1799c192cc
These were deprecated so that the options can be defined in the common
base class shared between the barbican services[1].
[1] c72177cc26
Related-Bug: #1883034
Change-Id: I6530a7c567b2a61ab6bf41c777e2d96680588040
269 lines
9.4 KiB
Puppet
269 lines
9.4 KiB
Puppet
# == Class: barbican::api
|
|
#
|
|
# The barbican::api class encapsulates a Barbican API service running
|
|
# in a gunicorn container.
|
|
#
|
|
# === Parameters
|
|
#
|
|
# [*package_ensure*]
|
|
# (optional) The state of barbican packages
|
|
# Defaults to 'present'
|
|
#
|
|
# [*bind_host*]
|
|
# (optional) The IP address of the network interface to listen on
|
|
# Default to '0.0.0.0'.
|
|
#
|
|
# [*bind_port*]
|
|
# (optional) Port that barbican binds to.
|
|
# Defaults to '9311'
|
|
#
|
|
# [*host_href*]
|
|
# (optional) The reference that clients use to point back to the service
|
|
# Defaults to http://`hostname`:<bind_port>
|
|
# TODO: needs to be set
|
|
#
|
|
# [*max_allowed_secret_in_bytes*]
|
|
# (optional) Maximum allowed secret size to be stored.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
# [*max_allowed_request_size_in_bytes*]
|
|
# (optional) Maximum request size against the barbican API.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
# [*enabled_secretstore_plugins*]
|
|
# (optional) Enabled secretstore plugins. Multiple plugins
|
|
# are defined in a list eg. ['store_crypto', dogtag_crypto']
|
|
# Used when multiple_secret_stores_enabled is not set to true.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
# [*enabled_crypto_plugins*]
|
|
# (optional) Enabled crypto_plugins. Multiple plugins
|
|
# are defined in a list eg. ['simple_crypto','p11_crypto']
|
|
# Used when multiple_secret_stores_enabled is not set to true.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
# [*enabled_secret_stores*]
|
|
# (optional) Enabled secretstores. This is the configuration
|
|
# parameters when multiple plugin configuration is used.
|
|
# Suffixes are defined in a comma separated list eg.
|
|
# 'simple_crypto,dogtag,kmip,pkcs11'
|
|
# Defaults to 'simple_crypto'
|
|
#
|
|
# [*multiple_secret_stores_enabled*]
|
|
# (optional) Enabled crypto_plugins. Multiple plugins
|
|
# are defined in a list eg. ['simple_crypto','p11_crypto']
|
|
# Defaults to false
|
|
#
|
|
# [*auth_strategy*]
|
|
# (optional) authentication type
|
|
# Defaults to 'keystone'
|
|
#
|
|
# [*manage_service*]
|
|
# (optional) If Puppet should manage service startup / shutdown.
|
|
# Defaults to true.
|
|
#
|
|
# [*enabled*]
|
|
# (optional) Whether to enable services.
|
|
# Defaults to true.
|
|
#
|
|
# [*sync_db*]
|
|
# (optional) Run barbican-db-manage on api nodes.
|
|
# Defaults to true
|
|
#
|
|
# [*db_auto_create*]
|
|
# (optional) Barbican API server option to create the database
|
|
# automatically when the server starts.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
# [*service_name*]
|
|
# (optional) Name of the service that will be providing the
|
|
# server functionality of barbican-api.
|
|
# If the value is 'httpd', this means barbican-api will be a web
|
|
# service, and you must use another class to configure that
|
|
# web service. For example, use class { 'barbican::wsgi::apache'...}
|
|
# to make barbican-api be a web app using apache mod_wsgi.
|
|
# Defaults to $::barbican::params::api_service_name
|
|
#
|
|
# [*enable_proxy_headers_parsing*]
|
|
# (Optional) Enable paste middleware to handle SSL requests through
|
|
# HTTPProxyToWSGI middleware.
|
|
# Defaults to $facts['os_service_default'].
|
|
#
|
|
# [*max_request_body_size*]
|
|
# (Optional) Set max request body size
|
|
# Defaults to $facts['os_service_default'].
|
|
#
|
|
# [*max_limit_paging*]
|
|
# (Optional) Maximum page size for the 'limit' paging URL parameter.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
