Merge "Handle the hardcoded configuration values" into release/2019.2.0
diff --git a/.kitchen.yml b/.kitchen.yml
index 4a7d870..79bda71 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -27,10 +27,123 @@
- apache
- barbican
pillars:
+ barbican_plugins.sls:
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: https
+ host: localhost
+ port: 8200
+ root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
+ approle_role_id: role_id
+ approle_secret_id: secret_id
+ kv_mountpoint: secret
+ ssl_ca_crt_file: '/etc/barbican/ssl/vault/CA.crt'
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ -----END CERTIFICATE-----
+ ssl.sls:
+ barbican:
+ server:
+ identity:
+ engine: keystone
+ host: 10.0.106.20
+ port: 35357
+ domain: default
+ tenant: service
+ user: barbican
+ password: password
+ database:
+ engine: "mysql+pymysql"
+ host: 10.0.106.20
+ port: 3306
+ name: barbican
+ user: barbican
+ password: password
+ x509:
+ enabled: True
+ ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ key_file: /etc/barbican/ssl/mysql/client-key.pem
+ cert_file: /etc/barbican/ssl/mysql/client-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIGSjCCBDKgAwIBAgIJAIHRPs2rZbLvMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJKQIBAAKCAgEAq0m4kOIITliYea07yJnlSRNY0o6NaykiteSfHGauiub4lNQJ
+ -----END RSA PRIVATE KEY-----
+ ssl:
+ enabled: True
+ cacert_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
+ message_queue:
+ engine: rabbitmq
+ user: openstack
+ password: password
+ virtual_host: '/openstack'
+ members:
+ - host: 10.10.10.10
+ port: 5672
+ - host: 10.10.10.11
+ port: 5672
+ - host: 10.10.10.12
+ port: 5672
+ port: 5671
+ ssl:
+ # Case #1: specify cacert file and ca cert body explicitly
+ enabled: True
+ cacert_file: /etc/barbican/ssl/rabbitmq_cacert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF0TCCA7mgAwIBAgIJAMHIQpWZYGDTMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ BAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0GA1UEBwwGUHJhZ3Vl
+ MREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MTQxMTI2MDdaFw0yNzA4MTIxMTI2
+ MDdaMEoxCzAJBgNVBAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0G
+ A1UEBwwGUHJhZ3VlMREwDwYDVQQKDAhNaXJhbnRpczCCAiIwDQYJKoZIhvcNAQEB
+ BQADggIPADCCAgoCggIBAL596jeUmim5bo0J52vPylX8xZOCaCvW9wlSYbk143dU
+ x7sqlAbPePvN6jj44BrYV01F4rCn9uxuaFLrbjF4rUDp81F0yMqghwyLmlTgJBOq
+ AMNiEtrBUwmenJPuM55IYeO9OFbPeBvZyqKy2IG18GbK35QE85rOgaEfgDIkVeV9
+ yNB8b+yftn3ebRZCceU5lx/o+w2eQkuyloy1F5QC7U2MhGF2ekLX79s8x+LNlbiO
+ EF1D/FWFor3HY9DwNlg7U99mVID2Bj8lPPt4dW8JDMKkghh+S797l3H6RYKHhIvs
+ wi+50ljhk5nHl+qCooGKuGZ2WokrGXWkoDfrrpl//7FFRPwauoU/akDVfoWYffqx
+ jnvlQFkAlI3S5F/vwJGI1JGvPv5p5uRxPJEeMI0Sp9bVrznHGCgaJyY+vIBoZCwS
+ i0t16gsgeezcu44Y65crv4XNOBKOS+KqvMwdzzukOj9YsYwNnlLly0VvTEdxTwwI
+ 7NopRglUQrLusjZ5wwe23kf07xVxC98e1LRQzR5oEAUKkDrQzjmXBfcV92GrE3s7
+ 1L4dvfXUE1mVxabhBCoS6kO3JQGPK+1LJDIs/F0uVVtOy/oz6mIdV2scCteFRAbm
+ BhfEoVbaYNlUxlNGno2I/HEep4P0DrFPQi0ZmGfvNO6t3EvTSnWcsUL9h55wZ3Pl
+ AgMBAAGjgbkwgbYwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
+ FN2inIsMteL9vxR8Lo0yHI+4KaDGMHoGA1UdIwRzMHGAFN2inIsMteL9vxR8Lo0y
+ HI+4KaDGoU6kTDBKMQswCQYDVQQGEwJjejEXMBUGA1UEAwwOU2FsdCBNYXN0ZXIg
+ Q0ExDzANBgNVBAcMBlByYWd1ZTERMA8GA1UECgwITWlyYW50aXOCCQDByEKVmWBg
+ 0zANBgkqhkiG9w0BAQsFAAOCAgEAq8yv5IZWHyZuySpe85GCfdn4VFfSw6O1tdOZ
+ 7PnCNGqkLie3D0X5VIymDkEwSGrvRtAKvtRajej/1/T2lNJNzQaqQObMK9UpXMmu
+ g0qjAjYjbYMRS+4V1FJiyxxqyvE//XO+Jznj3jnF6IDnTYJp3tCUswvUYRSpAErP
+ CwtvBLzPhF9t3W+ElcrgM7UNDPRoVlun0q6FH4WAAKuuqXfJaEbe9XrkR+cBlP4O
+ 7utdveEREw0cONoFtHM/yVwb9ovaitMEA/b6qH286cJ59zXJbhMe7+n9dFlMnAAh
+ WfayyLzlaOjxicGMPcmUMRh9n8fml7bR3mekL1BGZt451kH3+FSfjPpF3hqVqb3c
+ 8LZsCrD10UYUOOQ1zyE8YaeQ6UgNW7LFJlngvNLAZKxRupc0FNGgDTMr8sgdBBeR
+ gH0cp+h4mDusEzYpaPIqci5+UOMelK/SMIYzMtD1ogZp/c9qIGh5nXwRkspHGrtk
+ ay6yizlPyY4QS1dOD/8nhGRbp5OQF1o5ZUtXlnaFHeLK7zl9iddqSvBVUNFdpDz+
+ uVYHAw4O2T7J7ge+gGgmjRPQjW1+O+jFWlSkO+7iFjdIOTZ6tpqYEglh0khgM8b5
+ V0MAVuww51/1DqirRG6Ge/3Sw44eDZID22jjCwLrDH0GSX76cDTe6Bx/WS0Wg7y/
+ /86PB1o=
+ -----END CERTIFICATE-----
top.sls:
base:
"*":
- barbican
+ - linux_repo_openstack
+ - release
verifier:
name: inspec
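Review bot: The `barbican_plugins.sls` fixture sets `root_token_id` together with `approle_role_id`/`approle_secret_id`, so only the root-token branch of the rendered `_vault.conf` is ever exercised and the AppRole branch has no test coverage; consider dropping `root_token_id` from this fixture or adding a second suite variant without it. The new `ssl.sls` pillar also uses capitalised booleans (`enabled: True` for `x509`, `ssl` and the message-queue `ssl` block); yamllint's `truthy` rule flags these, so `enabled: true` is the safer spelling.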
@@ -52,18 +165,81 @@
platform: ubuntu
suites:
- - name: ssl
- provisioner:
- pillars-from-files:
- barbican.sls: tests/pillar/ssl.sls
-
- - name: control_single
+<% for os_version in ['ocata','pike', 'queens'] %>
+ - name: control_single_<%=os_version%>
provisioner:
pillars-from-files:
barbican.sls: tests/pillar/control_single.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ <% unless os_version == 'ocata' || os_version == 'pike' %>
+ - barbican_plugins
+ <% end %>
- - name: control_cluster
+ - name: control_cluster_<%=os_version%>
provisioner:
pillars-from-files:
barbican.sls: tests/pillar/control_cluster.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ <% unless os_version == 'ocata' || os_version == 'pike' %>
+ - barbican_plugins
+ <% end %>
+
+ - name: control_single_ssl_<%=os_version%>
+ provisioner:
+ pillars-from-files:
+ barbican.sls: tests/pillar/control_single.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ - ssl
+
+ - name: control_cluster_ssl_<%=os_version%>
+ provisioner:
+ pillars-from-files:
+ barbican.sls: tests/pillar/control_cluster.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%=os_version%>.sls
+ pillars:
+ release.sls:
+ barbican:
+ server:
+ version: <%=os_version%>
+ top.sls:
+ base:
+ "*":
+ - barbican
+ - linux_repo_openstack
+ - release
+ - ssl
+<% end %>
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
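Review bot: The `control_single_ssl_*` and `control_cluster_ssl_*` suites include `ssl` but not `barbican_plugins`, so the Vault `https` path in `barbican._ssl.plugin` is only covered by the non-ssl queens suites and never together with the MySQL/RabbitMQ TLS pillar; if that combination is meant to be tested, add `- barbican_plugins` under the same `<% unless %>` guard to the ssl suites' `top.sls`. The `release.sls` and `top.sls` stanzas are otherwise repeated verbatim across all four suites inside the ERB loop, which is the kind of drift this commit is trying to remove.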
diff --git a/README.rst b/README.rst
index 904bf22..47f3e6d 100644
--- a/README.rst
+++ b/README.rst
@@ -302,6 +302,35 @@
mkek_length: 32
hmac_label: 'my_hmac_label'
+VAULT
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: http
+ host: localhost
+ port: 8200
+ root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
+ approle_role_id: role_id
+ approle_secret_id: secret_id
+ kv_mountpoint: secret
+
+Vault supports secure connection. You able to define following fields for use security connection,
+also you should place file of certificate or define cert content in cacert field, in the last case
+`ssl_ca_crt_file` field required to define.
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: https
+ ssl_ca_crt_file: '/etc/barbican/ssl/vault/CA.crt'
+ cacert: (certificate content)
Software Only Crypto
@@ -352,6 +381,14 @@
simple_cmc_profile: 'caOtherCert'
ca_expiration_time: 1
plugin_working_dir: '/etc/barbican/dogtag'
+ vault:
+ schema: http
+ host: localhost
+ port: 8200
+ root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
+ approle_role_id: role_id
+ approle_secret_id: secret_id
+ kv_mountpoint: secret
store:
software:
crypto_plugin: simple_crypto
diff --git a/barbican/_ssl/plugin/init.sls b/barbican/_ssl/plugin/init.sls
new file mode 100644
index 0000000..6858200
--- /dev/null
+++ b/barbican/_ssl/plugin/init.sls
@@ -0,0 +1,33 @@
+{%- from "barbican/map.jinja" import server with context %}
+
+barbican_plugin_ssl:
+ test.show_notification:
+ - text: "Running barbican._ssl.plugin"
+
+{%- if server.get('plugin', {}).get('vault', {}).get('schema', 'http') == 'https' %}
+
+ {%- set ca_file=server.plugin.vault.ssl_ca_crt_file %}
+
+barbican_plugin_vault_ca:
+ {%- if server.plugin.vault.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: barbican:server:plugin:vault:cacert
+ - mode: 444
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+barbican_plugin_vault_ca_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - mode: 444
+ - user: barbican
+ - group: barbican
+
+{%- endif %}
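Review bot: `{%- set ca_file=server.plugin.vault.ssl_ca_crt_file %}` dereferences the key without a default, so a pillar with `schema: https` and no `ssl_ca_crt_file` fails at render time, while the new `_vault.conf` template treats `ssl_ca_crt_file` as optional (`{% if plugin.ssl_ca_crt_file is defined %}`); the two should agree, e.g. wrap the states in `{%- if server.plugin.vault.ssl_ca_crt_file is defined %}` and let the config fall back to the system trust store, or document the key as mandatory for https. `barbican_plugin_vault_ca_set_user_and_group` repeats the `mode`/`user`/`group` already applied by the `file.managed` branch and is only needed for the `file.exists` branch, which deserves a comment such as `# ownership for a pre-provisioned CA file (cacert not in pillar)`. Per Salt convention the mode should be a quoted string, `- mode: '0444'`, to avoid YAML integer coercion.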
diff --git a/barbican/files/queens/barbican.conf.Debian b/barbican/files/queens/barbican.conf.Debian
index c9d230d..3958f8e 100644
--- a/barbican/files/queens/barbican.conf.Debian
+++ b/barbican/files/queens/barbican.conf.Debian
@@ -411,11 +411,14 @@
# List of secret store plugins to load. (multi valued)
#enabled_secretstore_plugins = store_crypto
+{%- if server.get('plugin', {}).vault is defined %}
+enabled_secretstore_plugins = vault_plugin
+{%- endif %}
# Flag to enable multiple secret store plugin backend support. Default
# is False (boolean value)
#enable_multiple_secret_stores = false
-enable_multiple_secret_stores = True
+enable_multiple_secret_stores = {% if server.get('plugin', {}).vault is defined %}false{% else %}true{% endif %}
# List of suffix to use for looking up plugins which are supported
# with multiple backend support. (list value)
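Review bot: The guard `server.get('plugin', {}).vault is defined` differs from the `server.get('plugin', {}).get('vault', {})` form used in `barbican/_ssl/plugin/init.sls` for the same lookup; `{%- if 'vault' in server.get('plugin', {}) %}` is the clearer and consistent spelling for both occurrences here. Behaviourally, once `vault` is present `enabled_secretstore_plugins` is pinned to `vault_plugin` and `enable_multiple_secret_stores` becomes `false`, so any `store:` backends the pillar still carries (the test pillars configure several) are silently ignored; that exclusivity should be stated in the README or a template comment next to this block, e.g. `# vault is configured as the single secret store; pillar 'store' entries are not rendered`.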
diff --git a/barbican/files/queens/plugin/_vault.conf b/barbican/files/queens/plugin/_vault.conf
new file mode 100644
index 0000000..ac5fbe3
--- /dev/null
+++ b/barbican/files/queens/plugin/_vault.conf
@@ -0,0 +1,33 @@
+
+#
+# From barbican.plugin.vault
+#
+
+# Vault endpoint URL.
+# vault_url = http://127.0.0.1:8200
+vault_url = {{ plugin.get('schema', 'http') }}://{{ plugin.get('host', '127.0.0.1') }}:{{ plugin.get('port', '8200') }}
+
+# Root token for vault or AppRole role ID.
+#root_token_id = token
+#approle_role_id = role ID
+{%- if plugin.root_token_id is defined %}
+root_token_id = {{ plugin.root_token_id }}
+ {%- else %}
+approle_role_id = {{ plugin.approle_role_id }}
+{%- endif %}
+
+# AppRole secret_id for authentication with vault.
+#approle_secret_id = #secret_id
+{%- if plugin.approle_secret_id is defined %}
+approle_secret_id = {{ plugin.approle_secret_id }}
+{%- endif %}
+
+# Mountpoint of KV store in Vault to use.
+#kv_mountpoint = secret
+kv_mountpoint = {{ plugin.get('kv_mountpoint', 'secret') }}
+
+#Absolute path to CA cert file.
+#ssl_ca_crt_file = /path/to/the/cert
+{% if plugin.ssl_ca_crt_file is defined %}
+ssl_ca_crt_file = {{ plugin.ssl_ca_crt_file }}
+{%- endif %}
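Review bot: When neither `root_token_id` nor `approle_role_id` is set in pillar, the `{%- else %}` branch still renders `approle_role_id = {{ plugin.approle_role_id }}` against an undefined value, which either fails the render or emits an empty option; `{%- elif plugin.approle_role_id is defined %}` makes the fallback explicit and leaves the option commented out otherwise. The root token is preferred over AppRole whenever both are present, which appears to match the plugin's own precedence, but a comment saying so would help operators who set both. Whitespace control is inconsistent in this file: the indented `{%- else %}` and the non-stripping `{% if plugin.ssl_ca_crt_file is defined %}` produce uneven blank lines, and `#Absolute path to CA cert file.` lacks the space after `#` the other comments have.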
diff --git a/barbican/server.sls b/barbican/server.sls
index 79f58b9..7d5d07f 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -5,6 +5,7 @@
- apache
- barbican._ssl.mysql
- barbican._ssl.rabbitmq
+ - barbican._ssl.plugin
- barbican.db.offline_sync
barbican_policy-rc.d_present:
@@ -36,6 +37,7 @@
- pkg: barbican_server_packages
- sls: barbican._ssl.mysql
- sls: barbican._ssl.rabbitmq
+ - sls: barbican._ssl.plugin
- require_in:
- sls: barbican.db.offline_sync
diff --git a/metadata/service/server/plugin/vault.yml b/metadata/service/server/plugin/vault.yml
new file mode 100644
index 0000000..095475f
--- /dev/null
+++ b/metadata/service/server/plugin/vault.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ barbican_vault_schema: http
+ barbican_vault_host: localhost
+ barbican_vault_port: 8200
+ barbican_vault_kv_mountpoint: secret
+ barbican_vault_ca_certs: '/etc/barbican/ssl/vault/CA.crt'
+ barbican:
+ server:
+ plugin:
+ vault:
+ schema: ${_param:barbican_vault_schema}
+ host: ${_param:barbican_vault_host}
+ port: ${_param:barbican_vault_port}
+ kv_mountpoint: ${_param:barbican_vault_kv_mountpoint}
+ ssl_ca_crt_file: ${_param:barbican_vault_ca_certs}
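Review bot: The parameter `barbican_vault_ca_certs` feeds the pillar key `ssl_ca_crt_file`, and the kitchen fixtures and the `_vault.conf` template both use the latter name, so a reader grepping for one will not find the other; `barbican_vault_ssl_ca_crt_file: '/etc/barbican/ssl/vault/CA.crt'` keeps the naming aligned. The default `barbican_vault_schema: http` means the root token or AppRole secret rendered into barbican.conf travels to Vault in cleartext unless a deployment overrides it; a comment on that line, `# tokens/secret_ids are sent on this connection; use https outside local development`, would make the trade-off visible at the point where the default is chosen.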
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index e9e4cac..2efac2a 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -98,7 +98,7 @@
log_appender: false
log_handlers:
watchedfile:
- enabled: true
+ enabled: false
fluentd:
enabled: false
ossyslog:
@@ -131,3 +131,42 @@
max_requests: 0
max_clients: 20
limit: 20
+ site:
+ barbican:
+ enabled: false
+ available: true
+ type: wsgi
+ name: barbican
+ wsgi:
+ daemon_process: barbican-api
+ processes: 3
+ threads: 10
+ user: barbican
+ group: barbican
+ display_name: '%{GROUP}'
+ script_alias: '/ /usr/bin/barbican-wsgi-api'
+ application_group: '%{GLOBAL}'
+ authorization: 'On'
+ host:
+ address: 127.0.0.1
+ name: 127.0.0.1
+ port: 9311
+ barbican_admin:
+ enabled: false
+ available: true
+ type: wsgi
+ name: barbican_admin
+ wsgi:
+ daemon_process: barbican-api-admin
+ processes: 3
+ threads: 10
+ user: barbican
+ group: barbican
+ display_name: '%{GROUP}'
+ script_alias: '/ /usr/bin/barbican-wsgi-api'
+ application_group: '%{GLOBAL}'
+ authorization: 'On'
+ host:
+ address: 127.0.0.1
+ name: 127.0.0.1
+ port: 9312
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 91ea05e..9b1c642 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -89,7 +89,7 @@
log_appender: false
log_handlers:
watchedfile:
- enabled: true
+ enabled: false
fluentd:
enabled: false
ossyslog:
diff --git a/tests/pillar/repo_mcp_openstack_ocata.sls b/tests/pillar/repo_mcp_openstack_ocata.sls
new file mode 100644
index 0000000..e601208
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_ocata.sls
@@ -0,0 +1,44 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_hotfix:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-hotfix main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-hotfix'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_security:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-security main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-security'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_updates:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-updates main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-uptades'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_holdback:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-holdback main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-holdback'
+ priority: 1050
+ package: '*'
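Review bot: The pin for `mirantis_openstack_updates` reads `'release a=ocata-uptades'`, which never matches the `ocata-updates` archive, so the 1050 priority is not applied to that repository; it should be `- pin: 'release a=ocata-updates'`. Every `key_url` in this file, and in the new `repo_mcp_openstack_pike.sls` and `repo_mcp_openstack_queens.sls`, fetches the archive signing key over plain `http://`, so the key that anchors apt's signature check is itself obtained from an unauthenticated channel; if the mirrors are reachable over https, prefer it for the key URLs.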
diff --git a/tests/pillar/repo_mcp_openstack_pike.sls b/tests/pillar/repo_mcp_openstack_pike.sls
new file mode 100644
index 0000000..789b907
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_pike.sls
@@ -0,0 +1,12 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/pike/{{ grains.get('oscodename') }} pike main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/pike/{{ grains.get('oscodename') }}/archive-mcppike.key"
+ pin:
+ - pin: 'release a=pike'
+ priority: 1050
+ package: '*'
\ No newline at end of file
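Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), unlike the sibling `repo_mcp_openstack_ocata.sls` and `repo_mcp_openstack_queens.sls`; add the final newline after `package: '*'` so the three pillar files are consistent and yamllint's `new-line-at-end-of-file` rule passes.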
diff --git a/tests/pillar/repo_mcp_openstack_queens.sls b/tests/pillar/repo_mcp_openstack_queens.sls
new file mode 100644
index 0000000..65fb320
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_queens.sls
@@ -0,0 +1,12 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.mirantis.com/nightly/openstack-queens/{{ grains.get('oscodename') }} {{ grains.get('oscodename') }} main"
+ architectures: amd64
+ key_url: "http://mirror.mirantis.com/nightly/openstack-queens/{{ grains.get('oscodename') }}/archive-queens.key"
+ pin:
+ - pin: 'release l=queens'
+ priority: 1050
+ package: '*'
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
deleted file mode 100644
index b8b1398..0000000
--- a/tests/pillar/ssl.sls
+++ /dev/null
@@ -1,205 +0,0 @@
-barbican:
- server:
- enabled: true
- version: ocata
- host_href: ''
- is_proxied: true
- dogtag_admin_cert:
- engine: manual
- key: 'some dogtag key'
- plugin:
- simple_crypto:
- kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
- p11_crypto:
- library_path: '/usr/lib/libCryptoki2_64.so'
- login: 'mypassword'
- mkek_label: 'an_mkek'
- mkek_length: 32
- hmac_label: 'my_hmac_label'
- kmip:
- username: 'admin'
- password: 'password'
- host: localhost
- port: 5696
- keyfile: '/path/to/certs/cert.key'
- certfile: '/path/to/certs/cert.crt'
- ca_certs: '/path/to/certs/LocalCA.crt'
- dogtag:
- pem_path: '/etc/barbican/kra_admin_cert.pem'
- dogtag_host: localhost
- dogtag_port: 8443
- nss_db_path: '/etc/barbican/alias'
- nss_db_path_ca: '/etc/barbican/alias-ca'
- nss_password: 'password123'
- simple_cmc_profile: 'caOtherCert'
- ca_expiration_time: 1
- plugin_working_dir: '/etc/barbican/dogtag'
- store:
- software:
- crypto_plugin: simple_crypto
- store_plugin: store_crypto
- global_default: True
- kmip:
- store_plugin: kmip_plugin
- dogtag:
- store_plugin: dogtag_crypto
- pkcs11:
- store_plugin: store_crypto
- crypto_plugin: p11_crypto
- database:
- engine: "mysql+pymysql"
- host: 10.0.106.20
- port: 3306
- name: barbican
- user: barbican
- password: password
- x509:
- enabled: True
- ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
- key_file: /etc/barbican/ssl/mysql/client-key.pem
- cert_file: /etc/barbican/ssl/mysql/client-cert.pem
- cacert: |
- -----BEGIN CERTIFICATE-----
- MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
- -----END CERTIFICATE-----
- cert: |
- -----BEGIN CERTIFICATE-----
- MIIGSjCCBDKgAwIBAgIJAIHRPs2rZbLvMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
- -----END CERTIFICATE-----
- key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIJKQIBAAKCAgEAq0m4kOIITliYea07yJnlSRNY0o6NaykiteSfHGauiub4lNQJ
- -----END RSA PRIVATE KEY-----
- ssl:
- enabled: True
- cacert_file: /etc/barbican/ssl/mysql/ca-cert.pem
- cacert: |
- -----BEGIN CERTIFICATE-----
- MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
- -----END CERTIFICATE-----
- bind:
- address: 10.0.106.20
- port: 9311
- admin_port: 9312
- identity:
- engine: keystone
- host: 10.0.106.20
- port: 35357
- domain: default
- tenant: service
- user: barbican
- password: password
- message_queue:
- engine: rabbitmq
- user: openstack
- password: password
- virtual_host: '/openstack'
- members:
- - host: 10.10.10.10
- port: 5672
- - host: 10.10.10.11
- port: 5672
- - host: 10.10.10.12
- port: 5672
- port: 5671
- ssl:
- # Case #1: specify cacert file and ca cert body explicitly
- enabled: True
- cacert_file: /etc/barbican/ssl/rabbitmq_cacert.pem
- cacert: |
- -----BEGIN CERTIFICATE-----
- MIIF0TCCA7mgAwIBAgIJAMHIQpWZYGDTMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
- BAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0GA1UEBwwGUHJhZ3Vl
- MREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MTQxMTI2MDdaFw0yNzA4MTIxMTI2
- MDdaMEoxCzAJBgNVBAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0G
- A1UEBwwGUHJhZ3VlMREwDwYDVQQKDAhNaXJhbnRpczCCAiIwDQYJKoZIhvcNAQEB
- BQADggIPADCCAgoCggIBAL596jeUmim5bo0J52vPylX8xZOCaCvW9wlSYbk143dU
- x7sqlAbPePvN6jj44BrYV01F4rCn9uxuaFLrbjF4rUDp81F0yMqghwyLmlTgJBOq
- AMNiEtrBUwmenJPuM55IYeO9OFbPeBvZyqKy2IG18GbK35QE85rOgaEfgDIkVeV9
- yNB8b+yftn3ebRZCceU5lx/o+w2eQkuyloy1F5QC7U2MhGF2ekLX79s8x+LNlbiO
- EF1D/FWFor3HY9DwNlg7U99mVID2Bj8lPPt4dW8JDMKkghh+S797l3H6RYKHhIvs
- wi+50ljhk5nHl+qCooGKuGZ2WokrGXWkoDfrrpl//7FFRPwauoU/akDVfoWYffqx
- jnvlQFkAlI3S5F/vwJGI1JGvPv5p5uRxPJEeMI0Sp9bVrznHGCgaJyY+vIBoZCwS
- i0t16gsgeezcu44Y65crv4XNOBKOS+KqvMwdzzukOj9YsYwNnlLly0VvTEdxTwwI
- 7NopRglUQrLusjZ5wwe23kf07xVxC98e1LRQzR5oEAUKkDrQzjmXBfcV92GrE3s7
- 1L4dvfXUE1mVxabhBCoS6kO3JQGPK+1LJDIs/F0uVVtOy/oz6mIdV2scCteFRAbm
- BhfEoVbaYNlUxlNGno2I/HEep4P0DrFPQi0ZmGfvNO6t3EvTSnWcsUL9h55wZ3Pl
- AgMBAAGjgbkwgbYwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
- FN2inIsMteL9vxR8Lo0yHI+4KaDGMHoGA1UdIwRzMHGAFN2inIsMteL9vxR8Lo0y
- HI+4KaDGoU6kTDBKMQswCQYDVQQGEwJjejEXMBUGA1UEAwwOU2FsdCBNYXN0ZXIg
- Q0ExDzANBgNVBAcMBlByYWd1ZTERMA8GA1UECgwITWlyYW50aXOCCQDByEKVmWBg
- 0zANBgkqhkiG9w0BAQsFAAOCAgEAq8yv5IZWHyZuySpe85GCfdn4VFfSw6O1tdOZ
- 7PnCNGqkLie3D0X5VIymDkEwSGrvRtAKvtRajej/1/T2lNJNzQaqQObMK9UpXMmu
- g0qjAjYjbYMRS+4V1FJiyxxqyvE//XO+Jznj3jnF6IDnTYJp3tCUswvUYRSpAErP
- CwtvBLzPhF9t3W+ElcrgM7UNDPRoVlun0q6FH4WAAKuuqXfJaEbe9XrkR+cBlP4O
- 7utdveEREw0cONoFtHM/yVwb9ovaitMEA/b6qH286cJ59zXJbhMe7+n9dFlMnAAh
- WfayyLzlaOjxicGMPcmUMRh9n8fml7bR3mekL1BGZt451kH3+FSfjPpF3hqVqb3c
- 8LZsCrD10UYUOOQ1zyE8YaeQ6UgNW7LFJlngvNLAZKxRupc0FNGgDTMr8sgdBBeR
- gH0cp+h4mDusEzYpaPIqci5+UOMelK/SMIYzMtD1ogZp/c9qIGh5nXwRkspHGrtk
- ay6yizlPyY4QS1dOD/8nhGRbp5OQF1o5ZUtXlnaFHeLK7zl9iddqSvBVUNFdpDz+
- uVYHAw4O2T7J7ge+gGgmjRPQjW1+O+jFWlSkO+7iFjdIOTZ6tpqYEglh0khgM8b5
- V0MAVuww51/1DqirRG6Ge/3Sw44eDZID22jjCwLrDH0GSX76cDTe6Bx/WS0Wg7y/
- /86PB1o=
- -----END CERTIFICATE-----
- cache:
- members:
- - host: 10.10.10.10
- port: 11211
- - host: 10.10.10.11
- port: 11211
- - host: 10.10.10.12
- port: 11211
-apache:
- server:
- enabled: true
- default_mpm: event
- mpm:
- prefork:
- enabled: true
- servers:
- start: 5
- spare:
- min: 2
- max: 10
- max_requests: 0
- max_clients: 20
- limit: 20
- site:
- barbican:
- enabled: false
- available: true
- type: wsgi
- name: barbican
- wsgi:
- daemon_process: barbican-api
- processes: 3
- threads: 10
- user: barbican
- group: barbican
- display_name: '%{GROUP}'
- script_alias: '/ /usr/bin/barbican-wsgi-api'
- application_group: '%{GLOBAL}'
- authorization: 'On'
- host:
- address: 127.0.0.1
- name: 127.0.0.1
- port: 9311
- barbican_admin:
- enabled: false
- available: true
- type: wsgi
- name: barbican_admin
- wsgi:
- daemon_process: barbican-api-admin
- processes: 3
- threads: 10
- user: barbican
- group: barbican
- display_name: '%{GROUP}'
- script_alias: '/ /usr/bin/barbican-wsgi-api'
- application_group: '%{GLOBAL}'
- authorization: 'On'
- host:
- address: 127.0.0.1
- name: 127.0.0.1
- port: 9312