1 heat_template_version: pike
4 OpenStack Barbican API service configured with Puppet
9 description: Mapping of service_name -> network name. Typically set
10 via parameter_defaults in the resource registry. This
11 mapping overrides those in ServiceNetMapDefaults.
18 description: Mapping of service endpoint -> protocol. Typically set
19 via parameter_defaults in the resource registry.
22 description: The password for the barbican service account.
26 description: Set the number of workers for barbican::wsgi::apache
27 default: '%{::processorcount}'
31 description: Set to True to enable debugging on all services.
36 description: Keystone region for endpoint
39 description: Set rabbit subscriber port, change this if using SSL
44 Rabbit client subscriber parameter to specify
45 an SSL connection to the RabbitMQ host.
48 description: The password for RabbitMQ
53 description: The username for RabbitMQ
60 A hash of policies to configure for Barbican.
61 e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
70 ServiceNetMap: {get_param: ServiceNetMap}
71 DefaultPasswords: {get_param: DefaultPasswords}
72 EndpointMap: {get_param: EndpointMap}
76 description: Role data for the Barbican API role.
78 service_name: barbican_api
81 - get_attr: [ApacheServiceBase, role_data, config_settings]
82 - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
83 barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
84 barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
85 barbican::keystone::authtoken::project_name: 'service'
86 barbican::policy::policies: {get_param: BarbicanPolicies}
87 barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
88 barbican::api::db_auto_create: false
89 barbican::api::enabled_certificate_plugins: ['simple_certificate']
90 barbican::api::logging::debug: {get_param: Debug}
91 barbican::api::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
92 barbican::api::rabbit_userid: {get_param: RabbitUserName}
93 barbican::api::rabbit_password: {get_param: RabbitPassword}
94 barbican::api::rabbit_port: {get_param: RabbitClientPort}
95 barbican::api::rabbit_heartbeat_timeout_threshold: 60
96 barbican::api::service_name: 'httpd'
97 barbican::wsgi::apache::bind_host: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
98 barbican::wsgi::apache::ssl: {get_param: EnableInternalTLS}
99 barbican::wsgi::apache::workers: {get_param: BarbicanWorkers}
100 barbican::wsgi::apache::servername:
103 "%{hiera('fqdn_$NETWORK')}"
105 $NETWORK: {get_param: [ServiceNetMap, BarbicanApiNetwork]}
106 barbican::db::database_connection:
108 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
110 password: {get_param: BarbicanPassword}
111 host: {get_param: [EndpointMap, MysqlInternal, host]}
114 read_default_file: /etc/my.cnf.d/tripleo.cnf
115 read_default_group: tripleo
116 tripleo.barbican_api.firewall_rules:
122 include ::tripleo::profile::base::barbican::api
123 service_config_settings:
125 barbican::db::mysql::password: {get_param: BarbicanPassword}
126 barbican::db::mysql::user: barbican
127 barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
128 barbican::db::mysql::dbname: barbican
129 barbican::db::mysql::allowed_hosts:
131 - "%{hiera('mysql_bind_host')}"
133 barbican::keystone::auth::public_url: {get_param: [EndpointMap, BarbicanPublic, uri]}
134 barbican::keystone::auth::internal_url: {get_param: [EndpointMap, BarbicanInternal, uri]}
135 barbican::keystone::auth::admin_url: {get_param: [EndpointMap, BarbicanAdmin, uri]}
136 barbican::keystone::auth::password: {get_param: BarbicanPassword}
137 barbican::keystone::auth::region: {get_param: KeystoneRegion}
138 barbican::keystone::auth::tenant: 'service'
140 nova::compute::keymgr_api_class: >
141 castellan.key_manager.barbican_key_manager.BarbicanKeyManager
142 nova::compute::barbican_endpoint:
143 get_param: [EndpointMap, BarbicanInternal, uri]
144 nova::compute::barbican_auth_endpoint:
145 get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
147 cinder::api::keymgr_api_class: >
148 castellan.key_manager.barbican_key_manager.BarbicanKeyManager
149 cinder::api::keymgr_encryption_api_url:
150 get_param: [EndpointMap, BarbicanInternal, uri]
151 cinder::api::keymgr_encryption_auth_url:
152 get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
154 get_attr: [ApacheServiceBase, role_data, metadata_settings]
157 expression: $.data.apache_upgrade + $.data.barbican_api_upgrade
160 get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
161 barbican_api_upgrade:
162 - name: Check if barbican_api is deployed
163 command: systemctl is-enabled openstack-barbican-api
166 register: barbican_api_enabled
167 - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
168 shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
169 when: barbican_api_enabled.rc == 0
170 tags: step0,validation
171 - name: Install openstack-barbican-api package if it was disabled
173 yum: name=openstack-barbican-api state=latest
174 when: barbican_api_enabled.rc != 0