Barbican role for OpenStack-Ansible

This Ansible role installs and configures OpenStack Barbican, the key and secrets management service. Because the service stores secrets for the rest of the cloud, pay particular attention to the authentication, TLS and credential defaults below before deploying.

To clone or view the source code for this repository, visit the role repository for os_barbican.

Default variables

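## Verbosity Options
# Canonical lowercase boolean; `True`/`yes`-style literals parse differently
# between YAML 1.1 and 1.2 loaders.
debug: false

# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
barbican_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
# Interpreter used on the setup host: the playbook's own Python when the setup
# host is localhost, otherwise the Python discovered on that remote host.
barbican_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((barbican_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable'])) }}"

# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
# NOTE(review): 'latest' re-resolves packages on every run, so a routine
# config run can silently pull in an upgrade and installs are not
# reproducible. Use 'present' (with versions pinned upstream) where change
# control matters.
barbican_package_state: "latest"
barbican_pip_package_state: "latest"

# Set installation method.
barbican_install_method: "source"

# Toggle keystone authentication for barbican
# SECURITY: with this default the role leaves Keystone authentication off,
# i.e. the key-manager API accepts unauthenticated requests. Set it to true
# for anything other than a throwaway development environment. Integrated
# OpenStack-Ansible deployments are expected to override it in group_vars;
# verify that for your inventory rather than relying on this default.
barbican_keystone_auth: false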

## System info
# Dedicated, unprivileged service account for barbican. The /bin/false shell
# keeps the account from being used for interactive logins.
barbican_system_group_name: barbican
barbican_system_user_name: barbican
barbican_system_user_comment: Barbican System User
barbican_system_user_shell: /bin/false
barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
barbican_etc_directory: /etc/barbican
# Directory the uwsgi emperor (see barbican_services) scans for vassal ini files.
barbican_vassals_directory: "{{ barbican_etc_directory }}/vassals"

# Barbican services info
# Program names for the API and the background processes; used to name the
# per-process init units and their log identifiers.
barbican_api_program_name: barbican-api
barbican_keystone_listener_program_name: barbican-keystone-listener
barbican_worker_program_name: barbican-worker
barbican_retry_program_name: barbican-retry

## Service Name-Group Mapping
# Single service entry: a uwsgi emperor that spawns one vassal per ini file in
# barbican_vassals_directory. --master keeps a supervising master process and
# --die-on-term makes SIGTERM stop uwsgi instead of triggering a reload, so
# the init system's stop actually stops the service.
# NOTE(review): barbican_uwsgi_bin is not defined in these defaults;
# presumably it comes from the role's vars/ — confirm before overriding.
barbican_services:
  barbican:
    group: barbican_all
    service_name: barbican
    init_config_overrides: "{{ barbican_init_config_overrides }}"
    execstarts: >-
      {{ barbican_uwsgi_bin }}/uwsgi
      --master
      --die-on-term
      --emperor {{ barbican_vassals_directory }}
    start_order: 1

## Service Type and Data
# Identity of the service as registered in the Keystone catalog.
barbican_service_name: barbican
barbican_service_user_name: barbican
barbican_service_type: key-manager
barbican_service_description: "OpenStack Key and Secrets Management (Barbican)"
# Barbican-specific roles that the service setup creates in Keystone.
barbican_default_role_names:
  - "key-manager:service-admin"
  - creator
  - observer
  - audit
# Roles granted to the barbican service user itself.
# NOTE(review): 'admin' is a broad, cloud-wide role; check whether the service
# account really needs it before keeping this default (least privilege).
barbican_service_role_names:
  - admin
  - creator
barbican_service_region: RegionOne
# 0.0.0.0 binds the API on every interface of the host. If the API must only
# be reachable from the management network, bind to that address or restrict
# it with host firewalling.
barbican_service_host: "0.0.0.0"
barbican_service_port: 9311
# Plain http by default. The *_proto variables below only change the scheme of
# the URLs registered in the catalog; they do not enable TLS on the listener
# itself (see barbican_ssl further down). Secrets therefore cross the network
# in clear text unless TLS is terminated at the load balancer.
barbican_service_proto: http
barbican_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(barbican_service_proto) }}"
barbican_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(barbican_service_proto) }}"
barbican_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(barbican_service_proto) }}"
# Catalog endpoints: public on the external VIP, internal and admin on the
# internal VIP. external_lb_vip_address / internal_lb_vip_address must be set
# by the deployer.
barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"

# Deployer override hooks for the generated config, policy, paste, audit-map
# and uwsgi vassal files. Empty mappings mean "no overrides".
barbican_init_config_overrides: {}
barbican_config_overrides: {}
barbican_policy_overrides: {}
barbican_paste_overrides: {}
barbican_api_audit_map_overrides: {}
barbican_vassals_api_overrides: {}

## Toggle developer mode
# When true, barbican is built from git (barbican_developer_constraints) and
# the pre-built venv download is skipped.
barbican_developer_mode: false

## The git source/branch
# NOTE(review): git.openstack.org has since been superseded by opendev.org;
# verify this URL still resolves (or is redirected) before relying on it.
barbican_git_repo: "https://git.openstack.org/openstack/barbican"
barbican_git_install_branch: 'stable/rocky'

## The packages to build from source (used in developer mode)
barbican_developer_constraints:
  - "git+{{ barbican_git_repo }}@{{ barbican_git_install_branch }}#egg=barbican"

# Name of the virtual env to deploy into
barbican_venv_tag: untagged
# _barbican_bin is expected to be set elsewhere in the role (vars/).
barbican_bin: "{{ _barbican_bin }}"

# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
barbican_venv_download: "{{ not barbican_developer_mode | bool }}"
# URL of the pre-built virtualenv
# NOTE(review): plain http and no checksum variable are defined here. That is
# acceptable for the loopback/repo-server default, but if this is pointed at
# a remote host make sure artifact integrity (TLS or a verified checksum) is
# covered elsewhere — the venv contains the code that will handle secrets.
barbican_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/barbican.tgz

# Database vars
# Setup runs against the first galera_all host when that group exists,
# otherwise locally.
barbican_db_setup_host: "{{ ('galera_all' in groups) | ternary(groups['galera_all'][0], 'localhost') }}"
barbican_galera_address: "{{ galera_address | default('127.0.0.1') }}"
barbican_galera_database: barbican
# barbican_galera_password is deliberately not defaulted; it is a required
# variable and should come from a secret store, not plain-text vars.
barbican_galera_user: barbican
# TLS to the database is off unless galera_use_ssl is set globally; with the
# default the DB connection (which carries barbican's encrypted-at-rest
# secret rows and metadata) is unencrypted on the wire.
barbican_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
# CA bundle presumably used only when barbican_galera_use_ssl is true.
barbican_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"

## Oslo Messaging

# RPC
# Broker setup runs on the first host of the RPC host group (rabbitmq_all by
# default), falling back to localhost when the group is absent.
barbican_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
barbican_oslomsg_rpc_setup_host: "{{ (barbican_oslomsg_rpc_host_group in groups) | ternary(groups[barbican_oslomsg_rpc_host_group][0], 'localhost') }}"
barbican_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
barbican_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
barbican_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
# TLS to the broker is off unless oslomsg_rpc_use_ssl is set globally.
barbican_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
# barbican_oslomsg_rpc_password is a required variable with no default here.
barbican_oslomsg_rpc_userid: barbican
barbican_oslomsg_rpc_vhost: /barbican

# Notify
# Notifications reuse the RPC credentials and vhost by default, so one broker
# credential covers both paths; override these to separate them.
barbican_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
barbican_oslomsg_notify_setup_host: "{{ (barbican_oslomsg_notify_host_group in groups) | ternary(groups[barbican_oslomsg_notify_host_group][0], 'localhost') }}"
barbican_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
barbican_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
barbican_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
barbican_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
barbican_oslomsg_notify_userid: "{{ barbican_oslomsg_rpc_userid }}"
barbican_oslomsg_notify_password: "{{ barbican_oslomsg_rpc_password }}"
barbican_oslomsg_notify_vhost: "{{ barbican_oslomsg_rpc_vhost }}"

## (Qdrouterd) integration
# TODO(ansmith): Change structure when more backends will be supported
# True only when the RPC transport is 'amqp'; gates the optional amqp1 pip
# extra further down.
barbican_oslomsg_amqp1_enabled: "{{ barbican_oslomsg_rpc_transport == 'amqp' }}"

# Keystone AuthToken/Middleware
# Credentials the API uses to validate tokens with Keystone. The password
# itself is barbican_service_password (required, no default here). These are
# only effective when barbican_keystone_auth is enabled.
barbican_keystone_auth_plugin: password
barbican_service_project_domain_id: default
barbican_service_user_domain_id: default
barbican_service_project_name: service

# Apache configuration vars
# NOTE(review): the service defined above is started as a uwsgi emperor;
# whether the apache_* values here are still consumed cannot be confirmed
# from these defaults — check the templates before tuning them.
barbican_wsgi_processes_max: 16
# Worker count: half the vCPUs, at least 1, capped at barbican_wsgi_processes_max.
barbican_wsgi_processes: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, barbican_wsgi_processes_max] | min }}"
barbican_wsgi_threads: 1
barbican_apache_log_level: info
# Minimal server identification in responses/error pages.
barbican_apache_servertokens: "Prod"
barbican_apache_serversignature: "Off"

# TLS on the barbican listener is off by default.
barbican_ssl: false
barbican_ssl_cert: /etc/ssl/certs/barbican.pem
barbican_ssl_key: /etc/ssl/private/barbican.key
barbican_ssl_ca_cert: /etc/ssl/certs/barbican-ca.pem
# NOTE(review): 'ALL -SSLv2 -SSLv3' still permits TLSv1 and TLSv1.1; set
# ssl_protocol to something like 'TLSv1.2' (or newer) for a key manager.
barbican_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
# NOTE(review): the RSA+AESGCM / RSA+AES entries use static RSA key exchange
# (no forward secrecy) and the DH+ entries are only as strong as the server's
# DH parameters. Prefer an ECDHE-only list unless legacy clients require more.
barbican_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"

# if using a self-signed certificate, set this to true to regenerate it
barbican_ssl_self_signed_regen: false
# Self-signed cert identity: CN is the internal VIP, SAN the external VIP.
# Self-signed certificates are for testing only; clients cannot verify them
# without distributing this cert as a trust anchor.
barbican_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these in user_variables to deploy custom certificates. Paths are on the
# Ansible deployment host; the private key must be readable only by the
# deploying user there.
#barbican_user_ssl_cert: <path to cert on ansible deployment host>
#barbican_user_ssl_key: <path to private key on ansible deployment host>
#barbican_user_ssl_ca_cert: <path to CA cert on ansible deployment host>

# packages required to run the barbican service
# No versions are pinned in this list; pins presumably come from the
# repo_build constraints — confirm they cover every entry here.
barbican_pip_packages:
  - barbican
  - osprofiler
  - PyMySQL
  - python-memcached
  - systemd-python
  - uwsgi

# Installed in addition to the above only when barbican_oslomsg_amqp1_enabled.
barbican_optional_oslomsg_amqp1_pip_packages:
  - oslo.messaging[amqp1]

# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
barbican_role_project_group: barbican_all

# Override hook for the generated uwsgi init unit; empty means no overrides.
barbican_uwsgi_init_overrides: {}

Dependencies

This role needs pip >= 7.1 installed on the target host.

This role requires the following variables to be defined. The `*_password` variables are credentials for the database, the message broker, the service account and the Keystone admin user; supply them from Ansible Vault or another secret store rather than plain-text vars files checked into version control:

barbican_galera_address
barbican_galera_password
barbican_oslomsg_rpc_password
barbican_service_password
keystone_admin_user_name
keystone_auth_admin_password
keystone_admin_tenant_name

Example playbook

# Example only. The literal passwords below are placeholders; in a real
# deployment keep every *_password in Ansible Vault (or another secret store)
# and never commit them in clear text.
# NOTE(review): barbican_keystone_auth defaults to off in this role, so as
# written this example deploys an unauthenticated key manager; set it to true
# for anything beyond a local test.
- name: Install barbican server
  hosts: barbican_all
  user: root
  roles:
   - role: "os_barbican"
  vars:
    external_lb_vip_address: 172.16.24.1
    internal_lb_vip_address: 192.168.0.1
    barbican_galera_address: "{{ internal_lb_vip_address }}"
    barbican_service_password: SuperSecretePassword1
    barbican_galera_password: SuperSecretePassword2
    barbican_oslomsg_rpc_password: SuperSecretePassword3
    barbican_oslomsg_notify_password: "{{ barbican_oslomsg_rpc_password }}"  # notify defaults to the RPC user, so it must use the same password
    keystone_admin_user_name: admin
    keystone_auth_admin_password: SuperSecretePassword5
    keystone_admin_tenant_name: admin
    galera_root_user: root
  # Prompting keeps the Galera root password out of the playbook entirely.
  vars_prompt:
    - name: "galera_root_password"
      prompt: "What is galera_root_password?"

Tags

This role supports two tags: `barbican-install` and `barbican-config`. The `barbican-install` tag can be used to install and upgrade. The `barbican-config` tag can be used to maintain configuration of the service.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.