openstack/kolla-ansible
Code Issues Proposed changes
ff7856258e
kolla-ansible/ansible/roles/barbican/templates/barbican.conf.j2
Matt Crees 09df6fc1aa Add a flag to handle RabbitMQ high availability 
A combination of durable queues and classic queue mirroring can be used
to provide high availability of RabbitMQ. However, these options should
only be used together, otherwise the system will become unstable. Using
the flag ``om_enable_rabbitmq_high_availability`` will either enable
both options at once, or neither of them.

There are some queues that should not be mirrored:
* ``reply`` queues (these have a single consumer and TTL policy)
* ``fanout`` queues (these have a TTL policy)
* ``amq`` queues (these are auto-delete queues, with a single consumer)
An exclusionary pattern is used in the classic mirroring policy. This
pattern is ``^(?!(amq\\.)|(.*_fanout_)|(reply_)).*``

Change-Id: I51c8023b260eb40b2eaa91bd276b46890c215c25
2023-01-13 15:40:08 +00:00

98 lines
3.0 KiB
Django/Jinja
Raw Blame History

[DEFAULT]
debug = {{ barbican_logging_debug }}
log_dir = /var/log/kolla/barbican
{% if service_name == "barbican-api" %}
log_file = barbican-api.log
{% endif %}
bind_port = {{ barbican_api_listen_port }}
bind_host = {{ api_interface_address }}
host_href = {{ barbican_public_endpoint }}
backlog = 4096
db_auto_create = False
sql_connection = mysql+pymysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}
transport_url = {{ rpc_transport_url }}
# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = {{ barbican_crypto_plugin }}
{% if barbican_crypto_plugin == 'p11_crypto' %}
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = {{ barbican_library_path }}
# Password to login to PKCS11 session
login = '{{ barbican_p11_password }}'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'kolla_master_kek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'kolla_hmac'
{% endif %}
{% if barbican_crypto_plugin == 'simple_crypto' %}
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = '{{ barbican_crypto_key }}'
{% endif %}
[keystone_notifications]
enable = True
{% if enable_keystone | bool %}
topic = barbican_notifications
{% endif %}
[keystone_authtoken]
service_type = key-manager
www_authenticate_uri = {{ keystone_internal_url }}
project_domain_id = {{ default_project_domain_id }}
project_name = service
user_domain_id = {{ default_user_domain_id }}
username = {{ barbican_keystone_user }}
password = {{ barbican_keystone_password }}
auth_url = {{ keystone_internal_url }}
auth_type = password
cafile = {{ openstack_cacert }}
region_name = {{ openstack_region_name }}
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
{% if barbican_enabled_notification_topics %}
driver = messagingv2
topics = {{ barbican_enabled_notification_topics | map(attribute='name') | join(',') }}
{% else %}
driver = noop
{% endif %}
[oslo_messaging_rabbit]
heartbeat_in_pthread = false
{% if om_enable_rabbitmq_tls | bool %}
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
{% if om_enable_rabbitmq_high_availability | bool %}
amqp_durable_queues = true
{% endif %}
[oslo_middleware]
enable_proxy_headers_parsing = True
{% if barbican_policy_file is defined %}
[oslo_policy]
policy_file = {{ barbican_policy_file }}
{% endif %}
View Git Blame Copy Permalink