46 Commits

Author SHA1 Message Date
Matt Crees
09df6fc1aa Add a flag to handle RabbitMQ high availability
A combination of durable queues and classic queue mirroring can be used
to provide high availability of RabbitMQ. However, these options should
only be used together, otherwise the system will become unstable. Using
the flag ``om_enable_rabbitmq_high_availability`` will either enable
both options at once, or neither of them.

There are some queues that should not be mirrored:
* ``reply`` queues (these have a single consumer and TTL policy)
* ``fanout`` queues (these have a TTL policy)
* ``amq`` queues (these are auto-delete queues, with a single consumer)
An exclusionary pattern is used in the classic mirroring policy. This
pattern is ``^(?!(amq\\.)|(.*_fanout_)|(reply_)).*``

Change-Id: I51c8023b260eb40b2eaa91bd276b46890c215c25
2023-01-13 15:40:08 +00:00
Matt Crees
8b8b4a8217 Explicitly set the value of heartbeat_in_pthread
The ``[oslo_messaging_rabbit] heartbeat_in_pthread`` config option
is set to ``true`` for wsgi applications to allow the RabbitMQ
heartbeats to function. For non-wsgi applications it is set to ``false``
as it may otherwise break the service [1].

[1] https://docs.openstack.org/releasenotes/oslo.messaging/zed.html#upgrade-notes

Change-Id: Id89bd6158aff42d59040674308a8672c358ccb3c
2023-01-05 09:18:13 +00:00
Michal Arbet
3e8db91a1e Add api_workers for each service to defaults
Render {{ openstack_service_workers }} for workers
of each openstack service is not enough. There are
several services which has to have more workers because
there are more requests sent to them.

This patch is just adding default value for workers for
each service and sets {{ openstack_service_workers }} as
default, so value can be overrided in hostvars per server.
Nothing changed for normal user.

Change-Id: Ifa5863f8ec865bbf8e39c9b2add42c92abe40616
2022-07-12 20:09:16 +02:00
Will Szumski
49006e56d9 Add keystone_authtoken.service_type
Fixes an issue where access rules failed to validate:

    Cannot validate request with restricted access rules. Set
    service_type in [keystone_authtoken] to allow access rule validation

I've used the values from the endpoint. This was mostly a straight
forward copy and paste, except:

- versioned endpoints e.g cinderv3 where I stripped the version
- monasca has multiple endpoints associated with a single service. For
  this, I concatenated logging and monitoring to be logging-monitoring.

Closes-Bug: #1965111
Change-Id: Ic4b3ab60abad8c3dd96cd4923a67f2a8f9d195d7
2022-06-09 22:49:38 +02:00
Radosław Piliszek
7ca9349b09 Do not use keystone_admin_url et al
Following up on [1].
The 3 variables are only introducing noise after we removed
the reliance on Keystone's admin port.

[1] I5099b08953789b280c915a6b7a22bdd4e3404076

Change-Id: I3f9dab93042799eda9174257e604fd1844684c1c
2022-05-28 18:19:01 +02:00
Pierre Riteau
57fb7fd0a5 Remove custom value for max_allowed_request_size_in_bytes
There is no explanation for why this option was bumped to 1 MB instead
of the upstream default. This has been the case since the original
barbican role commit in 2016.

Restore upstream default in Yoga.

Change-Id: Ib0245f44d2b049f7e2254d8d2ea4b2080a8d62dd
2022-01-18 22:04:31 +01:00
Pierre Riteau
20a3b14001 Remove custom value of max_allowed_secret_in_bytes
Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to
20 KB since the original value was too small for some certificates [1].
Remove custom value from the barbican.conf template, which anyway was
the same as the default configuration before the recent upstream change.

The upstream change was backported to Wallaby and has been proposed to
Victoria, Ussuri and Train [2], so this change should be backported too.

[1] https://review.opendev.org/c/openstack/barbican/+/783381
[2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90
Closes-Bug: #1957795
2022-01-18 16:22:03 +01:00
Michal Arbet
7da770d290 Add missing region_name in keystoneauth sections
Closes-Bug: #1933025

Change-Id: Ib67d715ddfa986a5b70a55fdda39e6d0e3333162
2021-06-22 08:35:35 +02:00
Doug Szumski
1ff4e58d70 Fix Barbican API log config
There are a few issues fixed here:

- The Barbican API service doesn't set a log file, so all the Barbican API
  service logs go to loadwsgi.py.log by default.
- The logs in loadwsgi.py.log are not ingested properly by Fluentd.
- uWSGI logs go to barbican-api.log. This would normally be used as the log
  file for the Barbican API service logs.

