Merge "Add support for encrypting Barbican API"

2020-05-13 16:36:27 +00:00 · 2020-05-13 16:36:27 +00:00 · 9540f22e24
commit 9540f22e24
parent e51f3e0c5e 2e08ffd6d3
5 changed files with 30 additions and 8 deletions
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@ -16,12 +16,14 @@ barbican_services:
        external: false
        port: "{{ barbican_api_port }}"
        listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
      barbican_api_external:
        enabled: "{{ enable_barbican }}"
        mode: "http"
        external: true
        port: "{{ barbican_api_port }}"
        listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
  barbican-keystone-listener:
    container_name: barbican_keystone_listener
    group: barbican-keystone-listener
@ -142,3 +144,8 @@ barbican_ks_roles:
  - "{{ barbican_creator_role }}"
  - "{{ barbican_observer_role }}"
  - "{{ barbican_audit_role }}"
+
+####################
+# TLS
+####################
+barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@ -49,7 +49,7 @@

 - include_tasks: copy-certs.yml
  when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool

 - name: Copying over config.json files for services
  template:
--- a/ansible/roles/barbican/templates/barbican-api.ini.j2
+++ b/ansible/roles/barbican/templates/barbican-api.ini.j2
@ -1,6 +1,9 @@
 [uwsgi]
-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-protocol = http
+{% if barbican_enable_tls_backend | bool %}
+https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
+{% else %}
+http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
+{% endif %}
 processes = {{ openstack_service_workers }}
 lazy = true
 vacuum = true
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@ -19,7 +19,19 @@
            "owner": "barbican",
            "perm": "0600",
            "optional": true
-        }{% if barbican_policy_file is defined %},
+        }{% if barbican_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/barbican-cert.pem",
+            "dest": "/etc/barbican/certs/barbican-cert.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/barbican-key.pem",
+            "dest": "/etc/barbican/certs/barbican-key.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        }{% endif %}{% if barbican_policy_file is defined %},
        {
            "source": "{{ container_config_directory }}/{{ barbican_policy_file }}",
            "dest": "/etc/barbican/{{ barbican_policy_file }}",
--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
@ -2,7 +2,7 @@
 features:
  - |
    Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
-    When used in conjunction with enabling TLS for service API endpoints,
-    network communcation will be encrypted end to end, from client through
-    HAProxy to the backend service.
+    to the Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder
+    services. When used in conjunction with enabling TLS for service API
+    endpoints, network communcation will be encrypted end to end, from client
+    through HAProxy to the backend service.