From e0537385d05ec122696c38c63fd75fb6e7d16213 Mon Sep 17 00:00:00 2001
From: zhubingbing <1392607554@qq.com>
Date: Mon, 8 Aug 2016 16:48:11 +0000
Subject: [PATCH] Add Barbican ansible role

Partially-Implements: blueprint barbican-ansible

Change-Id: Id6be35b1d0527d5c38d4ea8576b233ebcc404718
---
 ansible/group_vars/all.yml                    |  3 +
 ansible/inventory/all-in-one                  | 13 ++++
 ansible/inventory/multinode                   | 13 ++++
 ansible/roles/barbican/defaults/main.yml      | 40 ++++++++++
 ansible/roles/barbican/meta/main.yml          |  3 +
 ansible/roles/barbican/tasks/bootstrap.yml    | 41 ++++++++++
 .../barbican/tasks/bootstrap_service.yml      | 21 ++++++
 ansible/roles/barbican/tasks/config.yml       | 37 ++++++++++
 ansible/roles/barbican/tasks/deploy.yml       | 16 ++++
 .../roles/barbican/tasks/do_reconfigure.yml   | 74 +++++++++++++++++++
 ansible/roles/barbican/tasks/main.yml         |  2 +
 ansible/roles/barbican/tasks/pull.yml         | 21 ++++++
 ansible/roles/barbican/tasks/reconfigure.yml  |  6 ++
 ansible/roles/barbican/tasks/register.yml     | 40 ++++++++++
 ansible/roles/barbican/tasks/start.yml        | 34 +++++++++
 .../barbican/templates/barbican-api.json.j2   | 11 +++
 .../barbican-keystone-listener.json.j2        | 11 +++
 .../templates/barbican-worker.json.j2         | 11 +++
 .../roles/barbican/templates/barbican.conf.j2 | 55 ++++++++++++++
 ansible/roles/common/tasks/config.yml         |  2 +
 .../templates/cron-logrotate-barbican.conf.j2 |  3 +
 ansible/roles/common/templates/cron.json.j2   |  2 +-
 .../common/templates/heka-barbican.toml.j2    | 13 ++++
 .../roles/haproxy/templates/haproxy.cfg.j2    | 16 ++++
 ansible/roles/prechecks/tasks/port_checks.yml | 16 ++++
 ansible/site.yml                              |  9 +++
 etc/kolla/globals.yml                         |  1 +
 etc/kolla/passwords.yml                       |  3 +
 .../notes/add-barbican-8f0636668001de73.yaml  |  4 +
 29 files changed, 520 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/barbican/defaults/main.yml
 create mode 100644 ansible/roles/barbican/meta/main.yml
 create mode 100644 ansible/roles/barbican/tasks/bootstrap.yml
 create mode 100644 ansible/roles/barbican/tasks/bootstrap_service.yml
 create mode 100644 ansible/roles/barbican/tasks/config.yml
 create mode 100644 ansible/roles/barbican/tasks/deploy.yml
 create mode 100644 ansible/roles/barbican/tasks/do_reconfigure.yml
 create mode 100644 ansible/roles/barbican/tasks/main.yml
 create mode 100644 ansible/roles/barbican/tasks/pull.yml
 create mode 100644 ansible/roles/barbican/tasks/reconfigure.yml
 create mode 100644 ansible/roles/barbican/tasks/register.yml
 create mode 100644 ansible/roles/barbican/tasks/start.yml
 create mode 100644 ansible/roles/barbican/templates/barbican-api.json.j2
 create mode 100644 ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
 create mode 100644 ansible/roles/barbican/templates/barbican-worker.json.j2
 create mode 100644 ansible/roles/barbican/templates/barbican.conf.j2
 create mode 100644 ansible/roles/common/templates/cron-logrotate-barbican.conf.j2
 create mode 100644 ansible/roles/common/templates/heka-barbican.toml.j2
 create mode 100644 releasenotes/notes/add-barbican-8f0636668001de73.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 3250293a7e..bf89f1dd9b 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -116,6 +116,8 @@ neutron_plugin_agent: "openvswitch"
 # The default ports used by each service.
 aodh_api_port: "8042"
 
+barbican_api_port: "9311"
+
 ceilometer_api_port: "8777"
 
 congress_api_port: "1789"
@@ -229,6 +231,7 @@ enable_rabbitmq: "yes"
 
 # Additional optional OpenStack services are specified here
 enable_aodh: "no"
+enable_barbican: "no"
 enable_ceilometer: "no"
 enable_central_logging: "no"
 enable_ceph: "no"
diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one
index 0995c6a815..4154ef7d4d 100644
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@@ -60,6 +60,9 @@ control
 [swift:children]
 control
 
+[barbican:children]
+control
+
 [heat:children]
 control
 
@@ -215,6 +218,16 @@ storage
 [swift-object-server:children]
 storage
 
+# Barbican
+[barbican-api:children]
+barbican
+
+[barbican-keystone-listener:children]
+barbican
+
+[barbican-worker:children]
+barbican
+
 # Heat
 [heat-api:children]
 heat
diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode
index dd6a519f2e..b45b157516 100644
--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@@ -77,6 +77,9 @@ control
 [swift:children]
 control
 
+[barbican:children]
+control
+
 [heat:children]
 control
 
@@ -232,6 +235,16 @@ storage
 [swift-object-server:children]
 storage
 
+# Barbican
+[barbican-api:children]
+barbican
+
+[barbican-keystone-listener:children]
+barbican
+
+[barbican-worker:children]
+barbican
+
 # Heat
 [heat-api:children]
 heat
diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
new file mode 100644
index 0000000000..7fb8d628f9
--- /dev/null
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -0,0 +1,40 @@
+---
+project_name: "barbican"
+
+
+####################
+# Database
+####################
+barbican_database_name: "barbican"
+barbican_database_user: "barbican"
+barbican_database_address: "{{ kolla_internal_fqdn }}:{{ database_port }}"
+
+
+####################
+# Docker
+####################
+barbican_api_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-api"
+barbican_api_tag: "{{ openstack_release }}"
+barbican_api_image_full: "{{ barbican_api_image }}:{{ barbican_api_tag }}"
+
+barbican_keystone_listener_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-keystone-listener"
+barbican_keystone_listener_tag: "{{ openstack_release }}"
+barbican_keystone_listener_image_full: "{{ barbican_keystone_listener_image }}:{{ barbican_keystone_listener_tag }}"
+
+barbican_worker_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ kolla_install_type }}-barbican-worker"
+barbican_worker_tag: "{{ openstack_release }}"
+barbican_worker_image_full: "{{ barbican_worker_image }}:{{ barbican_worker_tag }}"
+
+
+####################
+# OpenStack
+####################
+barbican_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}"
+barbican_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}"
+barbican_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}"
+
+barbican_logging_debug: "{{ openstack_logging_debug }}"
+
+barbican_keystone_user: "barbican"
+
+openstack_barbican_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}','domain_name':'default'}"
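Review bot: The `openstack_barbican_auth` value is a hand-assembled dict literal whose fields are interpolated without escaping, so a password or project name containing a single quote or a brace produces an unparseable argument when register.yml passes it via `-e`. Building it from the existing mapping, e.g. `openstack_barbican_auth: "{{ openstack_auth | to_json }}"`, keeps the quoting correct for any character set; the consumer in register.yml already only needs the serialized form. The same pattern appears in the sibling roles, so aligning them may belong in a follow-up change.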
diff --git a/ansible/roles/barbican/meta/main.yml b/ansible/roles/barbican/meta/main.yml
new file mode 100644
index 0000000000..6b4fff8fef
--- /dev/null
+++ b/ansible/roles/barbican/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }
diff --git a/ansible/roles/barbican/tasks/bootstrap.yml b/ansible/roles/barbican/tasks/bootstrap.yml
new file mode 100644
index 0000000000..b37ae86428
--- /dev/null
+++ b/ansible/roles/barbican/tasks/bootstrap.yml
@@ -0,0 +1,41 @@
+---
+- name: Creating barbican database
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m mysql_db
+    -a "login_host='{{ database_address }}'
+        login_port='{{ database_port }}'
+        login_user='{{ database_user }}'
+        login_password='{{ database_password }}'
+        name='{{ barbican_database_name }}'"
+  register: database
+  changed_when: "{{ database.stdout.find('localhost | SUCCESS => ') != -1 and
+                    (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  failed_when: database.stdout.split()[2] != 'SUCCESS'
+  run_once: True
+  delegate_to: "{{ groups['barbican-api'][0] }}"
+
+- name: Reading json from variable
+  set_fact:
+    database_created: "{{ (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+
+- name: Creating barbican database user and setting permissions
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m mysql_user
+    -a "login_host='{{ database_address }}'
+        login_port='{{ database_port }}'
+        login_user='{{ database_user }}'
+        login_password='{{ database_password }}'
+        name='{{ barbican_database_name }}'
+        password='{{ barbican_database_password }}'
+        host='%'
+        priv='{{ barbican_database_name }}.*:ALL'
+        append_privs='yes'"
+  register: database_user_create
+  changed_when: "{{ database_user_create.stdout.find('localhost | SUCCESS => ') != -1 and
+                    (database_user_create.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  failed_when: database_user_create.stdout.split()[2] != 'SUCCESS'
+  run_once: True
+  delegate_to: "{{ groups['barbican-api'][0] }}"
+
+- include: bootstrap_service.yml
+  when: database_created
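Review bot: Both `command` tasks place `login_password` and `barbican_database_password` in the argument string, so the secrets are visible in the process list of the deploy host and are echoed in Ansible's task output and registered `stdout` on failure; add `no_log: true` to each task (register.yml has the same issue with `barbican_keystone_password` and the admin credentials in `-e`). Separately, `failed_when: database.stdout.split()[2] != 'SUCCESS'` raises a templating error rather than a clean failure when `docker exec` produces fewer than three tokens; `failed_when: "'SUCCESS' not in database.stdout"` reports the same condition without the index dependency.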
diff --git a/ansible/roles/barbican/tasks/bootstrap_service.yml b/ansible/roles/barbican/tasks/bootstrap_service.yml
new file mode 100644
index 0000000000..fc575a0ac1
--- /dev/null
+++ b/ansible/roles/barbican/tasks/bootstrap_service.yml
@@ -0,0 +1,21 @@
+---
+- name: Running barbican bootstrap container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    detach: False
+    environment:
+      KOLLA_BOOTSTRAP:
+      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+    image: "{{ barbican_api_image_full }}"
+    labels:
+      BOOTSTRAP:
+    name: "bootstrap_barbican"
+    restart_policy: "never"
+    volumes:
+      - "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro"
+      - "barbican:/var/lib/barbican/"
+      - "/etc/localtime:/etc/localtime:ro"
+      - "kolla_logs:/var/log/kolla/"
+  run_once: True
+  delegate_to: "{{ groups['barbican-api'][0] }}"
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
new file mode 100644
index 0000000000..9bbceb42b1
--- /dev/null
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -0,0 +1,37 @@
+---
+- name: Ensuring config directories exist
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    state: "directory"
+    recurse: yes
+  with_items:
+    - "barbican-api"
+    - "barbican-keystone-listener"
+    - "barbican-worker"
+
+- name: Copying over config.json files for services
+  template:
+    src: "{{ item }}.json.j2"
+    dest: "{{ node_config_directory }}/{{ item }}/config.json"
+  with_items:
+    - "barbican-api"
+    - "barbican-worker"
+    - "barbican-keystone-listener"
+
+- name: Copying over barbican.conf
+  merge_configs:
+    vars:
+      service_name: "{{ item }}"
+    sources:
+      - "{{ role_path }}/templates/barbican.conf.j2"
+      - "{{ node_custom_config }}/global.conf"
+      - "{{ node_custom_config }}/database.conf"
+      - "{{ node_custom_config }}/messaging.conf"
+      - "{{ node_custom_config }}/barbican.conf"
+      - "{{ node_custom_config }}/barbican/{{ item }}.conf"
+      - "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf"
+    dest: "{{ node_config_directory }}/{{ item }}/barbican.conf"
+  with_items:
+    - "barbican-api"
+    - "barbican-keystone-listener"
+    - "barbican-worker"
diff --git a/ansible/roles/barbican/tasks/deploy.yml b/ansible/roles/barbican/tasks/deploy.yml
new file mode 100644
index 0000000000..4b9f3ebcc3
--- /dev/null
+++ b/ansible/roles/barbican/tasks/deploy.yml
@@ -0,0 +1,16 @@
+---
+- include: register.yml
+  when: inventory_hostname in groups['barbican-api']
+
+- include: config.yml
+  when: inventory_hostname in groups['barbican-api'] or
+        inventory_hostname in groups['barbican-worker'] or
+        inventory_hostname in groups['barbican-keystone-listener']
+
+- include: bootstrap.yml
+  when: inventory_hostname in groups['barbican-api']
+
+- include: start.yml
+  when: inventory_hostname in groups['barbican-api'] or
+        inventory_hostname in groups['barbican-worker'] or
+        inventory_hostname in groups['barbican-keystone-listener']
diff --git a/ansible/roles/barbican/tasks/do_reconfigure.yml b/ansible/roles/barbican/tasks/do_reconfigure.yml
new file mode 100644
index 0000000000..84f378665f
--- /dev/null
+++ b/ansible/roles/barbican/tasks/do_reconfigure.yml
@@ -0,0 +1,74 @@
+---
+- name: Ensuring the containers up
+  kolla_docker:
+    name: "{{ item.name }}"
+    action: "get_container_state"
+  register: container_state
+  failed_when: container_state.Running == false
+  when: inventory_hostname in groups[item.group]
+  with_items:
+    - { name: barbican_api, group: barbican-api }
+    - { name: barbican_keystone_listener, group: barbican-keystone-listener }
+    - { name: barbican_worker, group: barbican-worker }
+
+- include: config.yml
+
+- name: Check the configs
+  command: docker exec {{ item.name }} /usr/local/bin/kolla_set_configs --check
+  changed_when: false
+  failed_when: false
+  register: check_results
+  when: inventory_hostname in groups[item.group]
+  with_items:
+    - { name: barbican_api, group: barbican-api }
+    - { name: barbican_keystone_listener, group: barbican-keystone-listener }
+    - { name: barbican_worker, group: barbican-worker }
+
+# NOTE(jeffrey4l): when config_strategy == 'COPY_ALWAYS'
+# and container env['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE',
+# just remove the container and start again
+- name: Containers config strategy
+  kolla_docker:
+    name: "{{ item.name }}"
+    action: "get_container_env"
+  register: container_envs
+  when: inventory_hostname in groups[item.group]
+  with_items:
+    - { name: barbican_api, group: barbican-api }
+    - { name: barbican_keystone_listener, group: barbican-keystone-listener }
+    - { name: barbican_worker, group: barbican-worker }
+
+- name: Remove the containers
+  kolla_docker:
+    name: "{{ item[0]['name'] }}"
+    action: "remove_container"
+  register: remove_containers
+  when:
+    - inventory_hostname in groups[item[0]['group']]
+    - config_strategy == "COPY_ONCE" or item[1]['KOLLA_CONFIG_STRATEGY'] == 'COPY_ONCE'
+    - item[2]['rc'] == 1
+  with_together:
+    - [{ name: barbican_api, group: barbican-api },
+       { name: barbican_keystone_listener, group: barbican-keystone-listener },
+       { name: barbican_worker, group: barbican-worker }]
+    - "{{ container_envs.results }}"
+    - "{{ check_results.results }}"
+
+- include: start.yml
+  when: remove_containers.changed
+
+- name: Restart containers
+  kolla_docker:
+    name: "{{ item[0]['name'] }}"
+    action: "restart_container"
+  when:
+    - inventory_hostname in groups[item[0]['group']]
+    - config_strategy == 'COPY_ALWAYS'
+    - item[1]['KOLLA_CONFIG_STRATEGY'] != 'COPY_ONCE'
+    - item[2]['rc'] == 1
+  with_together:
+    - [{ name: barbican_api, group: barbican-api },
+       { name: barbican_keystone_listener, group: barbican-keystone-listener },
+       { name: barbican_worker, group: barbican-worker }]
+    - "{{ container_envs.results }}"
+    - "{{ check_results.results }}"
diff --git a/ansible/roles/barbican/tasks/main.yml b/ansible/roles/barbican/tasks/main.yml
new file mode 100644
index 0000000000..b017e8b4ad
--- /dev/null
+++ b/ansible/roles/barbican/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include: "{{ action }}.yml"
diff --git a/ansible/roles/barbican/tasks/pull.yml b/ansible/roles/barbican/tasks/pull.yml
new file mode 100644
index 0000000000..284f8970da
--- /dev/null
+++ b/ansible/roles/barbican/tasks/pull.yml
@@ -0,0 +1,21 @@
+---
+- name: Pulling barbican-api image
+  kolla_docker:
+    action: "pull_image"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ barbican_api_image_full }}"
+  when: inventory_hostname in groups['barbican-api']
+
+- name: Pulling barbican-keystone-listener image
+  kolla_docker:
+    action: "pull_image"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ barbican_keystone_listener_image_full }}"
+  when: inventory_hostname in groups['barbican-keystone-listener']
+
+- name: Pulling barbican-worker image
+  kolla_docker:
+    action: "pull_image"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ barbican_worker_image_full }}"
+  when: inventory_hostname in groups['barbican-worker']
diff --git a/ansible/roles/barbican/tasks/reconfigure.yml b/ansible/roles/barbican/tasks/reconfigure.yml
new file mode 100644
index 0000000000..a54cac8bf2
--- /dev/null
+++ b/ansible/roles/barbican/tasks/reconfigure.yml
@@ -0,0 +1,6 @@
+---
+- include: do_reconfigure.yml
+  serial: "30%"
+  when: inventory_hostname in groups['barbican-api']
+        or inventory_hostname in groups['barbican-keystone-listener']
+        or inventory_hostname in groups['barbican-worker']
diff --git a/ansible/roles/barbican/tasks/register.yml b/ansible/roles/barbican/tasks/register.yml
new file mode 100644
index 0000000000..5bc6719c94
--- /dev/null
+++ b/ansible/roles/barbican/tasks/register.yml
@@ -0,0 +1,40 @@
+---
+- name: Creating the barbican service and endpoint
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m kolla_keystone_service
+    -a "service_name=barbican
+        service_type=key-manager
+        description='Barbican Key Management Service'
+        endpoint_region={{ openstack_region_name }}
+        url='{{ item.url }}'
+        interface='{{ item.interface }}'
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_barbican_auth }}' }}"
+    -e "{'openstack_barbican_auth':{{ openstack_barbican_auth }}}"
+  register: barbican_endpoint
+  changed_when: "{{ barbican_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (barbican_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: barbican_endpoint.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
+  with_items:
+    - {'interface': 'admin', 'url': '{{ barbican_admin_endpoint }}'}
+    - {'interface': 'internal', 'url': '{{ barbican_internal_endpoint }}'}
+    - {'interface': 'public', 'url': '{{ barbican_public_endpoint }}'}
+
+- name: Creating the barbican project, user, and role
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m kolla_keystone_user
+    -a "project=service
+        user=barbican
+        password={{ barbican_keystone_password }}
+        role=admin
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_barbican_auth }}' }}"
+    -e "{'openstack_barbican_auth':{{ openstack_barbican_auth }}}"
+  register: barbican_user
+  changed_when: "{{ barbican_user.stdout.find('localhost | SUCCESS => ') != -1 and (barbican_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: barbican_user.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
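Review bot: `until: barbican_user.stdout.split()[2] == 'SUCCESS'` (and the same on the endpoint task) fails with an index error instead of retrying when the command prints fewer than three tokens, which is exactly the transient case the `retries`/`delay` pair is meant to absorb; `until: "'SUCCESS' in barbican_user.stdout"` retries cleanly. The `changed_when` values are wrapped in `{{ }}` although Ansible already evaluates these fields as Jinja expressions; newer releases emit a warning for templating delimiters in conditionals, so the braces can be dropped. Both tasks also pass `barbican_keystone_password` and the admin auth dict on the command line, so `no_log: true` is warranted here as in bootstrap.yml.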
diff --git a/ansible/roles/barbican/tasks/start.yml b/ansible/roles/barbican/tasks/start.yml
new file mode 100644
index 0000000000..e1891f6560
--- /dev/null
+++ b/ansible/roles/barbican/tasks/start.yml
@@ -0,0 +1,34 @@
+---
+- name: Starting barbican-api container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ barbican_api_image_full }}"
+    name: "barbican_api"
+    volumes:
+      - "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro"
+      - "barbican:/var/lib/barbican/"
+      - "kolla_logs:/var/log/kolla/"
+  when: inventory_hostname in groups['barbican-api']
+
+- name: Starting barbican-keystone-listener container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ barbican_keystone_listener_image_full }}"
+    name: "barbican_keystone_listener"
+    volumes:
+      - "{{ node_config_directory }}/barbican-keystone-listener/:{{ container_config_directory }}/:ro"
+      - "kolla_logs:/var/log/kolla/"
+  when: inventory_hostname in groups['barbican-keystone-listener']
+
+- name: Starting barbican-worker container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    image: "{{ barbican_worker_image_full }}"
+    name: "barbican_worker"
+    volumes:
+      - "{{ node_config_directory }}/barbican-worker/:{{ container_config_directory }}/:ro"
+      - "kolla_logs:/var/log/kolla/"
+  when: inventory_hostname in groups['barbican-worker']
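Review bot: None of the three `start_container` tasks mounts `/etc/localtime:/etc/localtime:ro`, while bootstrap_service.yml in this same change does, so the bootstrap container and the long-running services will disagree on local time in logs and token timestamps. Add `- "/etc/localtime:/etc/localtime:ro"` to each `volumes` list to match the bootstrap task and the other kolla roles.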
diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
new file mode 100644
index 0000000000..8eb678dd67
--- /dev/null
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -0,0 +1,11 @@
+{
+    "command": "uwsgi --master --emperor /etc/barbican/vassals --logto /var/log/kolla/barbican/barbican-api.log",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/barbican.conf",
+            "dest": "/etc/barbican/barbican.conf",
+            "owner": "root",
+            "perm": "0600"
+        }
+    ]
+}
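Review bot: `"owner": "root"` combined with `"perm": "0600"` makes `/etc/barbican/barbican.conf` unreadable to any non-root service account; if the barbican-api image runs uwsgi as a dedicated `barbican` user, as the other kolla service images do for their daemons, the API will fail on startup when reading its config. Setting `"owner": "barbican"` keeps the 0600 mode (the file holds database and keystone passwords) while letting the service read it; barbican-keystone-listener.json.j2 and barbican-worker.json.j2 carry the same setting and need the same check.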
diff --git a/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2 b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
new file mode 100644
index 0000000000..f9f986b500
--- /dev/null
+++ b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
@@ -0,0 +1,11 @@
+{
+    "command": "barbican-keystone-listener",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/barbican.conf",
+            "dest": "/etc/barbican/barbican.conf",
+            "owner": "root",
+            "perm": "0600"
+        }
+    ]
+}
diff --git a/ansible/roles/barbican/templates/barbican-worker.json.j2 b/ansible/roles/barbican/templates/barbican-worker.json.j2
new file mode 100644
index 0000000000..26c660e7c6
--- /dev/null
+++ b/ansible/roles/barbican/templates/barbican-worker.json.j2
@@ -0,0 +1,11 @@
+{
+    "command": "barbican-worker",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/barbican.conf",
+            "dest": "/etc/barbican/barbican.conf",
+            "owner": "root",
+            "perm": "0600"
+        }
+    ]
+}
diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2
new file mode 100644
index 0000000000..17e3080c13
--- /dev/null
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -0,0 +1,55 @@
+[DEFAULT]
+debug = {{ barbican_logging_debug }}
+log_dir = /var/log/kolla/barbican
+
+
+bind_port = {{ barbican_api_port }}
+bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
+host_href = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ barbican_api_port }}
+backlog = 4096
+max_allowed_secret_in_bytes = 10000
+max_allowed_request_size_in_bytes = 1000000
+
+sql_connection = mysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}
+
+transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+[keystone_notifications]
+enable = True
+
+control_exchange = 'openstack'
+topic = 'notifications'
+allow_requeue = False
+
+version = '1.0'
+
+thread_pool_size = 10
+
+
+[keystone_authtoken]
+auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+project_domain_id = default
+project_name = service
+user_domain_id = default
+username = {{ barbican_keystone_user }}
+password = {{ barbican_keystone_password }}
+auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
+auth_type = password
+
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+{% if orchestration_engine == 'KUBERNETES' %}
+memcache_servers = {{ memcached_servers }}
+{% else %}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+[service_credentials]
+auth_url = {{ internal_protocol  }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+region_name = {{ openstack_region_name }}
+password = {{ barbican_keystone_password }}
+username = {{ barbican_keystone_user }}
+project_name = service
+project_domain_id = default
+user_domain_id = default
+auth_type = password
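Review bot: The `[keystone_authtoken]` section writes `memcache_servers` in the Kubernetes branch but `memcached_servers` in the `else` branch; keystonemiddleware reads `memcached_servers`, so the first spelling is silently ignored and token validation falls back to uncached requests on that path. Change line `memcache_servers = {{ memcached_servers }}` to `memcached_servers = {{ memcached_servers }}`. `sql_connection` uses the bare `mysql://` scheme; if the image ships PyMySQL rather than MySQL-python, as the other kolla service configs assume, `mysql+pymysql://` is the driver that will actually be present.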
diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml
index cf31a54ac7..7b225b92d0 100644
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
@@ -26,6 +26,7 @@
   when: item.enabled | bool
   with_items:
     - { name: "aodh", enabled: "{{ enable_aodh }}" }
+    - { name: "barbican", enabled: "{{ enable_barbican }}"}
     - { name: "elasticsearch", enabled: "{{ enable_central_logging }}" }
     - { name: "global", enabled: "yes" }
     - { name: "gnocchi", enabled: "{{ enable_gnocchi }}" }
@@ -69,6 +70,7 @@
   with_items:
     - "ansible"
     - "aodh"
+    - "barbican"
     - "cinder"
     - "glance"
     - "global"
diff --git a/ansible/roles/common/templates/cron-logrotate-barbican.conf.j2 b/ansible/roles/common/templates/cron-logrotate-barbican.conf.j2
new file mode 100644
index 0000000000..eaa5f0f494
--- /dev/null
+++ b/ansible/roles/common/templates/cron-logrotate-barbican.conf.j2
@@ -0,0 +1,3 @@
+"/var/log/kolla/barbican/*.log"
+{
+}
diff --git a/ansible/roles/common/templates/cron.json.j2 b/ansible/roles/common/templates/cron.json.j2
index 2bc594f039..65855b2be5 100644
--- a/ansible/roles/common/templates/cron.json.j2
+++ b/ansible/roles/common/templates/cron.json.j2
@@ -1,5 +1,5 @@
 {% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
-{% set services = ["ansible", "aodh", "cinder", "glance", "gnocchi", "haproxy", "heat", "keepalived", "keystone", "magnum", "manila", "mariadb", "mistral", "murano", "neutron", "nova", "rabbitmq", "swift"] %}
+{% set services = ["ansible", "aodh", "barbican", "cinder", "glance", "gnocchi", "haproxy", "heat", "keepalived", "keystone", "magnum", "manila", "mariadb", "mistral", "murano", "neutron", "nova", "rabbitmq", "swift"] %}
 {
     "command": "{{ cron_cmd }}",
     "config_files": [
diff --git a/ansible/roles/common/templates/heka-barbican.toml.j2 b/ansible/roles/common/templates/heka-barbican.toml.j2
new file mode 100644
index 0000000000..9ec0e8c6b6
--- /dev/null
+++ b/ansible/roles/common/templates/heka-barbican.toml.j2
@@ -0,0 +1,13 @@
+[barbican_apache_log_decoder]
+type = "SandboxDecoder"
+filename = "lua_decoders/os_barbican_apache_log.lua"
+    [barbican_apache_log_decoder.config]
+    apache_log_pattern = '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'
+
+[barbican_apache_logstreamer_input]
+type = "LogstreamerInput"
+decoder = "barbican_apache_log_decoder"
+log_directory = "/var/log/kolla"
+file_match = 'barbican/barbican-apache-(?P<Service>.+)-access\.log\.?(?P<Seq>\d*)$'
+priority = ["^Seq"]
+differentiator = ["barbican-apache-", "Service"]
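Review bot: The `file_match` pattern `barbican/barbican-apache-(?P<Service>.+)-access\.log\.?(?P<Seq>\d*)$` only matches Apache access logs, but barbican-api.json.j2 in this change runs uwsgi with `--logto /var/log/kolla/barbican/barbican-api.log` and no Apache front end, so this input will never pick up a file and no barbican API logs reach Heka. Either point the input at the uwsgi log name the container actually writes, or use the generic openstack log decoder that the other non-Apache services in this repository rely on; confirm against the barbican-api image's log layout before choosing.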
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index c58680490a..f075a9236f 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -453,6 +453,22 @@ listen elasticsearch
 {% endfor %}
 {% endif %}
 
+{% if enable_barbican | bool %}
+listen barbican_api
+  bind {{ kolla_internal_vip_address }}:{{ barbican_api_port }}
+{% for host in groups['barbican-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen barbican_api_external
+  bind {{ kolla_external_vip_address }}:{{ barbican_api_port }} {{ tls_bind_info }}
+{% for host in groups['barbican-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
+{% endif %}
+
 {% if enable_ceilometer | bool %}
 listen ceilometer_api
   bind {{ kolla_internal_vip_address }}:{{ ceilometer_api_port }}
diff --git a/ansible/roles/prechecks/tasks/port_checks.yml b/ansible/roles/prechecks/tasks/port_checks.yml
index 482bc41b19..044756cc11 100644
--- a/ansible/roles/prechecks/tasks/port_checks.yml
+++ b/ansible/roles/prechecks/tasks/port_checks.yml
@@ -1,4 +1,20 @@
 ---
+- name: Checking free port for Barbican API
+  wait_for:
+    host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"
+    port: "{{ barbican_api_port }}"
+    connect_timeout: 1
+    state: stopped
+  when: inventory_hostname in groups['barbican-api']
+
+- name: Checking free port for Barbican API HAProxy
+  wait_for:
+    host: "{{ kolla_internal_vip_address }}"
+    port: "{{ barbican_api_port }}"
+    connect_timeout: 1
+    state: stopped
+  when: inventory_hostname in groups['haproxy']
+
 - name: Checking free port for Cinder API
   wait_for:
     host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"
diff --git a/ansible/site.yml b/ansible/site.yml
index 5fdf170094..bbded87fdf 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -250,6 +250,15 @@
         tags: aodh,
         when: enable_aodh | bool }
 
+- hosts:
+    - barbican-api
+    - barbican-keystone-listener
+    - barbican-worker
+  roles:
+    - { role: barbican,
+        tags: barbican,
+        when: enable_barbican | bool }
+
 - hosts:
     - congress-api
     - congress-policy-engine
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 0edeb65c3a..76730765d6 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -121,6 +121,7 @@ kolla_internal_vip_address: "10.10.10.254"
 #fernet_token_expiry: 86400
 
 # OpenStack services can be enabled or disabled with these options
+#enable_barbican: "no"
 #enable_ceilometer: "no"
 #enable_central_logging: "no"
 #enable_ceph: "no"
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 09ae97226d..e570a9d906 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -24,6 +24,9 @@ docker_registry_password:
 aodh_database_password:
 aodh_keystone_password:
 
+barbican_database_password:
+barbican_keystone_password:
+
 keystone_admin_password:
 keystone_database_password:
 
diff --git a/releasenotes/notes/add-barbican-8f0636668001de73.yaml b/releasenotes/notes/add-barbican-8f0636668001de73.yaml
new file mode 100644
index 0000000000..51dc01e34d
--- /dev/null
+++ b/releasenotes/notes/add-barbican-8f0636668001de73.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - To produce a secret storage and generation system capable of providing key
+    management for services wishing to enable encryption features.