This patch makes the following changes to address the above issues:

- All uWSGI logs (from the Emperor and Vassals) go to barbican_api_uwsgi_access.log
  Although these logs aren't strictly all access logs, this follows the existing
  pattern for WSGI logs.
- The Barbican API service logs are written to barbican-api.log instead of
  loadwsgi.py.log. This follows the pattern used by other OpenStack services.
- Fluentd is configured to parse the Barbican API service logs as it would with
  other OpenStack Python services.

Change-Id: I6d03fa8c81c52b6f061514a836bbd15bb6639aaf
Closes-Bug: #1891343
2021-01-27 17:24:58 +00:00
Mark Goddard
761ea9a333 Support TLS encryption of RabbitMQ client-server traffic
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.

The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.

RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
The Zuul 'tls_enabled' variable is true.

Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
2020-09-17 12:05:44 +01:00
Rafael Weingärtner
f425c0678f Standardize use and construction of endpoint URLs
The goal for this push request is to normalize the construction and use
 of internal, external, and admin URLs. While extending Kolla-ansible
 to enable a more flexible method to manage external URLs, we noticed
 that the same URL was constructed multiple times in different parts
 of the code. This can make it difficult for people that want to work
 with these URLs and create inconsistencies in a large code base with
 time. Therefore, we are proposing here the use of
 "single Kolla-ansible variable" per endpoint URL, which facilitates
 for people that are interested in overriding/extending these URLs.

As an example, we extended Kolla-ansible to facilitate the "override"
of public (external) URLs with the following standard
"<component/serviceName>.<companyBaseUrl>".
Therefore, the "NAT/redirect" in the SSL termination system (HAproxy,
HTTPD or some other) is done via the service name, and not by the port.
This allows operators to easily and automatically create more friendly
 URL names. To develop this feature, we first applied this patch that
 we are sending now to the community. We did that to reduce the surface
  of changes in Kolla-ansible.

Another example is the integration of Kolla-ansible and Consul, which
we also implemented internally, and also requires URLs changes.
Therefore, this PR is essential to reduce code duplicity, and to
facility users/developers to work/customize the services URLs.

Change-Id: I73d483e01476e779a5155b2e18dd5ea25f514e93
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
2020-08-19 07:22:17 +00:00
wu.chunyang
051038621f make barbican notification driver configurable
barbican alway use default notification driver (defalt '')
so we should change this value according to whether enable
notification

Change-Id: Ia17a64fe9bf31042369dec19f1f76b1ab8592288
2020-07-02 22:48:31 +08:00
Mark Goddard
895c86a846 barbican: Use python3 plugin in uwsgi config
backport: ussuri, train

Without this the container returns an empty response.

Change-Id: Ic36845f3fc625c080c92904b58ace070dd24fbb2
Closes-Bug: #1881784
2020-06-04 12:20:32 +01:00
James Kirsch
2e08ffd6d3 Add support for encrypting Barbican API
This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network
2020-05-13 10:26:09 +00:00
Mark Goddard
0edad7138c Remove default(omit) from openstack_cacert in templates
The use of default(omit) is for module parameters, not templates. We
define a default value for openstack_cacert, so it should never be
undefined anyway.

Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
2020-04-03 14:49:11 +01:00
James Kirsch
c15dc20341 Configure services to use Certificate Authority
Include a reference to the globally configured Certificate Authority to
all services. Services use the CA to verify HTTPs connections.

Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc
Partially-Implements: blueprint support-trusted-ca-certificate-file
2020-01-13 11:00:11 -08:00
Radosław Piliszek
bc053c09c1 Implement IPv6 support in the control plane
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
2019-10-16 10:24:35 +02:00
Rafael Weingärtner
22a6223b1b Standardize the configuration of "oslo_messaging" section
After all of the discussions we had on
"https://review.opendev.org/#/c/670626/2", I studied all projects that
have an "oslo_messaging" section. Afterwards, I applied the same method
that is already used in "oslo_messaging" section in Nova, Cinder, and
others. This guarantees that we have a consistent method to
enable/disable notifications across projects based on components (e.g.
Ceilometer) being enabled or disabled. Here follows the list of
components, and the respective changes I did.

