Merge "Barbican configuration thru Puppet and SysInv."

configutilities/centos/build_srpm.data

@@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=35
+TIS_PATCH_VER=36

configutilities/configutilities/configutilities/common/utils.py

@@ -45,6 +45,8 @@ EXPECTED_SERVICE_NAME_AND_TYPE = (
      "GNOCCHI_SERVICE_TYPE": "metric",
      "FM_SERVICE_NAME": "fm",
      "FM_SERVICE_TYPE": "faultmanagement",
+     "BARBICAN_SERVICE_NAME": "barbican",
+     "BARBICAN_SERVICE_TYPE": "key-manager",
      })
 
 

configutilities/configutilities/configutilities/common/validator.py

@@ -1048,6 +1048,14 @@ class ConfigValidator(object):
         fm_password = get_optional(self.conf, 'REGION_2_SERVICES',
                                    'FM_PASSWORD')
 
+        # validate barbican service name and type
+        get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_NAME')
+        get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_TYPE')
+        barbican_user_name = self.conf.get('REGION_2_SERVICES',
+                                           'BARBICAN_USER_NAME')
+        barbican_password = get_optional(self.conf, 'REGION_2_SERVICES',
+                                         'BARBICAN_PASSWORD')
+
         if self.conf.has_option('REGION_2_SERVICES', 'USER_DOMAIN_NAME'):
             user_domain = self.conf.get('REGION_2_SERVICES',
                                         'USER_DOMAIN_NAME')
@@ -1158,6 +1166,10 @@ class ConfigValidator(object):
             self.cgcs_conf.set('cREGION', 'GNOCCHI_PASSWORD', gnocchi_password)
             self.cgcs_conf.set('cREGION', 'FM_USER_NAME', fm_user_name)
             self.cgcs_conf.set('cREGION', 'FM_PASSWORD', fm_password)
+            self.cgcs_conf.set('cREGION', 'BARBICAN_USER_NAME',
+                               barbican_user_name)
+            self.cgcs_conf.set('cREGION', 'BARBICAN_PASSWORD',
+                               barbican_password)
 
             self.cgcs_conf.set('cREGION', 'USER_DOMAIN_NAME',
                                user_domain)

configutilities/configutilities/configutilities/configfiletool.py

@@ -731,6 +731,7 @@ class REG2SERVICESPage2(ConfigPage):
         self.fields['GNOCCHI_PASSWORD'] = Field(
             text="GNOCCHI user password",
             type=TYPES.string, initial="")
+
         self.fields['FM_USER_NAME'] = Field(
             text="FM username",
             type=TYPES.string, initial="fm")
@@ -738,6 +739,13 @@ class REG2SERVICESPage2(ConfigPage):
             text="FM user password",
             type=TYPES.string, initial="")
 
+        self.fields['BARBICAN_USER_NAME'] = Field(
+            text="Barbican username",
+            type=TYPES.string, initial="barbican")
+        self.fields['BARBICAN_PASSWORD'] = Field(
+            text="Barbican user password",
+            type=TYPES.string, initial="")
+
     def validate_page(self):
         self.prev.validate_page()
         super(REG2SERVICESPage2, self).validate_page()

controllerconfig/centos/build_srpm.data

@@ -1,2 +1,2 @@
 SRC_DIR="controllerconfig"
-TIS_PATCH_VER=148
+TIS_PATCH_VER=149

controllerconfig/controllerconfig/controllerconfig/backup_restore.py

@@ -70,7 +70,7 @@ def get_backup_databases(cinder_config=False):
     REGION_LOCAL_DATABASES = ('postgres', 'template1', 'nova', 'sysinv',
                               'neutron', 'heat', 'nova_api',
                               'aodh', 'murano', 'magnum', 'panko', 'ironic',
-                              'nova_cell0', 'gnocchi', 'fm')
+                              'nova_cell0', 'gnocchi', 'fm', 'barbican')
     REGION_SHARED_DATABASES = ('glance', 'keystone')
 
     if cinder_config:

controllerconfig/controllerconfig/controllerconfig/configassistant.py

@@ -509,6 +509,8 @@ class ConfigAssistant():
         self.nfv_ks_password = ""
         self.fm_ks_user_name = ""
         self.fm_ks_password = ""
+        self.barbican_ks_user_name = ""
+        self.barbican_ks_password = ""
 
         self.ldap_region_name = ""
         self.ldap_service_name = ""
@@ -2894,6 +2896,13 @@ class ConfigAssistant():
                 self.add_password_for_validation('FM_PASSWORD',
                                                  self.fm_ks_password)
 
