1 heat_template_version: pike
4 OpenStack Barbican API service configured with Puppet
9 description: Dictionary packing service data
13 description: Mapping of service_name -> network name. Typically set
14 via parameter_defaults in the resource registry. This
15 mapping overrides those in ServiceNetMapDefaults.
22 description: Role name on which the service is applied
26 description: Parameters specific to the role
30 description: Mapping of service endpoint -> protocol. Typically set
31 via parameter_defaults in the resource registry.
34 description: The password for the barbican service account.
38 description: Set the number of workers for barbican::wsgi::apache
39 default: '%{::processorcount}'
43 description: Set to True to enable debugging on all services.
47 description: Set to True to enable debugging Barbican service.
52 description: Keystone region for endpoint
55 description: Set rabbit subscriber port, change this if using SSL
60 Rabbit client subscriber parameter to specify
61 an SSL connection to the RabbitMQ host.
64 description: The password for RabbitMQ
69 description: The username for RabbitMQ
76 A hash of policies to configure for Barbican.
77 e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
82 default: 'messagingv2'
83 description: Driver or drivers to handle sending notifications.
85 - allowed_values: [ 'messagingv2', 'noop' ]
92 ServiceData: {get_param: ServiceData}
93 ServiceNetMap: {get_param: ServiceNetMap}
94 DefaultPasswords: {get_param: DefaultPasswords}
95 EndpointMap: {get_param: EndpointMap}
96 RoleName: {get_param: RoleName}
97 RoleParameters: {get_param: RoleParameters}
100 service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
104 description: Role data for the Barbican API role.
106 service_name: barbican_api
109 - get_attr: [ApacheServiceBase, role_data, config_settings]
110 - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
111 barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
112 barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
113 barbican::keystone::authtoken::project_name: 'service'
114 barbican::policy::policies: {get_param: BarbicanPolicies}
115 barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
116 barbican::api::db_auto_create: false
117 barbican::api::enabled_certificate_plugins: ['simple_certificate']
118 barbican::api::logging::debug:
120 - service_debug_unset
121 - {get_param: Debug }
122 - {get_param: BarbicanDebug }
123 barbican::api::notification_driver: {get_param: NotificationDriver}
124 barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
125 barbican::api::rabbit_userid: {get_param: RabbitUserName}
126 barbican::api::rabbit_password: {get_param: RabbitPassword}
127 barbican::api::rabbit_port: {get_param: RabbitClientPort}
128 barbican::api::rabbit_heartbeat_timeout_threshold: 60
129 barbican::api::service_name: 'httpd'
130 barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
131 barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
132 barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
133 barbican::wsgi::apache::servername:
136 "%{hiera('fqdn_$NETWORK')}"
138 $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
139 barbican::db::database_connection:
141 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
143 password: {get_param: BarbicanPassword}
144 host: {get_param: [EndpointMap, MysqlInternal, host]}
147 read_default_file: /etc/my.cnf.d/tripleo.cnf
148 read_default_group: tripleo
149 tripleo.barbican_api.firewall_rules:
155 include ::tripleo::profile::base::barbican::api
156 service_config_settings:
158 barbican::db::mysql::password: {get_param: BarbicanPassword}
159 barbican::db::mysql::user: barbican
160 barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
161 barbican::db::mysql::dbname: barbican
162 barbican::db::mysql::allowed_hosts:
164 - "%{hiera('mysql_bind_host')}"
166 barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
167 barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
168 barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
169 barbican::keystone::auth::password: {get_param: BarbicanPassword}
170 barbican::keystone::auth::region: {get_param: KeystoneRegion}
171 barbican::keystone::auth::tenant: 'service'
173 nova::compute::keymgr_api_class: >
174 castellan.key_manager.barbican_key_manager.BarbicanKeyManager
175 nova::compute::barbican_endpoint:
176 get_param: [EndpointMap, BarbicanInternal, uri]
177 nova::compute::barbican_auth_endpoint:
178 get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
180 cinder::api::keymgr_api_class: >
181 castellan.key_manager.barbican_key_manager.BarbicanKeyManager
182 cinder::api::keymgr_encryption_api_url:
183 get_param: [EndpointMap, BarbicanInternal, uri]
184 cinder::api::keymgr_encryption_auth_url:
185 get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
187 get_attr: [ApacheServiceBase, role_data, metadata_settings]
190 - get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
192 - name: Check if barbican_api is deployed
193 command: systemctl is-enabled openstack-barbican-api
196 register: barbican_api_enabled
197 - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
198 shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
199 when: barbican_api_enabled.rc == 0
200 tags: step0,validation
201 - name: Install openstack-barbican-api package if it was disabled
203 yum: name=openstack-barbican-api state=latest
204 when: barbican_api_enabled.rc != 0