diff --git a/deployment/barbican/barbican-client-puppet.yaml b/deployment/barbican/barbican-client-puppet.yaml
new file mode 100644
index 0000000000..d97016557a
--- /dev/null
+++ b/deployment/barbican/barbican-client-puppet.yaml
@@ -0,0 +1,60 @@
+heat_template_version: rocky
+
+description: >
+ OpenStack Barbican client configuration
+
+parameters:
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the Barbican client.
+ value:
+ service_name: barbican_client
+ service_config_settings:
+ nova_compute:
+ nova::compute::keymgr_backend: barbican
+ nova::compute::barbican_endpoint:
+ get_param: [EndpointMap, BarbicanInternal, uri]
+ nova::compute::barbican_auth_endpoint:
+ get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
+ cinder_volume: &cinder_barbican_config
+ cinder::config::cinder_config:
+ key_manager/backend:
+ value: barbican
+ barbican/barbican_endpoint:
+ value: {get_param: [EndpointMap, BarbicanInternal, uri]}
+ barbican/auth_endpoint:
+ value: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ cinder_backup: *cinder_barbican_config
+ glance_api:
+ glance::api::keymgr_backend: barbican
+ glance::api::keymgr_encryption_api_url:
+ get_param: [EndpointMap, BarbicanInternal, uri]
+ glance::api::keymgr_encryption_auth_url:
+ get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]
diff --git a/environments/services/barbican-edge.yaml b/environments/services/barbican-edge.yaml
new file mode 100644
index 0000000000..e00c09e717
--- /dev/null
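Review bot: Every endpoint this template hands to nova_compute, cinder_volume/cinder_backup and glance_api comes from `BarbicanInternal` and `KeystoneInternal`, and on a DCN/Edge node those Internal API URLs are reached from outside the control plane, so the key material the Barbican clients fetch (volume and image encryption keys) and the Keystone tokens used to fetch it cross that link with whatever protocol the `EndpointMap` assigns; nothing in the template requires or documents that internal TLS be enabled for edge stacks. I would extend the two-word description with a sentence such as `Requires the control-plane Internal API endpoints to be reachable from the edge site; enable internal TLS so key payloads and tokens are not sent in cleartext across the WAN.` The template also declares `ServiceData`, `ServiceNetMap`, `DefaultPasswords`, `RoleName` and `RoleParameters` but reads none of them, which is the usual TripleO service interface and fine if intentional. Whether `BarbicanInternal` is actually routable from the edge network is not visible in this hunk and should be confirmed against the site's network layout.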
+++ b/environments/services/barbican-edge.yaml
@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to configure services running at
+# a DCN/Edge site to access Barbican in the control plane.
+resource_registry:
+ OS::TripleO::Services::BarbicanClient: ../../deployment/barbican/barbican-client-puppet.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 47884e6648..88cb5d586b 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -252,6 +252,7 @@ resource_registry:
 OS::TripleO::Services::BarbicanBackendDogtag: OS::Heat::None
 OS::TripleO::Services::BarbicanBackendKmip: OS::Heat::None
 OS::TripleO::Services::BarbicanBackendPkcs11Crypto: OS::Heat::None
+ OS::TripleO::Services::BarbicanClient: OS::Heat::None
 OS::TripleO::Services::AodhApi: OS::Heat::None
 OS::TripleO::Services::AodhEvaluator: OS::Heat::None
 OS::TripleO::Services::AodhListener: OS::Heat::None
diff --git a/releasenotes/notes/add-barbican-client-for-dcn-7182e8bab41fce21.yaml b/releasenotes/notes/add-barbican-client-for-dcn-7182e8bab41fce21.yaml
new file mode 100644
index 0000000000..eb33129f02
--- /dev/null
+++ b/releasenotes/notes/add-barbican-client-for-dcn-7182e8bab41fce21.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Add new BarbicanClient tripleo service for configuring DCN/Edge nodes
+ to access a barbican service running in the control plane. The client
+ service is disabled by default, and can be enabled by including the
+ environments/services/barbican-edge.yaml environment file when deploying
+ a DCN/Edge stack.
+fixes:
+ - |
+ Ensure the barbican Key Manager settings are configured on DCN/Edge nodes
+ when the barbican service is deployed in the control plane. See `bug 1886070
+ `_.
diff --git a/roles/DistributedCompute.yaml b/roles/DistributedCompute.yaml
index 08f4338e3a..c3c7db728f 100644
--- a/roles/DistributedCompute.yaml
+++ b/roles/DistributedCompute.yaml
@@ -18,6 +18,7 @@ ServicesDefault:
 - OS::TripleO::Services::Aide
 - OS::TripleO::Services::AuditD
+ - OS::TripleO::Services::BarbicanClient
 - OS::TripleO::Services::BootParams
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CephClient
diff --git a/roles/DistributedComputeHCI.yaml b/roles/DistributedComputeHCI.yaml
index 6cb04bb6df..e756ebc50a 100644
--- a/roles/DistributedComputeHCI.yaml
+++ b/roles/DistributedComputeHCI.yaml
@@ -20,6 +20,7 @@ ServicesDefault:
 - OS::TripleO::Services::Aide
 - OS::TripleO::Services::AuditD
+ - OS::TripleO::Services::BarbicanClient
 - OS::TripleO::Services::BootParams
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CephClient
diff --git a/roles/DistributedComputeHCIScaleOut.yaml b/roles/DistributedComputeHCIScaleOut.yaml
index cc521072aa..2018b1448e 100644
--- a/roles/DistributedComputeHCIScaleOut.yaml
+++ b/roles/DistributedComputeHCIScaleOut.yaml
@@ -20,6 +20,7 @@ ServicesDefault:
 - OS::TripleO::Services::Aide
 - OS::TripleO::Services::AuditD
+ - OS::TripleO::Services::BarbicanClient
 - OS::TripleO::Services::BootParams
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CephClient
diff --git a/roles/DistributedComputeScaleOut.yaml b/roles/DistributedComputeScaleOut.yaml
index bfa08da80d..a9ac546186 100644
--- a/roles/DistributedComputeScaleOut.yaml
+++ b/roles/DistributedComputeScaleOut.yaml
@@ -18,6 +18,7 @@ ServicesDefault:
 - OS::TripleO::Services::Aide
 - OS::TripleO::Services::AuditD
+ - OS::TripleO::Services::BarbicanClient
 - OS::TripleO::Services::BootParams
 - OS::TripleO::Services::CACerts
 - OS::TripleO::Services::CephClient