Add barbican role
Sem-Ver: feature
Change-Id: I91e736d2647511db24fe37bab646f3cd3b2f3f1a
diff --git a/doc/source/roles/openstack_helm_barbican/index.rst b/doc/source/roles/openstack_helm_barbican/index.rst
new file mode 100644
index 0000000..7a449d8
--- /dev/null
+++ b/doc/source/roles/openstack_helm_barbican/index.rst
@@ -0,0 +1,10 @@
+.. Copyright (C) 2022 VEXXHOST, Inc.
+.. SPDX-License-Identifier: Apache-2.0
+
+``openstack_helm_barbican``
+===========================
+
+.. toctree::
+ :maxdepth: 2
+
+ defaults/main
\ No newline at end of file
diff --git a/playbooks/generate_workspace.yml b/playbooks/generate_workspace.yml
index 7556f41..038cbb2 100644
--- a/playbooks/generate_workspace.yml
+++ b/playbooks/generate_workspace.yml
@@ -209,6 +209,7 @@
vars:
default_map:
openstack_helm_endpoints_region_name: "{{ region_name }}"
+ openstack_helm_endpoints_barbican_api_host: "key-manager.{{ domain_name }}"
openstack_helm_endpoints_cinder_api_host: "volume.{{ domain_name }}"
openstack_helm_endpoints_designate_api_host: "dns.{{ domain_name }}"
openstack_helm_endpoints_glance_api_host: "image.{{ domain_name }}"
@@ -297,7 +298,21 @@
with_lines: >
ls {{ playbook_dir }}/../roles/*/defaults/main.yml |
xargs grep undef |
- egrep -v '(_host|region_name|_ssh_key|_vip|_interface)' |
+ egrep -v '(_host|region_name|_ssh_key|_vip|_interface|_kek)' |
+ cut -d':' -f2
+
+ - name: Generate base64 encoded secrets
+ ansible.builtin.set_fact:
+ secrets: "{{ secrets | default({}) | combine({item: lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=32') | b64encode}) }}"
+ # NOTE(mnaser): We don't want to override existing secrets, so we generate
+ # a new one if and only if it doesn't exist
+ when: item not in secrets
+ # NOTE(mnaser): This is absolutely hideous but there's no clean way of
+ # doing this using `with_fileglob` or `with_filetree`
+ with_lines: >
+ ls {{ playbook_dir }}/../roles/*/defaults/main.yml |
+ xargs grep undef |
+ egrep '(_kek)' |
cut -d':' -f2
- name: Generate temporary files for generating keys for missing variables
diff --git a/releasenotes/notes/barbican-add-role-8c70f47a587d871a.yaml b/releasenotes/notes/barbican-add-role-8c70f47a587d871a.yaml
new file mode 100644
index 0000000..e26dc8d
--- /dev/null
+++ b/releasenotes/notes/barbican-add-role-8c70f47a587d871a.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add barbican role
diff --git a/roles/openstack_helm_barbican/defaults/main.yml b/roles/openstack_helm_barbican/defaults/main.yml
new file mode 100644
index 0000000..149da0c
--- /dev/null
+++ b/roles/openstack_helm_barbican/defaults/main.yml
@@ -0,0 +1,61 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 VEXXHOST, Inc.
+# .. SPDX-License-Identifier: Apache-2.0
+
+# Default variables
+# =================
+
+# .. contents:: Sections
+# :local:
+
+
+# .. envvar:: openstack_helm_barbican_chart_repo_name [[[
+#
+# Helm repository name for the chart.
+openstack_helm_barbican_chart_repo_name: openstack-helm
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_chart_repo_url [[[
+#
+# Helm repository URL for the chart.
+openstack_helm_barbican_chart_repo_url: https://tarballs.opendev.org/openstack/openstack-helm/
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_chart_name [[[
+#
+# Helm chart name (will also be used for release name)
+openstack_helm_barbican_chart_name: barbican
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_image_repository [[[
+#
+# Image repository location to be prefixed for all images
+openstack_helm_barbican_image_repository: "{{ atmosphere_image_repository | default('us-docker.pkg.dev/vexxhost-infra/openstack') }}"
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_image_tag [[[
+#
+# Image tag for container
+openstack_helm_barbican_image_tag: 12.0.1.dev11
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_heat_image_tag [[[
+#
+# Image tag for Heat to be used for jobs running via Helm hooks
+openstack_helm_barbican_heat_image_tag: wallaby
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_values [[[
+#
+# Overrides for Helm chart values
+openstack_helm_barbican_values: {}
+
+ # ]]]
+# .. envvar:: openstack_helm_barbican_kek [[[
+#
+# Barbican key encryption key
+openstack_helm_barbican_kek: "{{ undef(hint='You must specify a Barbican key encryption key') }}"
+
+ # ]]]
diff --git a/roles/openstack_helm_barbican/meta/main.yml b/roles/openstack_helm_barbican/meta/main.yml
new file mode 100644
index 0000000..d7db878
--- /dev/null
+++ b/roles/openstack_helm_barbican/meta/main.yml
@@ -0,0 +1,29 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+ author: VEXXHOST, Inc.
