Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / barbican / ad898b285e9bfbf9e39e8bf343f998bc316e988f / . / barbican / server.sls
blob: 79f58b952e4a25f563c5eb6551ac88248d23767b [file] [log] [blame]
{%- from "barbican/map.jinja" import server with context %}
{%- if server.enabled %}
include:
- apache
- barbican._ssl.mysql
- barbican._ssl.rabbitmq
- barbican.db.offline_sync
barbican_policy-rc.d_present:
file.managed:
- name: /usr/sbin/policy-rc.d
- mode: 755
- contents: |
#!/bin/sh
exit 101
barbican_server_packages:
pkg.installed:
- names: {{ server.pkgs }}
- require_in:
- sls: barbican._ssl.mysql
- sls: barbican._ssl.rabbitmq
- require:
- file: barbican_policy-rc.d_present
- require_in:
- file: barbican_policy-rc.d_absent
/etc/barbican/barbican.conf:
file.managed:
- source: salt://barbican/files/{{ server.version }}/barbican.conf.{{ grains.os_family }}
- template: jinja
- mode: 0640
- group: barbican
- require:
- pkg: barbican_server_packages
- sls: barbican._ssl.mysql
- sls: barbican._ssl.rabbitmq
- require_in:
- sls: barbican.db.offline_sync
barbican_sync_secret_stores:
cmd.run:
- name: barbican-manage db sync_secret_stores
- runas: barbican
{%- if grains.get('noservices') or server.version in ['ocata', 'pike'] %}
- onlyif: /bin/false
{%- endif %}
- require:
- file: /etc/barbican/barbican.conf
- pkg: barbican_server_packages
- sls: barbican.db.offline_sync
{%- for name, rule in server.get('policy', {}).items() %}
{%- if rule != None %}
barbican_keystone_rule_{{ name }}_present:
keystone_policy.rule_present:
- path: /etc/barbican/policy.json
- name: {{ name }}
- rule: "{{ rule }}"
- require:
- pkg: barbican_server_packages
{%- else %}
barbican_keystone_rule_{{ name }}_absent:
keystone_policy.rule_absent:
- path: /etc/barbican/policy.json
- name: {{ name }}
- require:
- pkg: barbican_server_packages
{%- endif %}
{%- endfor %}
{%- if server.logging.log_appender %}
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
barbican_fluentd_logger_package:
pkg.installed:
- name: python-fluent-logger
{%- endif %}
/etc/barbican/logging.conf:
file.managed:
- mode: 0640
- user: root
- group: barbican
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- defaults:
service_name: barbican
_data: {{ server.logging }}
- require:
- pkg: barbican_server_packages
- file: /etc/barbican/barbican.conf
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
- pkg: barbican_fluentd_logger_package
{%- endif %}
- require_in:
- sls: barbican.db.offline_sync
- watch_in:
- service: barbican_server_services
/var/log/barbican/barbican.log:
file.managed:
- user: barbican
- group: barbican
- watch_in:
- service: barbican_server_services
- require_in:
- cmd: barbican_sync_secret_stores
{%- endif %}
{#- Creation of sites using templates is deprecated, sites should be generated by apache pillar, and enabled by barbican formula #}
{%- if pillar.get('apache', {}).get('server', {}).get('site', {}).barbican is not defined %}
barbican_cleanup_configs:
file.absent:
- name: /etc/apache2/conf-enabled/barbican-api.conf
- require:
- pkg: barbican_server_packages
barbican_apache_conf_file:
file.managed:
- name: /etc/apache2/sites-available/barbican-api.conf
- source: salt://barbican/files/{{ server.version }}/barbican-api.apache2.conf.Debian
- template: jinja
- require:
- pkg: barbican_server_packages
- barbican_cleanup_configs
apache_enable_barbican_wsgi:
apache_site.enabled:
- name: barbican-api
- require:
- barbican_apache_conf_file
{%- else %}
barbican_cleanup_configs:
file.absent:
- names:
- '/etc/apache2/sites-available/barbican-api.conf'
- '/etc/apache2/sites-enabled/barbican-api.conf'
- '/etc/apache2/conf-enabled/barbican-api.conf'
barbican_apache_conf_file:
file.exists:
- names:
- /etc/apache2/sites-available/wsgi_barbican.conf
- /etc/apache2/sites-available/wsgi_barbican_admin.conf
- require:
- pkg: barbican_server_packages
- barbican_cleanup_configs
- barbican_sync_secret_stores
apache_enable_barbican_wsgi:
apache_site.enabled:
- names:
- wsgi_barbican
- wsgi_barbican_admin
- require:
- barbican_apache_conf_file
- barbican_sync_secret_stores
{%- endif %}
barbican_apache_restart:
service.running:
- enable: true
- name: apache2
- init_delay: 5
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
- watch:
- file: /etc/barbican/barbican.conf
- barbican_apache_conf_file
barbican_server_services:
service.running:
- names: {{ server.services }}
- enable: true
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
- watch:
- file: /etc/barbican/barbican.conf
- require:
- barbican_sync_secret_stores
{%- if server.get('async_queues_enable', False) %}
barbican_async_workers_enable:
service.running:
- names:
- barbican-worker
- enable: true
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
- watch:
- file: /etc/barbican/barbican.conf
- require:
- barbican_server_services
{%- else %}
barbican_async_workers_disable:
service.dead:
- names:
- barbican-worker
- enable: false
{%- endif %}
{%- if 'dogtag' in server.get('plugin', {}) %}
barbican_dogtag_packages:
pkg.installed:
- names: {{ server.dogtag_pkgs }}
- watch_in:
- service: barbican_server_services
{%- if 'dogtag' in server.get('plugin', {}) %}
{%- if server.dogtag_admin_cert.engine != 'noop' %}
{# For some cases dogtag_admin_cert can be undefined. It is done to rise an exception during the state below. #}
{{ server.plugin.dogtag.get('pem_path', '/etc/barbican/kra_admin_cert.pem') }}:
file.managed:
- contents: {{ server.dogtag_admin_cert.key | yaml }}
- mode: 600
- user: barbican
- group: barbican
- require_in:
- cmd: barbican_sync_secret_stores
{%- endif %}
{%- endif %}
{%- endif %}
barbican_policy-rc.d_absent:
file.absent:
- name: /usr/sbin/policy-rc.d
{%- endif %}