Merge "Remove ContrailFlowsCreatedTooMany alert"
diff --git a/README.rst b/README.rst
index 54e9502..876907e 100644
--- a/README.rst
+++ b/README.rst
@@ -592,9 +592,9 @@
Set up metadata secret for the Vrouter
--------------------------------------
+--------------------------------------
-In order to get cloud-init within the instance to properly fetch
+In order to get cloud-init within the instance to properly fetch
instance metadata, metadata_proxy_secret in the Vrouter agent config
should match the value in nova.conf. The administrator should define
it in the pillar:
@@ -606,6 +606,23 @@
metadata:
secret: opencontrail
+Add auth info for Barbican on compute nodes
+-------------------------------------------
+
+.. code-block:: yaml
+
+ opencontrail:
+ compute:
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: admin
+ password: "supersecretpassword123"
+ tenant: admin
+
+
Keystone v3
-----------
diff --git a/metadata/service/compute/lbaas/barbican.yml b/metadata/service/compute/lbaas/barbican.yml
new file mode 100644
index 0000000..a297c8b
--- /dev/null
+++ b/metadata/service/compute/lbaas/barbican.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ opencontrail_barbican_user_domain: 'default'
+ opencontrail_barbican_project_domain: 'default'
+ opencontrail:
+ compute:
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: "${_param:opencontrail_barbican_user}"
+ password: "${_param:opencontrail_barbican_password}"
+ tenant: "${_param:opencontrail_barbican_tenant}"
+ user_domain: "${_param:opencontrail_barbican_user_domain}"
+ project_domain: "${_param:opencontrail_barbican_project_domain}"
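Review bot: `opencontrail_barbican_user`, `opencontrail_barbican_password` and `opencontrail_barbican_tenant` are interpolated under `identity` but, unlike the two domain parameters, get no default in `_param`, and nothing in the file says the cluster model must supply them. A header comment such as `# Requires _param: opencontrail_barbican_user, opencontrail_barbican_password, opencontrail_barbican_tenant` would make that contract explicit. The same comment should say that the password is expected to come from an encrypted or secret-backed source rather than a plain model file, since this class is the point where the credential enters the pillar.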
diff --git a/opencontrail/compute.sls b/opencontrail/compute.sls
index c410cd1..7abcf73 100644
--- a/opencontrail/compute.sls
+++ b/opencontrail/compute.sls
@@ -26,6 +26,21 @@
{%- endif %}
+{%- if compute.get('lbaas', {}).get('enabled', False) %}
+
+{%- if compute.lbaas.get('secret_manager', {}).get('engine', 'noop') == 'barbican' %}
+
+/etc/contrail/contrail-lbaas-auth.conf:
+ file.managed:
+ - source: salt://opencontrail/files/{{ compute.version }}/contrail-lbaas-auth.conf
+ - template: jinja
+ - require:
+ - pkg: opencontrail_compute_packages
+
+{%- endif %}
+
+{%- endif %}
+
/etc/contrail/contrail-vrouter-nodemgr.conf:
file.managed:
- source: salt://opencontrail/files/{{ compute.version }}/contrail-vrouter-nodemgr.conf
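Review bot: The new `/etc/contrail/contrail-lbaas-auth.conf` state sets no owner or mode, although the template it renders writes `admin_password=` in cleartext, so the file's permissions are left to Salt's defaults and are commonly world-readable. Add `- user: root` and `- mode: '0600'` to the `file.managed` arguments, or a group-readable mode if the LBaaS agent runs under a different account, which is not visible here. Adding `- show_changes: False` would also keep the password out of state diff output. The `contrail-vrouter-nodemgr.conf` state at the end of the hunk continues outside it.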
diff --git a/opencontrail/files/3.0/contrail-lbaas-auth.conf b/opencontrail/files/3.0/contrail-lbaas-auth.conf
new file mode 100644
index 0000000..d175571
--- /dev/null
+++ b/opencontrail/files/3.0/contrail-lbaas-auth.conf
@@ -0,0 +1,16 @@
+{%- from "opencontrail/map.jinja" import compute with context %}
+{%- from "opencontrail/map.jinja" import common with context -%}
+[BARBICAN]
+admin_user={{ compute.lbaas.secret_manager.identity.user }}
+admin_password={{ compute.lbaas.secret_manager.identity.password }}
+admin_tenant_name={{ compute.lbaas.secret_manager.identity.tenant }}
+{%- if common.identity.get('version', '2.0') == "3" %}
+admin_user_domain={{ compute.lbaas.secret_manager.identity.user_domain }}
+admin_project_domain={{ compute.lbaas.secret_manager.identity.project_domain }}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v3
+{%- else %}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v2.0
+{%- endif %}
+{%- if common.identity.region is defined %}
+region={{ common.identity.region }}
+{%- endif %}
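Review bot: Both `auth_url=` lines hard-code `http://`, so the Barbican admin user and password rendered a few lines above are sent to Keystone without TLS whenever this file is used as written. Take the scheme from the pillar instead, for example `auth_url={{ common.identity.get('<scheme-key>', 'http') }}://{{ common.identity.host }}:{{ common.identity.port }}/v3`, where `<scheme-key>` is a placeholder for whichever key the formula's identity pillar uses (not visible in this diff). The identical template added under `opencontrail/files/4.0/` needs the same change.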
diff --git a/opencontrail/files/4.0/contrail-lbaas-auth.conf b/opencontrail/files/4.0/contrail-lbaas-auth.conf
new file mode 100644
index 0000000..d175571
--- /dev/null
+++ b/opencontrail/files/4.0/contrail-lbaas-auth.conf
@@ -0,0 +1,16 @@
+{%- from "opencontrail/map.jinja" import compute with context %}
+{%- from "opencontrail/map.jinja" import common with context -%}
+[BARBICAN]
+admin_user={{ compute.lbaas.secret_manager.identity.user }}
+admin_password={{ compute.lbaas.secret_manager.identity.password }}
+admin_tenant_name={{ compute.lbaas.secret_manager.identity.tenant }}
+{%- if common.identity.get('version', '2.0') == "3" %}
+admin_user_domain={{ compute.lbaas.secret_manager.identity.user_domain }}
+admin_project_domain={{ compute.lbaas.secret_manager.identity.project_domain }}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v3
+{%- else %}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v2.0
+{%- endif %}
+{%- if common.identity.region is defined %}
+region={{ common.identity.region }}
+{%- endif %}
diff --git a/tests/pillar/vrouter.sls b/tests/pillar/vrouter.sls
index 13e05e5..d9ba886 100644
--- a/tests/pillar/vrouter.sls
+++ b/tests/pillar/vrouter.sls
@@ -35,4 +35,12 @@
address: 127.0.0.1
port: 6632
ssl:
- enabled: True
\ No newline at end of file
+ enabled: True
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: admin
+ password: "supersecretpassword123"
+ tenant: admin
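Review bot: The added `identity` fixture omits `user_domain` and `project_domain`, which the new `contrail-lbaas-auth.conf` template reads when `common.identity.version` is `"3"`; with this pillar those two lines would presumably render with empty values. Add `user_domain: 'default'` and `project_domain: 'default'` under `identity` here and in the matching hunk of `tests/pillar/vrouter40.sls`, so the fixtures agree with the defaults in `metadata/service/compute/lbaas/barbican.yml`. Whether this fixture selects Keystone v3 is not visible in the hunk, so the v3 branch of the template may also be going untested.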
diff --git a/tests/pillar/vrouter40.sls b/tests/pillar/vrouter40.sls
index f19ce4e..16cdcff 100644
--- a/tests/pillar/vrouter40.sls
+++ b/tests/pillar/vrouter40.sls
@@ -44,3 +44,11 @@
port: 6632
ssl:
enabled: True
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: admin
+ password: "supersecretpassword123"
+ tenant: admin