From ebc7ac888d1751eabcc91849e37c8197f68b0ed0 Mon Sep 17 00:00:00 2001 From: Alex Kozyrev Date: Thu, 29 Nov 2018 11:20:35 -0500 Subject: [PATCH] Barbican configuration thru Puppet and SysInv. 1. Add the new barbican DB and barbican user. 2. Support DB backup/restore and upgrades for barbican. 3. Configure barbican user and password in region config. 4. Provide Barbican configuration with appropriate data via SysInv. 5. Setup Barbican thru puppet manifests. There are three main services that need to be configured: - Barbican API: a RESTful API for managing secrets. - Barbican Worker: a RPC interface for Barbican API. - Barbican Keystone Listener: a service for Keystone changes. Also, HA Proxy and Firewall need to be updated with Barbican port (9311) as well as Remote Logging manifest to allow Barbican log collection. Change-Id: I6b0b0c90456627bebde2b834b339bc968100b6f9 Story: 2003108 Task: 27700 Depends-On: I2667d56a71b7d3881c03b6a5c1e5ed61d4f0b902 
Signed-off-by: Alex Kozyrev --- configutilities/centos/build_srpm.data | 2 +- .../configutilities/common/utils.py | 2 + .../configutilities/common/validator.py | 12 ++ .../configutilities/configfiletool.py | 8 ++ controllerconfig/centos/build_srpm.data | 2 +- .../controllerconfig/backup_restore.py | 2 +- .../controllerconfig/configassistant.py | 25 ++++ .../controllerconfig/regionconfig.py | 8 +- .../TiS_region_config.share.keystoneonly | 2 + ...iS_region_config.share.keystoneonly.result | 2 + .../tests/files/TiS_region_config.shareall | 2 + .../files/TiS_region_config.shareall.result | 2 + .../tests/files/cgcs_config.region | 2 + .../tests/files/cgcs_config.region_nuage_vrs | 2 + .../tests/files/region_config.lag.vlan | 2 + .../tests/files/region_config.lag.vlan.result | 2 + .../tests/files/region_config.nuage_vrs | 2 + .../files/region_config.nuage_vrs.result | 2 + .../tests/files/region_config.security | 2 + .../tests/files/region_config.security.result | 2 + .../tests/files/region_config.simple | 2 + .../tests/files/region_config.simple.can_ips | 2 + .../tests/files/region_config.simple.result | 2 + .../controllerconfig/upgrades/controller.py | 11 ++ .../controllerconfig/upgrades/management.py | 3 +- puppet-manifests/centos/puppet-manifests.spec | 1 + .../src/hieradata/controller.yaml | 19 +++ puppet-manifests/src/manifests/controller.pp | 3 + .../modules/openstack/manifests/barbican.pp | 123 ++++++++++++++++++ .../modules/openstack/manifests/keystone.pp | 5 + .../templates/keystone-policy.json.erb | 1 + .../src/modules/platform/manifests/haproxy.pp | 1 + .../modules/platform/manifests/postgresql.pp | 1 + .../src/modules/platform/manifests/sm.pp | 48 +++++++ .../platform/templates/remotelogging.conf.erb | 5 + sysinv/sysinv/sysinv/setup.cfg | 1 + .../sysinv/sysinv/sysinv/common/constants.py | 1 + .../sysinv/sysinv/sysinv/puppet/barbican.py | 84 ++++++++++++ 38 files changed, 393 insertions(+), 5 deletions(-) create mode 100644 
puppet-manifests/src/modules/openstack/manifests/barbican.pp create mode 100644 sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
diff --git a/configutilities/centos/build_srpm.data b/configutilities/centos/build_srpm.data
index be5aa85bae..2abd3f0ca3 100755
--- a/configutilities/centos/build_srpm.data
+++ b/configutilities/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=35
+TIS_PATCH_VER=36
diff --git a/configutilities/configutilities/configutilities/common/utils.py b/configutilities/configutilities/configutilities/common/utils.py
index ac43cdd970..3c38c442d8 100644
--- a/configutilities/configutilities/configutilities/common/utils.py
+++ b/configutilities/configutilities/configutilities/common/utils.py
@@ -45,6 +45,8 @@ EXPECTED_SERVICE_NAME_AND_TYPE = (
 "GNOCCHI_SERVICE_TYPE": "metric",
 "FM_SERVICE_NAME": "fm",
 "FM_SERVICE_TYPE": "faultmanagement",
+ "BARBICAN_SERVICE_NAME": "barbican",
+ "BARBICAN_SERVICE_TYPE": "key-manager",
 })
diff --git a/configutilities/configutilities/configutilities/common/validator.py b/configutilities/configutilities/configutilities/common/validator.py
index 088a9e767d..dffc20f28f 100755
--- a/configutilities/configutilities/configutilities/common/validator.py
+++ b/configutilities/configutilities/configutilities/common/validator.py
@@ -1048,6 +1048,14 @@ class ConfigValidator(object):
 fm_password = get_optional(self.conf, 'REGION_2_SERVICES', 'FM_PASSWORD')
+ # validate barbican service name and type
+ get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_NAME')
+ get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_TYPE')
+ barbican_user_name = self.conf.get('REGION_2_SERVICES',
+ 'BARBICAN_USER_NAME')
+ barbican_password = get_optional(self.conf, 'REGION_2_SERVICES',
+ 'BARBICAN_PASSWORD')
+
 if self.conf.has_option('REGION_2_SERVICES', 'USER_DOMAIN_NAME'):
 user_domain = self.conf.get('REGION_2_SERVICES', 'USER_DOMAIN_NAME')
@@ -1158,6 +1166,10 @@ class ConfigValidator(object):
 self.cgcs_conf.set('cREGION', 'GNOCCHI_PASSWORD', gnocchi_password)
 self.cgcs_conf.set('cREGION', 'FM_USER_NAME', fm_user_name)
 self.cgcs_conf.set('cREGION', 'FM_PASSWORD', fm_password)
+ self.cgcs_conf.set('cREGION', 'BARBICAN_USER_NAME',
+ barbican_user_name)
+ self.cgcs_conf.set('cREGION', 'BARBICAN_PASSWORD',
+ barbican_password)
 self.cgcs_conf.set('cREGION', 'USER_DOMAIN_NAME', user_domain)
diff --git a/configutilities/configutilities/configutilities/configfiletool.py b/configutilities/configutilities/configutilities/configfiletool.py
index 5b875a528a..e370a2ff96 100755
--- a/configutilities/configutilities/configutilities/configfiletool.py
+++ b/configutilities/configutilities/configutilities/configfiletool.py
@@ -731,6 +731,7 @@ class REG2SERVICESPage2(ConfigPage):
 self.fields['GNOCCHI_PASSWORD'] = Field(
 text="GNOCCHI user password",
 type=TYPES.string, initial="")
+
 self.fields['FM_USER_NAME'] = Field(
 text="FM username",
 type=TYPES.string, initial="fm")
@@ -738,6 +739,13 @@ class REG2SERVICESPage2(ConfigPage):
 text="FM user password",
 type=TYPES.string, initial="")
+ self.fields['BARBICAN_USER_NAME'] = Field(
+ text="Barbican username",
+ type=TYPES.string, initial="barbican")
+ self.fields['BARBICAN_PASSWORD'] = Field(
+ text="Barbican user password",
+ type=TYPES.string, initial="")
+
 def validate_page(self):
 self.prev.validate_page()
 super(REG2SERVICESPage2, self).validate_page()
diff --git a/controllerconfig/centos/build_srpm.data b/controllerconfig/centos/build_srpm.data
index 52319a2da8..d3d1785a98 100755
--- a/controllerconfig/centos/build_srpm.data
+++ b/controllerconfig/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="controllerconfig"
-TIS_PATCH_VER=148
+TIS_PATCH_VER=149
diff --git a/controllerconfig/controllerconfig/controllerconfig/backup_restore.py b/controllerconfig/controllerconfig/controllerconfig/backup_restore.py
index f9bed53f80..df5623e586 100644
--- a/controllerconfig/controllerconfig/controllerconfig/backup_restore.py
+++ b/controllerconfig/controllerconfig/controllerconfig/backup_restore.py
@@ -70,7 +70,7 @@ def get_backup_databases(cinder_config=False):
 REGION_LOCAL_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'neutron', 'heat', 'nova_api', 'aodh', 'murano', 'magnum', 'panko', 'ironic',
- 'nova_cell0', 'gnocchi', 'fm')
+ 'nova_cell0', 'gnocchi', 'fm', 'barbican')
 REGION_SHARED_DATABASES = ('glance', 'keystone')
 if cinder_config:
diff --git a/controllerconfig/controllerconfig/controllerconfig/configassistant.py b/controllerconfig/controllerconfig/controllerconfig/configassistant.py
index b29eaa1564..7b9555775a 100644
--- a/controllerconfig/controllerconfig/controllerconfig/configassistant.py
+++ b/controllerconfig/controllerconfig/controllerconfig/configassistant.py
@@ -509,6 +509,8 @@ class ConfigAssistant():
 self.nfv_ks_password = ""
 self.fm_ks_user_name = ""
 self.fm_ks_password = ""
+ self.barbican_ks_user_name = ""
+ self.barbican_ks_password = ""
 self.ldap_region_name = ""
 self.ldap_service_name = ""
@@ -2894,6 +2896,13 @@ class ConfigAssistant():
 self.add_password_for_validation('FM_PASSWORD', self.fm_ks_password)
+ self.barbican_ks_user_name = config.get(
+ 'cREGION', 'BARBICAN_USER_NAME')
+ self.barbican_ks_password = config.get(
+ 'cREGION', 'BARBICAN_PASSWORD')
+ self.add_password_for_validation('BARBICAN_PASSWORD',
+ self.barbican_ks_password)
+
 self.shared_services.append(self.keystone_service_type)
 if self.glance_region_name == self.region_1_name:
 self.shared_services.append(self.glance_service_type)
@@ -3469,6 +3478,10 @@ class ConfigAssistant():
 self.fm_ks_user_name)
 f.write("FM_PASSWORD=%s\n" % self.fm_ks_password)
+ f.write("BARBICAN_USER_NAME=%s\n" %
+ self.barbican_ks_user_name)
+ f.write("BARBICAN_PASSWORD=%s\n" %
+ self.barbican_ks_password)
 # Subcloud configuration
 if self.subcloud_config():
@@ -3974,6 +3987,14 @@ class ConfigAssistant():
 'capabilities': capabilities}
 client.sysinv.sm_service.service_create(**values)
+ # barbican service config
+ capabilities = {'user_name': self.barbican_ks_user_name}
+ values = {'name': "barbican",
+ 'enabled': True,
+ 'region_name': self.region_2_name,
+ 'capabilities': capabilities}
+ client.sysinv.sm_service.service_create(**values)
+
 def _store_service_password(self):
 # store service password in the temporary keyring vault
@@ -4035,6 +4056,10 @@ class ConfigAssistant():
 keyring.set_password('fm', constants.DEFAULT_SERVICE_PROJECT_NAME, self.fm_ks_password)
+ keyring.set_password('barbican',
+ constants.DEFAULT_SERVICE_PROJECT_NAME,
+ self.barbican_ks_password)
+
 del os.environ["XDG_DATA_HOME"]
 def _populate_network_config(self, client):
diff --git a/controllerconfig/controllerconfig/controllerconfig/regionconfig.py b/controllerconfig/controllerconfig/controllerconfig/regionconfig.py
index 8f41e703e6..25a1c77ded 100755
--- a/controllerconfig/controllerconfig/controllerconfig/regionconfig.py
+++ b/controllerconfig/controllerconfig/controllerconfig/regionconfig.py
@@ -56,7 +56,8 @@ EXPECTED_USERS = [
 ('REGION_2_SERVICES', 'MTCE', 'mtce'),
 ('REGION_2_SERVICES', 'PANKO', 'panko'),
 ('REGION_2_SERVICES', 'GNOCCHI', 'gnocchi'),
- ('REGION_2_SERVICES', 'FM', 'fm')]
+ ('REGION_2_SERVICES', 'FM', 'fm'),
+ ('REGION_2_SERVICES', 'BARBICAN', 'barbican')]
 EXPECTED_SHARED_SERVICES_NEUTRON_USER = ('SHARED_SERVICES', 'NEUTRON', 'neutron')
@@ -135,6 +136,11 @@ EXPECTED_REGION2_ENDPOINTS = [
 'http://{}:18002',
 'http://{}:18002',
 'Fault Management Service'),
+ ('BARBICAN_SERVICE_NAME', 'BARBICAN_SERVICE_TYPE',
+ 'http://{}:9311',
+ 'http://{}:9311',
+ 'http://{}:9311',
+ 'OpenStack Key Manager Service'),
 ]
 EXPECTED_NEUTRON_ENDPOINT = (
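Review bot: The Barbican public endpoint added to EXPECTED_REGION2_ENDPOINTS is `'http://{}:9311'`, the same plaintext scheme as its internal and admin URLs. That matches the neighbouring entries, but Barbican is the one service whose request and response bodies carry secret payloads, so confirm that the public URL is rewritten to https (or only ever reached through the TLS-terminating proxy) when the platform's HTTPS mode is enabled, as presumably already happens for the other public endpoints in this list. If that rewrite happens elsewhere, a one-line comment on the new entry saying where would spare the next reader the same question.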
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly
index 86237577f6..75c82feaca 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly
@@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fmTWO
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result
index 44da706583..c9370d39c4 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result
@@ -112,6 +112,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fmTWO
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = service_domain
 PROJECT_DOMAIN_NAME = service_domain
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall
index 02454d8559..edaa4684c0 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall
@@ -119,6 +119,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fmTWO
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result
index 09e179659c..75ba071e03 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result
@@ -110,6 +110,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fmTWO
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region
index bd897d8d3b..11a83f223c 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region
@@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
 MTCE_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [cAUTHENTICATION]
 ADMIN_PASSWORD=Li69nux*
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs
index e6157df94c..0a2adcbde9 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs
@@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
 MTCE_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [cAUTHENTICATION]
 ADMIN_PASSWORD=Li69nux*
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan
index 042c38eae1..9240899205 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan
@@ -115,6 +115,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result
index 2853624508..5a90e01572 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result
@@ -115,6 +115,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs
index d05b224845..280f10e57f 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs
@@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result
index 8b2ca4c6a1..6c36e70c3e 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result
@@ -105,6 +105,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security
index f89bb0d3ed..9ae7f59d2e 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security
@@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result
index 77e6ce8165..a8dc53666f 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result
@@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple
index 51c119f842..b2fb380278 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple
@@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips
index ac69a1ca19..95d8db305e 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips
@@ -122,6 +122,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 [VERSION]
 RELEASE = TEST.SW.VERSION
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result
index 77e6ce8165..a8dc53666f 100755
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result
@@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0
diff --git a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
index 20343511ed..4eae0ea94c 100644
--- a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
+++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
@@ -72,6 +72,9 @@ def get_db_credentials(shared_services, from_release):
 {'aodh': {'hiera_user_key': 'aodh::db::postgresql::user',
 'keyring_password_key': 'aodh',
 },
+ 'barbican': {'hiera_user_key': 'barbican::db::postgresql::user',
+ 'keyring_password_key': 'barbican',
+ },
 'ceilometer': {'hiera_user_key': 'ceilometer::db::postgresql::user',
 'keyring_password_key': 'ceilometer',
 },
@@ -583,10 +586,18 @@ def migrate_databases(from_release, shared_services, db_credentials,
 f.write("[database]\n")
 f.write(get_connection_string(db_credentials, 'keystone'))
+ with open("/etc/barbican/barbican-dbsync.conf", "w") as f:
+ f.write("[database]\n")
+ f.write(get_connection_string(db_credentials, 'barbican'))
+
 migrate_commands = [
 # Migrate aodh (new in R3)
 ('aodh', 'aodh-dbsync --config-file /etc/aodh/aodh-dbsync.conf'),
+ # Migrate barbican
+ ('barbican',
+ 'barbican-manage --config-file /etc/barbican/barbican-dbsync.conf ' +
+ 'db upgrade'),
 # Migrate ceilometer
 ('ceilometer',
 'ceilometer-upgrade --skip-gnocchi-resource-types --config-file ' +
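Review bot: `/etc/barbican/barbican-dbsync.conf` is created with a plain `open(..., "w")`, so the file that holds the Barbican database connection string, password included, gets whatever mode the process umask yields rather than an owner-only one. The keystone block just above follows the same pattern, but this is a new instance of it; creating the file with `fd = os.open("/etc/barbican/barbican-dbsync.conf", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, "w") as f:` keeps the credentials readable only by the user running the upgrade (this needs `os` in scope, which the hunk does not show). A short comment stating whether the dbsync file is removed once `barbican-manage db upgrade` has run would also help, since nothing in the hunk cleans it up. migrate_databases begins before the hunk and its migrate_commands list continues after it.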
diff --git a/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py b/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py
index 3365589cd7..b4e6130a76 100644
--- a/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py
+++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py
@@ -28,7 +28,7 @@ def get_upgrade_databases(shared_services):
 UPGRADE_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'murano', 'ceilometer', 'neutron', 'heat', 'nova_api', 'aodh',
- 'magnum', 'panko', 'ironic')
+ 'magnum', 'panko', 'ironic', 'barbican')
 UPGRADE_DATABASE_SKIP_TABLES = {'postgres': (), 'template1': (), 'heat': (), 'nova': (), 'nova_api': (),
@@ -39,6 +39,7 @@ def get_upgrade_databases(shared_services):
 'magnum': (),
 'panko': (),
 'ironic': (),
+ 'barbican': (),
 'ceilometer': ('metadata_bool',
 'metadata_float',
 'metadata_int',
diff --git a/puppet-manifests/centos/puppet-manifests.spec b/puppet-manifests/centos/puppet-manifests.spec
index 7717aa38d6..410fbabb2b 100644
--- a/puppet-manifests/centos/puppet-manifests.spec
+++ b/puppet-manifests/centos/puppet-manifests.spec
@@ -25,6 +25,7 @@ Requires: puppet-fm
 # Openstack puppet modules
 Requires: puppet-aodh
+Requires: puppet-barbican
 Requires: puppet-ceilometer
 Requires: puppet-ceph
 Requires: puppet-cinder
diff --git a/puppet-manifests/src/hieradata/controller.yaml b/puppet-manifests/src/hieradata/controller.yaml
index e76cc0da14..4a8900d4f2 100644
--- a/puppet-manifests/src/hieradata/controller.yaml
+++ b/puppet-manifests/src/hieradata/controller.yaml
@@ -544,3 +544,22 @@ fm::db::sync::user: 'root'
 fm::database_idle_timeout: 60
 fm::database_max_overflow: 20
 fm::database_max_pool_size: 1
+
+# Barbican
+barbican::use_syslog: true
+barbican::log_facility: 'local2'
+barbican::database_idle_timeout: 60
+barbican::database_max_pool_size: 1
+barbican::database_max_overflow: 10
+barbican::alarm_history_time_to_live: 86400
+
+barbican::auth::auth_endpoint_type: 'internalURL'
+
+barbican::db::sync::user: 'root'
+
+barbican::api::enabled: false
+barbican::api::service_name: 'barbican-api'
+barbican::api::enable_proxy_headers_parsing: true
+
+barbican::keystone-listener::enabled: false
+barbican::worker::enabled: false
diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp
index 886218bb55..6c8af8e3d3 100644
--- a/puppet-manifests/src/manifests/controller.pp
+++ b/puppet-manifests/src/manifests/controller.pp
@@ -132,6 +132,9 @@ include ::platform::smapi
 include ::openstack::swift
 include ::openstack::swift::api
+include ::openstack::barbican
+include ::openstack::barbican::api
+
 include ::platform::sm
 class { '::platform::config::controller::post':
diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
new file mode 100644
index 0000000000..e73bae9adb
--- /dev/null
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
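Review bot: `barbican::keystone-listener::enabled: false` can never bind to a class parameter, because Puppet class names allow only lowercase letters, digits and underscores; hiera silently ignores the hyphenated key, so the listener's enable flag is not actually being set by this line. The puppet-barbican class is spelled with an underscore, so the key should read `barbican::keystone_listener::enabled: false`. `barbican::alarm_history_time_to_live: 86400` also looks carried over from the aodh section of this file — I am not aware of such a parameter on the `barbican` class, and an unmatched hiera key is ignored rather than reported, so either verify it against the module or drop it.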
@@ -0,0 +1,123 @@
+class openstack::barbican::params (
+ $api_port = 9311,
+ $region_name = undef,
+ $service_name = 'barbican-api',
+ $service_create = false,
+ $service_enabled = true,
+) { }
+
+
+class openstack::barbican
+ inherits ::openstack::barbican::params {
+
+ if $service_enabled {
+
+ include ::platform::params
+
+ if $::platform::params::init_keystone {
+ include ::barbican::keystone::auth
+ include ::barbican::keystone::authtoken
+ }
+
+ if $::platform::params::init_database {
+ include ::barbican::db::postgresql
+ }
+
+ barbican_config {
+ 'service_credentials/interface': value => 'internalURL'
+ }
+
+ cron { 'barbican-cleaner':
+ ensure => 'present',
+ command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+ minute => '50',
+ hour => '*/24',
+ user => 'root',
+ }
+ }
+}
+
+
+class openstack::barbican::firewall
+ inherits ::openstack::barbican::params {
+
+ platform::firewall::rule { 'barbican-api':
+ service_name => 'barbican-api',
+ ports => $api_port,
+ }
+}
+
+
+class openstack::barbican::haproxy
+ inherits ::openstack::barbican::params {
+
+ platform::haproxy::proxy { 'barbican-restapi':
+ server_name => 's-barbican-restapi',
+ public_port => $api_port,
+ private_port => $api_port,
+ }
+}
+
+
+class openstack::barbican::api
+ inherits ::openstack::barbican::params {
+ include ::platform::params
+
+ # The barbican user and service are always required and they
+ # are used by subclouds when the service itself is disabled
+ # on System Controller
+ # whether it creates the endpoint is determined by
+ # barbican::keystone::auth::configure_endpoint which is
+ # set via sysinv puppet
+ if ($::openstack::barbican::params::service_create and
+ $::platform::params::init_keystone) {
+ include ::barbican::keystone::auth
+ $bu_name = $::barbican::keystone::auth::auth_name
+ $bu_tenant = $::barbican::keystone::auth::tenant
+
+ keystone_role { 'creator':
+ ensure => 
present,
+ }
+ keystone_user_role { "${bu_name}@${bu_tenant}":
+ ensure => present,
+ roles => ['admin', 'creator'],
+ }
+ }
+
+ if $service_enabled {
+
+ $api_workers = $::platform::params::eng_workers
+
+ file_line { 'Modify workers in gunicorn-config.py':
+ path => '/etc/barbican/gunicorn-config.py',
+ line => "workers = '${api_workers}'",
+ match => '.*workers = .*',
+ tag => 'modify-workers',
+ }
+
+ include ::platform::network::mgmt::params
+ $api_host = $::platform::network::mgmt::params::controller_address
+ $api_fqdn = $::platform::params::controller_hostname
+ $url_host = "http://${api_fqdn}:${api_port}"
+
+ include ::platform::amqp::params
+
+ class { '::barbican::api':
+ bind_host => $api_host,
+ bind_port => $api_port,
+ host_href => $url_host,
+ sync_db => $::platform::params::init_database,
+ enable_proxy_headers_parsing => true,
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ }
+
+ class { '::barbican::keystone::notification':
+ enable_keystone_notification => true,
+ }
+
+ include ::openstack::barbican::firewall
+ include ::openstack::barbican::haproxy
+ }
+}
diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp
index e3bc1202ee..ef8841ac79 100644
--- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp
@@ -395,6 +395,11 @@ class openstack::keystone::endpoint::runtime {
 include ::platform::ceph::rgw::keystone::auth
 }
+ include ::openstack::barbican::params
+ if $::openstack::barbican::params::service_enabled {
+ include ::barbican::keystone::auth
+ }
+
 if $::platform::params::distributed_cloud_role =='systemcontroller' {
 include ::dcorch::keystone::auth
 include ::dcmanager::keystone::auth
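Review bot: In the `barbican-cleaner` cron resource, `hour => '*/24'` depends on the step wrapping a 0–23 field and evaluates to hour 0 only; `hour => '0'` states the same schedule explicitly and stops a reader assuming the cleaner runs more than once a day. In `openstack::barbican::api`, the `keystone_user_role` grants the service account both `admin` and `creator`; `creator` is the Barbican-specific role, so a one-line comment saying what the service account needs `admin` for (or dropping it if nothing does) would document the intended privilege level for whoever next tightens these roles. Minor: `$region_name` is declared in `openstack::barbican::params` but nothing in this file reads it, so it is either consumed via hiera elsewhere or dead.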
diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb b/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb
index 5ea2090dee..42f858aaff 100644
--- a/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb
@@ -13,6 +13,7 @@
 "protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s",
 "protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s",
 "protected_services": [["'aodh':%(target.user.name)s"],
+ ["'barbican':%(target.user.name)s"],
 ["'ceilometer':%(target.user.name)s"],
 ["'cinder':%(target.user.name)s"],
 ["'glance':%(target.user.name)s"],
diff --git a/puppet-manifests/src/modules/platform/manifests/haproxy.pp b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
index 0c3fd9aacf..2cae8d3f42 100644
--- a/puppet-manifests/src/modules/platform/manifests/haproxy.pp
+++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
@@ -154,6 +154,7 @@ class platform::haproxy::runtime {
 include ::openstack::panko::haproxy
 include ::openstack::gnocchi::haproxy
 include ::openstack::swift::haproxy
+ include ::openstack::barbican::haproxy
 class {'::platform::haproxy::reload':
 stage => post
diff --git a/puppet-manifests/src/modules/platform/manifests/postgresql.pp b/puppet-manifests/src/modules/platform/manifests/postgresql.pp
index 60a0d9e799..371ed42c02 100644
--- a/puppet-manifests/src/modules/platform/manifests/postgresql.pp
+++ b/puppet-manifests/src/modules/platform/manifests/postgresql.pp
@@ -198,6 +198,7 @@ class platform::postgresql::upgrade
 }
 include ::aodh::db::postgresql
+ include ::barbican::db::postgresql
 include ::cinder::db::postgresql
 include ::glance::db::postgresql
 include ::gnocchi::db::postgresql
diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp
index b3fa1bc516..e6630c7f5b 100755
--- a/puppet-manifests/src/modules/platform/manifests/sm.pp
+++ b/puppet-manifests/src/modules/platform/manifests/sm.pp
@@ -232,6 +232,9 @@ class platform::sm
 # Panko
 include ::openstack::panko::params
+ # Barbican
+ include ::openstack::barbican::params
+
 if $system_mode == 'simplex' {
 $hostunit = '0'
 $management_my_unit_ip = $::platform::network::mgmt::params::controller0_address
@@ -285,6 +288,7 @@ class platform::sm
 $gnocchi_enabled = false
 $aodh_enabled = false
 $panko_enabled = false
+ $barbican_enabled = false
 } else {
 $heat_service_enabled = $::openstack::heat::params::service_enabled
 $murano_configured = $::openstack::murano::params::service_enabled
@@ -293,6 +297,7 @@ class platform::sm
 $gnocchi_enabled = $::openstack::gnocchi::params::service_enabled
 $aodh_enabled = $::openstack::aodh::params::service_enabled
 $panko_enabled = $::openstack::panko::params::service_enabled
+ $barbican_enabled = $::openstack::barbican::params::service_enabled
 }
 if $system_mode == 'simplex' {
@@ -1013,6 +1018,49 @@ class platform::sm
       command => "sm-configure service_instance ironic-conductor ironic-conductor \"config=/etc/ironic/ironic.conf,tftproot=${ironic_tftproot}\"",
     }
 
+    # Barbican
+    if $barbican_enabled {
+
+      exec { 'Configure OpenStack - Barbican API':
+        command => "sm-configure service_instance barbican-api barbican-api \"config=/etc/barbican/barbican.conf\"",
+      }
+
+      exec { 'Configure OpenStack - Barbican Keystone Listener':
+        command => "sm-configure service_instance barbican-keystone-listener barbican-keystone-listener \"config=/etc/barbican/barbican.conf\"",
+      }
+
+      exec { 'Configure OpenStack - Barbican Worker':
+        command => "sm-configure service_instance barbican-worker barbican-worker \"config=/etc/barbican/barbican.conf\"",
+      }
+    } else {
+      exec { 'Deprovision OpenStack - Barbican API (service-group-member)':
+        path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-api",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican API (service)':
+        path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-api",
+      }
+
+      exec { 'Deprovision OpenStack - Barbican Keystone Listener (service-group-member)':
+        path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-keystone-listener",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican Keystone Listener (service)':
+        path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-keystone-listener",
+      }
+
+      exec { 'Deprovision OpenStack - Barbican Worker (service-group-member)':
+        path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-worker",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican Worker (service)':
+        path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-worker",
+      }
+    }
+
     exec { 'Configure OpenStack - Nova Compute':
       command => "sm-configure service_instance nova-compute nova-compute \"config=/etc/nova/nova-ironic.conf\"",
     }
diff --git a/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb b/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb
index 3353fccf84..3ed1d83eca 100644
--- a/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb
+++ b/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb
@@ -17,6 +17,11 @@ rewrite r_rewrite_set{
     set("<%= @system_name %> aodh-listener.log ${HOST}", value("HOST") condition(filter(f_aodhlistener)));
     set("<%= @system_name %> aodh-notifier.log ${HOST}", value("HOST") condition(filter(f_aodhnotifier)));
     set("<%= @system_name %> auth.log ${HOST}", value("HOST") condition(filter(f_auth)));
+    set("<%= @system_name %> barbican-api.log ${HOST}", value("HOST") condition(filter(f_barbicanapi)));
+    set("<%= @system_name %> barbican-dbsync.log ${HOST}", value("HOST") condition(filter(f_barbicandbsync)));
+    set("<%= @system_name %> barbican-keystone-listener.log ${HOST}", value("HOST") condition(filter(f_barbicankeystonelistener)));
+    set("<%= @system_name %> barbican-worker.log ${HOST}", value("HOST") condition(filter(f_barbicanworker)));
+    set("<%= @system_name %> barbican-cleaner.log ${HOST}", value("HOST") condition(filter(f_barbicancleaner)));
     set("<%= @system_name %> bash.log ${HOST}", value("HOST") condition(filter(f_bash)));
     set("<%= @system_name %> ceilometer-agent-notification.log ${HOST}", value("HOST") condition(filter(f_ceilometeragentnotification)));
     set("<%= @system_name %> ceilometer-upgrade.log ${HOST}", value("HOST") condition(filter(f_ceilometerupgrade)));
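Review bot: The three `sm-configure` execs in the `if $barbican_enabled` branch set no `path`, while every `sm-deprovision` exec in the `else` branch carries an explicit `path => [ '/usr/bin', ... ]`; the ironic-conductor context line takes the same path-less form, so a class-level `Exec { path => ... }` default probably exists, but if it does not the enabled branch will fail to resolve `sm-configure`. Either drop the per-resource `path` from the six deprovision execs to match the rest of the class, or add a one-line comment in the `else` branch explaining why it is needed there. The deprovision execs are chained only pairwise with `->`, so no ordering is expressed between the api, keystone-listener and worker deprovisioning; if sm requires one, it is not enforced here. The enclosing class platform::sm starts and ends outside the hunk.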
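Review bot: The five new `set(...)` rules reference filters `f_barbicanapi`, `f_barbicandbsync`, `f_barbicankeystonelistener`, `f_barbicanworker` and `f_barbicancleaner`, but this file's diffstat is exactly these five insertions, so no `filter f_barbican... { ... }` definitions are added in this change; unless they already exist in the template or arrive with the Depends-On change, syslog-ng will reject the rendered config for an undefined filter reference and remote log forwarding will stop for every service, not just barbican. The surrounding list is alphabetical and `barbican-cleaner.log` is placed after `barbican-worker.log`; moving it ahead of `barbican-dbsync.log` keeps the convention. The enclosing `rewrite r_rewrite_set{` block starts and ends outside the hunk.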
diff --git a/sysinv/sysinv/sysinv/setup.cfg b/sysinv/sysinv/sysinv/setup.cfg
index 2991099568..da56d3daca 100644
--- a/sysinv/sysinv/sysinv/setup.cfg
+++ b/sysinv/sysinv/sysinv/setup.cfg
@@ -71,6 +71,7 @@ systemconfig.puppet_plugins =
     031_fm = sysinv.puppet.fm:FmPuppet
     032_swift = sysinv.puppet.swift:SwiftPuppet
     033_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet
+    034_barbican = sysinv.puppet.barbican:BarbicanPuppet
 
 systemconfig.helm_plugins =
     aodh = sysinv.helm.aodh:AodhHelm
diff --git a/sysinv/sysinv/sysinv/sysinv/common/constants.py b/sysinv/sysinv/sysinv/sysinv/common/constants.py
index 5112d8b029..3097b98deb 100644
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@@ -856,6 +856,7 @@ SERVICE_TYPE_IRONIC = 'ironic'
 SERVICE_TYPE_PANKO = 'panko'
 SERVICE_TYPE_AODH = 'aodh'
 SERVICE_TYPE_GLANCE = 'glance'
+SERVICE_TYPE_BARBICAN = 'barbican'
 
 SERVICE_PARAM_SECTION_MURANO_RABBITMQ = 'rabbitmq'
 SERVICE_PARAM_SECTION_MURANO_ENGINE = 'engine'
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
new file mode 100644
index 0000000000..d1da20aa41
--- /dev/null
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from . import openstack
+
+
+class BarbicanPuppet(openstack.OpenstackBasePuppet):
+    """Class to encapsulate puppet operations for barbican configuration"""
+
+    SERVICE_NAME = 'barbican'
+    SERVICE_PORT = 9311
+
+    def get_static_config(self):
+        dbuser = self._get_database_username(self.SERVICE_NAME)
+
+        return {
+            'barbican::db::postgresql::user': dbuser,
+        }
+
+    def get_secure_static_config(self):
+        dbpass = self._get_database_password(self.SERVICE_NAME)
+        kspass = self._get_service_password(self.SERVICE_NAME)
+
+        return {
+            'barbican::db::postgresql::password': dbpass,
+
+            'barbican::keystone::auth::password': kspass,
+            'barbican::keystone::authtoken::password': kspass,
+        }
+
+    def get_system_config(self):
+        ksuser = self._get_service_user_name(self.SERVICE_NAME)
+
+        config = {
+            'barbican::keystone::auth::public_url': self.get_public_url(),
+            'barbican::keystone::auth::internal_url': self.get_internal_url(),
+            'barbican::keystone::auth::admin_url': self.get_admin_url(),
+            'barbican::keystone::auth::auth_name': ksuser,
+            'barbican::keystone::auth::region': self._region_name(),
+            'barbican::keystone::auth::tenant': self._get_service_tenant_name(),
+            'barbican::keystone::auth::configure_user_role': False,
+
+            'barbican::keystone::authtoken::auth_url':
+                self._keystone_identity_uri(),
+            'barbican::keystone::authtoken::auth_uri':
+                self._keystone_auth_uri(),
+
+            'barbican::keystone::authtoken::user_domain_name':
+                self._get_service_user_domain_name(),
+            'barbican::keystone::authtoken::project_domain_name':
+                self._get_service_project_domain_name(),
+            'barbican::keystone::authtoken::project_name':
+                self._get_service_tenant_name(),
+            'barbican::keystone::authtoken::region_name':
+                self._keystone_region_name(),
+            'barbican::keystone::authtoken::username': ksuser,
+
+            'openstack::barbican::params::region_name':
+                self._get_service_region_name(self.SERVICE_NAME),
+            'openstack::barbican::params::service_create':
+                self._to_create_services(),
+        }
+
+        return config
+
+    def get_secure_system_config(self):
+        config = {
+            'barbican::db::database_connection':
+                self._format_database_connection(self.SERVICE_NAME),
+        }
+
+        return config
+
+    def get_public_url(self):
+        return self._format_public_endpoint(self.SERVICE_PORT)
+
+    def get_internal_url(self):
+        return self._format_private_endpoint(self.SERVICE_PORT)
+
+    def get_admin_url(self):
+        return self._format_private_endpoint(self.SERVICE_PORT)
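Review bot: `SERVICE_NAME = 'barbican'` duplicates the `SERVICE_TYPE_BARBICAN = 'barbican'` constant this same commit adds to sysinv/common/constants.py; `SERVICE_NAME = constants.SERVICE_TYPE_BARBICAN` (with `from sysinv.common import constants`) keeps the plugin and the service-type registry from drifting apart. None of the methods is documented; a one-line docstring on each naming the hieradata tier it feeds would help, e.g. on get_secure_static_config: `"""Return the barbican DB and keystone service passwords; emitted only to secure hieradata."""`, and on get_secure_system_config a note that `database_connection` embeds the DB password, which is why it lives in the secure tier rather than beside the other `barbican::db` keys. `get_admin_url` returns the same private endpoint as `get_internal_url`; if that deliberately mirrors the other sysinv puppet plugins, a comment saying so would stop the next reader from "fixing" it to the public endpoint. `'barbican::keystone::auth::configure_user_role': False` means the barbican service user's role assignment has to come from somewhere else; a comment naming where would make the keystone side of this change reviewable.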