diff --git a/configutilities/centos/build_srpm.data b/configutilities/centos/build_srpm.data index be5aa85bae..2abd3f0ca3 100755 --- a/configutilities/centos/build_srpm.data +++ b/configutilities/centos/build_srpm.data @@ -1,3 +1,3 @@ SRC_DIR="configutilities" COPY_LIST="$SRC_DIR/LICENSE" -TIS_PATCH_VER=35 +TIS_PATCH_VER=36 diff --git a/configutilities/configutilities/configutilities/common/utils.py b/configutilities/configutilities/configutilities/common/utils.py index ac43cdd970..3c38c442d8 100644 --- a/configutilities/configutilities/configutilities/common/utils.py +++ b/configutilities/configutilities/configutilities/common/utils.py @@ -45,6 +45,8 @@ EXPECTED_SERVICE_NAME_AND_TYPE = ( "GNOCCHI_SERVICE_TYPE": "metric", "FM_SERVICE_NAME": "fm", "FM_SERVICE_TYPE": "faultmanagement", + "BARBICAN_SERVICE_NAME": "barbican", + "BARBICAN_SERVICE_TYPE": "key-manager", }) diff --git a/configutilities/configutilities/configutilities/common/validator.py b/configutilities/configutilities/configutilities/common/validator.py index 088a9e767d..dffc20f28f 100755 --- a/configutilities/configutilities/configutilities/common/validator.py +++ b/configutilities/configutilities/configutilities/common/validator.py @@ -1048,6 +1048,14 @@ class ConfigValidator(object): fm_password = get_optional(self.conf, 'REGION_2_SERVICES', 'FM_PASSWORD') + # validate barbican service name and type + get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_NAME') + get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_TYPE') + barbican_user_name = self.conf.get('REGION_2_SERVICES', + 'BARBICAN_USER_NAME') + barbican_password = get_optional(self.conf, 'REGION_2_SERVICES', + 'BARBICAN_PASSWORD') + if self.conf.has_option('REGION_2_SERVICES', 'USER_DOMAIN_NAME'): user_domain = self.conf.get('REGION_2_SERVICES', 'USER_DOMAIN_NAME') 
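Review bot: `self.conf.get('REGION_2_SERVICES', 'BARBICAN_USER_NAME')` in the added block has no fallback, so any existing region config written before this change now fails on the missing key (presumably with a raw `NoOptionError` from the parser) instead of a validation message, while the password right beside it is read through `get_optional`. If the key is meant to be mandatory, routing the failure through the same error path the other required fields use would be clearer; otherwise `get_optional(self.conf, 'REGION_2_SERVICES', 'BARBICAN_USER_NAME')` with a default of `'barbican'` (matching the configfiletool initial value in this change) keeps older configs loadable. The two `get_service` calls discard their results, which reads as relying on them to raise on a bad entry; a comment saying so would help. The enclosing method continues outside the hunk, so I cannot see how FM_USER_NAME is read.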
@@ -1158,6 +1166,10 @@ class ConfigValidator(object): self.cgcs_conf.set('cREGION', 'GNOCCHI_PASSWORD', gnocchi_password) self.cgcs_conf.set('cREGION', 'FM_USER_NAME', fm_user_name) self.cgcs_conf.set('cREGION', 'FM_PASSWORD', fm_password) + self.cgcs_conf.set('cREGION', 'BARBICAN_USER_NAME', + barbican_user_name) + self.cgcs_conf.set('cREGION', 'BARBICAN_PASSWORD', + barbican_password) self.cgcs_conf.set('cREGION', 'USER_DOMAIN_NAME', user_domain) diff --git a/configutilities/configutilities/configutilities/configfiletool.py b/configutilities/configutilities/configutilities/configfiletool.py index 5b875a528a..e370a2ff96 100755 --- a/configutilities/configutilities/configutilities/configfiletool.py +++ b/configutilities/configutilities/configutilities/configfiletool.py @@ -731,6 +731,7 @@ class REG2SERVICESPage2(ConfigPage): self.fields['GNOCCHI_PASSWORD'] = Field( text="GNOCCHI user password", type=TYPES.string, initial="") + self.fields['FM_USER_NAME'] = Field( text="FM username", type=TYPES.string, initial="fm") @@ -738,6 +739,13 @@ class REG2SERVICESPage2(ConfigPage): text="FM user password", type=TYPES.string, initial="") + self.fields['BARBICAN_USER_NAME'] = Field( + text="Barbican username", + type=TYPES.string, initial="barbican") + self.fields['BARBICAN_PASSWORD'] = Field( + text="Barbican user password", + type=TYPES.string, initial="") + def validate_page(self): self.prev.validate_page() super(REG2SERVICESPage2, self).validate_page() diff --git a/controllerconfig/centos/build_srpm.data b/controllerconfig/centos/build_srpm.data index 52319a2da8..d3d1785a98 100755 --- a/controllerconfig/centos/build_srpm.data +++ b/controllerconfig/centos/build_srpm.data @@ -1,2 +1,2 @@ SRC_DIR="controllerconfig" -TIS_PATCH_VER=148 +TIS_PATCH_VER=149 diff --git a/controllerconfig/controllerconfig/controllerconfig/backup_restore.py b/controllerconfig/controllerconfig/controllerconfig/backup_restore.py index f9bed53f80..df5623e586 100644 
--- a/controllerconfig/controllerconfig/controllerconfig/backup_restore.py +++ b/controllerconfig/controllerconfig/controllerconfig/backup_restore.py @@ -70,7 +70,7 @@ def get_backup_databases(cinder_config=False): REGION_LOCAL_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'neutron', 'heat', 'nova_api', 'aodh', 'murano', 'magnum', 'panko', 'ironic', - 'nova_cell0', 'gnocchi', 'fm') + 'nova_cell0', 'gnocchi', 'fm', 'barbican') REGION_SHARED_DATABASES = ('glance', 'keystone') if cinder_config: diff --git a/controllerconfig/controllerconfig/controllerconfig/configassistant.py b/controllerconfig/controllerconfig/controllerconfig/configassistant.py index b29eaa1564..7b9555775a 100644 --- a/controllerconfig/controllerconfig/controllerconfig/configassistant.py +++ b/controllerconfig/controllerconfig/controllerconfig/configassistant.py @@ -509,6 +509,8 @@ class ConfigAssistant(): self.nfv_ks_password = "" self.fm_ks_user_name = "" self.fm_ks_password = "" + self.barbican_ks_user_name = "" + self.barbican_ks_password = "" self.ldap_region_name = "" self.ldap_service_name = "" @@ -2894,6 +2896,13 @@ class ConfigAssistant(): self.add_password_for_validation('FM_PASSWORD', self.fm_ks_password) + self.barbican_ks_user_name = config.get( + 'cREGION', 'BARBICAN_USER_NAME') + self.barbican_ks_password = config.get( + 'cREGION', 'BARBICAN_PASSWORD') + self.add_password_for_validation('BARBICAN_PASSWORD', + self.barbican_ks_password) + self.shared_services.append(self.keystone_service_type) if self.glance_region_name == self.region_1_name: self.shared_services.append(self.glance_service_type) @@ -3469,6 +3478,10 @@ class ConfigAssistant(): self.fm_ks_user_name) f.write("FM_PASSWORD=%s\n" % self.fm_ks_password) + f.write("BARBICAN_USER_NAME=%s\n" % + self.barbican_ks_user_name) + f.write("BARBICAN_PASSWORD=%s\n" % + self.barbican_ks_password) # Subcloud configuration if self.subcloud_config(): 
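Review bot: Adding `'barbican'` to REGION_LOCAL_DATABASES backs up a database whose secret payloads are, with the default simple_crypto backend, only usable together with the key-encryption key held in barbican's configuration rather than in the database, and nothing on this page shows that configuration being captured by the backup. Confirm that the restore path also restores the barbican config directory (or wherever the KEK lives in this deployment); otherwise a restored controller ends up with secret records it cannot decrypt. A one-line comment next to the entry noting that dependency would save the next maintainer the same question.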
@@ -3974,6 +3987,14 @@ class ConfigAssistant(): 'capabilities': capabilities} client.sysinv.sm_service.service_create(**values) + # barbican service config + capabilities = {'user_name': self.barbican_ks_user_name} + values = {'name': "barbican", + 'enabled': True, + 'region_name': self.region_2_name, + 'capabilities': capabilities} + client.sysinv.sm_service.service_create(**values) + def _store_service_password(self): # store service password in the temporary keyring vault @@ -4035,6 +4056,10 @@ class ConfigAssistant(): keyring.set_password('fm', constants.DEFAULT_SERVICE_PROJECT_NAME, self.fm_ks_password) + keyring.set_password('barbican', + constants.DEFAULT_SERVICE_PROJECT_NAME, + self.barbican_ks_password) + del os.environ["XDG_DATA_HOME"] def _populate_network_config(self, client): diff --git a/controllerconfig/controllerconfig/controllerconfig/regionconfig.py b/controllerconfig/controllerconfig/controllerconfig/regionconfig.py index 8f41e703e6..25a1c77ded 100755 --- a/controllerconfig/controllerconfig/controllerconfig/regionconfig.py +++ b/controllerconfig/controllerconfig/controllerconfig/regionconfig.py @@ -56,7 +56,8 @@ EXPECTED_USERS = [ ('REGION_2_SERVICES', 'MTCE', 'mtce'), ('REGION_2_SERVICES', 'PANKO', 'panko'), ('REGION_2_SERVICES', 'GNOCCHI', 'gnocchi'), - ('REGION_2_SERVICES', 'FM', 'fm')] + ('REGION_2_SERVICES', 'FM', 'fm'), + ('REGION_2_SERVICES', 'BARBICAN', 'barbican')] EXPECTED_SHARED_SERVICES_NEUTRON_USER = ('SHARED_SERVICES', 'NEUTRON', 'neutron') @@ -135,6 +136,11 @@ EXPECTED_REGION2_ENDPOINTS = [ 'http://{}:18002', 'http://{}:18002', 'Fault Management Service'), + ('BARBICAN_SERVICE_NAME', 'BARBICAN_SERVICE_TYPE', + 'http://{}:9311', + 'http://{}:9311', + 'http://{}:9311', + 'OpenStack Key Manager Service'), ] EXPECTED_NEUTRON_ENDPOINT = ( 
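Review bot: The new EXPECTED_REGION2_ENDPOINTS entry publishes all three barbican endpoints as plain `http://{}:9311`, which for a key manager means secret payloads cross the public interface in clear unless TLS is terminated in front of it; the neighbouring entries use http too, so this may be by design, but it deserves either a comment here or confirmation that the haproxy front end added in this change serves https when the platform has it enabled. Port 9311 is now hard-coded in three places on this page (this table, `$api_port` in barbican.pp and `SERVICE_PORT` in sysinv's barbican.py) with nothing tying them together, so a comment naming the canonical source would reduce drift risk.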
diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly index 86237577f6..75c82feaca 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly @@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchiTWO GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fmTWO FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result index 44da706583..c9370d39c4 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.share.keystoneonly.result @@ -112,6 +112,8 @@ GNOCCHI_USER_NAME = gnocchiTWO GNOCCHI_PASSWORD = password2WO* FM_USER_NAME = fmTWO FM_PASSWORD = password2WO* +BARBICAN_USER_NAME = barbican +BARBICAN_PASSWORD = barbican2WO* USER_DOMAIN_NAME = service_domain PROJECT_DOMAIN_NAME = service_domain KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0 diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall index 02454d8559..edaa4684c0 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall 
@@ -119,6 +119,8 @@ GNOCCHI_USER_NAME=gnocchiTWO GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fmTWO FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result index 09e179659c..75ba071e03 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/TiS_region_config.shareall.result @@ -110,6 +110,8 @@ GNOCCHI_USER_NAME = gnocchiTWO GNOCCHI_PASSWORD = password2WO* FM_USER_NAME = fmTWO FM_PASSWORD = password2WO* +BARBICAN_USER_NAME = barbican +BARBICAN_PASSWORD = barbican2WO* USER_DOMAIN_NAME = Default PROJECT_DOMAIN_NAME = Default KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0 diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region index bd897d8d3b..11a83f223c 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region @@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce MTCE_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [cAUTHENTICATION] ADMIN_PASSWORD=Li69nux* diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs index e6157df94c..0a2adcbde9 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs 
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/cgcs_config.region_nuage_vrs @@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce MTCE_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [cAUTHENTICATION] ADMIN_PASSWORD=Li69nux* diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan index 042c38eae1..9240899205 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan @@ -115,6 +115,8 @@ GNOCCHI_USER_NAME=gnocchi GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result index 2853624508..5a90e01572 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.lag.vlan.result @@ -115,6 +115,8 @@ GNOCCHI_USER_NAME = gnocchi GNOCCHI_PASSWORD = password2WO* FM_USER_NAME = fm FM_PASSWORD = password2WO* +BARBICAN_USER_NAME = barbican +BARBICAN_PASSWORD = barbican2WO* USER_DOMAIN_NAME = Default PROJECT_DOMAIN_NAME = Default KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0 diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs index d05b224845..280f10e57f 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs 
+++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs @@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchi GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result index 8b2ca4c6a1..6c36e70c3e 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.nuage_vrs.result @@ -105,6 +105,8 @@ GNOCCHI_USER_NAME = gnocchi GNOCCHI_PASSWORD = password2WO* FM_USER_NAME = fm FM_PASSWORD = password2WO* +BARBICAN_USER_NAME = barbican +BARBICAN_PASSWORD = barbican2WO* USER_DOMAIN_NAME = Default PROJECT_DOMAIN_NAME = Default KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0 diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security index f89bb0d3ed..9ae7f59d2e 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security @@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result index 77e6ce8165..a8dc53666f 100755 
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.security.result @@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi GNOCCHI_PASSWORD = password2WO* FM_USER_NAME = fm FM_PASSWORD = password2WO* +BARBICAN_USER_NAME = barbican +BARBICAN_PASSWORD = barbican2WO* USER_DOMAIN_NAME = Default PROJECT_DOMAIN_NAME = Default KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0 diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple index 51c119f842..b2fb380278 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple @@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips index ac69a1ca19..95d8db305e 100755 --- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.can_ips @@ -122,6 +122,8 @@ GNOCCHI_USER_NAME=gnocchi GNOCCHI_PASSWORD=password2WO* FM_USER_NAME=fm FM_PASSWORD=password2WO* +BARBICAN_USER_NAME=barbican +BARBICAN_PASSWORD=barbican2WO* [VERSION] RELEASE = TEST.SW.VERSION diff --git a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result index 77e6ce8165..a8dc53666f 100755 
--- a/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result +++ b/controllerconfig/controllerconfig/controllerconfig/tests/files/region_config.simple.result @@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi GNOCCHI_PASSWORD = password2WO* FM_USER_NAME = fm FM_PASSWORD = password2WO* +BARBICAN_USER_NAME = barbican +BARBICAN_PASSWORD = barbican2WO* USER_DOMAIN_NAME = Default PROJECT_DOMAIN_NAME = Default KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0 diff --git a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py index 20343511ed..4eae0ea94c 100644 --- a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py +++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py @@ -72,6 +72,9 @@ def get_db_credentials(shared_services, from_release): {'aodh': {'hiera_user_key': 'aodh::db::postgresql::user', 'keyring_password_key': 'aodh', }, + 'barbican': {'hiera_user_key': 'barbican::db::postgresql::user', + 'keyring_password_key': 'barbican', + }, 'ceilometer': {'hiera_user_key': 'ceilometer::db::postgresql::user', 'keyring_password_key': 'ceilometer', }, @@ -583,10 +586,18 @@ def migrate_databases(from_release, shared_services, db_credentials, f.write("[database]\n") f.write(get_connection_string(db_credentials, 'keystone')) + with open("/etc/barbican/barbican-dbsync.conf", "w") as f: + f.write("[database]\n") + f.write(get_connection_string(db_credentials, 'barbican')) + migrate_commands = [ # Migrate aodh (new in R3) ('aodh', 'aodh-dbsync --config-file /etc/aodh/aodh-dbsync.conf'), + # Migrate barbican + ('barbican', + 'barbican-manage --config-file /etc/barbican/barbican-dbsync.conf ' + + 'db upgrade'), # Migrate ceilometer ('ceilometer', 'ceilometer-upgrade --skip-gnocchi-resource-types --config-file ' + 
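Review bot: The added `open("/etc/barbican/barbican-dbsync.conf", "w")` writes a connection string containing the barbican database password into a file created with the process's default umask, so unless the umask is already 077 the credentials are readable by other local users for as long as the file exists; the keystone block just above it has the same exposure. Creating the file with an explicit mode fixes this: `fd = os.open("/etc/barbican/barbican-dbsync.conf", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "w") as f:` (assuming `os` is imported in this module). migrate_databases continues outside the hunk, so I cannot see whether the dbsync files are deleted once the migrate commands have run; if they are not, removing them afterwards would close the window entirely.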
diff --git a/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py b/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py index 3365589cd7..b4e6130a76 100644 --- a/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py +++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py @@ -28,7 +28,7 @@ def get_upgrade_databases(shared_services): UPGRADE_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'murano', 'ceilometer', 'neutron', 'heat', 'nova_api', 'aodh', - 'magnum', 'panko', 'ironic') + 'magnum', 'panko', 'ironic', 'barbican') UPGRADE_DATABASE_SKIP_TABLES = {'postgres': (), 'template1': (), 'heat': (), 'nova': (), 'nova_api': (), @@ -39,6 +39,7 @@ def get_upgrade_databases(shared_services): 'magnum': (), 'panko': (), 'ironic': (), + 'barbican': (), 'ceilometer': ('metadata_bool', 'metadata_float', 'metadata_int', diff --git a/puppet-manifests/centos/puppet-manifests.spec b/puppet-manifests/centos/puppet-manifests.spec index 7717aa38d6..410fbabb2b 100644 --- a/puppet-manifests/centos/puppet-manifests.spec +++ b/puppet-manifests/centos/puppet-manifests.spec @@ -25,6 +25,7 @@ Requires: puppet-fm # Openstack puppet modules Requires: puppet-aodh +Requires: puppet-barbican Requires: puppet-ceilometer Requires: puppet-ceph Requires: puppet-cinder diff --git a/puppet-manifests/src/hieradata/controller.yaml b/puppet-manifests/src/hieradata/controller.yaml index e76cc0da14..4a8900d4f2 100644 --- a/puppet-manifests/src/hieradata/controller.yaml +++ b/puppet-manifests/src/hieradata/controller.yaml 
@@ -544,3 +544,22 @@ fm::db::sync::user: 'root' fm::database_idle_timeout: 60 fm::database_max_overflow: 20 fm::database_max_pool_size: 1 + +# Barbican +barbican::use_syslog: true +barbican::log_facility: 'local2' +barbican::database_idle_timeout: 60 +barbican::database_max_pool_size: 1 +barbican::database_max_overflow: 10 +barbican::alarm_history_time_to_live: 86400 + +barbican::auth::auth_endpoint_type: 'internalURL' + +barbican::db::sync::user: 'root' + +barbican::api::enabled: false +barbican::api::service_name: 'barbican-api' +barbican::api::enable_proxy_headers_parsing: true + +barbican::keystone-listener::enabled: false +barbican::worker::enabled: false diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp index 886218bb55..6c8af8e3d3 100644 --- a/puppet-manifests/src/manifests/controller.pp +++ b/puppet-manifests/src/manifests/controller.pp @@ -132,6 +132,9 @@ include ::platform::smapi include ::openstack::swift include ::openstack::swift::api +include ::openstack::barbican +include ::openstack::barbican::api + include ::platform::sm class { '::platform::config::controller::post': diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp new file mode 100644 index 0000000000..e73bae9adb --- /dev/null +++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp 
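Review bot: Two of the new hiera keys look like copy residue from the aodh block rather than barbican settings: `barbican::alarm_history_time_to_live: 86400` names a parameter barbican has no counterpart for (alarm history is an aodh concept), and `barbican::keystone-listener::enabled: false` can never bind to a class parameter because Puppet class names cannot contain a hyphen (the puppet-barbican listener class is `barbican::keystone::listener`, as far as I know). The first is harmless but misleading; the second silently leaves the listener's `enabled` at the module default, which matters because sm.pp in this change provisions `barbican-keystone-listener` as an SM-managed instance. Suggest dropping the alarm key and renaming the second to `barbican::keystone::listener::enabled: false`, then verifying the listener class is actually declared somewhere, since barbican.pp in this change only declares `::barbican::keystone::notification`.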
@@ -0,0 +1,123 @@ +class openstack::barbican::params ( + $api_port = 9311, + $region_name = undef, + $service_name = 'barbican-api', + $service_create = false, + $service_enabled = true, +) { } + + +class openstack::barbican + inherits ::openstack::barbican::params { + + if $service_enabled { + + include ::platform::params + + if $::platform::params::init_keystone { + include ::barbican::keystone::auth + include ::barbican::keystone::authtoken + } + + if $::platform::params::init_database { + include ::barbican::db::postgresql + } + + barbican_config { + 'service_credentials/interface': value => 'internalURL' + } + + cron { 'barbican-cleaner': + ensure => 'present', + command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '50', + hour => '*/24', + user => 'root', + } + } +} + + +class openstack::barbican::firewall + inherits ::openstack::barbican::params { + + platform::firewall::rule { 'barbican-api': + service_name => 'barbican-api', + ports => $api_port, + } +} + + +class openstack::barbican::haproxy + inherits ::openstack::barbican::params { + + platform::haproxy::proxy { 'barbican-restapi': + server_name => 's-barbican-restapi', + public_port => $api_port, + private_port => $api_port, + } +} + + +class openstack::barbican::api + inherits ::openstack::barbican::params { + include ::platform::params + + # The barbican user and service are always required and they + # are used by subclouds when the service itself is disabled + # on System Controller + # whether it creates the endpoint is determined by + # barbican::keystone::auth::configure_endpoint which is + # set via sysinv puppet + if ($::openstack::barbican::params::service_create and + $::platform::params::init_keystone) { + include ::barbican::keystone::auth + $bu_name = $::barbican::keystone::auth::auth_name + $bu_tenant = $::barbican::keystone::auth::tenant + + keystone_role { 'creator': + ensure => 
present, + } + keystone_user_role { "${bu_name}@${bu_tenant}": + ensure => present, + roles => ['admin', 'creator'], + } + } + + if $service_enabled { + + $api_workers = $::platform::params::eng_workers + + file_line { 'Modify workers in gunicorn-config.py': + path => '/etc/barbican/gunicorn-config.py', + line => "workers = '${api_workers}'", + match => '.*workers = .*', + tag => 'modify-workers', + } + + include ::platform::network::mgmt::params + $api_host = $::platform::network::mgmt::params::controller_address + $api_fqdn = $::platform::params::controller_hostname + $url_host = "http://${api_fqdn}:${api_port}" + + include ::platform::amqp::params + + class { '::barbican::api': + bind_host => $api_host, + bind_port => $api_port, + host_href => $url_host, + sync_db => $::platform::params::init_database, + enable_proxy_headers_parsing => true, + rabbit_use_ssl => $::platform::amqp::params::ssl_enabled, + default_transport_url => $::platform::amqp::params::transport_url, + } + + class { '::barbican::keystone::notification': + enable_keystone_notification => true, + } + + include ::openstack::barbican::firewall + include ::openstack::barbican::haproxy + } +} diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index e3bc1202ee..ef8841ac79 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp @@ -395,6 +395,11 @@ class openstack::keystone::endpoint::runtime { include ::platform::ceph::rgw::keystone::auth } + include ::openstack::barbican::params + if $::openstack::barbican::params::service_enabled { + include ::barbican::keystone::auth + } + if $::platform::params::distributed_cloud_role =='systemcontroller' { include ::dcorch::keystone::auth include ::dcmanager::keystone::auth 
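Review bot: `barbican_config { 'service_credentials/interface': value => 'internalURL' }` in openstack::barbican writes a `[service_credentials]` section that the telemetry services read but barbican itself does not, as far as I can tell, so it looks like copy residue and should be confirmed or dropped. In the cron resource `hour => '*/24'` only ever matches hour 0 while reading as "every 24 hours"; `hour => '0'` says the same thing plainly. In openstack::barbican::api the service user is granted `roles => ['admin', 'creator']` on its tenant; `creator` is what barbican's default policy expects, so if `admin` is only there by analogy with other service users, a comment explaining why the key-manager service account needs it (or dropping it) is worth adding. Note also that only `::barbican::keystone::notification` is declared here while sm.pp provisions a `barbican-keystone-listener` instance; the listener class itself does not appear on this page.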
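Review bot: The runtime endpoint block gates `include ::barbican::keystone::auth` on `$::openstack::barbican::params::service_enabled`, whereas openstack::barbican::api in this same change gates the equivalent include on `service_create` precisely so that the user and service exist even when the service is disabled (its comment cites subclouds). With barbican disabled but created, a runtime endpoint reconfiguration would therefore skip barbican's keystone auth; if that is unintended, `if $::openstack::barbican::params::service_create {` keeps the two paths consistent. The enclosing class continues outside the hunk.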
diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb b/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb index 5ea2090dee..42f858aaff 100644 --- a/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb +++ b/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb @@ -13,6 +13,7 @@ "protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s", "protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s", "protected_services": [["'aodh':%(target.user.name)s"], + ["'barbican':%(target.user.name)s"], ["'ceilometer':%(target.user.name)s"], ["'cinder':%(target.user.name)s"], ["'glance':%(target.user.name)s"], diff --git a/puppet-manifests/src/modules/platform/manifests/haproxy.pp b/puppet-manifests/src/modules/platform/manifests/haproxy.pp index 0c3fd9aacf..2cae8d3f42 100644 --- a/puppet-manifests/src/modules/platform/manifests/haproxy.pp +++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp @@ -154,6 +154,7 @@ class platform::haproxy::runtime { include ::openstack::panko::haproxy include ::openstack::gnocchi::haproxy include ::openstack::swift::haproxy + include ::openstack::barbican::haproxy class {'::platform::haproxy::reload': stage => post diff --git a/puppet-manifests/src/modules/platform/manifests/postgresql.pp b/puppet-manifests/src/modules/platform/manifests/postgresql.pp index 60a0d9e799..371ed42c02 100644 --- a/puppet-manifests/src/modules/platform/manifests/postgresql.pp +++ b/puppet-manifests/src/modules/platform/manifests/postgresql.pp @@ -198,6 +198,7 @@ class platform::postgresql::upgrade } include ::aodh::db::postgresql + include ::barbican::db::postgresql include ::cinder::db::postgresql include ::glance::db::postgresql include ::gnocchi::db::postgresql 
diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index b3fa1bc516..e6630c7f5b 100755 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp @@ -232,6 +232,9 @@ class platform::sm # Panko include ::openstack::panko::params + # Barbican + include ::openstack::barbican::params + if $system_mode == 'simplex' { $hostunit = '0' $management_my_unit_ip = $::platform::network::mgmt::params::controller0_address @@ -285,6 +288,7 @@ class platform::sm $gnocchi_enabled = false $aodh_enabled = false $panko_enabled = false + $barbican_enabled = false } else { $heat_service_enabled = $::openstack::heat::params::service_enabled $murano_configured = $::openstack::murano::params::service_enabled @@ -293,6 +297,7 @@ class platform::sm $gnocchi_enabled = $::openstack::gnocchi::params::service_enabled $aodh_enabled = $::openstack::aodh::params::service_enabled $panko_enabled = $::openstack::panko::params::service_enabled + $barbican_enabled = $::openstack::barbican::params::service_enabled } if $system_mode == 'simplex' { 
@@ -1013,6 +1018,49 @@ class platform::sm command => "sm-configure service_instance ironic-conductor ironic-conductor \"config=/etc/ironic/ironic.conf,tftproot=${ironic_tftproot}\"", } + # Barbican + if $barbican_enabled { + + exec { 'Configure OpenStack - Barbican API': + command => "sm-configure service_instance barbican-api barbican-api \"config=/etc/barbican/barbican.conf\"", + } + + exec { 'Configure OpenStack - Barbican Keystone Listener': + command => "sm-configure service_instance barbican-keystone-listener barbican-keystone-listener \"config=/etc/barbican/barbican.conf\"", + } + + exec { 'Configure OpenStack - Barbican Worker': + command => "sm-configure service_instance barbican-worker barbican-worker \"config=/etc/barbican/barbican.conf\"", + } + } else { + exec { 'Deprovision OpenStack - Barbican API (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services barbican-api", + } -> + exec { 'Deprovision OpenStack - Barbican API (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service barbican-api", + } + + exec { 'Deprovision OpenStack - Barbican Keystone Listener (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services barbican-keystone-listener", + } -> + exec { 'Deprovision OpenStack - Barbican Keystone Listener (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service barbican-keystone-listener", + } + + exec { 'Deprovision OpenStack - Barbican Worker (service-group-member)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service-group-member cloud-services barbican-worker", + } -> + exec { 'Deprovision OpenStack - 
Barbican Worker (service)': + path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ], + command => "sm-deprovision service barbican-worker", + } + } + exec { 'Configure OpenStack - Nova Compute': command => "sm-configure service_instance nova-compute nova-compute \"config=/etc/nova/nova-ironic.conf\"", } diff --git a/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb b/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb index 3353fccf84..3ed1d83eca 100644 --- a/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb +++ b/puppet-manifests/src/modules/platform/templates/remotelogging.conf.erb @@ -17,6 +17,11 @@ rewrite r_rewrite_set{ set("<%= @system_name %> aodh-listener.log ${HOST}", value("HOST") condition(filter(f_aodhlistener))); set("<%= @system_name %> aodh-notifier.log ${HOST}", value("HOST") condition(filter(f_aodhnotifier))); set("<%= @system_name %> auth.log ${HOST}", value("HOST") condition(filter(f_auth))); + set("<%= @system_name %> barbican-api.log ${HOST}", value("HOST") condition(filter(f_barbicanapi))); + set("<%= @system_name %> barbican-dbsync.log ${HOST}", value("HOST") condition(filter(f_barbicandbsync))); + set("<%= @system_name %> barbican-keystone-listener.log ${HOST}", value("HOST") condition(filter(f_barbicankeystonelistener))); + set("<%= @system_name %> barbican-worker.log ${HOST}", value("HOST") condition(filter(f_barbicanworker))); + set("<%= @system_name %> barbican-cleaner.log ${HOST}", value("HOST") condition(filter(f_barbicancleaner))); set("<%= @system_name %> bash.log ${HOST}", value("HOST") condition(filter(f_bash))); set("<%= @system_name %> ceilometer-agent-notification.log ${HOST}", value("HOST") condition(filter(f_ceilometeragentnotification))); set("<%= @system_name %> ceilometer-upgrade.log ${HOST}", value("HOST") condition(filter(f_ceilometerupgrade))); 
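Review bot: The three `Configure OpenStack - Barbican ...` execs in the new `if $barbican_enabled` branch set no `path`, while the six deprovision execs in the else branch each repeat the same explicit path array; the preceding ironic exec also omits `path`, so either the class carries an Exec default and the six arrays are redundant, or it does not and the configure execs depend on the caller's environment. Picking one convention for the block, and hoisting the array into a local if it is needed, would make the intent clear. platform::sm continues outside the hunk.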
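Review bot: The five new `set(...)` lines reference syslog-ng filters `f_barbicanapi`, `f_barbicandbsync`, `f_barbicankeystonelistener`, `f_barbicanworker` and `f_barbicancleaner` that are not defined anywhere on this page. Unless they were introduced by an earlier change, they need adding to the syslog-ng template in the same commit, since an undefined filter name makes syslog-ng reject the configuration at load time rather than just ignoring the new lines.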
diff --git a/sysinv/sysinv/sysinv/setup.cfg b/sysinv/sysinv/sysinv/setup.cfg index 2991099568..da56d3daca 100644 --- a/sysinv/sysinv/sysinv/setup.cfg +++ b/sysinv/sysinv/sysinv/setup.cfg @@ -71,6 +71,7 @@ systemconfig.puppet_plugins = 031_fm = sysinv.puppet.fm:FmPuppet 032_swift = sysinv.puppet.swift:SwiftPuppet 033_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet + 034_barbican = sysinv.puppet.barbican:BarbicanPuppet systemconfig.helm_plugins = aodh = sysinv.helm.aodh:AodhHelm diff --git a/sysinv/sysinv/sysinv/sysinv/common/constants.py b/sysinv/sysinv/sysinv/sysinv/common/constants.py index 5112d8b029..3097b98deb 100644 --- a/sysinv/sysinv/sysinv/sysinv/common/constants.py +++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py @@ -856,6 +856,7 @@ SERVICE_TYPE_IRONIC = 'ironic' SERVICE_TYPE_PANKO = 'panko' SERVICE_TYPE_AODH = 'aodh' SERVICE_TYPE_GLANCE = 'glance' +SERVICE_TYPE_BARBICAN = 'barbican' SERVICE_PARAM_SECTION_MURANO_RABBITMQ = 'rabbitmq' SERVICE_PARAM_SECTION_MURANO_ENGINE = 'engine' diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py new file mode 100644 index 0000000000..d1da20aa41 --- /dev/null +++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py 
@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from . import openstack
+
+
+class BarbicanPuppet(openstack.OpenstackBasePuppet):
+ """Class to encapsulate puppet operations for barbican configuration"""
+
+ SERVICE_NAME = 'barbican'
+ SERVICE_PORT = 9311
+
+ def get_static_config(self):
+ dbuser = self._get_database_username(self.SERVICE_NAME)
+
+ return {
+ 'barbican::db::postgresql::user': dbuser,
+ }
+
+ def get_secure_static_config(self):
+ dbpass = self._get_database_password(self.SERVICE_NAME)
+ kspass = self._get_service_password(self.SERVICE_NAME)
+
+ return {
+ 'barbican::db::postgresql::password': dbpass,
+
+ 'barbican::keystone::auth::password': kspass,
+ 'barbican::keystone::authtoken::password': kspass,
+ }
+
+ def get_system_config(self):
+ ksuser = self._get_service_user_name(self.SERVICE_NAME)
+
+ config = {
+ 'barbican::keystone::auth::public_url': self.get_public_url(),
+ 'barbican::keystone::auth::internal_url': self.get_internal_url(),
+ 'barbican::keystone::auth::admin_url': self.get_admin_url(),
+ 'barbican::keystone::auth::auth_name': ksuser,
+ 'barbican::keystone::auth::region': self._region_name(),
+ 'barbican::keystone::auth::tenant': self._get_service_tenant_name(),
+ 'barbican::keystone::auth::configure_user_role': False,
+
+ 'barbican::keystone::authtoken::auth_url':
+ self._keystone_identity_uri(),
+ 'barbican::keystone::authtoken::auth_uri':
+ self._keystone_auth_uri(),
+
+ 'barbican::keystone::authtoken::user_domain_name':
+ self._get_service_user_domain_name(),
+ 'barbican::keystone::authtoken::project_domain_name':
+ self._get_service_project_domain_name(),
+ 'barbican::keystone::authtoken::project_name':
+ self._get_service_tenant_name(),
+ 'barbican::keystone::authtoken::region_name':
+ self._keystone_region_name(),
+ 'barbican::keystone::authtoken::username': ksuser,
+
+ 'openstack::barbican::params::region_name':
+ self._get_service_region_name(self.SERVICE_NAME),
+ 'openstack::barbican::params::service_create':
+ self._to_create_services(),
+ }
+
+ return config
+
+ def get_secure_system_config(self):
+ config = {
+ 'barbican::db::database_connection':
+ self._format_database_connection(self.SERVICE_NAME),
+ }
+
+ return config
+
+ def get_public_url(self):
+ return self._format_public_endpoint(self.SERVICE_PORT)
+
+ def get_internal_url(self):
+ return self._format_private_endpoint(self.SERVICE_PORT)
+
+ def get_admin_url(self):
+ return self._format_private_endpoint(self.SERVICE_PORT)
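Review bot: Nothing in the new plugin provisions barbican's secret-store backend or its key-encryption key; `get_secure_static_config` delivers only the DB and keystone passwords, so if the manifests fall back to puppet-barbican's simple_crypto plugin with its module default KEK, every stored secret is wrapped with a publicly known key (the backend may be configured on the manifest side, which is not visible here). If that is the case, a per-system KEK should be generated once and emitted from this method next to `dbpass`/`kspass`, the same way the other secrets are kept out of the system-level hieradata. `get_secure_system_config` correctly keeps `barbican::db::database_connection`, which embeds the DB password, in the secure tier. The methods carry no docstrings; each `get_*_config` should state which hieradata tier it feeds, e.g. `"""Secret hieradata for barbican: DB and keystone service passwords."""` on `get_secure_static_config`.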
