Merge "Use Deployment actions for blacklist"

[apex-tripleo-heat-templates.git] / puppet / services / barbican-api.yaml

heat_template_version: pike

description: >
  OpenStack Barbican API service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  BarbicanPassword:
    description: The password for the barbican service account.
    type: string
    hidden: true
  BarbicanWorkers:
    description: Set the number of workers for barbican::wsgi::apache
    default: '%{::processorcount}'
    type: string
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  BarbicanDebug:
    default: ''
    description: Set to True to enable debugging Barbican service.
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  BarbicanPolicies:
    description: |
      A hash of policies to configure for Barbican.
      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
    default: {}
    type: json

resources:

  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

conditions:
  service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}

outputs:
  role_data:
    description: Role data for the Barbican API role.
    value:
      service_name: barbican_api
      config_settings:
        map_merge:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
            barbican::policy::policies: {get_param: BarbicanPolicies}
            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
            barbican::api::db_auto_create: false
            barbican::api::enabled_certificate_plugins: ['simple_certificate']
            barbican::api::logging::debug:
              if:
              - service_debug_unset
              - {get_param: Debug }
              - {get_param: BarbicanDebug }
            barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            barbican::api::rabbit_userid: {get_param: RabbitUserName}
            barbican::api::rabbit_password: {get_param: RabbitPassword}
            barbican::api::rabbit_port: {get_param: RabbitClientPort}
            barbican::api::rabbit_heartbeat_timeout_threshold: 60
            barbican::api::service_name: 'httpd'
            barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            barbican::wsgi::apache::ssl:  {get_param: EnableInternalTLS}
            barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
            barbican::wsgi::apache::servername:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
            barbican::db::database_connection:
              make_url:
                scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
                username: barbican
                password: {get_param: BarbicanPassword}
                host: {get_param: [EndpointMap, MysqlInternal, host]}
                path: /barbican
                query:
                  read_default_file: /etc/my.cnf.d/tripleo.cnf
                  read_default_group: tripleo
            tripleo.barbican_api.firewall_rules:
              '117 barbican':
                dport:
                  - 9311
                  - 13311
      step_config: |
        include ::tripleo::profile::base::barbican::api
      service_config_settings:
        mysql:
          barbican::db::mysql::password: {get_param: BarbicanPassword}
          barbican::db::mysql::user: barbican
          barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
          barbican::db::mysql::dbname: barbican
          barbican::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
        keystone:
          barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
          barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
          barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
          barbican::keystone::auth::password: {get_param: BarbicanPassword}
          barbican::keystone::auth::region: {get_param: KeystoneRegion}
          barbican::keystone::auth::tenant: 'service'
        nova_compute:
          nova::compute::keymgr_api_class: >
            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
          nova::compute::barbican_endpoint:
            get_param: [EndpointMap, BarbicanInternal, uri]
          nova::compute::barbican_auth_endpoint:
            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
        cinder_api:
          cinder::api::keymgr_api_class: >
            castellan.key_manager.barbican_key_manager.BarbicanKeyManager
          cinder::api::keymgr_encryption_api_url:
            get_param: [EndpointMap, BarbicanInternal, uri]
          cinder::api::keymgr_encryption_auth_url:
            get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
      metadata_settings:
        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      upgrade_tasks:
        yaql:
          expression: $.data.apache_upgrade + $.data.barbican_api_upgrade
          data:
            apache_upgrade:
              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
            barbican_api_upgrade:
              - name: Check if barbican_api is deployed
                command: systemctl is-enabled openstack-barbican-api
                tags: common
                ignore_errors: True
                register: barbican_api_enabled
              - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
                shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
                when: barbican_api_enabled.rc == 0
                tags: step0,validation
              - name: Install openstack-barbican-api package if it was disabled
                tags: step3
                yum: name=openstack-barbican-api state=latest
                when: barbican_api_enabled.rc != 0