+                self.barbican_ks_user_name = config.get(
+                    'cREGION', 'BARBICAN_USER_NAME')
+                self.barbican_ks_password = config.get(
+                    'cREGION', 'BARBICAN_PASSWORD')
+                self.add_password_for_validation('BARBICAN_PASSWORD',
+                                                 self.barbican_ks_password)
+
                 self.shared_services.append(self.keystone_service_type)
                 if self.glance_region_name == self.region_1_name:
                     self.shared_services.append(self.glance_service_type)
@@ -3469,6 +3478,10 @@ class ConfigAssistant():
                             self.fm_ks_user_name)
                     f.write("FM_PASSWORD=%s\n" %
                             self.fm_ks_password)
+                    f.write("BARBICAN_USER_NAME=%s\n" %
+                            self.barbican_ks_user_name)
+                    f.write("BARBICAN_PASSWORD=%s\n" %
+                            self.barbican_ks_password)
 
                 # Subcloud configuration
                 if self.subcloud_config():
@@ -3974,6 +3987,14 @@ class ConfigAssistant():
                   'capabilities': capabilities}
         client.sysinv.sm_service.service_create(**values)
 
+        # barbican service config
+        capabilities = {'user_name': self.barbican_ks_user_name}
+        values = {'name': "barbican",
+                  'enabled': True,
+                  'region_name': self.region_2_name,
+                  'capabilities': capabilities}
+        client.sysinv.sm_service.service_create(**values)
+
     def _store_service_password(self):
         # store service password in the temporary keyring vault
 
@@ -4035,6 +4056,10 @@ class ConfigAssistant():
         keyring.set_password('fm', constants.DEFAULT_SERVICE_PROJECT_NAME,
                              self.fm_ks_password)
 
+        keyring.set_password('barbican',
+                             constants.DEFAULT_SERVICE_PROJECT_NAME,
+                             self.barbican_ks_password)
+
         del os.environ["XDG_DATA_HOME"]
 
     def _populate_network_config(self, client):

controllerconfig/controllerconfig/controllerconfig/regionconfig.py

@@ -56,7 +56,8 @@ EXPECTED_USERS = [
     ('REGION_2_SERVICES', 'MTCE', 'mtce'),
     ('REGION_2_SERVICES', 'PANKO', 'panko'),
     ('REGION_2_SERVICES', 'GNOCCHI', 'gnocchi'),
-    ('REGION_2_SERVICES', 'FM', 'fm')]
+    ('REGION_2_SERVICES', 'FM', 'fm'),
+    ('REGION_2_SERVICES', 'BARBICAN', 'barbican')]
 
 EXPECTED_SHARED_SERVICES_NEUTRON_USER = ('SHARED_SERVICES', 'NEUTRON',
                                          'neutron')
@@ -135,6 +136,11 @@ EXPECTED_REGION2_ENDPOINTS = [
      'http://{}:18002',
      'http://{}:18002',
      'Fault Management Service'),
+    ('BARBICAN_SERVICE_NAME', 'BARBICAN_SERVICE_TYPE',
+     'http://{}:9311',
+     'http://{}:9311',
+     'http://{}:9311',
+     'OpenStack Key Manager Service'),
 ]
 
 EXPECTED_NEUTRON_ENDPOINT = (

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly

@@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fmTWO
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result

@@ -112,6 +112,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fmTWO
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = service_domain
 PROJECT_DOMAIN_NAME = service_domain
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall

@@ -119,6 +119,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fmTWO
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result

@@ -110,6 +110,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fmTWO
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region

@@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
 MTCE_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [cAUTHENTICATION]
 ADMIN_PASSWORD=Li69nux*

controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs

@@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
 MTCE_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [cAUTHENTICATION]
 ADMIN_PASSWORD=Li69nux*

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan

@@ -115,6 +115,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result

@@ -115,6 +115,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs

@@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result

@@ -105,6 +105,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security

@@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result

@@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple

@@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips

@@ -122,6 +122,8 @@ GNOCCHI_USER_NAME=gnocchi
 GNOCCHI_PASSWORD=password2WO*
 FM_USER_NAME=fm
 FM_PASSWORD=password2WO*
+BARBICAN_USER_NAME=barbican
+BARBICAN_PASSWORD=barbican2WO*
 
 [VERSION]
 RELEASE = TEST.SW.VERSION

controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result

@@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
 GNOCCHI_PASSWORD = password2WO*
 FM_USER_NAME = fm
 FM_PASSWORD = password2WO*
+BARBICAN_USER_NAME = barbican
+BARBICAN_PASSWORD = barbican2WO*
 USER_DOMAIN_NAME = Default
 PROJECT_DOMAIN_NAME = Default
 KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0

controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py

@@ -72,6 +72,9 @@ def get_db_credentials(shared_services, from_release):
         {'aodh': {'hiera_user_key': 'aodh::db::postgresql::user',
                   'keyring_password_key': 'aodh',
                   },
+         'barbican': {'hiera_user_key': 'barbican::db::postgresql::user',
+                      'keyring_password_key': 'barbican',
+                      },
          'ceilometer': {'hiera_user_key': 'ceilometer::db::postgresql::user',
                         'keyring_password_key': 'ceilometer',
                         },
@@ -583,10 +586,18 @@ def migrate_databases(from_release, shared_services, db_credentials,
             f.write("[database]\n")
             f.write(get_connection_string(db_credentials, 'keystone'))
 
+    with open("/etc/barbican/barbican-dbsync.conf", "w") as f:
+        f.write("[database]\n")
+        f.write(get_connection_string(db_credentials, 'barbican'))
+
     migrate_commands = [
         # Migrate aodh (new in R3)
         ('aodh',
          'aodh-dbsync --config-file /etc/aodh/aodh-dbsync.conf'),
+        # Migrate barbican
+        ('barbican',
+         'barbican-manage --config-file /etc/barbican/barbican-dbsync.conf ' +
+         'db upgrade'),
         # Migrate ceilometer
         ('ceilometer',
          'ceilometer-upgrade --skip-gnocchi-resource-types --config-file ' +

controllerconfig/controllerconfig/controllerconfig/upgrades/management.py

@@ -28,7 +28,7 @@ def get_upgrade_databases(shared_services):
 
     UPGRADE_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'murano',
                          'ceilometer', 'neutron', 'heat', 'nova_api', 'aodh',
-                         'magnum', 'panko', 'ironic')
+                         'magnum', 'panko', 'ironic', 'barbican')
 
     UPGRADE_DATABASE_SKIP_TABLES = {'postgres': (), 'template1': (),
                                     'heat': (), 'nova': (), 'nova_api': (),
@@ -39,6 +39,7 @@ def get_upgrade_databases(shared_services):
                                     'magnum': (),
                                     'panko': (),
                                     'ironic': (),
+                                    'barbican': (),
                                     'ceilometer': ('metadata_bool',
                                                    'metadata_float',
                                                    'metadata_int',

puppet-manifests/centos/puppet-manifests.spec

@@ -25,6 +25,7 @@ Requires: puppet-fm
 
 # Openstack puppet modules
 Requires: puppet-aodh
+Requires: puppet-barbican
 Requires: puppet-ceilometer
 Requires: puppet-ceph
 Requires: puppet-cinder

puppet-manifests/src/hieradata/controller.yaml

@@ -544,3 +544,22 @@ fm::db::sync::user: 'root'
 fm::database_idle_timeout: 60
 fm::database_max_overflow: 20
 fm::database_max_pool_size: 1
+
+# Barbican
+barbican::use_syslog: true
+barbican::log_facility: 'local2'
+barbican::database_idle_timeout: 60
+barbican::database_max_pool_size: 1
+barbican::database_max_overflow: 10
+barbican::alarm_history_time_to_live: 86400
+
+barbican::auth::auth_endpoint_type: 'internalURL'
+
+barbican::db::sync::user: 'root'
+
+barbican::api::enabled: false
+barbican::api::service_name: 'barbican-api'
+barbican::api::enable_proxy_headers_parsing: true
+
+barbican::keystone-listener::enabled: false
+barbican::worker::enabled: false

puppet-manifests/src/manifests/controller.pp

@@ -132,6 +132,9 @@ include ::platform::smapi
 include ::openstack::swift
 include ::openstack::swift::api
 
+include ::openstack::barbican
+include ::openstack::barbican::api
+
 include ::platform::sm
 
 class { '::platform::config::controller::post':

puppet-manifests/src/modules/openstack/manifests/barbican.pp

@@ -0,0 +1,123 @@
+class openstack::barbican::params (
+  $api_port = 9311,
+  $region_name = undef,
+  $service_name = 'barbican-api',
+  $service_create = false,
+  $service_enabled = true,
+) { }
+
+
+class openstack::barbican
+  inherits ::openstack::barbican::params {
+
+  if $service_enabled {
+
+    include ::platform::params
+
+    if $::platform::params::init_keystone {
+      include ::barbican::keystone::auth
+      include ::barbican::keystone::authtoken
+    }
+
+    if $::platform::params::init_database {
+      include ::barbican::db::postgresql
+    }
+
+    barbican_config {
+        'service_credentials/interface': value => 'internalURL'
+    }
+
+    cron { 'barbican-cleaner':
+      ensure  => 'present',
+      command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
+      environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+      minute  => '50',
+      hour    => '*/24',
+      user    => 'root',
+    }
+  }
+}
+
+
+class openstack::barbican::firewall
+  inherits ::openstack::barbican::params {
+
+  platform::firewall::rule { 'barbican-api':
+    service_name => 'barbican-api',
+    ports        => $api_port,
+  }
+}
+
+
+class openstack::barbican::haproxy
+  inherits ::openstack::barbican::params {
+
+  platform::haproxy::proxy { 'barbican-restapi':
+    server_name => 's-barbican-restapi',
+    public_port => $api_port,
+    private_port => $api_port,
+  }
+}
+
+
+class openstack::barbican::api
+  inherits ::openstack::barbican::params {
+  include ::platform::params
+
+  # The barbican user and service are always required and they
+  # are used by subclouds when the service itself is disabled
+  # on System Controller
+  # whether it creates the endpoint is determined by
+  # barbican::keystone::auth::configure_endpoint which is
+  # set via sysinv puppet
+  if ($::openstack::barbican::params::service_create and
+      $::platform::params::init_keystone) {
+    include ::barbican::keystone::auth
+    $bu_name = $::barbican::keystone::auth::auth_name
+    $bu_tenant = $::barbican::keystone::auth::tenant
+
+    keystone_role { 'creator':
+      ensure => present,
+    }
+    keystone_user_role { "${bu_name}@${bu_tenant}":
+      ensure => present,
+      roles  => ['admin', 'creator'],
+    }
+  }
+
+  if $service_enabled {
+
+    $api_workers = $::platform::params::eng_workers
+
+    file_line { 'Modify workers in gunicorn-config.py':
+      path  => '/etc/barbican/gunicorn-config.py',
+      line  => "workers = '${api_workers}'",
+      match => '.*workers = .*',
+      tag   => 'modify-workers',
+    }
+
+    include ::platform::network::mgmt::params
+    $api_host = $::platform::network::mgmt::params::controller_address
+    $api_fqdn = $::platform::params::controller_hostname
+    $url_host = "http://${api_fqdn}:${api_port}"
+
+    include ::platform::amqp::params
+
+    class { '::barbican::api':
+      bind_host => $api_host,
+      bind_port => $api_port,
+      host_href => $url_host,
+      sync_db => $::platform::params::init_database,
+      enable_proxy_headers_parsing  => true,
+      rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+      default_transport_url => $::platform::amqp::params::transport_url,
+    }
+
+    class { '::barbican::keystone::notification':
+      enable_keystone_notification => true,
+    }
+
+    include ::openstack::barbican::firewall
+    include ::openstack::barbican::haproxy
+  }
+}

puppet-manifests/src/modules/openstack/manifests/keystone.pp

@@ -395,6 +395,11 @@ class openstack::keystone::endpoint::runtime {
       include ::platform::ceph::rgw::keystone::auth
     }
 
+    include ::openstack::barbican::params
+    if $::openstack::barbican::params::service_enabled {
+      include ::barbican::keystone::auth
+    }
+
     if $::platform::params::distributed_cloud_role =='systemcontroller' {
       include ::dcorch::keystone::auth
       include ::dcmanager::keystone::auth

puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb

@@ -13,6 +13,7 @@
     "protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s",
     "protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s",
     "protected_services": [["'aodh':%(target.user.name)s"],
+                           ["'barbican':%(target.user.name)s"],
                            ["'ceilometer':%(target.user.name)s"],
                            ["'cinder':%(target.user.name)s"],
                            ["'glance':%(target.user.name)s"],

puppet-manifests/src/modules/platform/manifests/haproxy.pp

@@ -154,6 +154,7 @@ class platform::haproxy::runtime {
   include ::openstack::panko::haproxy
   include ::openstack::gnocchi::haproxy
   include ::openstack::swift::haproxy
+  include ::openstack::barbican::haproxy
 
   class {'::platform::haproxy::reload':
     stage => post

puppet-manifests/src/modules/platform/manifests/postgresql.pp

@@ -198,6 +198,7 @@ class platform::postgresql::upgrade
   }
 
   include ::aodh::db::postgresql
+  include ::barbican::db::postgresql
   include ::cinder::db::postgresql
   include ::glance::db::postgresql
   include ::gnocchi::db::postgresql

puppet-manifests/src/modules/platform/manifests/sm.pp

@@ -232,6 +232,9 @@ class platform::sm
   # Panko
   include ::openstack::panko::params
 
+  # Barbican
+  include ::openstack::barbican::params
+
   if $system_mode == 'simplex' {
     $hostunit = '0'
     $management_my_unit_ip   = $::platform::network::mgmt::params::controller0_address
@@ -285,6 +288,7 @@ class platform::sm
     $gnocchi_enabled   = false
     $aodh_enabled      = false
     $panko_enabled     = false
+    $barbican_enabled  = false
   } else {
       $heat_service_enabled   = $::openstack::heat::params::service_enabled
       $murano_configured      = $::openstack::murano::params::service_enabled
@@ -293,6 +297,7 @@ class platform::sm
       $gnocchi_enabled        = $::openstack::gnocchi::params::service_enabled
       $aodh_enabled           = $::openstack::aodh::params::service_enabled
       $panko_enabled          = $::openstack::panko::params::service_enabled
+      $barbican_enabled       = $::openstack::barbican::params::service_enabled
   }
 
   if $system_mode == 'simplex' {
@@ -1013,6 +1018,49 @@ class platform::sm
     command => "sm-configure service_instance ironic-conductor ironic-conductor \"config=/etc/ironic/ironic.conf,tftproot=${ironic_tftproot}\"",
   }
 
+  # Barbican
+  if $barbican_enabled {
+
+    exec { 'Configure OpenStack - Barbican API':
+      command => "sm-configure service_instance barbican-api barbican-api \"config=/etc/barbican/barbican.conf\"",
+    }
+
+    exec { 'Configure OpenStack - Barbican Keystone Listener':
+      command => "sm-configure service_instance barbican-keystone-listener barbican-keystone-listener \"config=/etc/barbican/barbican.conf\"",
+    }
+
+    exec { 'Configure OpenStack - Barbican Worker':
+      command => "sm-configure service_instance barbican-worker barbican-worker \"config=/etc/barbican/barbican.conf\"",
+    }
+  } else {
+      exec { 'Deprovision OpenStack - Barbican API (service-group-member)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-api",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican API (service)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-api",
+      }
+
+      exec { 'Deprovision OpenStack - Barbican Keystone Listener (service-group-member)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-keystone-listener",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican Keystone Listener (service)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-keystone-listener",
+      }
+
+      exec { 'Deprovision OpenStack - Barbican Worker (service-group-member)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service-group-member cloud-services barbican-worker",
+      } ->
+      exec { 'Deprovision OpenStack - Barbican Worker (service)':
+        path    => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
+        command => "sm-deprovision service barbican-worker",
+      }
+  }
+
   exec { 'Configure OpenStack - Nova Compute':
     command => "sm-configure service_instance nova-compute nova-compute \"config=/etc/nova/nova-ironic.conf\"",
   }

puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb

@@ -17,6 +17,11 @@ rewrite r_rewrite_set{
   set("<%= @system_name %> aodh-listener.log ${HOST}", value("HOST") condition(filter(f_aodhlistener)));
   set("<%= @system_name %> aodh-notifier.log ${HOST}", value("HOST") condition(filter(f_aodhnotifier)));
   set("<%= @system_name %> auth.log ${HOST}", value("HOST") condition(filter(f_auth)));
+  set("<%= @system_name %> barbican-api.log ${HOST}", value("HOST") condition(filter(f_barbicanapi)));
+  set("<%= @system_name %> barbican-dbsync.log ${HOST}", value("HOST") condition(filter(f_barbicandbsync)));
+  set("<%= @system_name %> barbican-keystone-listener.log ${HOST}", value("HOST") condition(filter(f_barbicankeystonelistener)));
+  set("<%= @system_name %> barbican-worker.log ${HOST}", value("HOST") condition(filter(f_barbicanworker)));
+  set("<%= @system_name %> barbican-cleaner.log ${HOST}", value("HOST") condition(filter(f_barbicancleaner)));
   set("<%= @system_name %> bash.log ${HOST}", value("HOST") condition(filter(f_bash)));
   set("<%= @system_name %> ceilometer-agent-notification.log ${HOST}", value("HOST") condition(filter(f_ceilometeragentnotification)));
   set("<%= @system_name %> ceilometer-upgrade.log ${HOST}", value("HOST") condition(filter(f_ceilometerupgrade)));

sysinv/sysinv/sysinv/setup.cfg

@@ -71,6 +71,7 @@ systemconfig.puppet_plugins =
     031_fm = sysinv.puppet.fm:FmPuppet
     032_swift = sysinv.puppet.swift:SwiftPuppet
     033_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet
+    034_barbican = sysinv.puppet.barbican:BarbicanPuppet
 
 systemconfig.helm_plugins =
     aodh = sysinv.helm.aodh:AodhHelm

sysinv/sysinv/sysinv/sysinv/common/constants.py

@@ -857,6 +857,7 @@ SERVICE_TYPE_IRONIC = 'ironic'
 SERVICE_TYPE_PANKO = 'panko'
 SERVICE_TYPE_AODH = 'aodh'
 SERVICE_TYPE_GLANCE = 'glance'
+SERVICE_TYPE_BARBICAN = 'barbican'
 
 SERVICE_PARAM_SECTION_MURANO_RABBITMQ = 'rabbitmq'
 SERVICE_PARAM_SECTION_MURANO_ENGINE = 'engine'

sysinv/sysinv/sysinv/sysinv/puppet/barbican.py

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from . import openstack
+
+
+class BarbicanPuppet(openstack.OpenstackBasePuppet):
+    """Class to encapsulate puppet operations for barbican configuration"""
+
+    SERVICE_NAME = 'barbican'
+    SERVICE_PORT = 9311
+
+    def get_static_config(self):
+        dbuser = self._get_database_username(self.SERVICE_NAME)
+
+        return {
+            'barbican::db::postgresql::user': dbuser,
+        }
+
+    def get_secure_static_config(self):
+        dbpass = self._get_database_password(self.SERVICE_NAME)
+        kspass = self._get_service_password(self.SERVICE_NAME)
+
+        return {
+            'barbican::db::postgresql::password': dbpass,
+
+            'barbican::keystone::auth::password': kspass,
+            'barbican::keystone::authtoken::password': kspass,
+        }
+
+    def get_system_config(self):
+        ksuser = self._get_service_user_name(self.SERVICE_NAME)
+
+        config = {
+            'barbican::keystone::auth::public_url': self.get_public_url(),
+            'barbican::keystone::auth::internal_url': self.get_internal_url(),
+            'barbican::keystone::auth::admin_url': self.get_admin_url(),
+            'barbican::keystone::auth::auth_name': ksuser,
+            'barbican::keystone::auth::region': self._region_name(),
+            'barbican::keystone::auth::tenant': self._get_service_tenant_name(),
+            'barbican::keystone::auth::configure_user_role': False,
+
+            'barbican::keystone::authtoken::auth_url':
+                self._keystone_identity_uri(),
+            'barbican::keystone::authtoken::auth_uri':
+                self._keystone_auth_uri(),
+
+            'barbican::keystone::authtoken::user_domain_name':
+                self._get_service_user_domain_name(),
+            'barbican::keystone::authtoken::project_domain_name':
+                self._get_service_project_domain_name(),
+            'barbican::keystone::authtoken::project_name':
+                self._get_service_tenant_name(),
+            'barbican::keystone::authtoken::region_name':
+                self._keystone_region_name(),
+            'barbican::keystone::authtoken::username': ksuser,
+
+            'openstack::barbican::params::region_name':
+                self._get_service_region_name(self.SERVICE_NAME),
+            'openstack::barbican::params::service_create':
+                self._to_create_services(),
+        }
+
+        return config
+
+    def get_secure_system_config(self):
+        config = {
+            'barbican::db::database_connection':
+                self._format_database_connection(self.SERVICE_NAME),
+        }
+
+        return config
+
+    def get_public_url(self):
+        return self._format_public_endpoint(self.SERVICE_PORT)
+
+    def get_internal_url(self):
+        return self._format_private_endpoint(self.SERVICE_PORT)
+
+    def get_admin_url(self):
+        return self._format_private_endpoint(self.SERVICE_PORT)