delay_seconds = 10.0
-
-# Seconds (float) to wait between starting retry scheduler
-periodic_interval_max_seconds = 10.0
-
-
-# ====================== Quota Options ===============================
-
-[quotas]
-# For each resource, the default maximum number that can be used for
-# a project is set below.  This value can be overridden for each
-# project through the API.  A negative value means no limit.  A zero
-# value effectively disables the resource.
-
-# default number of secrets allowed per project
-quota_secrets = -1
-
-# default number of orders allowed per project
-quota_orders = -1
-
-# default number of containers allowed per project
-quota_containers = -1
-
-# default number of consumers allowed per project
-quota_consumers = -1
-
-# default number of CAs allowed per project
-quota_cas = -1
-
-# ================= Keystone Notification Options - Application ===============
-
-[keystone_notifications]
-
-# Keystone notification functionality uses transport related configuration
-# from barbican common configuration as defined under
-# 'Queue Options - oslo.messaging' comments.
-# The HA related configuration is also shared with notification server.
-
-# True enables keystone notification listener functionality.
-enable = False
-
-# The default exchange under which topics are scoped.
-# May be overridden by an exchange name specified in the transport_url option.
-control_exchange = 'openstack'
-
-# Keystone notification queue topic name.
-# This name needs to match one of values mentioned in Keystone deployment's
-# 'notification_topics' configuration e.g.
-#      notification_topics=notifications, barbican_notifications
-# Multiple servers may listen on a topic and messages will be dispatched to one
-# of the servers in a round-robin fashion. That's why Barbican service should
-# have its own dedicated notification queue so that it receives all of Keystone
-# notifications.
-topic = 'notifications'
-
-# True enables requeue feature in case of notification processing error.
-# Enable this only when underlying transport supports this feature.
-allow_requeue = False
-
-# Version of tasks invoked via notifications
-version = '1.0'
-
-# Define the number of max threads to be used for notification server
-# processing functionality.
-thread_pool_size = 10
-
 # ================= Secret Store Plugin ===================
 [secretstore]
-namespace = barbican.secretstore.plugin
 enabled_secretstore_plugins = store_crypto

 # ================= Crypto plugin ===================
 [crypto]
-namespace = barbican.crypto.plugin
 enabled_crypto_plugins = simple_crypto

 [simple_crypto_plugin]
 # the kek should be a 32-byte value which is base64 encoded
-kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
+kek = '{{ barbican_simple_crypto_key | b64encode }}'

-[dogtag_plugin]
-pem_path = '/etc/barbican/kra_admin_cert.pem'
-dogtag_host = localhost
-dogtag_port = 8443
-nss_db_path = '/etc/barbican/alias'
-nss_db_path_ca = '/etc/barbican/alias-ca'
-nss_password = 'password123'
-simple_cmc_profile = 'caOtherCert'
-ca_expiration_time = 1
-plugin_working_dir = '/etc/barbican/dogtag'
-
-
-[p11_crypto_plugin]
-# Path to vendor PKCS11 library
-library_path = '/usr/lib/libCryptoki2_64.so'
-# Password to login to PKCS11 session
-login = 'mypassword'
-# Label to identify master KEK in the HSM (must not be the same as HMAC label)
-mkek_label = 'an_mkek'
-# Length in bytes of master KEK
-mkek_length = 32
-# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
-hmac_label = 'my_hmac_label'
-# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
-# slot_id = 1
-# Enable Read/Write session with the HSM?
-# rw_session = True
-# Length of Project KEKs to create
-# pkek_length = 32
-# How long to cache unwrapped Project KEKs
-# pkek_cache_ttl = 900
-# Max number of items in pkek cache
-# pkek_cache_limit = 100
-
-
-# ================== KMIP plugin =====================
-[kmip_plugin]
-username = 'admin'
-password = 'password'
-host = localhost
-port = 5696
-keyfile = '/path/to/certs/cert.key'
-certfile = '/path/to/certs/cert.crt'
-ca_certs = '/path/to/certs/LocalCA.crt'
-
-
-# ================= Certificate plugin ===================
 [certificate]
-namespace = barbican.certificate.plugin
 enabled_certificate_plugins = simple_certificate
 enabled_certificate_plugins = snakeoil_ca

 [certificate_event]
-namespace = barbican.certificate.event.plugin
 enabled_certificate_event_plugins = simple_certificate

 [snakeoil_ca_plugin]
@ -340,62 +74,3 @@ ca_cert_key_path = /etc/barbican/snakeoil-ca.key
 ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
 ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
 subca_cert_key_directory=/etc/barbican/snakeoil-cas
-
-[cors]
-
-#
-# From oslo.middleware.cors
-#
-
-# Indicate whether this resource may be shared with the domain
-# received in the requests "origin" header. (list value)
-#allowed_origin = <None>
-
-# Indicate that the actual request can include user credentials
-# (boolean value)
-#allow_credentials = true
-
-# Indicate which headers are safe to expose to the API. Defaults to
-# HTTP Simple Headers. (list value)
-#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
-
-# Maximum cache age of CORS preflight requests. (integer value)
-#max_age = 3600
-
-# Indicate which methods can be used during the actual request. (list
-# value)
-#allow_methods = GET,POST,PUT,DELETE,OPTIONS
-
-# Indicate which header field names may be used during the actual
-# request. (list value)
-#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
-
-
-[cors.subdomain]
-
-#
-# From oslo.middleware.cors
-#
-
-# Indicate whether this resource may be shared with the domain
-# received in the requests "origin" header. (list value)
-#allowed_origin = <None>
-
-# Indicate that the actual request can include user credentials
-# (boolean value)
-#allow_credentials = true
-
-# Indicate which headers are safe to expose to the API. Defaults to
-# HTTP Simple Headers. (list value)
-#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
-
-# Maximum cache age of CORS preflight requests. (integer value)
-#max_age = 3600
-
-# Indicate which methods can be used during the actual request. (list
-# value)
-#allow_methods = GET,POST,PUT,DELETE,OPTIONS
-
-# Indicate which header field names may be used during the actual
-# request. (list value)
-#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma