/
main.yml
314 lines (275 loc) · 14 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
---
# Copyright 2016, Ian Cordasco
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
barbican_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
barbican_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(barbican_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
barbican_package_state: "{{ package_state | default('latest') }}"
# Set installation method.
barbican_install_method: "{{ service_install_method | default('source') }}"
barbican_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"
# Toggle keystone authentication for barbican
barbican_keystone_auth: "{{ (groups['keystone_all'] is defined) and (groups['keystone_all'] | length > 0) }}"
## System info
barbican_system_group_name: barbican
barbican_system_user_name: barbican
barbican_system_user_comment: Barbican System User
barbican_system_user_shell: /bin/false
barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
barbican_etc_directory: /etc/barbican
# Barbican services info
barbican_keystone_listener_enable: false
barbican_worker_enable: false
barbican_retry_enable: false
# Variable defines barbican store backends configuration. It supports multibackend scenario
# in case list length > 1. Then additional key global_default should be present, otherwise
# first element would be set as global default. For multibackend one backend should be set
# as global_default: True
barbican_backends_config:
software:
secret_store_plugin: store_crypto
crypto_plugin: simple_crypto
# Variable defines barbican crypto configuration.
barbican_plugins_config:
simple_crypto_plugin:
kek: "{{ barbican_simple_crypto_key | b64encode }}"
## Service Name-Group Mapping
barbican_services:
barbican-api:
group: barbican_all
service_name: barbican-api
init_config_overrides: "{{ barbican_init_config_overrides }}"
uwsgi_bind_address: "{{ barbican_service_host }}"
uwsgi_port: "{{ barbican_service_port }}"
uwsgi_overrides: "{{ barbican_uwsgi_init_overrides }}"
wsgi_app: True
wsgi_name: barbican-wsgi-api
start_order: 1
uwsgi_tls: "{{ barbican_backend_ssl | ternary(barbican_uwsgi_tls, {}) }}"
barbican-worker:
group: barbican_all
service_name: barbican-worker
init_config_overrides: "{{ barbican_init_config_overrides }}"
execstarts: "{{ barbican_bin }}/barbican-worker"
condition: "{{ barbican_worker_enable | bool }}"
start_order: 2
barbican-keystone-listener:
group: barbican_all
service_name: barbican-keystone-listener
init_config_overrides: "{{ barbican_init_config_overrides }}"
execstarts: "{{ barbican_bin }}/barbican-keystone-listener"
condition: "{{ barbican_keystone_listener_enable | bool }}"
start_order: 3
barbican-retry:
group: barbican_all
service_name: barbican-retry
init_config_overrides: "{{ barbican_init_config_overrides }}"
execstarts: "{{ barbican_bin }}/barbican-retry"
condition: "{{ barbican_retry_enable | bool }}"
start_order: 4
# With `barbican_user_libraries` you can deploy libraries, needed for barbican
# to interact with third party services like HSM
# barbican_user_libraries:
# - src: /etc/openstack_deploy/barbican/libdpod.plugin
# dest: /opt/barbican/libs/libCryptoki2.so
# owner: root
# group: "{{ barbican_system_group_name }}"
# - src: /etc/openstack_deploy/barbican/Chrystoki.conf
# dest: /opt/barbican/Chrystoki.conf
# link: /etc/Chrystoki.conf
barbican_user_libraries: []
## Service Type and Data
barbican_service_name: barbican
barbican_service_user_name: barbican
barbican_service_type: key-manager
barbican_service_description: "OpenStack Key and Secrets Management (Barbican)"
barbican_default_role_names:
- "key-manager:service-admin"
- creator
- observer
- audit
barbican_service_role_names:
- admin
- creator
- service
barbican_service_token_roles:
- service
barbican_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
barbican_service_region: "{{ service_region | default('RegionOne') }}"
barbican_service_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
barbican_service_port: 9311
barbican_service_proto: http
barbican_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(barbican_service_proto) }}"
barbican_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(barbican_service_proto) }}"
barbican_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(barbican_service_proto) }}"
barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
barbican_init_config_overrides: {}
barbican_config_overrides: {}
barbican_policy_overrides: {}
barbican_paste_overrides: {}
barbican_api_audit_map_overrides: {}
barbican_vassals_api_overrides: {}
## The git source/branch
barbican_git_repo: "https://opendev.org/openstack/barbican"
barbican_git_install_branch: master
barbican_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
barbican_git_constraints:
- "--constraint {{ barbican_upper_constraints_url }}"
barbican_pip_install_args: "{{ pip_install_options | default('') }}"
# Name of the virtual env to deploy into
barbican_venv_tag: "{{ venv_tag | default('untagged') }}"
barbican_bin: "{{ _barbican_bin }}"
# Database vars
barbican_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
barbican_db_setup_python_interpreter: >-
{{
openstack_db_setup_python_interpreter | default(
(barbican_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
barbican_galera_address: "{{ galera_address | default('127.0.0.1') }}"
barbican_galera_database: barbican
barbican_galera_user: barbican
barbican_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
barbican_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
barbican_galera_port: "{{ galera_port | default('3306') }}"
# NOTE: barbican does not support pool_timeout so it is not set for this role
barbican_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
barbican_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
barbican_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
## Oslo Messaging
barbican_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
# RPC
barbican_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
barbican_oslomsg_rpc_setup_host: "{{ (barbican_oslomsg_rpc_host_group in groups) | ternary(groups[barbican_oslomsg_rpc_host_group][0], 'localhost') }}"
barbican_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
barbican_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
barbican_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
barbican_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
barbican_oslomsg_rpc_userid: barbican
barbican_oslomsg_rpc_policies: []
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
barbican_oslomsg_rpc_vhost:
- name: /barbican
state: "{{ barbican_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
- name: barbican
state: "{{ barbican_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
barbican_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
barbican_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
# Notify
barbican_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(barbican_ceilometer_enabled) }}"
barbican_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
barbican_oslomsg_notify_setup_host: "{{ (barbican_oslomsg_notify_host_group in groups) | ternary(groups[barbican_oslomsg_notify_host_group][0], 'localhost') }}"
barbican_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
barbican_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
barbican_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
barbican_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
barbican_oslomsg_notify_userid: "{{ barbican_oslomsg_rpc_userid }}"
barbican_oslomsg_notify_password: "{{ barbican_oslomsg_rpc_password }}"
barbican_oslomsg_notify_vhost: "{{ barbican_oslomsg_rpc_vhost }}"
barbican_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
barbican_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
barbican_oslomsg_notify_policies: []
## RabbitMQ integration
barbican_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
barbican_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(barbican_oslomsg_rabbit_quorum_queues) }}"
barbican_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(barbican_oslomsg_rabbit_stream_fanout) }}"
barbican_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(barbican_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
barbican_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(barbican_oslomsg_rabbit_quorum_queues) }}"
barbican_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
barbican_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"
## (Qdrouterd) integration
# TODO(ansmith): Change structure when more backends will be supported
barbican_oslomsg_amqp1_enabled: "{{ barbican_oslomsg_rpc_transport == 'amqp' }}"
# Keystone AuthToken/Middleware
barbican_keystone_auth_plugin: password
barbican_service_project_domain_id: default
barbican_service_user_domain_id: default
barbican_service_project_name: service
# uwsgi configuration vars
barbican_wsgi_processes_max: 16
barbican_wsgi_processes: >-
{{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, barbican_wsgi_processes_max] | min }}
barbican_wsgi_threads: 1
barbican_uwsgi_tls:
crt: "{{ barbican_ssl_cert }}"
key: "{{ barbican_ssl_key }}"
# Memcached override
barbican_memcached_servers: "{{ memcached_servers }}"
# packages required to run the barbican service
barbican_pip_packages:
- "git+{{ barbican_git_repo }}@{{ barbican_git_install_branch }}#egg=barbican"
- osprofiler
- PyMySQL
- pymemcache
- python-memcached
- systemd-python
barbican_user_pip_packages: []
barbican_optional_oslomsg_amqp1_pip_packages:
- oslo.messaging[amqp1]
barbican_uwsgi_init_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
barbican_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# Storage location for SSL certificate authority
barbican_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
# Delegated host for operating the certificate authority
barbican_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# barbican server certificate
barbican_pki_keys_path: "{{ barbican_pki_dir ~ '/certs/private/' }}"
barbican_pki_certs_path: "{{ barbican_pki_dir ~ '/certs/certs/' }}"
barbican_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
barbican_pki_regen_cert: ''
barbican_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
barbican_pki_certificates:
- name: "barbican_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ barbican_pki_san }}"
signed_by: "{{ barbican_pki_intermediate_cert_name }}"
# barbican destination files for SSL certificates
barbican_ssl_cert: /etc/barbican/barbican.pem
barbican_ssl_key: /etc/barbican/barbican.key
# Installation details for SSL certificates
barbican_pki_install_certificates:
- src: "{{ barbican_user_ssl_cert | default(barbican_pki_certs_path ~ 'barbican_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ barbican_ssl_cert }}"
owner: "{{ barbican_system_user_name }}"
group: "{{ barbican_system_user_name }}"
mode: "0644"
- src: "{{ barbican_user_ssl_key | default(barbican_pki_keys_path ~ 'barbican_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ barbican_ssl_key }}"
owner: "{{ barbican_system_user_name }}"
group: "{{ barbican_system_user_name }}"
mode: "0600"
# Define user-provided SSL certificates
# barbican_user_ssl_cert: <path to cert on ansible deployment host>
# barbican_user_ssl_key: <path to cert on ansible deployment host>