Merge "FQDN validation"
[apex-tripleo-heat-templates.git] / puppet / services / barbican-api.yaml
# Heat template that renders the Puppet hieradata, firewall rule and upgrade
# tasks for the Barbican API service. Barbican is OpenStack's key manager, so
# every credential and transport setting below guards access to stored secrets.
heat_template_version: ocata

description: >
  OpenStack Barbican API service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # One secret, four uses in this template: the keystone authtoken password,
  # the keystone service-user password, the MySQL account password and the
  # password embedded in the database connection URL. Rotating it touches all
  # of them. `hidden: true` masks the value when Heat displays parameters; it
  # does not protect the rendered hieradata.
  BarbicanPassword:
    description: The password for the barbican service account.
    type: string
    hidden: true
  BarbicanWorkers:
    description: Set the number of workers for barbican::wsgi::apache
    default: '%{::processorcount}'
    type: string
  # Feeds barbican::api::logging::debug below.
  # NOTE(review): debug logging on a secret store may record sensitive
  # request details; confirm what is logged before enabling in production.
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  # With the defaults here (port 5672, RabbitClientUseSSL false) the message
  # bus connection is not TLS-protected; both values must be changed together.
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  # NOTE(review): declared as `string` but defaulted with a boolean literal;
  # confirm how the consumer interprets the coerced value.
  RabbitClientUseSSL:
    default: false
    description: >
      Rabbit client subscriber parameter to specify
      an SSL connection to the RabbitMQ host.
    type: string
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  # `guest` is RabbitMQ's stock account name; override it with a dedicated
  # user per deployment rather than relying on this default.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  # Drives barbican::wsgi::apache::ssl below. The default leaves the internal
  # Barbican API listener without TLS.
  EnableInternalTLS:
    type: boolean
    default: false

resources:

  # Shared Apache base service; its role_data config_settings and
  # metadata_settings are merged into this service's outputs.
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}

outputs:
  role_data:
    description: Role data for the Barbican API role.
    value:
      service_name: barbican_api
      config_settings:
        # Apache base settings first, then the Barbican-specific keys.
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
            # Token validation goes to the internal Keystone endpoint.
            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
            barbican::api::db_auto_create: false
            barbican::api::enabled_certificate_plugins: ['simple_certificate']
            barbican::api::logging::debug: {get_param: Debug}
            barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            barbican::api::rabbit_userid: {get_param: RabbitUserName}
            barbican::api::rabbit_password: {get_param: RabbitPassword}
            barbican::api::rabbit_port: {get_param: RabbitClientPort}
            barbican::api::rabbit_heartbeat_timeout_threshold: 60
            barbican::api::service_name: 'httpd'
            # The listener binds only to the address of the network mapped to
            # BarbicanApiNetwork, not to all interfaces.
            barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
            # Server name is resolved at Puppet run time from the per-network
            # FQDN hiera key (fqdn_<network>).
            barbican::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            # The password is concatenated into the URL verbatim, so the
            # rendered connection string holds the secret in clear text and a
            # password containing URL-reserved characters (@ : / ?) is not
            # escaped here.
            # NOTE(review): no TLS option appears in the URL itself; whether
            # the client options file named below supplies one cannot be seen
            # from this template.
            barbican::db::database_connection:
              list_join:
                - ''
                - - {get_param: [EndpointMap, MysqlInternal, protocol]}
                  - '://barbican:'
                  - {get_param: BarbicanPassword}
                  - '@'
                  - {get_param: [EndpointMap, MysqlInternal, host]}
                  - '/barbican'
                  - '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
            # Opens both destination ports; no source restriction is given in
            # this rule.
            # NOTE(review): 13311 is presumably the TLS-terminated port -
            # confirm against the endpoint map.
            tripleo.barbican_api.firewall_rules:
              '117 barbican':
                dport:
                  - 9311
                  - 13311
      step_config: |
        include ::tripleo::profile::base::barbican::api
      # Settings handed to other services (keyed by service name) rather than
      # applied on the Barbican API node's own profile.
      service_config_settings:
        mysql:
          barbican::db::mysql::password: {get_param: BarbicanPassword}
          barbican::db::mysql::user: barbican
          barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          barbican::db::mysql::dbname: barbican
          # '%' is MySQL's wildcard host: the barbican account is accepted
          # from any client address, so database exposure is bounded only by
          # the password and by network controls outside this template.
          barbican::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        keystone:
          barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
          barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
          barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
          barbican::keystone::auth::password: {get_param: BarbicanPassword}
          barbican::keystone::auth::region: {get_param: KeystoneRegion}
          barbican::keystone::auth::tenant: 'service'
        # Nova and Cinder are pointed at Barbican over the internal endpoints.
        # The folded scalar (`>` with default chomping) keeps one trailing
        # newline on the class path; `>-` would strip it.
        # NOTE(review): confirm the consumer tolerates the trailing newline.
        nova_compute:
          nova::compute::keymgr_api_class: >
            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
          nova::compute::barbican_endpoint:
            get_param: [EndpointMap, BarbicanInternal, uri]
          nova::compute::barbican_auth_endpoint:
            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
        cinder_api:
          cinder::api::keymgr_api_class: >
            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
          cinder::api::keymgr_encryption_api_url:
            get_param: [EndpointMap, BarbicanInternal, uri]
          cinder::api::keymgr_encryption_auth_url:
            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        # Probe only: a non-zero rc is recorded in barbican_api_enabled and
        # steers the two tasks below instead of failing the play.
        - name: Check if barbican_api is deployed
          command: systemctl is-enabled openstack-barbican-api
          tags: common
          ignore_errors: true
          register: barbican_api_enabled
        # Needs `shell` because of the pipe; fails validation unless the
        # unit's ActiveState is exactly "active".
        - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
          shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
          when: barbican_api_enabled.rc == 0
          tags: step0,validation
        # `state=latest` installs whatever version the configured repositories
        # currently offer; the package version is not pinned here.
        - name: Install openstack-barbican-api package if it was disabled
          tags: step3
          yum: name=openstack-barbican-api state=latest
          when: barbican_api_enabled.rc != 0