From 1bcdf3932d3094fd0a300d4fc36f652c077af375 Mon Sep 17 00:00:00 2001
From: Paul Bourke
Date: Tue, 5 Dec 2017 14:35:08 +0000
Subject: [PATCH] Add config necessary to use Barbican with Murano

Murano offers optional Barbican integration for apps using sensitive data [0] This patch adds the necessary config pieces to allow these apps to work out of the box.
[0] https://docs.openstack.org/murano/latest/admin/appdev-guide/encrypting_properties.html
Change-Id: Ia78f53b12619deb518111a1c02c00d73bf5acdb1
---
 ansible/group_vars/all.yml | 1 +
 ansible/roles/horizon/templates/local_settings.j2 | 11 +++++++++++
 ansible/roles/murano/defaults/main.yml | 2 --
 ansible/roles/murano/templates/murano.conf.j2 | 9 +++++++++
 4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 0562ad3678..adefb3813a 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -477,6 +477,7 @@ ironic_keystone_user: "ironic" neutron_keystone_user: "neutron" nova_keystone_user: "nova" placement_keystone_user: "placement" +murano_keystone_user: "murano" # Nova fake driver and the number of fake driver per compute node enable_nova_fake: "no"
diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2
index 75ff669cd7..a8ff82cceb 100644
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
@@ -830,3 +830,14 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # before loading any data into the admin views, set the following attribute to
 # True
 #ADMIN_FILTER_DATA_FIRST=False
+
+{% if enable_murano | bool and enable_barbican | bool %}
+KEY_MANAGER = {
+ 'auth_url': '{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3',
+ 'username': '{{ murano_keystone_user }}',
+ 'user_domain_name': '{{ default_project_domain_name }}',
+ 'password': '{{ murano_keystone_password }}',
+ 'project_name': 'service',
+ 'project_domain_name': '{{ default_project_domain_name }}'
+}
+{% endif %}
diff --git a/ansible/roles/murano/defaults/main.yml b/ansible/roles/murano/defaults/main.yml
index c7cba5c083..ebc00060f3 100644
--- a/ansible/roles/murano/defaults/main.yml
+++ b/ansible/roles/murano/defaults/main.yml
@@ -33,8 +33,6 @@ murano_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ mu murano_logging_debug: "{{ openstack_logging_debug }}" -murano_keystone_user: "murano" - openstack_murano_auth: "{{ openstack_auth }}"
diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2
index 8b5435a979..4068211ba4 100644
--- a/ansible/roles/murano/templates/murano.conf.j2
+++ b/ansible/roles/murano/templates/murano.conf.j2
@@ -48,4 +48,13 @@ port = {{ outward_rabbitmq_port }}
 login = {{ murano_agent_rabbitmq_user }}
 password = {{ murano_agent_rabbitmq_password }}
 virtual_host = {{ murano_agent_rabbitmq_vhost }}
+
+{% if enable_barbican | bool %}
+[key_manager]
+auth_type = keystone_password
+auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
+username = {{ murano_keystone_user }}
+password = {{ murano_keystone_password }}
+user_domain_name = {{ default_project_domain_name }}
+{% endif %}
 {% endif %}
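Review bot: In `local_settings.j2` the new `KEY_MANAGER` block writes `murano_keystone_password` into Horizon's settings, so the dashboard container now holds a Keystone credential for the `service` project in addition to the copy in `murano.conf`; that deserves a comment above the block, e.g. `# Murano service credentials for Barbican access; keep this file readable by the Horizon user only`, and a check that the rendered file's mode matches it. The value is also interpolated raw inside a single-quoted Python literal, so a password containing `'` or `\` would break or alter the settings module unless the password policy excludes those characters. Separately, `'user_domain_name'` is filled from `default_project_domain_name`, which only works while the user and project domains coincide; the same substitution appears in the `[key_manager]` section of the `murano.conf.j2` hunk.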
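Review bot: The `[key_manager]` section added to `murano.conf.j2` sets no project scope, while the Horizon `KEY_MANAGER` block in the same patch sets both `project_name` and `project_domain_name`; with only user credentials the token Murano requests is presumably unscoped, which Barbican would be expected to reject. Adding `project_name = service` and `project_domain_name = {{ default_project_domain_name }}` before the inner `{% endif %}` would make the two configurations agree. The block is also nested inside an outer `{% if %}` that opens outside this hunk (the trailing context `{% endif %}` closes it), so it is worth confirming that every Murano service needing Barbican access actually renders this section.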