Add Barbican bootstrap and runtime manifests

Barbican service is needed during bootstrap phase for StarlingX.
Implement bootstrap and runtime manifests to achieve that.

Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78
Story: 2003108
Task: 27700
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
Alex Kozyrev 2019-01-10 18:43:14 -05:00
parent 5dcff4e616
commit f44717154a
11 changed files with 121 additions and 52 deletions


@ -1,3 +1,3 @@
SRC_DIR="configutilities"
COPY_LIST="$SRC_DIR/LICENSE"
TIS_PATCH_VER=1
TIS_PATCH_VER=2


@ -1025,7 +1025,8 @@ class ConfigValidator(object):
self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
password_fields = [
'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI'
'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI',
'BARBICAN'
]
for pw in password_fields:
if not self.conf.has_option('REGION_2_SERVICES',


@ -1,2 +1,2 @@
SRC_DIR="src"
TIS_PATCH_VER=76
TIS_PATCH_VER=77


@ -15,6 +15,7 @@ include ::platform::postgresql::bootstrap
include ::platform::amqp::bootstrap
include ::openstack::keystone::bootstrap
include ::openstack::barbican::bootstrap
include ::platform::client::bootstrap
include ::openstack::client::bootstrap


@ -6,7 +6,6 @@ class openstack::barbican::params (
$service_enabled = true,
) { }
class openstack::barbican
inherits ::openstack::barbican::params {
@ -27,6 +26,54 @@ class openstack::barbican
'service_credentials/interface': value => 'internalURL'
}
file { '/var/run/barbican':
ensure => 'directory',
owner => 'barbican',
group => 'barbican',
}
$api_workers = $::platform::params::eng_workers_by_4
file_line { 'Modify workers in gunicorn-config.py':
path => '/etc/barbican/gunicorn-config.py',
line => "workers = ${api_workers}",
match => '.*workers = .*',
tag => 'modify-workers',
}
}
}
class openstack::barbican::service
inherits ::openstack::barbican::params {
if $service_enabled {
include ::platform::network::mgmt::params
$api_host = $::platform::network::mgmt::params::subnet_version ? {
6 => "[${::platform::network::mgmt::params::controller_address}]",
default => $::platform::network::mgmt::params::controller_address,
}
$api_fqdn = $::platform::params::controller_hostname
$url_host = "http://${api_fqdn}:${api_port}"
include ::platform::amqp::params
class { '::barbican::api':
enabled => true,
manage_service => true,
bind_host => $api_host,
bind_port => $api_port,
host_href => $url_host,
sync_db => !$::openstack::barbican::params::service_create,
enable_proxy_headers_parsing => true,
rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
default_transport_url => $::platform::amqp::params::transport_url,
}
class { '::barbican::keystone::notification':
enable_keystone_notification => true,
}
cron { 'barbican-cleaner':
ensure => 'present',
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
@ -38,7 +85,6 @@ class openstack::barbican
}
}
class openstack::barbican::firewall
inherits ::openstack::barbican::params {
@ -48,7 +94,6 @@ class openstack::barbican::firewall
}
}
class openstack::barbican::haproxy
inherits ::openstack::barbican::params {
@ -59,7 +104,6 @@ class openstack::barbican::haproxy
}
}
class openstack::barbican::api
inherits ::openstack::barbican::params {
include ::platform::params
@ -72,55 +116,57 @@ class openstack::barbican::api
# set via sysinv puppet
if ($::openstack::barbican::params::service_create and
$::platform::params::init_keystone) {
include ::barbican::keystone::auth
$bu_name = $::barbican::keystone::auth::auth_name
$bu_tenant = $::barbican::keystone::auth::tenant
keystone_role { 'creator':
ensure => present,
}
keystone_user_role { "${bu_name}@${bu_tenant}":
ensure => present,
roles => ['admin', 'creator'],
if ($::platform::params::distributed_cloud_role == 'subcloud' and
$::platform::params::region_2_name != 'RegionOne') {
Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']
keystone_endpoint { 'RegionOne/barbican::key-manager':
ensure => 'absent',
name => 'barbican',
type => 'key-manager',
region => 'RegionOne',
public_url => "http://127.0.0.1:${api_port}",
admin_url => "http://127.0.0.1:${api_port}",
internal_url => "http://127.0.0.1:${api_port}"
}
}
}
if $service_enabled {
$api_workers = $::platform::params::eng_workers
file_line { 'Modify workers in gunicorn-config.py':
path => '/etc/barbican/gunicorn-config.py',
line => "workers = ${api_workers}",
match => '.*workers = .*',
tag => 'modify-workers',
}
include ::platform::network::mgmt::params
$api_host = $::platform::network::mgmt::params::subnet_version ? {
6 => "[${::platform::network::mgmt::params::controller_address}]",
default => $::platform::network::mgmt::params::controller_address,
}
$api_fqdn = $::platform::params::controller_hostname
$url_host = "http://${api_fqdn}:${api_port}"
include ::platform::amqp::params
class { '::barbican::api':
bind_host => $api_host,
bind_port => $api_port,
host_href => $url_host,
sync_db => $::platform::params::init_database,
enable_proxy_headers_parsing => true,
rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
default_transport_url => $::platform::amqp::params::transport_url,
}
class { '::barbican::keystone::notification':
enable_keystone_notification => true,
}
include ::openstack::barbican::service
include ::openstack::barbican::firewall
include ::openstack::barbican::haproxy
}
}
class openstack::barbican::bootstrap
inherits ::openstack::barbican::params {
class { '::barbican::keystone::auth':
configure_user_role => false,
}
class { '::barbican::keystone::authtoken':
auth_url => 'http://localhost:5000',
}
$bu_name = $::barbican::keystone::auth::auth_name
$bu_tenant = $::barbican::keystone::auth::tenant
keystone_role { 'creator':
ensure => present,
}
keystone_user_role { "${bu_name}@${bu_tenant}":
ensure => present,
roles => ['admin', 'creator'],
}
include ::barbican::db::postgresql
include ::openstack::barbican
include ::openstack::barbican::service
}
class openstack::barbican::runtime
inherits ::openstack::barbican::params {
include ::openstack::barbican::service
}
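Review bot: `auth_url => 'http://localhost:5000'` in openstack::barbican::bootstrap is the only host literal in this manifest; every other endpoint here is derived from ::platform::params or ::platform::network::mgmt::params, so a reader cannot tell whether the literal is deliberate. A one-line comment above the `class { '::barbican::keystone::authtoken':` block, `# bootstrap runs before the mgmt address exists, so authtoken talks to keystone on localhost`, would record the intent (the sysinv side of this commit carries the matching "initial bootstrap is bound to localhost" note). Separately, both openstack::barbican and openstack::barbican::api appear to declare a file_line titled 'Modify workers in gunicorn-config.py' with different worker counts (eng_workers_by_4 vs eng_workers); if both survive on the new side and are ever in the same catalog, Puppet will fail on the duplicate title, so confirm that only one remains. The `sync_db => !$::openstack::barbican::params::service_create` expression in openstack::barbican::service also deserves a why-comment, since it inverts a flag whose meaning is defined outside this hunk.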


@ -1,3 +1,3 @@
SRC_DIR="src"
COPY_LIST="$SRC_DIR/LICENSE"
TIS_PATCH_VER=3
TIS_PATCH_VER=4


@ -70,6 +70,7 @@ class sysinv (
$cinder_region_name = 'RegionOne',
$nova_region_name = 'RegionOne',
$magnum_region_name = 'RegionOne',
$barbican_region_name = 'RegionOne',
$fm_catalog_info = undef,
$fernet_key_repository = undef,
) {
@ -202,6 +203,7 @@ class sysinv (
'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
'openstack_keystone_authtoken/barbican_region_name': value => $barbican_region_name;
}
sysinv_config {


@ -1,2 +1,2 @@
SRC_DIR="sysinv"
TIS_PATCH_VER=293
TIS_PATCH_VER=294


@ -7042,6 +7042,14 @@ class ConductorManager(service.PeriodicService):
}
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
elif service == constants.SERVICE_TYPE_BARBICAN:
personalities = [constants.CONTROLLER]
config_dict = {
"personalities": personalities,
"classes": ['openstack::barbican::runtime']
}
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
def update_security_feature_config(self, context):
"""Update the kernel options configuration"""
personalities = constants.PERSONALITIES


@ -4,6 +4,7 @@
# SPDX-License-Identifier: Apache-2.0
#
from sysinv.common import constants
from sysinv.puppet import openstack
@ -24,7 +25,12 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
dbpass = self._get_database_password(self.SERVICE_NAME)
kspass = self._get_service_password(self.SERVICE_NAME)
# initial bootstrap is bound to localhost
dburl = self._format_database_connection(self.SERVICE_NAME,
constants.LOCALHOST_HOSTNAME)
return {
'barbican::db::database_connection': dburl,
'barbican::db::postgresql::password': dbpass,
'barbican::keystone::auth::password': kspass,
@ -82,3 +88,6 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
def get_admin_url(self):
return self._format_private_endpoint(self.SERVICE_PORT)
def get_region_name(self):
return self._get_service_region_name(self.SERVICE_NAME)
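Review bot: The `dburl` built with `constants.LOCALHOST_HOSTNAME` is returned under 'barbican::db::database_connection' from a method whose signature starts outside the hunk, so it is not visible whether this dict feeds only the bootstrap manifest or every manifest; if it is also consumed at runtime, the database connection would keep pointing at localhost after the service moves to the controller address, so confirm that the non-bootstrap path overrides this key. The comment `# initial bootstrap is bound to localhost` should say which path overrides it, e.g. `# initial bootstrap is bound to localhost; runtime config is expected to replace this with the mgmt address`. The new `get_region_name` has no docstring while the sibling methods around it are bare too; a one-liner such as `"""Return the keystone region the barbican endpoint is registered in."""` would make the new accessor consistent with how it is used from sysinv.py in this same commit.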


@ -49,6 +49,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
cinder_region_name = self._operator.cinder.get_region_name()
nova_region_name = self._operator.nova.get_region_name()
magnum_region_name = self._operator.magnum.get_region_name()
barbican_region_name = self._operator.barbican.get_region_name()
return {
# The region in which the identity server can be found
@ -57,6 +58,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
'sysinv::cinder_region_name': cinder_region_name,
'sysinv::nova_region_name': nova_region_name,
'sysinv::magnum_region_name': magnum_region_name,
'sysinv::barbican_region_name': barbican_region_name,
'sysinv::keystone::auth::public_url': self.get_public_url(),
'sysinv::keystone::auth::internal_url': self.get_internal_url(),