The barbican-api process currently writes directly
to its logfile. As such, the logrotate config file
needs a copytruncate directive to ensure the process
doesn't end up writing to the rotated file instead.
Change-Id: I60c8a08ce612fd7f82e05f69b168919b12ab0017
Partial-Bug: 1836632
Signed-off-by: Don Penney <don.penney@windriver.com>

Barbican returns "503 Service Unavailable" during bootstrap
phase of StarlingX. This happens because Keystone auth token
lacks domain details for Barbican. Need to explicitly specify
project_domain_name and user_domain_name in Barbican config.
Change-Id: I4bf6b275c1eb271b62a2e7a1bc72c049f193afc4
Closes-bug: 1834670
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>

* Remove those firewall rules managed by puppet for exposing platform
services, because we have used Calico to create some rules to do the
same thing.
* Remove system firewall-rule-related commands and controllers.
Passed tests:
* Fresh build
* Deployment(simplex, duplex, multi-node)
* System-level tests
* firewall-rule-xxx commands were removed as expected.
* puppet firewall rules have been removed as expected.
* manually check iptables rules.
* use the utility of uc to test exposed tcp ports and a few
non-exposed tcp ports again.
* create vms
Story: 2005066
Task: 29864
Depends-On: https://review.openstack.org/#/c/649217
Change-Id: Ie5df744598c75d45d21ce6585f31f6d8f1809f04
Signed-off-by: Yi Wang <yi.c.wang@intel.com>

Replacing existing mechanism of storing BMC passwords in SysInv.
Implementing access to Barbican API in SysInv and using it to write
the passwords into Barbican secrets. Note that Barbican cannot
change the existing password inside its secret, so we need to remove
the old secret and create a new one in case of password update.
Another thing to mention: SysInv has to create Barbican secrets in
context of "services" project so that MTCE can read them later.
Change-Id: I7102a9662f3757c062ab310737f4ba08379d0100
Story: 2003108
Task: 27700
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>

Barbican service is needed during bootstrap phase for StarlingX.
Implement bootstrap and runtime manifests to achieve that.
Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78
Story: 2003108
Task: 27700
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>

Barbican fails to start in case of IPv6 configuration:
"Error: ':2:9311' is not a valid port number."
Wrong parsing of IPv6 host address can be fixed by adding [].
Also dropping '' for API workers number for the sake of consistency.
Change-Id: Ie40a0338d202dfa1cc17810db56d902b14e5accf
Closes-Bug: 1810558
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>

1. Add the new barbican DB and barbican user.
2. Support DB backup/restore and upgrades for barbican.
3. Configure barbican user and password in region config.
4. Provide Barbican configuration with appropriate data via SysInv.
5. Set up Barbican through puppet manifests.
There are three main services that need to be configured:
- Barbican API: a RESTful API for managing secrets.
- Barbican Worker: an RPC interface for Barbican API.
- Barbican Keystone Listener: a service for Keystone changes.
Also, HA Proxy and Firewall need to be updated with Barbican port (9311)
as well as Remote Logging manifest to allow Barbican log collection.
Change-Id: I6b0b0c90456627bebde2b834b339bc968100b6f9
Story: 2003108
Task: 27700
Depends-On: I2667d56a71b7d3881c03b6a5c1e5ed61d4f0b902
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>