* Aodh:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Congress:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Cinder:
It was already properly configured.

* Octavia:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Heat:
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Ceilometer:
Ceilometer publishes some messages in the rabbitMQ. However, the
default driver is "messagingv2", and not ''(empty) as defined in Oslo;
these configurations are defined in ceilometer/publisher/messaging.py.
Therefore, we do not need to do anything for the
"oslo_messaging_notifications" section in Ceilometer

* Tacker:
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Neutron:
It was already properly configured.

* Nova
It was already properly configured. However, we found another issue
with its configuration. Kolla-ansible does not configure nova
notifications as it should. If 'searchlight' is not installed (enabled)
the 'notification_format' should be 'unversioned'. The default is
'both'; so nova will send a notification to the queue
versioned_notifications; but that queue has no consumer when
'searchlight' is disabled. In our case, the queue got 511k messages.
The huge amount of "stuck" messages made the Rabbitmq cluster
unstable.

https://bugzilla.redhat.com/show_bug.cgi?id=1478274
https://bugs.launchpad.net/ceilometer/+bug/1665449

* Nova_hyperv:
I added the same configurations as in Nova project.

* Vitrage
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Searchlight
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Ironic
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Glance
It was already properly configured.

* Trove
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Blazar
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Sahara
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Watcher
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Barbican
I created a mechanism similar to what we have in Cinder, Nova,
and others. I also added a configuration to 'keystone_notifications'
section. Barbican needs its own queue to capture events from Keystone.
Otherwise, it has an impact on Ceilometer and other systems that are
connected to the "notifications" default queue.

* Keystone
Keystone is the system that triggered this work with the discussions
that followed on https://review.opendev.org/#/c/670626/2. After a long
discussion, we agreed to apply the same approach that we have in Nova,
Cinder and other systems in Keystone. That is what we did. Moreover, we
introduce a new topic "barbican_notifications" when barbican is
enabled. We also removed the "variable" enable_cadf_notifications, as
it is obsolete, and the default in Keystone is CADF.

* Mistral:
It was hardcoded "noop" as the driver. However, that does not seem a
good practice. Instead, I applied the same standard of using the driver
and pushing to "notifications" queue if Ceilometer is enabled.

* Cyborg:
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Murano
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Senlin
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Manila
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Zun
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Designate
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Magnum
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

Closes-Bug: #1838985

Change-Id: I88bdb004814f37c81c9a9c4e5e491fac69f6f202
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
2019-08-15 13:18:16 -03:00
Pierre Riteau
abf10736c7 Remove unused [service_credentials] config sections
Several services inherited [service_credentials] config sections which
they don't use in their code.

Change-Id: Iccf4358e85fb3d7ed25bc1762ff532b2c32bea4a
2019-05-31 13:25:00 +01:00
Jim Rollenhagen
857871df00 Allow barbican services to use independent hostnames
This allows barbican service endpoints to use custom hostnames, and adds the
following variables:

* barbican_internal_fqdn
* barbican_external_fqdn

These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.

This also adds a barbican_api_listen_port option, which defaults to
barbican_api_port for backward compatibility.

This option allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: I1807a9c8b64d737d0e278bb3e925fecb4fadfb08
Implements: blueprint service-hostnames
2019-03-06 15:08:28 -05:00
Jim Rollenhagen
2e4e60503a Use keystone_*_url var in all configs
We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.

Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
2019-03-06 15:08:26 -05:00
Mark Goddard
8e635db8f1 Allow fluentd to read barbican-api.log
Barbican API uses uWSGI, which by default writes out log files using
0640 permissions and default ownership for the user. This means that the
log file in /var/log/kolla/barbican/barbican-api.log is not readable by
fluentd.

This was tested via the following command on a queens deployment:

$ docker exec -it fluentd bash
find /var/log/kolla/ -type f | while read f; do test -r $f || echo
"Cannot read $f"; done
Cannot read /var/log/kolla/barbican/barbican-api.log

Generally there are a few ways in which access is provided to log file
for fluentd:

1. Set log file ownership to $USER:kolla, permissions to 0640.
2. Set log file ownership to $USER:$USER, permissions to 0644.
3. MariaDB is a special case, and uses 0640 with the fluentd user added
to the mysql group.

