49006e56d9
Fixes an issue where access rules failed to validate:
Cannot validate request with restricted access rules. Set
service_type in [keystone_authtoken] to allow access rule validation
I've used the values from the endpoint. This was mostly a straight
forward copy and paste, except:
- versioned endpoints e.g cinderv3 where I stripped the version
- monasca has multiple endpoints associated with a single service. For
this, I concatenated logging and monitoring to be logging-monitoring.
Closes-Bug: #1965111
Change-Id: Ic4b3ab60abad8c3dd96cd4923a67f2a8f9d195d7
94 lines
2.8 KiB
Django/Jinja
94 lines
2.8 KiB
Django/Jinja
[DEFAULT]
|
|
debug = {{ barbican_logging_debug }}
|
|
log_dir = /var/log/kolla/barbican
|
|
{% if service_name == "barbican-api" %}
|
|
log_file = barbican-api.log
|
|
{% endif %}
|
|
|
|
bind_port = {{ barbican_api_listen_port }}
|
|
bind_host = {{ api_interface_address }}
|
|
host_href = {{ barbican_public_endpoint }}
|
|
|
|
backlog = 4096
|
|
|
|
db_auto_create = False
|
|
sql_connection = mysql+pymysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}
|
|
|
|
transport_url = {{ rpc_transport_url }}
|
|
|
|
# ================= Secret Store Plugin ===================
|
|
[secretstore]
|
|
namespace = barbican.secretstore.plugin
|
|
enabled_secretstore_plugins = store_crypto
|
|
|
|
# ================= Crypto plugin ===================
|
|
[crypto]
|
|
namespace = barbican.crypto.plugin
|
|
enabled_crypto_plugins = {{ barbican_crypto_plugin }}
|
|
|
|
{% if barbican_crypto_plugin == 'p11_crypto' %}
|
|
[p11_crypto_plugin]
|
|
# Path to vendor PKCS11 library
|
|
library_path = {{ barbican_library_path }}
|
|
# Password to login to PKCS11 session
|
|
login = '{{ barbican_p11_password }}'
|
|
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
|
|
mkek_label = 'kolla_master_kek'
|
|
# Length in bytes of master KEK
|
|
mkek_length = 32
|
|
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
|
|
hmac_label = 'kolla_hmac'
|
|
{% endif %}
|
|
{% if barbican_crypto_plugin == 'simple_crypto' %}
|
|
[simple_crypto_plugin]
|
|
# the kek should be a 32-byte value which is base64 encoded
|
|
kek = '{{ barbican_crypto_key }}'
|
|
{% endif %}
|
|
|
|
|
|
[keystone_notifications]
|
|
enable = True
|
|
{% if enable_keystone | bool %}
|
|
topic = barbican_notifications
|
|
{% endif %}
|
|
|
|
[keystone_authtoken]
|
|
service_type = key-manager
|
|
www_authenticate_uri = {{ keystone_internal_url }}
|
|
project_domain_id = {{ default_project_domain_id }}
|
|
project_name = service
|
|
user_domain_id = {{ default_user_domain_id }}
|
|
username = {{ barbican_keystone_user }}
|
|
password = {{ barbican_keystone_password }}
|
|
auth_url = {{ keystone_internal_url }}
|
|
auth_type = password
|
|
cafile = {{ openstack_cacert }}
|
|
region_name = {{ openstack_region_name }}
|
|
|
|
memcache_security_strategy = ENCRYPT
|
|
memcache_secret_key = {{ memcache_secret_key }}
|
|
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
|
|
|
[oslo_messaging_notifications]
|
|
transport_url = {{ notify_transport_url }}
|
|
{% if barbican_enabled_notification_topics %}
|
|
driver = messagingv2
|
|
topics = {{ barbican_enabled_notification_topics | map(attribute='name') | join(',') }}
|
|
{% else %}
|
|
driver = noop
|
|
{% endif %}
|
|
|
|
{% if om_enable_rabbitmq_tls | bool %}
|
|
[oslo_messaging_rabbit]
|
|
ssl = true
|
|
ssl_ca_file = {{ om_rabbitmq_cacert }}
|
|
{% endif %}
|
|
|
|
[oslo_middleware]
|
|
enable_proxy_headers_parsing = True
|
|
|
|
{% if barbican_policy_file is defined %}
|
|
[oslo_policy]
|
|
policy_file = {{ barbican_policy_file }}
|
|
{% endif %}
|