authorAlex Kozyrev <alex.kozyrev@windriver.com>2019-01-10 18:43:14 -0500
committerAlex Kozyrev <alex.kozyrev@windriver.com>2019-01-11 13:33:00 -0500
commitf44717154a78add0a0a2497048e03ab536dc615b (patch)
treed9c72220418feb061221a18df920572b720b3503
parent5dcff4e6164a5d95749ea8f9fa36048045bba84c (diff)
Add Barbican bootstrap and runtime manifests
Barbican service is needed during bootstrap phase for StarlingX. Implement bootstrap and runtime manifests to achieve that. Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78 Story: 2003108 Task: 27700 Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
Notes
Notes (review): Code-Review+1: Bart Wensley <barton.wensley@windriver.com> Code-Review+2: Al Bailey <al.bailey@windriver.com> Code-Review+1: Andy <andy.ning@windriver.com> Code-Review+1: melissaml <ma.lei@99cloud.net> Code-Review+2: Don Penney <don.penney@windriver.com> Workflow+1: Don Penney <don.penney@windriver.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Mon, 14 Jan 2019 15:33:30 +0000 Reviewed-on: https://review.openstack.org/629949 Project: openstack/stx-config Branch: refs/heads/master
-rwxr-xr-xconfigutilities/centos/build_srpm.data2
-rw-r--r--configutilities/configutilities/configutilities/common/validator.py3
-rw-r--r--puppet-manifests/centos/build_srpm.data2
-rw-r--r--puppet-manifests/src/manifests/bootstrap.pp1
-rw-r--r--puppet-manifests/src/modules/openstack/manifests/barbican.pp132
-rw-r--r--puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data2
-rw-r--r--puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp2
-rw-r--r--sysinv/sysinv/centos/build_srpm.data2
-rw-r--r--sysinv/sysinv/sysinv/sysinv/conductor/manager.py8
-rw-r--r--sysinv/sysinv/sysinv/sysinv/puppet/barbican.py9
-rw-r--r--sysinv/sysinv/sysinv/sysinv/puppet/inventory.py2
11 files changed, 117 insertions, 48 deletions
diff --git a/configutilities/centos/build_srpm.data b/configutilities/centos/build_srpm.data
index a035c4a..262bcfe 100755
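--- a/configutilities/centos/build_srpm.data
+++ b/configutilities/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2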
diff --git a/configutilities/configutilities/configutilities/common/validator.py b/configutilities/configutilities/configutilities/common/validator.py
index ff0524c..2bba433 100644
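--- a/configutilities/configutilities/configutilities/common/validator.py
+++ b/configutilities/configutilities/configutilities/common/validator.py
@@ -1025,7 +1025,8 @@ class ConfigValidator(object):
  self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
  password_fields = [
  'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
- 'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI'
+ 'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI',
+ 'BARBICAN'
  ]
  for pw in password_fields:
  if not self.conf.has_option('REGION_2_SERVICES',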
diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data
index bbbc6b0..89ee8fe 100644
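--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=76
+TIS_PATCH_VER=77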
diff --git a/puppet-manifests/src/manifests/bootstrap.pp b/puppet-manifests/src/manifests/bootstrap.pp
index 37cc489..7c1103b 100644
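--- a/puppet-manifests/src/manifests/bootstrap.pp
+++ b/puppet-manifests/src/manifests/bootstrap.pp
@@ -15,6 +15,7 @@ include ::platform::postgresql::bootstrap
 include ::platform::amqp::bootstrap
 
 include ::openstack::keystone::bootstrap
+include ::openstack::barbican::bootstrap
 include ::platform::client::bootstrap
 include ::openstack::client::bootstrap
 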
diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
index e2afe0b..c808668 100644
--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@@ -6,7 +6,6 @@ class openstack::barbican::params (
6 $service_enabled = true, 6 $service_enabled = true,
7) { } 7) { }
8 8
9
10class openstack::barbican 9class openstack::barbican
11 inherits ::openstack::barbican::params { 10 inherits ::openstack::barbican::params {
12 11
@@ -27,6 +26,54 @@ class openstack::barbican
27 'service_credentials/interface': value => 'internalURL' 26 'service_credentials/interface': value => 'internalURL'
28 } 27 }
29 28
29 file { '/var/run/barbican':
30 ensure => 'directory',
31 owner => 'barbican',
32 group => 'barbican',
33 }
34
35 $api_workers = $::platform::params::eng_workers_by_4
36
37 file_line { 'Modify workers in gunicorn-config.py':
38 path => '/etc/barbican/gunicorn-config.py',
39 line => "workers = ${api_workers}",
40 match => '.*workers = .*',
41 tag => 'modify-workers',
42 }
43 }
44}
45
46class openstack::barbican::service
47 inherits ::openstack::barbican::params {
48
49 if $service_enabled {
50
51 include ::platform::network::mgmt::params
52 $api_host = $::platform::network::mgmt::params::subnet_version ? {
53 6 => "[${::platform::network::mgmt::params::controller_address}]",
54 default => $::platform::network::mgmt::params::controller_address,
55 }
56 $api_fqdn = $::platform::params::controller_hostname
57 $url_host = "http://${api_fqdn}:${api_port}"
58
59 include ::platform::amqp::params
60
61 class { '::barbican::api':
62 enabled => true,
63 manage_service => true,
64 bind_host => $api_host,
65 bind_port => $api_port,
66 host_href => $url_host,
67 sync_db => !$::openstack::barbican::params::service_create,
68 enable_proxy_headers_parsing => true,
69 rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
70 default_transport_url => $::platform::amqp::params::transport_url,
71 }
72
73 class { '::barbican::keystone::notification':
74 enable_keystone_notification => true,
75 }
76
30 cron { 'barbican-cleaner': 77 cron { 'barbican-cleaner':
31 ensure => 'present', 78 ensure => 'present',
32 command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log', 79 command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
@@ -38,7 +85,6 @@ class openstack::barbican
38 } 85 }
39} 86}
40 87
41
42class openstack::barbican::firewall 88class openstack::barbican::firewall
43 inherits ::openstack::barbican::params { 89 inherits ::openstack::barbican::params {
44 90
@@ -48,7 +94,6 @@ class openstack::barbican::firewall
48 } 94 }
49} 95}
50 96
51
52class openstack::barbican::haproxy 97class openstack::barbican::haproxy
53 inherits ::openstack::barbican::params { 98 inherits ::openstack::barbican::params {
54 99
@@ -59,7 +104,6 @@ class openstack::barbican::haproxy
59 } 104 }
60} 105}
61 106
62
63class openstack::barbican::api 107class openstack::barbican::api
64 inherits ::openstack::barbican::params { 108 inherits ::openstack::barbican::params {
65 include ::platform::params 109 include ::platform::params
@@ -72,55 +116,57 @@ class openstack::barbican::api
72 # set via sysinv puppet 116 # set via sysinv puppet
73 if ($::openstack::barbican::params::service_create and 117 if ($::openstack::barbican::params::service_create and
74 $::platform::params::init_keystone) { 118 $::platform::params::init_keystone) {
75 include ::barbican::keystone::auth
76 $bu_name = $::barbican::keystone::auth::auth_name
77 $bu_tenant = $::barbican::keystone::auth::tenant
78 119
79 keystone_role { 'creator': 120 if ($::platform::params::distributed_cloud_role == 'subcloud' and
80 ensure => present, 121 $::platform::params::region_2_name != 'RegionOne') {
81 } 122 Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']
82 keystone_user_role { "${bu_name}@${bu_tenant}": 123 keystone_endpoint { 'RegionOne/barbican::key-manager':
83 ensure => present, 124 ensure => 'absent',
84 roles => ['admin', 'creator'], 125 name => 'barbican',
126 type => 'key-manager',
127 region => 'RegionOne',
128 public_url => "http://127.0.0.1:${api_port}",
129 admin_url => "http://127.0.0.1:${api_port}",
130 internal_url => "http://127.0.0.1:${api_port}"
131 }
85 } 132 }
86 } 133 }
87 134
88 if $service_enabled { 135 if $service_enabled {
136 include ::openstack::barbican::service
137 include ::openstack::barbican::firewall
138 include ::openstack::barbican::haproxy
139 }
140}
89 141
90 $api_workers = $::platform::params::eng_workers 142class openstack::barbican::bootstrap
143 inherits ::openstack::barbican::params {
91 144
92 file_line { 'Modify workers in gunicorn-config.py': 145 class { '::barbican::keystone::auth':
93 path => '/etc/barbican/gunicorn-config.py', 146 configure_user_role => false,
94 line => "workers = ${api_workers}", 147 }
95 match => '.*workers = .*', 148 class { '::barbican::keystone::authtoken':
96 tag => 'modify-workers', 149 auth_url => 'http://localhost:5000',
97 } 150 }
98 151
99 include ::platform::network::mgmt::params 152 $bu_name = $::barbican::keystone::auth::auth_name
100 $api_host = $::platform::network::mgmt::params::subnet_version ? { 153 $bu_tenant = $::barbican::keystone::auth::tenant
101 6 => "[${::platform::network::mgmt::params::controller_address}]", 154 keystone_role { 'creator':
102 default => $::platform::network::mgmt::params::controller_address, 155 ensure => present,
103 } 156 }
104 $api_fqdn = $::platform::params::controller_hostname 157 keystone_user_role { "${bu_name}@${bu_tenant}":
105 $url_host = "http://${api_fqdn}:${api_port}" 158 ensure => present,
159 roles => ['admin', 'creator'],
160 }
106 161
107 include ::platform::amqp::params 162 include ::barbican::db::postgresql
108 163
109 class { '::barbican::api': 164 include ::openstack::barbican
110 bind_host => $api_host, 165 include ::openstack::barbican::service
111 bind_port => $api_port, 166}
112 host_href => $url_host,
113 sync_db => $::platform::params::init_database,
114 enable_proxy_headers_parsing => true,
115 rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
116 default_transport_url => $::platform::amqp::params::transport_url,
117 }
118 167
119 class { '::barbican::keystone::notification': 168class openstack::barbican::runtime
120 enable_keystone_notification => true, 169 inherits ::openstack::barbican::params {
121 }
122 170
123 include ::openstack::barbican::firewall 171 include ::openstack::barbican::service
124 include ::openstack::barbican::haproxy
125 }
126} 172}
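Review bot: The new `file { '/var/run/barbican': … }` resource in `openstack::barbican` sets `owner` and `group` but no `mode`, so the directory's permissions are left to Puppet's default and the process umask when it is first created. For the runtime directory of a key-management service it is worth pinning them, for example by adding `mode => '0750',` after `group => 'barbican',` (confirm first that nothing outside the barbican group needs to traverse it). Separately, `openstack::barbican::bootstrap` sets `configure_user_role => false` and then grants the service user `roles => ['admin', 'creator']` by hand; a short comment there explaining why `admin` is needed would help a later least-privilege review.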
diff --git a/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data b/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
index fd1bf4c..5850dc4 100644
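--- a/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
+++ b/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="src"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4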
diff --git a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
index 5a3dc93..2fa5749 100644
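--- a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
@@ -70,6 +70,7 @@ class sysinv (
  $cinder_region_name = 'RegionOne',
  $nova_region_name = 'RegionOne',
  $magnum_region_name = 'RegionOne',
+ $barbican_region_name = 'RegionOne',
  $fm_catalog_info = undef,
  $fernet_key_repository = undef,
 ) {
@@ -202,6 +203,7 @@ class sysinv (
  'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
  'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
  'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
+ 'openstack_keystone_authtoken/barbican_region_name': value => $barbican_region_name;
  }
 
  sysinv_config {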
diff --git a/sysinv/sysinv/centos/build_srpm.data b/sysinv/sysinv/centos/build_srpm.data
index a462501..eb4441e 100644
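--- a/sysinv/sysinv/centos/build_srpm.data
+++ b/sysinv/sysinv/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="sysinv"
-TIS_PATCH_VER=293
+TIS_PATCH_VER=294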
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
index 6b4e896..cb9f5e4 100644
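--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@@ -7042,6 +7042,14 @@ class ConductorManager(service.PeriodicService):
  }
  self._config_apply_runtime_manifest(context, config_uuid, config_dict)
 
+ elif service == constants.SERVICE_TYPE_BARBICAN:
+ personalities = [constants.CONTROLLER]
+ config_dict = {
+ "personalities": personalities,
+ "classes": ['openstack::barbican::runtime']
+ }
+ self._config_apply_runtime_manifest(context, config_uuid, config_dict)
+
  def update_security_feature_config(self, context):
  """Update the kernel options configuration"""
  personalities = constants.PERSONALITIES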
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
index c7d2f23..c108949 100644
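--- a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+from sysinv.common import constants
 from sysinv.puppet import openstack
 
 
@@ -24,7 +25,12 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
  dbpass = self._get_database_password(self.SERVICE_NAME)
  kspass = self._get_service_password(self.SERVICE_NAME)
 
+ # initial bootstrap is bound to localhost
+ dburl = self._format_database_connection(self.SERVICE_NAME,
+ constants.LOCALHOST_HOSTNAME)
+
  return {
+ 'barbican::db::database_connection': dburl,
  'barbican::db::postgresql::password': dbpass,
 
  'barbican::keystone::auth::password': kspass,
@@ -82,3 +88,6 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
 
  def get_admin_url(self):
  return self._format_private_endpoint(self.SERVICE_PORT)
+
+ def get_region_name(self):
+ return self._get_service_region_name(self.SERVICE_NAME)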
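Review bot: The new `'barbican::db::database_connection': dburl` entry is built by `_format_database_connection`, whose body is not on this page; if that helper embeds the database password in the URL, this key is as sensitive as the `barbican::db::postgresql::password` and `barbican::keystone::auth::password` entries beside it. The enclosing method starts above the hunk, so confirm it is the one that feeds the access-restricted hieradata and that `dburl` is never written to a log. The comment could say so directly, e.g. `# initial bootstrap is bound to localhost; dburl may embed dbpass, keep it in secure config only`. The new `get_region_name` would also benefit from a one-line docstring such as `"""Return the region name configured for this service."""`.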
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
index 0a3aab3..3dab83e 100644
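--- a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
@@ -49,6 +49,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
  cinder_region_name = self._operator.cinder.get_region_name()
  nova_region_name = self._operator.nova.get_region_name()
  magnum_region_name = self._operator.magnum.get_region_name()
+ barbican_region_name = self._operator.barbican.get_region_name()
 
  return {
  # The region in which the identity server can be found
@@ -57,6 +58,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
  'sysinv::cinder_region_name': cinder_region_name,
  'sysinv::nova_region_name': nova_region_name,
  'sysinv::magnum_region_name': magnum_region_name,
+ 'sysinv::barbican_region_name': barbican_region_name,
 
  'sysinv::keystone::auth::public_url': self.get_public_url(),
  'sysinv::keystone::auth::internal_url': self.get_internal_url(),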