Of these, 1. seems the most secure.

This change uses the --logfile-chmod argument to set the log file
permissions to 644, since it does not appear possible to specify a group
to change ownership to using --logfile-chown. We use command line
arguments since putting the option in the config file does not seem to
work. Perhaps it is an ordering issue.

Change-Id: If98ca7cd9630b5622132a00718cb09304b8285b3
Closes-Bug: #1794472
2018-09-26 10:43:08 +00:00
ZhongShengping
ae246945a6 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ifd8527d404f1df807ae8196eac2b3849911ddc26
Closes-Bug: #1761907
2018-08-07 11:58:23 +05:30
Kevin TIBI
a81a5d5d5d Fix SSL api for multiple services
If SSL is enabled, api of multiple services returns
wrong external URL without https prefix.

Removal of condition for deletion of http  header.

Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4
Closes-Bug: #1749155
Closes-Bug: #1717491
2018-04-18 17:20:27 +02:00
Dai Dang Van
6b99f21341 Support policy.yaml file [part 4]
- Barbican
- Ceilometer
- Cloudkitty
- Congress
- Designate

This will copy only yaml or json policy file if they exist.

Change-Id: Iaa19f64073d8bdee948bc2de58e095ca72afc092
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
2018-01-22 01:57:02 +00:00
Andrew Smith
fd1d3af0df Add support for hybrid messaging backends
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends

This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note

Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
2017-11-22 14:09:40 -05:00
Jeffrey Zhang
cacf08f0a6 Remove all kolla-kubernetes configurations
kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
2017-07-18 22:00:58 +08:00
Bertrand Lallau
372e991bec Standardize Keystone domain variables
As described here:
https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841
https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21

* default project domain name MUST be named 'Default'
* default project domain id MUST be named 'default'
* default project user name MUST be named 'Default'
* default project user id MUST be named 'default'

Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74
2017-07-06 14:34:11 +00:00
Jenkins
bfcda5716e Merge "Fix outdated barbican-api-paste.ini file" 2017-07-05 13:04:13 +00:00
Bertrand Lallau
08ab3d8e73 Fix outdated barbican-api-paste.ini file
Kolla-ansible actually bring it's own barbican-api-paste.ini file to
enable Keystone authentication, in order to fix this
https://bugs.launchpad.net/kolla/+bug/1625337

auth_token middleware is actually managed by Barbican.

Furthermore barbican-api-paste.ini brings by Kolla-ansible is outdated:
* http_proxy_to_wsgi middleware is missing

Hence this file should not be managed statically by kolla-ansible.
This patch keep custom paste file feature. Just put the file to
/etc/kolla/config/barbican/barbican-api.ini path.

Change-Id: Ia50237f7df7f89526a976575b017145c71b11ec0
Closes-bug: #1695026
2017-07-05 07:13:56 +02:00
Mark Goddard
2e4359069e Barbican simple_crypto plugin broken - invalid key
When using the simple_crypto plugin, barbican expects the
[simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
value. However, kolla-ansible is providing a standard autogenerated
password.

There are two relevant variables in kolla-ansible -
barbican_crypto_password (a standard password) and barbican_crypto_key
(a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
when it is generated. barbican_crypto_password is used to set the
[simple_crypto_plugin] kek config value but causes an error when the
simple_crypto plugin is used as the value is not in the expected format.
Using barbican_crypto_key instead resolves the error. Clearly there is a
naming issue here and we should be using barbican_crypto_key instead of
barbican_crypto_password.

This change removes the barbican_crypto_password variable and uses
barbican_crypto_key instead.

Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
Closes-Bug: #1699014
Related-Bug: #1683216
Co-Authored-By: Stig Telfer <stig@stackhpc.com>
2017-06-21 17:07:17 +01:00
Bertrand Lallau
afdd11b9a2 Generalize api_interface_address variable usage
Useful api_interface_address variable has been define here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57
In order to simplify codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455
2017-05-23 08:35:15 +00:00
zhubingbing
6d0e31f232
Fix can't find /usr/lib/libCryptoki2_64.so in barbican
Link https://docs.openstack.org/project-install-guide/key-manager/newton/barbican-backend.html#simple-crypto-plugin

Change-Id: I351738c2a98090c56ac69e477fbe5ddec4cc5b26
Closes-Bug: #1672001
2017-03-22 20:43:14 +08:00
Duong Ha-Quang
f45fe3243f Change Barbican default secret store to pkcs11
Change-Id: I758eedb8569ce5ddbfb44f7dc79d622891997e84
Closes-Bug: #1625340
2017-02-09 13:40:13 +07:00
Nenad Radojevic
5229c83a7f External_fqdn for host_href in barbican.conf
The barbican service should use the external fqdn as value for the
host_href parameter. Typically this is the endpoint that clients
would use to connect to barbican from outside.

