From ac6d9c6ee11c0ae352608032228ae20f843dd014 Mon Sep 17 00:00:00 2001 From: Michael Polenchuk Date: Wed, 27 Jun 2018 18:11:35 +0400 Subject: [PATCH] Bring in Barbican service onboard Change-Id: I68759360c9dd8f8cf422161e21ed15df6c694e84 Signed-off-by: Michael Polenchuk --- mcp/config/states/openstack_ha | 3 +++ mcp/config/states/openstack_noha | 3 +++ .../cluster/mcp-common-ha/openstack_compute.yml | 5 ++++ .../cluster/mcp-common-ha/openstack_control.yml.j2 | 16 +++++++++++++ .../mcp-common-ha/openstack_control_init.yml | 1 + .../cluster/mcp-common-ha/openstack_database.yml | 1 + .../cluster/mcp-common-ha/openstack_init.yml.j2 | 8 +++++++ .../mcp-common-noha/haproxy_openstack_api.yml | 22 ++++++++++++++++++ .../cluster/mcp-common-noha/openstack_compute.yml | 5 ++++ .../cluster/mcp-common-noha/openstack_control.yml | 27 +++++++++++++++++++++- .../cluster/mcp-common-noha/openstack_init.yml.j2 | 9 ++++++++ 11 files changed, 99 insertions(+), 1 deletion(-) diff --git a/mcp/config/states/openstack_ha b/mcp/config/states/openstack_ha index 73c44bb66..f08090425 100755 --- a/mcp/config/states/openstack_ha +++ b/mcp/config/states/openstack_ha @@ -53,6 +53,9 @@ salt -I 'neutron:gateway' state.sls neutron.gateway salt -I 'nova:compute' state.sls nova +salt -I 'barbican:server' state.sls barbican -b 1 +salt -I 'barbican:client' state.sls barbican + salt -I 'redis:cluster:role:master' state.sls redis salt -I 'redis:server' state.sls redis salt -I 'gnocchi:server' state.sls gnocchi -b 1 diff --git a/mcp/config/states/openstack_noha b/mcp/config/states/openstack_noha index 70db238be..02530236a 100755 --- a/mcp/config/states/openstack_noha +++ b/mcp/config/states/openstack_noha 
@@ -46,6 +46,9 @@ salt -I 'neutron:compute' state.sls neutron salt -I 'nova:compute' state.sls nova +salt -I 'barbican:server' state.sls barbican +salt -I 'barbican:client' state.sls barbican + salt -I 'redis:server' state.sls redis salt -I 'gnocchi:server' state.sls gnocchi salt -I 'panko:server' state.sls panko diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml index 7f1cb3a0b..df90bc451 100644 --- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml +++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_compute.yml @@ -17,6 +17,7 @@ classes: - system.cinder.volume.backend.lvm - system.ceilometer.agent.cluster - system.ceilometer.agent.polling.default + - service.barbican.client.cluster - cluster.mcp-common-ha.openstack_compute_pdf - cluster.mcp-common-ha.include.maas_proxy - cluster.mcp-common-ha.include.lab_proxy_pdf @@ -52,6 +53,8 @@ parameters: volume_group: ${linux:storage:lvm:cinder-vg:name} database: connection_recycle_time: ${_param:db_connection_recycle_time} + barbican: + enabled: ${_param:barbican_integration_enabled} linux: storage: lvm: @@ -74,3 +77,5 @@ parameters: compute: disk_cachemodes: file=directsync,block=none preallocate_images: space + barbican: + enabled: ${_param:barbican_integration_enabled} diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 index 0189e038c..28d727eaa 100644 --- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 +++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 
@@ -20,6 +20,9 @@ classes: - system.heat.server.cluster - system.designate.server.cluster - system.designate.server.backend.bind + - system.barbican.server.cluster + - system.apache.server.site.barbican + - service.barbican.server.plugin.simple_crypto - system.bind.server.single - system.haproxy.proxy.listen.openstack.placement - system.glusterfs.client.cluster @@ -71,6 +74,8 @@ parameters: controller: &db_conn_recycle_time database: connection_recycle_time: ${_param:db_connection_recycle_time} + barbican: + enabled: ${_param:barbican_integration_enabled} cinder: controller: <<: *db_conn_recycle_time @@ -149,6 +154,17 @@ parameters: neutron_api: # Set source balancing type: heat + barbican: + server: + ks_notifications_enable: true + store: + software: + crypto_plugin: simple_crypto + store_plugin: store_crypto + global_default: true + database: + connection_recycle_time: ${_param:db_connection_recycle_time} + host: ${_param:openstack_database_address} bind: server: control: diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control_init.yml b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control_init.yml index 0664c5399..7310833b8 100644 --- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control_init.yml +++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control_init.yml @@ -16,6 +16,7 @@ classes: - system.keystone.client.service.designate - system.keystone.client.service.gnocchi - system.keystone.client.service.panko + - system.keystone.client.service.barbican - system.keystone.client.v3.service.keystone parameters: keystone: diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_database.yml b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_database.yml index 89c485e0f..badfa3a3c 100644 --- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_database.yml +++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_database.yml 
@@ -21,6 +21,7 @@ classes: - system.galera.server.database.nova - system.galera.server.database.neutron - system.galera.server.database.panko + - system.galera.server.database.barbican parameters: _param: keepalived_vip_interface: ${_param:single_nic} diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_init.yml.j2 b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_init.yml.j2 index b0f28f9f1..9be8b4543 100644 --- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_init.yml.j2 +++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_init.yml.j2 @@ -184,6 +184,14 @@ parameters: keystone_neutron_password: opnfv_secret keystone_nova_password: opnfv_secret keystone_designate_password: opnfv_secret + + barbican_version: ${_param:openstack_version} + barbican_service_host: ${_param:openstack_control_address} + mysql_barbican_password: opnfv_secret + keystone_barbican_password: opnfv_secret + barbican_simple_crypto_kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=" + barbican_integration_enabled: false + ceilometer_secret_key: opnfv_secret horizon_version: ${_param:openstack_version} horizon_secret_key: opaesee8Que2yahJoh9fo0eefo1Aeyo6ahyei8zeiboh3aeth5loth7ieNa5xi5e diff --git a/mcp/reclass/classes/cluster/mcp-common-noha/haproxy_openstack_api.yml b/mcp/reclass/classes/cluster/mcp-common-noha/haproxy_openstack_api.yml index 9fe5247a4..595e14b68 100644 --- a/mcp/reclass/classes/cluster/mcp-common-noha/haproxy_openstack_api.yml +++ b/mcp/reclass/classes/cluster/mcp-common-noha/haproxy_openstack_api.yml 
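Review bot: `barbican_simple_crypto_kek` in the mcp-common-ha openstack_init.yml.j2 hunk is a fixed value committed to the repository, and it base64-decodes to `abcdefghijklmnopqrstuvwxyz123456`, which looks like the sample key from Barbican's example configuration rather than a generated secret. The control-node hunks make the `simple_crypto` software store the `global_default`, so every secret Barbican stores would be wrapped under a key that anyone with repository access knows and that all deployments built from this model share. The value should be generated per deployment (32 random bytes, base64-encoded) and injected at deploy time. At minimum the line needs a comment such as `# placeholder only: replace with a per-deployment random 32-byte key before storing real secrets`. The same value is added in the mcp-common-noha openstack_init.yml.j2 hunk, and `mysql_barbican_password` and `keystone_barbican_password` reuse the shared `opnfv_secret` default in both.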
@@ -153,3 +153,25 @@ parameters: host: ${_param:cluster_node01_address} port: 8042 params: ${_param:haproxy_check} + barbican_api: + type: openstack-service + service_name: barbican + binds: + - address: ${_param:cluster_vip_address} + port: 9311 + servers: + - name: ctl01 + host: ${_param:cluster_node01_address} + port: 9311 + params: ${_param:haproxy_check} + barbican_admin_api: + type: openstack-service + service_name: barbican + binds: + - address: ${_param:cluster_vip_address} + port: 9312 + servers: + - name: ctl01 + host: ${_param:cluster_node01_address} + port: 9312 + params: ${_param:haproxy_check} diff --git a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml index bfa46ac5c..673853e69 100644 --- a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml +++ b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_compute.yml @@ -16,6 +16,7 @@ classes: - system.ceilometer.client.cinder_volume - system.ceilometer.agent.polling.default - system.linux.system.repo.mcp.openstack + - service.barbican.client.single - cluster.mcp-common-noha.openstack_compute_pdf parameters: _param: @@ -34,6 +35,8 @@ parameters: user: neutron tenant: service password: ${_param:keystone_neutron_password} + barbican: + enabled: ${_param:barbican_integration_enabled} neutron: compute: notification: true @@ -54,6 +57,8 @@ parameters: host: ${_param:cluster_local_address} message_queue: host: ${_param:cluster_local_address} + barbican: + enabled: ${_param:barbican_integration_enabled} nfs: client: mount: diff --git a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_control.yml b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_control.yml index f458281ce..0eeff7c05 100644 --- a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_control.yml +++ b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_control.yml 
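Review bot: The `barbican_admin_api` listener in the haproxy_openstack_api.yml hunk binds port 9312 on `${_param:cluster_vip_address}`, the same address as the public `barbican_api` listener on 9311, so the admin endpoint is reachable wherever the public API is. If the VIP is reachable from tenant or external networks (not visible in this hunk), the admin listener should be bound to a management-only address or left out of the proxy. A comment such as `# admin API: keep on management network only` above the entry would record the intent. Neither listener shows TLS termination, so secret payloads would cross the VIP in clear text unless TLS is configured outside this hunk.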
@@ -26,6 +26,7 @@ classes: - system.keystone.client.service.aodh - system.keystone.client.service.gnocchi - system.keystone.client.service.panko + - system.keystone.client.service.barbican - system.glance.control.single - system.nova.control.single - system.cinder.control.single @@ -42,6 +43,9 @@ classes: - system.galera.server.database.aodh - system.galera.server.database.gnocchi - system.galera.server.database.panko + - system.galera.server.database.barbican + - system.barbican.server.single + - service.barbican.server.plugin.simple_crypto - service.redis.server.single - service.ceilometer.server.single - system.ceilometer.server.coordination.redis @@ -55,6 +59,7 @@ classes: - service.panko.server.single - system.apache.server.site.gnocchi - system.apache.server.site.panko + - system.apache.server.site.barbican - system.horizon.server.single - service.haproxy.proxy.single - cluster.mcp-common-noha.haproxy_openstack_api @@ -99,6 +104,12 @@ parameters: engine: file images: [] workers: 1 + barbican: + enabled: ${_param:barbican_integration_enabled} + cinder: + controller: + barbican: + enabled: ${_param:barbican_integration_enabled} nova: controller: networking: dvr @@ -111,6 +122,8 @@ parameters: novncproxy_port: 6080 vncproxy_url: http://${_param:cluster_vip_address}:6080 workers: 1 + barbican: + enabled: ${_param:barbican_integration_enabled} horizon: server: # yamllint disable-line rule:truthy @@ -162,6 +175,18 @@ parameters: apache: server: site: - gnocchi: + gnocchi: &wsgi_threads wsgi: threads: 1 + barbican: + <<: *wsgi_threads + barbican_admin: + <<: *wsgi_threads + barbican: + server: + ks_notifications_enable: true + store: + software: + crypto_plugin: simple_crypto + store_plugin: store_crypto + global_default: true diff --git a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_init.yml.j2 b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_init.yml.j2 index 872156574..2e0a13175 100644 
--- a/mcp/reclass/classes/cluster/mcp-common-noha/openstack_init.yml.j2 +++ b/mcp/reclass/classes/cluster/mcp-common-noha/openstack_init.yml.j2 @@ -85,6 +85,15 @@ parameters: horizon_identity_host: ${_param:cluster_vip_address} horizon_identity_encryption: none horizon_identity_version: 3 + + barbican_version: ${_param:openstack_version} + barbican_service_host: ${_param:cluster_local_address} + apache_barbican_api_address: ${_param:single_address} + mysql_barbican_password: opnfv_secret + keystone_barbican_password: opnfv_secret + barbican_simple_crypto_kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=" + barbican_integration_enabled: false + aodh_version: ${_param:openstack_version} keystone_aodh_password: opnfv_secret aodh_service_host: ${_param:cluster_local_address} -- 2.16.6