From f44717154a78add0a0a2497048e03ab536dc615b Mon Sep 17 00:00:00 2001
From: Alex Kozyrev
Date: Thu, 10 Jan 2019 18:43:14 -0500
Subject: [PATCH] Add Barbican bootstrap and runtime manifests
Barbican service is needed during bootstrap phase for StarlingX. Implement bootstrap and runtime manifests to achieve that.
Change-Id: I6c22ebddacf8aec3a731f7f6d7a762f79f511c78
Story: 2003108
Task: 27700
Signed-off-by: Alex Kozyrev
---
 configutilities/centos/build_srpm.data | 2 +-
 .../configutilities/common/validator.py | 3 +-
 puppet-manifests/centos/build_srpm.data | 2 +-
 puppet-manifests/src/manifests/bootstrap.pp | 1 +
 .../modules/openstack/manifests/barbican.pp | 140 ++++++++++++------
 .../puppet-sysinv/centos/build_srpm.data | 2 +-
 .../src/sysinv/manifests/init.pp | 2 +
 sysinv/sysinv/centos/build_srpm.data | 2 +-
 .../sysinv/sysinv/sysinv/conductor/manager.py | 8 +
 .../sysinv/sysinv/sysinv/puppet/barbican.py | 9 ++
 .../sysinv/sysinv/sysinv/puppet/inventory.py | 2 +
 11 files changed, 121 insertions(+), 52 deletions(-)
diff --git a/configutilities/centos/build_srpm.data b/configutilities/centos/build_srpm.data
index a035c4a180..262bcfec5b 100755
--- a/configutilities/centos/build_srpm.data
+++ b/configutilities/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="configutilities"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
diff --git a/configutilities/configutilities/configutilities/common/validator.py b/configutilities/configutilities/configutilities/common/validator.py
index ff0524c219..2bba43351e 100644
--- a/configutilities/configutilities/configutilities/common/validator.py
+++ b/configutilities/configutilities/configutilities/common/validator.py
@@ -1025,7 +1025,8 @@ class ConfigValidator(object):
 self.conf.get('REGION_2_SERVICES', 'CREATE') == 'Y'):
 password_fields = [
 'NOVA', 'CEILOMETER', 'PATCHING', 'SYSINV', 'HEAT',
- 'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI'
+ 'HEAT_ADMIN', 'PLACEMENT', 'AODH', 'PANKO', 'GNOCCHI',
+ 'BARBICAN'
 ]
 for pw in password_fields:
 if not self.conf.has_option('REGION_2_SERVICES',
diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data
index bbbc6b0b21..89ee8fe6e1 100644
--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=76
+TIS_PATCH_VER=77
diff --git a/puppet-manifests/src/manifests/bootstrap.pp b/puppet-manifests/src/manifests/bootstrap.pp
index 37cc489e77..7c1103b620 100644
--- a/puppet-manifests/src/manifests/bootstrap.pp
+++ b/puppet-manifests/src/manifests/bootstrap.pp
@@ -15,6 +15,7 @@ include ::platform::postgresql::bootstrap
 include ::platform::amqp::bootstrap
 include ::openstack::keystone::bootstrap
+include ::openstack::barbican::bootstrap
 include ::platform::client::bootstrap
 include ::openstack::client::bootstrap
diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
index e2afe0b305..c8086682e6 100644
--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@@ -6,7 +6,6 @@ class openstack::barbican::params (
 $service_enabled = true,
 ) {
 }
-
 class openstack::barbican
 inherits ::openstack::barbican::params {
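Review bot: In the bootstrap.pp hunk, `include ::openstack::barbican::bootstrap` is placed after the postgresql and keystone bootstrap includes, but `include` alone establishes no ordering in Puppet, and the new `openstack::barbican::bootstrap` class (barbican.pp, later in this patch) declares `::barbican::db::postgresql` and keystone role/user resources that need those services up. If bootstrap.pp does not already chain these classes below the hunk, a relationship such as `Class['::openstack::keystone::bootstrap'] -> Class['::openstack::barbican::bootstrap']` makes the dependency explicit instead of relying on whatever autorequires the upstream modules provide; I cannot see the rest of bootstrap.pp, so this may already be handled.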
@@ -27,6 +26,54 @@ class openstack::barbican
 'service_credentials/interface': value => 'internalURL'
 }
+ file { '/var/run/barbican':
+ ensure => 'directory',
+ owner => 'barbican',
+ group => 'barbican',
+ }
+
+ $api_workers = $::platform::params::eng_workers_by_4
+
+ file_line { 'Modify workers in gunicorn-config.py':
+ path => '/etc/barbican/gunicorn-config.py',
+ line => "workers = ${api_workers}",
+ match => '.*workers = .*',
+ tag => 'modify-workers',
+ }
+ }
+}
+
+class openstack::barbican::service
+ inherits ::openstack::barbican::params {
+
+ if $service_enabled {
+
+ include ::platform::network::mgmt::params
+ $api_host = $::platform::network::mgmt::params::subnet_version ? {
+ 6 => "[${::platform::network::mgmt::params::controller_address}]",
+ default => $::platform::network::mgmt::params::controller_address,
+ }
+ $api_fqdn = $::platform::params::controller_hostname
+ $url_host = "http://${api_fqdn}:${api_port}"
+
+ include ::platform::amqp::params
+
+ class { '::barbican::api':
+ enabled => true,
+ manage_service => true,
+ bind_host => $api_host,
+ bind_port => $api_port,
+ host_href => $url_host,
+ sync_db => !$::openstack::barbican::params::service_create,
+ enable_proxy_headers_parsing => true,
+ rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
+ default_transport_url => $::platform::amqp::params::transport_url,
+ }
+
+ class { '::barbican::keystone::notification':
+ enable_keystone_notification => true,
+ }
+
 cron { 'barbican-cleaner':
 ensure => 'present',
 command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
@@ -38,7 +85,6 @@ class openstack::barbican
 }
 }
-
 class openstack::barbican::firewall
 inherits ::openstack::barbican::params {
@@ -48,7 +94,6 @@ class openstack::barbican::firewall
 }
 }
-
 class openstack::barbican::haproxy
 inherits ::openstack::barbican::params {
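Review bot: The new `openstack::barbican::service` class reads `$::platform::params::controller_hostname` for `$api_fqdn` but never includes `::platform::params`, unlike `openstack::barbican::api`, which has `include ::platform::params` at its top; the variable resolves only if some other class in the catalog evaluated `platform::params` first, and the new `openstack::barbican::bootstrap` and `openstack::barbican::runtime` classes that include this one do not guarantee that either. Adding `include ::platform::params` beside the existing `include ::platform::network::mgmt::params` makes the class self-contained. The same applies to `$::platform::params::eng_workers_by_4` now used in `openstack::barbican`, unless that class already includes `::platform::params` above this hunk. Separately, the new `file { '/var/run/barbican': ... }` sets owner and group but no `mode`, so the directory's permissions depend on the agent's umask; an explicit `mode => '0750'` (or whatever barbican's packaging expects) pins them, and since `/var/run` is normally volatile the directory may also need a tmpfiles.d entry to survive a reboot. Finally, `sync_db => !$::openstack::barbican::params::service_create` replaces the old `$::platform::params::init_database` trigger without a comment; a one-line note on why the schema sync is tied to the inverse of `service_create` would save the next reader a trip through the sysinv puppet code.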
@@ -59,7 +104,6 @@ class openstack::barbican::haproxy
 }
 }
-
 class openstack::barbican::api
 inherits ::openstack::barbican::params {
 include ::platform::params
@@ -72,55 +116,57 @@ class openstack::barbican::api
 # set via sysinv puppet
 if ($::openstack::barbican::params::service_create and
 $::platform::params::init_keystone) {
- include ::barbican::keystone::auth
- $bu_name = $::barbican::keystone::auth::auth_name
- $bu_tenant = $::barbican::keystone::auth::tenant
- keystone_role { 'creator':
- ensure => present,
- }
- keystone_user_role { "${bu_name}@${bu_tenant}":
- ensure => present,
- roles => ['admin', 'creator'],
+ if ($::platform::params::distributed_cloud_role == 'subcloud' and
+ $::platform::params::region_2_name != 'RegionOne') {
+ Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"] -> Keystone_endpoint['RegionOne/barbican::key-manager']
+ keystone_endpoint { 'RegionOne/barbican::key-manager':
+ ensure => 'absent',
+ name => 'barbican',
+ type => 'key-manager',
+ region => 'RegionOne',
+ public_url => "http://127.0.0.1:${api_port}",
+ admin_url => "http://127.0.0.1:${api_port}",
+ internal_url => "http://127.0.0.1:${api_port}"
+ }
 }
 }
 if $service_enabled {
-
- $api_workers = $::platform::params::eng_workers
-
- file_line { 'Modify workers in gunicorn-config.py':
- path => '/etc/barbican/gunicorn-config.py',
- line => "workers = ${api_workers}",
- match => '.*workers = .*',
- tag => 'modify-workers',
- }
-
- include ::platform::network::mgmt::params
- $api_host = $::platform::network::mgmt::params::subnet_version ?
{
- 6 => "[${::platform::network::mgmt::params::controller_address}]",
- default => $::platform::network::mgmt::params::controller_address,
- }
- $api_fqdn = $::platform::params::controller_hostname
- $url_host = "http://${api_fqdn}:${api_port}"
-
- include ::platform::amqp::params
-
- class { '::barbican::api':
- bind_host => $api_host,
- bind_port => $api_port,
- host_href => $url_host,
- sync_db => $::platform::params::init_database,
- enable_proxy_headers_parsing => true,
- rabbit_use_ssl => $::platform::amqp::params::ssl_enabled,
- default_transport_url => $::platform::amqp::params::transport_url,
- }
-
- class { '::barbican::keystone::notification':
- enable_keystone_notification => true,
- }
-
+ include ::openstack::barbican::service
 include ::openstack::barbican::firewall
 include ::openstack::barbican::haproxy
 }
 }
+
+class openstack::barbican::bootstrap
+ inherits ::openstack::barbican::params {
+
+ class { '::barbican::keystone::auth':
+ configure_user_role => false,
+ }
+ class { '::barbican::keystone::authtoken':
+ auth_url => 'http://localhost:5000',
+ }
+
+ $bu_name = $::barbican::keystone::auth::auth_name
+ $bu_tenant = $::barbican::keystone::auth::tenant
+ keystone_role { 'creator':
+ ensure => present,
+ }
+ keystone_user_role { "${bu_name}@${bu_tenant}":
+ ensure => present,
+ roles => ['admin', 'creator'],
+ }
+
+ include ::barbican::db::postgresql
+
+ include ::openstack::barbican
+ include ::openstack::barbican::service
+}
+
+class openstack::barbican::runtime
+ inherits ::openstack::barbican::params {
+
+ include ::openstack::barbican::service
+}
diff --git a/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data b/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
index fd1bf4cda9..5850dc4b9e 100644
--- a/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
+++ b/puppet-modules-wrs/puppet-sysinv/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="src"
 COPY_LIST="$SRC_DIR/LICENSE"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4
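Review bot: In the new subcloud branch of `openstack::barbican::api`, the resource reference `Keystone_endpoint["${platform::params::region_2_name}/barbican::key-manager"]` drops the leading `::` that the condition two lines above uses for the same variable (`$::platform::params::region_2_name`); writing `${::platform::params::region_2_name}` keeps both lookups absolute and identical. That chaining arrow also requires the region-2 endpoint resource to exist in the catalog, which this manifest does not declare itself — presumably it comes from `::barbican::keystone::auth` driven by the sysinv hieradata — and if it is absent the catalog fails to compile rather than quietly skipping the `ensure => 'absent'` cleanup of the RegionOne endpoint, so a comment naming where that resource is declared would help. The `openstack::barbican::bootstrap` class carries over `roles => ['admin', 'creator']` for the service user while passing `configure_user_role => false` to `::barbican::keystone::auth`; a one-line comment on why the barbican service account needs `admin` in addition to `creator` would make that privilege grant deliberate rather than incidental. The bootstrap class also reads `$::barbican::keystone::auth::auth_name` and `::tenant` right after the resource-like declaration, which is fine, but it does not include `::platform::params` even though the `openstack::barbican::service` class it includes depends on it.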
diff --git a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
index 5a3dc931ea..2fa57491e6 100644
--- a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
@@ -70,6 +70,7 @@ class sysinv (
 $cinder_region_name = 'RegionOne',
 $nova_region_name = 'RegionOne',
 $magnum_region_name = 'RegionOne',
+ $barbican_region_name = 'RegionOne',
 $fm_catalog_info = undef,
 $fernet_key_repository = undef,
 ) {
@@ -202,6 +203,7 @@ class sysinv (
 'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
 'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
 'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
+ 'openstack_keystone_authtoken/barbican_region_name': value => $barbican_region_name;
 }
 sysinv_config {
diff --git a/sysinv/sysinv/centos/build_srpm.data b/sysinv/sysinv/centos/build_srpm.data
index a462501f81..eb4441e542 100644
--- a/sysinv/sysinv/centos/build_srpm.data
+++ b/sysinv/sysinv/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="sysinv"
-TIS_PATCH_VER=293
+TIS_PATCH_VER=294
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
index 6b4e896c76..cb9f5e4ede 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@@ -7042,6 +7042,14 @@ class ConductorManager(service.PeriodicService):
 }
 self._config_apply_runtime_manifest(context, config_uuid, config_dict)
+ elif service == constants.SERVICE_TYPE_BARBICAN:
+ personalities = [constants.CONTROLLER]
+ config_dict = {
+ "personalities": personalities,
+ "classes": ['openstack::barbican::runtime']
+ }
+ self._config_apply_runtime_manifest(context, config_uuid, config_dict)
+
 def update_security_feature_config(self, context):
 """Update the kernel options configuration"""
 personalities = constants.PERSONALITIES
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
index c7d2f23853..c108949852 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py
@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #
+from sysinv.common import constants
 from sysinv.puppet import openstack
@@ -24,7 +25,12 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
 dbpass = self._get_database_password(self.SERVICE_NAME)
 kspass = self._get_service_password(self.SERVICE_NAME)
+ # initial bootstrap is bound to localhost
+ dburl = self._format_database_connection(self.SERVICE_NAME,
+ constants.LOCALHOST_HOSTNAME)
+
 return {
+ 'barbican::db::database_connection': dburl,
 'barbican::db::postgresql::password': dbpass,
 'barbican::keystone::auth::password': kspass,
@@ -82,3 +88,6 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
 def get_admin_url(self):
 return self._format_private_endpoint(self.SERVICE_PORT)
+
+ def get_region_name(self):
+ return self._get_service_region_name(self.SERVICE_NAME)
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
index 0a3aab38e6..3dab83e3e4 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
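Review bot: The new `elif service == constants.SERVICE_TYPE_BARBICAN:` branch in manager.py is one more copy of a block that differs from its siblings only in the service constant and the manifest class name, so the `personalities` / `config_dict` / `_config_apply_runtime_manifest` trio is now repeated once per service; a module-level mapping such as `{constants.SERVICE_TYPE_BARBICAN: ['openstack::barbican::runtime'], ...}` looked up once would collapse the chain and make the next service a one-line addition. `constants.SERVICE_TYPE_BARBICAN` is not added by this patch, so it presumably already exists in `sysinv.common.constants`; that is worth confirming, because a missing attribute here only surfaces at runtime when that service is reconfigured. The enclosing method starts before this hunk, so whether an unmatched `service` falls through silently or raises cannot be seen from here.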
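Review bot: In barbican.py, `dburl` is built with `constants.LOCALHOST_HOSTNAME` and returned as `barbican::db::database_connection` alongside the database and keystone passwords, and `_format_database_connection` presumably embeds `dbpass` in that URL; the `# initial bootstrap is bound to localhost` comment should also say what overrides this value once the service is reachable on the management address, because as written every apply of this hieradata points barbican at localhost. Expanding it to something like `# bootstrap runs before the management network is up, so the DB URL is bound to localhost; the runtime hieradata must override barbican::db::database_connection` would document that contract, assuming that is the design. If the URL does carry the password it must stay in the same restricted-permission hieradata file as `dbpass`; the returned dict suggests it does, but the method's name and its caller are outside the hunk.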
@@ -49,6 +49,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
 cinder_region_name = self._operator.cinder.get_region_name()
 nova_region_name = self._operator.nova.get_region_name()
 magnum_region_name = self._operator.magnum.get_region_name()
+ barbican_region_name = self._operator.barbican.get_region_name()
 return {
 # The region in which the identity server can be found
@@ -57,6 +58,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
 'sysinv::cinder_region_name': cinder_region_name,
 'sysinv::nova_region_name': nova_region_name,
 'sysinv::magnum_region_name': magnum_region_name,
+ 'sysinv::barbican_region_name': barbican_region_name,
 'sysinv::keystone::auth::public_url': self.get_public_url(),
 'sysinv::keystone::auth::internal_url': self.get_internal_url(),