Merge "Internal TLS: use common CA file parameter for libvirt CA cert"
[apex-tripleo-heat-templates.git] / puppet / services / barbican-api.yaml
index d8787c8..ad59e70 100644 (file)
@@ -55,6 +55,12 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  BarbicanPolicies:
+    description: |
+      A hash of policies to configure for Barbican.
+      e.g. { barbican-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
+    default: {}
+    type: json
 
 resources:
 
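Review bot: The description of `BarbicanPolicies` does not say that its entries change Barbican's access rules, and nothing in the parameter constrains what may be passed. The `type: json` value with `default: {}` is handed unchanged to `barbican::policy::policies` in the outputs hunk (`{get_param: BarbicanPolicies}`). Barbican is the key manager, so an overly broad rule changes who can read stored secrets; in oslo.policy an empty rule string permits every caller. I would extend the description with a line such as `Entries replace the matching default policy rules for the key manager; review every rule before deploying.` The puppet class that consumes the hash is not visible here, so how it validates entries should be confirmed there.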
@@ -77,6 +83,7 @@ outputs:
             barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             barbican::keystone::authtoken::project_name: 'service'
+            barbican::policy::policies: {get_param: BarbicanPolicies}
             barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
             barbican::api::db_auto_create: false
             barbican::api::enabled_certificate_plugins: ['simple_certificate']
@@ -146,16 +153,22 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
-        - name: Check if barbican_api is deployed
-          command: systemctl is-enabled openstack-barbican-api
-          tags: common
-          ignore_errors: True
-          register: barbican_api_enabled
-        - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
-          shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
-          when: barbican_api_enabled.rc == 0
-          tags: step0,validation
-        - name: Install openstack-barbican-api package if it was disabled
-          tags: step3
-          yum: name=openstack-barbican-api state=latest
-          when: barbican_api_enabled.rc != 0
+        yaql:
+          expression: $.data.apache_upgrade + $.data.barbican_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            barbican_api_upgrade:
+              - name: Check if barbican_api is deployed
+                command: systemctl is-enabled openstack-barbican-api
+                tags: common
+                ignore_errors: True
+                register: barbican_api_enabled
+              - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
+                shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
+                when: barbican_api_enabled.rc == 0
+                tags: step0,validation
+              - name: Install openstack-barbican-api package if it was disabled
+                tags: step3
+                yum: name=openstack-barbican-api state=latest
+                when: barbican_api_enabled.rc != 0
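Review bot: The new `expression: $.data.apache_upgrade + $.data.barbican_api_upgrade` under `upgrade_tasks` assumes `get_attr: [ApacheServiceBase, role_data, upgrade_tasks]` always yields a list. The Apache base template is not visible here; if it exposes no upgrade_tasks, the attribute presumably resolves to null and the concatenation fails when the stack is evaluated. Guarding the left operand keeps the Barbican checks in place either way: `expression: coalesce($.data.apache_upgrade, []) + $.data.barbican_api_upgrade`. The relocated probe also keeps `ignore_errors: True`, so any failure of `systemctl is-enabled`, not only a disabled unit, leads to the step3 `state=latest` install; a comment on that task stating the intent (and `true` in lowercase) would help. The outputs block starts outside the hunk.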