Change-Id: I075acb6335354a61f935d57a7b84f0f92978c9bd
Closes-Bug: #1660282
2017-01-30 11:20:54 +01:00
Eduardo Gonzalez
775d8019b6 Add custom policies in service.json
Include custom policy.json files in service-api.json.j2 files

Change-Id: Ic55bfc6f61131aa72c3497ce8b2282056bcc7f92
Partially-Implements: blueprint custom-policies
2016-12-02 16:22:17 +00:00
Jenkins
7fcff0e1f2 Merge "Fix barbican upgrade permission issue" 2016-12-02 13:17:18 +00:00
zhubingbing
af3eaa5a23 Fix barbican upgrade permission issue
Change-Id: I08bfa65223fd42df218bfd9e81765d6f1a4e10c8
Closes-Bug: #1646008
2016-11-30 12:43:51 +00:00
portdirect
200dbafb1c Update Barbican to use correct mysql connection string
PyMySQL is prefered to PythonMySQL for Sqlalchemy, as it provides
python3 support and is actively maintained, and is therefore the
currently recommended lib for db connections.
 * https://wiki.openstack.org/wiki/PyMySQL_evaluation

Kolla currently uses PyMySQL for all connections bar Barbican
(which works fine with PyMySQL): once this commit is merged it will
be possible to remove the PythonMySQL libs, and mysql libs for kolla
images (except kolla-toolbox).

TrivialFix

Change-Id: Id256387134ca551a181c5e49c9b6d63f62b72523
2016-11-17 14:27:47 +00:00
Pete Birley
51e6c102d1 Barbican: Fix race condition when starting procs simultaneously
This fixes a race condition when starting barbican processes,
as by default they attempt to manage the db schema on startup.

TrivialFix

Change-Id: Ic168211880709a3279511ce519756e4cbdd57fe8
2016-11-03 14:24:02 +00:00
Jenkins
5661f72f98 Merge "Remove default values from conf file" 2016-10-14 02:17:00 +00:00
liyingjun
626967c1a4 Enable keystone authentication for Barbican
By default Barbican has not enabled the Keystone authentication:

[pipeline:barbican_api]
pipeline = cors unauthenticated-context apiapp

According to the Barbican install guide[1] this pipeline should be:

pipeline = cors authtoken context apiapp

[1]: http://docs.openstack.org/developer/barbican/setup/keystone.html

Change-Id: I941515a98772a72762b20507e100e7872f3b4ab8
Closes-bug: #1625337
2016-10-11 17:44:17 +08:00
liyingjun
cd0336658f Fix 'Address already in use' for barbican-api
By default barbican uwsgi is configured to listen all address on host
[1], we need to change this to the ip address of the host.

[1]:
https://github.com/openstack/barbican/blob/master/etc/barbican/vassals/barbican-api.ini

Change-Id: I4a1f9fb44ad55caf21f82c1b6d272a9743d65fd8
Closes-bug: #1632177
2016-10-11 17:43:19 +08:00
Mauricio Lima
579dd2eb7e Remove default values from conf file
baf5edfbf9/barbican/common/config.py (L108-L131)

TrivialFix

Change-Id: I64baf401718ee694be4651fea6c1aae7cece358c
2016-10-06 10:15:02 -03:00
Christian Berendt
6bc976aa07 Set ownership of barbican configuration files to barbican
Change-Id: I6fe7f0928812f816080ced76dec2659f2094276d
Closes-bug: #1625317
2016-09-19 20:58:06 +02:00
zhubingbing
e0537385d0 Add Barbican ansible role
Partially-Implements: blueprint barbican-ansible

Change-Id: Id6be35b1d0527d5c38d4ea8576b233ebcc404718
2016-09-13 02:56:27 +00:00