# [*default_limit_paging*]
|
|
# (Optional) Default page size for the 'limit' paging URL parameter.
|
|
# Defaults to $facts['os_service_default']
|
|
#
|
|
class barbican::api (
|
|
$package_ensure = 'present',
|
|
$bind_host = '0.0.0.0',
|
|
$bind_port = '9311',
|
|
$host_href = undef,
|
|
$max_allowed_secret_in_bytes = $facts['os_service_default'],
|
|
$max_allowed_request_size_in_bytes = $facts['os_service_default'],
|
|
$enabled_secretstore_plugins = $facts['os_service_default'],
|
|
$enabled_crypto_plugins = $facts['os_service_default'],
|
|
$enabled_secret_stores = 'simple_crypto',
|
|
Boolean $multiple_secret_stores_enabled = false,
|
|
$auth_strategy = 'keystone',
|
|
Boolean $manage_service = true,
|
|
Boolean $enabled = true,
|
|
Boolean $sync_db = true,
|
|
$db_auto_create = $facts['os_service_default'],
|
|
$service_name = $::barbican::params::api_service_name,
|
|
$enable_proxy_headers_parsing = $facts['os_service_default'],
|
|
$max_request_body_size = $facts['os_service_default'],
|
|
$max_limit_paging = $facts['os_service_default'],
|
|
$default_limit_paging = $facts['os_service_default'],
|
|
) inherits barbican::params {
|
|
|
|
include barbican::deps
|
|
include barbican::db
|
|
include barbican::client
|
|
include barbican::policy
|
|
|
|
package { 'barbican-api':
|
|
ensure => $package_ensure,
|
|
name => $::barbican::params::api_package_name,
|
|
tag => ['openstack', 'barbican-package'],
|
|
}
|
|
|
|
# basic service config
|
|
if $host_href == undef {
|
|
$host_href_real = "http://${facts['networking']['fqdn']}:${bind_port}"
|
|
} else {
|
|
$host_href_real = $host_href
|
|
}
|
|
|
|
barbican_config {
|
|
'DEFAULT/host_href': value => $host_href_real;
|
|
}
|
|
|
|
# max allowed secret options
|
|
barbican_config {
|
|
'DEFAULT/max_allowed_secret_in_bytes': value => $max_allowed_secret_in_bytes;
|
|
'DEFAULT/max_allowed_request_size_in_bytes': value => $max_allowed_request_size_in_bytes;
|
|
}
|
|
|
|
if $multiple_secret_stores_enabled and !is_service_default($enabled_secretstore_plugins) {
|
|
warning("barbican::api::enabled_secretstore_plugins and barbican::api::enabled_crypto_plugins \
|
|
will be set by puppet, but will not be used by the server whenever \
|
|
barbican::api::multiple_secret_stores_enabled is set to true. Use \
|
|
barbican::api::enabled_secret_stores instead")
|
|
}
|
|
|
|
# enabled plugins
|
|
barbican_config {
|
|
'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins;
|
|
'crypto/enabled_crypto_plugins': value => $enabled_crypto_plugins;
|
|
}
|
|
|
|
# enabled plugins when multiple plugins is enabled
|
|
barbican_config {
|
|
'secretstore/enable_multiple_secret_stores': value => $multiple_secret_stores_enabled;
|
|
'secretstore/stores_lookup_suffix': value => join(any2array($enabled_secret_stores), ',');
|
|
}
|
|
|
|
# keystone config
|
|
if $auth_strategy == 'keystone' {
|
|
include barbican::keystone::authtoken
|
|
barbican_api_paste_ini {
|
|
'composite:main//v1': value => 'barbican-api-keystone', key_val_separator => ':';
|
|
}
|
|
} else {
|
|
barbican_api_paste_ini {
|
|
'composite:main//v1': value => 'barbican_api', key_val_separator => ':';
|
|
}
|
|
}
|
|
|
|
# set value to have the server auto-create the database on startup
|
|
# instead of using db_sync
|
|
barbican_config { 'DEFAULT/db_auto_create': value => $db_auto_create }
|
|
|
|
if $sync_db {
|
|
include barbican::db::sync
|
|
}
|
|
|
|
if $manage_service {
|
|
if $enabled {
|
|
$service_ensure = 'running'
|
|
} else {
|
|
$service_ensure = 'stopped'
|
|
}
|
|
|
|
if $service_name == $::barbican::params::api_service_name {
|
|
|
|
if $facts['os']['name'] == 'Ubuntu' {
|
|
fail('With Ubuntu packages the service_name must be set to httpd as there is no eventlet init script.')
|
|
}
|
|
|
|
service { 'barbican-api':
|
|
ensure => $service_ensure,
|
|
name => $::barbican::params::api_service_name,
|
|
enable => $enabled,
|
|
hasstatus => true,
|
|
hasrestart => true,
|
|
tag => 'barbican-service',
|
|
}
|
|
|
|
# Debian is using UWSGI, not gunicorn
|
|
if $facts['os']['name'] != 'Debian' {
|
|
file_line { 'Modify bind_port in gunicorn-config.py':
|
|
path => '/etc/barbican/gunicorn-config.py',
|
|
line => "bind = '${bind_host}:${bind_port}'",
|
|
match => '^bind = .*',
|
|
tag => 'modify-bind-port',
|
|
require => Anchor['barbican::config::begin'],
|
|
before => Anchor['barbican::config::end'],
|
|
notify => Service['barbican-api'],
|
|
}
|
|
}
|
|
|
|
# On any paste-api.ini config change, we must restart Barbican API.
|
|
Barbican_api_paste_ini<||> ~> Service['barbican-api']
|
|
# On any uwsgi config change, we must restart Barbican API.
|
|
Barbican_api_uwsgi_config<||> ~> Service['barbican-api']
|
|
|
|
} elsif $service_name == 'httpd' {
|
|
# Ubuntu packages does not have a barbican-api service
|
|
if $facts['os']['name'] != 'Ubuntu' {
|
|
service { 'barbican-api':
|
|
ensure => 'stopped',
|
|
name => $::barbican::params::api_service_name,
|
|
enable => false,
|
|
tag => 'barbican-service',
|
|
}
|
|
Service <| title == 'httpd' |> { tag +> 'barbican-service' }
|
|
|
|
# we need to make sure barbican-api is stopped before trying to start apache
|
|
Service['barbican-api'] -> Service[$service_name]
|
|
|
|
}
|
|
|
|
# On any paste-api.ini config change, we must restart Barbican API.
|
|
Barbican_api_paste_ini<||> ~> Service[$service_name]
|
|
|
|
} else {
|
|
fail('Invalid service_name.')
|
|
}
|
|
}
|
|
|
|
oslo::middleware { 'barbican_config':
|
|
enable_proxy_headers_parsing => $enable_proxy_headers_parsing,
|
|
max_request_body_size => $max_request_body_size,
|
|
}
|
|
|
|
# limit paging options
|
|
barbican_config {
|
|
'DEFAULT/max_limit_paging': value => $max_limit_paging;
|
|
'DEFAULT/default_limit_paging': value => $default_limit_paging;
|
|
}
|
|
}
|