+ description: Ansible role for OpenStack Barbican
+ license: Apache-2.0
+ min_ansible_version: 5.5.0
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal
+
+dependencies:
+ - role: helm_repository
+ vars:
+ helm_repository_name: "{{ openstack_helm_barbican_chart_repo_name }}"
+ helm_repository_repo_url: "{{ openstack_helm_barbican_chart_repo_url }}"
diff --git a/roles/openstack_helm_barbican/tasks/main.yml b/roles/openstack_helm_barbican/tasks/main.yml
new file mode 100644
index 0000000..1aca5b0
--- /dev/null
+++ b/roles/openstack_helm_barbican/tasks/main.yml
@@ -0,0 +1,38 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Generate OpenStack-Helm endpoints
+ ansible.builtin.include_role:
+ name: openstack_helm_endpoints
+ vars:
+ openstack_helm_endpoints_repo_name: "{{ openstack_helm_barbican_chart_repo_name }}"
+ openstack_helm_endpoints_repo_url: "{{ openstack_helm_barbican_chart_repo_url }}"
+ openstack_helm_endpoints_chart: "{{ openstack_helm_barbican_chart_name }}"
+
+- name: Deploy Helm chart
+ kubernetes.core.helm:
+ name: "{{ openstack_helm_barbican_chart_name }}"
+ chart_ref: "{{ openstack_helm_barbican_chart_repo_name }}/{{ openstack_helm_barbican_chart_name }}"
+ chart_version: 0.2.12
+ release_namespace: openstack
+ kubeconfig: /etc/kubernetes/admin.conf
+ values: "{{ _openstack_helm_barbican_values | combine(openstack_helm_barbican_values, recursive=True) }}"
+
+- name: Create Ingress
+ ansible.builtin.include_role:
+ name: openstack_helm_ingress
+ vars:
+ openstack_helm_ingress_endpoint: barbican
+ openstack_helm_ingress_service_name: barbican-api
+ openstack_helm_ingress_service_port: 9311
diff --git a/roles/openstack_helm_barbican/vars/main.yml b/roles/openstack_helm_barbican/vars/main.yml
new file mode 100644
index 0000000..597f8ca
--- /dev/null
+++ b/roles/openstack_helm_barbican/vars/main.yml
@@ -0,0 +1,43 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+_openstack_helm_barbican_values:
+ endpoints: "{{ openstack_helm_endpoints }}"
+ images:
+ tags:
+ bootstrap: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+ db_drop: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+ db_init: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+ dep_check: "{{ openstack_helm_barbican_image_repository }}/kubernetes-entrypoint:latest"
+ ks_endpoints: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+ ks_service: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+ ks_user: "{{ openstack_helm_barbican_image_repository }}/heat:{{ openstack_helm_barbican_heat_image_tag }}"
+ barbican_db_sync: "{{ openstack_helm_barbican_image_repository }}/barbican:{{ openstack_helm_barbican_image_tag }}"
+ barbican_api: "{{ openstack_helm_barbican_image_repository }}/barbican:{{ openstack_helm_barbican_image_tag }}"
+ rabbit_init: "{{ openstack_helm_barbican_image_repository }}/rabbitmq:3.8.23-management"
+ pod:
+ replicas:
+ api: 3
+ conf:
+ barbican:
+ DEFAULT:
+ log_config_append: null
+ simple_crypto_plugin:
+ kek: "{{ openstack_helm_barbican_kek }}"
+ simple_crypto_kek_rewrap:
+ old_kek: "{{ openstack_helm_barbican_kek }}"
+
+ manifests:
+ ingress_api: false
+ service_ingress_api: false
diff --git a/roles/openstack_helm_endpoints/defaults/main.yml b/roles/openstack_helm_endpoints/defaults/main.yml
index 1fef800..53cf321 100644
--- a/roles/openstack_helm_endpoints/defaults/main.yml
+++ b/roles/openstack_helm_endpoints/defaults/main.yml
@@ -155,6 +155,30 @@
openstack_helm_endpoints_placement_mariadb_password: "{{ undef(hint='You must specify a Placement MariaDB password') }}"
# ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_api_host [[[
+#
+# API hostname for OpenStack Barbican Service
+openstack_helm_endpoints_barbican_api_host: "{{ undef(hint='You must specify a Barbican API hostname') }}"
+
+ # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_region_name [[[
+#
+# Region name for service
+openstack_helm_endpoints_barbican_region_name: "{{ openstack_helm_endpoints_region_name }}"
+
+ # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_keystone_password [[[
+#
+# Keystone password for service
+openstack_helm_endpoints_barbican_keystone_password: "{{ undef(hint='You must specify a Barbican Keystone password') }}"
+
+ # ]]]
+# .. envvar:: openstack_helm_endpoints_barbican_mariadb_password [[[
+#
+# Database password for service
+openstack_helm_endpoints_barbican_mariadb_password: "{{ undef(hint='You must specify a Barbican MariaDB password') }}"
+
+ # ]]]
# .. envvar:: openstack_helm_endpoints_neutron_api_host [[[
#
# API hostname for OpenStack Networking Service
diff --git a/roles/openstack_helm_endpoints/vars/main.yml b/roles/openstack_helm_endpoints/vars/main.yml
index f575e92..561b335 100644
--- a/roles/openstack_helm_endpoints/vars/main.yml
+++ b/roles/openstack_helm_endpoints/vars/main.yml
@@ -151,6 +151,27 @@
api:
public: 443
+_openstack_helm_endpoints_key_manager:
+ identity:
+ auth:
+ barbican:
+ region_name: "{{ openstack_helm_endpoints_barbican_region_name }}"
+ username: "barbican-{{ openstack_helm_endpoints_barbican_region_name }}"
+ password: "{{ openstack_helm_endpoints_barbican_keystone_password }}"
+ oslo_db:
+ auth:
+ barbican:
+ password: "{{ openstack_helm_endpoints_barbican_mariadb_password }}"
+ key_manager:
+ scheme:
+ public: https
+ host_fqdn_override:
+ public:
+ host: "{{ openstack_helm_endpoints_barbican_api_host }}"
+ port:
+ api:
+ public: 443
+
_openstack_helm_endpoints_network:
identity:
auth: