diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
index 37c47bbd58..c09cac06ab 100644
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -16,12 +16,14 @@ barbican_services:
 external: false
 port: "{{ barbican_api_port }}"
 listen_port: "{{ barbican_api_listen_port }}"
+ tls_backend: "{{ barbican_enable_tls_backend }}"
 barbican_api_external:
 enabled: "{{ enable_barbican }}"
 mode: "http"
 external: true
 port: "{{ barbican_api_port }}"
 listen_port: "{{ barbican_api_listen_port }}"
+ tls_backend: "{{ barbican_enable_tls_backend }}"
 barbican-keystone-listener:
 container_name: barbican_keystone_listener
 group: barbican-keystone-listener
@@ -142,3 +144,8 @@ barbican_ks_roles:
 - "{{ barbican_creator_role }}"
 - "{{ barbican_observer_role }}"
 - "{{ barbican_audit_role }}"
+
+ ####################
+ # TLS
+ ####################
+ barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index 51eb889da7..5fbf03172d 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -49,7 +49,7 @@
 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
 - name: Copying over config.json files for services
 template:
diff --git a/ansible/roles/barbican/templates/barbican-api.ini.j2 b/ansible/roles/barbican/templates/barbican-api.ini.j2
index 302cf98d58..706d9e8d29 100644
--- a/ansible/roles/barbican/templates/barbican-api.ini.j2
+++ b/ansible/roles/barbican/templates/barbican-api.ini.j2
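Review bot: The widened `when` on the copy-certs.yml include in the config.yml hunk now runs that task file whenever `barbican_enable_tls_backend` is true, even with `kolla_copy_ca_into_containers` set to false. copy-certs.yml itself is not in this diff; if it copies the CA bundle without its own condition, that step would need a `when: kolla_copy_ca_into_containers | bool` guard so that enabling backend TLS does not also change which trust roots land in the container. If it already gates the CA copy separately, a one-line comment on the include, e.g. `# copy-certs.yml also stages the backend TLS cert/key`, would explain the widened condition to the next reader. The enclosing task list continues outside the hunk.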
@@ -1,6 +1,9 @@
 [uwsgi]
-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-protocol = http
+{% if barbican_enable_tls_backend | bool %}
+https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
+{% else %}
+http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
+{% endif %}
 processes = {{ openstack_service_workers }}
 lazy = true
 vacuum = true
diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
index 79a3ac263b..e28191aae1 100644
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -19,7 +19,19 @@
 "owner": "barbican",
 "perm": "0600",
 "optional": true
- }{% if barbican_policy_file is defined %},
+ }{% if barbican_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/barbican-cert.pem",
+ "dest": "/etc/barbican/certs/barbican-cert.pem",
+ "owner": "barbican",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/barbican-key.pem",
+ "dest": "/etc/barbican/certs/barbican-key.pem",
+ "owner": "barbican",
+ "perm": "0600"
+ }{% endif %}{% if barbican_policy_file is defined %},
 {
 "source": "{{ container_config_directory }}/{{ barbican_policy_file }}",
 "dest": "/etc/barbican/{{ barbican_policy_file }}",
diff --git a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
index bfe710a8b1..72bb288017 100644
--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
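Review bot: The new `https-socket` line in barbican-api.ini.j2 sets no cipher list or minimum TLS version, so what HAProxy negotiates with this uWSGI listener is whatever the image's uwsgi build and its OpenSSL default to. If I recall the option's syntax correctly, an optional cipher string may follow the key path as a further comma-separated field; whether to pin one, or to add a comment such as `# TLS ciphers and protocol versions are left to uwsgi/OpenSSL defaults` stating that the defaults are deliberate, is worth deciding in this change rather than later. This also assumes the barbican image's uwsgi is built with SSL support, which the diff cannot show. The key path does match the entry installed with owner barbican and perm 0600 by the barbican-api.json.j2 hunk in this same commit, so the on-disk permission side is consistent.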
@@ -2,7 +2,7 @@
 features:
 - |
 Added configuration options to enable backend TLS encryption from HAProxy
- to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
- When used in conjunction with enabling TLS for service API endpoints,
- network communcation will be encrypted end to end, from client through
- HAProxy to the backend service.
+ to the Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder
+ services. When used in conjunction with enabling TLS for service API
+ endpoints, network communcation will be encrypted end to end, from client
+ through HAProxy to the backend service.