Barbican configuration thru Puppet and SysInv.

1. Add the new barbican DB and barbican user.
2. Support DB backup/restore and upgrades for barbican.
3. Configure barbican user and password in region config.
4. Provide Barbican configuration with appropriate data via SysInv.
5. Set up Barbican through Puppet manifests.
There are three main services that need to be configured:
- Barbican API: a RESTful API for managing secrets.
- Barbican Worker: an RPC interface for Barbican API.
- Barbican Keystone Listener: a service for Keystone changes.
Also, the HAProxy and firewall configuration need to be updated with the Barbican port (9311),
and the Remote Logging manifest needs to be updated to allow Barbican log collection.

Change-Id: I6b0b0c90456627bebde2b834b339bc968100b6f9
Story: 2003108
Task: 27700
Depends-On: I2667d56a71b7d3881c03b6a5c1e5ed61d4f0b902
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
Alex Kozyrev 2018-11-29 11:20:35 -05:00
parent 27cdaf8620
commit ebc7ac888d
38 changed files with 393 additions and 5 deletions


@ -1,3 +1,3 @@
SRC_DIR="configutilities"
COPY_LIST="$SRC_DIR/LICENSE"
TIS_PATCH_VER=35
TIS_PATCH_VER=36


@ -45,6 +45,8 @@ EXPECTED_SERVICE_NAME_AND_TYPE = (
"GNOCCHI_SERVICE_TYPE": "metric",
"FM_SERVICE_NAME": "fm",
"FM_SERVICE_TYPE": "faultmanagement",
"BARBICAN_SERVICE_NAME": "barbican",
"BARBICAN_SERVICE_TYPE": "key-manager",
})


@ -1048,6 +1048,14 @@ class ConfigValidator(object):
fm_password = get_optional(self.conf, 'REGION_2_SERVICES',
'FM_PASSWORD')
# validate barbican service name and type
get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_NAME')
get_service(self.conf, 'REGION_2_SERVICES', 'BARBICAN_SERVICE_TYPE')
barbican_user_name = self.conf.get('REGION_2_SERVICES',
'BARBICAN_USER_NAME')
barbican_password = get_optional(self.conf, 'REGION_2_SERVICES',
'BARBICAN_PASSWORD')
if self.conf.has_option('REGION_2_SERVICES', 'USER_DOMAIN_NAME'):
user_domain = self.conf.get('REGION_2_SERVICES',
'USER_DOMAIN_NAME')
@ -1158,6 +1166,10 @@ class ConfigValidator(object):
self.cgcs_conf.set('cREGION', 'GNOCCHI_PASSWORD', gnocchi_password)
self.cgcs_conf.set('cREGION', 'FM_USER_NAME', fm_user_name)
self.cgcs_conf.set('cREGION', 'FM_PASSWORD', fm_password)
self.cgcs_conf.set('cREGION', 'BARBICAN_USER_NAME',
barbican_user_name)
self.cgcs_conf.set('cREGION', 'BARBICAN_PASSWORD',
barbican_password)
self.cgcs_conf.set('cREGION', 'USER_DOMAIN_NAME',
user_domain)


@ -731,6 +731,7 @@ class REG2SERVICESPage2(ConfigPage):
self.fields['GNOCCHI_PASSWORD'] = Field(
text="GNOCCHI user password",
type=TYPES.string, initial="")
self.fields['FM_USER_NAME'] = Field(
text="FM username",
type=TYPES.string, initial="fm")
@ -738,6 +739,13 @@ class REG2SERVICESPage2(ConfigPage):
text="FM user password",
type=TYPES.string, initial="")
self.fields['BARBICAN_USER_NAME'] = Field(
text="Barbican username",
type=TYPES.string, initial="barbican")
self.fields['BARBICAN_PASSWORD'] = Field(
text="Barbican user password",
type=TYPES.string, initial="")
def validate_page(self):
self.prev.validate_page()
super(REG2SERVICESPage2, self).validate_page()


@ -1,2 +1,2 @@
SRC_DIR="controllerconfig"
TIS_PATCH_VER=148
TIS_PATCH_VER=149


@ -70,7 +70,7 @@ def get_backup_databases(cinder_config=False):
REGION_LOCAL_DATABASES = ('postgres', 'template1', 'nova', 'sysinv',
'neutron', 'heat', 'nova_api',
'aodh', 'murano', 'magnum', 'panko', 'ironic',
'nova_cell0', 'gnocchi', 'fm')
'nova_cell0', 'gnocchi', 'fm', 'barbican')
REGION_SHARED_DATABASES = ('glance', 'keystone')
if cinder_config:


@ -509,6 +509,8 @@ class ConfigAssistant():
self.nfv_ks_password = ""
self.fm_ks_user_name = ""
self.fm_ks_password = ""
self.barbican_ks_user_name = ""
self.barbican_ks_password = ""
self.ldap_region_name = ""
self.ldap_service_name = ""
@ -2894,6 +2896,13 @@ class ConfigAssistant():
self.add_password_for_validation('FM_PASSWORD',
self.fm_ks_password)
self.barbican_ks_user_name = config.get(
'cREGION', 'BARBICAN_USER_NAME')
self.barbican_ks_password = config.get(
'cREGION', 'BARBICAN_PASSWORD')
self.add_password_for_validation('BARBICAN_PASSWORD',
self.barbican_ks_password)
self.shared_services.append(self.keystone_service_type)
if self.glance_region_name == self.region_1_name:
self.shared_services.append(self.glance_service_type)
@ -3469,6 +3478,10 @@ class ConfigAssistant():
self.fm_ks_user_name)
f.write("FM_PASSWORD=%s\n" %
self.fm_ks_password)
f.write("BARBICAN_USER_NAME=%s\n" %
self.barbican_ks_user_name)
f.write("BARBICAN_PASSWORD=%s\n" %
self.barbican_ks_password)
# Subcloud configuration
if self.subcloud_config():
@ -3974,6 +3987,14 @@ class ConfigAssistant():
'capabilities': capabilities}
client.sysinv.sm_service.service_create(**values)
# barbican service config
capabilities = {'user_name': self.barbican_ks_user_name}
values = {'name': "barbican",
'enabled': True,
'region_name': self.region_2_name,
'capabilities': capabilities}
client.sysinv.sm_service.service_create(**values)
def _store_service_password(self):
# store service password in the temporary keyring vault
@ -4035,6 +4056,10 @@ class ConfigAssistant():
keyring.set_password('fm', constants.DEFAULT_SERVICE_PROJECT_NAME,
self.fm_ks_password)
keyring.set_password('barbican',
constants.DEFAULT_SERVICE_PROJECT_NAME,
self.barbican_ks_password)
del os.environ["XDG_DATA_HOME"]
def _populate_network_config(self, client):
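Review bot: The new `f.write("BARBICAN_PASSWORD=%s\n" % self.barbican_ks_password)` puts the key manager's Keystone service password into the generated config file in cleartext, and nothing in these hunks shows that file being created with a restrictive mode. It follows the FM lines directly above, so the exposure is not new, but this credential authenticates the service that manages secrets for the rest of the system. Please confirm the file is readable by root only, or that the value is dropped from it once `keyring.set_password('barbican', ...)` has stored it. The enclosing methods start and end outside the visible hunks.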


@ -56,7 +56,8 @@ EXPECTED_USERS = [
('REGION_2_SERVICES', 'MTCE', 'mtce'),
('REGION_2_SERVICES', 'PANKO', 'panko'),
('REGION_2_SERVICES', 'GNOCCHI', 'gnocchi'),
('REGION_2_SERVICES', 'FM', 'fm')]
('REGION_2_SERVICES', 'FM', 'fm'),
('REGION_2_SERVICES', 'BARBICAN', 'barbican')]
EXPECTED_SHARED_SERVICES_NEUTRON_USER = ('SHARED_SERVICES', 'NEUTRON',
'neutron')
@ -135,6 +136,11 @@ EXPECTED_REGION2_ENDPOINTS = [
'http://{}:18002',
'http://{}:18002',
'Fault Management Service'),
('BARBICAN_SERVICE_NAME', 'BARBICAN_SERVICE_TYPE',
'http://{}:9311',
'http://{}:9311',
'http://{}:9311',
'OpenStack Key Manager Service'),
]
EXPECTED_NEUTRON_ENDPOINT = (


@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fmTWO
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -112,6 +112,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
GNOCCHI_PASSWORD = password2WO*
FM_USER_NAME = fmTWO
FM_PASSWORD = password2WO*
BARBICAN_USER_NAME = barbican
BARBICAN_PASSWORD = barbican2WO*
USER_DOMAIN_NAME = service_domain
PROJECT_DOMAIN_NAME = service_domain
KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0


@ -119,6 +119,8 @@ GNOCCHI_USER_NAME=gnocchiTWO
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fmTWO
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -110,6 +110,8 @@ GNOCCHI_USER_NAME = gnocchiTWO
GNOCCHI_PASSWORD = password2WO*
FM_USER_NAME = fmTWO
FM_PASSWORD = password2WO*
BARBICAN_USER_NAME = barbican
BARBICAN_PASSWORD = barbican2WO*
USER_DOMAIN_NAME = Default
PROJECT_DOMAIN_NAME = Default
KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0


@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
MTCE_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[cAUTHENTICATION]
ADMIN_PASSWORD=Li69nux*


@ -133,6 +133,8 @@ MTCE_USER_NAME=mtce
MTCE_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[cAUTHENTICATION]
ADMIN_PASSWORD=Li69nux*


@ -115,6 +115,8 @@ GNOCCHI_USER_NAME=gnocchi
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -115,6 +115,8 @@ GNOCCHI_USER_NAME = gnocchi
GNOCCHI_PASSWORD = password2WO*
FM_USER_NAME = fm
FM_PASSWORD = password2WO*
BARBICAN_USER_NAME = barbican
BARBICAN_PASSWORD = barbican2WO*
USER_DOMAIN_NAME = Default
PROJECT_DOMAIN_NAME = Default
KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0


@ -125,6 +125,8 @@ GNOCCHI_USER_NAME=gnocchi
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -105,6 +105,8 @@ GNOCCHI_USER_NAME = gnocchi
GNOCCHI_PASSWORD = password2WO*
FM_USER_NAME = fm
FM_PASSWORD = password2WO*
BARBICAN_USER_NAME = barbican
BARBICAN_PASSWORD = barbican2WO*
USER_DOMAIN_NAME = Default
PROJECT_DOMAIN_NAME = Default
KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0


@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
GNOCCHI_PASSWORD = password2WO*
FM_USER_NAME = fm
FM_PASSWORD = password2WO*
BARBICAN_USER_NAME = barbican
BARBICAN_PASSWORD = barbican2WO*
USER_DOMAIN_NAME = Default
PROJECT_DOMAIN_NAME = Default
KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0


@ -121,6 +121,8 @@ GNOCCHI_USER_NAME=gnocchi
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -122,6 +122,8 @@ GNOCCHI_USER_NAME=gnocchi
GNOCCHI_PASSWORD=password2WO*
FM_USER_NAME=fm
FM_PASSWORD=password2WO*
BARBICAN_USER_NAME=barbican
BARBICAN_PASSWORD=barbican2WO*
[VERSION]
RELEASE = TEST.SW.VERSION


@ -93,6 +93,8 @@ GNOCCHI_USER_NAME = gnocchi
GNOCCHI_PASSWORD = password2WO*
FM_USER_NAME = fm
FM_PASSWORD = password2WO*
BARBICAN_USER_NAME = barbican
BARBICAN_PASSWORD = barbican2WO*
USER_DOMAIN_NAME = Default
PROJECT_DOMAIN_NAME = Default
KEYSTONE_AUTH_URI = http://192.168.204.12:8081/keystone/main/v2.0


@ -72,6 +72,9 @@ def get_db_credentials(shared_services, from_release):
{'aodh': {'hiera_user_key': 'aodh::db::postgresql::user',
'keyring_password_key': 'aodh',
},
'barbican': {'hiera_user_key': 'barbican::db::postgresql::user',
'keyring_password_key': 'barbican',
},
'ceilometer': {'hiera_user_key': 'ceilometer::db::postgresql::user',
'keyring_password_key': 'ceilometer',
},
@ -583,10 +586,18 @@ def migrate_databases(from_release, shared_services, db_credentials,
f.write("[database]\n")
f.write(get_connection_string(db_credentials, 'keystone'))
with open("/etc/barbican/barbican-dbsync.conf", "w") as f:
f.write("[database]\n")
f.write(get_connection_string(db_credentials, 'barbican'))
migrate_commands = [
# Migrate aodh (new in R3)
('aodh',
'aodh-dbsync --config-file /etc/aodh/aodh-dbsync.conf'),
# Migrate barbican
('barbican',
'barbican-manage --config-file /etc/barbican/barbican-dbsync.conf ' +
'db upgrade'),
# Migrate ceilometer
('ceilometer',
'ceilometer-upgrade --skip-gnocchi-resource-types --config-file ' +
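Review bot: `open("/etc/barbican/barbican-dbsync.conf", "w")` creates the file with whatever mode the process umask allows, and the next line writes the barbican database connection string into it, which presumably carries the DB password. Create it owner-only instead, e.g. `fd = os.open(conf_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "w") as f:` (conf_path standing for the path above; the mode is applied only when the file is created, so an existing file also needs a chmod). The keystone file written just above uses the same pattern, and whether these temporary configs are deleted after the migration is not visible here. migrate_databases starts and ends outside the hunk.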


@ -28,7 +28,7 @@ def get_upgrade_databases(shared_services):
UPGRADE_DATABASES = ('postgres', 'template1', 'nova', 'sysinv', 'murano',
'ceilometer', 'neutron', 'heat', 'nova_api', 'aodh',
'magnum', 'panko', 'ironic')
'magnum', 'panko', 'ironic', 'barbican')
UPGRADE_DATABASE_SKIP_TABLES = {'postgres': (), 'template1': (),
'heat': (), 'nova': (), 'nova_api': (),
@ -39,6 +39,7 @@ def get_upgrade_databases(shared_services):
'magnum': (),
'panko': (),
'ironic': (),
'barbican': (),
'ceilometer': ('metadata_bool',
'metadata_float',
'metadata_int',


@ -25,6 +25,7 @@ Requires: puppet-fm
# Openstack puppet modules
Requires: puppet-aodh
Requires: puppet-barbican
Requires: puppet-ceilometer
Requires: puppet-ceph
Requires: puppet-cinder


@ -544,3 +544,22 @@ fm::db::sync::user: 'root'
fm::database_idle_timeout: 60
fm::database_max_overflow: 20
fm::database_max_pool_size: 1
# Barbican
barbican::use_syslog: true
barbican::log_facility: 'local2'
barbican::database_idle_timeout: 60
barbican::database_max_pool_size: 1
barbican::database_max_overflow: 10
barbican::alarm_history_time_to_live: 86400
barbican::auth::auth_endpoint_type: 'internalURL'
barbican::db::sync::user: 'root'
barbican::api::enabled: false
barbican::api::service_name: 'barbican-api'
barbican::api::enable_proxy_headers_parsing: true
barbican::keystone-listener::enabled: false
barbican::worker::enabled: false
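Review bot: Two of the new keys look like they will never bind to a class parameter. `barbican::alarm_history_time_to_live: 86400` reads like a carry-over from the aodh block, and `barbican::keystone-listener::enabled: false` contains a hyphen, which Puppet does not accept in class names, so automatic parameter lookup would silently ignore it. If the intent is to keep the listener stopped until SM starts it, the key has to match the class the puppet-barbican module actually declares; that module is not visible from here, so please check both keys against it.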


@ -132,6 +132,9 @@ include ::platform::smapi
include ::openstack::swift
include ::openstack::swift::api
include ::openstack::barbican
include ::openstack::barbican::api
include ::platform::sm
class { '::platform::config::controller::post':


@ -0,0 +1,123 @@
class openstack::barbican::params (
$api_port = 9311,
$region_name = undef,
$service_name = 'barbican-api',
$service_create = false,
$service_enabled = true,
) { }
class openstack::barbican
inherits ::openstack::barbican::params {
if $service_enabled {
include ::platform::params
if $::platform::params::init_keystone {
include ::barbican::keystone::auth
include ::barbican::keystone::authtoken
}
if $::platform::params::init_database {
include ::barbican::db::postgresql
}
barbican_config {
'service_credentials/interface': value => 'internalURL'
}
cron { 'barbican-cleaner':
ensure => 'present',
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
environment => 'PATH=/bin:/usr/bin:/usr/sbin',
minute => '50',
hour => '*/24',
user => 'root',
}
}
}
class openstack::barbican::firewall
inherits ::openstack::barbican::params {
platform::firewall::rule { 'barbican-api':
service_name => 'barbican-api',
ports => $api_port,
}
}
class openstack::barbican::haproxy
inherits ::openstack::barbican::params {
platform::haproxy::proxy { 'barbican-restapi':
server_name => 's-barbican-restapi',
public_port => $api_port,
private_port => $api_port,
}
}
class openstack::barbican::api
inherits ::openstack::barbican::params {
include ::platform::params
# The barbican user and service are always required and they
# are used by subclouds when the service itself is disabled
# on System Controller
# whether it creates the endpoint is determined by
# barbican::keystone::auth::configure_endpoint which is
# set via sysinv puppet
if ($::openstack::barbican::params::service_create and
$::platform::params::init_keystone) {
include ::barbican::keystone::auth
$bu_name = $::barbican::keystone::auth::auth_name
$bu_tenant = $::barbican::keystone::auth::tenant
keystone_role { 'creator':
ensure => present,
}
keystone_user_role { "${bu_name}@${bu_tenant}":
ensure => present,
roles => ['admin', 'creator'],
}
}
if $service_enabled {
$api_workers = $::platform::params::eng_workers
file_line { 'Modify workers in gunicorn-config.py':
path => '/etc/barbican/gunicorn-config.py',
line => "workers = '${api_workers}'",
match => '.*workers = .*',
tag => 'modify-workers',
}
include ::platform::network::mgmt::params
$api_host = $::platform::network::mgmt::params::controller_address
$api_fqdn = $::platform::params::controller_hostname
$url_host = "http://${api_fqdn}:${api_port}"
include ::platform::amqp::params
class { '::barbican::api':
bind_host => $api_host,
bind_port => $api_port,
host_href => $url_host,
sync_db => $::platform::params::init_database,
enable_proxy_headers_parsing => true,
rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
default_transport_url => $::platform::amqp::params::transport_url,
}
class { '::barbican::keystone::notification':
enable_keystone_notification => true,
}
include ::openstack::barbican::firewall
include ::openstack::barbican::haproxy
}
}
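Review bot: `$url_host = "http://${api_fqdn}:${api_port}"` hard-codes plain HTTP into `host_href`, which Barbican uses to build the secret references it hands back to clients, so on a system whose public endpoints are HTTPS the returned references would still point at an unencrypted URL. Either derive the scheme from the platform's HTTPS setting or add a comment such as `# host_href is internal-only; TLS for external clients is terminated at HAProxy` if that is the intended design. Separately, `hour => '*/24'` in the `barbican-cleaner` cron only ever matches hour 0, so `hour => '0'` would say the same thing without making the reader work it out.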


@ -395,6 +395,11 @@ class openstack::keystone::endpoint::runtime {
include ::platform::ceph::rgw::keystone::auth
}
include ::openstack::barbican::params
if $::openstack::barbican::params::service_enabled {
include ::barbican::keystone::auth
}
if $::platform::params::distributed_cloud_role =='systemcontroller' {
include ::dcorch::keystone::auth
include ::dcmanager::keystone::auth


@ -13,6 +13,7 @@
"protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s",
"protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s",
"protected_services": [["'aodh':%(target.user.name)s"],
["'barbican':%(target.user.name)s"],
["'ceilometer':%(target.user.name)s"],
["'cinder':%(target.user.name)s"],
["'glance':%(target.user.name)s"],


@ -154,6 +154,7 @@ class platform::haproxy::runtime {
include ::openstack::panko::haproxy
include ::openstack::gnocchi::haproxy
include ::openstack::swift::haproxy
include ::openstack::barbican::haproxy
class {'::platform::haproxy::reload':
stage => post


@ -198,6 +198,7 @@ class platform::postgresql::upgrade
}
include ::aodh::db::postgresql
include ::barbican::db::postgresql
include ::cinder::db::postgresql
include ::glance::db::postgresql
include ::gnocchi::db::postgresql


@ -232,6 +232,9 @@ class platform::sm
# Panko
include ::openstack::panko::params
# Barbican
include ::openstack::barbican::params
if $system_mode == 'simplex' {
$hostunit = '0'
$management_my_unit_ip = $::platform::network::mgmt::params::controller0_address
@ -285,6 +288,7 @@ class platform::sm
$gnocchi_enabled = false
$aodh_enabled = false
$panko_enabled = false
$barbican_enabled = false
} else {
$heat_service_enabled = $::openstack::heat::params::service_enabled
$murano_configured = $::openstack::murano::params::service_enabled
@ -293,6 +297,7 @@ class platform::sm
$gnocchi_enabled = $::openstack::gnocchi::params::service_enabled
$aodh_enabled = $::openstack::aodh::params::service_enabled
$panko_enabled = $::openstack::panko::params::service_enabled
$barbican_enabled = $::openstack::barbican::params::service_enabled
}
if $system_mode == 'simplex' {
@ -1013,6 +1018,49 @@ class platform::sm
command => "sm-configure service_instance ironic-conductor ironic-conductor \"config=/etc/ironic/ironic.conf,tftproot=${ironic_tftproot}\"",
}
# Barbican
if $barbican_enabled {
exec { 'Configure OpenStack - Barbican API':
command => "sm-configure service_instance barbican-api barbican-api \"config=/etc/barbican/barbican.conf\"",
}
exec { 'Configure OpenStack - Barbican Keystone Listener':
command => "sm-configure service_instance barbican-keystone-listener barbican-keystone-listener \"config=/etc/barbican/barbican.conf\"",
}
exec { 'Configure OpenStack - Barbican Worker':
command => "sm-configure service_instance barbican-worker barbican-worker \"config=/etc/barbican/barbican.conf\"",
}
} else {
exec { 'Deprovision OpenStack - Barbican API (service-group-member)':
path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
command => "sm-deprovision service-group-member cloud-services barbican-api",
} ->
exec { 'Deprovision OpenStack - Barbican API (service)':
path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
command => "sm-deprovision service barbican-api",
}
exec { 'Deprovision OpenStack - Barbican Keystone Listener (service-group-member)':
path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
command => "sm-deprovision service-group-member cloud-services barbican-keystone-listener",
} ->
exec { 'Deprovision OpenStack - Barbican Keystone Listener (service)':
path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
command => "sm-deprovision service barbican-keystone-listener",
}
exec { 'Deprovision OpenStack - Barbican Worker (service-group-member)':
path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
command => "sm-deprovision service-group-member cloud-services barbican-worker",
} ->
exec { 'Deprovision OpenStack - Barbican Worker (service)':
path => [ '/usr/bin', '/usr/sbin', '/usr/local/bin', '/etc', '/sbin', '/bin' ],
command => "sm-deprovision service barbican-worker",
}
}
exec { 'Configure OpenStack - Nova Compute':
command => "sm-configure service_instance nova-compute nova-compute \"config=/etc/nova/nova-ironic.conf\"",
}


@ -17,6 +17,11 @@ rewrite r_rewrite_set{
set("<%= @system_name %> aodh-listener.log ${HOST}", value("HOST") condition(filter(f_aodhlistener)));
set("<%= @system_name %> aodh-notifier.log ${HOST}", value("HOST") condition(filter(f_aodhnotifier)));
set("<%= @system_name %> auth.log ${HOST}", value("HOST") condition(filter(f_auth)));
set("<%= @system_name %> barbican-api.log ${HOST}", value("HOST") condition(filter(f_barbicanapi)));
set("<%= @system_name %> barbican-dbsync.log ${HOST}", value("HOST") condition(filter(f_barbicandbsync)));
set("<%= @system_name %> barbican-keystone-listener.log ${HOST}", value("HOST") condition(filter(f_barbicankeystonelistener)));
set("<%= @system_name %> barbican-worker.log ${HOST}", value("HOST") condition(filter(f_barbicanworker)));
set("<%= @system_name %> barbican-cleaner.log ${HOST}", value("HOST") condition(filter(f_barbicancleaner)));
set("<%= @system_name %> bash.log ${HOST}", value("HOST") condition(filter(f_bash)));
set("<%= @system_name %> ceilometer-agent-notification.log ${HOST}", value("HOST") condition(filter(f_ceilometeragentnotification)));
set("<%= @system_name %> ceilometer-upgrade.log ${HOST}", value("HOST") condition(filter(f_ceilometerupgrade)));
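Review bot: The five new `set(...)` lines reference `f_barbicanapi`, `f_barbicandbsync`, `f_barbicankeystonelistener`, `f_barbicanworker` and `f_barbicancleaner`, but no file section in this commit defines those filters. If they are not supplied by the change named in Depends-On, syslog-ng would presumably reject the rendered configuration and remote log collection would stop for every service, not only Barbican. Please confirm where the filters are defined, and note it in a comment next to these lines, e.g. `# f_barbican* filters are defined in the base syslog-ng configuration`.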


@ -71,6 +71,7 @@ systemconfig.puppet_plugins =
031_fm = sysinv.puppet.fm:FmPuppet
032_swift = sysinv.puppet.swift:SwiftPuppet
033_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet
034_barbican = sysinv.puppet.barbican:BarbicanPuppet
systemconfig.helm_plugins =
aodh = sysinv.helm.aodh:AodhHelm


@ -856,6 +856,7 @@ SERVICE_TYPE_IRONIC = 'ironic'
SERVICE_TYPE_PANKO = 'panko'
SERVICE_TYPE_AODH = 'aodh'
SERVICE_TYPE_GLANCE = 'glance'
SERVICE_TYPE_BARBICAN = 'barbican'
SERVICE_PARAM_SECTION_MURANO_RABBITMQ = 'rabbitmq'
SERVICE_PARAM_SECTION_MURANO_ENGINE = 'engine'


@ -0,0 +1,84 @@
#
# Copyright (c) 2018 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
from . import openstack
class BarbicanPuppet(openstack.OpenstackBasePuppet):
"""Class to encapsulate puppet operations for barbican configuration"""
SERVICE_NAME = 'barbican'
SERVICE_PORT = 9311
def get_static_config(self):
dbuser = self._get_database_username(self.SERVICE_NAME)
return {
'barbican::db::postgresql::user': dbuser,
}
def get_secure_static_config(self):
dbpass = self._get_database_password(self.SERVICE_NAME)
kspass = self._get_service_password(self.SERVICE_NAME)
return {
'barbican::db::postgresql::password': dbpass,
'barbican::keystone::auth::password': kspass,
'barbican::keystone::authtoken::password': kspass,
}
def get_system_config(self):
ksuser = self._get_service_user_name(self.SERVICE_NAME)
config = {
'barbican::keystone::auth::public_url': self.get_public_url(),
'barbican::keystone::auth::internal_url': self.get_internal_url(),
'barbican::keystone::auth::admin_url': self.get_admin_url(),
'barbican::keystone::auth::auth_name': ksuser,
'barbican::keystone::auth::region': self._region_name(),
'barbican::keystone::auth::tenant': self._get_service_tenant_name(),
'barbican::keystone::auth::configure_user_role': False,
'barbican::keystone::authtoken::auth_url':
self._keystone_identity_uri(),
'barbican::keystone::authtoken::auth_uri':
self._keystone_auth_uri(),
'barbican::keystone::authtoken::user_domain_name':
self._get_service_user_domain_name(),
'barbican::keystone::authtoken::project_domain_name':
self._get_service_project_domain_name(),
'barbican::keystone::authtoken::project_name':
self._get_service_tenant_name(),
'barbican::keystone::authtoken::region_name':
self._keystone_region_name(),
'barbican::keystone::authtoken::username': ksuser,
'openstack::barbican::params::region_name':
self._get_service_region_name(self.SERVICE_NAME),
'openstack::barbican::params::service_create':
self._to_create_services(),
}
return config
def get_secure_system_config(self):
config = {
'barbican::db::database_connection':
self._format_database_connection(self.SERVICE_NAME),
}
return config
def get_public_url(self):
return self._format_public_endpoint(self.SERVICE_PORT)
def get_internal_url(self):
return self._format_private_endpoint(self.SERVICE_PORT)
def get_admin_url(self):
return self._format_private_endpoint(self.SERVICE_PORT)
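Review bot: None of the BarbicanPuppet methods has a docstring, and the split between the plain and the `get_secure_*` methods is the part a maintainer most needs spelled out. I would add to `get_secure_static_config` something like `"""Return the barbican DB and Keystone service passwords; the values are secrets and must not be logged."""`, and to `get_secure_system_config` `"""Return the database connection string (expected to embed the DB credentials)."""`; the latter is my reading of `_format_database_connection`, whose body is not shown. `get_admin_url` and `get_internal_url` return the same private endpoint, so a one-line comment stating that the admin endpoint deliberately uses the private address would stop someone from changing it later.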